Strong authenticated key exchange with auxiliary inputs
Willy Susilo2016, Designs, Codes and Cryptography
Sign up for access to the world's latest research
checkGet notified about relevant papers
checkSave papers to use in your research
checkJoin the discussion with peers
checkTrack your impact
Abstract
Leakage attacks, including various kinds of side-channel attacks, allow an attacker to learn partial information about the internal secrets such as the secret key and the randomness of a cryptographic system. Designing a strong, meaningful, yet achievable security notion to capture practical leakage attacks is one of the primary goals of leakage-resilient cryptography. In this work, we revisit the modelling and design of authenticated key exchange (AKE) protocols with leakage resilience. We show that the prior works on this topic are inadequate in capturing realistic leakage attacks. To close this research gap, we propose a new security notion named leakage-resilient eCK model w.r.t. auxiliary inputs (AI-LR-eCK) for AKE protocols, which addresses the limitations of the previous models. Our model allows computationally hard-to-invert leakage of both the long-term secret key and the randomness, and also addresses a limitation existing in most of the previous models where the adversary is disallowed to make leakage queries during the challenge session. As another major contribution of this work, we present a generic framework for the construction of AKE protocols that are secure under the proposed AI-LR-eCK model. An instantiation based on the Decision Diffie-Hellman (DDH) assumption in the standard model is also given to demonstrate the feasibility of our proposed framework.
Related papers
Strongly Leakage-Resilient Authenticated Key Exchange
Lecture Notes in Computer Science, 2016
Authenticated Key Exchange (AKE) protocols have been widely deployed in many real-world applications for securing communication channels. In this paper, we make the following contributions. First, we revisit the security modelling of leakage-resilient AKE protocols, and show that the existing models either impose some unnatural restrictions or do not sufficiently capture leakage attacks in reality. We then introduce a new strong yet meaningful security model, named challenge-dependent leakage-resilient eCK (CLR-eCK) model, to capture challenge-dependent leakage attacks on both long-term secret key and ephemeral secret key (i.e., randomness). Second, we propose a general framework for constructing one-round CLR-eCK-secure AKE protocols based on smooth projective hash functions (SPHFs). This framework ensures the session key is private and authentic even if the adversary learns a large fraction of both long-term secret key and ephemeral secret key, and hence provides stronger security guarantee than existing AKE protocols which become insecure if the adversary can perform leakage attacks during the execution of a session. Finally, we also present a practical instantiation of the general framework based on the Decisional Diffie-Hellman assumption without random oracle. Our result shows that the instantiation is efficient in terms of the communication and computation overhead and captures more general leakage attacks.
Leakage Resilient Authenticated Key Exchange Secure in the Auxiliary Input Model
Lecture Notes in Computer Science, 2013
Authenticated key exchange (AKE) protocols allow two parties communicating over an insecure network to establish a common secret key. They are among the most widely used cryptographic protocols in practice. In order to resist key-leakage attacks, several leakage resilient AKE protocols have been proposed recently in the bounded leakage model. In this paper, we initiate the study on leakage resilient AKE in the auxiliary input model. A promising way to construct such a protocol is to use a digital signature scheme that is entropicallyunforgeable under chosen message and auxiliary input attacks. However, to date we are not aware of any digital signature scheme that can satisfy this requirement. On the other hand, we show that in the random oracle model, it is sufficient to use a digital signature scheme that is secure under random message and auxiliary input attacks in order to build a secure AKE protocol in the auxiliary input model, while the existence of such a digital signature scheme has already been proven. We will also give a comparison between the existing public-key encryption based and digital signature based leakage resilient AKE protocols. We show that the latter can provide a higher level of security than the former.
Strongly leakage resilient authenticated key exchange, revisited
Designs, Codes and Cryptography, 2019
Authenticated Key Exchange (AKE) protocols allow two (or multiple) parties to authenticate each other and agree on a common secret key, which is essential for establishing a secure communication channel over a public network. AKE protocols form a central component in many network security standards such as IPSec, TLS/SSL, and SSH. However, it has been demonstrated that many standardized AKE protocols are vulnerable to side-channel and key leakage attacks. In order to defend against such attacks, leakage resilient (LR-) AKE protocols have been proposed in the literature. Nevertheless, most of the existing LR-AKE protocols only focused on the resistance to long-term key leakage, while in reality leakage of ephemeral secret key (or randomness) can also occur due to various reasons such as the use of poor randomness sources or insecure pseudo-random number generators (PRNGs). In this paper, we revisit the strongly leakage resilient AKE protocol (CT-RSA'16) that aimed to resist challenge-dependent leakage on both long-term and ephemeral secret keys. We show that there is a security issue in the design of the protocol and propose an improved version that can fix the problem. In addition, we extend the protocol to a more general framework that can be efficiently instantiated under various assumptions, including hybrid instantiations that can resist key leakage attacks while preserving session key security against future quantum machines.
Efficient Leakage-Resilient Authenticated Key Agreement Protocol in the Continual Leakage eCK Model
IEEE Access
Based on users' permanent private keys and ephemeral secret keys (randomness secret values), authenticated key agreement (AKA) protocols are used to construct a common session key between two session parties while authenticating each other. Recently, the design of leakage-resilient AKA (LR-AKA) resisting side-channel attacks has received significant attention from researchers. By sidechannel attacks, an adversary is allowed to obtain fractional leakage information of private (secret) keys during the computation rounds of LR-AKA protocols. However, most LR-AKA protocols have a restriction, namely, the overall fractional leakage information must be bounded. In this paper, we propose an efficient LR-AKA protocol with overall unbounded leakage property in the continual leakage extended Canetti-Krawczyk model. Security analysis is given to demonstrate that our LR-AKA protocol is provably secure in the generic bilinear group model. By comparisons, our protocol is better than the previously proposed LR-AKA protocols in terms of computation cost, security model, and leakage properties.
Standard model leakage-resilient authenticated key exchange using inner-product extractors
Designs, Codes and Cryptography, 2022
With the development of side-channel attacks, a necessity arises to invent authenticated key exchange protocols in a leakage-resilient manner. Constructing authenticated key exchange protocols using existing cryptographic schemes is an effective method, as such construction can be instantiated with any appropriate scheme in a way that the formal security argument remains valid. In parallel, constructing authenticated key exchange protocols that are proven to be secure in the standard model is more preferred as they rely on real-world assumptions. In this paper, we present a Diffie-Hellman-style construction of a leakageresilient authenticated key exchange protocol, that can be instantiated with any CCLA2-secure public-key encryption scheme and a function from the pseudo-random function family. Our protocol is proven to be secure in the standard model assuming the hardness of the decisional Diffie-Hellman problem. Furthermore, it is resilient to continuous partial leakage of long-term secret keys, that happens even after the session key is established, while satisfying the security features defined by the eCK security model.
An Efficient and Leakage-Resilient RSA-Based Authenticated Key Exchange Protocol with Tight Security Reduction
IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, 2007
Both mutual authentication and generation of session keys can be accomplished by an authenticated key exchange (AKE) protocol. Let us consider the following situation: (1) a client, who communicates with many different servers, remembers only one password and has insecure devices (e.g., mobile phones or PDAs) with very-restricted computing power and built-in memory capacity; (2) the counterpart servers have enormous computing power, but they are not perfectly secure against various attacks (e.g., virus or hackers); (3) neither PKI (Public Key Infrastructures) nor TRM (Tamper-Resistant Modules) is available. The main goal of this paper is to provide security against the leakage of stored secrets as well as to attain high efficiency on client's side. For those, we propose an efficient and leakage-resilient RSA-based AKE (RSA-AKE) protocol suitable for the above situation whose authenticity is based on password and another secret. In the extended model where an adversary is given access to the stored secret of client, we prove that its security of the RSA-AKE protocol is reduced tightly to the RSA one-wayness in the random oracle model. We also show that the RSA-AKE protocol guarantees several security properties (e.g., security of password, multiple sever scenario with only one password, perfect forward secrecy and anonymity). To our best knowledge, the RSA-AKE protocol is the most efficient, in terms of both computation costs of client and communication costs, over the previous AKE protocols of their kind (using password and RSA). key words: authenticated key exchange, passwords, on-line and off-line dictionary attacks, RSA, leakage of stored secrets, efficiency, perfect forward secrecy
Authenticated Key Exchange Secure Against Dictionary Attacks
Password-based protocols for authenticated key exchange AKE are designed to work despite the use of passwords drawn from a space so small that an adversary might well enumerate, o line, all possible passwords. While several such protocols have been suggested, the underlying theory has been lagging. We begin by de ning a model for this problem, one rich enough to deal with password guessing, forward secrecy, server compromise, and loss of session keys. The one model can be used to de ne various goals. We take AKE with implicit" authentication as the basic" goal, and we give de nitions for it, and for entity-authentication goals as well. Then we prove correctness for the idea at the center of the Encrypted Key-Exchange EKE protocol of Bellovin and Merritt: we prove security, in an ideal-cipher model, of the two-ow protocol at the core of EKE. security analysis. This protocol problem has become quite popular, with further papers suggesting solutions including 7, 10, 11, 15 18,21, 22 . The reason for this interest is simple: password-guessing attacks are a common avenue for breaking into systems, and here is a domain where good cryptographic protocols can help. Contributions. Our rst goal was to nd an approach to help manage the complexity of de nitions and proofs in this domain. We start with the model and de nitions of Bellare and Rogaway 4 and modify or extend them appropriately. The model can be used to de ne the execution of authentication and keyexchange protocols in many di erent settings. We specify the model in pseudocode, not only in English, so as to provide succinct and unambiguous execution semantics. The model is used to de ne the ideas of proper partnering, freshness of session keys, and measures of security for authenticated key exchange, unilateral authentication, and mutual authentication. Some speci c features of our approach are: partnering via session IDs an old idea of Bellare, Petrank, Racko , and Rogaway|see Remark 1; a distinction between accepting a key and terminating; incorporation of a technical correction to 4 concerning Test queries this arose from a counter-example by Racko |see Remark 5; providing the adversary a separate capability to obtain honest protocol executions important to measure security against dictionary attacks; and providing the adversary corruption capabilities which enable a treatment of forward secrecy.
Security Enhancement and Modular Treatment towards Authenticated Key Exchange
Lecture Notes in Computer Science, 2010
We present an enhanced security model for the authenticated key exchange (AKE) protocols to capture the pre-master secret replication attack and to avoid the controversial random oracle assumption in the security proof. Our model treats the AKE protocol as two relatively independent modules, the secret exchange module and the key derivation module, and formalizes the adversarial capabilities and security properties for each of these modules. We prove that the proposed security model is stronger than the extended Canetti-Krawczyk model. Moreover, we introduce NACS, a two-pass AKE protocol which is secure in the enhanced model. NACS is practical and efficient, since it reqires less exponentiations, and, more important, admits a tight security reduction with weaker standard cryptographic assumptions. Finally, the compact and elegant security proof of NACS shows that our method is reasonable and effective.
Efficient Public-Key Cryptography in the Presence of Key Leakage
2010
We study the design of cryptographic primitives resistant to a large class of side-channel attacks, called “memory attacks”, where an attacker can repeatedly and adaptively learn information about the secret key, subject only to the constraint that the overall amount of such information is bounded by some parameter ℓ. Although the study of such primitives was initiated only recently by Akavia et al. [2], subsequent work already produced many such “leakage-resilient” primitives [48,4,42], including signature, encryption, identification (ID) and authenticated key agreement (AKA) schemes. Unfortunately, every existing scheme, — for any of the four fundamental primitives above, — fails to satisfy at least one of the following desirable properties: Efficiency. While the construction may be generic, it should have some efficient instantiations, based on standard cryptographic assumptions, and without relying on random oracles. Strong Security. The construction should satisfy the strongest possible definition of security (even in the presence of leakage). For example, encryption schemes should be secure against chosen ciphertext attack (CCA), while signatures should be existentially unforgeable. Leakage Flexibility. It should be possible to set the scheme parameters so that the leakage bound ℓ can come arbitrarily close to the secret-key size. In this work we design the first signature, encryption, ID and AKA schemes which overcome these limitations, and satisfy all the properties above. Moreover, all our constructions are generic, in several cases elegantly simplifying and generalizing the prior constructions (which did not have any efficient instantiations). We also introduce several tools of independent interest, such as the abstraction (and constructions) of true-simulation extractable NIZK arguments, and a new deniable DH-based AKA protocol based on any CCA-secure encryption.
On the limits of authenticated key exchange security with an application to bad randomness
State-of-the-art authenticated key exchange (AKE) protocols are proven secure in gamebased security models. These models have considerably evolved in strength from the original Bellare-Rogaway model. However, so far only informal impossibility results, which suggest that no protocol can be secure against stronger adversaries, have been sketched. At the same time, there are many different security models being used, all of which aim to model the strongest possible adversary. In this paper we provide the first systematic analysis of the limits of game-based security models. Our analysis reveals that different security goals can be achieved in different relevant classes of AKE protocols. From our formal impossibility results, we derive strong security models for these protocol classes and give protocols that are secure in them. In particular, we analyse the security of AKE protocols in the presence of adversaries who can perform attacks based on chosen randomness, in which the adversary controls the randomness used in protocol sessions. Protocols that do not modify memory shared among sessions, which we call stateless protocols, are insecure against chosen-randomness attacks. We propose novel stateful protocols that provide resilience even against this worst case randomness failure, thereby weakening the security assumptions required on the random number generator.
Related papers
Leakage resilient eCK-secure key exchange protocol without random oracles
Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security, 2011
This paper presents the first formalization of partial key leakage security of a two-pass two-party authenticated key exchange (AKE) protocol on the extended Canetti-Krawczyk (eCK) security model. Our formalization, λ-leakage resilient eCK security, is a (stronger) generalization of the eCK security model with enhanced by the notion of λ-leakage resilient security recently introduced by Akavia, Goldwasser and Vaikuntanathan. We present a PKI-based two-pass key exchange protocol with Hash Proof System (HPS), that is λ-leakage resilient eCK secure without random oracles.
Modelling after-the-fact leakage for key exchange
Proceedings of the 9th ACM symposium on Information, computer and communications security - ASIA CCS '14, 2014
Security models for two-party authenticated key exchange (AKE) protocols have developed over time to prove the security of AKE protocols even when the adversary learns certain secret values. In this work, we address more granular leakage: partial leakage of long-term secrets of protocol principals, even after the session key is established. We introduce a generic key exchange security model, which can be instantiated allowing bounded or continuous leakage, even when the adversary learns certain ephemeral secrets or session keys. Our model is the strongest known partial-leakage-based security model for key exchange protocols. We propose a generic construction of a two-pass leakage-resilient key exchange protocol that is secure in the proposed model, by introducing a new concept: the leakage-resilient NAXOS trick. We identify a special property for public-key cryptosystems: pair generation indistinguishability, and show how to obtain the leakage-resilient NAXOS trick from a pair generation indistinguishable leakage-resilient public-key cryptosystem.
A Leakage-Resilient Certificateless Authenticated Key Exchange Protocol Withstanding Side-Channel Attacks
IEEE Access
Certificateless public-key cryptography has conquered both the certificate management problem in the traditional public-key cryptography and the key escrow problem in the ID-based publickey cryptography. Certificateless authenticated key exchange (CLAKE) protocol is an important primitive of the certificateless public-key cryptography. A CLAKE protocol is employed to provide both mutual authentication and establishing a session key between two participators. Indeed, all conventional publickey cryptographies have encountered a new kind of attack, named ''side-channel attacks''. Fortunately, leakage-resilient cryptography is a flexible approach to withstand such attacks. However, the design of leakage-resilient CLAKE (LR-CLAKE) protocols is not studied. In the article, by extending the wellknown extended-Canetti-Krawczyk (eCK) model, we present the security notions (adversary model) of LR-CLAKE protocols, called continual-leakage-resilient eCK (CLReCK) model. The first LR-CLAKE protocol withstanding side-channel attacks is proposed. By employing the proof technique of the generic bilinear group (GBG) model, we formally prove the security of our protocol in the CLReCK model.
A Simple Leakage-Resilient Authenticated Key Establishment Protocol, Its Extensions, and Applications
IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, 2005
Authenticated Key Establishment (AKE) protocols enable two entities, say a client (or a user) and a server, to share common session keys in an authentic way. In this paper, we review the previous AKE protocols, all of which turn out to be insecure, under the following realistic assumptions: (1) High-entropy secrets that should be stored on devices may leak out due to accidents such as bugs or mis-configureations of the system; (2) The size of human-memorable secret, i.e. password, is short enough to memorize, but large enough to avoid on-line exhaustive search;
Leakage-Resilient Authenticated Key Establishment Protocols
Lecture Notes in Computer Science, 2003
Authenticated Key Establishment (AKE) protocols enable two entities, say a client (or a user) and a server, to share common session keys in an authentic way. In this paper, we review AKE protocols from a little bit different point of view, i.e. the relationship between information a client needs to possess (for authentication) and immunity to the respective leakage of stored secrets from a client side and a server side. Since the information leakage would be more conceivable than breaking down the underlying cryptosystems, it is desirable to enhance the immunity to the leakage. First and foremost, we categorize AKE protocols according to how much resilience against the leakage can be provided. Then, we propose new AKE protocols that have immunity to the leakage of stored secrets from a client and a server (or servers), respectively. And we extend our protocols to be possible for updating secret values registered in server(s) or password remembered by a client.
A note on leakage-resilient authenticated key exchange
IEEE Transactions on Wireless Communications, 2000
Fathi et al. recently proposed a leakage-resilient authenticated key exchange protocol for a server-client model in mobility environment over wireless links. In the paper, we address flaws in a hash function used in the protocol. The direct use of the hash function cannot guarantee the security of the protocol. We also point out that a combination of the hash function and the RSA cryptosystem in the protocol may not work securely. To remedy these problems, we improve upon the protocol by modifying the hash function correctly.
Security of a leakage-resilient protocol for key establishment and mutual authentication
2007
We revisit Shin et al.'s leakage-resilient password-based authenticated key establishment protocol (LR-AKEP) and the security model used to prove the security of LR-AKEP. By refining the Leak oracle in the security model, we show that LR-AKE (1) can, in fact, achieve a stronger notion of leakage-resilience than initially claimed and (2) also achieve an additional feature of traceability, not previously mentioned.
New approach to practical leakage-resilient public-key cryptography
Journal of Mathematical Cryptology
We present a new approach to construct several leakage-resilient cryptographic primitives, including leakage-resilient public-key encryption (PKE) schemes, authenticated key exchange (AKE) protocols and low-latency key exchange (LLKE) protocols. To this end, we introduce a new primitive called leakage-resilient non-interactive key exchange (LR-NIKE) protocol. We introduce an appropriate security model for LR-NIKE protocols in the bounded memory leakage (BML) settings. We then show a secure construction of the LR-NIKE protocol in the BML setting that achieves an optimal leakage rate, i.e., {1-o(1)} . Our construction of LR-NIKE requires a minimal use of a leak-free hardware component. We argue that the use of such a leak-free hardware component seems to be unavoidable in any construction of an LR-NIKE protocol, even in the BML setting. Finally, we show how to construct the aforementioned leakage-resilient primitives from such an LR-NIKE protocol as summarized below. All these primiti...
A Leakage-resilient ID-based Authenticated Key Exchange Protocol with a Revocation Mechanism
IEEE Access
Establishing a session key (SSK) is very important for real-world deployment in open networks, which enables secure communication between remote parties. In the past, some authenticated key exchange (AKE) protocols have been proposed to generate a SSK, but the certificate management issue is inhered in the traditional public key infrastructure and must be addressed. To tackle this issue, the identity (ID)-based concept is added to AKE, called ID-AKE. Indeed, the security of the existing AKE/ID-AKE protocols is gaining increasing importance due to some new types of attacks, namely, side-channel attacks. In such attacks, adversaries could obtain secret keys' partial information during the execution of cryptographic protocols (including AKE/ID-AKE). To withstand such attacks, many leakage-resilient ID-AKE (LR-ID-AKE) protocols resisting side-channel attacks have been proposed. However, these existing LR-ID-AKE protocols have no efficient solution to revoke compromised users. In this article, the first LR-ID-AKE protocol with an efficient revocation mechanism, called LR-RID-AKE, is proposed. The proposed protocol is not only as secure as existing LR-ID-AKE protocols but also able to efficiently revoke compromised users from the system. INDEX TERMS Leakage-resilient; authenticated key exchange; revocation; generic bilinear group This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication.
Weaknesses in a leakage-resilient authenticated key transport protocol
2005
In this paper we demonstrate the existence of a number of weaknesses in a leakage-resilient authenticated key transport protocol due to Shin, Kobara and Imai. The weaknesses imply that the protocol cannot achieve the security goals claimed by its designers. We also propose an enhanced protocol which is immune to some of these vulnerabilities.
Loading Preview
Sorry, preview is currently unavailable. You can download the paper by clicking the button above.