Beyond Secret Handshakes: Affiliation-Hiding Authenticated Key Exchange

From: Cryptographers’ Track of the RSA Conference 2008. Date: 2011-11-29. Reporter: Yi-Chun Shih


Page 1: Beyond Secret Handshakes: Affiliation-Hiding Authenticated Key Exchange

Beyond Secret Handshakes: Affiliation-Hiding Authenticated Key Exchange

From: Cryptographers’ Track of the RSA Conference 2008

Date: 2011-11-29 Reporter: Yi-Chun Shih

Page 2: Beyond Secret Handshakes: Affiliation-Hiding Authenticated Key Exchange

Outline

- Introduction
- Contribution
- Perfect Forward Secrecy & Linkable Affiliation-Hiding
- AH-AKE
- Conclusion

Page 3: Beyond Secret Handshakes: Affiliation-Hiding Authenticated Key Exchange

Introduction

Affiliation-hiding authentication protocols, or Secret Handshakes (SH), allow two members of the same group to authenticate each other while hiding their affiliation.

- Example: FBI agents

Page 4: Beyond Secret Handshakes: Affiliation-Hiding Authenticated Key Exchange

Affiliation-Hiding Authenticated Key Exchange (AH-AKE) strengthens the entity authentication schemes (SH, described in [BDS+03] and [CJT04]):

- it outputs a key that is authenticated
- it satisfies the standard security requirements of an AKE protocol (but not including Perfect Forward Secrecy)


Page 6: Beyond Secret Handshakes: Affiliation-Hiding Authenticated Key Exchange

Contribution

1. Strengthens the security of AH-AKE through Perfect Forward Secrecy (PFS)

Page 7: Beyond Secret Handshakes: Affiliation-Hiding Authenticated Key Exchange

Contribution (cont.)

2. Formalizes the exact level of privacy protection, called Linkable Affiliation-Hiding (LAH); the privacy guarantee does not include unlinkability.

- Linkability: (under the ideal process) in an AH-AKE session, when a player uses the same certificate, the same alias is revealed every time, so the adversary can link these two instances. The player's affiliation, however, is not disclosed unless the user is corrupted or the session is compromised.

Page 8: Beyond Secret Handshakes: Affiliation-Hiding Authenticated Key Exchange

Contribution (cont.)

3. While satisfying PFS and LAH, achieves ideal complexity for the AH-AKE protocol in the Random Oracle Model (ROM)

- ROM: the hash function is regarded as a perfect hash function


Page 10: Beyond Secret Handshakes: Affiliation-Hiding Authenticated Key Exchange

PFS & LAH

PFS: ensures that each session stays secure even if a participant is eventually corrupted and gives away its long-term secret to the adversary.

LAH: AH-AKE must hold up against corrupted players and revealed sessions.

Thus, LAH implies PFS.

Page 11: Beyond Secret Handshakes: Affiliation-Hiding Authenticated Key Exchange

LAH Implies PFS Security

LAH compares the view of the actual execution with a fully random view.

PFS compares the view of the actual execution with a partially random view (only the key of the tested session is random).

Lemma: If an AH-AKE scheme is Linkable Affiliation-Hiding, then it is secure with Perfect Forward Secrecy.


Page 13: Beyond Secret Handshakes: Affiliation-Hiding Authenticated Key Exchange

AH-AKE

AH-AKE is based on standard (non-affiliation-hiding) AKE. The difference is that certificates in AH-AKE are private, so certification hierarchies and chains are not allowed.

Page 14: Beyond Secret Handshakes: Affiliation-Hiding Authenticated Key Exchange

Entity

An AH-AKE scheme operates in an environment with a set of users $\mathcal{U}$ and a set of groups $\mathcal{G}$. That $U \in \mathcal{U}$ is a member of $G \in \mathcal{G}$ is denoted $U \in G$.

Page 15: Beyond Secret Handshakes: Affiliation-Hiding Authenticated Key Exchange

Protocol

Purpose: allow a pair of players to establish a common, authenticated secret key, provided that (1) both run the protocol on the public key of the same group and (2) $U_i \in G$ and $U_j \in G$.

In the AH-AKE scheme, a user being a member of many groups affects execution efficiency, but not security or affiliation-hiding.

Page 16: Beyond Secret Handshakes: Affiliation-Hiding Authenticated Key Exchange

Public Information & Network Assumption

- All public keys of groups and CAs, and the certificate revocation lists (CRLs), are public information.
- Communication between users and CAs goes through an anonymous and authenticated channel.
- The AH-AKE protocol itself is executed over a channel that is not authenticated.
- The adversary has full control over the network.

Page 17: Beyond Secret Handshakes: Affiliation-Hiding Authenticated Key Exchange

Syntax

| Algorithm | Input | Output / outcome |
|---|---|---|
| Setup | $k$ | public parameters (params) |
| KGen | params | group PK, SK, CRL |
| Add | SK, $U \in \mathcal{U}$ | generates a certificate (cert) for $U$ and adds $U$ to $G$; if cert is issued by PK, this is denoted $cert \in Certs(PK)$ |
| Revoke | $U \in \mathcal{U}$ | revokes cert into CRL, denoted $cert \in RevokedCerts(CRL)$ |

\* KGen, Add and Revoke are executed by the CA of group $G$

Page 18: Beyond Secret Handshakes: Affiliation-Hiding Authenticated Key Exchange

Instances & Session IDs

$\pi_U^s$: protocol session or player instance

- the $s$-th instance of player $U$ that executes the protocol session

$sid_i^s$: session id

- the state argument used by $\pi_i^s$ to connect the public input and messages

Page 19: Beyond Secret Handshakes: Affiliation-Hiding Authenticated Key Exchange

Matching & Partnered Sessions, Correctness of AH-AKE

$\pi_i^s$ and $\pi_j^t$ are matching: $PK_i^s = PK_j^t$, $cert_i^s \in Certs(PK_i^s)$, $cert_j^t \in Certs(PK_j^t)$, $cert_i^s \notin RevokedCerts(CRL_j^t)$, $cert_j^t \notin RevokedCerts(CRL_i^s)$, $role_i^s \neq role_j^t$

$\pi_i^s$ and $\pi_j^t$ are partnered: $sid_i^s = sid_j^t$

If $\pi_i^s$ and $\pi_j^t$ are matching and partnered, they output the same key, $K_i^s = K_j^t$.

Page 20: Beyond Secret Handshakes: Affiliation-Hiding Authenticated Key Exchange

PFS-Secure AH-AKE Based On RSA

Setup:

- given security parameter $k$
- define the smallest integer $k'$ and $H_1: \{0,1\}^* \to \{0,1\}^k$

KGen:

- generate a $2k'$-bit safe RSA modulus $n = pq$
- randomly choose $g$ so that $g$ generates the largest possible subgroup of $\mathbb{Z}_n^*$
- secret key: $(p, q, d)$; public key: $(n, g, e)$
- fix $H_n: \{0,1\}^* \to \mathbb{Z}_n$

Add:

- the manager chooses a random string $id$ and computes $\sigma = [H_n(id)]^d \bmod n$
- the certificate of $U$ is $cert = (id, \sigma)$

Revoke:

- the manager adds $id$ to the group CRL

Page 21: Beyond Secret Handshakes: Affiliation-Hiding Authenticated Key Exchange

PFS-Secure AH-AKE Based On RSA

[Protocol figure, Step 1. Columns: initiator, responder. Annotations: randomly choose $b_A$, $x_A$; hide $\sigma_A$; LINKABLE]

Page 22: Beyond Secret Handshakes: Affiliation-Hiding Authenticated Key Exchange

PFS-Secure AH-AKE Based On RSA

[Protocol figure, Step 2: use the information the other side gave to compute $v$. Annotations: set $v_A$ for authentication purposes; if $id_B$ has been revoked]

Page 23: Beyond Secret Handshakes: Affiliation-Hiding Authenticated Key Exchange

PFS-Secure AH-AKE Based On RSA

[Protocol figure, Step 3. Annotations: authentication, i.e., $H_1(r_A, sid_A, init) = H_1(r_B, sid_B, init)$; if $U_A$ and $U_B$ belong to different groups]

Page 24: Beyond Secret Handshakes: Affiliation-Hiding Authenticated Key Exchange

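Proof of correctness: if A and B belong to the same group, $PK_A = PK_B = (n, g, e)$ and

$$r_A = (Z_B)^{x_A} = (g^{2e x_B})^{x_A} = (g^{2e x_A})^{x_B} = (Z_A)^{x_B} = r_B,$$

where

$$Z_A = (\theta_A^{e} h_A^{-1})^2 = g^{2e x_A}, \qquad Z_B = (\theta_B^{e} h_B^{-1})^2 = g^{2e x_B}.$$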
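The RSA-based KGen and Add steps and the correctness equation above, run end to end as an added example (not code from the slides or the paper): a group key, two certificates, one blinded message per side, and the shared value $r$. Assumptions: the slides' message formula did not survive, so the blinded value is taken as θ = (−1)^b · σ · g^x mod n, the form consistent with Z = (θ^e h^{-1})^2 = g^{2ex}; SHA-256 stands in for H_n; the primes are 64-bit toys; all function names are hypothetical; and the H1 confirmation, session ids and CRL check are left out.

```python
import hashlib, math, secrets

def is_prime(m, rounds=20):                 # Miller-Rabin; caller passes odd m > 3
    d, s = m - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    def witness(a):                         # True when a proves m composite
        x = pow(a, d, m)
        return x not in (1, m - 1) and all((x := x * x % m) != m - 1 for _ in range(s - 1))
    return not any(witness(secrets.randbelow(m - 3) + 2) for _ in range(rounds))

def safe_prime(bits):                       # p = 2p' + 1 with p and p' both prime
    while True:
        half = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_prime(half) and is_prime(2 * half + 1):
            return 2 * half + 1

def kgen(bits=64, e=65537):                 # toy size, far below a real 2k'-bit modulus
    p, q = safe_prime(bits), safe_prime(bits)
    n, proper = p * q, ((p - 1) * (q - 1) // 4, p - 1, q - 1)
    while True:                             # keep g only if its order is the maximum 2p'q'
        g = secrets.randbelow(n - 3) + 2
        if math.gcd(g, n) == 1 and all(pow(g, t, n) != 1 for t in proper):
            return (n, g, e), (p, q, pow(e, -1, (p - 1) * (q - 1)))

def h_n(ident, n):                          # assumption: SHA-256 mod n stands in for H_n
    return int.from_bytes(hashlib.sha256(ident).digest(), "big") % n

def add(pk, sk):                            # cert = (id, sigma), sigma = H_n(id)^d mod n
    while True:                             # retry until H_n(id) is invertible mod n
        ident = secrets.token_bytes(16)
        if math.gcd(h_n(ident, pk[0]), pk[0]) == 1:
            return ident, pow(h_n(ident, pk[0]), sk[2], pk[0])

def hello(pk, cert):                        # assumed form: theta = (-1)^b * sigma * g^x mod n
    n, g, _ = pk
    b, x = secrets.randbelow(2), secrets.randbelow(n // 4) + 1
    return x, (cert[0], pow(-1, b, n) * cert[1] * pow(g, x, n) % n)

def derive_r(pk, x, peer):                  # r = Z^x with Z = (theta^e * h^-1)^2 mod n
    n, _, e = pk
    z = pow(pow(peer[1], e, n) * pow(h_n(peer[0], n), -1, n), 2, n)
    return pow(z, x, n)

def handshake(pk_a, cert_a, pk_b, cert_b):  # each side computes under its own group key
    xa, msg_a = hello(pk_a, cert_a)
    xb, msg_b = hello(pk_b, cert_b)
    return derive_r(pk_a, xa, msg_b), derive_r(pk_b, xb, msg_a)
```

Two certificates from the same `kgen()` run give equal values from `handshake`, whatever the random sign bit; certificates from two different groups give unrelated values, so the H1 comparison of Step 3 would not match.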

Page 25: Beyond Secret Handshakes: Affiliation-Hiding Authenticated Key Exchange

PFS-Secure AH-AKE Based On RSA

Page 26: Beyond Secret Handshakes: Affiliation-Hiding Authenticated Key Exchange

Commitment Schemes

[Figure: sender (Alice), message (M), lock, receiver (Bob)]

Page 27: Beyond Secret Handshakes: Affiliation-Hiding Authenticated Key Exchange

Commitment Schemes

Commitment phase has the secrecy property:

- the receiver cannot open the box
- the sender cannot modify M

Decommitment phase has the unambiguity / binding property:

- the sender gives the key to allow the receiver to open the box and learn M

Page 28: Beyond Secret Handshakes: Affiliation-Hiding Authenticated Key Exchange

Trapdoor Commitment

The trapdoor is used to overcome the binding property.

Take sealed-bid auctions for example: the participant can use the trapdoor to modify his bid.
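How a trapdoor defeats binding, shown on a Pedersen commitment as an added example (not from the slides, which name no concrete scheme). The scheme choice, the toy parameters, the bid values and the function names are all assumptions made for illustration.

```python
import secrets

# Toy parameters (constructed): P = 2Q + 1 with P, Q prime; G = 4 generates
# the order-Q subgroup of squares mod P. Real use needs a far larger group.
P, Q, G = 1019, 509, 4

def setup():
    """Return (h, t) with h = G^t mod P. t is the trapdoor."""
    t = secrets.randbelow(Q - 1) + 1
    return pow(G, t, P), t

def commit(h, m, r=None):
    """Commitment phase: c = G^m * h^r mod P hides m behind random r."""
    r = secrets.randbelow(Q) if r is None else r
    return pow(G, m % Q, P) * pow(h, r, P) % P, r

def verify(h, c, m, r):
    """Decommitment phase: check that (m, r) opens c."""
    return c == pow(G, m % Q, P) * pow(h, r, P) % P

def equivocate(t, m, r, m_new):
    """With trapdoor t, compute r_new so that (m_new, r_new) opens the same c.

    G^m * h^r = G^(m + t*r), so solve m + t*r = m_new + t*r_new (mod Q).
    """
    return (r + (m - m_new) * pow(t, -1, Q)) % Q

def sealed_bid_demo():
    """A bidder commits to 120, then reopens the same commitment as 95."""
    h, t = setup()
    c, r = commit(h, 120)
    r_new = equivocate(t, 120, r, 95)
    return verify(h, c, 120, r), verify(h, c, 95, r), verify(h, c, 95, r_new)
```

Without `t` the second opening fails and the bid is binding; a committer who knows `t` can open to any value, so in an auction the trapdoor must not be known to the bidders.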


Page 30: Beyond Secret Handshakes: Affiliation-Hiding Authenticated Key Exchange

Conclusion

- AH-AKE includes PFS and LAH
- Use a trapdoor to hide $\sigma_A$