Thesis

More documents

Recommendations

Info

2. PRIVATE AUTHENTICATION For each value of c, I run 100 simulations 4 . In each simulation run, the c compromised members were chosen uniformly at random from the set of all members. The exact value of the normalized expected anonymity set size ¯ S ⟨−⟩/N is computed using the expressions (2.9 – 2.11). Finally, the obtained values are averaged over all simulation runs. Moreover, for every c, I also computed the estimated value ¯ S0/N using the expressions (2.15 – 2.17). The simulation results are shown in Figure 2.4. The figure does not show the confidence interwalls, because they are very small (in the range of 10 −4 for all simulations) and thus they could be hardly visible. As we can see, ¯ S0/N approximates ¯ S ⟨−⟩/N quite well, and in general it provides a lower bound on the normalized expected anonymity set size. Normalized average anonymity set size 1 0.8 0.6 0.4 0.2 Simulation result for (S /N) Approximation (S 0 /N) 0 0 50 100 150 200 250 300 Number of compromised members (c) Normalized average anonimity set size 1 0.8 0.6 0.4 0.2 Simulation result for (S /N) Approximation (S 0 /N) 0 0 50 100 150 200 250 300 Number of compromised members (c) Figure 2.4: Simulation results for branching factor vectors (30, 30, 30) (left hand side) and (72, 5, 5, 5, 3) (right hand side). As we can see, ¯ S0/N approximates ¯ S ⟨−⟩/N quite well, and in general it provides a lower bound on it. In Figure 2.5, the value of ¯ S0/N is plotted as a function of c for different branching factor vectors. This figure illustrates, how different systems can be compared using the approximation ¯S0/N of the normalized expected anonymity set size. On the left hand side of the figure, we can see that the value of ¯ S0/N is greater for the vector B ∗ = (72, 5, 5, 5, 3) than for the vector B = (30, 30, 30) not only for c = 1 (as we saw before), but for larger values of c too. In fact, B ∗ seems to lose its superiority only when the value of c approaches 60, but at this range, the systems nearly provide no privacy in any case. Thus, we can conclude that B ∗ is a better branching factor vector yielding more privacy than B in general. We can make another interesting observation on the left hand side of Figure 2.5: ¯ S0/N starts decreasing sharply as c starts increasing, however, when c gets close to the value of the first element of the branching factor vector, the decrease of ¯ S0/N slows down. Moreover, almost exactly when c reaches the value of the first element (30 in case of B, and 72 in case of B ∗ ), ¯ S0/N seems to turn into constant, but at a very low value. We can conclude that, just as in the case of a single compromised member, in the general case too, the level of privacy provided by the system essentially depends on the value of the first element of the branching factor vector. The plot on the right hand side of the figure reinforces this observation: it shows ¯ S0/N for two branching factor vectors that have the same first element but that differ in the other elements. As we can see, the curves are almost perfectly overlapping. Thus, a practical design principle for key-tree based private authentication systems is to maximize the branching factor at the first level of the key-tree. Further optimization by adjusting the branching factors of the lower levels may still be possible, but the gain is not significant; what really counts is the branching factor at the first level. 4 All computations have been done in Matlab, and for the purpose of repeatability, the source code is available on-line at http://www.crysys.hu/∼holczer/PET2006 22
Estimated normalised average anonimity set size (S 0 /N) 1 0.8 0.6 0.4 0.2 B = [72 5 5 5 3] B = [30 30 30] 0 0 20 40 60 80 100 Number of compromised members (c) Estimated normalised average anonimity set size (S 0 /N) 1 0.8 0.6 0.4 0.2 2.5. The group-based approach B = [60 30 15] B = [60 5 5 3 3 2] 0 0 20 40 60 80 100 Number of compromised members (c) Figure 2.5: The value of ¯ S0/N as a function of c for different branching factor vectors. The figure illustrates, how different systems can be compared based on the approximation ¯ S0/N. On the left hand side, we can see that the value of ¯ S0/N is greater for the vector (72, 5, 5, 5, 3) than for the vector (30, 30, 30) not only for c = 1 (as we saw earlier), but for larger values of c too. On the right hand side, we can see that ¯ S0/N is almost the same for the vector (60, 5, 5, 3, 3, 2) as for the vector (60, 30, 15). We can conclude that ¯ S0/N is essentially determined by the value of the first element of the branching factor vector. 2.5 The group-based approach In the group based authentication scheme, the set of all tags is divided into groups of equal size, and all tags of a given group share a common group key. Since the group keys do not enable the reader to identify the tags uniquely, every tag also stores a unique identifier. Keys are secret (each group key is known only to the reader and the members of the corresponding group), but identifiers can be public. To avoid impersonation of a tag from the same group, every tag has a unique secret key as well. This key is only shared between the tag and the reader. To reduce the storage demands on the reader side, the pairwise key can be generated from a master key using the identifier of the tag. In order to authenticate a tag, the reader sends a single challenge to the tag. The answer of the tag has two parts. In the first part, the tag answers to the reader by encrypting with the group key the reader’s challenge concatenated with a nonce picked by the tag, and the tag’s identifier. In the second part, the tag encrypts the challenge concatenated with the nonce using its own secret key. Encrypting the identifier is needed since the key used for encryption does not identify uniquely the tag. Upon reception of the answer, the reader identifies the tag by trying all the group keys until the decryption succeeds. Then it checks the second part, that it was encrypted by the same tag. Without the second part, every tag could impersonate every other tag in the same group. The operation of the group-based private authentication scheme is illustrated in Figure 2.6. The complexity of the group-based scheme for the reader depends on the number of the groups. In particular, if there are γ groups, then, in the worst case, the reader must try γ keys. Therefore, if the upper bound on the worst case complexity is given as a design parameter, then γ is easily determined. For example, to get the same complexity as in the key-tree based scheme with constant branching factor, one may choose γ = (b log b N) − 1, where N is the total number of tags and b is the branching factor of the key-tree. The minus one indicates the decryption of the second part of the message. An immediate advantage of the group-based scheme with respect to the key-tree based approach is that the tags need to store only two keys and an identifier. In contrast to this, in the key-tree based scheme, the number of keys stored by the tags depends on the depth of the tree. For instance, in the case of the Molnar-Wagner scheme, the tags must store log b N keys. Moreover, by using only two keys, this scheme also has a smaller complexity for the tag in terms of computation and communication. Besides its advantages with respect to complexity, the group-based scheme provides a higher 23
Page 1: Budapest University of Technology a
Page 5 and 6: Abstract Wireless networks are used
Page 7 and 8: Kivonat Vezeték nélküli hálóza
Page 9: Acknowledgement First of all, I wou
Page 12 and 13: CONTENTS 4 Anonymous Aggregator Ele
Page 15: List of Tables 2.1 Illustration of
Page 19 and 20: Chapter 1 Introduction In this diss
Page 21 and 22: 1.2. Introduction to Vehicular Ad H
Page 23 and 24: 1.3. Introduction to Wireless Senso
Page 25: 1.3. Introduction to Wireless Senso
Page 28 and 29: 2. PRIVATE AUTHENTICATION Some year
Page 30 and 31: 2. PRIVATE AUTHENTICATION anonymity
Page 32 and 33: 2. PRIVATE AUTHENTICATION Obviously
Page 34 and 35: 2. PRIVATE AUTHENTICATION In order
Page 36 and 37: 2. PRIVATE AUTHENTICATION Proof. By
Page 38 and 39: 2. PRIVATE AUTHENTICATION 2.4 Analy
Page 42 and 43: 2. PRIVATE AUTHENTICATION Reader R
Page 44 and 45: 2. PRIVATE AUTHENTICATION P ( ( N
Page 46 and 47: 2. PRIVATE AUTHENTICATION Avoine et
Page 48 and 49: 3. LOCATION PRIVACY IN VANETS pseud
Page 50 and 51: 3. LOCATION PRIVACY IN VANETS Since
Page 52 and 53: 3. LOCATION PRIVACY IN VANETS This
Page 54 and 55: 3. LOCATION PRIVACY IN VANETS reach
Page 56 and 57: 3. LOCATION PRIVACY IN VANETS N5.1
Page 58 and 59: 3. LOCATION PRIVACY IN VANETS Succe
Page 60 and 61: 3. LOCATION PRIVACY IN VANETS Figur
Page 62 and 63: 3. LOCATION PRIVACY IN VANETS 3.7.2
Page 64 and 65: 3. LOCATION PRIVACY IN VANETS map,
Page 67 and 68: Chapter 4 Anonymous Aggregator Elec
Page 69 and 70: 4.2. System and attacker models res
Page 71 and 72: 4.3. Basic protocol The main differ
Page 73 and 74: Table 4.1: Estimated time of the bu
Page 75 and 76: Probability of being cluster aggreg
Page 77 and 78: − n∑ i=1 H = − n+1 ∑ 4.3. B
Page 79 and 80: 4.4. Advanced protocol Table 4.3: S
Page 81 and 82: 100 90 80 70 60 50 40 30 20 10 0 0
Page 83 and 84: 4.4. Advanced protocol If we consid
Page 85 and 86: 4.4.4 Query 4.4. Advanced protocol
Page 87 and 88: L N D B NM < L N (4.5) A (4.7) (4.6
Page 89 and 90: R ′ = R− N i=1 h(Q|ki) ÆÓ Å
Page 91:
4.7. Related publications systems w
Page 94 and 95:
5. APPLICATION OF NEW RESULTS an ap
Page 96 and 97:
6. CONCLUSION on this knowledge, sh
Page 99:
List of Acronyms CA Cluster Aggrega
Page 102 and 103:
LIST OF PUBLICATIONS [Holczer and B
Page 104 and 105:
BIBLIOGRAPHY [Beye and Veugen, 2011
Page 106 and 107:
BIBLIOGRAPHY [El Zarki et al., 2002
Page 108 and 109:
BIBLIOGRAPHY [Juels, 2005b] A. Juel
Page 110 and 111:
BIBLIOGRAPHY [Oliveira et al., 2008
Page 112:
BIBLIOGRAPHY [Wiedersheim et al., 2
show all

Thesis

Create successful ePaper yourself

Delete template?

Save as template?