
Anonymous Authentication with Shared Secrets

Conference paper, in: Progress in Cryptology - LATINCRYPT 2014 (LATINCRYPT 2014)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 8895)

Abstract

Anonymity and authenticity are both important yet often conflicting security goals in a wide range of applications. On the one hand, for many applications (say, for access control) it is crucial to be able to verify the identity of a given legitimate party (a.k.a. entity authentication). Alternatively, an application might require that no one but a party can communicate on its behalf (a.k.a. message authentication). Yet, on the other hand, privacy concerns also dictate that the anonymity of a legitimate party should be preserved; that is, no information concerning the identity of parties should be leaked to an outside entity eavesdropping on the communication. This conflict becomes even more acute when considering anonymity with respect to an active entity that may attempt to impersonate other parties in the system.

In this work we resolve this conflict in two steps. First, we formalize what it means for a system to provide both authenticity and anonymity, even in the presence of an active man-in-the-middle adversary, for various specific applications such as message and entity authentication, using the constructive cryptography framework of [Mau11, MR11]. Our approach inherits the composability statement of constructive cryptography and can therefore be directly used in any higher-level context. Next, we demonstrate several simple protocols for realizing these systems, at times relying on a new type of (probabilistic) Message Authentication Code (MAC) called key indistinguishable (KI) MACs. Similar to the key-hiding encryption schemes of [BBDP01], they guarantee that tags leak no discernible information about the keys used to generate them.

The unabridged version of this paper appears in [AHM+14a].

A. Patra—Work done while the author was at ETH Zurich.


Notes

  1. One could also give an equivalent formulation in the UC framework.

  2. Or more generally using the same or different states.

  3. In particular the security proof for the probabilistic setting then automatically carries over (at least in a computational sense) by preceding the proof with a hybrid argument replacing the output of each call to the PRG with fresh random numbers.

  4. Called the “environment” in the language of UC.

  5. And more abstractly, this property plays an important role in the composition theorem of [Mau11].

  6. Upon each invocation the transcript oracle outputs a freshly sampled transcript between the honest server and client.

  7. As is done, for example, in the separating example between the two notions in [MT12].

  8. In the language of UC one speaks of ideal functionalities, and in the language of ITMs of communication tapes.

  9. We note that resources and composed systems are actually computational objects of the same type, and so at times we also use calligraphic capital letters to denote a composed system.

  10. Indeed, as shown in the so-called “Dummy Lemma” for various UC-type frameworks, this restriction results in no loss of generality while making security proofs far more tractable.

  11. This stands in contrast to, say, game-based definitions, which instead guarantee certain properties of a real-world system only within the particular context captured by the game. For example, the anonymity of the authentication protocols defined in [Vau10, HPVP11] holds only with respect to adversaries which remain oblivious to which parties have previously authenticated themselves during the life of the system (even for the “wide adversary” variants).

  12. More specifically, in this work the underlying cryptographic assumptions used give rise to the properties of the real-world resource \(\mathcal{R}\), while the implementation choices can allow for bounding properties of \(\mathsf{D}\). The final distinguishing advantage of the real and ideal systems is usually a function of both types of properties.

  13. Indeed this is not difficult to see. For example, we can modify any (say \(\mathsf{uf\text{-}cmva}\)) unforgeable scheme as follows such that it is clearly not key indistinguishable. Double the key size, use the first half of the key in conjunction with the original \(\mathsf{TAG}\) algorithm to tag the message, and then append the second half of the key to the resulting tag. Clearly the scheme remains unforgeable; however, it is trivial to tell tags issued under different keys apart.

  14. For stateful MACs it is important that the full state (and not just the secret key) be shared between matching oracles in \([k_0, k_0]\). Suppose we have a secure MAC which hides all information about the secret keys. We can modify the \(\mathsf{TAG}\) algorithm to keep a counter which it appends to each tag \(\tau\) it outputs. Clearly the scheme still hides all information about the secret key. However, it is unclear how such a scheme might be used to achieve anonymity. Indeed, it is trivial to tell, say, the \(10^{\mathrm{th}}\) tag issued for key \(k_0\) from the \(3^{\mathrm{rd}}\) tag issued for a different key \(k_1\).

  15. For some applications (such as entity authentication for light-weight devices) this reflects a design choice for senders already common in practice.

  16. We use the standard notation \([n]\) to denote the set \(\{1,\ldots,n\}\).

  17. In case the relative order of clients’ responses in different sessions is known to be correlated (e.g., by one client possessing faster hardware than the others and always being the first to respond), the unlinkability of sessions is not guaranteed.

  18. As described in the introduction, in the language of [TM12] this corresponds precisely to \((\{C,S\}, \{S\})\)-authenticity.

  19. A formal description can be found in [AHM+14a].

  20. Universal unforgeability is a relaxed security notion for MACs where the adversary only wins by producing a fresh (valid) tag for a uniformly random message chosen by the challenger.

  21. The security loss arises because, in addition to having to guess for which client an impersonation attack will arise (see [AHM+14b]), the reduction to universal unforgeability must also guess during which of the \(q_s\) sessions the attack occurs, so as to properly plant its random challenge message from the universal unforgeability game.
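An added illustration (not code from the paper) of the two separating examples in notes 13 and 14: a key-hiding base MAC is modified either to append half of its key (note 13) or to append a running counter (note 14), and a simplified form of the key-indistinguishability game shows that each modification admits a trivial distinguisher, while the unmodified base MAC yields no advantage. HMAC-SHA256 standing in for a key-hiding base MAC, the class and function names, and the simplified game (two tagging oracles that are either one shared instance or two independently keyed ones) are assumptions of this illustration.

```python
import hashlib, hmac, os, secrets

KEY_LEN = 32  # bytes of base-MAC key

def base_tag(key: bytes, msg: bytes) -> bytes:
    # HMAC-SHA256 stands in for a MAC whose tags hide the key (an assumption for this illustration).
    return hmac.new(key, msg, hashlib.sha256).digest()

class BaseMac:
    def __init__(self, key: bytes) -> None:
        self.key = key
    def tag(self, msg: bytes) -> bytes:
        return base_tag(self.key, msg)

class LeakyMac:
    """Note 13: key is 2*KEY_LEN bytes; tag with the first half, append the second half."""
    def __init__(self, key: bytes) -> None:
        self.k_tag, self.k_leak = key[:KEY_LEN], key[KEY_LEN:]
    def tag(self, msg: bytes) -> bytes:
        return base_tag(self.k_tag, msg) + self.k_leak  # unforgeable, but the suffix names the key

class CounterMac:
    """Note 14: key-hiding MAC whose tagger appends a running counter to every tag."""
    def __init__(self, key: bytes) -> None:
        self.key, self.ctr = key, 0
    def tag(self, msg: bytes) -> bytes:
        self.ctr += 1
        return base_tag(self.key, msg) + self.ctr.to_bytes(4, "big")

def ki_experiment(make_oracle, adversary, key_len: int, trials: int = 200) -> float:
    """Simplified KI game: with b=0 both oracles are one tagger instance (shared key and,
    as note 14 requires, shared state); with b=1 they are independently keyed instances.
    Returns the adversary's rate of guessing b; 1/2 means no advantage."""
    wins = 0
    for _ in range(trials):
        b = secrets.randbelow(2)
        o0 = make_oracle(os.urandom(key_len))
        o1 = o0 if b == 0 else make_oracle(os.urandom(key_len))
        if adversary(o0, o1) == b:
            wins += 1
    return wins / trials

def adv_suffix(o0, o1) -> int:
    t0, t1 = o0.tag(b"m0"), o1.tag(b"m1")  # distinct messages, so base tags never coincide
    return 0 if t0[-KEY_LEN:] == t1[-KEY_LEN:] else 1

def adv_counter(o0, o1) -> int:
    t0, t1 = o0.tag(b"m0"), o1.tag(b"m1")
    return 0 if t0[-4:] != t1[-4:] else 1  # a shared counter advances between the two calls
```

Against `LeakyMac` and `CounterMac` the respective adversary guesses b every time, whereas against `BaseMac` both adversaries sit at roughly 1/2.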

References

  1. Ateniese, G., Camenisch, J., de Medeiros, B.: Untraceable RFID tags via insubvertible encryption. In: ACM Conference on Computer and Communications Security, pp. 92–101 (2005)

  2. Abadi, M., Fournet, C.: Mobile values, new names, and secure communication. SIGPLAN Not. 36(3), 104–115 (2001)

  3. Abadi, M., Fournet, C.: Private authentication. Theor. Comput. Sci. 322(3), 427–476 (2004)

  4. Alwen, J., Hirt, M., Maurer, U., Patra, A., Raykov, P.: Anonymous authentication with shared secrets. Cryptology ePrint Archive, Report 2014/073 (2014). http://eprint.iacr.org/

  5. Alwen, J., Hirt, M., Maurer, U., Patra, A., Raykov, P.: Key-indistinguishable message authentication codes. Cryptology ePrint Archive, Report 2014/107 (2014, to appear in SCN 2014)

  6. Arapinis, M., Mancini, L.I., Ritter, E., Ryan, M., Golde, N., Redon, K., Borgaonkar, R.: New privacy issues in mobile telephony: fix and verification. In: ACM CCS, pp. 205–216. ACM (2012)

  7. Arapinis, M., Mancini, L.I., Ritter, E., Ryan, M.: Formal analysis of UMTS privacy. CoRR, abs/1109.2066 (2011)

  8. Bellare, M., Boldyreva, A., Desai, A., Pointcheval, D.: Key-privacy in public-key encryption. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 566–582. Springer, Heidelberg (2001)

  9. Burmester, M., Le, T.V., de Medeiros, B., Tsudik, G.: Universally composable RFID identification and authentication protocols. ACM Trans. Inf. Syst. Secur. 12(4), 1–33 (2009)

  10. Burmester, M., Munilla, J.: Lightweight RFID authentication with forward and backward security. ACM Trans. Inf. Syst. Secur. 14(1), 11 (2011)

  11. Bellare, M., Rogaway, P.: Entity authentication and key distribution. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 232–249. Springer, Heidelberg (1994)

  12. Barbeau, M., Robert, J.-M.: Perfect identity concealment in UMTS over radio access links. In: WiMob (2), pp. 72–77. IEEE (2005)

  13. Canetti, R.: Universally composable security: A new paradigm for cryptographic protocols. In: FOCS, pp. 136–145 (2001)

  14. Choudhury, H., Roychoudhury, B., Saikia, D.K.: UMTS user identity confidentiality: An end-to-end solution. In: WOCN, pp. 1–6. IEEE (2011)

  15. Choudhury, H., Roychoudhury, B., Saikia, D.K.: Enhancing user identity privacy in LTE. In: TrustCom, pp. 949–957. IEEE C. Soc. (2012)

  16. Deng, R.H., Li, Y., Yung, M., Zhao, Y.: A zero-knowledge based framework for RFID privacy. J. Comp. Sec. 19(6), 1109–1146 (2011)

  17. Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987)

  18. Guillou, L.C., Quisquater, J.-J.: A practical zero-knowledge protocol fitted to security microprocessor minimizing both transmission and memory. In: Günther, C.G. (ed.) EUROCRYPT 1988. LNCS, vol. 330, pp. 123–128. Springer, Heidelberg (1988)

  19. Gódor, G., Varadi, B., Imre, S.: Novel authentication algorithm of future networks. In: ICN/ICONS/MCL, p. 80. IEEE Computer Society (2006)

  20. Hermans, J., Pashalidis, A., Vercauteren, F., Preneel, B.: A new RFID privacy model. In: Atluri, V., Diaz, C. (eds.) ESORICS 2011. LNCS, vol. 6879, pp. 568–587. Springer, Heidelberg (2011)

  21. Jarecki, S., Kim, J., Tsudik, G.: Beyond secret handshakes: affiliation-hiding authenticated key exchange. In: Malkin, T. (ed.) CT-RSA 2008. LNCS, vol. 4964, pp. 352–369. Springer, Heidelberg (2008)

  22. Khan, M., Ahmed, A., Cheema, A.R.: Vulnerabilities of UMTS access domain security architecture. In: SNPD, pp. 350–355 (2008)

  23. Kohlweiss, M., Maurer, U., Onete, C., Tackmann, B., Venturi, D.: Anonymity-preserving public-key encryption: a constructive approach. In: De Cristofaro, E., Wright, M. (eds.) PETS 2013. LNCS, vol. 7981, pp. 19–39. Springer, Heidelberg (2013)

  24. Køien, G.M., Oleshchuk, V.A.: Location privacy for cellular systems; analysis and solution. In: Danezis, G., Martin, D. (eds.) PET 2005. LNCS, vol. 3856, pp. 40–58. Springer, Heidelberg (2006)

  25. Lee, M.-F., Smart, N.P., Warinschi, B., Watson, G.: Anonymity guarantees of the UMTS/LTE authentication and connection protocol. Cryptology ePrint Archive, Report 2013/027 (2013). http://eprint.iacr.org/

  26. Maurer, U.: Constructive cryptography – a new paradigm for security definitions and proofs. In: Mödersheim, S., Palamidessi, C. (eds.) TOSCA 2011. LNCS, vol. 6993, pp. 33–56. Springer, Heidelberg (2012)

  27. Maurer, U., Renner, R.: Abstract cryptography. In: ICS, pp. 1–21. Tsinghua University Press (2011)

  28. Mol, P., Tessaro, S.: Secret-key authentication beyond the challenge-response paradigm: Definitional issues and new protocols. Manuscript, December 2012

  29. Okamoto, T.: Provably secure and practical identification schemes and corresponding signature schemes. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 31–53. Springer, Heidelberg (1993)

  30. 3rd Generation Partnership Project: TS 33.102 - 3G security; Security architecture V11.5.0 (2012)

  31. Sattarzadeh, B., Asadpour, M., Jalili, R.: Improved user identity confidentiality for UMTS mobile networks. In: ECUMN, pp. 401–409. IEEE Computer Society (2007)

  32. Schnorr, C.-P.: Efficient identification and signatures for smart cards. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 239–252. Springer, Heidelberg (1990)

  33. Tsay, J.-K., Mjølsnes, S.F.: A vulnerability in the UMTS and LTE authentication and key agreement protocols. In: Kotenko, I., Skormin, V. (eds.) MMM-ACNS 2012. LNCS, vol. 7531, pp. 65–76. Springer, Heidelberg (2012)

  34. Vaudenay, S.: Privacy models for RFID schemes. In: Ors Yalcin, S.B. (ed.) RFIDSec 2010. LNCS, vol. 6370, pp. 65–65. Springer, Heidelberg (2010)

  35. Yang, G., Wong, D.S., Deng, X., Wang, H.: Anonymous signature schemes. In: Yung, M., Dodis, Y., Kiayias, A., Malkin, T. (eds.) PKC 2006. LNCS, vol. 3958, pp. 347–363. Springer, Heidelberg (2006)

Author information

Corresponding author: Pavel Raykov.


Copyright information

© 2015 Springer International Publishing Switzerland

About this paper

Cite this paper

Alwen, J., Hirt, M., Maurer, U., Patra, A., Raykov, P. (2015). Anonymous Authentication with Shared Secrets. In: Aranha, D., Menezes, A. (eds) Progress in Cryptology - LATINCRYPT 2014. LATINCRYPT 2014. Lecture Notes in Computer Science, vol 8895. Springer, Cham. https://doi.org/10.1007/978-3-319-16295-9_12

  • DOI: https://doi.org/10.1007/978-3-319-16295-9_12

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-16294-2

  • Online ISBN: 978-3-319-16295-9
