1
Crypto Techniques for Authentication and Anonymous Payments
Thulasi.G, 04MCMT34 Supervisors: Ashutosh Saxena and Dr. Atul Negi
2
Agenda
Problems considered
Motivation
Preliminaries of Bilinear Pairings and complexity assumptions
Introduction to Digital Cash
Scheme for online cash
Scheme for offline cash
Scheme for online cash for multiple denominations
Introduction to Remote User Authentication
Review of Das et al.'s scheme
Review of Chou et al.'s modification
Cryptanalysis of Das et al.'s and Chou et al.'s schemes
Improvement of Das et al.'s scheme
Conclusion
3
Problems considered
Scheme for Digital Cash using bilinear pairings in Elliptic Curve Cryptography, for bandwidth reduction
Scheme for Remote User Authentication using bilinear pairings with smart cards:
  To avoid many users using the same account to log in
  To reduce the data to be communicated
  For lost card revocation
  Key exchange
4
Motivation
Elliptic Curve Cryptography requires only 163 bits to achieve the level of security achieved by 1024 bits for RSA [1].
Bandwidth reduction would be a help to the present industry.
Weaknesses of previously proposed Remote User Authentication schemes.
5
Preliminaries of Bilinear Pairings
Properties
Bilinear: e(aP, bQ) = e(P, Q)^(ab) for P, Q in G1 and a, b in Zq*. Equivalently, for P, Q and R in G1,
  e(P, Q+R) = e(P, Q) e(P, R)
  e(P+Q, R) = e(P, R) e(Q, R)
Non-degenerate: if P is a generator of G1, then e(P, P) is a generator of G2.
Computable: e(P, Q) is computable in polynomial time.
6
Complexity Assumptions
Discrete Logarithm Problem (DLP): Given two elements P, Q in G1, find an integer a in Zq* such that Q = aP, whenever such an integer exists.
Computational Diffie-Hellman Problem (CDHP): Given P, aP, bP in G1 for any a, b in Zq*, compute abP.
7
Complexity Assumptions (contd.)
Decisional Diffie-Hellman Problem (DDHP): Given P, aP, bP, cP in G1 for any a, b, c in Zq*, decide whether c = ab mod q.
Gap Diffie-Hellman Group: G1 is a GDH group if there exists an efficient polynomial-time algorithm which solves DDHP in G1, and there is no probabilistic polynomial-time algorithm which solves CDHP in G1 with non-negligible probability of success.
8
Introduction to Digital Cash
Properties of Digital Cash
  Anonymity
  Privacy/Untraceability
Entities involved
  Bank
  Customer
  Merchant
9
Introduction to Digital Cash (contd.)
Types of digital cash
  Online digital cash
  Offline digital cash
Phases in the scheme for digital cash
  System Setup
  Cash Issuance
  Payment
  Deposit
10
Scheme for online cash
System setup
Bank generates a prime q, two groups (G1, +) and (G2, ·) of order q, and a bilinear map e: G1 × G1 -> G2.
Bank chooses a random generator P of G1.
Defines a cryptographic hash function H0: {0,1}* -> G1.
Picks a random s and sets the public key Ppub = sP.
Bank keeps the master key s secret and publishes the public parameters (G1, G2, e, P, Ppub, H0).
11
Scheme for online cash (contd.)
Cash Issuance
Customer chooses a random currency number x and a blinding factor r.
User/Customer supplies the bank with B = H0(x) + rP.
Bank signs the blinded currency number B as sign1 = sB, withdraws 1 unit of money from the customer's account and sends the signature sign1 back to the customer.
Customer un-blinds and verifies the bank's signature:
  sign = sign1 - r·Ppub
  e(Ppub, H0(x)) == e(P, sign)
12
Scheme for online cash (contd.)
Payment and Deposit
To pay the merchant 1 unit of money, the customer gives him the pair (x, sign).
The merchant calls the bank to verify that this e-coin has not already been deposited; the bank maintains a database of spent coins.
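The online scheme above, run end to end, as an added example that is not part of the presentation. It uses a deliberately insecure stand-in for the pairing groups (G1 = G2 = Z_q under addition, P = 1, e(A, B) = A·B mod q, so e(P, Q)^(ab) reads ab·e(P, Q) in additive notation) so that the blinding, un-blinding and verification algebra can be followed without a pairing library; discrete logs in this toy G1 are trivial, so it shows the protocol logic only. The Bank class, verify_coin, withdraw_coin and run_scenario are constructed for this example; the balance bookkeeping and the spent-coin set model the slide's "withdraws 1 unit" and "database of spent coins".

```python
import hashlib
import secrets

# Toy stand-ins for the pairing groups (constructed for this example):
# G1 = G2 = (Z_q, +) with generator P = 1 and e(A, B) = A * B mod q.
# The map is bilinear, non-degenerate and computable, but discrete logs in
# this G1 are trivial, so it illustrates the protocol algebra only.
q = 2**127 - 1   # prime group order (the Mersenne prime M127)
P = 1            # generator of the toy G1


def e(A: int, B: int) -> int:
    """Toy pairing: e(aP, bQ) = ab * e(P, Q), with G2 written additively."""
    return (A * B) % q


def H0(data: bytes) -> int:
    """Hash {0,1}* -> G1 (SHA-256 reduced mod q in the toy model)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % q


def verify_coin(Ppub: int, x: bytes, sign: int) -> bool:
    """Signature check from the slide: e(Ppub, H0(x)) == e(P, sign)."""
    return e(Ppub, H0(x)) == e(P, sign)


class Bank:
    """System setup: master key s, public key Ppub = sP, spent-coin database."""

    def __init__(self):
        self.s = secrets.randbelow(q - 1) + 1
        self.Ppub = (self.s * P) % q
        self.spent = set()        # currency numbers already deposited
        self.balances = {}        # account -> units of money

    def sign_blinded(self, account: str, B: int) -> int:
        """Cash issuance: sign the blinded currency number B and debit 1 unit.
        The bank never sees x, only B = H0(x) + rP."""
        if self.balances.get(account, 0) < 1:
            raise ValueError("insufficient funds")
        self.balances[account] -= 1
        return (self.s * B) % q

    def deposit(self, x: bytes, sign: int) -> bool:
        """Payment/deposit: the merchant forwards (x, sign); the bank accepts
        a coin only if the signature verifies and x is not already spent."""
        if x in self.spent or not verify_coin(self.Ppub, x, sign):
            return False
        self.spent.add(x)
        return True


def withdraw_coin(bank: Bank, account: str):
    """Customer side of cash issuance: blind, obtain signature, un-blind, verify."""
    x = secrets.token_bytes(16)            # random currency number
    r = secrets.randbelow(q)               # blinding factor
    B = (H0(x) + r * P) % q                # blinded currency number sent to the bank
    sign1 = bank.sign_blinded(account, B)  # sign1 = sB = s*H0(x) + r*Ppub
    sign = (sign1 - r * bank.Ppub) % q     # un-blind: sign = s*H0(x)
    if not verify_coin(bank.Ppub, x, sign):
        raise ValueError("bank signature did not verify")
    return x, sign


def run_scenario():
    """Withdraw two coins; deposit one twice and one with a tampered signature."""
    bank = Bank()
    bank.balances["alice"] = 2
    x1, sign1 = withdraw_coin(bank, "alice")
    x2, sign2 = withdraw_coin(bank, "alice")
    first = bank.deposit(x1, sign1)               # fresh, valid coin: accepted
    second = bank.deposit(x1, sign1)              # same coin again: rejected as double spend
    tampered = bank.deposit(x2, (sign2 + 1) % q)  # altered signature: rejected
    return first, second, tampered, bank.balances["alice"]


if __name__ == "__main__":
    print(run_scenario())  # (True, False, False, 0)
```

The bank's deposit check is exactly the customer's verification equation plus the spent-coin lookup; in the online scheme the bank must be reachable at payment time, which is what the offline scheme that follows removes.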
13
Scheme for offline cash
System setup
Bank generates a prime q, two groups (G1, +) and (G2, ·) of order q, and a bilinear map e: G1 × G1 -> G2.
Bank chooses a random generator P of G1.
Defines cryptographic hash functions
  H0: {0,1}* -> G1
  f: {0,1}* × {0,1}* -> {0,1}*
  g: {0,1}* × {0,1}* -> G1
Picks a random s and sets the public key Ppub = sP.
Bank keeps the master key s secret and publishes the public parameters (G1, G2, e, P, Ppub, H0, f, g).
14
Scheme for offline cash (contd.)
Cash Issuance
Customer chooses ai, ci, di and ri, 0 < i < k+1, independently at random, where k is the security parameter. u is the customer's account number and v is the counter associated with the account u.
Customer forms f(xi, yi), where xi = g(ai, ci) and yi = g(ai xor (u||(v+i)), di), and sends the bank k blinded candidates Bi = f(xi, yi) + riP for 0 < i < k+1.
The bank chooses a random subset of k/2 blinded candidates R = {ij}, 0 < ij < k+1, 0 < j < k/2+1, and transmits it to the customer.
15
Scheme for offline cash (contd.)
Customer reveals the ai, ci, di, ri values for all i in R, and the bank checks whether the correct customer information is embedded in them. To simplify the notation we assume R = {k/2, k/2+1, …, k}.
The bank sums up the remaining blinded candidates f(xi, yi) + riP and signs the sum.
Bank withdraws 1 unit of money from the customer's account and increments the customer's counter v by k.
Customer can easily extract the electronic coin C.
Customer re-indexes the candidates in C to be lexicographic on their representation: f(x1, y1) < f(x2, y2) < … < f(xk/2, yk/2).
Customer also increments his counter v by k.
16
Scheme for offline cash (contd.)
Payment
Customer sends C to the merchant.
Merchant chooses and sends a random bit string z1, z2, …, zk/2 to the customer.
Customer responds as follows for all 0 < i < k/2+1, according to the bits of the string received:
  If the bit is 1, the customer gives the merchant ai, ci, yi.
  If the bit is 0, the customer gives the merchant xi, ai xor (u||(v+i)), di.
17
Scheme for offline cash (contd.)
From the customer's responses, the merchant computes M for i = 1..k/2 and verifies e(Ppub, M) = e(P, C).
Merchant later sends C and the customer's responses to the bank, which verifies their correctness and credits his account.
18
Scheme for offline cash (contd.)
Deposit
Merchant submits C, his query string z1, z2, …, zk/2 and the values ai (for zi = 1) and ai xor (u||(v+i)) (for zi = 0).
Bank checks its records to ensure that C has not been used before.
If the customer double-spends C, with high probability the bank holds both ai and ai xor (u||(v+i)) for at least one i. The bank can then isolate u||(v+i) and trace the payment to the customer's account.
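The payment and deposit steps of the offline scheme, including the double-spend trace, as an added example that is not part of the presentation. It reuses the same toy groups as before (G1 = G2 = Z_q under addition, P = 1, e(A, B) = A·B mod q), so only the protocol logic is exercised. Two simplifications are assumptions of this example, not statements of the slides: the blinding and the bank's random subset R are skipped, and the coin is taken to be C = s · Σ f(xi, yi) over the k/2 surviving candidates, which is the form the merchant's check e(Ppub, M) = e(P, C) implies when M = Σ f(xi, yi). The encoding of u||(v+i) as a 64-bit integer, K_HALF, and the function names are constructed here.

```python
import hashlib
import secrets

# Toy stand-ins (constructed): G1 = G2 = (Z_q, +), P = 1, e(A, B) = A * B mod q.
q = 2**127 - 1
P = 1
K_HALF = 4   # candidates surviving the cut-and-choose, i.e. k/2 (constructed value)


def e(A, B):
    return (A * B) % q


def _hash(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"|".join(parts)).digest(), "big") % q


def g(a: int, c: int) -> int:
    """g: {0,1}* x {0,1}* -> G1 (SHA-256 reduced into the toy G1)."""
    return _hash(b"g", a.to_bytes(16, "big"), c.to_bytes(16, "big"))


def f(x: int, y: int) -> int:
    """f: {0,1}* x {0,1}* -> {0,1}*, here also reduced into Z_q so the sum is a group element."""
    return _hash(b"f", x.to_bytes(16, "big"), y.to_bytes(16, "big"))


def make_coin(s: int, u: int, v: int):
    """Build k/2 candidates embedding account u and counter v, and the signed sum C.
    The bank's signature on the sum is applied directly with s here (assumption:
    blinding and the revealed subset R are not modelled)."""
    cands = []
    for i in range(1, K_HALF + 1):
        a, c, d = secrets.randbits(128), secrets.randbits(128), secrets.randbits(128)
        ident = (u << 32) | (v + i)                 # encoding of u || (v + i)
        cands.append({"a": a, "c": c, "d": d, "ident": ident,
                      "x": g(a, c), "y": g(a ^ ident, d)})
    C = (s * sum(f(cd["x"], cd["y"]) for cd in cands)) % q
    return C, cands


def pay(cands, challenge):
    """Customer's response to the merchant's challenge bits z_1 .. z_{k/2}."""
    resp = []
    for cd, bit in zip(cands, challenge):
        if bit == 1:
            resp.append((1, cd["a"], cd["c"], cd["y"]))
        else:
            resp.append((0, cd["x"], cd["a"] ^ cd["ident"], cd["d"]))
    return resp


def reconstruct_M(resp) -> int:
    """M = sum_i f(x_i, y_i), recomputed from what the customer revealed."""
    M = 0
    for r in resp:
        if r[0] == 1:
            _, a, c, y = r
            M += f(g(a, c), y)          # x_i = g(a_i, c_i) is recomputed
        else:
            _, x, t, d = r
            M += f(x, g(t, d))          # y_i = g(a_i xor u||(v+i), d_i) is recomputed
    return M % q


def merchant_verify(Ppub: int, C: int, resp) -> bool:
    return e(Ppub, reconstruct_M(resp)) == e(P, C)


class Bank:
    def __init__(self):
        self.s = secrets.randbelow(q - 1) + 1
        self.Ppub = (self.s * P) % q
        self.deposits = {}   # C -> (challenge, responses) already credited

    def deposit(self, C, challenge, resp):
        """Returns ("accepted", None), ("invalid", None) or ("double_spend", u)."""
        if not merchant_verify(self.Ppub, C, resp):
            return "invalid", None
        if C not in self.deposits:
            self.deposits[C] = (challenge, resp)
            return "accepted", None
        old_ch, old_resp = self.deposits[C]
        for i, (b_old, b_new) in enumerate(zip(old_ch, challenge)):
            if b_old != b_new:   # bank holds a_i from one spend and a_i xor u||(v+i) from the other
                one, zero = (old_resp[i], resp[i]) if b_old == 1 else (resp[i], old_resp[i])
                ident = one[1] ^ zero[2]
                return "double_spend", ident >> 32
        return "double_spend", None      # identical challenges: spend detected but untraceable


def run_scenario():
    bank = Bank()
    C, cands = make_coin(bank.s, u=4242, v=100)
    first = bank.deposit(C, [1, 0, 1, 0], pay(cands, [1, 0, 1, 0]))
    second = bank.deposit(C, [0, 0, 1, 1], pay(cands, [0, 0, 1, 1]))   # same coin, new challenge
    forged = bank.deposit((C + 1) % q, [1, 1, 0, 0], pay(cands, [1, 1, 0, 0]))
    return first, second, forged
```

The trace works only where the two merchants' challenge bits differ at some index, which is why the merchant must pick the challenge at random: with k/2 independent bits the chance that two honest merchants issue identical challenges is 2^(-k/2).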
19
Scheme for online cash for multiple denominations
Cookie jar
Declared note value
Hidden note value
Basic idea: the bank uses k secret keys for up to 2^k - 1 denominations.
20
Introduction to Remote User Authentication
Objectives of the scheme
  Authentication with smart cards
  Avoiding large password tables
  Providing a password change option
  Online registration of the smart card
  Key agreement and lost card revocation
Phases
  Registration
  Login
  Verification
  Password Change
21
Review of Das et al.'s scheme
Registration
U submits his ID and password PW to RS.
RS computes RegID = sH(ID) + H(PW).
RS personalizes the smart card with ID, RegID, H(.) and sends the smart card to U in a secure manner.
Login
U inserts the smart card into the terminal and submits ID and PW.
Smart card computes DID = T·RegID and V = T·H(PW), and sends the login request <ID, DID, V, T> to RS over a public channel, where T is the timestamp.
22
Review of Das et al.'s scheme (contd.)
Verification
RS receives <ID, DID, V, T> at time T* and verifies the validity of the time interval between T* and T.
If it holds, RS checks whether e(DID - V, P) == e(H(ID), Ppub)^T.
If both checks pass, RS accepts the request and rejects it otherwise.
23
Review of Das et al.'s scheme (contd.)
Password Change
Insert the smart card into the terminal and submit ID and PW.
Smart card verifies the entered ID against the one stored in the smart card.
If the ID matches, it prompts U for a new password. U submits a new password PW*.
Smart card computes RegID* = RegID - H(PW) + H(PW*) = s·H(ID) + H(PW*).
Smart card replaces the previously stored RegID by RegID*.
24
Chou et al.'s analysis and modification
Chou et al. pointed out that the verification in Das et al.'s scheme holds even with DID1 = DID + a and V1 = V + a, where a is from G1, as shown below:
  e(DID1 - V1, P) = e(DID - V, P) = e(H(ID), Ppub)^T
To avoid this, Chou et al. proposed the modified verification e(DID, P) == e(TsH(ID) + V, P) to overcome the defect in the verification of Das et al.'s scheme.
25
Analysis on Chou et al.'s modification
We note that this verification also holds for DID1 = DID + a and V1 = V + a, where a is from G1, as shown below:
  e(DID1, P) == e(DID, P) e(a, P)
             == e(TsH(ID) + V, P) e(a, P)
             == e(TsH(ID) + V1, P)
26
Cryptanalysis of Das et al.'s scheme
In the login phase, the tuple <ID, DID, V, T> is sent to RS over a public channel. Any attacker tapping this message can compute a valid tuple <ID1, DID1, V1, T1> as follows.
The attacker computes T^(-1) and obtains RegID and H(PW) by
  RegID = T^(-1)·DID and H(PW) = T^(-1)·V.
Now the attacker can form the valid tuple <ID1, DID1, V1, T1> for timestamp T1 by computing DID1 = T1·RegID and V1 = T1·H(PW).
Thus, the attacker can impersonate a user many times just by intercepting one valid login request of the user.
27
Improvement of Das et al.'s scheme
Registration and Password Change phases are not altered.
Login
U inserts the smart card into the terminal and submits ID and PW.
Smart card, after validating ID, computes
  V = (Vx, Vy) = r·Ppub
  DID = (r + h(T||Vx||Vy))·[RegID - H(PW)]
and sends the login request <ID, DID, V, T> to RS over a public channel, where T is the timestamp and r is a random number generated by the smart card.
28
Improvement of Das et al.'s scheme (contd.)
Verification
RS receives <ID, DID, V, T> at time T* and verifies the validity of the time interval between T* and T.
If it holds, RS checks whether e(DID, P) == e(H(ID), V + h(T||Vx||Vy)·Ppub).
If both checks pass, RS accepts the request and rejects it otherwise.
29
Revoking lost cards
Use CID (Card Identifier) in place of ID (User Identity).
Maintain a Registration Table with the ID and the CID of the issued smart card.
If a user with identity ID reports to the server RS that he has lost his smart card, the corresponding CID is placed on a revocation list and all requests coming from this CID are rejected.
30
Providing online registration of smart cards
Pre-partial personalization phase
RS chooses a random number r for the smart card numbered CID and stores r securely in the smart card.
RS stores CID and r in the database maintained for the pre-partially personalized smart cards.
RS prints CID on the smart card and covers it with scratchable ink.
31
Providing online registration of smart cards (contd.)
Online Registration
U obtains a smart card after proving his credentials to the card vendor.
U scratches the card and obtains CID.
U inserts the smart card into the terminal and submits CID, and then the ID and PW of his choice.
Smart card sends ID and CID to RS over a public channel.
RS checks its database of pre-partially personalized smart cards for CID. If it exists, RS computes N = r^(-1)·s·H(ID), sends N over the public channel to the customer and waits for the acknowledgement.
Smart card, after receiving N, verifies the validity of N by the equation e(N, P)^r == e(H(ID), Ppub).
32
Providing online registration of smart cards (contd.)
Online Registration (contd.)
Here the pairing operations can be performed by the user's system resources, in the form A = e(N, P) and B = e(H(ID), Ppub), and the smart card, which holds r securely, can verify whether A^r = B.
Smart card computes RID = r·N + H(PW) = s·H(ID) + H(PW).
Smart card stores RID securely and destroys r.
Smart card sends CID and h(Nx||Ny||r) as acknowledgement to RS.
After verifying CID and h(Nx||Ny||r), RS removes the corresponding record from the database of pre-partially personalized smart cards.
33
Key agreement
U computes the session key as k = h(Zx||Zy), where Z = r·P.
RS computes the session key as k = h(Wx||Wy), where W = s^(-1)·V.
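The improved login and verification phases, together with the key agreement above, as an added example that is not part of the presentation. It runs on the same toy groups used earlier (G1 = G2 = Z_q under addition, P = 1, e(A, B) = A·B mod q), so a "point" V is a single integer and h(T||Vx||Vy) becomes h(T||V); the freshness window DELTA_T, the byte encodings, the revocation set and the class and function names are constructed here. The example checks that a correct login verifies and both sides derive the same session key, and that a late replay of the same request, a wrong password, and a request from a revoked identifier are all rejected.

```python
import hashlib
import secrets

# Toy stand-ins for the pairing groups (constructed): G1 = G2 = (Z_q, +),
# P = 1, e(A, B) = A * B mod q. Discrete logs in this G1 are trivial, so only
# the protocol logic, not its security, is exercised.
q = 2**127 - 1
P = 1
DELTA_T = 5   # accepted age of a login timestamp, in seconds (constructed value)


def e(A, B):
    return (A * B) % q


def H(data: bytes) -> int:
    """Map-to-G1 hash H used in RegID and in the verification equation."""
    return int.from_bytes(hashlib.sha256(b"H|" + data).digest(), "big") % q


def h(data: bytes) -> int:
    """Ordinary hash h into Z_q used for h(T||Vx||Vy) and the session key."""
    return int.from_bytes(hashlib.sha256(b"h|" + data).digest(), "big") % q


def enc(T: int, V: int) -> bytes:
    """Byte encoding of T||Vx||Vy; in the toy G1 the point V is one integer."""
    return T.to_bytes(8, "big") + V.to_bytes(16, "big")


class RegistrationServer:
    def __init__(self):
        self.s = secrets.randbelow(q - 1) + 1       # master key
        self.Ppub = (self.s * P) % q
        self.revoked = set()                        # identifiers of cards reported lost

    def register(self, ID: bytes, PW: bytes) -> dict:
        """Registration (unchanged from Das et al.): RegID = sH(ID) + H(PW)."""
        return {"ID": ID, "RegID": (self.s * H(ID) + H(PW)) % q}

    def verify(self, request, now: int):
        """Verification of the improved login request: (accepted, session key)."""
        ID, DID, V, T = request
        if ID in self.revoked:                      # lost-card revocation list
            return False, None
        if not 0 <= now - T <= DELTA_T:             # stale or replayed timestamp
            return False, None
        hv = h(enc(T, V))
        if e(DID, P) != e(H(ID), (V + hv * self.Ppub) % q):
            return False, None
        W = (pow(self.s, -1, q) * V) % q            # W = s^-1 V = rP
        return True, h(W.to_bytes(16, "big"))       # k = h(Wx||Wy)


def login(card: dict, PW: bytes, Ppub: int, T: int):
    """Smart-card side of the improved login phase: (request, session key)."""
    r = secrets.randbelow(q - 1) + 1                # fresh per-login random
    V = (r * Ppub) % q                              # V = r Ppub
    hv = h(enc(T, V))
    DID = ((r + hv) * (card["RegID"] - H(PW))) % q  # equals (r + h) * sH(ID) if PW is right
    Z = (r * P) % q                                 # Z = rP
    return (card["ID"], DID, V, T), h(Z.to_bytes(16, "big"))


def run_scenario():
    rs = RegistrationServer()
    card = rs.register(b"alice", b"correct horse battery")
    T = 1_700_000_000
    req, k_user = login(card, b"correct horse battery", rs.Ppub, T)
    ok, k_rs = rs.verify(req, now=T + 1)                     # accepted; keys agree
    stale, _ = rs.verify(req, now=T + DELTA_T + 1)           # same request replayed late
    bad_req, _ = login(card, b"wrong password", rs.Ppub, T)
    wrong, _ = rs.verify(bad_req, now=T + 1)                 # wrong PW breaks the pairing check
    rs.revoked.add(b"alice")                                 # card reported lost
    rev_req, _ = login(card, b"correct horse battery", rs.Ppub, T)
    rev, _ = rs.verify(rev_req, now=T + 1)
    return ok, k_user == k_rs, stale, wrong, rev


if __name__ == "__main__":
    print(run_scenario())  # (True, True, False, False, False)
```

The two key derivations agree because W = s^(-1)·V = s^(-1)·r·sP = rP = Z. Note that the timestamp window is what bounds replay of a captured request; once the window has passed, the same <ID, DID, V, T> is refused even though its pairing check would still hold.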
34
Conclusion
Schemes for online digital cash and offline digital cash are proposed using bilinear pairings in ECC.
Das et al.'s Remote User Authentication scheme using bilinear pairings is analysed and improved to support online registration, key agreement and lost card revocation.
35
Major References
Boneh D, Lynn B and Shacham H. "Short signatures from the Weil pairing". Proc. of Asiacrypt 2001, LNCS, Springer, pp , 2001.
D. Chaum. "Blind signatures for untraceable payments". Advances in Cryptology - CRYPTO '82, Plenum Press, pages , 1982.
D. Chaum, A. Fiat, M. Naor. "Untraceable Electronic Cash". Advances in Cryptology - CRYPTO '88, Springer-Verlag, pages , 1988.
"On-line cash checks". Advances in Cryptology - EUROCRYPT '89, Springer-Verlag, pages 288-293, 1989.
36
Major References (contd.)
D. Chaum, B. Boer, E. Heyst, S. Mjolsnes, A. Steenbeek. "Efficient Offline Electronic Checks". Advances in Cryptology - EUROCRYPT '89, Springer-Verlag, pages , 1989.
S. Brands. "Untraceable Off-line Cash in Wallet with Observers". Advances in Cryptology - CRYPTO '93, Springer-Verlag, pages 302-318, 1993.
A. Menezes, T. Okamoto and S. Vanstone. "Reducing elliptic curve logarithms in a finite field". IEEE Trans. on Information Theory, vol. 39(5), pp , 1993.
Chou JS, Chen Y, Lin JY. "Improvement of Das et al.'s remote user authentication scheme".
37
Major References (contd.)
Das ML, Saxena A, Gulati VP. "A Dynamic ID-based Remote User Authentication Scheme". IEEE Trans. on Consumer Electron., vol. 50, no. 2, pp , 2004.
38
Thank you