
UNIVERSITY OF HYDERABAD

Crypto Techniques for Authentication and Anonymous Payments

Thulasi.G, 04MCMT34

Supervisors: Ashutosh Saxena and Dr. Atul Negi

Agenda

1. Problems considered
2. Motivation
3. Preliminaries of Bilinear Pairings and complexity assumptions
4. Introduction to Digital Cash
5. Scheme for online cash
6. Scheme for offline cash
7. Scheme for online cash for multiple denominations
8. Introduction to Remote User Authentication
9. Review of Das et al.'s scheme
10. Review of Chou et al.'s modification
11. Cryptanalysis of Das et al.'s and Chou et al.'s schemes
12. Improvement of Das et al.'s scheme
13. Conclusion

Problems considered

1. Scheme for Digital Cash using bilinear pairings in Elliptic Curve Cryptography for bandwidth reduction

2. Scheme for Remote User Authentication using bilinear pairings with smart cards
• To avoid many users using the same account to login
• To reduce the data to be communicated
• For lost card revocation
• Key exchange

Motivation

1. Elliptic Curve Cryptography requires only 163 bits to achieve the level of security achieved by 1024 bits for RSA [1]. Bandwidth reduction would be a help to the present industry.

2. Weaknesses of previously proposed Remote User Authentication schemes.

Preliminaries of Bilinear Pairings

Properties

Bilinear: e(aP, bQ) = e(P, Q)^(ab) for P, Q in G1 and a, b in Zq*. Equivalently, for P, Q and R in G1,

e(P, Q+R) = e(P, Q) e(P, R)

e(P+Q, R) = e(P, R) e(Q, R)

Non-degenerate: if P is a generator of G1, then e(P, P) is a generator of G2, i.e. e(P, P) ≠ 1.

Computable: e(P, Q) is computable in polynomial time.

Complexity Assumptions

Discrete Logarithm Problem (DLP):

Given two elements P, Q in G1, find an integer a in Zq* such that Q = aP whenever such an integer exists.

Computational Diffie-Hellman Problem (CDHP):

Given P, aP, bP in G1 for any a, b in Zq*, compute abP.

Complexity Assumptions (contd.)

Decisional Diffie-Hellman Problem (DDHP):

Given P, aP, bP, cP in G1 for any a, b, c in Zq*, decide whether c = ab mod q.

Gap Diffie-Hellman Group:

G1 is a GDH group if there exists an efficient polynomial-time algorithm which solves DDHP in G1 and there is no probabilistic polynomial-time algorithm which solves CDHP in G1 with non-negligible probability of success.

Introduction to Digital Cash

Properties of Digital Cash
1. Anonymity
2. Privacy/Untraceability

Entities involved
1. Bank
2. Customer
3. Merchant

Introduction to Digital Cash (contd.)

Types of digital cash
1. Online digital cash
2. Offline digital cash

Phases in the scheme for digital cash
1. System Setup
2. Cash Issuance
3. Payment
4. Deposit

Scheme for online cash

System setup

1. Bank generates a prime q, two groups (G1, +) and (G2, ·) of order q and a bilinear map e: G1 × G1 -> G2.

2. Bank chooses a random generator P of G1.

3. Bank defines a cryptographic hash function H0: {0,1}* -> G1.

4. Bank picks a random s and sets the public key Ppub = sP. Bank keeps the master key s secret and publishes the public parameters (G1, G2, e, P, Ppub, H0).

Scheme for online cash (contd.)

Cash Issuance

1. Customer chooses a random currency number x and a blinding factor r.

2. Customer supplies the bank with the blinded value B = H0(x) + rP.

3. Bank signs the blinded currency number B as sign1 = sB, withdraws 1 unit of money from the customer's account and sends the signature sign1 back to the customer.

4. Customer un-blinds and verifies the bank's signature:

sign = sign1 − r·Ppub

e(Ppub, H0(x)) == e(P, sign)

Scheme for online cash (contd.)

Payment and Deposit

1. To pay the merchant 1 unit of money, the customer gives him the pair (x, sign).

2. The merchant calls the bank, which verifies that this e-coin has not already been deposited, as the bank maintains a database of spent coins.
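The pairing properties from the preliminaries and the online cash scheme above (setup, blinded issuance, un-blinding, and the bank's spent-coin check at deposit), as an added worked example that is not part of the original presentation. It uses a toy pairing: G1 is modelled as the additive group Zq, storing the element aP as the scalar a, and a G2 element is stored as its discrete log to base e(P,P), so e(X, Y) = X·Y mod q, the G2 product is addition and G2 exponentiation is multiplication. This map is bilinear, non-degenerate and computable, so every verification equation of the scheme holds exactly, but discrete logs are trivial in it: the example shows the algebra and the bookkeeping, not the scheme's security. The 61-bit group order, the SHA-256 based H0, and the names Bank, withdraw and verify_coin are assumptions of this example.

```python
"""Toy model of the pairing properties and the online cash scheme (constructed
example).  G1 = Z_q with a*P stored as the scalar a; a G2 element is stored as
its discrete log to base e(P,P), so e(X, Y) = X*Y mod q.  Discrete logs are
trivial here: this shows the scheme's algebra, not its security.
"""
import hashlib
import secrets

Q = (1 << 61) - 1            # prime group order (Mersenne prime 2^61 - 1), an assumed toy size
P = 1                        # the generator P of G1 is the scalar 1

def e(x, y):                 # toy bilinear map e: G1 x G1 -> G2
    return x * y % Q

def g2_mul(z1, z2):          # product of two G2 elements
    return (z1 + z2) % Q

def g2_pow(z, n):            # z^n in G2
    return z * n % Q

def h0(data: bytes) -> int:  # H0: {0,1}* -> G1 (hash to a scalar multiple of P)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def pairing_properties_hold() -> bool:
    """e(aP,bQ) = e(P,Q)^ab, e(P,Q+R) = e(P,Q)e(P,R), e(P,P) != 1 and of order q."""
    a, b, X, Y, Z = (secrets.randbelow(Q - 1) + 1 for _ in range(5))
    bilinear = e(a * X % Q, b * Y % Q) == g2_pow(e(X, Y), a * b)
    additive = e(X, (Y + Z) % Q) == g2_mul(e(X, Y), e(X, Z))
    nondegenerate = e(P, P) != 0 and g2_pow(e(P, P), Q) == 0   # 0 is the identity of G2
    return bilinear and additive and nondegenerate

def verify_coin(ppub, coin) -> bool:
    """e(Ppub, H0(x)) == e(P, sign): sign is the bank's signature s*H0(x)."""
    x, sign = coin
    return e(ppub, h0(x)) == e(P, sign)

class Bank:
    def __init__(self):
        self.s = secrets.randbelow(Q - 1) + 1      # master key s, kept secret
        self.ppub = self.s * P % Q                 # Ppub = sP, published
        self.balances = {}
        self.spent = set()                         # currency numbers already deposited

    def sign_blinded(self, account, blinded):
        """sign1 = s*B on the blinded value; the bank never sees x or H0(x)."""
        self.balances[account] = self.balances.get(account, 0) - 1   # withdraw 1 unit
        return self.s * blinded % Q

    def deposit(self, merchant, coin) -> bool:
        """Online check at payment time: valid signature and not yet in the spent database."""
        if not verify_coin(self.ppub, coin) or coin[0] in self.spent:
            return False
        self.spent.add(coin[0])
        self.balances[merchant] = self.balances.get(merchant, 0) + 1
        return True

def withdraw(bank, account):
    """Customer side of cash issuance: blind, have the bank sign, un-blind, verify."""
    x = secrets.token_bytes(16)                    # random currency number
    r = secrets.randbelow(Q - 1) + 1               # blinding factor
    blinded = (h0(x) + r * P) % Q                  # B = H0(x) + rP
    sign1 = bank.sign_blinded(account, blinded)    # sign1 = sB = sH0(x) + r*Ppub
    sign = (sign1 - r * bank.ppub) % Q             # un-blind: sign = sign1 - r*Ppub = sH0(x)
    if not verify_coin(bank.ppub, (x, sign)):
        raise ValueError("bank signature did not verify")
    return x, sign

def demo():
    bank = Bank()
    coin = withdraw(bank, "customer")
    first = bank.deposit("merchant", coin)                  # accepted
    second = bank.deposit("merchant", coin)                 # same coin again: rejected
    tampered = verify_coin(bank.ppub, (coin[0], (coin[1] + 1) % Q))
    return first, second, tampered

if __name__ == "__main__":
    print(pairing_properties_hold(), demo())
```

The bank only ever sees B and sign1, which are independent of x once r is random, so the deposit of (x, sign) cannot be linked to the withdrawal; the spent-coin set is what makes this an online scheme, since the merchant must consult it before accepting payment.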

Scheme for offline cash

System setup

1. Bank generates a prime q, two groups (G1, +) and (G2, ·) of order q and a bilinear map e: G1 × G1 -> G2.

2. Bank chooses a random generator P of G1.

3. Bank defines cryptographic hash functions
• H0: {0,1}* -> G1
• f: {0,1}* × {0,1}* -> {0,1}*
• g: {0,1}* × {0,1}* -> G1

4. Bank picks a random s and sets the public key Ppub = sP. Bank keeps the master key s secret and publishes the public parameters (G1, G2, e, P, Ppub, H0, f, g).

Scheme for offline cash (contd.)

Cash Issuance

1. Customer chooses ai, ci, di and ri, 0 < i < k+1, independently at random, where k is the security parameter. u is the customer's account number and v is the counter associated with the account u.

2. Customer forms f(xi, yi), where xi = g(ai, ci) and yi = g(ai xor (u||(v+i)), di), and sends to the bank the k blinded candidates Bi = f(xi, yi) + riP for 0 < i < k+1.

3. The bank chooses a random subset of k/2 blinded candidates R = {ij}, for 0 < ij < k+1 and 0 < j < k/2 + 1, and transmits it to the customer.

Scheme for offline cash (contd.)

4. Customer reveals the ai, ci, di, ri values for all i in R, and the bank checks whether the correct information of the customer is embedded in them. To simplify the notation we will assume R = {k/2, k/2 + 1, …, k}.

5. The bank sums up the remaining blinded candidates f(xi, yi) + riP and signs the sum:

C1 = s · Σ_{i ∉ R} (f(xi, yi) + ri P)

Bank withdraws 1 unit of money from the customer's account and also increments the customer's counter v by k.

6. Customer can easily extract the electronic coin:

C = C1 − (Σ_{i ∉ R} ri) Ppub = s · Σ_{i ∉ R} f(xi, yi)

Customer re-indexes the candidates in C to be lexicographic on their representation, f(x1, y1) < f(x2, y2) < … < f(xk/2, yk/2). Customer also increments his counter v by k.

Scheme for offline cash (contd.)

Payment

1. Customer sends C to the merchant.

2. Merchant chooses and sends a random bit string z1, z2, …, zk/2 to the customer.

3. Customer responds as follows for all 0 < i < k/2 + 1, according to the bits of the string received:
• If the bit zi is 1, customer gives the merchant ai, ci, yi.
• If the bit zi is 0, customer gives the merchant xi, ai xor (u||(v+i)), di.

Scheme for offline cash (contd.)

4. From the customer's responses, the merchant computes

M = Σ f(xi, yi) for i = 1..k/2

and verifies

e(Ppub, M) == e(P, C)

5. Merchant later sends C and the customer's responses to the bank, which verifies their correctness and credits his account.

Scheme for offline cash (contd.)

Deposit

1. Merchant submits C, his query string z1, z2, …, zk/2 and the values ai (for zi = 1) and ai xor (u||(v+i)) (for zi = 0).

2. Bank checks its records to ensure that C has not been used before. If the customer double spends C, with high probability the bank has both ai and ai xor (u||(v+i)) for at least one i. So the bank can isolate u||(v+i) and trace the payment to the customer's account.
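The offline scheme end to end, as an added worked example that is not part of the original presentation: cut-and-choose issuance (the bank opens k/2 candidates and checks that each embeds u||(v+i)), the merchant's bit-string challenge and the e(Ppub, M) == e(P, C) check, and the bank's deposit bookkeeping that traces a double spender from two transcripts of the same coin. The pairing is the same toy model as before (G1 = Zq with aP stored as the scalar a, e(X, Y) = X·Y mod q), so discrete logs are trivial and only the algebra and bookkeeping are demonstrated. Constructed assumptions: k = 8, 16-byte ai/ci/di, a 12-byte account number u followed by a 4-byte counter, SHA-256 instances of f and g, and the fixed challenge strings in demo().

```python
"""Toy model of the offline cash scheme: cut-and-choose issuance, the
challenge-response payment, and double-spend tracing at deposit (constructed
example).  G1 = Z_q with a*P stored as the scalar a; e(X, Y) = X*Y mod q.
Discrete logs are trivial here: this shows algebra and bookkeeping, not security.
"""
import hashlib
import secrets

Q = (1 << 61) - 1           # prime group order (assumed toy size)
P = 1                       # generator of G1
K = 8                       # security parameter k: k candidates, k/2 are opened
L = 16                      # byte length of a_i, c_i, d_i and of u||(v+i) (12 + 4 bytes)

def e(x, y): return x * y % Q
def xor(a, b): return bytes(p ^ q for p, q in zip(a, b))
def g(a, b): return hashlib.sha256(b"g" + a + b).digest()            # g: {0,1}* x {0,1}* -> G1 (kept as bytes)
def f(x, y): return int.from_bytes(hashlib.sha256(b"f" + x + y).digest(), "big") % Q  # f(x_i,y_i) as a G1 scalar
def ident(u, v, i): return u + (v + i).to_bytes(4, "big")            # u || (v+i)

class Bank:
    def __init__(self):
        self.s = secrets.randbelow(Q - 1) + 1
        self.ppub = self.s * P % Q
        self.counters = {}          # account u -> counter v
        self.spent = {}             # coin C -> (challenge, responses) of its first deposit

    def choose_subset(self):
        return set(secrets.SystemRandom().sample(range(1, K + 1), K // 2))

    def issue(self, u, blinded, R, opened):
        """Open k/2 candidates, check each embeds u||(v+i), sign the sum of the rest."""
        v = self.counters.get(u, 0)
        for i in R:
            o = opened[i]
            x, y = g(o["a"], o["c"]), g(xor(o["a"], ident(u, v, i)), o["d"])
            if (f(x, y) + o["r"] * P) % Q != blinded[i - 1]:
                raise ValueError("candidate %d does not embed the account identity" % i)
        self.counters[u] = v + K
        total = sum(blinded[i - 1] for i in range(1, K + 1) if i not in R) % Q
        return self.s * total % Q                     # C1 = s * sum_{i not in R} (f(x_i,y_i) + r_i P)

    def deposit(self, C, challenge, responses):
        if not merchant_verify(self.ppub, C, challenge, responses):
            return "invalid", None
        if C not in self.spent:
            self.spent[C] = (challenge, responses)
            return "credited", None
        return "double-spent", trace(self.spent[C], (challenge, responses))

def withdraw(bank, u, v):
    cands = []
    for i in range(1, K + 1):
        a, c, d = (secrets.token_bytes(L) for _ in range(3))
        cands.append(dict(i=i, a=a, c=c, d=d, r=secrets.randbelow(Q),
                          x=g(a, c), y=g(xor(a, ident(u, v, i)), d)))
    blinded = [(f(cd["x"], cd["y"]) + cd["r"] * P) % Q for cd in cands]   # B_i = f(x_i,y_i) + r_i P
    R = bank.choose_subset()
    c1 = bank.issue(u, blinded, R, {i: cands[i - 1] for i in R})
    kept = sorted((cd for cd in cands if cd["i"] not in R), key=lambda cd: f(cd["x"], cd["y"]))
    C = (c1 - sum(cd["r"] for cd in kept) * bank.ppub) % Q                # C = C1 - (sum r_i) Ppub
    return dict(C=C, cands=kept, u=u, v=v)                                # customer now increments v by K

def pay(coin, challenge):
    """Customer's answers: bit 1 -> (a_i, c_i, y_i); bit 0 -> (x_i, a_i xor u||(v+i), d_i)."""
    return [(cd["a"], cd["c"], cd["y"]) if z == 1
            else (cd["x"], xor(cd["a"], ident(coin["u"], coin["v"], cd["i"])), cd["d"])
            for cd, z in zip(coin["cands"], challenge)]

def merchant_verify(ppub, C, challenge, responses):
    """M = sum f(x_i, y_i) rebuilt from the answers, then e(Ppub, M) == e(P, C)."""
    M = 0
    for z, resp in zip(challenge, responses):
        x, y = (g(resp[0], resp[1]), resp[2]) if z == 1 else (resp[0], g(resp[1], resp[2]))
        M = (M + f(x, y)) % Q
    return len(responses) == K // 2 and e(ppub, M) == e(P, C)

def trace(first, second):
    """Two transcripts of one coin: where the challenge bits differ the bank holds both
    a_i and a_i xor u||(v+i); their xor is u||(v+i)."""
    (z1, r1), (z2, r2) = first, second
    for i, (b1, b2) in enumerate(zip(z1, z2)):
        if b1 != b2:
            a = r1[i][0] if b1 == 1 else r2[i][0]
            a_masked = r2[i][1] if b1 == 1 else r1[i][1]
            return xor(a, a_masked)
    return None        # identical challenges (probability 2^-(k/2)): no tracing possible

def demo():
    bank = Bank()
    u = b"ACCOUNT-0042"                        # 12-byte account number (constructed)
    coin = withdraw(bank, u, v=0)
    z1, z2 = [1, 0, 1, 1], [0, 0, 1, 0]        # two merchants' challenges (constructed; random in practice)
    first = bank.deposit(coin["C"], z1, pay(coin, z1))
    second = bank.deposit(coin["C"], z2, pay(coin, z2))   # same coin spent twice
    return first, second

if __name__ == "__main__":
    status, traced = demo()[1]
    print(status, traced[:12], int.from_bytes(traced[12:], "big"))
```

A single honest payment reveals, per candidate, either ai or ai xor (u||(v+i)) but never both, which is what keeps the payment anonymous; tracing only becomes possible when two merchants' challenge strings differ in at least one position, so the merchant's challenge must be random and not reused.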

Scheme for online cash for multiple denominations

1. Cookie jar
2. Declared note value
3. Hidden note value

Basic idea: the bank uses k secret keys for up to 2^k − 1 denominations.

Introduction to Remote User Authentication

Objectives of the scheme
1. Authentication with smart cards
2. Avoiding large password tables
3. Providing a password change option
4. Online registration of the smart card
5. Key agreement and lost card revocation

Phases
1. Registration
2. Login
3. Verification
4. Password Change

Review of Das et al.'s scheme

Registration
• U submits his ID and password PW to RS.
• RS computes RegID = sH(ID) + H(PW).
• RS personalizes the smart card with ID, RegID, H(.) and sends the smart card to U in a secure manner.

Login
• U inserts the smart card into the terminal and submits ID and PW.
• Smart card computes DID = T·RegID and V = T·H(PW).
• Smart card sends the login request <ID, DID, V, T> to RS over a public channel, where T is the timestamp.

Review of Das et al.'s scheme (contd.)

Verification
• RS receives <ID, DID, V, T> at time T* and verifies the validity of the time interval between T* and T by checking whether T* − T ≤ ΔT. If it holds, RS checks whether e(DID − V, P) == e(H(ID), Ppub)^T.
• If both checks are valid RS accepts the request and rejects it otherwise.

Review of Das et al.'s scheme (contd.)

Password Change
• U inserts the smart card into the terminal and submits ID and PW. The smart card verifies the entered ID against the one stored in the card. If the ID matches, it prompts U for a new password. U submits a new password PW*.
• Smart card computes RegID* = RegID − H(PW) + H(PW*) = s·H(ID) + H(PW*).
• Smart card replaces the previously stored RegID by RegID*.

Chou et al.'s analysis and modification

Chou et al. pointed out that the verification in Das et al.'s scheme holds valid even with DID1 = DID + a and V1 = V + a, where a is from G1, as shown below.

e(DID1 − V1, P) = e(DID − V, P) = e(H(ID), Ppub)^T

To avoid this, Chou et al. proposed the modified verification e(DID, P) == e(TsH(ID) + V, P) to overcome the defect in the verification of Das et al.'s scheme.

Analysis on Chou et al.'s modification

We note that this verification also holds valid for DID1 = DID + a and V1 = V + a, where a is from G1, as shown below.

e(DID1, P) == e(DID, P) e(a, P)
            == e(TsH(ID) + V, P) e(a, P)
            == e(TsH(ID) + V1, P)

Cryptanalysis of Das et al.'s scheme

In the login phase, the tuple <ID, DID, V, T> is sent to RS over a public channel. Any attacker tapping this message can compute a valid tuple <ID1, DID1, V1, T1> as follows.

The attacker computes T^(−1) and obtains RegID and H(PW) from

RegID = T^(−1)·DID and H(PW) = T^(−1)·V

Now the attacker can form the valid tuple <ID1, DID1, V1, T1> for time stamp T1 by computing DID1 = T1·RegID and V1 = T1·H(PW). Thus the attacker can forge a user many times just by intercepting one valid login request of the user.

Improvement of Das et al.'s scheme

Registration and Password Change phases are not altered.

Login
• U inserts the smart card into the terminal and submits ID and PW.
• Smart card, after validating ID, computes

V(Vx, Vy) = r·Ppub

DID = (r + h(T||Vx||Vy)) [RegID − H(PW)]

and sends the login request <ID, DID, V, T> to RS over a public channel, where T is the timestamp and r is a random number generated by the smart card.

Improvement of Das et al.'s scheme (contd.)

Verification
• RS receives <ID, DID, V, T> at time T* and verifies the validity of the time interval between T* and T by checking whether T* − T ≤ ΔT. If it holds, RS checks whether e(DID, P) == e(H(ID), V + h(T||Vx||Vy)·Ppub).
• If both checks are valid RS accepts the request and rejects it otherwise.
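The three verification equations discussed above (Das et al.'s, Chou et al.'s modification, and the improved scheme), the additive-offset observation, the consequence of DID = T·RegID with a public T, and the password change step, as an added worked example that is not part of the original presentation. The same toy pairing is used (G1 = Zq with aP stored as the scalar a, e(X, Y) = X·Y mod q, G2 exponentiation is multiplication), so discrete logs are trivial and only the verification algebra of each variant is checked, not its security; in this model V is a single scalar, so h(T||Vx||Vy) becomes h(T||V). The SHA-256 instances of H and h, the fixed-width encoding, the 60-second ΔT and the names RegistrationServer, login_das and login_improved are assumptions of the example.

```python
"""Toy model of Das et al.'s remote user authentication, the observations on its
verification, and the improved login/verification (constructed example).
G1 = Z_q with a*P stored as the scalar a; e(X, Y) = X*Y mod q and z^n in G2 is
z*n mod q.  Discrete logs are trivial here: this checks verification algebra only.
"""
import hashlib
import secrets

Q = (1 << 61) - 1
P = 1
DELTA_T = 60                                  # accepted T* - T in seconds (assumed policy value)

def e(x, y): return x * y % Q
def g2_pow(z, n): return z * n % Q
def H(data: bytes) -> int:                    # hash to G1, used for H(ID) and H(PW)
    return int.from_bytes(hashlib.sha256(b"H" + data).digest(), "big") % Q
def h(data: bytes) -> int:                    # hash to Z_q, used for h(T||V)
    return int.from_bytes(hashlib.sha256(b"h" + data).digest(), "big") % Q
def enc(*xs): return b"".join(x.to_bytes(8, "big") for x in xs)   # fixed-width T||V encoding

class RegistrationServer:
    def __init__(self):
        self.s = secrets.randbelow(Q - 1) + 1     # master key
        self.ppub = self.s * P % Q                # Ppub = sP

    def register(self, ID, PW):
        return (self.s * H(ID) + H(PW)) % Q       # RegID = sH(ID) + H(PW), stored on the card

    def fresh(self, T, T_star):
        return 0 <= T_star - T <= DELTA_T         # T* - T <= delta T

    def verify_das(self, ID, DID, V, T, T_star):
        """e(DID - V, P) == e(H(ID), Ppub)^T"""
        return self.fresh(T, T_star) and e((DID - V) % Q, P) == g2_pow(e(H(ID), self.ppub), T)

    def verify_chou(self, ID, DID, V, T, T_star):
        """e(DID, P) == e(T s H(ID) + V, P)"""
        return self.fresh(T, T_star) and e(DID, P) == e((T * self.s * H(ID) + V) % Q, P)

    def verify_improved(self, ID, DID, V, T, T_star):
        """e(DID, P) == e(H(ID), V + h(T||V) Ppub)"""
        hv = h(enc(T, V))
        return self.fresh(T, T_star) and e(DID, P) == e(H(ID), (V + hv * self.ppub) % Q)

def login_das(ID, PW, regid, T):
    return ID, T * regid % Q, T * H(PW) % Q, T           # DID = T.RegID, V = T.H(PW)

def login_improved(ID, PW, regid, ppub, T):
    r = secrets.randbelow(Q - 1) + 1                     # fresh random per login
    V = r * ppub % Q                                     # V = r Ppub
    DID = (r + h(enc(T, V))) * (regid - H(PW)) % Q       # (r + h(T||V)) [RegID - H(PW)]
    return ID, DID, V, T

def change_password(regid, PW, PW_new):
    return (regid - H(PW) + H(PW_new)) % Q               # RegID* = RegID - H(PW) + H(PW*)

def offset_observation(rs, ID, PW, regid, T):
    """DID+a, V+a still passes Das's and Chou's checks; the improved check rejects it."""
    a = secrets.randbelow(Q - 1) + 1
    _, DID, V, _ = login_das(ID, PW, regid, T)
    das = rs.verify_das(ID, (DID + a) % Q, (V + a) % Q, T, T)
    chou = rs.verify_chou(ID, (DID + a) % Q, (V + a) % Q, T, T)
    _, DID2, V2, _ = login_improved(ID, PW, regid, rs.ppub, T)
    improved = rs.verify_improved(ID, (DID2 + a) % Q, (V2 + a) % Q, T, T)
    return das, chou, improved

def intercept_observation(rs, ID, PW, regid, T, T1):
    """Das: T is public, so T^-1.DID = RegID and T^-1.V = H(PW), and a tuple for a
    later T1 verifies.  Improved: the captured tuple re-sent with T1 fails, because
    h(T||V) is bound into DID and r is never sent."""
    _, DID, V, _ = login_das(ID, PW, regid, T)
    t_inv = pow(T, -1, Q)
    regid_rec, hpw_rec = t_inv * DID % Q, t_inv * V % Q
    forged = rs.verify_das(ID, T1 * regid_rec % Q, T1 * hpw_rec % Q, T1, T1)
    _, DID2, V2, _ = login_improved(ID, PW, regid, rs.ppub, T)
    resent = rs.verify_improved(ID, DID2, V2, T1, T1)
    return regid_rec == regid, forged, resent

def demo():
    rs = RegistrationServer()
    ID, PW, T = b"alice", b"correct horse", 1_700_000_000     # constructed user and timestamp
    regid = rs.register(ID, PW)
    honest = (rs.verify_das(ID, *login_das(ID, PW, regid, T)[1:], T + 5),
              rs.verify_improved(ID, *login_improved(ID, PW, regid, rs.ppub, T)[1:], T + 5),
              rs.verify_improved(ID, *login_improved(ID, PW, regid, rs.ppub, T)[1:], T + DELTA_T + 1))
    return honest, offset_observation(rs, ID, PW, regid, T), intercept_observation(rs, ID, PW, regid, T, T + 30)

if __name__ == "__main__":
    print(demo())
```

The point the example makes for a verifier: in the original login the only value that changes between sessions is the public timestamp, so everything secret can be divided out of the message; in the improved login the session-specific factor (r + h(T||V)) depends on a value known only to the card, and the timestamp window check (fresh) still has to be enforced on top of the pairing check.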

Revoking lost cards

• Use CID, the card identifier, in place of ID, the user identity.
• Maintain a registration table with the ID and CID of each issued smart card.

If any user with identity ID reports to the server RS that he lost his smart card, the corresponding CID is kept in a revocation list and all requests coming from this CID are cancelled.

Providing online registration of smart cards

Pre-partial personalization phase
• RS chooses a random number r for the smart card numbered CID and stores r securely in the smart card.
• RS stores CID and r in the database maintained for the pre-partially personalized smart cards.
• RS prints CID on the smart card and covers it with scratchable ink.

Providing online registration of smart cards (contd.)

Online Registration
• U obtains a smart card after proving his credentials to the card vendor, scratches the card and gets CID.
• U inserts the smart card into the terminal and submits CID, and then an ID and PW of his choice.
• Smart card sends ID and CID to RS over a public channel.
• RS checks its database of pre-partially personalized smart cards for CID. If it exists, RS computes

N = r^(−1)·s·H(ID)

and sends N over the public channel to the customer and waits for the acknowledgement.
• Smart card, after receiving N, verifies the validity of N by the equation e(N, P)^r == e(H(ID), Ppub).

Providing online registration of smart cards (contd.)

Online Registration (contd.)
Here the pairing operations can be performed by the user's system resources in the form A = e(N, P) and B = e(H(ID), Ppub), and the smart card, which contains r securely, can verify whether A^r = B.

• Smart card computes RID = r·N + H(PW) = s·H(ID) + H(PW).
• Smart card stores RID securely and destroys r.
• Smart card sends CID and h(Nx||Ny||r) as acknowledgement to RS.
• After verification of CID and h(Nx||Ny||r), RS removes the corresponding record from the database of the pre-partially personalized smart cards.

Key agreement

• U computes the session key as k = h(Zx||Zy), where Z = r·P.
• RS computes the session key k = h(Wx||Wy), where W = s^(−1)·V.
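Card revocation, the online registration of a pre-partially personalized card (N = r^(−1)·s·H(ID), the card's A^r = B check, RID = r·N + H(PW), the h(N||r) acknowledgement and the removal of the pre-personalization record), and the session key agreement from the three slides above, as an added worked example that is not part of the original presentation. It uses the same toy pairing (G1 = Zq with aP stored as the scalar a, e(X, Y) = X·Y mod q, G2 exponentiation is multiplication), so group elements have a single coordinate and h(Nx||Ny||r) and h(Zx||Zy) become h(N||r) and h(Z); discrete logs are trivial here, so the example shows the protocol algebra and the server-side bookkeeping, not security. The SHA-256 instances of H and h, the CID values and the class names are assumptions of the example.

```python
"""Toy model of card revocation, online registration of pre-partially
personalized smart cards, and session key agreement (constructed example).
G1 = Z_q with a*P stored as the scalar a; e(X, Y) = X*Y mod q and z^n in G2
is z*n mod q.  Discrete logs are trivial here: algebra and bookkeeping only.
"""
import hashlib
import secrets

Q = (1 << 61) - 1          # prime group order (assumed toy size)
P = 1                      # generator of G1

def e(x, y): return x * y % Q
def g2_pow(z, n): return z * n % Q
def H(data: bytes) -> int:                       # hash to G1
    return int.from_bytes(hashlib.sha256(b"H" + data).digest(), "big") % Q
def h(data: bytes) -> int:                       # hash to Z_q, for the acknowledgement and session keys
    return int.from_bytes(hashlib.sha256(b"h" + data).digest(), "big") % Q
def enc(*xs): return b"".join(x.to_bytes(8, "big") for x in xs)   # fixed-width encoding for hashing

class RegistrationServer:
    def __init__(self):
        self.s = secrets.randbelow(Q - 1) + 1
        self.ppub = self.s * P % Q
        self.pre_personalized = {}     # CID -> r, cards printed but not yet registered
        self.registered = {}           # ID -> CID (registration table)
        self.revoked = set()           # CIDs reported lost (revocation list)

    def pre_personalize(self, cid):
        r = secrets.randbelow(Q - 1) + 1
        self.pre_personalized[cid] = r
        return SmartCard(cid, r)       # r lives only in the card and in this database

    def begin_registration(self, ID, cid):
        if cid not in self.pre_personalized:
            return None
        return pow(self.pre_personalized[cid], -1, Q) * self.s * H(ID) % Q   # N = r^-1 s H(ID)

    def finish_registration(self, ID, cid, ack):
        """Check h(N||r) with the stored r, then drop the pre-personalization record."""
        r = self.pre_personalized.get(cid)
        if r is None or ack != h(enc(self.begin_registration(ID, cid), r)):
            return False
        del self.pre_personalized[cid]
        self.registered[ID] = cid
        return True

    def revoke(self, ID):
        self.revoked.add(self.registered[ID])

    def accept_request(self, cid):
        return cid in self.registered.values() and cid not in self.revoked

    def session_key(self, V):
        W = pow(self.s, -1, Q) * V % Q                # W = s^-1 V = rP
        return h(enc(W))                              # k = h(W)

class SmartCard:
    def __init__(self, cid, r):
        self.cid, self._r, self.rid = cid, r, None

    def register(self, rs, ID, PW):
        N = rs.begin_registration(ID, self.cid)       # received over the public channel
        if N is None or g2_pow(e(N, P), self._r) != e(H(ID), rs.ppub):   # A^r == B
            return False
        self.rid = (self._r * N + H(PW)) % Q          # RID = rN + H(PW) = sH(ID) + H(PW)
        ack = h(enc(N, self._r))                      # h(N||r)
        self._r = None                                # destroy r
        return rs.finish_registration(ID, self.cid, ack)

    def login_key(self, ppub):
        r = secrets.randbelow(Q - 1) + 1
        V = r * ppub % Q                              # V = r Ppub, sent to RS in the login request
        return V, h(enc(r * P % Q))                   # k = h(Z) with Z = rP

def demo():
    rs = RegistrationServer()
    card = rs.pre_personalize(cid=1001)               # constructed card identifier
    ok = card.register(rs, b"alice", b"correct horse")
    regid = (rs.s * H(b"alice") + H(b"correct horse")) % Q   # what a secure registration would store
    V, k_user = card.login_key(rs.ppub)
    before = rs.accept_request(1001)
    rs.revoke(b"alice")
    return ok, card.rid == regid, k_user == rs.session_key(V), 1001 in rs.pre_personalized, before, rs.accept_request(1001)

if __name__ == "__main__":
    print(demo())
```

Because N is sent in the clear, the card's A^r = B check is what stops a substituted N from being accepted, and the acknowledgement h(N||r) is what lets RS confirm that the card holding r, and not merely anyone who saw N, completed the registration before the record is deleted.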

Conclusion

Schemes for online and offline digital cash are proposed using bilinear pairings in ECC.

Das et al.'s Remote User Authentication scheme using bilinear pairings is analysed and improved to support online registration, key agreement and lost card revocation.

Major References

1. D. Boneh, B. Lynn and H. Shacham. "Short signatures from the Weil pairing". Proc. of Asiacrypt 2001, LNCS, Springer, pp. 213-229, 2001.
2. D. Chaum. "Blind signatures for untraceable payments". Advances in Cryptology - CRYPTO '82, Plenum Press, pp. 199-203, 1982.
3. D. Chaum, A. Fiat, M. Naor. "Untraceable Electronic Cash". Advances in Cryptology - CRYPTO '88, Springer-Verlag, pp. 319-327, 1988.
4. "On-line cash checks". Advances in Cryptology - EUROCRYPT '89, Springer-Verlag, pp. 288-293, 1989.
5. D. Chaum, B. Boer, E. Heyst, S. Mjolsnes, A. Steenbeek. "Efficient Offline Electronic Checks". Advances in Cryptology - EUROCRYPT '89, Springer-Verlag, pp. 294-301, 1989.
6. S. Brands. "Untraceable Off-line Cash in Wallet with Observers". Advances in Cryptology - CRYPTO '93, Springer-Verlag, pp. 302-318, 1993.
7. A. Menezes, T. Okamoto and S. Vanstone. "Reducing elliptic curve logarithms in a finite field". IEEE Trans. on Information Theory, vol. 39(5), pp. 1639-1646, 1993.
8. J. S. Chou, Y. Chen, J. Y. Lin. "Improvement of Das et al.'s remote user authentication scheme". http://eprint.iacr.org/2005/450.pdf
9. M. L. Das, A. Saxena, V. P. Gulati. "A Dynamic ID-based Remote User Authentication Scheme". IEEE Trans. on Consumer Electronics, vol. 50, no. 2, pp. 629-631, 2004.

Thank you