UNIVERSITY OF HYDERABAD
Crypto Techniques for Authentication and Anonymous Payments
Thulasi.G, 04MCMT34
Supervisors: Ashutosh Saxena and Dr. Atul Negi
Agenda
• Problems considered
• Motivation
• Preliminaries of bilinear pairings and complexity assumptions
• Introduction to digital cash
• Scheme for online cash
• Scheme for offline cash
• Scheme for online cash for multiple denominations
• Introduction to remote user authentication
• Review of Das et al.'s scheme
• Review of Chou et al.'s modification
• Cryptanalysis of Das et al.'s and Chou et al.'s schemes
• Improvement of Das et al.'s scheme
• Conclusion
Problems considered
1. Scheme for digital cash using bilinear pairings in elliptic curve cryptography, for bandwidth reduction
2. Scheme for remote user authentication using bilinear pairings with smart cards
   • To prevent many users logging in with the same account
   • To reduce the data to be communicated
   • For lost card revocation
   • For key exchange
Motivation
1. Elliptic curve cryptography needs only 163-bit keys to reach the security level that RSA reaches with 1024-bit keys [1]. The resulting bandwidth reduction would help present industry.
2. Weaknesses of previously proposed remote user authentication schemes.
Preliminaries of Bilinear Pairings
Properties
• Bilinear: e(aP, bQ) = e(P, Q)^{ab} for all P, Q in G1 and a, b in Zq*. Equivalently, for P, Q, R in G1,
  e(P, Q + R) = e(P, Q) e(P, R)
  e(P + Q, R) = e(P, R) e(Q, R)
• Non-degenerate: if P is a generator of G1, then e(P, P) is a generator of G2, i.e. e(P, P) ≠ 1.
• Computable: e(P, Q) can be computed in polynomial time.
Complexity Assumptions
Discrete Logarithm Problem(DLP):
Given two elements P,Q in G1, find an integer a in Zq* such that Q=aP whenever such an integer exists.
Computational Diffie Hellman Problem(CDHP):
Given P, aP, bP in G1 for any a,b in Zq*, compute abP.
Complexity Assumptions(contd..)
Decisional Diffie Hellman Problem(DDHP):
Given P, aP, bP, cP in G1 for any a,b,c in Zq*, decide
whether c=ab mod q.
Gap Diffie Hellman Group:
G1 is a GDH group if there exists an efficient polynomial time algorithm which solves DDHP in G1 and there is no probabilistic polynomial time algorithm which solves CDHP in G1 with non-negligible probability of success
Introduction to Digital Cash
Properties of digital cash
1. Anonymity
2. Privacy/Untraceability
Entities involved
1. Bank
2. Customer
3. Merchant
Introduction to Digital Cash(contd..)
Types of digital cash
1. Online digital cash
2. Offline digital cash
Phases in the scheme for digital cash
1. System setup
2. Cash issuance
3. Payment
4. Deposit
Scheme for online cash
System setup
1. Bank generates a prime q, two groups (G1, +) and (G2, ·) of order q and a bilinear map e: G1 × G1 -> G2.
2. Bank chooses a random generator P of G1.
3. Defines a cryptographic hash function H0: {0,1}* -> G1.
4. Picks a random s and sets the public key Ppub = sP. Bank keeps the master key s secret and publishes the public parameters (G1, G2, e, P, Ppub, H0).
Scheme for online cash(contd..)
Cash Issuance
1. Customer chooses a random currency number x and a random blinding factor r.
2. Customer sends the bank the blinded currency number B = H0(x) + rP.
3. Bank signs the blinded currency number as sign1 = sB, debits 1 unit of money from the customer's account and sends sign1 back to the customer.
4. Customer un-blinds the signature, sign = sign1 - r·Ppub (= s·H0(x)), and verifies it by checking e(Ppub, H0(x)) == e(P, sign).
Scheme for online cash(contd..)
Payment and deposit
1. To pay the merchant 1 unit of money, the customer gives him the pair (x, sign).
2. The merchant contacts the bank, which checks against its database of spent coins that this e-coin has not already been deposited.
Scheme for offline cash
System setup
1. Bank generates a prime q, two groups (G1, +) and (G2, ·) of order q and a bilinear map e: G1 × G1 -> G2.
2. Bank chooses a random generator P of G1.
3. Defines cryptographic hash functions
   • H0: {0,1}* -> G1
   • f: {0,1}* × {0,1}* -> G1 (its outputs f(xi, yi) are added to riP and paired in the steps below, so they must be points of G1)
   • g: {0,1}* × {0,1}* -> G1
4. Picks a random s and sets the public key Ppub = sP. Bank keeps the master key s secret and publishes the public parameters (G1, G2, e, P, Ppub, H0, f, g).
Scheme for offline cash(contd..)
Cash Issuance
1. Customer chooses ai, ci, di and ri for 1 ≤ i ≤ k independently at random, where k is the security parameter; u is the customer's account number and v is the counter associated with account u.
2. Customer forms f(xi, yi), where xi = g(ai, ci) and yi = g(ai xor (u || (v+i)), di), and sends the bank the k blinded candidates Bi = f(xi, yi) + riP for 1 ≤ i ≤ k.
3. The bank chooses a random subset R = {i1, ..., ik/2} of k/2 of the blinded candidates, with 1 ≤ ij ≤ k, and transmits R to the customer.
Scheme for offline cash(contd..)
4. Customer reveals ai, ci, di and ri for all i in R, and the bank checks that each opened candidate embeds the customer's correct account information. To simplify the notation assume R = {k/2 + 1, ..., k}, so that the unopened candidates are indexed 1, ..., k/2.
5. The bank sums the remaining blinded candidates f(xi, yi) + riP and signs the sum:
   $C_1 = s \sum_{i=1}^{k/2} \bigl( f(x_i, y_i) + r_i P \bigr)$
   The bank debits 1 unit of money from the customer's account and increments the customer's counter v by k.
6. The customer extracts the electronic coin by removing the blinding:
   $C = C_1 - \Bigl( \sum_{i=1}^{k/2} r_i \Bigr) P_{pub}$
   The customer re-indexes the candidates in C to be lexicographic on their representation, f(x1, y1) < f(x2, y2) < ... < f(xk/2, yk/2), and also increments his counter v by k.
Scheme for offline cash(contd..)
Payment
1. Customer sends C to the merchant.
2. Merchant chooses a random challenge string z1, z2, ..., zk/2 and sends it to the customer.
3. For each bit zi, 1 ≤ i ≤ k/2, of the received string the customer responds as follows:
   • if zi = 1, the customer gives the merchant ai, ci, yi;
   • if zi = 0, the customer gives the merchant xi, ai xor (u || (v+i)), di.
Scheme for offline cash(contd..)
4. From the customer's responses the merchant computes the missing xi = g(ai, ci) or yi = g(ai xor (u || (v+i)), di) for each i, forms
   $M = \sum_{i=1}^{k/2} f(x_i, y_i)$
   and verifies e(Ppub, M) = e(P, C).
5. Merchant later sends C and the customer's responses to the bank, which verifies their correctness and credits the merchant's account.
Scheme for offline cash(contd..)
Deposit
1. Merchant submits C, his challenge string z1, z2, ..., zk/2 and the received values ai (for zi = 1) and ai xor (u || (v+i)) (for zi = 0).
2. Bank checks its records to ensure that C has not been deposited before. If the customer double-spends C, the two merchants' challenge strings differ in at least one position with high probability, so the bank holds both ai and ai xor (u || (v+i)) for at least one i. XOR-ing the two isolates u || (v+i), which traces the payment to the customer's account u.
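The challenge-response of the Payment phase and the tracing of the Deposit phase, as an added example in Python that is not part of the original presentation. It models f and g with SHA-256 (the scheme maps them into G1), uses a 28-byte account number u so that u || (v+i) is a 32-byte block that can be XOR-ed with a 32-byte a_i, and omits the bank's blind signature on the sum of candidates and the merchant's pairing check e(Ppub, M) = e(P, C): the merchant instead compares each recomputed f(x_i, y_i) with the values in the coin. The account number, counter and candidate count are constructed for the demo.

```python
# Toy of the offline-cash challenge/response and double-spend tracing (constructed example).
import hashlib
import secrets

K = 8         # number of candidates k the customer prepares (small for the demo)
U_LEN = 28    # account number length; u || (v+i) is then 32 bytes, same as a_i

def g(a, b):
    """g: {0,1}* x {0,1}* -> digest (the scheme maps into G1; a hash stands in here)."""
    return hashlib.sha256(b"g|" + a + b"|" + b).digest()

def f(x, y):
    """f: {0,1}* x {0,1}* -> digest (same stand-in)."""
    return hashlib.sha256(b"f|" + x + b"|" + y).digest()

def xor(a, b):
    return bytes(p ^ q for p, q in zip(a, b))

def identity_block(u, counter):
    """u || (v+i) as a fixed 32-byte block so it can be XOR-ed with a 32-byte a_i."""
    return u + counter.to_bytes(4, "big")

def make_candidates(u, v, k=K):
    """Cash issuance steps 1-2: k candidates, each embedding a_i xor (u || (v+i))."""
    cands = []
    for i in range(1, k + 1):
        a, c, d = (secrets.token_bytes(32) for _ in range(3))
        t = xor(a, identity_block(u, v + i))
        x, y = g(a, c), g(t, d)
        cands.append({"i": i, "a": a, "c": c, "d": d, "t": t, "x": x, "y": y, "f": f(x, y)})
    return cands

def bank_cut_and_choose(cands, u, v, opened):
    """Issuance steps 3-4: the bank opens the candidates in R and checks the embedded
    identity; the unopened half becomes the coin (the blind signature on their sum is
    omitted here)."""
    for j in opened:
        cd = cands[j]
        t = xor(cd["a"], identity_block(u, v + cd["i"]))
        if f(g(cd["a"], cd["c"]), g(t, cd["d"])) != cd["f"]:
            raise ValueError(f"candidate {cd['i']} does not embed this customer's account")
    return [cd for j, cd in enumerate(cands) if j not in opened]

def pay(coin, challenge):
    """Payment step 3: the customer's response to the merchant's challenge bits."""
    return [(cd["a"], cd["c"], cd["y"]) if bit else (cd["x"], cd["t"], cd["d"])
            for cd, bit in zip(coin, challenge)]

def merchant_verify(coin_fs, challenge, resp):
    """Payment step 4: recompute f(x_i, y_i) from each response (stands in for the
    pairing check on the signed sum)."""
    for fi, bit, r in zip(coin_fs, challenge, resp):
        m = f(g(r[0], r[1]), r[2]) if bit else f(r[0], g(r[1], r[2]))
        if m != fi:
            return False
    return True

def trace_double_spender(z1, resp1, z2, resp2):
    """Deposit step 2: two transcripts of one coin under different challenges give
    a_i and a_i xor (u || (v+i)) for some i; their XOR is u || (v+i)."""
    for b1, r1, b2, r2 in zip(z1, resp1, z2, resp2):
        if b1 != b2:
            a = r1[0] if b1 else r2[0]     # the bit-1 response starts with a_i
            t = r2[1] if b1 else r1[1]     # the bit-0 response carries a_i xor ident second
            ident = xor(a, t)
            return ident[:U_LEN], int.from_bytes(ident[U_LEN:], "big")
    return None                            # identical challenges: nothing to trace

def demo():
    u = b"ACCT-0042".ljust(U_LEN, b"\x00")   # constructed account number u
    v = 100                                  # counter for account u
    cands = make_candidates(u, v)
    opened = set(secrets.SystemRandom().sample(range(K), K // 2))
    coin = bank_cut_and_choose(cands, u, v, opened)
    coin_fs = [cd["f"] for cd in coin]       # what the merchant sees of the coin
    z1 = [secrets.randbits(1) for _ in coin]
    resp1 = pay(coin, z1)
    first_ok = merchant_verify(coin_fs, z1, resp1)
    z2 = list(z1)
    z2[0] ^= 1                               # second merchant's challenge differs in bit 0
    resp2 = pay(coin, z2)
    second_ok = merchant_verify(coin_fs, z2, resp2)
    traced_u, traced_counter = trace_double_spender(z1, resp1, z2, resp2)
    return first_ok and second_ok and traced_u == u, traced_counter - v
```

Because the second merchant's challenge differs from the first in bit 0, the bank recovers u || (v+i) for the first candidate of the coin; with random challenges of length k/2 the two strings coincide only with probability 2^(-k/2), which is why k is the security parameter.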
Scheme for online cash for multiple denominations
1. Cookie jar
2. Declared note value
3. Hidden note value
Basic idea: the bank uses k secret keys for up to 2^k - 1 denominations.
Introduction to Remote User Authentication
Objectives of the scheme
1. Authentication with smart cards
2. Avoiding large password tables
3. Providing a password change option
4. Online registration of the smart card
5. Key agreement and lost card revocation
Phases
1. Registration
2. Login
3. Verification
4. Password change
Review of Das et al.’s scheme
Registration
• U submits his ID and password PW to RS.
• RS computes RegID = s·H(ID) + H(PW).
• RS personalizes a smart card with ID, RegID and H(·) and sends the smart card to U in a secure manner.
Login
• U inserts the smart card into a terminal and submits ID and PW.
• Smart card computes DID = T·RegID and V = T·H(PW), where T is the timestamp.
• Sends the login request <ID, DID, V, T> to RS over a public channel.
Review of Das et al.’s scheme(contd..)
Verification
• RS receives <ID, DID, V, T> at time T* and checks the validity of the time interval between T* and T, i.e. that T* - T < ΔT for the allowed delay ΔT. If it holds, RS checks whether e(DID - V, P) == e(H(ID), Ppub)^T.
• If both checks pass, RS accepts the request, and rejects it otherwise.
Review of Das et al.’s scheme(contd..)
Password Change
• U inserts the smart card into a terminal and submits ID and PW. The smart card verifies the entered ID against the one stored in the card. If the ID matches, it prompts U for a new password, and U submits the new password PW*.
• Smart card computes RegID* = RegID - H(PW) + H(PW*) = s·H(ID) + H(PW*).
• Smart card replaces the previously stored RegID by RegID*.
Chou et al.’s analysis and modification
Chou et al. pointed out that the verification in Das et al.'s scheme still holds with DID1 = DID + a and V1 = V + a, where a is any element of G1, as shown below.
e(DID1 - V1, P) = e(DID - V, P)
               = e(H(ID), Ppub)^T
To avoid this, Chou et al. proposed the modified verification e(DID, P) == e(T·s·H(ID) + V, P) to overcome the defect in the verification of Das et al.'s scheme.
Analysis on Chou et al.’s modification
We note that this verification also holds with DID1 = DID + a and V1 = V + a, where a is any element of G1, as shown below.
e(DID1, P) = e(DID, P) e(a, P)
           = e(T·s·H(ID) + V, P) e(a, P)
           = e(T·s·H(ID) + V1, P)
Cryptanalysis of Das et al.’s scheme
In the login phase the tuple <ID, DID, V, T> is sent to RS over a public channel. Any attacker tapping this message can compute a valid tuple <ID, DID1, V1, T1> as follows.
The attacker computes T^{-1}, the inverse of the timestamp T modulo q, and recovers RegID and H(PW):
RegID = T^{-1}·DID and H(PW) = T^{-1}·V
Now the attacker can form a valid tuple <ID, DID1, V1, T1> for any fresh timestamp T1 by computing DID1 = T1·RegID and V1 = T1·H(PW). Thus the attacker can impersonate the user any number of times after intercepting a single valid login request.
Improvement of Das et al.’s scheme
Registration and Password change phases are not altered.
Login
• U inserts the smart card into a terminal and submits ID and PW.
• Smart card, after validating ID, generates a random number r and computes
  V = (Vx, Vy) = r·Ppub
  DID = (r + h(T || Vx || Vy))·[RegID - H(PW)]
  where RegID - H(PW) = s·H(ID) and h(·) hashes to a scalar in Zq*. It sends the login request <ID, DID, V, T> to RS over a public channel, where T is the timestamp.
Improvement of Das et al.’s scheme(contd..)
Verification
• RS receives <ID, DID, V, T> at time T* and checks the validity of the time interval between T* and T, i.e. that T* - T < ΔT. If it holds, RS checks whether e(DID, P) == e(H(ID), V + h(T || Vx || Vy)·Ppub).
• If both checks pass, RS accepts the request, and rejects it otherwise.
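The online-cash issuance (blind, sign, un-blind, verify), the cryptanalysis of Das et al.'s login and the behaviour of the improved login above, as one added example in Python that is not part of the original presentation. It uses the secp256k1 group as a stand-in for G1 and implements no pairing: since the pairing is non-degenerate and symmetric, each pairing check is replaced by the equivalent equation in G1 (e(Ppub, H0(x)) = e(P, sign) iff sign = s·H0(x); e(DID - V, P) = e(H(ID), Ppub)^T iff DID - V = T·s·H(ID); e(DID, P) = e(H(ID), V + h·Ppub) iff DID = log_P(H(ID))·(V + h·Ppub)). The simulated bank/RS can evaluate these only because it knows s and because the toy hash-to-curve H(m) = h(m)·P exposes its discrete log; a real RS has neither and evaluates the pairings. Timestamps are treated as scalars, as the presentation multiplies by T. The curve, the hash functions h and H, and all identities and values are assumptions made for the demo.

```python
# Online-cash blind signature, Das et al. login forgery and the improved login, simulated
# over secp256k1 (constructed example: secp256k1 stands in for G1, no pairing is implemented).
import hashlib
import secrets

P_MOD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order q
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)  # generator P

def add(A, B):
    """Affine addition on y^2 = x^3 + 7 over F_p; None is the point at infinity."""
    if A is None:
        return B
    if B is None:
        return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    if A == B:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def mul(k, A):
    """Scalar multiplication k.A by double-and-add (k reduced mod q)."""
    R, k = None, k % N
    while k:
        if k & 1:
            R = add(R, A)
        A, k = add(A, A), k >> 1
    return R

def sub(A, B):
    return add(A, None if B is None else (B[0], (-B[1]) % P_MOD))

def h(*parts):
    """h: {0,1}* -> Zq* (toy: SHA-256 of the '|'-joined parts, reduced mod q)."""
    data = b"|".join(str(p).encode() for p in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N or 1

def H(m):
    """H/H0: {0,1}* -> G1 (toy hash-to-curve h('H', m).P; a real H0 hides this log)."""
    return mul(h("H", m), G)

# Online cash issuance: customer blinds, bank signs, customer un-blinds and verifies.
def blind_withdraw(s, x, r):
    B = add(H(x), mul(r, G))                  # customer: B = H0(x) + rP
    sign1 = mul(s, B)                         # bank: sign1 = sB
    sign = sub(sign1, mul(r, mul(s, G)))      # customer: sign = sign1 - r.Ppub
    return sign == mul(s, H(x))               # e(Ppub,H0(x)) == e(P,sign) <=> sign == s.H0(x)

# Das et al.: registration, login and the RS check.
def das_register(s, ID, PW):
    return add(mul(s, H(ID)), H(PW))          # RegID = s.H(ID) + H(PW)

def das_login(RegID, PW, T):
    return mul(T, RegID), mul(T, H(PW))       # DID = T.RegID, V = T.H(PW)

def das_verify(s, ID, DID, V, T):
    # e(DID - V, P) == e(H(ID), Ppub)^T  <=>  DID - V == T.s.H(ID)
    return sub(DID, V) == mul(T * s, H(ID))

def forge_from_intercept(DID, V, T, T1):
    """Attacker: strip T from one captured login, then re-issue it for timestamp T1."""
    Tinv = pow(T, -1, N)
    RegID, HPW = mul(Tinv, DID), mul(Tinv, V)  # RegID and H(PW) fall out of one capture
    return mul(T1, RegID), mul(T1, HPW)

# Improved login: r.Ppub and h(T||Vx||Vy) mask s.H(ID).
def improved_login(Ppub, RegID, PW, T, r):
    V = mul(r, Ppub)                                      # V = (Vx, Vy) = r.Ppub
    DID = mul(r + h(T, V[0], V[1]), sub(RegID, H(PW)))    # (r + h(T||Vx||Vy)).s.H(ID)
    return DID, V

def improved_verify(Ppub, ID, DID, V, T):
    # e(DID, P) == e(H(ID), V + h.Ppub)  <=>  DID == log_P(H(ID)).(V + h.Ppub);
    # the simulator knows log_P(H(ID)) = h('H', ID) only because H is a toy.
    hv = h(T, V[0], V[1])
    return DID == mul(h("H", ID), add(V, mul(hv, Ppub)))

def demo():
    s = secrets.randbelow(N - 1) + 1                      # bank / RS master key
    Ppub = mul(s, G)
    coin_ok = blind_withdraw(s, "currency-number-x", secrets.randbelow(N - 1) + 1)
    ID, PW = "alice", "correct horse"                     # constructed credentials
    RegID = das_register(s, ID, PW)
    T, T1 = 1700000000, 1700003600                        # timestamps used as scalars
    DID, V = das_login(RegID, PW, T)
    honest = das_verify(s, ID, DID, V, T)
    DID1, V1 = forge_from_intercept(DID, V, T, T1)
    forged = das_verify(s, ID, DID1, V1, T1)              # accepted: the cryptanalysis above
    a = mul(12345, G)
    shifted = das_verify(s, ID, add(DID, a), add(V, a), T)  # Chou et al.'s observation
    r = secrets.randbelow(N - 1) + 1
    iDID, iV = improved_login(Ppub, RegID, PW, T, r)
    improved_ok = improved_verify(Ppub, ID, iDID, iV, T)
    replayed = improved_verify(Ppub, ID, iDID, iV, T1)    # h binds T and V: rejected
    fDID, fV = forge_from_intercept(iDID, iV, T, T1)
    improved_forged = improved_verify(Ppub, ID, fDID, fV, T1)  # s.H(ID) masked by r: rejected
    return coin_ok, honest, forged, shifted, improved_ok, replayed, improved_forged
```

demo() returns (True, True, True, True, True, False, False): the forged Das et al. login and the shifted (DID + a, V + a) pair both pass, while in the improved login a captured tuple neither replays under a new timestamp nor yields s·H(ID), because the attacker would need r (the discrete log of V to the base Ppub) to remove the mask r + h(T || Vx || Vy).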
Revoking lost cards
• Use CID, a card identifier, in place of ID, the user identity.
• Maintain a registration table with the ID and CID of each issued smart card.
If a user with identity ID reports to the server RS that he has lost his smart card, the corresponding CID is placed on a revocation list and all requests coming from that CID are rejected.
Providing online registration of smart cards
Pre-partial personalization phase
• RS chooses a random number r for the smart card numbered CID and stores r securely in the smart card.
• RS stores CID and r in the database maintained for the pre-partially personalized smart cards.
• RS prints CID on the smart card and covers it with scratchable ink.
Providing online registration of smart cards(contd..)
Online Registration
• U obtains a smart card after proving his credentials to the card vendor, scratches the card and gets CID.
• U inserts the smart card into a terminal and submits CID, and then ID and PW of his choice.
• Smart card sends ID and CID to RS over a public channel.
• RS checks its database of pre-partially personalized smart cards for CID. If it exists, RS computes N = r^{-1}·s·H(ID), sends N over the public channel to the customer and waits for the acknowledgement.
• Smart card, after receiving N, verifies the validity of N by the equation e(N, P)^r == e(H(ID), Ppub).
Providing online registration of smart cards(contd..)
Online Registration (contd..)
Here the pairing operations can be performed by the user's system resources, in the form A = e(N, P) and B = e(H(ID), Ppub), and the smart card, which holds r securely, verifies whether A^r = B.
• Smart card computes RID = r·N + H(PW) = s·H(ID) + H(PW).
• Smart card stores RID securely and destroys r.
• Smart card sends CID and h(Nx || Ny || r) to RS as acknowledgement.
• After verifying CID and h(Nx || Ny || r), RS removes the corresponding record from the database of pre-partially personalized smart cards.
Key agreement
• U computes the session key as k = h(Zx || Zy), where Z = r·P.
• RS computes the session key as k = h(Wx || Wy), where W = s^{-1}·V. Since V = r·Ppub = r·s·P, W = r·P = Z, so both sides derive the same key.
Conclusion
Schemes for online Digital Cash and offline digital cash are proposed using bilinear pairings in ECC.
Das et al.’s Remote User Authentication scheme using bilinear pairings is analysed and improved to support online registration, key agreement and lost card revocation.
Major References
1. D. Boneh, B. Lynn and H. Shacham. "Short signatures from the Weil pairing". Proc. of Asiacrypt 2001, LNCS, Springer, pp. 213-229, 2001.
2. D. Chaum. "Blind signatures for untraceable payments". Advances in Cryptology - CRYPTO '82, Plenum Press, pp. 199-203, 1982.
3. D. Chaum, A. Fiat and M. Naor. "Untraceable Electronic Cash". Advances in Cryptology - CRYPTO '88, Springer-Verlag, pp. 319-327, 1988.
4. D. Chaum. "On-line cash checks". Advances in Cryptology - EUROCRYPT '89, Springer-Verlag, pp. 288-293, 1989.
Major References(contd..)
5. D. Chaum, B. den Boer, E. van Heyst, S. Mjølsnes and A. Steenbeek. "Efficient Offline Electronic Checks". Advances in Cryptology - EUROCRYPT '89, Springer-Verlag, pp. 294-301, 1989.
6. S. Brands. "Untraceable Off-line Cash in Wallet with Observers". Advances in Cryptology - CRYPTO '93, Springer-Verlag, pp. 302-318, 1993.
7. A. Menezes, T. Okamoto and S. Vanstone. "Reducing elliptic curve logarithms to logarithms in a finite field". IEEE Trans. on Information Theory, vol. 39, no. 5, pp. 1639-1646, 1993.
8. J. S. Chou, Y. Chen and J. Y. Lin. "Improvement of Das et al.'s remote user authentication scheme". http://eprint.iacr.org/2005/450.pdf
Major References(contd..)
9. M. L. Das, A. Saxena and V. P. Gulati. "A Dynamic ID-based Remote User Authentication Scheme". IEEE Trans. on Consumer Electronics, vol. 50, no. 2, pp. 629-631, 2004.