A Provably Secure Scheme for Remote User Authentication

Fuw-Yi Yang 1, Su-Hui Chiu 2
1 Department of Computer Science and Information Engineering, Chaoyang University of Technology, Taichung County 41349, Taiwan, yangfy@cyut.edu.tw
2 Office of Accounting, Chaoyang University of Technology, Taichung County 41349, Taiwan, uhui@cyut.edu.tw

Abstract

This paper proposes a one-way user authentication scheme. The proposed scheme has several advantages over previous schemes: 1. This scheme is provably secure. 2. It satisfies the forward secrecy property. 3. It is secure even under the collusion of users.

1. INTRODUCTION

A one-way user authentication scheme enables an access server (receiver, system) to distinguish between intruders and legitimate users. By holding a password table, the work in [1] proposed a remote password authentication scheme with insecure communication. The password table contains the accounts and passwords of users that have registered in the system. As a user enters the system, he must key in the correct account number and password. An authentication scheme that uses a password table may not be suitable for non-repudiation applications, since both the system and user know the password stored in the password table. The stored password may also be stolen by an intruder.

The problems associated with maintaining a password table can be solved using a smart card to store the user's secret data. The system stores each registered user's authentication data in the smart card. The user is authenticated by inspecting the data issued from the smart card. Thus, there is no password table on the server side and the smart card solves the above mentioned problems.

1.1 Related work

This subsection surveys some authentication schemes that use recently developed smart cards. The security weaknesses in these systems are discussed. The scheme in [2] authenticates users based on the Chinese remainder theorem. The system generates authentication data (passwords, algorithms, and other necessary parameters) and stores these data in a smart card. This system can therefore authenticate users without using a password table.
Subsequent to the scheme presented in [2], many similar authentication schemes were developed. The scheme in [3] authenticates remote users by applying simple geometric properties on the Euclidean plane. The central authority assigns a unique line to each registered user. A smart card is issued to the user in a secure way. This card contains some useful information including two distinct points on the line. The line is designed such that the user can calculate the third point on the line using his password. With three distinct points on the line, the user is able to reconstruct the line whenever he wants to login to the server. The ability to reconstruct the predetermined line shows that he is a genuine user. Another scheme also uses the geometric property proposed in [4]. A user is authenticated based on the n-dimensional circle property.

Some schemes take advantage of public key cryptography to authenticate users. The schemes presented in [5-6] authenticate users based on the famous ElGamal public key cryptosystem [7]. The scheme in [8] further extended the scheme in [5] to provide the forward secrecy property, which means that the user passwords are secure even if the system secret key is compromised. Using only collision-resistant hash functions, the schemes in [9-10] are additional authentication methods. Since these two schemes do not require modular exponential operations, they are more efficient than schemes based on the public key cryptosystem.

However, the authentication schemes surveyed above are not provably secure. These schemes lack formalized security treatment. Therefore, the weaknesses of some schemes are uncovered soon after these schemes are proposed. The work in [11] proposes an impersonation attack on the scheme in [2]. The scheme in [12] demonstrates a method to reconstruct the line shared with the system, and thus launches a replay attack on the scheme in [3]. Similarly, by reconstructing the preset circle, the scheme in [13] presents an impersonation attack on the scheme in [4].
The schemes in [6], [8], and [14-16] apply a simple algebraic property to mount the homomorphism attack on the scheme in [5]. Similarly, the scheme in [6] is vulnerable to the same attack illustrated for the scheme in [8] and [16]. The scheme in [17] proposes a guessing attack for the scheme in [9] and a parallel session attack on the scheme in [10].

Despite these security weaknesses, the users in schemes [2], [5-6], and [8] have no freedom to choose their passwords. The central authority assigns passwords. Having no right to choose a password could be inappropriate in some circumstances, e.g., non-repudiation applications.

1.2 Contributions

The proposed scheme enables users to choose their private key on their own volition and keep it secret. Guaranteeing security, a formal proof is given to verify that the proposed scheme is secure against adaptively chosen message attacks [18]. In this attack model, it is assumed that the adversary has access to a login oracle, which generates login messages (login requests). The adversary is allowed to collect login messages by asking the login oracle as he wishes, except for the message that the adversary is forging. This level of security is sufficient to prevent the system from being attacked by the collusion of smart card holders.

The smart card requires only one modular exponentiation for off-line computation. The on-line computation involves one modular multiplication and one hash operation. The cost is quite efficient compared with the schemes in [5-6] and [8]. These schemes require two off-line modular exponentiations and one on-line modular exponentiation to issue a login request.

1.3 Organization

Section 2 describes the notations and details of the proposed scheme. Section 3 discusses the communicational bandwidth and computational complexity. Section 4 proves that the proposed scheme is secure under the adaptively chosen message attack model. Section 5 concludes the paper.

2. THE PROPOSED SCHEME

Assume that p is a large prime such that (p - 1) is divisible by another large prime q. g is an element of order q in the multiplicative group of integers modulo p, i.e., $g \in Z_p^*$. G denotes the subgroup generated by g. h(.) is a collision freeness hash function that maps arbitrary bit strings to the multiplicative group of integers modulo q, i.e., $h(.): \{0, 1\}^* \to Z_q^*$. $a \| b$ denotes the concatenation of strings a and b.
The symbol $a \in_R G$ denotes that a is randomly selected from the set G. $|a|$ denotes the bit length of a.

The proposed scheme consists of three entities: a Central Authority (CA), access servers, and users. For each authorized user, the CA stores some pieces of secret data in a smart card and sends the smart card to the user through a secure channel. The smart card may contain the user identity, the certificate issued from the CA, expiration date, user secret key, and other useful information. Whenever a user wants to login to the access server, he inserts his smart card into an input device. The smart card will construct a login message and send it to the access server. After passing the authenticating procedure, the user is successfully logged-in to the access server. Each access server stores resources and provides some access services. Although the access server is responsible for user authentication, it does not hold any secret user information.

There are four phases in the implementation, i.e., Initialization phase, Registration phase, Login phase, and Authentication phase. The details for each phase are described as follows.

Initialization phase: Assume that CA has a secret key $x \in_R Z_q$ and the corresponding public key is $y = g^x \bmod p$. CA publishes p, q, g, h(.) and y.

Registration phase: Assume that user u wants to register at the access system. The CA and user u execute cooperatively the following steps to complete the registration phase.

1. User u chooses an integer $x_u \in_R Z_q$ as his secret key and the corresponding public key is $ID_u = g^{x_u} \bmod p$. He then stores the secret number $x_u$ in a secret place and registers his/her user name and $ID_u$ in the CA.
2. The CA chooses an integer $k \in_R Z_q$ and computes $r = g^k \bmod p$. If $r = 0 \bmod q$ repeat this step again.
3. The CA computes s from the linear congruence equation, $s = h(r, ID_u)\,k + r\,x \bmod q$. The tuple $(ID_u, r, s)$ is essentially a certificate issued by the CA. Anyone can verify the validity of an $ID_u$ by checking $g^s = r^{h(r, ID_u)}\, y^r \bmod p$.
4. The certificate, expiration date and other necessary data are stored in the smart card.
This card enables user u to construct a login message for entering the access server.

Login phase: User u must insert his smart card into a terminal and construct a login message according to the following steps, whenever he wants to enter the access server at time T.

1. User u chooses an integer $k \in_R Z_q$, and computes the quantities $r = g^k \bmod p$, $H = h(r, T, ID_u, r, s)$, $s = (k H + x_u r) \bmod q$. If $r = 0 \bmod q$, repeat this step again. Namely, the pair $(r, s)$ is a signature for user u on the timestamp T and certificate $(ID_u, r, s)$.
2. User u sends login message $L = \{r, s, T, ID_u, r, s\}$ to server.

Authentication phase: The login request L contains two signatures: the certificate $(ID_u, r, s)$ and the signature $((T, ID_u, r, s), r, s)$. CA constructed the first signature, which certifies that the $ID_u$ (user u) is an authorized user. User $ID_u$ signs on the message $(T, ID_u, r, s)$, i.e., generates the second signature, when he wants to access the server. Therefore, the authentication phase consists of two procedures to check whether these signatures are valid. The server performs the following steps to conclude the authentication process. Assume that the login message L arrived at time T'.

1. Server checks whether (T' - T) is less than the legal transmission time. If not, reject the request.
2. Server rejects user request if the equation $g^s = r^{h(r, ID_u)}\, y^r \bmod p$ does not hold, i.e., verify the certificate $(ID_u, r, s)$.
3. Server computes hash value, $H = h(r, T, ID_u, r, s)$.
4. Accept the user $ID_u$ as legal if the verifying equation $g^s = r^H\, ID_u^{\,r} \bmod p$ holds, otherwise deny the login request.

Note that if using timestamp is not sufficient to defeat replay attacks, then a traditional identification scheme with three moves is required. In this paper, we assumed that timestamp is appropriate.

3. PERFORMANCE AND CORRECTNESS

To simplify the computational cost estimation, we count only the modular exponentiation operation, which is the most expensive computation among the cryptographic computations. This estimation is based on the efficient simultaneous multiple exponentiation technique [19]. During the login phase, the proposed scheme requires only one modular exponentiation, while the schemes in [5-6] and [8] require 2.17 modular exponentiations. Since the computations in this phase are performed by the smart card, saving is valuable. The computational cost for the smart card can be further divided into on-line cost and off-line cost. The off-line cost means that some computations can be calculated during the idle time or computed by a powerful computer.
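The four phases of Section 2 can be exercised end to end; the following is an added example, not code from the paper. It assumes toy parameters constructed for illustration, SHA-256 reduced into $Z_q^*$ as a stand-in for h(.), a 5-second transmission window, and the names `r_u`, `s_u` for the login signature, since the notation above does not distinguish that pair from the certificate's (r, s).

```python
import hashlib
import secrets

# Toy parameters constructed for this example (far too small for real use):
# q divides p - 1 and g has order q in Z_p^*.
P, Q, G = 2039, 1019, 4
MAX_DELAY = 5  # assumed "legal transmission time", in seconds


def h(*parts):
    """Hash into Z_q^*; SHA-256 stands in for the paper's h(.)."""
    data = "|".join(str(x) for x in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (Q - 1) + 1


def commit():
    """Pick a random k and r = g^k mod p, repeating while r = 0 mod q."""
    while True:
        k = secrets.randbelow(Q - 1) + 1
        r = pow(G, k, P)
        if r % Q != 0:
            return k, r


def keygen():
    """Secret key x and public key g^x mod p (used for the CA and for users)."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def issue_certificate(x_ca, id_u):
    """Registration steps 2-3: s = h(r, ID_u) k + r x mod q."""
    k, r = commit()
    return r, (h(r, id_u) * k + r * x_ca) % Q


def verify_certificate(y_ca, id_u, r, s):
    """Check g^s = r^h(r, ID_u) * y^r mod p."""
    return pow(G, s, P) == pow(r, h(r, id_u), P) * pow(y_ca, r, P) % P


def login(x_u, id_u, cert, t):
    """Login phase: sign (T, ID_u, r, s) with the user's key x_u."""
    r, s = cert
    k, r_u = commit()  # the only exponentiation; can be done off-line
    big_h = h(r_u, t, id_u, r, s)
    # k * H is the on-line multiplication; x_u * r_u can be precomputed with r_u.
    s_u = (k * big_h + x_u * r_u) % Q
    return {"r_u": r_u, "s_u": s_u, "T": t, "ID_u": id_u, "r": r, "s": s}


def authenticate(y_ca, msg, t_arrival):
    """Authentication phase, steps 1-4, run by the access server."""
    # Step 1: freshness. Rejecting timestamps from the future is an added check.
    if not 0 <= t_arrival - msg["T"] < MAX_DELAY:
        return False
    # Step 2: the certificate must verify under the CA public key.
    if not verify_certificate(y_ca, msg["ID_u"], msg["r"], msg["s"]):
        return False
    # Steps 3-4: g^s_u = r_u^H * ID_u^r_u mod p.
    big_h = h(msg["r_u"], msg["T"], msg["ID_u"], msg["r"], msg["s"])
    rhs = pow(msg["r_u"], big_h, P) * pow(msg["ID_u"], msg["r_u"], P) % P
    return pow(G, msg["s_u"], P) == rhs


if __name__ == "__main__":
    x_ca, y_ca = keygen()
    x_u, id_u = keygen()
    cert = issue_certificate(x_ca, id_u)
    msg = login(x_u, id_u, cert, t=1000)
    print("fresh login accepted:", authenticate(y_ca, msg, 1002))
    print("stale login accepted:", authenticate(y_ca, msg, 1000 + MAX_DELAY))
```

The retry on r = 0 mod q is what makes the key term bind: with r_u nonzero modulo q, a login built from a valid certificate but a different secret key never satisfies the step 4 equation.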
The on-line computations for the proposed scheme are one hash operation and one modular multiplication compared with those required by the schemes in [5-6] and [8] which require one modular exponentiation and one hash operation. Note that a modular exponentiation requires $1.5\,|q| = 240$ modular multiplications on average, if the generator, i.e. g, has an order of q and q is 160 bits. The proposed scheme demands 2.5 modular exponentiations for authentication, while the schemes in [5-6] and [8] require 1.17 modular exponentiations. Our scheme requires $3|p| + 2|q| + |T|$ for the login message size, whereas the schemes in [5-6] and [8] require $3|p| + |T|$. For a practical cryptosystem [20], i.e., $|p| = 1024$ bits and $|q| = 160$ bits, the communicational cost of our scheme is about 10% larger than that for the other systems. Theorem 1 gives the correctness of the proposed scheme. Theorems 3 and 5 in the next section present the soundness of the proposed scheme.

Theorem 1. The authentication phase correctly determines whether a login message is valid or not.

Proof: In the authentication phase, checking the timestamp in step 1 ensures that the login message is not a replay attack. In step 2, the equation $g^s = r^{h(r, ID_u)}\, y^r \bmod p$ proves that $ID_u$ has been authorized by the CA to enter the access server. The equation $g^s = r^H\, ID_u^{\,r} \bmod p$ in step 4 confirms that the login message L is really constructed by the user $ID_u$. Thus, the authentication phase correctly checks the login message L.

4. ANALYSIS OF SECURITY

The original ElGamal signature scheme in [7] is well known to be existentially forgeable. By replacing the earliest signing equation $s = k^{-1}(m - x r) \bmod (p - 1)$ with $s = k^{-1}(h(m, r) - x r) \bmod (p - 1)$, where $r = g^k \bmod p$ and $k, x \in_R Z_{p-1}^*$, the modified scheme had been proven secure against the adaptively chosen message attack [21-22] under the random oracle model [23]. Considering the limited computation capability of the smart card, the proposed scheme uses $s = (h(m, r)\,k + x r) \bmod q$ as the signing equation which has the advantage of saving an inverse computation.
Based on the works in [21-22], this variant of the ElGamal signature scheme (henceforth called V signature scheme) can be proven secure against the adaptively chosen message attack in a rather brief way, since the modulus is a prime q.

Lemma 2. (The forking lemma) Let A denote an adversary, which is a Probabilistic Polynomial Time Turing machine given only the public data (g, y) as input. Replaying this machine with the same random tape and a different hash oracle, with non-negligible probability, will generate two valid signatures $(m, r, h(m, r), s)$ and $(m, r, h_1(m, r), s_1)$ such that $h(m, r) \neq h_1(m, r)$, if A can find a valid signature $(m, r, h(m, r), s)$ with non-negligible probability [21-22].

Theorem 3. The discrete logarithm problem can be solved in polynomial time, if the V signature scheme is existentially forgeable with non-negligible probability.

Proof: Assume that $(m, r, h(m, r), s)$ and $(m, r, h_1(m, r), s_1)$ are two valid signatures by replaying the adversary A (the forking lemma). From these two signatures, the following verification equations hold true.

$$g^{s} = r^{h(m, r)}\, y^{r} = r^{h(m, r)}\, g^{x r} \bmod p \qquad (1)$$

$$g^{s_1} = r^{h_1(m, r)}\, y^{r} = r^{h_1(m, r)}\, g^{x r} \bmod p \qquad (2)$$

Solving x in (1) and (2), we obtain the following expression for the discrete logarithm of y, i.e., $x = \log_g y$.

$$x = \frac{s\, h_1(m, r) - s_1\, h(m, r)}{r\, h_1(m, r) - r\, h(m, r)} \bmod q \qquad (3)$$

Because the discrete logarithm of y is solvable with a non-negligible probability by replaying A, the discrete logarithm of a random number $z \in_R G$ can also be solved with a non-negligible probability. We show the details as follows. Let $u, v \in_R Z_q$. Giving A the public data $(g^u, z g^v)$ as input, with non-negligible probability, A outputs x such that $(g^u)^x = z g^v$. Thus, the discrete logarithm of the random number z is calculated using the equation $\log_g z = u x - v$. The result contradicts the intractability of the discrete logarithm problem. Therefore, the V signature scheme is existentially forgeable with negligible probability.

Lemma 4. Knowing none of the signer's secret data, a simulator can simulate the signer of the V signature scheme such that the simulated signatures and the genuine signatures constructed by the signer are statistically indistinguishable.

Proof: The simulator chooses $a \in_R Z_q$, $b \in_R Z_q^*$ and calculates $r = g^a y^b \bmod p$, $s = -a r / b \bmod q$, $e = -r / b \bmod q$. The quadruple $(m, r, h(m, r), s)$ is an effective signature of a message m, if $e = h(m, r)$.
Let P(u) denote the probability distribution of r chosen by the simulator and P(i) denote the probability distribution of r computed by the signer. Clearly, P(u) and P(i) are both uniformly distributed over $Z_p^*$. A similar discussion applies to the response. Therefore, in spite of the signatures being simulated by a simulator or truly signed by the signer, all of them are statistically indistinguishable.

Theorem 5. The discrete logarithm problem can be solved in polynomial time, if the V signature scheme is existentially forgeable with non-negligible probability under the adaptively chosen message attack.

Proof: In case of an adaptively chosen message attack, the attacker adaptively chooses messages and asks the signing oracle to sign them. Hence, the attacker obtains a set of genuine signatures. Assuming that the attacker could generate a new valid signature from these signatures, supplying the attacker with simulated signatures, he could also generate a new valid signature, because the attacker cannot distinguish the simulated signatures from the genuine signatures. Thus, collusion between the attacker and the simulator could compute the discrete logarithm of a random number $z \in_R G$, by Lemma 4. This conclusion contradicts the hardness of solving the discrete logarithm problem. Thus, the V signature scheme is existentially forgeable with negligible probability under the adaptively chosen message attack.

Theorem 6. The proposed new scheme is secure against the adaptively chosen message attack.

Proof: The request message $L = \{r, s, T, ID_u, r, s\}$ contains two signatures: 1. $(ID_u, r, s)$ and 2. $((T, ID_u, r, s), r, s)$. The first signature guarantees that the user $ID_u$ is legitimate and authorized by the CA. The second signature proves that the request message $\{r, s, T, ID_u, r, s\}$ is really presented by the user $ID_u$. Taking $(T, ID_u, r, s)$ as message, L represents a signature issued by the user $ID_u$. Needless to say, the request message L is not malleable even under the adaptively chosen message attack, by Theorem 5.

5. CONCLUSION

The proposed scheme does not merely mend the weaknesses of the schemes mentioned in Section 1. The new scheme has several advantages over the schemes in [1-6] and [8-10]:

1. The proposed scheme is provably secure.
2. The proposed scheme possesses the property of non-repudiation.
3. The smart card requires only one on-line modular multiplication and hash operation to construct a login request.
4. The new scheme has the property of forward secrecy. Among the previous schemes, only the scheme in [8] has this property.
5. As a result of Theorem 6, no login message can be counterfeited, even under the collusion of smart card holders. The access system, which has a large number of users, is thus secure. This advantage might be the most important.

REFERENCES

[1] L. Lamport, Password authentication with insecure communication, Communications of ACM, Vol. 24, pp. 770-772, 1981.
[2] C. C. Chang and T. C. Wu, Remote password authentication with smart cards, IEE Proceedings-E, Vol. 138, No. 3, pp. 165-168, 1991.
[3] T. C. Wu, Remote login authentication scheme based on a geometric approach, Computer Communications, Vol. 18, No. 12, pp. 959-963, 1995.
[4] S. J. Wang, Yet another log-in authentication using n-dimensional construction based on circle property, IEEE Transactions on Consumer Electronics, Vol. 49, No. 2, pp. 337-341, 2003.
[5] M. S. Hwang and L. H. Li, A new remote user authentication scheme using smart cards, IEEE Transactions on Consumer Electronics, Vol. 46, No. 1, pp. 28-30, 2000.
[6] J. J. Shen, C. W. Lin, and M. S. Hwang, A modified remote user authentication scheme using smart cards, IEEE Transactions on Consumer Electronics, Vol. 49, No. 2, pp. 414-416, 2003.
[7] T. ElGamal, A public key cryptosystem and a signature scheme based on discrete logarithms, IEEE Trans. Inform. Theory, IT-31, (4), pp. 469-472, 1985.
[8] A. K. Awasthi and S. Lal, A remote user authentication scheme using smart cards with forward secrecy, IEEE Transactions on Consumer Electronics, Vol. 49, No. 4, pp. 1246-1248, 2003.
[9] H. M. Sun, An efficient remote user authentication scheme using smart cards, IEEE Transactions on Consumer Electronics, Vol. 46, No. 4, pp. 958-961, 2000.
[10] H. Y. Chien, J. K. Jan, and Y. M. Tseng, An efficient and practical solution to remote authentication: Smart Card, Computers and Security, Vol. 21, No. 4, pp. 372-375, 2002.
[11] C. C. Chang and C. S. Laih, Correspondence--Remote password authentication with smart cards, IEE Proceedings-E, Vol. 139, No. 4, pp. 372, 1992.
[12] M. S. Hwang, Cryptanalysis of a remote login authentication scheme, Computer Communications, Vol. 22, No. 8, pp. 742-744, 1999.
[13] F. Y. Yang and J. K. Jan, Cryptanalysis of Log-in Authentication Based on Circle Property, IEEE Transactions on Consumer Electronics, Vol. 50, Issue 2, to appear, 2004.
[14] C. K. Chan and L. M. Cheng, Cryptanalysis of a remote user authentication scheme using smart cards, IEEE Transactions on Consumer Electronics, Vol. 46, No. 4, pp. 992-993, 2000.
[15] C. C. Chang and K. F. Hwang, Some forgery attacks on a remote user authentication scheme using smart cards, Informatics, Vol. 14, No. 3, pp. 289-294, 2003.
[16] K. C. Leung, L. M. Cheng, A. S. Fong, and C. K. Chan, Cryptanalysis of a modified remote user authentication scheme using smart cards, IEEE Transactions on Consumer Electronics, Vol. 49, No. 4, pp. 1243-12455, 2003.
[17] C. L. Hsu, Security of two remote user authentication schemes using smart cards, IEEE Transactions on Consumer Electronics, Vol. 49, No. 4, pp. 1196-1198, 2003.
[18] S. Goldwasser, S. Micali, and R. Rivest, A digital signature scheme secure against adaptive chosen-message attacks, SIAM journal of computing, Vol. 17, No. 2, pp. 281-308, 1988.
[19] A. Menezes, P. van Oorschot, and S. Vanstone, Handbook of Applied Cryptography, CRC Press, pp. 617-627, 1996.
[20] A. Lenstra and E. Verheul, Selecting cryptographic key sizes, The Third International Workshop on Practice and Theory in Public Key Cryptography (PKC2000), LNCS 1751, pp. 446-465, 2000.
[21] D. Pointcheval and J. Stern, Security proofs for signature schemes, Advances in Cryptology-EUROCRYPT 96, LNCS 1070, pp. 387-398, 1996.
[22] D. Pointcheval and J. Stern, Security arguments for digital signatures and blind signatures, Journal of Cryptology, Vol. 13, No. 3, pp. 361-396, 2000.
[23] M. Bellare and P. Rogaway, Random oracles are practical: a paradigm for designing efficient protocols, Proc. of the 1st ACM Conference on Computer and Communications Security CCS 93, ACM press, pp. 62-73, 1993.
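
The two constructions used in the proofs of Section 4, the key extraction of equation (3) and the simulator of Lemma 4, can be checked numerically; this is an added example, not code from the paper. The group parameters are toy values constructed for illustration, the function names are hypothetical, and `e`, `e1` stand for the two hash-oracle answers h(m, r) and h_1(m, r).

```python
import secrets

# Toy group constructed for this example: q divides p - 1, g has order q.
P, Q, G = 2039, 1019, 4


def verify(y, r, e, s):
    """Verification equation of the V signature scheme, with e = h(m, r)."""
    return pow(G, s, P) == pow(r, e, P) * pow(y, r, P) % P


def sign_with(x, k, e):
    """Signing equation s = (e k + x r) mod q for a given k and oracle answer e."""
    r = pow(G, k, P)
    return r, (e * k + x * r) % Q


def extract_key(r, e, s, e1, s1):
    """Equation (3): x = (s e1 - s1 e) / (r e1 - r e) mod q.

    Needs e != e1 and r != 0 mod q so that the denominator is invertible.
    """
    num = (s * e1 - s1 * e) % Q
    den = (r * e1 - r * e) % Q
    return num * pow(den, -1, Q) % Q


def simulate(y):
    """Lemma 4: build (r, e, s) from the public key y alone.

    The triple verifies whenever the random oracle is set to h(m, r) = e.
    """
    while True:
        a = secrets.randbelow(Q)          # a in Z_q
        b = secrets.randbelow(Q - 1) + 1  # b in Z_q^*
        r = pow(G, a, P) * pow(y, b, P) % P
        if r % Q == 0:
            continue  # keep e in Z_q^*, matching the range of h
        b_inv = pow(b, -1, Q)
        s = (-a * r * b_inv) % Q
        e = (-r * b_inv) % Q
        return r, e, s


if __name__ == "__main__":
    x = 123                    # constructed secret key
    y = pow(G, x, P)
    r, s = sign_with(x, 7, 5)  # same k, two different oracle answers
    _, s1 = sign_with(x, 7, 9)
    print("extracted key:", extract_key(r, 5, s, 9, s1))
    print("simulated triple verifies:", verify(y, *simulate(y)))
```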