Philip D. MacKenzie

Provably secure password-authenticated key exchange using Diffie-Hellman

When designing password-authenticated key exchange protocols (as opposed to key exchange protocols authenticated using cryptographically secure keys), one must not allow any information to be leaked that would allow verification of the password (a weak shared key), since an attacker who obtains this information may be able to run an off-line dictionary attack to determine the correct password. We present a new protocol called PAK which is the first Diffie-Hellman-based password-authenticated key exchange protocol to provide a formal proof of security (in the random oracle model) against both passive and active adversaries. In addition to the PAK protocol that provides mutual explicit authentication, we also show a more efficient protocol called PPK that is provably secure in the implicit -authentication model. We then extend PAK to a protocol called PAK-X, in which one side (the client) stores a plaintext version of the password, while the other side (the server) only stores a verifier for the password. We formally prove security of PAK-X, even when the server is compromised. Our formal model for password-authenticated key exchange is new, and may be of independent interest.

Abuse-Free Optimistic Contract Signing

We introduce the notion of abuse-free distributed contract signing, that is, distributed contract signing in which no party ever can prove to a third party that he is capable of choosing whether to validate or invalidate the contract. Assume Alice and Bob are signing a contract. If the contract protocol they use is not abuse-free, then it is possible for one party, say Alice, at some point to convince a third party, Val, that Bob is committed to the contract, whereas she is not yet. Contract protocols with this property are therefore not favorable to Bob, as there is a risk that Alice does not really want to sign the contract with him, but only use his willingness to sign to get leverage for another contract. Most existing optimistic contract signing schemes are not abuse-free. (The only optimistic contract signing scheme to date that does not have this property is inefficient, and is only abuse-free against an off-line attacker.) We give an efficient abuse-free optimistic contract-signing protocol based on ideas introduced for designated verifier proofs (i.e., proofs for which only a designated verifier can be convinced). Our basic solution is for two parties. We show that straightforward extensions to n > 2 party contracts do not work, and then show how to construct a three-party abuse-free optimistic contract-signing protocol. An important technique we introduce is a type of signature we call a private contract signature. Roughly, these are designated verifier signatures that can be converted into universally-verifiable signatures by either the signing party or a trusted third party appointed by the signing party, whose identity and power to convert can be verified (without interaction) by the party who is the designated verifier.

Robust efficient distributed RSA-key generation

The invention provides for robust efficient distributed generation of RSA keys. An efficient protocol is one which is independent of the primality test “circuit size”, while a robust protocol allows correct completion even in the presence of a minority of arbitrarily misbehaving malicious parties. The disclosed protocol is secure against any minority of malicious parties (which is optimal). The disclosed method is useful in establishing sensitive distributed cryptographic function sharing services (certification authorities, signature schemes with distributed trust, and key escrow authorities), as well as other applications besides RSA (namely: composite ElGamal, identification schemes, simultaneous bit exchange, etc.). The disclosed method can be combined with proactive function sharing techniques to establish the first efficient, optimal-resilience, robust and proactively-secure RSA-based distributed trust services where the key is never entrusted to a single entity (i.e., distributed trust totally “from scratch”). The disclosed method involves new efficient “robustness assurance techniques” which guarantee “correct computations” by mutually distrusting parties with malicious minority.

Password-authenticated key exchange based on RSA

There have been many proposals in recent years for password-authenticated key exchange protocols, i.e., protocols in which two parties who share only a short secret password perform a key exchange authenticated with the password. However, the only ones that have been proven secured against offline dictionary attacks were based on Diffie–Hellman key exchange. We examine how to design a secure password-authenticated key exchange protocol based on RSA. In this paper, we first look at the OKE and protected-OKE protocols (both RSA-based) and show that they are insecure. Then we show how to modify the OKE protocol to obtain a password-authenticated key exchange protocol that can be proven secure (in the random oracle model). This protocol is very practical; in fact, it requires about the same amount of computation as the Diffie–Hellman-based protocols. Finally, we present an augmented protocol that is resilient to server compromise, meaning (informally) that an attacker who compromises a server would not be able to impersonate a client, at least not without running an offline dictionary attack against that client’s password.

Networked cryptographic devices resilient to capture

We present a simple technique by which a device that performs private key operations (signatures or decryptions) in networked applications and whose local private key is activated with a password or PIN can be immunized to offline dictionary attacks in case the device is captured. Our techniques do not assume tamper resistance of the device but rather exploit the networked nature of the device in that the device’s private key operations are performed using a simple interaction with a remote server. This server, however, is untrusted – its compromise does not reduce the security of the device’s private key unless the device is also captured – and need not have a prior relationship with the device. We further extend this approach with support for key disabling, by which the rightful owner of a stolen device can disable the device’s private key even if the attacker already knows the user’s password.

Universally composable password-based key exchange

We propose and realize a definition of security for password-based key exchange within the framework of universally composable (UC) security, thus providing security guarantees under arbitrary composition with other protocols. In addition, our definition captures some aspects of the problem that were not adequately addressed by most prior notions. For instance, it does not assume any underlying probability distribution on passwords, nor does it assume independence between passwords chosen by different parties. We also formulate a definition of password-based secure channels, and show that such a definition is achievable given password-based key exchange. Our protocol realizing the new definition of password-based key exchange is in the common reference string model and relies on standard number-theoretic assumptions. The components of our protocol can be instantiated to give a relatively efficient solution which is conceivably usable in practice. We also show that it is impossible to satisfy our definition in the “plain” model (e.g., without a common reference string).

Strengthening Zero-Knowledge Protocols Using Signatures

AbstractRecently there has been an interest in zero-knowledge protocols with stronger properties, such as concurrency, simulation soundness, non-malleability, and universal composability. In this paper we show a novel technique to convert a large class of existing honest-verifier zero-knowledge protocols into ones with these stronger properties in the common reference string model. More precisely, our technique utilizes a signature scheme existentially unforgeable against adaptive chosen-message attacks, and transforms any Σ-protocol (which is honest-verifier zero-knowledge) into a simulation sound concurrent zero-knowledge protocol. We also introduce Ω-protocols, a variant of Σ-protocols for which our technique further achieves the properties of non-malleability and/or universal composability. In addition to its conceptual simplicity, a main advantage of this new technique over previous ones is that it avoids the Cook-Levin theorem, which tends to be rather inefficient. Indeed, our technique allows for very efficient instantiation based on the security of some efficient signature schemes and standard number-theoretic assumptions. For instance, one instantiation of our technique yields a universally composable zero-knowledge protocol under the Strong RSA assumption, incurring an overhead of a small constant number of exponentiations, plus the generation of two signatures.

Efficient Zero-Knowledge Proofs of Knowledge Without Intractability Assumptions

We initiate the investigation of the class of relations that admit extremely efficient perfect zero knowledge proofs of knowledge: constant number of rounds, communication linear in the length of the statement and the witness, and negligible knowledge error. In its most general incarnation, our result says that for relations that have a particular three-move honest-verifier zero-knowledge (HVZK) proof of knowledge, and which admit a particular three-move HVZK proof of knowledge for an associated commitment relation, perfect zero knowledge (against a general verifier) can be achieved essentially for free, even when proving statements on several instances combined under under monotone function composition. In addition, perfect zero-knowledge is achieved with an optimal 4-moves. Instantiations of our main protocol lead to efficient perfect ZK proofs of knowledge of discrete logarithms and RSA-roots, or more generally, q-one-way group homomorphisms. None of our results rely on intractability assumptions.

Threshold Password-Authenticated Key Exchange

AbstractIn most password-authenticated key exchange systems there is a single server storing password verification data. To provide some resilience against server compromise, this data typically takes the form of a one-way function of the password (and possibly a salt, or other public values) rather than the password itself. However, if the server is compromised, this password verification data can be used to perform an off-line dictionary attack on the users password. In this paper we propose an efficient password-authenticated key exchange system involving a set of servers with known public keys, in which a certain threshold of servers must participate in the authentication of a user, and in which the compromise of any fewer than that threshold of servers does not allow an attacker to perform an off-line dictionary attack. We prove our system is secure in the random oracle model under the Decision Diffie-Hellman assumption against an attacker that may eavesdrop on, insert, delete, or modify messages between the user and servers, and that compromises fewer than that threshold of servers.

On Simulation-Sound Trapdoor Commitments

We study the recently introduced notion of a simulation-sound trapdoor commitment (SSTC) scheme. In this paper, we present a new, simpler definition for an SSTC scheme that admits more efficient constructions and can be used in a larger set of applications. Specifically, we show how to construct SSTC schemes from any one-way functions, and how to construct very efficient SSTC schemes based on specific number-theoretic assumptions. We also show how to construct simulation-sound, non-malleable, and universally-composable zero-knowledge protocols using SSTC schemes, yielding, for instance, the most efficient universally-composable zero-knowledge protocols known. Finally, we explore the relation between SSTC schemes and non-malleable commitment schemes by presenting a sequence of implication and separation results, which in particular imply that SSTC schemes are non-malleable.