Crypto Techniques for Authentication and Anonymous Payments


Crypto Techniques for Authentication and Anonymous Payments
Thulasi.G, 04MCMT34
Supervisors: Ashutosh Saxena and Dr. Atul Negi

Agenda
- Problems considered
- Motivation
- Preliminaries of bilinear pairings and complexity assumptions
- Introduction to digital cash
- Scheme for online cash
- Scheme for offline cash
- Scheme for online cash for multiple denominations
- Introduction to remote user authentication
- Review of Das et al.'s scheme
- Review of Chou et al.'s modification
- Cryptanalysis of Das et al.'s and Chou et al.'s schemes
- Improvement of Das et al.'s scheme
- Conclusion

Problems considered
- Scheme for digital cash using bilinear pairings in elliptic curve cryptography, for bandwidth reduction
- Scheme for remote user authentication using bilinear pairings with smart cards:
  - to avoid many users using the same account to login
  - to reduce the data to be communicated
  - for lost card revocation
  - key exchange

Motivation
- Elliptic curve cryptography requires only 163 bits to achieve the level of security achieved by 1024 bits for RSA [1].
- Bandwidth reduction would help the present industry.
- Weaknesses of previously proposed remote user authentication schemes.

Preliminaries of Bilinear Pairings
Properties
- Bilinear: e(aP, bQ) = e(P, Q)^ab for P, Q in G1 and a, b in Zq*. Equivalently, for P, Q and R in G1: e(P, Q+R) = e(P, Q) e(P, R) and e(P+Q, R) = e(P, R) e(Q, R).
- Non-degenerate: if P is a generator of G1, then e(P, P) is a generator of G2.
- Computable: e(P, Q) is computable in polynomial time.

Complexity Assumptions
- Discrete Logarithm Problem (DLP): given two elements P, Q in G1, find an integer a in Zq* such that Q = aP, whenever such an integer exists.
- Computational Diffie-Hellman Problem (CDHP): given P, aP, bP in G1 for any a, b in Zq*, compute abP.

Complexity Assumptions (contd.)
- Decisional Diffie-Hellman Problem (DDHP): given P, aP, bP, cP in G1 for any a, b, c in Zq*, decide whether c = ab mod q.
- Gap Diffie-Hellman group: G1 is a GDH group if there exists an efficient polynomial-time algorithm which solves DDHP in G1 and there is no probabilistic polynomial-time algorithm which solves CDHP in G1 with non-negligible probability of success.

Introduction to Digital Cash
Properties of digital cash
- Anonymity
- Privacy/Untraceability
Entities involved
- Bank
- Customer
- Merchant

Introduction to Digital Cash (contd.)
Types of digital cash
- Online digital cash
- Offline digital cash
Phases in the scheme for digital cash
- System setup
- Cash issuance
- Payment
- Deposit

Scheme for online cash
System setup
- Bank generates a prime q, two groups (G1, +) and (G2, .) of order q and a bilinear map e: G1 x G1 -> G2.
- Bank chooses a random generator P of G1.
- Defines a cryptographic hash function H0: {0,1}* -> G1.
- Picks a random s and sets the public key Ppub = sP. Bank keeps the master key s secret and publishes the public parameters (G1, G2, e, P, Ppub, H0).

Scheme for online cash (contd.)
Cash issuance
- Customer chooses a random currency number x and a blinding factor r.
- User/Customer supplies the bank with B = H0(x) + rP.
- Bank signs the blinded currency number B as sign1 = sB, withdraws 1 unit of money from the customer's account and sends the signature sign1 back to the customer.
- Customer un-blinds and verifies the bank's signature: sign = sign1 - rPpub, and checks e(Ppub, H0(x)) == e(P, sign).

Scheme for online cash (contd.)
Payment and deposit
- To pay the merchant 1 unit of money, the customer gives him the pair (x, sign).
- The merchant calls the bank to verify that this e-coin has not already been deposited; the bank maintains a database of spent coins.

Scheme for offline cash
System setup
- Bank generates a prime q, two groups (G1, +) and (G2, .) of order q and a bilinear map e: G1 x G1 -> G2.
- Bank chooses a random generator P of G1.
- Defines cryptographic hash functions H0: {0,1}* -> G1, f: {0,1}* x {0,1}* -> {0,1}* and g: {0,1}* x {0,1}* -> G1.
- Picks a random s and sets the public key Ppub = sP. Bank keeps the master key s secret and publishes the public parameters (G1, G2, e, P, Ppub, H0, f, g).

Scheme for offline cash (contd.)
Cash issuance
- Customer chooses ai, ci, di and ri, 0 < i < k+1, independently at random, where k is the security parameter. u is the customer's account number and v is the counter associated with the account u.
- Customer forms f(xi, yi), where xi = g(ai, ci) and yi = g(ai xor u||(v+i), di), and sends to the bank the k blinded candidates Bi = f(xi, yi) + riP for 0 < i < k+1.
- The bank chooses a random subset of k/2 blinded candidates R = {ij}, 0 < ij < k+1, for 0 < j < (k/2 + 1), and transmits it to the customer.

Scheme for offline cash (contd.)
- Customer reveals the ai, ci, di, ri values for all i in R, and the bank checks whether the correct information about the customer is embedded in them.
- To simplify the notation we assume R = {k/2, k/2 + 1, ..., k}.
- The bank sums up the blinded candidates f(xi, yi) + riP and signs the sum.
- Bank withdraws 1 unit of money from the customer's account and also increments the customer's counter v by k.
- Customer can easily extract the electronic coin C.
- Customer re-indexes the candidates in C to be lexicographic on their representation: f(x1, y1) < f(x2, y2) < ... < f(xk/2, yk/2).
- Customer also increments his counter v by k.

Scheme for offline cash (contd.)
Payment
- Customer sends C to the merchant.
- Merchant chooses and sends a random bit string z1, z2, ..., zk/2 to the customer.
- Customer responds as follows for all 0 < i < (k/2 + 1), according to the bits of the string received:
  - if the bit is 1, customer gives the merchant ai, ci, yi
  - if the bit is 0, customer gives the merchant xi, ai xor (u||(v+i)), di

Scheme for offline cash (contd.)
- From the customer's responses, the merchant computes M for i = 1..k/2 and verifies e(Ppub, M) = e(P, C).
- Merchant later sends C and the customer's responses to the bank, which verifies their correctness and credits his account.

Scheme for offline cash (contd.)
Deposit
- Merchant submits C, his query string z1, z2, ..., zk/2 and the values ai (for zi = 1) and ai xor u||(v+i) (for zi = 0).
- Bank checks its records to ensure that C has not been used before.
- If the customer double spends C, with high probability the bank has both ai and ai xor u||(v+i) for at least one i, so the bank can isolate u||(v+i) and trace the payment to the customer's account.

Scheme for online cash for multiple denominations
- Cookie jar
- Declared note value
- Hidden note value
Basic idea: the bank uses k secret keys for up to 2^k - 1 denominations.

Introduction to Remote User Authentication
Objectives of the scheme
- Authentication with smart cards
- Avoiding large password tables
- Providing a password change option
- Online registration of the smart card
- Key agreement and lost card revocation
Phases
- Registration
- Login
- Verification
- Password change

Review of Das et al.'s scheme
Registration
- U submits his ID and password PW to RS.
- RS computes RegID = sH(ID) + H(PW).
- RS personalizes the smart card with ID, RegID, H(.) and sends the smart card to U in a secure manner.
Login
- U inserts the smart card into the terminal and submits ID and PW.
- Smart card computes DID = T.RegID and V = T.H(PW), and sends the login request <ID, DID, V, T> to RS over a public channel, where T is the timestamp.

Review of Das et al.'s scheme (contd.)
Verification
- RS receives <ID, DID, V, T> at time T* and verifies the validity of the time interval between T* and T.
- If it holds, RS checks whether e(DID - V, P) == e(H(ID), Ppub)^T.
- If both checks are valid, RS accepts the request and rejects it otherwise.

Review of Das et al.'s scheme (contd.)
Password change
- Insert the smart card into the terminal and submit ID and PW.
- Smart card verifies the entered ID against the one stored in the smart card. If ID matches, it prompts U for a new password.
- U submits a new password PW*.
- Smart card computes RegID* = RegID - H(PW) + H(PW*) = s.H(ID) + H(PW*).
- Smart card replaces the previously stored RegID by RegID*.

Chou et al.'s analysis and modification
Chou et al. pointed out that the verification in Das et al.'s scheme also holds for DID1 = DID + a and V1 = V + a, where a is from G1, as shown below:
  e(DID1 - V1, P) = e(DID - V, P) = e(H(ID), Ppub)^T
To avoid this, Chou et al. proposed the modified verification e(DID, P) == e(TsH(ID) + V, P) to overcome the defect in the verification of Das et al.'s scheme.

Analysis on Chou et al.'s modification
We note that this verification also holds for DID1 = DID + a and V1 = V + a, where a is from G1, as shown below:
  e(DID1, P) == e(DID, P) e(a, P)
             == e(TsH(ID) + V, P) e(a, P)
             == e(TsH(ID) + V1, P)

Cryptanalysis of Das et al.'s scheme
- In the login phase, the tuple <ID, DID, V, T> is sent to RS over a public channel.
- Any attacker tapping this message can compute a valid tuple <ID1, DID1, V1, T1> as follows. The attacker computes T^-1 and obtains RegID and H(PW) as RegID = T^-1.DID and H(PW) = T^-1.V.
- Now the attacker can form the valid tuple <ID1, DID1, V1, T1> for timestamp T1 by computing DID1 = T1.RegID and V1 = T1.H(PW).
- Thus the attacker can impersonate the user many times just by intercepting one valid login request of the user.

Improvement of Das et al.'s scheme
Registration and password change phases are not altered.
Login
- U inserts the smart card into the terminal and submits ID and PW.
- Smart card, after validating ID, computes V(Vx, Vy) = r.Ppub and DID = (r + h(T||Vx||Vy)) [RegID - H(PW)], and sends the login request <ID, DID, V, T> to RS over a public channel, where T is the timestamp and r is a random number generated by the smart card.

Improvement of Das et al.'s scheme (contd.)
Verification
- RS receives <ID, DID, V, T> at time T* and verifies the validity of the time interval between T* and T.
- If it holds, RS checks whether e(DID, P) == e(H(ID), V + h(T||Vx||Vy)Ppub).
- If both checks are valid, RS accepts the request and rejects it otherwise.
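The online-cash issuance and verification, Das et al.'s login check and the improved one, as an added Python example that is not part of the slides. It uses a constructed toy pairing (G1 = Z_q with P = 1, G2 = the order-q subgroup of Z_p* with p = 2q + 1) so the equations run without a pairing library; it is insecure by construction and only reproduces the algebra. The names e, H0, h, register, withdraw, deposit, das_login, das_verify, improved_login and improved_verify are assumptions, and h(T||Vx||Vy) collapses to h(T||V) because the toy points have a single coordinate.

```python
import hashlib
import random

# Toy symmetric pairing, constructed for illustration only: G1 = (Z_q, +) with
# generator P = 1 and G2 = the order-q subgroup of Z_p*, p = 2q + 1. e(aP, bP) = g^(ab)
# is bilinear and non-degenerate, but the DLP in Z_q is trivial, so nothing is secure.
Q = 1019        # group order q (prime)
P_MOD = 2039    # p = 2q + 1, also prime
G2_GEN = 2      # 2 is a quadratic residue mod 2039, hence has order q
P = 1           # generator of G1; the integer a represents the point aP

def e(a, b):
    """Bilinear map G1 x G1 -> G2: e(aP, bP) = g^(ab mod q)."""
    return pow(G2_GEN, (a * b) % Q, P_MOD)

def H0(data):
    """Hash {0,1}* -> G1 \\ {0}; a stand-in for H0 on the slides."""
    return 1 + int(hashlib.sha256(data).hexdigest(), 16) % (Q - 1)

def h(*parts):
    """Hash into Z_q, standing in for h(T||Vx||Vy) (V has one coordinate here)."""
    return int(hashlib.sha256("|".join(map(str, parts)).encode()).hexdigest(), 16) % Q

def setup():
    """Bank or RS picks the master key s and publishes Ppub = sP."""
    s = random.randrange(1, Q)
    return s, (s * P) % Q

# --- Online cash: blind issuance, unblinding, and the spent-coin database ---
def withdraw(x, Ppub, bank_sign):
    r = random.randrange(1, Q)                 # blinding factor
    B = (H0(x) + r * P) % Q                    # the bank only ever sees B
    sign1 = bank_sign(B)                       # bank returns sB and debits 1 unit
    return x, (sign1 - r * Ppub) % Q           # unblind: sB - r*sP = s*H0(x)

def verify_coin(x, sign, Ppub):
    return e(Ppub, H0(x)) == e(P, sign)

def deposit(coin, Ppub, spent):
    """Accept a coin only if the bank's signature checks and x was never deposited."""
    x, sign = coin
    if not verify_coin(x, sign, Ppub) or x in spent:
        return False
    spent.add(x)
    return True

# --- Remote user authentication: Das et al. versus the improved login ---
def register(ID, PW, s):
    return (s * H0(ID) + H0(PW)) % Q           # RegID stored on the smart card

def das_login(RegID, PW, T):
    return (T * RegID) % Q, (T * H0(PW)) % Q   # DID, V

def das_verify(ID, DID, V, T, Ppub):
    return e((DID - V) % Q, P) == pow(e(H0(ID), Ppub), T, P_MOD)

def improved_login(RegID, PW, T, Ppub):
    r = random.randrange(1, Q)                 # fresh per login, never sent
    V = (r * Ppub) % Q
    DID = ((r + h(T, V)) * (RegID - H0(PW))) % Q   # (r + h) * s * H0(ID)
    return DID, V

def improved_verify(ID, DID, V, T, Ppub):
    return e(DID, P) == e(H0(ID), (V + h(T, V) * Ppub) % Q)
```

The Das check accepts a tuple shifted by the same a in DID and V (the defect Chou et al. noted), whereas the improved check binds V into the hash, so the same shift no longer verifies.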

Revoking lost cards
- Use CID (card identifier) in place of ID (user identity).
- Maintain a registration table with the ID and CID of each issued smart card.
- If a user with identity ID reports to the server RS that he lost his smart card, the corresponding CID is kept in a revocation list and all requests coming from this CID are cancelled.

Providing online registration of smart cards
Pre-partial personalization phase
- RS chooses a random number r for the smart card numbered CID and stores r securely in the smart card.
- RS stores CID and r in the database maintained for the pre-partially personalized smart cards.
- RS prints CID on the smart card and covers it with scratchable ink.

Providing online registration of smart cards (contd.)
Online registration
- U obtains a smart card after proving his credentials to the card vendor.
- Scratches the card and gets CID.
- Inserts the smart card into the terminal and submits CID, and then ID and PW of his choice.
- Smart card sends ID and CID to RS over a public channel.
- RS checks its database of pre-partially personalized smart cards for CID. If it exists, RS computes N = r^-1 sH(ID), sends N over the public channel to the customer and waits for the acknowledgement.
- Smart card, after receiving N, verifies the validity of N by the equation e(N, P)^r == e(H(ID), Ppub).

Providing online registration of smart cards (contd.)
Online registration (contd.)
- Here the pairing operations can be performed by the user's system resources, in the form A = e(N, P) and B = e(H(ID), Ppub), and the smart card, which holds r securely, can verify whether A^r = B.
- Smart card computes RID = r.N + H(PW) = s.H(ID) + H(PW).
- Smart card stores RID securely and destroys r.
- Smart card sends CID and h(Nx||Ny||r) as acknowledgement to RS.
- After verification of CID and h(Nx||Ny||r), RS removes the corresponding record from the database of the pre-partially personalized smart cards.

Key agreement
- U computes the session key as k = h(Zx||Zy), where Z = r.P.
- RS computes the session key as k = h(Wx||Wy), where W = s^-1.V.

Conclusion
- Schemes for online digital cash and offline digital cash are proposed using bilinear pairings in ECC.
- Das et al.'s remote user authentication scheme using bilinear pairings is analysed and improved to support online registration, key agreement and lost card revocation.

Major References
- D. Boneh, B. Lynn and H. Shacham. "Short signatures from the Weil pairing". Proc. of Asiacrypt 2001, LNCS, Springer, pp. 213-229, 2001.
- D. Chaum. "Blind signatures for untraceable payments". Advances in Cryptology - CRYPTO '82, Plenum Press, pp. 199-203, 1982.
- D. Chaum, A. Fiat and M. Naor. "Untraceable Electronic Cash". Advances in Cryptology - CRYPTO '88, Springer-Verlag, pp. 319-327, 1988.
- "On-line cash checks". Advances in Cryptology - EUROCRYPT '89, Springer-Verlag, pp. 288-293, 1989.
- D. Chaum, B. Boer, E. Heyst, S. Mjolsnes and A. Steenbeek. "Efficient Offline Electronic Checks". Advances in Cryptology - EUROCRYPT '89, Springer-Verlag, pp. 294-301, 1989.
- S. Brands. "Untraceable Off-line Cash in Wallet with Observers". Advances in Cryptology - CRYPTO '93, Springer-Verlag, pp. 302-318, 1993.
- A. Menezes, T. Okamoto and S. Vanstone. "Reducing elliptic curve logarithms in a finite field". IEEE Trans. on Information Theory, vol. 39(5), pp. 1639-1646, 1993.
- J.S. Chou, Y. Chen and J.Y. Lin. "Improvement of Das et al.'s remote user authentication scheme". http://eprint.iacr.org/2005/450.pdf
- M.L. Das, A. Saxena and V.P. Gulati. "A Dynamic ID-based Remote User Authentication Scheme". IEEE Trans. on Consumer Electronics, vol. 50, no. 2, pp. 629-631, 2004.

Thank you thulasi.jaggernaut@gmail.com