
Composable Security of Distributed Symmetric Key Establishment Protocol

Jie Lin, Manfred von Willich, Hoi-Kwong Lo

TL;DR

This work proves the security and robustness of the DSKE protocol against any computationally unbounded adversary, who additionally may have fully compromised a bounded number of the intermediaries and can eavesdrop on all communication.

Abstract

The Distributed Symmetric Key Establishment (DSKE) protocol provides secure secret exchange (e.g., for key exchange) between two honest parties that need not have had prior contact, and who use intermediaries with whom they each securely share confidential data. We show the composable security of the DSKE protocol in the constructive cryptography framework of Maurer. Specifically, we prove the security (correctness and confidentiality) and robustness of this protocol against any computationally unbounded adversary, who additionally may have fully compromised a bounded number of the intermediaries and can eavesdrop on all communication. As DSKE is highly scalable in a network setting with no distance limit, it is expected to be a cost-effective quantum-safe cryptographic solution for safeguarding network security against the threat of quantum computers.

Paper Structure

This paper contains 35 sections, 16 theorems, 41 equations, 5 figures, 1 table.

Key Result

Theorem 2.1

Denote $\mathbf{v} = (v_{1},...,v_{s})$ and $\mathbf{v}^{*} = (v^{*}_{1},...,v^{*}_{s})$. Let $\Omega=F^2$ be a sample space with uniform probability. Let $h_{C,D}(\mathbf{v})=d+\sum_{j=1}^{s}c^{j} v_{j}$ define a family of functions with random variables $(C,D)\in\Omega$ as selection parameters. Le

Figures (5)

  • Figure 1: (Modified from Figure 1 of Lo2022) The results of the one-time set-up: Steps 1 (PSRD generation and distribution) and 2 (Peer identity establishment) of the protocol. DSKE users Alice, Bob and Charlie share an ordered table of PSRD with each of the Security Hubs. Each Security Hub only knows its own part of the users' tables. For this illustration only, the PSRD is shown as bits.
  • Figure 2: An ideal key distribution resource, which consists of a "secret" resource that generates a secret on interfaces $A$ and conditionally $B$ and a modified real resource system that runs the DSKE protocol whose only purpose is to determine whether the protocol aborts. The modified real resource system is the real resource system depicted in Figure 3 with the requirement that the secret from running the $(n, k)$-threshold scheme is $S^A$ generated by the secret resource. The ideal system outputs $S^A$ at the $A$-interface, $S^B$ at the $B$-interface. Its $E$-interface is the $E$-interface of the real system with an additional ability (not shown in this diagram) to set the operation mode (i.e., honest versus compromised) of each Security Hub.
  • Figure 3: A real key distribution resource using $n$ Security Hubs. Each green box represents an authenticated channel labelled by $\mathbf{A}^+$ with a suitable subscript that identifies the communicating parties. The secret key resource $\mathbf{K}_{AP_i}$ is used to encrypt $Y_i$ and $\mathbf{K}_{P_iB}$ is used to encrypt $\overline{Y}_i$. If a Hub $P_i$ is compromised, Eve determines values of $Y_i, T_i, \overline{Y}_i, \overline{T}_i$ by accepting $(\overline{Y}^E_i, \overline{T}^E_i)$ at the $E$-interface; the system outputs $(Y^E_i, T^E_i):=(Y_i, T_i)$ at the $E$-interface. For honest Hubs, since the ciphertext of $Y_i$ ($\overline{Y}_i$) reveals no information about $Y_i$ ($\overline{Y}_i$), we simply set $Y^E_i:=\perp$ to indicate this. For each Hub $P_i$, a two-bit variable $Z^E_i$ as an input to the $E_i$-interface is used to set the behaviours of two relevant authenticated channels. The $E$-interface of the system consists of $E_1$, …, $E_n$, where the alphabets for those inputs and outputs are determined by the operation mode of each corresponding Hub. The operation mode of each Hub is predetermined and cannot be altered through the $E$-interface. Figure legend: ENC: encryption operation, DEC: decryption operation, SHARE-GEN: share generation, SEC-REC: secret reconstruction, SEC-VAL: secret validation.
  • Figure 4: An ideal key agreement resource using $n$ Security Hubs with the simulator $\sigma^E$. Hubs are reordered for drawing purposes only. The set of compromised Hubs is denoted by $C$. The simulator $\sigma^E$ sets operation modes of the Security Hubs contained inside the ideal resource system. For Hubs in the set $C$, it sets the Hub $P_i$ to operate in the compromised mode and uses $Z^E_i:=00$ it receives from its $E$-interface to set the behaviours of two authenticated channels for the Hub $P_i$. For all other Hubs that are not in the set $C$, the simulator $\sigma^E$ sets the Hub $P_j$ to operate in the honest mode and uses $Z^E_j \in \{00, 01, 10, 11\}$ to set the behaviours of two authenticated channels for the Hub $P_j$. The $E$-interface of the simulator also accepts a pair of values $(\overline{Y}^E_i,\overline{T}^E_i)$ and it outputs $(Y^E_i, T^E_i)$ received from the ideal system. The allowed alphabets for those variables are determined by the operation mode of each corresponding Hub.
  • Figure 5: The distinguisher $\mathfrak{D}$ connects to an unknown system, interacts with it and produces a one-bit output that indicates its guess about the identity of the unknown system.

Theorems & Definitions (39)

  • Theorem 2.1
  • proof
  • Theorem 2.2
  • proof
  • Theorem 2.3
  • proof
  • Theorem 2.4
  • proof
  • Theorem 2.5
  • proof
  • ...and 29 more