Pairwise Key Agreement in Broadcasting Networks - 2005.11.11 - Ik Rae Jeong.
-
Upload
savion-gillson -
Category
Documents
-
view
214 -
download
1
Transcript of Pairwise Key Agreement in Broadcasting Networks - 2005.11.11 - Ik Rae Jeong.
![Page 1: Pairwise Key Agreement in Broadcasting Networks - 2005.11.11 - Ik Rae Jeong.](https://reader035.fdocuments.us/reader035/viewer/2022062712/56649c765503460f9492a9a5/html5/thumbnails/1.jpg)
Pairwise Key Agreement in Broadcasting Networks
- 2005.11.11- Ik Rae Jeong
![Page 2: Pairwise Key Agreement in Broadcasting Networks - 2005.11.11 - Ik Rae Jeong.](https://reader035.fdocuments.us/reader035/viewer/2022062712/56649c765503460f9492a9a5/html5/thumbnails/2.jpg)
Contents
I. Security Notions of Key ExchangeII. Type of NetworksIII. Key Agreement for Key Graphs
![Page 3: Pairwise Key Agreement in Broadcasting Networks - 2005.11.11 - Ik Rae Jeong.](https://reader035.fdocuments.us/reader035/viewer/2022062712/56649c765503460f9492a9a5/html5/thumbnails/3.jpg)
I. Security Notions of Key Exchange
• IA (Implicit Authentication)– Only a designated party can calculate the same sessio
n key. Dishonest parties can not get any information about the session key.
• KI (Key Independence)– security against Denning-Sacco attacks (known key attacks)– for the cases when other session keys are revealed
• FS (Forward Secrecy)– for the cases when long-term secrets are revealed
![Page 4: Pairwise Key Agreement in Broadcasting Networks - 2005.11.11 - Ik Rae Jeong.](https://reader035.fdocuments.us/reader035/viewer/2022062712/56649c765503460f9492a9a5/html5/thumbnails/4.jpg)
II. Types of Network
• half-duplex
• full-duplex
1m
2m
3m
4m
1m
2m
3m
4m
4 Rounds
2 Rounds
Alice Bob
Alice Bob
![Page 5: Pairwise Key Agreement in Broadcasting Networks - 2005.11.11 - Ik Rae Jeong.](https://reader035.fdocuments.us/reader035/viewer/2022062712/56649c765503460f9492a9a5/html5/thumbnails/5.jpg)
II. Types of Network
• Broadcasting Network
11m 21m 31m 41mRound 1
P1 P4P3P2
12m 22m 32m 42mRound 2
![Page 6: Pairwise Key Agreement in Broadcasting Networks - 2005.11.11 - Ik Rae Jeong.](https://reader035.fdocuments.us/reader035/viewer/2022062712/56649c765503460f9492a9a5/html5/thumbnails/6.jpg)
DH (half-duplex)
ag
bg
( )b ask g ( )a bsk g
Alice Bob
2 Rounds
![Page 7: Pairwise Key Agreement in Broadcasting Networks - 2005.11.11 - Ik Rae Jeong.](https://reader035.fdocuments.us/reader035/viewer/2022062712/56649c765503460f9492a9a5/html5/thumbnails/7.jpg)
DH (full-duplex)
ag
bg
( )b ask g ( )a bsk g
Alice Bob
1 Round
![Page 8: Pairwise Key Agreement in Broadcasting Networks - 2005.11.11 - Ik Rae Jeong.](https://reader035.fdocuments.us/reader035/viewer/2022062712/56649c765503460f9492a9a5/html5/thumbnails/8.jpg)
Session Identifier
• The unique string per session• Used to define matching session in
the definition of security of key exchange
• In the full-duplex channel: the message concatenation by the
ordering of owners
![Page 9: Pairwise Key Agreement in Broadcasting Networks - 2005.11.11 - Ik Rae Jeong.](https://reader035.fdocuments.us/reader035/viewer/2022062712/56649c765503460f9492a9a5/html5/thumbnails/9.jpg)
III. Key Agreement for Key Graphs
• We have constructed more efficient key exchange schemes which provides pairwise key exchange between parties via randomness re-use technique.
![Page 10: Pairwise Key Agreement in Broadcasting Networks - 2005.11.11 - Ik Rae Jeong.](https://reader035.fdocuments.us/reader035/viewer/2022062712/56649c765503460f9492a9a5/html5/thumbnails/10.jpg)
Sequential Key Exchangebetween Parties
P1
P4 P3
P2
![Page 11: Pairwise Key Agreement in Broadcasting Networks - 2005.11.11 - Ik Rae Jeong.](https://reader035.fdocuments.us/reader035/viewer/2022062712/56649c765503460f9492a9a5/html5/thumbnails/11.jpg)
Concurrent Key Exchangebetween Parties
P1
P4 P3
P2
![Page 12: Pairwise Key Agreement in Broadcasting Networks - 2005.11.11 - Ik Rae Jeong.](https://reader035.fdocuments.us/reader035/viewer/2022062712/56649c765503460f9492a9a5/html5/thumbnails/12.jpg)
Motivation
• How do we efficiently do concurrent execution of the two-party key exchange scheme ?
![Page 13: Pairwise Key Agreement in Broadcasting Networks - 2005.11.11 - Ik Rae Jeong.](https://reader035.fdocuments.us/reader035/viewer/2022062712/56649c765503460f9492a9a5/html5/thumbnails/13.jpg)
Our Results
• An efficient one-round key exchange scheme providing key independence in the standard model
• A two-round key exchange scheme providing forward secrecy in the standard model
![Page 14: Pairwise Key Agreement in Broadcasting Networks - 2005.11.11 - Ik Rae Jeong.](https://reader035.fdocuments.us/reader035/viewer/2022062712/56649c765503460f9492a9a5/html5/thumbnails/14.jpg)
Key Graphfor Session keys (1)
P1
P4 P3
P2G={V,E}V={P1,P2,P3,P4}E={(P1,P2),(P1,P3),(P1,P4)}
G={V,E}V={P1,P2,P3,P4}E={(P1,P2),(P2,P3),(P3,P4), (P4,P1)}
P1
P4 P3
P2
![Page 15: Pairwise Key Agreement in Broadcasting Networks - 2005.11.11 - Ik Rae Jeong.](https://reader035.fdocuments.us/reader035/viewer/2022062712/56649c765503460f9492a9a5/html5/thumbnails/15.jpg)
Key Graphfor Session keys (2)
G={V,E}V={P1,P2,P3,P4}E={(P1,P2),(P1,P3), (P2,P4), (P2,P5), (P3,P6), (P3,P7)}
G={V,E}V={P1,P2,P3,P4}E={(P1,P2),(P1,P3),(P1,P4), (P2,P3),(P2,P4),(P3,P4)}
P1
P4 P3
P2
P1
P4
P3P2
P5 P6 P7
![Page 16: Pairwise Key Agreement in Broadcasting Networks - 2005.11.11 - Ik Rae Jeong.](https://reader035.fdocuments.us/reader035/viewer/2022062712/56649c765503460f9492a9a5/html5/thumbnails/16.jpg)
Key Exchange Model for Key Graphs
• Broadcasting network• Several session keys in a single
session
![Page 17: Pairwise Key Agreement in Broadcasting Networks - 2005.11.11 - Ik Rae Jeong.](https://reader035.fdocuments.us/reader035/viewer/2022062712/56649c765503460f9492a9a5/html5/thumbnails/17.jpg)
One-Round Two-Party Diffie-Hellman Key Exchange
P1 P2
1g2g
1 2sk g
![Page 18: Pairwise Key Agreement in Broadcasting Networks - 2005.11.11 - Ik Rae Jeong.](https://reader035.fdocuments.us/reader035/viewer/2022062712/56649c765503460f9492a9a5/html5/thumbnails/18.jpg)
One-Round Concurrent Key Exchange using Two-Party Key Exchange
P1
P4 P3
P2
1,1g2g
1,1 2
1,2sk g
3g4g
1,2 3
1,3sk g 1,3 4
1,4sk g
1,2g1,3g
P1 requires three random values.
![Page 19: Pairwise Key Agreement in Broadcasting Networks - 2005.11.11 - Ik Rae Jeong.](https://reader035.fdocuments.us/reader035/viewer/2022062712/56649c765503460f9492a9a5/html5/thumbnails/19.jpg)
One-Round Concurrent Key Exchange using randomness re-use technique
P1
P4 P3
P2
1g 2g1 2
1,2sk g
3g4g
1 31,3sk g
1 41,4sk g
P1 requires one random values.
![Page 20: Pairwise Key Agreement in Broadcasting Networks - 2005.11.11 - Ik Rae Jeong.](https://reader035.fdocuments.us/reader035/viewer/2022062712/56649c765503460f9492a9a5/html5/thumbnails/20.jpg)
Randomness Re-useunder the DDH assumption
• Pairwise DDH assumption 1
11 1 2
1,2 1,1
1 1,2 1,
{0,1};
,..., , ,..., [1, ];
1, ( ,..., , ,..., );
( ,..., , ,..., );
' ( );
n n n
n nn
n n n
w w
b
w w q
if b I g g g g
else I g g g g
b A I
Exp
2Pr[ '] 1AAdv b b
![Page 21: Pairwise Key Agreement in Broadcasting Networks - 2005.11.11 - Ik Rae Jeong.](https://reader035.fdocuments.us/reader035/viewer/2022062712/56649c765503460f9492a9a5/html5/thumbnails/21.jpg)
Randomness Re-useunder the DDH assumption
• Pairwise DDH assumption 2
' ' 11 2
11 2
1
1
{0,1};
,..., , [1, ];
', ' ( ,..., )
1, ( ,..., ,..., );
( ,..., ,..., );
' ( );
i j n n
n n
n
n
w
b
w q
i j A
if b I g g g
else I g g g
b A I
Exp
2Pr[ '] 1AAdv b b
![Page 22: Pairwise Key Agreement in Broadcasting Networks - 2005.11.11 - Ik Rae Jeong.](https://reader035.fdocuments.us/reader035/viewer/2022062712/56649c765503460f9492a9a5/html5/thumbnails/22.jpg)
PKA1
P1 P4P3P2
1r 2r 3r 4r
11
xy g 22
xy g 33
xy g 44
xy g
1 2
1 3
1 4
1,2
1,3
2 3
1 4
1 4
,
( )
(
|| ||
)
( )
||
x x
x x
x x
g
g
g
sk F sid
sk F sid
s
sid r r r r
k F sid
Round 1:
KI in the standard model
F is a pseudo random function
![Page 23: Pairwise Key Agreement in Broadcasting Networks - 2005.11.11 - Ik Rae Jeong.](https://reader035.fdocuments.us/reader035/viewer/2022062712/56649c765503460f9492a9a5/html5/thumbnails/23.jpg)
PKA2
P1 P4P3P2
11
xy g 22
xy g 33
xy g 44
xy g
. ( )iii xS gen g
11||g 2
2||g 33||g 4
4||g Round 1:
1 2
1 3
1 4
1,2
1,3
1,4
sk g
sk g
sk g
FS in the standard model
![Page 24: Pairwise Key Agreement in Broadcasting Networks - 2005.11.11 - Ik Rae Jeong.](https://reader035.fdocuments.us/reader035/viewer/2022062712/56649c765503460f9492a9a5/html5/thumbnails/24.jpg)
Security
• PKA1 and PKA2 – reduced to the DDH problem in the
standard model
![Page 25: Pairwise Key Agreement in Broadcasting Networks - 2005.11.11 - Ik Rae Jeong.](https://reader035.fdocuments.us/reader035/viewer/2022062712/56649c765503460f9492a9a5/html5/thumbnails/25.jpg)
Discussion
• Key exchange for key graph is an extension of two-party key exchange.
• Key exchange for key graph can be used as a subprotocol of another protocol such as group key exchange protocols.
![Page 26: Pairwise Key Agreement in Broadcasting Networks - 2005.11.11 - Ik Rae Jeong.](https://reader035.fdocuments.us/reader035/viewer/2022062712/56649c765503460f9492a9a5/html5/thumbnails/26.jpg)
Thank You !