DOCSLIB.ORG

Authenticated Diffie–Hellman Key Agreement Protocol Using a Single

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Authenticated Diffie–Hellman Key Agreement Protocol Using a Single Authenticated Diffie–Hellman key agreement protocol using a single cryptographic assumption L. Harn, W.-J. Hsin and M. Mehta Abstract: In modern communication systems, a popular way of providing authentication in an authenticated Diffie–Hellman key agreement protocol is to sign the result of a one-way hash function (such as MD5) of a Diffie–Hellman public key. The security of such a protocol is based on the weakest of all the cryptographic assumptions of the algorithms involved: Diffie–Hellman key distribution, digital signature and a one-way hash function. If a protocol can be constructed using one cryptographic assumption, it would be at least as secure as that with multiple assumptions. The authors propose three authenticated Diffie–Hellman key-agreement protocols, each of which is based on one cryptographic assumption. In particular, the first protocol is based on a discrete logarithm, the second on an elliptic curve and the third on RSA factoring. The main objective of the paper is to show that the security of a protocol should be assessed at the protocol level as a whole, rather than at the level of individual algorithms that are used to build the protocol. 1 Introduction Authenticated key agreement [Note 1] is a process of verifying the legitimacy of communicating parties and The security of a communication protocol is usually based establishing common secrets among the communicating on one or more assumptions. For example, a key agreement parties for subsequent use (such as data confidentiality and protocol is built on one or more cryptographic assumptions. integrity). Authenticated key agreement is very important A protocol with multiple independent assumptions with a for virtually all secure communication systems such as logic OR relationship (OR-related) is like a house with e-commerce, wireless, wireline and Internet applications. multiple outside doors with different security mechanisms. An authenticated key agreement protocol in general is The more doors a house has, the more ways a thief can constructed using multiple cryptographic algorithms which break into the house, and the weakest security mechanism are based on various cryptographic assumptions. of all is the easiest to overcome. Similarly, the more The most well known assumptions of public-key independent OR-related assumptions a protocol has, the cryptographic algorithms are the computational more ways an attacker can try to attack the protocol and problems of a discrete logarithm (DL) with complexity ð1=3Þ ð2=3Þ the weakest of all is the easiest to try. In other words, when Oðeððln pÞ ðlnðln pÞÞ ÞÞ [1], an elliptic curve (EC) with multiple independent OR-related assumptions are involved, ð1:098þoð1ÞÞn1=3ðln nÞ2=3Þ n the security of a protocol is typically reduced to that of the complexity Oðe Þ,inGFð2 Þ finite fields weakest one. Therefore, for two protocols A and B, where [2], and factoring (RSA) with the same complexity as a DL A is based on multiple independent OR-related crypto- [3]. On the other hand, the security of most well known graphic assumptions and B is based on one of the conventional cryptographic algorithms, such as the one-way assumptions in A, B is at least as secure as A. In this hash functions and block ciphers, is based on the complex- paper, we limit our scope to the area of authenticated key ity of analysing a simple iterated function of multiple agreement protocols and propose three authenticated rounds. These two types of cryptographic assumptions are Diffie–Hellman key agreement protocols, each based on completely different and most of them are even incompa- exactly one cryptographic assumption. Our main objective tible. is to show that when a protocol is built upon several For example, consider the most commonly used algorithms, the security of the protocol should be assessed authenticated Diffie–Hellman key-agreement protocols. In in its entirety, rather than at the level of individual particular, the popular SSL and IPSec standards provide algorithms. such an option. Since the Diffie–Hellman public-key distribution algorithm itself does not provide authentica- tion, the authentication in an authenticated Diffie–Hellman key agreement protocol is usually provided by signing a r IEE, 2005 Diffie–Hellman public key [4, 5]. Thus, it involves at least IEE Proceedings online no. 20041041 three cryptographic algorithms in building this protocol: the doi:10.1049/ip-com:20041041 Paper first received 10th March and in revised form 23rd July 2004 L. Harn and M. Mehta are with the School of Computing and Engineering, Note 1: We use the term ‘authenticated key agreement’ to describe the general University of Missouri - Kansas City, 5100 Rockhill Road, Kansas City, MO idea of key agreement with authentication. The term ‘authentication and key 64110, USA agreement’ (also known as AKA) has been used in 3GPP wireless networks to provide network access security. Our authenticated key agreement can be W.-J. Hsin is with the Information and Computer Science, Park University, applied to secure two-party communication networks. Additionally, AKA in Parkville, MO 64152, USA the 3GPP wireless domain is symmetric-key based whereas ours is public-key E-mail: [email protected] based. 404 IEE Proc.-Commun., Vol. 152, No. 4, August 2005 Authorized licensed use limited to: University of Missouri. Downloaded on February 10, 2009 at 14:39 from IEEE Xplore. Restrictions apply. Diffie–Hellman key-distribution algorithm, a digital signa- proposed protocols can also prevent the attacks often ture and a one-way hash function. This protocol involves at discussed in literature. least two independent cryptographic assumptions. For The work in the literature closest to what we are example, if the digital signature scheme, such as the digital proposing here is by Harn [16],andHarnandLin[10]. signal algorithm (DSA), is DL-based, the above protocol Harn [16] proposed various digital signature schemes (like the ones in [6, 7]) will have two cryptographic without using one-way functions to sign Diffie–Hellman assumptions: one is the DL and the other is the hash public keys. Harn and Lin [10] proposed a protocol that function; if the digital signature scheme is RSA-based, the utilises the digital signature schemes in [16], but the above protocol will have three cryptographic assumptions, proposed protocol provides only shared-key authentication namely, the DL, the RSA and the hash function. The and is restricted to a DL assumption. In this paper, we base security of the protocol would depend on the weakest our work on [16] and propose three one-assumption cryptographic assumption involved. To further elaborate on protocols that can achieve both user authentication and this example, suppose that in this protocol, Diffie–Hellman shared-key authentication. key distribution is based on a 512-bit DL and the digital signature is based on a 1024-bit RSA. According to [3], 2 User authentication versus shared key authen- RSA factoring has same complexity as a DL. Consequently, tication the 512-bit DL can be considered easier to break as compared to the 1024-bit RSA. An attacker can simply User authentication determines the legitimacy of the derive the session key by solving the DL problem from the intended parties in real time. For example, in a client-server exchanged key information and then use it to decipher the application, a service provider needs to ensure the subsequent exchanged messages between the communicat- legitimacy of a user before providing services to the user. ing parties without having to forge the signatures. Thus, in Similarly, a user needs to make sure that the service general, given M independent OR-related cryptographic provider is genuine so that the user is willing to send its assumptions, where M is a positive integer, a protocol with sensitive information (such as a credit card number) to the only one of the M assumptions is at least as secure as that service provider. with all M assumptions. Since communicating parties need a common key to In the existing literature, to our knowledge, there is no encrypt and decrypt data, shared-key authentication makes single-assumption authenticated Diffie–Hellman key-agree- sure that the shared common key is known only to the ment protocol [8]. The IEEE has standardised the intended parties. authenticated key-distribution protocols in the P1363 In a key-agreement protocol without user authentication, standards [9]. Here, following the classification by the IEEE an attacker can misrepresent the identity of an innocent P1363 standards, we propose three authenticated Diffie– party, leading to attacks such as replay, resource exhaustion Hellman key-agreement protocols, each based on one and unknown key-share. In the following, we discuss each cryptographic assumption. of these attacks. In modern communication protocols, there are two types First, for the replay attack, consider the current Internet of authentication, namely, user authentication and shared- environment, where authentication is based on a trusted key authentication. User authentication is to authenticate a third party certificate authority (CA). As a certificate is communicating user in real time. Shared-key authentication public information, an attacker can get hold of an innocent ensures that a shared key is known only to the legitimate user’s public certificate, and along with previously recorded users. A key-agreement protocol without either user exchanged information between innocent parties, the authentication or shared-key authentication is not secure, attacker can impersonate the innocent user, resulting in a leading to many kinds of attacks. Therefore we need both replay attack. Thus, in a protocol without user authentica- user authentication and shared-key authentication. In tion, even with the use of a certificate, impersonation is particular, we need to efficiently and securely integrate possible. both user authentication and shared-key authentication into Secondly, for the resource-exhaustion attack, consider authenticated key-agreement protocols.
Load more

Recommended publications
  • Jeffrey Hoffstein Jill Pipher Joseph H. Silverman
    Undergraduate Texts in Mathematics Je rey Ho stein Jill Pipher Joseph H. Silverman An Introduction to Mathematical Cryptography Second Edition Undergraduate Texts in Mathematics Undergraduate Texts in Mathematics Series Editors: Sheldon Axler San Francisco State University, San Francisco, CA, USA Kenneth Ribet University of California, Berkeley, CA, USA Advisory Board: Colin Adams, Williams College, Williamstown, MA, USA Alejandro Adem, University of British Columbia, Vancouver, BC, Canada Ruth Charney, Brandeis University, Waltham, MA, USA Irene M. Gamba, The University of Texas at Austin, Austin, TX, USA Roger E. Howe, Yale University, New Haven, CT, USA David Jerison, Massachusetts Institute of Technology, Cambridge, MA, USA Jeffrey C. Lagarias, University of Michigan, Ann Arbor, MI, USA Jill Pipher, Brown University, Providence, RI, USA Fadil Santosa, University of Minnesota, Minneapolis, MN, USA Amie Wilkinson, University of Chicago, Chicago, IL, USA Undergraduate Texts in Mathematics are generally aimed at third- and fourth- year undergraduate mathematics students at North American universities. These texts strive to provide students and teachers with new perspectives and novel approaches. The books include motivation that guides the reader to an appreciation of interre- lations among different aspects of the subject. They feature examples that illustrate key concepts as well as exercises that strengthen understanding. More information about this series at http://www.springer.com/series/666 Jeffrey Hoffstein • Jill Pipher Joseph
    [Show full text]
  • Security + Encryption Standards
    Security + Encryption Standards Author: Joseph Lee Email: joseph@ ripplesoftware.ca Mobile: 778-725-3206 General Concepts Forward secrecy / perfect forward secrecy • Using a key exchange to provide a new key for each session provides improved forward secrecy because if keys are found out by an attacker, past data cannot be compromised with the keys Confusion • Cipher-text is significantly different than the original plaintext data • The property of confusion hides the relationship between the cipher-text and the key Diffusion • Is the principle that small changes in message plaintext results in large changes in the cipher-text • The idea of diffusion is to hide the relationship between the cipher-text and the plaintext Secret-algorithm • A proprietary algorithm that is not publicly disclosed • This is discouraged because it cannot be reviewed Weak / depreciated algorithms • An algorithm that can be easily "cracked" or defeated by an attacker High-resiliency • Refers to the strength of the encryption key if an attacker discovers part of the key Data-in-transit • Data sent over a network Data-at-rest • Data stored on a medium Data-in-use • Data being used by an application / computer system Out-of-band KEX • Using a medium / channel for key-exchange other than the medium the data transfer is taking place (phone, email, snail mail) In-band KEX • Using the same medium / channel for key-exchange that the data transfer is taking place Integrity • Ability to determine the message has not been altered • Hashing algorithms manage Authenticity
    [Show full text]
  • 11 Digital Signatures
    This is a Chapter from the Handbook of Applied Cryptography, by A. Menezes, P. van Oorschot, and S. Vanstone, CRC Press, 1996. For further information, see www.cacr.math.uwaterloo.ca/hac CRC Press has granted the following specific permissions for the electronic version of this book: Permission is granted to retrieve, print and store a single copy of this chapter for personal use. This permission does not extend to binding multiple chapters of the book, photocopying or producing copies for other than personal use of the person creating the copy, or making electronic copies available for retrieval by others without prior permission in writing from CRC Press. Except where over-ridden by the specific permission above, the standard copyright notice from CRC Press applies to this electronic version: Neither this book nor any part may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, microfilming, and recording, or by any information storage or retrieval system, without prior permission in writing from the publisher. The consent of CRC Press does not extend to copying for general distribution, for promotion, for creating new works, or for resale. Specific permission must be obtained in writing from CRC Press for such copying. c 1997 by CRC Press, Inc. Chapter 11 Digital Signatures Contents in Brief 11.1 Introduction :::::::::::::::::::::::::::::425 11.2 A framework for digital signature mechanisms ::::::::::426 11.3 RSA and related signature schemes :::::::::::::::::433 11.4 Fiat-Shamir signature schemes :::::::::::::::::::447 11.5 The DSA and related signature schemes ::::::::::::::451 11.6 One-time digital signatures :::::::::::::::::::::462 11.7 Other signature schemes ::::::::::::::::::::::471 11.8 Signatures with additional functionality ::::::::::::::474 11.9 Notes and further references ::::::::::::::::::::481 11.1 Introduction This chapter considers techniques designed to provide the digital counterpart to a handwrit- ten signature.
    [Show full text]
  • X.509V3 Certificates for SSH Authentication
    X.509v3 Certificates for SSH Authentication The X.509v3 Certificates for SSH Authentication feature uses public key algorithm (PKI) for server and user authentication, and allows the Secure Shell (SSH) protocol to verify the identity of the owner of a key pair via digital certificates, signed and issued by a Certificate Authority (CA). This module describes how to configure server and user certificate profiles for a digital certificate. • Prerequisites for X.509v3 Certificates for SSH Authentication, on page 1 • Restrictions for X.509v3 Certificates for SSH Authentication, on page 1 • Information About X.509v3 Certificates for SSH Authentication, on page 2 • How to Configure X.509v3 Certificates for SSH Authentication, on page 3 • Verifying the Server and User Authentication Using Digital Certificates , on page 6 • Configuration Examples for X.509v3 Certificates for SSH Authentication, on page 6 • Additional References for X.509v3 Certificates for SSH Authentication, on page 7 • Feature Information for X.509v3 Certificates for SSH Authentication, on page 8 Prerequisites for X.509v3 Certificates for SSH Authentication The X.509v3 Certificates for SSH Authentication feature replaces the ip ssh server authenticate user command with the ip ssh server algorithm authentication command. Configure the default ip ssh server authenticate user command to remove the ip ssh server authenticate user command from the configuration. The IOS secure shell (SSH) server will start using the ip ssh server algorithm authentication command. When you configure the ip ssh server authenticate user command, the following message is displayed: Warning SSH command accepted; but this CLI will be deprecated soon. Please move to new CLI ip ssh server algorithm authentication.
    [Show full text]
  • An Overview of Public Key Infrastructure
    AN OVERVIEW OF PUBLIC KEY INFRASTRUCTURE A Thesis Presented to the Faculty of San Diego State University In Partial Fulfillment of the Requirements for the Degree Master of Science in Applied Mathematics with a Concentration in Mathematical Theory of Communication Systems by Pavan Kandepet Fall 2013 iii Copyright c 2013 by Purushothaman Pavan Kandepet iv DEDICATION I would like to dedicate this thesis to my chair Dr. Carmelo Interlando for helping me extensively through the course of my study at San Diego State University. His valuable advice, insight and knowledge have helped me tremendously. I thank him for all the help he has provided. v ABSTRACT OF THE THESIS An Overview of Public Key Infrastructure by Pavan Kandepet Master of Science in Applied Mathematics with a Concentration in Mathematical Theory of Communication Systems San Diego State University, 2013 Security for electronic commerce has become increasingly demanding in recent years owing to its widespread adoption across geographically distributed systems. Public Key Infrastructure (PKI) is a relatively new technology with foundations in mathematics and which provides the necessary security features for digital commerce. The main goal of this work is to provide an introduction to PKI and how it can be used across geographically distributed systems. We start with an introduction to electronic commerce security and discuss its security concerns. This is followed by an introduction to cryptography, which sets the stage for the main chapter on PKI which introduces several components of this system in detail and its expectations. Next, certificates and certificate management, which are key components of electronic security, are discussed.
    [Show full text]
  • On Robust Key Agreement Based on Public Key Authentication Feng Hao Thales E-Security, Cambridge, UK [email protected]
    1 On Robust Key Agreement Based on Public Key Authentication Feng Hao Thales E-Security, Cambridge, UK [email protected] Abstract—This paper discusses public-key authenticated key Elliptic Curve Cryptography (ECC) [10]. Using ECC essen- agreement protocols. First, we critically analyze several authen- tially replaces the underlying (multiplicative) cyclic group ticated key agreement protocols and uncover various theoretical with another (additive) cyclic group defined over some elliptic and practical flaws. In particular, we present two new attacks on the HMQV protocol, which is currently being standardized curve. The essence of the protocol remains unchanged. by IEEE P1363. The first attack presents a counterexample to The acute problem with the Diffie-Hellman key agreement invalidate the basic authentication in HMQV. The second attack is that it is unauthenticated [2]. While secure against passive is applicable to almost all past schemes, despite that many of attackers, the protocol is inherently vulnerable to active attacks them have formal security proofs. These attacks highlight the such as the man-in-the-middle attack [6]. This is a serious lim- difficulty to design a crypto protocol correctly and suggest the caution one should always take. itation, which for many years has been motivating researchers We further point out that many of the design errors are caused to find a solution [3]–[5], [7], [9], [11], [13], [20]. by sidestepping an important engineering principle, namely To add authentication, we must start with assuming some “Do not assume that a message you receive has a particular shared secret. In general, there are two approaches.
    [Show full text]
  • Towards Certficateless Public Key Infrastructure: a Practical Alternative of the Traditional Pki
    Journal of Theoretical and Applied Information Technology 15th January 2020. Vol.98. No 01 © 2005 – ongoing JATIT & LLS ISSN: 1992-8645 www.jatit.org E-ISSN: 1817-3195 TOWARDS CERTFICATELESS PUBLIC KEY INFRASTRUCTURE: A PRACTICAL ALTERNATIVE OF THE TRADITIONAL PKI 1EIHAB B.M. BASHIER, 2MOHAMMED A. HASSOUNA, 3TAOUFIK BEN JABEUR 1,3Dept of Mathematics, CAAS, Dhofar University, P.O. Box: 2509, Salalah, Oman 2Faculty of Computer Studies, National Ribat University, P.O. Box: 55, Khartoum, Sudan E-mail: [email protected], [email protected], [email protected] ABSTRACT Although the maturity and efficiency of the traditional PKI in managing the public keys of the enterprise users, it still has two central and interrelated challenges or limitations when the number of users get large: Scalability and Key management. These two challenges are of great concern to the organization's information security officials, who are working to manage public key infrastructure, especially when the organization's growth rate becomes large. The most two significant alternatives for the traditional PKI are: Identity-based Cryptography and Certificateless Cryptography. The Identity-based Cryptography (IBC) provides an easy way to manage the public keys of its users, without need to any kind of certificate and its managing overhead, where the identity of a user is its public key. The private key is provided by a trusted Key Generation Centre (KGC) after an authentication process that the user must follow. IBC has many security features, and there are many schemes in the literature that are based on this new concept. It has one major problem: The Key escrow, where all the private keys of the users are generated centrally by the KGC.
    [Show full text]
  • Fault Analysis of the Ntrusign Digital Signature Scheme
    Cryptogr. Commun. (2012) 4:131–144 DOI 10.1007/s12095-011-0061-3 Fault analysis of the NTRUSign digital signature scheme Abdel Alim Kamal · Amr M. Youssef Received: 11 December 2010 / Accepted: 14 December 2011 / Published online: 6 January 2012 © Springer Science+Business Media, LLC 2012 Abstract We present a fault analysis of the NTRUSign digital signature scheme. The utilized fault model is the one in which the attacker is assumed to be able to fault a small number of coefficients in a specific polynomial during the signing process but cannot control the exact location of the injected transient faults. For NTRUsign with parameters (N, q = pl, B, standard, N ), when the attacker is able to skip the norm-bound signature checking step, our attack needs one fault, ≈ − 1 (( )t) succeeds with probability 1 p and requires O qN steps when the number of faulted polynomial coefficients is upper bounded by t. The attack is also applicable to NTRUSign utilizing the transpose NTRU lattice but it requires double the number of fault injections. Different countermeasures against the proposed attack are investigated. Keywords Side channel attacks · Lattice-based public key cryptosystems · Fault analysis and countermeasures · Digital signature schemes · NTRU Mathematics Subject Classification (2010) 94A60 1 Introduction NTRUSign [1–4] is a parameterized family of lattice-based public key digital signa- ture schemes that is currently under consideration for standardization by the IEEE P1363 working group. It was proposed after the original NTRU signature scheme (NSS) [5] was broken [6, 7]. Similar to the GGH cryptosystem [8], the security of A. A.
    [Show full text]
  • Chapter 1- Introduction
    Authenticated Trusted Server Controlled Key Establishment Astha Keshariya A thesis submitted for degree of Doctor of Philosophy At the University of Otago, Dunedin New Zealand Date: 31st Dec 2010 This page is left blank. ii Keywords Three Party Authenticated Key Establishment, Trusted-server based Key Establishment Protocols, Authentication, Computer Security, Communications Security, Cryptography, Distributed Denial of Service resilience, Key Agreement Protocols, Key Establishment Protocols, Key Transport Protocols, Asymmetric Key Encryption, RSA based Authentication, Certificate based Authentication, Non-repudiation, Key escrow, Secure Mobile environment, Mobile Payments Systems, Provably Secure Protocols, 3-D Secure Protocol, Securing Mobile Communications, Secure Electronic Transactions, Properties of Key Establishment, Securing Real-time Wireless communications. iii Abstract The trusted server based key establishment protocols are well received by the research community. In this thesis we have discussed the benefits of asymmetric key based authentication scheme mediated by a trusted server which is known to all the users in a system. We have proposed a new trusted server based key establishment protocol (and named it AK-protocol) that makes use of well known certificate based authentication scheme (or ID based scheme when medium level of security is required), and the session key generation requires equal contribution of the trusted server and the participating clients. That is, the generation of ephemeral keys exclusively lies with
    [Show full text]
  • Subliminal Channels in High-Speed Signatures
    Die approbierte Originalversion dieser Diplom-/ Masterarbeit ist in der Hauptbibliothek der Tech- nischen Universität Wien aufgestellt und zugänglich. http://www.ub.tuwien.ac.at institute of telecommunications The approved original version of this diploma or master thesis is available at the main library of the Vienna University of Technology. http://www.ub.tuwien.ac.at/eng Subliminal Channels in High-Speed Signatures Master’s Thesis for obtaining the academic degree Diplom-Ingenieur as part of the study Electrical Engineering and Information Technology carried out by Alexander Hartl student number: 01125115 Institute of Telecommunications at TU Wien Supervision: Univ. Prof. Dipl.-Ing. Dr.-Ing. Tanja Zseby Dipl.-Ing. Robert Annessi, B.Sc Acknowledgments I want to express my gratitude for everyone who assisted or encouraged me in various ways during my studies. In particular, I would like to thank Prof. Tanja Zseby and Dipl.-Ing. Robert Annessi for giving me the opportunity to write this thesis, for supporting me actively while I was working on it and for many valuable comments and suggestions. I owe special thanks to my family, especially my parents Edith and Rudolf, for their endless support during all these years. Thank you, Sabrina, for encouraging me and for so many cheerful hours in my life. Abstract One of the fundamental building blocks for achieving security in data networks is the use of digital signatures. A digital signature is a bit string which allows the receiver of a message to ensure that the message indeed originated from the apparent sender and has not been altered along the path.
    [Show full text]
  • Public-Key Cryptography
    Public-key Cryptogra; Theory and Practice ABHIJIT DAS Department of Computer Science and Engineering Indian Institute of Technology Kharagpur C. E. VENIMADHAVAN Department of Computer Science and Automation Indian Institute ofScience, Bangalore PEARSON Chennai • Delhi • Chandigarh Upper Saddle River • Boston • London Sydney • Singapore • Hong Kong • Toronto • Tokyo Contents Preface xiii Notations xv 1 Overview 1 1.1 Introduction 2 1.2 Common Cryptographic Primitives 2 1.2.1 The Classical Problem: Secure Transmission of Messages 2 Symmetric-key or secret-key cryptography 4 Asymmetric-key or public-key cryptography 4 1.2.2 Key Exchange 5 1.2.3 Digital Signatures 5 1.2.4 Entity Authentication 6 1.2.5 Secret Sharing 8 1.2.6 Hashing 8 1.2.7 Certification 9 1.3 Public-key Cryptography 9 1.3.1 The Mathematical Problems 9 1.3.2 Realization of Key Pairs 10 1.3.3 Public-key Cryptanalysis 11 1.4 Some Cryptographic Terms 11 1.4.1 Models of Attacks 12 1.4.2 Models of Passive Attacks 12 1.4.3 Public Versus Private Algorithms 13 2 Mathematical Concepts 15 2.1 Introduction 16 2.2 Sets, Relations and Functions 16 2.2.1 Set Operations 17 2.2.2 Relations 17 2.2.3 Functions 18 2.2.4 The Axioms of Mathematics 19 Exercise Set 2.2 20 2.3 Groups 21 2.3.1 Definition and Basic Properties . 21 2.3.2 Subgroups, Cosets and Quotient Groups 23 2.3.3 Homomorphisms 25 2.3.4 Generators and Orders 26 2.3.5 Sylow's Theorem 27 Exercise Set 2.3 29 2.4 Rings 31 2.4.1 Definition and Basic Properties 31 2.4.2 Subrings, Ideals and Quotient Rings 34 2.4.3 Homomorphisms 37 2.4.4
    [Show full text]
  • Lynx: Authenticated Anonymous Real-Time Reporting of Electric Vehicle Information
    2015 IEEE International Conference on Smart Grid Communications (SmartGridComm): Cyber Security and Privacy Lynx: Authenticated Anonymous Real-Time Reporting of Electric Vehicle Information Hongyang Li Gy¨orgy D´an Klara Nahrstedt University of Illinois Urbana-Champaign KTH Royal Institute of Technology University of Illinois Urbana-Champaign [email protected] [email protected] [email protected] Abstract—With the proliferation of electric vehicles (EVs), EV ture authentication. However, digital signature is computation- battery charging will be a significant load on the power grid, and ally expensive [7] and identity-revealing. Several works [8], [9] thus it will have to be optimized. Many proposed optimizations improve authentication efficiency by using symmetric keys, but rely on predicted EV information, such as future trip start time and battery State-of-Charge (SoC), for load management, charg- do not provide anonymity protection. Portunes [10] uses utility- ing scheduling, V2G profit optimization, etc. Prediction in turn issued pseudonyms to protect the EV’s privacy from third-party would benefit from real-time information about the EVs, while entities, but the utility knows the mapping between pseudonym they are on the road, i.e., before arriving at the charging facility. and EV’s true identity. Token-based approaches [11], [12] let A real-time reporting framework is thus necessary so that EVs the EV authenticate itself by revealing an authentication token can report status information to the utility in a timely fashion. In this paper we present Lynx, an authenticated anonymous real- to the utility, but the token revealing process is computationally time reporting protocol. Lynx allows an EV to send anonymous intensive and is not efficient for real-time reporting (e.g., in reports using pseudonyms that are unlinkable to its true identity.
    [Show full text]