Efficient Secret Handshaking Protocol

Abstract

Secret handshaking protocols allow two members of the same group to identify each other secretly, i.e., any two parties who are members of the same group will recognize each other as members, yet, a party which is not a member of this group cannot tell, by engaging some party in the handshaking protocol, whether that party is a member of this group. Unlinkability is one of the main merits of secret handshaking protocols, that is, a party engaged in at least two handshakes must not be able to link any two different handshakes to a particular party. To achieve unlinkability, almost all protocols proposed so far rely on the one-time credentials technique, where each party can use her credential only once. Hence, each party must hold enough credentials allowing her to engage in the handshakes for enough period of time (e.g. a month) without referring to the group authority for renewal. There is a severe security problem when one-time credentials are employed, that is, an active adversary may initialize with an honest party as many handshaking sessions as she can and hence, depletes all the credentials held by this party, once a party runs out of credentials she will not be able to engage in handshaking no more (Denial of Service attack, DoS). At the same time, the group authority must be able to manage enormous number of issued credentials in data structures and certificate revocation lists (CRL). Thus, on the large scale implementation (large group population), one-time credentials become impractical. In this paper, we propose a provably secure two-party secret handshaking protocol which realizes the unlinkability property using only one permanent credential for each member and avoiding the inefficient one-time credentials. At the same time, our protocol provides immediate revocation of members by the group authority without relying heavily on CRL structures. Keywords: Secret handshakes, authentication, one-time credentials, unlinkability, revocation, denial of service, anonymous RSA, mediated PKI.