Secret handshakes from ID-based message recovery signatures: A new generic approach,☆☆

https://doi.org/10.1016/j.compeleceng.2011.11.020

Abstract

The secret handshake scheme, a relatively new cryptographic application, allows the members of a certain organization to authenticate each other secretly. In this paper, we present a new generic framework for transforming any ID-based message recovery signature into a secret handshake scheme, whose provable security is determined by the security of the underlying signature. Based on our new generic framework, two concrete secret handshake schemes are elaborated; they originate from two different ID-based message recovery signatures and are provably secure against chosen-message attacks in the random oracle model.

Highlights

  • A new generic framework of secret handshake scheme is proposed.
  • The framework is provably secure in the random oracle model.
  • Two concrete secret handshake schemes are elaborated based on the framework.

Introduction

A promising cryptographic primitive, known as the secret handshake scheme, was first introduced by Balfanz et al. [1] to preserve privacy during mutual authentication. In such privacy-preserving authentication, a user reveals his/her affiliation to the other party only if both belong to the same organization. Thus participants learn only that they are members of the same organization, without leaking their true identities within it. As suggested in [1], [2], secret handshakes have many interesting applications; a representative one is validation in social networks such as online dating, in addition to the mutual authentication of FBI agents. In practice, a secret handshake scheme can also include roles, which extends handshakes from members of a single society to members of related societies.

Following Balfanz et al.'s initial work [1], which can be viewed as a variant of Sakai et al.'s [3] non-interactive key agreement scheme, many secret handshake schemes have been proposed from different cryptographic primitives. Castelluccia et al. [4] proposed a new secret handshake scheme using a novel tool called CA-oblivious public-key encryption; their scheme combines ElGamal encryption and Schnorr signatures under the weaker Computational Diffie-Hellman (CDH) assumption. Building on the Oblivious Signature-Based Envelope (OSBE) scheme, Zhou et al. [5] constructed an improved scheme from ElGamal and DSA signatures. In addition, Vergnaud [6] constructed secret handshake schemes under the RSA assumption. All of these works use one-time pseudonyms to ensure the unlinkability of secret handshakes executed between the same participants.

Xu and Yung [7] first presented a weaker notion of unlinkability with reusable credentials. Using a blinding technique, Huang and Cao proposed a novel and efficient unlinkable secret handshake scheme [8] based on Balfanz et al.'s scheme [1]. Later, Su [9] pointed out a successful impersonation attack on Huang and Cao's proposal [8]. Gu and Xue [10] then proposed an improved efficient secret handshake scheme with unlinkability by amending Huang and Cao's proposal [8]. Wen et al. [11] also presented a new unlinkable secret handshake scheme with reusable credentials in the random oracle model.

Based on the construction of identity-based encryption [12], Ateniese et al. [2] first proposed an efficient unlinkable secret handshake scheme without random oracles. However, their scheme treats the set of members sharing an attribute as a single entity rather than as distinct individuals. It is essentially a group key agreement scheme between sub-groups of a large group, which limits the applications of secret handshakes. To improve on the efficiency of Ateniese et al.'s scheme [2], Zhao et al. [13] constructed an efficient unlinkable secret handshake protocol without random oracles. Using a broadcast encryption mechanism, Jarecki et al. [14] provided a revocable secret handshake scheme with unlinkability. Based on Ateniese et al.'s scheme [2], Sorniotti and Molva [15] proposed a new dynamic matching scheme and revocable secret handshake schemes [16], [17]. Resorting to group signatures with message recovery, Kawai et al. [18] designed a conditionally unlinkable secret handshake scheme. At CRYPTO 2009, Jarecki and Liu [19] proposed a practical unlinkable secret handshake scheme that supports both traceability and revocation with reusable credentials. Inspired by Kawai et al.'s scheme [18] and Jarecki and Liu's scheme [19], Wen and Zhang [20] proposed a new revocable secret handshake scheme with backward unlinkability.

It is worth noting that Tsudik and Xu [21] presented the first flexible framework for multi-party secret handshakes, which seamlessly supports both two-party and multi-party handshakes. Since it relies on three building blocks (a group signature scheme, a centralized group key distribution scheme, and a distributed group key agreement scheme), the framework is too complicated for practice. Following this work, further results on multi-party secret handshakes have been presented, such as [22], [23], [24].

In this paper, we propose a new generic framework for constructing two-party secret handshake schemes from ID-based message recovery signatures (ID-MRS). The security of the generic framework reduces to that of the underlying ID-MRS. Based on the new framework, two concrete secret handshake schemes are presented in detail; they are built on two different ID-based signatures with message recovery that are secure against chosen-message attacks in the random oracle model. As a new generic framework based on ID-MRS, this proposal broadens the range of secret handshake schemes that can be constructed from one-time pseudonyms.

The remainder of this paper is organized as follows. In Section 2, we recall some preliminaries related to our proposed schemes, including the syntax and security definitions of ID-MRS and secret handshake schemes. In Section 3, a new generic framework for secret handshake schemes from ID-MRS is described, along with its security analysis. In Section 4, two paradigms derived from different ID-MRS are elaborated. In Section 5, the implementation and performance analyses are presented. Section 6 concludes the paper.


Preliminaries

In this section, we first recall the notions and definitions of bilinear pairings and the complexity assumption, which will be used in later sections. We also briefly describe the ID-based message recovery signature, which plays a pivotal role as the underlying primitive of our generic framework. Finally, the model and security definitions of secret handshakes are described. Unless stated otherwise, each abbreviation or acronym keeps the same meaning throughout.

A generic framework for secret handshakes from ID-MRS

With the help of the existing secret handshake schemes with one-time pseudonyms [1], [4], we find a new general approach by which any basic ID-MRS can be converted into a secret handshake scheme. The key idea of our approach is to revise the ID-MRS so that a signed message can be recovered from its signature but is not publicly verifiable. The verification of the recovered message is postponed to the second round of the interactive handshake phase, by applying message authentication

Two paradigms from our generic framework

According to the above generic framework, we now present two concrete paradigms of secret handshake scheme. The first paradigm employs the first ID-MRS proposed by Zhang et al. [26], and the second paradigm applies the more efficient ID-MRS proposed by Tso et al. [29].

Performance analysis

In this section, the implementation and performance analyses are presented. First, we describe the implementation details of our schemes. For the security parameters, G is constructed from the elliptic curve E defined by y^2 = x^3 - x + 1 over GF(3^167), which gives no less than 1536-bit discrete-log security. The bilinear pairing e on G is derived from the Tate pairing, as described in [30]. SHA-256 is used for the hash functions.
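The "1536-bit discrete-log security" figure above is a statement about the finite field the pairing maps into, not about GF(3^167) itself. The following Python check is added here by the editor (it is not code from the paper) and reproduces that figure from the stated parameters. It assumes, as is standard for the curve family y^2 = x^3 - x + b over GF(3^m), that the curve is supersingular with embedding degree 6, so the Tate pairing lands in GF(3^(6·167)); the group-order formula 3^m + 1 ± 3^((m+1)/2) for odd m is likewise a known property of this family, not something the page states. One caveat a practitioner should weigh before instantiating the framework with these parameters today: since 2013, quasi-polynomial-time discrete-logarithm algorithms for small-characteristic fields (Joux; Barbulescu, Gaudry, Joux and Thomé) and concrete computations in fields of exactly this shape (GF(3^(6·137)) and GF(3^(6·163)), Adj, Menezes, Oliveira and Rodríguez-Henríquez, 2014) mean that a characteristic-3 pairing of this size no longer delivers the security the 1536-bit figure suggests, so a modern implementation should use a pairing-friendly curve over a large prime field instead.

```python
"""Parameter sanity check for the pairing group used in Section 5.

Editor-added example, not code from the paper. It checks the stated
parameters (E: y^2 = x^3 - x + 1 over GF(3^167), Tate pairing, SHA-256)
against the "no less than 1536-bit discrete-log security" claim by
computing the size of the field the pairing maps into.
"""
import math

P = 3            # characteristic of the base field (from the paper)
M = 167          # extension degree: G lies on E(GF(3^167)) (from the paper)
HASH_BITS = 256  # SHA-256 (from the paper)

# Assumption (standard fact about this curve family, not stated on the page):
# y^2 = x^3 - x + b with b = +/-1 over GF(3^m) is supersingular with embedding
# degree 6, so the Tate pairing takes values in GF(3^(6m))^*.
EMBEDDING_DEGREE = 6


def base_field_bits(p: int = P, m: int = M) -> float:
    """log2 of the size of the base field GF(p^m)."""
    return m * math.log2(p)


def target_field_bits(p: int = P, m: int = M, k: int = EMBEDDING_DEGREE) -> float:
    """log2 of the size of GF(p^(k*m)), where the pairing output lives and
    where an attacker who reduces the problem via the pairing must solve DL."""
    return k * m * math.log2(p)


def curve_order_candidates(m: int = M) -> tuple:
    """#E(GF(3^m)) for the supersingular curves y^2 = x^3 - x + b with m odd is
    3^m + 1 +/- 3^((m+1)/2) (assumed known property of the family). Which sign
    applies depends on b and m, so both candidates are returned; only their
    bit size matters for this check."""
    if m % 2 == 0:
        raise ValueError("order formula assumes odd m")
    t = 3 ** ((m + 1) // 2)
    return 3**m + 1 + t, 3**m + 1 - t


def meets_dl_target(required_bits: int, p: int = P, m: int = M,
                    k: int = EMBEDDING_DEGREE) -> bool:
    """True if the pairing target field is at least `required_bits` wide,
    i.e. the paper's style of 'N-bit discrete-log security' claim holds
    under a generic (index-calculus-free) size count."""
    return target_field_bits(p, m, k) >= required_bits


def summary(p: int = P, m: int = M, k: int = EMBEDDING_DEGREE) -> dict:
    """Collect the numbers a reviewer would want next to the paper's claim."""
    hi, lo = curve_order_candidates(m)
    return {
        "base_field_bits": round(base_field_bits(p, m), 1),       # ~264.7
        "target_field_bits": round(target_field_bits(p, m, k), 1),  # ~1588.1
        "curve_order_bits": hi.bit_length(),                      # 265
        "hash_shorter_than_order": HASH_BITS < lo.bit_length(),   # SHA-256 fits
        "claim_1536_holds": meets_dl_target(1536, p, m, k),       # True
    }


if __name__ == "__main__":
    for key, value in summary().items():
        print(f"{key}: {value}")
```

The check only counts field size; it says nothing about the cost of the best known algorithm in that field, which is exactly where characteristic-3 parameters have since fallen short.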

Subsequently, we give a performance analysis amongst some

Conclusion

This paper proposes a new generic framework by which any ID-based message recovery signature can be converted into a secret handshake scheme. Hence a secret handshake scheme based on a more efficient ID-based message recovery signature provides a good alternative. To achieve simple traceability and revocation, our construction still uses one-time pseudonyms and achieves the basic security requirements when the GA is a trusted authority. Compared with Tsudik and Xu's

Yamin Wen received her Ph.D. degree in Cryptography from School of Information Science and Technology, Sun Yat-sen University in 2011. She is currently a lecturer of Guangdong University of Business Studies. Her main research interests include cryptography and information security, in particular, cryptographic protocols.

References (31)

  • A. Sorniotti et al. A provably secure secret handshake with dynamic controlled matching. Comput Sec (2010).
  • Balfanz D, Durfee G, Shankar N, Smetters D, Staddon J, Wong H. Secret handshakes from pairing-based key agreements. In:...
  • Ateniese G, Blanton M, Kirsch J. Secret handshakes with dynamic and fuzzy matching. In: Proceedings of the 14th annual...
  • Sakai R, Ohgishi K, Kasahara M. Cryptosystems based on pairings. In: Symposium on cryptography and information...
  • Castelluccia C, Jarecki S, Tsudik G. Secret handshakes from CA-oblivious encryption. In: ASIACRYPT 2004, LNCS 3329....
  • Zhou L, Susilo W, Mu Y. Three-round secret handshakes based on ElGamal and DSA. In: Information security practice and...
  • Vergnaud D. RSA-based secret handshakes. International workshop on coding and cryptography. Bergen, Norway, March 2005,...
  • Xu S, Yung M. K-anonymous secret handshakes with reusable credentials. In: Proceedings of the 11th ACM conference on...
  • H. Huang et al. A novel and efficient unlinkable secret handshake scheme. IEEE Commun Lett (2009).
  • R. Su. On the security of a novel and efficient unlinkable secret handshakes scheme. IEEE Commun Lett (2009).
  • J. Gu et al. An improved efficient secret handshakes scheme with unlinkability. IEEE Commun Lett (2011).
  • Y. Wen et al. Unlinkable secret handshakes from message recovery signature. Chin J Electron (2010).
  • Waters B. Efficient identity-based encryption without random oracles. In: EUROCRYPT 2005, LNCS 3494. Springer-Verlag ;...
  • Zhao G, Tan C, Ren Y, Fang L. An efficient unlinkable secret handshake protocol without ROM. In: WCNIS 2010, IEEE...
  • Jarecki S, Liu X. Unlinkable secret handshakes and key-private group key management schemes. In: ACNS 2007, LNCS 4521....

Fangguo Zhang is a professor in the School of Information Science and Technology, Sun Yat-sen University, Guangzhou, China. He obtained his Ph.D. degree in Cryptography from the School of Communication Engineering, Xidian University in 2001. His main research interests include elliptic curve cryptography, pairing-based cryptosystems and their applications.

Lingling Xu received her Ph.D. degree in Cryptography from the School of Information Science and Technology, Sun Yat-sen University in 2011. She is currently a lecturer at South China University of Technology. Her main research interests include public key cryptography, particularly cryptographic protocols.

Reviews processed and proposed for publication to Editor-in-Chief by Associate Editor Prof. Remzi Seker.

☆☆ This work is supported by the National Natural Science Foundation of China (Nos. 61100201, 61070168, 61003244, 60803135, 11101096).
