
[IEEE 2008 Third International Conference on Risks and Security of Internet and Systems( CRiSIS) - Tozeur, Tunisia (2008.10.28-2008.10.30)] 2008 Third International Conference on Risks


Third International Conference on Risks and Security of Internet and Systems: CRiSIS’2008

978-1-4244-3309-4/08/$25.00 ©2008 IEEE

Towards a Robust Privacy and Anonymity Preserving Architecture for Ubiquitous Computing

Pierre E. ABI-CHAR
GET/INT-EDITE, UPMC-Paris 6
91011 Evry CEDEX - France
Pierre.ABI [email protected]

Mounir MOUKHTARI, Abdallah MHAMED
GET/Institut National des Télécommunications
9 rue C. Fourier - 91011 Evry CEDEX - France
{mounir moukhtari; abdallah mhamed}@int.edu.eu

Bachar EL-HASSAN
Lebanese University, Faculty of Engineering, Lebanon
bachar [email protected]

Abstract

Anonymous authentication is a means of authorizing a user without revealing his/her identification. Mobile technologies such as Radio Frequency Identification (RFID) tags, PDAs and mobile phone systems are increasingly being deployed in pervasive computing. These mobile devices have raised public concern regarding violation of privacy, anonymity and information confidentiality. Considering these concerns, there is a growing need to discover and develop techniques and methods to overcome the threats described above. In this paper we propose an architecture which enhances the privacy and anonymity of users in ubiquitous computing and yet preserves the security requirements of the system. Our proposed architecture is based on elliptic curve techniques, on the MapToCurve or MapToPoint function, on Weil pairing techniques and finally on the elliptic curve based Okamoto identification scheme. In addition, we present a formal validation of our protocol using the AVISPA tool. The main comparative study of our proposed architecture is to provide privacy and anonymity for mobile users. Our proposed architecture achieves many desirable security requirements.

1 Introduction

Ubiquitous computing (or "ubicomp") refers to a model of human-computer interaction in which information processing has been thoroughly integrated into everyday objects and activities. Ubiquitous computing engages various computational devices and systems simultaneously. Ubiquitous computing is an emerging research area with great potential. However, without careful consideration for user privacy, there is a fair possibility of creating a ubiquitous surveillance system instead.

In this research we aim to design a new architecture that protects the privacy and anonymity of a ubiquitous environment. The proposed scheme should allow users to communicate freely while preserving their privacy. Our new approach will enable users to access computing resources in an authenticated manner without disclosing their identities, their physical locations or their whereabouts. Our new design will be deployed through a user interface running on their mobile devices, which include mobile phones, laptops, PDAs, etc.

In this paper we present a robust authenticated architecture for protecting the privacy and anonymity of users. Our proposed scheme provides secure mutual authentication and could be extended to support a key agreement process. Our scheme, the Privacy and Anonymity Preserving Architecture (PAPA), is based on Elliptic Curve Cryptography [22], on bilinear pairing [4], on the MapToPoint or MapToCurve function [4, 24], and on the assumption that the ECC discrete logarithm problem is secure. The main comparative study of our proposed design is to provide privacy and anonymity for mobile users. Our proposed protocol achieves many desirable security requirements. As future work, our privacy scheme will be developed and integrated in a smart environment dedicated to independent people [9].

The remainder of this paper is organized as follows. Section 2 reviews the desirable properties needed for smart environments and ubiquitous computing (applicable to wireless local area networks). Section 3 reviews the mathematical background needed for the implementation of the scheme. Section 4 presents the overall architecture of our proposed protocol. Section 5 describes the security analysis and shows how the security and privacy requirements are fulfilled. In Section 6, the Automated Validation of Internet Security Protocols and Applications (AVISPA) tool is used to analyze the security of the protocol. Section 7 presents an overview of the performance evaluation and related signature algorithms. Finally, Section 8 makes concluding remarks.

2 DESIRABLE PROPERTIES FOR PERVASIVE ENVIRONMENTS

Previous research on privacy and anonymity on the Internet can be classified into roughly two categories: user anonymity and anonymous communication. User anonymity aims at providing users with anonymity while they are using the network, by letting them hide their identity from the communication peers. Research on anonymous communication focuses on providing a communication channel that is immune to traffic analysis, so that the communicating parties remain anonymous against eavesdroppers. To address the security risks and privacy issues, the following attack model must be assumed and prevented [7, 19, 20, 23].

Man-in-the-middle attack: The attacker can impersonate a legitimate reader (R) and obtain information from the embedded device (ED), and can then impersonate the legitimate ED when responding to R. Thus the attacker can easily be authenticated by the legitimate R before the next session.

Replay attack: The attacker can eavesdrop on the response message from the ED and retransmit it to the legitimate R.

Forgery: The adversary can simply copy the information of the ED obtained by eavesdropping.

Data loss: The protocol can be damaged by denial-of-service (DoS) attacks, power interruption and hijacking.

To protect user privacy and anonymity, we consider the following requirements from a cryptographic point of view [23, 15].

Data confidentiality: The private information of the ED must be kept secure to guarantee user privacy. The information of the ED must be meaningless to its bearer even if it is eavesdropped by an unauthorized R.

Anonymity: Even if the data of the ED is encrypted, the unique identification information of the ED is exposed when the encrypted data is constant: an attacker can identify each ED by its constant encrypted data. Therefore, it is important to make the information of the ED anonymous.

Location privacy: Neither the system nor the users of the system will be able to know the exact location of a user, unless that user decides to disclose such information or another person physically sees that user at that location.

Data integrity: If the memory of the ED is rewritable, forgery and data modification can happen. Thus, a linkage between the authentication information and the ED itself must be established in order to prevent simple copying of the ED.

Mutual authentication and reader authentication: In addition to access control, mutual authentication between the ED and the back-end server (DBID) must be provided as a measure of trust. By authenticating mutually, the replay attack and the man-in-the-middle attack against both ED and DBID are prevented. DBID must also authenticate R to avoid a man-in-the-middle attack by an illegitimate R on the insecure channel.

3 PRELIMINARIES

In this section we briefly introduce the mathematical background necessary for the description of our scheme.

3.1 Elliptic Curve Cryptography, ECC:

Many researchers have examined elliptic curve cryptosystems, which were first proposed by Miller [16] and Koblitz [11]. Elliptic curve systems, which are based on the elliptic curve discrete logarithm problem over a finite field, have some advantages over other systems: the key size can be much smaller than in other schemes, since only exponential-time attacks are known so far if the curve is carefully chosen [12], and elliptic curve discrete logarithms might still be intractable even if factoring and the multiplicative-group discrete logarithm are broken. In this paper we use an elliptic curve E defined over a finite field Fp. The elliptic curve parameters to be selected [14, 13] are:

1 - Two field elements a and b ∈ Fp, which define the equation of the elliptic curve E over Fp (i.e., $y^2 = x^3 + ax + b$ in the case p ≥ 4, where $4a^3 + 27b^2 \neq 0$).

2 - Two field elements xp and yp in Fp, which define a finite point P = (xp, yp) of prime order in E(Fp) (P is not equal to O, where O denotes the point at infinity).

3 - The order n of the point P.

The elliptic curve domain parameters can be verified to meet the following requirements [14, 13]. In order to avoid the Pollard-rho [18] and Pohlig-Hellman algorithms for the elliptic curve discrete logarithm problem, it is necessary that the number of Fp-rational points on E, denoted by #E(Fp), be divisible by a sufficiently large prime n. To avoid the reduction algorithms of Menezes, Okamoto and Vanstone [3] and Frey and Rück [5], the curve should be non-supersingular (i.e., p should not divide p + 1 − #E(Fp)). To avoid the attack of Semaev [21] on Fp-anomalous curves, the curve should not be Fp-anomalous (i.e., #E(Fp) ≠ p).

In the following, we give an introduction to the EC discrete logarithm problem, to Diffie-Hellman key exchange based on EC, to the elliptic curve based digital signature algorithm (EC-DSA) and finally to the elliptic curve based ElGamal signature scheme (EC-EGS).

Let E be an elliptic curve defined over a finite field Fp and let P ∈ E(Fp) be a point of order n. Given Q ∈ E(Fp), the elliptic curve discrete logarithm problem (ECDLP) is to find the integer l, 0 ≤ l ≤ n − 1, such that Q = l·P.

The Diffie-Hellman key agreement protocol runs as follows: the first party selects a random number $n_a$, computes $Y_a = n_a B$ and sends $Y_a$ to the second party. Similarly, the second party computes $Y_b = n_b B$ and sends $Y_b$ to the first party. Finally the two parties generate the same key $K = n_a Y_b = n_b Y_a = n_a n_b B$.

The ECDSA runs as follows: the signer selects a random number $x_a$, where $2 \le x_a \le n - 2$, as his secret key and computes the corresponding public key $Y_a = x_a B$. Therefore the public key and the private key are $(E, Y_a, B, n)$ and $x_a$. To generate a signature for a message m, the signer selects a random number k, where $2 \le k \le n - 2$, and computes $r = x(kB) \bmod n$. If $r \neq 0$, he computes $s = k^{-1}(h(m) + x_a r) \bmod n$, and the signature is (r, s). To verify the signature, the verifier first confirms that $r, s \in [2, n-2]$, then computes $c = s^{-1} \bmod n$ and h(m), then $t_1 = h(m) \cdot c \bmod n$ and $t_2 = r c \bmod n$; the verifier also computes $T = t_1 B + t_2 Y_a$ and $v = x(T) \bmod n$. Finally the verifier accepts the signature if and only if $v = r$.

The ECEGS runs as follows: the signer selects a random number $x_a$, where $2 \le x_a \le n - 2$, as his secret key and computes the corresponding public key $Y_a = x_a B$. Therefore the public key and the private key are $(E, Y_a, B, n)$ and $x_a$. To generate a signature for a message m, the signer selects a random number k, where $2 \le k \le n - 2$, computes $R = kB$ and $r = x(R) \bmod n$. If $r \neq 0$, he computes $s = k^{-1}(h(m) + x_a r) \bmod n$. The couple (R, s) is the signer's signature of m. To verify the signature, the verifier first confirms that $r, s \in [2, n-2]$ and then computes $v_1 = sR$ and $v_2 = h(m)B + rY_a$. Finally the verifier accepts the signature if and only if $v_1 = v_2$.

3.2 ECDLP-Based Okamoto Identification Scheme:

In this subsection, we briefly describe the elliptic curve based Okamoto identification scheme. The Okamoto identification protocol is considered secure against active and concurrent attacks under the assumption of the hardness of the discrete logarithm problem [22]. The set of system parameters is $(q, FR, a, b, P_1, P_2, n, h)$. The prover's secrets are $(s_1, s_2)$ such that $Z = -s_1 P_1 - s_2 P_2$. The steps of the protocol are:

The prover picks $r_i \in \{0, \dots, n-1\}$, i = 1, 2, and sends $X = r_1 P_1 + r_2 P_2$ to the reader.

The reader picks a number $e \in [1, 2^t]$ and sends it to the prover. The prover computes $y_i = r_i + e s_i$, i = 1, 2, and sends them to the reader.

The reader checks whether $y_1 P_1 + y_2 P_2 + e Z = X$ by computing $y_1 P_1 + y_2 P_2 + e Z$ and comparing it to X. If they are equal, the reader accepts; otherwise it rejects.

3.3 Bilinear Pairing:

This section briefly describes the bilinear pairing and the BDHP and CDHP assumptions.

Let $G_1$ and $G_2$ denote two groups of prime order q, where $G_1$ is an additive group that consists of points on an elliptic curve, and $G_2$ is a multiplicative group of a finite field. A bilinear pairing is a computable bilinear map between two groups, which could be the modified Weil pairing or the modified Tate pairing [4, 6]. For the architecture proposed in this paper, we let e denote a general bilinear map $e : G_1 \times G_1 \to G_2$ with the following four properties:

1 - Bilinear: if $P, Q, R \in G_1$ and $a \in \mathbb{Z}_q^*$, then $e(P + Q, R) = e(P, R) \cdot e(Q, R)$, $e(P, Q + R) = e(P, Q) \cdot e(P, R)$ and $e(aP, Q) = e(P, aQ) = e(P, Q)^a$.

2 - Non-degenerate: there exist $P, Q \in G_1$ such that $e(P, Q) \neq 1$.

3 - Computability: there exist efficient algorithms to compute $e(P, Q)$ for all $P, Q \in G_1$.

4 - Alternating: $e(P, Q) = e(Q, P)^{-1}$.

Definition 1 - The bilinear Diffie-Hellman problem (BDHP) for a bilinear pairing is defined as follows: given $P, aP, bP, cP \in G_1$, where a, b and c are random numbers from $\mathbb{Z}_q^*$, compute $e(P, P)^{abc} \in G_2$.
BDHP assumption: The BDHP is assumed to be hard, that is, there is no polynomial-time algorithm that solves the BDHP with non-negligible probability.

Definition 2 - The computational Diffie-Hellman problem (CDHP) is defined as follows: given $P, aP, bP \in G_1$, where a and b are random numbers from $\mathbb{Z}_q^*$, compute $abP \in G_1$.
CDHP assumption: There exists no algorithm running in polynomial time that can solve the CDHP with non-negligible probability.

3.4 MapToPoint/Curve Function:

A trusted key generation center (TKGC) chooses two prime-order groups $G_1$ and $G_2$. Next, TKGC selects a cryptographic hash function h, where $h : \{0, 1\}^l$ for some l. Then it picks a random number $s \in \mathbb{Z}_q^*$ as its private key and computes its public key $P_{pub} = sG$, where G is a generator of $G_1$. For a user $U_i$ whose identification information is $ID_i$, TKGC maps $ID_i$ onto a point of $G_1$ using the MapToCurve or MapToPoint algorithm:

The MapToCurve algorithm [24]:
1 - Let j = 0 and $I = \log_2(1/\delta)$, where δ is a desired bound on the probability of failure.
2 - If j > I, report failure. Otherwise, $x_i = h(j, ID_i) \bmod p$ and $a = x_i^3 + 1 \bmod p$.
3 - If $a^{(p-1)/2} \bmod p = 1$, let $y_i = \min(\pm a^{(p+1)/4} \bmod p)$, output $Q_i = 12 \cdot (x_i, y_i)$ and stop; otherwise set j = j + 1 and go to step 2.
With $Q_i$, TKGC determines $U_i$'s private key $S_i = s Q_i$ and issues it to the user $U_i$ via a secure channel.

The MapToPoint algorithm [4]:
Let p be a prime such that $p \equiv 2 \pmod 3$ and $p = 6q - 1$, and let E be a supersingular curve.
1 - Compute $y_0 = H(ID)$ and $x_0 = (y_0^2 - 1)^{(2p-1)/3} \bmod p$.
2 - Let $Q_i = (x_0, y_0) \in E(\mathbb{F}_p)$ and set $Q_{ID} = 6 \cdot Q_i$. Then $Q_{ID}$ has order q as required.
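The two identity-to-point mappings of Section 3.4, as an added worked example that is not the paper's code: a try-and-increment MapToCurve with the Euler-criterion test and the canonical choice of root, and the direct cube-root MapToPoint. Everything concrete here is an assumption: p = 1019 is a constructed toy prime chosen because it is both 3 (mod 4), which turns the square root into a single exponentiation, and 2 (mod 3), which makes cubing a bijection; the hash h is SHA-256 over the counter and the identity; and the final cofactor multiplications (the 12·Q_i and 6·Q_i steps) are left out because they need elliptic-curve point arithmetic, so the functions return the raw curve point.

```python
# Added example (not the paper's code): MapToCurve and MapToPoint of Section
# 3.4 on the curve y^2 = x^3 + 1 over F_p. p = 1019 is a constructed toy prime
# with p = 3 (mod 4) and p = 2 (mod 3); cofactor multiplication is omitted.
import hashlib
import math

p = 1019
assert p % 4 == 3 and p % 3 == 2


def on_curve(x, y):
    """True iff (x, y) satisfies y^2 = x^3 + 1 over F_p."""
    return (y * y - x ** 3 - 1) % p == 0


def h(j, identity):
    """h(j, ID_i) of the paper, instantiated as SHA-256(counter || ID) mod p."""
    data = j.to_bytes(4, "big") + identity.encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % p


def map_to_curve(identity, delta=2.0 ** -40):
    """Try-and-increment mapping.

    Returns ((x_i, y_i), tries) or raises after I = log2(1/delta) failures,
    which bounds the failure probability by delta (each try succeeds w.p. ~1/2).
    """
    limit = math.ceil(math.log2(1 / delta))          # I = log2(1/delta)
    for j in range(limit + 1):                        # j = 0 .. I
        x = h(j, identity)
        a = (x ** 3 + 1) % p
        if pow(a, (p - 1) // 2, p) == 1:              # Euler criterion: a is a nonzero square
            y = pow(a, (p + 1) // 4, p)               # square root, valid since p = 3 (mod 4)
            return (x, min(y, p - y)), j + 1          # min(+-y) picks the root canonically
    raise ValueError(f"MapToCurve failed for {identity!r} after {limit + 1} tries")


def map_to_point(identity):
    """Direct mapping: never fails, because x -> x^3 is a bijection when p = 2 (mod 3)."""
    y0 = int.from_bytes(hashlib.sha256(identity.encode()).digest(), "big") % p
    x0 = pow((y0 * y0 - 1) % p, (2 * p - 1) // 3, p)  # cube root of y0^2 - 1
    return (x0, y0)
```

On any identity string, map_to_point returns a curve point in one step, whereas map_to_curve succeeds only with probability about 1/2 per counter value; that is why the paper parameterizes it with a failure bound δ rather than a fixed number of tries.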

4 PROPOSED ARCHITECTURE:

In this section we describe the PAPA architecture, in which an entity proves its identity to the verifying server in such a way that privacy and anonymity are protected. A user Ui represents a mobile client which has an RFID tag, a mobile phone or a PDA as an access device for accessing the needed services. Figure 1 shows the PAPA design architecture.

Figure 1. The PAPA Design
[Figure: a mobile client (mobile phone, PDA, RFID, etc.) communicates with the Reader in the Smart Environment; the Reader is connected to the DB Server for authentication and to the Server for services. The message steps are labelled 1, 2, 3, 4-a and 4-b.]

4.1 Parameters Initialization:

Our infrastructure involves a trusted key generation center (TKGC), an embedded device (ED), a reader or readers (R), a database server for authentication (DBID), a server providing services (SS) and users denoted by Ui. The TKGC chooses two groups G1 and G2 of prime order q, where q is large enough to make solving the discrete logarithm problem in G1 and G2 infeasible. The TKGC chooses G as a generator of G1, chooses the MapToPoint/Curve function H and chooses e, the bilinear pairing map. The TKGC computes $P_{TKGC} = s \cdot G$, where $s \in \mathbb{Z}_q^*$ is the TKGC's private key, and keeps s secret. Finally, for each user Ui to be registered, TKGC calculates Qi, determines Ui's private key $S_i = s \cdot Q_i$ and issues it to the user via a secure channel.

The table below (Table 1) shows the ECC mathematicalparameters that are used for our proposed scheme.

4.2 Proposed Architecture Assumption

We first assume that the user's public and private keys (Qi, Si) are kept secure, which means that Si for each Ui is stored on his own ED in a secure way. In addition, we assume that the communication channel between the reader and the back-end server (the DBID or authentication server) is insecure. Furthermore, and differently from previous works, the reader is no longer a trusted third party, which means that the reader will be authenticated by the back-end server (DBID). Finally, the database DBID manages and stores, for each ED or user Ui, a record consisting of ⟨Qi, Si, s1, s2⟩, where (s1, s2) are the prover's secrets.

Table 1. EC Mathematical Notations

Index     Explanation
TKGC      The trusted key generation center
G1        An additive group with prime order q
G2        A multiplicative group with prime order q
G         A generator of G1
Ppub      The public key of TKGC, Ppub = s.G
s         Chosen from Z*q by TKGC; s is kept secret
IDi       The identity of user i, IDi ∈ {0, 1}*
Si        The long-term private key of user i, 1 ≤ i ≤ n
Qi        The long-term public key of user i, Qi = s.H(IDi), where H is a map function
H1, H2    Hash functions
p, q      Large prime numbers, where p = 2.q + 1
P, Q      Random points over the elliptic curve
a, b      Randomly generated private keys
E         Non-supersingular elliptic curve
B         B ∈ E(Fq) with order q
x(Q)      x coordinate of point Q

Figure 2. The PAPA Architecture
[Figure: message flow between User U, Reader and DB. Reader → U: Query, X; U → Reader: f, (Rx, Tx); Reader → DB: E(Rx, Tx); DB → Reader: E(s1, s2); Reader → U: (y1, y2).]

4.3 Proposed Architecture Description

Before running the authentication procedure (Figure 2), the reader must be able to address a particular embedded device, that is, to singulate it from among a population of many other devices. During singulation, the responses of multiple embedded devices may interfere with each other, necessitating an anti-collision algorithm, which may be either probabilistic or deterministic. Accordingly, the reader R applies a collision-avoidance protocol such as secure binary tree walking [23, 2] or the standard ISO protocols [1] to singulate the ED. Higher densities of devices result in a higher collision rate and degraded performance. Once the reader has singulated one device, the algorithm proceeds with the following steps.

Within the first round (from R to ED), the reader starts the protocol by generating two fresh random nonces r1 and r2 ∈ Zn, then it calculates the point X where

X = r1 × P1 + r2 × P2 (1)

and finally sends the pair ("request", X) to the embedded device ED (step 1 in Figure 1).

Within the second round, the queried ED generates a fresh random nonce f, where $f \in_R \mathbb{Z}_{2^t}$, then computes (Rx, Tx), the signature pair over the user's private key Si. Finally the ED sends (Rx, Tx) and f to the reader R (step 2 in Figure 1). We can choose to deploy one of many available secure signature algorithms. The choice of algorithm depends on the computation and communication cost factors associated with the ED's type. For more information on choosing a signature scheme, two available schemes are discussed in Section 7.

Within the third round, and since we declared in the assumptions above that the communication channel between the reader and the authentication server is insecure, upon receiving the signature pair (Rx, Tx) from the ED the reader R applies a Weil-pairing-based encryption algorithm to the signature pair. Finally it sends $E_{K_e}(R_x, T_x)$ to the back-end server DBID.

Our two nodes, the reader and the back-end server, can directly compute a shared key between them without exchanging any prior message. Based on one's own private key and the other party's public key, they compute the shared key as follows. We denote their private/public keys by $S_R = s \cdot Q_R$, where $Q_R = H_1(ID_R)$, and $S_{DB} = s \cdot Q_{DB}$, where $Q_{DB} = H_1(ID_{DB})$. The reader computes $K_{R/DB} = e(S_R, Q_{DB})$ and the server computes $K_{DB/R} = e(Q_R, S_{DB})$. Finally the shared symmetric secret key is

$K_e = H_2(K_{R/DB}) = H_2[e(Q_R, Q_{DB})^s] = H_2(K_{DB/R})$. (2)

This approach is very efficient in terms of communication and computation, which makes it very attractive for environments where the entities' capabilities are limited.

Within the fourth round, upon receiving the encrypted signature pair $E_{K_e}(R_x, T_x)$ from R, the back-end server DBID decrypts the message and verifies the signature pair. If it is valid, the back-end server accepts, and the pair (s1, s2) associated with the authenticated ED is extracted from the database and encrypted using the Weil-pairing-based encryption algorithm. Finally, the back-end server sends $E_{K_e}(s_1, s_2)$ to the reader R.

Within the fifth round, the reader first decrypts the received message, extracts the pair (s1, s2) and then computes

yi = (ri + (f × si)) (mod n) (3)

for i = 1, 2, and finally sends (y1, y2) to the ED.

The ED computes

$\sum_{i} (y_i \times P_i) + f \times Z$ (4)

and then checks whether $\sum_{i} (y_i \times P_i) + f \times Z$ equals X; if so, the ED accepts, otherwise it rejects.

Meanwhile, the pair (s1, s2) could be encrypted and sent to a server (step 4-b, Figure 1) that will associate the user Ui with the services it is allowed to access.
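The ECEGS signature of Section 3.1 (used here for the ED's (Rx, Tx) pair) together with the Okamoto-style rounds (1), (3) and (4) of Sections 3.2 and 4.3, as one added worked example that is not the paper's code. It fixes the pieces the paper leaves abstract, all of which are assumptions: the curve is secp256k1, h is SHA-256 reduced into Z_n, the second Okamoto base point P2 is a fixed multiple of B (a demo choice; a real setup needs the discrete logarithm of P2 with respect to P1 to be unknown), and the pairing-based encryption of rounds 3 and 4 is omitted, so the reader simply receives (s1, s2) from the DB record. The second run models a reader the DB has refused: it never learns (s1, s2), so its (y1, y2) fails the ED's check (4) even though the ED's signature itself was valid.

```python
# Added example (not the paper's code): EC-ElGamal signatures (Section 3.1) for
# the ED's (Rx, Tx) pair, and the Okamoto-style rounds (1), (3), (4) of Section
# 4.3, where the reader proves knowledge of (s1, s2) to the ED. Assumptions:
# curve secp256k1, h = SHA-256 mod n, P2 a fixed multiple of B (demo only),
# round-3 pairing encryption omitted.
import hashlib
import secrets

p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
A, C = 0, 7                       # curve y^2 = x^3 + A*x + C over F_p
B = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141   # order of B
O = None                          # point at infinity

def add(P, Q):
    """Affine point addition on E(F_p); handles O, P + (-P) and doubling."""
    if P is O:
        return Q
    if Q is O:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 != y2 or y1 == 0):
        return O
    if P == Q:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def mul(k, P):
    """Double-and-add scalar multiplication k*P (not constant-time; demo only)."""
    R = O
    while k > 0:
        if k & 1:
            R = add(R, P)
        P, k = add(P, P), k >> 1
    return R

def neg(P):
    return O if P is O else (P[0], (-P[1]) % p)

def on_curve(P):
    return P is not O and (P[1] ** 2 - P[0] ** 3 - A * P[0] - C) % p == 0

def h(m):
    """Message hash into Z_n (the paper leaves h abstract; SHA-256 assumed)."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % n

def rand_scalar():
    return secrets.randbelow(n - 3) + 2          # uniform in [2, n-2]

# ---- EC-ElGamal signature scheme (ECEGS) as stated in Section 3.1 ----
def ecegs_keygen():
    x_a = rand_scalar()                          # private key x_a
    return x_a, mul(x_a, B)                      # public key Y_a = x_a*B

def ecegs_sign(x_a, m):
    while True:
        k = rand_scalar()
        R = mul(k, B)
        r = R[0] % n                             # r = x(R) mod n
        s = pow(k, -1, n) * (h(m) + x_a * r) % n
        if 2 <= r <= n - 2 and 2 <= s <= n - 2:  # retry on the degenerate cases
            return R, s

def ecegs_verify(Y_a, m, sig):
    R, s = sig
    if not on_curve(R) or not (2 <= R[0] % n <= n - 2) or not (2 <= s <= n - 2):
        return False
    return mul(s, R) == add(mul(h(m), B), mul(R[0] % n, Y_a))   # s*R == h(m)*B + r*Y_a

# ---- Okamoto-style rounds of PAPA (Sections 3.2 and 4.3) ----
P1, P2 = B, mul(0x5A17, B)   # constructed base points; log_P1(P2) must be unknown in practice

def okamoto_public(s1, s2):
    return neg(add(mul(s1, P1), mul(s2, P2)))    # Z = -s1*P1 - s2*P2

def reader_commit():
    r = (secrets.randbelow(n), secrets.randbelow(n))
    return r, add(mul(r[0], P1), mul(r[1], P2))  # X = r1*P1 + r2*P2          (1)

def reader_respond(r, s, f):
    return tuple((ri + f * si) % n for ri, si in zip(r, s))   # y_i = r_i + f*s_i  (3)

def ed_check(X, Z, f, y):
    lhs = add(add(mul(y[0], P1), mul(y[1], P2)), mul(f, Z))   # sum(y_i*P_i) + f*Z (4)
    return lhs == X

def run_papa(msg=b"constructed request", t=128, reader_authorized=True):
    """One protocol run; returns (signature_ok at DB, identification_ok at ED)."""
    x_a, Y_a = ecegs_keygen()                    # ED's long-term signing key pair
    s = (rand_scalar(), rand_scalar())           # (s1, s2) held in the DB record for this ED
    Z = okamoto_public(*s)                       # Z is known to the ED
    r, X = reader_commit()                       # round 1: R -> ED: ("request", X)
    f = secrets.randbelow(2 ** t)                # round 2: ED's challenge f in Z_{2^t}
    sig = ecegs_sign(x_a, msg)                   #          ED -> R: f, (Rx, Tx)
    sig_ok = ecegs_verify(Y_a, msg, sig)         # round 4: DB verifies (Rx, Tx)
    if not reader_authorized:                    # a refused reader never receives (s1, s2)
        s = (rand_scalar(), rand_scalar())       # and can only guess them
    y = reader_respond(r, s, f)                  # round 5: R -> ED: (y1, y2)
    return sig_ok, ed_check(X, Z, f, y)          # ED accepts only with the genuine (s1, s2)
```

The check `mul(n, B) is None` in the test doubles as a sanity check of the curve constants: if n were not the order of B, the whole example would be computing in the wrong group. Note also the role inversion relative to Section 3.2: in PAPA it is the reader that responds with (y1, y2), and the ED that plays the Okamoto verifier.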

5 Security And Privacy Analysis

Our proposed architecture is considered to provide privacy and anonymity for users. In the following, we evaluate our architecture against the security requirements addressed in Section 2.

-Mutual authentication: The digital signature pair (Rx, Tx) created by the ED is verified by the back-end server, and the pair (s1, s2) sent by the back-end server is recalculated by the reader as (y1, y2) and verified by the ED. Therefore, our proposed architecture guarantees secure mutual authentication between the embedded device ED and the back-end server.

-Passive attack: Suppose an attacker performs a passive attack; then the session will terminate with both legitimate parties accepting, that is, the two parties successfully identify themselves to each other. Since the messages exchanged between the reader and the ED are generated from random nonces that are freshly generated for every session, it is infeasible for an attacker to compute any useful information, including the IDi of a user Ui. Therefore the architecture resists the passive attack.

-Man-in-the-middle attack (or active attack): Suppose that an attacker intercepts X and replaces it with $X'$; the attacker then receives f and (Rx, Tx) from the ED. He would like to replace the pair with $(R'_x, T'_x)$, as before. However, and unfortunately for the attacker, he cannot compute the value of the new pair because he does not know the user's credentials and parameters and because the transmitted messages are meaningless. Therefore the proposed scheme thwarts the man-in-the-middle attack.

-Perfect forward secrecy: Each run of the protocol computes a unique X, a unique signature pair (Rx, Tx) and a unique pair (y1, y2). In addition, the transmitted messages are meaningless, as they are generated for each new session using new random nonces. Thus, the architecture provides perfect forward secrecy.

-Data confidentiality: Since our architecture provides secure mutual authentication between the ED and the system, and since the information transmitted between the ED and the system is meaningless, our architecture provides data confidentiality and the user's privacy on data is strongly protected.

-ED anonymity and location privacy: During the authentication process, a signature algorithm is used to produce the signature pair (Rx, Tx). The pair (Rx, Tx) and f that are transmitted between the ED and R are randomized and anonymous since they are updated for each read attempt. Thus, our architecture provides user anonymity, and location privacy is not compromised.

-Unauthorized reader detection: Our proposed architecture assumes an insecure communication channel between R and the back-end server. An unauthorized reader $R'$ is detected and prevented by the back-end server DBID using the Weil-pairing-based encryption algorithm between the reader and the back-end server, and by the verification of the pair (y1, y2) by the legitimate user or ED. Thus, our scheme protects against unauthorized readers.

6 AVISPA SECURITY VALIDATION:

In the AVISPA tool [8], security protocols are specified using the High Level Protocol Specification Language (HLPSL). The HLPSL specification is translated into an Intermediate Format (IF). The current version of the AVISPA tool integrates four back-ends: OFMC, CL-AtSe, SATMC and TA4SP.

Before running verifications with AVISPA and SPAN [10], our protocol was written in the High Level Protocol Specification Language, or HLPSL. A modified model was written in order to be suitable for the OFMC validation. Once the HLPSL specification was debugged, it was checked automatically for attack detection using the AVISPA verification tools. Figure 3 shows the corresponding execution with AVISPA's OFMC tool. No attacks were found, and the security goals concerning privacy and anonymity are reached. The protocol is also safe and a strong mutual authentication is established.

Figure 3. The OFMC Output

7 Performance Evaluation: Efficiency and Comparison:

Computation and communication cost are the most important aspects of authentication protocols affecting overall performance. They include the number of steps, exponentiations, large blocks, symmetric encryptions and decryptions, hash functions and random numbers. Given the above requirements, and given that our architecture is designed to be implemented in environments where the entities' capabilities are limited, the choice of the signature algorithm should be well studied. Some of the well-secured signatures that could be used include ECDSA, EC-ElGamal, the ID-based signatures from pairings on elliptic curves [17], and the identity-based signature scheme from the Weil pairing [24]. In addition, a new signature could be designed to achieve our goal and to fit the global architecture well. In the following, we briefly describe the signatures listed above.

For the ID-based signatures from pairings on elliptic curves [17], to sign a message $M$ a user first chooses a random $K \in \mathbb{Z}_q^*$ and computes his signature on the message as the pair $(R_x, T_x)$, where

$$R = K.P, \qquad S = K^{-1}\big(H_2(M).P + H_3(R).Q_{ID}\big). \qquad (5)$$

To verify the signature pair $(R, T)$, the verifier computes $e(R, T)$ and compares it to the value

$$e(P, P)^{H_2(M)} \cdot e(P_{pub}, Q_{ID})^{H_3(R)}. \qquad (6)$$

The signature is accepted if these values match; otherwise it is rejected.

For the identity-based signature scheme from the Weil pairing [24], when a signer $U_i$ signs a message $m$, he chooses a random number $r \in \mathbb{Z}_q^*$ and computes $R = rG$ and

$$T = \pm r.P_{pub} + h(m, \pm R).S_i. \qquad (7)$$

The signature of the signer $U_i$ on the message $m$ is the pair $(R_x, T_x)$. To verify the signature pair, the verifier computes $a$ and $b$, then computes $R'$ and $T'$. Finally, the verifier computes $u$ and $v$, where $u = e(T', G)$ and $v = e(R' + h(m, R').Q_i, P_{pub})$. If $u = v$ or $u = v^{-1}$, the signature is accepted; otherwise it is rejected.

In the following, we show another identity-based protocol, the EC-based Guillou-Quisquater scheme [22], that could be used instead of the EC-based Okamoto identification scheme. The motivation for choosing another identity-based scheme is to minimize computation and communication cost for systems where the entities' capabilities are limited and must be carefully considered. The EC-based Guillou-Quisquater protocol is also considered secure against active and concurrent attacks under the assumption that the discrete logarithm problem is hard [22]. The set of system parameters is $(q, FR, a, b, P, n, h)$. The prover's secret is $s$, with public value $Z = -s.P$. The steps of the protocol are:

The prover picks $r \in \{0, \ldots, n-1\}$ and sends $X = r.P$ to the reader.

The reader picks a number $e \in [1, 2^t]$ and sends it to the prover. The prover computes $y = r + e.s$ and sends it to the reader.

The reader computes $y.P + e.Z$ and compares it to $X$. If they are equal, the reader accepts; otherwise it rejects.
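The three-message EC-based Guillou-Quisquater exchange described above, as an added example that is not part of the paper: a Python run on a constructed toy curve. The curve, base point, brute-force order computation and point-arithmetic helpers are assumptions for illustration only, not the paper's system parameters; the reader's check $y.P + e.Z = X$ holds because $(r + e.s).P - e.s.P = r.P$.

```python
import secrets

# Constructed toy parameters (illustration only): y^2 = x^3 + 2x + 3 over F_97,
# a non-singular curve; G plays the role of the paper's base point P.
P_MOD, A, B = 97, 2, 3
G = (3, 6)                                  # 6^2 = 36 = 3^3 + 2*3 + 3 (mod 97)

def on_curve(pt):
    return (pt[1] ** 2 - (pt[0] ** 3 + A * pt[0] + B)) % P_MOD == 0

def ec_add(p1, p2):                         # affine group law; None = infinity
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None                         # p2 == -p1
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD)
    lam %= P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def ec_neg(pt):
    return None if pt is None else (pt[0], (-pt[1]) % P_MOD)

def ec_mul(k, pt):                          # double-and-add, k >= 0
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def point_order(pt):                        # brute force; fine on a toy curve
    k, q = 1, pt
    while q is not None:
        q, k = ec_add(q, pt), k + 1
    return k

N = point_order(G)                          # the paper's n

def keygen():
    s = secrets.randbelow(N - 1) + 1        # prover's secret s
    return s, ec_neg(ec_mul(s, G))          # public Z = -s.P

def verify(X, e, y, Z):                     # reader: y.P + e.Z == X ?
    return ec_add(ec_mul(y, G), ec_mul(e, Z)) == X   # (r + e.s).P - e.s.P = r.P

def run_protocol(s, Z, t=8):
    r = secrets.randbelow(N)                # prover: commitment X = r.P
    X = ec_mul(r, G)
    e = secrets.randbelow(2 ** t) + 1       # reader: challenge e in [1, 2^t]
    y = (r + e * s) % N                     # prover: response y = r + e.s
    return verify(X, e, y, Z)
```

A response computed with the wrong secret (or a tampered $y$) fails the reader's check, since $y.P + e.Z$ then differs from $X$ by a non-zero multiple of $P$.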

8 Conclusion

Ubiquitous computing is an emerging research area with great potential. The privacy and anonymity of users in pervasive environments should be carefully considered. In this paper, we present an architecture to preserve privacy and anonymity which is based on elliptic curve techniques, on the MaptoPoint/Curve algorithm, on the Weil pairing and on the Okamoto identification scheme. Our proposed architecture can easily be modified to support an authenticated key agreement mechanism and dynamic key updating. Our scheme is simple, easy to realize, and meets security and privacy objectives including mutual authentication, resistance to man-in-the-middle and replay attacks, confidentiality, user anonymity and location privacy. Our proposed architecture can be configured to use one of many secure communication schemes (signature schemes, identity-based schemes and Weil pairing based encryption algorithms). For the communications between the reader and the back-end server, we use static pair-wise key agreement. In order to achieve more robust security between the reader and the back-end server, another dynamic key agreement could be used. In addition, the choice of the signature and identity schemes could be made according to the implementation parameters and the computing environment. As future work, we are currently validating the protocol using the SPAN tool and analyzing its performance in terms of computation, storage, communication and cost. In addition, a complete comparison with other protocols and prototypes will be studied and presented.

Acknowledgments

The authors would like to thank the following departments, RST-INT Evry and FOE-UL, for their support and comments. Their suggestions and observations were extremely helpful throughout this paper.

References

[1] ISO/IEC JTC 1/SC 31/WG 4. Information technology - AIDC techniques - RFID for item management - air interface. Part 3: Parameters for air interface communications at 13.56 MHz, Apr. 2004.

[2] A. Juels, R. L. Rivest and M. Szydlo. The blocker tag: Selective blocking of RFID tags for consumer privacy. Proc. of the 10th ACM Conference on Computer and Communications Security, pages 103-111, Oct. 2003.

[3] A. Menezes, T. Okamoto and S. Vanstone. Reducing elliptic curve logarithms to logarithms in a finite field. IEEE Transactions on Information Theory, vol. 39, pages 1639-1646, 1993.

[4] D. Boneh and M. Franklin. Identity-based encryption from the Weil pairing. Advances in Cryptology - CRYPTO 2001, LNCS 2139, pages 213-229, 2001.

[5] G. Frey and H. Rück. A remark concerning m-divisibility and the discrete logarithm in the divisor class group of curves. Mathematics of Computation, vol. 62, pages 865-874, 1994.

[6] G. Frey, M. Müller and H. Rück. The Tate pairing and the discrete logarithm applied to elliptic curve cryptosystems. IEEE Transactions on Information Theory, vol. 45, no. 5, pages 1717-1719, 1999.

[7] D. Henrici and P. Müller. Hash-based identification devices using varying identifiers. In Proc. of PerSec '04 at IEEE PerCom, pages 149-153, Mar. 2004.

[8] http://www.avispa-project.org. Automated validation of internet security protocols and applications. 2006.

[9] http://www.int-evry.fr/rst/. 2008.

[10] http://www.irisa.fr/lande/genet/span. A security protocol animator for AVISPA. 2008.

[11] N. Koblitz. Elliptic curve cryptosystems. Mathematics of Computation, vol. 48, pages 203-209, 1987.

[12] N. Koblitz. CM-curves with good cryptographic properties. Proc. of Crypto '91, Santa Barbara, USA, 1992.

[13] L. Law, A. Menezes, M. Qu, J. Solinas and S. Vanstone. An efficient protocol for authenticated key agreement. Designs, Codes and Cryptography, vol. 28.

[14] L. Law, A. Menezes, M. Qu, J. Solinas and S. Vanstone. An efficient protocol for authenticated key agreement. Technical report CORR 98-05, Department of Combinatorics and Optimization, University of Waterloo, 1998.

[15] M. Ohkubo, K. Suzuki and S. Kinoshita. Cryptographic approach to "privacy-friendly" tags. In RFID Privacy Workshop, MIT, MA, USA, Nov. 2003.

[16] V. Miller. Uses of elliptic curves in cryptography. In Proc. of Crypto '85, Santa Barbara, USA, pages 417-426, 1986.

[17] K. G. Paterson. ID-based signatures from pairings on elliptic curves.

[18] J. Pollard. Monte Carlo methods for index computation (mod p). Mathematics of Computation, vol. 32, pages 918-924, 1978.

[19] S. Sarma, S. Weis and D. Engels. RFID systems and security and privacy implications. Auto-ID Center, 2002.

[20] S. Weis, S. Sarma, R. Rivest and D. Engels. Security and privacy aspects of low-cost radio frequency identification systems. In Proc. of the 1st Security in Pervasive Computing, LNCS vol. 2802, pages 201-212, 2004.

[21] I. Semaev. Evaluation of discrete logarithms in a group of p-torsion points of an elliptic curve in characteristic p. Mathematics of Computation, vol. 67, pages 353-356, 1998.

[22] D. R. Stinson. Cryptography: Theory and Practice. Chapman and Hall/CRC, third edition, 2006.

[23] S. Weis. Security and privacy in radio frequency identification devices. Master's thesis, MIT, 2003.

[24] X. Yi. An identity-based signature scheme from the Weil pairing. IEEE Communications Letters, vol. 7, no. 2, Feb. 2003.
