Computer Security – ESORICS 2013

SPDZ (pronounced "Speedz") is the nickname of the MPC protocol of Damgård et al. from Crypto 2012. In this paper we both resolve a number of open problems with SPDZ and present several theoretical and practical improvements to the protocol. In detail, we start by designing and implementing a covertly secure key generation protocol for obtaining a BGV public key and a shared associated secret key. We then construct both a covertly and an actively secure preprocessing phase, both of which compare favourably with previous work in terms of efficiency and provable security. We also build a new online phase, which solves a major problem of the SPDZ protocol: prior to this work, preprocessed data could be used for only one function evaluation and then had to be recomputed from scratch for the next evaluation, whereas our online phase can support reactive functionalities. This improvement comes mainly from the fact that our construction does not require players to reveal the MAC keys in order to check the correctness of MAC'd values.
