Presentation is loading. Please wait.

Presentation is loading. Please wait.

Secret Handshakes from CA-Oblivious Encryption Asiacrypt 2004, Jeju-do, Korea Claude Castelluccia, Stanisław Jarecki, Gene Tsudik UC Irvine.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Secret Handshakes from CA-Oblivious Encryption Asiacrypt 2004, Jeju-do, Korea Claude Castelluccia, Stanisław Jarecki, Gene Tsudik UC Irvine."— Presentation transcript:

1 Secret Handshakes from CA-Oblivious Encryption Asiacrypt 2004, Jeju-do, Korea Claude Castelluccia, Stanisław Jarecki, Gene Tsudik UC Irvine

2 Public Key Authentication No Affiliation Privacy cert A = SIG UCI { “Alice, etc”, A} Alice: PK A, certified by UCI Bob proof of possession of Sec.Key SK A A Alice’s affiliation (UCI) is revealed by her certificate Can Alice authenticate herself in a way that reveals her affiliation only if the verifier passes some criteria she sets? Seems like a Chicken and Egg Problem: The party that authenticates itself first has to reveal its affiliation…

3 A1: Only IACR members learn Alice’s affiliation A2: Only IACR members learn that IACR  Alice’s policy B: (and vice versa for Bob), certified by IACR “Secret Handshake”: Authentication with Secrecy Properties Alice, certified by UCI Secret Handshake Protocol Bob Policy A = {IACR} cert A = SIG UCI {A} cert B = SIG IACR {B} Policy B = {UCI} Parties Exchange Pseudonyms A,B

4 Secret Handshake Authentication Our Results Previous Results: - Privacy for Symmetric-Key Authentication [e.g. Abadi] - Secret Handshakes (for Public-Key Authentication) introduced in [Balfanz, et al.’03], solved under “Bilinear Diffie-Hellman” assumption on El. Curves with Bilinear Maps Our Results: - Solution based on standard groups, assuming hardness of Computational Diffie-Hellman - Efficiency improvements - Blinded certificate issuance => Less trust in CA - Extension to general PKI where A and B have different CA’s - Connection with “CA-Oblivious” Encryption

5 Alice’s PK A, Alice’s CA UCI, cert A Alice, certified by UCI Standard Authentication using Public Key Infrastructure proof of possession of Sec.Key SK A A On input UCI and A, Bob verifies the proof cert A = SIG UCI {A} Bob Sec.Key SK A

6 Alice’s PK A, Alice’s CA UCI, cert A Pseudonym A, Alice’s CA UCI, cert A proof of possession of UCI’s signature on A Alice, certified by UCI PKI-based Authentication (changing the terms ) On input UCI and A, Bob verifies the proof cert A = SIG UCI {A} Certificate cert A, i.e. CA’s signature on Alice’s public key A, can serve as the only authentication secret  no need for the secret key SK A  no need for A to be a public key (any ID string will do) ? Sec.Key SK A Bob

7 Affiliation Privacy in Authentication: Problem for Both Parties Alice, certified by UCI Alice’s Pseudonym A Bob’s Pseudonym B cert A = SIG UCI {A} cert B = SIG IACR {B} Policy B = {UCI} Policy A = {IACR} Bob, certified by IACR proof of possession of UCI’s sign. on A proof of possession of IACR’s sign. on B

8 Security of the Authentication Scheme: For Alice: Semantic security of Enc => only Bob can return n For Bob: Proof of signature possession includes Bob’s nonce Our Solution: Secret Handshakes from Signature-Based Encryption (pt.1) Enc PK(IACR,B) {A, proof of poss. of SIG UCI {A} + n} n Alice, certified by UCI encryption key derived for (IACR,B) signature = decryption key cert A = SIG UCI {A} Policy B = {UCI} cert B = SIG IACR {B} Bob, certified by IACR Bob’s Pseudonym B Policy A = {IACR}

9 What’s needed for “Secret Handshake” Secrecy: 1. CA-obliviousness: Pseudonym B must hide Bob’s CA Ciphertext must hide CA Alice used in encryption Our Solution: Secret Handshakes from Signature-Based Encryption (pt.2) Enc PK(IACR,B) {A, proof of poss. of SIG UCI {A} + n} n Alice, certified by UCI encryption key derived for (IACR,B) signature = decryption key cert A = SIG UCI {A} Policy B = {UCI} cert B = SIG IACR {B} Bob, certified by IACR Bob’s Pseudonym B Policy A = {IACR} 2. Semantic security of Encryption under Chosen Message Attack

10 Chosen-Message Attack on a Signature Scheme: Unsigned message M* + Forged signature on M* MnMn Signer (PK) Sig PK (M n )M1M1 Sig PK (M 1 )

11 Chosen-Message Attack on Signature-Based Encryption: BnBn Sig PK (B n )B1B1 Sig PK (B 1 ) Certification Authority (PK = IACR) Unsigned Pseudonym B* m 1, m 2 Enc PK(IACR,B*) {m b } b Signature Security: inability to output  on B* Encryption Security: inability to use  B* to decrypt

12 Previous Results on Signature-Based Encryption Signature-Based Encryption of [Li,Du,Boneh, PODC’03] - RSA, Factoring (Rabin Sigs.), or Billinear Maps (BLS Sigs.) - No secrecy properties Here: - Computational Diffie-Hellman (Schnorr Signatures) - Affiliation secrecy for both sender and receiver Terminology Caveat: [LDB]’s “obliviousness”: sender doesn’t know if receiver decrypts Our “CA-obliviousness”: affiliation privacy for both parties

13 Schnorr Signature (CA is the signer): SK CA : x, PK CA : y = g x mod p Sign(“B”) = (s,r), s.t. g s = r * y H(r,“B”) mod p CA-oblivious Signature-Based Encryption secure under Comp. Diffie-Hellman [CDH] Schnorr-based Encryption (Bob is a decryptor): Pseudonym:(r,“B”), for a random string “B” Decryption Key:SK B = s Encryption Key:PK B = r * y H(r,“B”) [= g s ] ElGamal ciphertext:(c 1,c 2 ) = (g k, H( PK B k )  M) CA-obliviousness:r and c 1 are random values in Z p * Semantic Security under CMA attack: Recall [PS’96]: Schnorr sign. forger => x (DL attack) Ciphertext distinguisher => computing z x on rnd. z (CDH att.)

14 Contributions: “Secret Handshake” Authentication under Computational Diffie Hellman (no bilinear maps) Efficiency improvements, reduced trust in CA Open Problems: How to handle certificate chains? Linkability (our pseudonyms are constant & public) O(n 2 ) computation blow-up when Bob has n certificates and Alice has n CA’s in its policy Conclusions and Open Problems

Download ppt "Secret Handshakes from CA-Oblivious Encryption Asiacrypt 2004, Jeju-do, Korea Claude Castelluccia, Stanisław Jarecki, Gene Tsudik UC Irvine."

Similar presentations

An Introduction to Pairing Based Cryptography Dustin Moody October 31, 2008.

An Introduction to Pairing Based Cryptography Dustin Moody October 31, 2008.
CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.

CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.
1 Chapter 7-2 Signature Schemes. 2 Outline [1] Introduction [2] Security Requirements for Signature Schemes [3] The ElGamal Signature Scheme [4] Variants.

1 Chapter 7-2 Signature Schemes. 2 Outline [1] Introduction [2] Security Requirements for Signature Schemes [3] The ElGamal Signature Scheme [4] Variants.
Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.
CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.

CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.
From: Cryptographers’ Track of the RSA Conference 2008 Date:2011-11-29 Reporter: Yi-Chun Shih 1.

From: Cryptographers’ Track of the RSA Conference 2008 Date: Reporter: Yi-Chun Shih 1.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
Digital Signatures and applications Math 7290CryptographySu07.

Digital Signatures and applications Math 7290CryptographySu07.
IAW 2006 Cascaded Authorization with Anonymous- Signer Aggregate Signatures Danfeng Yao Department of Computer Science Brown University Joint work with.

IAW 2006 Cascaded Authorization with Anonymous- Signer Aggregate Signatures Danfeng Yao Department of Computer Science Brown University Joint work with.
Public-key based. Public-key Techniques based Protocols –may use either weak or strong passwords –high computation complexity (Slow) –high deployment.

Public-key based. Public-key Techniques based Protocols –may use either weak or strong passwords –high computation complexity (Slow) –high deployment.
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 6 Wenbing Zhao Department of Electrical and Computer Engineering.

EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 6 Wenbing Zhao Department of Electrical and Computer Engineering.
A novel and efficient unlinkable secret handshakes scheme Author: Hai Huang and Zhenfu Cao (PR China) Source: IEEE Comm. Letters 13 (5) (2009) Presenter:

A novel and efficient unlinkable secret handshakes scheme Author: Hai Huang and Zhenfu Cao (PR China) Source: IEEE Comm. Letters 13 (5) (2009) Presenter:
Copyright Justin Klein Keane InfoSec Training Encryption.

Copyright Justin Klein Keane InfoSec Training Encryption.
CS555Spring 2012/Topic 161 Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography.

CS555Spring 2012/Topic 161 Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography.
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 6 Wenbing Zhao Department of Electrical and Computer Engineering.

EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 6 Wenbing Zhao Department of Electrical and Computer Engineering.
TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 29 Cryptography and Network.

TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 29 Cryptography and Network.
1 Authenticated key agreement without using one-way hash functions Harn, L.; Lin, H.-Y. Electronics Letters, Volume: 37 Issue: 10, 10 May 2001 Presented.

1 Authenticated key agreement without using one-way hash functions Harn, L.; Lin, H.-Y. Electronics Letters, Volume: 37 Issue: 10, 10 May 2001 Presented.
Lect. 11: Public Key Cryptography. 2 Contents 1.Introduction to PKC 2.Hard problems  IFP  DLP 3.Public Key Encryptions  RSA  ElGamal 4.Digital Signatures.

Lect. 11: Public Key Cryptography. 2 Contents 1.Introduction to PKC 2.Hard problems  IFP  DLP 3.Public Key Encryptions  RSA  ElGamal 4.Digital Signatures.
1 A few challenges in security & privacy in the context of ubiquitous computing Gene Tsudik SCONCE: Secure Computing and Networking Center UC Irvine

1 A few challenges in security & privacy in the context of ubiquitous computing Gene Tsudik SCONCE: Secure Computing and Networking Center UC Irvine
Identity Based Encryption

Identity Based Encryption

Similar presentations

Ads by Google