Abstract
An identification protocol has to deliver a proof that the protocol participants are who they claim to be. Related to the circumstances, the proof must be sufficiently convincing for the addressee. On the other hand, as long as the data minimality principle is concerned, the proof should be useless for any party that is not the intended addressee. While the first goal has attracted a lot of attention, the second one has been rather neglected.
In this paper we discuss requirements for identification protocols from the point of view of privacy protection requirements of the GDPR regulation introduced in Europe. We concern the problem of cryptographic data created by identification protocols and misusing them as an evidence presented to third parties. We concern in particular the case when it appears that a malicious participant follows the protocol, however the privacy protection guarantees supposedly provided by the scheme are effectively broken.
We show that from the point of view of GDPR the classical schemes like static Diffie-Hellman, Schnorr, Wu, Stinson-Wu, and Di Raimondo-Gennaro fail to comply with the EU Regulation even if they are deniable.
This work has been initiated under support of the Polish National Science Centre, contract OPUS no 2014/15/B/ST6/02837, and later supported by grant S50129/K1102 at Wrocław University of Science and Technology. This work was also partially supported by China 111 Project (No. B16037) and Key Project of Natural Science Basic Research Plan in Shaanxi Province of China (No. 2016JZ021).
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Diffie, W., Hellman, M.E.: New directions in cryptography. IEEE Trans. Inf. Theory 22(6), 644–654 (1976). https://doi.org/10.1109/TIT.1976.1055638
Blake-Wilson, S., Menezes, A.: Authenticated Diffe-Hellman key agreement protocols. In: Tavares, S., Meijer, H. (eds.) SAC 1998. LNCS, vol. 1556, pp. 339–361. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48892-8_26
The European Parliament and the Council of the European Union: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/ec (General Data Protection Regulation). Off. J. Eur. Union 119(1) (2016)
Hanzlik, L., Kluczniak, K., Kutyłowski, M.: Controlled randomness – a defense against backdoors in cryptographic devices. In: Phan, R.C.-W., Yung, M. (eds.) Mycrypt 2016. LNCS, vol. 10311, pp. 215–232. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-61273-7_11
Young, A.L., Yung, M.: Malicious Cryptography - Exposing Cryptovirology. Wiley, Hoboken (2004)
Błaśkiewicz, P., et al.: Pseudonymous signature schemes. In: Li, K.-C., Chen, X., Susilo, W. (eds.) Advances in Cyber Security: Principles, Techniques, and Applications, pp. 185–255. Springer, Singapore (2019). https://doi.org/10.1007/978-981-13-1483-4_8
Di Raimondo, M., Gennaro, R.: New approaches for deniable authentication. J. Cryptol. 22(4), 572–615 (2009). https://doi.org/10.1007/s00145-009-9044-3
Bender, J., Dagdelen, Ö., Fischlin, M., Kügler, D.: The PACE\(|\)AA protocol for machine readable travel documents, and its security. In: Keromytis, A.D. (ed.) FC 2012. LNCS, vol. 7397, pp. 344–358. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32946-3_25
Damgård, I.: Towards practical public key systems secure against chosen ciphertext attacks. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 445–456. Springer, Heidelberg (1992). https://doi.org/10.1007/3-540-46766-1_36
Schnorr, C.P.: Efficient signature generation by smart cards. J. Cryptol. 4(3), 161–174 (1991)
Wu, J.: Cryptographic protocols, sensor network key management, and RFID authentication. Ph.D. thesis, University of Waterloo, Ontario, Canada (2009). http://hdl.handle.net/10012/4501
Stinson, D.R., Wu, J.: An efficient and secure two-flow zero-knowledge identification protocol. J. Math. Cryptol. 1(3), 201–220 (2007). https://doi.org/10.1515/JMC.2007.010
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2019 Springer Nature Switzerland AG
About this paper
Cite this paper
Kutyłowski, M., Krzywiecki, Ł., Chen, X. (2019). Rethinking Identification Protocols from the Point of View of the GDPR. In: Dolev, S., Hendler, D., Lodha, S., Yung, M. (eds) Cyber Security Cryptography and Machine Learning. CSCML 2019. Lecture Notes in Computer Science(), vol 11527. Springer, Cham. https://doi.org/10.1007/978-3-030-20951-3_25
Download citation
DOI: https://doi.org/10.1007/978-3-030-20951-3_25
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-20950-6
Online ISBN: 978-3-030-20951-3
eBook Packages: Computer ScienceComputer Science (R0)