
the size of the returned vector is polynomial, making the probability space of exponential size. However, it is not clear whether allowing the adversary to specify one-way sampling algorithms makes any practical sense.

To illustrate what a non-simulatable adversary can be, assume we have an RFID system composed of $n$ tags with identifiers $\mathrm{ID}_{b,c,i}$, where $i = 1, \dots, n$ and $b$ is a bit set to 1 when the tag is legitimate and to 0 otherwise. We further assume an adversary who issues DrawTag queries with a sampling algorithm that runs as follows. On input a random tape, this algorithm uses an arbitrary function $g$ and a one-way function $f$ to compute $(c_1, \dots, c_n)$ as $g$ applied to the tape and $(b_1, \dots, b_n) = f(c_1, \dots, c_n)$. It then draws the $n$ tags with identifier $\mathrm{ID}_{b_i,c_i,i}$, for all $i$. As the view of the adversary only includes $b_1, \dots, b_n$, it is hard, due to the one-wayness of $f$, to find a consistent $c_1, \dots, c_n$.

Privacy

The intuition behind the privacy definition in the Vaudenay model is that any significant adversary against privacy should output a statement deduced from the interactions between the tags and the system. Unfortunately, the definition of blinders given by Vaudenay, Definition . , fails to capture any information the adversary may get from other sources and use to produce its statement. This intrinsic limitation comes from the fact that the blinder, as a separate entity, might not have access to all the adversary's knowledge. Hence, the latter may be able to use that extra information as an advantage against the blinder. The possibility of such a scenario caused Vaudenay's impossibility result concerning Strong privacy that we detailed in Section . . .

In our definition hereafter, we correct this limitation by having the blinder executed by the adversary, so that it is aware of any extra information she has in her possession. We formalize this by giving the random tape of the adversary to the blinder. For reasons that will become clearer later, we also restrict the privacy game to simulatable adversaries.

Definition . (Blinder)

We define a blinder B for an adversary A as a polynomial-time algorithm which sees the same view as A (i.e., all the incoming messages and the random tape), records all the adversary's oracle queries and simulates the Launch, SendReader, SendTag and Result oracles to A. The blinder does not have access to the reader's tape, so it knows neither the secret key nor the database. A blinded adversary $A^B$ is an adversary who does not issue any Launch, SendReader, SendTag or Result oracle query but has them simulated by B.

Definition . (Privacy and Trivial Adversaries)

Consider a two-stage simulatable adversary who starts with an attack phase consisting only of oracle queries and some computations, then pursues an analysis phase with no oracle query. In between the phases, the adversary receives the hidden table T of the DrawTag oracle, then outputs true or false. The adversary wins if the output is true.

An adversary is said to be trivial if there exists a blinder B for which $|\Pr[A \to 1] - \Pr[A^B \to 1]|$ is negligible.

We say that the RFID scheme is P-private if all the adversaries from the class P are trivial.

Clearly, combining Definitions . and . yields a (slightly) weaker privacy notion than the original one by Vaudenay. Since the adversary is not able to hide information from the blinder anymore, its only advantage in winning the privacy game must come from the protocol messages. For this reason, we argue that our proposed definition captures the exact notion of privacy. It is worth mentioning that under this new definition, the proof of the impossibility of Strong privacy does not hold, as the blinder in this case "knows" whether the adversary is simulating a forged tag or a legitimate one and can consequently predict the outcome of the protocol instance.

Note that all schemes that were shown to achieve a certain level of privacy in the sense of Vaudenay achieve the same level of privacy under our definition. This is because blinders that comply with Definition . can be seen as a special case of the ones considered in this chapter. In particular, all the results that we presented in Chapter . are still valid.

We further note that with these definitions the counter-example to the impossibility of Narrow-Strong privacy and security in the case of mutual authentication given by Armknecht et al. [ASS+ ] does not hold anymore. We come back to discuss this result and its implications on mutual authentication protocols in Chapter . .

 

9.7 IND-CCA2 is not Sufficient for Strong Privacy

Consider the scheme of Figure . instantiated with an IND-CCA public-key encryption scheme that we construct as follows. Starting from an arbitrary IND-CCA secure encryption scheme $(\mathrm{KeyGen}', \mathrm{Enc}', \mathrm{Dec}')$, we define another cryptosystem $(\mathrm{KeyGen}, \mathrm{Enc}, \mathrm{Dec})$ as follows.

KeyGen. Run $(sk', pk') \leftarrow \mathrm{KeyGen}'(1^k)$. Pick an RSA modulus $N = pq$, i.e., such that $p$ and $q$ are primes, and $y, z \in \mathbb{Z}_N$ such that $\left(\frac{y}{N}\right) = +1$, $\left(\frac{y}{p}\right) = -1$, and $\left(\frac{z}{N}\right) = +1$. The scheme's key pair is $pk = (pk', N, y, z)$ and $sk = (sk', p)$.

Encrypt. Define $E_{pk}(b) = y^b r^2 \bmod N$, where $b \in \{0, 1\}$ and $r \in_R \mathbb{Z}_N$. Pick randomness and compute the ciphertext

$\mathrm{Enc}_{pk}(x) = \mathrm{Enc}'_{pk'}(E_{pk}(x_0), \dots, E_{pk}(x_{n-1}))$

where $x_0, \dots, x_{n-1}$ is the binary decomposition of $x$.

Decrypt. Define $D_{sk}(c) = b$ such that $(-1)^b = \left(\frac{c}{p}\right)$. To decrypt, compute

$\mathrm{Dec}_{sk}(c) = D_{sk}(t_0), \dots, D_{sk}(t_{n-1}),$

where $t_0, \dots, t_{n-1} = \mathrm{Dec}'_{sk'}(c)$.

We can easily see that $(\mathrm{KeyGen}, \mathrm{Enc}, \mathrm{Dec})$ is still IND-CCA secure and that, regardless of the properties of the initial scheme, it is not plaintext-aware since, given an integer $z \in \mathbb{Z}_N$, the ciphertext $\mathrm{Enc}'_{pk'}(z \cdot E_{pk}(x_0) \bmod N, \dots, z \cdot E_{pk}(x_{n-1}) \bmod N)$ is, depending on $\left(\frac{z}{p}\right)$, a valid encryption of either $x_0, \dots, x_{n-1}$ or the complemented bits $\bar{x}_0, \dots, \bar{x}_{n-1}$. Therefore, the existence of a knowledge extractor induces the existence of a polynomial-time algorithm for distinguishing quadratic residues from non-quadratic residues.

Finally, the following Strong adversary defeats privacy.

1: CreateTag(ID)
2: vtag ← DrawTag(ID)
3: ID‖$K_{\mathrm{ID}}$ ← Corrupt(vtag)
4: π ← Launch, where π denotes the launched protocol instance
5: a ← SendReader(−, π)
6: Set $x = \mathrm{ID} \| K_{\mathrm{ID}} \| a$
7: $c \leftarrow \mathrm{Enc}'_{pk'}(z \cdot E(x_0), \dots, z \cdot E(x_{n-1}))$
8: SendReader(c, π)
9: b ← Result(π)
10: Output b

Clearly, the adversary outputs 1 if and only if $\left(\frac{z}{p}\right) = +1$. Therefore, a blinder that follows the same distribution would break the quadratic residuosity problem, i.e., the problem of distinguishing quadratic residues from non-quadratic residues.
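The inner bit encryption of this section and the z-malleability behind both the non-plaintext-awareness argument and the adversary's step 7, as an added runnable example (not code from the thesis); the outer IND-CCA layer is arbitrary in the text and is omitted, the primes and plaintext bits are constructed toy values, and r is drawn coprime to N so that Legendre symbols are never zero:

```python
# Added example, not code from the thesis: the inner bit encryption E_pk / D_sk of
# the Section 9.7 construction on a toy RSA modulus, and the z-malleability that
# defeats plaintext-awareness. The outer IND-CCA layer (Enc', Dec') is omitted.
import math, random

def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0, by quadratic reciprocity."""
    a, result = a % n, 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5): result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3: result = -result
        a %= n
    return result if n == 1 else 0

def legendre(a, p):
    """Legendre symbol (a/p) for an odd prime p, by Euler's criterion."""
    s = pow(a % p, (p - 1) // 2, p)
    return -1 if s == p - 1 else s

def keygen(p, q, rng=random):
    """pk = (N, y): (y/N) = +1 but (y/p) = -1 (pseudo-square); sk = p."""
    N = p * q
    while True:
        y = rng.randrange(2, N)
        if jacobi(y, N) == 1 and legendre(y, p) == -1:
            return (N, y), p

def encrypt_bits(pk, bits, rng=random):
    """E_pk(b) = y^b * r^2 mod N for each bit b; r is drawn coprime to N."""
    N, y = pk
    out = []
    for b in bits:
        r = rng.randrange(1, N)
        while math.gcd(r, N) != 1: r = rng.randrange(1, N)
        out.append(pow(y, b, N) * r * r % N)
    return out

def decrypt_bits(p, cts):
    """D_sk(c) = b with (-1)^b = (c/p): a residue mod p decrypts to 0."""
    return [0 if legendre(c, p) == 1 else 1 for c in cts]

def maul(pk, cts, z):
    """Multiply by z: (zc/p) = (z/p)(c/p), so the tuple decrypts to the same
    bits if (z/p) = +1 and to their complement if (z/p) = -1."""
    N, _ = pk
    return [z * c % N for c in cts]
```

Because the mauler only needs a z with Jacobi symbol +1 (public information), it cannot tell which of the two plaintexts it has produced without the factor p, which is exactly what a knowledge extractor would have to decide.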

9.8 Strong Privacy Using Plaintext-Awareness

In this section, we show that using the new definition of blinders, we can achieve Strong privacy using public-key cryptography. For this sake, we make use of the standard definitions of public-key cryptosystems (PKC) and the notion of plaintext-aware encryption schemes.

We consider the same protocol based on a public-key cryptosystem, as depicted in Figure . . In this scheme, the state of the tags is composed of their ID and a uniformly distributed fixed-length bit string $K_{\mathrm{ID}}$. Upon reception of a fixed-length challenge $a$, a tag sends the encryption of $\mathrm{ID} \| K_{\mathrm{ID}} \| a$ under the public key $pk$ to the reader. The latter decrypts the received ciphertext using its secret key $sk$ and checks that it is well formed, that $a$ is correctly recovered and that $(\mathrm{ID}, K)$ exists in the database. Note that both lengths have to be polynomially bounded.

Although this challenge-response protocol has already been used by Vaudenay [Vau ] to achieve Narrow-Strong privacy under the assumption that the underlying encryption scheme is IND-CPA secure, our result requires PA+ plaintext-awareness from the encryption scheme. Naturally, since our definition of security is unchanged from the original model, IND-CCA security for the encryption scheme is sufficient to prove that the protocol is secure, and we use the original result of Vaudenay.

The next theorem establishes the correctness, security, and Strong privacy of the scheme.
