Improvement of Hwang-Lo-Lin scheme based on an ID-based
cryptosystem
No author given
(Korea Information Security Agency)
Presented by J. Liu
Outline
• Introduction
• Review of the Hwang-Lo-Lin scheme
• Cryptanalysis
• The modified ID-based identification scheme
• Security analysis
• Performance analysis
• Conclusions
Introduction
• ID-based public key cryptosystem.
• Lineage: Maurer-Yacobi (1996) → Tseng-Jan (1998) → Hwang-Lo-Lin (2004) → Horng-Liu-Liu (2005) → this Letter (2005).
• Hwang et al. developed an improved scheme intended to be suitable for the wireless environment.
Review of the Hwang-Lo-Lin scheme
• The TA sets up the system parameters as follows:
1. N = p1·p2·p3·p4, where the pi are primes of 60 to 70 decimal digits such that the (pi − 1)/2 are odd and pairwise relatively prime.
2. The DLP in each GF(pi) is feasible (for the TA), but factoring N is infeasible.
3. g is a primitive root in each GF(pi).
4. h(·) is a one-way hash function.
5. e·d ≡ 1 (mod φ(N)) and t·v ≡ 1 (mod φ(N)).
6. IDb, IDm: identities of the base station (BS) and the mobile device (M), respectively.
7. sb = e·t·log_g(IDb^2) mod φ(N) is the secret key of BS.
8. sm = e·t·log_g(IDm^2) mod φ(N) is the secret key of M.
9. T: timestamp.
{N, g, e, h(·)} are public parameters; {p1, p2, p3, p4, t, v, d} are kept secret.
Login and authentication
1. M chooses k ∈_R Z_N^* and computes Y = (IDm^2)^k mod N and Z = (IDb^2)^(k·sm·T) mod N.
2. M sends {IDm, Y, Z, T} to BS.
3. BS computes Z' = Y^(sb·T) mod N and checks Z = Z'.
   If yes, BS accepts M; otherwise it rejects the login.
Key points
1. From $s_b = e\,t\,\log_g(ID_b^2) \bmod \varphi(N)$ and $ed \equiv tv \equiv 1 \pmod{\varphi(N)}$ it follows that $ID_b^2 = g^{s_b d v} \bmod N$; likewise $s_m = e\,t\,\log_g(ID_m^2) \bmod \varphi(N)$ gives $ID_m^2 = g^{s_m d v} \bmod N$.
2. $Z = (ID_b^2)^{k s_m T} = (g^{s_b d v})^{k s_m T} = (g^{s_m d v})^{k s_b T} = (ID_m^2)^{k s_b T} = Y^{s_b T} = Z' \pmod N$.
Cryptanalysis
• An attacker forges {IDm, Y1, Z1, T'} from a captured valid login message {IDm, Y, Z, T} by choosing any r and a fresh timestamp T', and setting Y1 = Y^(r·T) mod N and Z1 = Z^(r·T') mod N.
• BS accepts, because
$Y_1^{s_b T'} = (Y^{rT})^{s_b T'} = Y^{r T s_b T'} \pmod N$ and
$Z_1 = Z^{rT'} = (Y^{s_b T})^{rT'} = Y^{s_b T r T'} \pmod N$,
so $Z_1 = Y_1^{s_b T'} \pmod N$ without the attacker knowing $s_m$ or $s_b$.
The modified ID-based identification scheme
• The parameters are the same as in Hwang's scheme, except that each of the four primes has more than 1024 bits. (Is the DLP in GF(pi) then still feasible for the TA? That is about 300 decimal digits.)
1. M sends {IDm, Z, T} to BS, where Z = H((IDb^2)^(sm·T) mod N).
2. BS verifies Z = H((IDm^2)^(sb·T) mod N).
This works because $(ID_b^2)^{s_m} = (g^{s_b d v})^{s_m} = (g^{s_m d v})^{s_b} = (ID_m^2)^{s_b} \pmod N$.
Security analysis
1. Passive replay attack: replaying a captured message with a changed timestamp T' is rejected, since H((IDm^2)^(sb·T) mod N) ≠ H((IDm^2)^(sb·T') mod N).
2. Active replay attack: the attacker cannot produce a valid Z for a new T without sm or sb; the exponent-scaling trick used against Hwang-Lo-Lin no longer applies, because Z is now a hash value rather than a group element.
3. ID-stolen attack: the same argument as in 2 (knowing IDm without sm gives the attacker nothing).
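To make the review, the cryptanalysis and the modified scheme concrete, here is an added Python model; it is not code from the paper or the slides. The four primes are tiny (instead of 60 to 70 decimal digits) so the TA's per-prime discrete logs can be brute-forced, SHA-256 stands in for the unspecified hash H, and the values e = 7, t = 13, the identities and the timestamps are constructed for the example. Function and variable names are this example's own.

```python
"""Toy model of the Hwang-Lo-Lin (HLL) scheme, the timestamp forgery from
the cryptanalysis slide, and the hashed scheme of the Letter.  Added
example, not the paper's code.  Primes are tiny so the TA's discrete logs
can be brute-forced; identities, e, t and timestamps are constructed."""
import hashlib
from math import gcd, prod

# Constructed toy system: (p_i - 1)/2 = 3, 5, 11, 23 are odd and pairwise coprime.
PRIMES = (7, 11, 23, 47)
N = prod(PRIMES)                        # 83237
PHI = prod(p - 1 for p in PRIMES)       # phi(N) = 60720
HALF = [(p - 1) // 2 for p in PRIMES]   # pairwise coprime moduli the TA combines


def is_primitive_root(g, p):
    """True iff g generates GF(p)^*, i.e. no power below p - 1 equals 1."""
    return g % p != 0 and all(pow(g, k, p) != 1 for k in range(1, p - 1))


# g must be a primitive root in every GF(p_i); such a g exists by the CRT.
G = next(g for g in range(2, N) if all(is_primitive_root(g, p) for p in PRIMES))

# TA trapdoor: e*d = 1 and t*v = 1 (mod phi(N)); e is public, d, t, v are secret.
E, T_SECRET = 7, 13
assert gcd(E, PHI) == 1 and gcd(T_SECRET, PHI) == 1
D, V = pow(E, -1, PHI), pow(T_SECRET, -1, PHI)


def log_g_mod_N(x):
    """TA-only: log_g(x) mod lambda(N) for a quadratic residue x.
    Each per-prime log is brute-forced (feasible for the TA by design).
    Squaring the ID makes every per-prime log even, so the halves can be
    combined by CRT over the pairwise coprime moduli (p_i - 1)/2."""
    halves = []
    for p, h in zip(PRIMES, HALF):
        l = next(k for k in range(p - 1) if pow(G, k, p) == x % p)
        assert l % 2 == 0                # x is a square, so its log is even
        halves.append((l // 2) % h)
    m = prod(HALF)                       # lambda(N) / 2
    l_half = sum(r * (m // h) * pow(m // h, -1, h) for r, h in zip(halves, HALF)) % m
    return 2 * l_half


def extract_key(identity):
    """s = e*t*log_g(ID^2) mod phi(N); only the TA can compute this."""
    assert gcd(identity, N) == 1
    return (E * T_SECRET * log_g_mod_N(pow(identity, 2, N))) % PHI


ID_B, ID_M = 54321, 12345               # constructed identities of BS and M
S_B, S_M = extract_key(ID_B), extract_key(ID_M)


def hll_login(k, T):
    """Mobile side of HLL: Y = (ID_m^2)^k, Z = (ID_b^2)^(k s_m T) mod N."""
    return pow(pow(ID_M, 2, N), k, N), pow(pow(ID_B, 2, N), k * S_M * T, N)


def hll_verify(Y, Z, T):
    """Base station: accept iff Z == Y^(s_b T) mod N."""
    return Z == pow(Y, S_B * T, N)


def hll_forge(Y, Z, T, T_new, r):
    """Forgery from the Letter: Y1 = Y^(rT), Z1 = Z^(rT') pass for a fresh T'."""
    return pow(Y, r * T, N), pow(Z, r * T_new, N)


def H(x):
    """Stand-in for the one-way hash H of the modified scheme."""
    return hashlib.sha256(str(x).encode()).hexdigest()


def modified_login(T):
    """Modified scheme: Z = H((ID_b^2)^(s_m T) mod N); no random k, no Y."""
    return H(pow(pow(ID_B, 2, N), S_M * T, N))


def modified_verify(Z, T):
    """Base station: accept iff Z == H((ID_m^2)^(s_b T) mod N)."""
    return Z == H(pow(pow(ID_M, 2, N), S_B * T, N))


def demo():
    """Returns (honest HLL accepted, forged HLL accepted,
    honest modified accepted, replayed modified with new T accepted)."""
    T, T_new = 20050301, 20050302
    Y, Z = hll_login(k=9001, T=T)
    Y1, Z1 = hll_forge(Y, Z, T, T_new, r=17)
    Z_mod = modified_login(T)
    return (hll_verify(Y, Z, T), hll_verify(Y1, Z1, T_new),
            modified_verify(Z_mod, T), modified_verify(Z_mod, T_new))


if __name__ == "__main__":
    print(demo())   # (True, True, True, False)
```

The second value of `demo()` is the flaw: the forged pair is accepted for a timestamp the mobile device never used. Against the hashed scheme the attacker only holds a digest, so the exponent-scaling step has nothing to act on, and re-sending the digest with a new timestamp is rejected. The CRT step in `log_g_mod_N` is also the reason the scheme squares the identity and requires the (pi − 1)/2 to be pairwise coprime.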
Performance analysis
• No random number generator is needed on the mobile device (the hash function replaces the random k).
• Shorter login message (about half: Y is no longer sent).
• Fewer modular exponentiations for the mobile device (2 → 1).
• Hence more suitable for the wireless environment.
Conclusion
• The modified scheme is secure against the forgery shown above.
• It is more suitable for the wireless environment.