Short Concurrent Covert Authenticated Key Exchange (Short cAKE)

  • Conference paper
  • Advances in Cryptology – ASIACRYPT 2023 (ASIACRYPT 2023)

Abstract

Von Ahn, Hopper and Langford introduced the notion of steganographic, a.k.a. covert, computation to capture distributed computation where the attackers must not be able to distinguish honest parties from entities emitting random bitstrings. This indistinguishability should hold for the duration of the computation, except for what is revealed by the intended outputs of the computed functionality. An important case of covert computation is mutually authenticated key exchange, a.k.a. mutual authentication. Mutual authentication is a fundamental primitive that often precedes more complex secure protocols used for distributed computation. However, standard authentication implementations are not covert, which allows a network adversary to target or block parties who engage in authentication. Therefore, mutual authentication is one of the premier use cases of covert computation and has numerous real-world applications, e.g., enabling authentication over steganographic channels in a network controlled by a discriminatory entity.

We improve on the state of the art in covert authentication by presenting a protocol that retains covertness and security under concurrent composition, has minimal message complexity, and reduces protocol bandwidth by an order of magnitude compared to previous constructions. To model the security of our scheme we develop a UC model which captures standard features of secure mutual authentication but extends them to covertness. We prove our construction secure in this UC model. We also provide a proof-of-concept implementation of our scheme.

N. Genise—This work was done while the second author was at SRI International.


Notes

  1. The full version of this paper appears in [22].

  2. In particular, [32] does not imply security against man-in-the-middle attacks.

  3. Note that Fig. 1 defines AKE as a key exchange without explicit entity authentication, but the latter can be added to any AKE by testing whether the parties output the same key via any key confirmation protocol.

  4. In a standard FPK-AKE protocol party \(\textsf{P}\) can reveal either key. E.g. Sigma [36], used in TLS, reveals \(\textsf{P}\)’s own key \( pk _\textsf{P}\), while SKEME [35] reveals the key \( pk _\textsf{CP}\) which party \(\textsf{P}\) assumes for its counterparty, unless it employs key-private encryption [4].

  5. This requires encryption with ciphertexts indistinguishable from random bitstrings, but this is achieved by standard block cipher modes, CBC, OFB, or RND-CTR.

  6. Using group signatures for authentication is known as Identity Escrow [34].

  7. Secret Handshake [2] flips this leakage, realizing \(\mathcal {F}_\textrm{AKE}[\textsf{C}_{\textsf{G}},\textsf{L}']\) for \(\textsf{L}'\) that hides \( gpk \) but reveals a one-way function of \(\textsf{P}_i\)’s certificate. To complete the comparison, standard PKI-based AKE realizes \(\mathcal {F}_\textrm{AKE}[\textsf{C}_{\textsf{G}},\textsf{L}'']\) s.t. \(\textsf{L}''\) reveals both a root of trust \( gpk \) and a one-way function of \(\textsf{P}_i\)’s certificate, namely \(\textsf{P}_i\)’s public key with \( gpk \)’s signature.

  8. Here we follow the verifier-local revocation model [10], but other models are possible, e.g. using cryptographic accumulators [6, 12].

  9. Covert CKEM was called ZKSend in [15]. Variants of the (covert or non-covert) CKEM notion include Conditional OT [19], Witness Encryption [26], and Implicit ZK [7].

  10. This requires a special-purpose commitment which is hiding only in the sense of one-wayness, and which allows linking a revocation token to a committed certificate.

  11. For an example of how real-world parties can use scheme \(\varPi =(\textsf{KG},\textsf{CG},\textsf{Auth})\) to implement the environment’s queries to \(\mathcal {F}_{{\text {g-cAKE}}}\), see Fig. 5 in Sect. 6.

  12. Except if an adversarial party copies a statement of the honest party, in which case CKEM security comes from the PCA security of the SPHF, see Sect. 4.2.

  13. More generally, \(\textsf{CertBlind}\) should take witness \( v \) along with \( cert \) as input, and produce \( v '\) along with \( bc \) as output, where \( v '\) is a validity witness for the blinded certificate \( bc \). We use the simpler syntax assuming that \( v '= v \) because it declutters notation, and it suffices for the IE instantiation from Pointcheval-Sanders signatures [42].

References

  1. Abdalla, M., Pointcheval, D.: Simple password-based encrypted key exchange protocols. In: Menezes, A. (ed.) CT-RSA 2005. LNCS, vol. 3376, pp. 191–208. Springer, Heidelberg (2005). https://doi.org/10.1007/978-3-540-30574-3_14

  2. Balfanz, D., Durfee, G., Shankar, N., Smetters, D., Staddon, J., Wong, H.-C.: Secret handshakes from pairing-based key agreements. In: IEEE Symposium on Security and Privacy (S &P), pp. 180–196 (2003)

  3. Bellare, M., Canetti, R., Krawczyk, H.: A modular approach to the design and analysis of authentication and key exchange protocols (extended abstract). In: Proceedings of the Thirtieth Annual ACM Symposium on Theory of Computing (STOC), pp. 419–428 (1998)

  4. Bellare, M., Boldyreva, A., Desai, A., Pointcheval, D.: Key-privacy in public-key encryption. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 566–582. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45682-1_33

  5. Bellovin, S.M., Merritt, M.: Encrypted key-exchange: password-based protocols secure against dictionary attacks. In: IEEE Computer Society Symposium on Research in Security and Privacy, pp. 72–84 (1992)

  6. Benaloh, J., de Mare, M.: One-way accumulators: a decentralized alternative to digital signatures. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 274–285. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48285-7_24

  7. Benhamouda, F., Couteau, G., Pointcheval, D., Wee, H.: Implicit zero-knowledge arguments and applications to the malicious setting. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9216, pp. 107–129. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48000-7_6

  8. Bernstein, D.J., Hamburg, M., Krasnova, A., Lange, T.: Elligator: elliptic-curve points indistinguishable from uniform random strings. In: CCS, pp. 967–980. ACM (2013)

  9. Boneh, D., Franklin, M.: Identity-based encryption from the Weil pairing. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 213–229. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44647-8_13

  10. Boneh, D., Shacham, H.: Group signatures with verifier-local revocation. In: Atluri, V., Pfitzmann, B., McDaniel, P. (eds.) ACM CCS 2004, pp. 168–177. ACM Press, October 2004

  11. Camenisch, J., Lysyanskaya, A.: An efficient system for non-transferable anonymous credentials with optional anonymity revocation. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 93–118. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44987-6_7

  12. Camenisch, J., Lysyanskaya, A.: Dynamic accumulators and application to efficient revocation of anonymous credentials. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 61–76. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45708-9_5

  13. Canetti, R.: Universally composable security: a new paradigm for cryptographic protocols. In: FOCS, pp. 136–145. IEEE Computer Society (2001)

  14. Canetti, R., Krawczyk, H.: Universally composable notions of key exchange and secure channels. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 337–351. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-46035-7_22

  15. Chandran, N., Goyal, V., Ostrovsky, R., Sahai, A.: Covert multi-party computation. In: FOCS, pp. 238–248. IEEE Computer Society (2007)

  16. Chaum, D., van Heyst, E.: Group signatures. In: Davies, D.W. (ed.) EUROCRYPT 1991. LNCS, vol. 547, pp. 257–265. Springer, Heidelberg (1991). https://doi.org/10.1007/3-540-46416-6_22

  17. Cho, C., Dachman-Soled, D., Jarecki, S.: Efficient concurrent covert computation of string equality and set intersection. In: Sako, K. (ed.) CT-RSA 2016. LNCS, vol. 9610, pp. 164–179. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-29485-8_10

  18. Cramer, R., Shoup, V.: Universal hash proofs and a paradigm for adaptive chosen ciphertext secure public-key encryption. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 45–64. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-46035-7_4

  19. Di Crescenzo, G., Ostrovsky, R., Rajagopalan, S.: Conditional oblivious transfer and timed-release encryption. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 74–89. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48910-X_6

  20. Damgård, I.: On \(\Sigma\)-protocols (2010). https://cs.au.dk/~ivan/Sigma.pdf

  21. Diffie, W., Van Oorschot, P.C., Wiener, M.J.: Authentication and authenticated key exchanges. Des. Codes Crypt. 2, 107–125 (1992)

  22. Eldefrawy, K., Genise, N., Jarecki, S.: Short concurrent covert authenticated key exchange (short cAKE). Cryptology ePrint Archive, Paper 2023/xxx (2023). https://eprint.iacr.org/2023/xxx

  23. Fiat, A., Naor, M.: Broadcast encryption. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 480–491. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48329-2_40

  24. Fischlin, M.: Trapdoor commitment schemes and their applications. Ph.D. thesis, Goethe University Frankfurt, Frankfurt am Main, Germany (2001)

  25. Galbraith, S.D., Paterson, K.G., Smart, N.P.: Pairings for cryptographers. Discret. Appl. Math. 156(16), 3113–3121 (2008)

  26. Garg, S., Gentry, C., Sahai, A., Waters, B.: Witness encryption and its applications. In: Symposium on Theory of Computing Conference, STOC 2013, pp. 467–476. ACM (2013)

  27. Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions. In: STOC, pp. 197–206. ACM (2008)

  28. Goldwasser, S., Micali, S.: Probabilistic encryption and how to play mental poker keeping secret all partial information. In: STOC, pp. 365–377. ACM (1982)

  29. Goyal, V., Jain, A.: On the round complexity of covert computation. In: STOC, pp. 191–200. ACM (2010)

  30. Gu, Y., Jarecki, S., Krawczyk, H.: KHAPE: asymmetric PAKE from key-hiding key exchange. In: Malkin, T., Peikert, C. (eds.) CRYPTO 2021. LNCS, vol. 12828, pp. 701–730. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-84259-8_24

  31. Hopper, N.J., Langford, J., von Ahn, L.: Provably secure steganography. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 77–92. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45708-9_6

  32. Jarecki, S.: Practical covert authentication. In: Krawczyk, H. (ed.) PKC 2014. LNCS, vol. 8383, pp. 611–629. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-54631-0_35

  33. Jarecki, S.: Efficient covert two-party computation. In: Abdalla, M., Dahab, R. (eds.) PKC 2018. LNCS, vol. 10769, pp. 644–674. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-76578-5_22

  34. Kilian, J., Petrank, E.: Identity escrow. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 169–185. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0055727

  35. Krawczyk, H.: SKEME: a versatile secure key exchange mechanism for internet. In: 1996 Internet Society Symposium on Network and Distributed System Security (NDSS), pp. 114–127 (1996)

  36. Krawczyk, H.: SIGMA: the ‘SIGn-and-MAc’ approach to authenticated Diffie-Hellman and its use in the IKE protocols. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 400–425. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45146-4_24

  37. Krawczyk, H.: HMQV: a high-performance secure Diffie-Hellman protocol. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 546–566. Springer, Heidelberg (2005). https://doi.org/10.1007/11535218_33

  38. Kumar, R., Nguyen, K.: Covert authentication from lattices. In: Ateniese, G., Venturi, D. (eds.) Applied Cryptography and Network Security. ACNS 2022. LNCS, vol. 13269, pp. 480–500. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-09234-3_24

  39. Manulis, M., Pinkas, B., Poettering, B.: Privacy-preserving group discovery with linear complexity. In: Zhou, J., Yung, M. (eds.) ACNS 2010. LNCS, vol. 6123, pp. 420–437. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13708-2_25

  40. Marlinspike, M., Perrin, T.: The X3DH key agreement protocol (2016). https://signal.org/docs/specifications/x3dh/

  41. Nguyen, L.: Accumulators from bilinear pairings and applications. In: Menezes, A. (ed.) CT-RSA 2005. LNCS, vol. 3376, pp. 275–292. Springer, Heidelberg (2005). https://doi.org/10.1007/978-3-540-30574-3_19

  42. Pointcheval, D., Sanders, O.: Short randomizable signatures. In: Sako, K. (ed.) CT-RSA 2016. LNCS, vol. 9610, pp. 111–126. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-29485-8_7

  43. Rogaway, P.: Nonce-based symmetric encryption. In: Roy, B., Meier, W. (eds.) FSE 2004. LNCS, vol. 3017, pp. 348–358. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-25937-4_22

  44. Appelbaum, J., Dingledine, R.: How governments have tried to block Tor. https://oldsite.andreafortuna.org/security/files/TOR/slides-28c3.pdf

  45. Sachdeva, A.: DARPA making an anonymous and hack-proof mobile communication system. FOSSBYTES Online Article (2019). https://fossbytes.com/darpa-anonymous-hack-proof-mobile-communication-system/

  46. Shbair, W.M., Cholez, T., Goichot, A., Chrisment, I.: Efficiently bypassing SNI-based https filtering. In: 2015 IFIP/IEEE International Symposium on Integrated Network Management (IM), pp. 990–995 (2015)

  47. Tibouchi, M.: Elligator squared: uniform points on elliptic curves of prime order as uniform random strings. In: Christin, N., Safavi-Naini, R. (eds.) FC 2014. LNCS, vol. 8437, pp. 139–156. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45472-5_10

  48. Vipin, N.S., Abdul Nizar, M.: Efficient on-line spam filtering for encrypted messages. In: 2015 IEEE International Conference on Signal Processing, Informatics, Communication and Energy Systems (SPICES), pp. 1–5 (2015)

  49. von Ahn, L., Hopper, N.J., Langford, J.: Covert two-party computation. In: STOC, pp. 513–522. ACM (2005)

  50. Wahby, R.S., Boneh, D.: Fast and simple constant-time hashing to the BLS12-381 elliptic curve. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2019(4), 154–179 (2019)

Corresponding author

Correspondence to Stanislaw Jarecki.

Copyright information

© 2023 International Association for Cryptologic Research

About this paper

Cite this paper

Eldefrawy, K., Genise, N., Jarecki, S. (2023). Short Concurrent Covert Authenticated Key Exchange (Short cAKE). In: Guo, J., Steinfeld, R. (eds) Advances in Cryptology – ASIACRYPT 2023. ASIACRYPT 2023. Lecture Notes in Computer Science, vol 14445. Springer, Singapore. https://doi.org/10.1007/978-981-99-8742-9_3

  • DOI: https://doi.org/10.1007/978-981-99-8742-9_3

  • Publisher Name: Springer, Singapore

  • Print ISBN: 978-981-99-8741-2

  • Online ISBN: 978-981-99-8742-9

  • eBook Packages: Computer Science, Computer Science (R0)
