Session-Key Generation using Human Passwords Only

Oded Goldreich* and Yehuda Lindell
Department of Computer Science and Applied Math, Weizmann Institute of Science, Rehovot, Israel. {oded,lindell}@wisdom.weizmann.ac.il

Abstract. We present session-key generation protocols in a model where the legitimate parties share only a human-memorizable password. The security guarantee holds with respect to probabilistic polynomial-time adversaries that control the communication channel (between the parties), and may omit, insert and modify messages at their choice. Loosely speaking, the effect of such an adversary that attacks an execution of our protocol is comparable to an attack in which an adversary is only allowed to make a constant number of queries of the form "is w the password of Party A". We stress that the result holds also in case the passwords are selected at random from a small dictionary so that it is feasible (for the adversary) to scan the entire directory. We note that prior to our result, it was not clear whether or not such protocols were attainable without the use of random oracles or additional setup assumptions.

1 Introduction

This work deals with the oldest and probably most important problem of cryptography: enabling private and reliable communication among parties that use a public communication channel. Loosely speaking, privacy means that nobody besides the legitimate communicators may learn the data communicated, and reliability means that nobody may modify the contents of the data communicated (without the receiver detecting this fact). Needless to say, a vast amount of research has been invested in this problem. Our contribution refers to a difficult and yet natural setting of two parameters of the problem: the adversaries and the initial set-up. We consider only probabilistic polynomial-time adversaries. Still, even within this framework, an important distinction refers to the type of adversaries one wishes to protect against: passive adversaries only eavesdrop on the channel, whereas active adversaries may also omit, insert and modify messages sent over the channel. Clearly, reliability is a problem only with respect to active adversaries (and holds by definition w.r.t. passive adversaries).
We focus on active adversaries. The second parameter mentioned above is the initial set-up assumptions. Some assumption of this form must exist or else there is no difference between

* Supported by the MINERVA Foundation, Germany.

the legitimate communicators, called Alice and Bob, and the adversary (which may otherwise initiate a conversation with Alice pretending to be Bob). We list some popular initial set-up assumptions and briefly discuss what is known about them.

Public-key infrastructure: Here one assumes that each party has generated a secret-key and deposited a corresponding public-key with some trusted server(s). The latter server(s) may be accessed at any time by any user. It is easy to establish private and reliable communication in this model (cf. [15, 33]). (However, even in this case, one may want to establish "session keys" as discussed below.)

Shared (high-quality) secret keys: By high-quality keys we mean strings coming from distributions of high min-entropy (e.g., uniformly chosen 56-bit (or rather 192-bit) long strings, uniformly chosen 1024-bit primes, etc.). Furthermore, these keys are selected by a suitable program, and cannot be memorized by humans. In case a pair of parties shares such a key, they can conduct private and reliable communication (cf. [9, 36, 19, 4]).

Shared (low-quality) secret passwords: In contrast to high-quality keys, passwords are strings that may be easily selected, memorized and typed-in by humans. An illustrating (and simplified) example is the case in which the password is selected uniformly from a relatively small dictionary; that is, the password is uniformly distributed in D ⊆ {0,1}^n, where |D| = poly(n). Note that using such a password in the role of a cryptographic key (in schemes as mentioned above) will yield a totally insecure scheme. A more significant observation is that the adversary may try to guess the password, and initiate a conversation with Alice pretending to be Bob and using the guessed password. So nothing can prevent the adversary from successfully impersonating Bob with probability 1/|D|. But can we limit the adversary's success to about this much? The latter question is the focus of this paper.

Session-keys: The problem of establishing private and reliable communication is commonly reduced to the problem of generating a secure session-key (a.k.a. "authenticated key exchange").
Loosely speaking, one seeks a protocol by which Alice and Bob may agree on a key (to be used throughout the rest of the current communication session) so that this key will remain unknown to the adversary.^1 Of course, the adversary may prevent such agreement (by simply blocking all communication), but this will be detected by either Alice or Bob.

^1 We stress that many famous key-exchange protocols, such as the one of Diffie and Hellman [15], refer to a passive adversary. In contrast, this paper refers to active adversaries.

1.1 What security may be achieved based on passwords

Let us consider the related (although seemingly easier) task of mutual authentication. Here Alice and Bob merely want to establish that they are talking to one another. Repeating an observation made above, we note that if the adversary initiates m ≤ |D| instances of the mutual authentication protocol, guessing a different password in each of them, then with probability m/|D| it will succeed in impersonating Alice to Bob (and furthermore find the password). The question posed above is rephrased here as follows: Can one construct a password-based scheme in which the success probability of any probabilistic polynomial-time impersonation attack is bounded by O(m/|D|) + μ(n), where m is the number of sessions initiated by the adversary, and μ(n) is a negligible function in the security parameter n? We resolve the above question in the affirmative. That is, assuming the existence of trapdoor one-way permutations, we prove that schemes as above do exist (for any D and specifically for |D| = poly(n)). Our proof is constructive. We actually provide a protocol of comparable security for the more demanding goal of authenticated session-key generation.

Password-based authenticated session-key generation: Our definition for the task of authenticated session-key generation is based on the simulation paradigm. That is, we require that a secure protocol emulates an ideal execution of a session-key generation protocol (cf. [1, 29, 12]). In such an ideal execution, a trusted third party hands identical, uniformly distributed session-keys to the honest parties. The only power given to the adversary in this ideal model is to prevent the trusted party from handing keys to one of both parties. (We stress that, in this ideal model, the adversary learns nothing of the parties' joint password or output session-key.) Next, we consider a real execution of a protocol (where there is no trusted party and the adversary has full control over the communication channel between the honest parties). In general, a protocol is said to be secure if real-model adversaries can be emulated in the ideal-model such that the output distributions are computationally indistinguishable.
Since in a password-only setting the adversary can always succeed with probability 1/|D|, it is impossible to achieve computational indistinguishability between the real model and the above-described ideal model (where the adversary has zero probability of success). Therefore, in the context of a password-only setting, an authenticated session-key generation protocol is said to be secure if the above-mentioned ideal-model emulation results in an output distribution that can be distinguished from a real execution by (a gap of) at most O(1/|D|) + μ(n).

Main result (informally stated): Assuming the existence of trapdoor one-way permutations, there exists a secure authenticated session-key generation protocol in the password-only setting.

The above (informal) definition implies the intuitive properties of authenticated session-key generation (e.g., security of the generated session-key and of the initial password). In particular, the output session-key can be distinguished from a random key by (a gap of) at most O(1/|D|) + μ(n).^2 Similarly, the distinguishing gap between the parties' joint password and a uniformly distributed element in D is at most O(1/|D|) + μ(n). (As we have mentioned, the fact that the adversary can distinguish with gap O(1/|D|) is an inherent limitation of password-based security.) The parties are also guaranteed that, except with probability O(1/|D|) + μ(n), they either end up with the same session-key or detect that their communication has been tampered with. Our definition also implies additional desirable properties of session-key protocols such as forward secrecy and security in the case of session-key loss (or known-key attacks). Furthermore, our protocol provides improved (i.e., negligible gap) security in case the adversary only eavesdrops on the communication (during the protocol execution). We mention that a suitable level of indistinguishability (of the real and ideal executions) holds when m sessions (referring to the same password) are conducted sequentially: in this case the distinguishing gap is O(m/|D|) + μ(n) rather than O(1/|D|) + μ(n) (which again is optimal). This holds also when any (polynomial) number of other sessions w.r.t. independently distributed passwords are conducted concurrently to the above m sessions.

Caveat: Our protocol is proven secure only when assuming that the same pair of parties (using the same password) does not conduct several concurrent executions of the protocol. We stress that concurrent sessions of other pairs of parties (or of the same pair using a different password) are allowed. See further discussion in Sections 1.4 and 2.5.

1.2 Comparison to prior work

The design of secure mutual authentication and key-exchange protocols is a major effort of the applied cryptography community. In particular, much effort has been directed towards the design of password-based schemes that should withstand active attacks.^3
An important restricted case of the mutual authentication

^2 This implies that when using the session-key as a key to a MAC, the probability that the adversary can generate a valid MAC-tag to a message not sent by the legitimate party is small (i.e., O(1/|D|)). Likewise, when using the session-key for private-key encryption, the adversary learns very little about the encrypted messages: for every partial-information function, the adversary can guess the value of the function applied to the messages with only small (i.e., O(1/|D|)) advantage over the a-priori probability.
^3 A specific focus of this research has been preventing off-line dictionary attacks. In such an off-line attack, the adversary records its view from past protocol executions and then scans the dictionary for a password consistent with this view. If checking consistency in this way is possible and the dictionary is small, then the adversary can derive the correct password. Clearly, a secure session-key generation protocol (as informally defined above) withstands any off-line dictionary attack.

problem is the asymmetric case in which a human user authenticates himself to a server in order to access some service. The design of secure access control mechanisms based only on passwords is widely recognized as a central problem of computer practice and as such has received much attention. The first protocol suggested for password-based session-key generation was by Bellovin and Merritt [5]. This work was very influential and became the basis for much future work in this area [6, 34, 24, 27, 31, 35]. However, these protocols have not been proven secure and their conjectured security is based on mere heuristic arguments. Despite the strong need for secure password-based protocols, the problem was not treated rigorously until quite recently. For a survey of works and techniques related to password authentication, see [28, 26] (a brief survey can be found in [23]). A first rigorous treatment of the access control problem was provided by Halevi and Krawczyk [23]. They actually considered an asymmetric hybrid model in which one party (the server) may hold a high-quality key and the other party (the human) may only hold a password. The human is also assumed to have secure access to a corresponding public-key of the server (either by reliable access to a reliable server or by keeping a "digest" of that public-key, which they call a public-password). The Halevi–Krawczyk model capitalizes on the asymmetry of the access control setting, and is inapplicable to settings in which communication has to be established between two humans (rather than a human and a server). Furthermore, requiring the human to keep the unmemorizable public-password (although not secretly) is undesirable even in the access control setting. Finally, we stress that the Halevi–Krawczyk model is a hybrid of the "shared-key model" and the "shared-password model" (and so their results don't apply to the "shared-password model"). Thus, it is of both theoretical and practical interest to answer the original question as posed above (i.e., without the public-password relaxation): Is it possible to implement a secure access control mechanism (and authenticated key-exchange) based only on passwords?
Positive answers to the original problem have been provided in the random oracle model. In this model, all parties are assumed to have oracle access to a totally random (universal) function [3]. Secure (password-based) access control schemes in the random oracle model were presented in [2, 11]. The common interpretation of such results is that security is LIKELY to hold even if the random oracle is replaced by a ("reasonable") concrete function known explicitly to all parties. We warn that this interpretation is not supported by any sound reasoning. Furthermore, as pointed out in [14], there exist protocols that are secure in the random oracle model but become insecure if the random function is replaced by any specific function (or even a function uniformly selected from any family of functions). To summarize, this paper is the first to present session-key generation (as well as mutual authentication) protocols based only on passwords (i.e., in the shared-password model), using only standard cryptographic assumptions (e.g., the existence of trapdoor one-way permutations, which in turn follows from the intractability assumption regarding integer factorization). We stress that prior

to this work it was not clear whether such protocols exist at all (i.e., outside of the random oracle model).

Necessary conditions for mutual authentication: Halevi and Krawczyk [23] proved that mutual-authentication in the shared-password model implies (unauthenticated) secret-key exchange, which in turn implies one-way functions. Consequently, Boyarsky [10] pointed out that, in the shared-password model, mutual-authentication implies Oblivious Transfer.

1.3 Techniques

One central idea underlying our protocol is due to Naor and Pinkas [30]. They suggested the following protocol for the case of passive adversaries, using a secure protocol for polynomial evaluation.^4 In order to generate a session-key, party A first chooses a random linear polynomial Q(·) over a large field (which contains the dictionary of passwords). Next, A and B execute a secure polynomial evaluation in which B obtains Q(w), where w is their joint password. The session-key is then set to equal Q(w). In [10] it was suggested to make the above protocol secure against active adversaries, by using non-malleable commitments. This suggestion was re-iterated to us by Moni Naor, and in fact our work grew out of his suggestion. In order to obtain a protocol secure against active adversaries, we augment the above-mentioned protocol of [30] by several additional mechanisms. Indeed, we use non-malleable commitments [16], but in addition we also use a specific zero-knowledge proof [32], ordinary commitment schemes [7], a specific pseudorandom generator (of [9, 36, 8]), and message authentication schemes (MACs). The analysis of the resulting protocol is very complicated, even when the adversary initiates a single session. As explained below, we believe that these complications are unavoidable given the current state-of-the-art regarding concurrent execution of protocols. Although not explicit in the problem statement, the problem we deal with actually concerns concurrent executions of a protocol. Even in case the adversary attacks a single session among two legitimate parties, its ability to modify messages means that it may actually conduct two concurrent executions of the protocol (one with each party).^5
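The passive-adversary protocol of Naor and Pinkas sketched above, as an added example that is not code from the paper: party A picks a random linear polynomial over a prime field that contains the dictionary, the polynomial-evaluation functionality is stood in for by a direct computation (an assumption; the paper relies on a secure two-party protocol for it), and an exhaustive small-field check shows why a random linear polynomial makes Q at a wrong password independent of Q at the right one. The field prime and the password encoding are constructed for this example.

```python
import secrets

# Constructed field parameter (not from the paper): a prime large enough for every
# dictionary password to be a field element. 2^61 - 1 is prime.
FIELD_PRIME = (1 << 61) - 1


def encode_password(password: str, p: int = FIELD_PRIME) -> int:
    """Map a dictionary password to a field element (constructed encoding; distinct
    short passwords map to distinct elements because their integer values are below p)."""
    return int.from_bytes(password.encode("utf-8"), "big") % p


def random_linear_polynomial(p: int = FIELD_PRIME) -> tuple:
    """Party A's step: choose a uniformly random linear polynomial Q(x) = a + b*x over GF(p)."""
    return (secrets.randbelow(p), secrets.randbelow(p))


def evaluate(q: tuple, x: int, p: int = FIELD_PRIME) -> int:
    """Q(x) over GF(p) for Q = (a, b)."""
    a, b = q
    return (a + b * x) % p


def polynomial_evaluation_functionality(q: tuple, x: int, p: int = FIELD_PRIME) -> tuple:
    """Trusted-party stand-in for the functionality (Q, x) -> (lambda, Q(x)):
    A receives nothing, B receives Q(x). Assumption: the secure two-party protocol
    that realizes this functionality is replaced by a direct computation."""
    return None, evaluate(q, x, p)


def naor_pinkas_session(w_a: str, w_b: str, p: int = FIELD_PRIME) -> tuple:
    """One execution: A picks Q, the parties run polynomial evaluation on B's password,
    and each side's session key is Q evaluated at its own password. Returns (key_A, key_B)."""
    q = random_linear_polynomial(p)
    _, key_b = polynomial_evaluation_functionality(q, encode_password(w_b, p), p)
    key_a = evaluate(q, encode_password(w_a, p), p)
    return key_a, key_b


def keys_agree(w_a: str, w_b: str) -> bool:
    """Matching passwords always yield identical keys; differing passwords agree only
    with probability 1/p (when b = 0)."""
    key_a, key_b = naor_pinkas_session(w_a, w_b)
    return key_a == key_b


def evaluation_pairs_cover_field_squared(p: int, x1: int, x2: int) -> bool:
    """Why a random *linear* polynomial suffices: for x1 != x2 the map
    (a, b) -> (Q(x1), Q(x2)) is a bijection on GF(p)^2, so the value obtained at a
    wrong password is uniform and independent of the value at the right one.
    Checked exhaustively over a small prime field p; returns False when x1 == x2,
    where both evaluations coincide."""
    pairs = {(evaluate((a, b), x1, p), evaluate((a, b), x2, p))
             for a in range(p) for b in range(p)}
    return len(pairs) == p * p
```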
Concurrent executions of some protocols were analyzed in the past, but these were relatively simple protocols. Although the high-level structure of our protocol can be simply stated in terms of a small number of modules, the currently known implementations of some of these modules are quite complex. Furthermore, these implementations are not known to be secure when two copies are executed concurrently. Thus, at the current state

^4 In the polynomial evaluation functionality, party A has a polynomial Q(·) over some finite field and Party B has an element x of the field. The evaluation is such that A learns nothing, and B learns Q(x); i.e., the functionality is defined by (Q, x) ↦ (λ, Q(x)).
^5 Specifically, the adversary may execute the protocol with Alice while claiming to be Bob, concurrently to executing the protocol with Bob while claiming to be Alice, where these two executions refer to the same joint Alice–Bob password.

of affairs, the analysis cannot proceed by applying some composition theorems to (two-party) protocols satisfying some concurrent-security properties (because suitable concurrently-secure protocols and composition theorems are currently unknown). Instead, we have to analyze our protocol directly. We do so by reducing the analysis of (two concurrent executions of) our protocol to the analysis of non-concurrent executions of related protocols. Specifically, we show how a successful adversary in the concurrent setting contradicts the security requirements in the non-concurrent setting. Such "reductions" are performed several times, each time establishing some property of the original protocol. Typically, the property refers to one of the two concurrent executions, and it is shown to hold even if the adversary is given some secrets of the legitimate party in the second execution. This is done by giving these secrets to the adversary, enabling him to effectively emulate the second execution internally. Thus, only the first execution remains and the relevant property is proven (in this standard non-concurrent setting). See Section 4 for an illustration of some of these proof techniques.

1.4 Discussion

We view our work as a theoretical study of the very possibility of achieving private and reliable communication among parties that share only a secret (low-quality) password and communicate over a channel that is controlled by an active adversary. Our main result is a demonstration of the feasibility of this task. That is, we demonstrate the feasibility of performing session-key generation based only on (low-quality) passwords. Doing so, this work is merely the first (rigorous) step in a research project directed towards providing a good solution to this practical problem. We discuss two aspects of this project that require further study.

Concurrent executions: Our protocol is proven secure only when the same pair of parties (using the same password) does not conduct several concurrent executions of the protocol. (We do allow concurrent executions that use different passwords.) Thus, actual use of our protocol requires a mechanism for ensuring that the same password is never used in concurrent executions.
A simple mechanism enforcing the above is to disallow a party to enter an execution with a particular password if less than Δ units of time have passed since a previous execution with the same password. Furthermore, an execution must be completed within Δ units of time; that is, if Δ time units have elapsed then the execution is suspended. See Section 2.5 for further details. Indeed, it is desirable not to employ such a timing mechanism, and to prove that security holds also when many executions are conducted concurrently using the same password.

Efficiency: It is indeed desirable to have more efficient protocols than the one presented here. Some of our techniques may be useful towards this goal.

1.5 Independent work

Independently of our work, Katz, Ostrovsky and Yung [25] presented a protocol for session-key generation based on passwords. Their protocol is incomparable to ours. On one hand, their protocol uses a stronger set-up assumption (i.e., public parameters selected by a trusted party), and a seemingly stronger intractability assumption (i.e., the Decisional Diffie-Hellman). On the other hand, their protocol seems practical and is secure in an unrestricted concurrent setting. Recall that the thrust of our work is in demonstrating the feasibility of performing session-key generation based on passwords only (i.e., without any additional set-up assumptions).

2 Formal Setting

In this section we present notation and definitions that are specific to our setting, culminating in a definition of Authenticated Session-Key Generation. Given these, we state our main result.

2.1 Basic Notations

Typically, C denotes the channel (probabilistic polynomial-time adversary) via which parties A and B communicate. We adopt the notation of Bellare and Rogaway [4] and model the communication by giving C oracle access to A and B. We stress that, as in [4], these oracles have memory and model parties who participate in a session-key generation protocol. Unlike in [4], when A and B share a single password, C has oracle access to only a single copy of each party. We denote by C^{A(x),B(y)}(σ) an execution of C (with auxiliary input σ) when it communicates with A and B, holding respective inputs x and y. Channel C's output from this execution is denoted by output(C^{A(x),B(y)}(σ)). The password dictionary is denoted by D ⊆ {0,1}^n, and is fixed for the entire discussion. We let ε = 1/|D|. We denote by U_n the uniform distribution over strings of length n. For a set S, we denote x ∈_R S when x is chosen uniformly from S. We use "ppt" as shorthand for probabilistic polynomial time. We denote an unspecified negligible function by μ(·). That is, for every polynomial p(·) and for all sufficiently large n's, μ(n) < 1/p(n). For functions f and g (defined over the integers), we denote f ≈ g if |f(n) − g(n)| < μ(n). Finally, we denote computational indistinguishability by ≡_c. A security parameter n is often implicit in our notation and discussions.
Thus, for example, by the notation D for the dictionary, our intention is actually D_n (where D_n ⊆ {0,1}^n). Recall that we make no assumptions regarding the size of D, and in particular it may be polynomial in n.

2.2 (1−ε)-indistinguishability and pseudorandomness

Extending the standard definition of computational indistinguishability [22, 36], we define the concept of (1−ε)-indistinguishability. Two ensembles are (1−ε)-

indistinguishable if for every ppt machine, the probability of distinguishing between them (via a single sample) is at most negligibly greater than ε. (Note that (1−ε)-indistinguishability is not preserved under multiple samples, but for efficiently constructible ensembles (1−ε)-indistinguishability implies (1−mε)-indistinguishability of sequences of m samples.) Thus, computational indistinguishability coincides with 1-indistinguishability. The formal definition is as follows.

Definition 1 ((1−ε)-indistinguishability): Let ε : N → [0,1] be a function, and let {X_n}_{n∈N} and {Y_n}_{n∈N} be probability ensembles, so that for any n the distribution X_n (resp., Y_n) ranges over strings of length polynomial in n. We say that the ensembles are (1−ε)-indistinguishable, denoted {X_n}_{n∈N} ≡_ε {Y_n}_{n∈N}, if for every probabilistic polynomial time distinguisher D, and all auxiliary information z ∈ {0,1}^{poly(n)},

$$\bigl|\Pr[D(X_n, 1^n, z) = 1] - \Pr[D(Y_n, 1^n, z) = 1]\bigr| < \varepsilon(n) + \mu(n)$$

We say that {X_n}_{n∈N} is (1−ε)-pseudorandom if it is (1−ε)-indistinguishable from {U_n}_{n∈N}. The definition of pseudorandom functions [19] is similarly extended to (1−ε)-pseudorandom functions.

2.3 Authenticated Session-Key Generation: Definition and Discussion

The problem of password-based authenticated session-key generation can be cast as a three-party functionality involving honest parties A and B, and an adversary C. Parties A and B should input their joint password and receive identical, uniformly distributed session-keys. On the other hand, the adversary C should have no output (and specifically should not obtain information on the password or output session-key). Furthermore, C should have no power to maliciously influence the outcome of the protocol (and thus, for example, cannot affect the choice of the key or cause the parties to receive different keys). However, recall that in a real execution, C controls the communication line between the (honest) parties. Thus, it can block all communication between A and B, and cause any protocol to fail. This (unavoidable) adversarial capability is modeled in the functionality by letting C input a single bit b indicating whether or not the execution is to be successful. Specifically, if b = 1 (i.e., success) then both A and B receive the above-described session-key.
On the other hand, if b = 0 then A receives a session-key, whereas B receives a special abort symbol ⊥ instead.^6 We stress that C is given no ability to influence the outcome beyond determining this single bit (i.e., b). In conclusion, the problem of password-based session-key

^6 This lack of symmetry in the definition is inherent as it is not possible to guarantee that A and B both terminate with the same "success/failure bit". For sake of simplicity, we (arbitrarily) chose to have A always receive a uniformly distributed session-key and to have B always output ⊥ when b = 0.

generation is cast as the following three-party functionality:

$$(w_A, w_B, b) \mapsto \begin{cases} (U_n, U_n, \lambda) & \text{if } b = 1 \text{ and } w_A = w_B, \\ (U_n, \bot, \lambda) & \text{otherwise,} \end{cases}$$

where w_A and w_B are A and B's respective passwords. Our definition for password-based authenticated session-key generation is based on the "simulation paradigm" (cf. [1, 29, 12]). That is, we require a secure protocol to emulate an ideal execution of the above session-key generation functionality. In such an ideal execution, communication is via a trusted third party who receives the parties' inputs and (honestly) returns to each party its output, as designated by the functionality. An important observation in the context of password-based security is that, in a real execution, an adversary can always attempt impersonation by simply guessing the secret password and participating in the protocol, claiming to be one of the parties. If the adversary's guess is correct, then impersonation always succeeds (and, for example, the adversary knows the generated session-key). Furthermore, by executing the protocol with one of the parties, the adversary can verify whether or not its guess is correct, and thus can learn information about the password (e.g., it can rule out an incorrect guess from the list of possible passwords). Since the dictionary may be small, this information learned by the adversary in a protocol execution may not be negligible at all. Thus, we cannot hope to obtain a protocol that emulates an ideal-model execution (in which C learns nothing) up to computational indistinguishability. Rather, the inherent limitation of password-based security is accounted for by (only) requiring that a real execution can be simulated in the ideal model such that the output distributions (in the ideal and real models) are (1−O(ε))-indistinguishable (rather than 1-indistinguishable), where (as defined above) ε = 1/|D|. We note that the above limitation applies only to active adversaries who control the communication channel. Therefore, in the case of a passive (eavesdropping) adversary, we demand that the ideal and real model distributions be computationally indistinguishable (and not just (1−O(ε))-indistinguishable). We now define the ideal and real models and present the formal definition of security.

The ideal model: Let Â and B̂ be honest parties and let Ĉ be any ppt ideal-model adversary (with arbitrary auxiliary input σ). An ideal-model execution proceeds in the following phases:
Initialization: A password w ∈_R D is uniformly chosen from the dictionary and given to both Â and B̂.
Sending inputs to the trusted party: Â and B̂ both send the trusted party the password they have received in the initialization stage. The adversary Ĉ sends either 1 (denoting a successful protocol execution) or 0 (denoting a failed protocol execution).
The trusted party answers all parties: In the case Ĉ sends 1, the trusted party chooses a uniformly distributed string k ∈_R {0,1}^n and sends k to both Â

and B̂. In the case Ĉ sends 0, the trusted party sends k ∈_R {0,1}^n to Â and ⊥ to B̂. In both cases, Ĉ receives no output.^7
The ideal distribution is defined as follows:

$$\mathrm{ideal}_{\hat C}(D, \sigma) \stackrel{\text{def}}{=} \bigl(w,\ \mathrm{output}(\hat A),\ \mathrm{output}(\hat B),\ \mathrm{output}(\hat C(\sigma))\bigr)$$

where w ∈_R D is the input given to Â and B̂ in the initialization phase. Thus,

$$\mathrm{ideal}_{\hat C}(D, \sigma) = \begin{cases} \bigl(w,\ U_n,\ U_n,\ \mathrm{output}(\hat C(\sigma))\bigr) & \text{if } \mathrm{send}(\hat C(\sigma)) = 1, \\ \bigl(w,\ U_n,\ \bot,\ \mathrm{output}(\hat C(\sigma))\bigr) & \text{otherwise,} \end{cases}$$

where send(Ĉ(σ)) denotes the value sent by Ĉ (to the trusted party), on auxiliary input σ.

The real model: Let A and B be honest parties and let C be any ppt real-model adversary with arbitrary auxiliary input σ. As in the ideal model, the real model begins with an initialization stage in which both A and B receive an identical, uniformly distributed password w ∈_R D. Then, the protocol is executed with A and B communicating via C.^8 The execution of this protocol is denoted C^{A(w),B(w)}(σ) and we augment C's view with the accept/reject decision bits of A and B (this decision bit denotes whether a party's private output is a session-key or ⊥). This formal requirement is necessary, since in practice this information can be implicitly understood from whether or not the parties continue communication after the session-key generation protocol has terminated. (We note that in our specific formulation, A always accepts and thus it is only necessary to provide C with the decision-bit output by B.) The real distribution is defined as follows:

$$\mathrm{real}_{C}(D, \sigma) \stackrel{\text{def}}{=} \bigl(w,\ \mathrm{output}(A),\ \mathrm{output}(B),\ \mathrm{output}(C^{A(w),B(w)}(\sigma))\bigr)$$

where w ∈_R D is the input given to A and B in the initialization phase.

The definition of security: Loosely speaking, the definition requires that a secure protocol (in the real model) emulates the ideal model (in which a trusted party participates). This is formulated by saying that adversaries in the ideal model are able to simulate the execution of a real protocol, so that the input/output distribution of the simulation is (1−O(ε))-indistinguishable from that of a real execution. We further require that passive adversaries can be simulated in the ideal-model

^7 Since Â and B̂ are always honest, we need not deal with the case that they hand the trusted third party different passwords.
^8 We stress that there is a fundamental difference between the real model as defined here and as defined in standard multi-party computation. Here, the parties A and B do not have the capability of communicating directly with each other. Rather, A can only communicate with C and likewise for B. This is in contrast to standard multi-party computation where all parties have direct communication links or where a broadcast channel is used.

so that the output distributions are computationally indistinguishable (and not just (1−O(ε))-indistinguishable).^9

Definition 2 (password-based authenticated session-key generation): A protocol for password-based authenticated session-key generation is secure if the following two requirements hold:

1. Passive adversaries: For every ppt real-model passive adversary C there exists a ppt ideal-model adversary Ĉ such that for every dictionary D ⊆ {0,1}^n and every auxiliary input σ ∈ {0,1}^{poly(n)},

$$\{\mathrm{ideal}_{\hat C}(D, \sigma)\}_{D,\sigma} \;\stackrel{c}{\equiv}\; \{\mathrm{real}_{C}(D, \sigma)\}_{D,\sigma}$$

2. Arbitrary (active) adversaries: For every ppt real-model adversary C there exists a ppt ideal-model adversary Ĉ such that for every dictionary D ⊆ {0,1}^n and every auxiliary input σ ∈ {0,1}^{poly(n)},

$$\{\mathrm{ideal}_{\hat C}(D, \sigma)\}_{D,\sigma} \;\stackrel{O(\varepsilon)}{\equiv}\; \{\mathrm{real}_{C}(D, \sigma)\}_{D,\sigma}$$

where, by definition, ε = 1/|D|. We stress that the constant in O(ε) is a universal one.

Properties of Definition 2: Definition 2 asserts that the joint input/output distribution from a real execution is at most "O(ε)-far" from an ideal execution in which the adversary learns nothing (and has no influence on the output except to cause B to reject). This immediately implies that the output session-key is (1−O(ε))-pseudorandom (which, as we have mentioned, is the best possible for password-based key generation). Thus, if such a key is used for encryption then for any (partial information) predicate P, the probability that an adversary learns P(m) given the ciphertext E(m) is at most O(ε) + μ(n) greater than the a-priori probability (when the adversary is not given E(m)). Likewise, if the key is used for a message authentication code (MAC), then the probability that an adversary can generate a correct MAC-tag on a message not sent by A or B is at most negligibly greater than O(ε). We stress that the security of the output session-key does not deteriorate with its usage; that is, it can be used for polynomially-many encryptions or MACs and the security remains O(ε). Another important property of Definition 2 is that, except with probability O(ε), (either one party detects failure or) both parties terminate with the same session-key.
Definition 2 also implies that the password used remains (1−O(ε))-indistinguishable from a randomly chosen (new) password w̃ ∈_R D. (This can be seen from the fact that in the ideal model, the adversary learns nothing of the password w, which is part of the ideal distribution.) In particular, this implies that a secure

^9 A passive adversary is one that does not modify, omit or insert any messages sent between A and B. That is, it can only eavesdrop and thus is limited to analyzing the transcript of a protocol execution between two honest parties. Passive adversaries are also referred to as semi-honest in the literature (e.g., in [21]).

protocol is resistant to off-line dictionary attacks (whereby an adversary scans the dictionary in search of a password that is "consistent" with its view of a protocol execution). Other desirable properties of session-key protocols are also guaranteed by Definition 2. Specifically, we mention forward secrecy and security in the face of loss of session-keys (also known as known-key attacks). Forward secrecy states that the session-key remains secure even if the password is revealed after the protocol execution. Analogously, security in the face of loss of session-keys means that the password and the current session-key maintain their security even if prior session-keys are revealed. These properties are immediately implied by the fact that, in the ideal-model, there is no dependence between the session-key and the password and between session-keys from different sessions. Thus, learning the password does not compromise the security of the session-key and vice versa.^10 An additional property that is desirable is that of intrusion detection. That is, if the adversary modifies any message sent in a session, then with probability at least (1−O(ε)) this is detected and at least one party rejects. This property is not guaranteed by Definition 2 itself; however, it does hold for our protocol. Combining this with Item 1 of Definition 2 (i.e., the requirement regarding passive adversaries), we conclude that in order for C to take advantage of its ability to learn "O(ε)-information", C must expose itself to the danger of being detected with probability 1−O(ε). Finally, we observe that the above definition also enables mutual-authentication. This is because A's output session-key is always (1−O(ε))-pseudorandom to the adversary. As this key is secret, it can be used for explicit authentication via a (mutual) challenge/response protocol.^11 By adding such a step to any secure session-key protocol, we obtain explicit mutual-authentication.

Augmenting the definition: Although Definition 2 seems to capture all that is desired from authenticated session-key generation, there is a subtlety that it fails to address (as pointed out by Rackoff to the authors of [4]).
The issue is that the two parties do not necessarily terminate the session-key generation protocol simultaneously, and so one party may terminate the protocol and start using the session-key while the other party is still executing instructions of the session-key generation protocol (i.e., determining its last message). In this extended abstract, we note only that Definition 2 can be augmented to deal with this issue, and that our protocol is secure also with respect to the augmented definition. A full treatment of this issue is provided in the full version of the paper.

^10 The independence of session-keys from different sessions relates to the multi-session case, which is discussed in Section 2.5. For now, it is enough to note that the protocol behaves as expected in that after t executions of the real protocol, the password along with the outputs from all t sessions are (1−O(tε))-indistinguishable from t ideal executions.
^11 It is easy to show that such a key can be used directly to obtain a (1−O(ε))-pseudorandom function, which can then be used in a standard challenge/response protocol.

2.4 Our Main Result

Given Definition 2, we can now formally state our main result.

Theorem 3 Assuming the existence of trapdoor permutations, there exist secure protocols for password-based authenticated session-key generation.

2.5 Multi-Session Security

The definition above relates to two parties executing a session-key generation protocol once. Clearly, we are interested in the more general case where many different parties run the protocol any number of times. It turns out that any protocol that is secure for a single invocation between two parties (i.e., as in Definition 2), is secure in the multi-party and sequential invocation case.

Many Invocations by Two Parties. Let A and B be parties who invoke t sequential executions of a session-key generation protocol. Given that we wish that an adversary gains no more than O(1) password guesses upon each invocation, the security upon the t'th invocation should be O(tε). That is, we consider ideal and real distributions consisting of the outputs from all t executions. Then, we require that these distributions be (1−O(tε))-indistinguishable. It can be shown that any secure protocol for password-based authenticated session-key generation maintains O(tε) security after t sequential invocations. Details are given in the full version of this work.

Sequential vs Concurrent Executions for Two Parties: Our solution is proven secure only if A and B do not invoke concurrent executions of the session-key generation protocol (with the same password). We stress that a scenario whereby the adversary invokes B twice or more (sequentially) during a single execution with A is not allowed. Therefore, in order to actually use our protocol, some mechanism must be used to ensure that such concurrent executions do not take place. This can be achieved by having A and B wait Δ units of time between protocol executions (where Δ is greater than the time taken to run a single execution). Note that parties do not usually need to initiate session-key generation protocols immediately one after the other. Therefore, this delay mechanism need only be employed when an attempted session-key generation execution fails. This means that parties not "under attack" by an adversary are not inconvenienced in any way.

We note that this limitation does not prevent the parties from opening a number of different (independently-keyed) communication lines. They may do this by running the session-key protocol sequentially, once for each desired communication line. However, in this case, they incur a delay of Δ units of time between each execution. Alternatively, they may run the protocol once and obtain a (1−O(ε))-pseudorandom session-key. This key may then be used as a shared, high-quality key for (concurrently) generating any polynomial number of (1−O(ε))-pseudorandom session-keys; one for each communication line (simple and efficient protocols exist for this task, see [4]).

Many Parties. In the case where many parties execute the session-key protocol simultaneously, we claim that for m invocations of the protocol (which must be sequential for the same pair of parties and may be concurrent otherwise), the security is O(mε). We assume that different pairs of parties (executing concurrently) have independently distributed passwords. Then, the security is derived from the single-session case by noting that sessions with independently distributed passwords can be perfectly simulated by an adversary.

3 Our Session-Key Generation Protocol

All arithmetic below is over the finite field GF(2^n) which is identified with {0,1}^n. In our protocol, we use a secure protocol for evaluating non-constant, linear polynomials (actually, we could use any 1–1 Universal_2 family of hash functions). This protocol involves two parties A and B; party A has a non-constant, linear polynomial Q(·) ∈ {0,1}^{2n} and party B has a string x ∈ {0,1}^n. The functionality is (Q, x) ↦ (λ, Q(x)); that is, A receives nothing and B receives the value Q(x) (and nothing else). The fact that A is supposed to input a non-constant, linear polynomial can be enforced by simply mapping all possible input strings to the set of such polynomials (this convention is used for all references to polynomials from here on). We actually augment this functionality by having A also input a commitment to the polynomial Q (i.e., c_A ∈ Commit(Q)) and its corresponding decommitment r (i.e., c_A = C(Q, r)). Furthermore, B also inputs a commitment value c_B. The augmentation is such that if c_A ≠ c_B, then B receives a special failure symbol. This is needed in order to tie the polynomial evaluation to a value previously committed to in the main (higher level) protocol. The functionality is defined as follows:

Definition 4 (augmented polynomial evaluation):
Input: Party A inputs a commitment c_A and its corresponding decommitment r, and a linear, non-constant polynomial Q. Party B inputs a commitment c_B and a value x.
Output:
1. Correct Input Case: If c_A = c_B and c_A = C(Q, r), then B receives Q(x) and A receives nothing.
2. Incorrect Input Case: If c_A ≠ c_B or c_A ≠ C(Q, r), then B receives a special failure symbol, denoted ⊥, and A receives nothing.

We note that by [37, 21], this functionality can be securely computed (observe that the input conditions can be checked in polynomial time because A also provides the decommitment r).

3.1 The Protocol

Let f be a one-way permutation and b a hard-core of f.
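The trusted-party view of Definition 4, as an added example that is not code from the paper: it computes exactly what the ideal functionality hands to B (Q(x), or ⊥ when the commitments disagree or the decommitment does not open c_A), and it also checks the fact that Section 3.2 relies on, namely that a non-constant linear Q permutes the field, so Q(w) for a random Q is uniformly distributed whatever the password w. Everything below the paper does not specify is an assumption: the field is the toy GF(2^8) with the AES reduction polynomial (n = 8), and the commitment C(Q, r) is modelled as SHA-256(Q ‖ r), standing in for the paper's unspecified perfectly binding commitment.

```python
"""Reference model of the augmented polynomial evaluation of Definition 4,
written as the ideal trusted party would compute it.  Added example, not
code from the paper.  Assumptions (not in the paper): the field is the toy
GF(2^8) with the AES reduction polynomial, and C(Q, r) := SHA-256(Q || r)."""
import hashlib
import secrets

N = 8                                    # toy security parameter n (the paper's n is much larger)
MODULUS = 0x11B                          # x^8 + x^4 + x^3 + x + 1, irreducible over GF(2)
BOTTOM = None                            # stands for the failure symbol ⊥
LAMBDA = b""                             # the empty string λ that A receives

def gf_mul(a: int, b: int) -> int:
    """Multiplication in GF(2^N): shift-and-add with reduction modulo MODULUS."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> N:                       # degree reached N: reduce
            a ^= MODULUS
    return r

def eval_poly(q: tuple, x: int) -> int:
    """Q(x) = a*x + b over GF(2^N), for Q encoded as the pair (a, b) in {0,1}^{2n}."""
    a, b = q
    return gf_mul(a, x) ^ b

def random_nonconstant_linear_poly() -> tuple:
    """A random Q(x) = a*x + b with a != 0, i.e. a non-constant linear polynomial."""
    return secrets.randbelow((1 << N) - 1) + 1, secrets.randbelow(1 << N)

def commit(q: tuple, r: bytes) -> bytes:
    """Assumed commitment C(Q, r); the paper only requires it to be perfectly binding."""
    return hashlib.sha256(bytes(q) + r).digest()

def augmented_poly_eval(c_a: bytes, r: bytes, q: tuple, c_b: bytes, x: int):
    """Ideal functionality of Definition 4.  Returns (A's output, B's output):
    A always gets λ; B gets Q(x) in the correct-input case and ⊥ otherwise."""
    if c_a == c_b and c_a == commit(q, r):
        return LAMBDA, eval_poly(q, x)
    return LAMBDA, BOTTOM

def every_nonconstant_linear_poly_is_a_bijection() -> bool:
    """Sanity check behind Section 3.2: for every a != 0, x -> a*x + b permutes
    GF(2^N), so Q(w) for a random non-constant linear Q is uniform in the field."""
    return all(len({gf_mul(a, x) for x in range(1 << N)}) == (1 << N)
               for a in range(1, 1 << N))

if __name__ == "__main__":
    q = random_nonconstant_linear_poly()
    r = secrets.token_bytes(16)
    c = commit(q, r)
    w = 0x2A                                  # constructed password, viewed as a field element
    print("correct inputs, B receives Q(w) =", augmented_poly_eval(c, r, q, c, w)[1])
    print("c_B != c_A, B receives", augmented_poly_eval(c, r, q, commit(q, b"other"), w)[1])
    print("bijection check:", every_nonconstant_linear_poly_is_a_bijection())
```

The bijection check is what makes the pre-key π_B = Q(w) a uniformly distributed field element from B's point of view even though w comes from a small dictionary; the two failure branches of `augmented_poly_eval` are the cases in which Protocol 5 below has B end up with π_B = ⊥ and reject.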

Protocol 5 (password-based authenticated session-key generation)

Input: Parties A and B begin with a joint password w, which is supposed to be uniformly distributed in D.
Output: A and B each output an accept/reject bit as well as session-keys k_A and k_B respectively (where k_A "should" equal k_B).
The Protocol:
1. Stage 1: (Non-Malleable) Commit
(a) A chooses a random, linear, non-constant polynomial Q over GF(2^n).
(b) A and B engage in a non-malleable (perfectly binding) commitment protocol in which A commits to the string (Q, w) ∈ {0,1}^{3n}. Denote the random coins used by B in the commitment protocol by r_B and denote B's view of the execution of the commitment protocol by NMC(Q, w).[12] Following the commitment protocol, B sends his random coins r_B to A. (This has no effect on the security, since the commitment scheme is perfectly binding and the commitment protocol has already terminated.)
2. Stage 2: Pre-Key Exchange. In this stage the parties "exchange" strings π_A and π_B, from which the output session-keys (as well as validation checks) are derived. Thus, π_A and π_B are called pre-keys.
(a) A sends B a commitment c = C(Q, r), for a randomly chosen r.
(b) A and B engage in an augmented polynomial evaluation protocol. A inputs Q and (c, r); B inputs w and c.
(c) We denote B's output by π_B. (Note that π_B is supposed to equal Q(w).)
(d) A internally computes π_A = Q(w).
3. Stage 3: Validation
(a) A sends the string y = f^{2n}(π_A) to B.
(b) A proves to B in zero-knowledge that she input the same polynomial in both the non-malleable commitment (performed in Stage 1) and the ordinary commitment (performed in Stage 2(a)), and that the value y is "consistent" with the non-malleable commitment. Formally, A proves the following statement: There exists a string (X_1, x_2) ∈ {0,1}^{3n} and random coins r_{A,1}, r_{A,2} (where r_{A,1} and r_{A,2} are A's random coins in the non-malleable and ordinary commitments, respectively) such that
i. B's view of the non-malleable commitment, NMC(Q, w), is identical to the receiver's view of a non-malleable commitment to (X_1, x_2), where the sender and receiver's respective random coins are r_{A,1} and r_B. (Recall that r_B denotes B's random coins in the non-malleable commitment.)[13]
ii. c = C(X_1, r_{A,2}), and
iii. y = f^{2n}(X_1(x_2)).
The zero-knowledge proof used here is the specific zero-knowledge proof of Richardson and Kilian [32], with a specific setting of parameters.[14]
(c) Let t_A be the entire session transcript as seen by A (i.e., the sequence of all messages sent and received by A) and let MAC_k be a message authentication code, keyed by k. Then, A computes k_1(π_A) def= b(π_A) ··· b(f^{n−1}(π_A)), and sends m = MAC_{k_1(π_A)}(t_A) to B.
4. Decision Stage
(a) A always accepts and outputs k_2(π_A) def= b(f^n(π_A)) ··· b(f^{2n−1}(π_A)).
(b) B accepts if and only if all the following conditions are fulfilled:
– y = f^{2n}(π_B), where y is the string sent by A to B in Step 3(a) above and π_B is B's output from the polynomial evaluation. (Note that if π_B = ⊥ then no y fulfills this equality, and B always rejects.)
– B accepts the zero-knowledge proof in Step 3(b) above, and
– Verify_{k_1(π_B)}(t_B, m) = 1, where t_B is the session-transcript as seen by B, the string m is the alleged MAC-tag that B receives, and verification is with respect to the MAC-key defined by k_1(π_B) = b(π_B) ··· b(f^{n−1}(π_B)).
If B accepts, then he outputs k_2(π_B) = b(f^n(π_B)) ··· b(f^{2n−1}(π_B)), otherwise he outputs ⊥. (Recall that the accept/reject decision bit is considered a public output.)

We stress that A and B always accept or reject based solely on these criteria, and that they do not halt (before this stage) even if they detect malicious behavior. See Figure 1 below for a schematic diagram of Protocol 5.

[12] Recall that B's view consists of his random coins and all messages received during the commitment protocol execution.

[13] The view of a protocol execution is a function of the parties' respective inputs and random strings. Therefore, (X_1, x_2), r_{A,1} and r_B define a single possible view. Furthermore, recall that B sent r_B to A following the commitment protocol. Thus A has NMC(Q, w) (which includes r_B), the committed-to value (Q, w) and r_{A,1}, enabling her to efficiently prove the statement.

[14] The setting of parameters referred to relates to the number of iterations m in the first part of the Richardson-Kilian proof. We set m to equal the number of rounds in all other parts of our protocol plus any non-constant function of the security parameter.
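Stage 3 and the Decision Stage of Protocol 5, run end to end between an A and a B that already hold pre-keys π_A and π_B from Stage 2, as an added example that is not code from the paper. It shows the key derivation k_1 and k_2 from hard-core bits of the iterates of f, the validation string y = f^{2n}(π), the MAC over the transcript, and each of B's rejection paths (π_B = ⊥, a y that does not match, a rejected proof, a modified transcript). Assumptions the paper does not make: f is a toy RSA permutation x ↦ x^e mod N with tiny parameters (so it is not one-way here), the hard-core bit b is the least significant bit, MAC_k is HMAC-SHA256, and the zero-knowledge proof of Step 3(b) is replaced by a verifier flag.

```python
"""Stage 3 (Validation) and Stage 4 (Decision) of Protocol 5.  Added example,
not code from the paper.  Assumptions not in the paper: f is a toy RSA
permutation over Z_N with tiny parameters (NOT one-way at this size), b is the
least significant bit, MAC_k is HMAC-SHA256, and the zero-knowledge proof of
Step 3(b) is represented by a flag."""
import hashlib
import hmac

P, Q_PRIME, E = 61, 53, 17               # toy RSA: N = 3233, gcd(E, (P-1)(Q_PRIME-1)) = 1
N_MOD = P * Q_PRIME
SEC_N = 16                               # n: number of hard-core bits in each derived key
BOTTOM = None                            # stands for the failure symbol ⊥

def f(x: int) -> int:
    """Toy one-way permutation on Z_N (RSA with a tiny modulus; assumption)."""
    return pow(x, E, N_MOD)

def b(x: int) -> int:
    """Hard-core bit of f (least significant bit; assumption)."""
    return x & 1

def f_iter(x: int, k: int) -> int:
    """f^k(x): k-fold iteration of f."""
    for _ in range(k):
        x = f(x)
    return x

def hardcore_bits(pi: int, start: int, count: int) -> bytes:
    """b(f^start(pi)) ... b(f^(start+count-1)(pi)), packed big-endian into bytes."""
    x = f_iter(pi, start)
    val = 0
    for _ in range(count):
        val = (val << 1) | b(x)
        x = f(x)
    return val.to_bytes((count + 7) // 8, "big")

def k1(pi: int) -> bytes:
    """MAC key k_1(pi) = b(pi) ... b(f^(n-1)(pi))."""
    return hardcore_bits(pi, 0, SEC_N)

def k2(pi: int) -> bytes:
    """Session key k_2(pi) = b(f^n(pi)) ... b(f^(2n-1)(pi))."""
    return hardcore_bits(pi, SEC_N, SEC_N)

def y_of(pi: int) -> int:
    """The validation string y = f^(2n)(pi) sent in Step 3(a)."""
    return f_iter(pi, 2 * SEC_N)

def mac(key: bytes, transcript: bytes) -> bytes:
    """MAC_k(t), modelled as HMAC-SHA256 (assumption)."""
    return hmac.new(key, transcript, hashlib.sha256).digest()

def a_validation(pi_a: int, transcript_a: bytes):
    """A's Steps 3(a), 3(c) and 4(a): send y and MAC_{k_1(pi_A)}(t_A); always accept, output k_2(pi_A)."""
    y = y_of(pi_a)
    t_a = transcript_a + y.to_bytes(2, "big")           # t_A includes the message y just sent
    return y, mac(k1(pi_a), t_a), k2(pi_a)

def b_decision(pi_b, transcript_b: bytes, y_b: int, m_b: bytes, zk_accepted: bool):
    """B's Step 4(b): returns (accept, k_2(pi_B) or ⊥)."""
    if pi_b is BOTTOM:                                   # no y fulfils y = f^(2n)(⊥)
        return False, BOTTOM
    if y_b != y_of(pi_b):                                # y must equal f^(2n)(pi_B)
        return False, BOTTOM
    if not zk_accepted:                                  # the ZK proof of Step 3(b) must verify
        return False, BOTTOM
    t_b = transcript_b + y_b.to_bytes(2, "big")
    if not hmac.compare_digest(mac(k1(pi_b), t_b), m_b): # Verify_{k_1(pi_B)}(t_B, m) = 1
        return False, BOTTOM
    return True, k2(pi_b)

if __name__ == "__main__":
    pi = 1234                                            # constructed pre-key Q(w) held by both parties
    t = b"constructed Stage 1 and Stage 2 messages"
    y, m, key_a = a_validation(pi, t)
    ok, key_b = b_decision(pi, t, y, m, True)
    print("passive channel   : accept =", ok, "keys agree =", key_a == key_b)
    print("modified transcript: accept =", b_decision(pi, t + b"?", y, m, True)[0])
    print("pi_B = bottom      : accept =", b_decision(BOTTOM, t, y, m, True)[0])
```

Two points of the construction are visible in the code: `a_validation` never branches, matching the rule that A always accepts, and `b_decision` checks y against its own pre-key before touching the MAC, so a channel that causes the polynomial evaluation to give B a different π_B (or ⊥) is rejected by the permutation check alone, with the MAC over the full transcript then catching any other modification.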

Fig. 1. Schematic Diagram of the Protocol. [Figure: Party A (holding w) chooses Q ∈_R {0,1}^{2n} and runs NM-Commit(Q, w) with Party B (holding w); the parties run a Secure Polynomial Evaluation in which A inputs Q and B inputs w, so that B obtains Q(w); A sends f^{2n}(Q(w)), gives a ZK-proof of consistency and a MAC of the transcript, and outputs key k_2(Q(w)); B makes its Decision and, if it accepts, outputs key k_2(Q(w)).]

In our description of the protocol, we have referred only to parties A and B. That is, we have ignored the existence (and possible impact) of the channel C. That is, when A sends a string z to B, we "pretend" that B actually received z and not something else. In a real execution, this may not be the case at all. In the actual analysis we will subscript every value by its owner, as we have done for π_A and π_B in the protocol. For example, we shall say that in Step 3(a), A sends a string y_A and the string received by B is y_B.

3.2 Motivation for the security of the protocol

The central module of Protocol 5 is the secure polynomial evaluation. This, in itself, is enough for achieving security against passive channels only. Specifically, consider the following protocol. Party A chooses a random, linear polynomial Q and inputs it into a secure polynomial evaluation with party B who inputs the joint password w. By the definition of the polynomial evaluation, B receives Q(w) and A receives nothing. Next, A internally computes Q(w) (she can do this as she knows both Q and w), and both parties use this value as the session-key. The key is uniformly distributed (since Q is random and linear) and due to the secrecy requirements of the polynomial evaluation, the protocol reveals nothing of w or Q(w) to a passive eavesdropper C (since otherwise this would also be revealed to party A who should learn nothing from the evaluation).

One key problem in extending the above argument to our setting (where C may be active) is that the security definitions of two-party computation guarantee nothing about the simulatability of C's view in this concurrent setting. We now provide some intuition into how simulation of our protocol is nevertheless achieved. First, assume that the MAC-value sent by A at the conclusion of the protocol is such that unless C behaved passively (and relayed all messages without modification), then B rejects (with some high probability). Now, if C behaves passively, then B clearly accepts (as in the case of honest parties A and B that execute the protocol without any interference). On the other hand, if C does not behave passively, then (by our assumption regarding the security of the MAC) B rejects. However, C itself knows whether or not it behaved passively and therefore can predict whether or not B will reject. In other words, the accept/reject bit output by B is simulatable (by C itself). We proceed by observing that this bit is the only meaningful message sent by B during the protocol: apart from in the polynomial evaluation, the only messages sent by B are as the receiver in a non-malleable commitment protocol and the verifier in a zero-knowledge proof (clearly, no knowledge of the password w is used by B in these protocols). Furthermore, the polynomial evaluation is such that only B receives output. Therefore, intuitively, the input used by B is not revealed by the execution; equivalently, the view of C is (computationally) independent of B's input w (this can be shown to hold even in our concurrent setting). We conclude that all messages sent by B during the execution can be simulated without knowledge of w. Therefore, by indeed simulating B, we can reduce the concurrent scenario involving A, C and B to a (standard) two-party setting between A and C. In this setting, we can then apply standard tools and techniques for simulating C's view in its interaction with A, and conclude that the entire real execution is simulatable in the ideal model.

Thus, the basis for simulating C's view lies in the security of the MAC in our scenario. Indeed, the MAC is secure when the parties using it (a priori) share a random MAC-key; but in our case the parties establish the MAC-key during the protocol, and it is not clear that this key is random or the same in the view of both parties. In order to justify the security of the MAC (in our setting), we show that two properties hold. Firstly, we must show that with high probability either A and B hold the same MAC key or B is going to reject anyhow (and C knows this). Secondly, we need to show that this (identical) MAC-key held by A and B has "sufficient pseudorandomness" to prevent C from successfully forging a MAC. The proof of these properties (especially the first one) is very involved and makes up a major part of the proof, which is presented in the full version of this work.

3.3 Properties of Protocol 5

The main properties of Protocol 5 are captured by the following theorem.

Theorem 6 Protocol 5 constitutes a secure protocol for password-based authenticated session-key generation (as defined in Definition 2).

All the cryptographic tools used in Protocol 5 can be securely implemented assuming the existence of trapdoor permutations. Thus, at the very least, Theorem 6 implies the feasibility result captured by Theorem 3. Unfortunately, due to lack of space in this abstract, we do not provide a proof of Theorem 6. However, a demonstration of some of the proof techniques used to prove Theorem 6 is provided in Section 4.

4 An Illustration of Our Proof Techniques

In this section, we illustrate our proof techniques for a simplified scenario in which A and B execute a secure polynomial evaluation only, while communicating via an adversarial channel C. Recall that the polynomial evaluation functionality is defined (in the stand-alone setting) by (Q, x) ↦ (λ, Q(x)). That is, A has a polynomial Q(·) over some finite field and B has an element x in that field. The evaluation is such that A learns nothing while B obtains Q(x). In the scenario that we are considering, A's input is a random, linear polynomial and B's input is a random password w ∈_R D (as is the case in Protocol 5). Recall that in this setting C may omit, insert and modify any message sent between A and B. Thus, in a sense C conducts two separate executions of the polynomial evaluation: one with A in which C impersonates B (called the (A, C)-execution), and one with B in which C impersonates A (called the (C, B)-execution). These two executions are carried out concurrently (by C), and there is no explicit execution between A and B. We remind the reader that the definition of (stand-alone) secure two-party computation does not apply to the concurrent setting that we consider here. Furthermore, there are currently no tools for dealing with (general) concurrent computation in the two-party case. Therefore, our analysis of these executions uses specific properties of the protocol to remove the concurrency and obtain a reduction to the stand-alone setting. That is, we show how an adversarial success in the concurrent setting can be translated into a related adversarial success in the stand-alone setting. This enables us to analyze the adversary's capability in the concurrent setting, based on the security of two-party stand-alone protocols.

In order to demonstrate our proof techniques, we show that C learns "little" of w and Q(w) from the above concurrent execution. Our formal statement of this has an ideal-model/real-model flavor. Specifically, we show that for every ppt adversary C interacting with A and B, there exists a non-interactive ppt machine Ĉ (who receives no input or output), such that {w, Q(w), output(C^{A(Q),B(w)})} is (1−ε)-indistinguishable from {w, U_n, output(Ĉ)}.[15] (Recall that C^{A(Q),B(w)} denotes an execution of C with A and B holding respective inputs Q and w.) One can think of C as being a real-model adversary and Ĉ an ideal-model adversary, where in this ideal model Ĉ sends no input to the trusted third party and likewise receives no output. We note that such a view is rather simplistic as we claim nothing here regarding the outputs of A and B from the execution (as is usually required in secure computation). In other words, here we prove a statement regarding privacy, but make no claims to correctness; for example, there is no guarantee that C does not maul or skew the parties' outputs in some undesired way. Formally, we prove the following:

Theorem 7 (illustration): For every ppt adversarial channel C interacting with A and B, there exists a ppt machine Ĉ (interacting with nobody) such that for every dictionary D ⊆ {0,1}^n,

$$\{w,\; Q(w),\; \mathrm{output}(C^{A(Q),B(w)})\} \;\stackrel{\varepsilon}{\equiv}\; \{w,\; U_n,\; \mathrm{output}(\hat{C})\}$$

where w ∈_R D, Q is a random linear polynomial, and ε = 1/|D|.

Proof: We prove the theorem by first showing how the (C, B) execution can be simulated so that C's view in the simulation is negligibly close to that in a real interaction. Then, we remain with a stand-alone execution between A and C only. In this scenario, we apply the standard definition of secure two-party computation to conclude that C learns at most "ε-information" about w and Q(w). The fact that the (C, B) execution can be simulated is formally stated as follows (in the statement of the lemma below, C'^{A(Q)} denotes a stand-alone execution of C with A upon input Q):

Lemma 8 (simulating the (C, B) execution): For every ppt adversary C interacting with both A and B, there exists a ppt adversary C' interacting with A only, such that for every dictionary D ⊆ {0,1}^n,

$$\{w,\; Q(w),\; \mathrm{output}(C^{A(Q),B(w)})\} \;\stackrel{c}{\equiv}\; \{w,\; Q(w),\; \mathrm{output}(C'^{A(Q)})\}$$

where w ∈_R D and Q is a random linear polynomial.

Proof: Loosely speaking, we prove this lemma by showing that B's role in the (C, B) execution can be simulated without any knowledge of w. Thus, C' is able to simulate B's role for C and we obtain the lemma. We begin by showing that C learns nothing of B's input w from the (C, B) polynomial evaluation. This is trivial in a stand-alone setting by the definition of the functionality; here we claim that it also holds in our concurrent setting. Formally, we show that

[15] As in Definition 2, this implies that following the execution, with respect to C's view, the password w is (1−ε)-indistinguishable from a (new) randomly chosen password w̃. It also implies that the value Q(w) (used in Protocol 5 to derive the MAC and session keys) is (1−ε)-pseudorandom with respect to C's view.


More information

Study of Energy Eigenvalues of Three Dimensional. Quantum Wires with Variable Cross Section

Study of Energy Eigenvalues of Three Dimensional. Quantum Wires with Variable Cross Section Adv. Studies Ther. Phys. Vl. 3 009. 5 3-0 Study f Eergy Eigevalues f Three Dimesial Quatum Wires with Variale Crss Secti M.. Sltai Erde Msa Departmet f physics Islamic Aad Uiversity Share-ey rach Ira alrevahidi@yah.cm

More information

Design and Implementation of Cosine Transforms Employing a CORDIC Processor

Design and Implementation of Cosine Transforms Employing a CORDIC Processor C16 1 Desig ad Implemetati f Csie Trasfrms Emplyig a CORDIC Prcessr Sharaf El-Di El-Nahas, Ammar Mttie Al Hsaiy, Magdy M. Saeb Arab Academy fr Sciece ad Techlgy, Schl f Egieerig, Alexadria, EGYPT ABSTRACT

More information

Lecture 21: Signal Subspaces and Sparsity

Lecture 21: Signal Subspaces and Sparsity ECE 830 Fall 00 Statistical Sigal Prcessig istructr: R. Nwak Lecture : Sigal Subspaces ad Sparsity Sigal Subspaces ad Sparsity Recall the classical liear sigal mdel: X = H + w, w N(0, where S = H, is a

More information

Full algebra of generalized functions and non-standard asymptotic analysis

Full algebra of generalized functions and non-standard asymptotic analysis Full algebra f geeralized fuctis ad -stadard asympttic aalysis Tdr D. Tdrv Has Veraeve Abstract We cstruct a algebra f geeralized fuctis edwed with a caical embeddig f the space f Schwartz distributis.

More information

Basics of Probability Theory (for Theory of Computation courses)

Basics of Probability Theory (for Theory of Computation courses) Basics of Probability Theory (for Theory of Computatio courses) Oded Goldreich Departmet of Computer Sciece Weizma Istitute of Sciece Rehovot, Israel. oded.goldreich@weizma.ac.il November 24, 2008 Preface.

More information

Public Key Cryptography. Tim van der Horst & Kent Seamons

Public Key Cryptography. Tim van der Horst & Kent Seamons Public Key Cryptgraphy Tim van der Hrst & Kent Seamns Last Updated: Oct 5, 2017 Asymmetric Encryptin Why Public Key Crypt is Cl Has a linear slutin t the key distributin prblem Symmetric crypt has an expnential

More information

w (1) ˆx w (1) x (1) /ρ and w (2) ˆx w (2) x (2) /ρ.

w (1) ˆx w (1) x (1) /ρ and w (2) ˆx w (2) x (2) /ρ. 2 5. Weighted umber of late jobs 5.1. Release dates ad due dates: maximimizig the weight of o-time jobs Oce we add release dates, miimizig the umber of late jobs becomes a sigificatly harder problem. For

More information

Alternative Approaches to Default Logic. Fachgebiet Intellektik. Technische Hochschule Darmstadt. Alexanderstrae 10. W. Ken Jackson. Burnaby, B.C.

Alternative Approaches to Default Logic. Fachgebiet Intellektik. Technische Hochschule Darmstadt. Alexanderstrae 10. W. Ken Jackson. Burnaby, B.C. Alterative Appraches t Default Lgic James P. Delgrade Schl f Cmputig Sciece Sim Fraser Uiversity Buraby, B.C. Caada V5A 1S6 Trste Schaub Fachgebiet Itellektik Techische Hchschule Darmstadt Alexaderstrae

More information

Function representation of a noncommutative uniform algebra

Function representation of a noncommutative uniform algebra Fucti represetati f a cmmutative uifrm algebra Krzysztf Jarsz Abstract. We cstruct a Gelfad type represetati f a real cmmutative Baach algebra A satisfyig f 2 = kfk 2, fr all f 2 A:. Itrducti A uifrm algebra

More information

Gusztav Morvai. Hungarian Academy of Sciences Goldmann Gyorgy ter 3, April 22, 1998

Gusztav Morvai. Hungarian Academy of Sciences Goldmann Gyorgy ter 3, April 22, 1998 A simple radmized algrithm fr csistet sequetial predicti f ergdic time series Laszl Gyr Departmet f Cmputer Sciece ad Ifrmati Thery Techical Uiversity f Budapest 5 Stczek u., Budapest, Hugary gyrfi@if.bme.hu

More information

Abstract: The asympttically ptimal hypthesis testig prblem with the geeral surces as the ull ad alterative hyptheses is studied uder expetial-type err

Abstract: The asympttically ptimal hypthesis testig prblem with the geeral surces as the ull ad alterative hyptheses is studied uder expetial-type err Hypthesis Testig with the Geeral Surce y Te Su HAN z April 26, 2000 y This paper is a exteded ad revised versi f Sectis 4.4 4.7 i Chapter 4 f the Japaese bk f Ha [8]. z Te Su Ha is with the Graduate Schl

More information

x 2 x 3 x b 0, then a, b, c log x 1 log z log x log y 1 logb log a dy 4. dx As tangent is perpendicular to the x axis, slope

x 2 x 3 x b 0, then a, b, c log x 1 log z log x log y 1 logb log a dy 4. dx As tangent is perpendicular to the x axis, slope The agle betwee the tagets draw t the parabla y = frm the pit (-,) 5 9 6 Here give pit lies the directri, hece the agle betwee the tagets frm that pit right agle Ratig :EASY The umber f values f c such

More information

Super-efficiency Models, Part II

Super-efficiency Models, Part II Super-efficiec Mdels, Part II Emilia Niskae The 4th f Nvember S steemiaalsi Ctets. Etesis t Variable Returs-t-Scale (0.4) S steemiaalsi Radial Super-efficiec Case Prblems with Radial Super-efficiec Case

More information

On the affine nonlinearity in circuit theory

On the affine nonlinearity in circuit theory O the affie liearity i circuit thery Emauel Gluski The Kieret Cllege the Sea f Galilee; ad Ort Braude Cllege (Carmiel), Israel. gluski@ee.bgu.ac.il; http://www.ee.bgu.ac.il/~gluski/ E. Gluski, O the affie

More information

Session-Key Generation using Human Passwords Only

Session-Key Generation using Human Passwords Only Session-Key Generation using Human Passwords Only Oded Goldreich Department of Computer Science Weizmann Institute of Science Rehovot, Israel. oded@wisdom.weizmann.ac.il Yehuda Lindell Department of Computer

More information

K [f(t)] 2 [ (st) /2 K A GENERALIZED MEIJER TRANSFORMATION. Ku(z) ()x) t -)-I e. K(z) r( + ) () (t 2 I) -1/2 e -zt dt, G. L. N. RAO L.

K [f(t)] 2 [ (st) /2 K A GENERALIZED MEIJER TRANSFORMATION. Ku(z) ()x) t -)-I e. K(z) r( + ) () (t 2 I) -1/2 e -zt dt, G. L. N. RAO L. Iterat. J. Math. & Math. Scl. Vl. 8 N. 2 (1985) 359-365 359 A GENERALIZED MEIJER TRANSFORMATION G. L. N. RAO Departmet f Mathematics Jamshedpur C-perative Cllege f the Rachi Uiversity Jamshedpur, Idia

More information

Optimally Sparse SVMs

Optimally Sparse SVMs A. Proof of Lemma 3. We here prove a lower boud o the umber of support vectors to achieve geeralizatio bouds of the form which we cosider. Importatly, this result holds ot oly for liear classifiers, but

More information

The generalized marginal rate of substitution

The generalized marginal rate of substitution Jural f Mathematical Ecmics 31 1999 553 560 The geeralized margial rate f substituti M Besada, C Vazuez ) Facultade de Ecmicas, UiÕersidade de Vig, Aptd 874, 3600 Vig, Spai Received 31 May 1995; accepted

More information

6.3 Testing Series With Positive Terms

6.3 Testing Series With Positive Terms 6.3. TESTING SERIES WITH POSITIVE TERMS 307 6.3 Testig Series With Positive Terms 6.3. Review of what is kow up to ow I theory, testig a series a i for covergece amouts to fidig the i= sequece of partial

More information

CS 270 Algorithms. Oliver Kullmann. Growth of Functions. Divide-and- Conquer Min-Max- Problem. Tutorial. Reading from CLRS for week 2

CS 270 Algorithms. Oliver Kullmann. Growth of Functions. Divide-and- Conquer Min-Max- Problem. Tutorial. Reading from CLRS for week 2 Geeral remarks Week 2 1 Divide ad First we cosider a importat tool for the aalysis of algorithms: Big-Oh. The we itroduce a importat algorithmic paradigm:. We coclude by presetig ad aalysig two examples.

More information

Lecture 11: Hash Functions and Random Oracle Model

Lecture 11: Hash Functions and Random Oracle Model CS 7810 Foudatios of Cryptography October 16, 017 Lecture 11: Hash Fuctios ad Radom Oracle Model Lecturer: Daiel Wichs Scribe: Akshar Varma 1 Topic Covered Defiitio of Hash Fuctios Merkle-Damgaård Theorem

More information

Infinite Sequences and Series

Infinite Sequences and Series Chapter 6 Ifiite Sequeces ad Series 6.1 Ifiite Sequeces 6.1.1 Elemetary Cocepts Simply speakig, a sequece is a ordered list of umbers writte: {a 1, a 2, a 3,...a, a +1,...} where the elemets a i represet

More information

Five Whys How To Do It Better

Five Whys How To Do It Better Five Whys Definitin. As explained in the previus article, we define rt cause as simply the uncvering f hw the current prblem came int being. Fr a simple causal chain, it is the entire chain. Fr a cmplex

More information

Protocol Derivation System for the Needham Schroeder family

Protocol Derivation System for the Needham Schroeder family SECURITY AND COMMUNICATION NETWORKS Security Cmm. Netwrks 2015; 8:2687 2703 Published lie 25 Jauary 2012 i Wiley Olie Library (wileylielibrary.cm)..565 RESEARCH ARTICLE Prtcl Derivati System fr the Needham

More information

Identical Particles. We would like to move from the quantum theory of hydrogen to that for the rest of the periodic table

Identical Particles. We would like to move from the quantum theory of hydrogen to that for the rest of the periodic table We wuld like t ve fr the quatu thery f hydrge t that fr the rest f the peridic table Oe electr at t ultielectr ats This is cplicated by the iteracti f the electrs with each ther ad by the fact that the

More information

Bertrand s Postulate

Bertrand s Postulate Bertrad s Postulate Lola Thompso Ross Program July 3, 2009 Lola Thompso (Ross Program Bertrad s Postulate July 3, 2009 1 / 33 Bertrad s Postulate I ve said it oce ad I ll say it agai: There s always a

More information

4.3 Growth Rates of Solutions to Recurrences

4.3 Growth Rates of Solutions to Recurrences 4.3. GROWTH RATES OF SOLUTIONS TO RECURRENCES 81 4.3 Growth Rates of Solutios to Recurreces 4.3.1 Divide ad Coquer Algorithms Oe of the most basic ad powerful algorithmic techiques is divide ad coquer.

More information

A Hartree-Fock Calculation of the Water Molecule

A Hartree-Fock Calculation of the Water Molecule Chemistry 460 Fall 2017 Dr. Jea M. Stadard Nvember 29, 2017 A Hartree-Fck Calculati f the Water Mlecule Itrducti A example Hartree-Fck calculati f the water mlecule will be preseted. I this case, the water

More information

THE ASYMPTOTIC COMPLEXITY OF MATRIX REDUCTION OVER FINITE FIELDS

THE ASYMPTOTIC COMPLEXITY OF MATRIX REDUCTION OVER FINITE FIELDS THE ASYMPTOTIC COMPLEXITY OF MATRIX REDUCTION OVER FINITE FIELDS DEMETRES CHRISTOFIDES Abstract. Cosider a ivertible matrix over some field. The Gauss-Jorda elimiatio reduces this matrix to the idetity

More information

Declarative approach to cyclic steady state space refinement: periodic process scheduling

Declarative approach to cyclic steady state space refinement: periodic process scheduling It J Adv Mauf Techl DOI 10.1007/s00170-013-4760-0 ORIGINAL ARTICLE Declarative apprach t cyclic steady state space refiemet: peridic prcess schedulig Grzegrz Bcewicz Zbigiew A. Baaszak Received: 16 April

More information

Aligning Anatomy Ontologies in the Ontology Alignment Evaluation Initiative

Aligning Anatomy Ontologies in the Ontology Alignment Evaluation Initiative Aligig Aatmy Otlgies i the Otlgy Aligmet Evaluati Iitiative Patrick Lambrix, Qiag Liu, He Ta Departmet f Cmputer ad Ifrmati Sciece Liköpigs uiversitet 581 83 Liköpig, Swede Abstract I recet years may tlgies

More information

Tactics-Based Remote Execution

Tactics-Based Remote Execution Tactics-Based Remte Executi Raesh Krisha Bala Caregie Mell Uiversity raesh@cs.cmu.edu 1 Itrducti Remte executi ca trasfrm the puiest mbile device it a cmputig giat. This wuld eable resurceitesive applicatis

More information

Regression Quantiles for Time Series Data ZONGWU CAI. Department of Mathematics. Abstract

Regression Quantiles for Time Series Data ZONGWU CAI. Department of Mathematics.   Abstract Regressi Quatiles fr Time Series Data ZONGWU CAI Departmet f Mathematics Uiversity f Nrth Carlia Charltte, NC 28223, USA E-mail: zcai@ucc.edu Abstract I this article we study parametric estimati f regressi

More information

E o and the equilibrium constant, K

E o and the equilibrium constant, K lectrchemical measuremets (Ch -5 t 6). T state the relati betwee ad K. (D x -b, -). Frm galvaic cell vltage measuremet (a) K sp (D xercise -8, -) (b) K sp ad γ (D xercise -9) (c) K a (D xercise -G, -6)

More information

TEST TUBE SYSTEMS WITH CUTTING/RECOMBINATION OPERATIONS Rudolf FREUND Institut fur Computersprachen, Technische Universitat Wien Resselgasse 3, 1040 W

TEST TUBE SYSTEMS WITH CUTTING/RECOMBINATION OPERATIONS Rudolf FREUND Institut fur Computersprachen, Technische Universitat Wien Resselgasse 3, 1040 W TEST TUBE SYSTEMS WITH CUTTING/RECOMBINATION OPERATIONS Rudlf FREUND Istitut fur Cmputersprache, Techische Uiversitat Wie Resselgasse 3, 1040 Wie, Austria email: rudi@lgic.tuwie.ac.at Erzsebet CSUHAJ-VARJ

More information

is caused by a latet utreated frm f syphilis, althugh the prbability that latet utreated syphilis leads t paresis is ly 25%. Nte that the directialiti

is caused by a latet utreated frm f syphilis, althugh the prbability that latet utreated syphilis leads t paresis is ly 25%. Nte that the directialiti Tempral Reasig with i-abducti Secd Draft Marc Deecker Kristf Va Belleghem Departmet f Cmputer Sciece, K.U.Leuve, Celestijelaa 200A, B-3001 Heverlee, Belgium. e-mail : marcd@cs.kuleuve.ac.be Abstract Abducti

More information

CS / MCS 401 Homework 3 grader solutions

CS / MCS 401 Homework 3 grader solutions CS / MCS 401 Homework 3 grader solutios assigmet due July 6, 016 writte by Jāis Lazovskis maximum poits: 33 Some questios from CLRS. Questios marked with a asterisk were ot graded. 1 Use the defiitio of

More information

Lecture 2: April 3, 2013

Lecture 2: April 3, 2013 TTIC/CMSC 350 Mathematical Toolkit Sprig 203 Madhur Tulsiai Lecture 2: April 3, 203 Scribe: Shubhedu Trivedi Coi tosses cotiued We retur to the coi tossig example from the last lecture agai: Example. Give,

More information

Christensen, Mads Græsbøll; Vera-Candeas, Pedro; Somasundaram, Samuel D.; Jakobsson, Andreas

Christensen, Mads Græsbøll; Vera-Candeas, Pedro; Somasundaram, Samuel D.; Jakobsson, Andreas Dwladed frm vb.aau.dk : April 12, 2019 Aalbrg Uiversitet Rbust Subspace-based Fudametal Frequecy Estimati Christese, Mads Græsbøll; Vera-Cadeas, Pedr; Smasudaram, Samuel D.; Jakbss, Adreas Published i:

More information

Activity Guide Loops and Random Numbers

Activity Guide Loops and Random Numbers Unit 3 Lessn 7 Name(s) Perid Date Activity Guide Lps and Randm Numbers CS Cntent Lps are a relatively straightfrward idea in prgramming - yu want a certain chunk f cde t run repeatedly - but it takes a

More information

Kinetics of Complex Reactions

Kinetics of Complex Reactions Kietics of Complex Reactios by Flick Colema Departmet of Chemistry Wellesley College Wellesley MA 28 wcolema@wellesley.edu Copyright Flick Colema 996. All rights reserved. You are welcome to use this documet

More information

x. Itrducti The k-d tree, r k-dimesial biary search tree, was prpsed by Betley i 75. I this paper, we prpse a mdicati, the squarish k-d tree, ad aalyz

x. Itrducti The k-d tree, r k-dimesial biary search tree, was prpsed by Betley i 75. I this paper, we prpse a mdicati, the squarish k-d tree, ad aalyz Squarish k-d trees Luc Devrye, Jea Jabbur ad Carls Zamra-Cura Schl f Cmputer Sciece McGill Uiversity Mtreal, Caada h3a 2k6 fluc, jabbur, czamrag@cs.mcgill.ca bstract. We mdify the k-d tree [; ] d by always

More information

UNIVERSITY OF TECHNOLOGY. Department of Mathematics PROBABILITY THEORY, STATISTICS AND OPERATIONS RESEARCH GROUP. Memorandum COSOR 76-10

UNIVERSITY OF TECHNOLOGY. Department of Mathematics PROBABILITY THEORY, STATISTICS AND OPERATIONS RESEARCH GROUP. Memorandum COSOR 76-10 EI~~HOVEN UNIVERSITY OF TECHNOLOGY Departmet f Mathematics PROBABILITY THEORY, STATISTICS AND OPERATIONS RESEARCH GROUP Memradum COSOR 76-10 O a class f embedded Markv prcesses ad recurrece by F.H. Sims

More information

RMO Sample Paper 1 Solutions :

RMO Sample Paper 1 Solutions : RMO Sample Paper Slutis :. The umber f arragemets withut ay restricti = 9! 3!3!3! The umber f arragemets with ly e set f the csecutive 3 letters = The umber f arragemets with ly tw sets f the csecutive

More information

CS284A: Representations and Algorithms in Molecular Biology

CS284A: Representations and Algorithms in Molecular Biology CS284A: Represetatios ad Algorithms i Molecular Biology Scribe Notes o Lectures 3 & 4: Motif Discovery via Eumeratio & Motif Represetatio Usig Positio Weight Matrix Joshua Gervi Based o presetatios by

More information

arxiv: v1 [cs.cg] 31 Mar 2013

arxiv: v1 [cs.cg] 31 Mar 2013 Fidig a argest empty cvex subset i space is W[]-hard Pas Giapus. Christia Kauer May 0, 04 arxiv:304.047v [cs.cg] 3 Mar 03 Abstract We csider the fwig prbem: Give a pit set i space fid a argest subset that

More information

6 Integers Modulo n. integer k can be written as k = qn + r, with q,r, 0 r b. So any integer.

6 Integers Modulo n. integer k can be written as k = qn + r, with q,r, 0 r b. So any integer. 6 Itegers Modulo I Example 2.3(e), we have defied the cogruece of two itegers a,b with respect to a modulus. Let us recall that a b (mod ) meas a b. We have proved that cogruece is a equivalece relatio

More information

ON FREE RING EXTENSIONS OF DEGREE N

ON FREE RING EXTENSIONS OF DEGREE N I terat. J. Math. & Mah. Sci. Vl. 4 N. 4 (1981) 703-709 703 ON FREE RING EXTENSIONS OF DEGREE N GEORGE SZETO Mathematics Departmet Bradley Uiversity Peria, Illiis 61625 U.S.A. (Received Jue 25, 1980) ABSTRACT.

More information

The Complexity of Translation Membership for Macro Tree Transducers

The Complexity of Translation Membership for Macro Tree Transducers The Cmplexity f Traslati Membership fr Macr Tree Trasducers Kazuhir Iaba The Uiversity f Tky kiaba@is.s.u-tky.ac.jp Sebastia Maeth NICTA ad Uiversity f New Suth Wales sebastia.maeth@icta.cm.au ABSTRACT

More information

Lecture 9: Hierarchy Theorems

Lecture 9: Hierarchy Theorems IAS/PCMI Summer Sessio 2000 Clay Mathematics Udergraduate Program Basic Course o Computatioal Complexity Lecture 9: Hierarchy Theorems David Mix Barrigto ad Alexis Maciel July 27, 2000 Most of this lecture

More information

Statistics 511 Additional Materials

Statistics 511 Additional Materials Cofidece Itervals o mu Statistics 511 Additioal Materials This topic officially moves us from probability to statistics. We begi to discuss makig ifereces about the populatio. Oe way to differetiate probability

More information

Axioms of Measure Theory

Axioms of Measure Theory MATH 532 Axioms of Measure Theory Dr. Neal, WKU I. The Space Throughout the course, we shall let X deote a geeric o-empty set. I geeral, we shall ot assume that ay algebraic structure exists o X so that

More information

Partial-Sum Queries in OLAP Data Cubes Using Covering Codes

Partial-Sum Queries in OLAP Data Cubes Using Covering Codes 326 IEEE TRANSACTIONS ON COMPUTERS, VOL. 47, NO. 2, DECEMBER 998 Partial-Sum Queries i OLAP Data Cubes Usig Cverig Cdes Chig-Tie H, Member, IEEE, Jehshua Bruck, Seir Member, IEEE, ad Rakesh Agrawal, Seir

More information

Frequency-Domain Study of Lock Range of Injection-Locked Non- Harmonic Oscillators

Frequency-Domain Study of Lock Range of Injection-Locked Non- Harmonic Oscillators 0 teratial Cferece mage Visi ad Cmputig CVC 0 PCST vl. 50 0 0 ACST Press Sigapre DO: 0.776/PCST.0.V50.6 Frequecy-Dmai Study f Lck Rage f jecti-lcked N- armic Oscillatrs Yushi Zhu ad Fei Yua Departmet f

More information

Intro to Learning Theory

Intro to Learning Theory Lecture 1, October 18, 2016 Itro to Learig Theory Ruth Urer 1 Machie Learig ad Learig Theory Comig soo 2 Formal Framework 21 Basic otios I our formal model for machie learig, the istaces to be classified

More information

Mixtures of Gaussians and the EM Algorithm

Mixtures of Gaussians and the EM Algorithm Mixtures of Gaussias ad the EM Algorithm CSE 6363 Machie Learig Vassilis Athitsos Computer Sciece ad Egieerig Departmet Uiversity of Texas at Arligto 1 Gaussias A popular way to estimate probability desity

More information

Computability and computational complexity

Computability and computational complexity Computability ad computatioal complexity Lecture 4: Uiversal Turig machies. Udecidability Io Petre Computer Sciece, Åbo Akademi Uiversity Fall 2015 http://users.abo.fi/ipetre/computability/ 21. toukokuu

More information