You Lyu,Shengli Liu

DOI: https://doi.org/10.1007/978-3-031-50594-2_21

2024-01-01

Abstract:In two-message authenticated key exchange (AKE), it is necessary for the initiator to keep a round state after sending the first round-message, because he/she has to derive his/her session key after receiving the second round-message. Up to now almost all two-message AKEs constructed from public-key encryption (PKE) only achieve weak security which does not allow the adversary obtaining the round state. How to support state reveal to obtain a better security called IND-AA security has been an open problem proposed by Hovelmann et al. (PKC 2020). In this paper, we solve the open problem with a generic construction of two-message AKE from any CCA-secure Tagged Key Encapsulation Mechanism (TKEM). Our AKE supports state reveal and achieves IND-AA security. Given the fact that CCA-secure public-key encryption (PKE) implies CCA-secure TKEM, our AKE can be constructed from any CCA-secure PKE with proper message space. The abundant choices for CCA-secure PKE schemes lead to many IND-AA secure AKE schemes in the standard model. Moreover, following the online-extractability technique in recent work by Don et al. (Eurocrypt 2022), we can extend the Fujisaki-Okamoto transformation to transform any CPA-secure PKE into a CCA-secure Tagged KEM in QROM. Therefore, we obtain the first generic construction of IND-AA secure two-message AKE from CPA-secure PKE in QROM. This construction does not need any signature scheme, and this result is especially helpful in the post-quantum world, since the current quantum-secure PKE schemes are much more efficient than their signature counterparts.

Shuai Han,Tibor Jager,Eike Kiltz,Shengli Liu,Jiaxin Pan,Doreen Riepel,Sven Schaege

DOI: https://doi.org/10.1007/978-3-030-84259-8_23

2021-01-01

Abstract:We construct the first authenticated key exchange protocols that achieve tight security in the standard model. Previous works either relied on techniques that seem to inherently require a random oracle, or achieved only "Multi-Bit-Guess" security, which is not known to compose tightly, for instance, to build a secure channel. Our constructions are generic, based on digital signatures and key encapsulation mechanisms (KEMs). The main technical challenges we resolve is to determine suitable KEM security notions which on the one hand are strong enough to yield tight security, but at the same time weak enough to be efficiently instantiable in the standard model, based on standard techniques such as universal hash proof systems. Digital signature schemes with tight multi-user security in presence of adaptive corruptions are a central building block, which is used in all known constructions of tightly-secure AKE with full forward security. We identify a subtle gap in the security proof of the only previously known efficient standard model scheme by Bader et al. (TCC 2015). We develop a new variant, which yields the currently most efficient signature scheme that achieves this strong security notion without random oracles and based on standard hardness assumptions.

Xiangyu Liu,Shengli Liu,Shuai Han,Dawu Gu

DOI: https://doi.org/10.1007/978-3-031-31368-4_24

2023-01-01

Abstract:(Asymmetric) Password-based Authenticated Key Exchange ((a)PAKE) protocols allow two parties establish a session key with a pre-shared low-entropy password. In this paper, we show how Encrypted Key Exchange (EKE) compiler [Bellovin and Merritt, S &P 1992] meets tight security in the Universally Composable (UC) framework. We propose a strong 2DH variant of EKE, denoted by 2DH-EKE, and prove its tight security in the UC framework based on the CDH assumption. The efficiency of 2DH-EKE is comparable to the original EKE, with only $$O(\lambda )$$ bits growth in communication ( $$\lambda $$ the security parameter), and two (resp., one) extra exponentiation in computation for client (resp., server). We also develop an asymmetric PAKE scheme 2DH-aEKE from 2DH-EKE. The security reduction loss of 2DH-aEKE is N, the total number of client-server pairs. With a meta-reduction, we formally prove that such a factor N is inevitable in aPAKE. Namely, our 2DH-aEKE meets the optimal security loss. As a byproduct, we further apply our technique to PAKE protocols like SPAKE2 and PPK in the relaxed UC framework, resulting in their 2DH variants with tight security from the CDH assumption.

Qi Xie,Guilin Wang,Fubiao Xia,Deren Chen

DOI: https://doi.org/10.1002/cpe.3058

2013-01-01

Concurrency and Computation Practice and Experience

Abstract:By integrating self-certified public-key systems and the designated verifier proxy signature with message recovery, Wu and Lin proposed the first self-certified proxy convertible authenticated encryption (SP-CAE) scheme and its variants based on discrete logarithm problem (DLP) in 2009. Though their schemes are claimed provably secure, we demonstrate that their schemes are existentially forgeable under adaptive chosen warrants, unconfidentiable and verifiable under adaptive chosen messages and designated verifiers. Then we propose a provably secure SP-CAE scheme in the random oracle model.

Shuai Han,Shengli Liu,Dawu Gu

DOI: https://doi.org/10.1007/978-3-030-92075-3_17

2021-01-01

Abstract:For Key Encapsulation Mechanism (KEM) deployed in a multi-user setting, an adversary may corrupt some users to learn their secret keys, and obtain some encapsulated keys due to careless key managements of users. To resist such attacks, we formalize Enhanced security against Chosen Plaintext/Ciphertext Attack (ECPA/ECCA), which ask the pseudorandomness of unrevealed encapsulated keys under uncorrupted users. This enhanced security for KEM serves well for the security of a class of Authenticated Key Exchange protocols built from KEM. In this paper, we study the achievability of tight ECPA and ECCA security for KEM in the multi-user setting, and present an impossibility result and an optimal security loss factor that can be obtained. The existing meta-reduction technique due to Bader et al. (EUROCRYPT 2016) rules out some KEMs, but many well-known KEMs, e.g., Cramer-Shoup KEM (SIAM J. Comput. 2003), Kurosawa-Desmedt KEM (CRYPTO 2004), run out. To solve this problem, we develop a new technique tool named rank of KEM and a new secret key partitioning strategy for meta-reduction. With this new tool and new strategy, we prove that KEM schemes with polynomially-bounded ranks have no tight ECPA and ECCA security from non-interactive complexity assumptions, and the security loss is at least linear in the number n of users. This impossibility result covers lots of well-known KEMs, including the CramerShoup KEM, Kurosawa-Desmedt KEM and many others. Moreover, we show that the linear security loss is optimal by presenting concrete KEMs with security loss T(n). This is justified by a non-trivial security reduction with linear loss factor from ECPA/ECCA security to the traditional multi-challenge CPA/CCA security.

LIU Wen-hao,XU Chun-xiang

DOI: https://doi.org/10.3969/j.issn.1001-3695.2011.03.096

2011-01-01

Abstract:This paper proposed a new strongly secure AKA scheme.The new scheme satisfied many known desirable security properties for AKA including resistance to key-compromise impersonation(KCI)attacks,resilience to the leakage of known session-specific temporary information and the leakage of hash values.The new scheme was secure in the eCK model as long as each party had at least one uncompromised secret,what's more,the new scheme enhanced the computational efficiency.

Jintai Ding,Saed Alsayigh,Jean Lancrenon,R. Saraswathy,Michael Snook

DOI: https://doi.org/10.1007/978-3-319-52153-4_11

2017-01-01

Abstract:Authenticated Key Exchange (AKE) is a cryptographic scheme with the aim to establish a high-entropy and secret session key over a insecure communications network. Password-Authenticated Key Exchange (PAKE) assumes that the parties in play share a simple password, which is cheap and human-memorable and is used to achieve the authentication. PAKEs are practically relevant as these features are extremely appealing in an age where most people access sensitive personal data remotely from more-and-more pervasive hand-held devices. Theoretically, PAKEs allow the secure computation and authentication of a high-entropy piece of data using a low-entropy string as a starting point. In this paper, we apply the recently proposed technique introduced in [19] to construct two lattice-based PAKE protocols enjoying a very simple and elegant design that is an parallel extension of the class of Random Oracle Model (ROM)-based protocols PAK and PPK [13,41], but in the lattice-based setting. The new protocol resembling PAK is three-pass, and provides mutual explicit authentication, while the protocol following the structure of PPK is two-pass, and provides implicit authentication. Our protocols rely on the Ring-Learning-with-Errors (RLWE) assumption, and exploit the additive structure of the underlying ring. They have a comparable level of efficiency to PAK and PPK, which makes them highly attractive. We present a preliminary implementation of our protocols to demonstrate that they are both efficient and practical. We believe they are suitable quantum safe replacements for PAK and PPK.

Mingming Jiang,Shengli Liu,Shuai Han,Dawu Gu

DOI: https://doi.org/10.1007/978-3-031-17146-8_17

2022-01-01

Abstract:Fuzzy authenticated key exchange (FAKE) enables two parties to agree on a shared key with the help of their fuzzy sources, like biometric features [3,9], physical unclonable functions (PUFs) [16], etc. In FAKE, each user will generate public strings from its own fuzzy source, and register public strings to the system. In the interactive protocol of FAKE, the user will again employ their own fuzzy sources to accomplish key agreement and achieve authenticity and privacy for the agreed session keys. The advantage of FAKE is that users do not have to store them in the devices, hence do not worry about key leakage due to bad key management in devices. In this paper, We propose a generic construction of FAKE from three building blocks including secure sketch (SS), key encapsulation scheme (KEM) and a digital signature (SIG). We also define authenticity for users and pseudo-randomness for session keys to formalize the security of FAKE in the multi-user multi-challenge setting. We prove the security of our FAKE construction with tight security reductions to the building blocks in the random oracle model. Given the available choices for SS, tightly secure KEM and tightly secure SIG schemes, we obtain a bunch of FAKE schemes with tight security in the multi-user multi-challenge setting.

Yunxia Han,Chunxiang Xu,Changsong Jiang,Kefei Chen

DOI: https://doi.org/10.1109/tdsc.2024.3382359

2024-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Two-factor authentication key exchange (AKE) is an effective way to strengthen the security of password-authenticated key exchange. Most two-factor AKE schemes using smart cards as the second factor require users to have the second factor with them any time, which causes users inconveniences. Biometrics provide a user-friendly manner to achieve two-factor AKE since they need not be carried. However, biometrics may have less entropy than expected and would suffer from offline guessing attacks. In this paper, we propose a secure two-factor authentication key exchange scheme TAKE that resists offline guessing attacks against biometrics and passwords. In TAKE, a user generates a combined factor of his/her biometrics and password. To protect the combined factor, the user and the server leverages secure two-party computation to blind it with a key which is protected in a trusted execution environment. Thus, TAKE prevents an adversary from eavesdropping on the combined factor, and simultaneously guarantees that he cannot recover the combined factor from blinded one to undertake offline guessing attacks even if he compromises the server and obtains the blinded combined factor. We provide the formal security proof of TAKE. The experiments show that TAKE is efficient in terms of storage, computation, and communication overhead.

computer science, information systems, software engineering, hardware & architecture

Jiang Zhang,Zhenfeng Zhang,Jintai Ding,Michael Snook,Oezguer Dagdelen

DOI: https://doi.org/10.1007/978-3-662-46803-6_24

2015-01-01

Abstract:In this paper, we present a practical and provably secure two-pass AKE protocol from ideal lattices, which is conceptually simple and has similarities to the Diffie-Hellman based protocols such as HMQV (CRYPTO 2005) and OAKE (CCS 2013). Our protocol does not rely on other cryptographic primitives—in particular, it does not use signatures—simplifying the protocol and resting the security solely on the hardness of the ring learning with errors problem. The security is proven in the Bellare-Rogaway model with weak perfect forward secrecy. We also give a one-pass variant of our two-pass protocol, which might be appealing in specific applications. Several concrete choices of parameters are provided, and a proof-of-concept implementation shows that our protocols are indeed practical.

Lin Lyu,Shengli Liu,Shuai Han,Dawu Gu

DOI: https://doi.org/10.1007/978-3-319-76578-5_3

2018-01-01

Abstract:Selective opening security (SO security) is desirable for public key encryption (PKE) in a multi-user setting. In a selective opening attack, an adversary receives a number of ciphertexts for possibly correlated messages, then it opens a subset of them and gets the corresponding messages together with the randomnesses used in the encryptions. SO security aims at providing security for the unopened ciphertexts. Among the existing simulation-based, selective opening, chosen ciphertext secure (SIM-SO-CCA secure) PKEs, only one (Libert et al. Crypto'17) enjoys tight security, which is reduced to the Non-Uniform LWE assumption. However, their public key and ciphertext are not compact.In this work, we focus on constructing PKE with tight SIM-SO-CCA security based on standard assumptions. We formalize security notions needed for key encapsulation mechanism (KEM) and show how to transform these securities into SIM-SO-CCA security of PKE through a tight security reduction, while the construction of PKE from KEM follows the general framework proposed by Liu and Paterson (PKC'15). We present two KEM constructions with tight securities based on the Matrix Decision Diffie-Hellman assumption. These KEMs in turn lead to two tightly SIM-SO-CCA secure PKE schemes. One of them enjoys not only tight security but also compact public key.

Changsong Jiang,Chunxiang Xu,Yunxia Han,Zhao Zhang,Kefei Chen

DOI: https://doi.org/10.1109/tifs.2024.3372812

IF: 7.231

2024-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Multi-factor authenticated key exchange (AKE) enables a user to be authenticated by a server using multiple factors and negotiate a shared session key to protect subsequent communications. Most existing multi-factor AKE schemes utilize biometrics as one factor due to their uniqueness and invariance properties. To support matching for noisy biometrics and protect them, fuzzy extractors are employed to extract a constant random string from varying biometric measurements without disclosing biometric data. However, the fuzzy extractors used in these schemes merely work on biometrics with an entropy rate greater than the error rate. Hence these schemes are unsuitable for biometrics with low entropy rates. In this paper, we propose a secure two-factor AKE scheme dubbed AHEAD from passwords and biometrics, which eliminates the limitation of biometric entropy rates. In AHEAD, we conceive a matching mechanism to simultaneously check whether an input biometric measurement with low entropy rates is close enough to the registered one, and whether an input password exactly matches the registered password. The mechanism allows a valid user to generate a secret element shared with the server in an oblivious way. By adopting a randomization technique, the secret element can be randomized for derivation of session keys. The security and efficiency of AHEAD are demonstrated by formal security proofs and experimental evaluations.

computer science, theory & methods,engineering, electrical & electronic

You Lyu,Shengli Liu,Shuai Han,Dawu Gu

DOI: https://doi.org/10.1007/978-3-031-22969-5_8

2022-01-01

Abstract:Privacy-Preserving Authenticated Key Exchange (PPAKE) provides protection both for the session keys and the identity information of the involved parties. In this paper, we introduce the concept of robustness into PPAKE. Robustness enables each user to confirm whether itself is the target recipient of the first round message in the protocol. With the help of robustness, a PPAKE protocol can successfully avoid the heavy redundant communications and computations caused by the ambiguity of communicants in the existing PPAKE, especially in broadcast channels. We propose a generic construction of robust PPAKE from key encapsulation mechanism (KEM), digital signature (SIG), message authentication code (MAC), pseudo-random generator (PRG) and symmetric encryption (SE). By instantiatingKEM, MAC, PRG from theDDHassumption and SIG from the CDH assumption, we obtain a specific robust PPAKE scheme in the standard model, which enjoys forward security for session keys, explicit authentication and forward privacy for user identities. Thanks to the robustness of our PPAKE, the number of broadcast messages per run and the computational complexity per user are constant, and in particular, independent of the number of users in the system.

Jianjie Zhao,Dawu Gu

DOI: https://doi.org/10.1016/j.jss.2010.07.010

2010-01-01

Abstract:Constructing a secure key exchange protocol is one of the most challenging problems in information security. We propose a provably secure two-round two-party authenticated key exchange (2AKE) protocol based on the well-studied CDH assumption in eCK model to provide the strongest definition of security for key exchange protocol when using the matching session to define the partnership. The underlying hardness assumption (CDH assumption) of our protocol is weaker than these of four other provably secure 2AKE protocols in CK model or eCK model and the computational cost of our protocol is reasonable. We also present a three-round variant of our protocol to realize key conformation.

Shuai Han,Shengli Liu,Lin Lyu

DOI: https://doi.org/10.1155/2017/2148534

IF: 1.968

2017-01-01

Security and Communication Networks

Abstract:KDM[F]-CCA security of public-key encryption (PKE) ensures the privacy of key-dependent messages f(sk) which are closely related to the secret key sk, where f∈F, even if the adversary is allowed to make decryption queries. In this paper, we study the design of KDM-CCA secure PKE. To this end, we develop a new primitive named Auxiliary-Input Authenticated Encryption (AIAE). For AIAE, we introduce two related-key attack (RKA) security notions, including IND-RKA and weak-INT-RKA. We present a generic construction of AIAE from tag-based hash proof system (HPS) and one-time secure authenticated encryption (AE) and give an instantiation of AIAE under the Decisional Diffie-Hellman (DDH) assumption. Using AIAE as an essential building block, we give two constructions of efficient KDM-CCA secure PKE based on the DDH and the Decisional Composite Residuosity (DCR) assumptions. Specifically, (i) our first PKE construction is the first one achieving KDM[Faff]-CCA security for the set of affine functions and compactness of ciphertexts simultaneously. (ii) Our second PKE construction is the first one achieving KDM[Fpolyd]-CCA security for the set of polynomial functions and almost compactness of ciphertexts simultaneously. Our PKE constructions are very efficient; in particular, they are pairing-free and NIZK-free.

Jianjie Zhao,Dawu Gu

DOI: https://doi.org/10.1016/j.ins.2011.07.015

IF: 8.1

2011-01-01

Information Sciences

Abstract:A three-party password-based authenticated key exchange (3PAKE) protocol is a useful mechanism to establish a secure session key in a network. However, most current 3PAKE protocols only achieve “heuristic” security; the underlying hardness assumptions of these protocols are not perfect. We propose a 3PAKE protocol which is provably secure if the Diffie–Hellman problem is computationally infeasible (the CDH assumption), even in the 3eCK model where the adversary is allowed to make more queries and have more freedom than previous models. In our formal proof, we use the trapdoor test technique introduced by Cash, Kiltz and Shoup to construct an efficient decision oracle. As far as we know, our protocol is the first provably secure 3PAKE protocol based on the CDH assumption and the first 3PAKE protocol using the trapdoor test technique for the security proof.

Mingping Qi,Jianhua Chen

DOI: https://doi.org/10.1109/JSYST.2020.2986506

2021-01-01

Abstract:Authenticated key exchange (AKE) is a crucial cryptographic primitive used for establishing an authenticated and confidential communication channel between parties, which has been widely used in our daily life when we surf on the Internet. However, in past decades mutual AKE protocols have been studied extensively in theory, while in many practical environments such as in the Tor anonymity network the mutual authentication property is undesirable. Meanwhile, considering privacy protection is getting more and more attention and one-way AKE protocols play an important role in privacy protection, so no matter in theory or in practice, it is quite meaningful to conduct research on the one-way AKE protocols. In this article, we present a new efficient anonymous one-way AKE protocol, which has strong anonymity and security properties guarantee, and efficiency advantages. Moreover, our new scheme has tight security reduction and is formally proved secure in the random oracle model under the Gap-DH and XCR signature security assumptions.

Xiangyu Pan,Fagen Li

DOI: https://doi.org/10.1016/j.sysarc.2021.102075

IF: 5.836

2021-01-01

Journal of Systems Architecture

Abstract:The notion of Public-key Encryption with Keyword Search (PEKS) was first proposed by Boneh et al. in 2004. However, almost all PEKS schemes cannot resist offline Keyword Guessing Attacks (KGA). To address this issue, Huang and Li introduced the notion of Public-key Authenticated Encryption with Keyword Search (PAEKS) in 2017. Recently, Qin et al. put forward a new security model named Multi-Ciphertext Indistinguishability (MCI), in which an adversary aims to distinguish two tuples of ciphertexts. They found that Huang and Li’s scheme cannot achieve MCI-security, so they proposed a new scheme which is able to achieve MCI-security. Furthermore, Qin et al. referred to another security model named Multi-Trapdoor Indistinguishability (MTI). They stated that the future work direction is to design a scheme which can achieve both MCI-security and MTI-security. In this paper, we present a new PAEKS scheme and prove that it is capable of achieving MCI-security and MTI-security simultaneously with the help of random oracles. Finally, we compare our scheme with other four related schemes using PBC library and provide experimental results. It turns out that our scheme achieves a higher security level with a little more cost.

Jiehui Nan,Mengce Zheng,Zilong Wang,Honggang Hu

DOI: https://doi.org/10.1007/978-981-15-0818-9_17

2019-01-01

Abstract:In cyber security, authenticated key exchange (AKE) can be used to achieve the privacy and authentication of data. As a relevant cryptographic protocol, password-based authenticated key exchange (PAKE) has been studied for its convenience. Recently, Katz and Vaikuntanathan proposed a round-optimal PAKE from smooth projective hash functions (SPHFs). However, the instantiation of smooth projective hash functions depends on the underlying NP-relation which is a CCA-secure encryption relation in their construction. In this paper, we apply a new cryptographic primitive named witness PRFs to construct PAKE. In our settings, the concrete construction of witness PRFs is independent of the underlying NP-relation. At this point, our construction is more general, and furthermore, we have a discussion on some possible NP-relations, which could be used to construct secure PAKE in our settings.

Zheng Yang,Shuangqing Li

DOI: https://doi.org/10.1016/j.ipl.2015.08.006

IF: 0.851

2016-01-01

Information Processing Letters

Abstract:In this paper, we revisit the security result of an authenticated key exchange (AKE) scheme proposed in AsiaCCS'14 by Alawatugoda, Stebila and Boyd (which is referred to as ASB scheme). The ASB scheme is proved to be secure in a new bounded (continuous) after-the-fact leakage extended Canetti–Krawczyk (B(C)AFL-eCK) model without random oracles, where the B(C)AFL-eCK is extended from the eCK model. However we disprove their security results. We first show an attack against ASB scheme in the eCK model. This also implies that the insecurity of ASB scheme in the B(C)AFL-eCK model. Secondly we point out that the security of ASB scheme is incorrectly reduced to DDH assumption. A solution is proposed to fix the problem of ASB scheme with minimum changes, which yields a new ASB' scheme. We prove the eCK security of ASB' in the random oracle model under Gap Diffie–Hellman assumption.