Efficient Unlinkable Secret Handshakes for Anonymous Communications

Transcription

1 보안공학연구논문지 (Journal of Security Engineering), 제 7권 제 6호 2010년 12월 Efficient Unlinkable Secret Handshakes for Anonymous Communications Eun-Kyung Ryu 1), Kee-Young Yoo 2), Keum-Sook Ha 3) Abstract The technique of secret handshake is used as a fundamental building block for anonymous peer-to-peer communications over untrusted networks. However, the fact that most existing schemes fail to meet unlinkability causes the use of schemes to limit for practical use. In this paper, we provide new constructions for unlinkable secret handshake, allowing arbitrary two communication parties with the same role in either one single group or multiple groups to privately authenticate each other. Compared to previous works, our techniques have much better performance in terms of both computational and communication cost, while they obtain good security results. Keywords : Privacy, Security, Secret Handshake, Anonymous Communication, Unlinkability 1. Introduction A secret handshake is a cryptographic mechanism that enables anonymous and secure communication over untrusted networks by allowing arbitrary two members in a same group to privately authenticate to each other, as well as to agree on a shared key for further communication. More specifically, the secret handshake guarantees the following properties [1]. Let party A be a member of group G 1 with the role r A, and party B be a member of group G 2, respectively. 1) Neither A nor B learns anything about the other party if G 1 does not equal G 2. 2) Both A and B learn their respective group memberships only if G 1 equals G 2. 3) A third party observing the exchange between A and B does not learn anything, including whether A and B belong to the same group, the specific identities of the groups, or the roles of either A or B. For such reasons, the techniques for secret handshake are used as fundamental building blocks for anonymous peer-to-peer communications in a diverse range of applications, including military secret service, Received(October 10, 2010), Review request(october 11, 2010), Review Result(1st:October 25, 2010, 2nd:November 07, 2010) Accepted(December 31, 2010) 1 Graduate School of Electrical Engineering and Computer Science, Kyungpook National University, Daegu ekryu@ku.ac.kr 2 School of Computer Science and Engineering, Kyungpook National University, Daegu yook@knu.ac.kr 3 (Corresponding author) Division of Computer Information and Electronics, Kumi College, Kumi KeumS.Ha@gmail.com 619

2 Efficient Unlinkable Secret Handshakes for Anonymous Communications high-bandwidth digital content protection systems and anonymous routing in ad-hoc networks [2]. The first scheme for secret handshakes was introduced by Balfanz et al in [1], which adopts the concept of non-interactive key agreement in pairings-based cryptography. After that, many interesting results [2]-[6] have been shown in the literature in recent years, using various cryptographic primitives such as RSA, identity-based encryption, CA-oblivious encryption, group signature and etc. However, the fact that most existing schemes fail to meet unlinkability causes the use of schemes to limit for practical use. The unlinkability means that multiple handshake sessions involving the same party cannot be linked by a third party, which is required as a primary security property in the design of any privacy-preserving security protocol. In this paper, we describe efficient constructions for secret handshake in two-party settings and provide the security analysis of the resulting schemes. Our schemes have a number of crucial advantages. They provide the unlinkability, but do not require one-time credentials. They are also capable of preserving all desired security properties, including impersonation resistance and detection resistance. Moreover, compared to previous works, our constructions have much better performance in terms of both computational and communication cost, while they obtain good security results. The rest of this paper is organized as follows. In Section 2, we briefly review some cryptographic tools used in our solutions which include the concept of bilinear pairings and the underlying computational assumption. In Section 3, we describe our solution and provide its security analysis. We then discuss efficiency and other attributes in Section 4. We further discuss about the support for multiple-groups in Section 5. Finally, we conclude in Section Cryptographic Tools Here we briefly introduce the underlying cryptographic tools for our schemes, which include bilinear pairings and the well-known Bilinear Diffie-Hellman assumption [7]. Let G and G' be two cyclic additive groups and G T be a cyclic multiplicative group of the same prime order q. Let P be a generator of G and P' be a generator of G'. The symbol ^ denotes the exponentiation operation. A bilinear pairing is a function e : G G' G T with the following properties: Bilinear: For all P 1 G, Q 1 G' and a, b Z q, then e(ap 1, bq 1) = e(p 1, Q 1)^{ab}. Non-degenerate: There exist P 1 G and Q 1 G' such that e(p 1, Q 1 ) 1. Computable: There exists an efficient algorithm to compute e(p 1, Q 1) for any P 1 G and Q 1 G'. The above bilinear pairing is called "Type 3"[8], asymmetric pairings, which is usually implemented using the Weil or Tate pairings over elliptic curve groups G and G', with good performance and flexibility for high security parameters. The elements in G, in general, allow more compact representation than those in G'. The 620

3 보안공학연구논문지 (Journal of Security Engineering), 제 7권 제 6호 2010년 12월 bilinear pairings, in recent years, have been widely used to construct various cryptographic primitives, due to the advantages of its high security assurance with small-size keys and less bandwidth consumption. Definition 1. (BDH assumption) The Bilinear Diffie-Hellman (BDH) problem is defined as follows: given P, ap, bp G and P', cp' G', compute e(p, P')^{abc}, where a,b,c are randomly chosen from Z q and P, P' are generators in G, G', respectively. We say that the BDH assumption holds if no probabilistic polynomial-time algorithm can solve the BDH problem with non-negligible probability. 3. Unlinkable Secret Handshake In this section, we describe our solution for the problem of unlinkable secrete handshake. We first provide our construction with full-fledged security features and then discuss its security results. 3.1 The Construction Let H 0: {0, 1} * G' maps arbitrary strings to points in G', and H 1, H 2 be collision-resistant hash functions, taking arbitrary strings as input, such as SHA-1. Let Gen be a parameter generator that takes a security parameter k as input and outputs the bilinear parameters (q, G, G', G T, e, P, P'). We assume that a group authority for each group is associated with a unique pair (pk, sk) of keys, such that pk = sp and sk = s, where s is the group master secret. Also, each group member in the group is assumed to be associated with a group secret key S = s H 0 (gid role) G', corresponding to the group identity gid and the given role role to the party. The protocol is a 3-round interactive communication algorithm executed by arbitrary two communication parties. In what follows, we denote by the concatenation of two strings and by A, B two communication parties. ini and res are predefined constant values, representing initiator and responder, respectively. The protocol works as below. Round 1. A B: R A 1.1) Choose a random k-bit value r A 1.2) Compute R A = r A P 1.3) Send R A to B Round 2. B A: R B, resp B 2.1) Choose a random k-bit value r B 621

4 Efficient Unlinkable Secret Handshakes for Anonymous Communications 2.2) Compute R B = r BP, K B = e(r A, S B)^{r B}, and resp B = H 1(K B R A R B res) 2.3) Send R B, resp B to A Round 3. A B: resp A 3.1) Compute K A = e(r B, S A)^{r A} and verify if resp B = H 1(K A R A R B res) 3.2) If it holds, compute resp A = H 1 (K A R A R B ini) 3.3) Send resp A to B 3.4) Upon receiving resp A, B verifies it using its own key K B, in the exactly same way as A. Note that if A and B are in the same group with the same role, i.e. S A = s A H 0(gid A role A) = s B H 0(gid B role B) = S B, they will successfully authenticate their respective memberships, due to the fact that K A = e(r B, S A )^{r A } = e(p, S A )^{r A r B } = e(p, S B )^{r A r B } = e(r A, S B )^{r B } = K B. After the verifications succeeds, A and B can compute the shared key for future communication as SK A = H 2(K A R A R B resp A resp B) and SK B = H 2(K B R A R B resp A resp B), respectively. 3.2 Security We now discuss the security of our constuction, where unlinkability (UL) is examined in detail. Below our scheme is denoted by SH-RYH. Recall the BDH assumption is that it is computationally intractable to compute e(p, P')^{abc}, given (P, ap, bp G, P', cp' G' ) where a, b and c are random numbers in Z q. The security of the SH-RYH scheme relies on the BDH assumption. Theorem 1. The SH-RYH described above is an unlinkable secret handshake scheme under the BDH assumption. Proof. The property of unlinkability requires that it should be computationally hard for an adversary to link transmitted messages by the same party. Given a pair of transmitted messages, R A, R B, resp A, resp B and R A' R B' resp A', resp B' for secret handshake, the only way for an adversary to distinguish the messages by the same or different parties is to compute a type of shared secrets K A = e(r B, S A)^{r A} and K A' = e(r B', S A)^{r A'}. Suppose that there exists such an adversary E who breaks the unlinkability of the scheme. We then show a 622

5 보안공학연구논문지 (Journal of Security Engineering), 제 7권 제 6호 2010년 12월 simulator S that uses E to solve the BDH problem. Let {P, P', u 1 = ap, u 2 = bp, u 3 = cp'} be an instance of the BDH problem. The challenge of the simulator S is to compute e(p, P')^{abc}, as described above. The S first sets the pair of keys for the group authority as {pk = vp, s = v}, where v is a random value in Z q. Then, S gives {R A = u 1, R B = u 2, resp A = t 1, resp B = t 2} to E as a challenge, where t 1, t 2 are k-length random values. Note that this challenge defines H 0(gid A role A) = w u 3, where w is a random value in Z q. That is, t 1 = H 1 (K A u 1 u 2 ini), where K A = e(u 2, vwu 3 )^{a} = e(bp, vwcp')^{a} = e(p, P')^{abcvw}. If E replies e(p, P')^{abcvw} as the answer to its own challenge, S is able to recover e(p, P')^{abc} by raising it to the power of (v w)^{-1}. The security properties, which are required for the secret handshake scheme to be used in practice, also include impersonation resistance (IR) and detection resistance (DR). The proof of such properties for our scheme can be similarly done to that given for above Theorem 1. We omitted here. 4. Efficiency and Other Attributes We now compare our construction with some previous ones, which are built on bilinear pairings, in terms of computation and communication cost with other attributes in Table 1. For each scheme we show the computational cost per party, the size of all exchanged messages, the underlying assumptions and the security properties achieved. We denote by "pm" a point multiplication over an elliptic curve, by "pr" a pairing and by "exp" an exponentiation. [Table 1] Secret handshaking scheme comparisons Schemes Computation Message Assumptions Security Properties SH-ABK [2] 2pm + 2pr + 1exp BDH, SXDH UL, IR, DR SH-HC [6] 1pm + 1pr + 1exp broken SH-RYH 1pm + 1pr + 1exp BDH UL, IR, DR The message size is in bits. BDH and SXDH stand for the Bilinear Diffie-Hellman and the Symmetric External Diffie-Hellman assumptions, respectively. The computational cost is much cheaper in SH-HC and SH-RYH than in SH-ABK. Also, the size of all messages in SH-HC and SH-RYH is shorter than in SH-ABK. Both SH-ABK and SH-RYH support the all fundamental security properties, but the SH-HC scheme is broken, as described in [9]. For the underlying security assumption, the SH-RYH scheme requires only the BDH, while the SH-ABK scheme does an additional assumption, the SXDH. 623

6 Efficient Unlinkable Secret Handshakes for Anonymous Communications 5. The Support for Multiple Groups The scheme we presented earlier supports only for a single group. Here we show how the scheme can be applied to implement the more general case at the almost same cost, where each party is a member of multiple groups. Suppose two communication parties A and B are members of n groups with specific roles, where we assume each party is associated with n secrets S 1,..., S n corresponding one to each group. The party A wants to communicate only the party B, who is a member in the same multiple-groups with the same roles as A, in an anonymous and unlinkable manner. We obtain an extension with multiple groups by changing the SH-RYH scheme as below. Round 2. B A: R B, resp' B 2.1) Choose a random k-bit value r B 2.2) Compute R B = r BP, K' B = ^{r B}, and resp' B = H 1(K' B R A R B res) 2.3) Send R B, resp' B to A Round 3. A B: resp' A 3.1) Compute K' A = ^{r A} and verify if resp' B = H 1(K' A R A R B res) 3.2) Compute resp' A = H 1(K' A R A R B ini) if it holds 3.3) Send resp' A to B 3.4) Upon receiving resp' A, B verifies resp' A using its own key K' B, as before. Note that if A and B match on both group and role for all groups, it means for all 1 i n. This allows the two parties, A and B, to successfully identify their respective memberships in multiple groups. It is not difficult to see that this extended scheme satisfies the unlinkability property assuming the hardness of the underlying BDH problem. More specifically, an adversary, not possessing the corresponding group secret keys for the member with the specific roles in multiple groups, is not feasible to distinguish whether two executions of the protocol were performed by the same party or not, due to the exactly same reason as that in a single group. That is, in order to break the property of unlinkability for the scheme, the adversary is again 624

7 보안공학연구논문지 (Journal of Security Engineering), 제 7권 제 6호 2010년 12월 faced with the BDH problem. The security proof can be done in a similar way as before. 6. Concluding Remarks We have described two new schemes for secret handshake which allow arbitrary two communication parties in either a single group or multiple groups to authenticate each other in an anonymous and unlinkable manner. Our schemes have crucial advantages. They preserve all the required security properties, including unlinkability, impersonation resistance and the property of detection resistance. Furthermore, compared to previous works, they have much better performance in terms of both computation and computational cost. We believe that our schemes would provide a new building block for the construction of secure and anonymous communication services over untrusted networks. Acknowledgment This research was supported by the Research Project of Kumi College in 2008 and by the Brain Korea 21 Project in References [1] D. Balfanz, G. Durfee, N. Shankar, D. Smetters, J. Staddon, and H. Wong, "Secret Handshakes from Pairing-based Key Agreements," In Proc. IEEE Symposium on Security and Privacy, pp , [2] G. Ateniese, M. Blanton, and J. Kirschm, "Secret Handshakes with Dynamic and Fuzzy Matching," In Proc. Network and Distributed System Security Symposuim (NDSS2007), pp , [3] C. Castelluccia, S. Jarecki, and G. Tsudik, "Secret Handshakes from CA-Oblivious Encryption," In Proc. Advances in Cryptlogy (ASIACRYPT'04)}, LNCS 3329, pp , [4] S. Jarecki and X. Liu, "Unlinkable Secret Handshakes and Key-Private Group Key management Schemes," In Proc. Applied Cryptography and Network Security (ACNS'07), LNCS 4521, pp , [5] S. Jarecki, J. Kim, and G. Tsudik, "Beyond Secret Handshakes: Affiliation-Hiding Authenticated Key Exchange," In Proc. Topics in Cryptology (CT-RSA2008)}, LNCS 4964, pp , [6] H. Huang and Z. Cao, "A Novel and Efficient Unlinkable Secret Handshakes Scheme," IEEE Commun. Lett., vol. 13 (5), pp , [7] D. Boneh and M. Franklin, "Identity-Based Encryption from the Weil Pairing," In Proc. Advances Cryptology (CRYPTO2001), LNCS 2139, pp , [8] D. Page, N. Smart, and F. Vercauteren, "Comparison of MNT Curves and Supersingular Curves," Applicable Algebra in Engineering, Communication and Computing, Vol. 17(5), pp ,

8 Efficient Unlinkable Secret Handshakes for Anonymous Communications [9] R. Su, "On the Security of a Novel and Efficient Unlinkable Secret Handshakes Scheme," IEEE Commun. Lett., vol. 13(9), pp , Authors Eun-Kyung Ryu She received the Ph.D. degree in Computer Engineering from Kyungpook National University (KNU) in She worked as a visiting professor in the Depart. of Mobile Content, Daegu Haany University in In 2007, she worked as a research fellow at School of Systems Information Science, Future University Hakodate, Japan. From 2008 to 2009 she worked as a visiting professor at School of Electrical Engineering and Computer Science (EECS) in KNU. She is currently a post-doc research fellow at KNU EECS. Research Interests: Applied Cryptography, Security Protocols, and Network Security Kee-Young Yoo He received the B.Sc. degree in Education of Mathematics from Kyungpook National University in 1976 and the M.Sc. degree in Computer Engineering from Korea Advanced Institute of Science and Technology in 1978, South Korea. He received the Ph.D. degree in Computer Science from Rensselaer Polytechnic Institute, New York, USA in He is currently a professor at School of Computer Science and Engineering, Kyungpook National University. Research Interests: Cryptography, Smart Card Security, Network security, DRM Security, and Steganography Keum-Sook Ha She received the B.S. degree in Electronics Engineering at Kyungpook National University in 1983 and M.S. and Ph.D. degrees in Computer Engineering at Kyungpook National University in 1990 and 2003, respectively. She had been a researcher at KIPS corporation and worked as a research assistant at the Department of Electronics Engineering, Kyungpook National University. Currently, she is an associate professor in the Division of Computer Information and Electronics, Kumi College. Research interests: Parallel Processing and Information Security 626