Rethinking Identification Protocols from the Point of View of the GDPR

  • Mirosław Kutyłowski
  • Łukasz Krzywiecki
  • Xiaofeng Chen
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11527)

Abstract

An identification protocol has to deliver a proof that the protocol participants are who they claim to be. Depending on the circumstances, the proof must be sufficiently convincing for the addressee. On the other hand, as far as the data minimality principle is concerned, the proof should be useless for any party that is not the intended addressee. While the first goal has attracted a lot of attention, the second one has been rather neglected.

In this paper we discuss requirements for identification protocols from the point of view of the privacy protection requirements of the GDPR regulation introduced in Europe. We consider the problem of cryptographic data created by identification protocols being misused as evidence presented to third parties. We consider in particular the case in which a malicious participant appears to follow the protocol, yet the privacy protection guarantees supposedly provided by the scheme are effectively broken.

We show that, from the point of view of the GDPR, classical schemes such as static Diffie-Hellman, Schnorr, Wu, Stinson-Wu, and Di Raimondo-Gennaro fail to comply with the EU Regulation even if they are deniable.

Keywords

Identification scheme; Privacy protection; GDPR; Attack; Deniability; Simulatability

References

  1. Diffie, W., Hellman, M.E.: New directions in cryptography. IEEE Trans. Inf. Theory 22(6), 644–654 (1976). https://doi.org/10.1109/TIT.1976.1055638
  2. Blake-Wilson, S., Menezes, A.: Authenticated Diffie-Hellman key agreement protocols. In: Tavares, S., Meijer, H. (eds.) SAC 1998. LNCS, vol. 1556, pp. 339–361. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48892-8_26
  3. The European Parliament and the Council of the European Union: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). Off. J. Eur. Union 119(1) (2016)
  4. Hanzlik, L., Kluczniak, K., Kutyłowski, M.: Controlled randomness – a defense against backdoors in cryptographic devices. In: Phan, R.C.-W., Yung, M. (eds.) Mycrypt 2016. LNCS, vol. 10311, pp. 215–232. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-61273-7_11
  5. Young, A.L., Yung, M.: Malicious Cryptography - Exposing Cryptovirology. Wiley, Hoboken (2004)
  6. Błaśkiewicz, P., et al.: Pseudonymous signature schemes. In: Li, K.-C., Chen, X., Susilo, W. (eds.) Advances in Cyber Security: Principles, Techniques, and Applications, pp. 185–255. Springer, Singapore (2019). https://doi.org/10.1007/978-981-13-1483-4_8
  7. Di Raimondo, M., Gennaro, R.: New approaches for deniable authentication. J. Cryptol. 22(4), 572–615 (2009). https://doi.org/10.1007/s00145-009-9044-3
  8. Bender, J., Dagdelen, Ö., Fischlin, M., Kügler, D.: The PACE|AA protocol for machine readable travel documents, and its security. In: Keromytis, A.D. (ed.) FC 2012. LNCS, vol. 7397, pp. 344–358. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32946-3_25
  9. Damgård, I.: Towards practical public key systems secure against chosen ciphertext attacks. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 445–456. Springer, Heidelberg (1992). https://doi.org/10.1007/3-540-46766-1_36
  10. Schnorr, C.P.: Efficient signature generation by smart cards. J. Cryptol. 4(3), 161–174 (1991)
  11. Wu, J.: Cryptographic protocols, sensor network key management, and RFID authentication. Ph.D. thesis, University of Waterloo, Ontario, Canada (2009). http://hdl.handle.net/10012/4501
  12. Stinson, D.R., Wu, J.: An efficient and secure two-flow zero-knowledge identification protocol. J. Math. Cryptol. 1(3), 201–220 (2007). https://doi.org/10.1515/JMC.2007.010

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  • Mirosław Kutyłowski (1, 2)
  • Łukasz Krzywiecki (1)
  • Xiaofeng Chen (2)

  1. Department of Computer Science, Faculty of Fundamental Problems of Technology, Wrocław University of Technology, Wrocław, Poland
  2. School of Cyber Engineering, Xidian University, Xi’an, People’s Republic of China