The Twist-AUgmented Technique for Key Exchange

Key derivation refers to the process by which an agreed upon large random number, often named master secret, is used to derive keys to encrypt and authenticate data. Practitioners and standardization bodies have usually used the random oracle model to get key material from a Diffie-Hellman key exchange. However, formal proofs in the standard model require randomness extractors to formally extract the entropy of the random master secret into a seed prior to deriving other keys. Whereas this is a quite simple tool, it is not easy to use in practice –or it is easy to misuse it–. In addition, in many standards, the acronym PRF (Pseudo-Random Functions) is used for several tasks, and namely the randomness extraction. While randomness extractors and pseudo-random functions are a priori distinct tools, we first study whether such an application is correct or not. We thereafter study the case of $\mathbb{Z}^{*}_{p}$ where p is a safe-prime and the case of elliptic curve since in IPSec for example, only these two groups are considered. We present very efficient and provable randomness extraction techniques for these groups under the DDH assumption. In the special case of elliptic curves, we present a new technique —the so-called 'Twist-AUgmented' technique— which exploits specific properties of some elliptic curves, and avoids the need of any randomness extractor. We finally compare the efficiency of this method with other solutions.

[1]  Joseph H. Silverman,et al.  The arithmetic of elliptic curves , 1986, Graduate texts in mathematics.

[2]  Bodo Möller,et al.  A Public-Key Encryption Scheme with Pseudo-random Ciphertexts , 2004, ESORICS.

[3]  Hugo Krawczyk,et al.  Keying Hash Functions for Message Authentication , 1996, CRYPTO.

[4]  Luca Trevisan,et al.  Extracting randomness from samplable distributions , 2000, Proceedings 41st Annual Symposium on Foundations of Computer Science.

[5]  Shai Halevi,et al.  An Architecture for Robust Pseudo-Random Generation and Applications to /dev/random , 2005, CCS 2005.

[6]  Christof Paar,et al.  Cryptographic Hardware and Embedded Systems - CHES 2003 , 2003, Lecture Notes in Computer Science.

[7]  K. Brown,et al.  Graduate Texts in Mathematics , 1982 .

[8]  Russell Impagliazzo,et al.  How to recycle random bits , 1989, 30th Annual Symposium on Foundations of Computer Science.

[9]  Hugo Krawczyk,et al.  Randomness Extraction and Key Derivation Using the CBC, Cascade and HMAC Modes , 2004, CRYPTO.

[10]  Victor Shoup,et al.  A Proposal for an ISO Standard for Public Key Encryption , 2001, IACR Cryptol. ePrint Arch..

[11]  Colin Boyd,et al.  Elliptic Curve Based Password Authenticated Key Exchange Protocols , 2001, ACISP.

[12]  Aggelos Kiayias,et al.  Traceable Signatures , 2004, EUROCRYPT.

[13]  Leonid A. Levin,et al.  A Pseudorandom Generator from any One-way Function , 1999, SIAM J. Comput..

[14]  Victor Shoup,et al.  Sequences of games: a tool for taming complexity in security proofs , 2004, IACR Cryptol. ePrint Arch..

[15]  David Zuckerman,et al.  DETERMINISTIC EXTRACTORS FOR BIT-FIXING SOURCES AND EXPOSURE-RESILIENT CRYPTOGRAPHY , 2003 .

[16]  Matthew Franklin,et al.  Advances in Cryptology – CRYPTO 2004 , 2004, Lecture Notes in Computer Science.

[17]  Whitfield Diffie,et al.  New Directions in Cryptography , 1976, IEEE Trans. Inf. Theory.

[18]  Steven M. Bellovin,et al.  Encrypted key exchange: password-based protocols secure against dictionary attacks , 1992, Proceedings 1992 IEEE Computer Society Symposium on Research in Security and Privacy.

[19]  Bart Preneel,et al.  Advances in cryptology - EUROCRYPT 2000 : International Conference on the Theory and Application of Cryptographic Techniques, Bruges, Belgium, May 14-18, 2000 : proceedings , 2000 .

[20]  Miklos Santha,et al.  Generating Quasi-random Sequences from Semi-random Sources , 1986, J. Comput. Syst. Sci..

[21]  P. L. Montgomery,et al.  An FFT extension of the elliptic curve method of factorization , 1992 .

[22]  Leonid A. Levin,et al.  Pseudo-random generation from one-way functions , 1989, STOC '89.

[23]  Yevgeniy Dodis,et al.  Exposure-resilient cryptography , 2000 .

[24]  Mihir Bellare,et al.  Relations among Notions of Security for Public-Key Encryption Schemes , 1998, IACR Cryptol. ePrint Arch..

[25]  Dieter Gollmann,et al.  Computer Security – ESORICS 2004 , 2004, Lecture Notes in Computer Science.

[26]  Ronen Shaltiel,et al.  True Random Number Generators Secure in a Changing Environment , 2003, CHES.

[27]  Michael Wiener,et al.  Advances in Cryptology — CRYPTO’ 99 , 1999 .

[28]  G. G. Stokes "J." , 1890, The New Yale Book of Quotations.

[29]  Eyal Kushilevitz,et al.  Exposure-Resilient Functions and All-or-Nothing Transforms , 2000, EUROCRYPT.

[30]  Victor Shoup,et al.  A computational introduction to number theory and algebra , 2005 .

[31]  Alexander Russell,et al.  Perfect Information Leader Election in log* n+O (1) Rounds , 2001, J. Comput. Syst. Sci..

[32]  Mihir Bellare,et al.  Provably secure session key distribution: the three party case , 1995, STOC '95.

[33]  J. Amaechi,et al.  Man in the Middle , 2007 .

[34]  Hugo Krawczyk,et al.  Secure Hashed Diffie-Hellman over Non-DDH Groups , 2004, EUROCRYPT.

[35]  Dan Harkins,et al.  The Internet Key Exchange (IKE) , 1998, RFC.

[36]  Mihir Bellare,et al.  Entity Authentication and Key Distribution , 1993, CRYPTO.

[37]  Information Security and Privacy , 1996, Lecture Notes in Computer Science.

[38]  Olivier Chevassut,et al.  Key Derivation and Randomness Extraction , 2005, IACR Cryptol. ePrint Arch..

[39]  Aggelos Kiayias,et al.  Self Protecting Pirates and Black-Box Traitor Tracing , 2001, CRYPTO.

[40]  Christopher Allen,et al.  The TLS Protocol Version 1.0 , 1999, RFC.

[41]  Oded Goldreich,et al.  Foundations of Cryptography (Fragments of a Book) , 1995 .

[42]  David Naccache,et al.  Topics in Cryptology — CT-RSA 2001 , 2001, Lecture Notes in Computer Science.

[43]  Mihir Bellare,et al.  Optimal Asymmetric Encryption-How to Encrypt with RSA , 1995 .

[44]  Charlie Kaufman,et al.  Internet Key Exchange (IKEv2) Protocol , 2005, RFC.

[45]  Burton S. Kaliski,et al.  One-way permutations on elliptic curves , 2004, Journal of Cryptology.

[46]  Mihir Bellare,et al.  The Oracle Diffie-Hellman Assumptions and an Analysis of DHIES , 2001, CT-RSA.

[47]  Mihir Bellare,et al.  Random oracles are practical: a paradigm for designing efficient protocols , 1993, CCS '93.

[48]  Silvio Micali,et al.  A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks , 1988, SIAM J. Comput..

[49]  Ronen Shaltiel,et al.  Recent Developments in Explicit Constructions of Extractors , 2002, Bull. EATCS.

[50]  Victor Shoup,et al.  OAEP Reconsidered , 2001, CRYPTO.

[51]  Shai Halevi,et al.  A model and architecture for pseudo-random generation with applications to /dev/random , 2005, CCS '05.

[52]  Amit Sahai,et al.  On Perfect and Adaptive Security in Exposure-Resilient Cryptography , 2001, EUROCRYPT.