Secret Handshakes from Pairing-Based Key Agreements
Dirk Balfanz, Glenn Durfee, Narendar Shankar
Diana Smetters, Jessica Staddon, Hao-chi Wong
Presented by
Sen Xu, Feng Yue
11/11/2003
A Scenario
Alice wants to authenticate herself to the server, but doesn't want to reveal her credential until the server is authenticated.
Similarly, the server doesn't want to authenticate itself until Alice is authenticated.
Solution? Secret handshake!
Non-members cannot recognize or perform the handshake.
What happens after a handshake, with A ∈ G1, B ∈ G2:
A and B don't learn anything about the other party if G1 ≠ G2.
A and B know they belong to the same organization if G1 = G2.
They can choose to authenticate only to members with certain roles.
A third party won't learn anything.
Applications of Secret Handshake
Securely discover restricted services
Privacy-preserving authentication
Identify roles in a certain group
Group Background
Cyclic group: in a group, there is an x such that each element of the group may be written as x^k for some integer k.
x is called the generator of the cyclic group.
E.g. {2, 4, 8}, x = 2
Order of a group, element
Order of a group G is simply the number of elements in G. (misleading?)
Order of an element g: the least positive integer k such that g^k is the identity element. In general, finding the order of an element of a group is at least as hard as factoring (Meijer 1996).
Every group of prime order is cyclic.
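The definitions above are easiest to see on a small multiplicative group. The following Python is an added illustration (not from the slides or the paper): it computes element orders and generators in Z_p^* by brute force, checks that every order divides the group order, and checks that in the subgroup of prime order q every non-identity element generates it. One reading of the slide's {2, 4, 8} with x = 2 is the powers of 2 modulo 7, where 8 ≡ 1 is the identity; that reading is an assumption made here, and the toy moduli 7 and 11 are constructed inputs.

```python
"""Orders and generators in the multiplicative group Z_p^* (added illustration)."""


def element_order(g: int, p: int) -> int:
    """Least positive k with g^k = 1 (mod p): the order of g in Z_p^*.

    Brute force is fine for a toy modulus; at cryptographic sizes this is the
    problem the slide describes as at least as hard as factoring in general.
    """
    k, x = 1, g % p
    while x != 1:
        x = (x * g) % p
        k += 1
    return k


def subgroup_generated(g: int, p: int) -> set:
    """All powers of g modulo p, i.e. the cyclic subgroup <g>."""
    elems, x = set(), 1
    while x not in elems:
        elems.add(x)
        x = (x * g) % p
    return elems


def generators(p: int) -> list:
    """Elements whose order equals |Z_p^*| = p - 1: they generate the whole group."""
    return [g for g in range(1, p) if element_order(g, p) == p - 1]


def lagrange_holds(p: int) -> bool:
    """Every element order divides the group order p - 1."""
    return all((p - 1) % element_order(g, p) == 0 for g in range(1, p))


def prime_order_subgroup_is_cyclic(p: int, q: int) -> bool:
    """In the order-q subgroup of Z_p^* (q prime, q | p - 1) every non-identity
    element has order q, so any one of them is a generator."""
    assert (p - 1) % q == 0, "q must divide p - 1 for an order-q subgroup to exist"
    sub = {pow(g, (p - 1) // q, p) for g in range(1, p)}   # the unique subgroup of order q
    return len(sub) == q and all(element_order(h, p) == q for h in sub if h != 1)


if __name__ == "__main__":
    print("order of 2 mod 7:", element_order(2, 7))          # 3
    print("<2> in Z_7^*:", sorted(subgroup_generated(2, 7)))  # [1, 2, 4]
    print("generators of Z_7^*:", generators(7))             # [3, 5]
    print("order-3 subgroup of Z_7^* cyclic:", prime_order_subgroup_is_cyclic(7, 3))
```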
Identity Element
The identity element I (also denoted E, e) of a group or related mathematical structure S is the unique element such that I*a = a*I = a for every element a ∈ S.
The symbol "E" derives from the German word for unity, "Einheit." An identity element is also called a unit element.
For multiplication, I = 1.
For addition, I = 0.
Tate Pairing
Elliptic curves: a type of cubic curve whose solutions are confined to a region of space.
Form: y^2 = x^3 + ax + b
Plotted examples: y^2 = x^3 - x + 1 and y^2 = x^3 - x
Tate Pairing continued
Bilinearity, the most important property of the Tate pairing:
e(aP, bQ) = e(P, Q)^ab
An example of secret handshake
Ministry of transportation: t (master secret)
Driver Alice: ("p65748392a", TA)
TA = t·H1("p65748392a-driver") = tP
Cop Bob: ("xy6542678d", TB)
TB = t·H1("xy6542678d-cop") = tQ
Procedure
Alice → Bob: "p65748392a"
Bob → Alice: "xy6542678d"
Alice computes KA = e(H1("xy6542678d-cop"), TA) = e(Q, tP) = e(P, Q)^t
Bob computes KB = e(TB, H1("p65748392a-driver")) = e(tQ, P) = e(P, Q)^t
KA = KB
Another Example
Pro-democracy movement master secret m
Alice: ("y23987447y", MA)
MA = m·H1("y23987447y-member")
Claire: ("k61932843u", MC)
MC = m·H1("k61932843u-member")
Check procedure is the same
Imposter?
Dolores
Alice follows the procedure and generates a session key.
Alice encrypts a number N with the session key and asks for N+1.
The reply is not N+1.
Dolores is not in the movement.
Dolores doesn't learn anything about the movement.
Definitions of Secret-Handshake Scheme
A set U of possible users
A set G of groups
A set A of administrators (where do they come from?)
Secret-handshake scheme
CreateGroup: G → {0,1}* (group secret generated by administrator)
AddUser: U × G × {0,1}* → {0,1}* (user secret given by administrator)
Handshake(A, B)
TraceUser: {0,1}* → U
RemoveUser: {0,1}* × U → {0,1}* (insert u into RevokedUserList)
Concrete Secret-Handshake Scheme
Computable, non-degenerate bilinear map e: G1 × G1 → G2
Example: modified Weil or Tate pairings on supersingular elliptic curves.
H1: {0,1}* → G1
H2: collision-resistant hash function
Concrete Secret-Handshake Scheme
CreateGroup: SG ∈ Zq
AddUser: "pseudonyms" list idU1, …, idUt ∈ {0,1}* for U.
The administrator calculates privUi = SG·H1(idUi)
UserSecretU,G = id + priv
Concrete Handshake
A → B: idA, nA
B → A: idB, nB, V0
A → B: V1
V0 = H2(e(privA, H1(idB)) ||idA||idB||nA||nB||0) (A)
   = H2(e(H1(idA), privB) ||idA||idB||nA||nB||0) (B)
V1 = H2(e(privA, H1(idB)) ||idA||idB||nA||nB||1) (A)
   = H2(e(privB, H1(idA)) ||idA||idB||nA||nB||1) (B)
Concrete Handshake Continued
If both verifications succeed, then
SA = H2(e(privA, H1(idB)) ||idA||idB||nA||nB||2)
SB = H2(e(H1(idA), privB) ||idA||idB||nA||nB||2)
Since e(privA, H1(idB)) = e(H1(idA), privB), SA = SB.
TraceUser: given a transcript of a handshake between A and B, the administrator can recover the pseudonyms idA and idB and their users.
Concrete Secret-Handshake scheme with Roles
CreateGroup
AddUser: "pseudonyms" list idU1, …, idUt ∈ {0,1}* for U.
The administrator calculates privUi = SG·H1(idUi||R)
Concrete Handshake with roles
A → B: idA, nA
B → A: idB, nB, V0
A → B: V1
V0 = H2(e(H1(idA||R'A), privB) ||idA||idB||nA||nB||0) (B)
   = H2(e(privA, H1(idB||R'B)) ||idA||idB||nA||nB||0) (A)
V1 = H2(e(privA, H1(idB||R'B)) ||idA||idB||nA||nB||1) (A)
   = H2(e(H1(idA||R'A), privB) ||idA||idB||nA||nB||1) (B)
Concrete Handshake Continued
If both verifications succeed, then
SA = H2(e(privA, H1(idB||R'B)) ||idA||idB||nA||nB||2)
SB = H2(e(H1(idA||R'A), privB) ||idA||idB||nA||nB||2)
TraceUser and RemoveUser are identical to PBH.
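The bilinearity slide, the ministry-of-transportation example, the imposter scenario with Dolores, the concrete three-message handshake and its variant with roles all rely on one fact: e(privA, H1(idB||R'B)) and e(H1(idA||R'A), privB) agree exactly when both parties hold secrets under the same SG and guess each other's roles correctly. The Python below is an added illustration, not code from the slides or the paper. It replaces the Tate pairing with a deliberately insecure toy bilinear map over Z_q (e(a, b) = a·b mod q, with G2 written additively, so the slides' e(P, Q)^t becomes t·e(P, Q)) so that the protocol flow can run offline; the encoding of id||R, the pseudonym format, the nonce length and the administrator's pseudonym table are constructed for this example, and the role-less scheme is the special case of an empty role string.

```python
"""Toy pairing-based secret handshake (PBH) with roles: added illustration, not the paper's code.

The bilinear map is an insecure stand-in constructed for this example: G1 = Z_q
(additive, generator P = 1), G2 = Z_q written additively, e(a, b) = a*b mod q.
It satisfies e(xP, yQ) = xy * e(P, Q), the only property the handshake needs,
but a discrete log in Z_q is a division, so it shows protocol flow, not security.
"""
import hashlib
import secrets

Q = 2**127 - 1   # prime group order (a Mersenne prime); large enough that hash coincidences never occur in practice
SEP = b"|"       # constructed separator for id || R and for the H2 input


def h1(data: bytes) -> int:
    """H1: {0,1}* -> G1, mapped into 1..q-1 so nobody receives the zero element."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (Q - 1) + 1


def h2(*parts: bytes) -> str:
    """H2: collision-resistant hash over the concatenated parts."""
    return hashlib.sha256(SEP.join(parts)).hexdigest()


def pairing(a: int, b: int) -> int:
    """Toy bilinear map e: G1 x G1 -> G2."""
    return (a * b) % Q


def id_with_role(pid: str, role: str) -> bytes:
    """Encoding of id || R (constructed for this example)."""
    return pid.encode() + SEP + role.encode()


class Administrator:
    """CreateGroup / AddUser / TraceUser / RemoveUser for one group."""

    def __init__(self):
        self.secret = secrets.randbelow(Q - 1) + 1   # CreateGroup: S_G in Z_q
        self.owner = {}                              # pseudonym -> user, consulted by TraceUser
        self.revoked = set()                         # RemoveUser list

    def add_user(self, user: str, role: str, count: int = 3) -> list:
        """AddUser: `count` pseudonyms, each with priv = S_G * H1(id || R)."""
        creds = []
        for _ in range(count):
            pid = "id-" + secrets.token_hex(5)
            creds.append((pid, (self.secret * h1(id_with_role(pid, role))) % Q))
            self.owner[pid] = user
        return creds

    def trace_user(self, transcript: dict) -> tuple:
        """TraceUser: recover the users behind the pseudonyms in a transcript."""
        return self.owner.get(transcript["idA"]), self.owner.get(transcript["idB"])

    def remove_user(self, user: str) -> None:
        """RemoveUser: put every pseudonym issued to `user` on the revoked list."""
        self.revoked.update(pid for pid, u in self.owner.items() if u == user)


def handshake(creds_a: list, role_a_expects: str, creds_b: list, role_b_expects: str):
    """Three-message handshake. Returns (transcript, S_A, S_B); S values are None if a check fails."""
    idA, privA = creds_a.pop()          # each party spends a fresh pseudonym
    idB, privB = creds_b.pop()
    nA, nB = secrets.token_bytes(8), secrets.token_bytes(8)
    transcript = {"idA": idA, "nA": nA, "idB": idB, "nB": nB}   # message 1 (A -> B): idA, nA
    ctx = (idA.encode(), idB.encode(), nA, nB)
    kA = pairing(privA, h1(id_with_role(idB, role_a_expects)))   # A: e(privA, H1(idB || R'_B))
    kB = pairing(h1(id_with_role(idA, role_b_expects)), privB)   # B: e(H1(idA || R'_A), privB)

    def tag(k: int, i: int) -> str:
        return h2(k.to_bytes(16, "big"), *ctx, bytes([i]))

    transcript["V0"] = tag(kB, 0)       # message 2 (B -> A): idB, nB, V0
    if tag(kA, 0) != transcript["V0"]:  # A verifies V0
        return transcript, None, None
    transcript["V1"] = tag(kA, 1)       # message 3 (A -> B): V1
    if tag(kB, 1) != transcript["V1"]:  # B verifies V1
        return transcript, None, None
    return transcript, tag(kA, 2), tag(kB, 2)   # session keys S_A, S_B


def run_demo() -> dict:
    """The slides' scenarios: driver/cop handshake, an outsider, and a wrong role guess."""
    ministry = Administrator()
    alice = ministry.add_user("alice", "driver")
    bob = ministry.add_user("bob", "cop")
    movement = Administrator()                    # a different group with its own master secret
    dolores = movement.add_user("dolores", "cop")
    t_good, sa, sb = handshake(alice, "cop", bob, "driver")
    t_imp, sa2, sb2 = handshake(alice, "cop", dolores, "driver")
    t_role, sa3, sb3 = handshake(alice, "driver", bob, "driver")   # Alice expects a driver; Bob is a cop
    return {
        "keys_agree": sa is not None and sa == sb,
        "imposter_rejected": sa2 is None and sb2 is None,
        "wrong_role_rejected": sa3 is None,
        "traced": ministry.trace_user(t_good),
        "unlinkable": t_good["idA"] != t_imp["idA"],   # two of Alice's handshakes show different pseudonyms
    }


if __name__ == "__main__":
    print(run_demo())
```

The imposter check in `run_demo` is the Dolores scenario: her priv is tied to a different master secret, so V0 does not verify and neither side derives a key, and she learns nothing beyond a pseudonym and a hash. The failure on a wrong role guess is the roles variant's intended behaviour, since H1(idB||"driver") and H1(idB||"cop") are different group elements.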
Security for Secret-Handshake Schema
Some definitions:
Security parameter: length of the prime modulus (q)
Negligible: for all polynomials p(·), ε(t) < 1/p(t)
Random simulation: R replaces all outgoing messages with uniformly-random bit strings of the same length.
Definitions
Interaction: adversary-modified SHS.Handshake(A, B)
A interacts with B: A.Handshake(A, B)
A interacts with a random simulation: A.Handshake(A, R)
Group Member Impersonation
Adversary attempts to convince U* that A is a member of G*.
If A does not obtain secrets from any U in G*, then it should remain unable to convince U* of its membership in G*.
Trace the user secrets a successful adversary might be using (by the transcript of A's interaction with U*).
Group Member Impersonation Game
Randomized, polynomial-time adversary A
1. A interacts with users and obtains secrets for some users U' in U.
2. A selects a target user U* in G*.
3. A attempts to convince U* that A belongs to G*: SHS.Handshake(A, U*).
Probability A Wins the Game
A wins if it engages correctly in SHS.Handshake(A, U*).
Adv^MIG_A := Pr[A wins Member Impersonation Game].
Conditional advantage restricted to E: Adv^MIG_A(E) := Pr[A wins Member Impersonation Game | E].
Impersonation Resistance
Suppose A never corrupts a member of the target group G*. Then U' ∩ G* = ∅.
The secret-handshake scheme SHS is said to ensure impersonation resistance if Adv^MIG_A(U' ∩ G* = ∅) is negligible for all A.
Impersonator Tracing
Let T be a transcript of the interaction of A and U. The secret-handshake scheme SHS is said to permit impostor tracing when |Pr[SHS.TraceUser(T) ∈ U' ∩ G*] − Adv^MIG_A| is negligible for all A.
Group Member Detection
Adversary A has as its goal to learn how to identify members of a certain group G*.
A interacts with players of the system, corrupts some users, picks a target user U*, and attempts to learn if U* belongs to G*.
Group Member Detection
Required property: if A does not obtain secrets for any other U in G*, then it should remain clueless when detecting whether U* is in G*.
In other words, the final interaction with U* should yield no new information to the adversary unless it has already obtained secrets from another member of G*.
Member Detection Game
1. A interacts with users of its choice, and obtains secrets for some users U' in U.
2. A selects a target user U* not in U'.
3. Flip a random bit b ← {0,1}.
4. If b = 0, A interacts with U*; if b = 1, A interacts with R.
5. A outputs a guess b* for b.
Probability A Wins the Game
If b* = b, A wins the game.
Adv^MDG_A := |Pr[A wins Member Detection Game] − 1/2|.
Conditional advantage restricted to occurrence of event E: Adv^MDG_A(E) := |Pr[A wins MDG | E] − 1/2|.
Detection Resistance
Let G_U* be the group to which U* belongs, and suppose A never corrupts a member in G_U*. Then U' ∩ G_U* = ∅.
The secret-handshake scheme SHS is said to ensure detection resistance if Adv^MDG_A(U' ∩ G_U* = ∅) is negligible for all A.
Detector Tracing
Let T be a transcript of the interaction of A and U*, and let G_U* be the group to which U* belongs.
The secret-handshake scheme SHS is said to permit detector tracing when |Pr[SHS.TraceUser(T) ∈ U' ∩ G_U*] − Adv^MDG_A| is negligible for all A.
Security of Pairing-Based Handshake
Hardness of BDH Problem:
We say that the Bilinear Diffie-Hellman Problem (BDH) is hard if, for all probabilistic, polynomial-time algorithms B,
Adv^BDH_B := Pr[B(P, aP, bP, cP) = e(P, P)^abc]
is negligible in the security parameter.
Security of Pairing-Based Handshake
Theorem 1. Suppose A is a probabilistic, polynomial-time (PPT) adversary. There is a PPT algorithm B such that
Adv^MIG_A ≤ Pr[PBH.TraceUser(T) ∈ U' ∩ G*] + e·QH1·QH2·Adv^BDH_B + w,
where w is negligible in the security parameter.
Security of Pairing-Based Handshake
Corollary 2 (PBH Impersonator Tracing). Suppose A is a probabilistic, polynomial-time adversary. If the BDH problem is hard, then
|Pr[PBH.TraceUser(T) ∈ U' ∩ G*] − Adv^MIG_A|
is negligible.
Security of Pairing-Based Handshake
Corollary 3 (PBH Impersonation Resistance). Suppose A is a probabilistic, polynomial-time adversary. If the BDH problem is hard, then
Adv^MIG_A(U' ∩ G* = ∅)
is negligible.
Security of Pairing-Based Handshake
Theorem 4. Suppose A is a probabilistic, polynomial-time (PPT) adversary. There is a PPT algorithm B such that
Adv^MDG_A ≤ Pr[PBH.TraceUser(T) ∈ U' ∩ G*] + e·QH1·QH2·Adv^BDH_B + w,
where w is negligible in the security parameter.
Security of Pairing-Based Handshake
Corollary 2 (PBH Detector Tracing). Suppose A is a probabilistic, polynomial-time adversary. If the BDH problem is hard, then
|Pr[PBH.TraceUser(T) ∈ U' ∩ G*] − Adv^MDG_A|
is negligible.
Security of Pairing-Based Handshake
Corollary 3 (PBH Detector Resistance). Suppose A is a probabilistic, polynomial-time adversary. If the BDH problem is hard, then
Adv^MDG_A(U' ∩ G* = ∅)
is negligible.
Additional Security Notions
Forward Repudiability (optional): any evidence should not provide a non-repudiable proof that U1 is a member.
Indistinguishability to Eavesdroppers: Adv^DST_A := |Pr[A(T_Real) = 1] − Pr[A(T_Rand) = 1]|.
Additional Security Notions
Collusion Resistance and Traitor Tracing
Remain secure even if collections of users pool their secrets in an attempt to undermine the system.
If a coalition of users manages to detect or impersonate group members, detect at least one of them.
A traditional Diffie-Hellman based key exchange protocol breaks down here.
Additional Security Notions
Unlinkability
If an eavesdropper sees two different handshakes performed by Alice, the contents of the handshakes alone are unlinkable.
A user obtains a list of pseudonyms.
Reuse a single pseudonym.
SSL Handshake Protocol
Allows server and client to:
  authenticate each other
  negotiate encryption and MAC algorithms
  negotiate cryptographic keys to be used
Comprises a series of messages in phases:
  Establish Security Capabilities
  Server Authentication and Key Exchange
  Client Authentication and Key Exchange
  Finish
SSL Handshake Messages
Implementation
Small modification of two of the TLS handshake messages.
Server_Key_Exchange message:
  an indication that PBH is the algorithm
  server's identity idB
Client_Key_Exchange message:
  indication: PBH scheme
  client's identity idA
Implementation Choices
Secure transport layer protocol
Security parameters:
  p = 12qr − 1
  p 1024 bits, q 160 bits
  Curve E: y^2 = x^3 + 1
  Bilinear map: Tate pairing
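The parameter choice p = 12qr − 1 with the curve y^2 = x^3 + 1 is easy to sanity-check at toy sizes. The Python below is an added illustration, not the paper's or the implementation's code: it finds the smallest cofactor r for a given prime q such that p = 12qr − 1 is prime, counts the points on y^2 = x^3 + 1 over F_p by brute force, and verifies the properties the handshake depends on: p ≡ 2 (mod 3), which makes the curve supersingular with exactly p + 1 points, and q | #E, so an order-q subgroup G1 exists. The toy values q = 5 and q = 13 are constructed inputs; the trial-division primality test and the O(p) point count are only meant for such sizes, not for the 160-bit q and 1024-bit p on the slide.

```python
"""Sanity checks for the slide's parameters p = 12qr - 1, E: y^2 = x^3 + 1 (added illustration)."""


def is_prime(n: int) -> bool:
    """Trial division; adequate for the toy sizes used here, not for 1024-bit p."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def find_params(q: int, max_r: int = 10_000) -> tuple:
    """Smallest cofactor r such that p = 12*q*r - 1 is prime; returns (r, p).

    The factor 12 forces p = 2 (mod 3) and p = 3 (mod 4), and q | p + 1 by construction.
    """
    assert is_prime(q), "q must be prime"
    for r in range(1, max_r):
        p = 12 * q * r - 1
        if is_prime(p):
            return r, p
    raise ValueError("no prime of the form 12qr - 1 found below max_r")


def count_points(p: int) -> int:
    """#E(F_p) for y^2 = x^3 + 1 by brute force, including the point at infinity."""
    squares = {}                       # value -> number of y with y^2 = value (mod p)
    for y in range(p):
        v = y * y % p
        squares[v] = squares.get(v, 0) + 1
    total = 1                          # the point at infinity
    for x in range(p):
        total += squares.get((x ** 3 + 1) % p, 0)
    return total


def check_params(q: int, r: int) -> dict:
    """Verify the properties the pairing-based handshake needs from (q, r)."""
    p = 12 * q * r - 1
    n = count_points(p)
    return {
        "p": p,
        "p_is_prime": is_prime(p),
        "p_mod_3": p % 3,                  # 2 => y^2 = x^3 + 1 is supersingular over F_p
        "curve_order": n,
        "order_is_p_plus_1": n == p + 1,   # supersingular curve: #E(F_p) = p + 1
        "q_divides_order": n % q == 0,     # an order-q subgroup G1 exists
    }


if __name__ == "__main__":
    r, p = find_params(13)
    print("q = 13, r =", r, "p =", p)      # r = 2, p = 311
    print(check_params(13, r))
```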
Measurements
q         p          time      RSA
120 bits  512 bits   0.8 sec   512 bits
160 bits  1024 bits  2.2 sec   1024 bits
200 bits  2048 bits  11.8 sec  2048 bits
User and Role Authorization
The new user may have to be authorized to assume the role, in which case the administrator has to perform user authorization.
Revocation
Protocol Deployment
The two parties will exchange a cipher suite designator that clearly shows that they wish to engage in a secret handshake.
This can be mitigated by using some form of anonymous communication.
The protocol provides the best protection if the number of groups that are using it is large.
Conclusion
A secret-handshake mechanism is a mechanism that would allow members of a group to authenticate each other secretly.
Allowing members of a group to authenticate not only the fact that they belong to the same group, but also each other's roles, would be very desirable.