beyond secret handshakes: affiliation-hiding authenticated key exchange
DESCRIPTION
Beyond Secret Handshakes: Affiliation-Hiding Authenticated Key Exchange. From: Cryptographers ’ Track of the RSA Conference 2008 Date:2011-11-29 Reporter : Yi-Chun Shih. Outline. Introduction Contribution Perfect Forward Secrecy & Linkable Affiliation-Hiding AH-AKE - PowerPoint PPT PresentationTRANSCRIPT
Beyond Secret Handshakes:Affiliation-Hiding Authenticated Key Exchange
From: Cryptographers’ Track of the RSA Conference 2008
Date:2011-11-29 Reporter: Yi-Chun Shih
1
Introduction Contribution Perfect Forward Secrecy & Linkable Affiliation-
Hiding AH-AKE Conclusion
Outline
Affiliation-Hiding Authentication protocol, or Secret Handshakes(SH), allow two members of the same group to authenticate each other by hiding their affiliation
- FBI agent
Introduction
Affiliation-Hiding Authenticated Key Exchange ( AH-AKE ) strengthens entity authentication schemes ( SH described in [BDS+03] and [CJT04] ) :
output the key which is authenticated satisfy the standard security requirement
of AKE protocol ( but not include Perfect Forward Secrecy )
Introduction Contribution Perfect Forward Secrecy & Linkable Affiliation-
Hiding AH-AKE Conclusion
Outline
1. Strengthens the security of AH-AKE through Perfect Forward Secrecy (PFS)
Contribution
2. Formalize the exact level of protecting privacy, called Linkable Affiliation-Hiding (LAH), the guarantee of privacy does not contain unlinkablility - Linkability : (under the ideal process) in
the AH-AKE session, under the condition of player uses the same certificate, the same alias would revealed every time, so that the adversary could link this two instance, but the affiliation of the player would not be disclosed, unless the user is corrupted or the session is compromised
Contribution (cont.)
3. Under the condition of satisfying PFS and LAH, let the complexity of AH-AKE protocol ideal in Random Oracle Model (ROM)
-ROM : regarded as perfect hash function
Contribution (cont.)
Introduction Contribution Perfect Forward Secrecy & Linkable Affiliation-
Hiding AH-AKE Conclusion
Outline
PFS : ensure to keep each session secure, even the participant finally corrupted and gives away long-term secrete to the adversary
LAH : AH-AKE should confront with player corrupted and session revealed
Thus, LAH implies PFS
PFS & LAH
LAH compares the view of actual execution and the view of fully-random
PFS compares the view of actual execution and the view of partial-random (only the key of tested session is random)
Lemma: If AH-AKE scheme is Linkable Affiliation-Hiding then it is Secure with Perfect Forward Secrecy
LAH Implies PFS Security
Introduction Contribution Perfect Forward Secrecy & Linkable Affiliation-
Hiding AH-AKE Conclusion
Outline
AH-AKE is based on standard AKE (non affiliation-hiding), the difference is that the certification of AH-AKE is private , so the certification hierarchies and chains are not allowed
AH-AKE
AH-AKE scheme computes under the environment of a user set U and a group set G , and denote UU is a member of GG as U G
Entity
purpose : allow a pair of players to establish common secret key that is authenticated, the conditions are (1) run the protocol on the public key of the same group (2) Ui G and Uj G
In the AH-AKE scheme, if a user is a member of many groups, that would affect execution efficient, but not security and affiliation-hiding
Protocol
All the public keys of groups and CA’s, and the certificate revocation lists (CRL) are public information
The communication between users and CA’s is through anonymous and authenticated channel
The execution of AH-AKE protocol is through the channel that is not authenticated
The adversary has fully control over the network
Public Information & Network Assumption
input output / outcomeSetup k public parameter (params)KGen params group PK, SK, CRLAdd SK, UU generates a certificate (cert)
to U, and adds U to G; if cert is issued by PK, denotes as cert Certs(PK)
Revoke UU revokes cert into CRL, denotes as certRevokedCerts(CRL)
Syntax
* KGen, Add, Revoke are executed by the CA of group G
πUs : protocol session or player instance - the sth instance of player U that
execute the protocol session
sidis : session id
- the state argument that used by πis to
connect the public input and messages
Instances & Session IDs
πis and πj
t are matching : PKi
s = PKjt , certi
s Certs(PKis),
certjt Certs(PKj
t), certis
RevokedCerts(CRLjt),
certjt RevokedCerts(CRLi
s), roleis≠rolej
t
πis and πj
t are partnered : sidis = sidj
t
If πis and πj
t are matching and partnered, they would output the same key, Ki
s = Kjt
Matching & Partnered Sessions, Correctness of AH-AKE’s
Setup: -give security parameter k -define the smallest integer k’ and H1: {0,1}* -
> {0,1}k
Kgen: - generate 2k’-bit safe RSA modulus n = pq -random choose g so that g generates the largest subset
of Zn* -secret key : (p,q,d), public key : (n,g,e) -decides Hn: {0,1}* -> Zn Add: -manager chooses random string id and calculates σ =
[Hn(id)]d (mod n) -the certification of U , cert = (id, σ) Revoke: manager add id to group CRL
PFS-Secure AH-AKE Based On RSA
PFS-Secure AH-AKE Based On RSA
random choose bA, xA
initiator responser
LINKABLE
hide σAStep 1
PFS-Secure AH-AKE Based On RSA
set vAFor authentication purpose
Step 2: use the information the other side gave to compute v
If idB has been revoked
PFS-Secure AH-AKE Based On RSA
ie, H1(rA, sidA, init) = H1(rB, sidB, init)
authentication
Step 3If UA and UB belong to different groups
Prove the correctness : If A, B belong to the same group, PKA = PKB = (n, g, e) rA=(ZB)XA=(g2eXB)XA=(g2eXA)XB=(ZA)XB=rB , where ZA=(θA
ehA-1)2=g2eXA
ZB=(θBehB
-1)2=g2eXB
PFS-Secure AH-AKE Based On RSA
sender ( Alice ) message ( M )
lock
receiver ( Bob )
Commitment Schemes
Commitment phase has secrecy property : receiver can not open the box sender can not modify M
Decommitment phase has unambiguity / binding property :
sender gives the key to allow receiver to open the box to know M
Commitment Schemes
The trapdoor is used to overcome the binding property
Take sealed-bid auctions for example, the participant can use trapdoor to modify his bid
Trapdoor Commitment
Introduction Contribution Perfect Forward Secrecy & Linkable Affiliation-
Hiding AH-AKE Conclusion
Outline
AH-AKE includes PFS and LAH
Use trapdoor to hide σA
Conclusion