Insecurity of An Anonymous Authentication For Privacy-preserving IoT Target-driven Applications Xi-Jun Lin and Lin Sun November 8, 03 Abstract: The Internet of Things (IoT) will be formed by smart objects and services interacting autonomously and in real-time. Recently, Alcaide et al. proposed a fully decentralized anonymous authentication protocol for privacy-preserving IoT target-driven applications. Their system is set up by an ad-hoc community of decentralized founding nodes. Nodes can interact, being participants of cyberphysical systems, preserving full anonymity. In this study, we point out that their protocol is insecure. The adversary can cheat the data collectors by impersonating a legitimate user. Key words: Anonymous credential system; Fully decentralized protocol; Threshold cryptography; Zero-knowledge proof of knowledge; Smart community Introduction The Internet of Things (IoT) will be formed by smart objects and services interacting autonomously and in real-time. Recently, Alcaide et al. [] proposed a fully decentralized anonymous authentication protocol for privacy-preserving IoT target-driven applications. Their system is set up by an ad-hoc community of decentralized founding nodes. Nodes can interact, being participants of cyberphysical systems, preserving full anonymity. In Alcaide et al. s protocol, two roles are defined for participant nodes: Users and Data Collectors. Users are the nodes originating the data. They can anonymously and unlinkably authenticate themselves in front of data collectors proving possession of a valid Anonymous Access Credential (AAC) encoding a particular set of attributes. Data collectors are entities responsible for the collection of data from authorized users. Therefore, before collecting the data, the data collector must verify that the user holds a valid AAC encoding a particular set of attributes. The main characteristics of their protocol are: The protocol does not rely on any central organization. The users of the system jointly generate and distribute a private key that is used in a (t, n)-threshold fashion. This allows up to t nodes to be compromised without the key being compromised. X.J.Lin is with the Department of Computer Sciences and Technology, Ocean University of China. Qingdao 00, P.R.China. email: linxj77@3.com L. Sun is with the College of Liberal Arts, Qingdao University. Qingdao 07, P.R.China. email: sunlin9@.com
Users of the system can obtain an AAC encoding a set of certified attributes and use such an AAC to anonymously and unlinkably authenticate themselves to data collector entities. Data collectors can anonymously authenticate users by means of attribute-based boolean formulas, which can be defined and modified by the data collector itself at any time. Without loss of generality, their protocol is described assuming that users are authenticated based on only two attributes (x, x ), which can be derived from a standard certificate x signed by some trusted external entity (i.e., a certification authority). In the protocol, once verified, the attributes (x, x ) will be encoded into an AAC so that the user can prove possession of those attributes without disclosing their actual value. Any linear boolean formula (or a conjunction of formulas) can be used to anonymously authenticate users as legitimate participants. Such a formula can be represented as the function Φ R (x, x ). As mentioned before, users can prove that the attributes x and x, encoded in a AAC, satisfy Φ R (x, x ) = without revealing the actual attribute values. In this study, we point out that their protocol is insecure. The adversary can cheat the data collectors by impersonating a legitimate user. Alcaide et al. s Protocol Their protocol consists of three phases: Set-Up (where all parameters are generated), User Registration (users obtain AAC) and Credential Proving (users prove possession of a valid AAC to a data collector).. Set-Up In this phase, a community of n users, {U i : i =,, n}, known as founders, comes together to generate all protocol parameters. As a result of this phase, each founder U i holds two tuples: a public tuple: P ub i = (N, ε, V, V, V 3, e, g, s, c, g, g, g 3, q, h, h, h 3, h 4, h 5, h ) equal for all founders. a private tuple: P riv i = (p i, p i, ϕ i (N), d i, v i, v i, v 3i ) different for each founder U i. (N, ε, V, V, V 3, d, v, v, v 3 ) are generated by the founders in a joint and decentralized manner, where d = ε, v = V, v = V, v 3 = V3 (mod ϕ(n)) and N = 4p p + p + p + such that (p, p ) are Sophie Germain primes. q is a prime picked by a
super node such that N (q ). (e, g, c, h,, h ) are picked by the super node randomly and broadcasted to the founders. s = g d, g = g v, g = g v, g 3 = g3 v (mod N) are also broadcasted by the super node so that every founder holds them. P riv i = (p i, p i, ϕ i (N), d i, v i, v i, v 3i ) are shares that the founder U i holds of the secret values (p, p, ϕ(n), d, v, v, v 3 ) respectively. At the end of this phase, the founders have computed the necessary cryptographic material to create AACs for valid data holders later on. The detail of this phase which has nothing to do with our attack is omitted here.. User Registration In this phase, a new user U new, holding a valid certificate x, obtains the necessary material from (t + ) founders to construct its own Anonymous Access Credential AAC new, a token that encodes U new s attributes (x, x ) Z e and allows U new to anonymously and unlinkably prove to the data collector to be a legitimate participant. Before U new can participate in the system, it needs to obtain the protocol public parameters. In order to do that, U new simply requests the tuple P ub i from some founder U i and makes P ub new = P ub i. The process that U new must follow to construct AAC new is described as follows. U new picks x 3 R Z e such that gcd(x 3, ε) = and x R Z N, and then computes a = g x 3 3 xe (mod N). Then, it picks b c (mod N) randomly, and then sends ( x, a, b) to the founders. After receiving ( x, a, b), each founder U i verifies x and extracts the attributes (x, x ) from x. Then, it computes a = g x gx a (mod N) and m = (a + b) (mod N). Furthermore, it signs m with its private tuple P riv i and sends σ i (m) to U new. After receiving (t + ) partial signatures σ i (m) from the founders, U new generates the signature v = σ(m). Then, it computes a = g x gx a (mod N) and m = (a + b) (mod N), and then checks whether the equation v ε = m (mod N) holds. If the equation holds, U new obtains its own Anonymous Access Credential AAC new = (x, x, x 3, x, v). AAC new must be kept secretly at all times, only randomized versions of it will be used in the Credential Proving phase. It should be noted that U new must show its certificate to the founders..3 Credential Proving When a user U interacts with a data collector R, U must anonymously and unlinkably prove to R that it holds the appropriate attributes to satisfy the boolean formula Φ R that R uses to authenticate legitimate participants. As the process that U must follow to accomplish such a proof is the key part of the anonymous credential system. Each of the sub-processes is given as follows.. Session values and commitments: every time that U wants to authenticate to the data collector R, U must generate and commit a set of session values, which are secret random values used during a particular authentication operation. This process is given as follows. 3
(a) U picks y R Z e, and then computes ˆv = s y v (mod N) ˆm = g y m (mod N) â = g y a (mod N) ˆb = g y b (mod N) Then, it picks w, w, w 3 Z N and computes m = h ˆm hw (mod q) ā = hâ3 hw 4 (mod q) b = hˆb5 h w 3 (mod q) c = mā b (mod q) (In the original paper, ā = hâ hw 3 (mod q). According to the Appendix A.- Theorem [], we correct this typo by replacing it with ā = hâ3 hw 4 (mod q).) (b) U sends and commits the session values (â, m, b, c) to R.. Zero-Knowledge Proofs of Knowledge (ZKPoKs): once U has committed some set of values, U and R engage in a series of four ZKPoKs: In order to authenticate U, every operation that R performs at the end of each ZKPoK must succeed. Whatever data R collects from U must follow these authentication subprocess. ZKPoK: The objective of this ZKPoK is to prove that the private attributes (x, x ) that U holds in its AAC satisfy the boolean formula Φ R (x, x ). Note that Φ R can be any linear boolean formula; however, for simplicity reasons, as an example, the authors use: Φ R (x, x ) = αx + β = x : (α, β) Z α, β being chosen by data collector R. Consequently, U must prove, in a zero-knowledge manner, possession of AAC encoding attributes (x, x ) such that αx + β = x. This ZKPoK is given as follows. U picks r y, r, r 3 R Z e and r R Z N, then computes and sends t = g r y(g g α )r g r 3 3 re (mod N) to R. R picks and responds γ R Z t to U. U computes s y = γy + r y (mod e) s = γx + r (mod e) s 3 = γx 3 + r 3 (mod e) s = g (γy+r y)dive (g g α)(γx +r )dive g (γx 3+r 3 )dive 3 x γ r (mod N) It sends (s y, s, s 3, s ) to R. R checks whether the equation (âg β )γ t = g s y(g g α s )s g 3 3 se (mod N) holds. 4
ZKPoK: The goal of this ZKPoK is to prove that all session value commitments generated by U are valid. For that matter, U must prove, in a zero-knowledge manner, knowledge of the secret tuple (y, â, ˆb, ˆm). This ZKPoK is given as follows. U picks r ˆb, r, r, r 3 R Z q. Then, it computes and sends t = (h h 5 ) rˆbh r hr 4 hr 3 (mod q) to R. R picks and responds γ R Z q to U. U computes s ˆb = γˆb + r ˆb s = γw + r s = γw + r s 3 = γw 3 + r 3 It sends (s ˆb, s, s, s 3 ) to R. (In the original paper, (s y, s, s 3, s ) is sent to R, we correct this typo by replacing it with (s ˆb, s, s, s 3 ).) R checks whether the equation ( c(h h 3 ) â ) γ t = (h h 5 ) sˆbh s holds. hs 4 hs 3 (mod q) ZKPoK3: The objective of this ZKPoK is to prove that the signature v encoded in U s AAC is valid. In order to do that, U proves, in a zero-knowledge manner, knowledge of the ε-th root of the h -part, which is equivalent to proving that ˆv is the ε-th root of ˆm. This ZKPoK given below must be executed L times. U picks r, r R Z N. Then, it computes and sends t = h r ε hr R. (mod q) to R picks and responds γ R {0, } to U. U preforms as follows. If γ = 0, let s = r and s = r. If γ =, it computes s (mod N). = r ˆv (mod N) and s = r w (r ˆv ) ε U sends (s, s ) to R. R performs as follows. If γ = 0, it checks whether the equation t = h s ε hs (mod q) holds. If γ =, it checks whether the equation t = m s ε hs (mod q) holds. ZKPoK4: The goal of this ZKPoK is to prove that U knows the session value y involved in ZKPoK - 3. For that matter, U must prove, in a zero-knowledge manner, knowledge of the discrete logarithm with base g of the h 5 -part. This ZKPoK given below must be executed L times. U picks r, r R Z N. Then, it computes and sends t = h gr (mod q) to R. (In the original paper, g is used to compute t, we correct this typo by replacing it with g.) R picks and responds γ R {0, } to U. U preforms as follows. If γ = 0, let s = r and s = r. If γ =, it computes s = r y and s = r w 3c g s. U sends (s, s ) to R. 5
R performs as follows. If γ = 0, it checks whether the equation t = h gs 5 h s (mod q) holds. (In the original paper, g is used in the equation, we correct this typo by replacing it with g.) If γ =, it checks whether the equation t = ( b c ) gs h s (mod q) holds. Note that, if and only if the authentication of user U succeeds (i.e., all ZKPoK - 4 are successful), the data collector R collects data from U. 3 Cryptanalysis In this section, we present an attack to point out that an adversary A can cheat the data collector by impersonating a legitimate user. In our attack, A needs not compromise user nodes. It should be noted that if and only if A processes all ZKPoK-4 with a data collector R successfully, A can cheat R into collecting data from it. Suppose that the public parameters are (N, ε, V, V, V 3, e, g, s, c, g, g, g 3, q, h, h, h 3, h 4, h 5, h ), and R s data collection policy is the equation Φ R (x, x ) = αx + β = x : (α, β) Z. In the Credential Proving phase, the adversary A interacts with R anonymously and unlinkably as follows.. Session values and commitments: A picks y R Z e, ˆv, a R Z N and w, w, w 3 R Z N. Then, it computes â = g β ae (mod N) m = h ˆm hw (mod q), where ˆm = ˆv ε (mod N) b = hˆb 5 h w 3 (mod q), where ˆb = g y c (mod N) c = (h h 3 )â(h h 5 ) w (mod q) A sends and commits the session values (â, m, b, c) to R.. Zero-Knowledge Proofs of Knowledge(ZKPoKs): once A has committed its session values, A and R engage in ZKPoK-4 as follows. ZKPoK: A picks s y, s, s 3 R Z e, and computes t = g s y(g g α )s g s 3 3 (mod N). Then, it sends t to R. After receiving γ from R, A computes s = a γ (mod N), and then sends (s y, s, s 3, s ) to R. Correctness: Since â = g β ae (mod N), t = g s y(g g α s )s g 3 3 (mod N) and s = a γ (mod N), we have that (âg β )γ t = ((g β = a eγ t Hence, ZKPoK is preformed successfully. ae )g β )γ t = a eγ g s y(g g α )s g s 3 3 = g s y(g g α )s g s 3 3 s e (mod N)
ZKPoK: A picks s, s, s 3 R Z, and computes t = h s hs 4 hs 3 (mod q). Then, it sends t to R. After receiving γ from R, A computes s ˆb = wγ, and then sends (s ˆb, s, s, s 3 ) to R. Correctness: Since c = (h h 3 )â(h h 5 ) w (mod q), t = h s s ˆb = wγ, we have that hs 4 hs 3 ( c(h h 3 ) â ) γ t = ((h h 3 )â(h h 5 ) w (h h 3 ) â ) γ t = (h h 5 ) wγ t Hence, ZKPoK is preformed successfully. = (h h 5 ) wγ h s hs 4 hs 3 = (h h 5 ) sˆbh s hs 4 hs 3 (mod q) (mod q) and ZKPoK3: A picks r, r R Z N and computes t = h r ε hr (mod q). Then, it sends t to R. After receiving γ {0, } from R, A performs as follows. (a) if γ = 0, let s = r and s = r. (b) if γ =, let s = r ˆv (mod N) and s = r w (r ˆv ) ε (mod N) A sends (s, s ) to R. Correctness: Since t = h r ε (mod N), we have that (a) if γ = 0, t = h r ε hr (b) if γ =, we have that hr (mod q) and m = h ˆm hw (mod q), where ˆm = ˆv ε = ε hs hs (mod q) m s ε s h = (h ˆm hw ε s )s h = (h ˆm hw )(r ˆv ) ε h r w (r ˆv ) ε = (h ˆm )(r ˆv ) ε h r = (hˆvε )(r ˆv ) ε h r = h r ε hr = t (mod q) Hence, ZKPoK3 is preformed successfully. ZKPoK4: A picks r, r R Z N and computes t = h gr (mod q). Then, it sends t to R. After receiving γ {0, } from R, A performs as follows. (a) if γ = 0, let s = r and s = r. (b) if γ =, let s = r y and s = r w 3c g s A sends (s, s ) to R. Correctness: Since t = h gr (mod N), we have that (a) if γ = 0, t = h gr (b) if γ =, we have that (mod q) and b = hˆb 5 h w 3 (mod q), where ˆb = g y c = hgs 5 h s (mod q) 7
( b c ) gs h s = ((hˆb 5 h w 3 = ((hˆb 5 h w 3 )c ) gs = hˆbc g s h s )c ) gs h r w 3c g s = h (gy c)c g s = h gy g s = h gy+(r y) = h gr = t (mod q) Hence, ZKPoK4 is preformed successfully. Since all ZKPoK-4 are successful, R authenticates the adversary A as a legitimate user, and then collects data from it. Hence, the protocol is broken. Another main flaw of Alcaide et al. s protocol is given below. In User Registration phase, since the new user U new sends its certificate x in plaintext to the founders, x can be captured by A. Then, A sends ( x, a, b) to the founders by impersonating U new, where a and b are computed by A itself. Since the founders are user nodes, it is reasonable to assume that they are stateless. Hence, they do not know whether x belongs to a user who has already received its AAC. So A can obtain (t + ) partial signatures from the founders, then it can construct a valid AAC. That is, once a user s certificate is sent in plaintext in User Registration phase, the adversary A can obtain this certificate and forge a valid AAC by impersonating this user. With this AAC, A can cheat the data collectors in Credentail Proving phase. 4 Conclusion Recently, Alcaide et al. proposed a fully decentralized anonymous authentication protocol for privacy-preserving IoT target-driven applications. Their system is set up by an ad-hoc community of decentralized founding nodes. Nodes can interact, being participants of cyberphysical systems, preserving full anonymity. In this study, we point out that their protocol is insecure. The adversary can cheat the data collectors by impersonating a legitimate user. References [] A.Alcaide, E.Palomar, J.Montero-Castillo and A.Ribagorda. Anonymous authentication for privacy-preserving IoT target-driven applications. Computers & Security. 37 (03). pp:-3. 8