Post-quantum Security for the Extended Access Control Protocol

Abstract

The Extended Access Control (EAC) protocol for authenticated key agreement is mainly used to secure connections between machine-readable travel documents (MRTDs) and inspection terminals, but it can also be adopted as a universal solution for attribute-based access control with smart cards. The security of EAC is currently based on the Diffie-Hellman problem, which may not be hard when considering quantum computers.

In this work we present PQ-EAC, a quantum-resistant version of the EAC protocol. We show how to achieve post-quantum confidentiality and authentication without sacrificing real-world usability on smart cards. To ease adoption, we present two main versions of PQ-EAC: One that uses signatures for authentication and one where authentication is facilitated using long-term KEM keys. Both versions can be adapted to achieve forward secrecy and to reduce round complexity. To ensure backwards-compatibility, PQ-EAC can be implemented using only Application Protocol Data Units (APDUs) specified for EAC in standard BSI TR-03110. Merely the protocol messages needed to achieve forward secrecy require an additional APDU not specified in TR-03110. We prove security of all versions in the real-or-random model of Bellare and Rogaway.

To show real-world practicality of PQ-EAC we have implemented a version using signatures on an ARM SC300 security controller, which is typically deployed in MRTDs. We also implemented PQ-EAC on a VISOCORE^® terminal for border control. We then conducted several experiments to evaluate the performance of PQ-EAC executed between chip and terminal under various real-world conditions. Our results strongly suggest that PQ-EAC is efficient enough for use in border control.

Appendices

A Security Definitions

In this section we introduce the underlying primitives and their security notions for building the key exchange protocols as defined in, for example, [35].

1.1 A.1 Key Encapsulation

Definition 1 (Key Encapsulation Mechanism)

A key encapsulation mechanism \({\textsf{KEM}}=(\textsf{KeyGen},{\textsf{Encaps}}, {\textsf{Decaps}})\) consists of three efficient algorithms where:

• Key Generation: Algorithm \(\textsf{KeyGen}\) on input the security parameter \(1^n\) (in unary) outputs a key pair, \((\textsf{sk},\textsf{pk})\leftarrow \textsf{KeyGen}(1^n)\). We assume that \(1^n\) is recoverable from either key.

• Encapsulation: The encapsulation algorithm takes as input a public key \(\textsf{pk}\) and returns a ciphertext and a key, \((c,\textsf{k})\leftarrow {\textsf{Encaps}}(\textsf{pk})\). We assume usually that the key is of bit length \(n\).

• Decapsulation: The decapsulation algorithm takes as input a secret key \(\textsf{sk}\) and a ciphertext c, and returns a key or an error symbol, \(\textsf{k}\leftarrow {\textsf{Decaps}}(\textsf{sk},c)\), where \(\textsf{k}\) is either of size \(n\) or equals \(\bot \). Usually decapsulation is deterministic.

We require that decapsulation merely has a negligible error. That is, we denote by \(\textrm{Pr}\big [{{\textbf {Exp}}^{\text {decErr}}_{{\textsf{KEM}}}(n)=1}\big ]\) the probability of an encryption error for \({\textsf{KEM}}=(\textsf{KeyGen},{\textsf{Encaps}},{\textsf{Decaps}})\), where \({\textsf{Decaps}}(\textsf{sk},c)\ne \textsf{k}\) for \((\textsf{sk},\textsf{pk})\leftarrow \textsf{KeyGen}(n)\) and \((c,\textsf{k})\leftarrow {\textsf{Encaps}}(\textsf{pk})\).

We next define CPA- and CCA-security for key encapsulation mechanism in one go:

Definition 2 (IND-CPA and IND-CCA security of KEM)

For a key encapsulation mechanism \({\textsf{KEM}}=(\textsf{KeyGen},{\textsf{Encaps}},{\textsf{Decaps}})\) and adversary \(\mathcal {A}\) define experiment \({\textbf {Exp}}^{\text {IND-att}}_{{\textsf{KEM}},\mathcal {A}}(n)\) as in Fig. 6. We say that \({\textsf{KEM}}\) is IND-att secure (for att = CPA or CCA) if for any efficient adversary \(\mathcal {A}\) we have that

$$\begin{aligned} {\textbf {Adv}}^{\text {IND-att}}_{{\textsf{KEM}},\mathcal {A}}(n):=\textrm{Pr}\big [{{\textbf {Exp}}^{\text {IND-att}}_{{\textsf{KEM}},\mathcal {A}}(n)=1}\big ]-\frac{1}{2} \end{aligned}$$

is negligible.

Fig. 6.

IND-CPA/IND-CCA security experiment for key encapsulation mechanism

For our key exchange protocol KemPQEAC we also use a symmetric encryption scheme (for keys \(\textsf{k}\) from \(\{0,1\}^n\)) where \(c\leftarrow \textsf{Enc}(\textsf{k},m)\) creates a ciphertext, and \(m\leftarrow \textsf{Dec}(\textsf{k},c)\) always recovers the encrypted message m. In the protocol this encryption step provides extra privacy for the chip by encrypting its identity. We do not discuss this privacy property formally here and thus neither the security notions for the encryption scheme.

1.2 A.2 Message Authentication, Signature Schemes, and Certificate Schemes

We define message authentication schemes, signature schemes, and certificate schemes with a single definition. All schemes serve the purpose of authenticating data. The only difference between the private-key message authentication codes (MACs) and the public-key signature and certificate schemes lies in the verification key \(\textsf{vk}\): MACs use the key \(\textsf{vk}=\textsf{sk}\) to verify authenticity, whereas signatures and certificates are verified against the public key \(\textsf{vk}=\textsf{pk}\). In the descriptions and security games we thus set \(\textsf{vk}\) accordingly, and the public key for MACs to be empty and for signatures and certificates equal to \(\textsf{vk}\). We call the primitive abstractly an authentication scheme:

Definition 3 (Authenticaton Scheme)

An authentication scheme \({\mathcal{A}\mathcal{S}}=({\textsf{AKGen}},{\textsf{AAuth}},{\textsf{AVf}})\) consists of three efficient algorithms such that:

• Key Generation: Algorithm \({\textsf{AKGen}}\) on input \(1^n\) returns a key triple \((\textsf{sk},\textsf{pk},\textsf{vk})\leftarrow {\textsf{SKGen}}(1^n)\). We assume that \(n\) is recoverable from either key.

• Authentication: On input the secret key \(\textsf{sk}\) and a message \(m\in \{0,1\}^*\), the authentication algorithm outputs an authenticator, \(\sigma \leftarrow {\textsf{AAuth}}(\textsf{sk},m)\).

• Verification: On input a verification key \(\textsf{vk}\), a message m, an authenticator \(\sigma \), the verification algorithm outputs a decision bit, \(d\leftarrow {\textsf{AVf}}(\textsf{vk},m,\sigma )\). Usually, \({\textsf{AVf}}\) is deterministic.

We require that verification always succeeds. That is, it never happens that \({\textsf{AVf}}(\textsf{sk},m,\sigma )=0\) for any \((\textsf{sk},\textsf{pk},\textsf{vk})\leftarrow {\textsf{SKGen}}(1^n)\), any \(m\in \{0,1\}^*\), and any \(\sigma \leftarrow {\textsf{AAuth}}(\textsf{sk},m)\).

Unlike key encapsulation we define authentication schemes with perfect correctness since all known schemes in practice achieve this.

Definition 4 (EUF-CMA of Authentication Schemes)

For an authentication scheme \({\mathcal{A}\mathcal{S}}=({\textsf{AKGen}},{\textsf{AAuth}},{\textsf{AVf}})\) and adversary \(\mathcal {A}\) define experiment \({\textbf {Exp}}^{\text {EUF-CMA}}_{{\mathcal{A}\mathcal{S}},\mathcal {A}}(n)\) as in Fig. 7. We say that \({\mathcal{A}\mathcal{S}}\) is EUF-CMA if for any efficient adversary \(\mathcal {A}\) we have that \(\textrm{Pr}\big [{{\textbf {Exp}}^{\text {EUF-CMA}}_{{\mathcal{A}\mathcal{S}},\mathcal {A}}(n)=1}\big ]\) is negligible.

Fig. 7.

EUF-CMA security experiment for authentication schemes

A signature scheme \({\mathcal {S}}=({\textsf{SKGen}},{\textsf{Sig}},{\textsf{SVf}})\) is an authenticator scheme where \((\textsf{sk},\textsf{pk},\textsf{vk})\leftarrow {\textsf{AKGen}}(1^n)\) for \((\textsf{sk},\textsf{pk})\leftarrow {\textsf{SKGen}}(1^n)\) and \(\textsf{vk}\leftarrow \textsf{pk}\). A certificate scheme \(\mathcal {C}=(\textsf{CKGen},\textsf{CSign},\textsf{CVf})\) is an authenticator scheme where \((\textsf{sk},\textsf{pk},\textsf{vk})\leftarrow {\textsf{AKGen}}(1^n)\) for \((\textsf{sk},\textsf{pk})\leftarrow \textsf{CKGen}(1^n)\) and \(\textsf{vk}\leftarrow \textsf{pk}\). A message authentication code \({\mathcal {M}}=({\textsf{MKGen}},\textsf{MAC},{\textsf{MVf}})\) is an authenticator scheme where \((\textsf{sk},\textsf{pk},\textsf{vk})\leftarrow {\textsf{AKGen}}(1^n)\) for \(\textsf{sk}\leftarrow {\textsf{MKGen}}(1^n)\) and \(\textsf{vk}\leftarrow \textsf{sk}\) and \(\textsf{pk}\leftarrow \bot \). EUF-CMA security now follows from the general definition. We usually assume that the key generation algorithm simply generates a uniformly distributed key of \(n\) bits.

1.3 A.3 Key Derivation Functions

We assume that key derivation functions act as pseudorandom functions, as long as the keying material contains enough (min-)entropy. The latter is captured by considering arbitrary distributions \(\mathcal {D}\) which take the seucurity parameter \(1^n\) as input and output \(\textsf {IKM}\) with min-entropy \(H_\infty (\textsf {IKM})\ge n\). We call such distributions non-trivial. We follow here the presentation of Krawczyk [38].

Definition 5 (Key Derivation Function)

A key derivation function \({\textsf{KDF}}\) takes as input keying material \(\textsf {IKM}\), context information \(\textsf {ctxt}\), and an integer \(\ell \), and outputs a string of length \(\ell \). We assume that the length of \(\textsf {IKM}\) determines the security parameter \(n\).

Security now requires that the key derivation function’s output for \(\textsf {IKM}\) looks random, even if the adversary sees actual derived keys at other inputs \((\textsf {ctxt},\ell )\):

Definition 6 (Pseudorandomness of Key Derivation Function)

For a key derivation function \({\textsf{KDF}}\), adversary \(\mathcal {A}\), and distribution \(\mathcal {D}\) define experiment \({\textbf {Exp}}^{\text {PRF}}_{{\textsf{KDF}},\mathcal {A},\mathcal {D}}(n)\) as in Fig. 8. We say that \({\textsf{KDF}}\) is pseudorandom if for any efficient adversary \(\mathcal {A}\) and any non-trivial distribution (with min-entropy \(n\)), we have that

$$ {\textbf {Adv}}^{\text {PRF}}_{{\textsf{KDF}},\mathcal {A},\mathcal {D}}(n) :=\textrm{Pr}\big [{{\textbf {Exp}}^{\text {PRF}}_{{\textsf{KDF}},\mathcal {A},\mathcal {D}}(n)=1}\big ]-\frac{1}{2} $$

is negligible.

Fig. 8.

Pseudorandomness experiment for Key Derivation Functions

1.4 A.4 Key Combiners

For the forward-secure version of the PQEAC protocols we use a static KEM and an ephemeral KEM to share keys \(\textsf{k}\) and \(\textsf{k}^e\). In this case the parties need to derive a single key from the two keys. This has been discussed more broadly in the context of KEM combiners in [25] and for quantum adversaries in [12], but since we have already embedded the KEM mechanism in the key exchange protocol, we focus here on the pure key combining part. We note that we cannot immediately rely on the KEM combiner in [12], since it assumes faithfully created but potentially weak encapsulations, whereas in our setting the adversary may choose the encapsulations maliciously. While Bindel et al. [12] argue that such genuine encapsulations are sufficient to build hybrid authenticated key exchange protocols via Krawczyk’s SIGMA compiler [37], the EAC protocol does not perfectly comply to the SIGMA standard.

Definition 7 (Key Combiner)

A key combiner \({\textsf{KComb}}\) takes as input keying material \(\textsf {IKM}_0,\textsf {IKM}_1\), both of length n, and outputs a string of length n.

Security demands that \({\textsf{KComb}}\) is a dual pseudorandom function, meaning that both \({\textsf{KComb}}(\textsf {IKM}_0,\cdot )\) and \({\textsf{KComb}}(\cdot ,\textsf {IKM}_1)\) are pseudorandom functions. It follows that we can reasonably assume that HKDF resp. HMAC [7, 38] or the TLS-based nested key derivation function in [53] is an appropriate instantiation for a key combiner.

Definition 8 (Dual Pseudorandomness of Key Combiner)

For a key combiner \({\textsf{KComb}}\) and adversary \(\mathcal {A}\) define experiment \({\textbf {Exp}}^{\text {dPRF}-\beta }_{{\textsf{KComb}},\mathcal {A}}(n)\) as in Fig. 9. We say that \({\textsf{KComb}}\) is (dual) pseudorandom if for any efficient adversary \(\mathcal {A}\) we have that

$$ {\textbf {Adv}}^{\text {dPRF}}_{{\textsf{KComb}},\mathcal {A}}(n) :=\max _{\beta \in \{0,1\}}\left\{ \textrm{Pr}\big [{{\textbf {Exp}}^{\text {dPRF}-\beta }_{{\textsf{KComb}},\mathcal {A}}(n)=1}\big ]-\frac{1}{2}\right\} $$

is negligible.

Fig. 9.

Dual pseudorandomness experiment for Key Combiners

B Hybrid Schemes

KEM Combiner. To achieve hybrid security, we make use of combiner schemes as proposed by Bindel et al. [12]. In the following, let \({\textsf{KEM}}_1= (\textsf{KeyGen}_1, {\textsf{Encaps}}_1,{\textsf{Decaps}}_1)\) and \({\textsf{KEM}}_2= (\textsf{KeyGen}_2,{\textsf{Encaps}}_2,{\textsf{Decaps}}_2)\) be two KEMs and let \(\mathcal {C}[{\textsf{KEM}}_1,{\textsf{KEM}}_2] = (\textsf{KeyGen}_{\mathcal {C}},{\textsf{Encaps}}_{\mathcal {C}},{\textsf{Decaps}}_{\mathcal {C}})\) be the hybrid KEM constructed by combiner mechanism \(\mathcal {C}\) from \({\textsf{KEM}}_1\) and \({\textsf{KEM}}_2\). For all combiners, the key generation of the combined scheme will simply be the concatenation of the two scheme’s keys as shown in Fig. 10.

A combiner is called robust if it combines two or more algorithms of the same kind such that the combined scheme provides security as long as one of the components provides security.

The XOR-Combiner. A naive method to combine two KEMs would be to take the XOR of their keys \(k=k_1 \oplus k_2\) as shown in Fig. 11. As noticed by Giacon et al. [25] this results in a KEM that is IND-CPA, but not IND-CCA secure. Assuming that the challenger combines two IND-CCA secure KEMs by taking the XOR of their keys as described, then an adversary in the IND-CCA experiment can proceed as follows: Given a challenge \(({\textsf{c}}_1^*,c_2^*)\), the adversary makes two decapsulation requests for \((c_1^*,c_2)\) and \((c_1,c_2^*)\) with randomly chosen ciphertexts \(c_1=c_2\). This information then allows the adversary to compute the decapsulation of the challenge ciphertext by taking the xor: \(k = k_1^* \oplus k_2 \oplus k_1 \oplus k_2^*=k_1^* \oplus k_2^*\).

Fig. 10.

Key generation function \(\mathcal {C}[\varSigma _1,\varSigma _2].\textsf{KeyGen}(1^n)\). The security parameter m needs to be derived from n depending on the requirements of the combiner.

Fig. 11.

KEM \(\text {XOR}[{\textsf{KEM}}_1,{\textsf{KEM}}_2]\) constructed by the naive XOR combiner (not IND-CCA secure).

The XOR-then-MAC Combiner. A better way to combine two KEMs is the XOR-then-MAC combiner as specified in Fig. 12. This approach prevents the mix-and-match attack. The construction requires a strongly robust MAC combiner \(\mathcal {C}[{\textsf{MAC}}_1,{\textsf{MAC}}_2]\) that provides one-time unforgeability even if one of the keys are chosen adversarially. Such a MAC combiner can be instantiated based on the Carter-Wegman paradigm [58] using universal hash functions. The XOR-then-MAC combiner is shown by Bindel et al. [12] to be robust. One drawback of this construction is that the resulting key-length is only half of that of the underlying KEMs.

Signature Combiner. As with KEMs there are also combiners that provide hybrid security for signature schemes. One might be tempted to avoid the use of signature combiners and instead deploy hash-based signature schemes, which are well-known to provide post-quantum security based on very weak assumptions. Such kinds of schemes have been around since the 1980s, which means that the usual concerns over the maturity of post-quantum cryptography do not apply here. However, even when using hash-based signatures it might be wise to combine them with a classical scheme as a fallback. This is because hash-based signatures require careful state management that is often difficult to assure.

Let \(\varPi _1= (\textsf{KeyGen}_1,\textsf{Sig}_1,\textsf{Vf}_1)\) and \(\varPi _2= (\textsf{KeyGen}_2,\textsf{Sig}_2,\textsf{Vf}_2)\) be two signature schemes. Then denote as \(\mathcal {C}[\varPi _1,\varPi _2]=(\textsf{KeyGen}_\mathcal {C},\textsf{Sig}_\mathcal {C},\textsf{Vf}_\mathcal {C})\) the hybrid signature scheme constructed from \(\varPi _1\) and \(\varPi _2\) using combiner mechanism \(\mathcal {C}\). For all combiners, the key generation of the combined scheme will simply be the concatenation of the two scheme’s keys as shown in Fig. 10. A signature combiner is called robust if it combines two or more algorithms of the same kind such that the combined scheme provides security as long as one of its components provides security.

\(\mathcal {C}_{||}\) Combiner. This trivial combiner concatenates independent signatures from the two schemes side-by-side, as defined in Fig. 13. Even though very simple, the construction is shown to be robust by Bindel et al. [13].

Fig. 12.

KEM \(\text {XtM}[{\textsf{KEM}}_1,{\textsf{KEM}}_2]\) constructed by the XOR-then-MAC combiner.

Fig. 13.

Hybrid signature scheme \(\mathcal {C}_{||}[\varPi _1,\varPi _2]\) constructed by concatenation.

\(\mathcal {C}_{\text {str-nest}}\)-Combiner. One problem with the \(\mathcal {C}_{||}\)-Combiner is that due to downgrade attacks, separability of signatures is usually considered a liability in signature combiners. In downgrade attacks an adversary queries a signing oracle for a combined signature and later pretends to know only one of the schemes – this makes it possible for the adversary to separate a signature from a combined signature and pass it as a forgery. If downgrade attacks are to be expected – as it might be the case with an international protocol like EAC with multiple versions in concurrent use – it is recommended to use a \(\mathcal {C}_{\text {str-nest}}\)-Combiner. Here, the second signature scheme signs both the message and the signature from the first signature scheme, as defined in Fig. 14. Bindel et al. [13] show that the \(\mathcal {C}_{\text {str-nest}}\)-Combiner is robust and inseparable.

Fig. 14.

Hybrid signature scheme \(\mathcal {C}_{\text {str-nest}}[\varPi _1,\varPi _2]\) constructed by nesting.