We propose a protocol framework for credential-authenticated key exchange, in which two parties aim at establishing a secure channel without a joint PKI. Both parties prove in zero-knowledge that their credentials fulfill a relationship, say that both are citizens of a certain country or that they know a password. If they both fulfill the relation, they will obtain a joint random key for secure channel establishment. Otherwise they won’t learn anything about each other.

1. Jan Camenisch, Nathalie Casati, Thomas Gross and Victor Shoup
15 August 2010
Credential-Authenticated
Identification and Key Exchange
© 2009 IBM Corporation

2. IBM Presentation Template Full Version
Alice and Bob want to talk...
CAKE
erasures adaptive
2 © 2009 IBM Corporation

3. What to do with a CAKE?
PAKE
PAKE*
Secret Handshake
3 © 2009 IBM Corporation

4. IBM Presentation Template Full Version
Problem Tools Solution
4 © 2009 IBM Corporation

5. IBM Presentation Template Full Version
Problem
What's the CAKE ideal functionality?
What's key ideal world building block?
What challenges to solve for CAKE?
5 © 2009 IBM Corporation

6. What's the Strong CAKE ideal functionality?
1. Await inputs
2. On
With corruption
else
6 © 2009 IBM Corporation

7. What is the enhanced zero knowledge ideal functionality? [Can2005]
1. On input
such that
send
2. Wait for
3. On input
send to P
7 © 2009 IBM Corporation

8. How to realize CAID protocols?
How to overcome How to construct
dependency? CAID?
Protocols for
useful relations?
How to
realize ?
8 © 2009 IBM Corporation

9. IBM Presentation Template Full Version
Tools
How to bootstrap an authenticated
channel?
How to realize UC EZK?
How to prove equality?
9 © 2009 IBM Corporation

10. How to bootstrap an authenticated channel? [BCLPR2005]
Faites vos
jeux...
EITHER: OR:
10 © 2009 IBM Corporation

11. How to realize two-party split key exchange efficiently?
DH KE
Split Fn
?
all
Allows us to UC-realize split multi-
session secure channels under DDH.
11 © 2009 IBM Corporation

12. How to realize enhanced zero-knowledge? [GaMaYa2003, JarLys2000]
CRS CRS'
UCZK
[GaMaYa2003] [JarLys2000]
Paillier encrypt Committed proof
Strong and commit [MacYan2003]
RSA Proof of SSTC trapdoor
representation commitment
12 © 2009 IBM Corporation

13. How to prove equality? [CraSho1998, JarLys2000]
Are secrets and
equal?
Non-committing encryption
KeyGen Random
Encrypt t
s
Random
Mangle
z
Decrypt
UC-realize for under DDH
13
assumption in the hybrid model. © 2009 IBM Corporation

14. IBM Presentation Template Full Version
Solution
How to put it all together?
How to prove the protocols UC secure?
14 © 2009 IBM Corporation

15. How to put it together and prove it UC secure?
CRS
DDH
Strong CAID
15 © 2009 IBM Corporation

16. How to put it together and prove it UC secure?
CRS CRS
SPLIT
DDH DDH
CDH
Strong CAID CAID
16 © 2009 IBM Corporation

17. Summary [http://eprint.iacr.org/2010/055]
Corruption Adaptive corruptions with erasures
Model
System of prime order , generator .
Parameters Joint access to CRS (for & UCZK realization)
CAID* for : UC-secure under CDH.
General CAID* for : UC-secure under DDH.
Protocols Split transformation to CAID.
Split multi-session KE: UC-secure under DDH
PAKE secure against adaptive corruptions, UC-
Derived secure under DDH, w/o ROM.
Protocols PAKE* secure against adaptive corruptions and
server compromise, UC-secure under DDH.
17 © 2009 IBM Corporation

18. Jan Camenisch, Nathalie Casati, Thomas Gross and Victor Shoup
15 August 2010
Credential-Authenticated
Identification and Key Exchange
Speaker: Thomas Gross (thomasgross@acm.org, thomasgross.net)
Extended Version on IACR ePrint: http://eprint.iacr.org/2010/055
© 2009 IBM Corporation

19. BACKUP
19 © 2009 IBM Corporation

20. How to realize CAID?
Random Random
If
then
else
If
then
else CAID:
20 local data © 2009 IBM Corporation

21. How to prove the protocols UC secure?
CRS CRS
SPLIT
CDH CDH
=
CRS CRS
SPLIT
DDH DDH
=
21 © 2009 IBM Corporation