practical affiliation-hiding authentication from improved polynomial interpolation

Post on 20-Feb-2016


Practical Affiliation-Hiding Authentication from Improved Polynomial Interpolation. Mark Manulis, Bertram Poettering. ASIACCS ‘11 Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security, March 2011, Pages 286-295, Citation: 4. Presenter: 方竣民


Practical Affiliation-Hiding Authentication from Improved Polynomial Interpolation

Mark Manulis, Bertram Poettering

ASIACCS ‘11 Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security, March 2011, Pages 286-295, Citation: 4

Presenter: 方竣民

Date: 2012/12/03


Outline

• Introduction
• Initial Technique
• Polynomial Interpolation
• Optimized Multi-Group AH Protocol
• Analysis
• Conclusion


Introduction

• Affiliation-hiding (AH) protocols are valuable for hiding identities of communicating users behind their membership of groups.

• Improvements advance the area of efficient polynomial interpolation in finite fields.


Introduction

You will see:

• Polynomial interpolation implemented in several mathematical ways, with their pseudocode.

• One optimized multi-group affiliation-hiding protocol.


Index-Hiding Message Encoding

Indices, messages

Two algorithms: iEncode and iDecode


Multi-Group AH Protocol

• GA creates public key (n, e, g)
  – n is the RSA modulus
  – e the public exponent
  – g a generator of a large subgroup of

• GA keeps private key d

• Membership credential cred =

• Pseudonym id

• , is random exponent

t is used to generate session key.


Interpolation Without Precomputation

• As in Algorithm 1, it has quadratic running time.

• Algorithm 1 already solves the problem of polynomial interpolation in reasonable time.
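
An added example, not the paper's Algorithm 1 or the presenter's code: index-hiding message encoding sketched as quadratic-time polynomial interpolation over a prime field, assuming iEncode publishes the coefficients of the polynomial through the (index, message) pairs and iDecode evaluates it at an index. The prime `P`, the function names `interpolate`, `i_encode`, `i_decode` and `demo`, and the sample pairs are assumptions made for illustration.

```python
# Added example: IHME sketched as polynomial interpolation over a prime field.
P = 2**127 - 1  # assumed field prime for this sketch; not a value from the slides


def interpolate(points, p=P):
    """Coefficients (low degree first) of the unique polynomial of degree < n
    through `points`, using Newton divided differences: O(n^2) operations."""
    xs = [x % p for x, _ in points]
    if not xs or len(set(xs)) != len(xs):
        raise ValueError("indices must be non-empty and distinct modulo p")
    dd = [y % p for _, y in points]
    n = len(xs)
    for k in range(1, n):
        for j in range(n - 1, k - 1, -1):
            # One field division per step: n(n-1)/2 modular inversions in total.
            inv = pow((xs[j] - xs[j - k]) % p, -1, p)
            dd[j] = (dd[j] - dd[j - 1]) * inv % p
    # Expand the Newton form into monomial coefficients, Horner style.
    coeffs = [dd[n - 1]]
    for k in range(n - 2, -1, -1):
        nxt = [0] * (len(coeffs) + 1)
        for i, c in enumerate(coeffs):  # nxt = coeffs * (x - xs[k])
            nxt[i + 1] = (nxt[i + 1] + c) % p
            nxt[i] = (nxt[i] - c * xs[k]) % p
        nxt[0] = (nxt[0] + dd[k]) % p
        coeffs = nxt
    return coeffs


def i_encode(pairs, p=P):
    """Hypothetical iEncode: publish only the coefficient vector."""
    return interpolate(pairs, p)


def i_decode(structure, index, p=P):
    """Hypothetical iDecode: evaluate the polynomial at `index` (Horner)."""
    acc = 0
    for c in reversed(structure):
        acc = (acc * index + c) % p
    return acc


def demo():
    # Constructed (index, message) pairs; real messages would look random.
    pairs = [(11, 1234567), (42, 7654321), (99, 5555555)]
    s = i_encode(pairs)
    # Any index decodes to some field element; only a real index gives a message.
    return [i_decode(s, i) for i, _ in pairs], i_decode(s, 7)
```

Decoding never fails for an unknown index, so the published coefficient vector does not reveal which indices were encoded when the messages themselves look random.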

Algorithm 1: Polynomial Interpolation

Interpolation Without Precomputation

• Most divisions can be replaced by multiplications, e.g.

• It is solved by Algorithm 2 with performance:

• But Algorithm 2 needs extra storage for n-1 variables.

Algorithm 2: Interpolation with Deferred Inversion

Interpolation With Precomputation

• On some occasions, polynomial interpolations have to be computed many times in succession.

Algorithm 3: Interpolation after Precomputation

Compare Algo2 and Algo3

• Device: Intel XEON 2.66GHz.

• Using gcrypt library.

Algorithm 2

Algorithm 3

With/Without Precomputation

Interleaved IHME

• These fields may become rather large, e.g. .

• IHME’s running time is still , so it will be very slow.

Interleaved IHME

For instance, an IHME setting with and

Could split all messages into 8 chunks

Each of length

We get new field

• The gain in efficiency might be superlinear.

V-fold IHME

=> => is a prime, is a natural number. index space message space

Comparison v-fold/IHME by Algo2,3

80*14=1120


Group Initialization Phase

• Performance in this phase is not very important, because it is executed only once.

• They improve on storage size of group parameters.


Group Initialization Phase

• A safe prime is a prime number such that , where is a prime as well.

Implementing CreateGroup

User Registration Phase

• By altering the generation of user credentials to:

cred = with


Implementing Adduser


Multi-Group Handshake Protocol

• Users have a set

•

• at least; in the first round, messages are encoded over a much smaller field of elements

Multi-Group Handshake Protocol

• In the second round, the per-group key confirmation messages are of length

• Where bits would suffice.

• It makes the field size to be elements.

Multi-Group Handshake Protocol Part 1

Multi-Group Handshake Protocol Part 2

Multi-Group Handshake Protocol Part 3


Analysis

Symmetric Key Size Asymmetric Key Size

Is it possible < ?


Conclusion

• They heavily modified the group management and handshake algorithms to achieve considerably better performance.

• It showed that AH authentication in the multi-group setting, and provided appropriate performance measurements.
