Presentation is loading. Please wait.

Presentation is loading. Please wait.

Optionally Identifiable Private Handshakes Yanjiang Yang.

Similar presentations


Presentation on theme: "Optionally Identifiable Private Handshakes Yanjiang Yang."— Presentation transcript:

1 Optionally Identifiable Private Handshakes Yanjiang Yang

2 RFID Security Seminar Agenda Introduction Review of Related Work Optionally Identifiable Private Handshakes Conclusion

3 RFID Security Seminar Introduction Review of Related Work Optionally Identifiable Private Handshakes Conclusion

4 RFID Security Seminar Secret handshakes Users are increasingly concerned about individual privacy in cyberspace –Privacy-preserving techniques are expected play a key part –Secret handshakes non-members learn nothing on the handshake between the two users A non-member cannot impersonate a member

5 RFID Security Seminar Unlinkable secret handshakes Secret handshakes are linkable Unlinkable secret handshakes provides unlinkability Traceability is a feature of unlinkable secret handshakes Differences between unlinkable secret handshakes and anonymous credentials

6 RFID Security Seminar Project Summary - why should it be done? Private handshakes Traceability may not be always desired Hoepman proposed the concept of private handshakes No traceability whatsoever in private handshakes

7 RFID Security Seminar Optionally identifiable private handshakes Secret handshakes/private handshakes each have own applications A primitive optionally between them is more flexible We proposed the concept of optionally identifiable private handshakes

8 RFID Security Seminar Nutshell Private handshakes (linkable) Secret handshakes Optionally identifiable private handshakes No identifiabilityidentifiability Unlinkable secret handshakes

9 RFID Security Seminar Introduction Review of Related Work Optionally Identifiable Private Handshakes Conclusion

10 RFID Security Seminar Secret handshakes Balfanz et al. first formulated the notion of secret handshakes (S&P’03) Castelluccia et al. proposed secret handshake protocols, with security under computational Diffie-Hellman assumption (Asiacrypt’04)

11 RFID Security Seminar Secret handshakes - continued Jarecki et al. (CT-RSA’07) and Vergnaud et al. (coding and cryptography’05) proposed RSA-based secret handshakes

12 RFID Security Seminar Unlinkable secret handshakes Xu et al. proposed k-anonymous secret handshakes (CCS’04) Tsudik et al. proposed (full) unlinkable secret handshakes, but all members from the same group are required to share a group secret Jarecki et al.’s scheme does not sharing of group secret (ACNS’07) Ateniese et al. proposed fuzzy unlinkable secret handnhakes (NDSS’07)

13 RFID Security Seminar Private handshakes Hoepma proposed private handshakes (security and privacy in Ad Hoc and sensor networks’07)

14 RFID Security Seminar Introduction Review of Related Work Optionally Identifiable Private Handshakes Conclusion

15 RFID Security Seminar Project Summary - why should it be done? Model Entities –a set of users –a set of groups –a set of group administrators who create groups and enrol users in groups. –a user may or may not be affiliated to a group –if a user belongs to a group, then he is a member of that group; otherwise, he is non-member of that group.

16 RFID Security Seminar Model - continued Algorithms –CreateGroup(1 k ) –EnrolUser(G, u) –HandShake(u 1, u 2, b) –RevokeUser(G, u)

17 RFID Security Seminar Project Summary - why should it be done? Details of algorithms Parameters G, GG –e(G 1, G 1 )  G 2 –H 0, H 1,H 2 –Enc().

18 RFID Security Seminar Project Summary - why should it be done? Details of algorithms - continued CreateGroup(1 k ) –Group administrator selects s G EnrolUser(G, u) –Group administrator issues u a credential x u = s G H 0 (u),

19 RFID Security Seminar Project Summary - why should it be done? Details of algorithms - continued Handshake(u 1, u 2, b) R 1 =r 1 H 0 (u 1 ) u1u1 u2u2 x u1 =s G H 0 (u 1 ) x u2 =s G H 0 (u 2 ) R 1, b R 2 =r 2 H 0 (u 2 ) V 2 = H 1 (e(R 1,r 2 x u2 ), b) R 2, V 2 u1u1 u2u2 x u1 =s G H 0 (u 1 ) x u2 =s G H 0 (u 2 )

20 RFID Security Seminar Details of algorithms - continued u1u1 u2u2 x u1 =s G H 0 (u 1 ) x u2 =s G H 0 (u 1 ) H 1 (e(r 1 x u1, r 2 ), b) =? V 2 V 1 = H 1 (b, e(r 1 x u1, R 2 )) sk 1 = H 2 (e(r 1 x u1, R 2 ), R 1, R 2 ) H 1 (b, e(R 1, r 2 x u2 )) =? V 1 sk 2 = H 2 (e(r 2 x u2, R 1 ), R 1, R 2 ) V1V1 So far, private handshake is completed!

21 RFID Security Seminar Details of algorithms - continued u1u1 u2u2 x u1 =s G H 0 (u 1 ) x u2 =s G H 0 (u 1 ) C 1 = Enc(sk u1, r 1, u 1 ) C1C1 (r 1 ’, u 1 ’) = Enc(sk u2, C 1 ) R 1 =? r 1 ’H 0 (u 1 ’) C 2 = Enc(sk u2, r 2, u 2 ) sk u2 = … C2C2 …

22 RFID Security Seminar Future Work User Revocation

23 RFID Security Seminar Security Impersonation resistance Membership detection resistance Unlinkability of private handshake Unlinkability to eavesdropper

24 RFID Security Seminar Introduction Review of Related Work Optionally Identifiable Private Handshakes Conclusion

25 RFID Security Seminar Conclusion We proposed the concept of private handshakes with optional identifiability, interpolating between private handshakes and secret handshakes, representing a more flexible primitive A concrete scheme was presented, and its security was defined and proved.

26 RFID Security Seminar Project Summary - why should it be done? Q & A THANK YOU!


Download ppt "Optionally Identifiable Private Handshakes Yanjiang Yang."

Similar presentations


Ads by Google