Detection Resistance

LetAbe an adversary whose goal is to engage in Secret Handshake protocol instances and detect the other user’s property, without owning the appropriate Matching Refer-ence. We call detector resistance the resilience to such kind of an attacker.

At first,Acan accessOSetup,OCertify,OGrant,ORevoke. At the end of the query phase, Apicks a property p∗ for which no call toOGrant has been made. The adversary then

engages in a protocol execution with the challenger, and asked at the end to distin-guish the correct key that Handshake.Match would output with the correct Matching Reference from a random value of the same length. We call this gameDetect.

Lemma 9. If an adversary Ahas a non-null advantage

AdvDetect_A:=P r[A wins the gameDetect]

then a probabilistic, polynomial time algorithm B can create an environment where it usesA’s advantage to solve any given instance of the Decisional Diffie-Hellman problem (DDH).

Proof. We defineBas follows. Bis given an instance

g, g^a, g^b, g^σ

of the DDH problem inG1 and wishes to use Ato decide ifσ=ab. The algorithmB simulates an environ-ment in whichAoperates, usingA’s advantage in the gameDetectto help compute the solution to the DDH problem. In particular,B implements the oraclesOSetup,OCertify, OGrant,ORevoke as follows:

OSetup : B uses g as the one received from the DDH challenge; f(p) is implemented as follows: on a query forf(p), ifphas never been queried before,Bpicks a random value rp R

← Z^∗q, storing the pair (p, rp) in a table. Then B flips a random biased coinguess(p)∈ {0,1}biased as follows: guess(p) equals 1 with probabilityδand is equal to 0 with probability 1−δ. B answers as follows: if guess(p) = 0, B looks up r_p in the table and answers with f(p) = r_p. Instead, if guess(p) = 1, B answers with f(p) =br_p; finally,B picks and publishes the public parameters according to the rules of the protocol;

OCertify : B answers according to the rules of the protocol;

OGrant : A queries the challenger to obtain a Matching Reference for property pi; as-suming that guess(p_i) = 0, Banswers according to the rules of the protocol;

ORevoke : B answers according to the rules of the protocol;

Setup and Queries The adversaryAcan interact with the oraclesOSetup,OCertify, OGrant,ORevoke;

Challenge At the end of this phase, A chooses a property p∗, such that no query to the oracle OGrant has been submitted. Let us assume that guess(p∗) = 1:

as a consequence, f(p∗) = br_p∗. B then engages in an instances of Handshake with

A; in particular, B receives a nonce ˜g^m; B then picks x, s ←^R Z^∗q sets r⁰ = a and

Finally, A receives the key that Handshake.RandomizeCredentials computes: in order to compute such key, B assumes that σ = ab, and therefore computes ˆe(g^a,˜g^m)^x0 = ˆ

e(g^a,˜g^m)^x. A answers the challenge with a bit b;A wins the game ifb= 0 if the key is a random bitstring, andb= 1 if the key is correct.

Analysis of A’s answer It is straightforward to verify that, ifA wins the game, B can give the same answer to solve the DDH problem. Indeed, if A wins the game and answersb= 1, it means that the keyB generated was correct. Then, the same key must be computable using Equation 5.3 with the Matching Reference for propertyp∗,

˜

g^{f(p∗)h(p∗)} = ˜g^{brp∗h(p∗)}. Then we can write

(ax+σr_p∗h(p∗)−abr_p∗h(p∗))m=max

However this equation is satisfied only if σ =ab, which is the positive answer to the DDH problem. If not, Bcan give the negative answer to DDH.

A detailed analysis shows that if guess(p∗) = 1 and guess(p) = 0 for all other queries toOGrant such thatp6=p∗, then the execution environment is indistinguishable from the actual gameDetect. This happens with probability

P r[guess(p∗) = 1 and guess(p) = 0 for allp6=p∗] =δ·(1−δ)^Qp (5.24) whereQp is the number of different propertiesAqueries toOGrantoracle. By setting δ ≈ _Q¹

p we know that the probability in 5.24 is greater than _e·¹_Q

p. So in conclusion, we can bound the probability of success of the adversaryAdvDetect_A asAdvDetect_A ≤ e·Qp·AdvDDH_B.

5.3.3.4 Impersonation Resistance

The analysis of the impersonation resistance requirement is slightly more complex than the analysis of other requirements. Before venturing in the actual analysis, we shall give

an overview of how we approach it. At first we define a broad game, calledImpersonate, where the attacker has to be able to conduct a successful Secret Handshake for a given property, having access to an arbitrary number of Credentials that are revoked before the challenge phase.

Then, we create two sub-games, Impersonate1 and Impersonate2: each game is the same asImpersonatewith an additional requirement that the adversary needs to satisfy.

The additional requirement (namely the satisfaction of an equality) creates a clear cut between the two games, whose union generates Impersonate. Then we present two separate proofs for the hardness of theImpersonate1 and Impersonate2 games.

Then the adversary is challenged to engage in the Impersonategame against the at-tacker. The game is defined as follows: before the beginning of the game, the challenger flips a coin and based on its outcome, plays either theImpersonate1or theImpersonate2 game. If the adversary wins the game, the challenger gains an advantage on one of the two hard problems: which problem depends on the adversary’s behaviour. As the chal-lenger must commit to one game in advance the advantage that the chalchal-lenger receives is decreased by a factor ¹₂.

Now, let us begin with the description ofImpersonate. LetA’s goal be the imperson-ation of a user owning a Credential for a given property. Acan access OSetup,OCertify, OGrant, ORevoke. A eventually decides that this phase of the game is over. The chal-lenger then revokes each Credential handed out to the attacker in the previous phase.

Athen declares p∗ ∈P which will be the object of the challenge;Ais then challenged to engage in Handshake with the challenger, and has to be able to convince that he owns a Credential for property p∗. A is then asked to output the key computed. As mentioned before, we consider a weaker version of Impersonation Resistance than the one adopted in Section 4.4.2.1, where the adversary was not required to compute the key but to distinguish it from a random value.

In order to successfully win the game, it must not be possible for the challenger to abort the handshake due to the fact that the Credentials used by the attacker have been revoked. We call this game Impersonate.

Now let us show how we construct the two sub-games. At the end of the Query phase of theImpersonategame,Areceives a nonce ˜g^mand is then asked to produce the hand-shake tuplehg^α, g^β,˜g^γ,˜g^δiand the keye^kcomputed byHandshake.RandomizeCredentials.

If the attacker is successful, the challenger should be able to compute the same key using Handshake.Matchand the Matching Reference for p∗.

This means that the challenger can check that e(gˆ ^β,g˜^γ)

Recall that the attacker receives a number of Credentials during the query phase.

The attacker can win the game in two ways: (i) forge a brand new Credential or (ii) use an old Credential yet circumventing the revocation check, notably Equation 5.1 of the Handshake.CheckRevoked sub-algorithm. Let us setXu,p =xu,p+f(p)h(p). When the attacker is challenged, we have seen that he produces the valueg^{rsw(xu∗,p∗+f(p∗)h(p∗))} = g^rsXu∗,p∗. If we define the set

Q_A ={X_u,p∈Z^∗q :A has receivedg^zwXu,p,˜g^(zw)−1,˜g^z−1 from a query to Certify}

then (i) implies X_u∗,p∗ ∈/ Q_A and (ii) implies X_u∗,p∗ ∈ Q_A. X_u∗,p∗ is the value the attacker uses in the challenge handshake instance. We then define two different games: Impersonate1, the aforementioned Impersonate game when Xu∗,p∗ ∈/ Q_A, and Impersonate2 whenXu∗,p∗∈Q_A.

Lemma 10. If an adversary A has a non-null advantage

AdvImpersonate1_A:=P r[Awins the game Impersonate1]

then a probabilistic, polynomial time algorithm B can create an environment where it usesA’s advantage to solve a given instance of the SM Problem.

Proof. The challengerB is defined as follows. Breceives an instance D simulates an environment in whichAoperates. In particular,B implements the oracles OSetup,OCertify,OGrant,ORevoke as follows:

OSetup : B sets public parameters g,g˜ as the ones received from the challenge. B sets W ←g^w, ˜g0 = ˜g^y. It then picks {y_i}ⁿ_i=1←^R Z^∗q and sets ˜g1 = ˜g^y1, . . . ,g˜n= ˜g^yn. B then publishes the public parameter according to the rules of the protocol;

OCertify : A queries B for Credentials for an arbitrary number of user u_i and property p_i; B answers by picking a random Identification Handle x_ui,pi ←^R Z^∗_q and by

OGrant : A queriesB for Matching References for an arbitrary number of properties p_i; B answers withmatchpi = ˜g^f(pi)h(pi), and also gives toAthe value g^f(pi); ORevoke : A queries B for an arbitrary number of Revocation Handles for user ui and

property p_i;B answers withrev_ui,pi = ˜g^xui,pi;

Setup and Queries The adversaryAcan interact with the oraclesOSetup,OCertify, OGrant,ORevoke;

Challenge Athen declares that this phase of the game is over. B therefore revokes each of the CredentialsArequested in the previous phase. Athen chooses a property p∗ ∈ P. B challenges A by sending ˜g^m and A answers the challenge with the tuple hg^α, g^β,g˜^γ,˜g^δ, e^ki.

Analysis of A’s response IfA wins the game,B can check that e(gˆ ^β,g˜^γ)

as mandated by theHandshake.Matchsub-algorithm detailed in Section 5.3.2.

Let us set α=r,k=rx∗mandδ =s⁻¹, for some integersr, x∗, s∈Z^∗_q unknown to B. Then, from Equation 5.28 we derive that γ = (ws)⁻¹ and from Equation 5.27 that β =rswf(p∗)(_f(p^x∗

∗)+y+P

i∈V(p∗)y_i). Notice that by the definition of the game, the attacker has not received a Credential containing the termg^zwXu∗,p∗ =g^{zw(x∗+f(p∗)h(p∗))} from a query to theOCertify oracle.

This implies in turn that the valuev∗ = _f(p^x∗

∗)+P

i∈V(p∗)y_ihas never been queried by the challenger to the oracleOw,y in the execution of aOCertify query: as a consequence, v∗ does not belong to the set O. Therefore we conclude that, if A wins the game, B can provide

D

(g^α)^f(p∗), g^β,g˜^γ,g˜^δ,ˆe(g,g)˜ ^k·eˆ(g^α,g˜^m)^f(p∗)

P

i∈V(p∗)yiE as an answer to the SM problem.

We now turn our attention to the Impersonate2 game, focusing on an adversary reusing an already received Credential and yet able to circumvent revocation. Given that the revocation check involves the Matching Reference for a property, the only way for the attacker is to use a Credential received for a property – sayp◦ – in the attempt to impersonate a different property – sayp∗.

Lemma 11. If an adversary A has a non-null advantage

AdvImpersonate2_A:=P r[Awins the game Impersonate2]−¹₂

then a probabilistic, polynomial time algorithm B can create an environment where it usesA’s advantage to solve a given instance of the Decisional Diffie-Hellman Problem (DDH).

Proof. We defineBas follows. Bis given an instance

˜

g,˜g^a,g˜^b,˜g^σ

of the DDH problem and wishes to use A to decide if σ = ab. The algorithm B simulates an environment in which A operates. In particular, B implements the oracles OSetup, OCertify, OGrant, ORevoke as follows:

OSetup : B sets the public parameter ˜g as the ones received from the DDH challenge;

it then picks {y_i}ⁿ_i=0 ←^R Z^∗q and sets ˜g0 = (˜g^a)^y0, ˜g1 = (˜g^a)^y1, . . . ˜gn = (˜g^a)^yn; notice that with such a setting of parameters, we can writeh⁰(p) =ah(p) where h(p) = y0 +P

i∈V(p)yi; the other parameters are then picked and published following the rules of the protocol;

OCertify : AqueriesB for Credentials for an arbitrary number of pairs (u, p)∈U×P;B answers by first of all picking xu,p R

←Z^∗q and by giving it to A. Then, the chal-lenger givescred_u,p = hC_u,p,1, C_u,p,2, C_u,p,3i to A, whereC_u,p,1 =g^(zw), C_u,p,2 =

˜

g^{(zw)−1(xu,p+f(p)h0(p))} = ˜g^{(zw)−1(xu,p+f(p)ah(p))} and Cu,p,3 = ˜g^{z−1(xu,p+f(p)h0(p))} =

˜

g^z−1(xu,p+f(p)ah(p)); A also receives g^f(p). This representation of Credentials is

indistinguishable from the ones mandated by the protocol: indeed notice that we can set z = z⁰(xu,p +f(p)h⁰(p)) and we can rewrite Cu,p,1 = g^{z0w(xu,p+f(p)h0(p))}, C_u,p,2 = ˜g^(z0w)−1 and C_u,p,3 = ˜g^z0−1 which is exactly the way Credentials are for-mulated according to the algorithmCertify described in Section 5.3.2. B adds to a list V the tuple (˜g^{xu,p+h0(p)f(p)}, u, p, xu,p) for each query of A and keeps it for later use.

OGrant : A queriesB for Matching References for an arbitrary number of properties p;

B answers withmatchp = ˜g^f(p)h0(p)= ˜g^f(p)ah(p);Aalso receivesg^f(p);

ORevoke : A queries B for an arbitrary number of Revocation Handles for user ui and property p_i;B answers withrev_ui,pi = ˜g^xui,pi;

Setup and Queries The adversaryAcan interact with the oraclesOSetup,OCertify, OGrant,ORevoke;

Challenge Athen declares that this phase of the game is over. B therefore revokes each Credential requested by A in the previous phase. A then chooses a property p∗ ∈ P. B challenges A by sending ˜g^b and A answers the challenge with the tuple hg^α, g^β,g˜^γ,˜g^δ,eˆ(g,g)˜ ^ki.

Analysis of A’s response IfAwins the game, B can check that e(gˆ ^β,g˜^γ)

as mandated by theHandshake.Matchsub-algorithm detailed in Section 5.3.2.

Let us set α =r,k=rx∗b andδ =s⁻¹, for some integers r, x∗, s∈Z^∗q unknown to B. Then, from Equation 5.32 we derive thatγ = (ws)⁻¹; if we setv∗ =x∗+f(p∗)h⁰(p∗), from Equation 5.31 we can write β =rswv∗.

We know by definition that the attacker has already received C_u◦,p◦,1 = g^zwv∗ = g^{zw(xu◦,p◦+f(p◦)h0(p◦))} during the previous query phase. Consequently, the Revocation Handle rev_u◦,p◦ = ˜g^xu◦,p◦ has also been published. B can easily recover u◦ and p◦,

since he can check which ˜g^{xu◦,p◦+h0(p◦)f(p◦)} in the list V satisfies the following equality ˆ

e(g^β,˜g^γ) = ˆe(g^α,g˜^{xu◦,p◦+h0(p◦)f(p◦)});B can then look up the respective xu◦,p◦.

If p◦ = p∗, then A has lost the game, since a successful answer of the attacker cannot be revoked by any of the issued Revocation Handles, whereas this Credential can be revoked with revu◦,p◦ = ˜g^xu◦,p◦. Then it must be that p◦ 6= p∗; in this case The challenger is therefore able to compute

ˆ

Now we address the security of impersonation resistance as a whole, by presenting a Lemma that unifiesImpersonate1 and Impersonate2.

Lemma 12. If an adversary A has a non-null advantage

AdvImpersonate_A:=P r[Awins the game Impersonate]

then a probabilistic, polynomial time algorithm B can create an environment where it uses A to gain either an advantage AdvImpersonate_A

2 on the Decisional Diffie-Hellman problem (DDH) or an advantage AdvImpersonate_A

2 on the SM Problem.

Proof. At the beginning of the game, the challenger flips a fair coin b ∈ {1,2} and starts to play Impersonateb with the adversary. The adversary does not know which game the challenger plays.

If the adversary wins, the challenger succeeds in obtaining a reduction for at least one of the two games: which game depends on the behaviour of the attacker; however the challenger cannot predict this as it must commit to one game in advance, before knowing the behaviour of the adversary.

Let us assume that the attacker wins with some probability p; then, the advantage p will be decreased by a factor of ¹₂ to turn it into an actual advantage against the game that has actually been chosen.

Lemmas 10 and 11 tell us that this advantage can be turned into an advantage over the DDH or SM problems.

5.4 Secret Handshake with Dynamic Matching and

Dans le document Secret handshake protocols (Page 123-132)