
Witness-Authenticated Key Exchange, Revisited: Extensions to Groups, Improved Models, Simpler Constructions

  • Conference paper
Financial Cryptography and Data Security (FC 2023)

Abstract

We study witness-authenticated key exchange (WAKE), in which parties authenticate through knowledge of a witness to any NP statement. WAKE achieves generic authenticated key exchange in the absence of trusted parties; WAKE is most suitable when a certificate authority is either unavailable or undesirable, as in highly decentralized networks. In practice WAKE approximates witness encryption, its elusive non-interactive analogue, at the cost of minimal interaction.

This work is the first to propose, model and build witness-authenticated key exchange amongst groups of more than two parties, as well as the first to provide practical and provably secure constructions in the two-party case for general NP statements. Specifically our contributions are:

  1. both game-based and universally composable (Canetti, FOCS ’01) definitions for WAKE along with equivalence conditions between the two definitions,

  2. a highly general compiler that introduces witness-authentication to any key exchange protocol along with, as a direct consequence, a three-round group WAKE protocol from DDH and signatures of knowledge (SOK), and

  3. an optimized two-round group WAKE construction from DDH and SOK along with experimental benchmarks to demonstrate concrete practicality.

Additionally, we study the specialized two-party case and provide a critique of prior work on this topic (Ngo et al., Financial Crypto ’21) by pinpointing nontrivial weaknesses in the model, constructions and security proofs seen therein. We rectify those limitations with this work, significantly diverging in our techniques, design and approach.

K. Melissaris—Work done while affiliated with The City University of New York.


Notes

  1. That is, not requiring certification by an authority and not the output of a specific key generation algorithm.

  2. If every language in NP admits a smooth projective hash function then the polynomial hierarchy collapses.

  3. First, a note on terminology: WAKE and WKA aim at modeling similar settings but the models in our work are more general. In light of the observations in this section we chose to reflect these major differences in approach by further differentiating WAKE from WKA in name.

  4. A full version of our paper can be found on eprint: https://eprint.iacr.org/2022/382.

  5. If Alice and Bob authenticate using witness w the adversary should not learn their key even with knowledge of w. Our definition models this case while the definition of WKA is silent.

  6. If the same party wants to run multiple key agreements for the same relation this setup could potentially be reused.

  7. An ideal functionality for SOK can be found in the full version of our paper.

  8. Our subscript notation is overloaded for ease of understanding; it is convenient to associate participants \(P_i\), statements \(\phi _i\) and witnesses \(\textsf{w}_i\) with the same index i when listing or assigning values, but it is also often convenient to index statements \(\phi _P\) and witnesses \(\textsf{w}_P\) by the associated participant P when discussing a single instance.

  9. Our syntax requires one setup per relation but can easily be extended to a single universal setup [19].

  10. As the session identifier is the transcript of the session, two parties store matching session identifiers if those instances have recorded the same transcript, i.e. received the same messages, and therefore were participating in the same session.

  11. Instances are participating in the same protocol session if the stored session identifiers agree on the first round messages.

  12. Observe that this is perhaps a slightly stronger variant of forward secrecy than that modelled via the corruption oracle in [23].

  13. This can also be seen as an adaptation of Unilaterally Authenticated Key Exchange [13] to the witness-based setting, and is further explored in the full version of our paper.

  14. The UC framework is discussed in detail in the full version of our paper.

  15. See the full version of our paper for more information on the experimental setting.

  16. More specifically, 192 bytes for the group elements and 32 bytes for the SHA256 digest.

  17. As an example consider a prime-testing program \(C_{\textsf{buggy}}\). Here, the bug could consist of an even number greater than 2 that the program erroneously recognizes as a prime. In this case we could have for example \(C_{\textsf{expect}}(z) := \text{``}z \text{ is odd} \vee z = 2\text{''}\). Anything not satisfying the latter would be a false positive. This is not just a toy setting but it is relevant in real world systems [6].
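The bug-witness relation sketched in note 17, written out as an added example (this code is not from the paper and the buggy tester is a constructed stand-in, not the program from [6]). The statement is "\(C_{\textsf{buggy}}\) has a false positive"; a witness is any input that the buggy program accepts while the expectation predicate \(C_{\textsf{expect}}(z) := z \text{ is odd} \vee z = 2\) rejects. The relation checker only runs the two programs, which is exactly what a WAKE party would do to decide whether a peer's claimed witness is valid; the names `c_buggy`, `c_expect`, `is_witness` and `find_witness` are this example's own.

```python
from math import isqrt

# Constructed stand-in for the paper's C_buggy. The planted defect: the
# trial-division loop starts at 3 and only tries odd divisors, so an even
# input is never found to be divisible by 2. Inputs such as 4, 6, 8 and 10
# are therefore wrongly accepted as prime.
def c_buggy(z: int) -> bool:
    if z < 2:
        return False
    for d in range(3, isqrt(z) + 1, 2):
        if z % d == 0:
            return False
    return True

# The paper's C_expect(z) := "z is odd or z = 2": a necessary condition
# for primality that any correct tester must respect.
def c_expect(z: int) -> bool:
    return z % 2 == 1 or z == 2

# Witness relation for the statement "C_buggy has a false positive":
# w is a witness iff the buggy program accepts w and the expectation
# predicate rejects it. A verifier needs nothing but the two programs.
def is_witness(w: int) -> bool:
    return c_buggy(w) and not c_expect(w)

# Brute-force search over a small range, used only to show that witnesses
# exist for this tester; returns the smallest one or None.
def find_witness(limit: int):
    for z in range(limit):
        if is_witness(z):
            return z
    return None

# Independent reference tester, used to confirm that every witness the
# relation accepts really is a composite number (i.e. a genuine bug).
def is_prime(z: int) -> bool:
    if z < 2:
        return False
    return all(z % d for d in range(2, isqrt(z) + 1))

def all_witnesses_are_composite(limit: int) -> bool:
    return all(not is_prime(w) for w in range(limit) if is_witness(w))

if __name__ == "__main__":
    print(f"smallest witness: {find_witness(100)}")
    for z in range(2, 16):
        flag = "  <- false positive" if is_witness(z) else ""
        print(f"{z:2d}: buggy={c_buggy(z)!s:5} expect={c_expect(z)!s:5}{flag}")
```

Note that `c_expect` is deliberately weaker than primality: it is a cheap necessary condition, so a witness proves the tester wrong without the verifier having to run a correct primality test itself, which is the point of choosing an expectation predicate in the first place.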

References

  1. Barta, O., Ishai, Y., Ostrovsky, R., Wu, D.J.: On succinct arguments and witness encryption from groups. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020. LNCS, vol. 12170, pp. 776–806. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56784-2_26

  2. Bellovin, S.M., Merritt, M.: Encrypted key exchange: password-based protocols secure against dictionary attacks. In: 1992 IEEE Computer Society Symposium on Research in Security and Privacy, Oakland, CA, USA, 4–6 May 1992, pp. 72–84. IEEE Computer Society (1992). https://doi.org/10.1109/RISP.1992.213269

  3. Birrell, E., Chung, K.-M., Pass, R., Telang, S.: Randomness-dependent message security. In: Sahai, A. (ed.) TCC 2013. LNCS, vol. 7785, pp. 700–720. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-36594-2_39

  4. Bitansky, N., Chiesa, A., Ishai, Y., Paneth, O., Ostrovsky, R.: Succinct non-interactive arguments via linear interactive proofs. In: Sahai, A. (ed.) TCC 2013. LNCS, vol. 7785, pp. 315–333. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-36594-2_18

  5. BLS12-381 curve. www.electriccoin.co/blog/new-snark-curve/

  6. Bug in primes testing in swiss post voting system. www.gitlab.com/swisspost-evoting/crypto-primitives/crypto-primitives/-/issues/13

  7. Camenisch, J., Casati, N., Gross, T., Shoup, V.: Credential authenticated identification and key exchange. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 255–276. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14623-7_14

  8. Campanelli, M., Gennaro, R., Goldfeder, S., Nizzardo, L.: Zero-knowledge contingent payments revisited: attacks and payments for services. In: Thuraisingham, B., Evans, D., Malkin, T., Xu, D. (eds.) Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, CCS 2017, Dallas, TX, USA, 30 October–03 November 2017, pp. 229–243. ACM (2017). https://doi.org/10.1145/3133956.3134060

  9. Canetti, R.: Universally composable security: a new paradigm for cryptographic protocols. IACR Cryptology ePrint Archive, Paper 2000/067 (2000). https://eprint.iacr.org/2000/067

  10. Chase, M., Lysyanskaya, A.: On signatures of knowledge. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 78–96. Springer, Heidelberg (2006). https://doi.org/10.1007/11818175_5

  11. Cramer, R., Shoup, V.: A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 13–25. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0055717

  12. Diffie, W., Hellman, M.E.: New directions in cryptography. IEEE Trans. Inf. Theor. 22(6), 644–654 (1976). https://doi.org/10.1109/TIT.1976.1055638

  13. Dodis, Y., Fiore, D.: Unilaterally-authenticated key exchange. In: Kiayias, A. (ed.) FC 2017. LNCS, vol. 10322, pp. 542–560. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70972-7_31

  14. Dupont, P.-A., Hesse, J., Pointcheval, D., Reyzin, L., Yakoubov, S.: Fuzzy password-authenticated key exchange. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10822, pp. 393–424. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78372-7_13

  15. Ethereum Name Service. www.ens.domains/

  16. Ganesh, C., Khoshakhlagh, H., Kohlweiss, M., Nitulescu, A., Zajac, M.: What makes Fiat-Shamir zkSNARKs (updatable SRS) simulation extractable? Cryptology ePrint Archive, Report 2021/511 (2021). www.ia.cr/2021/511

  17. Garg, S., Gentry, C., Sahai, A., Waters, B.: Witness encryption and its applications. In: Boneh, D., Roughgarden, T., Feigenbaum, J. (eds.) Symposium on Theory of Computing Conference, STOC 2013, Palo Alto, CA, USA, 1–4 June 2013, pp. 467–476. ACM (2013). https://doi.org/10.1145/2488608.2488667

  18. Greg Maxwell’s zero knowledge contingent payment (bitcoin Wiki). www.en.bitcoin.it/wiki/Zero_Knowledge_Contingent_Payment

  19. Groth, J., Kohlweiss, M., Maller, M., Meiklejohn, S., Miers, I.: Updatable and universal common reference strings with applications to zk-SNARKs. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10993, pp. 698–728. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96878-0_24

  20. Groth, J., Maller, M.: Snarky signatures: minimal signatures of knowledge from simulation-extractable SNARKs. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10402, pp. 581–612. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63715-0_20

  21. Ben Hamouda, F., Blazy, O., Chevalier, C., Pointcheval, D., Vergnaud, D.: Efficient UC-secure authenticated key-exchange for algebraic languages. In: Kurosawa, K., Hanaoka, G. (eds.) PKC 2013. LNCS, vol. 7778, pp. 272–291. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-36362-7_18

  22. Handshake: Decentralized naming and certificate authority. www.handshake.org

  23. Katz, J., Yung, M.: Scalable protocols for authenticated group key exchange. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 110–125. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45146-4_7

  24. Kolesnikov, V., Krawczyk, H., Lindell, Y., Malozemoff, A.J., Rabin, T.: Attribute-based key exchange with general policies. In: Weippl, E.R., Katzenbeisser, S., Kruegel, C., Myers, A.C., Halevi, S. (eds.) Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, Vienna, Austria, 24–28 October 2016, pp. 1451–1463. ACM (2016). https://doi.org/10.1145/2976749.2978359

  25. MeetWallet: The Meet JS SDK Library for MEET.ONE Client. www.meet-common.gitlab.io/fe/meet-js-sdk/classes/meetwallet.html

  26. Ngo, C.N., Massacci, F., Kerschbaum, F., Williams, J.: Practical witness-key-agreement for blockchain-based dark pools financial trading. In: Borisov, N., Diaz, C. (eds.) FC 2021. LNCS, vol. 12675, pp. 579–598. Springer, Heidelberg (2021). https://doi.org/10.1007/978-3-662-64331-0_30

  27. Protocol Labs: Filecoin. www.filecoin.io/

  28. Protocol Labs: IPFS: Interplanetary file system. www.ipfs.io

  29. Rivest, R.L., Shamir, A., Adleman, L.M.: A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 21(2), 120–126 (1978). https://doi.org/10.1145/359340.359342

  30. Sahai, A., Waters, B.: Fuzzy identity-based encryption. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 457–473. Springer, Heidelberg (2005). https://doi.org/10.1007/11426639_27

  31. Shamir, A.: Identity-based cryptosystems and signature schemes. In: Blakley, G.R., Chaum, D. (eds.) CRYPTO 1984. LNCS, vol. 196, pp. 47–53. Springer, Heidelberg (1985). https://doi.org/10.1007/3-540-39568-7_5

  32. CWEB3. www.npmjs.com/package/cweb3


Corresponding authors

Correspondence to Matteo Campanelli, Rosario Gennaro or Kelsey Melissaris.


© 2024 International Financial Cryptography Association


Cite this paper

Campanelli, M., Gennaro, R., Melissaris, K., Nizzardo, L. (2024). Witness-Authenticated Key Exchange, Revisited: Extensions to Groups, Improved Models, Simpler Constructions. In: Baldimtsi, F., Cachin, C. (eds) Financial Cryptography and Data Security. FC 2023. Lecture Notes in Computer Science, vol 13950. Springer, Cham. https://doi.org/10.1007/978-3-031-47754-6_7


  • DOI: https://doi.org/10.1007/978-3-031-47754-6_7


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-47753-9

  • Online ISBN: 978-3-031-47754-6
