CCS’16 - tca.iscas.ac.cn/userfiles/file/4_1-张振峰-Practical Anonymous...

October 24–28, 2016, Vienna, Austria

CCS’16: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security

Sponsored by: ACM SIGSAC

Supported by: National Science Foundation, SBA Research, CISCO, Huawei, Baidu, IBM Research, Office of Naval Research, Hewlett-Packard Enterprise, Bosch, Google, SAP, and Cyan Security Group


Table of Contents

CCS 2016 Conference Organization ......................................................................................... xxiii

CCS 2016 Sponsors & Supporters ............................................................................................ xxxii

Keynote

Cybersecurity, Nuclear Security, Alan Turing, and Illogical Logic ............................................... 1 Martin E. Hellman (Stanford University)

Paper Session 1A: Blockchain I

On the Security and Performance of Proof of Work Blockchains ................................................ 3 Arthur Gervais (ETH Zurich), Ghassan O. Karame (NEC Laboratories), Karl Wüst, Vasileios Glykantzis, Hubert Ritzdorf, Srdjan Čapkun (ETH Zurich)

A Secure Sharding Protocol for Open Blockchains ....................................................................... 17 Loi Luu, Viswesh Narayanan, Chaodong Zheng, Kunal Baweja, Seth Gilbert, Prateek Saxena (National University of Singapore)

The Honey Badger of BFT Protocols ................................................................................................... 31 Andrew Miller (University of Illinois at Urbana-Champaign), Yu Xia (Massachusetts Institute of Technology), Kyle Croman, Elaine Shi (Cornell University), Dawn Song (University of California, Berkeley)

Paper Session 1B: Differential Privacy

Differential Privacy as a Mutual Information Constraint ................................................................ 43 Paul Cuff, Lanqing Yu (Princeton University)

Advanced Probabilistic Couplings for Differential Privacy .......................................................... 55 Gilles Barthe (IMDEA Software Institute), Noémie Fong (Ecole Normale Superieure), Marco Gaboardi (University at Buffalo, SUNY), Benjamin Grégoire (INRIA), Justin Hsu (University of Pennsylvania), Pierre-Yves Strub (IMDEA Software Institute)

Differentially Private Bayesian Programming ................................................................................... 68 Gilles Barthe (IMDEA Software Institute), Gian Pietro Farina, Marco Gaboardi (University at Buffalo, SUNY), Emilio Jesús Gallego Arias (CRI Mines-ParisTech), Andy Gordon (Microsoft Research), Justin Hsu (University of Pennsylvania), Pierre-Yves Strub (IMDEA Software Institute)

Paper Session 1C: Android Security

The Misuse of Android Unix Domain Sockets and Security Implications ................................ 80 Yuru Shao (University of Michigan), Jason Ott (University of California, Riverside), Yunhan Jack Jia (University of Michigan), Zhiyun Qian (University of California, Riverside), Z. Morley Mao (University of Michigan)

Call Me Back! Attacks on System Server and System Apps in Android through Synchronous Callback ............................................................................................................ 92 Kai Wang, Yuqing Zhang (University of Chinese Academy of Sciences), Peng Liu (The Pennsylvania State University)

Draco: A System for Uniform and Fine-grained Access Control for Web Code on Android ...................................................................................................................... 104 Guliz Seray Tuncay, Soteris Demetriou, Carl A. Gunter (University of Illinois at Urbana-Champaign)

Paper Session 1D: Hardware Protection

Strong Non-Interference and Type-Directed Higher-Order Masking ....................................... 116 Gilles Barthe (IMDEA Software Institute), Sonia Belaïd (Thales Communications & Security), François Dupressoir (IMDEA Software Institute), Pierre-Alain Fouque (Université de Rennes 1), Benjamin Grégoire (Inria Sophia-Antipolis – Méditerranée), Pierre-Yves Strub (IMDEA Software Institute), Rébecca Zucchini (Inria Sophia-Antipolis – Méditerranée & École Normale Supérieure de Cachan)


MERS: Statistical Test Generation for Side-Channel Analysis based Trojan Detection .......................................................................................................................... 130 Yuanwen Huang, Swarup Bhunia, Prabhat Mishra (University of Florida)

Private Circuits III: Hardware Trojan-Resilience via Testing Amplification ........................... 142 Stefan Dziembowski (University of Warsaw), Sebastian Faust (Ruhr-University Bochum), François-Xavier Standaert (Universite catholique de Louvain)

Paper Session 2A: Blockchain II

On the Instability of Bitcoin without the Block Reward ............................................................... 154 Miles Carlsten, Harry Kalodner, S. Matthew Weinberg, Arvind Narayanan (Princeton University)

Transparency Overlays and Applications ........................................................................................ 168 Melissa Chase (Microsoft Research), Sarah Meiklejohn (University College London)

Paper Session 2B: Differentially Private Systems I

EpicRec: Towards Practical Differentially Private Framework for Personalized Recommendation .................................................................................................... 180 Yilin Shen, Hongxia Jin (Samsung Research America)

Heavy Hitter Estimation over Set-Valued Data with Local Differential Privacy .................... 192 Zhan Qin (Hamad Bin Khalifa University & State University of New York at Buffalo), Yin Yang, Ting Yu, Issa Khalil (Hamad Bin Khalifa University), Xiaokui Xiao (Nanyang Technological University), Kui Ren (State University of New York at Buffalo)

Paper Session 2C: Access Control

AUDACIOUS: User-Driven Access Control with Unmodified Operating Systems .............. 204 Talia Ringer, Dan Grossman, Franziska Roesner (University of Washington)

Mix&Slice: Efficient Access Revocation in the Cloud .................................................................. 217 Enrico Bacis (Università di Bergamo), Sabrina De Capitani di Vimercati, Sara Foresti (Università degli Studi di Milano), Stefano Paraboschi, Marco Rosa (Università di Bergamo), Pierangela Samarati (Università degli Studi di Milano)

Paper Session 2D: Security and Persistence

Safe Serializable Secure Scheduling: Transactions and the Trade-Off Between Security and Consistency ..................................................................................................................... 229 Isaac Sheff, Tom Magrino, Jed Liu, Andrew C. Myers, Robbert van Renesse (Cornell University)

ProvUSB: Block-level Provenance-Based Data Protection for USB Storage Devices ....... 242 Dave (Jing) Tian (University of Florida), Adam Bates (University of Illinois at Urbana-Champaign), Kevin R.B. Butler (University of Florida), Raju Rangaswami (Florida International University)

Paper Session 3A: Smart Contracts

Making Smart Contracts Smarter ....................................................................................................... 254 Loi Luu, Duc-Hiep Chu (National University of Singapore), Hrishi Olickel (Yale-NUS College), Prateek Saxena (National University of Singapore), Aquinas Hobor (Yale-NUS College & National University of Singapore)

Town Crier: An Authenticated Data Feed for Smart Contracts ................................................. 270 Fan Zhang, Ethan Cecchetti, Kyle Croman (Cornell University), Ari Juels (Cornell Tech, Jacobs Institute), Elaine Shi (Cornell University)

The Ring of Gyges: Investigating the Future of Criminal Smart Contracts ........................... 283 Ari Juels (Cornell Tech, Jacobs Institute), Ahmed Kosba (University of Maryland), Elaine Shi (Cornell University)


Paper Session 3B: Differentially Private Systems II

DPSense: Differentially Private Crowdsourced Spectrum Sensing ......................................... 296 Xiaocong Jin (Arizona State University), Rui Zhang (University of Delaware), Yimin Chen, Tao Li, Yanchao Zhang (Arizona State University)

Deep Learning with Differential Privacy ........................................................................................... 308 Martín Abadi, Andy Chu (Google), Ian Goodfellow (OpenAI), H. Brendan McMahan, Ilya Mironov, Kunal Talwar, Li Zhang (Google)

Membership Privacy in MicroRNA-based Studies ......................................................................... 319 Michael Backes, Pascal Berrang, Mathias Humbert, Praveen Manoharan (Saarland University)

Paper Session 3C: Mobile Software Analysis

TaintART: A Practical Multi-level Information-Flow Tracking System for Android RunTime .............................................................................................................................. 331 Mingshen Sun (The Chinese University of Hong Kong), Tao Wei (Baidu, Inc.), John C. S. Lui (The Chinese University of Hong Kong)

Statistical Deobfuscation of Android Applications ....................................................................... 343 Benjamin Bichsel, Veselin Raychev, Petar Tsankov, Martin Vechev (ETH Zurich)

Reliable Third-Party Library Detection in Android and its Security Applications ............... 356 Michael Backes (Saarland University & MPI-SWS), Sven Bugiel, Erik Derr (Saarland University)

Paper Session 3D: Kernel Memory Security

Prefetch Side-Channel Attacks: Bypassing SMAP and Kernel ASLR ..................................... 368 Daniel Gruss, Clémentine Maurice (Graz University of Technology), Anders Fogh (G DATA Advanced Analytics), Moritz Lipp, Stefan Mangard (Graz University of Technology)

Breaking Kernel Address Space Layout Randomization with Intel TSX ................................ 380 Yeongjin Jang, Sangho Lee, Taesoo Kim (Georgia Institute of Technology)

Enforcing Least Privilege Memory Views for Multithreaded Applications ............................ 393 Terry Ching-Hsiang Hsu (Purdue University), Kevin Hoffman (eFolder Inc.), Patrick Eugster (Purdue University & TU Darmstadt), Mathias Payer (Purdue University)

Paper Session 4A: Secure MPC I

Improvements to Secure Computation with Penalties ................................................................. 406 Ranjit Kumaresan, Vinod Vaikuntanathan, Prashant Nalini Vasudevan (Massachusetts Institute of Technology)

Amortizing Secure Computation with Penalties ............................................................................ 418 Ranjit Kumaresan (Massachusetts Institute of Technology), Iddo Bentov (Cornell University)

MPC-Friendly Symmetric Key Primitives ......................................................................................... 430 Lorenzo Grassi, Christian Rechberger (Graz University of Technology), Dragos Rotaru, Peter Scholl, Nigel P. Smart (University of Bristol)

Paper Session 4B: Attacks on Ciphers

Message-Recovery Attacks on Feistel-Based Format Preserving Encryption ..................... 444 Mihir Bellare (University of California, San Diego), Viet Tung Hoang (Florida State University), Stefano Tessaro (University of California, Santa Barbara)

On the Practical (In-)Security of 64-bit Block Ciphers: Collision Attacks on HTTP over TLS and OpenVPN ......................................................................................................................... 456 Karthikeyan Bhargavan, Gaëtan Leurent (Inria)

A Systematic Analysis of the Juniper Dual EC Incident .............................................................. 468 Stephen Checkoway (University of Illinois at Chicago), Jacob Maskiewicz (University of California, San Diego), Christina Garman (Johns Hopkins University), Joshua Fried, Shaanan Cohney (University of Pennsylvania), Matthew Green (Johns Hopkins University), Nadia Heninger (University of Pennsylvania), Ralf-Philipp Weinmann (Comsecuris), Eric Rescorla, Hovav Shacham (University of California, San Diego)


Paper Session 4C: Big Data Meets Security

Scalable Graph-based Bug Search for Firmware Images ........................................................... 480 Qian Feng, Rundong Zhou, Chengcheng Xu, Yao Cheng (Syracuse University), Brian Testa (Syracuse University & Air Force Research Lab), Heng Yin (Syracuse University & University of California, Riverside)

SmartWalk: Enhancing Social Network Security via Adaptive Random Walks ................... 492 Yushan Liu (Princeton University), Shouling Ji (Zhejiang University & Georgia Tech), Prateek Mittal (Princeton University)

High Fidelity Data Reduction for Big Data Security Dependency Analyses ......................... 504 Zhang Xu (NofutzNetworks Inc.), Zhenyu Wu, Zhichun Li, Kangkook Jee, Junghwan Rhee, Xusheng Xiao (NEC Laboratories America Inc.), Fengyuan Xu (Nanjing University), Haining Wang (University of Delaware), Guofei Jiang (NEC Laboratories America Inc.)

Paper Session 4D: Types and Memory Safety

TypeSan: Practical Type Confusion Detection ............................................................................... 517 Istvan Haller (Vrije Universiteit Amsterdam), Yuseok Jeon, Hui Peng, Mathias Payer (Purdue University), Cristiano Giuffrida, Herbert Bos, Erik van der Kouwe (Vrije Universiteit Amsterdam)

CREDAL: Towards Locating a Memory Corruption Vulnerability with Your Core Dump ............................................................................................................................. 529 Jun Xu (The Pennsylvania State University), Dongliang Mu (Nanjing University & The Pennsylvania State University), Ping Chen, Xinyu Xing, Pei Wang, Peng Liu (The Pennsylvania State University)

Twice the Bits, Twice the Trouble: Vulnerabilities Induced by Migrating to 64-Bit Platforms ................................................................................................................................... 541 Christian Wressnegger, Fabian Yamaguchi, Alwin Maier, Konrad Rieck (TU Braunschweig)

Paper Session 5A: Secure MPC II

Alternative Implementations of Secure Real Numbers ................................................................ 553 Vassil Dimitrov (University of Calgary), Liisi Kerik (Cybernetica), Toomas Krips (STACC), Jaak Randmets (Cybernetica), Jan Willemson (Cybernetica & STACC)

Garbling Gadgets for Boolean and Arithmetic Circuits ............................................................... 565 Marshall Ball, Tal Malkin (Columbia University), Mike Rosulek (Oregon State University)

Optimizing Semi-Honest Secure Multiparty Computation for the Internet ............................ 578 Aner Ben-Efraim (Ben-Gurion University), Yehuda Lindell (Bar-Ilan University), Eran Omri (Ariel University)

Paper Session 5B: Physically Based Authentication

MEMS Gyroscopes as Physical Unclonable Functions ............................................................... 591 Oliver Willers, Christopher Huth (Robert Bosch GmbH), Jorge Guajardo (Robert Bosch LLC), Helmut Seidel (Saarland University)

On the Security and Usability of Segment-based Visual Cryptographic Authentication Protocols ...................................................................................................................... 603 Tianhao Wang, Huangyi Ge, Omar Chowdhury, Hemanta K. Maji, Ninghui Li (Purdue University)

Instant and Robust Authentication and Key Agreement among Mobile Devices ................ 616 Wei Xi (Xi’an Jiaotong University), Chen Qian (University of California Santa Cruz), Jinsong Han, Kun Zhao (Xi’an Jiaotong University), Sheng Zhong (Nanjing University), Xiang-Yang Li (University of Science and Technology of China), Jizhong Zhao (Xi’an Jiaotong University)

Paper Session 5C: Web Security

Measurement and Analysis of Private Key Sharing in the HTTPS Ecosystem .................... 628 Frank Cangialosi (University of Maryland), Taejoong Chung, David Choffnes (Northeastern University), Dave Levin (University of Maryland), Bruce M. Maggs (Duke University & Akamai Technologies), Alan Mislove, Christo Wilson (Northeastern University)


Chainsaw: Chained Automated Workflow-based Exploit Generation ..................................... 641 Abeer Alhuzali, Birhanu Eshete, Rigel Gjomemo, V.N. Venkatakrishnan (University of Illinois at Chicago)

CSPAutoGen: Black-box Enforcement of Content Security Policy upon Real-world Websites .................................................................................................................... 653 Xiang Pan (Northwestern University), Yinzhi Cao (Lehigh University), Shuangping Liu, Yu Zhou (Northwestern University), Yan Chen (Zhejiang University & Northwestern University), Tingzhe Zhou (Lehigh University)

Paper Session 5D: Security Bug Finding

How I Learned to be Secure: A Census-Representative Survey of Security Advice Sources and Behavior ............................................................................................................................ 666 Elissa M. Redmiles (University of Maryland), Sean Kross (Johns Hopkins University), Michelle L. Mazurek (University of Maryland)

Practical Detection of Entropy Loss in Pseudo-Random Number Generators .................... 678 Felix Dörre, Vladimir Klebanov (Karlsruhe Institute of Technology)

Build It, Break It, Fix It: Contesting Secure Development ........................................................... 690 Andrew Ruef, Michael Hicks, James Parker, Dave Levin, Michelle L. Mazurek (University of Maryland), Piotr Mardziel (Carnegie Mellon University)

Paper Session 6A: Phone Security using Formal Methods

SandScout: Automatic Detection of Flaws in iOS Sandbox Profiles ....................................... 704 Luke Deshotels (North Carolina State University), Razvan Deaconescu, Mihai Chiroiu (University Politehnica of Bucharest), Lucas Davi (Technische Universität Darmstadt), William Enck (North Carolina State University), Ahmad-Reza Sadeghi (Technische Universität Darmstadt)

Computational Soundness for Dalvik Bytecode ............................................................................ 717 Michael Backes, Robert Künnemann (Saarland University & MPI-SWS), Esfandiar Mohammadi (ETH Zurich)

Paper Session 6B: Attestation

SANA: Secure and Scalable Aggregate Network Attestation .................................................... 731 Moreno Ambrosin, Mauro Conti (University of Padua), Ahmad Ibrahim (Technische Universität Darmstadt), Gregory Neven (IBM Research - Zurich), Ahmad-Reza Sadeghi (Technische Universität Darmstadt), Matthias Schunter (Intel Labs - Darmstadt)

C-FLAT: Control-Flow Attestation for Embedded Systems Software ..................................... 743 Tigist Abera (Technische Universität Darmstadt), N. Asokan (Aalto University), Lucas Davi (Technische Universität Darmstadt), Jan-Erik Ekberg (Trustonic), Thomas Nyman (Aalto University & Trustonic), Andrew Paverd (Aalto University), Ahmad-Reza Sadeghi (Technische Universität Darmstadt), Gene Tsudik (University of California, Irvine)

Paper Session 6C: Mine your Literature

Acing the IOC Game: Toward Automatic Discovery and Analysis of Open-Source Cyber Threat Intelligence ...................................................................................... 755 Xiaojing Liao (Georgia Institute of Technology), Kan Yuan, XiaoFeng Wang (Indiana University Bloomington), Zhou Li (ACM Member), Luyi Xing (Indiana University Bloomington), Raheem Beyah (Georgia Institute of Technology)

FeatureSmith: Automatically Engineering Features for Malware Detection by Mining the Security Literature ........................................................................................................ 767 Ziyun Zhu, Tudor Dumitras (University of Maryland, College Park)


Paper Session 6D: Security Studies

An In-Depth Study of More Than Ten Years of Java Exploitation ............................................ 779 Philipp Holzinger, Stefan Triller (Fraunhofer SIT), Alexandre Bartel (Technische Universität Darmstadt), Eric Bodden (Paderborn University & Fraunhofer IEM)

“The Web/Local” Boundary Is Fuzzy: A Security Study of Chrome’s Process-based Sandboxing ................................................................................................................. 791 Yaoqi Jia, Zheng Leong Chua, Hong Hu (National University of Singapore), Shuo Chen (Microsoft Research), Prateek Saxena, Zhenkai Liang (National University of Singapore)

Paper Session 7A: Secure MPC III

High-Throughput Semi-Honest Secure Three-Party Computation with an Honest Majority ......................................................................................................................... 805 Toshinori Araki, Jun Furukawa (NEC Corporation), Yehuda Lindell, Ariel Nof (Bar-Ilan University), Kazuma Ohara (NEC Corporation)

Efficient Batched Oblivious PRF with Applications to Private Set Intersection .................. 818 Vladimir Kolesnikov (Bell Labs), Ranjit Kumaresan (Massachusetts Institute of Technology), Mike Rosulek, Ni Trieu (Oregon State University)

MASCOT: Faster Malicious Arithmetic Secure Computation with Oblivious Transfer ...... 830 Marcel Keller, Emmanuela Orsini, Peter Scholl (University of Bristol)

Paper Session 7B: Side-Channel Attacks

Covert Channels through Random Number Generator: Mechanisms, Capacity Estimation and Mitigations ................................................................................................................... 843 Dmitry Evtyushkin, Dmitry Ponomarev (SUNY Binghamton)

Return-Oriented Flush-Reload Side Channels on ARM and Their Implications for Android Devices ................................................................................................................................ 858 Xiaokuan Zhang, Yuan Xiao, Yinqian Zhang (The Ohio State University)

A Software Approach to Defeating Side Channels in Last-Level Caches .............................. 871 Ziqiao Zhou, Michael K. Reiter (University of North Carolina), Yinqian Zhang (The Ohio State University)

Paper Session 7C: Acoustic Attacks

Leave Your Phone at the Door: Side Channels that Reveal Factory Floor Secrets ............. 883 Avesta Hojjati (University of Illinois at Urbana-Champaign), Anku Adhikari (University of Illinois at Urbana-Champaign & Advanced Digital Sciences Center), Katarina Struckmann, Edward Chou (University of Illinois at Urbana-Champaign), Thi Ngoc Tho Nguyen (Advanced Digital Sciences Center), Kushagra Madan (University of Illinois at Urbana-Champaign), Marianne S. Winslett (University of Illinois at Urbana-Champaign & Advanced Digital Sciences Center), Carl A. Gunter, William P. King (University of Illinois at Urbana-Champaign)

My Smartphone Knows What You Print: Exploring Smartphone-based Side-channel Attacks Against 3D Printers ................................................................................................................. 895 Chen Song, Feng Lin, Zhongjie Ba, Kui Ren, Chi Zhou, Wenyao Xu (University at Buffalo, SUNY)

The Sounds of the Phones: Dangers of Zero-Effort Second Factor Login based on Ambient Audio .................................................................................................................................... 908 Babins Shrestha, Maliheh Shirvanian, Prakash Shrestha, Nitesh Saxena (University of Alabama at Birmingham)

Paper Session 7D: Protection Across Executions

UniSan: Proactive Kernel Memory Initialization to Eliminate Data Leakages ....................... 920 Kangjie Lu, Chengyu Song, Taesoo Kim, Wenke Lee (Georgia Institute of Technology)

iLock: Immediate and Automatic Locking of Mobile Devices against Data Theft ............... 933 Tao Li, Yimin Chen, Jingchao Sun, Xiaocong Jin, Yanchao Zhang (Arizona State University)

Hypnoguard: Protecting Secrets across Sleep-wake Cycles .................................................... 945 Lianying Zhao, Mohammad Mannan (Concordia University)


Paper Session 8A: Lattices and Obfuscation

5Gen: A Framework for Prototyping Applications Using Multilinear Maps and Matrix Branching Programs ............................................................................................................................... 981 Kevin Lewi (Stanford University), Alex J. Malozemoff (Galois), Daniel Apon (University of Maryland), Brent Carmer (Oregon State University), Adam Foltzer, Daniel Wagner, David W. Archer (Galois), Dan Boneh (Stanford University), Jonathan Katz (University of Maryland), Mariana Raykova (Yale University)

Λολ: Functional Lattice Cryptography .............................................................................................. 993 Eric Crockett, Chris Peikert (University of Michigan)

Frodo: Take off the Ring! Practical, Quantum-Secure Key Exchange from LWE .............. 1006 Joppe Bos (NXP Semiconductors), Craig Costello (Microsoft Research), Leo Ducas (CWI), Ilya Mironov (Google, Inc.), Michael Naehrig (Microsoft Research), Valeria Nikolaenko (Stanford University), Ananth Raghunathan (Google, Inc.), Douglas Stebila (McMaster University)

Paper Session 8B: Attacks and Defenses

On Code Execution Tracking via Power Side-Channel .............................................................. 1019 Yannan Liu, Lingxiao Wei, Zhe Zhou, Kehuan Zhang (The Chinese University of Hong Kong), Wenyuan Xu (Zhejiang University), Qiang Xu (The Chinese University of Hong Kong)

Coverage-based Greybox Fuzzing as Markov Chain ................................................................. 1032 Marcel Böhme, Van-Thuan Pham, Abhik Roychoudhury (National University of Singapore)

Error Handling of In-vehicle Networks Makes Them Vulnerable ............................................ 1044 Kyong-Tak Cho, Kang G. Shin (The University of Michigan)

Paper Session 8C: Phone Security

Using Reflexive Eye Movements for Fast Challenge-Response Authentication ............... 1056 Ivo Sluganovic, Marc Roeschlin, Kasper B. Rasmussen, Ivan Martinovic (University of Oxford)

When CSI Meets Public WiFi: Inferring Your Mobile Phone Password via WiFi Signals ...................................................................................................................................... 1068 Mengyuan Li, Yan Meng, Junyi Liu, Haojin Zhu (Shanghai Jiao Tong University), Xiaohui Liang (University of Massachusetts at Boston), Yao Liu (University of South Florida), Na Ruan (Shanghai Jiao Tong University)

VoiceLive: A Phoneme Localization based Liveness Detection for Voice Authentication on Smartphones ....................................................................................................... 1080 Linghan Zhang, Sheng Tan, Jie Yang (Florida State University), Yingying Chen (Stevens Institute of Technology)

Paper Session 8D: Infrastructure Attacks

Limiting the Impact of Stealthy Attacks on Industrial Control Systems ............................... 1092 David I. Urbina, Jairo Giraldo, Alvaro A. Cardenas (University of Texas at Dallas), Nils Ole Tippenhauer (Singapore University of Technology and Design), Junia Valente, Mustafa Faisal, Justin Ruths (University of Texas at Dallas), Richard Candell (National Institute of Standards and Technology), Henrik Sandberg (KTH Royal Institute of Technology)

Over-The-Top Bypass: Study of a Recent Telephony Fraud ................................................... 1106 Merve Sahin (Eurecom & Monaco Digital Security Agency), Aurélien Francillon (Eurecom)

New Security Threats Caused by IMS-based SMS Service in 4G LTE Networks ............... 1118 Guan-Hua Tu (Michigan State University), Chi-Yu Li (National Chiao Tung University), Chunyi Peng (Ohio State University), Yuanjie Li, Songwu Lu (University of California, Los Angeles)

Paper Session 9A: Order-Revealing and Searchable Encryption

POPE: Partial Order Preserving Encoding .................................................................................... 1131 Daniel S. Roche (United States Naval Academy), Daniel Apon (University of Maryland), Seung Geol Choi (United States Naval Academy), Arkady Yerukhimovich (MIT Lincoln Laboratory)

Σοφος – Forward Secure Searchable Encryption ........................................................................ 1143 Raphael Bost (Université de Rennes 1)


What Else is Revealed by Order-Revealing Encryption? .......................................................... 1155 F. Betül Durak (Rutgers University), Thomas M. DuBuisson (Galois, Inc.), David Cash (Rutgers University)

Order-Revealing Encryption: New Constructions, Applications, and Lower Bounds ................................................................................................................................ 1167 Kevin Lewi, David J. Wu (Stanford University)

Paper Session 9B: Authentication

Practical Anonymous Password Authentication and TLS with Anonymous Client Authentication ........................................................................................................................................ 1179 Zhenfeng Zhang, Kang Yang, Xuexian Hu, Yuchen Wang (Chinese Academy of Sciences)

Efficient Cryptographic Password Hardening Services from Partially Oblivious Commitments .......................................................................................................................................... 1192 Jonas Schneider, Nils Fleischhacker (Saarland University), Dominique Schröder (Friedrich-Alexander-University), Michael Backes (Saarland University)

A Comprehensive Formal Security Analysis of OAuth 2.0 ....................................................... 1204 Daniel Fett, Ralf Küsters, Guido Schmitz (University of Trier)

Paper Session 9C: Passwords

An Empirical Study of Mnemonic Sentence-based Password Generation Strategies ........................................................................................................................... 1216 Weining Yang, Ninghui Li, Omar Chowdhury, Aiping Xiong, Robert W. Proctor (Purdue University)

On the Security of Cracking-Resistant Password Vaults .......................................................... 1230 Maximilian Golla, Benedict Beuscher, Markus Dürmuth (Ruhr-University Bochum)

Targeted Online Password Guessing: An Underestimated Threat ........................................ 1242 Ding Wang, Zijian Zhang, Ping Wang (Peking University), Jeff Yan (Lancaster University), Xinyi Huang (Fujian Normal University)

Paper Session 9D: Internet Security

PIPSEA: A Practical IPsec Gateway on Embedded APUs ........................................................ 1255 Jungho Park (Seoul National University & ManyCoreSoft Co., Ltd.), Wooken Jung (Seoul National University), Gangwon Jo (Seoul National University & ManyCoreSoft Co., Ltd.), Ilkoo Lee, Jaejin Lee (Seoul National University)

MiddlePolice: Toward Enforcing Destination-Defined Policies in the Middle of the Internet .......................................................................................................................................... 1268 Zhuotao Liu (University of Illinois at Urbana-Champaign), Hao Jin (Nanjing University), Yih-Chun Hu, Michael Bailey (University of Illinois at Urbana-Champaign)

Protecting Insecure Communications with Topology-aware Network Tunnels ................. 1280 Georgios Kontaxis, Angelos D. Keromytis (Columbia University)

Paper Session 10A: Specialized Crypto Tools

Function Secret Sharing: Improvements and Extensions ........................................................ 1292 Elette Boyle (IDC Herzliya), Niv Gilboa (Ben Gurion University), Yuval Ishai (Technion and University of California, Los Angeles)

Hash First, Argue Later: Adaptive Verifiable Computations on Outsourced Data ............ 1304 Dario Fiore (IMDEA Software Institute), Cédric Fournet (Microsoft Research), Esha Ghosh (Brown University), Markulf Kohlweiss, Olga Ohrimenko, Bryan Parno (Microsoft Research)

Practical Non-Malleable Codes from l-more Extractable Hash Functions ........................... 1317 Aggelos Kiayias (University of Edinburgh), Feng-Hao Liu (Florida Atlantic University), Yiannis Tselekounis (University of Edinburgh)


Paper Session 10B: Crypto Implementations – used to be 11B

A Surfeit of SSH Cipher Suites .......................................................................................................... 1480 Martin R. Albrecht, Jean Paul Degabriele, Torben Brandt Hansen, Kenneth G. Paterson (Royal Holloway, University of London)

Systematic Fuzzing and Testing of TLS Libraries ....................................................................... 1492 Juraj Somorovsky (Ruhr University Bochum)

Attacking OpenSSL Implementation of ECDSA with a Few Signatures ............................... 1505 Shuqin Fan (State Key Laboratory of Cryptology), Wenbo Wang (Luoyang University of Foreign Languages), Qingfeng Cheng (Xidian University)

Paper Session 10C: Measuring Security in the Wild

Content Security Problems? Evaluating the Effectiveness of Content Security Policy in the Wild............................................................................................. 1365 Stefano Calzavara, Alvise Rabitti, Michele Bugliesi (Università Ca’ Foscari)

CSP Is Dead, Long Live CSP! On the Insecurity of Whitelists and the Future of Content Security Policy ..................................................................................... 1376 Lukas Weichselbaum, Michele Spagnuolo, Sebastian Lekies, Artur Janc (Google, Inc.)

Online Tracking: A 1-million-site Measurement and Analysis ................................................. 1388 Steven Englehardt, Arvind Narayanan (Princeton University)

Paper Session 10D: Network Security I

PhishEye: Live Monitoring of Sandboxed Phishing Kits .......................................................... 1402 Xiao Han (Orange Labs & Eurecom), Nizar Kheir (Orange Labs), Davide Balzarotti (Eurecom)

All Your DNS Records Point to Us: Understanding the Security Threats of Dangling DNS Records ................................................................................................................... 1414 Daiping Liu (University of Delaware), Shuai Hao (College of William and Mary), Haining Wang (University of Delaware)

Identifying the Scan and Attack Infrastructures Behind Amplification DDoS Attacks .... 1426 Johannes Krupp (Saarland University), Michael Backes (Saarland University & MPI-SWS), Christian Rossow (Saarland University)

Paper Session 11A: Key Exchange

A Unilateral-to-Mutual Authentication Compiler for Key Exchange (with Applications to Client Authentication in TLS 1.3) ............................................................. 1438 Hugo Krawczyk (IBM Research)

Attribute-based Key Exchange with General Policies ................................................................ 1451 Vladimir Kolesnikov (Bell Labs), Hugo Krawczyk (IBM Research), Yehuda Lindell (Bar-Ilan University), Alex Malozemoff (Galois), Tal Rabin (IBM Research)

Identity-Concealed Authenticated Encryption and Key Exchange ........................................ 1464 Yunlei Zhao (Fudan University)

Paper Session 11B: Attacks using a Little Leakage – used to be 10B

Generic Attacks on Secure Outsourced Databases ................................................................... 1329 Georgios Kellaris (Boston University & Harvard University), George Kollios (Boston University), Kobbi Nissim (Ben-Gurion University & Harvard University), Adam O’Neill (Georgetown University)

The Shadow Nemesis: Inference Attacks on Efficiently Deployable, Efficiently Searchable Encryption .................................................................................................... 1341 David Pouliot, Charles V. Wright (Portland State University)

Breaking Web Applications Built On Top of Encrypted Data .................................................. 1353 Paul Grubbs (Cornell University), Richard McPherson (University of Texas at Austin), Muhammad Naveed (University of Southern California), Thomas Ristenpart, Vitaly Shmatikov (Cornell Tech)


Paper Session 11C: More Attacks

Host of Troubles: Multiple Host Ambiguities in HTTP Implementations .............................. 1516 Jianjun Chen (Tsinghua University & Tsinghua National Laboratory for Information Science and Technology), Jian Jiang (University of California, Berkeley), Haixin Duan (Tsinghua University & Tsinghua National Laboratory for Information Science and Technology), Nicholas Weaver (University of California, Berkeley & ICSI), Tao Wan (Huawei Canada), Vern Paxson (University of California, Berkeley & ICSI)

Accessorize to a Crime: Real and Stealthy Attacks on State-of-the-Art Face Recognition ................................................................................................................................... 1528 Mahmood Sharif, Sruti Bhagavatula, Lujo Bauer (Carnegie Mellon University), Michael K. Reiter (University of North Carolina)

Lurking Malice in the Cloud: Understanding and Detecting Cloud Repository as a Malicious Service .......................................................................................................................... 1541 Xiaojing Liao (Georgia Institute of Technology), Sumayah Alrwais, Kan Yuan, Luyi Xing, XiaoFeng Wang (Indiana University Bloomington), Shuang Hao (University of California Santa Barbara), Raheem Beyah (Georgia Institute of Technology)

Paper Session 11D: Network Security II

Safely Measuring Tor ............................................................................................................................ 1553 Rob Jansen, Aaron Johnson (US Naval Research Laboratory)

PREDATOR: Proactive Recognition and Elimination of Domain Abuse at Time-of-Registration ........................................................................................................................ 1568 Shuang Hao, Alex Kantchelian (University of California, Berkeley), Brad Miller (Google, Inc.), Vern Paxson (University of California, Berkeley & International Computer Science Institute), Nick Feamster (Princeton University)

Stemming Downlink Leakage from Training Sequences in Multi-User MIMO Networks ............................................................................................................ 1580 Yunlong Mao, Yuan Zhang, Sheng Zhong (Nanjing University)

Paper Session 12A: Secure Protocols

A Protocol for Privately Reporting Ad Impressions at Scale ................................................... 1591 Matthew Green (Johns Hopkins University), Watson Ladd (University of California, Berkeley), Ian Miers (Johns Hopkins University)

Secure Stable Matching at Scale ...................................................................................................... 1602 Jack Doerner, David Evans (University of Virginia), abhi shelat (Northeastern University)

BeleniosRF: A Non-interactive Receipt-Free Electronic Voting Scheme ............................. 1614 Pyrros Chaidos (University College London), Véronique Cortier (LORIA, CNRS & INRIA & Université de Lorraine), Georg Fuchsbauer (Inria, ENS, CNRS, PSL Research University), David Galindo (University of Birmingham)

Paper Session 12B: DSA/ECDSA

ECDSA Key Extraction from Mobile Devices via Nonintrusive Physical Side Channels ....................................................................................................................... 1626 Daniel Genkin (Technion and Tel Aviv University), Lev Pachmanov, Itamar Pipman, Eran Tromer (Tel Aviv University), Yuval Yarom (The University of Adelaide & Data61, CSIRO)

“Make Sure DSA Signing Exponentiations Really are Constant-Time” ................................ 1639 Cesar Pereida García (Aalto University), Billy Bob Brumley (Tampere University of Technology), Yuval Yarom (The University of Adelaide & Data61)

On the Provable Security of (EC)DSA Signatures ....................................................................... 1651 Manuel Fersch, Eike Kiltz, Bertram Poettering (Ruhr University Bochum)


Paper Session 12C: Even more Attacks

Android ION Hazard: The Curse of Customizable Memory Management System ............ 1663 Hang Zhang, Dongdong She, Zhiyun Qian (University of California, Riverside)

Drammer: Deterministic Rowhammer Attacks on Mobile Platforms ..................................... 1675 Victor van der Veen (Vrije Universiteit Amsterdam),

Yanick Fratantonio, Martina Lindorfer (University of California, Santa Barbara), Daniel Gruss, Clémentine Maurice (Graz University of Technology), Giovanni Vigna (University of California, Santa Barbara), Herbert Bos, Kaveh Razavi, Cristiano Giuffrida (Vrije Universiteit Amsterdam)

SFADiff: Automated Evasion Attacks and Fingerprinting Using Black-box Differential Automata Learning ..................................................................................... 1690 George Argyros (Columbia University), Ioannis Stais (University of Athens), Suman Jana, Angelos D. Keromytis (Columbia University), Aggelos Kiayias (University of Edinburgh)

Paper Session 12D: Anonymous Communication

Slitheen: Perfectly Imitated Decoy Routing through Traffic Replacement .......................... 1702 Cecylia Bocovich, Ian Goldberg (University of Waterloo)

Practical Censorship Evasion Leveraging Content Delivery Networks ................................ 1715 Hadi Zolfaghari, Amir Houmansadr (University of Massachusetts, Amherst)

GAME OF DECOYS: Optimal Decoy Routing Through Game Theory ................................... 1727 Milad Nasr, Amir Houmansadr (University of Massachusetts, Amherst)

Posters

POSTER: An Educational Network Protocol for Covert Channel Analysis Using Patterns ...................................................................................................................... 1739 Steffen Wendzel (Worms University of Applied Sciences), Wojciech Mazurczyk (Warsaw University of Technology)

POSTER: A Behavioural Authentication System for Mobile Users ........................................ 1742 Md Morshedul Islam, Reihaneh Safavi-Naini (University of Calgary)

POSTER: A Keyless Efficient Algorithm for Data Protection by Means of Fragmentation ................................................................................................................ 1745 Katarzyna Kapusta, Gerard Memmi, Hassan Noura (Telecom ParisTech Universite Paris-Saclay)

POSTER: Accuracy vs. Time Cost: Detecting Android Malware through Pareto Ensemble Pruning ................................................................................................................................. 1748 Lingling Fan (East China Normal University), Minhui Xue (East China Normal University & NYU Shanghai), Sen Chen, Lihua Xu (East China Normal University), Haojin Zhu (Shanghai Jiao Tong University)

POSTER: Attack on Non-Linear Physical Unclonable Function ............................................. 1751 Jing Ye, Yu Hu, Xiaowei Li (Chinese Academy of Sciences)

POSTER: ConcurORAM: High-Throughput Parallel Multi-Client ORAM .............................. 1754 Anrin Chakraborti, Radu Sion (Stony Brook University)

POSTER: DataLair - A Storage Block Device with Plausible Deniability .............................. 1757 Anrin Chakraborti, Chen Chen, Radu Sion (Stony Brook University)

POSTER: DroidShield: Protecting User Applications from Normal World Access ........... 1760 Darius Suciu, Radu Sion (Stony Brook University)

POSTER: Efficient Cross-User Chunk-Level Client-Side Data Deduplication with Symmetrically Encrypted Two-Party Interactions ....................................................................... 1763 Chia-Mu Yu (National Chung Hsing University)

POSTER: Fingerprinting Tor Hidden Services ............................................................................. 1766 Asya Mitseva, Andriy Panchenko (University of Luxembourg), Fabian Lanze (Huf Secure Mobile GmbH), Martin Henze, Klaus Wehrle (RWTH Aachen University), Thomas Engel (University of Luxembourg)

Practical Anonymous Password Authentication and TLS with Anonymous Client Authentication*

Zhenfeng Zhang (Trusted Computing and Information Assurance Laboratory, SKLCS, Institute of Software, Chinese Academy of Sciences)

Kang Yang† (Trusted Computing and Information Assurance Laboratory, Institute of Software, Chinese Academy of Sciences)

Xuexian Hu (Institute of Software, Chinese Academy of Sciences & State Key Lab of Mathematical Engineering and Advanced Computing)

Yuchen Wang (Trusted Computing and Information Assurance Laboratory, Institute of Software, Chinese Academy of Sciences)

ABSTRACT

Anonymous authentication allows one to authenticate herself without revealing her identity, and becomes an important technique for constructing privacy-preserving Internet connections. Anonymous password authentication is highly desirable as it enables a client to authenticate herself by a human-memorable password while preserving her privacy. In this paper, we introduce a novel approach for designing anonymous password-authenticated key exchange (APAKE) protocols using algebraic message authentication codes (MACs), where an algebraic MAC wrapped by a password is used by a client for anonymous authentication, and a server issues algebraic MACs to clients and acts as the verifier of login protocols. Our APAKE construction is secure provided that the algebraic MAC is strongly existentially unforgeable under random message and chosen verification queries attack (suf-rmva), weak pseudorandom and tag-randomization simulatable, and has simulation-sound extractable non-interactive zero-knowledge proofs (SE-NIZKs).

To design practical APAKE protocols, we instantiate an algebraic MAC based on the q-SDH assumption which satisfies all the required properties, and construct credential presentation algorithms for the MAC which have optimal efficiency for a randomize-then-prove paradigm. Based on the algebraic MAC, we instantiate a highly practical APAKE protocol and denote it by APAKE, which is much more efficient than the mechanisms specified by ISO/IEC 20009-4. An efficient revocation mechanism for APAKE is also proposed.

*The work is supported by National Basic Research Program of China (No. 2013CB338003) and National Natural Science Foundation of China (No. U1536205, 61572485, 61502527).
†Corresponding author

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

CCS'16, October 24-28, 2016, Vienna, Austria
© 2016 ACM. ISBN 978-1-4503-4139-4/16/10 . . . $15.00

DOI: http://dx.doi.org/10.1145/2976749.2978354

We integrate APAKE into TLS to present an anonymous client authentication mode where clients holding passwords can authenticate themselves to a server anonymously. Our implementation with 128-bit security shows that the average connection time of the APAKE-based ciphersuite is 2.8 ms. With APAKE integrated into the OpenSSL library and using an Apache web server on a 2-core desktop computer, we could serve 953 ECDHE-ECDSA-AES128-GCM-SHA256 HTTPS connections per second for a 10 KB payload. Compared to the ECDSA-signed elliptic curve Diffie-Hellman ciphersuite with mutual authentication, this means a 0.27 KB increase in handshake size and a 13% reduction in throughput.

1. INTRODUCTION

Privacy protection has become a major concern with the rapid growth of cloud computing, big data and the internet of things. For example, contact details of 1.5 million customers of Verizon Enterprise were put up for sale on a Dark Web forum recently [1]. Most people typically associate the loss of privacy with a feeling of invasion or loss of control [45]. The importance of user privacy in authentication systems has been emphasized by the European privacy standard [31] and by the US government in the National Strategy for Trusted Identities in Cyberspace [52]. NIST has developed three privacy engineering objectives - predictability, manageability, and disassociability [47], where disassociability captures one of the essential elements of privacy-enhancing systems, namely that the system actively protects or "blinds" an individual's identity or associated activities from unnecessary exposure.

Authentication of participants is usually required in computer systems-based applications to establish trust relations. An effective approach to protect users' privacy in authentication systems is anonymous authentication, which achieves secure authentication and anonymity simultaneously [45], i.e., no unauthorized user can fool a server into granting it access, and the server should not know which user it is interacting with. As stated in [21], privacy-conscious service providers (SPs) have a strong incentive to adopt anonymous authentication, and it is in their best interest to keep client information private on technical unavailability grounds.


Password-based authentication systems have been widely deployed in information systems to guarantee authorized access to desktop, mobile and web applications, as passwords have the advantages of being memorable and of avoiding a comprehensive public key infrastructure for distributing client certificates and dedicated hardware for storing secret keys. Password-based authentication with key exchange protocols has been extensively explored [7, 4, 14, 44, 49, 8] and widely standardized [39, 57, 40]. The TLS ciphersuite using the secure remote password protocol [57] is provided in OpenSSL.

In traditional password-based authentication systems, a user keeps a password confidential but gets no privacy protection for herself [2], since the identity information is usually transmitted explicitly so that the server can determine which password should be used. Therefore, anonymous authentication that can work with password-based technology is highly desirable [45].

Anonymous password authentication protocols have been proposed by Viet et al. [58] via integrating an oblivious transfer protocol within a two-party password-authenticated key exchange protocol, and later improved in [60, 54]. Such protocols allow a client holding a password to authenticate herself to the server, while preserving her privacy. However, these protocols have an inherent limitation in computation efficiency, i.e., a server performs O(N) computations per protocol execution, where N is the total number of users.

Another approach for anonymous password authentication was proposed in [61, 62], where a user obtains a (CL [17] or BBS [12]) signature from a server, wraps the signature with her password and stores it on some extra storage, such as a smartphone, a tablet (e.g., iPad), a USB flash memory, or even a public directory (e.g., cloud). The extra storage only needs to be integrity-protected, which is a weaker requirement than dedicated hardware. To log in to the server, the user recovers the signature from the password-wrapped credential using her password, and then proves possession of the signature. In these schemes, the server's cost is independent of the size of the user set. However, homomorphic encryption is needed in [61, 62] to resist off-line dictionary attacks. At the 80-bit security level, a user with a 2.53 GHz notebook spends 385 ms and a server with a 3.0 GHz desktop computer spends 430 ms per login protocol run.

Anonymous password authentication also attracts the interest of industry standard organizations. In the standard for anonymous entity authentication developed by ISO/IEC JTC 1, SC 27, IT Security techniques, the part covering mechanisms based on weak secrets is ISO/IEC 20009-4. Three mechanisms have been included in ISO/IEC 20009-4 [43].

The Transport Layer Security (TLS) protocol [28] supports three modes: mutual authentication, server authentication (with no client authentication), and total anonymity. The first mode needs client certificates to offer authentication, and thus provides no client anonymity. The last two modes do not provide any authentication of clients, and the mode of total anonymity is inherently vulnerable to man-in-the-middle attacks and strongly discouraged. A TLS mode of anonymous client authentication is therefore of great interest: clients can authenticate to a server without revealing their identities, while the server is assured that only authorized clients can authenticate successfully.

In CCS 2015, Cassola et al. [21] consider a practical scenario of anonymous authentication for Wi-Fi connectivity using open hotspots hosted on untrusted Access Points (APs). A dishonest ISP may track which APs a client connects to and when, revealing clients' mobility patterns and other sensitive information. A protocol was proposed in [21] that allows SPs to authenticate their clients, but hides clients' identities from APs and SPs at the time of authentication.

1.1 Our Contributions

In this paper, we propose a novel approach for designing anonymous password authentication protocols by using algebraic MACs, which are constructed using only group operations rather than block ciphers or hash functions [24]. Specifically, an algebraic MAC is issued by a server to a user, and then used as a credential for authentication. The algebraic MAC is protected by the user's password and stored on some extra storage with integrity protection. The underlying algebraic MAC is required to be weak pseudorandom in order to resist off-line dictionary attacks, and to admit efficient zero-knowledge proofs so that a user can prove possession of a credential. Thus, only registered users owning algebraic MACs can authenticate themselves to the server while preserving their privacy. This approach matches the symmetric-key nature of algebraic MACs to the setting of anonymous password authentication, in which the server both issues and verifies credentials; it eliminates the dependence on homomorphic encryption, and yields conceptually simple and provably secure constructions.

To construct practical APAKE protocols, we instantiate an algebraic MAC scheme based on the q-SDH assumption [11], and show that it is suf-rmva secure, weak pseudorandom and tag-randomization simulatable, and allows labeled SE-NIZKs. For credential presentation, the Show algorithm costs one exponentiation and one multi-exponentiation to generate a presentation proof and the ShowVerify algorithm costs one multi-exponentiation for verification, which are optimal for the randomize-then-prove paradigm.

Based on the instantiated algebraic MAC scheme, we obtain a highly practical APAKE protocol, which is denoted by APAKE. Compared with the mechanisms specified by ISO/IEC 20009-4 [43], APAKE provides significant performance advantages, and may invoke the interest of the standards community. An efficient revocation mechanism for APAKE is proposed, and the resulting protocol is denoted by APAKEr.

We integrate APAKE and APAKEr into the TLS protocol to provide a mode of anonymous client authentication. For an ECDSA-signed elliptic curve Diffie-Hellman ciphersuite, we denote the ciphersuite with anonymous client authentication by ECDHE3, and denote the ciphersuite with only server authentication (resp., mutual authentication) by ECDHE1 (resp., ECDHE2). Let ECDHE4 be ECDHE3 supporting revocation. Based on the OpenSSL library, we implemented the ECDHEi ciphersuites in C at a 128-bit security level for i = 1, ..., 4. HTTPS connections per second supported by the server are reported in Figure 1. When using the secp256r1 elliptic curve and an Apache web server on a 2-core desktop computer, the server can handle 953 ECDHE-ECDSA-AES128-GCM-SHA256 HTTPS connections with anonymous client authentication per second for a 10 KB payload, a factor of 1.13x fewer than ECDHE2. While the average connection time of the ECDHE3 ciphersuite is 2.8 ms, that of the ECDHE4 ciphersuite is 3.4 ms.

[Figure 1: HTTPS connections per second supported by the server at a 128-bit security level. x-axis: HTTP payload size (10B, 1KB, 10KB, 100KB); y-axis: connections per second (0 to 2500); series: ECDHE1, ECDHE2, ECDHE3, ECDHE4.]

1.2 Related Work

To enhance users' privacy, anonymous signature schemes, such as group signatures [27], blind signatures [25] and Direct Anonymous Attestation (DAA) [15], have been extensively investigated. DAA has been adopted by the Trusted Computing Group and standardized by ISO/IEC [41, 42].

Anonymous credentials were introduced by Chaum [26], and a series of schemes [19, 18, 16] have been proposed. Several privacy-enhancing attribute-based credential systems [51] have been developed, including IBM's Idemix system [38] and Microsoft's U-Prove system [48].

In CCS’14, Chase et al. [24] constructed keyed-verificationanonymous credentials based on two algebraic MACs, whereone is uf-cmva secure [29] in the generic group model [55],and the other is uf-cmva secure under the DDH assumption.

Cesena et al. [22] proposed a solution for anonymous authentication via integrating DAA into TLS, and obtained a ciphersuite which has a factor of about 25x fewer HTTPS connections per second than ECDHE2, even if the computations of the TPM are performed on a PC. Walker and Li [59] presented a key exchange protocol with anonymous authentication by combining DAA and the SIGMA family of key exchange protocols from IPsec and IKE.

In CCS'15, Fett et al. [32] proposed the first privacy-respecting Single Sign-On system (SPRESSO) for users to log in to web sites, and prove that it enjoys strong authentication and privacy properties. SPRESSO is a new system built from scratch and involves a forwarder (FWD) to forward messages from Identity Providers to Relying Parties.

2. BUILDING BLOCKS

In this section, we present the building blocks used in our APAKE construction. Firstly, we describe the notation and the assumptions used in this paper.

Notation. Throughout this paper, $\lambda$ denotes the security parameter, $x \xleftarrow{\$} S$ denotes that $x$ is sampled uniformly at random from a set $S$, and $[n]$ denotes the set $\{1, \ldots, n\}$. For an algorithm $A$, $(y_1, y_2, \ldots) \leftarrow A(x_1, x_2, \ldots)$ denotes the process of running $A$ on input $(x_1, x_2, \ldots)$ and getting $(y_1, y_2, \ldots)$ as output. A function $f : \mathbb{N} \to [0, 1]$ is negligible if for any positive $c$, we have $f(\lambda) < 1/\lambda^c$ for sufficiently large $\lambda$.

Let $G$ be a multiplicative group of prime order $p$ generated by $g$, $1$ be the identity element of $G$ and $G^*$ denote $G \setminus \{1\}$.

2.1 Assumptions

q-SDH Assumption [11]. Given $(g, g^x, \ldots, g^{x^q})$ for $x \xleftarrow{\$} \mathbb{Z}_p^*$, it is hard to output a pair $(c, g^{1/(x+c)})$ for $c \in \mathbb{Z}_p \setminus \{-x\}$.

q-DDHI Assumption [10]. Given $(g, g^x, \ldots, g^{x^q})$ for $x \xleftarrow{\$} \mathbb{Z}_p^*$, it is hard to distinguish $g^{1/x}$ from a random element.

DDH Assumption. Given $(g, g^x, g^y)$ for $x, y \xleftarrow{\$} \mathbb{Z}_p^*$, it is hard to distinguish $g^{xy}$ from a random element in $G^*$.

2.2 Non-Interactive Zero-Knowledge Proofs

Non-interactive zero-knowledge proofs (NIZKs) enable a prover to prove in zero-knowledge that a statement $x$ is in a given language $L$ defined by an NP-relation $R$, i.e., $L = \{x \mid \exists w \text{ s.t. } R(x, w) = 1\}$. A NIZK can also be extended to support (optional) labels, meaning that both the prover and the verifier are given a label $\ell$ as input.

A labeled NIZK should satisfy soundness and unbounded zero-knowledge, where the former requires that no adversary can prove any false statement, and the latter means that there exists a simulator which is able to simulate a proof for any statement $x$ and any label $\ell$ without knowing the witness $w$. If a labeled NIZK also provides simulation-sound extractability, then it is called a labeled simulation-sound extractable non-interactive zero-knowledge proof (SE-NIZK) [36]: there exists an online extractor [34] that works even if the adversary sees simulated proofs and information about previously extracted values. In this paper, we consider labeled SE-NIZKs in the random oracle model (ROM) [6], and refer to [9] for a formal definition.

We adopt the notation of [20] to abstract labeled NIZKs. Let $\Sigma \leftarrow \mathrm{SPK}\{(\text{witness}) : \text{statement}\}(\ell)$ denote a labeled SE-NIZK on a label $\ell$, and let $\pi \leftarrow \mathrm{NIZK}\{(\text{witness}) : \text{statement}\}$ be a NIZK. We write $\mathrm{VerifySPK}(\text{statement}, \Sigma, \ell)$ for the procedure that verifies a labeled SE-NIZK proof $\Sigma$, and $\mathrm{VerifyNIZK}(\text{statement}, \pi)$ for verifying a NIZK proof $\pi$.
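The labeled SPK notation above can be made concrete. What follows is an added example, not code from the paper: a Fiat-Shamir Schnorr proof SPK{(w) : Y = w·G}(ℓ) in the random oracle model, with the label ℓ hashed into the challenge so that a proof issued under one label (a TLS transcript, say) cannot be replayed under another. The group (secp256k1 with hand-written affine arithmetic), the hash domain-separation string and the transcript bytes are assumptions made for this example; it illustrates soundness and label binding only and does not implement the simulator or the online extractor that the SE-NIZK definition calls for.

```python
import hashlib
import secrets

# secp256k1 parameters; the curve is an assumption for illustration, any prime-order group works
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity


def ec_add(a, b):
    """Affine point addition on y^2 = x^3 + 7 over F_P."""
    if a is INF:
        return b
    if b is INF:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return INF                                   # a == -b
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P       # doubling (curve coefficient a = 0)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication; k is reduced modulo the group order."""
    acc = INF
    k %= N
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def encode(pt):
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")


def challenge(Y, R, label):
    """Fiat-Shamir challenge c = H(statement, commitment, label): the label is part of the hash input."""
    h = hashlib.sha256(b"SPK/secp256k1/v1" + encode(Y) + encode(R)
                       + len(label).to_bytes(4, "big") + label).digest()
    return int.from_bytes(h, "big") % N


def spk_prove(w, label):
    """SPK{(w) : Y = w*G}(label). The prover knows w and outputs (c, s)."""
    Y = ec_mul(w, G)
    r = secrets.randbelow(N - 1) + 1       # fresh nonce; reusing it across proofs leaks w
    R = ec_mul(r, G)
    c = challenge(Y, R, label)
    s = (r + c * w) % N
    return (c, s)


def spk_verify(Y, proof, label):
    """Recompute R' = s*G - c*Y and check that H(Y, R', label) equals c."""
    c, s = proof
    if Y is INF or not (0 <= c < N and 0 <= s < N):
        return False
    R2 = ec_add(ec_mul(s, G), ec_mul(N - c, Y))          # (N - c)*Y == -c*Y
    if R2 is INF:
        return False
    return challenge(Y, R2, label) == c


def demo():
    """A valid proof verifies under its label; the same proof fails under another label or statement."""
    w = secrets.randbelow(N - 1) + 1
    Y = ec_mul(w, G)
    transcript = b"ClientHello|ServerHello|...session 1"     # constructed stand-in for a TLS transcript
    proof = spk_prove(w, transcript)
    return {
        "valid": spk_verify(Y, proof, transcript),
        "replayed_under_other_label": spk_verify(Y, proof, b"ClientHello|ServerHello|...session 2"),
        "wrong_statement": spk_verify(ec_mul(w + 1, G), proof, transcript),
    }


if __name__ == "__main__":
    print(demo())
```

In an APAKE-in-TLS setting the label would be the handshake transcript, which is what stops a proof of credential possession captured in one session from being spliced into another. Verification rejects any (c, s) outside [0, N) so that a malformed proof cannot pass through the arithmetic unnoticed.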

2.3 Algebraic MAC

Following [24], an algebraic MAC scheme $\mathcal{MAC}$ is defined as a triple of algorithms $\mathcal{MAC} = (\mathsf{KeyGen}, \mathsf{MAC}, \mathsf{Verify})$ with associated message space $\mathcal{M}_c$ and tag space $\mathcal{T}$.

• $\mathsf{KeyGen}(1^\lambda)$: On input a security parameter $1^\lambda$, the key generation algorithm outputs a secret key $sk$ and a set of parameters $par_{mac}$ which is an implicit input to the following algorithms.

• $\mathsf{MAC}(sk, m)$: On input the secret key $sk$ and a message $m$, the MAC algorithm outputs an authentication tag $\sigma$.

• $\mathsf{Verify}(sk, m, \sigma)$: On input the secret key $sk$, a message $m$ and a tag $\sigma$, the deterministic verification algorithm outputs 1 if $\sigma$ is valid on $m$ under $sk$ and 0 otherwise.

We assume that the key generation algorithm $\mathsf{KeyGen}$ satisfies key-parameter consistency [24], meaning that there do not exist two keys $sk$ and $sk'$ such that $(par_{mac}, sk) \in \mathsf{KeyGen}(1^\lambda)$, $(par_{mac}, sk') \in \mathsf{KeyGen}(1^\lambda)$ and $sk \neq sk'$. Given the parameters $par_{mac}$ and a message-tag pair $(m, \sigma)$, we assume that there exists a proof system $\mathrm{NIZK}\{(sk) : \mathsf{Verify}(sk, m, \sigma) = 1 \wedge (par_{mac}, sk) \in \mathsf{KeyGen}(1^\lambda)\}$ proving that $\sigma$ is a valid tag on $m$ under the $sk$ associated with $par_{mac}$.

Unforgeability. Based on the security notions of algebraic MACs [29, 24], we define the following security notion for algebraic MACs: strong existential unforgeability under random-message and chosen-verification-queries attack (suf-rmva).

Definition 1. An algebraic MAC scheme $\mathcal{MAC}$ is said to be suf-rmva secure if for any probabilistic polynomial time (PPT) adversary $\mathcal{A}$, there exists a negligible function $\nu$ such that
$$\mathrm{Adv}^{\mathrm{suf\text{-}rmva}}_{\mathcal{MAC}}(\mathcal{A}) \stackrel{\mathrm{def}}{=} \Pr\left[\begin{array}{l} (par_{mac}, sk) \leftarrow \mathsf{KeyGen}(1^\lambda);\\ (m^*, \sigma^*) \leftarrow \mathcal{A}^{\mathsf{mac}(sk),\,\mathsf{verify}(sk,\cdot,\cdot)}(par_{mac}) \end{array} : (m^*, \sigma^*) \notin Q \wedge \mathsf{Verify}(sk, m^*, \sigma^*) = 1 \right] \le \nu(\lambda),$$
where for each query, $\mathsf{mac}$ returns $m \xleftarrow{\$} \mathcal{M}_c$ and $\sigma \leftarrow \mathsf{MAC}(sk, m)$ and adds $(m, \sigma)$ to the set $Q$, which is initially empty; for each query $(m, \sigma)$, $\mathsf{verify}$ returns $\mathsf{Verify}(sk, m, \sigma)$.

Weak pseudorandomness. Based on the definition of weak pseudorandom functions (wPRFs) [46], we define a notion of weak pseudorandomness of algebraic MACs. For simplicity, we assume that the size of $\mathcal{M}_c$ is super-polynomial.

Definition 2. An algebraic MAC scheme $\mathcal{MAC}$ is said to be weak pseudorandom if for any PPT adversary $\mathcal{A}$, there exists a negligible function $\nu$ such that
$$\mathrm{Adv}^{\mathrm{wpr}}_{\mathcal{MAC}}(\mathcal{A}) \stackrel{\mathrm{def}}{=} 2\Pr\left[b = b' \,\middle|\, \begin{array}{l} (par_{mac}, sk) \leftarrow \mathsf{KeyGen}(1^\lambda);\ b \xleftarrow{\$} \{0,1\};\ m \xleftarrow{\$} \mathcal{M}_c;\\ \sigma_0 \leftarrow \mathsf{MAC}(sk, m);\ \sigma_1 \xleftarrow{\$} \mathcal{T};\ b' \leftarrow \mathcal{A}^{\mathsf{mac}(sk)}(par_{mac}, m, \sigma_b) \end{array}\right] - 1 \le \nu(\lambda),$$
where for each query, the $\mathsf{mac}$ oracle returns a random $m \in \mathcal{M}_c$ and $\sigma \leftarrow \mathsf{MAC}(sk, m)$.

Credential Presentation. A tag $\sigma$ is used as a credential in this paper. The credential presentation, consisting of the algorithms $(\mathsf{Show}, \mathsf{ShowVerify})$, is a procedure for proving possession of a valid message-tag pair $(m, \sigma)$, and is generally constructed via the randomize-then-prove paradigm.

In the randomize stage, there are two algorithms Rerand and Derand such that $\mathsf{Rerand}(\sigma)$ returns a randomized credential $T$ and a randomness $a$, and $\mathsf{Derand}(T, a)$ returns $\sigma$. For algebraic MACs, both a prover and a verifier can compute the same value $V = f_p(par_{mac}, T, m, a) = f_v(T, sk)$ using $(m, a)$ and $sk$ respectively, where $f_p$ and $f_v$ are efficiently computable functions specified by the concrete mechanism.

In the prove stage, the prover proves knowledge of $(m, a)$ such that $f_p(par_{mac}, T, m, a) = V$ using a labeled SE-NIZK.

• $\mathsf{Show}(par_{mac}, m, \sigma, \ell)$: On input $par_{mac}$, a message-tag pair $(m, \sigma)$ and a label $\ell \in \{0,1\}^*$, the Show algorithm runs $(T, a) \leftarrow \mathsf{Rerand}(\sigma)$, then computes $V \leftarrow f_p(par_{mac}, T, m, a)$, and executes $\Sigma \leftarrow SPK\{(m, a) : f_p(par_{mac}, T, m, a) = V\}(\ell)$. Finally, it outputs a presentation proof $\sigma_C \leftarrow (T, V, \Sigma)$.

• $\mathsf{ShowVerify}(par_{mac}, \sigma_C, \ell, sk)$: On input $par_{mac}$, a presentation proof $\sigma_C = (T, V, \Sigma)$, a label $\ell$ and the secret key $sk$, algorithm ShowVerify computes $\bar{V} \leftarrow f_v(T, sk)$. If $T$ is correctly formed, $\mathsf{VerifySPK}((par_{mac}, T, V), \Sigma, \ell) = 1$ and $\bar{V} = V$, then ShowVerify returns 1, else it returns 0.

We say that the tag-randomization is simulatable if there exists an efficient algorithm TVSim that takes as input $par_{mac}$ and returns a pair $(T', V')$ such that $V' = f_v(T', sk)$ and $T'$ has the same distribution as the $T$ produced by $\mathsf{Rerand}(\sigma)$.

2.4 Password-based Encryption

Let $\mathcal{M}_e$ be a message space of super-polynomial size and $\mathcal{C}$ a ciphertext space. A password-based encryption scheme $\mathcal{PE}$ with a password $pw$ drawn uniformly at random from a dictionary $\mathcal{D}$ is defined as $\mathcal{PE} = (\mathsf{Enc}, \mathsf{Dec})$.

• $\mathsf{Enc}_{pw}(M)$: On input a password $pw \in \mathcal{D}$ and a message $M \in \mathcal{M}_e$, the encryption algorithm outputs a ciphertext $C \in \mathcal{C}$, which is also denoted by $[M]_{pw}$.

• $\mathsf{Dec}_{pw}(C)$: On input $pw$ and a ciphertext $C \in \mathcal{C}$, the decryption algorithm outputs a plaintext $M$ for $C$.

We define a security notion of password-based encryption called indistinguishability under equality test (IND-ET), where an equality test oracle models the adversary's ability to decide whether an online password guess is correct.

Definition 3. A password-based encryption scheme $\mathcal{PE}$ is said to be IND-ET secure if for any PPT adversary $\mathcal{A}$, there exists a negligible function $\nu$ such that
$$\mathrm{Adv}^{\mathrm{ind\text{-}et}}_{\mathcal{PE},\mathcal{D}}(\mathcal{A}) \stackrel{\mathrm{def}}{=} 2\Pr\left[b = b' \,\middle|\, \begin{array}{l} b \xleftarrow{\$} \{0,1\};\ pw \xleftarrow{\$} \mathcal{D};\ M \xleftarrow{\$} \mathcal{M}_e;\ C_0 \xleftarrow{\$} \mathcal{C};\\ C_1 \leftarrow \mathsf{Enc}_{pw}(M);\ b' \leftarrow \mathcal{A}^{\mathcal{O}_{et}(M,\cdot)}(C_b) \end{array}\right] - 1 \le q_{et}/|\mathcal{D}| + \nu(\lambda),$$
where $\mathcal{O}_{et}(M, \cdot)$ takes as input an $M' \in \mathcal{M}_e$ and outputs 1 if $M = M'$ and 0 otherwise, and $q_{et}$ is the number of oracle queries.

2.5 Digital Signature

A digital signature scheme $\mathcal{DS}$ is defined as a triple of algorithms $\mathcal{DS} = (\mathsf{Gen}, \mathsf{Sign}, \mathsf{Ver})$. The key generation algorithm $\mathsf{Gen}(1^\lambda)$ returns the public and secret keys $(pk, sk)$. The signing algorithm $\mathsf{Sign}(sk, M)$ returns a signature $\sigma$ on a message $M$. The verification algorithm $\mathsf{Ver}(pk, M, \sigma)$ returns 1 if $\sigma$ is valid on $M$ under $pk$ and 0 otherwise.

The security notion of digital signatures is existential unforgeability under adaptive chosen message attacks (EUF-CMA) [35], which states that for any PPT adversary $\mathcal{A}$, there exists a negligible function $\nu$ such that
$$\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathcal{DS}}(\mathcal{A}) \stackrel{\mathrm{def}}{=} \Pr\left[(pk, sk) \leftarrow \mathsf{Gen}(1^\lambda);\ (M^*, \sigma^*) \leftarrow \mathcal{A}^{\mathsf{Sign}(sk,\cdot)}(pk) : \mathsf{Ver}(pk, M^*, \sigma^*) = 1 \wedge M^* \notin Q\right] \le \nu(\lambda),$$
where for each query $M$, $\mathsf{Sign}$ returns a signature $\sigma$ on $M$ and adds $M$ to the set $Q$, which is initially empty.

3. SECURITY MODEL

We formalise a security model for APAKE protocols in the extra-storage setting, meaning that a client needs to memorize a password and store a password-wrapped credential on some extra storage. The definitions of authenticated key exchange (AKE) security and client authentication combine the security model for PAKE protocols by Bellare, Pointcheval and Rogaway [4] and the model for anonymous authentication by Lindell [45]. The security model for anonymity is based on the indistinguishability-based definition of anonymity for group signatures [3].

3.1 AKE Security and Client Authentication

Protocol participants. The participants of an APAKE protocol $P$ involve a set of clients $\mathcal{C} = \{C_1, \cdots, C_N\}$ and a set of servers $\mathcal{S}$. For simplicity, we assume that $\mathcal{C}$ is fixed and $\mathcal{S}$ contains only one server $S$, i.e., $\mathcal{S} = \{S\}$.

Long-lived keys. The server $S$ holds a long-term secret $SK$ for issuing credentials and authenticating himself, and publishes the system parameters $params$, which are publicly available to all parties. Each client $C_i \in \mathcal{C}$ holds a password $pw_i$ that is drawn independently and uniformly from a dictionary $\mathcal{D}$, and a password-protected credential $cred_{C_i}$ generated by wrapping a credential issued by $S$ with $pw_i$.

Protocol execution. Each participant $U \in \mathcal{C} \cup \mathcal{S}$ is modeled as a PPT Turing machine, and the $\delta$-th instance of $U$ is denoted by $U^\delta$. An adversary $\mathcal{A}$ is given a set of password-protected credentials $Cred = \{cred_i\}_{i \in \mathcal{C}}$ and $params$, and is assumed to have full control of the communication network. Adversary $\mathcal{A}$ is a PPT algorithm with a distinguished query tape. Queries written on this tape are answered according to the description of $P$. The allowed queries are as below:

• Send$(U, \delta, M)$: causes message $M$ to be sent to instance $U^\delta$ for $U \in \mathcal{C} \cup \mathcal{S}$. The instance $U^\delta$ computes what the protocol says to, and sends back the computation result to $\mathcal{A}$. If this query causes $U^\delta$ to accept or terminate, this will also be made visible to $\mathcal{A}$.

• Execute$(C_i, \rho, S, \delta)$: carries out an honest execution of $P$ between a client instance $C_i^\rho$ and a server instance $S^\delta$ and outputs the transcript of the execution. Although this query could be simulated with Send queries, separate Execute queries are essential for dealing with off-line dictionary attacks [4].

• Reveal$(U, \delta)$: returns the session key held by instance $U^\delta$.

• Test$(U, \delta)$: If instance $U^\delta$ for $U \in \mathcal{C} \cup \mathcal{S}$ has accepted and holds a session key $sk_U^\delta$, the following happens. A bit $b \in \{0, 1\}$ is picked uniformly at random. If $b = 1$, $sk_U^\delta$ is returned to $\mathcal{A}$. Otherwise, a string picked at random from the space of session keys is returned. Adversary $\mathcal{A}$ is allowed to ask the Test query only once.

Partnering. Since the anonymity property implies that the server can only know that a client is a legitimate entity from the group $\mathcal{C}$, the partner identifier of the server is the group $\mathcal{C}$. An instance $U^\delta$ that accepts holds a partner identifier $pid_U^\delta$, a session identifier $sid_U^\delta$ (which is the transcript of the whole protocol) and a session key $sk_U^\delta$. A client instance $C_i^\rho$ and a server instance $S^\delta$ are said to be partnered if both accept, they hold $(pid_{C_i}^\rho, sid_{C_i}^\rho, sk_{C_i}^\rho)$ and $(pid_S^\delta, sid_S^\delta, sk_S^\delta)$ respectively with $sid_{C_i}^\rho = sid_S^\delta$, $sk_{C_i}^\rho = sk_S^\delta$, $pid_{C_i}^\rho = S$, $pid_S^\delta = \mathcal{C}$ and $C_i \in \mathcal{C}$, and no other instance accepts with a session identifier equal to $sid_{C_i}^\rho$.

Freshness. An instance $U^\delta$ is said to be fresh unless either a Reveal$(U, \delta)$ query occurs or a Reveal$(V, \rho)$ query occurs, where $V^\rho$ is the partner of $U^\delta$ (if it exists).

AKE security. Let $\mathrm{Succ}^{AKE}_{P,\mathcal{D}}(\mathcal{A})$ be the event that $\mathcal{A}$ makes a single Test$(U, \delta)$ query such that the instance $U^\delta$ has terminated and is fresh, and eventually outputs a bit $b'$ such that $b = b'$, where $b$ is the bit chosen in the Test query. A protocol $P$ is said to be AKE secure if for any PPT adversary $\mathcal{A}$, there exists a negligible function $\nu$ such that
$$\mathrm{Adv}^{AKE}_{P,\mathcal{D}}(\mathcal{A}) \stackrel{\mathrm{def}}{=} 2\Pr[\mathrm{Succ}^{AKE}_{P,\mathcal{D}}(\mathcal{A})] - 1 \le q_{se}/|\mathcal{D}| + \nu(\lambda),$$
where $q_{se}$ is the number of Send$(S, \cdot, \cdot)$ queries.

Client authentication. Due to the anonymity requirement, an adversary against client authentication is declared successful if it impersonates any client in the group $\mathcal{C}$ to the server while the server fails to detect this.

To capture the security of client authentication, $\mathcal{A}$ is provided with the same information and abilities as in the AKE experiment, except that the Test query is ignored. Let $\mathrm{Succ}^{C2S}_{P,\mathcal{D}}(\mathcal{A})$ be the event that some server instance $S^\delta$ accepts but has no partner instance. We say that a protocol $P$ achieves clients-to-server authentication if for any PPT adversary $\mathcal{A}$, there exists a negligible function $\nu$ such that
$$\mathrm{Adv}^{C2S}_{P,\mathcal{D}}(\mathcal{A}) \stackrel{\mathrm{def}}{=} \Pr[\mathrm{Succ}^{C2S}_{P,\mathcal{D}}(\mathcal{A})] \le q_{se}/|\mathcal{D}| + \nu(\lambda),$$
where $q_{se}$ is the number of Send$(S, \cdot, \cdot)$ queries.

3.2 Anonymity

The anonymity property requires that the server cannot determine whether two key exchange transactions are made by the same client. To model anonymity against the server, an adversary is given the server's secret key as in [24] (see Footnote 1). A Reg oracle is also provided to model the registration protocol.

Protocol participants. The participants of a protocol $P$ consist of a set of clients $\mathcal{C} = \{C_1, \cdots, C_N\}$ and a server $S$.

Long-lived keys. An adversary $\mathcal{A}$ impersonating the server $S$ is given the system parameters $params$ and the secret key $SK$. Each client $C_i \in \mathcal{C}$ holds a password $pw_i$. Her password-protected credential $cred_{C_i}$ is initialised as $\bot$ and will be generated during the execution of the protocol.

Protocol execution. At the beginning of the protocol, a random bit $b$ is chosen. $\mathcal{A}$ is provided with the following queries:

• Reg$(U, M)$: If $U \in \mathcal{C}$ and $cred_U = \bot$, the following happens. Message $M$ is sent to client $U$, and the client computes what the registration protocol says to and sends back the computation result to $\mathcal{A}$. If $U$ accepts, a password-protected credential is generated by $U$, assigned to $cred_U$ and sent to $\mathcal{A}$.

• Send$(U, \delta, M)$: causes message $M$ to be sent to instance $U^\delta$ for $U \in \mathcal{C}$ and $cred_U \neq \bot$. $U^\delta$ computes what the protocol says to, and the computation result is sent to $\mathcal{A}$.

• CH$(i_0, i_1, \delta, M)$: If $i_0, i_1 \in \mathcal{C}$, $cred_{i_0} \neq \bot$, $cred_{i_1} \neq \bot$ and neither $i_0^\delta$ nor $i_1^\delta$ has been used, the following happens. The instance $i_b^\delta$, with password $pw_{i_b}$ and credential $cred_{i_b}$, computes what the protocol says to, and sends back the output of the computation to $\mathcal{A}$.

For any of the above queries, if the query causes the client or the instance to accept or terminate, this is also shown to $\mathcal{A}$. $\mathcal{A}$ is allowed to make an arbitrary number of queries to CH.

Anonymity. Let $\mathrm{Succ}^{anon}_P(\mathcal{A})$ be the event that $\mathcal{A}$ outputs a bit $b'$ such that $b = b'$, where the bit $b$ was picked at the beginning of the protocol. An APAKE protocol $P$ is said to be anonymous if for any PPT adversary $\mathcal{A}$, there exists a negligible function $\nu$ such that
$$\mathrm{Adv}^{anon}_P(\mathcal{A}) \stackrel{\mathrm{def}}{=} 2\Pr[\mathrm{Succ}^{anon}_P(\mathcal{A})] - 1 \le \nu(\lambda).$$

4. OUR APAKE PROTOCOL

In this section, we present a new APAKE protocol in the extra-storage setting. It employs an algebraic MAC scheme $\mathcal{MAC} = (\mathsf{KeyGen}, \mathsf{MAC}, \mathsf{Verify})$ with credential presentation algorithms $(\mathsf{Show}, \mathsf{ShowVerify})$, a password-based encryption scheme $\mathcal{PE} = (\mathsf{Enc}, \mathsf{Dec})$ and a digital signature scheme $\mathcal{DS} = (\mathsf{Gen}, \mathsf{Sign}, \mathsf{Ver})$, which are described in Section 2. We prove that our construction achieves AKE security, client authentication and anonymity in the random oracle model.

(Footnote 1: A model allowing $\mathcal{A}$ to generate the server's public key is applicable if the domain parameters are selected from a standard. It does not undermine anonymity if a proof of knowledge of $SK$ is published.)

4.1 Our Construction

Our construction consists of the following phases.

Setup. Given a security parameter $\lambda$, the server chooses a set of domain parameters $(G, p, g)$, where $G$ is a group of prime order $p$ generated by $g$. The server runs $(par_{mac}, sk) \leftarrow \mathsf{KeyGen}(1^\lambda)$ and $(pk, \widetilde{sk}) \leftarrow \mathsf{Gen}(1^\lambda)$. Let $H_1 : \{0,1\}^* \to \mathcal{M}_c$ and $H_2 : \{0,1\}^* \to \{0,1\}^\kappa$ be cryptographic hash functions, where $\kappa$ is the length of session keys. The server publishes $params \leftarrow (G, p, g, par_{mac}, pk)$ as the set of system parameters and sets $SK = (sk, \widetilde{sk})$ as his secret key.

Registration. Each client needs to register with the server in advance. The registration phase is executed over a secure channel, which can be established, e.g., using TLS with the server's public key $pk$. The registration protocol is shown in Figure 2, and the details are as follows.

1. A client sends her identity $ID$ to the server and authenticates herself to the server according to the server's policy.

2. If the server accepts the registration request from client $ID$, he does the following. The server computes a message $m \leftarrow H_1(ID)$ and generates an authentication tag $\sigma$ on message $m$ using $sk$. Then he generates an NIZK proof $\pi$ proving knowledge of $sk$ such that $\mathsf{Verify}(sk, m, \sigma) = 1$ and $(par_{mac}, sk) \in \mathsf{KeyGen}(1^\lambda)$ hold. Finally, the server sends the credential $\sigma$ and its proof $\pi$ to the client.

3. On receiving a pair $(\sigma, \pi)$, the client computes $m \leftarrow H_1(ID)$ and verifies that $\pi$ is valid on the statement $(par_{mac}, m, \sigma)$. If $\pi$ is valid, the client encrypts the credential $\sigma$ with her password $pw$ into a ciphertext $[\sigma]_{pw}$, and puts the password-protected credential $cred \leftarrow (ID, [\sigma]_{pw})$ on her preferred storage with integrity protection.

Login. To log in to the server, a client authenticates herself to the server and establishes a session key with the server. Suppose that the client has already obtained her password-protected credential $cred = (ID, [\sigma]_{pw})$. The login protocol is shown in Figure 3, and the details are as follows.

1. Upon a login request, the server picks $y \xleftarrow{\$} \mathbb{Z}_p^*$ and computes $Y \leftarrow g^y$. Then he generates a signature $\sigma_S$ on message $Y$ using $\widetilde{sk}$, and sends $(Y, \sigma_S)$ to the client.

2. On receiving a pair $(Y, \sigma_S)$, the client verifies whether $\sigma_S$ is valid on message $Y$ under $pk$. If she accepts $\sigma_S$, she computes $m \leftarrow H_1(ID)$ and decrypts the ciphertext $[\sigma]_{pw}$ with her password $pw$ to recover the credential $\sigma$. Then she chooses $x \xleftarrow{\$} \mathbb{Z}_p^*$ and calculates $X \leftarrow g^x$. Next, the client runs algorithm Show on input $par_{mac}$, $(m, \sigma)$ and the label $\ell = (X, Y, \sigma_S)$ to generate a presentation proof $\sigma_C = (T, V, \Sigma)$. Finally, the client sends $(X, \sigma_C)$ to the server.

3. Upon receiving a pair $(X, \sigma_C)$, the server executes the ShowVerify algorithm on input $par_{mac}$, the presentation proof $\sigma_C$, the label $\ell = (X, Y, \sigma_S)$ and $sk$ to check whether $\sigma_C$ is valid.

4. If neither party aborts, the client and the server compute the same session key $K$ as $H_2(Y, \sigma_S, X, \sigma_C, Y^x)$ and $H_2(Y, \sigma_S, X, \sigma_C, X^y)$ respectively.

4.2 Security Proofs

We prove the security of the proposed APAKE protocol (denoted by $P$) in Theorems 1, 2, and 3 respectively.

Theorem 1 (AKE security). If $\mathcal{MAC}$ is suf-rmva secure and weak pseudorandom, the tag-randomization is simulatable, SPK is a labeled SE-NIZK, $\mathcal{PE}$ is IND-ET secure, $\mathcal{DS}$ is EUF-CMA secure, the DDH assumption holds in $G$, and both $H_1$ and $H_2$ are random oracles, then our APAKE protocol guarantees AKE security. In particular, we have
$$\begin{aligned} \mathrm{Adv}^{AKE}_{P,\mathcal{D}}(\mathcal{A}) \le{}& q_{se}/|\mathcal{D}| + O\big(\mathrm{Adv}^{uzk}_{SPK}(\mathcal{B}_1) + \mathrm{Adv}^{ss\text{-}ext}_{SPK}(\mathcal{B}_2)\big) + \mathrm{Adv}^{suf\text{-}rmva}_{\mathcal{MAC}}(\mathcal{B}_3) + N^2/|\mathcal{M}_c| + q_s^2/p \\ &+ N\,\mathrm{Adv}^{wpr}_{\mathcal{MAC}}(\mathcal{B}_4) + O\big(N|\mathcal{D}|/|\mathcal{M}_e|\big) + \mathrm{Adv}^{euf\text{-}cma}_{\mathcal{DS}}(\mathcal{B}_6) + O\big(N q_c q_s\,\mathrm{Adv}^{DDH}_G(\mathcal{B}_7)\big), \end{aligned}$$
where $q_c$ is the maximum number of sessions per client, $q_s$ is the maximum number of server sessions, $\mathrm{Adv}^{uzk}_{SPK}$ (resp., $\mathrm{Adv}^{ss\text{-}ext}_{SPK}$) is the advantage for the unbounded zero-knowledge (resp., simulation-sound extractability) of SPK, and $\mathrm{Adv}^{DDH}_G$ is the advantage for the DDH assumption.

Proof. First, we construct an algorithm CredSim that can generate presentation proofs without knowledge of $sk$ or of any credential, using a zero-knowledge simulator Sim for SPK. We also construct an algorithm CredExt that can extract a message-tag pair from any presentation proof produced by $\mathcal{A}$, using an online extractor Ext for SPK.

CredSim$(par_{mac}, \ell)$: Given $par_{mac}$ and a label $\ell$, CredSim runs $(T', V') \leftarrow \mathsf{TVSim}(par_{mac})$ and $\Sigma' \leftarrow \mathsf{Sim}((par_{mac}, T', V'), \ell)$, and outputs a presentation proof $\sigma_C \leftarrow (T', V', \Sigma')$, where TVSim is defined in Section 2.3.

CredExt$(par_{mac}, \sigma_C, \ell)$: Given $par_{mac}$, $\sigma_C = (T, V, \Sigma)$ and a label $\ell$, CredExt runs $\mathsf{Ext}((par_{mac}, T, V), \Sigma, \ell)$. If $T$ is not correctly formed or Ext returns invalid (see Footnote 2), CredExt outputs invalid. Otherwise (Ext returns a witness $(m, a)$), CredExt computes $\sigma \leftarrow \mathsf{Derand}(T, a)$ and outputs $(m, \sigma)$.

Let $\mathcal{A}$ be an adversary who aims at breaking the AKE security of our APAKE protocol $P$. The proof proceeds via a sequence of games $G_0, G_1, \ldots, G_7$. We bound the decrease in $\mathcal{A}$'s advantage between two successive games, and use $\mathrm{Adv}_i(\mathcal{A})$ to denote the advantage of $\mathcal{A}$ in game $G_i$.

Game $G_0$. This is the real game. Recall that $\mathcal{A}$ is given access to $Cred = \{cred_i = (ID_i, [\sigma_i]_{pw_i})\}_{i=1}^N$, $params$, and all the oracles specified in the security model, where $\sigma_i$ is a credential on $m_i = H_1(ID_i)$. We have $\mathrm{Adv}^{AKE}_{P,\mathcal{D}}(\mathcal{A}) = \mathrm{Adv}_0(\mathcal{A})$.

Game $G_1$ (Simulate and Extract). This game is the same as $G_0$, except that CredSim is used to generate the presentation proofs of client instances, and each presentation proof $\sigma_C$ created by $\mathcal{A}$ is rejected if CredExt outputs invalid or $\mathsf{Verify}(sk, m, \sigma) = 0$ for $(m, \sigma) \leftarrow \mathsf{CredExt}(par_{mac}, \sigma_C, \ell)$, and accepted otherwise, where $\ell = (X, Y, \sigma_S)$.

Analysis. When CredExt$(par_{mac}, (T, V, \Sigma), \ell)$ outputs $(m, \sigma)$, $\mathsf{Verify}(sk, m, \sigma) = 1$ if and only if $V = f_v(T, sk)$. Moreover, the simulated $T'$ has the same distribution as the real $T$. Thus, $G_1$ has the same distribution as $G_0$, except that the proofs of SPK are simulated by Sim and that Ext may fail to extract. Let $\mathcal{B}_1$ (resp., $\mathcal{B}_2$) be an algorithm that breaks the unbounded zero-knowledge (resp., simulation-sound extractability) of SPK by interacting with $\mathcal{A}$. Then, we have
$$\mathrm{Adv}_0(\mathcal{A}) = \mathrm{Adv}_1(\mathcal{A}) + O\big(\mathrm{Adv}^{uzk}_{SPK}(\mathcal{B}_1) + \mathrm{Adv}^{ss\text{-}ext}_{SPK}(\mathcal{B}_2)\big).$$

(Footnote 2: If $\mathsf{VerifySPK}((par_{mac}, T, V), \Sigma, \ell) = 0$, Ext returns invalid.)

Figure 2: Registration Protocol of Our APAKE Protocol. The client holds $(params, pw)$, the server holds $(params, SK)$, and the channel is secure.

Client → Server: $ID$
Server: $m \leftarrow H_1(ID)$, $\sigma \leftarrow \mathsf{MAC}(sk, m)$, $\pi \leftarrow NIZK\{(sk) : \mathsf{Verify}(sk, m, \sigma) = 1 \wedge (par_{mac}, sk) \in \mathsf{KeyGen}(1^\lambda)\}$
Server → Client: $(\sigma, \pi)$
Client: $m \leftarrow H_1(ID)$; abort if $\mathsf{VerifyNIZK}((par_{mac}, m, \sigma), \pi) = 0$; $[\sigma]_{pw} \leftarrow \mathsf{Enc}_{pw}(\sigma)$; store $cred \leftarrow (ID, [\sigma]_{pw})$

Figure 3: Login Protocol of Our APAKE Protocol. The client holds $(params, pw, cred = (ID, [\sigma]_{pw}))$ and the server holds $(params, SK)$.

Server: $y \xleftarrow{\$} \mathbb{Z}_p^*$, $Y \leftarrow g^y$, $\sigma_S \leftarrow \mathsf{Sign}(\widetilde{sk}, Y)$
Server → Client: $(Y, \sigma_S)$
Client: abort if $\mathsf{Ver}(pk, Y, \sigma_S) = 0$; $m \leftarrow H_1(ID)$, $\sigma \leftarrow \mathsf{Dec}_{pw}([\sigma]_{pw})$; $x \xleftarrow{\$} \mathbb{Z}_p^*$, $X \leftarrow g^x$; $\sigma_C \leftarrow \mathsf{Show}(par_{mac}, m, \sigma, (X, Y, \sigma_S))$
Client → Server: $(X, \sigma_C)$
Server: abort if $\mathsf{ShowVerify}(par_{mac}, \sigma_C, (X, Y, \sigma_S), sk) = 0$
Client: $K \leftarrow H_2(Y, \sigma_S, X, \sigma_C, Y^x)$; Server: $K \leftarrow H_2(Y, \sigma_S, X, \sigma_C, X^y)$

Game $G_2$ (MAC Forgery). This game is the same as $G_1$, except that any presentation proof $\sigma_C$ produced by $\mathcal{A}$ is rejected if $\mathsf{CredExt}(par_{mac}, \sigma_C, \ell)$ outputs $(m, \sigma)$ with $(m, \sigma) \notin \{(m_i, \sigma_i)\}_{i=1}^N$.

Analysis. We bound the decrease in $\mathcal{A}$'s advantage from $G_1$ to $G_2$ using a reduction from the suf-rmva security of $\mathcal{MAC}$. Let $\mathcal{B}_3$ be an algorithm that has access to $par_{mac}$, an oracle $\mathsf{mac}$ and a verification oracle $\mathsf{verify}$. $\mathcal{B}_3$ executes just as in $G_1$ and interacts with $\mathcal{A}$, with the following exceptions:

• $\mathcal{B}_3$ generates the system parameters $params$ using $par_{mac}$. Then $\mathcal{B}_3$ makes $N$ queries to oracle $\mathsf{mac}$ and obtains $\{(m_i, \sigma_i)\}_{i=1}^N$ for $m_i \xleftarrow{\$} \mathcal{M}_c$. For each $i \in [N]$, $\mathcal{B}_3$ programs the random oracle $H_1$ such that $H_1(ID_i) = m_i$.

• For each $(m, \sigma) \leftarrow \mathsf{CredExt}(par_{mac}, \sigma_C, \ell)$, $\mathcal{B}_3$ accepts $\sigma_C$ if and only if the oracle $\mathsf{verify}(sk, m, \sigma)$ returns 1.

If $\mathcal{A}$ behaves differently between $G_1$ and $G_2$, there exists a pair $(m^*, \sigma^*) \leftarrow \mathsf{CredExt}(par_{mac}, \sigma_C^*, \ell^*)$ such that the oracle $\mathsf{verify}(sk, m^*, \sigma^*)$ returns 1 and $(m^*, \sigma^*) \notin \{(m_i, \sigma_i)\}_{i=1}^N$. Then $\mathcal{B}_3$ can output $(m^*, \sigma^*)$ as its forgery. Thus, we have
$$\mathrm{Adv}_1(\mathcal{A}) = \mathrm{Adv}_2(\mathcal{A}) + \mathrm{Adv}^{suf\text{-}rmva}_{\mathcal{MAC}}(\mathcal{B}_3).$$

Game $G_3$ (Exclude Collisions). This game is the same as $G_2$, except that: it aborts if the event $\mathsf{abort}_1$ that $m_i = m_j$ for some $i, j \in [N]$ with $i \neq j$ occurs; for each $(m, \sigma) \leftarrow \mathsf{CredExt}(par_{mac}, \sigma_C, \ell)$ such that $m = m_i$ for some $i \in [N]$, $\sigma_C$ is accepted iff $\sigma = \sigma_i$; and it aborts if the event $\mathsf{abort}_2$ that the messages from server instances encounter a collision occurs.

Analysis. Since $H_1$ is a random oracle, $\Pr[\mathsf{abort}_1] \le N^2/|\mathcal{M}_c|$. Clearly, $\Pr[\mathsf{abort}_2] \le q_s^2/p$. So we have
$$\mathrm{Adv}_2(\mathcal{A}) \le \mathrm{Adv}_3(\mathcal{A}) + N^2/|\mathcal{M}_c| + q_s^2/p.$$

Game $G_4$ (Randomize Credentials). This game is the same as $G_3$, except that $[\sigma_i]_{pw_i}$ is replaced with $[R_i]_{pw_i}$ for each $i \in [N]$, where $R_i \xleftarrow{\$} \mathcal{T}$, and for each $(m, \sigma) \leftarrow \mathsf{CredExt}(par_{mac}, \sigma_C, \ell)$ such that $m = m_i$ for some $i \in [N]$, $\sigma_C$ is accepted if and only if $\sigma = R_i$.

Analysis. We bound the decrease in $\mathcal{A}$'s advantage from $G_3$ to $G_4$ using a reduction from the weak pseudorandomness of $\mathcal{MAC}$, via a hybrid argument. For each $j \in [N] \cup \{0\}$, let game $G_{3,j}$ be the same as $G_3$, except that $cred_i \leftarrow (ID_i, [R_i]_{pw_i})$ for each $i \in [j]$, where $R_i \xleftarrow{\$} \mathcal{T}$, and $\{R_i\}_{i \in [j]}$ is used to verify the presentation proofs produced by $\mathcal{A}$. Clearly, $G_{3,0}$ and $G_{3,N}$ are the same as $G_3$ and $G_4$ respectively. If $\mathcal{A}$ behaves differently between $G_3$ and $G_4$ with probability $\varepsilon$, then $\mathcal{A}$ must behave differently between $G_{3,j-1}$ and $G_{3,j}$ for some $j \in [N]$ with probability at least $\varepsilon/N$. We can construct an algorithm $\mathcal{B}_4$ which breaks the weak pseudorandomness of $\mathcal{MAC}$ with probability at least $\varepsilon/N$ by interacting with $\mathcal{A}$. $\mathcal{B}_4$ is given $par_{mac}$, a challenge $(m^*, \sigma^*)$, and an oracle $\mathsf{mac}$. $\mathcal{B}_4$ makes $N - j$ $\mathsf{mac}$ queries and obtains $N - j$ message-tag pairs $\{(m_i, \sigma_i)\}_{i=j+1}^N$. Then, $\mathcal{B}_4$ programs the random oracle $H_1$ such that $H_1(ID_j) = m^*$ and $H_1(ID_i) = m_i$ for each $i \in \{j+1, \ldots, N\}$. $\mathcal{B}_4$ also picks $j - 1$ random values $\{R_i\}_{i=1}^{j-1}$ in $\mathcal{T}$. Next, $\mathcal{B}_4$ executes as in $G_3$, except that it sets $cred_i \leftarrow (ID_i, [R_i]_{pw_i})$ for each $i \in [j-1]$, $cred_j \leftarrow (ID_j, [\sigma^*]_{pw_j})$ and $cred_i \leftarrow (ID_i, [\sigma_i]_{pw_i})$ for each $i \in [N] \setminus [j]$, and uses $(\{R_i\}_{i=1}^{j-1}, \sigma^*, \{\sigma_i\}_{i=j+1}^N)$ to verify the presentation proofs produced by $\mathcal{A}$. If $\sigma^* = \mathsf{MAC}(sk, m^*)$, $\mathcal{B}_4$ behaves exactly as in $G_{3,j-1}$. Otherwise (i.e., $\sigma^*$ is uniformly random in $\mathcal{T}$), $\mathcal{B}_4$ behaves exactly as in $G_{3,j}$. Then $\mathrm{Adv}_{3,j-1}(\mathcal{A}) = \mathrm{Adv}_{3,j}(\mathcal{A}) + \mathrm{Adv}^{wpr}_{\mathcal{MAC}}(\mathcal{B}_4)$. Thus, we have
$$\mathrm{Adv}_3(\mathcal{A}) \le \mathrm{Adv}_4(\mathcal{A}) + N\,\mathrm{Adv}^{wpr}_{\mathcal{MAC}}(\mathcal{B}_4).$$

Game $G_5$ (Randomize Ciphertexts). This game is the same as $G_4$, except that $[R_i]_{pw_i}$ is replaced with a random ciphertext $C_i \in \mathcal{C}$ for each $i \in [N]$, and all client messages created by $\mathcal{A}$ are rejected.

Analysis. In game $G_4$, since $R_i$ is uniformly random in $\mathcal{M}_e = \mathcal{T}$ for each $i \in [N]$ and the presentation proofs of client instances are simulated by CredSim, the only way to guess passwords is to mount on-line dictionary attacks by making Send queries to the server. Thus, we can bound the decrease in $\mathcal{A}$'s advantage from $G_4$ to $G_5$ using a reduction from the IND-ET security of $\mathcal{PE}$. The reduction is completed via a hybrid argument. For each $j \in [N] \cup \{0\}$, let game $G_{4,j}$ be the same as $G_4$, except that $[R_i]_{pw_i}$ is replaced with a random ciphertext $C_i \in \mathcal{C}$ for each $i \in [j]$, and any client message $(X, \sigma_C)$ produced by $\mathcal{A}$ is rejected if $(m, \sigma) \leftarrow \mathsf{CredExt}(par_{mac}, \sigma_C, \ell)$ and $m \in \{m_i\}_{i=1}^j$, where $\ell = (X, Y, \sigma_S)$. Clearly, $G_{4,0}$ and $G_{4,N}$ are the same as $G_4$ and $G_5$ respectively. If $\mathcal{A}$ behaves differently between $G_{4,j-1}$ and $G_{4,j}$ for some $j \in [N]$ with probability $\varepsilon_j$, then we can construct an algorithm $\mathcal{B}_{5,j}$ that breaks the IND-ET security of $\mathcal{PE}$ by interacting with $\mathcal{A}$, with almost the same probability. Specifically, $\mathcal{B}_{5,j}$ is given a challenge ciphertext $C$ and an equality test oracle $\mathcal{O}_{et}(M, \cdot)$, where $M$ is a random message in $\mathcal{M}_e$. Then $\mathcal{B}_{5,j}$ picks $C_i \xleftarrow{\$} \mathcal{C}$ for each $i \in [j-1]$ and $R_i \xleftarrow{\$} \mathcal{M}_e$ for each $i \in [N] \setminus [j]$. $\mathcal{B}_{5,j}$ executes just as in game $G_4$, with the following exceptions:

• For each $i \in [N]$, $\mathcal{B}_{5,j}$ sets the ciphertext in $cred_i$ to $C_i$ if $i \in [j-1]$, to $C$ if $i = j$, and to $[R_i]_{pw_i}$ if $i \in [N] \setminus [j]$.

• For each $(m, \sigma) \leftarrow \mathsf{CredExt}(par_{mac}, \sigma_C, \ell)$ such that $m = m_i$ for some $i \in [N]$, where $\sigma_C$ is produced by $\mathcal{A}$, $\mathcal{B}_{5,j}$ rejects $\sigma_C$ if $i \in [j-1]$, or $i = j \wedge \mathcal{O}_{et}(M, \sigma) = 0$, or $i \in [N] \setminus [j] \wedge \sigma \neq R_i$, and accepts $\sigma_C$ otherwise.

If $C = \mathsf{Enc}_{pw}(M)$, where $pw$ acts as the password $pw_j$ of client $ID_j$, then $\mathcal{B}_{5,j}$ behaves exactly as in game $G_{4,j-1}$. Otherwise (i.e., $C$ is uniformly random in $\mathcal{C}$), $\mathcal{O}_{et}(M, \cdot)$ returns 0 for all queries with probability at least $1 - (|\mathcal{D}| + 1)/|\mathcal{M}_e|$, since $C$ is independent of $M$ and the probability that there exists a $pw' \in \mathcal{D}$ such that $\mathsf{Dec}_{pw'}(C) = M$ is at most $|\mathcal{D}|/|\mathcal{M}_e|$. Thus, $\mathcal{B}_{5,j}$ behaves exactly as in game $G_{4,j}$ with probability at least $1 - (|\mathcal{D}| + 1)/|\mathcal{M}_e|$. As a result, we have
$$\mathrm{Adv}_4(\mathcal{A}) - \mathrm{Adv}_5(\mathcal{A}) = \sum_{j=1}^{N}\big(\mathrm{Adv}_{4,j-1}(\mathcal{A}) - \mathrm{Adv}_{4,j}(\mathcal{A})\big) \le \sum_{j=1}^{N}\Big(\mathrm{Adv}^{ind\text{-}et}_{\mathcal{PE},\mathcal{D}}(\mathcal{B}_{5,j}) + \frac{|\mathcal{D}| + 1}{|\mathcal{M}_e|}\Big) \le \frac{q_{se}}{|\mathcal{D}|} + O\Big(\frac{N|\mathcal{D}|}{|\mathcal{M}_e|}\Big),$$
where the total number of queries to $\mathcal{O}_{et}$ is bounded by $q_{se}$.

Game $G_6$ (Signature Forgery). This game is the same as $G_5$, except for aborting if the event $\mathsf{abort}_3$ occurs, namely that for the first time some client instance accepts after receiving a signature $\sigma_S^*$ on $Y^*$ that was not output by a server instance.

Analysis. Game $G_6$ has the same distribution as $G_5$ if $\mathsf{abort}_3$ does not occur. Thus, the difference between $G_5$ and $G_6$ can be bounded by a reduction from the EUF-CMA security of $\mathcal{DS}$. Let $\mathcal{B}_6$ be an algorithm that breaks the EUF-CMA security of $\mathcal{DS}$ by interacting with $\mathcal{A}$. $\mathcal{B}_6$ is given a public key $pk^*$ and sets $pk^*$ as the server's public key. $\mathcal{B}_6$ simulates the protocol execution as in $G_5$, except that it generates the signatures for all server instances by querying the signing oracle. If $\mathsf{abort}_3$ occurs, $\mathcal{B}_6$ outputs $(Y^*, \sigma_S^*)$ as its forgery for $\mathcal{DS}$. Thus, we have
$$\mathrm{Adv}_5(\mathcal{A}) = \mathrm{Adv}_6(\mathcal{A}) + \mathrm{Adv}^{euf\text{-}cma}_{\mathcal{DS}}(\mathcal{B}_6).$$

Game $G_7$ (Randomize Session Key). This game is the same as $G_6$, except for replacing the session key of the test session $\bar{U}^{\bar\delta}$ and of its partner $V^\rho$ with an independently random string.

Analysis. In this game, all client messages created by $\mathcal{A}$ are rejected, and $\mathcal{A}$ cannot replay presentation proofs from client instances, since the message $(Y, \sigma_S)$ from a server instance acts as a nonce and collisions among nonces are excluded in game $G_3$. Thus, we can bound the decrease in $\mathcal{A}$'s advantage from $G_6$ to $G_7$ using a reduction from the DDH assumption as follows. We construct an algorithm $\mathcal{B}_7$ that breaks the DDH assumption by interacting with $\mathcal{A}$. $\mathcal{B}_7$ is given an instance $(g, g^u, g^v, W)$ of DDH and aims to distinguish $W = g^{uv}$ from a random element $W \in G^*$. $\mathcal{B}_7$ simulates the protocol execution as in $G_6$ with the following exceptions, distinguishing two cases. In case 1, the test session is a server session: $\mathcal{B}_7$ picks $i^* \xleftarrow{\$} [q_s]$ and aborts if $i^* \neq \bar\delta$. If $\mathcal{B}_7$ does not abort, it sets $Y = g^v$ and $X = g^u$ as the ephemeral Diffie-Hellman (DH) values for $\bar{U}^{\bar\delta}$ and its partner $V^\rho$ respectively. In case 2, the test session is a client session: $\mathcal{B}_7$ picks $(U, \delta, j^*) \xleftarrow{\$} [N] \times [q_c] \times [q_s]$, and aborts if $(U, \delta) \neq (\bar U, \bar\delta)$ or if the client instance $\bar{U}^{\bar\delta}$ receives a message that is not the output of the $j^*$-th session of the server. If $\mathcal{B}_7$ does not abort, it sets $X = g^u$ as the ephemeral DH value for $\bar{U}^{\bar\delta}$ and $Y = g^v$ as the one for the $j^*$-th server session. In both cases, $\mathcal{B}_7$ can respond to all Reveal queries (including those for the sessions with $Y = g^v$) by computing the session keys from the ephemeral DH exponents on the client side, since all accepted client messages are generated by $\mathcal{B}_7$. In both cases, $\mathcal{B}_7$ returns $H_2(Y, \sigma_S, X, \sigma_C, W)$ as the session key of the test session. If $\mathcal{B}_7$ does not abort, then it behaves exactly as in $G_6$ if $W = g^{uv}$, and exactly as in $G_7$ if $W$ is uniformly random in $G^*$, since $H_2$ is a random oracle. Thus,
$$\mathrm{Adv}_6(\mathcal{A}) = \mathrm{Adv}_7(\mathcal{A}) + O\big(N q_c q_s\,\mathrm{Adv}^{DDH}_G(\mathcal{B}_7)\big).$$

Overall, we obtain the bound claimed in the theorem.

Theorem 2 (Client authentication). Our APAKE protocol $P$ achieves clients-to-server authentication, provided that $\mathcal{MAC}$ is suf-rmva secure and weak pseudorandom, the tag-randomization is simulatable, SPK is a labeled SE-NIZK, $\mathcal{PE}$ is IND-ET secure, and $H_1$ is modeled as a random oracle. In particular, we have
$$\begin{aligned} \mathrm{Adv}^{C2S}_{P,\mathcal{D}}(\mathcal{A}) \le{}& q_{se}/|\mathcal{D}| + O\big(\mathrm{Adv}^{uzk}_{SPK}(\mathcal{B}_1) + \mathrm{Adv}^{ss\text{-}ext}_{SPK}(\mathcal{B}_2)\big) + \mathrm{Adv}^{suf\text{-}rmva}_{\mathcal{MAC}}(\mathcal{B}_3) \\ &+ N^2/|\mathcal{M}_c| + q_s^2/p + N\,\mathrm{Adv}^{wpr}_{\mathcal{MAC}}(\mathcal{B}_4) + O\big(N|\mathcal{D}|/|\mathcal{M}_e|\big). \end{aligned}$$

Proof. (Sketch) The proof proceeds via a series of games $G_0, G_1, \ldots, G_5$, where $G_0$ is the real game for client authentication, and $G_1, \ldots, G_5$ are essentially the same as in the proof of Theorem 1. In game $G_5$, all client messages produced by $\mathcal{A}$ are rejected, and $\mathcal{A}$ cannot replay presentation proofs from client instances, since the message $(Y, \sigma_S)$ from a server instance acts as a nonce and collisions among nonces are excluded in game $G_3$. Thus, $\mathcal{A}$ cannot authenticate itself to the server in game $G_5$.

Theorem 3 (Anonymity). If NIZK is sound, SPK is unbounded zero-knowledge, the tag-randomization is simulatable, and KeyGen satisfies key-parameter consistency, then our protocol $P$ is anonymous. In particular, we have
$$\mathrm{Adv}^{anon}_P(\mathcal{A}) = \mathrm{Adv}^{sound}_{NIZK}(\mathcal{B}_1) + \mathrm{Adv}^{uzk}_{SPK}(\mathcal{B}_2),$$
where $\mathrm{Adv}^{sound}_{NIZK}$ is the advantage for the soundness of NIZK.

Proof. Let $\mathcal{A}$ be an adversary that breaks the anonymity of $P$. The proof proceeds via a series of games $G_0, G_1, G_2, G_3$, where $G_0$ is the real game. By $\mathrm{Adv}_i(\mathcal{A})$ we denote $\mathcal{A}$'s advantage in $G_i$, and $\mathrm{Adv}^{anon}_P(\mathcal{A}) = \mathrm{Adv}_0(\mathcal{A})$.

Game $G_1$ (Soundness). This game is the same as $G_0$, except for aborting when, for the first time, some client accepts a proof $\pi$ on a statement $(par_{mac}, m, \sigma)$ such that $\mathsf{Verify}(sk, m, \sigma) = 0$.

Analysis. Since KeyGen satisfies key-parameter consistency, there exists a unique secret key $sk$ such that $(par_{mac}, sk) \in \mathsf{KeyGen}(1^\lambda)$. Thus, if $\mathsf{Verify}(sk, m, \sigma) = 0$, then $(par_{mac}, m, \sigma)$ is a false statement for NIZK. We can therefore construct an algorithm $\mathcal{B}_1$ that breaks the soundness of NIZK by interacting with $\mathcal{A}$: if $\mathcal{A}$ behaves differently between $G_0$ and $G_1$, then $\mathcal{B}_1$ finds a valid proof $\pi$ on a false statement $(par_{mac}, m, \sigma)$ with $\mathsf{Verify}(sk, m, \sigma) = 0$. Thus, we have $\mathrm{Adv}_0(\mathcal{A}) = \mathrm{Adv}_1(\mathcal{A}) + \mathrm{Adv}^{sound}_{NIZK}(\mathcal{B}_1)$.

Game $G_2$ (Simulate Proofs). This game is the same as $G_1$, except for using the zero-knowledge simulator Sim to generate the proof w.r.t. SPK for each challenge query.

Analysis. $G_2$ behaves exactly like $G_1$, except for the simulation of the SPK proofs. From the unbounded zero-knowledge property of SPK, we have $\mathrm{Adv}_1(\mathcal{A}) = \mathrm{Adv}_2(\mathcal{A}) + \mathrm{Adv}^{uzk}_{SPK}(\mathcal{B}_2)$, where $\mathcal{B}_2$ is an algorithm that breaks the unbounded zero-knowledge of SPK by interacting with $\mathcal{A}$.

Game $G_3$ (Simulate Tag-Randomization). This game is the same as $G_2$, except that for each challenge query $(T, V)$ is replaced with $(T', V') \leftarrow \mathsf{TVSim}(par_{mac})$.

Analysis. In $G_3$, any message-tag pair $(m, \sigma)$ accepted by any client $ID$ satisfies $\mathsf{Verify}(sk, m, \sigma) = 1$, where $m = H_1(ID)$. Thus, $(T', V')$ simulated by TVSim has the same distribution as the real $(T, V)$. Then, we have $\mathrm{Adv}_2(\mathcal{A}) = \mathrm{Adv}_3(\mathcal{A})$.

Overall, we obtain the bound claimed in the theorem.

5. INSTANTIATION OF APAKE

In this section, we instantiate the building blocks used in our APAKE construction. In particular, we give an example of a suf-rmva secure and weakly pseudorandom algebraic MAC with an efficient labeled SE-NIZK, which is a pairing-free variant of the weak Boneh-Boyen signature scheme [11]. We denote this algebraic MAC scheme by MAC_SDH. The password-based encryption scheme PE is instantiated with the example recommended by Bellare and Rogaway [5] for the AuthA mechanism of the IEEE P1363.2 standard [39], which satisfies IND-ET security in the ROM. We use ECDSA to instantiate the digital signature scheme DS. Our instantiation assumes that MAC_SDH, PE, DS and the key exchange all use the same domain parameters $par = (\mathbb{G}, p, g)$.

Applying these instantiations of the building blocks to the APAKE construction described in Section 4 yields a highly efficient APAKE protocol, which is denoted by APAKE.

5.1 An SDH-based Algebraic MAC

The construction of MAC_SDH is as follows.

KeyGen($1^\lambda$) takes as input a security parameter $1^\lambda$, chooses the group parameters $(\mathbb{G}, p, g)$ such that $p$ is a $2\lambda$-bit prime, picks $\gamma \leftarrow_{\$} \mathbb{Z}_p^*$, computes $w \leftarrow g^{\gamma}$, and outputs $sk = \gamma$ and $par_{mac} = (\mathbb{G}, p, g, w)$. We assume that $(\mathbb{G}, p, g)$ is an implicit input to all of the following algorithms.

MAC($sk, m$) takes as input $sk = \gamma$ and a message $m \in \mathbb{Z}_p \setminus \{-\gamma\}$, computes $A \leftarrow g^{1/(\gamma+m)}$, and outputs $\sigma \leftarrow A$.

Verify($sk, m, \sigma$) takes as input $sk = \gamma$, a message $m$ and a tag $\sigma = A$, and outputs 1 if $A^{\gamma+m} = g$ and 0 otherwise.

Using the techniques in [11], we can prove that MAC_SDH is suf-rmva secure under the $q$-SDH assumption. Using the techniques in [11, 30], we can also prove that MAC_SDH is weakly pseudorandom under the $q$-DDHI assumption. The detailed proofs are given in Appendix A.

It is easy to see that KeyGen satisfies key-parameter consistency, as $(g, w)$ uniquely determines the secret key $\gamma$.

MAC_SDH admits an efficient proof system $\mathrm{NIZK}\{(\gamma) : A^{\gamma} = A^{-m} g \wedge g^{\gamma} = w\}$, obtained by applying the Fiat-Shamir heuristic [33] to the corresponding Sigma protocol, as follows.

• On input a statement $(g, w, m, A)$ and a witness $\gamma$, the prover picks $r \leftarrow_{\$} \mathbb{Z}_p$, computes $R_1 \leftarrow A^{r}$, $R_2 \leftarrow g^{r}$, $c \leftarrow H_3(g, w, m, A, R_1, R_2)$ and $s \leftarrow r + c\gamma \bmod p$. Finally, it outputs the proof $\pi = (c, s)$.

• The verification algorithm Verify_NIZK takes as input a statement $(g, w, m, A)$ and a proof $\pi = (c, s)$, and computes $c' \leftarrow H_3(g, w, m, A, A^{s+cm} g^{-c}, g^{s} w^{-c})$. It outputs 1 if $c = c'$ and 0 otherwise.

Using the techniques in [50], one can prove that this NIZK is sound and unbounded zero-knowledge in the ROM.

Credential Presentation. The credential presentation algorithms Show and ShowVerify for MAC_SDH are constructed from $\mathrm{SPK}\{(m, a) : T^{-m} g^{a} = V\}(\ell)$ with $T = A^{a}$, where the SPK is instantiated by the Fiat-Shamir transformed Sigma protocol.

• Show($m, \sigma, \ell$): On input a message $m$, a credential $\sigma = A$ and a label $\ell$, Show picks $a \leftarrow_{\$} \mathbb{Z}_p^*$ and computes $T \leftarrow A^{a}$. Then it picks $r_m, r_a \leftarrow_{\$} \mathbb{Z}_p$, computes $R \leftarrow T^{-r_m} g^{r_a}$, $c \leftarrow H_4(g, T, R, \ell)$, $s_m \leftarrow r_m + cm \bmod p$ and $s_a \leftarrow r_a + ca \bmod p$, and sets $\Sigma = (c, s_m, s_a)$. Finally, Show outputs the presentation proof $\sigma_C = (T, \Sigma)$.

• ShowVerify($\sigma_C, \ell, sk$): On input a presentation proof $\sigma_C = (T, (c, s_m, s_a))$, a label $\ell$ and $sk = \gamma$, ShowVerify computes $V \leftarrow T^{\gamma}$, $R' \leftarrow T^{-s_m} g^{s_a} V^{-c}$ and $c' \leftarrow H_4(g, T, R', \ell)$. ShowVerify returns 1 if $T \neq 1$ and $c = c'$, and 0 otherwise.

It is easy to see that Rerand, Derand, $f_p$ and $f_v$ are specified as follows: Rerand($A$) picks $a \leftarrow_{\$} \mathbb{Z}_p^*$, computes $T \leftarrow A^{a}$, and outputs $(T, a)$; Derand($T, a$) outputs $A \leftarrow T^{1/a}$; $f_p(par_{mac}, T, m, a) = T^{-m} g^{a}$ and $f_v(T, sk) = T^{\gamma}$.

The simulator TVSim is constructed as follows: given $par_{mac} = (\mathbb{G}, p, g, w)$, TVSim chooses $t \leftarrow_{\$} \mathbb{Z}_p^*$, computes $T' \leftarrow g^{t}$ and $V' \leftarrow w^{t}$, and outputs $(T', V')$. Note that $V' = w^{t} = (T')^{\gamma}$ and that $T'$ has the same distribution as the $T$ generated by Rerand($A$).

To obtain better efficiency, we do not include $V$ in $\sigma_C$, following [24]. The reason is that an online extractor Ext for the SPK that does not know $V$ can be obtained in the combined random oracle and generic group model, along the lines of [53, 56, 24]. The zero-knowledge simulator Sim for the SPK is constructed as follows: given a statement $(g, T, V)$ and a label $\ell$, Sim picks $c, s_m, s_a \leftarrow_{\$} \mathbb{Z}_p$, programs the random oracle $H_4$ such that $H_4(g, T, R, \ell) = c$ with $R = T^{-s_m} g^{s_a} V^{-c}$, and outputs $\Sigma \leftarrow (c, s_m, s_a)$. Overall, the SPK is a labeled SE-NIZK.

Efficiency of Credential Presentation. For anonymous credentials, a presentation proof is usually generated using the randomize-then-prove paradigm, where a credential is first randomized and the randomized credential is then presented with a zero-knowledge proof. In general, the first step costs at least one exponentiation and the second step costs at least one multi-exponentiation, and verifying a presentation proof costs at least one multi-exponentiation. Note that $R'$ can be computed as $T^{-(s_m + c\gamma)} g^{s_a}$ in an execution of ShowVerify, i.e., as a single multi-exponentiation. Therefore, the efficiency of MAC_SDH-based credential presentation is optimal.

Table 1: Comparison of APAKE Protocols

  Protocol | Computation overhead (client)            | Computation overhead (server)            | Comm.
  ---------+------------------------------------------+------------------------------------------+------
  [60]     | 4 E_G                                    | (N+3) E_G                                | N+4
  [54]     | 5 E_G + 1 Dec                            | (N+5) E_G + N Enc                        | 2N+8
  [62]     | 8 E_{G1} + 1 E^2_{G1} + 1 E^5_{G1} + 2 P | 3 E_{G1} + 3 E^2_{G1} + 1 E^5_{G1} + 2 P | 18
  APAKE    | 3 E_G + 2 E^2_G                          | 3 E_G + 1 E^2_G                          | 8

Legend: N is the total number of users, E_G denotes one exponentiation in G, E^n_G denotes a multi-exponentiation of n values in G, P represents a bilinear pairing operation, Enc (resp., Dec) denotes a symmetric-key encryption (resp., decryption) operation, and Comm. denotes the communication overhead in group elements.

5.2 An Example Password-Based Encryption

Let $H : \mathcal{D} \to \mathbb{G}^*$ be a cryptographic hash function modeled as a random oracle. An example of a password-based encryption scheme PE is as follows.

Enc_pw($M$) takes as input $pw$ and a message $M \in \mathbb{G}^*$, computes $C \leftarrow M \cdot H(pw)$, and outputs $C$.

Dec_pw($C$) takes as input $pw$ and a ciphertext $C \in \mathbb{G}$, computes $M \leftarrow C / H(pw)$, and outputs $M$.

One can easily prove that this PE is IND-ET secure, since the outputs of $H$ are uniformly random in $\mathbb{G}^*$.
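The algebra of Sections 5.1 and 5.2, end to end, as an added example that is not part of the paper or its implementation: MAC_SDH issuance with its NIZK, the password wrap $[A]_{pw} = A \cdot H(pw)$, and Show/ShowVerify with the single-multi-exponentiation verifier. The group is the order-1019 subgroup of $\mathbb{Z}_{2039}^*$ (an assumption made so the code runs as a toy; the paper requires a $2\lambda$-bit prime order such as that of secp256r1), all hash functions are SHA-256 with a domain tag, and the user ID, password and label values are constructed:

```python
"""MAC_SDH issuance, password wrapping and anonymous presentation (Sections 5.1 and 5.2).
Added example, not the paper's code; toy parameters, see the comment below."""
import hashlib
import secrets

# Toy group for illustration only: the order-P subgroup of Z_Q^* with Q = 2P+1 a safe prime,
# generated by the quadratic residue 4.  The paper needs a 2*lambda-bit prime P (e.g. the
# order of secp256r1); substitute a standard safe-prime group before using this for anything.
Q, P, G = 2039, 1019, 4


def gexp(base, e):
    """base^e in the group; exponents are reduced mod the group order P."""
    return pow(base, e % P, Q)

def hash_to_zp(*parts):
    """H_1, H_3 and H_4 of the paper, all instantiated as SHA-256 into Z_P with a domain tag."""
    h = hashlib.sha256()
    for part in parts:
        h.update(repr(part).encode() + b"|")
    return int.from_bytes(h.digest(), "big") % P

def hash_to_group(pw):
    """H : D -> G^* for the password-based encryption (exponent in [1, P-1], so never 1)."""
    e = int.from_bytes(hashlib.sha256(b"pw|" + pw.encode()).digest(), "big") % (P - 1) + 1
    return gexp(G, e)

# ---- MAC_SDH: KeyGen / MAC / Verify ------------------------------------------------------
def keygen():
    gamma = secrets.randbelow(P - 1) + 1                 # gamma <- Z_P^*
    return gamma, {"g": G, "w": gexp(G, gamma)}          # (sk, par_mac)

def mac(gamma, m):
    if (gamma + m) % P == 0:
        raise ValueError("m = -gamma is excluded from the message space")
    return gexp(G, pow((gamma + m) % P, -1, P))         # A = g^{1/(gamma+m)}

def verify(gamma, m, A):
    return gexp(A, gamma + m) == G                       # A^{gamma+m} == g

# ---- issuance proof NIZK{(gamma): A^gamma = A^{-m} g  and  g^gamma = w} -------------------
def nizk_prove(gamma, par, m, A):
    r = secrets.randbelow(P)
    R1, R2 = gexp(A, r), gexp(G, r)
    c = hash_to_zp("H3", G, par["w"], m, A, R1, R2)
    return c, (r + c * gamma) % P

def nizk_verify(par, m, A, proof):
    c, s = proof
    R1 = gexp(A, s + c * m) * gexp(G, -c) % Q            # A^{s+cm} g^{-c}
    R2 = gexp(G, s) * gexp(par["w"], -c) % Q             # g^s w^{-c}
    return c == hash_to_zp("H3", G, par["w"], m, A, R1, R2)

# ---- presentation SPK{(m, a): T^{-m} g^a = V}(label), T = A^a, V = T^gamma ----------------
def show(m, A, label):
    a = secrets.randbelow(P - 1) + 1                     # Rerand: T = A^a with a <- Z_P^*
    T = gexp(A, a)
    rm, ra = secrets.randbelow(P), secrets.randbelow(P)
    R = gexp(T, -rm) * gexp(G, ra) % Q
    c = hash_to_zp("H4", G, T, R, label)
    return T, (c, (rm + c * m) % P, (ra + c * a) % P)    # sigma_C = (T, Sigma)

def show_verify(gamma, sigma_c, label):
    T, (c, sm, sa) = sigma_c
    if T == 1:
        return False
    # V = T^gamma never leaves the server, and folding V^{-c} into the exponent of T gives
    # R' = T^{-(sm + c*gamma)} g^{sa}: one multi-exponentiation, as the paper points out.
    R = gexp(T, -(sm + c * gamma)) * gexp(G, sa) % Q
    return c == hash_to_zp("H4", G, T, R, label)

# ---- password-based encryption of the credential: [A]_pw = A * H(pw) ----------------------
def enc_pw(pw, M):
    return M * hash_to_group(pw) % Q

def dec_pw(pw, C):
    return C * pow(hash_to_group(pw), -1, Q) % Q

def run_flow(user_id="alice", pw="correct horse battery", label=b"handshake-transcript"):
    """Registration, password wrapping, then one anonymous login; returns the checks."""
    m = hash_to_zp("H1", user_id)                        # m = H_1(ID)
    gamma, par = keygen()
    while (gamma + m) % P == 0:                          # 1/P event, only visible in a toy group
        gamma, par = keygen()
    A = mac(gamma, m)
    issue_ok = verify(gamma, m, A) and nizk_verify(par, m, A, nizk_prove(gamma, par, m, A))
    wrapped = enc_pw(pw, A)                              # the client stores (ID, [A]_pw)
    sigma_c = show(m, dec_pw(pw, wrapped), label)       # login: unwrap with pw, then present
    return {
        "issue_ok": issue_ok,
        "login_ok": show_verify(gamma, sigma_c, label),
        # a wrong password still unwraps to a group element, so [A]_pw gives no offline oracle
        "wrong_pw_unwraps_to_group_element": pow(dec_pw("wrong guess", wrapped), P, Q) == 1,
    }
```

Two things the code makes visible that the prose only states: the verifier never needs $V = T^{\gamma}$ on the wire (it folds $V^{-c}$ into the exponent of $T$), and dec_pw with a wrong password still returns a valid group element, so someone who steals $[A]_{pw}$ has nothing to test guesses against offline. In this toy group the Fiat-Shamir challenge is only about 10 bits, so a proof replayed under a different label is rejected except with probability $1/p$; that is exactly why $p$ must be $2\lambda$ bits.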

5.3 Comparison of APAKE Protocols

We compare our protocol APAKE with the mechanisms specified by ISO/IEC 20009-4 in Table 1. For computation overhead we list only the most time-consuming operations, and for communication overhead we count the number of group elements sent in the login protocol, where the output of a hash function or a MAC algorithm is counted as one group element.

Table 1 shows that APAKE is much more efficient than the mechanisms [60, 54] in the password-only setting in terms of server-side computation cost and communication overhead, and that APAKE is also much more efficient than the mechanism [62] in the extra-storage setting.

6. SUPPORT OF REVOCATION

We present an accumulator-based revocation mechanism for APAKE, which enables non-membership proofs to be verified by a server holding a secret key $\gamma$.

The server picks a random $\gamma \in \mathbb{Z}_p^*$, computes $w \leftarrow g^{\gamma}$, and adds $w$ to $params$ and $\gamma$ to $sk$. The server maintains a revocation list $RL = \{(m_i, V_i)\}_{i=1}^{r}$, where $m_i = H_1(ID_i)$ for a revoked user $ID_i$ and

$$V_i = g^{1 / \prod_{j=1}^{i} (\gamma + m_j)} \quad \text{for each } i \in [r].$$

Let $V_0 = g$. For a registration request from a client $ID$, the server issues a witness $W_r \leftarrow V_r^{1/(\gamma+m)}$ along with

$$\pi \leftarrow \mathrm{NIZK}\{(\gamma) : W_r^{\gamma} = V_r W_r^{-m} \wedge g^{\gamma} = w\},$$

and the client stores $(ID, [A]_{pw}, W_r)$, where $m = H_1(ID)$.

      Client                                               Server

      ClientHello                  -------->
                                                      ServerHello
                                                     Certificate?
                                               ServerKeyExchange?
                                              CertificateRequest?
                                   <--------      ServerHelloDone
      Certificate?
      ClientKeyExchange
      CertificateVerify?
      [ChangeCipherSpec]
      Finished                     -------->
                                               [ChangeCipherSpec]
                                   <--------             Finished
      Application Data             <------->     Application Data

Figure 4: TLS Message Flows. Messages marked "?" are only sent in some modes; the messages that ECDHE3 and ECDHE4 change (Section 7.1) are CertificateRequest, the client's Certificate and CertificateVerify.

Witness Update. Given the current revocation list $RL = \{(m_i, V_i)\}_{i=1}^{r'}$, an un-revoked user $ID$ can update her witness $W_r$ off-line and iteratively, with $m = H_1(ID)$, as follows:

$$W_{j+1} \leftarrow \left(W_j / V_{j+1}\right)^{1/(m_{j+1} - m)}, \quad \text{for each } r \le j \le r' - 1.$$

(This is correct because $W_j = V_j^{1/(\gamma+m)}$ and $V_{j+1} = V_j^{1/(\gamma+m_{j+1})}$ give $W_j / V_{j+1} = W_{j+1}^{\,m_{j+1} - m}$.)

Non-membership Proof. To prove that she has not been revoked, the client computes $m \leftarrow H_1(ID)$, randomizes the witness as $T \leftarrow W_r^{z}$ with a random $z \in \mathbb{Z}_p^*$, and generates $\Sigma \leftarrow \mathrm{SPK}\{(m, z) : T^{-m} V_r^{z} = V\}$, where $V = T^{\gamma}$.

Note that a revoked user $ID_{j+1}$ ($r \le j < r'$) cannot update her witness, as the denominator $m_{j+1} - m$ is 0. Using the technique in [11, Lemma 3.2], we can prove that no revoked user can forge a witness under the $q$-SDH assumption.

To support revocation, we extend the Show and ShowVerify algorithms of Section 5.1 by replacing the underlying SPK with $\mathrm{SPK}'\{(m, a, z) : T^{-m} g^{a} = V \wedge T^{-m} V_r^{z} = V\}(\ell)$. By APAKE_r we denote the APAKE protocol with the above revocation mechanism.
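The accumulator of this section, as an added example that is not part of the paper or its implementation: the server builds $RL$ and issues witnesses, a client updates her witness off-line across later revocations and then proves non-membership with the Fiat-Shamir SPK, and a revoked user's update fails on the zero denominator. It reuses the toy order-1019 group of the Section 5 example (an assumption; $p$ must be $2\lambda$ bits in practice), binds $V_r$ into the challenge hash, draws the $m_i$ directly instead of as $H_1(ID_i)$ because the toy group is so small, and covers only the non-membership relation, which in APAKE_r is proven together with the credential relation in a single SPK' over the shared $m$. The scenario and its users are constructed:

```python
"""Accumulator-based revocation for APAKE_r (Section 6): revocation list, witness issuance,
off-line witness update and the non-membership SPK.  Added example, not the paper's code."""
import hashlib
import random
import secrets

# Toy group, illustration only: order-P subgroup of Z_Q^* with Q = 2P+1 (P must be 2*lambda bits).
Q, P, G = 2039, 1019, 4


def gexp(base, e):
    return pow(base, e % P, Q)

def inv_p(x):
    """1/x mod P.  Raises ValueError for x = 0 mod P, which is exactly the revoked-user case."""
    return pow(x % P, -1, P)

def hash_to_zp(*parts):
    h = hashlib.sha256()
    for part in parts:
        h.update(repr(part).encode() + b"|")
    return int.from_bytes(h.digest(), "big") % P

def current_v(rl):
    """V_r for the current list: V_0 = g, V_i = V_{i-1}^{1/(gamma+m_i)} = g^{1/prod(gamma+m_j)}."""
    return rl[-1][1] if rl else G


class Server:
    def __init__(self, gamma):
        self.gamma, self.w, self.rl = gamma, gexp(G, gamma), []     # RL = [(m_i, V_i)]

    def revoke(self, m):
        self.rl.append((m, gexp(current_v(self.rl), inv_p(self.gamma + m))))

    def issue_witness(self, m):
        """(r, W_r) with W_r = V_r^{1/(gamma+m)}; the paper also ships a NIZK that W_r is well formed."""
        return len(self.rl), gexp(current_v(self.rl), inv_p(self.gamma + m))

    def verify_nonmembership(self, T, sigma, label):
        """Verifier side of SPK{(m, z): T^{-m} V_r^z = V}; V = T^gamma is computed, never sent."""
        c, sm, sz = sigma
        if T == 1:
            return False
        v_r, V = current_v(self.rl), gexp(T, self.gamma)
        R = gexp(T, -sm) * gexp(v_r, sz) * gexp(V, -c) % Q
        return c == hash_to_zp("H4r", G, T, v_r, R, label)


def update_witness(m, r, W_r, rl):
    """Client side, off-line: W_{j+1} = (W_j / V_{j+1})^{1/(m_{j+1} - m)} for j = r .. r'-1."""
    W = W_r
    for m_next, V_next in rl[r:]:
        W = gexp(W * pow(V_next, -1, Q) % Q, inv_p(m_next - m))    # ValueError iff m == m_next
    return W

def prove_nonmembership(m, W, rl, label):
    """Prover side: randomise the witness as T = W^z and prove knowledge of (m, z)."""
    v_r = current_v(rl)
    z = secrets.randbelow(P - 1) + 1
    T = gexp(W, z)
    rm, rz = secrets.randbelow(P), secrets.randbelow(P)
    R = gexp(T, -rm) * gexp(v_r, rz) % Q
    c = hash_to_zp("H4r", G, T, v_r, R, label)
    return T, (c, (rm + c * m) % P, (rz + c * z) % P)

def run_scenario(label=b"handshake-transcript"):
    """dave is revoked before alice and bob register; bob and carol are revoked afterwards."""
    gamma = secrets.randbelow(P - 1) + 1
    # m_i = H_1(ID_i) in the paper; with a 1019-element group we draw distinct m's directly
    # (and skip m = -gamma, which MAC_SDH excludes anyway).
    m_dave, m_alice, m_bob, m_carol = random.sample([x for x in range(P) if (gamma + x) % P], 4)
    srv = Server(gamma)
    srv.revoke(m_dave)
    r_alice, W_alice = srv.issue_witness(m_alice)         # r = 1
    r_bob, W_bob = srv.issue_witness(m_bob)
    srv.revoke(m_bob)
    srv.revoke(m_carol)
    W_alice_new = update_witness(m_alice, r_alice, W_alice, srv.rl)
    proof = prove_nonmembership(m_alice, W_alice_new, srv.rl, label)
    try:
        update_witness(m_bob, r_bob, W_bob, srv.rl)
        bob_blocked = False
    except ValueError:                                    # denominator m_bob - m_bob = 0
        bob_blocked = True
    return {
        "updated_witness_matches_fresh_issue": W_alice_new == srv.issue_witness(m_alice)[1],
        "alice_proof_accepted": srv.verify_nonmembership(*proof, label),
        "revoked_bob_cannot_update": bob_blocked,
    }
```

The update step works because $W_j / V_{j+1} = W_{j+1}^{\,m_{j+1} - m}$, which is what `updated_witness_matches_fresh_issue` checks against a witness the server issues from scratch on the current list. The server learns only $T = W^{z}$ and the Schnorr responses from the proof, never $W$ or $m$.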

7. APPLICATION OF APAKE TO TLS

We integrate APAKE into the TLS protocol to provide a TLS mode with server authentication and anonymous client authentication, in which a client holding a password-wrapped credential and the password can authenticate herself to the server without revealing her identity. We denote the ECDSA-signed elliptic curve Diffie-Hellman ciphersuite with anonymous client authentication by ECDHE3.

Since a labeled SE-NIZK is also a signature of knowledge [23] in which the label $\ell$ is the message being signed, we regard Show and ShowVerify for MAC_SDH as a signing algorithm and a verification algorithm respectively, where $(m, A)$ is the secret key used to generate signatures and a signature $\sigma_C$ on message $\ell$ is verified using $sk$. We refer to this "signature algorithm" as SigMAC, where SigMAC = (Show, ShowVerify).

We also integrate APAKE_r into TLS in the same way as APAKE, except that the extended (Show, ShowVerify) is used to support revocation and Sign($sk$, $w$) is additionally published. We denote the resulting ciphersuite by ECDHE4.

7.1 Integration into TLS

Assume that the server holds a certificate $cert_S$ on his ECDSA public key $pk$. The set of domain parameters $par = (\mathbb{G}, p, g)$ is selected from a trusted published source such as a standard, and its identifier is denoted by $parid$. The server acts as a Certification Authority and generates an ECDSA-signed certificate $cert_{mac}$ on a dummy entity "apake" and the public key $w$. Then $cert_{mac}$ is published and used by all clients that provide anonymous authentication with SigMAC. In the registration phase, each client first checks the validity of $cert_S$ and $cert_{mac}$, and then stores $cert_{mac}$ along with a password-wrapped credential $(ID, [A]_{pw})$.

Table 2: Performance of HTTPS using Apache with OpenSSL

  Ciphersuite | Connections / second                                                  | Connection  | Handshake | Client Auth.
              | 10 B payload    | 1 KB payload    | 10 KB payload   | 100 KB payload  | time (ms)   | (bytes)   |
  ------------+-----------------+-----------------+-----------------+-----------------+-------------+-----------+---------------------
  ECDHE1      | 2043.678 (1.06) | 2022.282 (1.61) | 1833.658 (1.80) | 943.266 (1.09)  | 1.54 (0.05) | 2200      | None
  ECDHE2      | 1133.08 (1.50)  | 1129.442 (1.69) | 1075.69 (0.48)  | 718.736 (0.21)  | 2.39 (0.05) | 3806      | plain sigs
  ECDHE3      | 1007.308 (2.25) | 999.994 (1.74)  | 953.698 (1.28)  | 661.652 (1.02)  | 2.80 (0.01) | 4078      | anon. sigs
  ECDHE4      | 863.712 (1.49)  | 860.364 (1.32)  | 826.032 (0.92)  | 602.928 (0.24)  | 3.40 (0.02) | 4179      | anon. sigs w/ revoc.

Legend: mean (std. dev.) in columns 2-6; Client Auth. gives the type of signature used for client authentication.

When using an X.509 certificate with ASN.1 data types, the certificate $cert_{mac}$ is defined as follows:

    Certificate ::= SEQUENCE {
        toBeSigned            TBSCertificate,
        algorithmIdentifier   {ECDSA},
        encrypted             certsig,
        ... }

    TBSCertificate ::= SEQUENCE { ...
        subjectPublicKeyInfo  SubjectPublicKeyInfo,
        ... }

    SubjectPublicKeyInfo ::= SEQUENCE {
        algorithm             {SigMAC},
        subjectPublicKey      parid||w,
        ... },

where SigMAC identifies the SigMAC = (Show, ShowVerify) algorithm, parid||w denotes the bit string encoding $(parid, w)$, $certsig = \mathrm{Sign}(sk, \mathrm{TBSCertificate})$, and the omitted fields are as specified in the X.509 specification.

Below, we show how to integrate APAKE into TLS [28]. We assume that the client has already recovered the "secret key" $(m = H_1(ID), A)$ from the password-protected credential $(ID, [A]_{pw})$ with her password $pw$ before initiating the TLS protocol. The ciphersuite ECDHE3 is the same as the ECDSA-signed elliptic curve Diffie-Hellman ciphersuite with client authentication using ECDSA signatures, except for the CertificateRequest, Certificate and CertificateVerify messages (those marked with rectangles in Figure 4). The server adds apake and (SigMAC, SHA256) to the fields of CertificateRequest, as shown below:

    struct {
        ClientCertificateType      {..., apake};
        SignatureAndHashAlgorithm  {..., (SigMAC, SHA256)};
        ... } CertificateRequest;

The client then sends $cert_{mac}$ in Certificate, and invokes SigMAC with the "secret key" $(m, A)$ to sign the handshake messages, producing CertificateVerify. The server checks the validity of $cert_{mac}$ and verifies the "signature" $\sigma_C$ using SigMAC and his secret key $sk$.

7.2 Implementation

We implemented ECDHE3 and ECDHE4 in C on top of OpenSSL v1.0.2g. For comparison, we also implemented the ECDSA-signed elliptic curve Diffie-Hellman ciphersuite with only server authentication (resp., mutual authentication), denoted by ECDHE1 (resp., ECDHE2), both of which are included in TLS 1.2. Our implementation runs at the 128-bit security level and uses the secp256r1 curve. Apart from the digital signature algorithms used for client authentication, the ciphersuites ECDHE1, ECDHE2, ECDHE3 and ECDHE4 share the same ingredients, namely ECDHE-ECDSA-AES128-GCM-SHA256, where AES128-GCM denotes authenticated encryption (with associated data) using AES-128 in GCM (Galois/Counter Mode). In the implementation of ECDHE4, we assume that the client has already updated her witness $W_r$ off-line.

Experiment environment. Our experimental results were obtained on two desktop computers. The "client" computer has an Intel i5-3470 processor with 4 cores running at 3.2 GHz each. The "server" computer has an Intel Core2 Duo E7300 processor with 2 cores running at 2.66 GHz each. Both computers run Ubuntu 15.04. Both programs were compiled for the x86_64 architecture with -O2 optimizations using g++ 4.9.2.

7.3 Performance Evaluation

The performance of ECDHE1, ECDHE2, ECDHE3 and ECDHE4 within the context of an HTTPS connection is shown in Table 2. The approach for analyzing performance in TLS/HTTPS follows that of Gupta et al. [37], and the experimental data were obtained following the method of [13]. The client and server platforms were connected over an isolated local area network with less than 1 ms ping time. The server was running Apache httpd 2.4.20 with the prefork MPM.

The first section of Table 2 shows the number of simultaneous connections supported by the server. The client computer was running the siege 4.0.1 tool (http://download.joedog.org/siege/siege-4.0.1.tar.gz) to create many HTTP connections over TLS in parallel. We ran separate tests with different HTTP payloads (10 bytes, 1 KB = 1024 bytes, 10 KB, and 100 KB) to simulate a variety of web page sizes. Each test was run for 100 seconds, and the results reported in Table 2 are the average of 5 runs, with the standard deviation listed in parentheses. During all tests, the client computer and network configuration were sufficient to ensure that the server's processor had at least 95% utilization. Note that session resumption was disabled. The second section of the table reports the average time required for a client to establish a connection, measured with Wireshark from when the client opens the TCP connection to the server's IP address to when the client starts to receive the first packet of application data. The third section of Table 2 reports the size of the handshakes.


Table 2 shows that ECDHE3 achieves between 1.43x and 2.03x fewer HTTPS connections per second than ECDHE1, and between 1.09x and 1.13x fewer than ECDHE2. ECDHE4 achieves between 1.10x and 1.17x fewer HTTPS connections per second than ECDHE3. The average connection time and the handshake size of ECDHE3 and ECDHE4 remain attractive.

8. REFERENCES

[1] https://krebsonsecurity.com/2016/03/crooks-steal-sell-verizon-enterprise-customer-data/.

[2] M. Abdalla. Password-based authenticated key exchange: An overview. In Provable Security 2014, volume 8782 of LNCS, pages 1–9. Springer, 2014.

[3] M. Bellare, D. Micciancio, and B. Warinschi. Foundations of group signatures: Formal definitions, simplified requirements, and a construction based on general assumptions. In EUROCRYPT 2003, pages 614–629.

[4] M. Bellare, D. Pointcheval, and P. Rogaway. Authenticated key exchange secure against dictionary attacks. In EUROCRYPT 2000, pages 139–155. Springer.

[5] M. Bellare and P. Rogaway. The AuthA protocol for password-based authenticated key exchange. Contribution to IEEE P1363.

[6] M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In ACM CCS'93, pages 62–73. ACM Press, 1993.

[7] S. M. Bellovin and M. Merritt. Encrypted key exchange: password-based protocols secure against dictionary attacks. In IEEE Computer Society Symposium on Research in Security and Privacy, pages 72–84, 1992.

[8] F. Benhamouda, O. Blazy, C. Chevalier, D. Pointcheval, and D. Vergnaud. New techniques for SPHFs and efficient one-round PAKE protocols. In CRYPTO 2013, volume 8042 of LNCS, pages 449–475. Springer, 2013.

[9] D. Bernhard, M. Fischlin, and B. Warinschi. Adaptive proofs of knowledge in the random oracle model. In Public-Key Cryptography – PKC 2015, pages 629–649.

[10] D. Boneh and X. Boyen. Efficient selective-ID secure identity based encryption without random oracles. In EUROCRYPT 2004, pages 223–238. Springer-Verlag.

[11] D. Boneh and X. Boyen. Short signatures without random oracles. In EUROCRYPT 2004, pages 56–73.

[12] D. Boneh, X. Boyen, and H. Shacham. Short group signatures. In M. Franklin, editor, CRYPTO 2004, volume 3152 of LNCS, pages 41–55. Springer-Verlag, 2004.

[13] J. W. Bos, C. Costello, M. Naehrig, and D. Stebila. Post-quantum key exchange for the TLS protocol from the ring learning with errors problem. In 2015 IEEE Symposium on Security and Privacy, 2015.

[14] V. Boyko, P. MacKenzie, and S. Patel. Provably secure password-authenticated key exchange using Diffie-Hellman. In EUROCRYPT 2000, pages 156–171.

[15] E. Brickell, J. Camenisch, and L. Chen. Direct anonymous attestation. In ACM CCS 2004, pages 132–145. ACM Press.

[16] J. Camenisch, M. Dubovitskaya, K. Haralambiev, and M. Kohlweiss. Composable and modular anonymous credentials: Definitions and practical constructions. In ASIACRYPT 2015, pages 262–288. Springer.

[17] J. Camenisch and A. Lysyanskaya. A signature scheme with efficient protocols. In SCN 2002, pages 268–289. Springer.

[18] J. Camenisch and A. Lysyanskaya. Signature schemes and anonymous credentials from bilinear maps. In CRYPTO 2004, volume 3152 of LNCS, pages 56–72. Springer-Verlag.

[19] J. Camenisch and A. Lysyanskaya. An efficient system for non-transferable anonymous credentials with optional anonymity revocation. In EUROCRYPT 2001, volume 2045 of LNCS, pages 93–118. Springer-Verlag, 2001.

[20] J. Camenisch and M. Stadler. Efficient group signature schemes for large groups. In CRYPTO 1997, pages 410–424.

[21] A. Cassola, E.-O. Blass, and G. Noubir. Authenticating privately over public Wi-Fi hotspots. In ACM CCS 2015, pages 1346–1357. ACM, 2015.

[22] E. Cesena, H. Löhr, G. Ramunno, A.-R. Sadeghi, and D. Vernizzi. Anonymous authentication with TLS and DAA. In TRUST 2010, pages 47–62. Springer.

[23] M. Chase and A. Lysyanskaya. On signatures of knowledge. In CRYPTO 2006, pages 78–96. Springer-Verlag.

[24] M. Chase, S. Meiklejohn, and G. Zaverucha. Algebraic MACs and keyed-verification anonymous credentials. In ACM CCS 2014, pages 1205–1216. ACM Press. Full version available at http://eprint.iacr.org/2013/516.

[25] D. Chaum. Blind signatures for untraceable payments. In CRYPTO 1982, pages 199–203, 1982.

[26] D. Chaum. Security without identification: Transaction systems to make big brother obsolete. Communications of the ACM, pages 1030–1044, 1985.

[27] D. Chaum and E. van Heyst. Group signatures. In EUROCRYPT 1991, pages 257–265. Springer-Verlag.

[28] T. Dierks and E. Rescorla. The Transport Layer Security (TLS) protocol version 1.2. RFC 5246 (Proposed Standard), August 2008.

[29] Y. Dodis, E. Kiltz, K. Pietrzak, and D. Wichs. Message authentication, revisited. In EUROCRYPT 2012, volume 7237 of LNCS, pages 355–374. Springer-Verlag, 2012.

[30] Y. Dodis and A. Yampolskiy. A verifiable random function with short proofs and keys. In Public Key Cryptography – PKC 2005, pages 416–431. Springer-Verlag, 2005.

[31] European Parliament and Council of the European Union. Directive 2009/136/EC. Official Journal of the European Union, 2009.

[32] D. Fett, R. Küsters, and G. Schmitz. SPRESSO: A secure, privacy-respecting single sign-on system for the web. In ACM CCS 2015, pages 1358–1369.

[33] A. Fiat and A. Shamir. How to prove yourself: Practical solutions to identification and signature problems. In CRYPTO 1986, pages 186–194. Springer-Verlag.

[34] M. Fischlin. Communication-efficient non-interactive proofs of knowledge with online extractors. In CRYPTO 2005, volume 3621 of LNCS, pages 152–168. Springer-Verlag.

[35] S. Goldwasser, S. Micali, and R. L. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal on Computing, pages 281–308, 1988.

[36] J. Groth. Simulation-sound NIZK proofs for a practical language and constant size group signatures. In ASIACRYPT 2006, pages 444–459. Springer-Verlag.

[37] V. Gupta, D. Stebila, S. Fung, S. C. Shantz, N. Gura, and H. Eberle. Speeding up secure web transactions using elliptic curve cryptography. In NDSS, 2004.

[38] IBM. Specification of the Identity Mixer Cryptographic Library. IBM Research Report RZ 3730, 2010.

[39] IEEE 1363.2. IEEE standard specifications for password-based public-key cryptographic techniques. IEEE Std 1363.2-2008, pages 1–127, 2009.

[40] ISO/IEC 11770-4. Information technology – Security techniques – Key management – Part 4: Mechanisms based on weak secrets, 2006.

[41] ISO/IEC 11889:2015. Information technology – Trusted Platform Module Library, 2015.

[42] ISO/IEC 20008. Information technology – Security techniques – Anonymous digital signatures, 2013.

[43] ISO/IEC DIS 20009-4. Information technology – Security techniques – Anonymous entity authentication – Part 4: Mechanisms based on weak secrets, 2015.

[44] J. Katz, R. Ostrovsky, and M. Yung. Efficient password-authenticated key exchange using human-memorable passwords. In EUROCRYPT 2001, volume 2045 of LNCS, pages 475–494. Springer-Verlag.

[45] Y. Lindell. Anonymous authentication. Journal of Privacy and Confidentiality, 2(2):4, 2007.

[46] M. Naor and O. Reingold. Synthesizers and their application to the parallel construction of pseudo-random functions. Journal of Computer and System Sciences, 58(2):336–375, April 1999.

[47] NISTIR 8062. Privacy risk management for federal information systems, May 2015.

[48] C. Paquin and G. Zaverucha. U-Prove Cryptographic Specification V1.1 (Revision 3). Microsoft, 2013.

[49] D. Pointcheval. Password-based authenticated key exchange. In PKC 2012, pages 390–397. Springer.

[50] D. Pointcheval and J. Stern. Security arguments for digital signatures and blind signatures. Journal of Cryptology, 13(3):361–396, 2000.

[51] K. Rannenberg, J. Camenisch, and A. Sabouri. Attribute-based Credentials for Trust – Identity in the Information Society. Springer, 2015.

[52] H. A. Schmidt. National strategy for trusted identities in cyberspace. Cyberwar Resources Guide, Item 163, 2010.

[53] C. Schnorr. Security of blind discrete log signatures against interactive attacks. In Information and Communications Security, volume 2229 of LNCS, pages 1–12, 2001.

[54] S. Shin and K. Kobara. Anonymous password authenticated key exchange: New construction and its extensions. IEICE, 93(1):102–115, 2010.

[55] V. Shoup. Lower bounds for discrete logarithms and related problems. In EUROCRYPT 1997, pages 256–266.

[56] N. P. Smart. The exact security of ECIES in the generic group model. In Cryptography and Coding, pages 73–84. Springer, 2001.

[57] D. Taylor, T. Wu, N. Mavrogiannopoulos, and T. Perrin. Using the Secure Remote Password (SRP) protocol for TLS authentication. RFC 5054, 2007.

[58] D. Q. Viet, A. Yamamura, and H. Tanaka. Anonymous password-based authenticated key exchange. In INDOCRYPT 2005, volume 3797 of LNCS, pages 244–257.

[59] J. Walker and J. Li. Key exchange with anonymous authentication using DAA-SIGMA protocol. In Trusted Systems, volume 6802 of LNCS, pages 108–127, 2011.

[60] J. Yang and Z. Zhang. A new anonymous password-based authenticated key exchange protocol. In INDOCRYPT 2008, volume 5365 of LNCS, pages 200–212. Springer.

[61] Y. Yang, J. Zhou, J. Weng, and F. Bao. A new approach for anonymous password authentication. In ACSAC 2009, pages 199–208. IEEE.

[62] Y. Yang, J. Zhou, J. W. Wong, and F. Bao. Towards practical anonymous password authentication. In ACSAC 2010, pages 59–68. ACM.

APPENDIX
A. SECURITY PROOFS OF MAC_SDH

In this section, we prove that MAC_SDH is suf-rmva secure (Theorem 4) and weakly pseudorandom (Theorem 5).

Theorem 4. If the $q$-SDH assumption holds in $\mathbb{G}$, then the MAC_SDH scheme is suf-rmva secure.

Proof. If there exists an adversary $\mathcal{A}$ that makes $q_m$ queries to the oracle mac and $q_v$ queries to the oracle verify, and breaks the suf-rmva security of MAC_SDH with probability $\varepsilon$, then we can construct an algorithm $\mathcal{B}$ that breaks the $q$-SDH assumption with probability $\varepsilon/(q_v+1)$ by interacting with $\mathcal{A}$, where $q = q_m + 1$.

Given a $q$-SDH instance $(g, g^{\gamma}, \ldots, g^{\gamma^{q}}) \in (\mathbb{G}^*)^{q+1}$ for some unknown $\gamma \in \mathbb{Z}_p^*$, $\mathcal{B}$ aims to output a solution $(c, g^{1/(\gamma+c)})$ for some $c \in \mathbb{Z}_p \setminus \{-\gamma\}$. $\mathcal{B}$ picks $i^* \leftarrow_{\$} [q_v + 1]$ as its guess that the first fresh and valid forgery appears in the $i^*$-th verification query if $1 \le i^* \le q_v$, or in the final output of $\mathcal{A}$ if $i^* = q_v + 1$. Then $\mathcal{B}$ chooses $m_1, m_2, \ldots, m_{q-1} \leftarrow_{\$} \mathbb{Z}_p$. Let

$$f(x) = \prod_{j=1}^{q-1}(x + m_j) = \sum_{j=0}^{q-1} \alpha_j x^{j} \quad\text{and}\quad f_i(x) = \frac{f(x)}{x + m_i} = \prod_{j=1,\, j \neq i}^{q-1}(x + m_j) = \sum_{j=0}^{q-2} \beta_{i,j} x^{j}$$

for each $i \in [q-1]$. Using the tuple $(g, g^{\gamma}, \ldots, g^{\gamma^{q}})$ and the technique of Boneh-Boyen [11, Lemma 3.2], $\mathcal{B}$ can compute

$$g' = \prod_{j=0}^{q-1} \left(g^{\gamma^{j}}\right)^{\alpha_j} = g^{f(\gamma)}, \qquad w = \prod_{j=1}^{q} \left(g^{\gamma^{j}}\right)^{\alpha_{j-1}} = g^{\gamma f(\gamma)} = (g')^{\gamma},$$

and

$$A_i = \prod_{j=0}^{q-2} \left(g^{\gamma^{j}}\right)^{\beta_{i,j}} = g^{f_i(\gamma)} = g^{f(\gamma)/(\gamma + m_i)} = (g')^{1/(\gamma + m_i)}$$

for each $i \in [q-1]$. Next, $\mathcal{B}$ returns $par_{mac} = (\mathbb{G}, p, g', w)$ to $\mathcal{A}$ and responds to the queries made by $\mathcal{A}$ as follows:

• For the $i$-th MAC query, $\mathcal{B}$ returns $(m_i, A_i)$ to $\mathcal{A}$.

• For the $i$-th verification query $(m_i', A_i')$: if $i = i^*$, $\mathcal{B}$ sets $(m, A) = (m_i', A_i')$ and aborts; otherwise (i.e., $i < i^*$), $\mathcal{B}$ returns 1 if $(m_i', A_i') = (m_j, A_j)$ for some $1 \le j \le q-1$ and 0 otherwise.

Finally, if $\mathcal{B}$ has not aborted, $\mathcal{A}$ outputs a forgery $(m^*, A^*)$. In this case ($i^* = q_v + 1$), $\mathcal{B}$ sets $(m, A) = (m^*, A^*)$.

$\mathcal{B}$'s guess is correct with probability $1/(q_v + 1)$. In that case $\mathcal{B}$'s simulation is perfect, and $(m, A)$ is a fresh and valid forgery, i.e., $(m, A) \notin \{(m_i, A_i)\}_{i=1}^{q-1}$ and $A^{\gamma + m} = g'$. Thus $m \notin \{m_1, \ldots, m_{q-1}\}$, since for any valid message-tag pair $(m, A)$ under $g'$ and $\gamma$, $A$ is uniquely determined by $m$. Write $f(x) = f'(x)(x + m) + \eta$ for some $\eta \in \mathbb{Z}_p^*$ and $f'(x) = \sum_{j=0}^{q-2} \delta_j x^{j}$. Note that

$$A = (g')^{1/(\gamma + m)} = g^{f(\gamma)/(\gamma + m)} = g^{f'(\gamma) + \eta/(\gamma + m)}.$$

$\mathcal{B}$ computes $g^{1/(\gamma + m)} = \left(A / g^{f'(\gamma)}\right)^{1/\eta}$ with $g^{f'(\gamma)} = \prod_{j=0}^{q-2} \left(g^{\gamma^{j}}\right)^{\delta_j}$, and outputs $(m, g^{1/(\gamma + m)})$ as a solution to the $q$-SDH problem.

Theorem 5. If the $q$-DDHI assumption holds in the group $\mathbb{G}$, then MAC_SDH is weakly pseudorandom.

Proof. If there exists an adversary $\mathcal{A}$ that makes $q_m$ queries to the oracle mac and breaks the weak pseudorandomness of MAC_SDH with probability $\varepsilon$, then we can construct an algorithm $\mathcal{B}$ that breaks the $q$-DDHI assumption with probability at least $\varepsilon - (q-1)/p$ by interacting with $\mathcal{A}$, where $q = q_m + 1$.

Given $(g, g^{\alpha}, \ldots, g^{\alpha^{q}}, T) \in (\mathbb{G}^*)^{q+2}$ for some unknown $\alpha \in \mathbb{Z}_p^*$, $\mathcal{B}$ aims to distinguish $T = g^{1/\alpha}$ from a random element $T$. First, $\mathcal{B}$ picks $m_1, \ldots, m_{q-1}, m \leftarrow_{\$} \mathbb{Z}_p$. Using the binomial theorem, $\mathcal{B}$ can compute the tuple $(g, g^{\gamma}, \ldots, g^{\gamma^{q}})$ where $\gamma = \alpha - m$. Then, as in the proof of Theorem 4, $\mathcal{B}$ generates $g' = g^{f(\gamma)}$, $w = (g')^{\gamma}$, and $A_i = (g')^{1/(\gamma + m_i)}$ for each $i \in [q-1]$, where $f(x) = \prod_{j=1}^{q-1}(x + m_j)$. Next, $\mathcal{B}$ returns $par_{mac} = (\mathbb{G}, p, g', w)$ to $\mathcal{A}$. For the $i$-th query to the oracle mac, $\mathcal{B}$ returns the pair $(m_i, A_i)$ to $\mathcal{A}$. If $m$ is equal to one of $m_1, \ldots, m_{q-1}$, $\mathcal{B}$ aborts. Otherwise, the polynomial $f(x)$ is not divisible by $(x + m)$, so $f(x) = f'(x)(x + m) + \eta$ for some $\eta \neq 0$; write $f'(x) = \sum_{j=0}^{q-2} \delta_j x^{j}$. Then $\mathcal{B}$ computes $g^{f'(\gamma)} = \prod_{j=0}^{q-2} \left(g^{\gamma^{j}}\right)^{\delta_j}$ and returns $(m, \sigma = g^{f'(\gamma)} \cdot T^{\eta})$ to $\mathcal{A}$ as the challenge. Finally, $\mathcal{A}$ outputs a guess $b'$, and $\mathcal{B}$ outputs $b'$.

It is easy to see that the simulation of the oracle mac is perfect. If $T = g^{1/\alpha}$, then, since $\alpha = \gamma + m$,

$$\sigma = g^{f'(\gamma)} T^{\eta} = g^{f'(\gamma)} g^{\eta/(\gamma + m)} = g^{f(\gamma)/(\gamma + m)} = (g')^{1/(\gamma + m)}.$$

If $T$ is uniformly distributed in $\mathbb{G}^*$, then so is $\sigma$. If $\mathcal{B}$ does not abort, $\mathcal{B}$ succeeds whenever $\mathcal{A}$ wins. As $\Pr[\exists i \in [q-1] \text{ s.t. } m = m_i] \le (q-1)/p$, we have the claimed bound.
