Unlinkable Secret Handshakes and Key-Private Group Key Management Schemes
2007; Springer Science+Business Media; Language: English
DOI: 10.1007/978-3-540-72738-5_18
ISSN: 1611-3349
Authors: Stanisław Jarecki, Xiaomin Liu
Topic(s): Security in Wireless Sensor Networks
Abstract: We present the first practical unlinkable secret handshake scheme. An unlinkable secret handshake is a two-way authentication protocol in a PKI setting which protects the privacy and anonymity of all information about the participants from everyone except their intended authentication partners. Namely, if entity A certified by organization CA_A wants to authenticate itself only to other entities certified by CA_A, and, symmetrically, entity B certified by CA_B wants to authenticate itself only to entities also certified by CA_B, then a secret handshake protocol authenticates these parties and establishes a fresh shared key between them if and only if CA_A = CA_B and the two parties entered valid certificates for this CA into the protocol. If, however, CA_A ≠ CA_B, or CA_A = CA_B but either A or B is not certified by this CA, the secret handshake protocol reveals no information to the participants except the bare fact that their inputs do not match. In other words, an Unlinkable Secret Handshake scheme is a perfectly private authentication method in the PKI setting: one can establish authenticated communication with parties that possess the credentials required by one's policy, and at the same time one's affiliation and identity remain perfectly secret from everyone except the parties to whom one wants to authenticate. Efficient secret handshake schemes, i.e. authentication protocols which protect the privacy of participants' affiliations, were proposed before, but participants in these schemes remained linkable. Namely, an attacker could recognize all the instances of the protocol executed by the same entity. Secondly, the previous schemes surrendered a user's privacy if that user's certificates were revoked; our scheme alleviates this problem as well. Unlinkable schemes were proposed as well, but they either relied on single-use certificates, or did not support revocation, or required instantaneous propagation of revocation information.
Crucial ingredients in our construction of unlinkable secret handshakes are chosen-ciphertext secure key-private encryption and multi-encryption schemes, and the first efficient construction of a key-private group key management scheme, which is a stateful analogue of (key-private) public key broadcast encryption.