Optionally Identifiable Private Handshakes Yanjiang Yang.


Optionally Identifiable Private Handshakes

Yanjiang Yang

RFID Security Seminar 2008

Agenda

• Introduction

• Review of Related Work

• Optionally Identifiable Private Handshakes

• Conclusion

Secret handshakes

• Users are increasingly concerned about individual privacy in cyberspace

– Privacy-preserving techniques are expected to play a key part

– Secret handshakes

• Non-members learn nothing about the handshake between the two users

• A non-member cannot impersonate a member

Unlinkable secret handshakes

• Secret handshakes are linkable

• Unlinkable secret handshakes provide unlinkability

• Traceability is a feature of unlinkable secret handshakes

• Differences between unlinkable secret handshakes and anonymous credentials

Private handshakes

• Traceability may not always be desired

• Hoepman proposed the concept of private handshakes

• No traceability whatsoever in private handshakes

Optionally identifiable private handshakes

• Secret handshakes and private handshakes each have their own applications

• A primitive that lies optionally between them is more flexible

• We proposed the concept of optionally identifiable private handshakes

Nutshell

[Figure: private handshakes, (linkable) secret handshakes, unlinkable secret handshakes and optionally identifiable private handshakes placed on an axis running from no identifiability to identifiability]

Secret handshakes

• Balfanz et al. first formulated the notion of secret handshakes (S&P’03)

• Castelluccia et al. proposed secret handshake protocols, with security under the computational Diffie-Hellman assumption (Asiacrypt’04)

Secret handshakes - continued

• Jarecki et al. (CT-RSA’07) and Vergnaud et al. (Coding and Cryptography’05) proposed RSA-based secret handshakes

Unlinkable secret handshakes

• Xu et al. proposed k-anonymous secret handshakes (CCS’04)

• Tsudik et al. proposed (full) unlinkable secret handshakes, but all members from the same group are required to share a group secret

• Jarecki et al.’s scheme does not require sharing of a group secret (ACNS’07)

• Ateniese et al. proposed fuzzy unlinkable secret handshakes (NDSS’07)

Private handshakes

• Hoepman proposed private handshakes (Security and Privacy in Ad Hoc and Sensor Networks’07)

Model

• Entities

– a set of users

– a set of groups

– a set of group administrators who create groups and enrol users in groups

– a user may or may not be affiliated to a group

– if a user belongs to a group, then he is a member of that group; otherwise, he is a non-member of that group

Model - continued

• Algorithms

– CreateGroup($1^k$)

– EnrolUser(G, u)

– HandShake(u1, u2, b)

– RevokeUser(G, u)

Details of algorithms

• Parameters

– $e: \mathbb{G}_1 \times \mathbb{G}_1 \rightarrow \mathbb{G}_2$

– $H_0, H_1, H_2$

– Enc()

Details of algorithms - continued

• CreateGroup($1^k$)

– Group administrator selects $s_G$

• EnrolUser(G, u)

– Group administrator issues u a credential $x_u = s_G H_0(u)$

Details of algorithms - continued

• Handshake(u1, u2, b)

$u_1$ holds $x_{u_1} = s_G H_0(u_1)$; $u_2$ holds $x_{u_2} = s_G H_0(u_2)$

$u_1$: $R_1 = r_1 H_0(u_1)$

$u_1 \rightarrow u_2$: $R_1, b$

$u_2$: $R_2 = r_2 H_0(u_2)$

$u_2$: $V_2 = H_1(e(R_1, r_2 x_{u_2}), b)$

$u_2 \rightarrow u_1$: $R_2, V_2$

Both sides compute: $e(H_0(u_1), H_0(u_2))^{s_G r_1 r_2}$

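Details of algorithms - continued

$u_1$ holds $x_{u_1} = s_G H_0(u_1)$; $u_2$ holds $x_{u_2} = s_G H_0(u_2)$

$u_1$: $H_1(e(r_1 x_{u_1}, R_2), b) \stackrel{?}{=} V_2$

$u_1$: $V_1 = H_1(b, e(r_1 x_{u_1}, R_2))$

$u_1$: $sk_1 = H_2(e(r_1 x_{u_1}, R_2), R_1, R_2)$

$u_1 \rightarrow u_2$: $V_1$

$u_2$: $H_1(b, e(R_1, r_2 x_{u_2})) \stackrel{?}{=} V_1$

$u_2$: $sk_2 = H_2(e(r_2 x_{u_2}, R_1), R_1, R_2)$

Both sides compute: $e(H_0(u_1), H_0(u_2))^{s_G r_1 r_2}$

At this point, the private handshake is completed!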

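Details of algorithms - continued

$u_1$ holds $x_{u_1} = s_G H_0(u_1)$; $u_2$ holds $x_{u_2} = s_G H_0(u_2)$

$u_1$: $C_1 = Enc(sk_{u_1}, r_1, u_1)$

$u_1 \rightarrow u_2$: $C_1$

$u_2$: $(r_1', u_1') = Enc(sk_{u_2}, C_1)$

$u_2$: $R_1 \stackrel{?}{=} r_1' H_0(u_1')$

$u_2$: $C_2 = Enc(sk_{u_2}, r_2, u_2)$

$sk_{u_2}$ = … $C_2$ …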
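The message flow on the three handshake slides above, run end to end for both parties as an added example (not code from the slides or their author). Assumptions: the pairing is replaced by a toy bilinear map over a 10-bit group that is not secure, SHA-256 stands in for $H_0, H_1, H_2$, an XOR keystream stands in for Enc(), and b = 1 is taken to request the identification phase.

```python
import hashlib, secrets

# Toy symmetric pairing, constructed for illustration and NOT secure:
# G1 = Z_Q (additive), G2 = order-Q subgroup of Z_P^*, e(a, b) = G^(a*b) mod P,
# so e(x*a, y*b) = e(a, b)^(x*y), the property the slides' protocol relies on.
P, Q, G = 2039, 1019, 4

def h(tag, *parts):             # SHA-256 stands in for H0, H1, H2 (assumption)
    return hashlib.sha256(repr((tag,) + parts).encode()).digest()

def H0(u):                      # hash an identity to a nonzero element of G1
    return 1 + int.from_bytes(h("H0", u), "big") % (Q - 1)

def e(a, b):
    return pow(G, a * b % Q, P)

def rand_scalar():
    return 1 + secrets.randbelow(Q - 1)
create_group = rand_scalar      # CreateGroup: administrator selects s_G

def enrol_user(s_G, u):         # EnrolUser: x_u = s_G * H0(u)
    return s_G * H0(u) % Q

def enc(key, data):             # stand-in for Enc(): XOR keystream, self-inverse
    stream = b"".join(h("Enc", key, i) for i in range(len(data) // 32 + 1))
    return bytes(x ^ y for x, y in zip(data, stream))

# Assumption: b = 1 requests the identification phase (the slides do not define b).
def handshake(u1, x1, u2, x2, b):
    """Return (sk1, sk2, id_seen_by_u2, id_seen_by_u1), or None on a failed check."""
    r1, r2 = rand_scalar(), rand_scalar()
    R1, R2 = r1 * H0(u1) % Q, r2 * H0(u2) % Q      # u1 -> u2: R1, b
    k2 = e(R1, r2 * x2 % Q)
    V2 = h("H1", k2, b)                             # u2 -> u1: R2, V2
    k1 = e(r1 * x1 % Q, R2)
    if h("H1", k1, b) != V2:
        return None                                 # u1 aborts: not the same group
    V1 = h("H1", b, k1)                             # u1 -> u2: V1
    if h("H1", b, k2) != V1:
        return None                                 # u2 aborts
    sk1, sk2 = h("H2", k1, R1, R2), h("H2", k2, R1, R2)
    if not b:
        return sk1, sk2, None, None                 # private handshake only
    C1 = enc(sk1, f"{r1}:{u1}".encode())            # u1 -> u2: C1
    C2 = enc(sk2, f"{r2}:{u2}".encode())            # u2 -> u1: C2
    rp1, up1 = enc(sk2, C1).decode().split(":", 1)  # u2 opens C1
    rp2, up2 = enc(sk1, C2).decode().split(":", 1)  # u1 opens C2
    if R1 != int(rp1) * H0(up1) % Q or R2 != int(rp2) * H0(up2) % Q:
        return None                                 # claimed identity does not match R
    return sk1, sk2, up1, up2
```

With credentials from the same group both sides derive the same key; a credential issued under a different $s_G$ fails the $V_2$ check and the handshake returns None.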

Future Work

• User Revocation

Security

• Impersonation resistance

• Membership detection resistance

• Unlinkability of private handshake

• Unlinkability to eavesdropper

Conclusion

• We proposed the concept of private handshakes with optional identifiability, interpolating between private handshakes and secret handshakes, representing a more flexible primitive

• A concrete scheme was presented, and its security was defined and proved.

Q & A

THANK YOU!