towards bidirectional ratcheted key exchange - iacr crypto · ratcheted key exchange crypto 2018...

2018-08-20

Information Security Group

Royal Holloway, University of London

Horst Görtz Institute for IT Security

Chair for Network and Data Security

Ruhr University Bochum

Towards Bidirectional Ratcheted Key Exchange

CRYPTO 2018

Bertram Poettering Paul Rösler

What is Ratcheting?

Modeling RKE

Construction Intuition

Results

Towards Bidirectional Ratcheted Key Exchange CRYPTO 2018 | Paul Rösler | Santa Barbara | 2018-08-20 2

Introduction

• Alice and Bob communicate

• Active adversary

●

What is Ratcheting?

Modeling RKE


Results


Introduction



●

Hey Bob! ❤

Love you ❤

Darling?

1 year later? That’s a secret!

Hey Bob! ❤

Love you ❤

Darling?


What is Ratcheting?

Modeling RKE


Results


Introduction



• Long term communication

• Local (full) state temporarily exposed

●

Hey Bob! ❤

Love you ❤

Darling?


Hey Bob! ❤

Love you ❤

Darling?


What is Ratcheting?

Modeling RKE


Results


Introduction





• Practical protocols w/o precise security definition

• E.g., Signal

●

Hey Bob! ❤

Love you ❤

Darling?


Hey Bob! ❤

Love you ❤

Darling?


What is Ratcheting?

Modeling RKE


Results


What is Ratcheting?






• E.g., Signal

●

Hey Bob! ❤

Love you ❤

Darling?


Hey Bob! ❤

Love you ❤

Darling?


What is Ratcheting?

Modeling RKE


Results


What is Ratcheting?






• E.g., Signal

●

Hey Bob! ❤

Love you ❤

Darling?


Hey Bob! ❤

Love you ❤

Darling?


ga

ga

gb

What is Ratcheting?

Modeling RKE


Results


What is Ratcheting?






• E.g., Signal

●

Hey Bob! ❤

Love you ❤

Darling?


Hey Bob! ❤

Love you ❤

Darling?


ga

ga

gb

gab

gab

What is Ratcheting?

Modeling RKE


Results


What is Ratcheting?






• E.g., Signal

●

Hey Bob! ❤

Love you ❤

Darling?


Hey Bob! ❤

Love you ❤

Darling?


ga

ga

gb

gab

gab

H ( )→ k k

H ( )→ k k

What is Ratcheting?

Modeling RKE


Results


Natural Security Notion for Ratcheting?





●

Hey Bob! ❤

Love you ❤

Darling?


Hey Bob! ❤

Love you ❤

Darling?


Question:

What is a natural security notion?

(Definition based only on trivial attacks)

What is Ratcheting?

Modeling RKE


Results



• Natural security notion • Definition based only

on trivial attacks

• Bellare et al. on unidirectional communication C’17

• Bob cannot be exposed

●

Hey Bob! ❤

Love you ❤

Darling?


Hey Bob! ❤

Love you ❤

Darling?


Question:



What is Ratcheting?

Modeling RKE


Results




on trivial attacks

• Bellare et al. on unidirectional communication C’17

• Bob cannot be exposed

●

Hey Bob! ❤

Love you ❤

Darling?


Hey Bob! ❤

Love you ❤

Darling?


Question:



Our models require and

constructions provide full

security under:

• Asynchronous

communication

• Exposure of both parties

What is Ratcheting?

Modeling RKE


Results


Agenda

1. The Primitive Ratcheted Key Exchange

2. General Adversary Model

3. Unidirectional Ratcheting → Model and Construction

4. Sesquidirectional Ratcheting → Model and Construction

5. Results

What is Ratcheting?

Modeling RKE


Results




on trivial attacks

• Syntax: • Initialization

●

Hey Bob! ❤

Love you ❤

Darling?


Hey Bob! ❤

Love you ❤

Darling?


What is Ratcheting?

Modeling RKE


Results




on trivial attacks


●

Hey Bob! ❤

Love you ❤

Darling?


Hey Bob! ❤

Love you ❤

Darling?


init

What is Ratcheting?

Modeling RKE


Results




on trivial attacks


• Sending & receiving

●

Hey Bob! ❤

Love you ❤

Darling?


init

snd

rcv

snd

snd

What is Ratcheting?

Modeling RKE


Results




on trivial attacks



●

snd

snd

rcv rcv

rcv snd

init

rcv

snd

What is Ratcheting?

Modeling RKE


Results




on trivial attacks



• Key exchange • Consecutive

establishment of keys in session

≠ Authenticated key exchange!

●

snd

snd

rcv rcv

rcv snd

init

rcv

snd

kA1

kA2

kB1

kA3

kA1

kB1

kA2

kA3

What is Ratcheting?

Modeling RKE


Results




on trivial attacks



• Key exchange • Composition in Bellare

et al. C’17

●

snd

snd

rcv rcv

rcv snd

init

rcv

snd

kA1

kA2

kB1

kA3

kA1

kB1

kA2

kA3

What is Ratcheting?

Modeling RKE


Results


Three Variants of Ratcheting

• Bidirectional ratcheting is complicated

→ Understand its components

●

snd

snd

rcv rcv

rcv snd

init

rcv

snd

kA1

kA2

kB1

kA3

kA1

kB1

kA2

kA3

What is Ratcheting?

Modeling RKE


Results




→ Understand its components:

• Unidirectional key establishment

●

snd

rcv kB1

kB1

snd

rcv

rcv snd

init

rcv

snd

kA1

kA2

kA3

kA1

kA2

kA3

What is Ratcheting?

Modeling RKE


Results





• Unidirectional key establishment

• Alice initiates computation of new key

• Bob does not respond

●

snd

rcv kB1

kB1

snd

rcv

rcv snd

init

rcv

snd

kA1

kA2

kA3

kA1

kA2

kA3

What is Ratcheting?

Modeling RKE


Results





• Unidirectional ratcheted key exchange (RKE)

●

snd

rcv kB1

kB1

snd

rcv

rcv snd

init

rcv

snd

kA1

kA2

kA3

kA1

kA2

kA3

What is Ratcheting?

Modeling RKE


Results





• Unidirectional RKE

• Sesquidirectional RKE

• Bob contributes (but cannot establish keys)

• Adds security (sesqui = 1.5)

●

kB1

kB1

snd

snd

rcv rcv

rcv snd

init

rcv

snd

kA1

kA2

kA3

kA1

kA2

kA3

What is Ratcheting?

Modeling RKE


Results







• Symmetric roles

●

snd

snd

rcv rcv

rcv snd

init

rcv

snd

kA1

kA2

kB1

kA3

kA1

kB1

kA2

kA3

What is Ratcheting?

Modeling RKE


Results







• Symmetric roles

• Bidirectional RKE = 2x Sesquid. RKE (extended version)

●

snd

snd

rcv rcv

rcv snd

init

rcv

snd

kA1

kA2

kB1

kA3

kA1

kB1

kA2

kA3

What is Ratcheting?

Modeling RKE


Results


Bidirectional RKE

Symmetric roles

(extended version)

Unidirectional RKE (+ Exposure of Bob)

No responses from Bob

Sesquidirectional RKE

Bob’s responses only help to recover

Three Variants of Ratcheting ●

kB1

kB1

snd

snd

rcv rcv

rcv snd

init

rcv

snd

kA1

kA2

kA3

kA1

kA2

kA3

snd

snd

rcv rcv

rcv snd

init

rcv

snd

kA1

kA2

kB1

kA3

kA1

kB1

kA2

kA3

snd

rcv kB1

kB1

snd

rcv

rcv snd

init

rcv

snd

kA1

kA2

kA3

kA1

kA2

kA3

What is Ratcheting?

Modeling RKE


Results


Agenda





5. Results

What is Ratcheting?

Modeling RKE


Results


Modeling Ratcheted Key Exchange

• Active adversary • Control whole network

traffic

●

snd

snd

rcv rcv

rcv snd

init

rcv

snd

kA1

kA2

kB1

kA3

kA1

kB1

kA2

kA3

Adversary

What is Ratcheting?

Modeling RKE


Results



●

snd

snd

rcv rcv

rcv snd

init

rcv

snd

kA1

kA2

kB1

kA3

kA1

kB1

kA2

kA3

Adversary

k$

Challenge

What is Ratcheting?

Modeling RKE


Results




traffic

• Analyze key indistinguishability

• Multi-challenge real or random key

• Model exposures of local state

●

snd

snd

rcv rcv

rcv snd

init

rcv

snd

kA1

kA2

kB1

kA3

kA1

kB1

kA2

kA3

Adversary

Expose

k$

Challenge

What is Ratcheting?

Modeling RKE


Results




traffic

• Analyze key indistinguishability

• Multi-challenge real or random key

• Model exposures of local state

• Single session

• Init abstracted

●

snd

snd

rcv rcv

rcv snd

init

rcv

snd

kA1

kA2

kB1

kA3

kA1

kB1

kA2

kA3

Adversary

Expose

k$

Challenge

What is Ratcheting?

Modeling RKE


Results


Agenda





5. Results

What is Ratcheting?

Modeling RKE


Results


snd

rcv kB1

kB1

Modeling Unidirectional RKE

●

snd

rcv

rcv snd

init

rcv

snd

kA1

kA2

kA3

kA1

kA2

kA3

What is Ratcheting?

Modeling RKE


Results



• Impersonation ⇒ No future Challenge on Bob

●

snd

rcv

rcv snd

init

rcv

snd

kA1

kA2

kA3

kA1

kX1

kX2

Adversary

Expose

snd

snd

kX1

kX2

What is Ratcheting?

Modeling RKE


Results




• Expose Bob → Allowed in our model

●

snd

rcv

rcv snd

init

rcv

snd

kA1

kA2

kA3

kA1

kA2

kA3

Adversary

Expose rcv kA3

What is Ratcheting?

Modeling RKE


Results




• Expose Bob ⇒ No future Challenge

●

snd

rcv

rcv snd

init

rcv

snd

kA1

kA2

kA3

kA1

kA2

kA3

Adversary

Expose rcv kA3

What is Ratcheting?

Modeling RKE


Results




• Expose Bob ⇒ No future Challenge if synchronous (= if no previous active attack)

●

snd

rcv

rcv snd

init

rcv

snd

kA1

kA2

kA3

kA1

kX1

kX2

Adversary

Expose

What is Ratcheting?

Modeling RKE


Results




• Expose Bob ⇒ No future Challenge if synchronous

⇒ Exposure of Alice (solely) “okay”

●

snd

rcv

rcv snd

init

rcv

snd

kA1

kA2

kA3

kA1

kA2

kA3

Adversary

Expose

What is Ratcheting?

Modeling RKE


Results





⇒ Exposure of Alice (solely) “okay”

●

snd

rcv

rcv snd

init

rcv

snd

kA1

kA2

kA3

kA1

kA2

kA3

Adversary

What is Ratcheting?

Modeling RKE


Results


Agenda





5. Results

What is Ratcheting?

Modeling RKE


Results


Constructing Unidirectional RKE

• Expose Alice okay


●

snd

rcv

rcv snd

init

rcv

snd

kA1

kA2

kA3

kA1

kA2

kA3

Adversary

What is Ratcheting?

Modeling RKE


Results



• Expose Alice okay → Public key crypto


snd

rcv

rcv snd

init

rcv

snd

kA1

kA2

kA3

kA1

kA2

kA3

Adversary pk

sk

●

What is Ratcheting?

Modeling RKE


Results



• Expose Alice okay → KEM:


snd

rcv

rcv snd

init

rcv

snd

kA1

kA2

kA3

kA1

kA2

kA3

pk

sk

enc ( )→$ c k pk dec ( )→$ k sk c

●

Adversary

What is Ratcheting?

Modeling RKE


Results





snd

rcv

rcv snd

init

rcv

snd

kA1

kA2

kA3

kA1

kA2

kA3

Adversary pk

sk

●


What is Ratcheting?

Modeling RKE


Results




• Expose Bob ⇒ No future Challenge if synchronous → Forward secrecy of Bob’s state

snd

rcv

rcv

snd

init

rcv

snd

kA1

kA2

kA3

kA1

kA2

kA3

Adversary pk

sk

pk’

pk’’

sk’’

sk’

●


What is Ratcheting?

Modeling RKE


Results




• Expose Bob ⇒ No future Challenge if synchronous → Forward secrecy of Bob’s state → Divergence of states

snd

rcv

rcv

snd

init

rcv

snd

kA1

kA2

kA3

kA1

kA2

kA3

Adversary pk

sk

pk’

pk’’

sk*

sk’

●


What is Ratcheting?

Modeling RKE


Results




• Expose Bob ⇒ No future Challenge if synchronous → Forward secrecy of Bob’s state → Divergence of states → Random oracle:

snd

rcv

rcv

snd

init

rcv

snd

kA1

kA2

kA3

kA1

kA2

kA3

Adversary pk

sk

pk’

pk’’

sk*

sk’


H ( )→ kXn c k sk

●

What is Ratcheting?

Modeling RKE


Results





snd

rcv

rcv

snd

init

rcv

snd

kA1

kA2

kA3

kA1

kA2

kA3

Adversary pk

sk

pk’

pk’’

sk*

sk’


H ( )→ kXn c k sk

gen ( )→ sk pk

●

What is Ratcheting?

Modeling RKE


Results





snd

rcv

rcv

snd

init

rcv

snd

kA1

kA2

kA3

kA1

kA2

kA3

Adversary enc ( )→$ c k pk dec ( )→$ k sk c

gen ( )→ sk pk

H ( )→ kXn c k sk

enc H

gen

enc H

gen

enc H

gen

dec H

dec H

dec H

●

What is Ratcheting?

Modeling RKE


Results


Agenda





5. Results

What is Ratcheting?

Modeling RKE


Results



• Impersonation A → B ⇒ No future Challenge on Bob


●

snd

rcv

rcv snd

init

rcv

snd

kA1

kA2

kA3

kA1

kA2

kA3

Adversary

What is Ratcheting?

Modeling RKE


Results


Modeling Sesquidirectional RKE



●

snd

snd

rcv rcv

rcv snd

init

rcv

snd

kA1

kA2

kA3

kA1

kA2

kA3

Adversary

What is Ratcheting?

Modeling RKE


Results




• Impersonation B → A ⇒ No future Challenge on Alice


●

snd

snd

rcv rcv

rcv snd

init

rcv

snd

kA1

kA2

kA3

kA1

kA2

kA3

Adversary

What is Ratcheting?

Modeling RKE


Results





• Expose Bob ⇒ No future Challenge if synchronous until Bob recovered

●

snd

snd

rcv rcv

rcv snd

init

rcv

snd

kA1

kA2

kA3

kA1

kA2

kA3

Adversary

Expose

rcv kA2

What is Ratcheting?

Modeling RKE


Results






●

snd

snd

rcv rcv

rcv snd

init

rcv

snd

kA1

kA2

kA3

kA1

kA2

kA3

Adversary

Expose

rcv kA2

What is Ratcheting?

Modeling RKE


Results






●

snd

snd

rcv rcv

rcv snd

init

rcv

snd

kA1

kA2

kA3

kA1

kA2

kA3

Adversary

What is Ratcheting?

Modeling RKE


Results


Agenda





5. Results

What is Ratcheting?

Modeling RKE


Results


Constructing Sesquidirectional RKE


●

snd

snd

rcv rcv

rcv snd

init

rcv

snd

kA1

kA2

kA3

kA1

kA2

kA3

Adversary

What is Ratcheting?

Modeling RKE


Results



• Expose Bob ⇒ No future Challenge if synchronous until Bob recovered → Forward secrecy and recovery of Bob’s state

snd

snd

rcv rcv

rcv snd

init

rcv

snd

kA1

kA2

kA3

kA1

kA2

kA3

Adversary

●

What is Ratcheting?

Modeling RKE


Results



• Expose Bob ⇒ No future Challenge if synchronous until Bob recovered → Forward secrecy and recovery of Bob’s state → Send new

snd

snd

rcv rcv

rcv snd

init

rcv

snd

kA1

kA2

kA3

kA1

kA2

kA3

Adversary

●

pk

gen

What is Ratcheting?

Modeling RKE


Results



• Expose Bob ⇒ No future Challenge if synchronous until Bob recovered → Forward secrecy and recovery of Bob’s state → Send new → Divergence of states

snd

snd

rcv rcv

rcv snd

init

rcv

snd

kA1

kA2

kA3

kA1

kA2

kA3

Adversary

●

pk

gen

What is Ratcheting?

Modeling RKE


Results



• Expose Bob ⇒ No future Challenge if synchronous until Bob recovered → Forward secrecy and recovery of Bob’s state → Send new → Divergence of states

snd

snd

rcv rcv

rcv snd

init

rcv

snd

kA1

kA2

kA3

kA1

kA2

kA3

Adversary

●

pk

gen

Difficulty:

Diverge states independently

and forward securely

in asynchronous bidirectional

setting

What is Ratcheting?

Modeling RKE


Results



• Expose Bob ⇒ No future Challenge if synchronous until Bob recovered → Forward secrecy and recovery of Bob’s state → Send new → Divergence of states → Update key pair

snd

snd

rcv rcv

rcv snd

init

rcv

snd

kA1

kA2

kA3

kA1

kA2

kA3

Adversary

●

pk

gen

Difficulty:




setting

What is Ratcheting?

Modeling RKE


Results




snd

snd

rcv rcv

rcv snd

init

rcv

snd

kA1

kA2

kA3

kA1

kA2

kA3

Adversary

●

up ( , T)→ sk sk

up ( , T)→ pk pk

pk

gen

Difficulty:




setting

What is Ratcheting?

Modeling RKE


Results




snd

snd

rcv rcv

rcv snd

init

rcv

snd

kA1

kA2

kA3

kA1

kA2

kA3

Adversary

●

up ( , T)→ sk sk

up ( , T)→ pk pk

pk

gen

Difficulty:




setting

Can be instantiated from HIBE

del ( ,ID=T)→ sk sk

What is Ratcheting?

Modeling RKE


Results




snd

snd

rcv rcv

rcv

snd

init

rcv

snd

kA1

kA2

kA3

kA1

kA2

kA3

●

up ( , T)→ sk sk

up ( , T)→ pk pk

pk

enc H

gen

enc H

gen

enc H

gen

dec H

dec H

dec H

up

gen

up

up

up

Adversary

What is Ratcheting?

Modeling RKE


Results


Agenda





5. Results

What is Ratcheting?

Modeling RKE


Results


• Unidirectional RKE • KEM + ROM (+ MAC)

Results

●

ia.cr/2018/296 (ext. version) @roeslpa

What is Ratcheting?

Modeling RKE


Results



• Sesquidirectional RKE • Key updatable KEM (+ signatures)

• # = #crossing ciphertexts → Depth of HIBE practically bounded

Results

●


c pk

c up ( T) sk

What is Ratcheting?

Modeling RKE


Results





• Multi encapsulation → Bounded in ping-pong pattern

→ Alternative: key updatable signatures

Results

●


pk

pk

up ( T) sk

c c

What is Ratcheting?

Modeling RKE


Results





• Multi encapsulation → Bounded in ping-pong pattern

→ Alternative: key updatable signatures

• BRKE = 2x SRKE + OT signatures → Build SRKE, BRKE too complex!

Results

●


up ( T) sk

kB1

kB1

snd

snd

rcv rcv

rcv snd

init

rcv

snd

kA1

kA2

kA3

kA1

kA2

kA3

snd

snd

rcv rcv

rcv snd

init

rcv

snd

kA1

kA2

kB1

kA3

kA1

kB1

kA2

kA3

kB1

kB1

snd

snd

rcv rcv

rcv snd

init

rcv

snd

kA1

kA2

kA3

kA1

kA2

kA3

+

+ = gen sig vfy

towards bidirectional ratcheted key exchange - iacr crypto · ratcheted key exchange crypto 2018...

Documents