Secret Handshakes from CA-Oblivious Encryption Asiacrypt 2004, Jeju-do, Korea Claude Castelluccia, Stanisław Jarecki, Gene Tsudik UC Irvine.

Presentation transcript:


Public Key Authentication: No Affiliation Privacy
- Alice: public key PK_A, certified by UCI; cert_A = SIG_UCI{"Alice, etc", A}
- Alice sends A to Bob together with a proof of possession of the secret key SK_A
- Alice's affiliation (UCI) is revealed by her certificate
- Can Alice authenticate herself in a way that reveals her affiliation only if the verifier passes some criteria she sets?
- Seems like a chicken-and-egg problem: the party that authenticates itself first has to reveal its affiliation...

"Secret Handshake": Authentication with Secrecy Properties
- Alice, certified by UCI: cert_A = SIG_UCI{A}, Policy_A = {IACR}
- Bob, certified by IACR: cert_B = SIG_IACR{B}, Policy_B = {UCI}
- Secret Handshake Protocol: parties exchange pseudonyms A, B
- A1: Only IACR members learn Alice's affiliation
- A2: Only IACR members learn that IACR is in Alice's policy
- B: (and vice versa for Bob)

Secret Handshake Authentication: Our Results
Previous Results:
- Privacy for Symmetric-Key Authentication [e.g. Abadi]
- Secret Handshakes (for Public-Key Authentication) introduced in [Balfanz et al. '03], solved under the "Bilinear Diffie-Hellman" assumption on elliptic curves with bilinear maps
Our Results:
- Solution based on standard groups, assuming hardness of Computational Diffie-Hellman
- Efficiency improvements
- Blinded certificate issuance => less trust in CA
- Extension to general PKI where A and B have different CAs
- Connection with "CA-Oblivious" Encryption

Standard Authentication using Public Key Infrastructure
- Alice, certified by UCI, holds secret key SK_A; cert_A = SIG_UCI{A}
- Alice sends Bob: Alice's public key A (PK_A), Alice's CA (UCI), cert_A, and a proof of possession of the secret key SK_A
- On input UCI and A, Bob verifies the proof

PKI-based Authentication (changing the terms)
- Alice sends Bob: pseudonym A, Alice's CA (UCI), cert_A, and a proof of possession of UCI's signature on A
- On input UCI and A, Bob verifies the proof (cert_A = SIG_UCI{A})
- Certificate cert_A, i.e. the CA's signature on Alice's public key A, can serve as the only authentication secret
  => no need for the secret key SK_A
  => no need for A to be a public key (any ID string will do)

Affiliation Privacy in Authentication: Problem for Both Parties
- Alice, certified by UCI: Alice's pseudonym A, cert_A = SIG_UCI{A}, Policy_A = {IACR}
- Bob, certified by IACR: Bob's pseudonym B, cert_B = SIG_IACR{B}, Policy_B = {UCI}
- Alice needs to give a proof of possession of UCI's signature on A; Bob needs to give a proof of possession of IACR's signature on B

Our Solution: Secret Handshakes from Signature-Based Encryption (pt.1)
- Alice, certified by UCI: cert_A = SIG_UCI{A}, Policy_A = {IACR}
- Bob, certified by IACR: cert_B = SIG_IACR{B}, Policy_B = {UCI}
- Bob sends his pseudonym B
- Alice derives an encryption key for (IACR, B) and sends Enc_PK(IACR,B){A, proof of possession of SIG_UCI{A} + n}
- Bob's signature (cert_B) is the decryption key; Bob returns n
Security of the authentication scheme:
- For Alice: semantic security of Enc => only Bob can return n
- For Bob: the proof of signature possession includes Bob's nonce

Our Solution: Secret Handshakes from Signature-Based Encryption (pt.2)
- Same protocol as pt.1: Bob sends pseudonym B; Alice sends Enc_PK(IACR,B){A, proof of possession of SIG_UCI{A} + n}; Bob decrypts with his signature and returns n
What's needed for "Secret Handshake" secrecy:
1. CA-obliviousness: pseudonym B must hide Bob's CA; the ciphertext must hide the CA Alice used in encryption
2. Semantic security of the encryption under Chosen Message Attack

Chosen-Message Attack on a Signature Scheme:
- The attacker queries the signer (PK) on chosen messages M_1, ..., M_n and receives Sig_PK(M_1), ..., Sig_PK(M_n)
- The attacker must output an unsigned message M* + a forged signature on M*

Chosen-Message Attack on Signature-Based Encryption:
- The attacker queries the Certification Authority (PK = IACR) on pseudonyms B_1, ..., B_n and receives Sig_PK(B_1), ..., Sig_PK(B_n)
- The attacker picks an unsigned pseudonym B* and messages m_1, m_2, receives Enc_PK(IACR,B*){m_b}, and must output b
- Signature security: inability to output a signature on B*
- Encryption security: inability to use the signature on B* to decrypt

Previous Results on Signature-Based Encryption
- Signature-Based Encryption of [Li, Du, Boneh, PODC'03]: RSA, Factoring (Rabin signatures), or Bilinear Maps (BLS signatures); no secrecy properties
- Here: Computational Diffie-Hellman (Schnorr signatures); affiliation secrecy for both sender and receiver
Terminology caveat:
- [LDB]'s "obliviousness": the sender doesn't know if the receiver decrypts
- Our "CA-obliviousness": affiliation privacy for both parties

CA-oblivious Signature-Based Encryption secure under Computational Diffie-Hellman [CDH]
Schnorr Signature (CA is the signer):
- SK_CA: x, PK_CA: y = g^x mod p
- Sign("B") = (s, r), s.t. g^s = r * y^H(r,"B") mod p
Schnorr-based Encryption (Bob is a decryptor):
- Pseudonym: (r, "B"), for a random string "B"
- Decryption key: SK_B = s
- Encryption key: PK_B = r * y^H(r,"B") [= g^s]
- ElGamal ciphertext: (c_1, c_2) = (g^k, H(PK_B^k) XOR M)
CA-obliviousness: r and c_1 are random values in Z_p^*
Semantic security under CMA attack:
- Recall [PS'96]: Schnorr signature forger => x (DL attack)
- Ciphertext distinguisher => computing z^x on random z (CDH attack)
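A toy implementation of the Schnorr-based CA-oblivious signature-based encryption on this slide, together with the nonce-return step from the pt.1 handshake slide. This is an added example, not the authors' code; it assumes a constructed tiny group (p = 1019, q = 509, g = 4) and models H with SHA-256, so it illustrates the key relation g^s = r * y^H(r,"B") and why only the certificate holder can decrypt, not real-world security.

```python
import hashlib
import secrets

# Constructed toy group for illustration only (far too small to be secure):
# safe prime p = 2q + 1 and a generator g of the order-q subgroup.
P, Q, G = 1019, 509, 4

def h_int(r, name):
    """H(r, name) as a non-zero exponent in Z_q (modelled by SHA-256)."""
    d = hashlib.sha256(str(r).encode() + b"|" + name).digest()
    return int.from_bytes(d, "big") % (Q - 1) + 1

def ca_keygen():
    """CA key pair: SK_CA = x, PK_CA = y = g^x mod p."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def ca_sign(x, name):
    """Schnorr signature (s, r) on pseudonym name, so that g^s = r * y^H(r,name) mod p."""
    k = secrets.randbelow(Q - 1) + 1
    r = pow(G, k, P)
    return (k + x * h_int(r, name)) % Q, r

def enc_key(y, r, name):
    """PK_B = r * y^H(r,name): anyone can derive it from the CA key and the pseudonym."""
    return r * pow(y, h_int(r, name), P) % P

def pad(z):
    """H(z) used as a one-time pad for one 32-byte message block."""
    return hashlib.sha256(str(z).encode()).digest()

def encrypt(y, pseudonym, msg):
    """ElGamal-style ciphertext (c1, c2) = (g^k, H(PK_B^k) xor M); c1 is uniform, so it hides y."""
    assert len(msg) <= 32
    r, name = pseudonym
    k = secrets.randbelow(Q - 1) + 1
    c1 = pow(G, k, P)
    c2 = bytes(a ^ b for a, b in zip(pad(pow(enc_key(y, r, name), k, P)), msg.ljust(32, b"\0")))
    return c1, c2

def decrypt(s, c1, c2):
    """Only the holder of s (Bob's certificate) recovers M, because PK_B^k = (g^k)^s = c1^s."""
    return bytes(a ^ b for a, b in zip(pad(pow(c1, s, P)), c2)).rstrip(b"\0")

def handshake_round(y_policy, bob_pseudonym, bob_cert_s):
    """Nonce step of the pt.1 slide: Alice encrypts n to (CA in her policy, B); Bob must return n."""
    n = secrets.token_hex(16).encode()          # 32 bytes, no NUL bytes
    c1, c2 = encrypt(y_policy, bob_pseudonym, n)
    return decrypt(bob_cert_s, c1, c2) == n     # True only if Bob's cert is from the policy CA
```

If Bob's certificate comes from a CA other than the one in Alice's policy, his s does not match the PK_B Alice derived, so the returned nonce is garbage and the handshake fails without either side learning the other's affiliation.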

Conclusions and Open Problems
Contributions:
- "Secret Handshake" authentication under Computational Diffie-Hellman (no bilinear maps)
- Efficiency improvements, reduced trust in CA
Open Problems:
- How to handle certificate chains?
- Linkability (our pseudonyms are constant & public)
- O(n^2) computation blow-up when Bob has n certificates and Alice has n CAs in her policy