Abstract
Anonymity and authenticity are both important, yet often conflicting, security goals in a wide range of applications. On the one hand, for many applications (say, access control) it is crucial to be able to verify the identity of a given legitimate party (a.k.a. entity authentication). Alternatively, an application might require that no one but a given party can communicate on its behalf (a.k.a. message authentication). Yet, on the other hand, privacy concerns also dictate that the anonymity of a legitimate party should be preserved; that is, no information concerning the identity of parties should be leaked to an outside entity eavesdropping on the communication. This conflict becomes even more acute when considering anonymity with respect to an active entity that may attempt to impersonate other parties in the system.
In this work we resolve this conflict in two steps. First, we formalize what it means for a system to provide both authenticity and anonymity, even in the presence of an active man-in-the-middle adversary, for various specific applications such as message and entity authentication, using the constructive cryptography framework of [Mau11, MR11]. Our approach inherits the composability statement of constructive cryptography and can therefore be directly used in any higher-level context. Next, we demonstrate several simple protocols for realizing these systems, at times relying on a new type of (probabilistic) Message Authentication Code (MAC) called key-indistinguishable (KI) MACs. Similar to the key-hiding encryption schemes of [BBDP01], they guarantee that tags leak no discernible information about the keys used to generate them.
The unabridged version of this paper appears in [AHM+14a].
A. Patra—Work done while the author was at ETH Zurich.
Notes
- 1.
One could also give an equivalent formulation in the UC framework.
- 2.
Or more generally using the same or different states.
- 3.
In particular the security proof for the probabilistic setting then automatically carries over (at least in a computational sense) by preceding the proof with a hybrid argument replacing the output of each call to the PRG with fresh random numbers.
- 4.
Called the “environment” in the language of UC.
- 5.
And more abstractly, this property plays an important role in the composition theorem of [Mau11].
- 6.
Upon each invocation the transcript oracle outputs a freshly sampled transcript between the honest server and client.
- 7.
As is done for example in the separating example between the two notions in [MT12].
- 8.
In the language of UC we speak of ideal functionalities, and in the language of ITMs of communication tapes.
- 9.
We note that resources and composed systems are actually computational objects of the same type and so at times we also use calligraphic capital letters to denote a composed system.
- 10.
Indeed, as shown in the so-called “Dummy Lemma” for various UC-type frameworks, this restriction results in no loss of generality while making security proofs far more tractable.
- 11.
This stands in contrast to, say, game-based definitions, which instead guarantee certain properties of a real-world system only within the particular context captured by the game. For example, the anonymity of the authentication protocols defined in [Vau10, HPVP11] holds only with respect to adversaries which remain oblivious to which parties have previously authenticated themselves during the life of the system (even for the “wide adversary” variants).
- 12.
More specifically in this work the underlying cryptographic assumptions used give rise to the properties of the real world resource \(\mathcal{R}\) while the implementation choices can allow for bounding properties of \(\mathsf {D}\). The final distinguishing advantage of the real and ideal systems is usually a function of both types of properties.
- 13.
Indeed this is not difficult to see. For example, we can modify any (say \({\varvec{\mathsf {{uf}}}} \hbox {-}{\varvec{\mathsf {{cmva}}}} \)) unforgeable scheme as follows so that it is clearly not key indistinguishable. Double the key size, use the first half of the key in conjunction with the original \({{\scriptstyle \mathsf {TAG}}}\) algorithm to tag the message, and then append the second half of the key to the resulting tag. Clearly the scheme remains unforgeable; however, it is trivial to tell tags issued under different keys apart.
- 14.
For stateful MACs it is important that the full state (and not just the secret key) be shared between matching oracles in \([k_0, k_0]\). Suppose we have a secure MAC which hides all information about the secret keys. We can modify the \({{\scriptstyle \mathsf {TAG}}}\) algorithm to keep a counter which it appends to each tag \(\tau \) it outputs. Clearly the scheme still hides all information about the secret key. However, it is unclear how such a scheme might be used to achieve anonymity. Indeed, it is trivial to tell, say, the \(10^{th}\) tag issued for key \(k_0\) from the \(3^{rd}\) tag issued for a different key \(k_1\).
- 15.
For some applications (such as entity authentication for light-weight devices) this reflects a design choice for senders already common in practice.
- 16.
We use the standard notation \([n]\) to denote the set \(\{1,\ldots ,n\}\).
- 17.
In case the relative order of clients’ responses in different sessions is known to be correlated (e.g., one client possessing faster hardware than the others and therefore always being the first to respond), the unlinkability of sessions is not guaranteed.
- 18.
As described in the introduction, in the language of [MT12] this corresponds precisely to \((\{C,S\}, \{S\})\)-authenticity.
- 19.
A formal description can be found in [AHM+14a].
- 20.
Universal unforgeability is a relaxed security notion for MACs where the adversary only wins by producing a fresh (valid) tag for a uniform random message chosen by the challenger.
- 21.
The security loss arises because in addition to having to guess for which client an impersonation attack will arise (see [AHM+14b]) the reduction to universal unforgeability must also guess during which of the \(q_s\) sessions the attack occurs so as to properly plant its random challenge message from the universal unforgeability game.
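The two counterexamples in notes 13 and 14, and the experiment they are judged in, as an added example that is not the paper's own code or construction. It assumes the experiment form sketched in note 14: the distinguisher gets two tagging oracles that are either one shared instance under \(k_0\) (key and state shared, the \([k_0,k_0]\) case) or two independent instances under \(k_0\) and \(k_1\), and must say which. The randomized HMAC-based MAC is a standard construction used here only as a plausible KI candidate, not the KI MAC of [AHM+14b]; the class and function names, the key lengths and the sample messages are all constructed for this illustration.

```python
"""Key-indistinguishability (KI) experiment for MACs, as an added
illustration of notes 13 and 14 (not the paper's construction).

b = 0: `left` and `right` are the SAME instance (key and state shared).
b = 1: `left` and `right` are independent instances under fresh keys.
A distinguisher returns its guess for b; accuracy 0.5 means no advantage.
"""
import hashlib
import hmac
import os


class RandomizedMac:
    """tag = r || HMAC_k(r || m) with a fresh 16-byte r per tag.
    Standard randomized PRF-MAC; assumed (not proven here) to be KI."""

    def __init__(self, key: bytes):
        self.key = key

    def tag(self, msg: bytes) -> bytes:
        r = os.urandom(16)
        return r + hmac.new(self.key, r + msg, hashlib.sha256).digest()

    def verify(self, msg: bytes, tag: bytes) -> bool:
        r, t = tag[:16], tag[16:]
        expected = hmac.new(self.key, r + msg, hashlib.sha256).digest()
        return hmac.compare_digest(t, expected)


class DeterministicMac:
    """Plain HMAC: unforgeable, but a shared-key pair of oracles answers a
    repeated message identically, so it cannot be KI in this experiment.
    This is why the abstract insists on a *probabilistic* MAC."""

    def __init__(self, key: bytes):
        self.key = key

    def tag(self, msg: bytes) -> bytes:
        return hmac.new(self.key, msg, hashlib.sha256).digest()

    def verify(self, msg: bytes, tag: bytes) -> bool:
        return hmac.compare_digest(tag, self.tag(msg))


class LeakyMac(RandomizedMac):
    """Note 13: double the key, tag with the first half, append the second
    half in the clear. Unforgeability is untouched; KI is gone."""

    def __init__(self, key: bytes):
        half = len(key) // 2
        super().__init__(key[:half])
        self.suffix = key[half:]

    def tag(self, msg: bytes) -> bytes:
        return super().tag(msg) + self.suffix

    def verify(self, msg: bytes, tag: bytes) -> bool:
        n = len(self.suffix)
        return (hmac.compare_digest(tag[-n:], self.suffix)
                and super().verify(msg, tag[:-n]))


class CounterMac(RandomizedMac):
    """Note 14: a per-instance counter appended to every tag. The tag says
    nothing about the key, yet tags are linkable through the state."""

    def __init__(self, key: bytes):
        super().__init__(key)
        self.counter = 0

    def tag(self, msg: bytes) -> bytes:
        self.counter += 1
        return super().tag(msg) + self.counter.to_bytes(4, "big")

    def verify(self, msg: bytes, tag: bytes) -> bool:
        return super().verify(msg, tag[:-4])


def ki_accuracy(mac_cls, distinguisher, key_len: int = 32, trials: int = 200) -> float:
    """Fraction of trials in which `distinguisher(left, right)` guesses b.
    Half the trials use b=0 (one shared instance), half b=1 (two instances)."""
    correct = 0
    for i in range(trials):
        b = i % 2
        left = mac_cls(os.urandom(key_len))
        right = left if b == 0 else mac_cls(os.urandom(key_len))
        correct += int(distinguisher(left, right) == b)
    return correct / trials


# --- distinguishers (constructed for the three counterexamples) ----------

def same_message(left, right) -> int:
    """Tag one message on both sides; identical tags imply a shared key."""
    return 0 if left.tag(b"m") == right.tag(b"m") else 1


def key_suffix(left, right) -> int:
    """LeakyMac: the trailing 16 bytes are the second key half."""
    return 0 if left.tag(b"a")[-16:] == right.tag(b"b")[-16:] else 1


def counter_gap(left, right) -> int:
    """CounterMac: after ten tags on the left, the right oracle continues
    at 11 only if its state is the shared one."""
    for _ in range(10):
        left.tag(b"x")
    return 0 if int.from_bytes(right.tag(b"y")[-4:], "big") == 11 else 1


if __name__ == "__main__":
    for name, cls, dist in [("randomized", RandomizedMac, same_message),
                            ("deterministic", DeterministicMac, same_message),
                            ("leaky", LeakyMac, key_suffix),
                            ("counter", CounterMac, counter_gap)]:
        print(f"{name:14s} KI-experiment accuracy = {ki_accuracy(cls, dist):.2f}")
```

Against the randomized MAC the same-message distinguisher sits at exactly 0.5, because fresh randomness makes the two tags differ whether or not the key is shared; against the deterministic, leaky and counter variants each distinguisher is right every time. The counter case only works because the \(b=0\) branch hands the distinguisher one object for both oracles, which is the "full state, not just the key" requirement of note 14.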
References
Ateniese, G., Camenisch, J., de Medeiros, B.: Untraceable RFID tags via insubvertible encryption. In: ACM Conference on Computer and Communications Security, pp. 92–101 (2005)
Abadi, M., Fournet, C.: Mobile values, new names, and secure communication. SIGPLAN Not. 36(3), 104–115 (2001)
Abadi, M., Fournet, C.: Private authentication. Theor. Comput. Sci. 322(3), 427–476 (2004)
Alwen, J., Hirt, M., Maurer, U., Patra, A., Raykov, P.: Anonymous authentication with shared secrets. Cryptology ePrint Archive, Report 2014/073 (2014). http://eprint.iacr.org/
Alwen, J., Hirt, M., Maurer, U., Patra, A., Raykov, P.: Key-indistinguishable message authentication codes. Cryptology ePrint Archive, Report 2014/107 (2014). To appear in SCN 2014
Arapinis, M., Mancini, L.I., Ritter, E., Ryan, M., Golde, N., Redon, K., Borgaonkar, R.: New privacy issues in mobile telephony: fix and verification. In: ACM CCS, pp. 205–216. ACM (2012)
Arapinis, M., Mancini, L.I., Ritter, E., Ryan, M.: Formal analysis of UMTS privacy. CoRR, abs/1109.2066 (2011)
Bellare, M., Boldyreva, A., Desai, A., Pointcheval, D.: Key-privacy in public-key encryption. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 566–582. Springer, Heidelberg (2001)
Burmester, M., Le, T.V., de Medeiros, B., Tsudik, G.: Universally composable RFID identification and authentication protocols. ACM Trans. Inf. Syst. Secur. 12(4), 1–33 (2009)
Burmester, M., Munilla, J.: Lightweight RFID authentication with forward and backward security. ACM Trans. Inf. Syst. Secur. 14(1), 11 (2011)
Bellare, M., Rogaway, P.: Entity authentication and key distribution. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 232–249. Springer, Heidelberg (1994)
Barbeau, M., Robert, J.-M.: Perfect identity concealment in UMTS over radio access links. In: WiMob (2), pp. 72–77. IEEE (2005)
Canetti, R.: Universally composable security: A new paradigm for cryptographic protocols. In: FOCS, pp. 136–145 (2001)
Choudhury, H., Roychoudhury, B., Saikia, D.K.: UMTS user identity confidentiality: An end-to-end solution. In: WOCN, pp. 1–6. IEEE (2011)
Choudhury, H., Roychoudhury, B., Saikia, D.K.: Enhancing user identity privacy in LTE. In: TrustCom, pp. 949–957. IEEE C. Soc. (2012)
Deng, R.H., Li, Y., Yung, M., Zhao, Y.: A zero-knowledge based framework for RFID privacy. J. Comp. Sec. 19(6), 1109–1146 (2011)
Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987)
Guillou, L.C., Quisquater, J.-J.: A practical zero-knowledge protocol fitted to security microprocessor minimizing both transmission and memory. In: Günther, C.G. (ed.) EUROCRYPT 1988. LNCS, vol. 330, pp. 123–128. Springer, Heidelberg (1988)
Gódor, G., Varadi, B., Imre, S.: Novel authentication algorithm of future networks. In: ICN/ICONS/MCL, p. 80. IEEE Computer Society (2006)
Hermans, J., Pashalidis, A., Vercauteren, F., Preneel, B.: A new RFID privacy model. In: Atluri, V., Diaz, C. (eds.) ESORICS 2011. LNCS, vol. 6879, pp. 568–587. Springer, Heidelberg (2011)
Jarecki, S., Kim, J., Tsudik, G.: Beyond secret handshakes: affiliation-hiding authenticated key exchange. In: Malkin, T. (ed.) CT-RSA 2008. LNCS, vol. 4964, pp. 352–369. Springer, Heidelberg (2008)
Khan, M., Ahmed, A., Cheema, A.R.: Vulnerabilities of UMTS access domain security architecture. In: SNPD, pp. 350–355 (2008)
Kohlweiss, M., Maurer, U., Onete, C., Tackmann, B., Venturi, D.: Anonymity-preserving public-key encryption: a constructive approach. In: De Cristofaro, E., Wright, M. (eds.) PETS 2013. LNCS, vol. 7981, pp. 19–39. Springer, Heidelberg (2013)
Køien, G.M., Oleshchuk, V.A.: Location privacy for cellular systems; analysis and solution. In: Danezis, G., Martin, D. (eds.) PET 2005. LNCS, vol. 3856, pp. 40–58. Springer, Heidelberg (2006)
Lee, M.-F., Smart, N.P., Warinschi, B., Watson, G.: Anonymity guarantees of the UMTS/LTE authentication and connection protocol. Cryptology ePrint Archive, Report 2013/027 (2013). http://eprint.iacr.org/
Maurer, U.: Constructive cryptography – a new paradigm for security definitions and proofs. In: Mödersheim, S., Palamidessi, C. (eds.) TOSCA 2011. LNCS, vol. 6993, pp. 33–56. Springer, Heidelberg (2012)
Maurer, U., Renner, R.: Abstract cryptography. In: ICS, pp. 1–21. Tsinghua University Press (2011)
Mol, P., Tessaro, S.: Secret-key authentication beyond the challenge-response paradigm: Definitional issues and new protocols. Manuscript, December 2012
Okamoto, T.: Provably secure and practical identification schemes and corresponding signature schemes. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 31–53. Springer, Heidelberg (1993)
3rd Generation Partnership Project. TS 33.102 - 3G security; Security architecture V11.5.0 (2012)
Sattarzadeh, B., Asadpour, M., Jalili, R.: Improved user identity confidentiality for UMTS mobile networks. In: ECUMN, pp. 401–409. IEEE Computer Society (2007)
Schnorr, C.-P.: Efficient identification and signatures for smart cards. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 239–252. Springer, Heidelberg (1990)
Tsay, J.-K., Mjølsnes, S.F.: A vulnerability in the UMTS and LTE authentication and key agreement protocols. In: Kotenko, I., Skormin, V. (eds.) MMM-ACNS 2012. LNCS, vol. 7531, pp. 65–76. Springer, Heidelberg (2012)
Vaudenay, S.: Privacy models for RFID schemes. In: Ors Yalcin, S.B. (ed.) RFIDSec 2010. LNCS, vol. 6370, pp. 65–65. Springer, Heidelberg (2010)
Yang, G., Wong, D.S., Deng, X., Wang, H.: Anonymous Signature Schemes. In: Yung, M., Dodis, Y., Kiayias, A., Malkin, T. (eds.) PKC 2006. LNCS, vol. 3958, pp. 347–363. Springer, Heidelberg (2006)
© 2015 Springer International Publishing Switzerland
Cite this paper
Alwen, J., Hirt, M., Maurer, U., Patra, A., Raykov, P. (2015). Anonymous Authentication with Shared Secrets. In: Aranha, D., Menezes, A. (eds) Progress in Cryptology - LATINCRYPT 2014. LATINCRYPT 2014. Lecture Notes in Computer Science(), vol 8895. Springer, Cham. https://doi.org/10.1007/978-3-319-16295-9_12
DOI: https://doi.org/10.1007/978-3-319-16295-9_12
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-16294-2
Online ISBN: 978-3-319-16295-9