Thesis

More documents

Recommendations

Info

2. PRIVATE AUTHENTICATION P ( ( N − 2n ) ) Ai ∩ Aj = c ( N c ) = (2.29) c−1 ∏ ( = 1 − 2n ) N − j (2.30) j=0 j=0 P ( ) ( ) ( ) Ai ∩ Aj = P Ai|Aj P Aj = (2.31) ⎡ c−1 ∏ ( ) = ⎣1 n − 1 − N − n − j ⎤ ⎦ · (2.32) c−1 ∏ ( · 1 − n ) N − j j=0 (2.33) Based on the above formulae, the expected value of R is computed as a function of c for N = 2 14 and γ = 64. The results are plotted on the left hand side of Figure 2.8. The same plot also contains the results of a Matlab simulation with the same parameters, where we chose the c compromised tags uniformly at random. For each value of c, 10 simulations are run, computed the exact values of the average anonymity set size using (2.19) directly, and averaged the results. As it can be seen in the figure, the analytical results match the results of the simulation. I performed the same verification for several other values of N and γ, and in each case, I obtained the same matching results. 2.7 Comparison of the group and the key-tree based approach In this section, I compare the group-based scheme to the key-tree based scheme. The methodology is the following: for a given number N of tags and upper bound γ on the worst case complexity for the reader, I determine the optimal key-tree using the algorithm proposed in 2.3. Then, I compare the level of privacy provided by this optimal key-tree to that provided by the group-based scheme with γ groups and N tags. The comparison is performed by means of simulations. A simulation run consists in randomly choosing c compromised tags, and computing the resulting normalized average anonymity set size R for both the optimal key-tree and the group-based scheme. For the former, we can use the formulae (2.15 – 2.17), while for the latter, I use formula (2.19) directly. For each value of c, I run several simulation runs, and average the results. The simulation parameters were the following: for the number N of tags, only powers of 2 are considered, because in practice, that number is related to the size of the identifier space, and identifiers are usually represented as binary strings. Thus, in the simulations, N = 2 x , and x is varied between 10 and 15 with a step size of 1. The values for the worst case complexity γ (which coincides with the number of groups in the group-based scheme) were 64, 128, and 256. Finally, the number c of compromised tags from 1 to 3γ is varied. For each combination of these values, 100 simulation runs were performed. The right hand side of Figure 2.8 shows the results that we can obtain for N = 2 10 and γ = 64. The plots corresponding to the other simulation settings are not included, because they are very similar to the one in Figure 2.8. As we can see, the group-based scheme provides a higher level of privacy when the number of compromised tags does not exceed a threshold. Above the threshold, the key-tree based scheme becomes better, however, in this region, both schemes provide virtually 26
Level of privacy (R) 1 0.9 0.8 0.7 0.6 0.5 0.4 0.3 0.2 0.1 Simulation result Formal result 0 0 50 100 150 200 Number of compromised members (c) Level of privacy(R) 1 0.9 0.8 0.7 0.6 0.5 0.4 0.3 0.2 0.1 2.8. Related work Tree based authentication Group based authentication 0 0 50 100 150 200 Number of compromised members (c) Figure 2.8: On the left hand side: The analytical results obtained for the expected value of R match the averaged results of ten simulations. The parameters are: N = 2 14 and γ = 64. On the right hand side: Results of the simulation aiming at comparing the key-tree based scheme and the group-based scheme. The curves show the level R of privacy as a function of the number c of the compromised tags. The parameters are: N = 2 10 and γ = 64. The confidence intervals are not shown, because they are in the range of 10 −3 , and therefore, they would be hardly visible. As we can see, the group-based scheme achieves a higher level of privacy when c is below a threshold. Above the threshold, the key-tree based approach is slightly better, however, in this region, both schemes provide virtually no privacy. no privacy. Thus, for any practical purposes, the group-based scheme is better than the key-tree based scheme (even if optimal key-trees are used). 2.8 Related work The problem of private authentication has been extensively studied in the literature recently, but most of the proposed solutions are based on public key cryptography. One example is Idemix, which is a practical anonymous credential system proposed by Camenisch and Lysyanskaya in [Camenisch and Lysyanskaya, 2001]. Idemix allows for unlinkable demonstration of the possession of various credentials, and it can be used in many applications. However, it is not applicable in resource constraint scenarios, such as low-cost RFID systems. For such applications, solutions based on symmetric key cryptography seem to be the only viable options. A comprehensive bibliography of RFID related privacy problems is maintained by Avoine in [Avoine, 2012]. A recent survey of RFID privacy approaches is published by Langheinrich [Langheinrich, 2009], where he overviews 60 papers in this field. Another important paper by Syamsuddin et al. survey the hash chain based RFID authentication protocols in [Syamsuddin et al., 2008]. In the following I try to focus on the methods similar to the ones described in this thesis, and encourage the reader to read the aforementioned surveys for a broader view. The key-tree based approach for symmetric key private authentication has been proposed by Molnar and Wagner in [Molnar and Wagner, 2004]. However, they use a simple b-ary tree, which means that the tree has the same branching factor at every level. Moreover, they do not analyze the effects of compromised members on the level of privacy provided. They only mention that compromise of a member has a wider effect than in the case of public key cryptography based solutions. An entropy based analysis of key trees can be found in [Nohara et al., 2005]. Nohara et al. prove that their K-steps ID matching scheme (which is very similar to [Molnar and Wagner, 2004]) is secure against one compromised tag, if the number of nodes are large enough. They consider only b-ary trees, no variable branching factors. 27
Page 1: Budapest University of Technology a
Page 5 and 6: Abstract Wireless networks are used
Page 7 and 8: Kivonat Vezeték nélküli hálóza
Page 9: Acknowledgement First of all, I wou
Page 12 and 13: CONTENTS 4 Anonymous Aggregator Ele
Page 15: List of Tables 2.1 Illustration of
Page 19 and 20: Chapter 1 Introduction In this diss
Page 21 and 22: 1.2. Introduction to Vehicular Ad H
Page 23 and 24: 1.3. Introduction to Wireless Senso
Page 25: 1.3. Introduction to Wireless Senso
Page 28 and 29: 2. PRIVATE AUTHENTICATION Some year
Page 30 and 31: 2. PRIVATE AUTHENTICATION anonymity
Page 32 and 33: 2. PRIVATE AUTHENTICATION Obviously
Page 34 and 35: 2. PRIVATE AUTHENTICATION In order
Page 36 and 37: 2. PRIVATE AUTHENTICATION Proof. By
Page 38 and 39: 2. PRIVATE AUTHENTICATION 2.4 Analy
Page 40 and 41: 2. PRIVATE AUTHENTICATION For each
Page 42 and 43: 2. PRIVATE AUTHENTICATION Reader R
Page 46 and 47: 2. PRIVATE AUTHENTICATION Avoine et
Page 48 and 49: 3. LOCATION PRIVACY IN VANETS pseud
Page 50 and 51: 3. LOCATION PRIVACY IN VANETS Since
Page 52 and 53: 3. LOCATION PRIVACY IN VANETS This
Page 54 and 55: 3. LOCATION PRIVACY IN VANETS reach
Page 56 and 57: 3. LOCATION PRIVACY IN VANETS N5.1
Page 58 and 59: 3. LOCATION PRIVACY IN VANETS Succe
Page 60 and 61: 3. LOCATION PRIVACY IN VANETS Figur
Page 62 and 63: 3. LOCATION PRIVACY IN VANETS 3.7.2
Page 64 and 65: 3. LOCATION PRIVACY IN VANETS map,
Page 67 and 68: Chapter 4 Anonymous Aggregator Elec
Page 69 and 70: 4.2. System and attacker models res
Page 71 and 72: 4.3. Basic protocol The main differ
Page 73 and 74: Table 4.1: Estimated time of the bu
Page 75 and 76: Probability of being cluster aggreg
Page 77 and 78: − n∑ i=1 H = − n+1 ∑ 4.3. B
Page 79 and 80: 4.4. Advanced protocol Table 4.3: S
Page 81 and 82: 100 90 80 70 60 50 40 30 20 10 0 0
Page 83 and 84: 4.4. Advanced protocol If we consid
Page 85 and 86: 4.4.4 Query 4.4. Advanced protocol
Page 87 and 88: L N D B NM < L N (4.5) A (4.7) (4.6
Page 89 and 90: R ′ = R− N i=1 h(Q|ki) ÆÓ Å
Page 91: 4.7. Related publications systems w
Page 94 and 95:
5. APPLICATION OF NEW RESULTS an ap
Page 96 and 97:
6. CONCLUSION on this knowledge, sh
Page 99:
List of Acronyms CA Cluster Aggrega
Page 102 and 103:
LIST OF PUBLICATIONS [Holczer and B
Page 104 and 105:
BIBLIOGRAPHY [Beye and Veugen, 2011
Page 106 and 107:
BIBLIOGRAPHY [El Zarki et al., 2002
Page 108 and 109:
BIBLIOGRAPHY [Juels, 2005b] A. Juel
Page 110 and 111:
BIBLIOGRAPHY [Oliveira et al., 2008
Page 112:
BIBLIOGRAPHY [Wiedersheim et al., 2
show all

Thesis

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?