Title: Secret Hanshakes
1On Privacy-Preserving Secure Interaction
Gene Tsudik Computer Science Department University
of California, Irvine CURRENTLY Fulbright
Senior Lecturer Dipartimento di
Informatica Universita degli Studi di Roma La
Sapienza
2Why Privacy?
- Basic human right and desire
- Transcends physical and electronic worlds
- Being assaulted from many directions
- Sometimes well-meaning and legitimate
- Privacy can be good for everyone
- Individuals
- Corporations
- Governments
- Obviously, privacy has a sinister side
- Do we stop here?
3Privacy Areas
- Anonymous communication
- Asynchronous, e.g., Email
- Synchronous, e.g., HTTP
- Traffic analysis resistance
- Location/movement privacy
- E.g., Internet, MANETs, cellular, RFIDs
- Private information retrieval (PIR)
- Hiding source and access patterns
- Anonymous signing (escrowed anonymity)
- Group signatures, ring signatures, etc.
- Etc., etc., etc.
4Privacy-Preserving Secure Interaction?
- New notion of Affiliation-Hiding
- Informally
- if I dont fully trust you, you dont need to
know who issued my credentials - or
- You dont need to see my certificate
- One-sided interaction
- information delivery with a twist
- Two-sided interaction
- all-or-nothing unobservable authentication
- Many-sided interaction
- all-or-nothing unobservable group authentication
- sometimes more subtle than all-or-nothing
5References
- OSBE-s
- Du, et al., Oblivious Signature-Based
Envelopes, ACM PODC 2003. - Nasserian and Tsudik, OSBE Revisited, FC 2006.
- Secret Hanshakes
- Balfanz, et al., Secret Handshakes, IEEE SP
(Oakland) 2003. - Xu and Yung, K-Anonymous Secret Handshakes with
Reusable Credentials, ACM CCS 2004. - Castelluccia, et al., Secret Handshakes from
CA-oblivious Encryption, IACR Asiacrypt 2004. - Ateniese, et al., Secret Handshakes with Dynamic
and Fuzzy Matching, NDSS 2007. - Group Secret Handshakes
- Jarecki, et al., Authentication for Paranoids
Multi-Party Secret Handshakes, ACNS 2006. - Jarecki, et al., Affiliation-Hiding
Authenticated Group Key Agreement, CT-RSA 2007. - Tsudik and Xu, A Framework for Group Secret
Handshakes, PET 2006. - Xu and Yung, K-Anonymous Multi-Part Secret
Handshakes , Financial Cryptography 2007.
6One-Sided Private Interaction Motivation
Bob
Alice
I have a message P to give to the CIA but I want
to make sure you are a CIA agent. Please show me
your CIA certificate!
I wont/cant show my CIA certificate. Just give
me the message!
??????
- Why doesnt Bob trust Alice with his certificate?
- She might convince others that Bob is with the
CIA - Bob is not allowed to reveal his credentials to
non-CIA agents
7Public Key Certificate
- Bobs CIA certificate
- Signing PK the CIAs public key.
- M Bob is with CIA, his key is xxx,
- M could be an X.509v3 certificate template
- ? SigPK(M) lt---- signature on M (certificate).
- The secret here is ? -- the signature itself
8Oblivious Signature-Based Envelope (OSBE)
Receiver (Bob?)
Sender (Alice)
Message P
- Receiver can open the envelope IFF s/he has the
certificate - Sender cant know whether the receiver has the
certificate
9OSBE Definition
- Setup
- PK CAs public key
- M content of the certificate
- ? SigPK(M) signature on M
- S/Alice Sender of message P (P is given to S
only). - R1/Bob Intended Receiver who has ? -- Bob
- Bob-who-has-? might not exist
- R2/Eve Receiver without ? -- adversary
- PK and M are given to all three parties
10OSBE Definition (contd)
- Interaction
- One of R1 and R2 is chosen as R
- S does not know which one.
- S and R run OSBE protocol
- Open
- R outputs P if and only if R R1.
- Recall R1 has the certificate (M, ?), R2 doesnt.
11Security Requirements
- A secure OSBE scheme must be
- Sound R1 outputs P with overwhelming
probability. - Oblivious S does not learn whether it is
communicating with R1 or R2. - Semantically secure against the receiver R2
learns nothing about P. - Forward-Secure compromise of long-term secret
(?) should not result in compromise of P (i.e.,
PFS) or - Original certificate signer should be unable to
obtain P - Imposter-Oblivious after multiple interactions
involving M, S learns nothing about R1 or R2
12IBE-based OSBE
Identity Based Encryption (IBE)
System Parameters
Alice
Message P
Public encryption key derived from Bob is a
CIA member
Cipher Text
13IBE-OSBE (Du, et al. 2003)
Sender (Alice)
Receiver (Bob)
(0) my name is Bob
(1) Public key PK F(Bob is a CIA
member) F() public function
(2) EPK(M)
(3) Decrypt EPK(M) with private key
14Summary
- IBE-OSBE is one-round no real interaction
- IBE-OSBE doesnt offer perfect forward secrecy
- If Receiver is later compromised, message P is
leaked - Not compatible with existing PKI-s
- Receiver (Bob) might not have the decryption key
when message P is sent - Is this good or bad?
- IBE-OSBE can be trivially resolved with Cocks or
Boneh/Franklin IBE schemes - Cocks IBE extremely inefficient, but standard
assumptions - Boneh/Franklin IBE more efficient (yet still
expensive), but assumptions are relatively new
and untested - What about other OSBE schemes?
15RSA OSBE Scheme (Du, et al.)
- RSA Signatures
- (e, n) public key PK
- e public exponent
- n modulus
- d private key.
- h hash(M) hash value of M.
- ? SigPK(M) hd (mod n) signature.
- (hd)e (he)d h (mod n)
16RSA-OSBE Scheme Setup
- Setup
- Everybody knows h, M, (e, n)
- Sender S knows P
- Only R1 knows ? (h d mod n)
17Using Key Agreement
Sender
Receiver
P
Sender knows the key Receiver knows the key
only if he has hd mod n
18Diffie-Hellman Key Agreement
Bob
Alice
h x mod n
x
y
h y mod n
(h x) y mod n
(h y) x mod n
h x y mod n
19Transforming Diffie-Hellman
S
R1
? h d h x mod n
x
y
? h e y mod n
? e y (h dx) e y
Kr (hey) x
h e d y h e x y h y h e x y
Ks (? e y)/h y h e x y
CLAIM Ks Kr if and only if Receiver knows h
d mod n
20Properties
- RSA-OSBE is oblivious
- R1 ? hdx
- R2 ? hx
- hdx x random and hx x random are
statistically indistinguishable
- RSA-OSBE is semantically secure against the
receiver, - i.e, R2 cannot learn KsKr
21Summary
- RSA-OSBE takes 2 rounds
- But, it needs to be 2-rounds only once
- PFS (forward security) is offered if x is
generated anew each time - RSA-OSBE can be used in an existing PKI
- RSA-OSBE is imposter-oblivious
- What does S know after having two interactions?
- What about other OSBE schemes?
22El Gamal Signature FamilyTsudik and Nasserian,
FC 2006.
- Nyberg/Rueppel
- Schnorr
- El Gamal (and variants)
- DSA
- All signatures look like
- (e,s)
- where
- e one-time public key
- s actual signature
- Variations are in the details of computing e and s
23Schnorr-OSBE
- Setup
- Everyone knows
- h() hash function, M Bob, FBI Agent
- system-wide parameters (p,q,g)
- CAs public key yga mod p
- CAs secret key a
- Sender S knows P (message intended for Bob)
- Receiver R1 (Bob) knows s (e,s)
- where
- e h(M,gk)
- s (ae k) mod q ah(M,gk)k mod q
- Schnorr Verification h(M, gsy-e) ? e
24Schnorr-OSBE
S
R1
X gsy-e mod p gK mod p
(y,h)
s(e,s)
1) generate z 2) Ks yh(M,X)Xz g(aek)z
Z gz mod p
KrZsgz(aek)
Encrypt P under key derived from Ks
CLAIM Ks Kr if and only if R1 knows saek
mod q
25EG-OSBE
- Setup
- Everyone knows
- hhash(M), M Bob, FBI Agent
- system-wide parameters (p,g)
- CAs public key yga mod p
- CAs secret key a
- Sender S knows P (message for Bob)
- Receiver R1 knows s (e,s) where
- e gk mod p
- s k-1(h - ae) mod (p-1)
- El Gamal Verification esye ? gh
- Note esye g h-aeagk g h
26EG-OSBE
S
R1
e gk
(y,h)
s(e,s)
1. generate z 2. Ks yez z-hz gz(ae-h)
Z ez mod p
KrZ-se-zs
Encrypt P under key derived from Ks
CLAIM Ks Kr if and only if R1 knows
sk-1(h-ae) mod p
27Security?
- Obliviousness is easy
- Semantic security against R is hard
- Entails showing that it is infeasible for R2 to
exponentiate with s - NR ?
- DSA ?
- El Gamal ?
- Schnorr ? use Pointcheval/Stern (forking lemma)
result
28Comparison
- RSA-OSBE can be forward-secure
- ElGamal-family OSBE-s need an extra gb in the
first message for forward security - RSA-OSBE is impostor-oblivious
- None others are is there a fix?
- Costs are similar ca. 2 mod-exps for both
parties - Very little overhead over normal (non-oblivious)
PK-based envelopes ? this is surprising!
29Cost?
OSBE Schemes
Costs factors NR Schnorr
EG/DSA RSA protocol rounds 2 2 2 2
protocol msgs 2 2 2 2 mod exps for
S 3 3 3 3 mod exps for R 1 3
1 2
Observation suppose S wants to send a message P
to R w/out OSBE. With DH-based PFS, same number
of exponentiations would be needed ? OSBEs offer
more functionality at same cost!
30Measured costs
RSA optimized RSA-OSBE
31One-Sided Secret Handshake?
- What if we add a confirmation round to OSBE?
Sender
Receiver
P
F(P)
- Alice knows Bob is an FBI agent
- But, Alice cannot prove it
32Secret Handshakes example setting
- Alice and Bob are FBI agents
- FBI agents are not allowed to divulge affiliation
except to other FBI agents - Alice will authenticate to Bob only if hes an
FBI agent - Bob will authenticate to Alice only if she is an
FBI agent - Other parties (whether CIA agents or not) must
not be able to detect Alices or Bobs
affiliation - How can Alice Bob authenticate each other?
- OSBEs are one-sided
33Group Secret Handshakes ?Jarecki, et al.,
CT-RSA 2007
- How about using a long-term group-wide secret
key? - Problems (1) traceability, (2) revocation
- Each player must have a PKI-style certificate
(ID,cert)
First Goal Authenticated Group Key Agreement
Second Goal Affiliation Hiding
FBI agent
FBI agent
?
K
K
Adversary
FBI agent
FBI agent
K
Adversary cannot determine players affiliations
K
- All FBI members compute same key (assuming
Adversary is passive) - The adversary cannot compute this key (even if
Adversary is active)
34Standard Authenticated Key AgreementNo
Affiliation Privacy!
Bobs ID (B) certified by CA
Alices ID (A) certified by CA
sA SIGCAA
sB SIGCAB
ID exchange (A,B)
As Key-Agreement msg SIGCA A
Bs Key-Agreement msg SIGCA B
Even passive adversary can determine players
affilations
35Adding Affiliation Privacy to Authenticated Key
Agreement
Bobs ID (B) certified by CA
Alices ID (A) certified by CA
sA SIGCAA
sB SIGCAB
ID exchange (A,B)
?
sB
sA
Alices credential Alices policy
Bobs credential Bobs policy
?
CAB
CAA
Secure Computation of Ver(CAA,B,sB)
Ver(CAB,A,sA)
Q1 Is Bob a member of Alices organization CAA ?
True or False
( a random Key if True)
Q2 Is Alice a member of Bobs organization CAB ?
Secure Computation Protocol gt Players Inputs
are Hidden gt Affiliation Privacy
36Affiliation-Hiding in AGKA a closer look
ID A
ID B
Player 1
Player 2
?
Player 3
ID C
ID D
Player 4
- Adversary cannot assign players to groups
- Adversary who is a member of some group can
tell if other users are members of same group
only by active attack
37Related Work on Affiliation-Hiding Key Agreement
38Efficient Affiliation-Hiding Authenticated Key
Exchange Example RSA certificates
Diffie-Hellman
Bobs ID (B) certified by (n,e)
Alices ID (A) certified by (n,e)
sA SIGn,eA (sA)e H(A)
sB SIGn,eB (sB)e H(B)
ID exchange (A,B)
Consider a Diffie-Hellman Key Agreement
39Efficient Affiliation-Hiding Authenticated Key
Exchange Example RSA certificates
Diffie-Hellman
Bobs ID (B) certified by (n,e)
Alices ID (A) certified by (n,e)
sA SIGn,eA (sA)e H(A)
sB SIGn,eB (sB)e H(B)
ID exchange (A,B)
Consider a Diffie-Hellman Key Agreement (modified)
Alices view - sends ?A - computes key K if
she knows tA DL( ?A )
Idea Contribute tA in ?A implicitly
authenticated under (n,e)
40Efficient Affiliation-Hiding Authenticated Key
Exchange Example RSA certificates
Diffie-Hellman
Bobs ID (B) certified by (n,e)
Alices ID (A) certified by (n,e)
sA SIGn,eA (sA)e H(A)
sB SIGn,eB (sB)e H(B)
ID exchange (A,B)
Consider a Diffie-Hellman Key Agreement
Alices view - sends ?A - computes key K if
she knows tA DL( ?A )
Idea Contribute tA in ?A implicitly
authenticated under (n,e)
41Efficient Affiliation-Hiding via Implicitly
Authenticated Key Agreement
Bobs ID (B) certified by (n,e)
Alices ID (A) certified by (n,e)
sA SIGn,eA (sA)e H(A)
sB SIGn,eB (sB)e H(B)
ID exchange (A,B)
Under RSA assumption If Alice does not embed a
valid signature (on A) into ?A then Alice cannot
compute key KB
Consider a Diffie-Hellman Key Agreement
Alices view - sends ?A - computes key K if
she knows tA DL( ?A )
Idea Contribute tA in ?A implicitly
authenticated under (n,e)
42Efficient Affiliation-Hiding via Implicitly
Authenticated Key Agreement
Bobs ID (B) certified by (n,e)
Alices ID (A) certified by (n,e)
sA SIGn,eA (sA)e H(A)
sB SIGn,eB (sB)e H(B)
ID exchange (A,B)
To ensure Affiliation-Hiding players send
Under RSA assumption If Alice does not embed a
valid signature (on A) into ?A then Alice cannot
compute key KB
where g satisfies Zn ltggt x lt-1gt b is a
random bit, and v is random in 0,,2k/n
43Affiliation-Hiding in Authenticated Group Key
Agreement Same Idea!
Bobs ID (B) certified by (n,e)
Alices ID (A) certified by (n,e)
sA SIGn,eA (sA)e H(A)
sB SIGn,eB (sB)e H(B)
ID exchange (A,B)
Standard DH Key Agreement Pi sends gti and
then uses ti to compute the key Affiliation-Hiding
AKA Pi sends (si gti) and Pj recovers gti
via implicit-authentication Group KA protocols
Pi sends gti and then uses ti in some further
interactions Affiliation-Hiding AGKA Pi sends
(si gti) and then uses ti as in the AGKA
protocol, while Pjs recover gti via
implicit-authentication
44Adding Affiliation-Hiding Authentication to BD
GKA
Burmester-Desmedt GKA
AH-AGKA version of BD
Deliver implicitly
authenticated ( affiliation-hiding)
Step 1
Pi ?G
Compute session id, s
Step 2
Key Computation
45Summary
- Authenticated Group Key Agreement can be
Affiliation-Hiding at No Extra Cost - 2 communication rounds (the second one
broadcasts) - 3-4 exponentiations per player
- Affiliation-hiding via implicit authentication
- Secure under various assumptions (in ROM)
- Diffie-Hellman
- RSA
- Extensions
- Perfect Forward Secrecy (one extra round)
46Open Questions
- Weaker assumptions?
- Affiliation-Hiding (Group) Authentication without
ROM? - Privacy after Revocation
- How to provide Forward Privacy in case of
member revocation? - Currently, affiliation of revoked identities is
made public... - How to get rid of identities entirely
- Unlinkable Secret Handshakes?
47Group Secret Handshakes another takeXu, et al.
(PET06)
- How to achieve group secret handshakes
- with unlinkability
- and
- Avoid one-time pseudonyms/certificates
48Soundness and Security properties
- Correctness if all m parties are in G, handshake
succeeds else, failure. - Impersonation-resistance only a member can
complete a handshake - Detection-resistance a non-member cant identify
a successful handshake - Unlinkability multiple handshakes by same member
can only be linked by the CA - Eavesdropper-indistinguishability curious
insiders cant determine handshake outcome - Traceability any valid handshake transcript is
traceable - No-misattribution no coalition of members and CA
can frame an honest member - Forward-repudiability a member can only prove
its own participation in a handshake, not that of
any other member (even if former reveals all) - Tagging-resistance any adversary who reads all
memory of honest member cant track/link that
member - Self-Distinction for mgt2, each party convinced
of uniqueness of all others
49Self-distinction is unique to groups gt 2Alice
can play two roles in a group handshake
Alices Pseudonym A1
Alices Pseudonym A2
Problem A1 and A2 are UNRELATED (by design)
50Correctness?
Failure!
51Correctness take 0
PROTOCOL FAILURE
52Correctness take 1
53Correctness take 2
54Goals
- Avoid
- one-time credentials or pseudonyms
- ability of GA to frame members
- Provide
- group handshakes
- tagging-resistance
- self-distinction
55Building Block I Centralized Key Distribution
CKD (Broadcast Encryption)
- CKD.Setup GA creates group G
- CKD.Join GA admits new member, updates group
state info - CKD.Leave GA revokes existing member, updates
group state info - CKD.Update each member updates group info
- CKD.Rekey each member runs (on input of state
info)
Question Can we simply have m parties exchange
challenges/responses encrypted under a (current)
common key K?
56Building Block I Centralized Key Distribution
CKD (e.g, LKH, OFT, etc.)
- Correctness YES
- Impersonation-resistance YES
- Detection-resistance YES
- Unlinkability YES (cant be linked even by
GA) - Eavesdropper-indistinguishability NO
- Traceability NO
- No-misattribution YES
- Forward-repudiability YES
- Tagging-resistance YES
- Self-Distinction NO
57Building Block II Group Signatures
- GSS.Setup GA creates group G
- GSS.Join GA admits new member, optionally
updates group state info - GSS.Revoke GA revokes existing member, updates
group state info - GSS.Update each member updates own state info
- GSS.Sign a member signs on behalf of the group
- GSS.Verify anyone verifies a group signature
- GSS.Open GA opens a valid group signature
identifies signer
Question Can we simply have m parties exchange
group signatures?
58Building Block II Group Signatures
- Correctness YES
- Impersonation-resistance YES
- Detection-resistance NO
- Unlinkability YES
- Eavesdropper-indistinguishability NO
- Traceability YES
- No-misattribution YES
- Forward-repudiability YES
- Tagging-resistance YES?
- Self-Distinction NO
Question What if m parties exchange group
signatures encrypted under CKD group-wide key K?
59Building Blocks I II CKD GSS
- Correctness YES
- Impersonation-resistance YES
- Detection-resistance YES
- Unlinkability YES
- Eavesdropper-indistinguishability NO
- Traceability YES
- No-misattribution YES
- Forward-repudiability YES
- Tagging-resistance YES
- Self-Distinction NO
Need 3rd building block
60Building Block III Group Key Agreement GKA
(e.g., BD94, STW00, PKT00)
- Authenticated or raw group key agreement?
- Can use CKD group-wide key for authentication
61Group Handshake Protocol at a Glance
- Phase I all participants run GKA protocol and
compute one-time key k - Phase II all participants compute Kf(k,k)
where k is the broadcast (group-wide) secret key - Phase III all participants broadcast unique MACs
to confirm possession of the same K - Phase IV all participants generate and broadcast
group signatures (encrypted with K) to assert
verify membership
62Building Blocks IIIIII
- Correctness YES
- Impersonation-resistance YES
- Detection-resistance YES
- Unlinkability YES
- Eavesdropper-indistinguishability YES
- Traceability YES
- No-misattribution YES
- Forward-repudiability YES
- Tagging-resistance YES
- Self-Distinction MAYBE
Can prove that if I, II and III are secure, so
is GCD
63Example 1
- GKA BD94
- GSS ACJT00 CL02
- CKD WGL (KeyGraphs)
- No self-distinction!
64Example 2
- GKA STW00
- GSS KTY04
- CKD LKH
- Self-distinction!
65Result a Secret Handshake Framework
Distributed Group Key Agreement Protocol
Group Signature Scheme
Broadcast Encryption Scheme
If each component is secure, so is the resulting
secret handshake scheme but ITS VERY HEAVY
66To conclude
- Privacy-preserving interaction has some
compelling use cases - Protocols are tricky to design
- Naïve approaches dont work
- Security and Privacy properties must be
considered separately - If done right, very little (if any) added cost
due to privacy