Future-Proofing Key Exchange Protocols

Key exchange protocols, first introduced by Diffie and Hellman in 1976, are one of the most widely-deployed cryptographic protocols. They allow two parties, that have never interacted before, to establish shared secrets. These shared cryptographic keys may subsequently be used to establish a secure communication channel. Use cases include the classic client-server setting that is for example at play when browsing the internet, but also chats via end-to-end-encrypted instant messaging applications. Security-wise, we generally demand of key exchange protocols to achieve key secrecy and authentication. While, informally, authentication ensures that the communicating parties have confidence in the identity of their peers, key secrecy ensures that any shared cryptographic key that is established via the key exchange protocol is only known to the participants in the protocol and can be used securely in cryptographic protocols, i.e., is sufficiently random. In 1993, Bellare and Rogaway gave a first formalization of key exchange protocol security that captures these properties with respect to powerful adversaries with full control over the network. Their model constitutes the basis of the many subsequent treatments of authenticated key exchange security, including the models presented in this thesis. The common methodological approach underlying all of these formalizations is the provable security paradigm, which has become a standard tool in assessing the security of cryptographic protocols and primitives. So-called security models specify the expected security guarantees of the scheme in question with regards to a well-defined class of adversaries. Proofs that validate these security claims do so by reducing the security of the overall scheme to the security of the underlying cryptographic primitives and hardness assumptions. However, advances in computational power and more sophisticated cryptanalytic capabilities often render exactly these components insecure. Especially the advent of quantum computers will have a devastating effect on much of today's public key cryptography. This is especially true for key exchange protocols since they rely crucially on public-key algorithms. In this thesis, our focus in future-proofing key exchange protocols is two-fold. First, we focus on extending security models for key exchange protocols to capture the (un)expected break of cryptographic primitives and hardness assumptions. The aim is to gain assurances with respect to future adversaries and to investigate the effects of primitive failures on key exchange protocols. More specifically, we explore how key exchange protocols can be safely transitioned to new, post-quantum secure algorithms with hybrid techniques. Hybrids combine classical and post-quantum algorithms such that the overall key agreement scheme remains secure as long as one of the two base schemes remains secure. For this, we introduce security notions for key encapsulation mechanisms that account for adversaries with varying levels of quantum capabilities and present three new constructions for hybrid key encapsulation mechanisms. Our hybrid designs are practice-inspired and for example capture draft proposals for hybrid modes in the Transport Layer Security (TLS) protocol, which is one of the most widely-deployed cryptographic protocols that enables key agreement. Furthermore, our notion of breakdown resilience for key exchange protocols allows to gauge the security of past session keys in the event of a failure of a cryptographic component in the key exchange. We exercise our model on variants of the post-quantum secure key exchange protocol NewHope by Alkim et al. Thereby, we confirm the intuition that, in order to guard against adversaries that only have access to quantum computing power in the (more distant) future, it is sufficient to use classically-secure authentication mechanisms alongside post-quantum key agreement to achieve authenticated key exchange. As with any mathematical statement, theorems in the provable security paradigm are only as valid as the underlying assumptions. A careful consideration of any newly made assumption is thus essential to ensure the meaningfulness of the statement itself and make the assumption a viable tool for future analyses. Thus, secondly, we systematically classify the PRF-ODH assumption, a complexity-theoretic hardness assumption that has been used in key exchange security analyses of such prominent protocols as TLS, Signal, and Wireguard. In particular, we give a unified, parametrized definition of the assumption encompassing different variants that are present in the literature. We relate the resulting parametrized notions in terms of their strength and show where these assumptions fit in the collection of well-understood related hardness assumptions. We finally sketch our result on the impossibility of instantiating this assumption in the standard model, thereby disposing of the uncertainty in the community whether PRF-ODH is in fact a standard model assumption, i.e., removes the usage of some idealized assumptions in key exchange protocol proofs.

[1]  Pascal Paillier,et al.  Discrete-Log-Based Signatures May Not Be Equivalent to Discrete Log , 2005, ASIACRYPT.

[2]  David Pointcheval,et al.  The Gap-Problems: A New Class of Problems for the Security of Cryptographic Schemes , 2001, Public Key Cryptography.

[3]  Kenneth G. Paterson,et al.  A Cryptographic Analysis of the WireGuard Protocol , 2018, IACR Cryptol. ePrint Arch..

[4]  Mihir Bellare,et al.  The Oracle Diffie-Hellman Assumptions and an Analysis of DHIES , 2001, CT-RSA.

[5]  Alfred Menezes,et al.  Entity Authentication and Authenticated Key Transport Protocols Employing Asymmetric Techniques , 1997, Security Protocols Workshop.

[6]  Hugo Krawczyk,et al.  Keying Hash Functions for Message Authentication , 1996, CRYPTO.

[7]  Shay Gueron,et al.  Continuous Key Agreement with Reduced Bandwidth , 2019, IACR Cryptol. ePrint Arch..

[8]  Sang Joon Kim,et al.  A Mathematical Theory of Communication , 2006 .

[9]  Claude E. Shannon,et al.  Communication theory of secrecy systems , 1949, Bell Syst. Tech. J..

[10]  Marc Fischlin,et al.  Composability of bellare-rogaway key exchange protocols , 2011, CCS '11.

[11]  Larry Carter,et al.  New Hash Functions and Their Use in Authentication and Set Equality , 1981, J. Comput. Syst. Sci..

[12]  Eric Rescorla,et al.  The Transport Layer Security (TLS) Protocol Version 1.2 , 2008, RFC.

[13]  Cas J. F. Cremers,et al.  Beyond eCK: perfect forward secrecy under actor compromise and ephemeral-key reveal , 2015, Des. Codes Cryptogr..

[14]  Junji Shikata,et al.  On the Security of Multiple Encryption or CCA-security+CCA-security=CCA-security? , 2004, Public Key Cryptography.

[15]  Marc Fischlin,et al.  Breakdown Resilience of Key Exchange Protocols and the Cases of NewHope and TLS 1.3 , 2017, IACR Cryptol. ePrint Arch..

[16]  Douglas Stebila,et al.  Modelling Ciphersuite and Version Negotiation in the TLS Protocol , 2015, ACISP.

[17]  Martin R. Albrecht,et al.  NewHope Algorithm Specifications and Supporting Documentation , 2017 .

[18]  Hugo Krawczyk,et al.  A modular approach to the design and analysis of authentication and key exchange protocols (extended abstract) , 1998, STOC '98.

[19]  Silvio Micali,et al.  Probabilistic Encryption , 1984, J. Comput. Syst. Sci..

[20]  Jörg Schwenk,et al.  Flexible Authenticated and Confidential Channel Establishment (fACCE): Analyzing the Noise Protocol Framework , 2020, IACR Cryptol. ePrint Arch..

[21]  Mihir Bellare,et al.  Random oracles are practical: a paradigm for designing efficient protocols , 1993, CCS '93.

[22]  M. Rabin DIGITALIZED SIGNATURES AND PUBLIC-KEY FUNCTIONS AS INTRACTABLE AS FACTORIZATION , 1979 .

[23]  Silvio Micali,et al.  A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks , 1988, SIAM J. Comput..

[24]  Lov K. Grover A fast quantum mechanical algorithm for database search , 1996, STOC '96.

[25]  Shay Gueron,et al.  Design issues for hybrid key exchange in TLS 1.3 , 2000 .

[26]  Sarvar Patel,et al.  Provably Secure Password-Authenticated Key Exchange Using Diffie-Hellman , 2000, EUROCRYPT.

[27]  Berkant Ustaoglu,et al.  Obtaining a secure and efficient key agreement protocol from (H)MQV and NAXOS , 2008, Des. Codes Cryptogr..

[28]  Marc Fischlin,et al.  PRF-ODH: Relations, Instantiations, and Impossibility Results , 2017, CRYPTO.

[29]  Eike Kiltz,et al.  A Tool Box of Cryptographic Functions Related to the Diffie-Hellman Function , 2001, INDOCRYPT.

[30]  Marc Stevens,et al.  The First Collision for Full SHA-1 , 2017, CRYPTO.

[31]  Cristina Nita-Rotaru,et al.  How Secure and Quick is QUIC? Provable Security and Performance Analyses , 2015, 2015 IEEE Symposium on Security and Privacy.

[32]  Paul C. van Oorschot,et al.  Authentication and authenticated key exchanges , 1992, Des. Codes Cryptogr..

[33]  Richard Barnes,et al.  The Messaging Layer Security (MLS) Protocol , 2019 .

[34]  Mihir Bellare,et al.  New Proofs for NMAC and HMAC: Security without Collision Resistance , 2006, Journal of Cryptology.

[35]  Kenneth G. Paterson,et al.  On the Security of RC4 in TLS , 2013, USENIX Security Symposium.

[36]  Alfred Menezes,et al.  Key Agreement Protocols and Their Security Analysis , 1997, IMACC.

[37]  Erdem Alkim,et al.  Post-quantum Key Exchange - A New Hope , 2016, USENIX Security Symposium.

[38]  R. Feynman Simulating physics with computers , 1999 .

[39]  Tatsuaki Okamoto,et al.  Secure Integration of Asymmetric and Symmetric Encryption Schemes , 1999, Journal of Cryptology.

[40]  Hong Wang,et al.  IND-CCA-Secure Key Encapsulation Mechanism in the Quantum Random Oracle Model, Revisited , 2018, CRYPTO.

[41]  Hugo Krawczyk,et al.  Analysis of Key-Exchange Protocols and Their Use for Building Secure Channels , 2001, EUROCRYPT.

[42]  Eric Rescorla,et al.  The Transport Layer Security (TLS) Protocol Version 1.3 , 2018, RFC.

[43]  Jonathan Katz,et al.  Aggregate Message Authentication Codes , 1995 .

[44]  Mark Zhandry,et al.  Random Oracles in a Quantum World , 2010, ASIACRYPT.

[45]  Paul E. Hoffman,et al.  Internet Key Exchange Protocol Version 2 (IKEv2) , 2010, RFC.

[46]  Thomas Peyrin,et al.  Freestart Collision for Full SHA-1 , 2015, EUROCRYPT.

[47]  Jean-Sébastien Coron,et al.  Merkle-Damgård Revisited: How to Construct a Hash Function , 2005, CRYPTO.

[48]  Marc Fischlin,et al.  Multi-Stage Key Exchange and the Case of Google's QUIC Protocol , 2014, CCS.

[49]  Mihir Bellare,et al.  A Theoretical Treatment of Related-Key Attacks: RKA-PRPs, RKA-PRFs, and Applications , 2003, EUROCRYPT.

[50]  Jonathan Katz,et al.  Scalable Protocols for Authenticated Group Key Exchange , 2003, CRYPTO.

[51]  Karthikeyan Bhargavan,et al.  Transcript Collision Attacks: Breaking Authentication in TLS, IKE and SSH , 2016, NDSS.

[52]  Robert H. Deng,et al.  Variations of Diffie-Hellman Problem , 2003, ICICS.

[53]  Hugo Krawczyk,et al.  The OPTLS Protocol and TLS 1.3 , 2016, 2016 IEEE European Symposium on Security and Privacy (EuroS&P).

[54]  Xiaoyun Wang,et al.  How to Break MD5 and Other Hash Functions , 2005, EUROCRYPT.

[55]  Eric Crockett,et al.  BIKE and SIKE Hybrid Key Exchange Cipher Suites for Transport Layer Security (TLS) , 2019 .

[56]  Alexander W. Dent,et al.  Fundamental problems in provable security and cryptography , 2006, Philosophical Transactions of the Royal Society A: Mathematical, Physical and Engineering Sciences.

[57]  Marc Fischlin,et al.  Zero Round-Trip Time for the Extended Access Control Protocol , 2017, ESORICS.

[58]  Nina Bindel On the Security of Lattice-Based Signature Schemes in a Post-Quantum World , 2018 .

[59]  Marc Fischlin,et al.  Replay Attacks on Zero Round-Trip Time: The Case of the TLS 1.3 Handshake Candidates , 2017, 2017 IEEE European Symposium on Security and Privacy (EuroS&P).

[60]  Britta Hale,et al.  Revisiting Post-Compromise Security Guarantees in Group Messaging , 2019, IACR Cryptol. ePrint Arch..

[61]  Victor Shoup,et al.  On Formal Models for Secure Key Exchange , 1999, IACR Cryptol. ePrint Arch..

[62]  Marc Fischlin,et al.  A Cryptographic Analysis of the TLS 1.3 Handshake Protocol Candidates , 2015, IACR Cryptol. ePrint Arch..

[63]  Kristin E. Lauter,et al.  Stronger Security of Authenticated Key Exchange , 2006, ProvSec.

[64]  Alexander W. Dent A Note On Game-Hopping Proofs , 2006, IACR Cryptol. ePrint Arch..

[65]  Tetsu Iwata,et al.  Cryptanalysis of OCB2: Attacks on Authenticity and Confidentiality , 2020, Journal of Cryptology.

[66]  Goutam Paul,et al.  (Non-)Random Sequences from (Non-)Random Permutations—Analysis of RC4 Stream Cipher , 2012, Journal of Cryptology.

[67]  Ran Canetti,et al.  Universally Composable Commitments , 2001, CRYPTO.

[68]  Hugo Krawczyk,et al.  HMAC-based Extract-and-Expand Key Derivation Function (HKDF) , 2010, RFC.

[69]  Dan Boneh,et al.  Breaking RSA May Not Be Equivalent to Factoring , 1998, EUROCRYPT.

[70]  Marc Stevens,et al.  Chosen-Prefix Collisions for MD5 and Colliding X.509 Certificates for Different Identities , 2007, EUROCRYPT.

[71]  Thierry Paul,et al.  Quantum computation and quantum information , 2007, Mathematical Structures in Computer Science.

[72]  Erdem Alkim,et al.  NewHope without reconciliation , 2016, IACR Cryptol. ePrint Arch..

[73]  Hugo Krawczyk,et al.  HMQV: A High-Performance Secure Diffie-Hellman Protocol , 2005, CRYPTO.

[74]  Lov K. Grover From Schrödinger’s equation to the quantum search algorithm , 2001, quant-ph/0109116.

[75]  Suela Kodra Fuzzy extractors : How to generate strong keys from biometrics and other noisy data , 2015 .

[76]  Yehuda Lindell,et al.  Introduction to Modern Cryptography, Second Edition , 2014 .

[77]  Eike Kiltz,et al.  A Modular Analysis of the Fujisaki-Okamoto Transformation , 2017, TCC.

[78]  Guido Bertoni,et al.  On the Indifferentiability of the Sponge Construction , 2008, EUROCRYPT.

[79]  Peter W. Shor,et al.  Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Computer , 1995, SIAM Rev..

[80]  Hugo Krawczyk,et al.  A Security Architecture for the Internet Protocol , 1999, IBM Syst. J..

[81]  Bogdan Warinschi,et al.  Generic Forward-Secure Key Agreement Without Signatures , 2017, ISC.

[82]  Kasper Bonne Rasmussen,et al.  On Bitcoin Security in the Presence of Broken Cryptographic Primitives , 2016, ESORICS.

[83]  Craig Costello,et al.  Post-Quantum Key Exchange for the TLS Protocol from the Ring Learning with Errors Problem , 2015, 2015 IEEE Symposium on Security and Privacy.

[84]  Alfred Menezes,et al.  Critical perspectives on provable security: Fifteen years of "another look" papers , 2019, Adv. Math. Commun..

[85]  Marc Fischlin,et al.  Security Analysis of the Extended Access Control Protocol for Machine Readable Travel Documents , 2010, ISC.

[86]  Christoph G. Günther,et al.  An Identity-Based Key-Exchange Protocol , 1990, EUROCRYPT.

[87]  Franziskus Kiefer,et al.  Hybrid ECDHE-SIDH Key Exchange for TLS , 2018 .

[88]  Eike Kiltz,et al.  Generic Authenticated Key Exchange in the Quantum Random Oracle Model , 2020, IACR Cryptol. ePrint Arch..

[89]  Hugo Krawczyk,et al.  Security Analysis of IKE's Signature-Based Key-Exchange Protocol , 2002, CRYPTO.

[90]  Douglas Stebila,et al.  Transitioning to a Quantum-Resistant Public Key Infrastructure , 2017, IACR Cryptol. ePrint Arch..

[91]  Oded Goldreich,et al.  On the power of cascade ciphers , 1985, TOCS.

[92]  Ueli Maurer,et al.  Indifferentiability, Impossibility Results on Reductions, and Applications to the Random Oracle Methodology , 2004, TCC.

[93]  Marc Fischlin,et al.  Hybrid Key Encapsulation Mechanisms and Authenticated Key Exchange , 2019, IACR Cryptol. ePrint Arch..

[94]  Moni Naor,et al.  On Robust Combiners for Oblivious Transfer and Other Primitives , 2005, EUROCRYPT.

[95]  Christina Brzuska On the foundations of key exchange , 2013 .

[96]  Daniel J. Bernstein,et al.  Comparing proofs of security for lattice-based encryption , 2019, IACR Cryptol. ePrint Arch..

[97]  Cas J. F. Cremers,et al.  On Ends-to-Ends Encryption: Asynchronous Group Messaging with Strong Security Guarantees , 2018, IACR Cryptol. ePrint Arch..

[98]  Silvio Micali,et al.  Probabilistic encryption & how to play mental poker keeping secret all partial information , 1982, STOC '82.

[99]  G. Blakley,et al.  An efficient algorithm for constructing a cryptosystem which is harder to break than two other cryptosystems , 1981 .

[100]  Victor Shoup,et al.  Sequences of games: a tool for taming complexity in security proofs , 2004, IACR Cryptol. ePrint Arch..

[101]  Antoon Bosselaers,et al.  Collisions for the Compressin Function of MD5 , 1994, EUROCRYPT.

[102]  Peter W. Shor,et al.  Algorithms for quantum computation: discrete logarithms and factoring , 1994, Proceedings 35th Annual Symposium on Foundations of Computer Science.

[103]  Kasper Bonne Rasmussen,et al.  When the Crypto in Cryptocurrencies Breaks: Bitcoin Security under Broken Primitives , 2018, IEEE Security & Privacy.

[104]  Ralph C. Merkle,et al.  One Way Hash Functions and DES , 1989, CRYPTO.

[105]  Whitfield Diffie,et al.  New Directions in Cryptography , 1976, IEEE Trans. Inf. Theory.

[106]  Oscar Garcia-Morchon,et al.  Quantum-Safe Hybrid (QSH) Key Exchange for Transport Layer Security (TLS) version 1.3 , 2017 .

[107]  Mihir Bellare,et al.  Provably secure session key distribution: the three party case , 1995, STOC '95.

[108]  Mihir Bellare,et al.  Symmetric and Dual PRFs from Standard Assumptions: A Generic Validation of an HMAC Assumption , 2015, IACR Cryptol. ePrint Arch..

[109]  Zhenfeng Zhang,et al.  Key Encapsulation Mechanism with Explicit Rejection in the Quantum Random Oracle Model , 2019, IACR Cryptol. ePrint Arch..

[110]  Paul Hoffman The Transition from Classical to Post-Quantum Cryptography , 2019 .

[111]  Hugo Krawczyk,et al.  HMAC: Keyed-Hashing for Message Authentication , 1997, RFC.

[112]  Chris Peikert,et al.  Lattice Cryptography for the Internet , 2014, PQCrypto.

[113]  Jonathan Katz,et al.  Chosen-Ciphertext Security of Multiple Encryption , 2005, TCC.

[114]  Kenneth G. Paterson,et al.  Efficient One-Round Key Exchange in the Standard Model , 2008, ACISP.

[115]  Douglas Stebila,et al.  A Formal Security Analysis of the Signal Messaging Protocol , 2017, Journal of Cryptology.

[116]  Tibor Jager,et al.  On the Security of TLS-DHE in the Standard Model , 2012, CRYPTO.

[117]  Fernando Virdia,et al.  Estimate all the {LWE, NTRU} schemes! , 2018, IACR Cryptol. ePrint Arch..

[118]  Marc Fischlin,et al.  A Cryptographic Analysis of the TLS 1.3 draft-10 Full and Pre-shared Key Handshake Protocol , 2016, IACR Cryptol. ePrint Arch..

[119]  Matthew Green,et al.  Downgrade Resilience in Key-Exchange Protocols , 2016, 2016 IEEE Symposium on Security and Privacy (SP).

[120]  Mihir Bellare,et al.  Entity Authentication and Key Distribution , 1993, CRYPTO.

[121]  Mihir Bellare,et al.  Authenticated Key Exchange Secure against Dictionary Attacks , 2000, EUROCRYPT.

[122]  Amir Herzberg,et al.  On Tolerant Cryptographic Constructions , 2005, CT-RSA.

[123]  Christian Paquin,et al.  Prototyping post-quantum and hybrid key exchange and authentication in TLS and SSH , 2019, IACR Cryptol. ePrint Arch..

[124]  Denise Demirel,et al.  Efficient proactive secret sharing , 2016, 2016 14th Annual Conference on Privacy, Security and Trust (PST).

[125]  Alfred Menezes,et al.  Another Look at "Provable Security" , 2005, Journal of Cryptology.

[126]  Xiaoyun Wang,et al.  Finding Collisions in the Full SHA-1 , 2005, CRYPTO.

[127]  Ran Canetti,et al.  The random oracle methodology, revisited , 2000, JACM.

[128]  Hugo Krawczyk,et al.  SIGMA: The 'SIGn-and-MAc' Approach to Authenticated Diffie-Hellman and Its Use in the IKE-Protocols , 2003, CRYPTO.

[129]  Dengguo Feng,et al.  Multiple Handshakes Security of TLS 1.3 Candidates , 2016, 2016 IEEE Symposium on Security and Privacy (SP).

[130]  Ran Canetti,et al.  Universally composable security: a new paradigm for cryptographic protocols , 2001, Proceedings 2001 IEEE International Conference on Cluster Computing.

[131]  Hugo Krawczyk,et al.  Cryptographic Extraction and Key Derivation: The HKDF Scheme , 2010, IACR Cryptol. ePrint Arch..

[132]  Kenneth G. Paterson,et al.  On the Security of the TLS Protocol: A Systematic Analysis , 2013, IACR Cryptol. ePrint Arch..

[133]  Jintai Ding,et al.  A Simple Provably Secure Key Exchange Scheme Based on the Learning with Errors Problem , 2012, IACR Cryptol. ePrint Arch..

[134]  Steven D. Galbraith,et al.  Mathematics of Public Key Cryptography , 2012 .

[135]  Ivan Damgård,et al.  A Design Principle for Hash Functions , 1989, CRYPTO.

[136]  Cas J. F. Cremers,et al.  On Post-compromise Security , 2016, 2016 IEEE 29th Computer Security Foundations Symposium (CSF).