Anonymous Wireless Authentication on a Portable Cellular Mobile System
Source: IEEE Transactions on Computers, Vol. 53, No. 10, October 2004
Authors: Shiuh-Jeng Wang, Member, IEEE
Speaker: Pen-Yi Chang, 2004/10/18

Outline
• Introduction
• Cryptographic Knapsack System
• Call Set-Up Authentication Protocol
• Hand-Off Authentication Protocol
• Anonymous Conference Call Protocol
• Conclusion

Introduction
• The author has proposed a secure and anonymous conference call set-up scheme for a group of mobile units, using an identity-based concept as well as a knapsack-like cipher mechanism.

Cryptographic Knapsack System
• Without loss of generality, the 0/1 knapsack problem with a large vector length is an NP-complete problem.
• 0/1 Knapsack Problem:
  • C : a positive integer
  • A : a vector (a1, a2, …, an) of positive integers
  • M : a binary vector (m1, m2, …, mn)
  • such that $C = \sum_{i=1}^{n} a_i m_i$

Cryptographic Knapsack System (cont. 1)
• The knapsack variant incorporated into our scheme:
Definition 1:
• A vector A = (a1, a2, …, ai, …, an) is said to be volume-increasing on i, 1 ≤ i ≤ n, iff
  $a_i > \sum_{1 \le j \le n,\ j \ne i} a_j$
• If the vector A given in the 0/1 knapsack problem is volume-increasing on i, then
  • if C ≥ ai, then mi = 1; otherwise, mi = 0

Cryptographic Knapsack System (cont. 2)
• Problem 1:
• Find a vector A = (a1, a2, …, ai, …, an) and a set of n constants {λ1, λ2, …, λi, …, λn} such that
  λ1*A mod p = (λ1*a1 mod p, λ1*a2 mod p, …, λ1*an mod p)
  λ2*A mod p = (λ2*a1 mod p, λ2*a2 mod p, …, λ2*an mod p)
  …
  λn*A mod p = (λn*a1 mod p, λn*a2 mod p, …, λn*an mod p)
  are volume-increasing on i for each (λi*A mod p), 1 ≤ i ≤ n, where p is a large prime and

Cryptographic Knapsack System (cont. 3)
n
p   ( j a j mod p)
j 1

Notations
• MUi : the ith mobile unit
• BSi : the ith base station
• RC : random check number, generated by the MSC
• Kc : the conference key used by MUi
• Ks : the session key generated by MUi, used to participate in the construction of Kc
• PKC : public key cryptosystem
• h : a secure one-way hash function
• Ek : encryption algorithm with private key k

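Call Set-Up Authentication Protocol
Parties: MUi, BSi, MSC (with ARC and DB)
• MUi: compute $AU_{MU_i} = (ID_{MU_i} \| RC \| K_s)^3 \bmod n$ and send $\{AU_{MU_i}\}$
• BSi: forward $\{AU_{MU_i}, ID_{BS_i}\}$ to the MSC
• MSC: decrypt $(AU_{MU_i})^d \bmod n$; authenticate $ID_{MU_i}$, RC; generate RC; compute NR from RC and RC'; compute $S_{BS_i}^{(0)}$ as $h(ID_{BS_i} \| RC)$ combined with RC, raised to the power d mod n; send $\{S_{BS_i}^{(0)}, NR\}$
• BSi: generate $r_i$; compute $X_{BS_i} = g^{3r_i} \bmod n$ and $Y_{BS_i} = S_{BS_i}^{(0)} \cdot g^{r_i} \bmod n$; send $\{ID_{BS_i}, X_{BS_i}, Y_{BS_i}, NR\}$
• MUi: compare the value derived from $Y_{BS_i}^3$, $X_{BS_i}$ and RC with $h(ID_{BS_i} \| RC)$; send {ACK}; compute RC' from NR and RC; store $V_{BS_i}^{(0)} = h(ID_{BS_i} \| RC)$; RC' replaces RC
• {ACK}; store $S_{BS_i}^{(0)}$; RC' replaces RC
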
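Hand-Off Authentication Protocol
Parties: MUi, BSi, BSi-new, MSC (with ARC and DB)
• Prestored: $V_{BS_i}^{(0)} = h(ID_{BS_i} \| RC)$ and $S_{BS_i}^{(0)}$
• Generate $n_B$; messages $\{n_B\}$, $\{n_B\}$
• Message $\{E_{K_{s_i}}(n_B)\}$
• Compute $S_{BS_i}^{(1)}$ from $h(ID_{BS_i\text{-}new})$, d and $S_{BS_i}^{(0)}$
• Message $\{S_{BS_i}^{(1)}, E_{K_{s_i}}(n_B)\}$
• Compare $E_{K_{s_i}}(n_B)$
• Generate $r_i'$; compute $X_{BS_i\text{-}new} = g^{3r_i'} \bmod n$ and $Y_{BS_i\text{-}new} = S_{BS_i}^{(1)} \cdot g^{r_i'} \bmod n$
• Message $\{ID_{BS_i\text{-}new}, X_{BS_i\text{-}new}, Y_{BS_i\text{-}new}\}$
• Compare the value derived from $Y_{BS_i\text{-}new}^3$, $X_{BS_i\text{-}new}$ and RC with the one derived from $V_{BS_i}^{(0)}$ and $h(ID_{BS_i\text{-}new})$
• Store $V_{BS_i}^{(1)}$, computed from $V_{BS_i}^{(0)}$ and $h(ID_{BS_i\text{-}new})$ mod n
• Store $S_{BS_i}^{(1)}$
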
Anonymous Conference Call Protocol
• Assume that there are at most m+1 mobile units MU0, MU1, …, MUm in a communicating group of our system.
• Let n = m + l. Solving Problem 1 then yields the vector A = (a1, a2, …, an) and the n constants λi.
• yi = λi*ai mod p, 1 ≤ i ≤ n
• A, p : public
• ai : the public key of the ith mobile
• (λi, yi) : the private keys of the ith mobile

Anonymous Conference Call Protocol (cont. 1)
• MU0: constructs the vector $R = (r_i)_{1 \le i \le m}$, $r_i = 0$ or 1; chooses a random vector $W = (w_i)_{1 \le i \le l}$, $w_i = 0$ or 1; computes $Z = \sum_{i=1}^{m} a_i r_i + \sum_{i=1}^{l} a_{m+i} w_i$
• MU0 → MSC: $\{Z, AU_{MU_0}\}$, where $AU_{MU_0} = (ID_{MU_0} \| ID_{MU_1} \| \dots \| ID_{MU_k} \| RC_0 \| K_{s_0})^3 \bmod n$
• MSC (with ARC and DB): if authentication is successfully completed, then the MSC broadcasts Z
• MUi: on receiving the broadcast signal, computes $R_i' = \lambda_i \cdot Z \bmod p$; if $R_i' < y_i$, then $r_i = 0$; otherwise, $r_i = 1$

Anonymous Conference Call Protocol (cont. 2)
• MUij with $r_i = 1$ → MSC: $(ID_{MU_{i_j}} \| RC_{i_j} \| K_{s_{i_j}})^3 \bmod n$
• MSC (with ARC and DB): check list; collect $(ID_{MU_0}, K_{s_0})$, $(ID_{MU_{i_j}}, K_{s_{i_j}})$, $j = 1, 2, \dots, k$; construct $f(z)$, and then let $K_c = f(0)$; select $(a_j, b_j)$, $j = 1, 2, \dots, k$ from the polynomial $f(z)$; broadcast $(a_j, b_j)$, $j = 1, 2, \dots, k$
• MUij: collects the coordinate points (); reconstructs $f(z)$ via $(a_j, b_j)$, $j = 1, 2, \dots, k$ and his own pair $(ID_{MU}, K_s)$. $K_c$ is thus obtained by substituting $z = 0$ into $f(z)$
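
The conference-key step above, sketched as an added example (not code from the paper or the slides). It assumes f(z) is the degree-k polynomial through the k+1 collected (ID, Ks) pairs, interpolated over a prime field; the modulus Q, the integer IDs and the session keys are constructed values.

```python
import secrets

Q = 2**127 - 1  # assumed prime modulus for f(z); the slides do not specify one


def eval_through(points, x):
    """Lagrange-evaluate at x the unique polynomial of degree < len(points)
    passing through `points`, with all arithmetic mod Q."""
    total = 0
    for xi, yi in points:
        num = den = 1
        for xj, _ in points:
            if xj != xi:
                num = num * (x - xj) % Q
                den = den * (xi - xj) % Q
        total = (total + yi * num * pow(den, -1, Q)) % Q
    return total


def msc_build(pairs):
    """MSC side: f(z) runs through every collected (ID, Ks) pair, Kc = f(0),
    and k fresh points (a_j, b_j) on f are chosen for broadcast."""
    k = len(pairs) - 1
    kc = eval_through(pairs, 0)
    taken = {0} | {x for x, _ in pairs}  # never publish f(0) or a member's own point
    broadcast = []
    while len(broadcast) < k:
        a = secrets.randbelow(Q)
        if a not in taken:
            taken.add(a)
            broadcast.append((a, eval_through(pairs, a)))
    return kc, broadcast


def mu_recover(broadcast, own_pair):
    """MU side: k broadcast points plus the unit's own (ID, Ks) give the k+1
    points needed to rebuild f(z); Kc is its value at z = 0."""
    return eval_through(broadcast + [own_pair], 0)


# Constructed sample data: MU0 plus k = 3 invitees, integer IDs, random session keys.
PAIRS = [(1000 + i, secrets.randbelow(Q)) for i in (0, 2, 4, 6)]
KC, BROADCAST = msc_build(PAIRS)

if __name__ == "__main__":
    print("every participant derives Kc:",
          all(mu_recover(BROADCAST, pr) == KC for pr in PAIRS))
    outsider = (1001, secrets.randbelow(Q))  # a pair the MSC never collected
    print("outsider derives Kc:", mu_recover(BROADCAST, outsider) == KC)
```

A unit whose pair was not collected by the MSC holds a point off f(z), so the k broadcast points alone do not let it reach Kc.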

Example
• There are six mobiles in the mobile system. From Problem 1:
A=(a1, a2, a3, a4, a5, a6)
=(1341,5239,13954,2490,15341,4662)
p=54401
(λ1, y1)=(37341,25361), (λ2, y2)=(5965,24461)
(λ3, y3)=(52699,23529), (λ4, y4)=(6979,23791)
(λ5, y5)=(11973,20017), (λ6, y6)=(2316,25794)
• Assume that the participating mobiles in a conference call are {MU2, MU4, MU6}; that is, R=(0,1,0,1,0,1)

Example (cont. 1)
Z=(A)(R)=12391
λ1*Z mod 54401=11826<25361, r1=0
λ2*Z mod 54401=35757>24461, r2=1
λ3*Z mod 54401=18106<23529, r3=0
λ4*Z mod 54401=33600>23791, r4=1
λ5*Z mod 54401=5916<20017, r5=0
λ6*Z mod 54401=28229>25794, r6=1
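
The decoding rule and the six-mobile example above, as an added Python example (not code from the paper or the slides). It goes one step beyond the slide by checking every one of the 64 possible selections R; the bound "row total below p" in `row_is_decodable` is an assumption made here about the condition on p.

```python
from itertools import product

# Values copied from the slides' six-mobile example.
A = (1341, 5239, 13954, 2490, 15341, 4662)        # public vector
P = 54401                                         # public prime
PRIVATE = ((37341, 25361), (5965, 24461), (52699, 23529),
           (6979, 23791), (11973, 20017), (2316, 25794))  # (lambda_i, y_i)


def encode(r):
    """MU0: Z is the plain integer sum of a_i over the selected positions."""
    return sum(a * bit for a, bit in zip(A, r))


def residue(i, z):
    """MU_i (0-based index): R_i' = lambda_i * Z mod p."""
    return PRIVATE[i][0] * z % P


def decode_bit(i, z):
    """r_i = 0 if R_i' < y_i, otherwise r_i = 1."""
    return 0 if residue(i, z) < PRIVATE[i][1] else 1


def row_is_decodable(i):
    """lambda_i*A mod p must be volume-increasing on i with y_i in position i.
    Assumption added here: the row total also stays below p, so that the
    residue of Z equals an exact subset sum of the row (no wrap-around)."""
    lam, y = PRIVATE[i]
    row = [lam * a % P for a in A]
    return row[i] == y and row[i] > sum(row) - row[i] and sum(row) < P


def all_selections_decode():
    """Exhaustively confirm that every 0/1 vector R is recovered bit by bit."""
    n = len(A)
    return all(tuple(decode_bit(i, encode(r)) for i in range(n)) == r
               for r in product((0, 1), repeat=n))


if __name__ == "__main__":
    R = (0, 1, 0, 1, 0, 1)                        # MU2, MU4, MU6 invited
    Z = encode(R)
    print("Z =", Z)
    for i in range(len(A)):
        print(f"MU{i + 1}: R'={residue(i, Z)} y={PRIVATE[i][1]} r={decode_bit(i, Z)}")
    print("rows decodable:", [row_is_decodable(i) for i in range(len(A))])
    print("all 64 selections decode:", all_selections_decode())
```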
Conclusion
• We have proposed an anonymous identity-based mutual authentication scheme for holding a conference call.
• This anonymity is accomplished by means of a knapsack-like cipher mechanism among the communicating mobiles.