Notions of Privacy: ID-Hiding, Untraceability, Anonymity & Deniability


Notions of Privacy: ID-Hiding, Untraceability, Anonymity & Deniability. Paris, 19/03/2014. CIDRE. Cristina Onete

Meet the girl: Marie-Claire. Marie-Claire needs authentication.

Secure Authentication. Parties: Prover, Verifier, Adversary. The verifier outputs 1 = Accept or 0 = Reject.

PKES (Passive Keyless Entry and Start, as used in cars): Correctness

PKES: Impersonation

Privacy Notions
Who is the adversary?
- A MIM adversary (passive or active)
- A legitimate verifier (honest-but-curious or malicious)
- A third party (inside or outside the system)
Private in what way?
- The identity remains hidden
- Authentication sessions are unlinkable
- I can deny having authenticated
- One cannot even tell that authentication took place
How private?
- Nothing can be said about the identity (strong)
- Something can be told, but nothing useful

Contents
- Privacy in Authentication: authentication protocols; privacy notions; identity hiding and untraceability
- Privacy in Distance-Bounding Protocols: from authentication to distance bounding; MIM privacy in distance bounding; from MIM privacy to full anonymity; deniability
- Conclusion & some next steps

Part I: Privacy in Authentication

Secure Authentication (verifier output: 1 = Accept, 0 = Reject)
- Correctness: a legitimate prover always authenticates
- Impersonation resistance: a MIM adversary is always rejected (in the formal model: except with negligible probability)

Privacy Notions: ID Hiding
- Identity hiding: the prover's identity remains hidden
  - with respect to a MIM adversary
  - with respect to the verifier (honest-but-curious or malicious)

Privacy Notions: Untraceability (adversary oracles: DrawProver, Corrupt)
- Untraceability: the adversary cannot link sessions
  - vs. a MIM adversary: with or without corruptions
  - vs. an insider in possession of the verifier's state

Privacy Notions: Untraceability, classes in terms of corruptions
- Narrow/wide: the adversary does not learn / does learn the authentication result
- Weak: no corruptions; Forward: once a corruption happens, only further corruptions may follow; Strong: no restrictions

Privacy Notions: Deniability
- Deniability: the prover can deny that authentication took place
  - no difference between a real transcript τ and a transcript τ* simulated from the verifier's state
  - always with respect to a third party

What to use and where: always give each party only minimal information.
[Table: rows ID-Hiding / Untraceability / Deniability, each vs. MIM and vs. Verifier; columns Minimal / Pre-Snowden / Post-Snowden]
- Verifiers may or may not be connected to a central server
- They collect information on provers, tracking them
- They must forward information, and may even sell it
- Minimize data leaks; introduce deniability

ID-Hiding Authentication (static Diffie-Hellman with an encrypted certificate)
- V -> P: Certificate_V; P retrieves g^{N_V} from it
- P -> V: Enc(Certificate_P); V decrypts and retrieves g^{N_P}
- Both compute K = g^{N_P N_V}
- V -> P: challenge R_V; P -> V: PRF_K(R_V); V checks PRF_K(R_V)
- Hides the identity (the certificate travels encrypted), but sessions are linked: K is the same in every session, so a given challenge R_V always gets the same answer from the same prover, and an active adversary that replays R_V can link sessions

MIM-Untraceable Authentication [Vau07] (shared symmetric key K)
- P: pick random N_P; V: pick random N_V
- V -> P: N_V
- P -> V: N_P, PRF_K(N_P || N_V)
- V: verify PRF_K(N_P || N_V)
- Corruption: an adversary who learns K can trace everything back, by recomputing the PRF over every recorded transcript
- Forward privacy requires key updates or public-key primitives
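The two exchanges above (the static-key ID-hiding protocol and the [Vau07] protocol) and the corruption caveat, as an added Python example that is not code from the talk. Assumptions: PRF_K is instantiated with HMAC-SHA256; the static per-prover key of the ID-hiding protocol is modelled by a fixed key; "key updates" are instantiated as a one-way hash chain K_{i+1} = H(K_i), which is one generic way to get forward privacy and not a scheme the slides describe.

```python
import hashlib
import hmac
import secrets


def prf(key: bytes, msg: bytes) -> bytes:
    # PRF_K(.) instantiated with HMAC-SHA256 (assumption; the slide leaves the PRF abstract).
    return hmac.new(key, msg, hashlib.sha256).digest()


def evolve(key: bytes) -> bytes:
    # One-way key update K_{i+1} = H(K_i) (assumption: hash-chain instantiation of "key updates").
    return hashlib.sha256(b"key-update|" + key).digest()


def replay_link_test(key: bytes, r_v: bytes):
    """Active-MIM linking test from the ID-hiding slide: the same challenge R_V is replayed in two
    sessions. With response PRF_K(R_V) and a static K the two answers are identical, so the
    sessions link; with [Vau07]'s fresh prover nonce N_P they do not.
    Returns (static_protocol_linked, vau07_linked)."""
    static_linked = prf(key, r_v) == prf(key, r_v)
    n_p1, n_p2 = secrets.token_bytes(16), secrets.token_bytes(16)
    vau07_linked = prf(key, n_p1 + r_v) == prf(key, n_p2 + r_v)
    return static_linked, vau07_linked


def run_session(key: bytes):
    """[Vau07]-style exchange: V -> P: N_V ; P -> V: N_P, PRF_K(N_P || N_V).
    Returns the on-the-wire transcript (what a MIM sees) and V's decision."""
    n_v = secrets.token_bytes(16)
    n_p = secrets.token_bytes(16)
    tag = prf(key, n_p + n_v)
    accepted = hmac.compare_digest(tag, prf(key, n_p + n_v))  # V recomputes with its copy of K
    return (n_v, n_p, tag), accepted


def run_sessions(key: bytes, count: int, update: bool):
    """Run `count` sessions of one prover. update=False keeps K static (the slide's protocol);
    update=True has both parties apply evolve() after each session (lockstep, no desync handling).
    The returned key is what a Corrupt query issued now would reveal."""
    transcripts, decisions = [], []
    for _ in range(count):
        t, ok = run_session(key)
        transcripts.append(t)
        decisions.append(ok)
        if update:
            key = evolve(key)
    return transcripts, decisions, key


def trace(corrupted_key: bytes, transcripts, lookahead: int = 0):
    """Adversary's linking test after Corrupt: a transcript is attributed to this prover if its tag
    verifies under the corrupted key or under any of `lookahead` forward-evolved keys. The chain
    cannot be walked backwards, which is exactly what forward privacy relies on."""
    keys = [corrupted_key]
    for _ in range(lookahead):
        keys.append(evolve(keys[-1]))
    return [i for i, (n_v, n_p, tag) in enumerate(transcripts)
            if any(hmac.compare_digest(prf(k, n_p + n_v), tag) for k in keys)]


def demo():
    k0 = secrets.token_bytes(32)
    # Static key: corrupting the prover after 5 sessions links all 5 past sessions.
    past, ok1, k_now = run_sessions(k0, 5, update=False)
    static_linked = trace(k_now, past)
    # Evolving key: Corrupt returns K_5; K_0..K_4 are unreachable through the one-way update.
    past2, ok2, k5 = run_sessions(k0, 5, update=True)
    evolving_linked = trace(k5, past2, lookahead=8)
    # Forward privacy protects the past only: sessions after the corruption remain traceable.
    future, ok3, _ = run_sessions(k5, 3, update=True)
    future_linked = trace(k5, future, lookahead=8)
    return static_linked, evolving_linked, future_linked, all(ok1 + ok2 + ok3)
```

`demo()` returns `([0, 1, 2, 3, 4], [], [0, 1, 2], True)`: with a static key every past session is traced, with the evolving key none of the pre-corruption sessions are, and post-corruption sessions are traced in both cases. The lockstep update is a simplification; a deployed scheme has to tolerate lost sessions (typically by searching a window of evolved keys), which is where the desynchronisation and cost issues of key-update schemes come from.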

MIM-Untraceable Authentication: wide-strong private authentication [PH12]
Prover: secret k, public kP. Verifier: secret y, public yP.
- P -> V: r_1 P (random r_1)
- V -> P: r_2 P (random r_2)
- P computes d = [[r_1 yP]_x P]_x and e = r_1 [r_1 r_2 P]_x, and sends s = dk + e (e is fresh and hides dk)
- V recomputes d from y and [r_1 r_2 P]_x from r_2, then checks d^{-1} (sP - [r_1 r_2 P]_x r_1 P) == kP

Part II: Privacy in Distance-Bounding

Relay Attacks: a far-away prover unknowingly helps the adversary
- V sends N_V; the Ghost (next to V) forwards it to the Leech (next to the far-away prover), which replays it to the prover
- The prover answers N_P, PRF_K(N_P || N_V); the answer is relayed back the same way and V accepts
- Works against Bluetooth, smartcards, KeeLoq and PKES (cars)

Distance-Bounding Protocols
- Idea: proximity = trust, so use a timer. If communication speed and processing complexity are constant, distance is proportional to time.
- Timed challenge/response: V sends a challenge c, measures the round-trip time t until the response r arrives, checks r, and checks t <= t_max (t_max fixed by the distance bound and the propagation speed c).
- Challenges and responses must be single bits with minimal processing, so that the prover's computation does not dominate the measured time.
- Do the proximity test N times for reliability.

Distance-Bounding Protocol: basic structure is a slow (untimed) phase followed by fast (timed) rounds.

Distance-Bounding Properties
- Mafia fraud resistance: no relays!
- Terrorist fraud resistance: help from a dishonest prover is one-time
- Distance fraud resistance: a far-away prover cannot beat t_max

Distance-Bounding Attacks, by example
- Mafia fraud: Marie-Claire has the unique e-key to her gym locker; she is at a party with the Leech; the Ghost is at the gym and wants to get into the locker
- Terrorist fraud: Marie-Claire and the adversary are friends; she wants to let the adversary use her locker once, but the adversary should not be able to enter again without her permission
- Distance fraud: Marie-Claire runs a red light and wants to prove she was at the gym, but she is far away
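The timed fast phase of the preceding slides, with the mafia-fraud and distance-fraud cases played out, as an added Python simulation that is not code from the talk. Assumptions: propagation at the speed of light, a constant 1 ns prover processing time, registers r^0, r^1 constructed at random (a real protocol derives them in the slow phase), a 50 ns per-hop overhead for the relay electronics, and a distance-fraud prover that sends its guess early enough to land inside t_max. The relay and guessing strategies are the generic attacks, not a particular protocol's analysis.

```python
import random

C_LIGHT = 299_792_458.0   # propagation speed in m/s (assumption: radio in air)
T_PROC = 1e-9             # assumed constant per-round processing time at the prover (s)


def t_max_for(d_max_m: float) -> float:
    """Verifier's bound: round trip over the allowed distance plus the constant processing time."""
    return 2.0 * d_max_m / C_LIGHT + T_PROC


def make_registers(rng: random.Random, n: int):
    """Constructed shared registers r^0, r^1 (n bits each)."""
    return ([rng.getrandbits(1) for _ in range(n)], [rng.getrandbits(1) for _ in range(n)])


class HonestProver:
    """Answers r_i^{c_i} from the registers; sits `distance_m` from whoever talks to it."""
    def __init__(self, regs, distance_m):
        self.regs, self.d = regs, distance_m

    def answer(self, i, c_i, t_sent):
        t_here = t_sent + self.d / C_LIGHT           # challenge arrives
        t_back = t_here + T_PROC + self.d / C_LIGHT  # response is back at the sender
        return self.regs[c_i][i], t_back


class MafiaFraud:
    """Relay: Ghost near V, Leech near the far-away honest prover; knows no register bit."""
    def __init__(self, honest, ghost_distance_m, link_m, overhead_s=50e-9):
        self.h, self.gd, self.link, self.oh = honest, ghost_distance_m, link_m, overhead_s

    def answer(self, i, c_i, t_sent):
        t_ghost = t_sent + self.gd / C_LIGHT                  # V -> Ghost
        t_leech = t_ghost + self.oh + self.link / C_LIGHT     # Ghost -> Leech over the relay link
        bit, t_leech_back = self.h.answer(i, c_i, t_leech)    # Leech <-> honest prover
        t_v = t_leech_back + self.oh + self.link / C_LIGHT + self.gd / C_LIGHT
        return bit, t_v                                       # correct bit, but late


class DistanceFraud:
    """Legitimate but far-away prover: to arrive in time it must answer before seeing c_i, so it
    guesses the challenge. Against random registers a guess is right with probability 3/4 per
    round (always right when r^0_i == r^1_i, a coin flip otherwise)."""
    def __init__(self, regs, rng, d_max_m):
        self.regs, self.rng, self.t_max = regs, rng, t_max_for(d_max_m)

    def answer(self, i, c_i, t_sent):
        guess = self.rng.getrandbits(1)                       # c_i is not known yet; it is ignored
        return self.regs[guess][i], t_sent + 0.9 * self.t_max  # timed to land inside the bound


def verify(prover, regs, n, d_max_m, rng):
    """Verifier: n timed rounds; a round fails if the bit is wrong or the round trip exceeds t_max.
    Returns (accepted, number_of_failed_rounds)."""
    t_max = t_max_for(d_max_m)
    failed = 0
    for i in range(n):
        c_i = rng.getrandbits(1)
        bit, t_back = prover.answer(i, c_i, 0.0)
        if bit != regs[c_i][i] or t_back > t_max:
            failed += 1
    return failed == 0, failed


def demo(n=64, d_max_m=10.0, seed=1):
    rng = random.Random(seed)
    regs = make_registers(rng, n)
    near = HonestProver(regs, distance_m=2.0)
    far = HonestProver(regs, distance_m=500.0)    # Marie-Claire at the party
    honest = verify(near, regs, n, d_max_m, random.Random(seed))
    relay = verify(MafiaFraud(far, ghost_distance_m=2.0, link_m=500.0), regs, n, d_max_m, random.Random(seed))
    dist = verify(DistanceFraud(regs, rng, d_max_m), regs, n, d_max_m, random.Random(seed))
    return honest, relay, dist
```

`demo()` accepts the nearby honest prover with no failed round, rejects the relay in every round (the relay returns the right bits but each round trip is microseconds against a bound of about 68 ns), and rejects the distance fraud on roughly a quarter of the rounds. Note the 3/4 per-round success of the guessing prover: with plain r^0/r^1 registers, n rounds only bring distance fraud down to (3/4)^n, which is why n is chosen large and why protocols with stronger response functions exist.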


Privacy in Distance Bounding: authentication + relay resistance, by adapting and composing the authentication and the proximity check [HPO13]
Prover: secret k, public kP. Verifier: secret y, public yP.
- P -> V: r_1 P, r_2 P (random r_1, r_2)
- V -> P: r_3 P (V also picks random r_3 and the challenge bits c)
- Both compute d = xcoord[r_1 yP] (a DH value: P uses r_1 and yP, V uses y and r_1 P) and the 2n register bits r^0 || r^1 = xcoord{r_1 r_3 P}
- n fast rounds: V sends c_i, P answers r_i^{c_i}
- e = c || r (challenges and responses); P -> V: s = k + e r_1 + r_2 + d
- V checks the fast-phase responses and (s - d)P - e R_1 - R_2 == kP
The same diagram is used to argue, in turn, resistance to mafia fraud (the fast rounds are timed), resistance to distance fraud (the register bits depend on r_3, chosen by V), MIM-untraceability (r_1, r_2 and d blind k in s) and impersonation resistance (s cannot be formed without k).
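The [PH12] exchange from Part I and its [HPO13] extension above, both sides' computations included, as an added Python example that is not code from the talk. Assumptions: the elliptic-curve group with generator P is replaced by a toy Schnorr group (a prime-order subgroup of Z_p^*, with p = 2039, q = 1019, sizes that are illustrative only), the x-coordinate extraction [.]_x is replaced by a hash into 1..q-1, the register bits are expanded from the DH value with SHA-256, and the fast-phase timing is not simulated (see the previous example for that). The final checks are the slides' equations rewritten multiplicatively.

```python
import hashlib
import random

# Toy Schnorr group (assumption): p = 2q + 1 with p, q prime, g = 4 of order q.
P_MOD, Q_ORD, G = 2039, 1019, 4


def f(x: int) -> int:
    """Scalar extraction standing in for the slides' [.]_x (assumption): hash the group element
    into 1..q-1, so the result is never 0 and d is always invertible mod q."""
    h = hashlib.sha256(x.to_bytes(4, "big")).digest()
    return int.from_bytes(h, "big") % (Q_ORD - 1) + 1


def bits_from(x: int, count: int):
    """Register bits r^0 || r^1 derived from a DH value (assumption: SHA-256 expansion, count <= 256)."""
    v = int.from_bytes(hashlib.sha256(b"regs|" + x.to_bytes(4, "big")).digest(), "big")
    return [(v >> i) & 1 for i in range(count)]


def ph12(k: int, K: int, y: int, rng: random.Random):
    """[PH12]-style exchange. P holds k; V holds y and the registered public key K = g^k.
    Returns (accepted, transcript) where the transcript is what a MIM observes."""
    Y = pow(G, y, P_MOD)
    r1 = rng.randrange(1, Q_ORD); R1 = pow(G, r1, P_MOD)      # P -> V: r1 P
    r2 = rng.randrange(1, Q_ORD); R2 = pow(G, r2, P_MOD)      # V -> P: r2 P
    d = f(pow(Y, r1, P_MOD))                                  # P: d from the DH value with Y
    e = r1 * f(pow(R2, r1, P_MOD)) % Q_ORD                    # fresh blinding term
    s = (d * k + e) % Q_ORD                                   # P -> V: s = dk + e
    d_v = f(pow(R1, y, P_MOD))                                # V: same d, computed with y
    c_v = f(pow(R1, r2, P_MOD))                               # V: the blinding scalar, via r2
    unblinded = pow(G, s, P_MOD) * pow(pow(R1, c_v, P_MOD), -1, P_MOD) % P_MOD   # = K^d
    accepted = pow(unblinded, pow(d_v, -1, Q_ORD), P_MOD) == K                   # d^{-1}(...) == kP
    return accepted, (R1, R2, s)


def hpo13(k: int, K: int, y: int, n: int, rng: random.Random, flip_bits: int = 0):
    """[HPO13]-style composition: slow phase, n fast rounds, final response s.
    flip_bits > 0 corrupts that many fast-phase responses, as a relay or a guess that got a bit
    wrong would. Returns (accepted, fast_phase_ok)."""
    Y = pow(G, y, P_MOD)
    r1, r2 = rng.randrange(1, Q_ORD), rng.randrange(1, Q_ORD)
    R1, R2 = pow(G, r1, P_MOD), pow(G, r2, P_MOD)             # P -> V: r1 P, r2 P
    r3 = rng.randrange(1, Q_ORD); R3 = pow(G, r3, P_MOD)      # V -> P: r3 P
    c = [rng.getrandbits(1) for _ in range(n)]                # V's challenge bits
    d = f(pow(Y, r1, P_MOD))                                  # P: d = [r1 yP]_x
    regs = bits_from(pow(R3, r1, P_MOD), 2 * n)               # P: r^0 || r^1 = [r1 r3 P]_x
    resp = [regs[c[i] * n + i] for i in range(n)]             # fast rounds: c_i -> r_i^{c_i}
    for i in range(flip_bits):
        resp[i] ^= 1
    e = int("".join(map(str, c + resp)), 2) % Q_ORD           # e = c || r, seen by both sides
    s = (k + e * r1 + r2 + d) % Q_ORD                         # P -> V: s
    d_v = f(pow(R1, y, P_MOD))                                # V: d via y
    regs_v = bits_from(pow(R1, r3, P_MOD), 2 * n)             # V: registers via r3
    fast_ok = resp == [regs_v[c[i] * n + i] for i in range(n)]
    lhs = (pow(G, (s - d_v) % Q_ORD, P_MOD) * pow(pow(R1, e, P_MOD), -1, P_MOD)
           * pow(R2, -1, P_MOD) % P_MOD)                      # (s - d)P - e R1 - R2
    return fast_ok and lhs == K, fast_ok
```

In `ph12` the transcript (R1, R2, s) contains k only through s = dk + e, where d needs r_1 or y and e needs r_1 or r_2; an adversary that corrupts the prover and learns k still lacks both, which is the wide-strong argument. In `hpo13`, flipping a single fast-phase bit fails the response check while the algebra on s still goes through, and a prover with the wrong k passes the fast phase but fails the final check.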

Anonymity in Distance Bounding
- [HPO13]: the response depends on k, which is known to the verifier: s = k + e r_1 + r_2 + d
- [GOR14]: create a ring structure for the legitimate users
  - Registration: user i holds the secret x_i; the board publishes Q, Q_1, ..., Q_n with Q_j = (prod_{i=1, i != j}^{n} x_i) P, so that every user j derives the same credential Q = x_j Q_j
  - Authentication: P -> V: HEnc(Q_i) together with a proof that the encryption is well formed; V chooses r and replies HEnc(r Q_i); P decrypts, computes rQ = x_i (r Q_i), and runs the [HPO13] protocol with S = rQ + e R_1 + R_2 + D

Privacy in Distance Bounding: properties of [GOR14]
- Soundness: x_i is effectively hidden by S = r x_j Q_j + e R_1 + R_2 + D
- Prover anonymity: HEnc hides the auxiliary key Q_i; a maliciously chosen r has the same effect for all provers; all provers authenticate with the same credential rQ
- Deniability w.r.t. the server: the verifier only receives authentication strings S = r x_j Q_j + e R_1 + R_2 + D; a simulator can use the verifier's state to compute rQ and simulate the rest (generate encryption keys, use HEnc, generate the proof)

Present and Future
[Table: rows ID-Hiding / Untraceability / Deniability, each vs. MIM and vs. Verifier; columns Minimal / Pre-Snowden / Post-Snowden; protocols placed in the table: OPACITY [DFG+13], [PH12], [HPO13], [GOR14]]
- Old and new protocols and their properties: identity hiding, full prover anonymity, and deniability
- Composition: secure DB + anonymous channels
- Future: AKE + secure channel protocols

Thanks! CIDRE