In Chapter 3 we have highlighted a number of features of Secret Handshake schemes.
In particular, we have stressed that reusable Credentials is a key feature of a practical scheme; the same holds for revocation. In addition, we have listed Unlinkability of users as an extremely relevant security requirement, whose importance is increased by the sensitive use cases that we have sketched in Chapter 1.
In Table 3.1 unfortunately we can see that only two schemes support all three features, namely [XY04] and [JL07]. The first scheme however only supports a lim-ited version of Anonymity, namelyk-Anonymity. The second scheme follows a differ-ent approach from white/black list, namely, an epoch-based approach with short-lived Credentials. However both schemes fail to satisfy another important requirement: sep-arability. As we have seen in Chapter 3, separability is the key enabler for more flexible versions of Secret Handshake, namely Secret Handshake with Dynamic Matching and Secret Handshake with Dynamic Controlled Matching.
It is therefore evident that a scheme supporting separability, reusable Credentials, revocation and Unlinkability is missing. This is going to be the contribution of this Chapter.
A possible alternative approach to the one that we follow in the remainder of this Chapter would be the use of Zero-Knowledge Proofs of Knowledge (ZKPK) [GMW86;
GMR89; GMW91] together with Accumulators, as suggested in [CL02]. This approach allows a prover to prove to a verifier possession of valid (i.e. not revoked) Credentials in an anonymous and unlinkable way. However this accomplishes just half of the require-ments of a Secret Handshake, namely one the two parties proving to the other that
it possesses a Credential: turning this into a two-party protocol satisfying fairness ac-cording to Definition 8 is not a straightforward task. These shortcomings have already been acknowledge by Balfanz and colleagues [BDS+03], who stated that accumulators are ill-suited for Secret Handshake scenarios. For this reason we do not follow this approach.
5.2.1 Syntactic Definition
In this Section we formally define a Secret Handshake scheme supporting revocation of Credentials. The scheme is constructed using two symmetric instances of a prover-verifier protocol. The difference with the scheme of Chapter 4 is that in this case the two schemes will effectively be separated, leading to the computation of two separate keys. It is therefore essential that, at the end of the scheme, the two users can prove to one another knowledge of both keys simultaneously: this will ensure fairness according to Definition 8.
The algorithms composing the scheme are:
• Setup(k)→(param,secret) is a probabilistic polynomial-time algorithm executed by the certification authority taking a security parameterkas input and produc-ing public parametersparam and private parameterssecret;
• Certify(u, p,secret)→ (credu,p, xu,p) is a probabilistic polynomial-time algorithm executed by the certification authority upon a user’s request. The certification entity verifies that the supplicant useru∈Upossesses the propertyp∈Pwhose possession will later be proved during the protocol execution; after a successful verification, the certification entity issues touthe appropriate Credential formed by the pair (credu,p, xu,p). The user can verify the correctness of the Credential.
If the verification succeeds, the user accepts the Credential and aborts otherwise;
• Grant(u, p,secret) → (matchp) is a probabilistic polynomial-time algorithm exe-cuted by the certification entity upon a user’s request. First of all the certification entity verifies that – according to the policies of the system – the useruis entitled to verify that another user possesses propertyp∈P. If the verification is success-ful, the certification entity issues the appropriate Matching Reference matchp; the user can verify the correctness of the Matching Reference. If the verification succeeds, the user accepts the Matching Reference and aborts otherwise;
• Revoke(u, p,secret,rl) → (rlupd) is a probabilistic polynomial-time algorithm ex-ecuted by the certification entity when the Credential for property p owned by user u needs to be revoked. The certification entity executes the algorithm by updating a public revocation list rl, appending revocation information for the newly revoked Credential;
• Handshake is a probabilistic polynomial-time two-party algorithm executed by two users,ui and uj; the algorithm is composed of three sub-algorithms:
– Handshake.Init(param,state) → (n,stateupd) outputs a nonce n and updates the internal state state;
– Handshake.RandomizeCredentials(param,(credu,p1, xu,p1),state, n) → (SH, stateupd, K1) takes as input the system parameters, the user Credential, the nonce n received from the other party and produces the Secret Handshake message SH and the key K1 linked to the proof of possession of property p1; it also updates the internal state state;
– Handshake.CheckRevoked(param, SH,rl, . . .)→(b) takes as input the system parameters, the Secret Handshake message received from the other party, an updated version of the revocation listrland additional parameters; the algo-rithm outputs a boolean value set to true if the Credential used to generate SH has been revoked;
– Handshake.Match(param, SH, matchp2,state)→(K2) takes as input the sys-tem parameters,SH, the Credentials received from the other user, the local state, the Matching Referencematchu,p; the user first executes sub-algorithm Handshake.CheckRevoked to check whether the other user’s Credential has been revoked, in which case the algorithm aborts; ifHandshake.CheckRevoked gives a negative answer (i.e. if the Credential has not been revoked), the al-gorithm outputs a keyK2, linked to the verification of possession of property p2;
Assume two users ui and uj engage in the execution of Handshake; ui’s input is a Credential for property p2, (credui,p2, xui,p2) and a Matching Reference for propertyp3,matchp3;uj’s input is a Credential for propertyp1, (creduj,p1, xuj,p1)
and a Matching Reference for propertyp4,matchp4. The algorithm operates as described in Figure 5.1.
ui : Handshake.Init(param,statei)→(ni,statei,upd) ui −→ uj : ni
uj : Handshake.Init(param,statej)→(nj,statej,upd) uj −→ ui : nj
uj : Handshake.RandomizeCredentials((creduj,p1, xuj,p1),statej, ni)
→(SHj,statej,upd, Kj,1) uj −→ ui : SHj
ui : Handshake.RandomizeCredentials((credui,p2, xui,p2),statei, nj)
→(SHi,statei,upd, Ki,1) ui −→ uj : SHi
ui : Handshake.Match(SHj, matchp3,statei)→(Ki,2) uj : Handshake.Match(SHi, matchp4,statej)→(Kj,2)
Figure 5.1: TheHandshakealgorithm executed by two usersuiand uj.
The two pairs of keys Ki,1, Kj,2, and Ki,2, Kj,1 are equal under the following conditions: p1 = p3 and p2 = p4. This implies that ui’s Credential is for the same property asuj’s Matching Reference and similarly, thatuj’s Credential is for the same property asui’s Matching Reference. Otherwise at least one of the two keys is a random value with overwhelming probability.
Notice that Handshake.CheckRevoked has been purposely defined with a different set of arguments; indeed, depending on the particular instance of Secret Handshake (classic, with Dynamic Matching, with Dynamic Controlled Matching), a variable list of arguments is required, as we shall see in the rest of this Chapter.
5.2.2 Security Requirements
In this Section we analyze the security requirements of Secret Handshakes, taking revocation into consideration.
In the previous Section we have seen that two separate keys are computed; with a reference to Figure 5.1, key Ki,1 is the key that ui is able to compute if successful in the proof of possession of property p2; key Kj,2 is the key that uj is able to com-pute if successful in the verification of property p4. If both are successful in the proof
and verification (respectively), then Ki,1 =Kj,2. The same applies for Ki,2 and Kj,1. Thus, the two pairs of keys are effectively separate, in that each pair depends on the proof/verification of one property. Therefore in the security analysis we will acknowl-edge this separation by focusing only on one key at a time in the games for detection and impersonation resistance.
The handshake is sealed by a simultaneous proof of knowledge of both keys. It is a necessary prerequisite for the security of the scheme that the proof of knowledge does not – in any way – leak the actual value of the keys and that it proves knowledge of both keys simultaneously.
The security requirements of the scheme can be effectively resumed as follows:
1. Correctness: if two users Aand B engage inHandshake, and if A possesses valid Credentials for B’s Matching References and B possesses valid Credentials for A’s Matching References, they both output the same pair of keys;
2. Impersonator Resistance: given propertyp∗; let us assume two users, A and B, engage in Handshake; B has a Matching Reference for p∗; then, it is computa-tionally infeasible for A – without a non-revoked Credential for p∗ – to engage in Handshakewith B and output the correct key, linked to a successful proof of possession of p∗ by A and a successful detection ofp∗ by B;
3. Detector Resistance: given propertyp∗; let us assume two users,AandB, engage inHandshake;B has a Credential forp∗; then, it is computationally infeasible for A – without the appropriate Matching Reference forp∗ – to distinguish between the key Acomputes executingHandshake and a random value;
4. Unlinkability of Users: it is computationally unfeasible for a user – engaging in two executions ofHandshake – to tell whether he was interacting with the same user or two different ones;
5. Unlinkability of Properties: it is computationally unfeasible for a user – engaging in two executions of Handshake without the appropriate Matching References – to tell whether he was interacting with users having Credentials for the same property or for different ones;
Notice that for Impersonator Resistance we consider a weaker requirement than the one considered in Section 4.2.3: indeed the adversary is required to output the correct key instead of distinguishing between the correct key and a random value. The same holds for the security analyses of Secret Handshake schemes in the literature, such as [BDS+03; AKB07].
We consider a similar type of adversarial model as in Section 4.2.3. A substantial difference with respect to that model however, is brought forward by the fact that this scheme supports revocation. Indeed, in the present model the adversary can always obtain Credentials for any properties at his will, with no restriction; however the Cre-dentials for properties being object of impersonation attacks are revoked before the challenge.
The adversary is allowed to access a number of oracles managed by the challenger in order to interact with the system; the oracles are:
• OSetup is invoked when the adversary wants to create a new certification authority by callingSetup;
• OCertify is invoked when the adversary wants to receive a Credential for a given property through the execution ofCertify;
• OGrant is invoked when the adversary wants to receive a Matching Reference for a given property through the execution ofGrant;
• ORevoke is invoked when the adversary wants to receive a Revocation Handle for a given Credential through the execution of Revoke;
Let us now see how the security requirements listed above can be modeled with the oracles that we have introduced in this Section.
Resistance to Impersonation Attacks The goal of an adversaryAis to imperson-ate a user possessing a given property, without actually owning the corresponding Credential. Ahas access to oraclesOSetup,OCertify,OGrant,ORevoke;Athen chooses a property p∗ ∈ P; all Credentials for p∗ A received so far are revoked. Then, challenger and adversary engage in the execution of only one side of theHandshake protocol, as shown in Figure 5.2. The adversary is the challenged to output the keyK;
c : Handshake.Init(param,statec)→(nc,statec,upd) c −→ A : nc
A −→ c : SHA A −→ c : K
Figure 5.2: Challenge for an adversary attempting to break impersonation resistance.
Resistance to Detection Attacks Let us consider an adversaryAwhose goal is to verify presence of a property of his choice without owning the corresponding Matching Reference. A has access to oracles OSetup, OCertify, OGrant, ORevoke; A then chooses a property p∗ ∈ P for which no call to OGrant has been made (i.e.
A does not have a Matching Reference for p∗). Then, challenger and adversary engage in the execution of Handshakeas shown in Figure 5.3.
A −→ c : nA
c : Handshake.RandomizeCredentials((credc,p∗, xc,p∗),statec, nA)
→(SHc,statec,upd, Kc,1) c −→ A : SHc
c : K0 ←Kc,1
c : K1 ← {0,R 1}n c : b← {0,R 1}
c −→ A : Kb
Figure 5.3: Challenge for an adversary attempting to break detection resistance.
The adversary is the challenged to output a guess for b. n corresponds to the bitlength of the key Kc,1. Intuitively, this game challenges the capacity of the adversary to impersonate a user owning a Matching Reference for a given prop-erty p∗. The adversary receives a handshake message and is then required to distinguish the key linked to a successful detection ofp∗ from a random bitstring of the same length.
Unlinkability of Users Consider an adversaryAwhose goal is – given any two pro-tocol instances – to determine whether they were generated by the same user.
A has access to oracles OSetup, OCertify, OGrant, ORevoke; A is then challenged as
follows: he engages in two instances of Handshakewith the challenger and is re-quired to tell whether or not the challenger was impersonating the same user over the twoHandshakeinstances.
Unlinkability of Properties Consider an adversaryAwhose goal is – given any two protocol instances – to determine whether they were generated to prove possession of the same property. A has access to oracles OSetup, OCertify, OGrant,ORevoke; A chooses a property p∗ such that no query to OGrant has been submitted and is then challenged as follows: he engages in two instances of Handshake with the challenger and has to return true if he can decide that during both instances, the challenger has used Credentials forp∗.