Certified Pseudonym Colligated with Master Secret Key
Vijay Pasupathinathan, Macquarie University, Sydney.
joint work with
Josef Pieprzyk, Macquarie University, Sydney.
and Huaxiong Wang, NTU, Singapore.
Outline
๏ Introduction
๏ Why a new system?
๏ Contribution
๏ How to achieve?
๏ Anonymous Certification systems
๏ Proposed Protocol
๏ Assumptions
๏ Protocol settings
๏ Security
๏ Applications, Advantages and open problem
What is a Pseudonym?
A mechanism to hide a user’s identity by providing anonymity,
while still being suitable to authenticate the holder of the
pseudonym in a communication system. (Chaum, 1985).
How are they achieved?
๏ Chaum and Evertse (1986) developed a pseudonym
system and proposed an RSA based implementation
while relying on a trusted centre who must sign all
credentials.
๏ Chen (1995) extended the scheme and presented its
discrete-logarithm version that relies on a trusted centre.

๏ However, these schemes have a common
weakness. Although the identity of the user is
hidden, the credentials (such as certificates of
his/her public key) or pseudonyms can be
easily shared (unauthorised transfer) with other
users.
How are they achieved? part 2
๏ Based on the security of preserving a high-value (master) secret key,
Canetti et al. (2000) and Lysyanskaya et al. (1999)
independently proposed non-transferable pseudonym systems.
๏ Security is also based on the idea that “to force a user to reveal
the master secret key if they choose to share their credentials”.
๏ The problem is during the registration phase, users are required
to disclose their true identity (master public key) to a CA.
๏ Makes them prone to collusion between a CA and a Verifier.
What do we want!
๏ Pseudonym system based on a single trusted master
secret-public key pair.
๏ Pseudonyms should be independent of the master
public key. (Anonymity)
๏ Ability to generate multiple pseudonyms easily from a
single trusted secret-key. (Colligation)
๏ Verifiable using certificates that were issued against
pseudonyms.
Desired System
[Diagram: the user holds a trusted master key pair SK0/PK0; from SK0 the user derives Pseudonym 1, Pseudonym 2, ..., Pseudonym i, ..., Pseudonym n with public keys PK1, PK2, ..., PKi, ..., PKn; the certifier issues Cert<PK1>, Cert<PK2>, ..., Cert<PKn> against the pseudonyms.]
Desired System
[Diagram: the user holds the trusted SK0/PK0 and Pseudonym 1 with public key PK1, certified by the certifier as Cert<PK1>; the user produces SK0{M}, a message signed with the master secret key, and the verifier checks it using PK1 and Cert<PK1>, without learning PK0.]
Think as group signatures looking through a mirror!
Proposed Protocol
๏ Make use of an ACS (to certify pseudonyms)
๏ Make use of squaring (to provide colligation)
๏ There exists an underlying link between all pseudonyms
and the root secret key.
Anonymous Certification System
๏ Anonymous certification system (ACS) represents the
certification process of a public key by a certifier who
does not know the public key.
๏ This could essentially be a blind signature on the public
key of the user.
๏ That is, it provides anonymity to the receiver.
๏ Whereas, group signature schemes as employed by
provide anonymity to the source.
Anonymous Certification System
๏ Consists of four (4) entities: a user, a verifier, a certifier and a
trustee (tracer).
๏ The protocol suite includes:
๏ a certification protocol, where a user interacts with the certifier to
obtain a certified pseudonym, i.e., the pseudonym is blindly
signed;
๏ an identification protocol, where the verifier interacts with the user to
authenticate the user's credential and provide services;
๏ a trace protocol, where the trustee participates and is invoked to
trace the real identity associated with the user's pseudonym.
Security Assumptions
๏ Factoring: The probability that any probabilistic
polynomial-time algorithm can factor a composite
formed from two primes is negligible.
๏ Square Root: the probability that a probabilistic
polynomial-time algorithm can output b such that $b^2 \equiv a \bmod N$,
where $a \in QR_N$, is negligible.
๏ Square Decisional Diffie-Hellman (SDDH): Distinguish between
distributions of the form $(g, g^a, g^{a^2})$ and $(g, g^a, g^r)$,
where r is random and uniformly chosen. We assume
that there is no probabilistic polynomial-time algorithm
that can solve a random instance of the SDDH problem.
Identity Generation
The U master public-secret key-pair is generated as in Section 2.1.1. U then obtains a certificate on the master public key $PK_{U_0}$ from a certification authority C, which represents the U's true identity. The public key of the certification authority is $PK_C = g^{SK_C}$ and that of the trustee is $PK_T = g^{SK_T}$, where $SK_C$ and $SK_T$ are the corresponding secret keys of the certification authority and the trustee respectively.
3.2 Identity Generation
U generates new identities using the following key generation process, which takes the inputs:
๏ $N_j$, g,
๏ a counter value i (indicating the total number of new identities being generated),
๏ identity level l (number of identities generated previously),
๏ and the master secret key $SK_{U_0}$.
I-Generation(g, i, l, $SK_{U_0}$)
For j = l, ..., i do $PK_{U_j} = g^{SK_{U_0}^{2^j}} \bmod N_j$ EndFor
Return($PK_{U_l}$, ..., $PK_{U_j}$)
During the first run the value of identity level l
Certification
๏ A modified Certification scheme based on the blind signature scheme by (Pointcheval, 2000).
๏ The signature scheme now includes the master public key of the user, which is used by the certifier to form the commitment and is later verified by the user.
The master public key is certified by the manufacturer, and the following describes the certification of the pseudonyms. The user, U, generates pseudonyms of the form $(PK_{U_1}, \ldots, PK_{U_l})$ using the identity generation process described in Section 3.2. The user then identifies himself/herself (using the master public key) to the certifier and engages in a certify protocol to obtain a certificate on a pseudonym $PK_{U_i}$. The value of $PK_{U_i}$ is never revealed to the certifier. We shall express this phase as
$(PK_{U_i}, CERT_C\langle PK_{U_i}\rangle) \leftarrow Certify(U, C, CERT_C\langle PK_{U_0}\rangle)$
i.e. “U engages in the certify protocol with C using $CERT_C\langle PK_{U_0}\rangle$ to obtain a certificate on $PK_{U_i}$, i.e. $CERT_C\langle PK_{U_i}\rangle$”.
Certain applications (e.g. TPM) require the new identities to be protected even from the certifier. So, we propose a modification to the certification scheme based on a blind signature scheme using a composite modulus by Pointcheval (Pointcheval, 2000). The blind signature scheme now includes the master public key of the user, which is used by the certifier to form the commitment and is later verified by the user.
Figure 1: Modified Blind Certification Protocol of (Pointcheval, 2000), between User and Certifier. Steps recoverable from the slide: the certifier picks $r \in_R Z_{N_0}$ and sends the commitment x; the user picks $\beta, \gamma, s \in_R Z_{N_0}$, computes $(X, Y) = EncElg_{PK_T}(PK_{U_0}, s)$, blinds the commitment into α, computes $\delta = H(PK_{U_i} \| (X, Y) \| \alpha)$ and $e = \delta - \gamma$, and sends e; the certifier answers $y = r - e \cdot SK_C$; the user unblinds y to obtain ρ. The signature on $PK_{U_i}$ is $(\alpha, \delta, \rho)$ and a receiver can verify it using the relation $\alpha = g^{\rho} PK_C^{\delta}$.
Identification Protocol
๏ Based on Pointcheval's optimised identification scheme (Pointcheval, 2000).
๏ Now also includes a DLEQ (discrete-log equality) proof linking X and Y to the bases g and $PK_T$.
2.1.3 Protocol Identify
A user U who wishes to avail services offered by a verifier V engages in an identification protocol to convince V that he/she possesses the necessary credentials. We shall express this phase as
$\langle PROOF_{U_i}\rangle \leftarrow Identify(U, V, PK_{U_i}, CERT_C\langle PK_{U_i}\rangle)$
i.e. “U engages in an identification protocol with a verifier V using the pseudonym $PK_{U_i}$ and $CERT_C\langle PK_{U_i}\rangle$, which contains the encryption of the identity under the public key $PK_T$”.
Figure 2: Identification Protocol
User: $k, w \in_R Z_{N_i}$; $a_1 = g^{w}$; $a_2 = (PK_T \cdot PK_{U_0})^{w}$; $h = H(g^{2k})$
User → Verifier: $h, (a_1, a_2), (X, Y)$
Verifier: $c_1 \in_R Z_{N_i}$; $c_2 = H(X, Y, a_1, a_2)$
Verifier → User: $c_1, c_2$
User: $z_1 = 2k - c_1 \cdot SK_{U_0}^{2^i}$; $z_2 = w - s \cdot c_2$
User → Verifier: $z_1, z_2, CERT_C\langle PK_{U_i}\rangle$
Verifier: Verify $CERT_C\langle PK_{U_i}\rangle$ and obtain $(\alpha, \delta)$; $\delta' = H(PK_{U_i} \| (X, Y) \| \alpha)$, $\delta' \stackrel{?}{=} \delta$; $a_1 \stackrel{?}{=} g^{z_2} X^{c_2}$; $a_2 \stackrel{?}{=} PK_T^{z_2} Y^{c_2}$; $h \stackrel{?}{=} H(g^{z_1} PK_{U_i}^{c_1})$
Tracing Protocol
๏ Invoked by a verifier after a user has misused a pseudonym.
๏ Verifier provides proof of a user's participation.
๏ Trustee can reveal a user's master public key.
2.1.4 Protocol Trace
The tracing protocol runs between the verifier V and the trustee T. To trigger the protocol V has to provide proof of protocol participation by U. A verifier who needs to trace the identity of the user contacts the trustee T by providing the transcript from an identification protocol $\langle PROOF_{U_i}\rangle$. We shall express this phase as
$(PK_{U_0}) \leftarrow Trace(V, T, PK_{U_i}, CERT_C\langle PK_{U_i}\rangle, \langle PROOF_{U_i}\rangle)$
Figure 3: Tracing Protocol
Verifier: $\sigma = SIGN_V\langle c, z, h\rangle$
Verifier → Trustee: $\sigma, \alpha, \delta, \rho, PK_{U_i}, PK_C, CERT_C\langle PK_{U_i}\rangle$
Trustee: $VERIFY_{PK_V}\langle\sigma\rangle$; $h \stackrel{?}{=} H(g^{z} PK_{U_i}^{c})$; $\alpha \stackrel{?}{=} g^{\rho} PK_C^{\delta}$; Verify $CERT_C\langle PK_{U_i}\rangle$; Obtain $(X, Y)$ from $\langle PROOF_{U_i}\rangle$; $PK_{U_0} = DecElg_{SK_T}(X, Y)$
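A toy Python model of the three steps just described: identity generation by repeated squaring, the h / c_1 / z_1 part of the identification protocol, and the trustee's ElGamal trace. This is an added example, not the authors' code; it assumes a single shared modulus N (the slides write N_j per level), that SK_0 is squared modulo N at each level, SHA-256 as H, and toy-sized primes.

```python
"""Toy model of the colligated-pseudonym scheme described in the slides.

Added example, not the authors' code.  Assumptions made here:
  * one composite modulus N = p*q is shared by all identity levels
    (the slides write N_j per level);
  * the master secret SK_0 is squared modulo N at each level, i.e.
    SK_i = SK_0^(2^i) mod N and PK_i = g^SK_i mod N;
  * H is SHA-256 over a decimal encoding of its inputs.
Blind certification and the (a1, a2) DLEQ part are not modelled.
"""
import hashlib
import secrets

# Constructed toy parameters; a real deployment needs a strong composite
# (the slides suggest 4096 bits).  gcd(4, N) = 1, so 4 is invertible.
P, Q = 1000003, 1000033
N = P * Q
G = 4


def h_int(*parts: int) -> int:
    """H(.): hash the inputs to an integer."""
    data = "|".join(str(x) for x in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def level_secret(sk0: int, i: int, n: int = N) -> int:
    """SK_i = SK_0^(2^i) mod N: recomputed from SK_0 and the counter i."""
    return pow(sk0, 2 ** i, n)


def i_generation(g: int, i: int, l: int, sk0: int, n: int = N) -> dict:
    """I-Generation(g, i, l, SK_0): PK_j = g^(SK_0^(2^j)) mod N for j = l..i.

    Colligation: no per-pseudonym secret is stored, only the level j.
    """
    return {j: pow(g, level_secret(sk0, j, n), n) for j in range(l, i + 1)}


def prove_commit(g: int, n: int = N):
    """User, round 1: k <-R Z_N, h = H(g^(2k))."""
    k = secrets.randbelow(n)
    return k, h_int(pow(g, 2 * k, n))


def prove_respond(k: int, c1: int, sk_i: int) -> int:
    """User, round 3: z_1 = 2k - c_1 * SK_i, computed over the integers."""
    return 2 * k - c1 * sk_i


def verify_identification(g: int, pk_i: int, h: int, c1: int, z1: int,
                          n: int = N) -> bool:
    """Verifier: h == H(g^z_1 * PK_i^c_1).  pow() with a negative
    exponent uses the modular inverse of g, so z_1 < 0 is fine."""
    return h == h_int(pow(g, z1, n) * pow(pk_i, c1, n) % n)


def run_identification(sk0: int, i: int, g: int = G, n: int = N) -> bool:
    """Honest run of the h / c_1 / z_1 part of Figure 2 for level i."""
    pk_i = i_generation(g, i, i, sk0, n)[i]
    k, h = prove_commit(g, n)
    c1 = secrets.randbelow(n)               # verifier's challenge
    z1 = prove_respond(k, c1, level_secret(sk0, i, n))
    return verify_identification(g, pk_i, h, c1, z1, n)


def enc_elg(pk_t: int, pk0: int, s: int, g: int = G, n: int = N):
    """(X, Y) = EncElg_{PK_T}(PK_0, s): escrow of the master identity."""
    return pow(g, s, n), pk0 * pow(pk_t, s, n) % n


def dec_elg(sk_t: int, x: int, y: int, n: int = N) -> int:
    """Trustee's trace step: PK_0 = DecElg_{SK_T}(X, Y) = Y * X^(-SK_T)."""
    return y * pow(x, -sk_t, n) % n


if __name__ == "__main__":
    sk0, sk_t = secrets.randbelow(N), secrets.randbelow(N)
    print("PK_1..PK_3:", i_generation(G, 3, 1, sk0))
    print("honest prover at level 2 accepted:", run_identification(sk0, 2))
    x, y = enc_elg(pow(G, sk_t, N), pow(G, sk0, N), secrets.randbelow(N))
    print("trustee recovers PK_0:", dec_elg(sk_t, x, y) == pow(G, sk0, N))
```

A tampered response (z_1 + 1) fails the check because g^(2k+1) differs from g^(2k) modulo N, while the trustee recovers PK_0 from (X, Y) without any help from the user.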
i.e. “V engages in the tracing protocol with T using the values $PK_{U_i}$, $CERT_C\langle PK_{U_i}\rangle$ and the proof of identity use $\langle PROOF_{U_i}\rangle$ to obtain the master identity $PK_{U_0}$”.
4 SECURITY
4.1 Adversary Goals
We assume an active adversary A, who is capable of eavesdropping and injecting messages in the communication medium. We also assume that an adversary may also be a legitimate (but dishonest) participant in a protocol, i.e. either the certifier or the verifier or both may be dishonest.
As in (Damgard, 1988; Lysyanskaya et al., 1999),
Security
๏ The proposal is secure against the following goals (as identified by Damgard,
1988; Lysyanskaya et al., 1999):
๏ Pseudonym forgery: an adversary tries to forge a
pseudonym for some user.
๏ Identity compromise: an adversary, in association with
other participants, tries to obtain information regarding the
user's master public-secret key-pair.
๏ Pseudonym linking and colligation: an adversary tries to
obtain information that links a pair of pseudonyms to the
same user or to a user's master public key.
Application to TPM
๏ We are considering a TPM setting because of the tamper-resistant
protection offered to the master secret key, but the protocols
can be applied to other structures like directory-based services
(e.g. Active Directory, LDAP).
๏ The endorsement key (EK) in a TPM will be of the form (PK0, SK0).
๏ A user who wishes to obtain services from an application software on a
machine generates a pseudonym of the form (PKi, SKi).
๏ At the end of the protocol run the application software is provided a
guarantee on the identity of the user and the associated TPM, but the
system still protects the identity of both the TPM and the user
associated with it.
Advantages
๏ Compared to other pseudonym schemes, our scheme
has an efficient identification protocol.
๏ Computations may be performed on the module itself,
whereas the DAA scheme requires computation to be
distributed between the TPM and the host computer.
๏ There is no new secret key to be generated for each
pseudonym, only a counter value per pseudonym.
๏ No appreciable increase in storage requirement, even
when the number of pseudonyms required is high.
๏ Ideally suited for storage-constrained devices.
What’s Missing? Future Work?
๏ Needs a strong composite modulus (maybe 4096 bits).
๏ A prime modulus is ruled out, as SDDH is trivial there.
๏ Every generated pseudonym needs to fall within the same
group as the master secret key.
๏ Identity Transfer
๏ Pseudonym chains cannot be formed. (NOT YET!)
๏ That is, using PK1 to generate new pseudonyms that are still
verifiable using SK0.
Thank You
vijay@cprotocol.com

Weitere ähnliche Inhalte

Was ist angesagt?

Tutorial s crypto api session keys
Tutorial   s crypto api session keysTutorial   s crypto api session keys
Tutorial s crypto api session keys
Dr. Edwin Hernandez
 
The art of reverse engineering flash exploits
The art of reverse engineering flash exploitsThe art of reverse engineering flash exploits
The art of reverse engineering flash exploits
Priyanka Aash
 
Qt Memory Management & Signal and Slots
Qt Memory Management & Signal and SlotsQt Memory Management & Signal and Slots
Qt Memory Management & Signal and Slots
Jussi Pohjolainen
 
Java весна 2013 лекция 2
Java весна 2013 лекция 2Java весна 2013 лекция 2
Java весна 2013 лекция 2
Technopark
 

Was ist angesagt? (20)

Tutorial s crypto api session keys
Tutorial   s crypto api session keysTutorial   s crypto api session keys
Tutorial s crypto api session keys
 
Eric Lafortune - ProGuard: Optimizer and obfuscator in the Android SDK
Eric Lafortune - ProGuard: Optimizer and obfuscator in the Android SDKEric Lafortune - ProGuard: Optimizer and obfuscator in the Android SDK
Eric Lafortune - ProGuard: Optimizer and obfuscator in the Android SDK
 
Writing Good Tests
Writing Good TestsWriting Good Tests
Writing Good Tests
 
Writing SOLID C++ [gbgcpp meetup @ Zenseact]
Writing SOLID C++ [gbgcpp meetup @ Zenseact]Writing SOLID C++ [gbgcpp meetup @ Zenseact]
Writing SOLID C++ [gbgcpp meetup @ Zenseact]
 
How Data Flow analysis works in a static code analyzer
How Data Flow analysis works in a static code analyzerHow Data Flow analysis works in a static code analyzer
How Data Flow analysis works in a static code analyzer
 
cs8project
cs8projectcs8project
cs8project
 
Eric Lafortune - ProGuard and DexGuard for optimization and protection
Eric Lafortune - ProGuard and DexGuard for optimization and protectionEric Lafortune - ProGuard and DexGuard for optimization and protection
Eric Lafortune - ProGuard and DexGuard for optimization and protection
 
Technology, Process, and Strategy
Technology, Process, and StrategyTechnology, Process, and Strategy
Technology, Process, and Strategy
 
Inheritance and-polymorphism
Inheritance and-polymorphismInheritance and-polymorphism
Inheritance and-polymorphism
 
Blockchain: Developer Perspective
Blockchain: Developer PerspectiveBlockchain: Developer Perspective
Blockchain: Developer Perspective
 
شرح مقرر البرمجة 2 لغة جافا - الوحدة الرابعة
شرح مقرر البرمجة 2   لغة جافا - الوحدة الرابعةشرح مقرر البرمجة 2   لغة جافا - الوحدة الرابعة
شرح مقرر البرمجة 2 لغة جافا - الوحدة الرابعة
 
Blockchain - a formal introduction
Blockchain - a formal introductionBlockchain - a formal introduction
Blockchain - a formal introduction
 
The art of reverse engineering flash exploits
The art of reverse engineering flash exploitsThe art of reverse engineering flash exploits
The art of reverse engineering flash exploits
 
PHP Benelux 2012: Magic behind the numbers. Software metrics in practice
PHP Benelux 2012: Magic behind the numbers. Software metrics in practice PHP Benelux 2012: Magic behind the numbers. Software metrics in practice
PHP Benelux 2012: Magic behind the numbers. Software metrics in practice
 
A survey on Fully Homomorphic Encryption
A survey on Fully Homomorphic EncryptionA survey on Fully Homomorphic Encryption
A survey on Fully Homomorphic Encryption
 
TypeScript - All you ever wanted to know - Tech Talk by Epic Labs
TypeScript - All you ever wanted to know - Tech Talk by Epic LabsTypeScript - All you ever wanted to know - Tech Talk by Epic Labs
TypeScript - All you ever wanted to know - Tech Talk by Epic Labs
 
Games, AI, and Research - Part 2 Training (FightingICE AI Programming)
Games, AI, and Research - Part 2 Training (FightingICE AI Programming)Games, AI, and Research - Part 2 Training (FightingICE AI Programming)
Games, AI, and Research - Part 2 Training (FightingICE AI Programming)
 
Tools and Techniques for Understanding Threading Behavior in Android
Tools and Techniques for Understanding Threading Behavior in AndroidTools and Techniques for Understanding Threading Behavior in Android
Tools and Techniques for Understanding Threading Behavior in Android
 
Qt Memory Management & Signal and Slots
Qt Memory Management & Signal and SlotsQt Memory Management & Signal and Slots
Qt Memory Management & Signal and Slots
 
Java весна 2013 лекция 2
Java весна 2013 лекция 2Java весна 2013 лекция 2
Java весна 2013 лекция 2
 

Ähnlich wie Certified Pseudonym Colligated with Master Secret Key

Decentralized access control with anonymous authentication of data stored in ...
Decentralized access control with anonymous authentication of data stored in ...Decentralized access control with anonymous authentication of data stored in ...
Decentralized access control with anonymous authentication of data stored in ...
Vasanth Mca
 

Ähnlich wie Certified Pseudonym Colligated with Master Secret Key (20)

Issue certificates with PyOpenSSL
Issue certificates with PyOpenSSLIssue certificates with PyOpenSSL
Issue certificates with PyOpenSSL
 
Guillou-quisquater protocol for user authentication based on zero knowledge p...
Guillou-quisquater protocol for user authentication based on zero knowledge p...Guillou-quisquater protocol for user authentication based on zero knowledge p...
Guillou-quisquater protocol for user authentication based on zero knowledge p...
 
AN EFFICIENT PROXY SIGNCRYPTION SCHEME BASED ON THE DISCRETE LOGARITHM PROBLEM
AN EFFICIENT PROXY SIGNCRYPTION SCHEME BASED ON THE DISCRETE LOGARITHM PROBLEMAN EFFICIENT PROXY SIGNCRYPTION SCHEME BASED ON THE DISCRETE LOGARITHM PROBLEM
AN EFFICIENT PROXY SIGNCRYPTION SCHEME BASED ON THE DISCRETE LOGARITHM PROBLEM
 
SSL Failing, Sharing, and Scheduling
SSL Failing, Sharing, and SchedulingSSL Failing, Sharing, and Scheduling
SSL Failing, Sharing, and Scheduling
 
Analysis and improvement of pairing free certificate-less two-party authentic...
Analysis and improvement of pairing free certificate-less two-party authentic...Analysis and improvement of pairing free certificate-less two-party authentic...
Analysis and improvement of pairing free certificate-less two-party authentic...
 
SSL/TLS for Mortals (JavaZone)
SSL/TLS for Mortals (JavaZone)SSL/TLS for Mortals (JavaZone)
SSL/TLS for Mortals (JavaZone)
 
A New Pairing Free ID Based Certificate Less Digital Signature (CL-DS) Scheme...
A New Pairing Free ID Based Certificate Less Digital Signature (CL-DS) Scheme...A New Pairing Free ID Based Certificate Less Digital Signature (CL-DS) Scheme...
A New Pairing Free ID Based Certificate Less Digital Signature (CL-DS) Scheme...
 
Cryptanalysis on Privacy-aware Two-factor Authentication Protocol for Wireles...
Cryptanalysis on Privacy-aware Two-factor Authentication Protocol for Wireles...Cryptanalysis on Privacy-aware Two-factor Authentication Protocol for Wireles...
Cryptanalysis on Privacy-aware Two-factor Authentication Protocol for Wireles...
 
IRJET- Secure Kerberos System in Distributed Environment
IRJET- Secure Kerberos System in Distributed EnvironmentIRJET- Secure Kerberos System in Distributed Environment
IRJET- Secure Kerberos System in Distributed Environment
 
SSL/TLS for Mortals (GOTO Berlin)
SSL/TLS for Mortals (GOTO Berlin)SSL/TLS for Mortals (GOTO Berlin)
SSL/TLS for Mortals (GOTO Berlin)
 
A secure framework for authentication and encryption using improved ECC for I...
A secure framework for authentication and encryption using improved ECC for I...A secure framework for authentication and encryption using improved ECC for I...
A secure framework for authentication and encryption using improved ECC for I...
 
Verifiable secure computation of linear fractional programming using certific...
Verifiable secure computation of linear fractional programming using certific...Verifiable secure computation of linear fractional programming using certific...
Verifiable secure computation of linear fractional programming using certific...
 
Open SSL and MS Crypto API EKON21
Open SSL and MS Crypto API EKON21Open SSL and MS Crypto API EKON21
Open SSL and MS Crypto API EKON21
 
38
3838
38
 
Decentralized access control with anonymous authentication of data stored in ...
Decentralized access control with anonymous authentication of data stored in ...Decentralized access control with anonymous authentication of data stored in ...
Decentralized access control with anonymous authentication of data stored in ...
 
One to many (new scheme for symmetric cryptography)
One to many (new scheme for symmetric cryptography)One to many (new scheme for symmetric cryptography)
One to many (new scheme for symmetric cryptography)
 
Decentralized access control with anonymous authentication of data stored in ...
Decentralized access control with anonymous authentication of data stored in ...Decentralized access control with anonymous authentication of data stored in ...
Decentralized access control with anonymous authentication of data stored in ...
 
SSL/TLS for Mortals (J-Fall)
SSL/TLS for Mortals (J-Fall)SSL/TLS for Mortals (J-Fall)
SSL/TLS for Mortals (J-Fall)
 
Certificate less key management scheme in
Certificate less key management scheme inCertificate less key management scheme in
Certificate less key management scheme in
 
CERTIFICATE LESS KEY MANAGEMENT SCHEME IN MANET USING THRESHOLD CRYPTOGRAPHY
CERTIFICATE LESS KEY MANAGEMENT SCHEME IN MANET USING THRESHOLD CRYPTOGRAPHYCERTIFICATE LESS KEY MANAGEMENT SCHEME IN MANET USING THRESHOLD CRYPTOGRAPHY
CERTIFICATE LESS KEY MANAGEMENT SCHEME IN MANET USING THRESHOLD CRYPTOGRAPHY
 

Kürzlich hochgeladen

Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 

Kürzlich hochgeladen (20)

Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 

Certified Pseudonym Colligated with Master Secret Key

  • 1. Certified Pseudonym Colligated with Master Secret Key ! Vijay Pasupathinathan Macquarie University, Sydney. joint work with Josef Pieprzyk, Macquarie University, Sydney. and, Huaxiong Wang, NTU, Singapore.
  • 2. Outline ๏ Introduction ๏ Why a new system? ๏ Contribution ๏ How to achieve? ๏ Anonymous Certification systems ๏ Proposed Protocol ๏ Assumptions ๏ Protocol settings ๏ Security ๏ Applications, Advantages and open problem
  • 3. What is a Pseudonym? ! ! A mechanism to hide a user’s identity by providing anonymity, while being still suitable to authenticate the holder of the pseudonym in a communication system. (Chaum, 1985).
  • 4. How are they achieved? ๏ Chaum and Evertse (1986) developed a pseudonym system and proposed an RSA based implementation while relying on a trusted centre who must sign all credentials. ๏ Chen (1995) extended the scheme and presented its discrete-logarithm version that relies on a trusted centre. ๏ However, these schemes have a common weakness. Although the identity of the user is hidden, the credentials (such as certificates of his/her public key) or pseudonyms can be easily shared (unauthorised transfer) with other users.
  • 5. How are they achieved? part 2 ๏ Based on security of preserving a high-value (master) secret key, Canettie et al. (2000) and Lysayanskaya et al.(1999) independently proposed non-transferable pseudonym systems. ๏ Security is also based on the idea that “to force a user to reveal the master secret key if they choose to share their credentials”. ๏ The problem is during the registration phase, users are required to disclose their true identity (master public key) to a CA. ๏ Makes them prone to collusion between a CA and a Verifier.
  • 6. What do we want! ๏ Pseudonym system based on a single trusted master secret-public key pair. ๏ Pseudonyms should be independent of the master public key. (Anonymity) ๏ Ability to generate multiple pseudonyms easily from a single trusted secret-key. (Colligation) ๏ Verifiable using certificates that were issued against pseudonyms.
  • 7. Desired System Pseudonym 1 Pseudonym 2 User Trusted SK0/PK0 SK0 PK 1 PK 2 . . . Pseudonym i Cert<PK1> PK i . . . Pseudonym n Certifier PK n Cert<PK2> ..... Cert<PKn>
  • 8. Desired System Pseudonym 1 PK 1 Certifier Cert<PK1> User Trusted SK0/PK0 SK0 SK0{M} PK 1 ? Cert<PK1> Verify Message using PK1 Think as group signatures looking through a mirror! Verifier
  • 9. Proposed Protocol ๏ Make use of an ACS (to certify pseudonyms) ๏ Make use of squaring (to provide colligation) ๏ There exits an underlying link between all pseudonyms and the root secret key.
  • 10. Anonymous Certification System ๏ Anonymous certification system (ACS) represents the certification process of a public key by a certifier who does not know the public key. ๏ This could essentially be a blind signature on the public key of the user. ๏ That is, it provides anonymity to the receiver. ๏ Whereas, group signature schemes as employed by provide anonymity to the source.
  • 11. Anonymous Certification System ๏ Consists of four (4) entities: a user, verifier, certifier and a trustee (tracer). ๏ The protocol suites include: ๏ a certification protocol, where an user interacts with the certifier to obtain a certified pseudonym, i.e., the pseudonym is blindly signed. ๏ An identification protocol, where verifier interacts with the user to authenticate the user's credential and provide services. ๏ A trace protocol, where the trustee participates and is invoked to trace the real identity associated with the user's pseudonym.
  • 12. Security Assumptions ๏ Factoring: The probability that any probabilistic polynomial time algorithm, can factor a composite formed from two primes is negligible. ๏ Square Root: the probability that a probabilistic polynomial time algorithm can output b such that b2 ≡ a mod N, where a ∈ QRN, is negligible. ๏ Square Decisional Diffie-Hellmann: Distinguish between distributions of the form (g, ga , ga2) from (g, ga , gr), where r is random and uniformly chosen. We assume that there is no probabilistic polynomial-time algorithm that can solve a random instance of the SDDH problem.
  • 13. Identity Generation ๏ The master public-secret key pair of U is generated as in Section 2.1.1. U then obtains a certificate on the master public key PK_U0 from a certification authority C; this certificate represents U's true identity. ๏ The public key of the certification authority is PK_C = g^SK_C and that of the trustee is PK_T = g^SK_T, where SK_C and SK_T are the corresponding secret keys. ๏ U generates new identities using the following key generation process, which takes as inputs N_j, g, a counter value i (indicating the total number of new identities being generated), the identity level l (number of identities generated previously) and the master secret key SK_U0. ๏ I-Generation(g, i, l, SK_U0): For j = l, ..., i do PK_Uj = g^(SK_U0^(2^j)) mod N_j EndFor; Return (PK_Ul, ..., PK_Uj). ๏ During the first run the value of identity level l
  • 14. Certification Protocol ๏ A modified certification scheme based on the blind signature scheme with a composite modulus of Pointcheval (2000). ๏ The master public key is certified by the manufacturer; the following describes the certification of the pseudonyms. ๏ Certain applications (e.g. TPM) require the new identities to be protected even from the certifier, so the value of PK_Ui is never revealed to the certifier. ๏ The blind signature scheme now includes the master public key of the user, which is used by the certifier to form the commitment and is later verified by the user. ๏ U generates pseudonyms (PK_U1, ..., PK_Ul) using the identity generation process of Section 3.2, identifies himself/herself to the certifier (using the master public key) and engages in the certify protocol to obtain a certificate on a pseudonym PK_Ui. We express this phase as (PK_Ui, CERT_C⟨PK_Ui⟩) ← Certify(U, C, PK_U0), i.e. "U engages in the certify protocol with C using PK_U0 to obtain a certificate on PK_Ui, CERT_C⟨PK_Ui⟩". ๏ Figure 1 (Modified Blind Certification Protocol, after Pointcheval 2000): the Certifier picks r ∈_R Z_N0 and sends the commitment x = PK_U0^r. The User picks β, γ, s ∈_R Z_N0, computes (X, Y) = EncElg_PKT(PK_U0, s), blinds x with β and γ into α, sets δ = H(PK_Ui ∥ (X, Y) ∥ α) and sends e = δ − γ. The Certifier replies y = r − e·SK_C. The User checks y against the commitment x and unblinds it to ρ. The signature on PK_Ui is (α, δ, ρ), and a receiver verifies it using the relation α = g^ρ · PK_C^δ.
  • 15. Identification Protocol ๏ Based on the optimised identification scheme of Pointcheval (2000). ๏ Now also includes a DLEQ proof that (X, Y) contains the encryption of the identity (the master public key PK_U0) under the trustee's public key PK_T. ๏ A user U who wishes to avail of services offered by a verifier V engages in an identification protocol to convince V that he/she possesses the necessary credentials. We express this phase as ⟨PROOF_Ui⟩ ← Identify(U, V, PK_Ui, CERT_C⟨PK_Ui⟩), i.e. "U engages in an identification protocol with a verifier V using the pseudonym PK_Ui and CERT_C⟨PK_Ui⟩, which contains the encryption of the identity under the public key PK_T". ๏ Figure 2 (Identification Protocol): the User picks k, w ∈_R Z_Ni, computes a1 = g^w, a2 = (PK_T · PK_U0)^w and h = H(g^(2k)), and sends h, (a1, a2), (X, Y). The Verifier picks c1 ∈_R Z_Ni, computes c2 = H(X, Y, a1, a2) and sends c1, c2. The User computes z1 = 2k − c1 · SK_U0^(2^i) and z2 = w − s · c2, and sends z1, z2, CERT_C⟨PK_Ui⟩. The Verifier verifies CERT_C⟨PK_Ui⟩ and obtains (α, δ), then checks δ ≟ H(PK_Ui ∥ (X, Y) ∥ α), a1 ≟ g^z2 · X^c2, a2 ≟ PK_T^z2 · Y^c2 and h ≟ H(g^z1 · PK_Ui^c1).
  • 16. Tracing Protocol ๏ Invoked by a verifier after a user has misused a pseudonym. ๏ The verifier provides proof of the user's participation: the transcript ⟨PROOF_Ui⟩ from an identification protocol. ๏ The trustee can reveal the user's master public key. ๏ The protocol runs between the verifier V and the trustee T. We express this phase as (PK_U0) ← Trace(V, T, PK_Ui, CERT_C⟨PK_Ui⟩, ⟨PROOF_Ui⟩), i.e. "V engages in the tracing protocol with T using the values PK_Ui, CERT_C⟨PK_Ui⟩ and the proof of identity use ⟨PROOF_Ui⟩ to obtain the master identity PK_U0". ๏ Figure 3 (Tracing Protocol): the Verifier signs the transcript, σ = SIGN_V⟨c, z, h⟩, and sends σ, α, δ, ρ, PK_Ui, PK_C and CERT_C⟨PK_Ui⟩. The Trustee checks VERIFY_PKV⟨σ⟩, h ≟ H(g^z · PK_Ui^c) and α ≟ g^ρ · PK_C^δ, verifies CERT_C⟨PK_Ui⟩, obtains (X, Y) from ⟨PROOF_Ui⟩ and computes PK_U0 = DecElg_SKT(X, Y). ๏ Adversary goals (Section 4.1): we assume an active adversary A who is capable of eavesdropping and injecting messages in the communication medium. We also assume that an adversary may be a legitimate (but dishonest) participant in a protocol, i.e. either the certifier or the verifier or both may be dishonest.
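The following worked example is added here by the editor and is not code from the paper or the slides. It runs the squaring-based identity generation of slide 13, the Schnorr-style part of the identification protocol of slide 15 (h = H(g^(2k)), z1 = 2k − c1·SK_U0^(2^i), check h = H(g^z1 · PK_Ui^c1)) on a derived pseudonym, and the trustee's recovery of PK_U0 from the ElGamal escrow (X, Y) of slide 16. Everything about the parameters is an assumption: N is a tiny constructed product of two primes and G = 4 is chosen only so the numbers stay readable (the scheme calls for a strong 4096-bit composite), the DLEQ proof on (a1, a2) and the blind certification of slide 14 are omitted, and the function names are the editor's own.

```python
"""
Added worked example (editor's code, not the paper's): pseudonym
colligation by squaring, Schnorr-style identification on PK_Ui, and
trustee tracing via the ElGamal escrow (X, Y) of the master public key.
Toy modulus only; requires Python >= 3.8 for pow(x, -1, n).
"""
import hashlib
import secrets

P, Q = 1000003, 1000033   # constructed toy primes (insecure, for readability)
N = P * Q                 # composite modulus; its order is unknown to the user
G = 4                     # 2^2: a quadratic residue mod N, invertible since N is odd


def H(*parts):
    """Hash a tuple of integers to an integer (commitment / challenge)."""
    data = b"|".join(str(p).encode() for p in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def exp(base, e, n=N):
    """Modular exponentiation that also accepts negative exponents.

    The user does not know the group order, so responses such as
    z1 = 2k - c1*SK stay plain integers and may be negative.
    """
    if e < 0:
        return pow(pow(base, -1, n), -e, n)
    return pow(base, e, n)


def pseudonym_secret(sk0, j):
    """SK_Uj = SK_U0^(2^j): the colligated secret for pseudonym level j."""
    return pow(sk0, 2 ** j)


def i_generation(g, i, l, sk0, n=N):
    """I-Generation(g, i, l, SK_U0): PK_Uj = g^(SK_U0^(2^j)) mod N for j = l..i."""
    return {j: exp(g, pseudonym_secret(sk0, j), n) for j in range(l, i + 1)}


# --- Identification (Schnorr-style part of Figure 2) ------------------------
def ident_commit():
    """User: k in Z_N, h = H(g^(2k)). Returns (k, h)."""
    k = secrets.randbelow(N)
    return k, H(exp(G, 2 * k))


def ident_challenge():
    """Verifier: random challenge c1 in Z_N."""
    return secrets.randbelow(N)


def ident_response(k, c1, sk_i):
    """User: z1 = 2k - c1 * SK_Ui, kept as an integer (no reduction)."""
    return 2 * k - c1 * sk_i


def ident_verify(h, c1, z1, pk_i):
    """Verifier: h == H(g^z1 * PK_Ui^c1); the product equals g^(2k)."""
    return h == H(exp(G, z1) * exp(pk_i, c1) % N)


# --- Escrow and tracing (Figure 3) -----------------------------------------
def escrow(pk0, pk_t):
    """(X, Y) = EncElg_PKT(PK_U0, s): ElGamal encryption of the master key."""
    s = secrets.randbelow(N)
    return exp(G, s), pk0 * exp(pk_t, s) % N, s


def trace(X, Y, sk_t):
    """Trustee: PK_U0 = DecElg_SKT(X, Y) = Y * (X^SK_T)^-1 mod N."""
    return Y * pow(exp(X, sk_t), -1, N) % N


def run_demo(sk0, sk_t, i):
    """End-to-end run at pseudonym level i; returns the checks of interest."""
    pks = i_generation(G, i, 0, sk0)        # PK_U0 .. PK_Ui
    pk_t = exp(G, sk_t)
    k, h = ident_commit()
    c1 = ident_challenge()
    z1 = ident_response(k, c1, pseudonym_secret(sk0, i))
    X, Y, _ = escrow(pks[0], pk_t)
    return {
        "identify_ok": ident_verify(h, c1, z1, pks[i]),
        # the same transcript must not verify under a sibling pseudonym
        "sibling_rejected": i > 0 and not ident_verify(h, c1, z1, pks[i - 1]),
        "traced_to_master": trace(X, Y, sk_t) == pks[0],
        # colligation: PK_U(j+1) = PK_Uj ^ SK_Uj, so every level hangs off SK_U0
        "colligated": all(pks[j + 1] == exp(pks[j], pseudonym_secret(sk0, j))
                          for j in range(i)),
    }


if __name__ == "__main__":
    print(run_demo(sk0=123456789, sk_t=987654321, i=3))
```

The "colligated" check makes the unlinkability claim of slide 12 concrete: writing PK_Uj = g^x, the next pseudonym is PK_U(j+1) = g^(x^2), so a pair of consecutive pseudonyms is exactly a (g, g^a, g^(a^2)) triple, and telling it apart from (g, g^a, g^r) is the SDDH problem. Note also that z1 is never reduced, because with a composite modulus the user does not know the group order; in a real deployment k must be drawn from a range wide enough to statistically hide c1 · SK_Ui, which the toy N does not provide.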
  • 17. Security ๏ The proposal is secure against the attacks identified by Damgard (1988) and Lysyanskaya et al. (1999): ๏ Pseudonym forgery: an adversary tries to forge a pseudonym for some user. ๏ Identity compromise: an adversary, in association with other participants, tries to obtain information about the user's master public-secret key pair. ๏ Pseudonym linking and colligation: an adversary tries to obtain information that links a pair of pseudonyms to the same user, or to a user's master public key.
  • 18. Application to TPM ๏ We consider a TPM setting because of the tamper-resistant protection it offers to the master secret key, but the protocols can be applied to other structures such as directory-based services (e.g. Active Directory, LDAP). ๏ The endorsement key (EK) of the TPM plays the role of the master key pair (PK0, SK0). ๏ A user who wishes to obtain services from an application on a machine generates a pseudonym of the form (PKi, SKi). ๏ At the end of the protocol run the application is given a guarantee on the identity of the user and the associated TPM, while the system still protects the identity of both the TPM and the user associated with it.
  • 19. Advantages ๏ Compared to other pseudonym schemes, our scheme has an efficient identification protocol. ๏ Computations may be performed on the module itself, whereas the DAA scheme requires computation to be distributed between the TPM and the host computer. ๏ No new secret key has to be generated for each pseudonym; only the counter value of the pseudonym is stored. ๏ No appreciable increase in storage requirements, even when a large number of pseudonyms is required. ๏ Ideally suited to storage-constrained devices.
  • 20. What's Missing? Future Work? ๏ Needs a strong composite modulus (maybe 4096 bits). ๏ A prime modulus is ruled out, as SDDH is trivial there. ๏ Every generated pseudonym needs to fall within the same group as the master secret key. ๏ Identity transfer. ๏ Pseudonym chains cannot be formed (NOT YET!): that is, using PK1 to generate new pseudonyms that are still verifiable against SK0.