International Journal of Network Security, Vol.3, No.3, PP.259–270, Nov. 2006 259

Authentication and Agreement Protocols Preserving Anonymity

Kumar Mangipudi1, Rajendra Katti1, and Huirong Fu2∗ (Corresponding author: Huirong Fu)

Department of Electrical and Computer Engineering, 1411 Centennial Blvd, 1 North Dakota State University, Fargo, ND 58105, USA. (Email: {kumar.mangipudi, rajendra.katti}@ndsu.edu) Department of Computer Science and Engineering, 2 Oakland University, Rochester, MI 48309, USA. (Email: [email protected]) (Received Sept. 7, 2005; revised and accepted Oct. 11 & Oct. 27, 2005)

Abstract designed with an objective that the communicating par- ties execute a scheme, and when it is terminated, each Anonymity is a very important security feature in ad- of the parties should have certain assurance that they dition to authentication and key agreement features in know the other’s true identity and share a new and ran- communication protocols. In this paper, we propose two dom session-key derived from contributions of all the par- authentication and key agreement (AKA) protocols: the ties. This objective has to be accomplished irrespective AKA protocol with user anonymity (UAP) and the AKA of wired or wireless media. Client-server wireless commu- protocol with user and server anonymity (USAP). The nications, where a low end user and a server authenticate proposed protocols have the following advantages: first of each other, often demand for few message exchanges and all, they preserve anonymity, which is a security feature less computational loads. that was ignored in most of the previously proposed AKA Until now, numerous public key based protocols; secondly, they exploit the difference in capabil- AKA protocols ranging from the traditional RSA to El- ities between resource constrained clients and highly re- liptic Curve Cryptography (ECC) have been proposed. sourceful servers and thus are suitable for wireless applica- Recently, ECC has gained a lot of attention as ECC im- tions; thirdly, they resist known attacks; and finally, they plemented devices have higher strength per key bit, lower perform better in terms of the number of messages and power consumption, and smaller bandwidths as compared bits exchanged and computing time as compared to the to RSA based . Hence, it is more promis- previously proposed AKA protocols. For example, USAP ing to implement ECC in constrained platforms such as preserves user and server anonymity, exchanges 3 mes- wireless devices, handheld computers, and smart cards. sages with 1920 bits in total, and requires only 280 msec Apart from security services like authentication and of processing time on the user side when implemented on key agreement, the requirement for having anonymity is Mitsubishis M16C microprocessor. Similarly, the UAP gaining a lot of attention because transmitting a user’s is scalable, preserves user anonymity, requires 440 msec, identity in plain during the authentication process invades and exchanges 2560 bits. the user’s privacy and allows unauthorized access of his Keywords: Anonymity, authentication, Elliptic Curve personal information that may result in violation of his Cryptography (ECC), key agreement privacy and raise legal issues [5]. A literature survey on AKA protocols (included in Section 2 of this paper) re- vealed that most of the previously proposed protocols ig- 1 Introduction nored anonymity. A wireless authentication protocol that supports anonymity was proposed in [2, 3]. For the rest Authenticated Key Agreement (AKA) protocols provide of our discussion, we refer to this protocol as A-WAP. communicating parties with a random shared-key that Despite the authors’ claim, A-WAP on one hand fails to can subsequently be used to communicate confidentially. provide anonymity and on the other hand it succumbs to These protocols provide an efficient means of establish- several attacks as shown in [17, 26]. ing keys and therefore solve the problems associated with Preserving anonymity is a very broad and relative key management. Nonetheless, the AKA protocols are term. In user-server applications such as accessing or re- International Journal of Network Security, Vol.3, No.3, PP.259–270, Nov. 2006 260 questing services from a server, user anonymity is highly 2 Related Work appreciated as compared to server anonymity. In either case, the anonymity is defined with respect to the pub- There exists plethora of authentication schemes in the lit- lic. Note that in the above applications the server has to erature that are designed to address a variety of applica- identify and verify the user for accounting and billing pur- tions. The following is one of the many ways of classifying poses. As such in our design, while addressing anonymity those schemes based on the kinds of security services they we envision two kinds of applications. The first appli- support and the underlying cryptographic functions used cation is a more generic one such as in ad-hoc networks in their design: that requires only user anonymity, and the server or the 1) Hash-based password authentication protocols [11, service provider is a public entity that provides public 16, 21, 24] services. Secondly, applications where a user and a spe- cific server communicate with each other while remaining 2) Public-key based authentication and key agreement anonymous to the public. A user accessing his/her bank (AKA) protocols (as discussed below) account or a remote office server is an example for second application. The proposed protocols, AKA protocol with 3) Symmetric-key authentication protocols [22] user anonymity (UAP) and AKA protocol with user and 4) Authentication schemes based on key-chains [19, 27] server anonymity (USAP), respectively address the above two applications. A complete description of the above mentioned authen- The following are the advantages of our protocols: first tication schemes are beyond the scope of this paper. As of all, they preserve anonymity, which is a security fea- such, this paper only refers to well-known and widely-used ture that was ignored in most of the previously proposed AKA protocols based on public-key cryptography. AKA protocols; secondly, they exploit the difference in ca- Diffie and Hellman first proposed the Diffie-Hellman pabilities between resource constrained clients and highly (DH) based on the prob- resourceful servers and thus are suitable for wireless ap- lem in 1976 [10]. Since the original DH protocol is vul- plications; thirdly, they resist known attacks; and finally, nerable to a man-in-the-middle attack, modifications were they perform better in terms of the number of messages proposed to resist such attack [28]. Later, Bellovin and and bits exchanged and computing time. Since a user Merrit presented a password based key exchange protocol can be a low power device, as in wireless applications, for two-party communications known as Encrypted Key we measure the performance of our protocols from user’s Exchange (EKE) [7]. Further, an efficient and elegant perspective. The proposed USAP is computationally ef- scheme for EKE that was considered for standardization ficient with fewer message exchanges but is not scalable by the IEEE P1363 Standard working group is AuthA, as the user can communicate only with a specific server. which was later enhanced by Bresson et al. in [8] to re- Hence, the scalability as we envision is the ability of a user sist the denial-of-service attack. In [30], Zhang showed to communicate with a number of specific servers while that Strong Password only Authenticated Key Exchange preserving both user and server anonymity. On the other (SPEKE), a password authenticated key exchange pro- hand, the proposed UAP is scalable (a user can commu- tocol defined in [15] was susceptible to password guess- nicate with any arbitrary server rather than a specific ing attack. Wong and Chan [29] proposed a mutually server) but only at the cost of server anonymity and in- authenticated key exchange protocol for low power com- creased computational and communicational overhead as puting devices, which was later proven insecure against compared to USAP. For example, USAP preserves user unknown key-share attacks by Shim [23]. Zhu et al. pre- and server anonymity, exchanges 3 messages with 1920 sented a password based authenticated key exchange pro- bits, and requires only 280 msec of processing time on tocol based on RSA for imbalanced wireless networks in the user side when implemented on Mitsubishis M16C [31]. Further, protocols proposed by Beller et al. [6] and microprocessor. The UAP, preserves user anonymity, re- Aziz and Diffie [4] address mutual authentication and key quires 440 msec, and exchanges 2560 bits. These timings agreement issues for low end devices. Unfortunately, none are based on the authors’ analysis of MSR-Hybrid, a fast of the above protocols provides anonymity. A widely-used authenticated and key establishment protocol, for sensor standard for IPSec protocol suite is the Internet Key Ex- networks that does not support anonymity, requires 455 change (IKE) [12]. IKE has several drawbacks, and fur- msec, and exchanges 4448 bits in 4 messages [13]. ther, it transmits a user’s identity in clear. Just Fast The rest of this paper is organized as follows. We Keying (JFK) protocols proposed in [1] address the short- discuss various authentication schemes and review previ- comings of IKE. However, they too ignored anonymity ously proposed AKA protocols based on public-key cryp- of the communicating parties. In recent years, several tography in Section 2. Next, we introduce the design ECC-based key agreement protocols, such as the ECMQV criteria for our proposed protocols in Section 3. Then, protocol with ECC X509 certificates [25], implicit certifi- in Sections 4 and 5, we present the proposed UAP and cates and the Elliptic Curve Diffie-Hellman Ephemeral USAP, respectively. In Sections 6 and 7, we analyze the (ECDHE) protocol [9], A-WAP, and two fast authenti- security and compare the performance of our proposed cated key exchange protocols [13], were proposed. Out of protocols, respectively. Finally, we conclude in Section 8. these, only A-WAP claims that it addresses anonymity. International Journal of Network Security, Vol.3, No.3, PP.259–270, Nov. 2006 261

However, a direct application of this protocol is question- 3.2 Assumptions, Nomenclature, and able as it not only fails to provide anonymity but also Functions Used succumbs to the attacks listed in [12, 26]. As with the other public key cryptosystems, we consider that a trusted third party known as Certificating Au- 3 Protocol Design Goals thority (CA) issues a certificate (r, s) and its expiration date (t) to the communicating parties (users/servers) dur- This section presents a list of security requirements that ing the initialization phase. The certificate (r, s) is com- are considered while designing AKA protocols. Also in- puted by using Elliptic Curve Algorithm cluded in this section are initial assumptions and nomen- (ECDSA). More details on the ECDSA can be found in clature used throughout this paper. [14, 18]. In addition to issuing certificates, we also assume that CA can assign unique identities, store, and distribute any other required information to the communicating par- 3.1 Protocol Requirements ties. In real world, the latter functions of the CA can be The following security services are considered in the de- performed by some independent body. sign of our protocols. First, an elliptic curve over GF (p) (where p is a of length greater than 160 bits) with suit- 1) Mutual authentication assures the communicating able coefficients is defined. Note that the elliptic curve parties that the message has originated from the in- can also be defined over GF (2m). Then a base point tended party and that it has not been tampered with. P = (P.x, P.y)(where P.x and P.y are the x and y co- ordinates of the point P , respectively) of large order n, 2) Key agreement ensures that the communicating par- belonging to this elliptic curve group is selected and made ties agree upon a random shared session-key that is public to all users/servers. The CA selects a random independent of the previous communications. Fur- number dCA as its private key and performs the point ther, the agreed session-key is derived from the con- multiplication dCA × P to obtain its public key QCA, i.e., tribution of all the parties and thus no single party QCA = dCA ×P . We shall denote the randomly generated is able to exercise control on the selection of the key. private and public key pair as (d, Q) with appropriate sub- scripts. Thus, CA’s randomly generated private and pub- 3) Anonymity in communication ensures that no one lic key pair is (dCA,QCA). We also employ a symmetric else other than the intended parties be able to figure and decryption algorithm, such as Advanced out who is communicating with whom. Encryption Standard (AES) and a hash function, such as 4) Confidentiality protects the transmitted messages SHA-1 or MD-5 [22]. The encryption, decryption, and E, D H from eavesdropping. hash function are denoted as , and , respectively. Finally, our proposed protocols consist primarily of two 5) Non-repudiation ensures that no parties can deny phases: an initialization phase, an offline process, which is their actions after the completion of their commu- executed between a user (or a server) and the CA through nication. a ; and a mutual authentication phase, an online process that is executed in real time whenever the In addition to supporting the above security services, parties (a user and the server) want to mutually authen- the designed protocols should not only resist various at- ticate and agree upon a session-key. The users and server tacks but also should satisfy the performance require- execute the initialization phase at the end of their ex- ments. Some of the attacks on AKA protocols are re- piration dates (t) to obtain another valid certificate and play, man-in-the-middle, denial-of-service, impersonation, expiration date. In addition to the subscript CA, we will known-key, and unknown-key share attacks. Further- also use the subscripts U and S to indicate to a user and more, the designed protocols should provide forward se- the server, respectively. crecy. A full description of these terms can be obtained from [17, 26, 28]. The authors in [28] suggest the following performance requirements: 4 AKA Protocol with User

1) Minimum number of messages exchanged, Anonymity (UAP)

2) Low communication overhead (total number of bits In this section, we propose an AKA protocol with user transmitted), anonymity (UAP) that preserves user anonymity during the mutual authentication phase. Note that in UAP, we 3) Low computation overhead (total number of arith- do not consider server anonymity as the server and its metic operation involved), and services are public. This protocol addresses situations similar to ad-hoc networks, where a user and any server 4) Possibility of pre-computations that reduce the pro- need to authenticate each other before establishing se- tocol execution timings. cure communication. We describe UAP in two phases: International Journal of Network Security, Vol.3, No.3, PP.259–270, Nov. 2006 262

User CA 1. Chooses dU ∈{2,n − 2} Chooses kU ∈{2,n − 2} 2. QU = dU × P RU = kU × P 3. Sends QU → Receives QU 4. Chooses a unique IU and tU 5. rU = RU .x, eU = H(QU .x, IU ,tU ) −1 6. sU = kU (eU + dCArU ) 7. Receives QCA, IU , (rU ,sU ),tU ← Sends QCA, IU , (rU ,sU ),tU 8. Stores dU ,QU ,QCA, IU , (rU ,sU ),tU

Figure 1: Initialization phase in UAP

the initialization phase, where all users and the servers in session-key generation phase (Steps 20 and 21). What the network obtain their respective certificates and expi- follows next is the mutual authentication phase between ration dates from a CA through a secure channel and the a user, U and the server, S in detail. mutual authentication phase that is executed in real time Initially, S sends its public key QS and identity IS to for mutual authentication and key agreement between a U. Note that we do not consider the anonymity of the user and the server. The rest of this section contains the server as it is a public entity. The user anonymity is a details of UAP. required security service in order to keep his/her actions untraceable. Upon receiving the server’s public key QS, U 4.1 Initialization Phase in UAP then calculates QR = gU ×QS (gU , a random number) and transmits QR to S. Transmitting QR is not of security During the initialization phase, all the users and servers concern as will be explained in Section 6. U also calcu- in a network execute an initialization protocol similar lates QK = gU ×P to obtain the temporary-key QK.x and to the one that is shown in Figure 1 to obtain their gUS. Note gUS is the same as QK.x. First, S performs −1 respective certificates and expiration dates from CA. dS × QR to obtain the temporary-key QK.x and gUS Note that this initialization protocol is executed via a and then it encrypts (rS,sS),tS , gUS and its generated secure channel. In Steps 1 through 3 of Figure 1, a random number gS using QK.x and sends this encrypted user, U generates a random private and public key pair message to U as C0, which is the Step 8 of Figure 2. (dU ,QU ) and sends QU to CA to obtain a certificate Upon receiving C0, U decrypts C0, checks the validity of for his/her public key. Then CA first assigns an iden- gUS and tS, terminates the protocol upon a failure; oth- tity IU and an expiration date tU , calculates hash value erwise, encrypts (rU ,sU ), tU , IU , QU .x and the received eU = H(QU .x, IU ,tU ), generates a certificate (rU ,sU ) and random value gS using QK .x, sends C1 (encrypted mes- then sends IU , (rU ,sU ),tU along with its public key QCA sage, i.e., E(QK .x, (rU ,sU ), IU ,tU ,QU .x, gS))) to S, and to U. Finally, U, stores dU ,QU ,QCA, IU , (rU ,sU ),tU . A then calculates eS = H(QS.x, IS , tS) before verifying the server, S, executes a similar initialization protocol with received server’s certificates as shown in Steps 14 through CA and obtains QCA, IS, (rS ,sS), and tS. 19 of Figure 2. Similarly, S verifies the received user’s certificates. If the certificates are valid, both parties gen- M US S S U 4.2 Mutual Authentication Phase in erate a unique session-key k = H(g ,g , ,e ,e ) and UAP destroy gUS, and gS from their memory. Before establishing a secure communication channel, a user and the server execute the mutual authentication 5 AKA Protocol with User And phase, as shown in Figure 2, the details of which are given below. To make the understanding of the proto- Server Anontmity (USAP) col simple, we divide this mutual authentication phase into three sub-phases: the temporary-key generation, the In this section, we propose an AKA protocol with user certificate verification, and the session-key generation. In and server anonymity (USAP) that allows a user and a temporary-key generation sub-phase, i.e., Steps 1 through specific server to mutually authenticate each other be- 6, the communicating parties set up a temporary-key for fore establishing a secret session, while remaining anony- encrypting the messages that contain sensitive informa- mous to the public. A real world example where USAP tion such as certificates, expiration dates, random num- can be applied is when a user wants to access services bers, identities, etc. Steps 7 through 19 define the certifi- from a specific server such as his/her bank account or a cate verification sub-phase, where both parties decrypt remote office server. Anonymity is desirable in the in- the received messages and verify each other’s certificates. terests of both communicating parties. USAP is almost A new and random session-key is generated in the final similar to UAP, except for few modifications to support stages of the mutual authentication phase, which is the server anonymity in addition to user anonymity. A user International Journal of Network Security, Vol.3, No.3, PP.259–270, Nov. 2006 263

User Server 1. Generates a random number gU ∈{2,n − 2} 2. Receives QS, IS ← Sends QS, IS 3. QR = gU × QS = (gU dS) × P Generates a random number gS ∈{2,n − 2} 4. Sends QR → Receives QR −1 −1 5. QK = gU × P QK = dS × QR = (dS gU dS ) × P = gU × P 6. gUS = QK.x: Temporary-key gUS = QK .x: Temporary-key 7. C0 = E(QK .x, (rS ,sS),tS,gUS,gS) 8. Receives C0 ← Sends C0 9. D(QK .x, C0): Valid gUS,tS? 10. C1 = E(QK .x, (rU ,sU ), IU ,tU ,QU .x, gS) 11. Sends C1 → Receives C1 12. Calculates eS = H(QS.x, IS ,tS) D(QK .x, C1): Valid gS,tU ? 13. eU = H(QU .x, IU ,tU ) −1 −1 14. c = sS c = sU 15. u1 = ceS u1 = ceU 16. u2 = crS u2 = crU 17. R = u1 × P + u2 × QCA R = u1 × P + u2 × QCA 18. v = R.x v = R.x 19. if v 6= rS , then abort if v 6= rU , then abort 20. kM = H(gUS,gS,eS,eU ): Unique session-key kM = H(gUS,gS,eS,eU ): Unique session-key 21. Destroys gUS,gS Destroys gUS,gS

Figure 2: Mutual authentication phase in UAP

in USAP stores some server specific information to sup- tion phase is performed between a user and the server to port server anonymity. Hence, the scalability as we define first authenticate each other and then establish a secure is the ability of the user to store servers’ specific informa- communication channel by agreeing upon a new random tion to communicate securely with several servers while session-key. preserving both user and server anonymity. The larger is the number of servers that a user can communicate with, the higher is the memory required to store the specific 5.1 Initialization Phase in USAP information pertaining to each of the servers. In USAP, a user and the server execute two different ini- First, USAP has two different initialization phases: the tialization phases whose details are given below. server initialization phase defined for the server and the user initialization phase defined for a user. Second, all 1) Server Initialization Phase: Figure 3 shows the server initialization phase. First, the server, S, generates a users obtain the server’s public key QS and hashed value random public and private key pair (dS ,QS), then eS from CA during the user initialization phase, which −1 QS d will then be used in preserving server anonymity during sends to the CA and calculates S . Upon re- QS IS the mutual authentication phase. Note that in mutual ceiving , the CA assigns a unique identity tS authenticating phase of both UAP and USAP, the com- and an expiration date , calculates hashed value eS H QS.x, IS ,tS IS ,tS municating parties (a user and the server) first authen- = ( ), and sends and its public QCA S ticate each other and then agree upon a session-key to key to . The CA then stores the server’s pub- lic key QS and eS. Finally, S receives QCA, IS and secure the subsequent communication. Finally, USAP −1 tS d ,QCA, IS tS relieves the user from verifying server’s certificates and and stores S and . thereby lessens the computational load during the mu- 2) User Initialization Phase: All users execute the user tual authentication phase. However, the user validates initialization protocol with CA as shown in Figure 4 the server’s public key, identity and expiration date by 0 when they first subscribe. First, a user, U, generates calculating eS = H(QS.x, IS ,tS) and comparing it with a random private and public key pair (dU ,QU ) and the eS received from CA during the initialization phase. sends QU to CA to obtain a certificate and an expira- The rest of this section contains the details of USAP tion date for its public key. Then CA first assigns an and its two phases: the initialization phase and the mu- identity IU , an expiration date tU , calculates hash tual authentication phase. Again, the initialization phase value eU = H(QU .x, IU ,tU ), generates a certificate is executed between a user (or a server) and the CA pair (rU ,sU ) and then sends IU ,tU , (rU ,sU ) along through a secure channel to obtain their respective cer- with the server’s public key QS and hash value eS to tificates and expiration dates and the mutual authentica- the user. Distributing the server’s public key to all International Journal of Network Security, Vol.3, No.3, PP.259–270, Nov. 2006 264

Server CA 1. Chooses dS ∈{2,n − 2} 2. QS = dS × P 3. Sends QS → Receives QS −1 4. Calculates dS Chooses a unique IS and tS 5. eS = H(QS.x, IS ,tS) 6. Receives QCA, IS ,tS ← Sends QCA, IS ,tS −1 7. Stores dS ,QCA, IS, tS Stores QS,eS

Figure 3: Server initialization phase in USAP

the users ensures that every user knows the server’s destroy gUS, and gS from their memory. public key prior to the authentication scheme.

5.2 Mutual Authentication Phase in 6 Security Analysis USAP In this section, we provide a provably secured analysis The mutual authentication phase shown in Figure 5 is for our protocols. The following is the roadmap. First, executed in real time, i.e., whenever a user, U, wants to we define ECDLP and then prove two theorems. Based set up a secure communication with the server, S. Again, on these theorems, we show how our protocols satisfy the the mutual authentication phase is divided into three sub- design goals (security services and attack resistant) set phases, the details of which are included next. Steps 1 forth in Section 3 of this paper. through 5 of Figure 5 indicate the temporary-key agree- The security of ECC based public cryptosystems largely depends upon solving a widely studied hard prob- ment sub-phase, where U generates a random number gU , lem known as elliptic curve discrete logarithm problem calculates QR = gU × QS, and transmits QR to S. Note (ECDLP). that the user obtains the server’s public key QS during the user initialization phase (Figure 4). U also calculates Definition 1. In an elliptic curve group, the ECDLP QK = gU × P to obtain the temporary-key QK .x. Upon Q P Q d −1 is defined as finding d given and , where = × receiving QR, S first performs dS × QR to obtain the P . Here Q and P are the points on the elliptic curve, × temporary-key QK.x and then encrypts the random num- represents point multiplication (i.e., addition of point P , bers gS, gUS (gUS is the same as the key, required for data d times), and d is any integer between 2 and n − 2, where freshness) and IS, tS with QK .x and finally sends this en- n is the order of the points P and Q. crypted value C0 to U. Next is the certificate verification sub-phase (Steps 6 through 19 in Figure 5). In this sub- It is believed that ECDLP is intractable. More details phase, U is not required to verify the server’s certificate as on ECC, ECDLP, and point multiplication can be found the server’s public key was obtained from CA. However, in [9, 14]. U decrypts C0, checks for the presence of gUS and validity The public-key strategy of binding a user or server’s 0 of the expiration date tS, computes eS = H(QS.x, IS ,tS) public key with its unique identity and expiration date 0 and then compares eS with the eS obtained from CA dur- eliminates the requirement for having a large online 0 ing the user initialization phase. Comparing eS with eS database. For a successful secured communication be- is necessary because eS binds a server’s public key QS tween a user and the server, it is required for each of with its identity IS and expiration date tS. The process the parties to register with CA by executing the initial- of verifying the hash value (Step 9 of Figure 5) instead of ization phase to obtain their respective certificates, iden- verifying the server’s certificates relieves the user from the tities, and expiration dates. It is to be noted that the computationally intensive point multiplications. If valid, initialization phase is executed through a secured chan- U obtains C1 by encrypting its certificate (rU , sU ), iden- nel. As such, we shall analyze the security features of our tity IU , x-coordinate of its public key QU .x, the expira- proposed protocols UAP and USAP in the mutual au- tion date tU , and the server’s random number gS with the thentication phase which in real time will be executed via temporary-key QK .x and sends C1 to S. Upon receiving an insecure channel. Unless otherwise explicitly stated, C1, S decrypts it, checks for the presence of gS and user’s the security analysis pertains to both protocols. tU S expiration date . If the check fails, aborts the pro- Theorem 1. The security of our protocols depends upon tocol; otherwise, it calculates hash value on the received the security of the temporary-key QK.x. QU .x, IU , and tU , i.e., eU = H(QU .x, IU , tU ) and verifies U’s certificate (rU , sU ) using ECDSA as shown in Steps Proof. Recall the mutual authentication phase and its 13 through 19 of Figure 5. If valid, both parties generate three sub-phases: the temporary-key generation, the cer- the unique session-key kM = H(gUS, gS, , eS, eU ) in the tificate verification, and the session-key generation in session-key generation sub-phase (Steps 20 and 21) and UAP and USAP. The temporary-key QK.x generated in International Journal of Network Security, Vol.3, No.3, PP.259–270, Nov. 2006 265

Server CA 1. Chooses dU ∈{2,n − 2} Chooses kU ∈{2,n − 2} 2. QU = dU × P RU = kU × P 3. Sends QU → Receives QU 4. Chooses a unique IU and tU 5. rU = RU .x; eU = H(QU .x, IU ,tU ) −1 6. sU = kU (H(QU .x, IU ,tU )+ dCArU ) 7. Receives QS, IU , (rU ,sU ),tU ,eS ← Sends QS, IU , (rU ,sU ),tU ,eS 8. Stores QU ,QS, IU , (rU ,sU ),tU ,eS

Figure 4: User initialization phase in USAP

the temporary-key generation sub-phase (Step 6 and 5 1) Mutual Authentication: of Figure 2 and 5, respectively) is used to encrypt the Lemma 1. Our protocols provide mutual authenti- exchanged messages C0 and C1. Note that C0 and C1 contain sensitive information including the random num- cation of the communicating parties. bers and hashed values, which will be used in deriving the Proof. The communicating parties achieve mutual unique session-key KM . If an adversary (by some means) authentication by executing a challenge-response se- were able to determine QK.x, then he / she could easily quence and it is described as follows. Here the chal- decrypt the messages C0 and C1 and calculate the cur- lenge is sending ‘QR’ and random numbers and the rent session-key KM . Hence, the security of our protocols response is to verify the presence of expected ran- depends upon the security of the temporary-key QK.x dom numbers in the encrypted messages during the Theorem 2. Finding out the temporary-key QK .x is as run of the mutual authentication phase in UAP and hard as solving the ECDLP. USAP. Given QR, it is infeasible for an adversary to compute the correct response gUS without the knowl- Proof. The following are the ways to calculate the edge of the server’s private key. Note that solving for temporary-key QK .x. a server’s private key is the problem of ECDLP. If U is able to decrypt C0 and check the presence of gUS 1) QK = gU × P = (QK .x, QK .y) (on the user’s side) (i.e., Step 9 and 8 of Figure 2 and 5, respectively) −1 −1 then U is assured that the server, S, has the knowl- 2) QK = d × QR = (d gU dS) × P = gU × P = S S edge of the private key corresponding to its public (QK .x, QK .y) (on the server’s side) key and is able to derive the correct temporary-key QK .x gUS The point QR = gU × QS is a random point as it depends , which is also the user’s random number S C1 upon the random number gU . For any adversary A to for this session. Similarly, if is able to decrypt QK .x gS calculate the temporary-key QK .x, it is required for him using and check for the presence of in Step S to derive the server’s private key dS from public key QS. 12 of Figures 2 and 5, then can be sure that only U can produce the correct response gS. Deriving dS knowing QS(dS × P ) and the base point P is the problem of ECDLP. Similarly, deriving gU know- ing QR and QS is again the problem of ECDLP. Hence, 2) Key Agreement: Once the certificates are verified, kM H gUS, gS , eS, eU calculating QK.x generated during the mutual authenti- a unique session-key = ( , ) is cation protocol is as hard as solving the ECDLP. Further, derived from the contributions of both parties in Step in USAP, because of server anonymity, an adversary does 20 of Figures 2 and 5. Thus, no single party has not have any additional information about QS. complete control on the selection of the session-key, which is the main goal of a key agreement protocol Based on the assumption that an adversary cannot ob- [28]. tain the current session-key KM without solving for QK.x, 3) Key Freshness: we analyze the security of our proposed protocols in the next two sub-sections: security services and attack resis- Lemma 2. The included random numbers guarantee tance analysis. key freshness.

0 0 6.1 Security Services Proof. Let gU , gS, and gU , gS, be the random numbers generated in two different sessions. Since 0 0 0 In this sub-section, we prove how our protocols sup- gU 6= gU , therefore QR(gU × QS) 6= QR(gU × QS) 0 port the security services like mutual authentication, key and hence the calculated temporary-keys QK.x and 0 agreement, key confirmation, anonymity, confidentiality, QK.x and gUS and gUS are different and so are the 0 0 0 k H g ,g ,eS,eU and non-repudiation. obtained session-keys M ( ( US S, )) and International Journal of Network Security, Vol.3, No.3, PP.259–270, Nov. 2006 266

Server CA 1. Generates a random number gU ∈{2,n − 2} 2. QR = gU × QS = (gU dS) × P Generates a random number gS ∈{2,n − 2} 3. Sends QR → Receives QR −1 −1 4. QK = gU × P QK = dS × QR = (dS gU dS) × P = gU × P 5. gUS = QK .x: Temporary-key gUS = QK.x: Temporary-key

6. C0 = E(QK .x, gUS ,gS, , IS ,tS) 7. Receives C0 ← Sends C0 8. D(QK .x, C0): Valid gUS,tS? 0 0 9. Calculates eS = H(QS.x, IS, tS), Is eS = eS? 10. C1 = E(QK .x, (rU , sU ), IU ,QU .x, tU , gS) 11. Sends C1 → Receives C1 12. D(QK .x, C1) : Valid gS, tU ? 13. eU = H(QU .x, IU , tU ) −1 14. c = sU 15. u1 = ceU 16. u2 = crU 17. R = u1 × P + u2 × QCA 18. v = R.x 19. if v 6= rU , then abort 20. kM = H(gUS,gS,eS,eU ): Unique session-key kM = H(gUS ,gS,eS,eU ): Unique session-key 21. Destroys gUS,gS Destroys gUS,gS

Figure 5: Mutual authentication phase in USAP

kM (H(gUS, gS, , eS, eU )), where H is a collision free encrypted messages C0 and C1 achieve confidential- hash function [22]. ity of the exchanged messages during the mutual au- thentication phase. Furthermore, the agreed unique 4) Key Confirmation: If U does not terminate the pro- session-key kM secures the rest of the further com- tocol in Step 9 and Step 8 of Figure 2 and 5, respec- munication. tively, then S knows that C0 is received correctly and it can execute the rest of the protocol. Similarly, if S 8) Non-repudiation: A user or server’s public and pri- does not terminate the protocol in Step 12 of Figures vate key pairs together with certificates can be used 2 and 5, then U knows that C1 is received correctly to achieve non-repudiation of the communication by and it can proceed to execute the rest of the proto- way of digital signature [18]. U S col. Further, if and do not return a failure after 9) Forward Secrecy on the User Side: In both proto- verifying each other’s certificates, then they confirm cols, the session-keys can be recovered from the previ- to each other that the key is generated correctly [13]. ous runs of the mutual authentication by compromis- Thus, our protocols provide key confirmation. ing the server’s private key. However, compromising 5) User Anonymity: We note that in both protocols, the user’s private key does not help in revealing the U airs C1, which is an encrypted value of his/her session-keys. Therefore, our protocols provide for- certificate, identity, hashed value and other param- ward secrecy on the user side and thereby achieving eters. Let us assume that the encryption is secure, half forward secrecy [28]. This is justified because the then it is impossible for an adversary to determine highly resourceful severs can support much stronger any user specific data without the knowledge of the security than the resource constrained user [13]. temporary-key QK.x. Thus, our protocols achieve user anonymity. 6.2 Attack Resistance Analysis 6) Server Anonymity: In USAP, based on ECDLP, it is Now we will show that USAP and UAP resist known impossible for an adversary to determine a server’s attacks such as replay, known-key share, unknown-key public key or other sensitive information such as share, man-in-the-middle, denial-of-service, and imper- hashed value and identity from random point QR = sonation attacks. gU × QS and the aired encrypted value C0. Thus, USAP achieves server anonymity. 1) Replay Attack: The random numbers gUS and gS prevent replay attacks. Suppose an adversary A cap- 7) Confidentiality: Assuming that it is hard for an ad- tures any or all of the aired messages such as QR, C0, versary to determine the temporary-key QK.x, the and C1 and masquerades these messages either with International Journal of Network Security, Vol.3, No.3, PP.259–270, Nov. 2006 267

a previous message or any arbitrary values, the enti- received along with the server’s public key QS ties return a failure as the substituted message does during the user initialization phase. not contain the correct response for a given challenge. Lemma 3. The process of verifying the hash 2) Known-key Share Attack: Each run of the protocol value (Step 9 of Figure 5) instead of verifying between the entities should produce a unique session- the server’s certificates does not pose any addi- key. From Lemma 2, it is clear that the temporary tional threat on the security of USAP. agreed key QK.x and the session-key kM between the user and server vary every time a mutual authenti- Proof. Recall that a user in USAP receives the cation phase is initiated. server’s public key and hash value during the initialization phase for CA. After the mutual 3) Unknown-key Share Attack: Suppose an adversary authentication phase is initiated, if the user is A tries to make U believe that the temporary-key is able to check the correct response for mutual au- shared with B, while B believes that the temporary- thentication, then he/ she knows that the server key is shared with A. To launch the unknown-key possesses the private key corresponding to its share attack, A should be able to identify the ex- public key (Lemma 1). However, the user ver- 0 changed parameters. However, this is not possible ifies the computed hash value eS with the re- without the knowledge of the temporary-key QK.x. ceived hash value eS. This is necessary to check Hence, he will not succeed. the binding between QS, IS , and tS. Let us now suppose that either the received IS or tS 4) Man-in-the-middle, Denial-of-service, and Imperson- 0 or both have changed, then the eS and eS are ation Attacks: Our protocols explicitly bind a user or not equal. Hence, a user returns a failure, be- server’s identity with its public key, certificate pair 0 cause eS = H(QS, IS ,tS) 6= H(QS, IS,tS) 6= and hashed value. As such the above mentioned at- 0 0 0 0 0 H(QS, IS ,tS) 6= H(QS, IS,tS), where IS ,tS are tacks are not possible as shown below. different from IS ,tS. Thus, verifying the hash a. UAP: In UAP (Step 2 of Figure 2), a user re- value instead of certificate does not pose any ceives the server’s public key along with its iden- additional threat to the security of USAP. Un- tity whose binding with the received certificate like UAP, this check is only possible in USAP is verified during the later stage of the protocol because the server’s public key was received via (Steps 12 through 19 of Figure 2). Since the a secure channel during the initialization phase user can identify with whom he/she is commu- from CA. nicating with based on the transmitted identity and whose binding with the public key is later verified, it is impossible for an adversary A to in- 7 Performance Analysis sert himself between the communicating parties. In this section, we study the performance of our proto- This is not the case with A-WAP and hence it cols in terms of computational burden (i.e., the number succumbs to the above mentioned attacks [17]. of cryptographic and arithmetic operations performed), b. USAP: Exchange of the public keys is elimi- the total number of bits and messages exchanged during nated as CA distributes the server’s public key each run in the mutual authentication phase from a user’s to all the users. Note that distributing the perspective and compare those results with recently pro- server’s public key does not impose any addi- posed AKA protocols such as A-WAP and MSR-Hybrid tional threat on the security, which in turn de- [13]. The comparison from a user’s perspective is justi- pends on solving the ECDLP. Also note that fied because the user is a low-end resource constrained the user is assured that he/she is communicat- device with limited battery power as compared to the ing with the intended party (server) by verifying highly resourceful servers. Note that a direct compari- a valid gUS in Step 8 of Figure 5. Let us suppose son between our protocols and A-WAP and MSR-Hybrid that an adversary, A, tries to establish himself cannot be made because of the added security features as was shown in [17], then, since A cannot solve that our protocols support. For example, MSR-Hybrid 0 −1 −1 the ECDLP, therefore for some dS 6= dS , A neither provides user anonymity nor encrypts certificates 0 ends up with a different temporary-key QK.x 6= and A-WAP is susceptible to attacks and fails to preserve 0 0 −1 0 −1 QK.x(QK = dS × QR = (dS gU dS ) × P = anonymity. Also note that in the MSR-hybrid and A- 0 gU ×P ). Hence, the user returns a failure in Step WAP protocols, the user and server verify each other’s 0 8 of Figure 5 because the response received gUS certificates issued by CA in the mutual authentication is not equal to the expected value gUS. phase and do not assume the availability of an on-line In USAP, the user instead of performing certifi- CA that is similar to the one in PKI infrastructure for cate verification as described in UAP (i.e., Steps verifying the certificates. 12 through 19 of Figure 2) verifies the calculated In our analysis, we assume a key length of 160-bit and 0 hash value eS with the hash value eS that was 1024-bit for ECC and Rabin [1], respec- International Journal of Network Security, Vol.3, No.3, PP.259–270, Nov. 2006 268

Table 1: Comparison of UAP and USAP with other recently proposed AKA protocols based on ECC

USAP UAP A-WAP MSR-Hybrid 1 1 1 1 Fixed point multiplication (FP) 2 4 3 3 Symmetric encryption (E) 1 1 1 1 Symmetric decryption (D) 1 1 1 1 Inverse (s−1) - 1 1 1 Multiplication (ce) - 2 2 3 Hash (H) 2 2 1 3 Small - - - 1 Message exchanges 3 4 4 6 Total bits exchanged (number) 1920 2560 2560 4448 Total execution time (msec) 280 440 410 455

tively, and the key deriving function (KDF) and MAC op- The number of bits exchanged in USAP is calcu- eration referred in [13] are the same as the hash function, lated as follows. The user transmits/receives 1920 bits H, mentioned in this paper. Table 1 tabulates a compre- whose breakup is given as: QR (320 bits), C0 = hensive list of computational and communicational over- E(QK .x, gUS,gS, , IS ,tS) (4 × 160 = 640 bits), C1 = heads along with execution times for all four AKA pro- E(QK .x, (rU ,sU ), IU ,QU .x, tU ,gS) (6 × 160 = 960 bits) tocols that are being compared in the mutual authenti- in Steps 3, 7 and 11 of Figure 5. We do not transmit the cation phase from a user’s perspective. The timings are key QK.x and thus it is not counted. Similar calculations based on the implementation of the various operations result in exchange of 2560 bits, 2560 bits and 4448 bits in listed in Table 1 on a Mitsubishis M16C microprocessor, UAP, A-WAP and MSR-Hybrid, respectively. details of which can be found in [13]. In ECC based AKA In summary, the USAP is efficient in terms of compu- protocols, the time consuming operation is point multipli- tations and the total number of bits exchanged as com- cation. There are two kinds of point multiplications: the pared to UAP, A-WAP, and MSR-Hybrid in addition to fixed-point multiplication (FP) and random-point (RP) being secure and preserving anonymity of both the user multiplication. The only difference between the two is and server. The UAP is scalable but only at the cost of that the prior knowledge of the point in an FP operation server anonymity and increased computational and com- allows for pre-computations, resulting in a lesser execu- municational overhead as compared to USAP. tion time than that is required for an RP. Examples of an FP and RP are g × P and g × QR, respectively, where the base point P is a known public parameter and the point 8 Conclusions and Future Work QR is randomly generated during the run of the protocol. The total execution time for a protocol largely depends In this paper, we have proposed two ECC based authenti- upon the number of FP and RP operations. In [13], the cation and key agreement protocols, the UAP and USAP. authors’ report average execution times for FP and RP Both are suitable for wireless applications. The proposed operations as 130 msec and 480 msec, respectively. protocols not only provide a variety of security features but also are efficient in terms of message exchanges and A user in each of the protocols listed in Table 1 is computations. Moreover, they can easily be implemented required to perform only FP operations, while the time in a majority of applications and thus are not limited to consuming RP operations are shifted to the server side. ad-hoc networks. As a part of our future work, we will The reported execution time for MSR-Hybrid protocol concentrate on achieving both server anonymity and scal- was 455 msec whose breakup is given as follows. The ability in our AKA protocols. three FP operations and a small modular exponentiation require 390 msec and 45 msec of processing time, thereby leaving room of about 20 msec for the rest of the oper- Acknowledgment ations. Considering similar conditions for executing the rest of the protocols, the calculated execution times for This work was supported by the National Science Foun- USAP, UAP and A-WAP are 280 msec (260 msec for two dation under Grant No. 0313842 and Grant No. 0542374. FP operations + 20 msec for the rest of the operations), Any opinions, findings, and conclusions or recommenda- 440 msec (420 msec for four FP operations + 20 msec for tions expressed in this material are those of the author(s) the rest of the operations), and 410 msec (390 msec for and do not necessarily reflect the views of the National three FP operations + 20 msec for the rest of the opera- Science Foundation. We thank the anonymous reviewers tions), respectively. for their valuable suggestions in improving the quality of International Journal of Network Security, Vol.3, No.3, PP.259–270, Nov. 2006 269 this paper. [13] Q. Huang, J. Cukier, H. Kobayashi, B. Liu, and J. Zhang, “Fast authenticated key establishment pro- tocols for self organizing sensor networks,” in Pro- References ceedings of the 2nd ACM International Conference on Wireless Sensor Networks and Applications, pp. [1] W. Aiello, S. M. Bellovin, M. Blaze, J. Ioannidis, O. 141-150, San Diego, California, USA, Sep. 2003. Reingold, R. Canetti, and A. D. Keromytis, “Effi- [14] IEEE P1363, Standard Specifications for Public-key cient, DoS resistant, secure key exchange for Inter- Cryptography, Draft 13, Nov. 1999. net protocols,” in Proceedings of the 9th ACM Con- [15] D. Jablon, “Strong password-only authenticated key ference on Computer and Communications Security, exchange,” Comput. Commun. Rev., ACM SIG- pp. 48-58, Nov. 2002. COMM, vol. 26, no. 5, pp. 5-26, Oct. 1996. [2] M. Aydos, E. Savas, and C. K. Koc, “Implement- [16] L. Lamport, “Password authentication with insecure ing network security protocols based on elliptic curve communication,” Communications of the ACM, vol. cryptography,” in Proceedings of the Fourth Sympo- 24, no. 11, pp. 770-772, Nov. 1981. sium on Computer Networks, pp. 130-139, Istanbul, [17] K. Mangipudi, N. Malneedi, R. Katti, and H. Fu, Turkey, May 20-21, 1999. “Attacks and solutions on Aydos-Savas-Koc’s wire- [3] M. Aydos, T. Yanik, and C. K. Koc, “High-speed im- less authentication protocol,” Symposium on security plementation of an ECC-based wireless authentica- and network management, IEEE Global Telecommu- tion protocol on an ARM microprocessor,” in IEEE nications conference, pp. 2229-2234, Dallas, Texas, Proceedings on Communications, vol. 148, no. 5, pp. Nov.-Dec. 2004. 273-279, Oct. 2001. [18] A. J. Menezes, Elliptic Curve Public Key Cryp- [4] A. Aziz and W. Diffie, “A secure communications tosystems, Boston, MA Kluwer Academic Publishers, protocol to prevent unauthorized access, privacy 1993. and authentication for wireless local area networks,” IEEE Personal Communications, vol. 1, no. 1, pp. [19] A. Perrig, R. Szewczyk, D. Tygar, V. Men, and D. 25-31, 1994. Culler, “SPINS: security protocols for sensor net- works,” Wireless Networks, vol. 8, no. 5, pp. 521-534, [5] F. Bao and R. H. Deng, “Privacy protection for 2002. transactions of digital goods,” in Proceedings of in- ternational conference on information and communi- [20] P. Rogaway, M.Bellare, and D.Boneh, Evaluation of cations security, LNCS 2229, pp. 202-215, Springer- Security Level of Cryptography, ECMQVS, SEC1, Verlag, 2001. Jan. 2001. [6] M. J. Beller, L F. Chang, and J. Yacobi, “Privacy [21] M. Sandirigama, A. Shimizu, and M. T. Noda, and authentication on a portable communications “Simple and secure password authentication protocol systems,” IEEE Journal on Selected Areas in Com- (SAS),” IEICE Transactions on Communications, munications, vol. 11, pp. 821-829, Aug. 1993. vol. E83-B, no. 6, pp. 1363-1365, 2000. [7] S. Bellovin and M. Merritt, “Encrypted Key Ex- [22] B. Schneier, Applied Cryptography: Protocols Algo- change: password-based protocols secure against dic- rithms, and Source Code in C, Publisher, John Wiley tionary attacks,” IEEE proceedings of the Symposium & Sons, New York, 1996. on Security and Privacy, pp. 72-84, May 1992. [23] K. Shim, “ of mutual authentication [8] E. Bresson, O. Chevassut, and D. Pointcheval “New and key exchange for low power wireless communi- security results on ,” 7Th cations,” IEEE Communications Letters, vol. 7, no. International Workshop on Theory and Practice in 5, pp. 248-250, May 2003. Public Key Crtptography - PKC 2004, LNCS 2947, [24] A. Shimizu, T. Horioka, and H. Inagaki, “A password pp. 145-158, Springer-Verlag. authentication method for contents communication [9] Certicom Research, Standard for Efficient Cryptog- on the Internet,” IEICE Transactions on Communi- raphy, SEC 1: Elliptic curve cryptography, version cations, vol. ESI-B, no. 8, pp. 1666-1673, Aug. 1998. 1.0, Sep. 20, 2000, Certicom Corporation, URL: [25] R. Struik and G. Rasor, “Mandatory ECC secu- http://www.secg.org/collateral/sec1.pdf. rity algorithm suite,” submissions to IEEE P802.15 [10] W. Diffie and M. E. Hellman, “New directions in Wireless Personal Area Networks, Mar. 2002. cryptography,” IEEE Transactions on Information [26] H. M. Sun, B.T. Hsieh, and S. M. Tseng, “Cryptanal- Theory, vol. 22, no. 6, pp. 644-654, Nov. 1976. ysis of Aydos et al’s ECC-based wireless authentica- [11] L. Gong, “Optimal authentication protocols resistant tion protocol,” in Proceedings of IEEE International to password guessing attacks,” in Proceedings of the Conference on e-Technology, e-Commerce, and e- 8th IEEE Computer Security Foundation Workshop, Service, pp. 565-568, Taipei, Taiwan, Mar. 2004. pp. 24-29, 1995. [27] A. Weimerskirch and D. Westhoff, “Identity certified [12] D. Harkins and D. Carrel, The Internet key exchange authentication for Ad-hoc networks,” in Proceedings (IKE), Request for Comments (Proposed Standard) of the 1st ACM Workshop on Security of Ad hoc and 2409, Internet Engineering Task Force, Nov. 1998. Sensor Networks, pp. 33-40, Fairfax, Virginia, 2003. International Journal of Network Security, Vol.3, No.3, PP.259–270, Nov. 2006 270

[28] S. B. Wilson and A. Menezes, “Authenticated Diffie- collaborated with the IBM Almaden Research Center for Hellman key agreement protocol,” in Proceedings of the development of unidirectional error correcting codes. Selected Areas of cryptography, pp. 339-361, 1998. He is currently an Associate Professor in the Department [29] D. S. Wong and A. H. Chan, “Efficient and mutu- of Electrical and Computer Engineering at North Dakota ally authenticated key exchange for low power com- State University. puting devices,” in Proceedings of 7th International Conference on Theory and Applications of Informa- Huirong Fu joined Oakland Univer- tion Security, LNCS 2248, pp. 272-289, Gold Coast, sity as an assistant professor in 2005. Australia, Dec. 2001. Previously, she has been working as [30] M. Zhang, “Analysis of the SPEKE password- an assistant professor at North Dakota authenticated key exchange protocol,” IEEE Com- State University (NDSU) for three munications Letters, vol. 8, no.1, pp. 63-65, Jan. years, and as a post-doctoral research 2004. associate at Rice University for more [31] F. Zhu, D. S. Wong, A. H. Chan, and R. Ye, “Pass- than two years. As a lead professor word authenticated key exchange based on RSA for and the principal investigator in two projects funded by imbalanced wireless networks,” in Proceedings of the NSF, Dr. Fu has been actively conducting research in 5th International Conference on Information Secu- the area of information security. Her primary research rity, LNCS 2433, pp. 150-161, 2002. interests are in information assurance and security, net- works, Internet data centers, and multimedia system and services. She has published over twenty papers in top-tier Kumar Mangipudi received his journals and refereed conferences. Aside from research, Diploma in Electrical and Electronics Dr. Fu has contributed to a substantial growth in new Engineering in 1994 from State Board course development at NDSU, especially in the increas- of Technical Education, AP, India and ingly emerging area of information assurance and secu- his AMIE (B.S) in Electrical Engineer- rity. In addition, due to her great efforts and collabora- ing from the Institution of Engineers tion with the Designated Center of Academic Excellence (India) in 2000. While pursuing his in Information Assurance Education at George Washing- AMIE, he worked on as an Instrumen- ton University, a Portable Educational Network (PEN, tation Engineer executing the design, testing, and com- a.k.a Mobile Lab) has been successfully built up. missioning of instrumentation control systems for process industry at various places in India and Dubai, UAE. In 2002 he obtained his M.S in Electrical Engineering form South Dakota School of Mines & Technology. He is cur- rently a PhD candidate in the department of Electrical and Computer Engineering at North Dakota State Uni- versity. His interests are in Network Security, Cryptogra- phy, VLSI, and Embedded Systems.

Rajendra Katti received his B. Tech degree from the Indian Institute of Technology (Bombay), India in 1983. He received his M.S. in Mechanical En- gineering from the University of Idaho in 1985, his M.S. in Electrical Engi- neering from Washington State Uni- versity in 1987, where he also earned his PhD in Electrical Engineering in 1991. Dr. Katti teaches courses related to Digital Systems and Computer Architecture. Dr. Katti has received funding from the National Science Foundation in the area of Performance Modeling of Computer Architectures and Cryptography. His interests are in Cryptographic Hardware, Finite Field arithmetic, Fault Tolerant computing and Computer Ar- chitecture. He has published over 40 journal and confer- ence papers on these topics. He was a senior design engi- neer at the Intel Corporation in 2000 and 2001 where he worked in the Design for Testability Group. He has also taught at the Wichita State University in Kansas. He has