 Hello everyone, welcome to my Crypto 2020 virtual talk. I hope everyone is safe. So in this talk, I will present universally composable relaxed password authentication key exchange. And this is joint work with Michelle Abdallah, Manuel Barbosa, Tatiana Bradley, Sanyi Swaf Yaretsky, and Jonathan Kass. And we also have two guest stars here. So this is Ada Loveless and this is Charles Barbic, replacing Alison Bob. So these were joined by my co-author Tatiana and Tatiana also contributed a lot to the slides in general. Okay. So let me first introduce the concept of password authenticated key exchange or plate. So this is a two-party protocol and the goal is to establish a shared cryptographic key in the super password only setting, which means that the only information shared by the two parties in advance is a low entropy password. So as you can see here, Ada inputs a password, her password PW and Charles enters his password PW prime. And at the end of the interaction, if their passwords match, then they will output the same key. And otherwise if their passwords don't match, then they will output independent keys. So here's a very brief overview of the previous constructions of plate protocols. So there have been two major paradigms. The first one is to take different key exchange and then you somehow blind the protocol messages using the password. And this line of research started from the groundbreaking work by Belovin at Merritt in 1992 called Encrypted Key Exchange or EKE. And since then there have been many subsequent works in this paradigm and the most efficient type protocols fall into this category. But on the other hand, they require their security analysis require some idealized model such as the random oracle model. And another paradigm is to use encryption plus most projective hash function. And this usually allows a plate protocol to be proven secure in the standard model. So you usually still need a common reference stream but no random oracle is needed. But the cause is that they are usually less efficient. For a very long time, there has been really no adoption of pike in practice. But very recently from last year to this year, the IETF, the Internet Engineering Task Force has two competitions on pikes. One on pike and one on an extension called asymmetric pikes. And this sparked much interest in the practical aspects of pike. And perhaps we will see pike implementations used in real life say on the internet in some years. This work is about the security models of pike. So again, for pike security models, there are also two prominent paradigms. One is a game-based model and the other is a universally compatible or UC model. So UC as long as a game-based in general because UC allows for arbitrary protocol composition. But in particular for pike, UC also has some additional advantages such as modeling password reuse, which means that a user can use the same password for multiple accounts. And this is simply not covered by the game-based definition. So for these reasons, UC has been viewed as a goal standard for pike security analysis. And indeed, since UC allows for arbitrary protocol composition, there are some previous results showing that a UC pike can be composed to get some extensions that has asymmetric pike and an even stronger variant cause strong asymmetric pike. Unfortunately, the most efficient pike protocols are proven secure in the game-based setting only and not in the UC setting. But on the other hand, there has also been no explicit attack shown for any of them. So a very natural question is, is there really a gap between these efficient pike protocols and the UC pike model? And this is indeed the motivation of our work and our work is exactly to fill this gap. We propose two relaxations of the standard pike functionality. One is called the lazy extraction pike or LE pike and this is the main one we use. And the other is a slightly stronger variant called relaxed UC pike or R pike. And then we show that all of these, aspect two, TB peak, S peak and C pace. So all of these efficient pike protocols, which were proven secure in the game-based setting only previously, all of these actually realize you'll see a lazy extraction pike in the random oracle model. So in other words, we show that they are actually UC secure. As long as you are willing to slightly relax the UC functionality itself. And third, we show that some of T confirmation converts a lazy extraction pike to the stronger relaxed pike. And finally, we also do a sanity check that any UC relaxed pike is game-based secure with the so-called perfect forward secrecy property. So even if the pike functionality is relaxed, it still implies the basic game-based security. So our key observation is as this. In an active attack, the standard UC pike functionality requires the simulator to extract the password, to extract the adverse password before the session completes. So that is before the attack party out for the key. So if we take a look at the standard UC pike functionality, so here this picture is directly copied and pasted from the original paper, which proposed the standard UC pike functionality. So as you can see here, the test password query corresponds to the simulator extracting the password, the adverse password. And this query will be ignored by the functionality unless the protocol session is fresh. And it is fresh only before the session completes. So again, the standard UC pike functionality requires that the extraction of the password must happen before the session completes. So now we can take an example and see why this aspect tool protocol does not seem to realize the standard pike functionality. So this is a one-round protocol and the only method is sent during a session as a group elements, X and Y. And if you look at how X and Y are computed, there are Peterson commitments of the password, which means that the password is information theoretically hidden and there's simply no hope to extract the password during the online session. However, after those online messages X and Y are sent, if the adversary wants to get, say, Ada's key, then it needs to make a random protocol query at the end, which can't be seen by the simulator. So maybe the simulator can extract the password after the online session completes. So to summarize, the simulator cannot extract the password during an online session and that is why aspect tool doesn't seem to realize the standard UC pike functionality, but there's still some hope that the password can be extracted afterwards. And indeed, this is exactly the idea of our relaxation of the UC pike functionality, that is to allow the post-execution password extraction. So even after all protocol messages are sent and the online party already computes its key, the simulator can still extract the password by observing the adversary's local computation, such as the random protocol queries. And as in the standard UC pike functionality, we require that for obsession, only a single password can be tested. But the difference is that the difference with the standard functionality is that here, a password test can be done either during the session or after the session completes. And what will happen in a late password test? So we recall that we have two relaxations. So in this lazy extraction pike functionality, the ideal adversary learns a session key, which is real if the late password test is real. Or if the late password test is correct. And otherwise it is random. So in the stronger relaxed pike functionality, the ideal adversary only learns whether the late password test is correct or not. As you can see, relaxed pike is indeed stronger because the adversary learns less information. So here's the details of our relaxations of the UC pike functionality. So first of all, if the adversary wants to do a late password test, then it needs to register the late password test during the session. And secondly, in the late test password query, which reflects the post execution password extraction, the ideal adversary may learn a key here as in lazy extraction pike or learn a bit, whether the late password test is correct or not. As in relaxed pike. So now we can look a little bit closer on how exactly the simulator can extract the password post execution in the aspect tool. So we prove that aspect tool, UC realizes the lazy extraction pike functionality in the random oracle model under the gap deferralment assumption. And we stress that the reduction here is tight. So now let's say that Charles is the adversary and either needs to be simulated. So first of all, there are two random group elements in the common reference stream, M and N. And because it is the simulator who sets the CRS, of course the simulator can't know the discrete log of M and N. And secondly, the simulator also needs to simulate the protocol message of AIDA, which is the group element X. So we call that X is the Peterson commitment of AIDA's password. So at this point, the simulator doesn't know AIDA's password. And this X is a random group element. So what the simulator will do is to just sample group element uniformly. And again, the simulator knows the discrete log of X. So now the simulator has three triples, the discrete logs of M, N, and X. If the adversary wants to learn the session key of AIDA, then it needs to make a random oracle query here, because this is how AIDA's session key is computed. So now, in particular, the input of the random oracle contains the password and also a group element here and here. So aspect two is designed in such a way that there's a relation between these two, the password and the group element such that a correct RL query, always in a correct RL query, these two always satisfy such a relation. And this relation can be checked given all these three triples. So what does this mean? This means that when trials when this adversary queries the random oracle, the simulator can check if the query is correct. That is if the query corresponds to a password test. And if this is the case, then the simulator can extract the password test. So why does it only realize the lazy extraction type functionality? So this is because the simulator after extracting the AIDA's password, it really needs to learn the key from the functionality in order to program the random oracle. So why do we need that development here? Recall that the lazy extraction type functionality only allows a single password test per session. So this means that if Charles makes two random oracle queries for the same session and both of them are correct, then the simulator would get stuck because it doesn't know which password should be sent to the functionality. But we can show that this essentially means that the adversary Charles solves computational development on the CRS group elements, M and N. So in the reduction to CDH, the reduction doesn't know the triples for M and N. And to get around, it needs a CDH decisional development oracle. And that is why the gap development assumption is needed. Okay. Our second result is about adding explicit the mutual authentication. Recall that in a normal pick, in a pick with the so-called implicit authentication. If the two parties' passwords don't match, then they will output independent keys. But here, the difference is that if the password don't match, then the parties will just abort. So we show the results that you'll see lazy extraction pick plus standard key confirmation use a stronger UC relaxed pick with explicit authentication. So how is the key confirmation done? So you'll just use the lazy extraction pick output, a small key here and you'll derive an authenticator called tallish here and then you'll exchange the authenticator. And after you'll receive the authenticator from the counter party, you'll check if it is correct. And if it is not correct, then you'll abort. So now let's see on a very high level, why the theorem holds. So this is because if the adversary doesn't match, do a password test on the correct password, then the adversary cannot simply cannot come up with the correct authenticator. And since the lazy extraction pick key, since this key is hidden, the honest party will just abort. In other words, if the honest party doesn't abort, then the adversary must do a correct password guess. Yes, which allows the simulator to extract the password. Unlike aspect tool here, the simulator doesn't really need a key to program the random oracle. Learning whether the password test is correct or not is sufficient for computing the final certainty. So we get an RPIC, which is slightly stronger than LE page. And there are some subtleties here which prevents this to realize the standard page functionality. So roughly speaking, this is because the adversary can make a late password test even after assertion abort. For the more, we also do a sanity check here involving game-based page security notion and the property of perfect forward secrecy or PFS. So recall that perfect forward secrecy means that when after a party corruption, all private sessions are still secure. So we show that UC relaxed page implies game-based, both game-based security and PFS. And the proof of this fact is very similar to the previous results that the standard UC page functionality has this property. And we also show that so weaker UC lazy extraction page, it also implies game-based page security and a weaker form of PFS. We measure some related work here. There has been some previous work modeling this post execution extraction data in UC. First in the context of another primitive quote of Livia's pseudo random function and then in a symmetric page. And there's the concurrent work by Schrupp which shows that aspect tool with key confirmation actually realizes a functionality which is essentially equivalent to our relaxed page. And the difference is that our analysis is done moderately. So first we analyze the plain aspect tool as a lazy extraction page. And then we add key confirmation to obtain the stronger, the relaxed page. And we also analyzed some other efficient page protocols. But on the other hand, Schrupp's analysis is based on a slightly weaker assumptions than ours. And finally, there is the very recent result which shows that encrypted key exchange, the first page protocol ever proposed, already realizes the standard UC page functionality when the encrypted scheme is some specific ones. But regarding the computational costs of their protocol and ours, there is some trade-off in the comparison. And at this moment, it is not completely clear which one is more efficient when implemented. And also, their security reduction is not as tight as ours. So in conclusion, we show that practical page protocols are actually UC SQL as long as we slightly relax the standard UC page functionality to lazy extraction page. And secondly, adding key confirmation has two effects. So first one is it allows explicit authentication. And the second is it upgrades lazy extraction page with a slightly stronger relaxed page. And finally, we show that every UC page is actually game-based secure with perfect forward secrecy. There are many interesting open questions and here I only want to mention one of them. And that is, is lazy extraction page we propose really weaker than the standard UC page? And if that is the case, then in what cases or in what sense are they weaker? Okay, so this is the end of the talk. Our paper is on E-Print. You can check it out if you are interested. Thank you very much.