Automatic, computational proof of EKE using CryptoVerif (Work in progress)

Bruno Blanchet (blanchet@di.ens.fr)
Joint work with David Pointcheval
CNRS, École Normale Supérieure, INRIA, Paris
April 2010

Outline: Introduction, Assumptions, On Shoup's lemma, The proof, To do, Conclusion



Published : Tuesday, June 19, 2012
Origin : di.ens.fr
Number of pages: 25
Motivation
  • EKE (Encrypted Key Exchange): a password-based key exchange protocol.
  • A non-trivial protocol. It took some time before getting a computational proof of this protocol.
  • Our goal: mechanize, and automate as far as possible, its proof using the automatic computational protocol verifier CryptoVerif.
  • This is an opportunity for several interesting extensions of CryptoVerif.
  • This work is still in progress.
EKE

We consider the variant of EKE of [Bresson, Chevassut, Pointcheval, CCS'03].

Client U and server S share the password pw.

  U:            x random in [1, q−1], X = g^x
  U sends to S: U, X
  S:            y random in [1, q−1], Y = g^y
  S sends to U: S, E_pw(Y)
  U:            Y = D_pw(received ciphertext), K_U = Y^x,
                Auth = H1(U || S || X || Y || K_U), sk_U = H0(U || S || X || Y || K_U)
  U sends to S: Auth
  S:            K_S = X^y; if Auth = H1(U || S || X || Y || K_S) then sk_S = H0(U || S || X || Y || K_S)
  • The proof relies on the Computational Diffie-Hellman assumption and on the Ideal Cipher Model. Model these assumptions in CryptoVerif.
  • The proof uses Shoup's lemma: insert an event and later prove that the probability of this event is negligible. Implement this reasoning technique in CryptoVerif.
  • The probability of success of an attack must be precisely evaluated as a function of the size of the password space. Optimize the computation of probabilities in CryptoVerif.
Computational Diffie-Hellman assumption
Consider a multiplicative cyclic group G of order q, with generator g. A probabilistic polynomial-time adversary has a negligible probability of computing g^ab from g, g^a, g^b, for random a, b ∈ Z_q.
Computational Diffie-Hellman assumption in CryptoVerif

In CryptoVerif, this can be written

  !i≤N new a:Z; new b:Z; (
      OA() := exp(g, a),
      OB() := exp(g, b),
      !i'≤N' OCDH(z:G) := z = exp(g, mult(a, b)))
≈
  !i≤N new a:Z; new b:Z; (
      OA() := exp(g, a),
      OB() := exp(g, b),
      !i'≤N' OCDH(z:G) := false)
Application: semantic security of hashed El Gamal in the random oracle model (A. Chaudhuri).

This model is not sufficient for EKE and other practical protocols. It assumes that a and b are chosen under the same replication. In practice, one participant chooses a, another chooses b, so these choices are made under different replications.
Computational Diffie-Hellman assumption in CryptoVerif
  !ia≤Na new a:Z; (
      OA() := exp(g, a),
      Oa() := a,
      !iaCDH≤naCDH OCDHa(m:G, j≤Nb) := m = exp(g, mult(b[j], a))),
  !ib≤Nb new b:Z; (
      OB() := exp(g, b),
      Ob() := b,
      !ibCDH≤nbCDH OCDHb(m:G, j≤Na) := m = exp(g, mult(a[j], b)))
≈
  !ia≤Na new a:Z; (
      OA() := exp(g, a),
      Oa() := let ka = mark in a,
      !iaCDH≤naCDH OCDHa(m:G, j≤Nb) :=
          find u≤nb suchthat defined(kb[u], b[u]) ∧ b[j] = b[u]
          then m = exp(g, mult(b[j], a))
          else if defined(ka) then m = exp(g, mult(b[j], a)) else false),
  !ib≤Nb new b:Z; (
      OB() := exp(g, b),
      Ob() := let kb = mark in b,
      !ibCDH≤nbCDH OCDHb(m:G, j≤Na) := (symmetric of OCDHa))
Computational Diffie-Hellman assumption in CryptoVerif
  !ia≤Na new a:Z; (
      OA() := exp(g, a),
      Oa() [3] := a,
      !iaCDH≤naCDH OCDHa(m:G, j≤Nb) [required] := m = exp(g, mult(b[j], a))),
  !ib≤Nb new b:Z; (
      OB() := exp(g, b),
      Ob() [3] := b,
      !ibCDH≤nbCDH OCDHb(m:G, j≤Na) := m = exp(g, mult(a[j], b)))
≈ [probability: (#OCDHa + #OCDHb) × max(1, e²#Oa) × max(1, e²#Ob) × pCDH(time + (na + nb + #OCDHa + #OCDHb) × time(exp))]
  !ia≤Na new a:Z; (
      OA() := exp'(g, a),
      Oa() := let ka = mark in a,
      !iaCDH≤naCDH OCDHa(m:G, j≤Nb) :=
          find u≤nb suchthat defined(kb[u], b[u]) ∧ b[j] = b[u]
          then m = exp(g, mult(b[j], a))
          else if defined(ka) then m = exp'(g, mult(b[j], a)) else false),
  !ib≤Nb new b:Z; (
      OB() := exp'(g, b),
      Ob() := let kb = mark in b,
      !ibCDH≤nbCDH OCDHb(m:G, j≤Na) := (symmetric of OCDHa))
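The oracles of the equivalence above, as an added Python sketch that is not part of the slides or of CryptoVerif. The class and function names, the toy group parameters and the exponents are constructed assumptions; the sketch shows that the two sides answer identically unless a correct g^ab is submitted for exponents that were never revealed through Oa or Ob.

```python
# Toy parameters, constructed for illustration only (far too small for real use):
# G = 4 generates the subgroup of prime order Q in Z_P^*, with P = 2Q + 1.
P, Q, G = 2039, 1019, 4

def exp(z, x): return pow(z, x, P)
def mult(x, y): return (x * y) % Q

class CDHOracles:
    """real=True: left-hand side; real=False: right-hand side of the equivalence."""
    def __init__(self, a, b, real):
        self.a, self.b, self.real = a, b, real
        self.ka, self.kb = set(), set()      # indices marked by Oa / Ob

    def OA(self, i): return exp(G, self.a[i])
    def OB(self, j): return exp(G, self.b[j])
    def Oa(self, i): self.ka.add(i); return self.a[i]   # let ka = mark in a
    def Ob(self, j): self.kb.add(j); return self.b[j]   # let kb = mark in b

    def OCDHa(self, i, m, j):
        """Copy i of a: is m = exp(g, mult(b[j], a))?"""
        ok = m == exp(G, mult(self.b[j], self.a[i]))
        if self.real:
            return ok
        # find u <= nb suchthat defined(kb[u], b[u]) and b[j] = b[u]
        if any(self.b[u] == self.b[j] for u in self.kb):
            return ok
        return ok if i in self.ka else False  # else if defined(ka) ... else false

    def OCDHb(self, j, m, i):
        """Symmetric of OCDHa."""
        ok = m == exp(G, mult(self.a[i], self.b[j]))
        if self.real:
            return ok
        if any(self.a[u] == self.a[i] for u in self.ka):
            return ok
        return ok if j in self.kb else False

def transcript(real):
    o = CDHOracles(a=[5, 11], b=[7, 13], real=real)   # constructed exponents
    gab = exp(G, mult(5, 7))          # stands in for the output of a CDH solver
    r = [o.OCDHa(0, gab, 0),          # correct value, a[0] and b[0] never revealed
         o.OCDHa(0, o.OA(0), 0)]      # wrong value
    a1 = o.Oa(1)                      # a[1] is revealed, so ka[1] is marked
    r.append(o.OCDHa(1, exp(o.OB(0), a1), 0))
    r.append(o.OCDHb(0, exp(o.OB(0), a1), 1))
    return r
```

Only the first query separates the two sides: the left side answers true and the right side false, and that query requires computing g^ab from g^a and g^b alone.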
Other declarations for Diffie-Hellman (1)

  g : G               generator of G
  exp(G, Z) : G       exponentiation
  mult(Z, Z) : Z      commutative product in Z_q

  exp(exp(z, a), b) = exp(z, mult(a, b))      (z^a)^b = z^ab
  (g^a)^b = g^ab and (g^b)^a = g^ba, equal by commutativity of mult

Injectivity:
  (exp(g, x) = exp(g, y)) = (x = y)
  (exp'(g, x) = exp'(g, y)) = (x = y)

Collision between products:
  new x1:Z; new x2:Z; new x3:Z; new x4:Z; mult(x1, x2) = mult(x3, x4) ≈ false, with probability 1/|Z|