Efficient Public-Key Distance Bounding

Transcription:

Efficient Public-Key Distance Bounding
HANDAN KILINÇ AND SERGE VAUDENAY

Outline
1. Introduction of Distance Bounding
2. Formal Definitions for Security and Privacy
3. Weak Authenticated Key Agreement
4. Our Protocols: Eff-pkDB and Eff-pkDB private
5. Conclusion

Introduction

Relay Attack

Distance Bounding
Introduced by Brands and Chaum. The prover authenticates and proves its proximity to the verifier.

Distance Bounding
Symmetric distance bounding: the prover and the verifier share a secret.
Public-key distance bounding: the prover has the public key of the verifier, and the verifier has the public key of the prover.

Problems in Public-key DB
Public-key operations are slower than symmetric-key operations, and the devices have limited computational resources.
Goal: construct an efficient and secure public-key distance bounding protocol.

2. Formal Definitions for Security and Privacy

Public-key Distance Bounding
A (public-key) distance bounding protocol is a two-party probabilistic polynomial-time (PPT) protocol consisting of a tuple (K_P, K_V, P, V, B):
- K_P → (sk_P, pk_P) and K_V → (sk_V, pk_V) are the key generation algorithms of the prover and the verifier,
- P(sk_P, pk_P, pk_V) is the proving algorithm,
- V(sk_V, pk_V) is the verifying algorithm,
- B is the distance bound.
At the end of the protocol, the verifier V(sk_V, pk_V) sends a final message Out_V. If Out_V = 1 the verifier accepts; if Out_V = 0 it rejects.

Man-in-the-middle (MiM) Security
Setting: an honest, far-away prover and an adversary A. K_P → (sk_P, pk_P), K_V → (sk_V, pk_V); A knows pk_P and pk_V.
A wins if Out_V = 1 for pk_P. Security requires that A wins with negligible probability.
[Figure: prover instances P_1, ..., P_n, verifier instances V_1, ..., V_n and the adversary; every prover is at distance greater than B from the verifier.]

Distance Fraud (DF) Security
Setting: a malicious, far-away prover. K_V → (sk_V, pk_V); the malicious prover receives pk_V and generates its own key pair, genkeys(pk_V) → (sk_P, pk_P).
The malicious prover wins if Out_V = 1 for pk_P. Security requires that it wins with negligible probability.
[Figure: malicious prover instances P_1, ..., P_n, all at distance greater than B from the verifier instances V_1, ..., V_n.]

Distance Hijacking (DH) Security
Setting: a malicious, far-away prover together with an honest, close prover. K_V → (sk_V, pk_V); the honest prover has K_P → (sk_P, pk_P); the malicious prover receives pk_V and pk_P and generates its own key pair, genkeys(pk_V, pk_P) → (sk_P', pk_P').
The malicious prover wins if Out_V = 1 for its own key pk_P'. Security requires that it wins with negligible probability.
[Figure: the honest prover instances are within distance B of the verifier instances V_1, ..., V_n, the malicious prover instances P_1, ..., P_n beyond B.]

Strong Privacy (HPVP Model)
Provers P_1, P_2, ..., P_n. The adversary A can corrupt provers, i.e. A learns their secret keys. As a challenge, A picks two provers P_i, P_j; the challenger picks one of them as a virtual tag and gives the virtual prover to A. A can send messages to the virtual tag and to the verifier. If A recognizes the virtual tag, it wins the game.
A DB protocol is strong private if A wins the above game with probability at most 1/2 + negligible.

An Overview of Our Protocol
Verifier (sk_V, pk_V) and Prover (sk_P, pk_P, pk_V):
1. agree on a key s using a key agreement (AKA) protocol;
2. run a symmetric-key DB protocol with s.

AKA       Efficiency   Security
MQV       2.5          No proof
HMQV      2.5          CK
KEA+      3            CK
NAXOS     4            eCK
CMQV      3            eCK

What kind of security properties does the key agreement protocol need so that the resulting DB protocol is MiM, DF and DH secure and strong private?

3. Weak Authenticated Key Agreement

Authenticated Key Agreement (one pass)
A holds (sk_A, pk_A, pk_B); B holds (sk_B, pk_B, pk_A).
B samples a nonce N ← D(1^n) and sends N to A.
A computes s = A(sk_A, pk_A, pk_B, N); B computes s = B(sk_B, pk_B, pk_A, N).

Decisional Authenticated Key Agreement (D-AKA) Game
Challenger: generates (sk_A, pk_A) and (sk_B, pk_B); samples N ← D(1^n) and s_0 = B(sk_B, pk_B, pk_A, N); picks s_1 at random and a bit b ∈ {0,1}; sends (s_b, N, pk_B, pk_A) to the adversary.
Adversary: has access to Oracle B(·), which on input pk samples N ← D(1^n) and runs B(sk_B, pk_B, pk, N), and to Oracle A(·,·) = A(sk_A, pk_A, ·, ·). It may query the oracles on anything except A(pk_B, N). It outputs b' and wins if b' = b.

D-AKA Privacy Game
Challenger: generates (sk_A, pk_A) and (sk_B1, pk_B1) and gives pk_A, sk_B1, pk_B1 to the adversary.
Adversary: picks (sk_B0, pk_B0) and sends them to the challenger.
Challenger: picks b ∈ {0,1}, samples N ← D(1^n), computes s = B(sk_Bb, pk_Bb, pk_A, N) and sends s to the adversary.
Adversary: has access to Oracle A(·,·) = A(sk_A, pk_A, ·, ·); outputs b' and wins if b' = b.

Nonce-DH: a D-AKA secure and private key agreement protocol
Public parameters: a group G of prime order q and a generator g ∈ G.
A: sk_A ∈ Z_q, pk_A = g^sk_A, holds (sk_A, pk_A, pk_B). B: sk_B ∈ Z_q, pk_B = g^sk_B, holds (sk_B, pk_B, pk_A).
B picks N ∈ {0,1}^l and sends N to A.
A computes s = H(g, pk_B, pk_A, pk_B^sk_A, N); B computes s = H(g, pk_B, pk_A, pk_A^sk_B, N).

AKA       Efficiency   Security
MQV       2.5          No proof
HMQV      2.5          CK
KEA+      3            CK
NAXOS     4            eCK
CMQV      3            eCK
Nonce-DH  1            D-AKA

Nonce-DH is D-AKA secure and private in the random oracle model, assuming that the Gap Diffie-Hellman problem is hard.

4. Our Protocols: Eff-pkDB and Eff-pkDB private

Eff-pkDB
Verifier (sk_V, pk_V); Prover (sk_P, pk_P, pk_V).
Prover: samples N ← D(1^n), computes s = B(sk_P, pk_P, pk_V, N) and sends (N, pk_P) to the verifier.
Verifier: computes s = A(sk_V, pk_V, pk_P, N) (the verifier plays party A of the key agreement, the prover party B).
Both run symDB(s), the symmetric-key DB protocol keyed with s; the verifier outputs Out_V.

MiM-security of Eff-pkDB
If symDB is multi-verifier OT-MiM secure and the key agreement protocol is D-AKA secure, then Eff-pkDB is MiM-secure.

MiM-security of Eff-pkDB: proof by game hopping
Game 0 (the real MiM game): verifier instances V_1, ..., V_n and prover instances P_1, ..., P_n. Each prover instance P_k samples N_k ← D(1^n) and computes s = B(sk_P, pk_P, pk_V, N_k); several prover instances may pick the same nonce (in the figure, P_3 reuses N_1 and P_j reuses N_i). The verifier instance V_i receives N and pk_P; the prover instance that generated N is its matching prover. Pr[Out_Vi = 1] = p_0.

Game 1 (no nonce is duplicated): at most one prover instance generates any given N; otherwise the game is as Game 0. Pr[Out_Vi = 1] = p_1, and |p_1 − p_0| is negligible.

Game 2 (provers pick the secret s at random): the prover and verifier instances are simulated with the D-AKA oracles.
Simulation of a prover: receive (s_0, N) from Oracle B; send (pk_P, N); pick s_1 at random; store (N, s_1, pk_P) in a table T; run symDB(s_1).
Simulation of a verifier: receive (N', pk_P); if (N', ·, pk_P) is in T, retrieve s from the entry (N', s, pk_P), else obtain s from Oracle A(pk_P, N'); run symDB(s).
Pr[Out_Vi = 1] = p_2, and |p_2 − p_1| is negligible by D-AKA security.

Game 3 (provers pick the nonce without the oracle): the simulated prover samples N ← D(1^n) itself instead of receiving it from Oracle B; everything else is as in Game 2. Pr[Out_Vi = 1] = p_3 = p_2.

Game 4 (multi-verifier OT-MiM game): the verifier instances V_1, ..., V_i, ..., V_n and the prover instance P_j that generated N are the instances of the multi-verifier OT-MiM game of symDB; the other prover instances P_1, ..., P_{j−1}, P_{j+1}, ..., P_n are simulated. Pr[Out_Vi = 1] = p_4 is negligible by the OT-MiM security of symDB.

Game 0 -> Game 1 -> Game 2 -> Game 3 -> Game 4: p_0 is negligible.

Strong-Private Variant of Eff-pkDB
Verifier (sk_V, pk_V); Prover (sk_P, pk_P, pk_V), where pk_V = (pk_V1, pk_V2).
Prover: samples N ← D(1^n), computes e = Enc_pkV1(N, pk_P) and s = B(sk_P, pk_P, pk_V, N), and sends e to the verifier.
Verifier: decrypts (N, pk_P) = Dec_skV1(e) and computes s = A(sk_V, pk_V, pk_P, N).
Both run symDB(s); the verifier outputs Out_V, and pk_P is a private output.

Strong privacy of the variant of Eff-pkDB
Assuming the key agreement protocol is D-AKA-private and the cryptosystem is IND-CCA secure, the variant of Eff-pkDB is strong private in the HPVP model.

An instance of Eff-pkDB: Nonce-DH + OTDB
Public parameters: a group G of prime order q and a generator g ∈ G.
Verifier: sk_V ∈ Z_q, pk_V = g^sk_V; holds (sk_V, pk_V, pk_P). Prover: sk_P ∈ Z_q, pk_P = g^sk_P; holds (sk_P, pk_P, pk_V).
Prover: picks N ∈ {0,1}^l, sends (N, pk_P) and computes s = H(g, pk_P, pk_V, pk_V^sk_P, N).
Verifier: computes s = H(g, pk_P, pk_V, pk_P^sk_V, N), picks N_V ∈ {0,1}^2n, computes a = N_V ⊕ s and sends N_V.
Prover: computes a = N_V ⊕ s.
Fast phase, for i = 0 to n: the verifier starts its timer and sends the challenge bit c_i; the prover answers r_i = a_{2i+c_i}; the verifier stops its timer and records rtt_i.
Verifier: checks that rtt_i < 2B and r_i is correct for every i, and outputs Out_V.
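As an added example (not code from the slides or the authors), the Python below runs one session of the Nonce-DH + OTDB instance above: the prover's nonce and (N, pk_P) message, both parties' derivation of s = H(g, pk_P, pk_V, g^(sk_P·sk_V), N) as in the Nonce-DH slide, the table a = N_V ⊕ s, and the n timed one-bit rounds answered with a_{2i+c_i}. It assumes a toy safe-prime group (p = 1019) in place of the slides' elliptic-curve group, SHA-256 as H, and a caller-supplied round-trip time in place of real timing.

```python
import hashlib
import secrets

# Toy public parameters, constructed for illustration only: p = 2q + 1 is a
# safe prime and g = 4 generates the subgroup of prime order q. The slides use
# an elliptic-curve group; the protocol logic is identical.
P, Q, G = 1019, 509, 4
N_ROUNDS = 128          # n fast rounds; N_V and s must be 2n = 256 bits (SHA-256)

def keygen():
    """Key pair (sk, pk = g^sk) for either party."""
    sk = secrets.randbelow(Q - 1) + 1
    return sk, pow(G, sk, P)

def nonce_dh(pk_p, pk_v, shared, nonce):
    """Nonce-DH key s = H(g, pk_P, pk_V, g^(sk_P*sk_V), N) as a 256-bit int."""
    h = hashlib.sha256()
    for x in (G, pk_p, pk_v, shared):
        h.update(x.to_bytes(4, "big"))       # fixed-width encoding, unambiguous input
    h.update(nonce)
    return int.from_bytes(h.digest(), "big")

def bit(a, j):
    """a_j for 0 <= j < 2n, numbering bits from the most significant one."""
    return (a >> (2 * N_ROUNDS - 1 - j)) & 1

def run_eff_pkdb(sk_p, pk_p, sk_v, pk_v, bound, rtt):
    """One Eff-pkDB session (Nonce-DH + OTDB). Timing is simulated: `rtt` is the
    round-trip time the verifier measures in every fast round. Returns Out_V."""
    # Slow phase, message 1: the prover picks N and sends (N, pk_P).
    nonce = secrets.token_bytes(16)
    s_prover = nonce_dh(pk_p, pk_v, pow(pk_v, sk_p, P), nonce)
    # The verifier derives s from its own secret, picks N_V and sends it.
    s_verifier = nonce_dh(pk_p, pk_v, pow(pk_p, sk_v, P), nonce)
    n_v = secrets.randbits(2 * N_ROUNDS)
    a_prover, a_verifier = n_v ^ s_prover, n_v ^ s_verifier   # a = N_V xor s
    # Fast phase: n timed one-bit rounds; the response is a_{2i+c_i}.
    for i in range(N_ROUNDS):
        c_i = secrets.randbits(1)                # verifier's challenge, timer starts
        r_i = bit(a_prover, 2 * i + c_i)         # prover's response
        if rtt >= 2 * bound or r_i != bit(a_verifier, 2 * i + c_i):
            return 0                             # too far away or wrong response
    return 1

if __name__ == "__main__":
    sk_p, pk_p = keygen()
    sk_v, pk_v = keygen()
    print("honest, close prover:", run_eff_pkdb(sk_p, pk_p, sk_v, pk_v, 10, 5))
    print("honest, far prover:  ", run_eff_pkdb(sk_p, pk_p, sk_v, pk_v, 10, 25))
```

A prover holding a secret key that does not match pk_P derives a different s, so each of the 128 rounds is answered correctly only with probability 1/2 and the session is rejected with overwhelming probability; a correct prover whose round trips exceed 2B is rejected by the timing check alone.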

5. Conclusion

Conclusion
Comparison of public-key distance bounding protocols (security; privacy; public-key operations; number of computations*):
Brands-Chaum: MiM, DF; no privacy; 1 commitment, 1 signature; 1 EC multiplication, 2 hashing, 1 modular inversion, 1 random string selection.
HPO (Hermans et al.): MiM, DF; weak privacy; 4 EC multiplications, 2 random string selections, 2 mappings.
PrivDB (Vaudenay): MiM, DF, DH; strong privacy; 1 signature, 1 IND-CCA encryption; 3 EC multiplications, 2 hashing, 2 random string selections, 1 symmetric-key encryption, 1 modular inversion, 1 mapping, 1 MAC.
ProProx (Vaudenay): MiM, DF, DH, TF; no privacy; n+1 commitments, n ZK proofs.
eProProx (Vaudenay): MiM, DF, DH, TF; strong privacy; 1 encryption, s hashing, n+1 commitments, n ZK proofs.
Eff-pkDB: MiM, DF, DH; no privacy; 1 D-AKA secure AKA protocol; 1 EC multiplication, 2 hashing, 1 random string selection.
Private variant of Eff-pkDB: MiM, DF, DH; strong privacy; 1 IND-CCA encryption, 1 D-AKA secure AKA protocol; 3 EC multiplications, 2 hashing, 2 random string selections, 1 symmetric-key encryption, 1 MAC.
* ECDSA is used for the signature scheme and ECIES for the IND-CCA secure encryption scheme.