A novel and efficient unlinkable secret handshakes scheme

Author: Hai Huang and Zhenfu Cao (PR China)

Source: IEEE Comm. Letters 13 (5) (2009)Presenter: Yu-Chi Chen

Outline

• Introduction• Huang and Cao’s scheme• Conclusions

Introduction

• A secret handshakes scheme– affiliation-hiding authentication– firstly introduced by Balfanz et al.– For example, two FBI agents, Alice and Bob, want

to discover and communicates with other agents, but they don’t want to reveal their affiliations to non-agents.

Introduction

• An unlinkable secret handshakes scheme – provide unlinkability– an adversary cannot link any two different

instances of same party.• Given C, to guess C is AB, A’B’, or other.

(blind signature)• unlinkability has been widely considered in many

applications.

Introduction

• Jarecki et al.’s scheme– an unlinkable secret handshakes scheme– not efficient, but secure at present

• Huang and Cao presented an unlinkable secret handshakes scheme– novel and efficient– Simple, so it can be published in IEEE-CL.

Outline

• Introduction• Huang and Cao’s scheme• Conclusions

Bilinear pairing

• Referred to as “bilinear maps”• e: G1 × G2→G3

• G1, G2: (+, q)• G3: (×, q)

Bilinear pairing

• Properties:– Computation: given P1 (P2) in G1 (G2), we can

obtain e(P1, P2) in G3

– Bilinear: given xP1 and bP2, where a, b in Zq, then e(aP1, bP2) = e(P1, P2)ab

– Non-degenerate: P1 (P2) is a generator of G1 (G2), then e(P1, P2) ≠ 1. (or e(P1, P2) is a generator of G3)

Huang and Cao’s scheme

This figure is copied from IEEE Comm. Letters 13 (9) (2009), page 731

Conclusions

• Huang and Cao analyzed this scheme can provide authenticated key exchange security, affiliation-hiding, and unlinkability.

• The scheme is more efficient than Jarecki et al.’s.

On the security of a novel and efficient unlinkable secret

handshakes schemeAuthor: Renwang Su (PR China)

Source: IEEE Comm. Letters 13 (9) (2009)

• Su found Huang and Cao’s scheme is not secure.– Cannot provide authenticated key exchange

security.

This figure is copied from IEEE Comm. Letters 13 (9) (2009), page 731

Security analysis of an unlinkable secret handshakes

schemeAuthor: T.-Y. Youn and Y.-H. Park (Korea)

Source: IEEE Comm. Letters 14 (1) (2009)

• Youn and Park also found Huang and Cao’s scheme is not secure.– Cannot provide authenticated key exchange

security and affiliation-hiding.

Receiving vB, then try find PK where vB=H1(KA, (PK, EA, EB), resp)