Efficient UC-Secure Authenticated Key-Exchange for Algebraic Languages


This is the Full Version of the Extended Abstract that appears in the Proceedings of the 16th International Conference on Practice and Theory in Public-Key Cryptography (PKC '13) (26 February to 1 March 2013, Nara, Japan), Kaoru Kurosawa Ed., Springer-Verlag.

Efficient UC-Secure Authenticated Key-Exchange for Algebraic Languages

Fabrice Ben Hamouda (1), Olivier Blazy (2), Céline Chevalier (3), David Pointcheval (1), and Damien Vergnaud (1)
(1) ENS, Paris, France
(2) Ruhr-Universität Bochum, Germany
(3) Université Panthéon-Assas, Paris, France

Abstract. Authenticated Key Exchange (AKE) protocols enable two parties to establish a shared, cryptographically strong key over an insecure network using various authentication means, such as cryptographic keys, short (i.e., low-entropy) secret keys or credentials. In this paper, we provide a general framework, that encompasses several previous AKE primitives such as (Verifier-based) Password-Authenticated Key Exchange or Secret Handshakes, which we call LAKE for Language-Authenticated Key Exchange. We first model this general primitive in the Universal Composability (UC) setting. Thereafter, we show that the Gennaro-Lindell approach can efficiently address this goal. But we need smooth projective hash functions on new languages, whose efficient implementations are of independent interest. We indeed provide such hash functions for languages defined by combinations of linear pairing product equations. Combined with an efficient commitment scheme, that is derived from the highly-efficient UC-secure Lindell's commitment, we obtain a very practical realization of Secret Handshakes, but also Credential-Authenticated Key Exchange protocols. All the protocols are UC-secure, in the standard model with a common reference string, under the classical Decisional Linear assumption.

1 Introduction

The main goal of an Authenticated Key Exchange (AKE) protocol is to enable two parties to establish a shared cryptographically strong key over an insecure network under the complete control of an adversary. AKE is one of the most widely used and fundamental cryptographic primitives.
In order for AKE to be possible, the parties must have authentication means, e.g. (public or secret) cryptographic keys, short (i.e., low-entropy) secret keys or credentials that satisfy a (public or secret) policy.

Motivation. PAKE, for Password-Authenticated Key Exchange, was formalized by Bellovin and Merritt [BM92] and followed by many proposals based on different cryptographic assumptions (see [ACP09, CCGS10] and references therein). It allows users to generate a strong cryptographic key based on a shared human-memorable (i.e. low-entropy) password without requiring a public-key infrastructure. In this setting, an adversary controlling all communication in the network should not be able to mount an off-line dictionary attack. The concept of Secret Handshakes has been introduced in 2003 by Balfanz, Durfee, Shankar, Smetters, Staddon and Wong [BDS+03] (see also [JL09, AKB07]). It allows two members of the same group to identify each other secretly, in the sense that each party reveals his affiliation to the other only if they are members of the same group. At the end of the protocol, the parties can set up an ephemeral session key for securing further communication between them, and an outsider is unable to determine if the handshake succeeded. In case of failure, the players do not learn any information about the other party's affiliation. More recently, Credential-Authenticated Key Exchange (CAKE) was presented by Camenisch, Casati, Groß and Shoup [CCGS10]. In this primitive, a common key is established if and only if a specific relation is satisfied between the credentials held by the two players. This primitive includes variants of PAKE and Secret Handshakes, and namely Verifier-based PAKE, where the client owns a password pw and the server knows a one-way transformation v of the password only. It prevents massive password recovery in case of server corruption. The two players eventually agree on a common high-entropy secret if and only if pw and v match together, and off-line dictionary attacks are prevented for third-party players.

Our Results.
We propose a new primitive that encompasses most of the previous notions of authenticated key exchange. It is closely related to CAKE and we call it LAKE, for Language-Authenticated Key-Exchange, since parties establish a common key if and only if they hold credentials that belong to specific (and possibly independent) languages. The definition of the primitive is more practice-oriented than the definition of CAKE from [CCGS10], but the two notions are very similar. In particular, the new primitive enables privacy-preserving authentication and key exchange protocols by allowing two members of the same group to secretly and privately authenticate to each other without revealing this group beforehand. In order to define the security of this primitive, we use the UC framework and an appropriate definition for languages that permits to dissociate the public part of the policy, the private common information the users want to check, and the (possibly independent) secret values each user owns that assess the membership to the languages. We provide an ideal functionality for LAKE and give efficient realizations of the new primitive (for a large family of languages) secure under classical mild assumptions, in the standard model (with a common reference string CRS), with static corruptions. We significantly improve the efficiency of several CAKE protocols [CCGS10] for specific languages and we enlarge the set of languages for which we can construct practical schemes. Notably, we obtain a very practical realization of Secret Handshakes and a Verifier-based Password-Authenticated Key Exchange.

Our Techniques. A general framework to design PAKE in the CRS model was proposed by Gennaro and Lindell [GL03]. This approach was applied to the UC framework by Canetti, Halevi, Katz, Lindell, and MacKenzie [CHK+05], and improved by Abdalla, Chevalier and Pointcheval [ACP09]. It makes use of the smooth projective hash functions (SPHF), introduced by Cramer and Shoup [CS02]. Such a hashing family is a family of hash functions that can be evaluated in two ways: using the (secret) hashing key, one can compute the function on every point in its domain, whereas using the (public) projection key one can only compute the function on a special subset of its domain. Our first contribution is the description of smooth projective hash functions for new interesting languages: Abdalla, Chevalier and Pointcheval [ACP09] explained how to make disjunctions and conjunctions of languages; we study here languages defined by linear pairing product equations on committed values.

(1) ENS, CNRS & INRIA UMR 8548. © IACR 2013.
In 2011, Lindell [Lin11] proposed a highly-efficient commitment scheme, with a non-interactive opening algorithm, in the UC framework. We will not use it in black-box, but instead we will patch it to make the initial Gennaro and Lindell approach work without zero-knowledge proofs [CHK+05], using the equivocability of the commitment.

Language Definition. In [ACP09], Abdalla et al. already formalized languages to be considered for SPHF. But, in the following, we will use a simpler formalism, which is nevertheless more general: we consider any efficiently computable binary relation $R : \{0,1\}^* \times P \times S \to \{0,1\}$, where the additional parameters $pub \in \{0,1\}^*$ and $prv \in P$ define a language $L_R(pub, prv) \subseteq S$ of the words $W$ such that $R(pub, prv, W) = 1$: $pub$ are public parameters; $prv$ are private parameters the two players have in mind, and they should think of the same values: they will be committed to, but never revealed; $W$ is the word the sender claims to know in the language: it will be committed to, but never revealed. Our LAKE primitive, specific to two relations $R_a$ and $R_b$, will allow two users, Alice and Bob, owning a word $W_a \in L_{R_a}(pub, prv_a)$ and $W_b \in L_{R_b}(pub, prv_b)$ respectively, to agree on a session key under some specific conditions: they first both agree on the public parameter $pub$; Bob will think about $prv'_a$ for his expected value of $prv_a$, and Alice will do the same with $prv'_b$ for $prv_b$; eventually, if $prv_a = prv'_a$ and $prv_b = prv'_b$, and if they both know words in the languages, then the key agreement will succeed. In case of failure, no information should leak about the reason of failure, except that the inputs did not satisfy the relations $R_a$ or $R_b$, or that the languages were not consistent. We stress that each LAKE protocol will be specific to a pair of relations $(R_a, R_b)$ describing the way Alice and Bob will authenticate to each other. This pair of relations $(R_a, R_b)$ specifies the sets $P_a, P_b$ and $S_a, S_b$ (to which the private parameters and the words should respectively belong).
Therefore, the formats of $prv_a$, $prv_b$ and $W_a$, $W_b$ are known in advance, but not their values. When $R_a$ and $R_b$ are clearly defined from the context (e.g., PAKE), we omit them in the notations. For example, these relations can formalize:

Password authentication: The language is defined by $R(pub, prv, W) = 1 \Leftrightarrow W = prv$, and thus $pub = \emptyset$. The classical setting of PAKE requires the players $A$ and $B$ to use the same password $W$, and thus we should have $prv_a = prv'_a = prv_b = prv'_b = W_a = W_b$;

Signature authentication: $R(pub, prv, W) = 1 \Leftrightarrow \mathrm{Verif}(pub_1, pub_2, W) = 1$, where $pub = (pub_1 = vk, pub_2 = M)$ and $prv = \emptyset$. The word $W$ is thus a signature of $M$ valid under $vk$, both specified in $pub$;

Credential authentication: we can consider any mix for $vk$ and $M$ in $pub$ or $prv$, and even in $W$, for which the relation $R$ verifies the validity of the signature. When $M$ and $vk$ are in $prv$ or $W$, we achieve the affiliation-hiding property.

In the two last cases, the parameter $pub$ can thus consist of a message on which the user is expected to know a signature valid under $vk$: either the user knows the signing key and can generate the signature on the fly to run the protocol, or the user has been given signatures on some messages (credentials). As a consequence, we just assume that, after having publicly agreed on a common $pub$, the two players have valid words in the appropriate languages. The way they have obtained these words does not matter. Following our generic construction, private elements will be committed using encryption schemes, derived from Cramer-Shoup's scheme, and will thus have to be first encoded as $n$-tuples of elements in a group $\mathbb{G}$. In the case of PAKE, authentication will check that a player knows an appropriate password. The relation is a simple equality test, and accepts for one word only. A random commitment (and thus of a random group element) will succeed with negligible probability. For signature-based authentication, the verification key can be kept secret, but the signature should be unforgeable, and thus a random word $W$ should be quite unlikely to satisfy the relation. We will often make this assumption on useful relations $R$: for any $pub$, $\{(prv, W) \in P \times S,\ R(pub, prv, W) = 1\}$ is sparse (negligible) in $P \times S$, and a fortiori in the set $\mathbb{G}^n$ in which elements are first embedded.

2 Definitions

In this section, we first briefly recall the notations and the security notions of the basic primitives we will use in the rest of the paper, namely public-key encryption and signature. More formal definitions, together with the classical computational assumptions (CDH, DDH, and DLin), are provided in the Appendix A.1: A public-key encryption scheme is defined by four algorithms: $param \leftarrow \mathrm{Setup}(1^k)$, $(ek, dk) \leftarrow \mathrm{KeyGen}(param)$, $c \leftarrow \mathrm{Encrypt}(ek, m; r)$, and $m \leftarrow \mathrm{Decrypt}(dk, c)$.
We will need the classical notion of IND-CCA security. A signature scheme is defined by four algorithms: $param \leftarrow \mathrm{Setup}(1^k)$, $(vk, sk) \leftarrow \mathrm{KeyGen}(param)$, $\sigma \leftarrow \mathrm{Sign}(sk, m; s)$, and $\mathrm{Verif}(vk, m, \sigma)$. We will need the classical notion of EUF-CMA security. In both cases, the global parameters $param$ will be ignored, being included in the CRS. We will furthermore make use of collision-resistant hash function families.

2.1 Universal Composability

Our main goal will be to provide protocols with security in the universal composability framework. The interested reader is referred to [Can01, CHK+05] for details. More precisely, we will work in the UC framework with joint state proposed by Canetti and Rabin [CR03] (with the CRS as the joint state). Since players are not individually authenticated, but only afterward if the credentials are mutually consistent with the two players' languages, the adversary will be allowed to interact on behalf of any player from the beginning of the protocol, either with the credentials provided by the environment (static corruption) or without (impersonation attempt). As with the Split Functionality [BCL+05], according to who sends the first flow for a player, either the player itself or the adversary, we know whether this is an honest player or a dishonest player (corrupted or impersonation attempt, but anyway controlled by the adversary). Then, our goal will be to prove that the best an adversary can do is to try to play against one of the other players, as an honest player would do, with a credential it guessed or obtained in any possible way. This is exactly the so-called on-line dictionary attack when one considers PAKE protocols. In the adaptive corruption setting, the adversary could get complete access to the private credentials and the internal memory of an honest player, and then get control of it, at any time. But we will restrict to the static corruption setting in this paper. It is enough to deal with most of the concrete requirements: related credentials, arbitrary compositions, and forward-secrecy.
To achieve our goal, for a UC-secure LAKE, we will use some other primitives which are secure in the classical setting only.

2.2 Commitment

Commitments allow a user to commit to a value, without revealing it, but without the possibility to later change his mind. A commitment scheme is composed of three algorithms: $\mathrm{Setup}(1^k)$ generates the system parameters, according to a security parameter $k$; $\mathrm{Commit}(\ell, m; r)$ produces a commitment $c$ on the input message $m \in \mathcal{M}$ using the random coins $r \stackrel{\$}{\leftarrow} \mathcal{R}$, under the label $\ell$, and the opening information $d$; while $\mathrm{Decommit}(\ell, c, m, d)$ opens the commitment $c$ with the message $m$ and the opening information $d$ that proves the correct opening under the label $\ell$. Such a commitment scheme should be both hiding, which says that the commit phase does not leak any information about $m$, and binding, which says that the decommit phase should not be able to open to two different messages. Additional features will be required in the following, such as non-malleability, extractability, and equivocability. We also included a label $\ell$, which can be empty or an additional public information that has to be the same in both the commit and the decommit phases. A labeled commitment that is both non-malleable and extractable can be instantiated by an IND-CCA labeled encryption scheme (see the Appendix A.1). We will use the Linear Cramer-Shoup encryption scheme [Sha07, CKP07]. We will then patch it, using a technique inspired from [Lin11], to make it additionally equivocable (see Section 3). It will have an interactive commit phase, in two rounds: $\mathrm{Commit}(\ell, m; r)$ and a challenge $\varepsilon$ from the receiver, which will define an implicit full commitment to be opened later.

2.3 Smooth Projective Hash Functions

Smooth projective hash function (SPHF) systems have been defined by Cramer and Shoup [CS02] in order to build a chosen-ciphertext secure encryption scheme. They have thereafter been extended [GL03, ACP09, BPV12] and applied to several other primitives. Such a system is defined on a language $L$, with five algorithms: $\mathrm{Setup}(1^k)$ generates the system parameters, according to a security parameter $k$; $\mathrm{HashKG}(L)$ generates a hashing key $hk$ for the language $L$; $\mathrm{ProjKG}(hk, L, W)$ derives the projection key $hp$, possibly depending on a word $W$; $\mathrm{Hash}(hk, L, W)$ outputs the hash value from the hashing key; $\mathrm{ProjHash}(hp, L, W, w)$ outputs the hash value from the projection key and the witness $w$ that $W \in L$.
The correctness of the scheme assures that if $W$ is in $L$ with $w$ as a witness, then the two ways to compute the hash values give the same result: $\mathrm{Hash}(hk, L, W) = \mathrm{ProjHash}(hp, L, W, w)$. In our setting, these hash values will belong to a group $\mathbb{G}$. The security is defined through two different notions: the smoothness property guarantees that if $W \notin L$, the hash value is statistically indistinguishable from a random element, even knowing $hp$; the pseudo-randomness property guarantees that even for a word $W \in L$, but without the knowledge of a witness $w$, the hash value is computationally indistinguishable from a random element, even knowing $hp$.

3 Double Linear Cramer-Shoup Encryption (DLCS)

As explained earlier, any IND-CCA labeled encryption scheme can be used as a non-malleable and extractable labeled commitment scheme: one could use the Cramer-Shoup encryption scheme (see the Appendix A.4), but we will focus on the DLin-based primitives, and thus on the Linear Cramer-Shoup scheme (see the Appendix A.3), which we call LCS. Committed/encrypted elements will either directly be group elements, or bit-strings on which we apply a reversible mapping $\mathcal{G}$ from $\{0,1\}^n$ to $\mathbb{G}$. In order to add the equivocability, one can use a technique inspired from [Lin11]. See the Appendix B for more details; here we briefly present the commitment scheme we will use in the rest of this paper in conjunction with SPHF.

Linear Cramer-Shoup Commitment Scheme. The parameters, in the CRS, are a group $\mathbb{G}$ of prime order $p$, with three independent generators $(g_1, g_2, g_3) \stackrel{\$}{\leftarrow} \mathbb{G}^3$, a collision-resistant hash function $H_K$, and possibly an additional reversible mapping $\mathcal{G}$ from $\{0,1\}^n$ to $\mathbb{G}$ to commit bit-strings. From 9 scalars $(x_1, x_2, x_3, y_1, y_2, y_3, z_1, z_2, z_3) \stackrel{\$}{\leftarrow} \mathbb{Z}_p^9$, one also sets, for $i = 1, 2$, $c_i = g_i^{x_i} g_3^{x_3}$, $d_i = g_i^{y_i} g_3^{y_3}$, and $h_i = g_i^{z_i} g_3^{z_3}$. The public parameters consist of the encryption key $ek = (\mathbb{G}, g_1, g_2, g_3, c_1, c_2, d_1, d_2, h_1, h_2, H_K)$, while the trapdoor for extraction is $dk = (x_1, x_2, x_3, y_1, y_2, y_3, z_1, z_2, z_3)$.
One can define the encryption process:
$$\mathrm{LCS}(\ell, ek, M; r, s) \stackrel{\mathrm{def}}{=} \bigl(\mathbf{u} = (g_1^r,\ g_2^s,\ g_3^{r+s}),\ \ e = M\, h_1^r h_2^s,\ \ v = (c_1 d_1^{\xi})^r (c_2 d_2^{\xi})^s\bigr) \quad \text{where } \xi = H_K(\ell, \mathbf{u}, e).$$
When $\xi$ is specified from outside, one additionally denotes it $\mathrm{LCS}^*(\ell, ek, M, \xi; r, s)$. The commitment to a message $M \in \mathbb{G}$, or $M = \mathcal{G}(m)$ for $m \in \{0,1\}^n$, encrypts $M$ under $ek$: $\mathrm{LCSCom}(\ell, M; r, s) \stackrel{\mathrm{def}}{=} \mathrm{LCS}(\ell, ek, M; r, s)$. The decommit process consists of $M$ and $(r, s)$ to check the correctness of the encryption. It is possible to do implicit verification, without any decommit information, but just with an SPHF on the language of the ciphertexts of $M$ that is privately shared by the two players. Since the underlying encryption scheme is IND-CCA, this commitment scheme is non-malleable and extractable.
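The following Python is an added illustration, not code from the paper or its authors. It builds the LCS commitment just described in a toy prime-order group, adds the companion ciphertext of $1_{\mathbb{G}}$ and the receiver's challenge $\varepsilon$ from the DLCSCom scheme of Section 3 (the $\zeta$-binding of $C'$ from Figure 1 is left out), and runs the SPHF of Section 4.2 specialized to a single committed group element with no pairing, i.e. the PAKE language "this commitment contains the password $M$". The group is a 63-bit safe-prime subgroup found at import time, $H_K$ is SHA-256 reduced modulo $q$, and the password-to-group map is a toy injective embedding; all three stand in for the DLin group, the hash family and the reversible map $\mathcal{G}$ of the CRS, so the code demonstrates the algebra only, not a secure instantiation.

```python
"""Toy Linear Cramer-Shoup commitment (LCSCom, then DLCSCom with the challenge
eps) and the SPHF for "this commitment contains M", in the order-q subgroup of
Z_P^*, P = 2q+1.  Added example, not the paper's code: a 63-bit safe prime only
demonstrates the algebra; the real scheme lives in a full-size DLin group."""
import hashlib
import secrets

def _is_prime(n):
    """Miller-Rabin with fixed bases: deterministic for 37 < n < 3.3e24."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def make_group(start=2**62 + 1):
    """First safe prime P = 2q+1 with q >= start: a deterministic toy CRS group."""
    q = start | 1
    while not (_is_prime(q) and _is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q

P, Q = make_group()
G = 4                                  # a square mod P: generator of order q
rnd = lambda: secrets.randbelow(Q)     # uniform scalar in Z_q

def h_k(*parts):
    """Stand-in for the collision-resistant hash family H_K, mapping into Z_q."""
    return int.from_bytes(hashlib.sha256(repr(parts).encode()).digest(), "big") % Q

def lcs_keygen():
    """ek = (g1,g2,g3, c_i = g_i^x_i g3^x3, d_i = g_i^y_i g3^y3, h_i = g_i^z_i g3^z3),
    i = 1,2; dk = (x, y, z) is the extraction trapdoor (not used below)."""
    g = [pow(G, rnd(), P) for _ in range(3)]
    x, y, z = ([rnd() for _ in range(3)] for _ in range(3))
    mk = lambda t: [pow(g[i], t[i], P) * pow(g[2], t[2], P) % P for i in range(2)]
    return {"g": g, "c": mk(x), "d": mk(y), "h": mk(z)}, {"x": x, "y": y, "z": z}

def lcs_encrypt(ek, label, M, r, s, xi=None):
    """LCS(l, ek, M; r, s) = (u, e, v) with xi = H_K(l, u, e); a supplied xi gives
    LCS*(l, ek, M, xi; r, s), as used for the companion ciphertext."""
    g, c, d, h = ek["g"], ek["c"], ek["d"], ek["h"]
    u = (pow(g[0], r, P), pow(g[1], s, P), pow(g[2], r + s, P))
    e = M * pow(h[0], r, P) * pow(h[1], s, P) % P
    xi = h_k(label, *u, e) if xi is None else xi
    v = pow(c[0] * pow(d[0], xi, P), r, P) * pow(c[1] * pow(d[1], xi, P), s, P) % P
    return (u, e, v), xi

def sphf_projkg(ek, hk, xi):
    """hp = (g1^eta g3^kappa h1^lam (c1 d1^xi)^mu, g2^theta g3^kappa h2^lam (c2 d2^xi)^mu):
    Sect. 4.2 with m = 1 and no pairing.  Only xi is needed, so hp can be
    published before the full commitment exists."""
    eta, theta, kappa, lam, mu = hk
    g, c, d, h = ek["g"], ek["c"], ek["d"], ek["h"]
    hp1 = (pow(g[0], eta, P) * pow(g[2], kappa, P) * pow(h[0], lam, P)
           * pow(c[0] * pow(d[0], xi, P), mu, P)) % P
    hp2 = (pow(g[1], theta, P) * pow(g[2], kappa, P) * pow(h[1], lam, P)
           * pow(c[1] * pow(d[1], xi, P), mu, P)) % P
    return hp1, hp2

def sphf_hash(hk, C, M):
    """Hash(hk, L_M, C) = u1^eta u2^theta u3^kappa (e/M)^lam v^mu (hashing-key side)."""
    eta, theta, kappa, lam, mu = hk
    (u1, u2, u3), e, v = C
    return (pow(u1, eta, P) * pow(u2, theta, P) * pow(u3, kappa, P)
            * pow(e * pow(M, P - 2, P), lam, P) * pow(v, mu, P)) % P

def sphf_projhash(hp, r, s):
    """ProjHash(hp, L_M, C, (r, s)) = hp1^r hp2^s (witness side)."""
    return pow(hp[0], r, P) * pow(hp[1], s, P) % P

def dlcs_full(C, Cp, eps):
    """Full commitment C * C'^eps: an LCS* ciphertext under the same xi with
    randomness (r + eps*a, s + eps*b), computable by anyone who saw C, C', eps."""
    (u, e, v), (up, ep, vp) = C, Cp
    u_full = tuple(ui * pow(upi, eps, P) % P for ui, upi in zip(u, up))
    return u_full, e * pow(ep, eps, P) % P, v * pow(vp, eps, P) % P

def pake_round(pw_alice, pw_bob):
    """One direction of the generic construction for the PAKE relation W = prv:
    Alice sends DLCSCom(pw); Bob answers (eps, hp) with hp derived from xi alone;
    the two hash values agree exactly when the passwords match.
    Returns (hash_bob, hash_alice)."""
    ek, _dk = lcs_keygen()
    label = "sid|Alice|Bob"                                    # constructed label
    embed = lambda pw: pow(G, int.from_bytes(pw.encode(), "big"), P)  # toy map G(.)
    r, s, a, b = (rnd() for _ in range(4))
    C, xi = lcs_encrypt(ek, label, embed(pw_alice), r, s)     # Alice: C
    Cp, _ = lcs_encrypt(ek, label, 1, a, b, xi)               # Alice: C' of 1_G
    hk, eps = tuple(rnd() for _ in range(5)), rnd()           # Bob: hk, challenge
    hp = sphf_projkg(ek, hk, xi)                              # Bob: needs xi only
    full = dlcs_full(C, Cp, eps)                              # both: C * C'^eps
    hash_bob = sphf_hash(hk, full, embed(pw_bob))             # Bob's expected prv
    hash_alice = sphf_projhash(hp, (r + eps * a) % Q, (s + eps * b) % Q)
    return hash_bob, hash_alice
```

Calling `pake_round("hunter2", "hunter2")` returns two equal values, while two different passwords give values that differ (except with probability about $1/q$, when $\lambda = 0$): this is the correctness and smoothness the implicit check relies on. Note also that Bob's projection key is derived from $\xi$ before $\varepsilon$ is drawn, which is the property Section 4 stresses for using the commitment in black-box.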

Figure 1. DLCSCom* Commitment Scheme for SPHF
Commit($\ell$, $M$; $r, s, a, b, t$): the sender picks $(r, s, a, b, t) \stackrel{\$}{\leftarrow} \mathbb{Z}_p^5$, computes $(C, C') \leftarrow \mathrm{DLCSCom}(\ell, M, 1_{\mathbb{G}}; r, s, a, b)$, $\chi = H_K(C')$ and $C'' = g_1^t \zeta^{\chi}$, and sends $(C, C'')$. The receiver picks $\varepsilon \stackrel{\$}{\leftarrow} \mathbb{Z}_p$ and sends it; the sender checks $\varepsilon \neq 0 \bmod p$ and sets $z = (z_r = r + \varepsilon a \bmod p,\ z_s = s + \varepsilon b \bmod p)$.
Decommit($\ell$, $C$, $C''$, $\varepsilon$): the sender reveals $(C', t)$; the receiver recomputes $\chi = H_K(C')$ and checks $C'' \stackrel{?}{=} g_1^t \zeta^{\chi}$. With $z = (z_r, z_s)$, implicit check of $C \cdot C'^{\varepsilon} \stackrel{?}{=} \mathrm{LCS}^*(\ell, ek, M, \xi; z_r, z_s)$.

Double Linear Cramer-Shoup Commitment Schemes. To make it equivocable, we double the commitment process, in two steps. The CRS additionally contains a scalar $\aleph \stackrel{\$}{\leftarrow} \mathbb{Z}_p$, and one also sets $\zeta = g_1^{\aleph}$. The trapdoor for equivocability is $\aleph$. The Double Linear Cramer-Shoup encryption scheme, denoted DLCS and detailed in the Appendix B, is
$$\mathrm{DLCS}(\ell, ek, M, N; r, s, a, b) \stackrel{\mathrm{def}}{=} \bigl(C \leftarrow \mathrm{LCS}(\ell, ek, M; r, s),\ \ C' \leftarrow \mathrm{LCS}^*(\ell, ek, N, \xi; a, b)\bigr)$$
where $\xi = H_K(\ell, \mathbf{u}, e)$ is computed during the generation of $C$ and transferred for the generation of $C'$. As above, DLCSCom denotes the use of DLCS with the encryption key $ek$. The usual commit/decommit processes are described on Figure 6 in the Appendix B. On Figure 1, one can find the DLCSCom* scheme where one can implicitly check the opening with an SPHF. These two constructions essentially differ in $\chi = H_K(C')$ (for the SPHF implicit check) instead of $\chi = H_K(M, C')$ (for the explicit check). We stress that with this alteration, the DLCSCom* scheme is not a real commitment scheme (not formally extractable/binding): in DLCSCom*, the sender can indeed encrypt $M$ in $C$ and $N \neq 1_{\mathbb{G}}$ in $C'$, and then the global ciphertext $C \cdot C'^{\varepsilon}$ contains $M' = M N^{\varepsilon} \neq M$, whereas one would have extracted $M$ from $C$. But $M'$ is unknown before $\varepsilon$ is sent, and thus, if one checks the membership of $M'$ in a sparse language, it will unlikely be true.

Multi-Message Schemes. One can extend these encryption and commitment schemes to vectors of $n$ messages (see the Appendix B). We will denote them $n$-DLCSCom or $n$-DLCSCom* for the commitment schemes.
They consist in encrypting each message with independent random coins in $C_i = (\mathbf{u}_i, e_i, v_i)$ but the same $\xi = H_K(\ell, (\mathbf{u}_i)_i, (e_i)_i)$, together with independent companion ciphertexts $C'_i$ of $1_{\mathbb{G}}$, still with the same $\xi$, for the doubled version. In the latter case, $n$ independent challenges $\varepsilon_i \stackrel{\$}{\leftarrow} \mathbb{Z}_p$ are then sent to lead to the full commitment $(C_i \cdot C_i'^{\varepsilon_i})_i$ with random coins $z_{r,i} =  r_i + \varepsilon_i a_i$ and $z_{s,i} = s_i + \varepsilon_i b_i$. Again, if one of the companion ciphertexts $C'_i$ does not encrypt $1_{\mathbb{G}}$, the full commitment encrypts a vector with at least one unpredictable component $M'_i$. Several non-unity components in the companion ciphertexts would lead to independent components in the full commitment. For languages sparse enough, this definitely turns out not to be in the language.

4 SPHF for Implicit Proofs of Membership

In [ACP09], Abdalla et al. presented a way to compute a conjunction or a disjunction of languages by some simple operations on their projection keys. Therefore all languages presented afterward can easily be combined together. However, as the original set of manageable languages was not really developed, we are going to present several steps to extend it, namely in order to cover some languages useful in various AKE instantiations. We will show that almost all of the vast family of languages covered by the Groth-Sahai methodology [GS08] can be addressed by our approach too. More precisely, we can handle all the linear pairing product equations, when witnesses are committed using our above (multi-message) DLCSCom commitment scheme, or even the non-equivocable LCSCom version. This will be strong enough for our applications. For using them in black-box to build our LAKE protocol, one should note that the projection key is computed from the ciphertext $C$ when using the simple LCSCom commitment, but also when using the DLCSCom version. The full commitment $C \cdot C'^{\varepsilon}$ is not required, but $\xi$ only, which is known as soon as $C$ is given (or the vector $(C_i)_i$ for the multi-message version).
Of course, the hash value will then depend on the full commitment (either $C$ for the LCSCom commitment, or $C \cdot C'^{\varepsilon}$ for the DLCSCom commitment). This will be relevant to our AKE problem: equality of two passwords, in PAKE protocols; corresponding signing/verification keys associated with a valid signature on a pseudonym or a hidden identity, in secret handshakes; valid credentials, in CAKE protocols. All those tests are quite similar: one has to show that the ciphertexts are valid and that the plaintexts satisfy the expected relations in a group. We first illustrate that with commitments of Waters signatures of a public message under a committed verification key. We then explain the general method. The formal proofs are provided in the Appendix C.

4.1 Commitments of Signatures

Let us consider the Waters signature [Wat05] in a symmetric bilinear group, as reviewed in the Appendix A.3; we just need to recall that, in a pairing-friendly setting $(p, \mathbb{G}, \mathbb{G}_T, e)$, with public parameters $(\mathcal{F}, g, h)$ and a verification key $vk$, a signature $\sigma = (\sigma_1, \sigma_2)$ is valid with respect to the message $M$ under the key $vk$ if it satisfies $e(\sigma_1, g) = e(h, vk) \cdot e(\mathcal{F}(M), \sigma_2)$. A similar approach has already been followed in [BPV12], however not with a Linear Cramer-Shoup commitment scheme, nor with such general languages. We indeed first consider the language of the signatures $(\sigma_1, \sigma_2) \in \mathbb{G}^2$ of a message $M \in \{0,1\}^k$ under the verification key $vk \in \mathbb{G}$, where $M$ is public but $vk$ is private: $L(pub, prv)$, where $prv = vk$ and $pub = M$. One will thus commit the pair $(vk, \sigma_1) \in \mathbb{G}^2$ with the label $\ell = (M, \sigma_2)$ using a 2-DLCSCom commitment and then prove that the commitment actually contains $(vk, \sigma_1)$ such that $e(\sigma_1, g) = e(h, vk) \cdot e(\mathcal{F}(M), \sigma_2)$. We insist on the fact that only $\sigma_1$ has to be encrypted, and not $\sigma_2$, in order to hide the signature, since the latter $\sigma_2$ is a random group element. If one wants unlinkability between signature commitments, one simply needs to re-randomize $(\sigma_1, \sigma_2)$ before encryption. Hence $\sigma_2$ can be sent in clear, but bound to the commitment in the label, together with the $pub$ part of the language.
In order to prove the above property on the committed values, we will use conjunctions of SPHF: first, to show that each commitment is well-formed (valid ciphertexts), and then that the associated plaintexts verify the linear pairing equation $e(\sigma_1, g) = e(h, vk) \cdot e(\mathcal{F}(M), \sigma_2)$, where the committed value $\sigma_1$ is the unknown (underlined in the original). Note that $vk$ is not used as a committed value for this verification of the membership of $\sigma$ in the language, since this is the verification key expected by the verifier, specified in the private part $prv$, which has to be independently checked with respect to the committed verification key. This is enough for the affiliation-hiding property. We could consider the similar language where $M \in \{0,1\}^k$ is in the word too: $e(\sigma_1, g) = e(h, vk) \cdot e(\mathcal{F}(M), \sigma_2)$ with both $\sigma_1$ and $M$ committed, and then one should commit $M$, bit-by-bit, and use a $(k+2)$-DLCSCom commitment.

4.2 Linear Pairing Product Equations

Instead of describing in detail the SPHF for the above examples, let us show it for a more general framework: we considered $e(\sigma_1, g) = e(h, vk) \cdot e(\mathcal{F}(M), \sigma_2)$ with $\sigma_1$ unknown, or with both $\sigma_1$ and $M$ unknown. These are particular instantiations of $t$ simultaneous equations
$$\Bigl(\prod_{i \in \mathcal{A}_k} e(Y_i, A_{k,i})^{z_{k,i}}\Bigr) \cdot \Bigl(\prod_{i \in \mathcal{B}_k} Z_i^{z_{k,i}}\Bigr) = B_k \qquad \text{for } k = 1, \ldots, t,$$
where $A_{k,i} \in \mathbb{G}$, $B_k \in \mathbb{G}_T$, and $z_{k,i} \in \mathbb{Z}_p$, as well as $\mathcal{A}_k \subseteq \{1, \ldots, m\}$ and $\mathcal{B}_k \subseteq \{m+1, \ldots, n\}$, are public, but the $Y_i \in \mathbb{G}$ and $Z_i \in \mathbb{G}_T$ are simultaneously committed using the multi-message DLCSCom or LCSCom commitment scheme, in $\mathbb{G}$ or $\mathbb{G}_T$ respectively. This is more general than the relations covered by [CCGS10], since one can also commit scalars bit-by-bit. In the Appendix C.4, we detail how to build the corresponding SPHF, and prove the soundness of our approach. For the sake of clarity, we focus here on a single equation only, since multiple equations are just conjunctions.
We can even consider the simpler equation $\prod_{i=1}^{m} Z_i^{z_i} = B$, since one can lift any ciphertext from $\mathbb{G}$ to a ciphertext in $\mathbb{G}_T$, setting $Z_i = e(Y_i, A_i)$, as well as, for $j = 1, 2, 3$, $G_{i,j} = e(g_j, A_i)$ and, for $j = 1, 2$, $H_{i,j} = e(h_j, A_i)$, $C_{i,j} = e(c_j, A_i)$, $D_{i,j} = e(d_j, A_i)$, to lift all the group basis elements. Then, one transforms
$$C_i = \mathrm{LCS}^*(\ell, ek, Y_i, \xi; z_i) = \bigl(\mathbf{u}_i = (g_1^{z_{r,i}},\ g_2^{z_{s,i}},\ g_3^{z_{r,i}+z_{s,i}}),\ \ e_i = h_1^{z_{r,i}} h_2^{z_{s,i}} Y_i,\ \ v_i = (c_1 d_1^{\xi})^{z_{r,i}} (c_2 d_2^{\xi})^{z_{s,i}}\bigr)$$
into
$$\bigl(\mathbf{U}_i = (G_{i,1}^{z_{r,i}},\ G_{i,2}^{z_{s,i}},\ G_{i,3}^{z_{r,i}+z_{s,i}}),\ \ E_i = H_{i,1}^{z_{r,i}} H_{i,2}^{z_{s,i}} Z_i,\ \ V_i = (C_{i,1} D_{i,1}^{\xi})^{z_{r,i}} (C_{i,2} D_{i,2}^{\xi})^{z_{s,i}}\bigr).$$
Encryptions of $Z_i$ originally in $\mathbb{G}_T$ use constant basis elements: for $j = 1, 2, 3$, $G_{i,j} = G_j = e(g_j, g)$ and, for $j = 1, 2$, $H_{i,j} = H_j = e(h_j, g)$, $C_{i,j} = C_j = e(c_j, g)$, $D_{i,j} = D_j = e(d_j, g)$. The commitments have been generated in $\mathbb{G}$ and $\mathbb{G}_T$ simultaneously using the $m$-DLCSCom version, with a common $\xi$, where the possible combination with the companion ciphertext to the power $\varepsilon$ leads to the above $C_i$, thereafter lifted to $\mathbb{G}_T$. For the hashing keys, one picks random scalars $(\lambda, (\eta_i, \theta_i, \kappa_i, \mu_i)_{i=1,\ldots,m}) \stackrel{\$}{\leftarrow} \mathbb{Z}_p^{4m+1}$, and sets $hk_i = (\eta_i, \theta_i, \kappa_i, \lambda, \mu_i)$. One then computes the projection keys as
$$hp_i = \bigl(g_1^{\eta_i} g_3^{\kappa_i} h_1^{\lambda} (c_1 d_1^{\xi})^{\mu_i},\ \ g_2^{\theta_i} g_3^{\kappa_i} h_2^{\lambda} (c_2 d_2^{\xi})^{\mu_i}\bigr) \in \mathbb{G}^2.$$
The hash value is
$$\prod_{i=1}^{m} e\bigl(u_{i,1}^{\eta_i}\, u_{i,2}^{\theta_i}\, u_{i,3}^{\kappa_i}\, e_i^{\lambda}\, v_i^{\mu_i},\ A_i\bigr) \cdot B^{-\lambda} = \prod_{i=1}^{m} e\bigl(hp_{i,1}^{z_{r,i}}\, hp_{i,2}^{z_{s,i}},\ A_i\bigr),$$
where $A_i$ is the constant used to compute $Z_i = e(Y_i, A_i)$ and to lift ciphertexts from $\mathbb{G}$ to $\mathbb{G}_T$, or $A_i = g^{z_i}$ if the ciphertext was already in $\mathbb{G}_T$. These evaluations can be computed either from the commitments and the hashing keys, or from the projection keys and the witnesses. We insist on the fact that, whereas the hash values are in $\mathbb{G}_T$, the projection keys are in $\mathbb{G}$ even if the ciphertexts are initially in $\mathbb{G}_T$. We stress again that the projection keys require the knowledge of $\xi$ only: known from the LCSCom commitment or from the first part $C$ of the DLCSCom commitment.

5 Language-Authenticated Key Exchange

5.1 The Ideal Functionality

We generalize the Password-Authenticated Key Exchange functionality $\mathcal{F}_{pake}$ (first provided in [CHK+05]) to more complex languages: the players agree on a common secret key if and only if they own words that lie in the languages the partners have in mind. More precisely, after an agreement on $pub$ between $P_i$ and $P_j$ (modeled here by the use of the split functionality, see below), player $P_i$ uses a word $W_i$ belonging to $L_i = L_{R_i}(pub, prv_i)$ and it expects its partner $P_j$ to use a word $W_j$ belonging to the language $L'_j = L_{R_j}(pub, prv'_j)$, and vice-versa for $P_j$ and $P_i$. We assume the relations $R_i$ and $R_j$ to be specified by the kind of protocol we study (PAKE, Verifier-based PAKE, secret handshakes, ...) and so the languages are defined by the additional parameters $pub$, $prv_i$ and $prv'_j$ only: they both agree on the public part $pub$, to be possibly parsed in a different way by each player for each language according to the relations. Note however that the respective languages do not need to be the same or to use similar relations: authentication means could be totally different for the two players.
The key exchange should succeed if and only if the two following pairs of conditions hold: ($L_i = L'_i$ and $W_i \in L_i$) and ($L_j = L'_j$ and $W_j \in L_j$).

Description. In the initial $\mathcal{F}_{pake}$ functionality [CHK+05], the adversary was given access to a TestPwd-query, which modeled the on-line dictionary attack. But it is known since [BCL+05] that it is equivalent to use the split functionality model [BCL+05], generate the NewSession-queries corresponding to the corrupted players, and tell the adversary (on behalf of the corrupted player) whether the protocol should succeed or not. Both methods enable the adversary to try a credential for a player (on-line dictionary attack). The second method (that we use here) implies allowing $\mathcal{S}$ to ask NewSession-queries on behalf of the corrupted player, and letting it be aware of the success or failure of the protocol in this case: the adversary learns this information only when it plays on behalf of a player (corruption or impersonation attempt). This is anyway information it would learn at the end of the protocol. We insist that third parties will not learn whether the protocol succeeded or not, as required for secret handshakes. To this aim, the NewKey-query informs the adversary in this case whether the credentials are consistent with the languages or not. In addition, the split functionality model guarantees from the beginning which player is honest and which one is controlled by the adversary. This finally allows us to get rid of the TestPwd-query. The $\mathcal{F}_{lake}$ functionality is presented in Figure 2 and the corresponding split functionality $s\mathcal{F}_{lake}$ in Figure 3, where the languages are formally described and compared using the $pub$ and $prv$ parts.
The security goal is to show that the best attack for the adversary is a basic trial execution with a credential of its guess or choice: the proof will thus consist in emulating any real-life attack by either a trial execution by the adversary, playing as an honest player would do, but with a credential chosen by the adversary or obtained in any way; or a denial of service, where the adversary is clearly aware that its behavior will make the execution fail.

Figure 2. Ideal Functionality $\mathcal{F}_{lake}$
The functionality $\mathcal{F}_{lake}$ is parametrized by a security parameter $k$ and a public parameter $pub$ for the languages. It interacts with an adversary $\mathcal{S}$ and a set of parties $P_1, \ldots, P_n$ via the following queries:
New Session: Upon receiving a query $(\mathrm{NewSession} : sid, P_i, P_j, W_i, L_i = L(pub, prv_i), L'_j = L(pub, prv'_j))$ from $P_i$:
If this is the first NewSession-query with identifier $sid$, record the tuple $(P_i, P_j, W_i, L_i, L'_j, \mathrm{initiator})$. Send $(\mathrm{NewSession}; sid, P_i, P_j, pub, \mathrm{initiator})$ to $\mathcal{S}$ and $P_j$.
If this is the second NewSession-query with identifier $sid$ and there is a record $(P_j, P_i, W_j, L_j, L'_i, \mathrm{initiator})$, record the tuple $(P_j, P_i, W_j, L_j, L'_i, \mathrm{initiator}, W_i, L_i, L'_j, \mathrm{receiver})$. Send $(\mathrm{NewSession}; sid, P_i, P_j, pub, \mathrm{receiver})$ to $\mathcal{S}$ and $P_j$.
Key Computation: Upon receiving a query $(\mathrm{NewKey} : sid)$ from $\mathcal{S}$, if there is a record of the form $(P_i, P_j, W_i, L_i, L'_j, \mathrm{initiator}, W_j, L_j, L'_i, \mathrm{receiver})$ and this is the first NewKey-query for session $sid$, then:
If ($L_i = L'_i$ and $W_i \in L_i$) and ($L_j = L'_j$ and $W_j \in L_j$), then pick a random key $sk$ of length $k$ and store $(sid, sk)$. If one player is corrupted, send $(sid, \mathrm{success})$ to the adversary.
Else, store $(sid, \bot)$, and send $(sid, \mathrm{fail})$ to the adversary if one player is corrupted.
Key Delivery: Upon receiving a query $(\mathrm{SendKey} : sid, P_i, sk)$ from $\mathcal{S}$, then:
if there is a record of the form $(sid, sk')$, then, if both players are uncorrupted, output $(sid, sk')$ to $P_i$; otherwise, output $(sid, sk)$ to $P_i$;
if there is a record of the form $(sid, \bot)$, then pick a random key $sk'$ of length $k$ and output $(sid, sk')$ to $P_i$.

Figure 3. Split Functionality $s\mathcal{F}_{lake}$
Given the functionality $\mathcal{F}_{lake}$, the split functionality $s\mathcal{F}_{lake}$ proceeds as follows:
Initialization: Upon receiving $(\mathrm{Init}, sid, pub_i)$ from party $P_i$, send $(\mathrm{Init}, sid, P_i, pub_i)$ to the adversary. Upon receiving a message $(\mathrm{Init}, sid, P_i, H, pub, sid_H)$ from $\mathcal{S}$, where $H = \{P_i, P_j\}$ is a set of party identities, check that $P_i$ has already sent $(\mathrm{Init}, sid, pub_i)$ and that for all recorded $(H', pub', sid_{H'})$, either $H = H'$, $pub = pub'$ and $sid_H = sid_{H'}$, or $H$ and $H'$ are disjoint and $sid_H \neq sid_{H'}$. If so, record the pair $(H, pub, sid_H)$, send $(\mathrm{Init}, sid, sid_H, pub)$ to $P_i$, and invoke a new functionality $(\mathcal{F}_{lake}, sid_H, pub)$ denoted as $\mathcal{F}^{(H, pub)}_{lake}$ and with set of honest parties $H$.
Computation: Upon receiving $(\mathrm{Input}, sid, m)$ from party $P_i$, find the set $H$ such that $P_i \in H$ and the public value $pub$ recorded, and forward $m$ to $\mathcal{F}^{(H, pub)}_{lake}$. Upon receiving $(\mathrm{Input}, sid, P_j, H, m)$ from $\mathcal{S}$, such that $P_j \notin H$, forward $m$ to $\mathcal{F}^{(H, pub)}_{lake}$ as if coming from $P_j$. When $\mathcal{F}^{(H, pub)}_{lake}$ generates an output $m$ for party $P_i \in H$, send $m$ to $P_i$. If the output is for $P_j \notin H$ or for the adversary, send $m$ to the adversary.

5.2 A Generic UC-Secure LAKE Construction

Intuition. Using smooth projective hash functions on commitments, one can generically define a LAKE protocol as done in [ACP09]. The basic idea is to make the players commit to their private information (for the expected languages and the owned words), and eventually the smooth projective hash functions will be used to make implicit validity checks of the global relation. To this aim, we use the commitments and associated smooth projective hash functions as described in Sections 3 and 4. More precisely, all examples of SPHF in Section 4 can be used on extractable commitments divided into one or two parts (the non-equivocable LCSCom or the equivocable DLCSCom commitments, see Figure 1). The relations on the committed values will not be explicitly checked, since the values will never be revealed, but will be implicitly checked using SPHF. It is interesting to note that in both cases (one-part or two-part commitment), the projection key will only depend on the first part of the commitment. As is often the case in the UC setting, we need the initiator to use stronger primitives than the receiver. They both have to use non-malleable and extractable commitments, but the initiator will use a commitment that is additionally equivocable, the DLCSCom in two parts ($(C_i, C'_i)$ and $\mathrm{Com}_i = C_i \cdot C_i'^{\varepsilon}$), while the receiver will only need the basic LCSCom commitment in one part ($\mathrm{Com}_j = C_j$). As already explained, SPHF will be used to implicitly check whether ($L_i = L'_i$ and $W_i \in L_i$) and ($L_j = L'_j$ and $W_j \in L_j$).
But snce n our nstantatons prvate parameters prv and words W wll have to be commtted, the structure of these commtments wll thus be publcly known n advance: commtments of P-elements and S-elements. Secton 6 dscusses on the languages captured by our defnton, and llustrates wth some AKE protocols. However, whle these P and S sets are embedded n G n from some n, t mght be mportant to prove that the commtted values are actually n P and S (e.g., one can have to prove t commts bts, whereas messages are frst embedded as group elements n G of large order p). Ths wll be an addtonal language-membershp to prove on the commtments. Ths leads to a very smple protocol descrbed on Fgure 4. Note that f a player wants to make external adversares thnk he owns an approprate word, as t s requred for Secret Handshakes, he can stll play, but

9 9 Executon between P and P j, wth sesson dentfer sd. Prelmnary Round: each user generates a par of sgnng/verfcaton keys (SK, VK) and sends VK together wth ts contrbuton to the publc part of the language. We denote by l = (sd, ssd, P, P j, pub, VK, VK j) and by l j = (sd, ssd, P, P j, pub, VK j, VK ), where pub s the combnaton of the contrbutons of the two players. The ntator now uses a word W n the language L(pub, prv ), and the recever uses a word W j n the language L(pub, prv j ), possbly re-randomzed from ther long-term secrets (*). We assume commtments and assocated smooth projectve hash functons exst for these languages. Frst Round: user P (wth random tape ω ) generates a mult-dlcscom commtment on (prv, prv j, W ) n (C, C ), where W has been randomzed n the language, under the label l. It also computes a Pedersen commtment on C n C (wth random exponent t). It then sends (C, C ) to P j; Second Round: user P j (wth random tape ω j) computes a mult-lcs commtment on (prv j, prv, Wj) n Comj = Cj, wth wtness r, where W j has been randomzed n the language, under the label l j. It then generates a challenge ε on C and hashng/projecton keys (**) hk and hp assocated to C (whch wll be assocated to the future Com ). It fnally sgns all the flows usng SK j n σ j, and sends (C j, ε, hp, σ j) to P ; Thrd Round: user P frst checks the sgnature σ j, computes Com = C C ε and wtness z (from ε and ω ), t generates hashng/projecton keys hk j and hp j assocated to Com j. It fnally sgns all the flows usng SK n σ, and sends (C, t, hp j, σ ) to P j; Hashng: P j frst checks the sgnature σ and the correct openng of C nto C, t computes Com = C C ε. 
P computes K and P j computes K j as follows: K = Hash(hk j, {(prv j, prv )} L(pub, prv j), l j, Com j) ProjHash(hp, {(prv, prv j)} L(pub, prv ), l, Com ; z) K j = ProjHash(hp j, {(prv j, prv )} L(pub, prv j ), l j, Com j; r) Hash(hk, {(prv, prv j )} L(pub, prv ), l, Com ) (*) As explaned n Secton 1, recall that the languages consdered depend on two possbly dfferent relatons, namely L = L R (pub, prv ) and L j = L Rj (pub, prv j ), but we omt them for the sake of clarty. We assume they are both selfrandomzable. (**) Recall that the SPHF s constructed n such a way that ths projecton key does not depend on C and s ndeed assocated to the future whole Com. Fgure 4. Language-based Authentcated Key Exchange from a Smooth Projectve Hash Functon on Commtments wll compute everythng wth dummy words, and wll replace the ProjHash evaluaton by a random value, whch wll lead to a random key at the end. Securty Analyss. Snce we have to assume common pub, we make a frst round (wth flows n each drecton) where the players send ther contrbuton, to come up wth pub. These flows wll also be used to know f there s a player controlled by the adversary (as wth the Splt Functonalty [BCL + 05]). In case the languages have empty pub, these addtonal flows are not requred, snce the Splt Functonalty can be appled on the commtted values. The sgnng key for the recever s not requred anymore snce there s one flow only from ts sde. Ths LAKE protocol s secure aganst statc corruptons. The proof s provded n the Appendx D, and s n the same ven as the one n [CHK + 05, ACP09]. However, t s a bt more ntrcate: n PAKE, when one s smulatng a player, and knows the adversary used the correct password, one smply uses ths password for the smulated player. 
In LAKE, when one knows the language expected by the adversary for the smulated player and has to smulate a successful executon (because of success announced by the NewKey-query), one has to actually nclude a correct word n the commtment: smooth projectve hash functons do not allow the smulator to cheat, equvocablty of the commtment s the unque trapdoor, but wth a vald word. The languages must allow the smulator to produce a vald word W n L(pub, prv), for any pub and prv P provded by the adversary or the envronment. Ths wll be the case n all the nterestng applcatons of our protocol (see Secton 6): f prv defnes a Waters verfcaton key vk = g x, wth the master key s such that h = g s, the sgnng key s sk = h x = vk s, and thus the smulator can sgn any message; f such a master key does not exst, one can restrct P, and mplctly check t wth the SPHF (the addtonal language-membershp check, as sad above). But snce a random word s generated by the smulator, we need the real player to derve a random word from hs own word, and the language to be self-randomzable. In addton, as already noted, our commtment DLCSCom s not formally bndng (contrarly to the much less effcent one used n [ACP09]). The adversary can ndeed make the extracton gve M from C, whereas

10 10 Com wll eventually contan M f C does not encrypt (1 G) n. However, snce the actual value M depends on the random challenge ε, and the language s assumed sparse (otherwse authentcaton s easy), the protocol wll fal: ths can be seen as a denal of servce from the adversary. Theorem 1. Our LAKE scheme from Fgure 4 realzes the sf lake functonalty n the F crs -hybrd model, n the presence of statc adversares, under the DLn assumpton and the securty of the One-Tme Sgnature. Actually, from a closer look at the full proof, one can notce that Com j = C j needs to be extractable, but IND CPA securty s enough, whch leads to a shorter cphertext (2 group elements less f one uses a Lnear cphertext nstead of LCS). Smlarly, one wll not have to extract W from C when smulatng sessons where P s corrupted. As a consequence, only the prvate parts of the languages have to be commtted to n Com n the frst and thrd rounds, whereas W can be encrypted ndependently wth an IND CPA encrypton scheme n the thrd round only (5 group elements less n the frst round, and 2 group elements less n the thrd round f one uses a Lnear cphertext nstead of LCS). 6 Concrete Instantatons and Comparsons In ths secton, we frst gve some concrete nstantatons of several AKE protocols, usng our generc protocol of LAKE, and compare the effcences of those nstantatons. 6.1 Possble Languages As explaned above, our LAKE protocol s provably secure for self-randomzable languages only. Whle ths noton may seem qute strong, most of the usual languages fall nto t. For example, n a PAKE or a Verferbased PAKE scheme, the languages consst of a sngle word and so trvally gven a word, each user s able to deduce all the words n the language. One may be a lttle more worred about Waters Sgnature n our Secret Handshake, and/or Lnear parng equatons. 
However the self-randomzablty of the languages s easy to show: Gven a Waters sgnature σ = (σ 1, σ 2 ) over a message m vald under a verfcaton key vk, one s able to randomze the sgnature nto any sgnature over the same message m vald under the same verfcaton key vk smply by pckng a random s and computng σ = (σ 1 F(m) s, σ 2 g s ). For lnear parng equatons, wth publc parameters A for = 1,..., m and γ for = m + 1,..., n, and B, gven (X 1,..., X m, Z m+1,..., Z n ) verfyng m =1 e(x, A ) n =m+1 Zγ = B, one can randomze the word n the followng way: If m < n, one smply pcks random (X 1,..., X m), (Z m+1,..., Z n 1 ) and sets Z n = (B/( m, A ) n 1 =m+1 Z =1 e(x γ )) 1/γn, Else, f m = n > 1, one pcks random r 1,..., r n 1 and set X = X A r n, for = 1,..., m 1 and X m = X m m 1 =1 A r, Else m = n = 1, ths means only one word satsfes the equaton. So we already have ths word. As we can see most of the common languages manageable wth a SPHF are already self-randomzable. We now show how to use them n concrete nstantatons. 6.2 Concrete Instantatons Password-Authentcated Key Exchange. Usng our generc constructon, we can easly obtan a PAKE protocol, as descrbed on Fgure 5, where we optmze from the generc constructon, snce pub =, removng the agreement on pub, but stll keepng the one-tme sgnature keys (SK, VK ) to avod man-n-the-mddle attacks snce t has another later flow: P uses a password W and expects P j to own the same word, and thus n the language L j = L = {W }; P j uses a password W j and expects P to own the same word, and thus n the language L = L j = {W j }; The relaton s the equalty test between prv and prv j, whch both have no restrcton n G (hence P = G). As the word W, the language prvate parameters prv of a user and prv j of the expected language for the other user are the same, each user can commt n the protocol to only one value: ts password. We kept the general descrpton and notatons n Fgure 5, but C j can be a smply IND CPA encrypton scheme. 
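The exchange of Figure 5, reduced to its SPHF core, as an added example that is not part of the paper: both commitments are plain ElGamal ciphertexts under a CRS key h (the remark that IND-CPA suffices for Com_j is applied to both sides, so the two-part DLCSCom, the Pedersen commitment on C'_i, the challenge ε, the labels and the one-time signature of Figure 5 are all omitted, and with them the non-malleability the real protocol relies on), the group is a demonstration-sized 64-bit safe-prime subgroup rather than a DLin pairing group, and the names gen_group, sphf_hash, sphf_proj and pake are this example's own. It shows the Gennaro-Lindell-style equality-test SPHF on a commitment, that hp is independent of the commitment it will be applied to, and that K_i = K_j exactly when the two passwords coincide.

```python
# Added example (not the paper's code): the SPHF core of the Figure 5 PAKE in a
# toy DDH group. Assumptions: plain ElGamal commitments under a CRS key h on both
# sides (no DLCSCom, Pedersen commitment, challenge eps, labels or signatures),
# and a 64-bit safe-prime subgroup chosen for speed, not security.
import hashlib
import random
import secrets

_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_prime(n: int) -> bool:
    """Deterministic Miller-Rabin: exact for every n below 3*10^23."""
    if n < 2:
        return False
    for b in _MR_BASES:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_group(bits: int = 64, seed: int = 2013):
    """Safe prime p = 2q + 1 (public parameter, hence a fixed seed is fine)."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_prime(q) and is_prime(2 * q + 1):
            return 2 * q + 1, q


P, Q = gen_group()
G = 4                                        # 2^2 is a square, so it has order q
H = pow(G, secrets.randbelow(Q - 1) + 1, P)  # CRS: h = g^s with s thrown away


def word(pw: str) -> int:
    """Embed a password as a group element W = g^(SHA-256(pw) mod q)."""
    x = int.from_bytes(hashlib.sha256(pw.encode()).digest(), "big") % Q
    return pow(G, x, P)


def commit(W: int):
    """ElGamal commitment (g^r, h^r * W) to W, returned with its witness r."""
    r = secrets.randbelow(Q)
    return (pow(G, r, P), pow(H, r, P) * W % P), r


def hash_kg():
    """hk = (alpha, beta), hp = g^alpha h^beta: hp does not depend on the commitment."""
    hk = (secrets.randbelow(Q), secrets.randbelow(Q))
    return hk, pow(G, hk[0], P) * pow(H, hk[1], P) % P


def sphf_hash(hk, W: int, C) -> int:
    """Hash(hk, L_W, C) = u^alpha (e/W)^beta for L_W = {(g^r, h^r W)}."""
    u, e = C
    return pow(u, hk[0], P) * pow(e * pow(W, P - 2, P) % P, hk[1], P) % P


def sphf_proj(hp: int, r: int) -> int:
    """ProjHash(hp, C; r) = hp^r; equals Hash exactly when C commits to W."""
    return pow(hp, r, P)


def pake(pw_i: str, pw_j: str):
    """Three rounds between P_i (password pw_i) and P_j (pw_j); returns (K_i, K_j)."""
    W_i, W_j = word(pw_i), word(pw_j)
    C_i, z = commit(W_i)       # round 1: P_i commits to its password
    C_j, r = commit(W_j)       # round 2: P_j commits and sends hp_i for Com_i
    hk_i, hp_i = hash_kg()
    hk_j, hp_j = hash_kg()     # round 3: P_i sends hp_j for Com_j
    # Hashing: each side hashes the other's commitment against the word it
    # expects (its own password) and projects its own commitment with its witness.
    K_i = sphf_hash(hk_j, W_i, C_j) * sphf_proj(hp_i, z) % P
    K_j = sphf_proj(hp_j, r) * sphf_hash(hk_i, W_j, C_i) % P
    return K_i, K_j


if __name__ == "__main__":
    print("same password:", pake("correct horse", "correct horse"))
    k_i, k_j = pake("correct horse", "battery staple")
    print("different passwords, keys agree:", k_i == k_j)
```

On a mismatch, sphf_hash(hk_j, W_i, C_j) differs from hp_j^r by the factor (W_j/W_i)^beta, uniformly random given hp_j, which is the smoothness the protocol relies on; the same holds for the other side, so neither party learns which password the other used. Without the labels, signatures and non-malleable commitment of Figure 5, an active adversary could still replay or maul commitments across sessions, which is exactly what those omitted components prevent.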
P_i uses a password W_i and P_j uses a password W_j. We denote ℓ = (sid, ssid, P_i, P_j).

First Round: P_i (with random tape ω_i) first generates a pair of signing/verification keys (SK_i, VK_i) and a DLCSCom commitment on W_i in (C_i, C'_i), under ℓ_i = (ℓ, VK_i). It also computes a Pedersen commitment on C'_i in C''_i (with random exponent t). It then sends (VK_i, C_i, C''_i) to P_j;

Second Round: P_j (with random tape ω_j) computes an LCSCom commitment on W_j in Com_j = C_j, with witness r, under the label ℓ. It then generates a challenge ε on C_i and hashing/projection keys hk_i and the corresponding hp_i for the equality test on Com_i (Com_i is a valid commitment of W_j; this only requires the value ξ computable thanks to C_i). It then sends (C_j, ε, hp_i) to P_i;

Third Round: user P_i computes Com_i = C_i · C'_i^ε and the witness z (from ε and ω_i), and generates hashing/projection keys hk_j and hp_j for the equality test on Com_j. It finally signs all the flows using SK_i in σ_i and sends (C'_i, t, hp_j, σ_i) to P_j;

Hashing: P_j first checks the signature and the validity of the Pedersen commitment (thanks to t), and computes Com_i = C_i · C'_i^ε. P_i computes K_i and P_j computes K_j as follows:
K_i = Hash(hk_j, L'_j, ℓ, Com_j) · ProjHash(hp_i, L_i, ℓ_i, Com_i; z)
K_j = ProjHash(hp_j, L_j, ℓ, Com_j; r) · Hash(hk_i, L'_i, ℓ_i, Com_i)

Figure 5. Password-based Authenticated Key Exchange

It is quite efficient and relies on the DLin assumption, with DLCS for (C_i, C'_i) and thus 10 group elements, but a Linear encryption for C_j and thus 3 group elements. Projection keys are both 2 group elements. Globally, P_i sends 13 group elements plus 1 scalar, a verification key and a one-time signature, while P_j sends 5 group elements and 1 scalar: 18 group elements and 2 scalars in total. We can of course instantiate it with the Cramer-Shoup and ElGamal variants, under the DDH assumption: P_i sends 8 group elements plus 1 scalar, a verification key and a one-time signature, while P_j sends 3 group elements and 1 scalar (all group elements can be in the smallest group): 11 group elements and 2 scalars in total.

Verifier-based PAKE. The above scheme can be modified into an efficient PAKE protocol that is additionally secure against server compromise: the so-called verifier-based PAKE, where the client owns a password pw, while the server knows a verifier only, such as g^pw, so that in case of a break-in to the server, the adversary will not immediately get all the passwords. To this aim, as usually done, one first does a PAKE with g^pw as common password, then asks the client to additionally prove it can compute the Diffie-Hellman value h^pw for a basis h chosen by the server. Ideally, we could implement this trick, where the client P_j just considers the equality test between g^pw and the value committed by the server for the language L'_i = L_j, while the server P_i considers the equality test with (g^pw, h^pw), where h is sent as its contribution to the public part of the language by the server, L_i = L'_j. Since the server chooses h itself, it chooses it as h = g^α, for an ephemeral random α, and can thus compute h^pw = (g^pw)^α. On its side, the client can compute this value since it knows pw. The client could thus commit to (g^pw, h^pw), in order to prove its knowledge of pw, whereas the server could just commit to g^pw. Unfortunately, from the extractability of the server commitment, one would just get g^pw, which is not enough to simulate the client. To make it provable, the server chooses an ephemeral h as above, and they both run the previous PAKE protocol with (g^pw, h^pw) as common password, mutually checked: h is seen as the pub part, hence the preliminary flows are required.

Credential-Authenticated Key Exchange. In [CCGS10], the authors proposed instantiations of the CAKE primitive for conjunctions of atomic policies that are defined algebraically by relations of the form ∏_{j=1}^{k} g_j^{F_j} = 1, where the g_j's are elements of an abelian group and the F_j's are integer polynomials in the variables committed by the users. The core of their constructions relies on their practical UC zero-knowledge proof. There is no precise instantiation of such a proof, but it is very likely to be inefficient. Their proof technique indeed requires transforming the underlying Σ-protocols into corresponding Ω-protocols [GMY06] by verifiably encrypting the witness. An Ω-protocol is a Σ-protocol with the additional property that it admits a polynomial-time straight-line extractor. Since the witnesses are scalars in their algebraic relations, their approach requires either inefficient bit-per-bit encryption of these witnesses or Paillier encryption, in which case the problem of using groups with different orders in the representation and in the encryption requires additional overhead. Even when used with Σ-protocols, their PAKE scheme without UC-security requires at least two proofs of knowledge of representations that involve at least 30 group elements (if we assume the encryption to be linear Cramer-Shoup), and some extra for the last proof of existence (cf. [CKS11]), where our PAKE requires less than 20 group elements. Anyway, as they say, their PAKE scheme is less efficient than [CHK+05], which needed 6 rounds and around 30 modular exponentiations per user, while our efficient PAKE requires less than 40 exponentiations, in total, in only 3 rounds. Our scheme is therefore more efficient than the scheme from [CHK+05] for the same security level (i.e. UC-security with static corruptions).

Secret Handshakes. We can also instantiate a (linkable) Secret Handshakes protocol, using our scheme with two different languages: P_i will commit to a valid signature σ_i on a message m_i (his identity for example), under a private verification key vk_i, and expects P_j to commit to a valid signature on a message m_j under a private verification key vk_j; P_j will do analogously with a signature σ_j on m_j under vk_j, while expecting a signature on m_i under vk_i. The public parts of the signatures (the second component) are sent in clear with the commitments. In a regular Secret Handshake both users should use the same languages. But here, we have a more general situation (called dynamic matching in [AKB07]): the two participants will have the same final value if and only if they both belong to the organization the other expects. If one lies, our protocol guarantees no information leakage. Furthermore, the semantic security of the session is even guaranteed with respect to the authorities, in a forward-secure way (this property is also achieved in [JL09], but in a weaker security model). Finally, our scheme supports revocation and can handle roles as in [AKB07]. Standard secret handshakes, like [AKB07], usually work with credentials delivered by a unique authority; this would remove our need for a hidden verification key and a private part of the language. Both users would only need to commit to signatures on their identity/credential, and show that they are valid. This would require a dozen group elements with our approach. Their construction requires only 4 elements under BDH; however, it relies on the asymmetric Waters IBE with only two elements, whereas the only security proof known for such an IBE [Duc10] requires an extra term in G_2, which would render their technique far less efficient, as several extra terms would be needed to expect a provably secure scheme. While sometimes less efficient, our LAKE approach can manage Secret Handshakes, and provide additional functionalities, like more granular control on the credential, as part of it can be expressly hidden by both users. More precisely, we provide the affiliation-hiding property and leave third parties unaware of the success/failure of the protocol.

Unlinkable Secret Handshakes. Moving the users' identity from the public pub part to the individual private priv part, and combining our technique with [BPV12], it is also possible to design an unlinkable Secret Handshakes protocol [JL09] with practical efficiency. It illustrates the case where committed values have to be proven to lie in a strict subset of G, as one has to commit to bits: the signed message M is now committed and not in clear; it thus has to be done bit-by-bit, since the encoding in G does not allow algebraic operations on the content to apply the Waters function to the message. It is thus possible to prove the knowledge of a Waters signature on a private message (identity) valid under a private verification key. Additional relations can be required on the latter to make authentication even stronger.

Acknowledgments

This work was supported in part by the European Commission through the FP7-ICT-2011-EU-Brazil Program under Contract SecFuNet and the ICT Program under Contract ICT ECRYPT II.

References

[ACGP11] Michel Abdalla, Céline Chevalier, Louis Granboulan, and David Pointcheval. Contributory password-authenticated group key exchange with join capability. In Aggelos Kiayias, editor, Topics in Cryptology - CT-RSA 2011, volume 6558 of Lecture Notes in Computer Science. Springer, February 2011.
[ACP09] Michel Abdalla, Céline Chevalier, and David Pointcheval. Smooth projective hashing for conditionally extractable commitments. In Shai Halevi, editor, Advances in Cryptology - CRYPTO 2009, volume 5677 of Lecture Notes in Computer Science. Springer, August 2009.
[AKB07] Giuseppe Ateniese, Jonathan Kirsch, and Marina Blanton. Secret handshakes with dynamic and fuzzy matching. In ISOC Network and Distributed System Security Symposium - NDSS 2007. The Internet Society, February / March 2007.
[BBS04] Dan Boneh, Xavier Boyen, and Hovav Shacham. Short group signatures. In Matthew Franklin, editor, Advances in Cryptology - CRYPTO 2004, volume 3152 of Lecture Notes in Computer Science. Springer, August 2004.


More information

An Introduction to Morita Theory

An Introduction to Morita Theory An Introducton to Morta Theory Matt Booth October 2015 Nov. 2017: made a few revsons. Thanks to Nng Shan for catchng a typo. My man reference for these notes was Chapter II of Bass s book Algebrac K-Theory

More information

Information-Theoretic Timed-Release Security: Key-Agreement, Encryption, and Authentication Codes

Information-Theoretic Timed-Release Security: Key-Agreement, Encryption, and Authentication Codes Informaton-Theoretc Tmed-Release Securty: Key-Agreement, Encrypton, and Authentcaton Codes Yohe Watanabe, Takenobu Seto, Junj Shkata Graduate School of Envronment and Informaton Scences, Yokohama Natonal

More information

Message modification, neutral bits and boomerangs

Message modification, neutral bits and boomerangs Message modfcaton, neutral bts and boomerangs From whch round should we start countng n SHA? Antone Joux DGA and Unversty of Versalles St-Quentn-en-Yvelnes France Jont work wth Thomas Peyrn 1 Dfferental

More information

For now, let us focus on a specific model of neurons. These are simplified from reality but can achieve remarkable results.

For now, let us focus on a specific model of neurons. These are simplified from reality but can achieve remarkable results. Neural Networks : Dervaton compled by Alvn Wan from Professor Jtendra Malk s lecture Ths type of computaton s called deep learnng and s the most popular method for many problems, such as computer vson

More information

Report on Image warping

Report on Image warping Report on Image warpng Xuan Ne, Dec. 20, 2004 Ths document summarzed the algorthms of our mage warpng soluton for further study, and there s a detaled descrpton about the mplementaton of these algorthms.

More information

On the correction of the h-index for career length

On the correction of the h-index for career length 1 On the correcton of the h-ndex for career length by L. Egghe Unverstet Hasselt (UHasselt), Campus Depenbeek, Agoralaan, B-3590 Depenbeek, Belgum 1 and Unverstet Antwerpen (UA), IBW, Stadscampus, Venusstraat

More information

Practical Functional Encryption for Quadratic Functions with Applications to Predicate Encryption

Practical Functional Encryption for Quadratic Functions with Applications to Predicate Encryption Practcal Functonal Encrypton for Quadratc Functons wth Applcatons to Predcate Encrypton Carmen Elsabetta Zara Baltco 1, Daro Catalano 1, Daro Fore 2, and Roman Gay 3 1 Dpartmento d Matematca e Informatca,

More information

College of Computer & Information Science Fall 2009 Northeastern University 20 October 2009

College of Computer & Information Science Fall 2009 Northeastern University 20 October 2009 College of Computer & Informaton Scence Fall 2009 Northeastern Unversty 20 October 2009 CS7880: Algorthmc Power Tools Scrbe: Jan Wen and Laura Poplawsk Lecture Outlne: Prmal-dual schema Network Desgn:

More information

ISSN: ISO 9001:2008 Certified International Journal of Engineering and Innovative Technology (IJEIT) Volume 3, Issue 1, July 2013

ISSN: ISO 9001:2008 Certified International Journal of Engineering and Innovative Technology (IJEIT) Volume 3, Issue 1, July 2013 ISSN: 2277-375 Constructon of Trend Free Run Orders for Orthogonal rrays Usng Codes bstract: Sometmes when the expermental runs are carred out n a tme order sequence, the response can depend on the run

More information

Cryptographic Protocols

Cryptographic Protocols Cryptographc Protocols Entty Authentcaton Key Agreement Fat-Shamr Identfcaton Schemes Zero-Knowledge Proof Systems Shnorr s Identfcaton/Sgnature Scheme Commtment Schemes Secret Sharng Electronc Electon

More information

Notes on Frequency Estimation in Data Streams

Notes on Frequency Estimation in Data Streams Notes on Frequency Estmaton n Data Streams In (one of) the data streamng model(s), the data s a sequence of arrvals a 1, a 2,..., a m of the form a j = (, v) where s the dentty of the tem and belongs to

More information

The optimal delay of the second test is therefore approximately 210 hours earlier than =2.

The optimal delay of the second test is therefore approximately 210 hours earlier than =2. THE IEC 61508 FORMULAS 223 The optmal delay of the second test s therefore approxmately 210 hours earler than =2. 8.4 The IEC 61508 Formulas IEC 61508-6 provdes approxmaton formulas for the PF for smple

More information

Improving the Round Complexity of VSS in Point-to-Point Networks

Improving the Round Complexity of VSS in Point-to-Point Networks Improvng the Round Complexty of VSS n Pont-to-Pont Networks Jonathan Katz Chu-Yuen Koo Rant Kumaresan Abstract We revst the followng queston: what s the optmal round complexty of verfable secret sharng

More information

Lecture 12: Discrete Laplacian

Lecture 12: Discrete Laplacian Lecture 12: Dscrete Laplacan Scrbe: Tanye Lu Our goal s to come up wth a dscrete verson of Laplacan operator for trangulated surfaces, so that we can use t n practce to solve related problems We are mostly

More information

Post-Quantum EPID Group Signatures from Symmetric Primitives

Post-Quantum EPID Group Signatures from Symmetric Primitives Post-Quantum EPID Group Sgnatures from Symmetrc Prmtves Dan Boneh Stanford Unversty dabo@cs.stanford.edu Saba Eskandaran Stanford Unversty saba@cs.stanford.edu Ben Fsch Stanford Unversty bfsch@cs.stanford.edu

More information

Week 5: Neural Networks

Week 5: Neural Networks Week 5: Neural Networks Instructor: Sergey Levne Neural Networks Summary In the prevous lecture, we saw how we can construct neural networks by extendng logstc regresson. Neural networks consst of multple

More information

U.C. Berkeley CS294: Spectral Methods and Expanders Handout 8 Luca Trevisan February 17, 2016

U.C. Berkeley CS294: Spectral Methods and Expanders Handout 8 Luca Trevisan February 17, 2016 U.C. Berkeley CS94: Spectral Methods and Expanders Handout 8 Luca Trevsan February 7, 06 Lecture 8: Spectral Algorthms Wrap-up In whch we talk about even more generalzatons of Cheeger s nequaltes, and

More information

Anonymous Identity-Based Broadcast Encryption with Revocation for File Sharing

Anonymous Identity-Based Broadcast Encryption with Revocation for File Sharing Anonymous Identty-Based Broadcast Encrypton wth Revocaton for Fle Sharng Janchang La, Y Mu, Fuchun Guo, Wlly Suslo, and Rongmao Chen Centre for Computer and Informaton Securty Research, School of Computng

More information

Introduction to Algorithms

Introduction to Algorithms Introducton to Algorthms 6.046J/8.40J Lecture 7 Prof. Potr Indyk Data Structures Role of data structures: Encapsulate data Support certan operatons (e.g., INSERT, DELETE, SEARCH) Our focus: effcency of

More information

A New Biometric Identity Based Encryption Scheme

A New Biometric Identity Based Encryption Scheme NEYIRE DENIZ SARIER (2008). A New Bometrc Identty Based Encrypton Scheme. In Techncal Sessons for 2008 Internatonal Symposum on Trusted Computng (TrustCom 2008) n Proceedngs of the 9th Internatonal Conference

More information

Additional Codes using Finite Difference Method. 1 HJB Equation for Consumption-Saving Problem Without Uncertainty

Additional Codes using Finite Difference Method. 1 HJB Equation for Consumption-Saving Problem Without Uncertainty Addtonal Codes usng Fnte Dfference Method Benamn Moll 1 HJB Equaton for Consumpton-Savng Problem Wthout Uncertanty Before consderng the case wth stochastc ncome n http://www.prnceton.edu/~moll/ HACTproect/HACT_Numercal_Appendx.pdf,

More information

Feature Selection: Part 1

Feature Selection: Part 1 CSE 546: Machne Learnng Lecture 5 Feature Selecton: Part 1 Instructor: Sham Kakade 1 Regresson n the hgh dmensonal settng How do we learn when the number of features d s greater than the sample sze n?

More information

Algebraic partitioning: Fully compact and (almost) tightly secure cryptography

Algebraic partitioning: Fully compact and (almost) tightly secure cryptography Algebrac parttonng: Fully compact and (almost) tghtly secure cryptography Denns Hofhenz October 12, 2015 Abstract We descrbe a new technque for conductng parttonng arguments. Parttonng arguments are a

More information

6.842 Randomness and Computation February 18, Lecture 4

6.842 Randomness and Computation February 18, Lecture 4 6.842 Randomness and Computaton February 18, 2014 Lecture 4 Lecturer: Rontt Rubnfeld Scrbe: Amartya Shankha Bswas Topcs 2-Pont Samplng Interactve Proofs Publc cons vs Prvate cons 1 Two Pont Samplng 1.1

More information

Finding Primitive Roots Pseudo-Deterministically

Finding Primitive Roots Pseudo-Deterministically Electronc Colloquum on Computatonal Complexty, Report No 207 (205) Fndng Prmtve Roots Pseudo-Determnstcally Ofer Grossman December 22, 205 Abstract Pseudo-determnstc algorthms are randomzed search algorthms

More information

On a CCA2-secure variant of McEliece in the standard model

On a CCA2-secure variant of McEliece in the standard model On a CCA2-secure varant of McElece n the standard model Edoardo Perschett Department of Mathematcs, Unversty of Auckland, New Zealand. e.perschett@math.auckland.ac.nz Abstract. We consder publc-key encrypton

More information

The Second Anti-Mathima on Game Theory

The Second Anti-Mathima on Game Theory The Second Ant-Mathma on Game Theory Ath. Kehagas December 1 2006 1 Introducton In ths note we wll examne the noton of game equlbrum for three types of games 1. 2-player 2-acton zero-sum games 2. 2-player

More information

Lecture 10 Support Vector Machines II

Lecture 10 Support Vector Machines II Lecture 10 Support Vector Machnes II 22 February 2016 Taylor B. Arnold Yale Statstcs STAT 365/665 1/28 Notes: Problem 3 s posted and due ths upcomng Frday There was an early bug n the fake-test data; fxed

More information

RSA /2002/13(08) , ); , ) RSA RSA : RSA RSA [2] , [1,4]

RSA /2002/13(08) , ); , )     RSA RSA : RSA RSA [2] , [1,4] 1000-9825/2002/13(081729-06 2002 Journal of Software Vol13, No8 RSA 1,2 1, 1 (, 200433; 2 (, 200070 E-mal: yfhu@fudaneducn http://wwwfudaneducn : RSA RSA :, ; RSA,,, RSA,, : ; RSA ; ;RSA; : TP309 : A RSA

More information

Cryptanalysis of Threshold Proxy Signature Schemes 1)

Cryptanalysis of Threshold Proxy Signature Schemes 1) MM Research Preprnts, 226 233 MMRC, AMSS, Academa Snca No. 23, December 24 Cryptanalyss of Threshold Proxy Sgnature Schemes 1) Zuo-Wen Tan and Zhuo-Jun Lu Key Laboratory of Mathematcs Mechanzaton Insttute

More information

NUMERICAL DIFFERENTIATION

NUMERICAL DIFFERENTIATION NUMERICAL DIFFERENTIATION 1 Introducton Dfferentaton s a method to compute the rate at whch a dependent output y changes wth respect to the change n the ndependent nput x. Ths rate of change s called the

More information

Lecture 4: November 17, Part 1 Single Buffer Management

Lecture 4: November 17, Part 1 Single Buffer Management Lecturer: Ad Rosén Algorthms for the anagement of Networs Fall 2003-2004 Lecture 4: November 7, 2003 Scrbe: Guy Grebla Part Sngle Buffer anagement In the prevous lecture we taled about the Combned Input

More information

Tightly CCA-Secure Encryption without Pairings

Tightly CCA-Secure Encryption without Pairings Tghtly CCA-Secure Encrypton wthout Parngs Roman Gay 1,, Denns Hofhenz 2,, Eke Kltz 3,, and Hoeteck Wee 1, 1 ENS, Pars, France rgay,wee@d.ens.fr 2 Ruhr-Unverstät Bochum, Bochum, Germany eke.kltz@rub.de

More information

Calculation of time complexity (3%)

Calculation of time complexity (3%) Problem 1. (30%) Calculaton of tme complexty (3%) Gven n ctes, usng exhaust search to see every result takes O(n!). Calculaton of tme needed to solve the problem (2%) 40 ctes:40! dfferent tours 40 add

More information

Polynomials. 1 More properties of polynomials

Polynomials. 1 More properties of polynomials Polynomals 1 More propertes of polynomals Recall that, for R a commutatve rng wth unty (as wth all rngs n ths course unless otherwse noted), we defne R[x] to be the set of expressons n =0 a x, where a

More information

Lai-Massey Scheme and Quasi-Feistel Networks (Extended Abstract)

Lai-Massey Scheme and Quasi-Feistel Networks (Extended Abstract) La-Massey Scheme and Quas-Festel Networks (Extended Abstract Aaram Yun, Je Hong Park 2, and Jooyoung Lee 2 Unversty of Mnnesota - Twn Ctes aaramyun@gmalcom 2 ETRI Network & Communcaton Securty Dvson, Korea

More information

Attacks on RSA The Rabin Cryptosystem Semantic Security of RSA Cryptology, Tuesday, February 27th, 2007 Nils Andersen. Complexity Theoretic Reduction

Attacks on RSA The Rabin Cryptosystem Semantic Security of RSA Cryptology, Tuesday, February 27th, 2007 Nils Andersen. Complexity Theoretic Reduction Attacks on RSA The Rabn Cryptosystem Semantc Securty of RSA Cryptology, Tuesday, February 27th, 2007 Nls Andersen Square Roots modulo n Complexty Theoretc Reducton Factorng Algorthms Pollard s p 1 Pollard

More information

Problem Set 9 Solutions

Problem Set 9 Solutions Desgn and Analyss of Algorthms May 4, 2015 Massachusetts Insttute of Technology 6.046J/18.410J Profs. Erk Demane, Srn Devadas, and Nancy Lynch Problem Set 9 Solutons Problem Set 9 Solutons Ths problem

More information

Subset Topological Spaces and Kakutani s Theorem

Subset Topological Spaces and Kakutani s Theorem MOD Natural Neutrosophc Subset Topologcal Spaces and Kakutan s Theorem W. B. Vasantha Kandasamy lanthenral K Florentn Smarandache 1 Copyrght 1 by EuropaNova ASBL and the Authors Ths book can be ordered

More information

Lecture 17: Lee-Sidford Barrier

Lecture 17: Lee-Sidford Barrier CSE 599: Interplay between Convex Optmzaton and Geometry Wnter 2018 Lecturer: Yn Tat Lee Lecture 17: Lee-Sdford Barrer Dsclamer: Please tell me any mstake you notced. In ths lecture, we talk about the

More information

More metrics on cartesian products

More metrics on cartesian products More metrcs on cartesan products If (X, d ) are metrc spaces for 1 n, then n Secton II4 of the lecture notes we defned three metrcs on X whose underlyng topologes are the product topology The purpose of

More information

THE CHINESE REMAINDER THEOREM. We should thank the Chinese for their wonderful remainder theorem. Glenn Stevens

THE CHINESE REMAINDER THEOREM. We should thank the Chinese for their wonderful remainder theorem. Glenn Stevens THE CHINESE REMAINDER THEOREM KEITH CONRAD We should thank the Chnese for ther wonderful remander theorem. Glenn Stevens 1. Introducton The Chnese remander theorem says we can unquely solve any par of

More information

Basic Regular Expressions. Introduction. Introduction to Computability. Theory. Motivation. Lecture4: Regular Expressions

Basic Regular Expressions. Introduction. Introduction to Computability. Theory. Motivation. Lecture4: Regular Expressions Introducton to Computablty Theory Lecture: egular Expressons Prof Amos Israel Motvaton If one wants to descrbe a regular language, La, she can use the a DFA, Dor an NFA N, such L ( D = La that that Ths

More information

VQ widely used in coding speech, image, and video

VQ widely used in coding speech, image, and video at Scalar quantzers are specal cases of vector quantzers (VQ): they are constraned to look at one sample at a tme (memoryless) VQ does not have such constrant better RD perfomance expected Source codng

More information

arxiv:quant-ph/ Jul 2002

arxiv:quant-ph/ Jul 2002 Lnear optcs mplementaton of general two-photon proectve measurement Andrze Grudka* and Anton Wóck** Faculty of Physcs, Adam Mckewcz Unversty, arxv:quant-ph/ 9 Jul PXOWRZVNDR]QDRODQG Abstract We wll present

More information

2 More examples with details

2 More examples with details Physcs 129b Lecture 3 Caltech, 01/15/19 2 More examples wth detals 2.3 The permutaton group n = 4 S 4 contans 4! = 24 elements. One s the dentty e. Sx of them are exchange of two objects (, j) ( to j and

More information

Numerical Heat and Mass Transfer

Numerical Heat and Mass Transfer Master degree n Mechancal Engneerng Numercal Heat and Mass Transfer 06-Fnte-Dfference Method (One-dmensonal, steady state heat conducton) Fausto Arpno f.arpno@uncas.t Introducton Why we use models and

More information

12. The Hamilton-Jacobi Equation Michael Fowler

12. The Hamilton-Jacobi Equation Michael Fowler 1. The Hamlton-Jacob Equaton Mchael Fowler Back to Confguraton Space We ve establshed that the acton, regarded as a functon of ts coordnate endponts and tme, satsfes ( ) ( ) S q, t / t+ H qpt,, = 0, and

More information

Lecture Space-Bounded Derandomization

Lecture Space-Bounded Derandomization Notes on Complexty Theory Last updated: October, 2008 Jonathan Katz Lecture Space-Bounded Derandomzaton 1 Space-Bounded Derandomzaton We now dscuss derandomzaton of space-bounded algorthms. Here non-trval

More information

Augmented Broadcaster Identity-based Broadcast Encryption

Augmented Broadcaster Identity-based Broadcast Encryption Augmented Broadcaster Identty-based Broadcast Encrypton Janhong Zhang Yuwe Xu Zhpeng Chen Insttuton of Image Processng and Pattern Recognton North Chna Unversty of Technology Bejng Chna 100144 ywxupaper@163com

More information

Short Pairing-based Non-interactive Zero-Knowledge Arguments

Short Pairing-based Non-interactive Zero-Knowledge Arguments Short Parng-based Non-nteractve Zero-Knowledge Arguments Jens Groth Unversty College London j.groth@ucl.ac.uk October 26, 2010 Abstract. We construct non-nteractve zero-knowledge arguments for crcut satsfablty

More information

12 MATH 101A: ALGEBRA I, PART C: MULTILINEAR ALGEBRA. 4. Tensor product

12 MATH 101A: ALGEBRA I, PART C: MULTILINEAR ALGEBRA. 4. Tensor product 12 MATH 101A: ALGEBRA I, PART C: MULTILINEAR ALGEBRA Here s an outlne of what I dd: (1) categorcal defnton (2) constructon (3) lst of basc propertes (4) dstrbutve property (5) rght exactness (6) localzaton

More information

Learning Theory: Lecture Notes

Learning Theory: Lecture Notes Learnng Theory: Lecture Notes Lecturer: Kamalka Chaudhur Scrbe: Qush Wang October 27, 2012 1 The Agnostc PAC Model Recall that one of the constrants of the PAC model s that the data dstrbuton has to be

More information

Efficient Ring Signatures Without Random Oracles

Efficient Ring Signatures Without Random Oracles Effcent Rng Sgnatures Wthout Random Oracles Hovav Shacham hovav.shacham@wezmann.ac.l Brent Waters bwaters@csl.sr.com Abstract We descrbe the frst effcent rng sgnature scheme secure, wthout random oracles,

More information

Some Consequences. Example of Extended Euclidean Algorithm. The Fundamental Theorem of Arithmetic, II. Characterizing the GCD and LCM

Some Consequences. Example of Extended Euclidean Algorithm. The Fundamental Theorem of Arithmetic, II. Characterizing the GCD and LCM Example of Extended Eucldean Algorthm Recall that gcd(84, 33) = gcd(33, 18) = gcd(18, 15) = gcd(15, 3) = gcd(3, 0) = 3 We work backwards to wrte 3 as a lnear combnaton of 84 and 33: 3 = 18 15 [Now 3 s

More information

Complete subgraphs in multipartite graphs

Complete subgraphs in multipartite graphs Complete subgraphs n multpartte graphs FLORIAN PFENDER Unverstät Rostock, Insttut für Mathematk D-18057 Rostock, Germany Floran.Pfender@un-rostock.de Abstract Turán s Theorem states that every graph G

More information

arxiv: v1 [quant-ph] 6 Sep 2007

arxiv: v1 [quant-ph] 6 Sep 2007 An Explct Constructon of Quantum Expanders Avraham Ben-Aroya Oded Schwartz Amnon Ta-Shma arxv:0709.0911v1 [quant-ph] 6 Sep 2007 Abstract Quantum expanders are a natural generalzaton of classcal expanders.

More information

CSci 6974 and ECSE 6966 Math. Tech. for Vision, Graphics and Robotics Lecture 21, April 17, 2006 Estimating A Plane Homography

CSci 6974 and ECSE 6966 Math. Tech. for Vision, Graphics and Robotics Lecture 21, April 17, 2006 Estimating A Plane Homography CSc 6974 and ECSE 6966 Math. Tech. for Vson, Graphcs and Robotcs Lecture 21, Aprl 17, 2006 Estmatng A Plane Homography Overvew We contnue wth a dscusson of the major ssues, usng estmaton of plane projectve

More information

= z 20 z n. (k 20) + 4 z k = 4

= z 20 z n. (k 20) + 4 z k = 4 Problem Set #7 solutons 7.2.. (a Fnd the coeffcent of z k n (z + z 5 + z 6 + z 7 + 5, k 20. We use the known seres expanson ( n+l ( z l l z n below: (z + z 5 + z 6 + z 7 + 5 (z 5 ( + z + z 2 + z + 5 5

More information

COS 521: Advanced Algorithms Game Theory and Linear Programming

COS 521: Advanced Algorithms Game Theory and Linear Programming COS 521: Advanced Algorthms Game Theory and Lnear Programmng Moses Charkar February 27, 2013 In these notes, we ntroduce some basc concepts n game theory and lnear programmng (LP). We show a connecton

More information