Cryptology ePrint Archive: Report 2010/055

Credential Authenticated Identification and Key Exchange

Jan Camenisch and Nathalie Casati and Thomas Gross and Victor Shoup

Abstract: Secure two-party authentication and key exchange are fundamental problems. Traditionally, the parties authenticate each other by means of their identities, using a public-key infrastucture (PKI). However, this is not always feasible or desirable: an appropriate PKI may not be available, or the parties may want to remain anonymous, and not reveal their identities.

To address these needs, we introduce the notions of credential-authenticated identification (CAID) and key exchange (CAKE), where the compatibility of the parties' \emph{credentials} is the criteria for authentication, rather than the parties' \emph{identities} relative to some PKI. We formalize CAID and CAKE in the universal composability (UC) framework, with natural ideal functionalities, and we give practical, modularly designed protocol realizations. We prove all our protocols UC-secure in the adaptive corruption model with erasures, assuming a common reference string (CRS). The proofs are based on standard cryptographic assumptions and do not rely on random oracles.

CAKE includes password-authenticated key exchange (PAKE) as a special case, and we present two new PAKE protocols. The first one is interesting in that it is uses completly different techniques than known practical PAKE protocols, and also achieves UC-security in the adaptive corruption model with erasures; the second one is the first practical PAKE protocol that provides a meaningful form of resilience against server compromise without relying on random oracles.

Category / Keywords: cryptographic protocols / key exchange, authentication, anonymous credentials, PAKE

Date: received 2 Feb 2010, last revised 25 May 2010

Contact author: shoup at cs nyu edu

Available format(s): PDF | BibTeX Citation

Version: 20100525:162928 (All versions of this report)

Discussion forum: Show discussion | Start new discussion


[ Cryptology ePrint archive ]