Practical Covert Authentication. Stanislaw Jarecki, University of California at Irvine. Public Key Cryptography 2014.

Presentation Plan
1. Introduction to Covert Computation
2. Practical Covert Authentication Protocol: O(1) rounds, O(1) group elements, O(1) exponentiations...
3. Main Tool: Compiler for Covert Conditional OT's: ZKPK+ (Σ-protocol) for language L ⟹ Covert Conditional OT for L
4. Extensions / Open Problems

Background: Secure Computation
Secure computation hides everything except what is revealed by the output. In the ideal world A and B hand x and y to the functionality F and receive F(x,y); in the real world A and B run a protocol π for F.
Security: for every (efficient) adversary A there exists an (efficient) simulator Ã such that, for all inputs y, A's interaction with Ã in the ideal world is indistinguishable from A's view of the real protocol: Ã^{F(y)} ≈ A^{π(y)}.

Background: Secure Computation
Secure computation hides everything it can about B's input... but not the fact that B engages in the computation of F, which is information in itself!
- A voting protocol attempt reveals a potential voter
- A petition-signing attempt reveals a potential signer
- ...
- An authentication attempt reveals a member of some organization which uses the authentication protocol, no matter how credential/policy/attribute-hiding that protocol is!

Covert Computation
Can we hide the fact that computation is taking place? Covert computation (for functionality F) should hide even whether party B engages in a secure computation protocol for F.
Q: How can we hide that B follows protocol π?
A: Make π's messages indistinguishable from random ($) bits.
Q: How can we hide that B follows some protocol at all?
A: Run π over a steganographic channel (one that always carries random-looking bits):
- network control messages, padding, timing
- pictures, music, voice, ...
- encryption (e.g. a VPN router), other crypto (e.g. "kleptography")

Covert Computation
Q: But doesn't A's output z = F(x,y) reveal that B supplied some input y?
A: Yes, but F's output can look random for many (x,y) pairs:
- Authenticated Key Exchange
- Any authenticated computation...

A B x yDyD Distinguishability of F from $ beacon in the ideal world: F/$ ~~ A π /$ B(y) yDyD CovDist F,D,Ã = | Pr[1Ã F(y) | yD] - Pr[1Ã $(F) ] | CovDist π,D,A = | Pr[1A π (y) | yD] - Pr[1A $( π ) ] | π covert if A Ã s.t. (1) [standard secure computation requirements] (2)  dist. D CovDist F,D,Ã ≈ CovDist π,D,A π covert if A Ã s.t. (1) [standard secure computation requirements] (2)  dist. D CovDist F,D,Ã ≈ CovDist π,D,A Distinguishability of π from $ beacon in the real world: Covert Computation Covert π = as “random” as the ideal F [vAHL05] (refined in [CGOS07])

Covert Computation: What is currently known?
[vAHL05]: Defined covert 2PC; O(sec.par.)-round protocol for any F
[CGOS07]: Defined covert MPC; O(sec.par.)-round protocol for any F
[GJ10]: Ω(sec.par.) rounds are necessary for covert 2PC/MPC in the plain model
- Can 2PC/MPC be covert in O(1) rounds in the CRS model? Probably (see the last slide).
- How about covert authentication (not necessarily a covert 2PC)? This work: 5 rounds (3 in the ROM), ≈30 RSA exp.'s per party.

Covert Authentication: Definition
KeyGen → PK + (Cert_A, Cert_B, Cert_C, ...) [an unforgeable certificate scheme]
Ideal functionality F_Auth: A inputs (PK, Cert_A), B inputs (PK, Cert_B). If Ver(PK, Cert_A) and Ver(PK, Cert_B) then K_A = K_B (← $); otherwise K_A ≠ K_B (← $ × $). [+ handling of CRLs]
Covertness: if A has no valid (and unrevoked) cert then F_Auth ≈ $[F_Auth]; correspondingly, without a valid (and unrevoked) cert, π_Auth ≈ $[π_Auth].
Our work: game-based definition, no extraction of PK (a public input) or of K_B.

Covert Authentication Protocol Idea (1): Use a "typical" Group Signature Scheme
KeyGen → PK + (Cert_A, Cert_B, Cert_C, ...) [unforgeable cert. scheme]
A (holding PK, Cert_A) sends C_A = COM(Cert_A) and gives a ZKP that (PK, C_A) ∈ L_ComCert; B (holding PK, Cert_B) sends C_B = COM(Cert_B) and gives a ZKP that (PK, C_B) ∈ L_ComCert, where
  L_ComCert = { x = (PK, C) s.t. ∃ w = (cert, dec) s.t. Ver(PK, cert) = 1 and Decommit(C, cert, dec) = 1 }
Revocation e.g. by a ZKP that the certificate in C is not on the CRL; our work uses "verifier-local" revocation (without a ZKP) [BS'04].
Problem: in a ZKP for L the prover P holds witness w = (cert, dec), the verifier V holds statement x = (PK, C), and the functionality F_ZKP outputs b ← 1 to V if w is a witness for x ∈ L and b ← 0 otherwise. A ZKP (for a non-trivial L) therefore makes the protocol inherently non-covert!

Covert Authentication Protocol Idea (2): Replace the ZKP by a Covert COT for L_GrSig
Same exchange as before: A sends C_A = COM(Cert_A), but membership (PK, C_A) ∈ L_ComCert is now established with COT[(PK, C_A) ∈ L_ComCert] instead of a ZKP.
Covert Conditional Oblivious Transfer (COT) for L (KEM version): the receiver R holds witness w = (cert, dec); the sender S holds statement x = (PK, C) and a key K_S. Functionality F_COT for L: if w is a witness for x ∈ L then K_R = K_S, otherwise K_R ≠ K_S.
Covertness: (1) in R's view, π_COT ≈ $[π_COT] if R has no valid w for S's x; (2) in S's view, π_COT ≈ $[π_COT] for all x.
Strong soundness: efficient extraction of w from any covertness-breaking R.
Analogy: Encryption : Conditional OT : Strongly-sound COT is as Signature : ZK Proof : ZK Proof of Knowledge.

Covert Authentication: Full Protocol
KeyGen → PK + (Cert_A, Cert_B, Cert_C, ...) [unforgeable cert. scheme]
A (holding PK, Cert_A) and B (holding PK, Cert_B):
1. A → B: C_A = COM(Cert_A); A and B run COT[(PK, C_A) ∈ L_ComCert] with A as receiver and B as sender, yielding K_A^R for A and K_B^S for B.
2. B → A: C_B = COM(Cert_B); B and A run COT[(PK, C_B) ∈ L_ComCert] with B as receiver and A as sender, yielding K_B^R for B and K_A^S for A.
3. A's session key K_A is combined from (K_A^R, K_A^S); B's session key K_B is combined from (K_B^S, K_B^R).
Covertness (assume A has no valid Cert): (1) A's view of the first COT together with K_B^S is ≈ $[π_COT^S]; (2) A's view of C_B and of the second COT is ≈ $[π_COT^R]. Hence A's view of the whole interaction together with K_B is ≈ $.
The COT must guarantee extraction of the witness w from a covertness-breaking receiver: then, if an adversary breaks covertness of the authentication protocol, the reduction extracts a valid certificate (a forgery).

Constructing Covert COT for L_ComCert
F_COT for L: receiver R holds witness w, sender S holds statement x and K_S; if w is a witness for x ∈ L then K_R = K_S, otherwise K_R ≠ K_S.
Assume L = { x = [g_ij] s.t. ∃ w = [w_j] s.t.
  g_1 = (g_11)^{w_1} · (g_12)^{w_2} · ... · (g_1n)^{w_n},
  ...,
  g_m = (g_m1)^{w_1} · (g_m2)^{w_2} · ... · (g_mn)^{w_n} }
[+ additive and multiplicative relations between the exponents]
Smooth Projective Hash Function (SPHF) ⟹ covert COT, but no extraction of the witness w from a covertness-breaking R.

Compiler from ZKPK+ for L_ComCert to Covert COT
F_COT for L: R holds witness w, S holds statement x and K_S; if w is a witness for x ∈ L then K_R = K_S, otherwise K_S ≠ K_R.
Example language L = { x s.t. ∃ w s.t. x = g^w }, with its (HV)ZKPK: a = g^r; e ← $; z = r + e·w. Simulator for this ZKPK+: z ← $, e ← $, a = F(x, e, z) = g^z / x^e.
Compiled protocol:
  R → S: C = COM(a)
  S → R: e ← $
  R → S: z = r + e·w
  S → R: SPHF for the statement [ C = COM(F(x, e, z)) ]; S keeps the hash value K_S, R derives K_R.
If COM = ElGamal PKE then the statement is a DDH tuple and the SPHF of [CS'98] applies (+2/3 exp's per party) ⟹ covert COT for L.
Covertness against a malicious S: COM is covert [ElGamal]; z ← $ (by the ZKPK+ property); the SPHF is non-interactive.
Covertness against a malicious R: (case 1) C ≠ COM(F(x, e, z)): then K_S is independent of R's view of the SPHF. (case 2) C = COM(F(x, e, z)): then by the Forking Lemma, w ← Ext((e, z), (e', z')).
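The compiler above, run end to end for the example language x = g^w, as an added example (not code from the talk or the paper). Assumed choices: a 64-bit safe-prime subgroup generated at import time (a toy size chosen so the code runs quickly, not a deployable parameter), ElGamal under a key nobody can decrypt as the covert commitment, and the Cramer-Shoup DDH hash as the SPHF; every function name is this example's own. It also exercises the two tools the covertness proof relies on: the ZKPK+ simulator (a uniform (e, z) pair) and the forking-lemma extractor.

```python
"""ZKPK+ -> covert COT compiler, toy instance for L = { x : x = g^w }.
Added example; group size and all names are this example's assumptions."""
import secrets


def is_probable_prime(n, rounds=24):
    """Miller-Rabin, adequate for toy parameter generation."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_group(bits=64):
    """Safe prime p = 2q+1 and two generators g, h of the order-q subgroup (toy size)."""
    while True:
        q = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            p = 2 * q + 1
            # Squaring a random base lands in the quadratic-residue subgroup;
            # log_g(h) is unknown to everyone, so the ElGamal "commitment" is never decrypted.
            g = pow(2 + secrets.randbelow(p - 3), 2, p)
            h = pow(2 + secrets.randbelow(p - 3), 2, p)
            return p, q, g, h


P, Q, G, H = gen_group()


# Schnorr (HV)ZKPK for x = g^w: a = g^r, e <- $, z = r + e*w
def schnorr_commit():
    r = secrets.randbelow(Q)
    return r, pow(G, r, P)

def schnorr_respond(r, e, w):
    return (r + e * w) % Q

def schnorr_reconstruct(x, e, z):
    """F(x, e, z) = g^z / x^e: the first message any accepting transcript must carry."""
    return pow(G, z, P) * pow(x, -e, P) % P      # negative exponent needs Python >= 3.8

def schnorr_simulate(x):
    """ZKPK+ simulator: z and e uniform, a derived; (e, z) is indistinguishable from $ bits."""
    z, e = secrets.randbelow(Q), secrets.randbelow(Q)
    return schnorr_reconstruct(x, e, z), e, z

def extract_witness(e1, z1, e2, z2):
    """Forking lemma: two accepting transcripts with the same a and e1 != e2 give w."""
    return (z1 - z2) * pow((e1 - e2) % Q, -1, Q) % Q


# ElGamal commitment: (g^t, h^t * a) is a pair of uniform group elements, hence covert.
def commit(a):
    t = secrets.randbelow(Q)
    return t, (pow(G, t, P), pow(H, t, P) * a % P)


# Cramer-Shoup SPHF for the DDH statement "(u, v) = (g^t, h^t)".
def sphf_keygen():
    return secrets.randbelow(Q), secrets.randbelow(Q)

def sphf_projection(k):
    return pow(G, k[0], P) * pow(H, k[1], P) % P   # hp = g^k1 * h^k2, a uniform element

def sphf_hash(k, u, v):
    return pow(u, k[0], P) * pow(v, k[1], P) % P   # u^k1 * v^k2, defined on any pair

def sphf_projected_hash(hp, t):
    return pow(hp, t, P)                           # equals the hash only on DDH tuples


def run_cot(x, w_claimed):
    """One covert COT: S holds statement x, R claims witness w_claimed. Returns (K_S, K_R)."""
    r, a = schnorr_commit()
    t, (u, v) = commit(a)                          # R -> S: C = COM(a)
    e = secrets.randbelow(Q)                       # S -> R: challenge
    z = schnorr_respond(r, e, w_claimed)           # R -> S: uniform in Z_q either way
    a_expected = schnorr_reconstruct(x, e, z)      # S: a that C must contain if x in L
    k = sphf_keygen()
    hp = sphf_projection(k)                        # S -> R: projection key only
    # (u, v / a_expected) is a DDH tuple exactly when R committed to a_expected,
    # i.e. when w_claimed really satisfies x = g^w; otherwise K_S is independent of R's view.
    K_S = sphf_hash(k, u, v * pow(a_expected, -1, P) % P)
    K_R = sphf_projected_hash(hp, t)               # R: hp^t from the commitment randomness
    return K_S, K_R
```

The transcript seen by either party is (u, v, e, z, hp), five uniformly distributed elements, which is the covertness claim of the two "Covertness from malicious S / R" slides in executable form: a receiver without the witness still sends a perfectly ordinary z, but ends up with a K_R unrelated to K_S, while a receiver who makes the commitment match two different challenges hands extract_witness the discrete log.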

Extensions / Open Problems
1. Covert 2PC for any F in the CRS model in O(1) rounds
2. Definitions: Composable Covert MPC?
3. Shorter Covert Authentication (EC with bilinear map)
4. Stronger Covert Authentication: full-fledged AKE
5. Other revocation models
6. Other applications of covertness
... and many other topics in covert computation to explore!