ABSTRACT
At first glance, privacy and zero-knowledgeness seem to be similar properties. A scheme is private when no information is revealed about the prover, and in a zero-knowledge scheme, the communications should not leak the prover's secrets.
Until recently, privacy threats were only partially formalized, and some zero-knowledge (ZK) schemes have been proposed so far to ensure privacy. We explain here why the intended goal is not reached. Following the privacy model proposed by Vaudenay at Asiacrypt 2007, we reconsider the analysis of these schemes. We first propose a framework that enables the transformation of some generic ZK schemes into private schemes. As a relevant example, we then apply this framework to the GPS scheme. This leads to efficient implementations of zero-knowledge identification schemes that respect privacy. Their security and their privacy are based on the Short Exponent Decisional Diffie-Hellman problem.
Index Terms
- Efficient zero-knowledge identification schemes which respect privacy