From: Cryptographers’ Track of the RSA Conference 2008 Date: Reporter: Yi-Chun Shih 1

 Introduction  Contribution  Perfect Forward Secrecy & Linkable Affiliation- Hiding  AH-AKE  Conclusion

 Affiliation-Hiding Authentication protocol, or Secret Handshakes(SH), allow two members of the same group to authenticate each other by hiding their affiliation - FBI agent

 Affiliation-Hiding Authenticated Key Exchange ( AH-AKE ) strengthens entity authentication schemes ( SH described in [BDS + 03] and [CJT04] ) ：  output the key which is authenticated  satisfy the standard security requirement of AKE protocol ( but not include Perfect Forward Secrecy )

 Introduction  Contribution  Perfect Forward Secrecy & Linkable Affiliation- Hiding  AH-AKE  Conclusion

1. Strengthens the security of AH-AKE through Perfect Forward Secrecy (PFS)

2. Formalize the exact level of protecting privacy, called Linkable Affiliation-Hiding (LAH), the guarantee of privacy does not contain unlinkablility - Linkability : (under the ideal process) in the AH-AKE session, under the condition of player uses the same certificate, the same alias would revealed every time, so that the adversary could link this two instance, but the affiliation of the player would not be disclosed, unless the user is corrupted or the session is compromised

3. Under the condition of satisfying PFS and LAH, let the complexity of AH-AKE protocol ideal in Random Oracle Model (ROM) -ROM : regarded as perfect hash function

 Introduction  Contribution  Perfect Forward Secrecy & Linkable Affiliation- Hiding  AH-AKE  Conclusion

 PFS : ensure to keep each session secure, even the participant finally corrupted and gives away long-term secrete to the adversary  LAH : AH-AKE should confront with player corrupted and session revealed  Thus, LAH implies PFS

 LAH compares the view of actual execution and the view of fully-random  PFS compares the view of actual execution and the view of partial-random (only the key of tested session is random)  Lemma: If AH-AKE scheme is Linkable Affiliation-Hiding then it is Secure with Perfect Forward Secrecy

 Introduction  Contribution  Perfect Forward Secrecy & Linkable Affiliation- Hiding  AH-AKE  Conclusion

 AH-AKE is based on standard AKE (non affiliation-hiding), the difference is that the certification of AH-AKE is private ， so the certification hierarchies and chains are not allowed

 AH-AKE scheme computes under the environment of a user set U and a group set G, and denote U  U is a member of G  G as U G

 purpose ： allow a pair of players to establish common secret key that is authenticated, the conditions are (1) run the protocol on the public key of the same group (2) U i G and U j G  In the AH-AKE scheme, if a user is a member of many groups, that would affect execution efficient, but not security and affiliation- hiding

 All the public keys of groups and CA’s, and the certificate revocation lists (CRL) are public information  The communication between users and CA’s is through anonymous and authenticated channel  The execution of AH-AKE protocol is through the channel that is not authenticated  The adversary has fully control over the network

inputoutput / outcome Setupkpublic parameter (params) KGenparamsgroup PK, SK, CRL AddSK, U  U generates a certificate (cert) to U, and adds U to G; if cert is issued by PK, denotes as cert  Certs(PK) RevokeUUUU revokes cert into CRL, denotes as cert  RevokedCerts(CRL) * KGen, Add, Revoke are executed by the CA of group G

 π U s : protocol session or player instance - the s th instance of player U that execute the protocol session  sid i s : session id - the state argument that used by π i s to connect the public input and messages

 π i s and π j t are matching : PK i s = PK j t, cert i s  Certs(PK i s ), cert j t  Certs(PK j t ), cert i s  RevokedCerts(CRL j t ), cert j t  RevokedCerts(CRL i s ), role i s ≠role j t  π i s and π j t are partnered : sid i s = sid j t  If π i s and π j t are matching and partnered, they would output the same key, K i s = K j t

 Setup: -give security parameter k -define the smallest integer k’ and H 1 : {0,1}* -> {0,1} k  Kgen: - generate 2k’-bit safe RSA modulus n = pq -random choose g so that g generates the largest subset of Zn* -secret key : (p,q,d), public key : (n,g,e) -decides H n : {0,1}* -> Zn  Add: -manager chooses random string id and calculates σ = [H n (id)] d (mod n) -the certification of U, cert = (id, σ)  Revoke: manager add id to group CRL

random choose b A, x A initiator responser LINKABLE hide σ A Step 1

set v A For authentication purpose Step 2 ： use the information the other side gave to compute v If id B has been revoked

ie, H 1 (r A, sid A, init) = H 1 (r B, sid B, init) authentication Step 3 If U A and U B belong to different groups

 Prove the correctness ： If A, B belong to the same group, PK A = PK B = (n, g, e) r A =(Z B ) XA =(g 2eXB ) XA =(g 2eXA ) XB =(Z A ) XB =r B, where Z A =(θ A e h A -1 ) 2 =g 2eXA Z B =(θ B e h B -1 ) 2 =g 2eXB

sender ( Alice ) message ( M ) lock receiver ( Bob )

 Commitment phase has secrecy property ：  receiver can not open the box  sender can not modify M  Decommitment phase has unambiguity / binding property ： sender gives the key to allow receiver to open the box to know M

 The trapdoor is used to overcome the binding property  Take sealed-bid auctions for example, the participant can use trapdoor to modify his bid

 Introduction  Contribution  Perfect Forward Secrecy & Linkable Affiliation- Hiding  AH-AKE  Conclusion

 AH-AKE includes PFS and LAH  Use trapdoor to hide σ A