Computer Science
CSC 774 Advanced Network Security
Topic 2.5 Secret Handshake
Slides by Tong Zhou
CSC 774
Dr. Peng Ning
Goals
• Authenticate without revealing credentials
– Consider two groups G1 and G2, two parties A 
G1 and B  G2. A and B wants to authenticate each
other.
– If G1 ≠ G2: A and B only know they are not in the
same group.
– If G1 = G2: A and B can authenticate to each other.
– A third party learns nothing by observing
conversations between A and B.
Computer Science
CSC 774
Dr. Peng Ning
Preliminaries: Pairing-based Cryptography
• Bilinear Maps:
– Two cyclic groups of large prime order q: G1 and G2
– eˆ : G1  G1  G 2 is a bilinear map if
a, b  Zq ; P, Q  G1; eˆ(aP, bQ)  eˆ(P, Q)ab
• ê should be computable, non-degenerate and satisfies
Bilinear Diffie-Hellman assumption, i.e., given P, aP,
abc
ˆ
e
(
P
,
P
)
bP, cP, it is hard to compute
Computer Science
CSC 774
Dr. Peng Ning
Protocol Sketch
• Equipped with bilinear map ê and one-way
hash function H1
• CA has a master key t.
• Assume a drivers and cops scenario.
Computer Science
CSC 774
Dr. Peng Ning
Protocol Sketch
K A  eˆ( H1 (“xy6542678
d - cop”),TA ) K B  eˆ(TB , H1 (“p65748392
a - driver”))
K A me
K
B
Please show
Driver’s
licence,
your pseudonym.please.
xy6542678d
p65748392a
Driver’s Licence:
Traffic cop credential:
“p65748392a”,TA
“xy6542678d”,TB
TB = tH1(“xy6542678d-cop”)
TA = tH1(“p65748392a-driver”)
Computer Science
CSC 774
Dr. Peng Ning
Protocol Sketch – Attacker Igor
K A  eˆ( H1 (“xy6542678
d - cop”),TA )
???
This guy
is me
notI aam a cop. Driver’s
Please
show
cop.
your
pseudonym.licence, please.
xy6542678d
p65748392a
Driver’s Licence:
Obtains Bob’s pseudonym
“p65748392a”,TA
“xy6542678d”
TA = tH1(“p65748392a-driver”)
Computer Science
CSC 774
Dr. Peng Ning
Secret-Handshake Scheme (SHS)
•
SHS.CreateGroup(G): executed by an administrator,
generates the group secret GroupSecretG for G.
•
SHS.AddUser(U,G,GroupSecretG): creates user secret
UserSecretU,G for new user U.
•
SHS.HandShake(A,B): Users A and B authenticates each
other. B discovers A  G if and only if A discovers B  G.
•
SHS.TraceUser: Administrator tells the user from a
transcript T generated during conversation between A and B.
•
SHS.RemoveUser: Administrator revokes user U
Computer Science
CSC 774
Dr. Peng Ning
Pairing-Based Handshake (PBH)
• PBH.CreateGroup: Administrator sets GroupSecretG as a
random number sG  Zq
• PBH.AddUser: Administrator generates pseudonyms for users:
{idU 1 ,, idUt }
and then generates the corresponding secret points:
{privU1,, privUt }
where
privUi  sG H1 (idUi )
H1 is a one-way hash function.
Computer Science
CSC 774
Dr. Peng Ning
Pairing-Based Handshake (PBH)
•
PBH.Handshake:
•
•
•
id A , n A
A
B
id B , nB ,V0
A
B
V1
A
B
V0  H 2 (eˆ( H1 (id A ), privB ) | id A | id B | nA | nB | 0)
V1  H 2 (eˆ(privA , H1 (id B )) | id A | id B | nA | nB | 1)
S  H 2 (eˆ(privA ,H1 (id B )) | id A | idB | n A | n B | 2)
 H 2 (eˆ(H1(idB ),privB ) | id A | idB | n A | n B | 2)
Computer Science
CSC 774
Dr. Peng Ning
Pairing-Based Handshake (PBH)
• PBH.TraceUser: Since the conversations of
handshaking include the pseudonyms,
administrator can easily figure out the users.
• PBH.RemoveUser: Administrator removes
user U by broadcasting its pseudonyms to all
the other users, so that other users won’t accept
pseudonyms of U.
Computer Science
CSC 774
Dr. Peng Ning
Computational Diffie-Hellman Instead of
Bilinear Diffie-Hellman
• CreateGroup: Administrator picks (p,q,g). p and q are primes,
g is a generator of a subgroup in Z*p of order q. Also, picks up a
private key x, and computes the public key y=gx mod p
• AddUser: For user U, administrator generates idU, then
generates a pair
(w, t )  (Z*p , Z q )
so that
g t  wy H ( w, ID)
idU, w, t will be given to the user.
Computer Science
CSC 774
Dr. Peng Ning
Computational Diffie-Hellman Instead of
Bilinear Diffie-Hellman
• AddUser: For user U, administrator generates idU, then generates a pair
(w, t )  (Z*p , Z q )
so that
g t  wy H ( w, ID)
idU, w, t will be given to the user.
– How to generate the pair (w,t)?
Randomly pick r, compute
w  g r mod p
t  r  xH ( w, ID)
Computer Science
CSC 774
Dr. Peng Ning
Computational Diffie-Hellman Instead of
Bilinear Diffie-Hellman
• Handshake: Assume user A has (idA, wA, tA) and user
B has (idB, wB, tB). Define several marks (ElGamal
Encryption):
–
Recover(y, id, w)  PK  wy H ( w,id) mod p
–
EncPK (m)  [c1 , c2 ]
 [ g R mod p, m  H ' ( PK R mod p)]
–
Dect ([c1, c2 ])  m  c2  H ' (c1t mod p)
Computer Science
CSC 774
Dr. Peng Ning
Computational Diffie-Hellman Instead of
Bilinear Diffie-Hellman
• Handshake:
PKB  Recover(y,id B , wB )
randomly picks rA ,ch A
computes
CA  EncPKB (rA )
id B , wB
A
A
B
idA ,w A ,CA ,ch a
B

rB  DectA (CB ) A
CB ,resp B ,chB
resp A  H(rA ,rB ,ch B )

rA  DectB (CA )
randomly picks rB ,ch B
computes
verifies
respB

PKA  Recover(y,id A , wA )
A
Computer Science
resp A


CSC 774
CB  EncPKA (rB )
B resp  H(r ,r ,ch )

B
A B
A
B
verifies respA
Dr. Peng Ning
Intuition
• If A and B are in the same group, each of them
can decrypt the random number (ra and rb).
• If not, neither of them can get any information
about ra or rb.
Computer Science
CSC 774
Dr. Peng Ning