Download presentation
Presentation is loading. Please wait.
Published byKelley Pierce Modified over 9 years ago
1
From: Cryptographers’ Track of the RSA Conference 2008 Date:2011-11-29 Reporter: Yi-Chun Shih 1
2
Introduction Contribution Perfect Forward Secrecy & Linkable Affiliation- Hiding AH-AKE Conclusion
3
Affiliation-Hiding Authentication protocol, or Secret Handshakes(SH), allow two members of the same group to authenticate each other by hiding their affiliation - FBI agent
4
Affiliation-Hiding Authenticated Key Exchange ( AH-AKE ) strengthens entity authentication schemes ( SH described in [BDS + 03] and [CJT04] ) : output the key which is authenticated satisfy the standard security requirement of AKE protocol ( but not include Perfect Forward Secrecy )
5
Introduction Contribution Perfect Forward Secrecy & Linkable Affiliation- Hiding AH-AKE Conclusion
6
1. Strengthens the security of AH-AKE through Perfect Forward Secrecy (PFS)
7
2. Formalize the exact level of protecting privacy, called Linkable Affiliation-Hiding (LAH), the guarantee of privacy does not contain unlinkablility - Linkability : (under the ideal process) in the AH-AKE session, under the condition of player uses the same certificate, the same alias would revealed every time, so that the adversary could link this two instance, but the affiliation of the player would not be disclosed, unless the user is corrupted or the session is compromised
8
3. Under the condition of satisfying PFS and LAH, let the complexity of AH-AKE protocol ideal in Random Oracle Model (ROM) -ROM : regarded as perfect hash function
9
Introduction Contribution Perfect Forward Secrecy & Linkable Affiliation- Hiding AH-AKE Conclusion
10
PFS : ensure to keep each session secure, even the participant finally corrupted and gives away long-term secrete to the adversary LAH : AH-AKE should confront with player corrupted and session revealed Thus, LAH implies PFS
11
LAH compares the view of actual execution and the view of fully-random PFS compares the view of actual execution and the view of partial-random (only the key of tested session is random) Lemma: If AH-AKE scheme is Linkable Affiliation-Hiding then it is Secure with Perfect Forward Secrecy
12
Introduction Contribution Perfect Forward Secrecy & Linkable Affiliation- Hiding AH-AKE Conclusion
13
AH-AKE is based on standard AKE (non affiliation-hiding), the difference is that the certification of AH-AKE is private , so the certification hierarchies and chains are not allowed
14
AH-AKE scheme computes under the environment of a user set U and a group set G, and denote U U is a member of G G as U G
15
purpose : allow a pair of players to establish common secret key that is authenticated, the conditions are (1) run the protocol on the public key of the same group (2) U i G and U j G In the AH-AKE scheme, if a user is a member of many groups, that would affect execution efficient, but not security and affiliation- hiding
16
All the public keys of groups and CA’s, and the certificate revocation lists (CRL) are public information The communication between users and CA’s is through anonymous and authenticated channel The execution of AH-AKE protocol is through the channel that is not authenticated The adversary has fully control over the network
17
inputoutput / outcome Setupkpublic parameter (params) KGenparamsgroup PK, SK, CRL AddSK, U U generates a certificate (cert) to U, and adds U to G; if cert is issued by PK, denotes as cert Certs(PK) RevokeUUUU revokes cert into CRL, denotes as cert RevokedCerts(CRL) * KGen, Add, Revoke are executed by the CA of group G
18
π U s : protocol session or player instance - the s th instance of player U that execute the protocol session sid i s : session id - the state argument that used by π i s to connect the public input and messages
19
π i s and π j t are matching : PK i s = PK j t, cert i s Certs(PK i s ), cert j t Certs(PK j t ), cert i s RevokedCerts(CRL j t ), cert j t RevokedCerts(CRL i s ), role i s ≠role j t π i s and π j t are partnered : sid i s = sid j t If π i s and π j t are matching and partnered, they would output the same key, K i s = K j t
20
Setup: -give security parameter k -define the smallest integer k’ and H 1 : {0,1}* -> {0,1} k Kgen: - generate 2k’-bit safe RSA modulus n = pq -random choose g so that g generates the largest subset of Zn* -secret key : (p,q,d), public key : (n,g,e) -decides H n : {0,1}* -> Zn Add: -manager chooses random string id and calculates σ = [H n (id)] d (mod n) -the certification of U, cert = (id, σ) Revoke: manager add id to group CRL
21
random choose b A, x A initiator responser LINKABLE hide σ A Step 1
22
set v A For authentication purpose Step 2 : use the information the other side gave to compute v If id B has been revoked
23
ie, H 1 (r A, sid A, init) = H 1 (r B, sid B, init) authentication Step 3 If U A and U B belong to different groups
24
Prove the correctness : If A, B belong to the same group, PK A = PK B = (n, g, e) r A =(Z B ) XA =(g 2eXB ) XA =(g 2eXA ) XB =(Z A ) XB =r B, where Z A =(θ A e h A -1 ) 2 =g 2eXA Z B =(θ B e h B -1 ) 2 =g 2eXB
26
sender ( Alice ) message ( M ) lock receiver ( Bob )
27
Commitment phase has secrecy property : receiver can not open the box sender can not modify M Decommitment phase has unambiguity / binding property : sender gives the key to allow receiver to open the box to know M
28
The trapdoor is used to overcome the binding property Take sealed-bid auctions for example, the participant can use trapdoor to modify his bid
29
Introduction Contribution Perfect Forward Secrecy & Linkable Affiliation- Hiding AH-AKE Conclusion
30
AH-AKE includes PFS and LAH Use trapdoor to hide σ A
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.