Efficient Public-Key Distance Bounding
HANDAN KILINÇ AND SERGE VAUDENAY

1. Introduction of Distance Bounding
2. Formal Definitions for Security and Privacy
3. Weak Authenticated Key Agreement
4. Our Protocols: Eff-pkDB and Eff-pkDB private
5. Conclusion

Introduction

Relay Attack

Distance Bounding
Introduced by Brands and Chaum.
[Figure: a verifier and a prover]
The prover authenticates and proves its proximity to the verifier.

Distance Bounding
- Symmetric distance bounding: the prover and verifier share a secret.
- Public-key distance bounding: the prover has the public key of the verifier, and the verifier has the public key of the prover.

Problems in Public-key DB
- Slower than symmetric-key operations
- Limited computational resources on the devices
Goal: construct an efficient and secure public-key distance bounding protocol.

Public-key Distance Bounding
A (public-key) distance bounding protocol is a two-party probabilistic polynomial-time (PPT) protocol and consists of a tuple $(K_P, K_V, P, V, B)$.
- $K_P \to (sk_P, pk_P)$, $K_V \to (sk_V, pk_V)$
- $P(sk_P, pk_P, pk_V)$ is the proving algorithm, $V(sk_V, pk_V)$ is the verifying algorithm, and $B$ is the distance bound.
At the end of the protocol, the verifier $V(sk_V, pk_V)$ sends a final message $\mathsf{Out}_V$. If $\mathsf{Out}_V = 1$, the verifier accepts. If $\mathsf{Out}_V = 0$, the verifier rejects.

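Man-in-the-middle (MiM) Security
Honest and far-away prover and adversary $\mathcal{A}$.
$K_P \to (sk_P, pk_P)$, $K_V \to (sk_V, pk_V)$; $\mathcal{A}$ receives $pk_P, pk_V$.
If $\mathsf{Out}_V = 1$ and $pk_P$, $\mathcal{A}$ wins. The protocol is MiM-secure if this happens with negligible probability.
[Figure: the MiM game, with prover instances $P_1, P_2, \dots, P_n$, verifier instances $V_1, V_2, \dots, V_i, \dots, V_n$ and the distance bound $B$ around $V$]
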
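Distance Fraud (DF) Security
Malicious and far-away prover.
$K_V \to (sk_V, pk_V)$; given $pk_V$, the malicious prover $P$ runs $\mathsf{genkeys}(pk_V) \to (sk_P, pk_P)$.
If $\mathsf{Out}_V = 1$ and $pk_P$, $P$ wins. The protocol is DF-secure if this happens with negligible probability.
[Figure: the DF game, with prover instances $P_1, P_2, \dots, P_n$, verifier instances $V_1, V_2, \dots, V_i, \dots, V_n$ and the distance bound $B$ around $V$]
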
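Distance Hijacking (DH) Security
Malicious and far-away prover, and honest and close prover.
$K_V \to (sk_V, pk_V)$, $K_P \to (sk_P, pk_P)$; given $pk_V, pk_P$, the malicious prover $P$ runs $\mathsf{genkeys}(pk_V, pk_P) \to (sk_P, pk_P)$.
If $\mathsf{Out}_V = 1$ and $pk_P$, $P$ wins. The protocol is DH-secure if this happens with negligible probability.
[Figure: the DH game, with prover instances $P_1, P_2, \dots, P_i, \dots, P_n$, verifier instances $V_1, V_2, \dots, V_i, \dots, V_n$ and the distance bound $B$ around $V$]
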
Strong Privacy (HPVP Model)
Provers $P_1, P_2, \dots, P_n$ and an adversary $\mathcal{A}$.
- $\mathcal{A}$ can corrupt the provers: it learns the secret keys of the provers.
- As a challenge, $\mathcal{A}$ picks two provers $P_i, P_j$.
- The challenger picks one of them as a virtual tag and gives the virtual prover to $\mathcal{A}$.
- $\mathcal{A}$ can send messages to the virtual tag.
- $\mathcal{A}$ can send messages to the verifier.
- If $\mathcal{A}$ can recognize the virtual tag, then it wins the game.
A DB protocol is strong private if $\mathcal{A}$ wins the above game with probability at most $\frac{1}{2} + \text{negligible}$.

An Overview of Our Protocol
Verifier: $sk_V, pk_V$. Prover: $sk_P, pk_P, pk_V$.
1. Agree on a key $s$ using a Key Agreement (KA) protocol.
2. Run a symmetric-key DB with $s$.

| KA | Efficiency | Security |
| MQV | 2.5 | No proof |
| HMQV | 2.5 | CK |
| KEA+ | 3 | CK |
| NAXOS | 4 | eCK |
| CMQV | 3 | eCK |

What kind of security properties do we need for the key agreement protocol to have a MiM-, DF- and DH-secure and strong private DB protocol?

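Authenticated Key Agreement (one pass)
$A$ holds $sk_A, pk_A, pk_B$. $B$ holds $sk_B, pk_B, pk_A$.
1. $B$: $N \leftarrow D(1^n)$, $s = B(sk_B, pk_B, pk_A, N)$.
2. $B \to A$: $N$.
3. $A$: $s = A(sk_A, pk_A, pk_B, N)$.
Both parties output $s$.
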
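Decisional-Authenticated Key Agreement (D-AKA)
Game between a challenger and an adversary:
1. Challenger: generate $sk_A, pk_A, sk_B, pk_B$.
2. Challenger: query Oracle $B(pk_A)$ and receive $N, s_0$.
3. Challenger: pick $s_1$; pick $b \in \{0,1\}$.
4. Challenger → Adversary: $s_b, N, pk_B, pk_A$.
5. Adversary: outputs $b'$. It can access the oracles, except for the query $A(pk_B, N)$.
If $b' = b$, it wins.
Oracles:
- Oracle $B(\cdot)$: $N \leftarrow D(1^n)$, run $B(sk_B, pk_B, \cdot, N)$.
- Oracle $A(\cdot, \cdot)$: run $A(sk_A, pk_A, \cdot, \cdot)$.
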
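D-AKA Privacy Game
Game between a challenger and an adversary:
1. Challenger: generate $sk_A, pk_A, sk_{B_1}, pk_{B_1}$.
2. Challenger → Adversary: $pk_A, sk_{B_1}, pk_{B_1}$.
3. Adversary: pick $sk_{B_0}, pk_{B_0}$.
4. Adversary → Challenger: $sk_{B_0}, pk_{B_0}$.
5. Challenger: pick $b \in \{0,1\}$; $N \leftarrow D(1^n)$, $s = B(sk_{B_b}, pk_{B_b}, pk_A, N)$.
6. Challenger → Adversary: $s$.
7. Adversary: outputs $b'$. It can access Oracle $A(\cdot, \cdot)$, which runs $A(sk_A, pk_A, \cdot, \cdot)$.
If $b' = b$, it wins.
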
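Nonce-DH: a D-AKA secure and private key agreement protocol
Public parameters: a group $G$ of order $q$ and $g \in G$.
$A$: $sk_A \in \mathbb{Z}_q$, $pk_A = g^{sk_A}$; holds $sk_A, pk_A, pk_B$.
$B$: $sk_B \in \mathbb{Z}_q$, $pk_B = g^{sk_B}$; holds $sk_B, pk_B, pk_A$.
1. $B$: pick $N \in \{0,1\}^l$, $s = H(g, pk_B, pk_A, pk_A^{sk_B}, N)$.
2. $B \to A$: $N$.
3. $A$: $s = H(g, pk_B, pk_A, pk_B^{sk_A}, N)$.

| KA | Efficiency | Security |
| MQV | 2.5 | No proof |
| HMQV | 2.5 | CK |
| KEA+ | 3 | CK |
| NAXOS | 4 | eCK |
| CMQV | 3 | eCK |
| Nonce-DH | 1 | D-AKA |

Nonce-DH is D-AKA secure and private in the random oracle model, assuming that the Gap Diffie-Hellman problem is hard.
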
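Eff-pkDB
Verifier: $sk_V, pk_V$. Prover: $sk_P, pk_P, pk_V$.
1. Prover: $N \leftarrow D(1^n)$, $s = B(sk_P, pk_P, pk_V, N)$.
2. Prover → Verifier: $N, pk_P$.
3. Verifier: $s = A(sk_A, pk_A, pk_B, N)$.
4. Prover and verifier run symDB($s$).
5. Verifier: outputs $\mathsf{Out}$.
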
MiM-security of Eff-pkDB
If symDB is multi-verifier OT-MiM secure and the key agreement protocol is D-AKA secure, then Eff-pkDB is MiM-secure.

MiM-security of Eff-pkDB, Game 0
Verifier instances $V_1, \dots, V_n$ and prover instances $P_1, \dots, P_n$:
- $P_1$: $N_1 \leftarrow D(1^n)$, $s = B(sk_P, pk_P, pk_V, N_1)$
- $P_2$: $N_2 \leftarrow D(1^n)$, $s = B(sk_P, pk_P, pk_V, N_2)$
- $P_3$: $N_1 \leftarrow D(1^n)$, $s = B(sk_P, pk_P, pk_V, N_1)$
- ...
- $P_i$: $N_i \leftarrow D(1^n)$, $s = B(sk_P, pk_P, pk_V, N_i)$
- ...
- $P_j$: $N_i \leftarrow D(1^n)$, $s = B(sk_P, pk_P, pk_V, N_i)$
- ...
- $P_n$: $N_n \leftarrow D(1^n)$, $s = B(sk_P, pk_P, pk_V, N_n)$
$V_i$ received $N$ and $pk_P$. The prover who generates $N$ is the matching prover.
$\Pr[\mathsf{Out}_{V_i} = 1] = p_0$

MiM-security of Eff-pkDB, Game 1: no nonce is duplicated
[Figure: verifier instances $V_1, \dots, V_n$ and prover instances $P_1, \dots, P_n$; each prover instance picks a nonce $N_k$ and computes $s = B(sk_P, pk_P, pk_V, N_k)$]
We have at most one prover generating $N$.
$\Pr[\mathsf{Out}_{V_i} = 1] = p_1$
$p_1 - p_0$ is negligible.
Game 0 -> Game 1

MiM-security of Eff-pkDB, Game 2: provers pick the secret $s$ randomly
[Figure: verifier instances $V_1, \dots, V_n$ and prover instances $P_1, \dots, P_n$; the prover instances pick $s_1, s_2, \dots, s_i, \dots, s_n$]
$\Pr[\mathsf{Out}_{V_i} = 1] = p_2$
Simulation of the prover:
- receive $s_0, N$ from Oracle $B$
- send $pk_P, N$
- pick $s_1$
- store $(N, s_1, pk_P)$ to $T$
- run symDB($s_1$)
Simulation of the verifier:
- receive $N, pk_P$
- if $(N, \cdot, pk_P)$ is in $T$, retrieve $s$ from $(N, s, pk_P)$
- else receive $s$ from Oracle $A(pk_P, N)$
- run symDB($s_1$)
Because of D-AKA security, $p_2 - p_1$ is negligible.
Game 0 -> Game 1 -> Game 2

MiM-security of Eff-pkDB, Game 3: provers pick the nonce without the oracle
[Figure: verifier instances $V_1, \dots, V_n$ and prover instances $P_1, \dots, P_n$; the prover instances pick $s_1, s_2, \dots, s_i, \dots, s_n$]
$\Pr[\mathsf{Out}_{V_i} = 1] = p_3$
Simulation of the prover:
- $N \leftarrow D(1^n)$
- send $pk_P, N$
- pick $s_1$
- store $(N, s_1, pk_P)$ to $T$
- run symDB($s_1$)
Simulation of the verifier:
- receive $N, pk_P$
- if $(N, \cdot, pk_P)$ is in $T$, retrieve $s$ from $(N, s, pk_P)$
- else receive $s$ from Oracle $A(pk_P, N)$
- run symDB($s_1$)
$p_3 = p_2$.
Game 0 -> Game 1 -> Game 2 -> Game 3

MiM-security of Eff-pkDB, Game 4: multi-verifier OT-MiM game
- The verifier instances: $V_1, \dots, V_i, \dots, V_n$
- The prover instance generating $N$: $P_j$
- The other prover instances are simulated: $P_1, P_2, \dots, P_{j-1}, P_{j+1}, \dots, P_n$
$\Pr[\mathsf{Out}_{V_i} = 1] = p_4$
$p_4$ is negligible because of symDB.
Game 0 -> Game 1 -> Game 2 -> Game 3 -> Game 4
$p_0$ is negligible.

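Strong-Private variant of Eff-pkDB
Verifier: $sk_V, pk_V$. Prover: $sk_P, pk_P, pk_V = (pk_{V_1}, pk_{V_2})$.
1. Prover: $N \leftarrow D(1^n)$, $e = \mathsf{Enc}_{pk_{V_1}}(N, pk_P)$, $s = B(sk_P, pk_P, pk_V, N)$.
2. Prover → Verifier: $e$.
3. Verifier: $(N, pk_P) = \mathsf{Dec}_{sk_{V_1}}(e)$, $s = A(sk_A, pk_A, pk_B, N)$.
4. Prover and verifier run symDB($s$).
5. Verifier: outputs $\mathsf{Out}$; $pk_P$ is a private output.
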
Strong-privacy of the variant of Eff-pkDB
Assuming the key agreement protocol is D-AKA-private and the cryptosystem is IND-CCA secure, the variant of Eff-pkDB is strong private in the HPVP model.

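An instance of Eff-pkDB: Nonce-DH + OTDB
Public parameters: a group $G$ of order $q$ and $g \in G$.
Verifier: $sk_V \in \mathbb{Z}_q$, $pk_V = g^{sk_V}$; holds $sk_V, pk_V, pk_P$.
Prover: $sk_P \in \mathbb{Z}_q$, $pk_P = g^{sk_P}$; holds $sk_P, pk_P, pk_V$.
1. Prover: pick $N \in \{0,1\}^l$, $s = H(g, pk_P, pk_V, pk_V^{sk_P}, N)$.
2. Prover → Verifier: $N, pk_P$.
3. Verifier: $s = H(g, pk_P, pk_V, pk_P^{sk_V}, N)$; pick $N_V \in \{0,1\}^{2n}$; $a = N_V \oplus s$.
4. Verifier → Prover: $N_V$. Prover: $a = N_V \oplus s$.
5. For $i = 0$ to $n$: the verifier starts the timer and sends $c_i$; the prover answers $r_i = a_{2i+c_i}$; the verifier stops the timer.
6. Verifier: check that, for every $i$, $\mathrm{rtt}_i < 2B$ and $r_i$ is correct; output $\mathsf{Out}$.
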
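The Nonce-DH key agreement and the Nonce-DH + OTDB instance above, as an added Python sketch that is not code from the authors. It assumes a toy group (p = 2039, q = 1019, g = 4), SHA-256 truncated to 2n bits as H, rounds indexed 0 to n-1, and simulated round-trip times; all function names are hypothetical.

```python
import hashlib
import secrets

# Toy parameters, constructed for this example and far too small for real use:
# p = 2q + 1 with q prime, and g = 4 generates the subgroup of order q.
P_MOD, Q, G = 2039, 1019, 4
ROUNDS = 16                      # n timed rounds, so s, N_V and a have 2n bits
ELEM_LEN = (P_MOD.bit_length() + 7) // 8

def keygen():
    """sk in Z_q (non-zero), pk = g^sk."""
    sk = secrets.randbelow(Q - 1) + 1
    return sk, pow(G, sk, P_MOD)

def derive_s(sk_own, pk_peer, pk_p, pk_v, nonce):
    """s = H(g, pk_P, pk_V, pk_peer^sk_own, N), truncated to 2n bits."""
    dh = pow(pk_peer, sk_own, P_MOD)
    data = b"".join(x.to_bytes(ELEM_LEN, "big") for x in (G, pk_p, pk_v, dh))
    digest = hashlib.sha256(data + nonce).digest()
    return int.from_bytes(digest, "big") >> (256 - 2 * ROUNDS)

def response(a, i, c):
    """r_i = a_{2i+c_i}, with bit 0 the least significant bit of a."""
    return (a >> (2 * i + c)) & 1

def run_protocol(prover_keys, verifier_keys, rtts, bound):
    """Run Eff-pkDB once with simulated round-trip times; return Out_V."""
    (sk_p, pk_p), (sk_v, pk_v) = prover_keys, verifier_keys
    # Prover: pick N, derive s, send (N, pk_P) to the verifier.
    nonce = secrets.token_bytes(16)
    s_prover = derive_s(sk_p, pk_v, pk_p, pk_v, nonce)
    # Verifier: derive s from the received N and pk_P, then send N_V.
    s_verifier = derive_s(sk_v, pk_p, pk_p, pk_v, nonce)
    n_v = secrets.randbits(2 * ROUNDS)
    a_prover, a_verifier = n_v ^ s_prover, n_v ^ s_verifier
    accepted = True
    for i in range(ROUNDS):      # rounds indexed 0..n-1 so 2i+c_i stays below 2n
        c = secrets.randbits(1)  # verifier's challenge bit; the timer starts here
        r = response(a_prover, i, c)
        on_time = rtts[i] < 2 * bound
        accepted = accepted and on_time and r == response(a_verifier, i, c)
    return 1 if accepted else 0
```

The prover's only public-key cost here is the single exponentiation inside `derive_s`; a single round whose round-trip time reaches 2B makes the verifier output 0 even though every response bit is correct.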
Conclusion

| Protocol | Security | Privacy | PK Operation | Number of Computations |
| Brands-Chaum | MiM, DF | No privacy | 1 commitment, 1 signature | 1 EC multiplication, 2 hashing, 1 modular inversion, 1 random string selection |
| HPO (Hermans et al.) | MiM, DF | Weak | | 4 EC multiplication, 2 random string selections, 2 mappings |
| PrivDB (Vaudenay) | MiM, DF, DH | Strong | 1 signature, 1 IND-CCA encryption | 3 EC multiplication, 2 hashing, 2 random string selections, 1 symmetric key encryption, 1 modular inversion, 1 mapping, 1 MAC |
| ProProx (Vaudenay) | MiM, DF, DH, TF | No privacy | n+1 commitment, n ZK proofs | |
| eProProx (Vaudenay) | MiM, DF, DH, TF | Strong | 1 encryption, s hashing, n+1 commitments, n ZK proofs | |
| Eff-pkDB | MiM, DF, DH | No privacy | 1 D-AKA secure KA protocol | 1 EC multiplication, 2 hashing, 1 random string selection |
| Private Variant of Eff-pkDB | MiM, DF, DH | Strong | 1 IND-CCA encryption, 1 D-AKA secure KA protocol | 3 EC multiplication, 2 hashing, 2 random string selections, 1 symmetric key encryption, 1 MAC |

* ECDSA for the signature scheme and ECIES for the IND-CCA secure encryption scheme