
    Pairing-based identification schemes

    We propose four different identification schemes that make use of bilinear pairings, and prove their security under certain computational assumptions. Each of the schemes is more efficient and/or more secure than any known pairing-based identification scheme.

    On the Static Diffie-Hellman Problem on Elliptic Curves over Extension Fields

    Recent work by Koblitz and Menezes has highlighted the existence, in some cases, of apparent separations between the hardness of breaking discrete logarithms in a particular group and the hardness of solving, in that group, problems to which the security of certain cryptosystems is provably related. We consider one such problem in the context of elliptic curves over extension fields, and report potential weaknesses of the Galbraith-Lin-Scott curves from EUROCRYPT 2009, as well as two very different practical attacks on the Oakley Key Determination Protocol curves.

    On the Static Diffie-Hellman Problem on Elliptic Curves over Extension Fields

    We show that for any elliptic curve E(F_{q^n}), if an adversary has access to a Static Diffie-Hellman Problem (Static DHP) oracle, then by making O(q^{1 - 1/(n+1)}) Static DHP oracle queries during an initial learning phase, for fixed n > 1 and q → ∞ the adversary can solve any further instance of the Static DHP in heuristic time Õ(q^{1 - 1/(n+1)}). Our proposal also solves the Delayed Target DHP as defined by Freeman, and naturally extends to provide algorithms for solving the Delayed Target DLP, the One-More DHP and the One-More DLP, as studied by Koblitz and Menezes in the context of Jacobians of hyperelliptic curves of small genus. We also argue that for any group in which index calculus can be effectively applied, the above problems have a natural relationship, and will always be easier than the DLP. While practical only for very small n, our algorithm reduces the security provided by the elliptic curves defined over F_{p^2} and F_{p^4} proposed by Galbraith, Lin and Scott at EUROCRYPT 2009, should they be used in any protocol where a user can be made to act as a proxy Static DHP oracle, or if used in protocols whose security is related to any of the above problems.

    Provably Secure Identity-Based Remote Password Registration

    One of the most significant challenges is secure user authentication. If it is breached, the confidentiality and integrity of the data or services may be compromised. The most widespread solution for entity authentication is the password-based scheme. It is easy to use and deploy. During password registration, users typically create or activate their account along with their password through a verification email, and service providers are authenticated based on their SSL/TLS certificate. We propose a password registration scheme based on identity-based cryptography, i.e. both the user and the service provider are authenticated by their short-lived identity-based secret key. For secure storage a bilinear map with a salt is applied; therefore, in case of an offline attack, the adversary is forced to compute a computationally expensive bilinear map for each password candidate and salt, which slows down the attack. A new adversarial model and a new secure password registration scheme are introduced. We show that the security of the proposed protocol rests on the assumptions that the Bilinear Diffie-Hellman problem is computationally infeasible, the bilinear map is a one-way function, and the MAC is existentially unforgeable under an adaptive chosen-message attack.

    Getting Rid of Linear Algebra in Number Theory Problems

    We revisit some well-known cryptographic problems in a black box modular ring model of computation. This model allows us to compute with black box access to the ring Z/mZ. We develop new generic ring algorithms to recover m even if it is unknown. At the end, Maurer's generic algorithm allows one to recover an element from its black box representation. However, we avoid Maurer's idealized model with a CDH oracle for the multiplication in the hidden ring by introducing a new representation compatible with ring operations. An element is encoded by its action over the factor basis. Consequently, we can multiply two elements with classical descent computations in sieving algorithms. As the algorithms we propose work without using an expensive linear algebra computation at the end, even though they manipulate large sparse matrices, we can exploit a high level of parallelism. Then, we consider general groups such as imaginary quadratic class groups and the Jacobian of a hyperelliptic curve, and obtain new methods for group order computation. The repeated squaring problem and the adaptive root problem used in the construction of Verifiable Delay Functions are particularly easy to solve in the black box modular ring; the high degree of parallelism provided by our method allows a reduction in the time to solve them. We improve the smoothing time, and as a result, we break Verifiable Delay Functions and factorize weak keys with lower Area-Time cost. Finally, we show new AT costs for computing a discrete logarithm over an adversarial basis in finite fields.

    Privacy of User Identities in Cellular Networks

    This thesis looks into two privacy threats of cellular networks. For their operations, these networks have to deal with unique permanent user identities called International Mobile Subscriber Identity (IMSI). One of the privacy threats is posed by a device called an IMSI catcher. An IMSI catcher can exploit various vulnerabilities. Some of these vulnerabilities are easier to exploit than others. This thesis looks into fixing the most easily exploitable vulnerability, which is in the procedure of identifying the subscriber. This vulnerability exists in all generations of cellular networks prior to 5G. The thesis discusses solutions to fix the vulnerability in several different contexts. One of the solutions proposes a generic approach, which can be applied to any generation of cellular networks, to fix the vulnerability. The generic approach uses temporary user identities, which are called pseudonyms, instead of using the permanent identity IMSI. The thesis also discusses another solution to fix the vulnerability, specifically in the identification procedure of 5G. The solution uses Identity-Based Encryption (IBE), and it is different from the one that has been standardised in 5G. Our IBE-based solution has some additional advantages that can be useful in future work. The thesis also includes a solution to fix the vulnerability in the identification procedure of earlier generations of cellular networks. The solution fixes the vulnerability when a user of a 5G network connects to those earlier generation networks. The solution is a hybridisation of the pseudonym-based generic solution and the standardised solution in 5G. The second of the two threats that this thesis deals with is related to the standards of a delegated authentication system, known as Authentication and Key Management for Applications (AKMA), which was released in July 2020.

    The system enables application providers to authenticate their users by leveraging the authentication mechanism between the user and the user's cellular network. This thesis investigates what requirements AKMA should fulfil. The investigation puts a special focus on identifying privacy requirements. It finds two new privacy requirements, which are not yet considered in the standardisation process. The thesis also presents a privacy-preserving AKMA that can co-exist with a normal-mode AKMA.

    This dissertation studies two privacy threats in mobile networks. In these networks, users are identified by a unique permanent identity. An attacker can threaten a user's privacy with a radio transmitter that masquerades as a base station of the mobile network. Such a false base station can ask nearby mobile devices to reveal their permanent identity, allowing the attacker to find out, for example, whether a particular person's phone is nearby or not. The dissertation investigates what kinds of solutions can avoid vulnerabilities of this type. The fifth-generation mobile technology standard includes a protection for the user's permanent identity that is based on public-key encryption. This solution protects against the false base station threat, but it works only in 5G networks. One of the alternative solutions presented in the dissertation is also suitable for use with older generations of mobile technology. The solution is based on replacing the permanent identity with a pseudonym. Another proposed solution uses identity-based encryption, and it would have certain advantages over the public-key encryption method chosen for the 5G standard. In addition, the dissertation presents a hybrid of the method chosen for the 5G standard and the pseudonym-based method, which would make it possible to extend the protection to earlier generations of mobile technology as well.

    The second privacy threat studied in the dissertation relates to the delegated authentication system specified in the 5G standard. This system enables strong user authentication automatically by means of the mobile network. The dissertation studies the security requirements placed on the system, particularly from the perspective of privacy protection. The work has identified two requirements that have not so far been taken into account in the development of the standards. In addition, the work presents a solution by which the delegated authentication system can be extended to better protect privacy.

    Cryptographic Protocols, Sensor Network Key Management, and RFID Authentication

    This thesis includes my research on efficient cryptographic protocols, sensor network key management, and radio frequency identification (RFID) authentication protocols. Key exchange, identification, and public key encryption are among the fundamental protocols studied in cryptography. There are two important requirements for these protocols: efficiency and security. Efficiency is evaluated using the computational overhead to execute a protocol. In modern cryptography, one way to ensure the security of a protocol is by means of provable security. Provable security consists of a security model that specifies the capabilities and the goals of an adversary against the protocol, one or more cryptographic assumptions, and a reduction showing that breaking the protocol within the security model leads to breaking the assumptions. Often, efficiency and provable security are not easy to achieve simultaneously. The design of efficient protocols in a strict security model with a tight reduction is challenging. Security requirements raised by emerging applications bring up new research challenges in cryptography. One such application is pervasive communication and computation systems, including sensor networks and radio frequency identification (RFID) systems. Specifically, sensor network key management and RFID authentication protocols have drawn much attention in recent years. In the cryptographic protocol part, we study identification protocols, key exchange protocols, and ElGamal encryption and its variant. A formal security model for challenge-response identification protocols is proposed, and a simple identification protocol is proposed and proved secure in this model. Two authenticated key exchange (AKE) protocols are proposed and proved secure in the extended Canetti-Krawczyk (eCK) model. The proposed AKE protocols achieve tight security reduction and efficient computation. 
    We also study the security of ElGamal encryption and its variant, Damgård's ElGamal encryption (DEG). Key management is the cornerstone of the security of sensor networks. A commonly recommended key establishment mechanism is based on key predistribution schemes (KPS). Several KPSs have been proposed in the literature. A KPS installs pre-assigned keys in sensor nodes so that two nodes can communicate securely if they share a key. Multi-path key establishment (MPKE) is one component of a KPS which enables two nodes without a shared key to establish a key via multiple node-disjoint paths in the network. In this thesis, methods to compute the k-connectivity property of several representative key predistribution schemes are developed. A security model for MPKE and efficient and secure MPKE schemes are proposed. Scalable, privacy-preserving, and efficient authentication protocols are essential for the success of RFID systems. Two such protocols are proposed in this thesis. One protocol uses finite field polynomial operations to solve the scalability challenge. Its security is based on the hardness of the polynomial reconstruction problem. The other protocol improves a randomized Rabin encryption based RFID authentication protocol. It reduces the hardware cost of an RFID tag by using a residue number system in the computation, and it provides provable security by using secure padding schemes.

    PAIRING-BASED IDENTIFICATION SCHEMES

    Keywords: public-key cryptography, identification, zero-knowledge, pairings

    We present several different identification schemes that make use of bilinear pairings. Each of the schemes is more efficient and/or more secure than any known pairing-based identification scheme.

    Implementation of identity-based and certificateless identification on android platform

    An identification scheme provides an access control mechanism where a prover authenticates himself to a verifier without providing the verifier with any information about his private key. Recently, pairing-based identification schemes have gained interest, particularly identification schemes without certificates. However, there have been few implementation results for these schemes on handheld mobile devices. In this paper, we provide implementation results for identification schemes without certificates that utilize pairings, on the Android platform.