Patent Grant
10382962
This disclosure relates generally to network authentication, and in particular but not exclusively, to authentication to protect against tampering and subversion by substitution.
An essential aspect of online communication is the ability of two endpoints to establish an authenticated channel based on their respective identities. One solution to this employs public key infrastructure (PKI), wherein public keys allow end devices to be reasonably convinced that they are communicating only with each other. In this scheme, however, an endpoint and its identity are generally independent, i.e., an arbitrary identity is generated and assigned to an endpoint.
In various device authentication schemes, physical unclonable functions (PUFs) have been used such that each device has a unique identity intrinsically linked to the device. Rührmair et al. (“Modeling Attacks on Physical Unclonable Function.” Proceedings of the 17th ACM conference on Computer and communications security, CCS '10, pages 237-249, ACM. 2010) define three distinct classes of PUF devices:
PUF output is noisy in that it varies slightly despite evaluating the same input. This is generally addressed with fuzzy extraction, a method developed to eliminate noise in biometric measurements. (See Juels et al., “A Fuzzy Commitment Scheme,” Proceedings of the 6th ACM conference on Computer and Communications Security, CCS '99, pages 28-36, ACM, 1999). Fuzzy extraction may in part be employed within a device having a PUF such as within an auxiliary control unit, such that the output is constant for a fixed input. Fuzzy extraction (or reverse fuzzy extraction) may for example employ a “secure sketch,” as described by Juels et al. to store a sensitive value V to be reconstructed and a helper string P for recovering V. A secure sketch SS for input string O, where ECC is a binary (n, k, 2t+1) error correcting code of length n capable of correcting t errors and V←{0, 1}k is a k-bit value, may for example be defined as SS(O;V)=O⊕ECC(V). The original value V then may be reproduced given the helper string P and an input O′ within a maximum Hamming distance t of O using a decoding scheme D for the error-correcting code ECC and O′, as D(P⊕O′)=D(O⊕ECC(V)⊕O′)=V.
A physical unclonable function Pd:{0,1}κ
P ⊂ RP,
P′ ⊂ RP,
P(c)
The game proceeds as follows:
1. The adversary issues polynomially many (w.r.t. the security parameter λ) challenges ci∈
P to the PUF device P, where the challenge set
P is a proper subset of the entire challenge space
P.
The adversary only wins the game when guess r′ is equal to P's actual response r←P(c) to 's committed challenge c. (As noted, the PUF's output is noisy and will vary slightly on any fixed input, so the equality is typically taken with respect to the output of a fuzzy extractor (e.g., Dodis et al., “Fuzzy Extractors: How to Generate Strong Keys from Biometrics and Other Noisy Data,” SIAM J. Comput., volume 38, no. 1:97-139, 2008)).
b
This game proceeds as follows:
Various authentication schemes utilize zero knowledge proofs of knowledge, which is a method for proving that a given statement is true, while revealing nothing beyond this fact. The zero knowledge proof is an interaction between two parties: a prover that wishes to establish the validity of a statement, and a verifier
that must be convinced the statement is true. The verifier should be convinced with overwhelming probability that a true statement is indeed true. With a zero knowledge proof of knowledge, the verifier could not use the messages from a previous proof to convince a new party of the statement's validity, and the messages reveal only a single bit of information: whether or not the prover
possesses the secret. There are two general classes of zero knowledge proofs: interactive zero knowledge proofs, where a series of messages are exchanged between the prover
and verifier
, and non-interactive zero knowledge proofs, where the prover
conveys a single message
without interaction with
, yet
is convinced that
possesses the secret. Many (interactive) zero knowledge proof systems require multiple iterations to establish the validity of a statement. That is, each interaction may succeed with some probability, even if the prover does not possess the secret (or the statement is false). Thus, if the probability of success when the statement is false is p, the protocol is run n times until 1−(p)n is sufficiently close to 1.
An authentication system according to an embodiment of the invention facilitates the establishment of both endpoint identity, as well as a secure communication channel using a dynamically-generated key between two end devices (potentially on separate local area networks). An interactive or non-interactive authentication protocol is used to establish the identity of the target end device, and dynamic key generation is used to establish a shared symmetric session key for creating an encrypted communication channel between the end devices. In one embodiment, the shared symmetric session key may then be updated as desired, and encrypted under a new dynamically-generated key.
The present detailed description is based on the example of an embodiment utilizing elliptic curve cryptography (including the associated terminology and conventions), but the inventive concept and teachings herein apply equally to various other cryptographic schemes such as ones employing different problems like discrete logarithm or factoring. Likewise, the invention is not limited by the various additional features described herein that may be employed with or by virtue of the invention.
In order to construct an intrinsic identity of a device, a public representation of the device's identity (referred to here as an enrollment token or public key) is generated. An elliptic curve mathematical framework may be used, but those skilled in the art will realize that other frameworks (e.g., discrete logarithm frameworks, in which regard U.S. Pat. No. 8,918,647 is incorporated here by reference) will provide the same functionality. A cryptographic enrollment token (or series of tokens) {(cd, Pd, Ad mod p)} is collected from each PUF device d in response to a challenge query (or queries) by the server. Each device chooses a private key dpriv uniformly at random from the space {0, 1}λ, where λ is the security parameter (e.g., the number of bits in the modulus p) and calculates Ad=
dpriv·G mod p as the device's public key, were G is a base point of order q on an elliptic curve over
. Preferably, no sensitive information is transmitted over the communication channel or stored in non-volatile memory (for example, the device may discard
dpriv after generating Ad). When
dpriv is needed to authenticate the device, the enrollment token (cd, Pd, Ad mod p) allows the device d to regenerate
dpriv and complete the proof. Algorithm 1 describes an exemplary enrollment protocol in pseudocode.
p of order p
p
p, a base point of order q
p, a random group element
(The enrollment process preferably should be required only once, and preferably should ensure that in the event of a security breach the device can remain active through a minor change on the server side without re-enrollment. As described in U.S. Pat. No. 8,918,647 which is incorporated herein by reference, a challenge-response tree can be constructed wherein only the root node is directly derived from a PUF response, with derived tokens being generated from those collected during enrollment.
A PUF-enabled device may locally store and retrieve a sensitive value preferably without storing any sensitive information in non-volatile memory. Algorithm 2 illustrates the storing of a sensitive value (e.g., dpriv) using a PUF, and Algorithm 3 illustrates the regeneration of the sensitive value. The challenge cd and helper data helperd for device d can be public, as neither reveals anything about the sensitive value. While the present example uses encryption of the sensitive value by exclusive-or, ⊕, alternately the value could for example be used to form a key to other encryption algorithms (e.g., AES) to enable storage and retrieval of arbitrary-sized values.
p of order p
p, a base point of order q
p
Whenever O and O′ are t-close, the error correcting code ECC can be passed to a decoding algorithm D to recover the sensitive value.
The authentication phase allows a server to verify that a client device is authorized to issue a request. In an elliptic curve embodiment, upon receiving a request from a device, the server can conduct an elliptic curve variant of Chaum et al.'s (“An Improved Protocol for Demonstrating Possession of Discrete Logarithms and some Generalizations,” Proceedings of the 6th annual international conference on Theory and application of cryptographic techniques; EUROCRYPT'87, pages 127-141, Springer, 1988) zero knowledge proof protocol with the device d to establish permission to perform the request, as shown in Algorithm 4.
p, a random group element
The requirement for communication front the verifying end device in the interactive zero knowledge proof is to obtain a nonce value specific to the current proof. This prevents an eavesdropping adversary from using previous proofs from a valid device to successfully complete an authentication protocol and masquerade as the end device.
A non-interactive zero knowledge proof removes this communication requirement, and allows a proof to be completed without interacting with the verifying endpoint. A non-interactive construction of Algorithm 4 requires the device to generate the nonce on behalf of the verifier in a manner that prevents the proving end device from manipulating the proof. As one example, the proving end device may construct the nonce N as N←H(dpriv·G mod p|τ) where H is a hash function, τ is a timestamp and x|y denotes concatenation of x and y. The timestamp ensures that previous proofs constructed by the proving end device cannot be replayed by an adversary in the future, while the hash function ensures that the proving end device cannot manipulate the challenge in an adversarial manner. The timestamp preferably need not match the current timestamp on arrival at the prover, with the verifying endpoint instead checking that the timestamp is reasonably current (e.g. second granularity) and monotonically increasing to prevent replay attacks. Algorithm 5 provides a non-interactive authentication protocol.
p, a random group element
Non-interactive authentication may be employed so as to provide first packet authentication in zero knowledge. For example, the first packet sent by the proving end device may contain the following authentication token, which is sufficient for the verifying end device to establish the identity of the proving end device: auth={B=r·G mod p, m=r+h·dpriv mod p,τ}. The authentication is first packet in that no communication with the receiving (verifying) end device is necessary before constructing the authentication token. Further, verification of the sending (proving) end device completes without communication with the sending (proving) end device. An eavesdropping adversary observing packet auth will be unable to replay the packet, as the timestamp τ will no longer be current. Algorithm 6 illustrates device-to-device first packet mutual authentication.
p, a random group element
Two communicating devices can as desired (i.e., dynamically), (re)authenticate using Algorithm 6 and simultaneously establish a new session key by sending an auth-update message including the authentication token and a new session key. Referring to D1priv mod p,τD1, EA
One embodiment of such a device may comprise a Xilinx Artix 7 field programmable gate array (FPGA) platform, equipped, e.g., with 215,000 logic cells, 13 Megabytes of block random access memory, and 700 digital signal processing (DSP) slices. In an embodiment employing elliptic curve cryptography, for example, the hardware mathematics engine may be instantiated in the on-board DSP slices, with the PUF construction positioned within the logic cells, and a logical processing core including an input and output to the PUF and constructed to control those and the device's external input and output and to perform algorithms (sending elliptic curve and other mathematical calculations to the math engine) such as those described above. Devices (e.g., D1-D8 in
In another embodiment, a new ‘public key’ of the target end device can be generated without requiring communication with the target end device to encrypt a new random session key, which will supersede the current session key. The new public key may be generated, as desired, using derived tokens as described in U.S. Pat. No. 8,918,647, which is incorporated by reference in that regard.
One skilled in the art will realize that other combinations and adaptations of the exemplary features and algorithms may be used in different applications, and the use of the device's hardware identity may be applied to a variety of cryptographic authentication techniques not limited by the zero knowledge aspect of the example provided. For example, a device wishing to communicate with a system may initially perform authentication such as according to Algorithm 5 to authenticate in the first packet to the system and the system may then perform the dynamic session key establishment protocol (through an auth-update message) with the device to initiate a secure communication channel. Further, the authentication protocol need not be limited to zero knowledge, and could be based on other cryptographic constructions for establishing identity. For example, a server may send a device a challenge message, which the device digitally signs using its hardware identity e.g., using the private key regenerated by the device's PUF and a standard signature algorithm) and includes this signature in the packet header (e.g., TCP Options Header) returned to the server. Upon receipt, the server verifies the digital signature over its challenge is valid using the device's public key.
As one embodiment of the invention relies on an elliptic curve mathematical framework, one skilled in the art will realize that it may be extended to support cryptographically-enforced role based access control (RBAC). That is, data access policies and device credentials may be specified mathematically, and the RBAC algorithm computes a function ƒ(,
)
{0, 1} mapping policies
and credentials
to an access decision in {0,1}. This is typically accomplished by constructing a bilinear pairing (e.g. Well or Tate pairing).
This application claims the benefit of the priority of and incorporates by reference provisional U.S. patent application Ser. No. 62/001,979 filed May 22, 2014.
| Number | Name | Date | Kind |
|---|---|---|---|
| 7564345 | Devedas et al. | Jul 2009 | B2 |
| 7581248 | Atkins et al. | Aug 2009 | B2 |
| 7653197 | Van Dijk | Jan 2010 | B2 |
| 7702927 | Devedas et al. | Apr 2010 | B2 |
| 7839278 | Devedas et al. | Nov 2010 | B2 |
| 7926089 | Tulshibagwale et al. | Apr 2011 | B2 |
| 7962516 | Bahrs et al. | Jun 2011 | B2 |
| 8281127 | Hayes | Oct 2012 | B2 |
| 8290150 | Erhart et al. | Oct 2012 | B2 |
| 8346951 | Hayes | Jan 2013 | B2 |
| 8379856 | Potkonjak | Feb 2013 | B2 |
| 8386990 | Trimberger et al. | Feb 2013 | B1 |
| 8418006 | Trimberger et al. | Apr 2013 | B1 |
| 8458489 | Beckmann et al. | Jun 2013 | B2 |
| 8463813 | Siress et al. | Jun 2013 | B2 |
| 8468186 | Yu | Jun 2013 | B2 |
| 8510608 | Futa et al. | Aug 2013 | B2 |
| 8516269 | Hamlet et al. | Aug 2013 | B1 |
| 8525169 | Edelstein et al. | Sep 2013 | B1 |
| 8566579 | Armstrong et al. | Oct 2013 | B2 |
| 8667265 | Hamlet | Mar 2014 | B1 |
| 8782396 | Ziola et al. | Jul 2014 | B2 |
| 8848905 | Hamlet et al. | Sep 2014 | B1 |
| 8918647 | Wallrabenstein | Dec 2014 | B1 |
| 9998445 | Wallrabenstein | Jun 2018 | B2 |
| 20030048173 | Shigematsu | Mar 2003 | A1 |
| 20050149496 | Mukherjee et al. | Jul 2005 | A1 |
| 20050210252 | Freeman | Sep 2005 | A1 |
| 20050222896 | Rhyne et al. | Oct 2005 | A1 |
| 20070036353 | Reznik | Feb 2007 | A1 |
| 20080069341 | Relyea | Mar 2008 | A1 |
| 20080256549 | Liu et al. | Oct 2008 | A1 |
| 20080256600 | Schrijen et al. | Oct 2008 | A1 |
| 20090063860 | Barnett | Mar 2009 | A1 |
| 20090083833 | Ziola | Mar 2009 | A1 |
| 20100031065 | Futa et al. | Feb 2010 | A1 |
| 20100122093 | Tuyls et al. | May 2010 | A1 |
| 20100127822 | Devedas | May 2010 | A1 |
| 20100228982 | Zhu | Sep 2010 | A1 |
| 20100272255 | Devedas et al. | Oct 2010 | A1 |
| 20110033041 | Yu et al. | Feb 2011 | A1 |
| 20110215829 | Guajardo et al. | Sep 2011 | A1 |
| 20110299678 | Deas et al. | Dec 2011 | A1 |
| 20120072717 | Hayes | Mar 2012 | A1 |
| 20120072737 | Schrijen et al. | Mar 2012 | A1 |
| 20120114261 | Cheon | May 2012 | A1 |
| 20120137137 | Brickell et al. | May 2012 | A1 |
| 20120183135 | Paral et al. | Jul 2012 | A1 |
| 20130268766 | Schrecker | Oct 2013 | A1 |
| 20150195088 | Rostami et al. | Jan 2015 | A1 |
| 20150082405 | Sakemi | Mar 2015 | A1 |
| 20150134966 | Wallrabenstein | May 2015 | A1 |
| 20160021096 | Wallrabenstein | Jan 2016 | A1 |
| Number | Date | Country |
|---|---|---|
| 2005-073274 | Mar 2005 | JP |
| 2008-545323 | Dec 2008 | JP |
| 2009-517910 | Apr 2009 | JP |
| 2011-526113 | Sep 2011 | JP |
| 10-2008-0029841 | Mar 2008 | KR |
| 20090104421 | Oct 2009 | KR |
| WO 2010105993 | Sep 2010 | WO |
| Entry |
|---|
| International Search Report and Written Opinion dated Sep. 1, 2015 for Application No. PCT/US2014/064738. |
| International Preliminary Report on Patentability dated Jan. 22, 2016 for Application No. PCT/US2014/064738. |
| Invitation to Pay Additional Fees dated Aug. 26, 2015 for Application No. PCT/US2015/032320. |
| International Search Report and Written Opinion dated Nov. 6, 2015 for Application No. PCT/US2015/032320. |
| International Preliminary Report on Patentability dated Aug. 4, 2016 for Application No. PCT/US2015/032320. |
| [No Author Listed], What is MAC address/Burned In Addressses(BIA)/Ethernet addresses? Creative World9. Apr. 16, 2012. http://www.creativeworld9.com/2012/06/what-is-mac-addressburned-in.html [last accessed Mar. 26, 2017]. 1 page. |
| Abercrombie et al., Secure Cryptographic Key Management System (CKMS) Considerations for Smart Grid Devices. CSIIRW '11 Proceedings of the Seventh Annual Workshop on Cyber Security and Information Intelligence Research, Oak Ridge, TN. Article No. 59. Oct. 12-14, 2011. 4 pages. |
| Armknecht et al., A Formalization of the Security Features of Physical Functions. Proceedings of the 2011 IEEE Symposium on Security and Privacy, SP '11. 2011;397-412. |
| Bose et al., On a class of error correcting binary group codes. Info Control. Mar. 1960;3(1):68-79. |
| Boyko et al., Speeding up discrete log and factoring based schemes via precomputations. Advances in Cryptology, EUROCRYPT '98. 1998;1403:221-35. |
| Canetti, Universally composable security: A new paradigm for cryptographic protocols. Proceedings of the 42nd IEEE Symposium on Foundations of Computer Science, FOCS '01. Oct. 9, 2001;136-. 70 pages. |
| Chen et al., New algorithms for secure outsourcing of modular exponentiations. Computer Security, ESORICS 2012. 2012;7459:541-56. |
| Fiege et al., Zero Knowledge Proofs of Identity. Proceedings of the 19th Annual ACM Symposium on Theory of Computing (STOC). 1987:210-7. |
| Gardner et al., Toward Trusted Embedded Systems. 2nd Annual NSA Trusted Computing Conference and Exposition. Orlando, FL. Sep. 21, 2011. 25 pages. |
| Gassend et al., Silicon Physical Random Functions. Proceedings of the 9th ACM Conference on Computer and Communications Security, CCS '02. 2002;148-60. |
| Goldwasser et al., One-Time Programs. Proceedings of the 28th Annual Conference on Cryptology: Advances in Cryptology. CRYPTO. 2008;39-56. |
| Guajardo et al., FPGA intrinsic PUFs and Their Use for IP Protection. Proceedings of the 9th Cryptographic Hardware and Embedded Systems Workshop (CHES). 2007;4727. 22 pages. |
| Guajardo et al., Physical Unclonable Functions and Public-Key Crypto for FPGA IP Protection. International Conference on Field Programmable Logic and Applications. 2007. 8 pages. |
| Handschuh et al., Hardware Intrinsic Security from Physically Unclonable Functions. Towards Hardware-Intrinsic Security, Information Security and Cryptography. 2010;39-53. |
| Katzenbeisser et al., PUFs: Myth, Fact or Busted? A Security Evaluation of Physically Unclonable Functions (PUFs) Cast in Silicon. Cryptographic Hardware and Embedded Systems—CHES '12. 2012;283-301. 18 pages. |
| Kerr et al., PEAR: A Hardware Based Protocol Authentication System. SPRINGL '10 Proceedings of the 3rd ACM 3IGSPATIAL International Workshop on Security and Privacy in GIS and LBS. 2010. 8 pages. |
| Kerr, Secure Physical System Design Leveraging PUF Technology. Purdue University. Thesis. May 2012. 87 pages. |
| Kirkpatrick et al., Enforcing Physically Restricted Access Control for Remote Data. Proceedings of CODASPY. 2011. 10 pages. |
| Kirkpatrick et al., PUF ROKs: A Hardware Approach to Read-Once Keys. Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security, ASIACCS '11. 2011;155-64. |
| Kirkpatrick et al., PUF ROKS: Generating Read-Once Keys with Physically Unclonable Functions (Extended Abstract). Proceedings of the 6th Annual Workshop on Cyber Security and Information Intelligence Research. Oak Ridge, TN. Apr. 21-23, 2010. 4 pages. |
| Kirkpatrick et at, Physically Restricted Authentication and Encryption for Cyber-physical Systems. DHS Workshop on Future Directions in Cyber-physical Systems Security. 2009. 5 pages. |
| Kish et al., Physical Uncloneable Function Hardware Keys Utilizing Kirchhoff-Law Johnson-Noise Secure Key Exchange and Noise-Based Logic. Fluctuation Noise Lett. 2013;12. 9 pages. |
| Kuppusamy, Modelling Client Puzzles and Denial-of-Service Resistant Protocols. Information Security Institute. Science and Engineering Faculty. Queensland University of Technology. Thesis. Nov. 8, 2012. 198 pages. |
| Maiti et al., Physical Unclonable Function and True Random Number Generator: a Compact and Scalable implementation. GLSVLSI '09 Proceedings of the 19th ACM Great Lakes Symposium on VLSI. 2009. 4 pages. |
| Maiti et al., The Impact of Aging on an FPGA-Based Physical Unclonable Function. International Conference on Field Programmable Logic and Applications (FPL). 2011;151-6. |
| Nabeel et al., Authentication and key management for advanced metering infrastructures utilizing physically unclonable function. IEEE Third International Conference on Smart Grid Communications (SmartGridComm). 2012;324-9. |
| Nguyen et al., Distribution of Modular Sums and the Security of the Server Aided Exponentiation. Cryptography and Computational Number Theory. 2001;20:331-42. 16 pages. |
| Paral et al., Reliable and Efficient PUF-based Key Generation using Pattern Matching. IEEE International Symposium on Hardware-Oriented Security and Trust (HOST). 2011;128-33. |
| Potkonjak et al., Differential Public Physically Unclonable Functions: Architecture and Applications. DAC '11 Proceedings of the 48th Design Automation Conference. 2011. 7 pages. |
| Ravikanth, Physical one-way functions. Massachusetts Institute of Technology. Dissertation. 2001. 154 pages. |
| Rührmair et al., PUFs in Security Protocols: Attack Models and Security Evaluations. 2013 IEEE Symposium on Security and Privacy. 2013;286-300. |
| Shao, Strong designated verifier signature scheme: new definition and construction. Zhejian University of Science and Technology. IACR Cryptology ePrint Archive. 2010. 10 pages. |
| Van Dijk et al., Physical Unclonable Functions in Cryptographic Protocols: Security Proofs and Impossibility Results. Cryptolgoy ePrint Archive. Report 2012/228. Apr. 25, 2012. 36 pages. |
| Wu et al., On Foundation and Construction of Physical Unclonable Functions. IACR Cryptology ePrint Archive. 2010;171. 18 pages. |
| Yu et al., Lightweight and Secure PUF Key Storage Using Limits of Machine Learning. Proceedings of the 13th International Conference on Cryptographic Hardware and Embedded Systems, CHES '11. 2011;358-73. |
| Yu et al., Recombination of Physical Unclonable Functions. GOMACTech. 2010. 4 pages. |
| Yu et al., Secure and robust error correction for physical unclonable functions. IEEE Des Test. Jan. 2010;27(1):48-65. |
| Frikken et al., “Robust Authentication using Physically Unclonable Functions,” Information Security, vol. 5735 of Lecture Notes in Computer Science, pp. 262-277 (Springer 2009). |
| Rührmair et al., “Modeling Attacks on Physical Unclonable Functions,” Proceedings of the 17th ACM conference on Computer and communications security, CCS '10, pp. 237-249 (ACM 2010). |
| Holcomb et al., “Initial SRAM State as a Fingerprint and Source of True Random Numbers for RFID Tags,” In Proceedings of the Conference on RFID Security (2007). |
| Kumar et al., “Extended abstract: The Butterfly PUF Protecting IP on Every FPGA,” IEEE International Workshop on Hardware-Oriented Security and Trust, pp. 67-70 (2008). |
| Lee et al., “A technique to build a secret key in integrated circuits for identification and authentication applications,” IEEE Symposium on VLSI Circuits: Digest of Technical Papers, pp. 176-179 (2004). |
| Suh et al., “Physical Unclonable Functions for Device Authentication and Secret Key Generation,” Proceedings of the 44th annual Design Automation Conference, DAC '07, pp. 9-14 (ACM 2007). |
| Tuyls et al., “Read-Proof Hardware from Protective Coatings,” Proceedings of the 8th international conference on Cryptographic Hardware and Embedded Systems, CHES'06, pp. 369-383 (Springer 2006). |
| Rührmair, “Applications of High-Capacity Crossbar Memories in Cryptography,” IEEE Trans. Nanotechnol. 10:3, pp. 489-498 (2011). |
| Juels et al., “A Fuzzy Commitment Scheme,” Proceedings of the 6th ACM conference on Computer and Communications Security, CCS '99, pp. 28-36 (ACM 1999). |
| Dodis et al., “Fuzzy Extractors: How to Generate Strong Keys from Biometrics and Other Noisy Data,” SIAM J. Comput., 38:1, pp. 97-139 (2008). |
| Brzuska et al., “Physically Uncloneable Functions in the Universal Composition Framework,” Advances in Cryptology—CRYPTO 2011—31st Annual Cryptology Conference, vol. 6841 of Lecture Notes in Computer Science, p. 51-70 (Springer 2011). |
| Zheng, “Digital Signcryption or How to Achieve Cost(Signature & Encryption) « Cost(Signature) + Cost(Encryption),” Advances in Cryptology, CRYPTO '97, vol. 1294 of Lecture Notes in Computer Science, pp. 165-179 (Springer 1997). |
| Zheng et al., “How to Construct Efficient Signcryption Schemes on Elliptic Curves,” Inf. Process. Lett., 68:5, pp. 227-233 (1998). |
| Chaum et al., “An improved protocol for demonstrating possession of discrete logarithms and some generalizations,” Proceedings of the 6th annual international conference on Theory and application of cryptographic techniques, EUROCRYPT'87, pp. 127-141, Berlin, Heidelberg, 1988, Springer-Verlag. |
| Khandavilli, “A Mobile Role Based Access Control System Using Identity Based Encryption With Non-Interactive Zero Knowledge Proof of Authentication,” Dalhousie University Repository, Faculty of Graduate Studies Online Theses, Apr. 5, 2012. |
| Guajardo et al., “FPGA intrinsic PUFs and Their Use for IP Protection,” Proceedings of the 9th Cryptographic Hardware and Embedded Systems Workshop (CHES), vol. 4727, 2007. |
| Extended European Search Report dated Dec. 18, 2017 in connection with European Application No. EP 15795660.8. |
| Shao, Efficient deniable authentication protocol based on generalized ElGamal signature scheme. Computer Standards & Interfaces. 2004;26:449-54. |
| Shao et al., A Non-interactive Deniable Authentication Protocol based on Elliptic Curve Discrete Logarithm Problem. Energy Procedia. Jan. 1, 2011;11:1018-25. |
| Number | Date | Country | |
|---|---|---|---|
| 20150341792 A1 | Nov 2015 | US |
| Number | Date | Country | |
|---|---|---|---|
| 62001979 | May 2014 | US |
