Kamil Kluczniak

Restricted Identification without Group Keys

We present a variant of the protocol stack for anonymous authentication implemented in German personal identity documents. We strengthen the system by eliminating group keys - a potential target of attack for a powerful adversary aiming to undermine Restricted Identification mechanisms. We provide a mechanism of authentication that merges Chip Authentication protocol with Restricted Identification.

Mutual Restricted Identification

We extend the idea of Restricted Identification deployed in the personal identity documents in Germany. Our protocol, Mutual Restricted Authentication (MRI for short), is designed for direct anonymous authentication between users who belong to the same domain (called also a sector). MRI requires only one private key per user. Still there are no limitations to which domain a user may belong and the domains are not fixed in advance. This enables an implementation of MRI when a strictly limited secure memory is available (like for smart cards). MRI guarantees that a user has exactly one identity within a domain, while the identities from different domains of the same user are not linkable. The main difference between RI and MRI is that for MRI the privacy of both participants are protected, while in case of RI the terminal is fully exposed. The protocol is efficient, extremely simple (in particular, it outperforms RI) and well suited for an implementation on resource limited devices such as smart cards.

A Short Paper on Blind Signatures from Knowledge Assumptions

This paper concerns blind signature schemes. We focus on two moves constructions, which imply concurrent security. There are known efficient blind signature schemes based on the random oracle model and on the common reference string model. However, constructing two move blind signatures in the standard model is a challenging task, as shown by the impossibility results of Fischlin et al. The recent construction by Garg et al. (Eurocrypt’14) bypasses this result by using complexity leveraging, but it is impractical due to the signature size (\(\approx \) 100 kB). Fuchsbauer et al. (Crypto’15) presented a more practical construction, but with a security argument based on interactive assumptions. We present a blind signature scheme that is two-move, setup-free and comparable in terms of efficiency with the results of Fuchsbauer et al. Its security is based on a knowledge assumption.

A Short Paper on How to Improve U-Prove Using Self-Blindable Certificates

U-Prove is a credential system that allows users to disclose information about themselves in a minimalistic way. Roughly speaking, in the U-Prove system a user obtains certified cryptographic tokens containing a set of attributes and is able to disclose a subset of his attributes to a verifier, while hiding the undisclosed attributes. In U-prove the actual identity of a token holder is hidden from verifiers, however each token has a static public key (i.e. token pseudonym), which makes a single token traceable, by what we mean that, if a token is presented twice to a verifier, then the verifier knows that it is the same token. We propose an extension to the U-Prove system which enables users to show U-Prove tokens in a blinded form, so even if a single token is presented twice, a verifier is not able to tell whether it is the same token or two distinct tokens. Our proposition is an optional extension, not changing the core of the U-Prove system. A verifier decides whether to use issuer signatures from U-Prove, or the blind certificates from the extension.

Controlled Randomness – A Defense Against Backdoors in Cryptographic Devices

Security of many cryptographic protocols is conditioned by quality of the random elements generated in the course of the protocol execution. On the other hand, cryptographic devices implementing these protocols are designed given technical limitations, usability requirements and cost constraints. This frequently results in black box solutions. Unfortunately, the black box random number generators enable creating backdoors. So effectively the signing keys may be stolen, authentication protocol can be broken enabling impersonation, confidentiality of encrypted communication is not guaranteed anymore.

Insecurity of Anonymous Login with German Personal Identity Cards

One of the major inventions of the new personal identity cards in Germany is supporting anonymous authentication. The Restricted Identification protocol enables to authenticate in an unlimited number of domains with passwords created with strong asymmetric cryptography and not using the insecure login-password mechanism. Moreover, the RI scheme guarantees unlinkability of users authentication in different domains. The Achilles Heel of the RI scheme is Chip Authentication procedure. The terminal must make sure that it is talking with a genuine identification card and authentication via so-called group key is used. The group key is shared by many IDs in order to create a sufficiently large anonymity set. We present an attack, where the party holding the group key and eavesdropping the communication between a card and a terminal can learn the pseudonym and later authenticate as this user in this domain. In this way the party issuing the cards may get an unlimited access to citizens accounts. We show how to solve the problem by slight changes in the protocol.

Mutual Chip Authentication

We present a Anonymous Mutual Authentication (AMA) protocol for authentication and key agreement between cryptographic devices. It is an alternative for Terminal Authentication (TA) plus Chip Authentication (ChA) developed for electronic travel documents. Unlike conventional TA, executing AMA does not provide any digital record that could be used as a proof against third parties that an interaction really took place. AMA is symmetric: the code executed by both participants is the same (apart from the sequence of operations). It eases implementation on resource limited devices such as smart cards. AMA does not require prior disclosure of identities: the protocol participants learn them in a way hidden to eavesdroppers.

A New Secure Data Deduplication Approach Supporting User Traceability

The notion of data deduplication enables a user to eliminate duplicate copies of data so that it can save the amount of storage space and network bandwidth. Convergent encryption, as the state-of-art approach, has been widely adopted to perform secure deduplication in the cross-user scenario. However, all the existing solutions cannot support user traceability. That is, there is no way to trace the identities of malicious users for instance in case a user performed a duplicate faking attack. To cope with this issue, in this paper, we propose a novel secure deduplication scheme supporting user traceability by incorporating traceable signatures with the state of the art deduplication technique, such as interactive randomized convergent encryption and proof of ownership.

TrDup: enhancing secure data deduplication with user traceability in cloud computing

Data deduplication is a special type of resource usage optimisation. It leads to reduction of the used storage space and network bandwidth by eliminating duplicate copies of the same data file. Convergent encryption, as the state-of-art approach, has been widely adopted to perform secure deduplication in the cross-user scenario. However, all prior solutions do not support user traceability: there is no way to trace the identities of malicious users in case of duplicate faking attacks. To cope with this problem, we propose a deduplication scheme called TrDup. It realises traceability of malicious users identity by incorporating traceable signatures with message-locked encryption technique. The TrDup construction is followed by its formal security analysis.

A Formal Concept of Domain Pseudonymous Signatures

We present a formal model for domain pseudonymous signatures – in particular providing a simple and strong concept and comprehensive formalization of unlinkability, which is the key property of domain pseudonymous signatures. Following the approach deployed for German personal identity cards, we consider domains that have to be registered and require a particular form of domain specifications. We introduce and formalize the deanonymization procedures that have to be implemented as one of the crucial functionalities in many application areas of domain signatures. Finally, we present two constructions that correspond to this model.