Optionally Identifiable Private Handshakes
Yanjiang Yang
RFID Security Seminar 2008
Agenda
• Introduction
• Review of Related Work
• Optionally Identifiable Private Handshakes
• Conclusion
Secret handshakes
• Users are increasingly concerned about individual privacy in cyberspace
– Privacy-preserving techniques are expected to play a key part
– Secret handshakes
• Non-members learn nothing about the handshake between the two users
• A non-member cannot impersonate a member
Unlinkable secret handshakes
• Secret handshakes are linkable
• Unlinkable secret handshakes provide unlinkability
• Traceability is a feature of unlinkable secret handshakes
• Differences between unlinkable secret handshakes and anonymous credentials
Private handshakes
• Traceability may not always be desired
• Hoepman proposed the concept of private handshakes
• No traceability whatsoever in private handshakes
Optionally identifiable private handshakes
• Secret handshakes and private handshakes each have their own applications
• A primitive that optionally moves between the two is more flexible
• We proposed the concept of optionally identifiable private handshakes
Nutshell
[Figure: an axis running from "No identifiability" to "Identifiability", with the labels Private handshakes, Optionally identifiable private handshakes, (linkable) Secret handshakes, and Unlinkable secret handshakes.]
Secret handshakes
• Balfanz et al. first formulated the notion of secret handshakes (S&P’03)
• Castelluccia et al. proposed secret handshake protocols, with security under the computational Diffie-Hellman assumption (Asiacrypt’04)
Secret handshakes - continued
• Jarecki et al. (CT-RSA’07) and Vergnaud et al. (Coding and Cryptography’05) proposed RSA-based secret handshakes
Unlinkable secret handshakes
• Xu et al. proposed k-anonymous secret handshakes (CCS’04)
• Tsudik et al. proposed (full) unlinkable secret handshakes, but all members from the same group are required to share a group secret
• Jarecki et al.’s scheme does not require sharing of a group secret (ACNS’07)
• Ateniese et al. proposed fuzzy unlinkable secret handshakes (NDSS’07)
Private handshakes
• Hoepman proposed private handshakes (Security and Privacy in Ad Hoc and Sensor Networks’07)
Model
• Entities
– a set of users
– a set of groups
– a set of group administrators who create groups and enrol users in groups
– a user may or may not be affiliated to a group
– if a user belongs to a group, then he is a member of that group; otherwise, he is a non-member of that group
Model - continued
• Algorithms
– CreateGroup($1^k$)
– EnrolUser(G, u)
– HandShake(u1, u2, b)
– RevokeUser(G, u)
Details of algorithms
• Parameters
– $e: G_1 \times G_1 \to G_2$
– $H_0, H_1, H_2$
– Enc()
Details of algorithms - continued
• CreateGroup($1^k$)
– Group administrator selects $s_G$
• EnrolUser(G, u)
– Group administrator issues u a credential $x_u = s_G H_0(u)$
Details of algorithms - continued
• Handshake(u1, u2, b)
– u1 holds $x_{u_1} = s_G H_0(u_1)$; u2 holds $x_{u_2} = s_G H_0(u_2)$
– u1 computes $R_1 = r_1 H_0(u_1)$
– u1 → u2: $R_1, b$
– u2 computes $R_2 = r_2 H_0(u_2)$ and $V_2 = H_1(e(R_1, r_2 x_{u_2}), b)$
– u2 → u1: $R_2, V_2$
– Common pairing value: $e(H_0(u_1), H_0(u_2))^{s_G r_1 r_2}$
Details of algorithms - continued
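– u1 holds $x_{u_1} = s_G H_0(u_1)$; u2 holds $x_{u_2} = s_G H_0(u_2)$
– u1 checks $H_1(e(r_1 x_{u_1}, R_2), b) \stackrel{?}{=} V_2$
– u1 computes $V_1 = H_1(b, e(r_1 x_{u_1}, R_2))$ and $sk_1 = H_2(e(r_1 x_{u_1}, R_2), R_1, R_2)$
– u1 → u2: $V_1$
– u2 checks $H_1(b, e(R_1, r_2 x_{u_2})) \stackrel{?}{=} V_1$
– u2 computes $sk_2 = H_2(e(r_2 x_{u_2}, R_1), R_1, R_2)$
– Common pairing value: $e(H_0(u_1), H_0(u_2))^{s_G r_1 r_2}$
At this point, the private handshake is complete!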
Details of algorithms - continued
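– u1 holds $x_{u_1} = s_G H_0(u_1)$; u2 holds $x_{u_2} = s_G H_0(u_2)$
– u1 computes $C_1 = \mathrm{Enc}(sk_{u_1}, r_1, u_1)$
– u1 → u2: $C_1$
– u2 computes $(r_1', u_1') = \mathrm{Enc}(sk_{u_2}, C_1)$ and checks $R_1 \stackrel{?}{=} r_1' H_0(u_1')$
– u2 computes $C_2 = \mathrm{Enc}(sk_{u_2}, r_2, u_2)$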
sku2 = …C2 …
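The private handshake and the optional identification step from the slides above, as an added example (not code from the presentation): both parties run in one process over a toy pairing where G1 is the integers mod q and e(a, b) = g^(ab) mod p. Discrete logs are trivial in this toy group, so it shows the algebra only and provides no security; the parameters q, p, g, the XOR stand-in for Enc() and all function names are assumptions made for this example.

```python
import hashlib
import secrets

# Toy bilinear group (constructed, NOT secure): G1 is Z_q written additively,
# so the point a*P is stored as the integer a, and e(a, b) = g^(a*b) mod p.
Q, P, G = 1019, 2039, 4   # q prime, p = 2q + 1 prime, g has order q mod p

def pairing(a, b):
    return pow(G, (a * b) % Q, P)

def _hash(tag, *parts):
    data = "|".join([tag, *map(str, parts)]).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def H0(user):             # identity -> non-zero element of G1
    return 1 + _hash("H0", user) % (Q - 1)

def H1(*parts): return _hash("H1", *parts)
def H2(*parts): return _hash("H2", *parts)

def enc(sk, data):        # toy XOR pad (<= 32 bytes) standing in for Enc()
    pad = hashlib.sha256(str(sk).encode()).digest()
    return bytes(x ^ y for x, y in zip(data, pad))

def enrol_user(s_G, user):            # credential x_u = s_G * H0(u)
    return (s_G * H0(user)) % Q

def handshake(u1, x_u1, u2, x_u2, b=1):
    """Return (sk1, sk2, r1, R1), or None when V2 or V1 does not verify."""
    r1 = 1 + secrets.randbelow(Q - 1)
    R1 = (r1 * H0(u1)) % Q            # u1 -> u2: R1, b
    r2 = 1 + secrets.randbelow(Q - 1)
    R2 = (r2 * H0(u2)) % Q
    k2 = pairing(R1, r2 * x_u2)       # u2's pairing value
    V2 = H1(k2, b)                    # u2 -> u1: R2, V2
    k1 = pairing(r1 * x_u1, R2)       # u1's pairing value
    if H1(k1, b) != V2:
        return None
    V1 = H1(b, k1)                    # u1 -> u2: V1
    if H1(b, k2) != V1:
        return None
    return H2(k1, R1, R2), H2(k2, R1, R2), r1, R1

def identify(sk1, sk2, r1, u1, R1):
    """Optional step: u1 reveals (r1, u1) under sk1; u2 checks it against R1."""
    C1 = enc(sk1, f"{r1}|{u1}".encode())               # u1 -> u2: C1
    r1p, u1p = enc(sk2, C1).decode().split("|", 1)     # u2 recovers (r1', u1')
    return u1p if R1 == (int(r1p) * H0(u1p)) % Q else None
```

Two users enrolled under the same s_G derive the same session key, while users holding credentials from different group secrets fail at the V2 check and learn only that the handshake did not complete.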
Future Work
• User Revocation
Security
• Impersonation resistance
• Membership detection resistance
• Unlinkability of private handshake
• Unlinkability to eavesdropper
Conclusion
• We proposed the concept of private handshakes with optional identifiability, interpolating between private handshakes and secret handshakes, representing a more flexible primitive
• A concrete scheme was presented, and its security was defined and proved.
Q & A
THANK YOU!