Cryptology ePrint Archive: Report 2012/284

Efficient UC-Secure Authenticated Key-Exchange for Algebraic Languages

Fabrice Ben Hamouda and Olivier Blazy and CÚline Chevalier and David Pointcheval and Damien Vergnaud

Abstract: \emph{Authenticated Key Exchange} (AKE) protocols enable two parties to establish a shared, cryptographically strong key over an insecure network using various authentication means, such as cryptographic keys, short (\emph{i.e.}, low-entropy) secret keys or \emph{credentials}. In this paper, we provide a general framework, that encompasses several previous AKE primitives such as \emph{(Verifier-based) Password-Authenticated Key Exchange} or \emph{Secret Handshakes}, we call \emph{LAKE} for \emph{Language-Authenticated Key Exchange}.

We first model this general primitive in the \emph{Universal Composability} (UC) setting. Thereafter, we show that the Gennaro-Lindell approach can efficiently address this goal. But we need \emph{smooth projective hash functions} on new languages, whose efficient implementations are of independent interest. We indeed provide such hash functions for languages defined by combinations of linear pairing product equations.

Combined with an efficient commitment scheme, that is derived from the highly-efficient UC-secure Lindell's commitment, we obtain a very practical realization of Secret Handshakes, but also \emph{Credential-Authenticated Key Exchange protocols}. All the protocols are UC-secure, in the standard model with a common reference string, under the classical Decisional Linear assumption.

Category / Keywords: cryptographic protocols / Authenticated Key Exchange, Universal Composability, Secret Handshakes

Publication Info: Full version of the PKC 2013 paper

Date: received 21 May 2012, last revised 14 Dec 2012

Contact author: David Pointcheval at ens fr

Available format(s): PDF | BibTeX Citation

Note: Clarification of the functionality and the corresponding proofs.

Version: 20121214:170517 (All versions of this report)

Discussion forum: Show discussion | Start new discussion


[ Cryptology ePrint archive ]