Deniable Internet Key Exchange

In this work, we develop a family of non-malleable and deniable Diffie-Hellman key-exchange (DHKE) protocols, named deniable Internet key exchange (DIKE). The newly developed DIKE protocols are conceptually clear, provide strong privacy protection to protocol participants, and are highly efficient in practice (in particular, in their online computation). For the security of the DIKE protocols, we formulate the notion of tag-based robust non-malleability (TBRNM) for DHKE protocols, which ensures robust non-malleability for DHKE protocols against concurrent man-in-the-middle (CMIM) adversaries and, in particular, implies concurrent forward deniability for both protocol participants. We show that TBRNM security and session-key security (SK-security) in the sense of the Canetti-Krawczyk framework are mutually complementary, so it is highly desirable to have DHKE protocols that enjoy both of them simultaneously. We prove that our DIKE protocol indeed satisfies both (privacy-preserving) TBRNM security and SK-security (with post-specified peers). The TBRNM analysis is based on a variant of the knowledge-of-exponent assumption (KEA), called the concurrent KEA assumption, which is introduced and clarified in this work and might be of independent interest.
