Cross-Authentication Codes: Constructions and Applications
张筱
2015.6.4
1974 Authentication codes (Gilbert, MacWilliams and Sloane)
Key Generation Algorithm K ← KG(1^n)
Authentication Algorithm T ← Auth(K, m)
Verification Algorithm b ← Ver(K, m, T)
2010 Cross-authentication codes (Serge Fehr,
Dennis Hofheinz, Eike Kiltz, and Hoeteck Wee)
Introduction to XAC
Sender
XGen → (K1, ···, KL)
XAuth(K1, ···, KL) → T
Receiver
XVer(Kj, j, T) → 0/1
Impersonation Attack
Substitution Attack
Strongness
There exists a PPT algorithm to generate another key indistinguishable from the original one.
Semi-uniqueness
For a 2-dimensional key space, given a tag T and Ka, there exists at most one Kb such that XVer(Ka, Kb, T) = 1.
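An added example (not from the slides): the XGen / XAuth / XVer syntax above instantiated with a polynomial-interpolation code in the style of the original FHKW construction, which also makes semi-uniqueness concrete. It is not the new construction this talk presents; the prime P, the function names and the sample keys are assumptions.

```python
import secrets

P = 2**61 - 1  # prime field modulus (assumed parameter, not from the slides)

def xgen(L):
    """XGen: L keys K_j = (a_j, b_j) in F_P^2, resampled until all a_j differ."""
    while True:
        keys = [(secrets.randbelow(P), secrets.randbelow(P)) for _ in range(L)]
        if len({a for a, _ in keys}) == L:
            return keys

def poly_mul_linear(poly, root):
    """Multiply poly (coefficients, low degree first) by (x - root) mod P."""
    out = [0] * (len(poly) + 1)
    for i, c in enumerate(poly):
        out[i] = (out[i] - root * c) % P
        out[i + 1] = (out[i + 1] + c) % P
    return out

def xauth(keys):
    """XAuth: tag T = coefficients of the degree < L polynomial through every (a_j, b_j)."""
    T = [0] * len(keys)
    for j, (aj, bj) in enumerate(keys):
        basis, denom = [1], 1
        for i, (ai, _) in enumerate(keys):
            if i != j:
                basis = poly_mul_linear(basis, ai)   # Lagrange numerator
                denom = denom * (aj - ai) % P        # Lagrange denominator
        scale = bj * pow(denom, -1, P) % P
        for k, c in enumerate(basis):
            T[k] = (T[k] + scale * c) % P
    return T

def poly_eval(T, x):
    acc = 0
    for c in reversed(T):  # Horner's rule
        acc = (acc * x + c) % P
    return acc

def xver(key, j, T):
    """XVer: accept iff poly_T(a) == b; the index j is unused in this construction."""
    return int(poly_eval(T, key[0]) == key[1])

def matching_b(T, a):  # semi-uniqueness: the single b with XVer((a, b), j, T) = 1
    return poly_eval(T, a)

# Constructed sample keys (not from the slides), L = 3
SAMPLE_KEYS = [(2, 5), (7, 11), (13, 1)]
SAMPLE_TAG = xauth(SAMPLE_KEYS)
```

With key K = (a, b), fixing T and a leaves exactly one b that verifies, which is the semi-uniqueness property stated above; any change to a single tag coefficient shifts poly_T at every point and makes all L keys reject.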
Construction of XAC
Sender
XGen → (K1, ···, KL)
XAuth(K1, ···, KL) → T
Receiver
XVer(Kj, j, T) → b
This probability estimate enjoys a better upper bound than the construction of FHKW in Euro10.
Strongness
Semi-uniqueness
The XAC we constructed is a strong and strengthened one.
Application1: Deniable Encryption
Sender
pk
Receiver
sk
c = Enc_pk(m, r)
r'' ← φS(m, r, m')
m ← Dec_sk(c)
The ciphertext c could be opened as a "fake" message m'!
Adversary
1. c ← Enc_pk(m, r), c' ← Enc_pk(m', r'), r'' ← φS(pk, m, r, m')
2. b ← {0, 1};
   if b = 0, (m*, r*, c*) = (m', r', c'); if b = 1, (m*, r*, c*) = (m', r'', c)
3. b' ← A^{Dec(·)}(pk, m*, r*, c*)
4. Return 1 if b' = b, otherwise 0
Security: Pr[Adversary = 1] ≈ 1/2
E = (Gen, Enc, Dec, φS)
– Gen(1^k)
(hpk, hsk) ← HashGen(1^k), outputs pk = (hpk, h), sk = hsk.
– Enc_pk(m, r). m ∈ {0,1},
r = (λ', W1, X1', K1', ···, WL, XL', KL'), λ' ∈ RSampleL
1. To encrypt 0 (or 1), compute λ = 2(λ'-1) (or λ = 2λ'-1).
2. Set a mode string s = s1 s2 ... sL ∈ {0,1}^L as s1 = 1, s2 = 1, ..., sλ = 1, sλ+1 = 0, ..., sL = 0.
3. For j ∈ [L], set Xj = Xj' if sj = 0; Xj = SampleL(L; Wj) if sj = 1.
4. For j ∈ [L], set Kj = Kj' if sj = 0; Kj = PuEval(L; Wj) if sj = 1, and compute T = XAuth(K1, ..., KL).
5. Return the ciphertext c = (X1, ..., XL, T).
0 – λ is a random even number
1 – λ is a random odd number
[Figure: mode string s = s1, s2, ..., sλ, sλ+1, ..., sL with Xj and Kj per position; mode 1: L, PuEval; mode 0: X, K]
– Dec_sk(c).
1. Parse c = (X1, ..., XL, T), and compute t = h(X1, ..., XL).
2. For j ∈ [L], compute Kj = SeEval(hsk, Xj, t) and sj = XVer(Kj, j, T).
3. Output 0 if the string s = s1 s2 ... sL has an even number of 1s, otherwise output 1.
[Figure: mode string s = s1, s2, ..., sλ, sλ+1, ..., sL; labels: Xj, [Kj], L, PuEval, Kj, SeEval, X, K]
– φS(pk, m, r, m').
Set r* := (λ*', W1*, X1*', K1*', ···, WL*, XL*', KL*')
1. λ*' = λ' if (m, m*) = (1, 0); λ*' = λ'-1 if (m, m*) = (0, 1)
2. (Wj*, Xj*', Kj*') = (Wj, Xj', Kj') for all j ≠ λ;
3. Wλ* is randomly selected from RSampleL;
4. Xλ* = SampleL(L; Wλ) and Kλ* = PuEval(λ, (Kj')j≠λ, T)
[Figure: mode string s = s1, s2, ..., sλ-1, sλ, sλ+1, ..., sL; labels: Xλ*, Kλ*, L, PuEval, X, K; annotation: sλ+1 : 0 → 1 !]
Security Proof (×)
1. abort condition
2. abort condition
3. Kj = SeEval(hsk, Xj, t) → Kj = PuEval(hpk, Xj, Wj, t)
4. K*λ+1 = SeEval(hsk, Xj, t*λ+1)
5. back to sj = XVer(Kj, j, T)
6. X*λ+1 is chosen from L
7. So we have Xj ∈ L, Kj = PuEval(hpk, Xj, Wj, t), so it is the encryption of 1. Rewrite.
Attack
Adversary
← c = (X1, ..., XL, T);
→ corresponding r = (λ, W1, X1, K1, ···, WL, XL, KL)
→ corresponding Kj
→ forge a tag T' such that XVer(Kj, j, T') = 1
The security against substitution attack of XAC is not sufficient!
Security Proof (√)
1. abort condition (randomly chosen)
2. abort condition (collision-resistant hash function)
3. Kj = SeEval(hsk, Xj, t) → Kj = PuEval(hpk, Xj, Wj, t) (EHPS)
4. K*λ+1 = SeEval(hsk, Xj, t*λ+1) (Sparseness of SMP)
5. K*λ+1 = Resample(hsk, Xj, t*λ+1) (strongness of XAC)
6. Kj = SeEval(hsk, Xj, t*λ+1) (security of imp & sub of XAC)
7. Xλ+1 is chosen from L (hardness of SMP)
8. So we have Xj ∈ L, Kj = PuEval(hpk, Xj, Wj, t), so it is the encryption of 1. Rewrite.
Application2: The new FHKW Scheme
FHKW Scheme: Cross-Authentication Code + Hash Proof System
new FHKW Scheme: Strengthened Cross-Authentication Code + Extended Hash Proof System
Thank You