Efficient Public-Key Distance Bounding


Presentation on theme: "Efficient Public-Key Distance Bounding"— Presentation transcript:

1 Efficient Public-Key Distance Bounding
Handan Kılınç and Serge Vaudenay

2 Introduction

3 Relay Attack
[Figure: relay attack. Labels: Cartman (Adversary), Cartman's Friend (Adversary), Butters (Victim)]

4 Distance Bounding
Introduced by Brands and Chaum.
Parties: Verifier and Prover.
The prover authenticates and proves its proximity to the verifier.

5 Distance Bounding
Symmetric Distance Bounding: The prover and verifier share a secret.
Public-key Distance Bounding: The prover has the public key of the verifier. The verifier has the public key of the prover.

6 Problems in Public-key DB
Slower than symmetric-key operations.
Limited computational resources on the devices.
Goal: construct an efficient and secure public-key distance bounding protocol.

7 Formal Definitions for Security and Privacy
Weak Authenticated Key Agreement
Our Protocols: Eff-pkDB and Eff-pkDB private
Conclusion

8 Public-key Distance Bounding
Global value: $B$ (distance bound).
Key generation algorithms: $K_V \to (sk_V, pk_V)$ and $K_P \to (sk_P, pk_P)$.
Verifier algorithm: $V(sk_V, pk_V)$.
Prover algorithm: $P(sk_P, pk_P, pk_V)$.
Verifier output $Out_V$: $Out_V = 0$ means reject, $Out_V = 1$ means accept.

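9 Man-in-the-middle (MiM) Security
Setting: honest and far-away prover, and adversary A.
Key generation: $K_P \to (sk_P, pk_P)$, $K_V \to (sk_V, pk_V)$. A is given $pk_P, pk_V$.
If $Out_{V_i} = 1$ and $pk_P$, A wins. The probability that A wins must be negligible.
[Figure: participants $V_i$, $P_i$ and A; instances $V_1, P_1, V_2, \dots, V_n, P_n$ with A in between; distance bound $B$]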

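10 Distance Fraud (DF) Security
Setting: malicious and far-away prover.
Key generation: $K_V \to (sk_V, pk_V)$. The adversary is the prover (A = P); given $pk_V$, it runs genkeys$(pk_V) \to (sk_P, pk_P)$.
If $Out_{V_i} = 1$ and $pk_P$, P wins. The probability that P wins must be negligible.
[Figure: participants $V_i$ and $P_i$; instances $V_1, P_1, V_2, P_2, \dots, V_n, P_n$; distance bound $B$]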

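11 Distance Hijacking (DH) Security
Setting: malicious and far-away prover P, and honest and close prover P'.
Key generation: $K_V \to (sk_V, pk_V)$, $K_P \to (sk_{P'}, pk_{P'})$. The adversary is the prover (A = P); given $pk_V, pk_{P'}$, it runs genkeys$(pk_V, pk_{P'}) \to (sk_P, pk_P)$.
If $Out_{V_i} = 1$ and $pk_P$, P wins. The probability that P wins must be negligible.
[Figure: participants $V_i$, $P_i$ and $P'_i$; instances $V_1, P_1, P'_1, V_2, P_2, \dots, V_n, P_n, P'_n$; distance bound $B$]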

12 Strong Privacy (HPVP Model)
Participants: provers $P_1, P_2, \dots, P_n$ and adversary A.
A can corrupt the provers: it learns the secret keys of the provers.
As a challenge, A picks two provers $P_i, P_j$. The challenger picks one of them as a virtual tag and gives the virtual prover to A.
A can send messages to the virtual tag.
A can send messages to the verifier.
If A can recognize the virtual tag, then he wins the game.
A DB protocol is strong private if A wins the above game with a negligible advantage.

13 An Overview of Our Protocol
Verifier holds $(sk_V, pk_V)$; Prover holds $(sk_P, pk_P, pk_V)$.
Step 1: Agree on a key $s$ using a Key Agreement (KA) protocol.
Step 2: Run a symmetric-key DB with $s$.
KA protocol table (columns: KA; Efficiency; Security): MQV; 2.5; No proof. HMQV; CK. KEA+; 3. NAXOS; 4; eCK. CMQV.
What kind of security properties do we need from the key agreement protocol to obtain a MiM, DF and DH secure and strong private DB protocol?

14 Formal Definitions for Security and Privacy
Weak Authenticated Key Agreement
Our Protocols: Eff-pkDB and Eff-pkDB private
Conclusion

15 Authenticated Key Agreement (one pass)
Party B holds $(sk_B, pk_B, pk_A)$; party A holds $(sk_A, pk_A, pk_B)$.
B picks $N \leftarrow D(1^n)$ and sends $N$ to A.
B computes $s = B(sk_B, pk_B, pk_A, N)$; A computes $s = A(sk_A, pk_A, pk_B, N)$.

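16 Decisional-Authenticated Key Agreement (D-AKA)
Game between a challenger and an adversary.
Challenger: generate $(sk_A, pk_A)$ and $(sk_B, pk_B)$; query $Oracle_B$ on $pk_A$ to obtain $N, s_0$; pick $s_1$; pick $b \in \{0,1\}$; send $s_b, N, pk_B, pk_A$ to the adversary.
$Oracle_B(\cdot)$: pick $N \leftarrow D(1^n)$ and run $B(sk_B, pk_B, \cdot, N)$.
$Oracle_A(\cdot,\cdot)$: run $A(sk_A, pk_A, \cdot, \cdot)$.
Adversary: it can access the oracles, except on $(pk_B, N)$; it outputs $b'$.
If $b' = b$, it wins.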

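17 D-AKA Privacy Game
Game between a challenger and an adversary.
Challenger: generate $(sk_A, pk_A)$ and $(sk_{B_1}, pk_{B_1})$; send $pk_A, sk_{B_1}, pk_{B_1}$ to the adversary.
Adversary: pick $(sk_{B_0}, pk_{B_0})$ and send it to the challenger.
Challenger: pick $b \in \{0,1\}$ and $N \leftarrow D(1^n)$; compute $s = B(sk_{B_b}, pk_{B_b}, pk_A, N)$; send $s$ to the adversary.
$Oracle_A(\cdot,\cdot)$: run $A(sk_A, pk_A, \cdot, \cdot)$.
Adversary: output $b'$. If $b' = b$, it wins.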

18 Nonce-DH: D-AKA secure and private key agreement protocol
Public parameters: a group $G$ of order $q$ and $g \in G$.
Party A: $sk_A \in \mathbb{Z}_q$, $pk_A = g^{sk_A}$; holds $(sk_A, pk_A, pk_B)$.
Party B: $sk_B \in \mathbb{Z}_q$, $pk_B = g^{sk_B}$; holds $(sk_B, pk_B, pk_A)$.
B: pick $N \in \{0,1\}^{\ell}$, send $N$ to A, and compute $s = H(g, pk_B, pk_A, pk_A^{sk_B}, N)$.
A: compute $s = H(g, pk_B, pk_A, pk_B^{sk_A}, N)$.
KA protocol table (columns: KA; Efficiency; Security): MQV; 2.5; No proof. HMQV; CK. KEA+; 3. NAXOS; 4; eCK. CMQV. Nonce-DH; 1; D-AKA.
Nonce-DH is D-AKA secure and private in the random oracle model, assuming that the Gap Diffie-Hellman problem is hard.

19 Formal Definitions for Security and Privacy
Weak Authenticated Key Agreement
Our Protocols: Eff-pkDB and Eff-pkDB private
Conclusion

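20 Eff-pkDB
Verifier holds $(sk_V, pk_V)$; Prover holds $(sk_P, pk_P, pk_V)$.
Prover: pick $N \leftarrow D(1^n)$ and send $N, pk_P$ to the verifier; compute $s = B(sk_P, pk_P, pk_V, N)$.
Verifier: compute $s = A(sk_V, pk_V, pk_P, N)$.
Both run symDB($s$); the verifier outputs Out.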

21 Security of Eff-pkDB
MiM security: If symDB is multi-verifier OT-MiM-secure and the key agreement protocol is D-AKA secure, then Eff-pkDB is MiM-secure.
DF security: If symDB is OT-DF-secure, then Eff-pkDB is DF-secure.
DH security: If symDB is OT-MiM-secure and OT-DH-secure, and the key agreement protocol is D-AKA secure, then Eff-pkDB is DH-secure.

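22 Strong-Private variant of Eff-pkDB
Verifier holds $(sk_V, pk_V)$; Prover holds $(sk_P, pk_P, pk_V)$ with $pk_V = (pk_{V_1}, pk_{V_2})$.
Prover: pick $N \leftarrow D(1^n)$; compute $e = Enc_{pk_{V_1}}(N, pk_P)$ and send $e$ to the verifier; compute $s = B(sk_P, pk_P, pk_V, N)$.
Verifier: recover $(N, pk_P) = Dec_{sk_{V_1}}(e)$; compute $s = A(sk_V, pk_V, pk_P, N)$. $pk_P$ is a private output.
Both run symDB($s$); the verifier outputs Out.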

23 Strong privacy of the variant of Eff-pkDB
Assuming the key agreement protocol is D-AKA-private and the cryptosystem is IND-CCA secure, the variant of Eff-pkDB is strong private in the HPVP model.

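24 An instance of Eff-pkDB: Nonce-DH + OTDB
Public parameters: a group $G$ of order $q$ and $g \in G$.
Verifier: $sk_V \in \mathbb{Z}_q$, $pk_V = g^{sk_V}$; holds $(sk_V, pk_V, pk_P)$.
Prover: $sk_P \in \mathbb{Z}_q$, $pk_P = g^{sk_P}$; holds $(sk_P, pk_P, pk_V)$.
Prover: pick $N \in \{0,1\}^{\ell}$ and send $N, pk_P$ to the verifier; compute $s = H(g, pk_P, pk_V, pk_V^{sk_P}, N)$.
Verifier: compute $s = H(g, pk_P, pk_V, pk_P^{sk_V}, N)$; pick $N_V \in \{0,1\}^{2n}$ and send $N_V$ to the prover; compute $a = N_V \oplus s$.
Prover: compute $a = N_V \oplus s$.
For $i = 0$ to $n$: the verifier starts the timer and sends the challenge $c_i$; the prover answers $r_i = a_{2i + c_i}$; the verifier ends the timer.
Verifier: check if $\forall i$: $rtt_i < 2B$ and $r_i$ is correct; output Out.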
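The Nonce-DH key agreement of slide 18 and the Nonce-DH + OTDB instance of slide 24, as an added example that is not part of the original slides. The toy group (p = 2039, q = 1019, g = 4), SHAKE-256 standing in for $H$, the simulated round-trip time `rtt`, and 0-based rounds $i = 0, \dots, n-1$ are assumptions of this example.

```python
import hashlib
import secrets

# Constructed toy parameters: order-Q subgroup of Z_P^* with P = 2Q + 1.
# Far too small for real use; a deployment would use an elliptic-curve group.
P, Q, G = 2039, 1019, 4
N_ROUNDS = 32  # n fast rounds; s, N_V and a are 2n bits long

def keygen():
    """sk in Z_q (non-zero), pk = g^sk."""
    sk = secrets.randbelow(Q - 1) + 1
    return sk, pow(G, sk, P)

def nonce_dh(sk_own, pk_peer, pk_p, pk_v, nonce):
    """s = H(g, pk_P, pk_V, pk_peer^sk_own, N), returned as a list of 2n bits."""
    shared = pow(pk_peer, sk_own, P)  # the only public-key operation per party
    data = b"|".join(str(x).encode() for x in (G, pk_p, pk_v, shared)) + b"|" + nonce
    digest = hashlib.shake_256(data).digest(2 * N_ROUNDS // 8)
    return [(byte >> k) & 1 for byte in digest for k in range(8)]

def xor_bits(x, y):
    return [i ^ j for i, j in zip(x, y)]

def eff_pkdb(sk_v, pk_v, sk_p, pk_p, bound_b, rtt):
    """One session. rtt is the simulated round-trip time of every fast round.
    Returns Out_V: 1 (accept) or 0 (reject)."""
    nonce = secrets.token_bytes(16)                        # prover picks N, sends (N, pk_P)
    s_prover = nonce_dh(sk_p, pk_v, pk_p, pk_v, nonce)      # uses pk_V^{sk_P}
    s_verifier = nonce_dh(sk_v, pk_p, pk_p, pk_v, nonce)    # uses pk_P^{sk_V}
    n_v = [secrets.randbits(1) for _ in range(2 * N_ROUNDS)]  # verifier picks N_V, sends it
    a_prover = xor_bits(n_v, s_prover)
    a_verifier = xor_bits(n_v, s_verifier)
    for i in range(N_ROUNDS):                              # time-critical phase
        c = secrets.randbits(1)                            # challenge c_i
        r = a_prover[2 * i + c]                            # response r_i = a_{2i + c_i}
        if rtt >= 2 * bound_b or r != a_verifier[2 * i + c]:
            return 0                                       # too slow or wrong bit
    return 1
```

A prover answering with a different secret key derives a different $s$ and passes all $n$ rounds only with probability about $2^{-n}$; a prover with the right key but `rtt >= 2 * bound_b` is rejected on timing alone.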

25 Formal Definitions for Security and Privacy
Weak Authenticated Key Agreement
Our Protocols: Eff-pkDB and Eff-pkDB private
Conclusion

26 Conclusion
Table columns: Protocol; Security; Privacy; PK Operation; Number of Computations
Brands-Chaum; MiM, DF; No privacy; 1 commitment, 1 signature; 1 EC multiplication, 2 hashing, 1 modular inversion, 1 random string selection
HPO (Hermans et al.); Weak; 4 EC multiplication, 2 random string selections, 2 mappings
PrivDB (Vaudenay); MiM, DF, DH; Strong; 1 signature, 1 IND-CCA encryption; 3 EC multiplication, 2 hashing, 2 random string selections, 1 symmetric key encryption, 1 modular inversion, 1 mapping, 1 MAC
ProProx (Vaudenay); MiM, DF, DH, TF; No Privacy; n+1 commitment, n ZK proofs
eProProx (Vaudenay); 1 encryption, n+1 commitments, n ZK proofs
Eff-pkDB; 1 D-AKA secure KA protocol; 1 EC multiplication, 2 hashing, 1 random string selection
Private Variant of; 1 IND-CCA encryption, 1 D-AKA secure KA protocol; 3 EC multiplication, 2 hashing, 2 random string selections, 1 symmetric key encryption, 1 MAC
* ECDSA for the signature scheme and ECIES for the IND-CCA secure encryption scheme

27 LASEC-EPFL is searching for post-docs
Contact:

