Efficient symmetric key private authentication

Hasonló dokumentumok
Performance Modeling of Intelligent Car Parking Systems

On The Number Of Slim Semimodular Lattices

Széchenyi István Egyetem

Statistical Inference

Miskolci Egyetem Gazdaságtudományi Kar Üzleti Információgazdálkodási és Módszertani Intézet Nonparametric Tests

A logaritmikus legkisebb négyzetek módszerének karakterizációi

Csima Judit április 9.

Dependency preservation

Supporting Information

Create & validate a signature

Cluster Analysis. Potyó László

Miskolci Egyetem Gazdaságtudományi Kar Üzleti Információgazdálkodási és Módszertani Intézet. Hypothesis Testing. Petra Petrovics.

Correlation & Linear Regression in SPSS

Bevezetés a kvantum-informatikába és kommunikációba 2015/2016 tavasz

Computer Architecture

Miskolci Egyetem Gazdaságtudományi Kar Üzleti Információgazdálkodási és Módszertani Intézet. Nonparametric Tests. Petra Petrovics.

Construction of a cube given with its centre and a sideline

EN United in diversity EN A8-0206/419. Amendment

Ensemble Kalman Filters Part 1: The basics

Phenotype. Genotype. It is like any other experiment! What is a bioinformatics experiment? Remember the Goal. Infectious Disease Paradigm

Sebastián Sáez Senior Trade Economist INTERNATIONAL TRADE DEPARTMENT WORLD BANK

Statistical Dependence

discosnp demo - Peterlongo Pierre 1 DISCOSNP++: Live demo

Lecture 11: Genetic Algorithms

Genome 373: Hidden Markov Models I. Doug Fowler

A rosszindulatú daganatos halálozás változása 1975 és 2001 között Magyarországon

Cloud computing. Cloud computing. Dr. Bakonyi Péter.

Pletykaalapú gépi tanulás teljesen elosztott környezetben

Választási modellek 3

Proxer 7 Manager szoftver felhasználói leírás

Mapping Sequencing Reads to a Reference Genome

FAMILY STRUCTURES THROUGH THE LIFE CYCLE

Local fluctuations of critical Mandelbrot cascades. Konrad Kolesko

Utasítások. Üzembe helyezés

Cloud computing Dr. Bakonyi Péter.

Dense Matrix Algorithms (Chapter 8) Alexandre David B2-206

PIACI HIRDETMÉNY / MARKET NOTICE

Miskolci Egyetem Gazdaságtudományi Kar Üzleti Információgazdálkodási és Módszertani Intézet Factor Analysis

MATEMATIKA ANGOL NYELVEN

Angol Középfokú Nyelvvizsgázók Bibliája: Nyelvtani összefoglalás, 30 kidolgozott szóbeli tétel, esszé és minta levelek + rendhagyó igék jelentéssel

A modern e-learning lehetőségei a tűzoltók oktatásának fejlesztésében. Dicse Jenő üzletfejlesztési igazgató

(c) 2004 F. Estrada & A. Jepson & D. Fleet Canny Edges Tutorial: Oct. 4, '03 Canny Edges Tutorial References: ffl imagetutorial.m ffl cannytutorial.m

Cashback 2015 Deposit Promotion teljes szabályzat

Budapest, május 04. Mit tehet a munkahely a dolgozók egészségéért?

Miskolci Egyetem Gazdaságtudományi Kar Üzleti Információgazdálkodási és Módszertani Intézet. Correlation & Linear. Petra Petrovics.

GEOGRAPHICAL ECONOMICS B

Correlation & Linear Regression in SPSS

Rezgésdiagnosztika. Diagnosztika

A controlling és az értékelemzés összekapcsolása, különös tekintettel a felsőoktatási és a gyakorlati alkalmazhatóságra

INDEXSTRUKTÚRÁK III.

ENROLLMENT FORM / BEIRATKOZÁSI ADATLAP

Számítógéppel irányított rendszerek elmélete. Gyakorlat - Mintavételezés, DT-LTI rendszermodellek

KIEGÉSZÍTŽ FELADATOK. Készlet Bud. Kap. Pápa Sopr. Veszp. Kecsk Pécs Szomb Igény

INTELLIGENT ENERGY EUROPE PROGRAMME BUILD UP SKILLS TRAINBUD. Quality label system

Using the CW-Net in a user defined IP network

EEA, Eionet and Country visits. Bernt Röndell - SES

Klaszterezés, 2. rész

Abigail Norfleet James, Ph.D.

Véges szavak általánosított részszó-bonyolultsága

Probabilistic Analysis and Randomized Algorithms. Alexandre David B2-206

A BÜKKI KARSZTVÍZSZINT ÉSZLELŐ RENDSZER KERETÉBEN GYŰJTÖTT HIDROMETEOROLÓGIAI ADATOK ELEMZÉSE

Csatlakozás a BME eduroam hálózatához Setting up the BUTE eduroam network

MATEMATIKA ANGOL NYELVEN

Kvantum-informatika és kommunikáció 2015/2016 ősz. A kvantuminformatika jelölésrendszere szeptember 11.

Vállalati kockázatkezelés jelentősége

Tavaszi Sporttábor / Spring Sports Camp május (péntek vasárnap) May 2016 (Friday Sunday)

MATEMATIKA ANGOL NYELVEN

Új fenomén a magyar biztosítási jogban: a biztosítottak közvetlen perlési joga a viszontbiztosítóval szemben a direkt biztosító csődje esetén

MATEMATIKA ANGOL NYELVEN

KELER KSZF Zrt. bankgarancia-befogadási kondíciói. Hatályos: július 8.

Számítógépes Hálózatok GY 8.hét

STUDENT LOGBOOK. 1 week general practice course for the 6 th year medical students SEMMELWEIS EGYETEM. Name of the student:

SQL/PSM kurzorok rész

Block cipher modes. Cryptographic Protocols (EIT ICT MSc) Dr. Levente Buttyán

First experiences with Gd fuel assemblies in. Tamás Parkó, Botond Beliczai AER Symposium

A jövedelem alakulásának vizsgálata az észak-alföldi régióban az évi adatok alapján

Block cipher modes. - five standardized modes (operation, properties)

COOPERATION IN THE CEREAL SECTOR OF THE SOUTH PLAINS REGIONS STRÉN, BERTALAN. Keywords: cooperation, competitiveness, cereal sector, region, market.

General information for the participants of the GTG Budapest, 2017 meeting

Rotary District 1911 DISTRICT TÁMOGATÁS IGÉNYLŐ LAP District Grants Application Form

Néhány folyóiratkereső rendszer felsorolása és példa segítségével vázlatos bemutatása Sasvári Péter

BKI13ATEX0030/1 EK-Típus Vizsgálati Tanúsítvány/ EC-Type Examination Certificate 1. kiegészítés / Amendment 1 MSZ EN :2014

FÖLDRAJZ ANGOL NYELVEN

Alternating Permutations

PIACI HIRDETMÉNY / MARKET NOTICE

EN United in diversity EN A8-0206/482. Amendment

A TÓGAZDASÁGI HALTERMELÉS SZERKEZETÉNEK ELEMZÉSE. SZATHMÁRI LÁSZLÓ d r.- TENK ANTAL dr. ÖSSZEFOGLALÁS

Lexington Public Schools 146 Maple Street Lexington, Massachusetts 02420

MATEMATIKA ANGOL NYELVEN

MATEMATIKA ANGOL NYELVEN


(NGB_TA024_1) MÉRÉSI JEGYZŐKÖNYV

Gyártórendszerek modellezése: MILP modell PNS feladatokhoz

MATEMATIKA ANGOL NYELVEN

THS710A, THS720A, THS730A & THS720P TekScope Reference

Budapest By Vince Kiado, Klösz György

16F628A megszakítás kezelése

USER MANUAL Guest user

Teszt topológia E1/1 E1/0 SW1 E1/0 E1/0 SW3 SW2. Kuris Ferenc - [HUN] Cisco Blog -

There is/are/were/was/will be

Átírás:

Efficient symmetric key private authentication Cryptographic Protocols (EIT ICT MSc) Dr. Levente Buttyán Associate Professor BME Hálózati Rendszerek és Szolgáltatások Tanszék Lab of Cryptography and System Security (CrySyS) buttyan@hit.bme.hu, buttyan@crysys.hu

2 Outline - the problem - key-tree based approach - group based approach - privacy metrics and their comparison - computing the level of privacy for key-trees and groups

3 Private authentication the problem authentication protocols often reveal the identity of the authenticating party (prover) to an eavesdropper when devices move around and authenticate themselves frequently, the location of them can be tracked typical examples are RFID tags and contactless smart card based systems

4 An example ISO 9798-2 the protocol: (1) B A: r B (2) A B: E(K, r B B*) where K is a shared key between A and B, and E(.) denotes encryption it is assumed that the parties are aware of the claimed identity of the other either by context or by additional cleartext data fields (0) A B : A

5 Solutions based on public-key crypto encrypt identity information of the authenticating party with the public key of the verifier setup a confidential channel between the parties using the basic Diffie-Hellman protocol and send identity information through that channel IKE in main mode works in this way common disadvantage: public key operations may not be affordable in devices with limited resources (e.g., public transport cards, RFID tags)

6 Naïve solutions for low-cost tags encrypt (hash) identity information with a single common key drawback: compromise of a single member of the system has fatal consequences encrypt (hash) identity information with a unique key drawback: number of keys need to be tested by the verifier grows linearly with the number of potential provers doesn t scale (potentially long authentication delay in large systems)

7 Better solutions for low cost tags tree-based approach proposed by Molnar and Wagner in 2004 improved by Buttyan, Holczer, and Vajda in 2006 advantage: authentication delay is logarithmic in the number of members drawback: increased overhead (at the prover s side) level of privacy quickly decreasing as the number of compromised members increases group-based approach proposed by Avoine, Buttyan, Holczer, Vajda in 2007 advantage: higher level of privacy and smaller overhead than in the tree-based approach drawback:???

8 The tree-based approach k 1 try all these keys until one of them works k 11 k 111 k 1, k 11, k 111 tag R E(k 1, R R), E(k 11, R R), E(k 111, R R) reader k 1, k 11, k 111 tag ID

9 A problem k 1 k 11 k 111 P 0 P 1 P 2 P 3 if a member is compromised, its keys are learned by the adversary however, most of those keys are used by other members too the adversary can recognize the usage of those compromised keys consequently, the level of privacy provided by the system to noncompromised members is decreased this decrease can be minimized by careful design of the tree!

10 Anonymity sets k 1 k 11 k 111 P 0 P 1 P 2 P 3 compromised tags partition the set of all tags tags in a given partition are indistinguishable tags in different partitions can be distinguished each partition is the anonymity set of its members

11 Normalized Average Anonymity Set Size (NAASS) k 1 k 11 k 111 P 0 P 1 P 2 P 3 the level of privacy provided by the system to a randomly selected member is characterized by the average anonymity set size: where N is the total number of members we normalize this to obtain a value between 0 and 1:

12 Computing NAASS when a single tag is compromised k 1 k 11 k 111 P 0 P 1 P 2 P 3

13 A trade-off between privacy and efficiency efficiency of the system is characterized by the maximum authentication delay: examples: naïve linear key search ( l = 1 ) R = 1 2(N-1)/N 2 1 2/N 1 D = N (if N is large) binary key-tree ( l = log N ) R = 1/3 + 2/(3N 2 ) 1/3 (if N is large) D = 2 log N how to maximize R while keeping D below a threshold?

14 The optimization problem Given the total number N of tags and the upper bound D max on the maximum authentication delay, find a branching factor vector B = ( b 1, b 2,... b l ) such that is maximal, subject to the following constraints:

15 Analysis of the optimization problem Lemma 1: we can always improve a branching factor vector by ordering its elements in decreasing order Lemma 2: lower and upper bounds on R(B) (where B is ordered): Lemma 3: given two branching factor vectors (that satisfy the constraints), the one with the larger first element is always at least as good as the other Lemma 4: given two branching factor vectors the first j elements of which are equal, the vector with the larger (j+1)-st element is always at least as good as the other

16 A solution let P be the ordered vector of prime factors of N if P doesn t satisfy the conditions, then no solution exists otherwise, let P be a subset of P such that if we multiply the prime factors in P (let the product be Q), then the vector (Q, P\P ) still satisfies the constraints, and Q is maximal the first element of the optimal branching factor vector is Q if all prime factors are used (P\P = ), then stop else repeat the procedure recursively with the remaining primes

17 Operation of the algorithm illsutrated let N = 27000 and D max = 90 P P Q the optimal tree for these parameters is (72, 5, 5, 5, 3) R 0.9725 D = 90

18 Proof sketch of the algorithm let B* = (b* 1,, b* L ) be the output of the algorithm assume that there s a B = (b 1,, b K ) B* such that R(B ) > R(B*) B* is obtained by maximizing b* 1 b* 1 b 1 if b* 1 > b 1 then R(B*) R(B ) by Lemma 3 b* 1 = b 1 must hold B* is obtained by maximizing b* 2 (once b* 1 is determined) b* 2 b 2 if b* 2 > b 2 then R(B*) R(B ) by Lemma 4 b* 2 = b 2 must hold B* = B must hold, which is a contradiction

19 The general case (any tags can be compromised) <-> <1> <2> <3> <11> <12> <13> <21> <22> <23> <31> <32> <33> number and size of partitions depend on which tags are compromised

20 Approximation of NAASS for key-trees let the branching factors of the tree be b 1, b 2,, b L select a tag T randomly (without loss of generality, we assume that the left most tag of the tree is selected) we want to compute the expected size of T s anonymity set when some tags are compromised we assume that each tag is compromised with probability p = C/N the probability that a given edge (key) is compromised at level i is q i = 1 (1 - p) N i where N i = N/(b 1 b 2 b i ) is the number of tags below that edge

21 Approximation of NAASS for key-trees b L T the probability that T s anonymity set size is exactly k (k = 1, 2,, b L -1) is:

22 Approximation of NAASS for key-trees b L-1 b L T the probability that T s anonymity set size is kb L (k = 1, 2,, b L-1-1) is:

23 Approximation of NAASS for key-trees in general, the probability that T s anonymity set size is kb L b L-1 b i+1 = kn i (i = 1, 2,, L and k = 1, 2,, b i -1) is: from this, the expected size of T s anonymity set is:

24 Verification of the approximation B = [30 30 30]

25 Comparison of key-trees conclusion: first element of the branching factor vector determines the level of privacy in the general case too

28 Norm. entropy based anonymity set size (NEASS) main idea: assume that a tag is compromised and this results in two equal size (N/2) partitions the adversary can tell each tag in either one of the partitions 1 bit of information has been disclosed in general, the amount of information that is disclosed due to tag compromise is (normalized) entropy based anonymity set size:

Comparison of NAASS and NEASS (simulation) Buttyán Levente, HIT 29 B = [30 30 30]

30 The group-based approach k 1 k 2 K 1 K 2 K g............ k n k N k 1, K 1 tag R E(K 1, ID R R), E(k 1, R R) reader immediate advantage: each tag stores and uses only two keys 1.) try all group keys until one of them works 2.) authenticate the tag by using its individual key

31 Computing NAASS for the group-based appr............. partitioning depends on the number C of compromised groups NAASS can be computed as: if tags are compromised randomly, then C is a random variable we are interested in the expected value of S/N for this we need to compute E[C] and E[C 2 ]

32 Computing NAASS for the group-based appr. let c be the number of compromised tags let A i be the event that at least one tag is compromised from the i-th group the probability of A i can be computed as:

33 Computing NAASS for the group-based appr. let I Ai be the indicator function of A i E[C] =? E[C 2 ] =?

Computing NAASS for the group-based appr. Buttyán Levente, HIT 34

35 Verification of the approximation N = 27000 g = 90

36 Comparison of approaches select a privacy metric (NAASS or NEASS) for a given set of parameters (number N of tags, max authentication delay D), determine the optimal key-tree compute the privacy metric for the optimal tree (function of c) determine the corresponding parameters for the group based approach (g = D-1) compute the privacy metric for the groups (function of c)

37 Comparison in NAASS N = 2 14 D = 65 [32 16 8 4] 64 x 256

38 Comparison in NEASS N = 2 14 D = 65 [32 16 8 4] 64 x 256

Summary we studied the problem of (efficient) symmetric-key private authentication we presented two approaches: key-trees and groups we gave an overview of proposed privacy metrics NAASS, NEASS, prob. of traceability we showed some relationships between the metrics prob. of traceability ~ NAASS, NEASS < NAASS we gave precise approximations of the NAASS for trees and for groups we compared the tree and the group based approaches using NAASS and NEASS Buttyán Levente, HIT 39

40 Conclusions we obtained controversial results group-based approach achieves better privacy if we use NAASS tree-based approach achieves better privacy if we use NEASS be cautious which metric you use! yet, the difference between trees and groups does not seem to be large in terms of privacy groups may be a better trade-off, due to the smaller overhead the group-based approach is a serious alternative to the tree-based approach

41 Open problems 1. Closed form approximation of the NEASS (both for trees and groups)? 2. How to find the optimal tree when the metric is the NEASS? 3. How to preserve the efficiency of the tree and the groupbased approaches and eliminate the exponential decrease of the level of privacy at the same time???

2025 © DocPlayer.hu Adatvédelmi irányelvek | Szolgáltatási feltételek | Visszajelzés