Title of Invention	METHOD OF AUTHENTICATION BASED ON POLYNOMIALS
Abstract	There is provided an authentication method for a system (10) comprising several devices (30). The method involves: a) providing each device (30) with an identity value (pi: i = 1. ..., n) and a polynomial (P) for generating a polynomial key; (b) including a verifier device (p{) and a prover device (P2) amongst said devices (30); (c) arranging for the prover device (Pj); (d) arranging for the verifier device(pi) to challenge the prover device (p2) to encrypt a nonce using the prover (P2) device's polynomial (P) key and communicate the encrypted nonce as a response to the verifier device (pi) to receive the encrypted nonce as a further challenge from the prover device (p2) and: (i) encrypt the challenge using the polynomial keys generated from a set of stored device identities; or (ii) decrypt the challenge received using the set of polynomial keys; until said verifier device (pi) identifies an authentication match.

Title of Invention

METHOD OF AUTHENTICATION BASED ON POLYNOMIALS

Abstract

There is provided an authentication method for a system (10) comprising several devices (30). The method involves: a) providing each device (30) with an identity value (pi: i = 1. ..., n) and a polynomial (P) for generating a polynomial key; (b) including a verifier device (p{) and a prover device (P2) amongst said devices (30); (c) arranging for the prover device (Pj); (d) arranging for the verifier device(pi) to challenge the prover device (p2) to encrypt a nonce using the prover (P2) device's polynomial (P) key and communicate the encrypted nonce as a response to the verifier device (pi) to receive the encrypted nonce as a further challenge from the prover device (p2) and: (i) encrypt the challenge using the polynomial keys generated from a set of stored device identities; or (ii) decrypt the challenge received using the set of polynomial keys; until said verifier device (pi) identifies an authentication match.

Full Text	1 Method of authentication based on polynomials FIELD OF THE INVENTION The present invention relates to methods of authentication based on polynomials. Moreover, the invention also relates to systems and apparatus operable according to these methods. BACKGROUND TO THE INVENTION Authentication protocols are used in contemporary communication systems for enabling a first party to prove its identity towards a second party; for convenience, these first and second parties are conveniently denoted by prover and verifier respectively. In many known protocols, the prover first claims an identity, after which the prover proves knowledge of some secret associated with the prover's claimed identity. A protocol in which two parties are being assured of each other's identity is referred to as "mutual authentication". Such authentication is often implemented using key establishment procedures, for example using public-private key authentication protocols. These authentication protocols not only verify identity, but also often establish symmetrical session keys with which further communications can be encrypted and authenticated. The inventors have appreciated that it is desirable that identities of mutually communicating parties cannot be determined by third parties observing or eavesdropping on the mutually communicating parties. Such a situation can potentially arise in practice when a user authenticates herself using a wireless smart card presented to a smart card reader, for example a smart card reader at an entrance of a high-security building. If a standard authentication protocol is employed at the entrance, an eavesdropper could hypothetically simply detect the presence of a user at this location. Such detection can potentially provide essential initial information for executing location tracking of the user. Moreover, this location tracking can constitute an invasion of personal privacy. This problem has already been envisaged by Martin Abadi in a scientific paper with title "Private Authentication" presented at a Conference on Privacy Enhancing Technologies (PET2002), San Fracisco, USA, April 2002 whose proceedings are published in Springer Lecture Notes in Computer Science vol. 2482/2003, pp. 27-40. In the paper, M. Abadi describes two protocols which are variants of known Denning-Sacco and Needham-Schroeder protocols as elucidated in B. Schneier publication "Applied Cryptography", Second Edition published by John Wiley & Sons Inc. in 1996. A problem of these recently proposed protocols by M. Abadi is that public key cryptography is employed requiring a relatively large amount of processing power for its implementation, such processing power often not being practical and/or available on small consumer devices, for example portable battery-powered devices. A more recent polynomial-based multi-user key generation and authentication method is described in a published international PCT patent application WO 03/077470 (attorney docket PHNL020192). In this PCT application, there is described a method of generating a common secret between a first party and a second party. These parties can be, for example, devices in a home network operable in accordance with a contemporary7 Digital Rights Management (DRM) framework. The devices calculate the common secret by evaluating a product of two polynomials P(x, y) and Q(x, z) using parameters previously distributed by a Trusted Third Party (TTP) and parameters obtained from another device. Optionally, each party subsequently verifies that the other party has generated the same secret using a zero-knowledge protocol or a commitment-based protocol. Such a method described in this published PCT application is especially suitable for use in conjunction with low power devices such as Chip-In-Disc type devices. The inventors have appreciated that even this recent authentication method has drawbacks and limitations which the inventors seek to address by way of the present invention. SUMMARY OF THE INVENTION An object of the present invention is to provide an alternative authentication protocol method. According to a first aspect of the present invention, there is provided a method of authentication based on polynomials for a system comprising a plurality of devices operable to mutually communicate; said method comprising steps of: (a) providing each of said plurality of devices with a corresponding identity value (pi: i = 1, n) together with an associated polynomial (P) for generating a polynomial key; (b) arranging for the plurality of devices to include a verifier device (pi) and a prover device (p2); (c) arranging for the prover device (P2) to notify its existence to the verifier device (p.); (d) arranging for the verifier device (pi) to issue a first challenge to the prover device (p:) to encrypt a nonce using the prover (p2) device's polynomial (P) key and communicate the encrypted nonce as a response to the verifier device (pi); (e) arranging for the verifier device (pi) to receive the encrypted nonce as the response from the prover device (p2) and: (i) to encrypt the first challenge using the polynomial keys -generated from a set of stored device identities; or (ii) to decrypt the encrypted response received from the prover device (P2) using the polynomial keys; until said verifier device (pi) identifies a match for said response, said match being indicative of authentication. The invention is of advantage in that it is capable of providing a more flexible procedure for authentication based on polynomials. A "polynomial key" is a numerical result of evaluating a polynomial, for example k = Ppi(p2), wherein k is a key, Ppi is a polynomial, and P2 is a value input to the polynomial. Individual devices in the system are capable of operating both as verifiers and provers. Optionally, one or more of the devices of the system are capable of concurrently functioning as both verifiers and provers. Optionally, in step (a) of the method, issuance of the identity values (pi) and associated polynomials is undertaken via a trusted third party. Such an approach results in a trusted deployment of the system Optionally, the method includes a further step of applying said method of authentication in general mutual authentication key establishment protocols in said system for providing mutual authentication for said plurality of devices. Optionally, in the method, a random value is additionally created by the prover device and encrypted together with the response from the verifier device for sending back to the verifier device, said random number being operable to function as a session key. This session key is beneficially updated so as to provide not only a record of a sequence of communication but also protect against eavesdropping on the plurality of devices. Optionally, in the method, the first challenge from the verifier device (pi) to the prover device (p2) is a random value. The use of nonces implemented as random values renders the system more difficult to eavesdrop. Optionally, the method further includes a step of configuring the system so that said plurality of devices includes multiple prover devices and multiple verifier devices, said multiple prover devices including a subset of prover devices operable to authenticate to a particular verifier device of the multiple verifier devices. Optionally, in the method, said prover devices are implemented as smart cards or tags enabling access to services related to and/or coupled to a given verifier device. Optionally, in the method, the polynomial is operable to function as a Blom-type key. Blom-types keys are elucidated in the foregoing with regard to a publication by Rolf Blom (Linkoping University) which is incorporated by reference. Optionally, in the method, the prover device is operable to apply a hash function or keyed hash function to create a response to the first challenge from the verifier device. According to a second aspect of the invention, there is provided a system operable according to the method of the first aspect of the invention. Optionally, the system is adapted for providing at least one of: (a) authentication associated with financial transactions executed within banking systems; ■(b) controlling access, for example personnel access, by way of tags or similar portable identifiers authenticating within a system operable according to the method. According to a third aspect of the invention, there is provided software on a data carrier executable on computing hardware to implement the method according to the first aspect of the invention. According to a fourth aspect of the invention, there is provided a smart card or tag for undertaking authentication in an authentication system, the system being arranged to be operable according to a method according to the first aspect of the invention. It will be appreciated that features of the invention are susceptible to being combined in any combination without departing from the scope of the invention. DESCRIPTION OF THE DIAGRAMS Embodiments of the invention will now be described, by way of example only, with reference to the following diagrams wherein: Figure 1 is an illustration of a system being established for implementing a method of authentication according to the present invention; Figure 2 is a depiction of communication exchange in a private authentication protocol in which a proving device p; authenticates to a verifying device p?; and Figure 3 is a depiction of communication exchange in a mutual authentication protocol between the devices p2 and p). DESCRIPTION OF EMBODIMENTS OF THE INVENTION in the present invention, the inventors have devised an authentication protocol operable to provide privacy and protection against eavesdropping without complications associated with utilizing public key cryptography. Moreover, the devised protocol is capable in use of providing more flexibility than purely symmetrical key-based approaches. The inventors' authentication protocol is based on a scheme proposed by Rolf Blom in a scientific paper "Non-public key distribution" published in Advances in Cryptography, Proceedings of Crypto f82, pp. 231-236, 1983; disclosure in R. Blom's scientific paper is herewith incorporated by reference for purposes of elucidating the present invention. An embodiment of the present invention implemented as a system will be described with reference to Figure 1. The system comprises a third party7 denoted by TTP which chooses a symmetrical matrix T having a size (n+1) rows by (n~l) columns; the matrix T has element entries denoted by ty wherein an index i denotes matrix column and an index j denotes matrix row. For the matrix T to exhibit symmetry, the element entries are implemented such that ty - tj;. The entries ty of this matrix T thereby form coefficients of an n-th degree polynomial denoted by P(x. y) which is defined by Equation 1 (Eq. 1): On account of the matrix T being symmetrical, it follows therefrom that the polynomials P(x, y) = P(y, x) for all x and y in a field of values GF(2k). The trusted third party TTP issues to each device i included within the system an identity value p; and a corresponding private projected polynomial denoted by Ppi (y). This private projected polynomial PPj (y) is generated by the third party TTP by assigning a first argument of polynomial P(x, y) to be equal to a devices' identity value pi as described by Equation 2 (Eq. 2): From Equation 1, it follows that the symmetry of the matrix T and the resulting symmetry of the polynomial P(x, y), Equation 3 (Eq. 3) pertains for all values of the identity values p;, pj such that p.,p -: e GF(2k): Thus, the aforesaid system operates by each device obtaining from the third party TTP a projected polynomial P corresponding to its identity value p*, this polynomial P being communicated as (n+1) coefficients gj^0 which are securely stored in the device. These coefficients are generated by the third party TTP according to Equation 4 (Eq. 4): The projected polynomial Ppi(y) of a given device having an identity value p, can thus be expressed by Equation 5 (Eq. 5): Distribution of polynomial coefficients from the trusted third party TTP to individual devices is depicted in Figure 1 wherein the aforesaid system is indicated generally by 10, the trusted third party TTP is denoted by 20, and one of the devices having an allocated identity i=4 is denoted by 30. In Figure 1, there are five devices shown although the system 10 is assumed to include d devices where d is an integer of unity value or greater. The integer d does not need to be numerically equal to aforesaid parameter n. For reducing storage and processing power required in the system 10, it is desirable to arrange for n Having described in the foregoing a manner in which the polynomials P are generated by the third party TTP 20 and allocated to the devices, for example the device 30, operation of the system 10 for providing verification of authenticity will next be elucidated. The devices in the system 10 are optionally operable to function as provers and verifiers; for example, a device with identity p2 is capable of authenticating itself as a prover to a device with identity p: operable as a verifier. In a practical application of the present invention, the device operable as a verifier can be implemented as a tag reader at an entrance door of.a high-security building. Moreover, in practice, there will then be multiple provers, for example implemented as user-wearable miniature RFID tags desirous of gaining entry into the high-security building. The verifier, for example the aforesaid tag reader, has a Configuration Table (CT) of length m stored therein. This Configuration Table comprises identity values p; of provers that can be authenticated and thereby allowed access. Optionally, the Configuration Table (CT) can be publicly accessible, namely it does not need to be maintained secret or confidential. In the system 10, the Configuration Table is only susceptible to being updated by a system administrator. Optionally, the administrator is an owner of the verifier. In amending the Configuration Table, the administrator is operable to add identity values of provers to this Table (CT) in order to grant them access. In contradistinction to known symmetrical key arrangement, the present invention is distinguished in that no new shared key needs be established between a prover and a corresponding verifier when the prover is added to the Table (CT). Such a benefit arises because the system 10 involves providing the prover and verifier beforehand with corresponding private polynomials PP2(y) and Ppi(y) respectively. Operation of the system 10 wrill now be described in a scenario when the prover (PR) notifies its presence to the verifier (VE) by sending out a "hello" message 100 received by the verifier, namely a first invocation message as depicted in Figure 2. The verifier VE then generates a random challenge e denoted by 110, after which the verifier VE sends the challenge e to the prover PR together with its identity value pi. Next, the prover PR evaluates a corresponding polynomial PP2(y) therein by equating y = pi resulting in generation of a secret key K denoted by 120 according to Equation 6 (Eq. 6): Next, the prover PR then uses this key K 120 to encrypt the challenge e 110 received thereat. The prover PR thereby generates a response A denoted by 130, the response 130 A being described by Equation 7 (Eq. 7): where a symbol E denotes an encryption operation, the response being then sent back to the verifier VE. Finally, as denoted by 140, the verifier VE checks for all the identity values in its Configuration Table (CT) to determine whether or not the received response A is a valid response. The verifier VE thereby for each identity pj in the Table (CT) is capable of constructing a secret key Ki= Ppi(pi) and encrypting the challenge e using the key K4. If the verifier VE find a match for one of the pi values in its Configuration Table (CT), namely E{Ki}(e) = A, the identity corresponding to the value pj is authenticated. In this example, the verifier VE will find a match for the identity having a value p2; such matching follows from K = Ko on account of Ppo(pi) = Ppi(p2). Thus, in Figure 2, there is presented a private authentication protocol in which a device having an identity P2. namely the prover PR, authenticated to a device having an identity pi, namely the verifier VE. The verifier VE includes the Configuration Table (CT) containing the identities of sets of devices susceptible to being authenticated. The protocol depicted in Figure 2 is such that an eavesdropper can detect the identity of the verifier VE having an identity value pi but no identity information regarding the prover PR is susceptible to leaking to the eavesdropper. A party hostile to the system 10, for example an adversary or hacker, would potentially be able to retrieve a session key K=Pp2(pi) = PP](p2)3 for example if the encryption cipher of Equation 7 is weak, but would be unable therefrom to identify the identity p]5 thus the system 10 would in such challenged circumstances maintain privacy. Moreover, on account of employing the random challenge e as in Equation 7, the response A will be different each time an attempt for authentication purposes in connection with the identifier P2; in consequence, an eavesdropping party is not able to derive an identification by frequency analysis. The prover PR in the aforementioned protocol as depicted in Figures 1 and 2 will be aware that its identity will be visible to the verifier VE. In practice, the prover optionally does not implement the aforementioned protocol with all possible verifiers, since they can then all learn the prover's identity. Potentially, in the system 10, one of the verifiers, for example if hostile, could track one of the devices within the system 10. In order to try to address such a problem, the given prover PR is provided with its own Configuration Table (CT) including the identities of verifier devices VE in the system 10 with which the given prover PR is prepared to communicate. In this mode of operation wherein the prover PR also has a Configuration Table (CT), the prover PR will not correspond to a challenge from a verifier that is not on the prover's (PR) CT table. It will be appreciated that embodiments of the invention described in the foregoing are susceptible to being modified without departing from the scope of the invention as defined by the accompanying claims. Devices in the system 10 are capable of being configured so that they are operable to provide verification and proving functions concurrently. In a first further embodiment of the invention, a symmetrical cipher is employed when mutual authentication is implemented using the aforementioned protocol. Alternatively, the prover PR is.operable to generate its response A by using a one-way hash function denoted by h(). The response A generated by the prover PR will then be according to Equation 8 (Eq. 8): Similarly, the verifier VE is operable to check the response A according to Equation 9 (Eq. 9): In a second further embodiment of the invention, instead if encrypting the challenge e with all possible keys Kj= PP] (pi) from devices in the Configuration Table (CT), the verifier VE optionally uses these keys Kj to decrypt the received response A and to check whether or not the decrypted key corresponds to e. In a third further embodiment of the invention, instead of the challenge e being chosen randomly, the verifier VE alternatively employs nonces. Nonces are defined as being unique numbers for one-time use. In a fourth further embodiment of the invention, the prover PR can transport a session key r to the verifier VE by creating a response according to Equation 10 (Eq. 10): wherein E denotes an encryption function. In Equation 10, both the challenge e and the session key r are encrypted using a key K = PP2(pi). The session key r is optionally a random number generated by the prover PR. The verifier VE is operable to find a match with a first part of the response A in order to identify the prover PR in a manner as described in the foregoing with reference to Figures 1 and 2. When a match with a given prover PR is found, the Verifier VE is able to decrypt a second part of the response A by using a key Ppi (P2) in order to retrieve the session key r value which can then be used as a session key for further subsequent communications. The protocols according to the invention elucidated in the foregoing are capable of being used for achieving mutual authentication in conjunction with key establishment. Thus, it is preferable in many practical uses of the present invention to have protocols that provide mutual authentication and produce a mutually authenticated key. Many contemporary mutual authentication protocols are based on key transport or key arrangements. All these contemporary protocols based on symmetrical key techniques assume that a mutual long-term key is available before the protocols are invoked. In contradistinction to known protocols, the aforementioned protocol according to the invention provides a long-term key by equating K = Pp2 (pi), namely Equation 6, whilst keeping the identity of the prover PR secret, the aforementioned protocol according to the invention thereby being extensible to provide a mutually authenticated key. In Figure 3. there is shown a communication exchange, namely a protocol, utilizing two random number session keys n, ra. These session keys n, r2 can be used to derive a mutual key, for example by way of h(ri, r2). It is to be noted that in such a combined protocol that identity of one of the devices involved remains secret whilst the identity of the other device is revealed. Such a protocol according to the invention is thus known as a half-private mutually authenticated key establishment protocol. The protocol depicted in Figure 3 is similar to a "point-to-point" key transport protocol with associated challenge-response presented in chapter 12 of a book having title "Handbook of Applied Cryptography" by Menezes et al; however, the protocol of Figure 3 differs in that the key K is derived using the aforesaid polynomial scheme described with reference to Figure 1. On account of the prover PR needing to stay anonymous towards observers or eavesdroppers, the prover PR does not send its identity over a communication channel, thereby requiring that the verifier VE has to search in its list CT to find a matching identitv. Steps of the protocol depicted in Figure 3 are as provided in Table 1: D(kKc) denotes decryption of cipher-text c using a key k; and E{k}(m) denotes encryption of a message m using a key k. In operation, it is important that the verifier VE does not stop the protocol elucidated in Table 1 with reference to Figure 3 if the verifier VE is unable to find an identity in its Configuration Tabk (CT) that matches with the received response A. Namely, in an event that the verifier VE halts the protocol of Table 1, an observer is potentially capable of learning that the prover PR attempting to authenticate is not an entity listed in the Table (CT); it will be. of course, appreciated from the foregoing that the Table (CT) is publicly accessible. The protocol of Table 1 is therefore optionally further refined in such a situation so that the verifier VE creates a decoy message B in the event of it being unable to find a match; the observer is then potentially unable to distinguish the decoy message B from a genuine message B. The decoy message is constructed depending upon a particular form of encryption utilized in implementing the protocol described in Table 1. The method of authentication based on polynomials described in the foregoing and illustrated in Figure 1 regarding establishment of identities and in Figures 2 and 3 regarding protocol once identities have been established are susceptible to being applied in a wide range of practical applications. Such practical applications include: (a) tag readers: for example personnel access tags in high security establishments, in prisons; use of the invention with radio frequency identification RFID is especially pertinent; (b) in communication systems where secure and authenticated communication channels are required: for example in banking systems, in health care systems where personal health records need to be stored and communicated in a secure manner; and (c) in anti-counterfeiting measures: for example where electronic tags are attached to products conforming to the present invention, said electronic tags being electronically interrogated, for example, at import/customs to check for counterfeit wares. In the accompanying claims, numerals and other symbols included within brackets are included to assist understanding of the claims and are not intended to limit the scope of the claims in any way. Expressions such as "comprise", "include", "incorporate", "contain", "is" and "have" are to be construed in a non-exclusive manner when interpreting the description and its associated claims, namely construed to allow for other items or components which are not explicitly defined also to be present. Reference to the singular is also to be construed to be a reference to the plural and vice versa. CLAIMS: 1. A method of authentication based on polynomials for a system (10) comprising a plurality of devices (30) operable to mutually communicate, said method comprising steps of: (a) providing (20) each of said plurality of devices (30) with a corresponding identity value (p\\ i = 1, n) together with an associated polynomial (P) for generating a polynomial key; (b) arranging for the plurality of devices (30) to include a verifier device (pi) and a prover device (p2); (c) arranging for the prover device (p2) to notify its existence to the verifier device (Pi); (d) arranging for the verifier device (pi) to issue a first challenge to the prover device (p2) to encrypt a nonce using the prover (p2) device's polynomial (P) key and communicate the encrypted nonce as a response back to the verifier device (pi); (e) arranging for the verifier device (pi) to receive the encrypted nonce as the response from the prover device (p2) and: (i) to encrypt the first challenge using the polynomial keys generated from a set of stored device identities; or (ii) to decrypt the response received from the prover device (p2) using the polynomial keys; until said verifier device (pi) identifies a match for said response, said match being indicative of authentication. 2. A method as claimed in Claim 1, wherein issuance of the identity values (pi) and associated polynomials is undertaken via a trusted third party (20). 3. A method as claimed in Claim 1, including a further step of applying said method of authentication in general mutual authenticated key establishment protocols in said system for providing mutual authentication for said plurality of devices, said mutual protocols providing privacy to at least one of said plurality of devices. 4. A method as claimed in Claim 1. wherein a random value is additionally created by the prover device and encrypted together with the response from the verifier device for sending back to the verifier device, said random value being operable to function as a session key. 5. A method as claimed in Claim 1. wherein the first challenge from the verifier device (pi) to the prover device (pi) is implemented such that the nonce is a random number. 6. A method as claimed in Claim L said method further including a step of configuring the system so that said plurality of devices includes multiple prover devices and multiple verifier devices, said multiple prover devices including a subset of prover devices operable to authenticate to a particular verifier device of the multiple verifier devices. 7. A method as claimed in Claim 1, wherein said prover devices are implemented as smart cards or tags enabling access to services related to and/or coupled to a given verifier device. 8. A method as claimed in Claim 1, wherein the prover device is operable to apply a hash function or keyed hash function to create a response to the first challenge from the verifier device. 9. A system operable according to the method as claimed in Claim 1. 10. A system as claimed in Claim 9, the system being adapted for providing at least one of: (a) authentication associated with financial transactions executed within banking systems; (b) controlling access, for example personnel access, by way of tags or similar portable identifiers authenticating within a system operable according to the method. 11. Software on a data carrier executable on computing hardware to implement the method as claimed in Claim 1. 12. A smart card or tag for undertaking authentication in an authentication system, the system being arranged to be operable according to a method as claimed in Claim 1.

Full Text

1
Method of authentication based on polynomials
FIELD OF THE INVENTION
The present invention relates to methods of authentication based on polynomials. Moreover, the invention also relates to systems and apparatus operable according to these methods.
BACKGROUND TO THE INVENTION
Authentication protocols are used in contemporary communication systems for enabling a first party to prove its identity towards a second party; for convenience, these first and second parties are conveniently denoted by prover and verifier respectively. In many known protocols, the prover first claims an identity, after which the prover proves knowledge of some secret associated with the prover's claimed identity. A protocol in which two parties are being assured of each other's identity is referred to as "mutual authentication". Such authentication is often implemented using key establishment procedures, for example using public-private key authentication protocols. These authentication protocols not only verify identity, but also often establish symmetrical session keys with which further communications can be encrypted and authenticated.
The inventors have appreciated that it is desirable that identities of mutually communicating parties cannot be determined by third parties observing or eavesdropping on the mutually communicating parties. Such a situation can potentially arise in practice when a user authenticates herself using a wireless smart card presented to a smart card reader, for example a smart card reader at an entrance of a high-security building. If a standard authentication protocol is employed at the entrance, an eavesdropper could hypothetically simply detect the presence of a user at this location. Such detection can potentially provide essential initial information for executing location tracking of the user. Moreover, this location tracking can constitute an invasion of personal privacy.
This problem has already been envisaged by Martin Abadi in a scientific paper with title "Private Authentication" presented at a Conference on Privacy Enhancing Technologies (PET2002), San Fracisco, USA, April 2002 whose proceedings are published in Springer Lecture Notes in Computer Science vol. 2482/2003, pp. 27-40. In the paper, M.

Abadi describes two protocols which are variants of known Denning-Sacco and Needham-Schroeder protocols as elucidated in B. Schneier publication "Applied Cryptography", Second Edition published by John Wiley & Sons Inc. in 1996. A problem of these recently proposed protocols by M. Abadi is that public key cryptography is employed requiring a relatively large amount of processing power for its implementation, such processing power often not being practical and/or available on small consumer devices, for example portable battery-powered devices.
A more recent polynomial-based multi-user key generation and authentication method is described in a published international PCT patent application WO 03/077470 (attorney docket PHNL020192). In this PCT application, there is described a method of generating a common secret between a first party and a second party. These parties can be, for example, devices in a home network operable in accordance with a contemporary7 Digital Rights Management (DRM) framework. The devices calculate the common secret by evaluating a product of two polynomials P(x, y) and Q(x, z) using parameters previously distributed by a Trusted Third Party (TTP) and parameters obtained from another device. Optionally, each party subsequently verifies that the other party has generated the same secret using a zero-knowledge protocol or a commitment-based protocol. Such a method described in this published PCT application is especially suitable for use in conjunction with low power devices such as Chip-In-Disc type devices. The inventors have appreciated that even this recent authentication method has drawbacks and limitations which the inventors seek to address by way of the present invention.
SUMMARY OF THE INVENTION
An object of the present invention is to provide an alternative authentication protocol method.
According to a first aspect of the present invention, there is provided a method of authentication based on polynomials for a system comprising a plurality of devices operable to mutually communicate; said method comprising steps of:
(a) providing each of said plurality of devices with a corresponding identity value (pi: i = 1, n) together with an associated polynomial (P) for generating a polynomial key;
(b) arranging for the plurality of devices to include a verifier device (pi) and a prover device (p2);
(c) arranging for the prover device (P2) to notify its existence to the verifier device
(p.);

(d) arranging for the verifier device (pi) to issue a first challenge to the prover device (p:) to encrypt a nonce using the prover (p2) device's polynomial (P) key and communicate the encrypted nonce as a response to the verifier device (pi);
(e) arranging for the verifier device (pi) to receive the encrypted nonce as the response from the prover device (p2) and:
(i) to encrypt the first challenge using the polynomial keys -generated
from a set of stored device identities; or
(ii) to decrypt the encrypted response received from the prover device
(P2) using the polynomial keys;
until said verifier device (pi) identifies a match for said response, said match being indicative of authentication.
The invention is of advantage in that it is capable of providing a more flexible procedure for authentication based on polynomials.
A "polynomial key" is a numerical result of evaluating a polynomial, for example k = Ppi(p2), wherein k is a key, Ppi is a polynomial, and P2 is a value input to the polynomial.
Individual devices in the system are capable of operating both as verifiers and provers. Optionally, one or more of the devices of the system are capable of concurrently functioning as both verifiers and provers.
Optionally, in step (a) of the method, issuance of the identity values (pi) and associated polynomials is undertaken via a trusted third party. Such an approach results in a trusted deployment of the system
Optionally, the method includes a further step of applying said method of authentication in general mutual authentication key establishment protocols in said system for providing mutual authentication for said plurality of devices.
Optionally, in the method, a random value is additionally created by the prover device and encrypted together with the response from the verifier device for sending back to the verifier device, said random number being operable to function as a session key. This session key is beneficially updated so as to provide not only a record of a sequence of communication but also protect against eavesdropping on the plurality of devices.
Optionally, in the method, the first challenge from the verifier device (pi) to the prover device (p2) is a random value. The use of nonces implemented as random values renders the system more difficult to eavesdrop.

Optionally, the method further includes a step of configuring the system so that said plurality of devices includes multiple prover devices and multiple verifier devices, said multiple prover devices including a subset of prover devices operable to authenticate to a particular verifier device of the multiple verifier devices.
Optionally, in the method, said prover devices are implemented as smart cards or tags enabling access to services related to and/or coupled to a given verifier device.
Optionally, in the method, the polynomial is operable to function as a Blom-type key. Blom-types keys are elucidated in the foregoing with regard to a publication by Rolf Blom (Linkoping University) which is incorporated by reference.
Optionally, in the method, the prover device is operable to apply a hash function or keyed hash function to create a response to the first challenge from the verifier device.
According to a second aspect of the invention, there is provided a system operable according to the method of the first aspect of the invention.
Optionally, the system is adapted for providing at least one of:
(a) authentication associated with financial transactions executed within banking
systems;
■(b) controlling access, for example personnel access, by way of tags or similar
portable identifiers authenticating within a system operable according to the method.
According to a third aspect of the invention, there is provided software on a data carrier executable on computing hardware to implement the method according to the first aspect of the invention.
According to a fourth aspect of the invention, there is provided a smart card or tag for undertaking authentication in an authentication system, the system being arranged to be operable according to a method according to the first aspect of the invention.
It will be appreciated that features of the invention are susceptible to being combined in any combination without departing from the scope of the invention.
DESCRIPTION OF THE DIAGRAMS
Embodiments of the invention will now be described, by way of example only, with reference to the following diagrams wherein:
Figure 1 is an illustration of a system being established for implementing a method of authentication according to the present invention;

Figure 2 is a depiction of communication exchange in a private authentication protocol in which a proving device p; authenticates to a verifying device p?; and
Figure 3 is a depiction of communication exchange in a mutual authentication protocol between the devices p2 and p).
DESCRIPTION OF EMBODIMENTS OF THE INVENTION
in the present invention, the inventors have devised an authentication protocol operable to provide privacy and protection against eavesdropping without complications associated with utilizing public key cryptography. Moreover, the devised protocol is capable in use of providing more flexibility than purely symmetrical key-based approaches. The inventors' authentication protocol is based on a scheme proposed by Rolf Blom in a scientific paper "Non-public key distribution" published in Advances in Cryptography, Proceedings of Crypto f82, pp. 231-236, 1983; disclosure in R. Blom's scientific paper is herewith incorporated by reference for purposes of elucidating the present invention.
An embodiment of the present invention implemented as a system will be described with reference to Figure 1. The system comprises a third party7 denoted by TTP which chooses a symmetrical matrix T having a size (n+1) rows by (n~l) columns; the matrix T has element entries denoted by ty wherein an index i denotes matrix column and an index j denotes matrix row. For the matrix T to exhibit symmetry, the element entries are implemented such that ty - tj;. The entries ty of this matrix T thereby form coefficients of an n-th degree polynomial denoted by P(x. y) which is defined by Equation 1 (Eq. 1):

On account of the matrix T being symmetrical, it follows therefrom that the polynomials P(x, y) = P(y, x) for all x and y in a field of values GF(2k). The trusted third party TTP issues to each device i included within the system an identity value p; and a corresponding private projected polynomial denoted by Ppi (y). This private projected polynomial PPj (y) is generated by the third party TTP by assigning a first argument of polynomial P(x, y) to be equal to a devices' identity value pi as described by Equation 2 (Eq. 2):

From Equation 1, it follows that the symmetry of the matrix T and the resulting symmetry of the polynomial P(x, y), Equation 3 (Eq. 3) pertains for all values of the identity values p;, pj such that p.,p -: e GF(2k):

Thus, the aforesaid system operates by each device obtaining from the third party TTP a projected polynomial P corresponding to its identity value p*, this polynomial P being communicated as (n+1) coefficients gj^0 which are securely stored in the device. These coefficients are generated by the third party TTP according to Equation 4 (Eq. 4):

The projected polynomial Ppi(y) of a given device having an identity value p, can thus be expressed by Equation 5 (Eq. 5):

Distribution of polynomial coefficients from the trusted third party TTP to individual devices is depicted in Figure 1 wherein the aforesaid system is indicated generally by 10, the trusted third party TTP is denoted by 20, and one of the devices having an allocated identity i=4 is denoted by 30. In Figure 1, there are five devices shown although the system 10 is assumed to include d devices where d is an integer of unity value or greater. The integer d does not need to be numerically equal to aforesaid parameter n. For reducing storage and processing power required in the system 10, it is desirable to arrange for n
Having described in the foregoing a manner in which the polynomials P are generated by the third party TTP 20 and allocated to the devices, for example the device 30, operation of the system 10 for providing verification of authenticity will next be elucidated.
The devices in the system 10 are optionally operable to function as provers and verifiers; for example, a device with identity p2 is capable of authenticating itself as a prover to a device with identity p: operable as a verifier. In a practical application of the present invention, the device operable as a verifier can be implemented as a tag reader at an entrance door of.a high-security building. Moreover, in practice, there will then be multiple provers, for example implemented as user-wearable miniature RFID tags desirous of gaining entry into the high-security building. The verifier, for example the aforesaid tag reader, has a Configuration Table (CT) of length m stored therein. This Configuration Table comprises identity values p; of provers that can be authenticated and thereby allowed access. Optionally, the Configuration Table (CT) can be publicly accessible, namely it does not need to be maintained secret or confidential.
In the system 10, the Configuration Table is only susceptible to being updated by a system administrator. Optionally, the administrator is an owner of the verifier. In amending the Configuration Table, the administrator is operable to add identity values of provers to this Table (CT) in order to grant them access. In contradistinction to known symmetrical key arrangement, the present invention is distinguished in that no new shared key needs be established between a prover and a corresponding verifier when the prover is added to the Table (CT). Such a benefit arises because the system 10 involves providing the prover and verifier beforehand with corresponding private polynomials PP2(y) and Ppi(y) respectively.
Operation of the system 10 wrill now be described in a scenario when the prover (PR) notifies its presence to the verifier (VE) by sending out a "hello" message 100 received by the verifier, namely a first invocation message as depicted in Figure 2. The verifier VE then generates a random challenge e denoted by 110, after which the verifier VE sends the challenge e to the prover PR together with its identity value pi. Next, the prover PR evaluates a corresponding polynomial PP2(y) therein by equating y = pi resulting in generation of a secret key K denoted by 120 according to Equation 6 (Eq. 6):

Next, the prover PR then uses this key K 120 to encrypt the challenge e 110 received thereat. The prover PR thereby generates a response A denoted by 130, the response 130 A being described by Equation 7 (Eq. 7):

where a symbol E denotes an encryption operation, the response being then sent back to the verifier VE. Finally, as denoted by 140, the verifier VE checks for all the identity values in its Configuration Table (CT) to determine whether or not the received response A is a valid response. The verifier VE thereby for each identity pj in the Table (CT) is capable of constructing a secret key Ki= Ppi(pi) and encrypting the challenge e using the key K4. If the verifier VE find a match for one of the pi values in its Configuration Table (CT), namely E{Ki}(e) = A, the identity corresponding to the value pj is authenticated. In this example, the verifier VE will find a match for the identity having a value p2; such matching follows from K = Ko on account of Ppo(pi) = Ppi(p2).
Thus, in Figure 2, there is presented a private authentication protocol in which a device having an identity P2. namely the prover PR, authenticated to a device having an identity pi, namely the verifier VE. The verifier VE includes the Configuration Table (CT) containing the identities of sets of devices susceptible to being authenticated.
The protocol depicted in Figure 2 is such that an eavesdropper can detect the identity of the verifier VE having an identity value pi but no identity information regarding the prover PR is susceptible to leaking to the eavesdropper. A party hostile to the system 10, for example an adversary or hacker, would potentially be able to retrieve a session key K=Pp2(pi) = PP](p2)3 for example if the encryption cipher of Equation 7 is weak, but would be unable therefrom to identify the identity p]5 thus the system 10 would in such challenged circumstances maintain privacy. Moreover, on account of employing the random challenge e as in Equation 7, the response A will be different each time an attempt for authentication purposes in connection with the identifier P2; in consequence, an eavesdropping party is not able to derive an identification by frequency analysis.
The prover PR in the aforementioned protocol as depicted in Figures 1 and 2 will be aware that its identity will be visible to the verifier VE. In practice, the prover optionally does not implement the aforementioned protocol with all possible verifiers, since they can then all learn the prover's identity. Potentially, in the system 10, one of the verifiers, for example if hostile, could track one of the devices within the system 10. In order to try to

address such a problem, the given prover PR is provided with its own Configuration Table (CT) including the identities of verifier devices VE in the system 10 with which the given prover PR is prepared to communicate. In this mode of operation wherein the prover PR also has a Configuration Table (CT), the prover PR will not correspond to a challenge from a verifier that is not on the prover's (PR) CT table.
It will be appreciated that embodiments of the invention described in the foregoing are susceptible to being modified without departing from the scope of the invention as defined by the accompanying claims.
Devices in the system 10 are capable of being configured so that they are operable to provide verification and proving functions concurrently.
In a first further embodiment of the invention, a symmetrical cipher is employed when mutual authentication is implemented using the aforementioned protocol. Alternatively, the prover PR is.operable to generate its response A by using a one-way hash function denoted by h(). The response A generated by the prover PR will then be according to Equation 8 (Eq. 8):

Similarly, the verifier VE is operable to check the response A according to Equation 9 (Eq. 9):

In a second further embodiment of the invention, instead if encrypting the challenge e with all possible keys Kj= PP] (pi) from devices in the Configuration Table (CT), the verifier VE optionally uses these keys Kj to decrypt the received response A and to check whether or not the decrypted key corresponds to e.
In a third further embodiment of the invention, instead of the challenge e being chosen randomly, the verifier VE alternatively employs nonces. Nonces are defined as being unique numbers for one-time use.
In a fourth further embodiment of the invention, the prover PR can transport a session key r to the verifier VE by creating a response according to Equation 10 (Eq. 10):

wherein E denotes an encryption function.
In Equation 10, both the challenge e and the session key r are encrypted using a key K = PP2(pi). The session key r is optionally a random number generated by the prover PR. The verifier VE is operable to find a match with a first part of the response A in order to identify the prover PR in a manner as described in the foregoing with reference to Figures 1 and 2. When a match with a given prover PR is found, the Verifier VE is able to decrypt a second part of the response A by using a key Ppi (P2) in order to retrieve the session key r value which can then be used as a session key for further subsequent communications.
The protocols according to the invention elucidated in the foregoing are capable of being used for achieving mutual authentication in conjunction with key establishment. Thus, it is preferable in many practical uses of the present invention to have protocols that provide mutual authentication and produce a mutually authenticated key. Many contemporary mutual authentication protocols are based on key transport or key arrangements. All these contemporary protocols based on symmetrical key techniques assume that a mutual long-term key is available before the protocols are invoked. In contradistinction to known protocols, the aforementioned protocol according to the invention provides a long-term key by equating K = Pp2 (pi), namely Equation 6, whilst keeping the identity of the prover PR secret, the aforementioned protocol according to the invention thereby being extensible to provide a mutually authenticated key.
In Figure 3. there is shown a communication exchange, namely a protocol, utilizing two random number session keys n, ra. These session keys n, r2 can be used to derive a mutual key, for example by way of h(ri, r2). It is to be noted that in such a combined protocol that identity of one of the devices involved remains secret whilst the identity of the other device is revealed. Such a protocol according to the invention is thus known as a half-private mutually authenticated key establishment protocol.
The protocol depicted in Figure 3 is similar to a "point-to-point" key transport protocol with associated challenge-response presented in chapter 12 of a book having title "Handbook of Applied Cryptography" by Menezes et al; however, the protocol of Figure 3 differs in that the key K is derived using the aforesaid polynomial scheme described with reference to Figure 1. On account of the prover PR needing to stay anonymous towards observers or eavesdroppers, the prover PR does not send its identity over a communication

channel, thereby requiring that the verifier VE has to search in its list CT to find a matching identitv.
Steps of the protocol depicted in Figure 3 are as provided in Table 1:

D(kKc) denotes decryption of cipher-text c using a key k; and E{k}(m) denotes encryption of a message m using a key k.
In operation, it is important that the verifier VE does not stop the protocol elucidated in Table 1 with reference to Figure 3 if the verifier VE is unable to find an identity in its Configuration Tabk (CT) that matches with the received response A. Namely, in an event that the verifier VE halts the protocol of Table 1, an observer is potentially capable of learning that the prover PR attempting to authenticate is not an entity listed in the Table (CT); it will be. of course, appreciated from the foregoing that the Table (CT) is publicly accessible. The protocol of Table 1 is therefore optionally further refined in such a situation so that the verifier VE creates a decoy message B in the event of it being unable to find a match; the observer is then potentially unable to distinguish the decoy message B from a genuine message B. The decoy message is constructed depending upon a particular form of encryption utilized in implementing the protocol described in Table 1.
The method of authentication based on polynomials described in the foregoing and illustrated in Figure 1 regarding establishment of identities and in Figures 2 and 3 regarding protocol once identities have been established are susceptible to being applied in a wide range of practical applications. Such practical applications include:

(a) tag readers: for example personnel access tags in high security establishments, in prisons; use of the invention with radio frequency identification RFID is especially pertinent;
(b) in communication systems where secure and authenticated communication channels are required: for example in banking systems, in health care systems where personal health records need to be stored and communicated in a secure manner; and
(c) in anti-counterfeiting measures: for example where electronic tags are attached to products conforming to the present invention, said electronic tags being electronically interrogated, for example, at import/customs to check for counterfeit wares.
In the accompanying claims, numerals and other symbols included within brackets are included to assist understanding of the claims and are not intended to limit the scope of the claims in any way.
Expressions such as "comprise", "include", "incorporate", "contain", "is" and "have" are to be construed in a non-exclusive manner when interpreting the description and its associated claims, namely construed to allow for other items or components which are not explicitly defined also to be present. Reference to the singular is also to be construed to be a reference to the plural and vice versa.

CLAIMS:
1. A method of authentication based on polynomials for a system (10)
comprising a plurality of devices (30) operable to mutually communicate, said method
comprising steps of:
(a) providing (20) each of said plurality of devices (30) with a corresponding identity value (p\\ i = 1, n) together with an associated polynomial (P) for generating a polynomial key;
(b) arranging for the plurality of devices (30) to include a verifier device (pi) and a prover device (p2);
(c) arranging for the prover device (p2) to notify its existence to the verifier device
(Pi);
(d) arranging for the verifier device (pi) to issue a first challenge to the prover device (p2) to encrypt a nonce using the prover (p2) device's polynomial (P) key and communicate the encrypted nonce as a response back to the verifier device (pi);
(e) arranging for the verifier device (pi) to receive the encrypted nonce as the response from the prover device (p2) and:
(i) to encrypt the first challenge using the polynomial keys generated
from a set of stored device identities; or
(ii) to decrypt the response received from the prover device (p2) using
the polynomial keys;
until said verifier device (pi) identifies a match for said response, said match being indicative of authentication.
2. A method as claimed in Claim 1, wherein issuance of the identity values (pi) and associated polynomials is undertaken via a trusted third party (20).
3. A method as claimed in Claim 1, including a further step of applying said method of authentication in general mutual authenticated key establishment protocols in said system for providing mutual authentication for said plurality of devices, said mutual protocols providing privacy to at least one of said plurality of devices.

4. A method as claimed in Claim 1. wherein a random value is additionally created by the prover device and encrypted together with the response from the verifier device for sending back to the verifier device, said random value being operable to function as a session key.
5. A method as claimed in Claim 1. wherein the first challenge from the verifier device (pi) to the prover device (pi) is implemented such that the nonce is a random number.
6. A method as claimed in Claim L said method further including a step of configuring the system so that said plurality of devices includes multiple prover devices and multiple verifier devices, said multiple prover devices including a subset of prover devices operable to authenticate to a particular verifier device of the multiple verifier devices.
7. A method as claimed in Claim 1, wherein said prover devices are implemented as smart cards or tags enabling access to services related to and/or coupled to a given verifier device.
8. A method as claimed in Claim 1, wherein the prover device is operable to apply a hash function or keyed hash function to create a response to the first challenge from the verifier device.
9. A system operable according to the method as claimed in Claim 1.
10. A system as claimed in Claim 9, the system being adapted for providing at least one of:

(a) authentication associated with financial transactions executed within banking systems;
(b) controlling access, for example personnel access, by way of tags or similar portable identifiers authenticating within a system operable according to the method.
11. Software on a data carrier executable on computing hardware to implement the
method as claimed in Claim 1.

12. A smart card or tag for undertaking authentication in an authentication system,
the system being arranged to be operable according to a method as claimed in Claim 1.

Documents:

1300-CHENP-2007 AMENDED CLAIMS 10-04-2014.pdf

1300-CHENP-2007 CORRESPONDENCE OTHERS 15-05-2014.pdf

1300-chenp-2007 correspondence others 01-10-2007.pdf

1300-CHENP-2007 CORRESPONDENCE OTHERS 10-05-2013.pdf

1300-chenp-2007 form-3 01-10-2007.pdf

1300-CHENP-2007 FORM-3 10-04-2014.pdf

1300-CHENP-2007 OTHERS 03-09-2013.pdf

1300-CHENP-2007 OTHERS 10-04-2014.pdf

1300-CHENP-2007 POWER OF ATTORNEY 03-09-2013.pdf

1300-CHENP-2007 AMENDED PAGES OF SPECIFICATION 03-09-2013.pdf

1300-CHENP-2007 AMENDED CLAIMS 03-09-2013.pdf

1300-CHENP-2007 EXAMINATION REPORT REPLY RECEIVED 03-09-2013.pdf

1300-CHENP-2007 EXAMINATION REPORT REPLY RECEIVED 10-04-2014.pdf

1300-CHENP-2007 POWER OF ATTORNEY 10-04-2014.pdf

1300-chenp-2007-abstract.pdf

1300-chenp-2007-claims.pdf

1300-chenp-2007-correspondnece-others.pdf

1300-chenp-2007-description(complete).pdf

1300-chenp-2007-drawings.pdf

1300-chenp-2007-form 1.pdf

1300-chenp-2007-form 26.pdf

1300-chenp-2007-form 3.pdf

1300-chenp-2007-form 5.pdf

1300-chenp-2007-pct.pdf

« Previous Patent

Next Patent »

Patent Number

261103

Indian Patent Application Number

1300/CHENP/2007

PG Journal Number

23/2014

Publication Date

06-Jun-2014

Grant Date

04-Jun-2014

Date of Filing

29-Mar-2007

Name of Patentee

KONINKLIJKE PHILIPS ELECTRONICS N.V.

Applicant Address

Groenewoudseweg 1, NL-5621 BA Eindhoven

Inventors:

#	Inventor's Name	Inventor's Address
1	SCHRIJEN, Geert, J.	c/o Prof. Holstlaan 6, NL-5656 AA Eindhoven
2	KEVENAAR, Thomas, A., M.	c/o Prof. Holstlaan 6, NL-5656 AA Eindhoven

PCT International Classification Number

H04L 9/32

PCT International Application Number

PCT/IB2005/053188

PCT International Filing date

2005-09-27

PCT Conventions:

#	PCT Application Number	Date of Convention	Priority Country
1	04104780.4	2004-09-30	EUROPEAN UNION