A New Family of Practical Non-Malleable Protocols

Cryptosystems that remain secure in an asynchronous network such as the Internet are now a necessity, and in that setting concurrent non-malleable proof-of-knowledge and universal composability are among the most powerful and fundamental security notions. However, as the cryptosystems to be secured in an open network like the Internet grow more complex, generic solutions are often either impossible or impractical. In this work we investigate highly practical approaches to building non-malleable cryptosystems that are secure against concurrent man-in-the-middle attackers. We start with the Diffie-Hellman key-exchange (DHKE) protocol, which lies at the root of public-key cryptography and is one of the main pillars of both the theory and the practice of the field. We develop the mechanisms of non-malleable joint proof-of-knowledge (NMJPOK) and self-sealed joint proof-of-knowledge (SSJPOK), which are of independent interest. Using NMJPOK and SSJPOK as the key building tools, we present a new family of DHKE protocols with a remarkable balance of security, privacy, efficiency and ease of deployment. Of particular importance to applied cryptographic engineering, the new DHKE protocols add novelty and value to a range of key industry standards for network security (e.g., IKE, (H)MQV, SSH). Along the way, we also re-examine the security definition frameworks for DHKE and clarify various subtleties in the design and analysis of non-malleable DHKE protocols. Then, motivated by the NMJPOK and SSJPOK tools proposed and justified here, we formulate the notion of a non-malleable extractable joint one-way function (NME-JOWF) and demonstrate general applications of NME-JOWF, including 3-round concurrent non-malleable zero-knowledge (CNMZK) and universally composable zero-knowledge (UCZK) in the plain model. Finally, we propose candidate NME-JOWFs based on bilinear pairings and show various concrete applications of these pairing-based candidates.
∗Institute for Theoretical Computer Science (ITCS), Tsinghua University, Beijing, China. andrewcyao@tsinghua.edu.cn †Software School, Fudan University, Shanghai 200433, China. ylzhao@fudan.edu.cn
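The abstract motivates non-malleable DHKE by the man-in-the-middle that an unauthenticated exchange admits. The following is an added illustration, not code from the paper and not its NMJPOK/SSJPOK construction: a plain Diffie-Hellman exchange with both parties' messages, first run honestly, then with an attacker substituting her own g^m in each direction. The group parameters (p = 2^127 - 1, g = 3), the SHA-256 key derivation and the transcript layout are assumptions of the example chosen for readability, not values from the paper.

```python
"""
Unauthenticated Diffie-Hellman and the man-in-the-middle it permits.

Added illustration, not code from the paper.  Parameters are toy values:
p = 2^127 - 1 (the Mersenne prime M127) with g = 3.  A real deployment uses
a standards group (e.g. RFC 3526 / RFC 7919) and, above all, authenticates
the exchange.
"""
import hashlib
import secrets

P = (1 << 127) - 1  # toy prime, NOT a standards group (assumption of the example)
G = 3               # toy generator (assumption of the example)


def keygen(rng=secrets.randbelow):
    """Ephemeral DH key pair: private exponent x, public value g^x mod p."""
    x = 2 + rng(P - 3)          # x in [2, p-2]
    return x, pow(G, x, P)


def shared_secret(x, peer_pub):
    """g^{xy} mod p, rejecting the degenerate public values 0, 1 and p-1."""
    if not 1 < peer_pub < P - 1:
        raise ValueError("degenerate peer public value")
    return pow(peer_pub, x, P)


def transcript(pub_a, pub_b):
    """Transcript as each party sees it: initiator value || responder value."""
    return pub_a.to_bytes(16, "big") + pub_b.to_bytes(16, "big")


def derive_key(secret, transcript_bytes):
    """Session key = SHA-256(secret || transcript).  Binding the transcript is
    good hygiene but does not stop a MitM: each party hashes the transcript it
    actually saw, and the attacker knows both transcripts and both secrets."""
    return hashlib.sha256(secret.to_bytes(16, "big") + transcript_bytes).hexdigest()


def honest_run():
    """Alice -> Bob: A = g^a ; Bob -> Alice: B = g^b ; both derive the same key."""
    a, A = keygen()
    b, B = keygen()
    k_alice = derive_key(shared_secret(a, B), transcript(A, B))
    k_bob = derive_key(shared_secret(b, A), transcript(A, B))
    return k_alice, k_bob


def mitm_run():
    """Mallory replaces each party's public value with her own M = g^m.

    Alice -> (Mallory) -> Bob : Bob receives M instead of A
    Bob   -> (Mallory) -> Alice: Alice receives M instead of B

    Alice ends up sharing g^{am} with Mallory, Bob shares g^{bm} with Mallory,
    and neither honest party can detect the substitution without
    authentication of the exchanged values."""
    a, A = keygen()
    b, B = keygen()
    m, M = keygen()  # Mallory's ephemeral pair
    k_alice = derive_key(shared_secret(a, M), transcript(A, M))
    k_bob = derive_key(shared_secret(b, M), transcript(M, B))
    # Mallory reproduces both session keys from her exponent and the public values
    k_mal_alice = derive_key(shared_secret(m, A), transcript(A, M))
    k_mal_bob = derive_key(shared_secret(m, B), transcript(M, B))
    return {
        "alice": k_alice,
        "bob": k_bob,
        "mallory_with_alice": k_mal_alice,
        "mallory_with_bob": k_mal_bob,
    }


if __name__ == "__main__":
    ka, kb = honest_run()
    print("honest run, Alice and Bob agree:", ka == kb)
    r = mitm_run()
    print("MitM run, Alice and Bob agree:", r["alice"] == r["bob"])
    print("Mallory holds Alice's key:", r["mallory_with_alice"] == r["alice"])
    print("Mallory holds Bob's key:", r["mallory_with_bob"] == r["bob"])
```

Note that hashing the transcript into the key changes nothing here: the attacker sits on both transcripts and can compute both keys, so any key-confirmation MAC she is asked to forward she can simply recompute. Closing that gap by binding the ephemeral values to the parties' long-term identities, without letting a concurrent man-in-the-middle reuse or re-randomise one session's values in another, is exactly what authenticated, non-malleable DHKE designs such as IKE, (H)MQV and the protocols proposed in this paper are about.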
