A Novel Privacy Preserving Authentication and Access Control …caislab.kaist.ac.kr/publication/paper_files/2006/... · 2018-09-27 · REN etal.: NOVEL PRIVACY PRESERVING AUTHENTICATION

IEEE TRANSACTIONS ON VEHICULAR TECHNOLOGY, VOL. 55, NO. 4, JULY 2006 1373

A Novel Privacy Preserving Authentication andAccess Control Scheme for Pervasive

Computing EnvironmentsKui Ren, Student Member, IEEE, Wenjing Lou, Member, IEEE, Kwangjo Kim, Member, IEEE, and

Robert Deng, Senior Member, IEEE

Abstract—Privacy and security are two important but seem-ingly contradictory objectives in a pervasive computing environ-ment (PCE). On one hand, service providers want to authenticatelegitimate users and make sure they are accessing their authorizedservices in a legal way. On the other hand, users want to maintainthe necessary privacy without being tracked down for whereverthey are and whatever they are doing. In this paper, a novel privacypreserving authentication and access control scheme to securethe interactions between mobile users and services in PCEs isproposed. The proposed scheme seamlessly integrates two under-lying cryptographic primitives, namely blind signature and hashchain, into a highly flexible and lightweight authentication andkey establishment protocol. The scheme provides explicit mutualauthentication between a user and a service while allowing the userto anonymously interact with the service. Differentiated serviceaccess control is also enabled in the proposed scheme by classifyingmobile users into different service groups. The correctness ofthe proposed authentication and key establishment protocol isformally verified based on Burrows–Abadi–Needham logic.

Index Terms—Access control, authentication, pervasive com-puting environments (PCEs), security.

I. INTRODUCTION

P ERVASIVE computing environments (PCEs) with theirinterconnected devices and abundant services promise

great integration of digital infrastructure into many aspects ofour lives, from our physical selves to homes, offices, streets,and so forth [1], [38]. The huge number of communicatingdevices provides seamless access to multiple dynamic networksany time from any location. Users and their autonomous agentswill be able to traverse these networks, coexist with eachother, and thus create a truly ubiquitous intelligent computingenvironment.

As networking technologies become commonplace and cen-tral to everyday life, companies, organizations, and individualsare increasingly depending on electronic means to processinformation and provide relevant services in order to takeadvantage of ambient intelligence in PCEs [2], [4]–[6], [41].

Manuscript received November 9, 2004; revised July 28, 2005; and Novem-ber 25, 2005. The review of this paper was coordinated by Dr. K. Martin.

K. Ren and W. Lou are with the Department of Electrical and ComputerEngineering, Worcester Polytechnic Institute, Worcester, MA 01609-2280 USA(e-mail: [email protected]; [email protected]).

K. Kim is with the Information and Communications University, Daejeon305-732, Korea (e-mail: [email protected]).

R. Deng is with the School of Information Systems, Singapore ManagementUniversity, Singapore 188065 (e-mail: [email protected]).

Digital Object Identifier 10.1109/TVT.2006.877704

Inevitably, many of these information transactions will be sen-sitive and critical [19], and thus, it is essential to enforce “accesscontrol” to prevent information leakage and service abuse andto stop malicious attacks. In other words, dynamic access toservices should be granted only based on preestablished (director indirect) trust between users and service providers. To thisend, trust relationship by means of mutual authentication be-tween users and service providers should be established “prior”to the access of services. Traditional authentication that focuseson identity authentication may fail to work in PCEs partlybecause it conflicts with the goal of user privacy protectionand partly because the assurance achieved by entity authen-tication will be of diminishing value [19]. For instance, aservice provider may only concern whether the accessing user isauthorized or not, but has limited interest in who she is in manynoncritical scenarios. Meanwhile, services themselves shouldbe authenticated to users. Users will only accept authenticatedinformation from genuine services they intend to interact withto avoid potential deception and other malicious attacks. Theimportance of authenticating services is discussed in [13].

Another big forthcoming challenge for actually deployingpervasive computing services on a significant scale is how tohave adequate provision for handling “user privacy,” which isconsidered as one of the fundamental security concerns that areexplicitly identified by a series of laws [3]. In environmentswith significant concentration of “invisible” computing devicesgathering and collecting the identities, locations, and transac-tion information of users, users should rightly be concernedwith their privacy. At the same time, the physical outreachof pervasive computing makes preserving the users’ privacy amuch more difficult task [10], [15], [39].

Some of the user privacy issues that should be treated inPCEs have been pointed out in [8], including location privacy,connection anonymity, and confidentiality. We further clarifythe scope of privacy in PCEs as follows.

— Anonymity: The real identity of a user should never berevealed from the communications exchanged betweenthe user and a server unless it is intentionally disclosedby the user. Different communication sessions betweenthe same user and service should not be linkable.

— Context Privacy: Neither the service nor other users ofthe service should be able to learn the exact context infor-mation (e.g., location, duration, type of service request,etc.) of a user unless the user decides to divulge such

0018-9545/$20.00 © 2006 IEEE

Authorized licensed use limited to: Korea Advanced Institute of Science and Technology. Downloaded on October 12, 2009 at 00:07 from IEEE Xplore. Restrictions apply.

1374 IEEE TRANSACTIONS ON VEHICULAR TECHNOLOGY, VOL. 55, NO. 4, JULY 2006

Fig. 1. Sample PCE.

information. Users’ context information should be pro-tected against both outsiders and service providers theyinteract with.

— Confidentialityand Integrity: The interactions betweena user and a service should have both confidentialityand integrity protections whenever such protections arerequired.

In reality, the quests for authentication/access control anduser privacy protection conflict with each other in many aspects,and the problem is highly complex in PCEs as the contextinformation of users is more of a concern. On one hand, theservice generally depends on the user identity information andcorresponding preestablished trust relationship as well as theservice contract between them to accomplish user authentica-tion and conduct access control. On the other hand, the userdoes not want to be tracked by the service for wherever she isand whatever she does. The tradeoff between the two thus posesa great challenge to security designers.

In this paper, we propose a user privacy preserving authen-tication and access control scheme at the application level toaddress the security and user privacy concerns in PCEs. Theproposed scheme is implemented at the application level with-out relying on any underlying system infrastructure such as the“Lighthouse” or “mist routers,” etc., as required by many otherapproaches [2], [7], [8], [15]. The proposed scheme providesexplicit mutual authentication between the two parties while atthe same time allowing the mobile user to interact with the de-sired service anonymously without revealing her identity. Thescheme seamlessly integrates two underlying cryptographicprimitives, namely 1) “blind signature” and 2) “hash chain,”into a highly flexible and lightweight authentication and keyestablishment protocol. The scheme possesses many desirablesecurity properties, such as anonymity, nonlinkability, nonre-pudiation, accountability, differentiated services access control,etc., with very low protocol complexity (refer to Section V).The correctness of the proposed authentication and key estab-lishment protocol is also formally verified based on Burrows–Abadi–Needham (BAN) logic. To the best of our knowledge,

this work is the first attempt to an authentication and keyestablishment protocol with formally verified correctness forprivacy preserving access control to differentiated services.

The rest of this paper is organized as follows: In Section II,we describe the system architecture of PCEs and introduce thecryptographic primitives used in our scheme. We present in de-tail the proposed scheme in Section III and show the formal ver-ification of its correctness in Section IV. Then, we discuss thesecurity features and the performance of the proposed schemein Section V. Finally, we review the related work in Section VIand conclude the paper in Section VII.

II. SYSTEM ARCHITECTURE AND

CRYPTOGRAPHIC PRIMITIVES

A sample system architecture of a campus PCE is given inFig. 1. Generally, a PCE consists of three types of entities,namely 1) mobile users, 2) services, and 3) back-end authen-tication servers, in addition to the underlying wired and wire-less communication infrastructures. Note that wireless networkaccess is itself a service. User privacy should be protected notonly from outsiders but also from network service providers.Our proposed access control scheme is designed to secure theinteractions among these three types of entities as shown inFig. 2. More specifically, our scheme aims to provide anony-mous mutual authentication between the mobile user and theservice (e.g., wireless service access point for wireless networkaccess service). It also provides confidentiality and integrityprotection for the communications between the mobile user andthe service.

Our scheme is based on two cryptographic techniques,namely 1) blind signature and 2) hash chain. A brief reviewof the two techniques is provided as follows.

A. Blind Signature

The blind signature scheme [16] is a variation of the digitalsignature scheme in which the content of a message is disguised


REN et al.: NOVEL PRIVACY PRESERVING AUTHENTICATION AND ACCESS CONTROL SCHEME FOR PCEs 1375

Fig. 2. System architecture.

from its signer. Blind signature schemes can be implementedbased on a number of well-known digital signature schemes,such as the Rivest–Shamir–Adleman (RSA) scheme [33]. Toproduce a signature on a message, a user first “blinds” themessage with a “blinding function” f , typically by combiningit with a random “blinding factor” k, and then forwards theblinded message to the signer. The signer signs the blindedmessage using a standard signing algorithm, say SA(m), whichdenotes the signature of A on m, and sends the result back tothe user, who then “unblinds” it with an “unblinding function”g to obtain the signer’s signature on the original message. Thealgorithm is designed such that g(SA(f(m))) = SA(m).

Blind signatures are used to provide nonlinkability, whichprevents the signer from linking a blinded message it signed tothe unblinded version that it may be called upon to verify. In thiscase, the signed blinded value is unblinded prior to verificationin such a way that the signature remains valid for the unblindedmessage. This can be useful in schemes where anonymity isrequired. Blind signature schemes find a great deal of use inapplications where sender privacy is important. This includesvarious digital cash schemes and voting protocols [17], [18].

B. Hash Chain

One-way hash function h is a powerful yet computationallyefficient cryptographic tool, which takes a message of arbitrarysize as its input and outputs a fixed string of digits. “Oneway” means that it is computationally infeasible to derive theoriginal input from the output. By applying h() repeatedly onan initial value m, one can obtain a chain of outputs hj(m).These outputs can be used in the reverse order of generationfor the purpose of authentication: hj−1(m) can be proven to beauthentic if hj(m) has been proven to be authentic due to theone-wayness property of hash function. Hash chains togetherwith signatures are widely used in micropayment schemes suchas Payword, iKP, and Netcard [31]. In such schemes, the effectof a digital signature is reused many times over subsequentmessages (containing pre-images of a specific hash). Theconcept of a hash chain was first proposed for use in an au-thentication scheme by Lamport [35]. Recently, Weimerskirchand Westhoff adopted a hash chain technique for efficient userrecognition based on weak authentication [37].

III. PROPOSED SCHEME

This section presents our privacy preserving authenticationand access control scheme. Consider the scenario that a mobileuser wants to be able to dynamically access wireless or otheravailable services in PCEs. Due to the insecurity of the wirelesscommunication channel, the authorization of the mobile userto the particular service she requests should be verified andthe subsequent data traffic should be protected. Moreover, themobile user should have full control of her context privacy.That is, the mobile user’s context information like location,time, transaction profiles, etc., should be known only by themobile user herself; nobody else, including the service she isinteracting with, can get the clue regarding the user’s context.Therefore, the design considerations of the proposed schemeinclude 1) providing explicit mutual authentication betweenthe mobile user and the service; 2) allowing mobile users toanonymously interact with the service; 3) enabling differenti-ated service access control among different users; 4) provid-ing flexibility and scalability to both user and service sides;5) generating fresh session keys to secure the interaction if ap-plicable; 6) having high efficiency in terms of communication,computation, and management overheads; 7) providing easyaccountability; and 8) providing formally verified correctness.

Conceptually, the proposed scheme works as follows: Themobile user first generates some specific credentials (as will bedescribed in Section III-A), and then she gets these credentialsauthorized from the services through the “user authorizationprotocol.” The mobile user then uses the authorized credentialsto access the desired services and performs mutual authenti-cation with the service before actually using it. Note that atthis stage, the mobile user identifies herself only by presentingthe authorized credentials without disclosing any of her contextinformation. Upon the successful completion of the mutualauthentication process, both parties will share fresh sessionkeys that will be used to secure the subsequent data traffic of thesession. This is done through the “user operational protocol.”A “dispute resolution protocol” is also designed to solve pos-sible disputes that might rise between mobile users and serviceproviders. Table I lists the notations used throughout the de-scription of the protocols for ease of reference. Note that weassume users are capable of manipulating the source addressesof the outgoing Medium Access Control (MAC)1 frames. Thisassumption is a prerequisite for anonymous communication;otherwise, one can easily identify a user based on her uniqueMAC address. Detailed technique on this can be found, forexample, in [20] and is out of the scope of this paper.

A. User Authorization Protocol

The purpose of the user authentication protocol is to es-tablish security credentials between mobile users and serviceproviders, which can be used as the security anchor in thesubsequent mutual authentication processes whenever a mobileuser attempts to access a service. In our user authorization

1Note that MAC is used to stand for both message authentication code andmedium access control.



TABLE INOTATION

TABLE IICREDENTIAL GENERATION

protocol, the mobile user and the corresponding service (i.e.,the authentication server) need to authenticate each other first.This is typically done through some out-of-band noncrypto-graphic technique. The mobile user needs to register herself as alegal user of some service type the service provides. She obtainsthe public keys of the services of which she is entitled to use.She also needs to obtain a certificate CertU which binds heridentity U to her public key PubKU , signed by the private keyof the service PriKS . Then, the mobile user executes the userauthorization protocol to submit her credential and to obtain thesigned credential from the authentication server.

Our user authorization protocol is based on blind signature[16], which hides the association between the authorized cre-dential and the mobile user’s real identity. The user’s context in-formation can therefore be concealed from the service. Further,through a deliberately designed combination with hash chaintechnique, a series of authorized credentials, i.e., a credentialchain2, can be obtained by the mobile user in one protocol run,which increases the protocol efficiency.

The proposed user authorization protocol contains two steps:1) “credential generation” and 2) “credential authorization.”The mobile user generates her own specific credentials asshown in Table II:

The mobile user first generates two fresh nonces. Then, shesigns her own identity together with one fresh nonce usingher private key. Next, she computes the anchor value C0 ofthe credential chain with the signature. Clearly, the signature

2The same notion is used in [43] but with a different definition. In [43], acredential chain means a delegation chain from the source of authority to therequester.

TABLE IIICREDENTIAL AUTHORIZATION

contained in C0 provides a nonrepudiation property. This istrue because only the mobile user herself can generate it, andthe fresh nonce guarantees its freshness. Then, a credentialchain is computed via hash operation. The length n can beadjusted to the proper value depending on the actual frequencyof usage and storage capability. In the last step, the mobile userblinds the credential chain tail Cn by using the blind signaturetechnique. Next, the mobile user sends out the blinded Cn forauthorization as shown in Table III. The authentication serversigns Cn with the private key of the requested service type andreturns the signed credential back to the mobile user.

• Besides the general public key PubKS for user authen-tication purposes, the service maintains a pool of publickeys corresponding to different service types. We assumethat the mapping between the service type identifier SIDand its corresponding public key is clear to the mobileuser. The authorized credentials of different service typesare actually signed by different private keys. This allowsfor differentiated access control in the subsequent stage. Ifthe scope and the meaning of service types are carefullydefined, and the services are therefore well classified, thecombinational usage of several authorized credentials atthe same time can further improve the ability to enablehigher level differentiated service access control. This willalso improve the flexibility and scalability of the proposedscheme.



• Once the signed credential is returned to the mobileuser, the computation of CS/r′U indeed results in a validsignature on Cn due to the property of blind signature.Therefore, after protocol execution, the mobile user holdsa verifiable authenticator—credential Cn and its signature.Although the authentication server does not know what thevalue of Cn is at the time it signs it, the authenticity of Cn

can be verified by the signature. Therefore, once the au-thenticator is submitted to the authentication server, theauthentication server will be able to verify and grant theservice request. However, it still has no information aboutwho the user is, except for her requested service type.

• Although the authentication server signs only the nthcredential Cn, the remaining hash chain values C0 throughCn−1 are authorized implicitly at the same time due tothe one-wayness nature of the hash function. Note thatthe values of the credential hash chain should never berevealed to any third party.

• The mobile user can also generate several different cre-dential hash chains at the same time and get each Cn

signed by the authentication server simultaneously in oneprotocol run. Hence, the protocol efficiency can be furtherimproved, as well as the flexibility.

The user authorization protocol allows the mobile user toobtain authorized credentials from the service provider. Notethat the user authorization protocol runs only when the mobileuser’s authorized credentials are exhausted or for first-timeregistration. The user authorization protocol is highly flexible.It can be accomplished via both online and offline approaches(i.e., in-person interaction and so on). It can also be accom-plished through the agent of the mobile users. We can easilyimagine that the network manager or administration staff canacquire authorized credentials from service providers on behalfof the users in a company and then distribute them to the user.This delegable feature greatly improves the usage flexibilityof the mobile users and allows dynamic authorization. It alsosignificantly simplifies the management overheads at the ser-vice side. The authentication server is now able to manageonly one certificate for each user group instead of those of allgroup members.

B. User Operational Protocol

The user operational protocol allows a mobile user to safelyenjoy different kinds of services she is authorized to in PCEsanytime from anywhere without disclosing any of her contextinformation unless she is willing to do so and it is absolutelynecessary (e.g., in case of disputes). Conceptually, the useroperational protocol works as follows:

The mobile user first sends an access request, which containsa service access capability claim and an authenticator used toprove her legitimacy to the service requested, to the serviceaccess point such as the wireless network access point ora network printer. The authenticator includes an authorizedcredential and a fresh nonce. The service access point simplyforwards this access request message to its back-end authenti-cation server for authentication. Upon receiving the forwardedaccess request, the authentication server decrypts and verifies

the authenticity of the contained credential. The authenticationserver also checks whether the current service access pointconforms to the user’s service type. If both results are positive,the authentication server ascertains that the mobile user isindeed authorized to access this particular service although ithas no idea who the mobile user is, except for the servicetype the user belongs to. Hence, it replies to the service accesspoint with an access grant, which otherwise would be anaccess deny message. The access grant message contains thedecrypted authenticator information of the mobile user it justverified. We assume that there is a secure tunnel (e.g., IPsecESP mode [26]) between the service access point and its back-end authentication server so that the former can securely getthis piece of secret information sent by the latter. Note that thisprocess is transparent to the mobile user. The service accesspoint then computes two fresh session keys (i.e., encryptionkey and integrity key) with the obtained secret information andgenerates a fresh nonce of its own. Next, the service accesspoint encrypts the obtained secret information and its ownidentity with one of the new session keys (i.e., encryption key)and finally replies to the mobile user with an access grantmessage containing the fresh nonce and the previous encryptedinformation. Upon receiving this message, the mobile usercould compute two session keys in the same manner. Afterdecrypting the access grant message with the shared encryptionkey, the mobile user now authenticates the service side bychecking the validity of the decrypted value with her own. Ifthe result is positive, the mobile user ascertains that the currentservice is legal. This concludes the mutual authentication, andnow both parties share two fresh session keys, which can beused to secure the subsequent data traffic in this session. Theuser operational protocol is outlined in Table IV, describing asuccessful protocol run.

• In the access request message 1), the mobile user encryptsa fresh nonce rU and an authorized credential Cj withthe service’s public key that is used for authenticationpurposes. The encryption operation has dual purposes: 1)keep the secrecy of rU and Cj from eavesdropping; 2)service authentication, because only the user’s intendedlegitimate service can decrypt the message correctly. TheSID is provided to claim the user’s capability to accessthe targeted service.

• When the authorized credential chain is used forthe first time, i.e., Cj = Cn, the mobile user shouldsend both Cn and its signature for authentication. Inthis case, the access request message 1) would be{rU , Cn, {Cn}PriKSID

}PubKS. Each credential is used

exactly once, that is, used in only one session and isobsoleted afterward. Hence, an authorized credential chainof length n can be used to access the services for n sessionsbefore all credentials are exhausted. The use of a differentcredential for each session is necessary to defend againstthe replay attack and possible double spending problem(e.g., for accountability).

• The authentication of the submitted credential at theservice side is as follows: If a credential is submittedtogether with its signature, that is, (Cn, {Cn}PriKSID

),



TABLE IVUSER OPERATIONAL PROTOCOL

the authentication server verifies the signature using thecorresponding public key by referring to SID the samemessage. A negative result will trigger an access denymessage sent to the service access point. A positiveresult confirms the validity of the submitted credential.A duplication check on Cn should be first executedbefore signature verification to prevent a potential doublespending of Cn. Upon success of the verification, theauthentication server saves Cn according to its servicetype. Recall that in the last subsection, we pointed outthat each different public key is used to bind a particularservice type. Thus, although the authentication servercould not know who the user is, it does know this user’scapability to access the services, that is, whether she iseligible for the requested service through the submittedcredential. Hence, a differentiated service access control iseasily realized. If the submitted credential is a single valueCj , the back-end server simply verifies whether h(Cj)matches the currently stored credential whose belonginghash chain is indexed by Cn. The authentication serverthen updates the currently stored Cj+1 with Cj . Theremaining operation is the same as above. Note that, foreach different credential chain, the authentication serverstores exactly two values: the signed Cn and the newest(current) Cj . This is for dual purposes: 1) for the easeof credential authentication on Cj , j < n; 2) preventpotential double spending of the credentials for all Cjs.

• The traffic between the service access point and its back-end server is assumed to be protected by a private or

previously established secure tunnel, which is beyond thedesign range of this protocol.

• The service access point has no responsibility for userauthentication. It simply defers this job to its back-endserver. The computation and management overheads atthe service access point are minimized, and little storagecapability is required: 1) no public key operations; 2) nolong-term key and certificate management; 3) session keysare discarded once the session is terminated; 4) hash andsymmetric key operations only. Hence, it is very simpleand efficient, which could greatly decrease its cost andhelp wide deployments.

• The service access point and the mobile user compute thefresh session keys independently, and the authenticationserver has no control over the computed session keys.The fresh nonce used in key generation guarantees thefreshness of the session keys. Two fresh session keysare generated. One is for encryption and the other is forintegrity protection, i.e., generating the message authenti-cation code (MAC) [34].

• The fresh nonces rP , rU are then used by the mobile userand the service access point to identify the session betweenthem, that is, binding the two communication parties andthe exchanged traffic together. We can see that there isno way to identify the session between the two otherwisebecause both two parties may interact with many other par-ties at the same time, especially for service access point.

• The one-time usage feature of the authorized credentialsand its linkage with the service type provide effective



accountability. Similar to the micropayment schemes, theaccounting mechanism can be easily incorporated intothe system in nearly the same manner. We point out thatdouble spending of the authorized credentials actuallydoes not affect the system security as proved in Section V.Hence, the choice between one-time or multiple usage ofthe authorized credentials can be a simple policy decision.It can also be dynamically switched according to realsituations.

C. Extension for Out-of-Order Requests

Sometimes, a mobile user might want to launch multiplesessions simultaneously. Note that if the multiple sessions arewith respect to different service types, or if the multiple sessionsare of the same service type but come to the authenticationserver in the same order as they were originated, the proposedprotocol can handle them well. However, if the multiple con-current sessions are with respect to a single service, but forsome reason (e.g., unexpected network problems, DoS attacks)the access request messages arrive out of order at the back-end authentication server, one or more legitimate requests willbe deemed illegal by the user operational protocol we justdescribed. In this subsection, we present a simple extensionto the user operational protocol to deal with such out-of-orderarrival of access requests at the authentication server.

Our solution is a sliding-window-based extension to thecredential authentication procedure at the authentication server.Recall that in the previous setting, each hash chain stores twovalues: Cn, used as the index of the hash chain, and Cj , themost recently used hash value. A submitted credential is hashedonly once and compared with Cj . In the extension, the back-endauthentication server is allowed to store up to k + 1 hash valuesfor each hash chain: Cn and a window of up to k hash values.A submitted credential may be hashed up to k − 1 times; oncea hashed value is found equal to a value already in the window,the credential may be accepted. The extension works as follows:Obviously, at the beginning, when all the requests come inorder, there is only one value kept in the window—the mostrecently used value Cj . At this time, when the next credentialCj1 comes, 1) if it comes in order, namely j1 = j − 1 or Cj =h(Cj1), the window will move forward by one place, whichmakes Cj1 the first value in the window while the rest of theplaces in the window remains empty; 2) if j − k < j1 < j − 1,which means that Cj1 is hashed more than once to be equal toCj , the window remains where it is and the value Cj1 is savedat the corresponding location, i.e., (j − j1 + 1)th place in thewindow; 3) otherwise, if a match is not found after k hashes,the credential is rejected. Similarly, when there are multiplecredentials in the window, the following process applies for thenext arrived credential Cj2 : 1) If Cj2 equals any of the existingcredentials, it is a double submission and the correspondingsession should be rejected. 2) If j2 = j − 13, the credentialis valid and the window moves forward by one place, whichmakes Cj2 the first credential in the window. Further, if itsnext position (j2 − 1) is not empty, the window will continue

3We still assume that Cj is the first credential in the window.

Fig. 3. Sliding-window-based credential authentication procedure (fork = 5).

to move forward until it reaches a value Cj3 whose nextposition (j3 − 1) is empty. This operation will ensure that thesecond location in the window is always empty. 3) If j − k <j2 < j − 1, the window remains unmoved, and the value Cj2

is saved at the corresponding empty location in the window.4) Otherwise, the credential is simply rejected. Fig. 3 shows anexample of how an out-of-order arrival of requests is handledby this extension.

Note that in this extension, k (k � n) is the maximumdistance between two access requests that go out of order. Therequests are of the same type and from the same mobile user.Since the time needed to complete the whole authentication isin a scale of milliseconds or at worst seconds, it is very unlikelythat a mobile user can launch a large number of sessions andhave them go out of order. Therefore, this number could bevery small. Note that the number of concurrent sessions theuser could have is not limited by k. A user may still have alarge number of concurrent sessions as long as she initializeseach of them with a small time separation.

In the proposed user operational protocol, we assume thatan incomplete session will always be due to the failure of themobile user. The packets lost in the network can be resent byreliable link/transport protocols or a failure notification willbe returned to the source. If a mobile user gets no reply aftersending an access request message, it would resend the samemessage again until obtaining a corresponding reply. However,to make the scheme highly robust to unexpected network prob-lems, we may allow the window to move forward when the lastposition of the window is filled while the second position hasyet not filled. On the other hand, as long as an access requestmessage is successfully received and processed (replied) by theservice access point (i.e., as long as an access acknowledgementmessage is sent back to the mobile user by the service side),the submitted credential is void thereafter even if the mobileuser may fail to continue the subsequent session. Note that theaccess acknowledgement message may be resent many timesbefore the session is aborted by the service access point. Sincewe generally consider a micropayment case, dropping a singlecredential occasionally does not affect much on accountability.

IV. CORRECTNESS VERIFICATION OF THE

PROPOSED SCHEME

In this section, we formally verify the correctness of the pro-posed user operational protocol based on the BAN logic [12],



TABLE VGOALS OF CORRECTNESS VERIFICATION

which is a formal logic widely used to reason about beliefs,encryption, and protocols. Although BAN logic does have itsown limitations, it is simple and has been successfully appliedto many protocols. Protocol correctness means that, after proto-col execution, both of the communication parties ascertain thatthey are sharing a fresh session key, and both are sure that thesame belief is held by the other side too. Table V expresses thisverification goal following the BAN logic. In order to eliminatethe expression complexity, we simplify the two protocols intotheir generic types. In the following description in this section,we use the following notations by convention: A and B are twoentities, Kab is the fresh session key shared between A and B,and (Ka, K−1

a ) and (Kb, K−1b ) are the public/private key pairs

of entities A and B, respectively; other notations follow thoseof BAN logic [12].

In the user operational protocol, the service access point andthe back-end authentication server trust the authenticity andintegrity of the messages exchanged between them becausea secure communication channel is assumed between them.Therefore, without loss of generality, we simplify the useroperational protocol into the following generic type shown inTable VI, which is further idealized in the same table. We omitthe unnecessary steps. We focus on the messages exchangedbetween the mobile user and the service access point and verifywhether both parties can ascertain that they share a fresh sessionkey Kab with each other.

The assumptions we make before the verification are

1) A |≡ Kb�→ B;

2) B |≡ Kb�→ B;3) A |≡ �(Na);4) B |≡ �(Nb);

5) A |≡ ACj

� B;

6) B |≡ ACj

� B;

7) A |≡ B |≡ ACj

� B;

8) B |≡ A |≡ ACj

� B;

9) A |≡ �(ACj

� B);

10) B |≡ �(ACj

� B);11) A |≡ B |⇒ A

Kab←→ B;

12) B |≡ AKab←→ B;

13) B |≡ A |∼ (A Kab←→ B).

The first two assumptions state that both entities A and Bbelieve that B possesses a public key Kb. Assumptions (3)and (4) mean that A and B generate two fresh nonces Na andNb, and therefore, assure their freshness. Assumptions (5)–(10)are about the authorized credentials shared between the two

TABLE VIGENERIC TYPE OF THE USER OPERATIONAL PROTOCOL

parties. When j = n, the authentication server believes thatCn is the secret shared between an authorized user and itselfbecause it can easily verify the authenticity of Cn through theattached signature. So although the authentication server has noinformation about who the mobile user is, it still believes thatCn is an authentic secret shared between the two. The blind sig-nature technique and our user authorization protocol ensure thisvery nice property. When j < n, the authentication server holdsthe same belief because of the one-wayness property of thehash chain. The Cn values, after verification, are stored in theauthentication server to prevent the possible reuse of the samevalue4, which ensures the freshness of the Cn values. EachCj ∼ (j < n) is guaranteed to be fresh, e.g., used only once,because the matching window is constantly moving whenever aCj value has been used. Formal verification on these beliefs onthe hash chain scheme can be found in [37] and is omitted heredue to space limitations. Assumption (11) tells that A believesB has jurisdiction right over Kab, because once A generates Na

and sends it to B together with shared secret Cj , the value of thefinal Kab is determined by the nonce Nb generated by B fromthe viewpoint of A. Assumptions (12) and (13) hold because Binvents the fresh session key Kab with a shared secret betweenA and B and a fresh nonce chosen by itself. The verification isoutlined in Table VII.

Equations (18), (19), (21), and (24) together accomplish theverification. Note that assumptions (9) and (10) are not usedin the verification, which means that even if the authorizedcredential is not fresh, the correctness of the protocol still holds.This property implies that the authorized credentials can bereused without affecting the system security.

V. ANALYSIS OF THE PROPOSED SCHEME

A. Security-Related Properties of the Proposed Scheme

The proposed scheme exhibits many nice security-relatedproperties as discussed below.

Mutual Authentication: In the proposed scheme, the mobileuser is authenticated based on her authorized credential inthe sense that the service knows the user is indeed legal andauthorized. The service authenticates itself to the user throughits public key certificate and by showing its knowledge of the

4In this case, a mechanism to obsolete old Cn values is necessary. Forexample, the authentication server can change the public/private key pairs forthe service types periodically.



TABLE VIIVERIFICATION OF THE USER OPERATIONAL PROTOCOL

corresponding private key. The mutual authentication is highlynecessary in the PCEs as discussed before to prevent potentialmalicious attacks from both sides.

User Context Privacy: The users’ context privacy is wellprotected by the proposed scheme; only absolutely necessaryinformation is known to the service, i.e., users’ service type, inorder to grant appropriate access. Through the blind signaturetechnique, mobile users could be authenticated anonymouslywithout disclosing any other information. All the service sideknows is that some legal users are accessing some particularservices. The information is also protected against outsiders.No third party has the ability to acquire the user’s contextinformation as all the interaction traffic is well protected.

Nonlinkability: Ideally, nonlinkability means that, for bothinsiders (i.e., service) and outsiders, 1) neither of them couldascribe any session to a particular user, and 2) neither ofthem could link two different sessions to the same user [42].In the proposed scheme, ideal nonlinkability is achieved withrespect to outsiders. Because the authorized credential is nevertransmitted in plain text and is always combined with freshnonce in the message, an outsider cannot ascribe a session to aparticular user, neither can he ascribe two sessions to the sameuser. Hence, users’ transaction profiles are well protected. Onthe other hand, using the hashing chain could allow the serviceprovider to link up to n sessions using the hash values from thesame chain to the same user, where n is the length of the hashchain. However, the service provider cannot ascribe such infor-mation to a particular user due to the underlying blind signaturetechnique used. In addition, such a linkage is limited to n ses-sions only; there is no relationship among different hash chains.Therefore, there is no interhash chain information that can beaccumulated by the service provider. Hence, users’ transactionprofile can still be well protected from the service provider.

Accountability and Nontransferability Equivalency: In theproposed scheme, the credentials are authorized only when

TABLE VIIIPROTOCOL SECURITY FEATURES COMPARISON

the mobile user is explicitly authenticated. The one-time usageproperty of the authorized credentials prevents the doublespending problem and further provides good accounting ca-pability, which allows the accounting function be easily in-corporated5. Furthermore, from the service point of view, theproposed scheme provides equivalent nontransferability. Thatis, even the credentials are delegated among users, no harm isdone to the service provider in the sense that the authorizeduser is responsible for all the service received by her authorizedcredentials. This novel feature greatly reduces the service abuseproblem worried by the service providers. Using blind signature[21] alone cannot provide this property because there is no wayto prevent the double spending problem and hence no way toprevent service abuse problem.

Data Traffic Protection: The user operational protocolgenerates fresh session keys to protect the interaction datatraffic between the mobile user and the service. Data confi-dentiality and integrity can be provided based on symmetriccryptography.

Differentiated Service Access Control: By classifying mo-bile users into different service types, differentiated serviceaccess control is enabled in our scheme. Different mobile usersare authorized accordingly based on the service types to whichthey belong. “User authorization” is therefore accomplishedin a differentiated way. Moreover, the combinational usageof the different credentials may help to provide high-leveldifferentiated service access control, which is beyond the scopeof this paper.

Formally Verified Correctness: The proposed scheme is se-cure as sound as the underlying cryptosystem against bothpassive and active attacks. We verified the correctness of theproposed scheme in the above section based on the well-knownBAN logic.

We compare our scheme to other similar approaches that areintended to provide anonymous interactions between the usersand the services (Table VIII). The advantage of our schemeis shown clearly.

5For example, we can limit the amount of service one credential is entitled,thus making the amount of service measurable.



TABLE IXPROTOCOL COMPUTATION OVERHEADS COMPARISON

B. Performance of the Proposed Scheme

Despite the number of desirable security properties provided,the proposed scheme is extremely lightweight. We analyze theoverheads introduced in this subsection.

Management Overhead: The proposed scheme involvesminimal management overheads (e.g., human interaction). Theservice provider needs to manage one certificate per user andthe corresponding user profile. Due to the delegation property,this number can be significantly reduced to that of the usergroups (i.e., one user per group). On the other side, each mobileuser needs to manage the certificates of the service provider andthe different service types she belongs to.

Storage Overhead: While the protocol is running, the back-end authentication server stores two values (Cj , Cn) for eachcurrently in-use credential chain and one value (Cn) for eachof the used but unexpired chain. The service access pointmaintains no permanent user information or key information.Each service access point only stores two session keys persession, besides two nonces to identify that session. The mobileuser stores the two random nonces (r′U , r′′U ) and the credentialchains authorized to her (e.g., C0, . . . , Cn and signature ofCn). In addition, the mobile user should store two nonces andtwo session keys for each ongoing session. The method to storea hash chain can have a computation and storage tradeoff. Themobile user can also choose to store the anchor value and thecurrent value of the hash chain only and compute the neededvalue on-the-fly.

Communication Overhead: The user operational protocolrequires two rounds to accomplish mutual authentication andsession key establishment between the user and the service.Note that two rounds is the minimum number for any authen-ticated key establishment protocol to fulfill its goal. Therefore,the proposed scheme is highly efficient in the sense of commu-nication overhead.

Computation Overhead: The mobile user performs one pub-lic key operation per session, and all the remaining are hash andsymmetric cryptographic operations. The public key operationcan be done offline. The authentication server also needs to doone public key operation per session and one additional sig-nature verification for each authorized credential chain (whichcould be used for n sessions). The service access point is com-pletely exempted from performing public key operations. Wecompare in Table IX the computation overhead of the proposedscheme with the scheme proposed in [21]. It is observed that theproposed user operational protocol is extremely lightweight.

Notice that our protocol is much more efficient than [21]despite so many additional security features as discussed above.In [21], the authentication server needs to perform one signa-

ture verification every session in addition to one public keydecryption. The server could therefore be the bottleneck of thewhole system due to the potentially large amount of concurrenttransactions. Moreover, the service access point is required toperform one public key operation for each session, which isalso a heavy burden to it. For instance, a wireless access pointwill have great trouble to perform public key operations forevery user in every session due to its constrained computationcapability.

VI. RELATED WORK

Recently, quite a few papers have been published to addressthe new security and privacy challenges in PCEs [7]–[9], [11],[15], [19], [21], [24], [25], [27], [30], [39], [40]. However, mostof these results fall in the scope of establishing general securityframework and identifying general security requirements, with-out providing concrete security protocols. Some of these effortsfocused on designing specific security infrastructures to protectuser context privacy like location information from serviceproviders. The MIST system [7], [8] provides user anonymitythrough an overlay network assuming the existence of a “Light-house,” which keeps all information of all the users. In addi-tion, performance degradation is unavoidable for systems thatutilize the MIX network style approach [14]. A proxy-basedscheme can be found in [11]. Another recent infrastructure-based approach, LEXP, can be found in [11]. Some effortstry to maximize user privacy by restricting access to users’context information. Hengartner and Steenkiste suggested anarchitecture to filter out user context information [22].

The remaining efforts mostly focused on identity manip-ulation approaches, most of which originated from Chaum’sanonymous ID-based scheme in 1985 [18]. This general schemeallows users to interact with different services anonymously us-ing pseudonyms. Pseudonyms cannot be linked, but are formedin such a way that a user can prove to one service about hisrelationship with another using a “statement.” Such a statementis called a credential. An in-depth description and analysis ofdifferent pseudonym systems can be found in [28].

Jendricke et al. [24] introduced an identity managementsystem in PCEs where a user is issued multiple identities,and the user uses them depending on applications. The paperonly presented a general framework of using virtual identitiesto protect user privacy while performing access control andauthentication, but did not give any concrete protocols. Morerecently, He et al. [21] presented a simple anonymous IDscheme for PCEs, which is a direct application of Chaum’sblind signature technique [16]. However, the scheme suffersfrom several drawbacks as discussed in Section V.

Henrici and Muller [23] utilized hash functions to recomputeidentifiers of a radio frequency identification (RFID) deviceevery time it sends a request to service providers. Their in-tention was to protect the location privacy of RFID devices.Another approach proposed by Weimerskirch et al. uses hashfunctions to realize efficient weak authentication [37]. In orderto avoid leakage of user’s MAC address or IP address at lowerlevels, Gruteser and Grunwald [20] came up with a method tohide user’s MAC address with anonymous IDs so that the usercannot be tracked in a wireless LAN environment.



VII. CONCLUSION

In pervasive computing, mobile users interact seamlesslywith abundant services anytime, anywhere. However, user pri-vacy is at great risk in PCEs because of its inherent perva-sive and heterogeneous nature. Legitimate service providersmay also suffer from abuse from unauthorized and malicioususers. The conflict between user privacy protection and userauthentication makes security design in PCEs a very chal-lenging task.

In this paper, we proposed a privacy preserving authentica-tion and access control scheme to secure interactions betweenmobile users and services in PCEs. On one hand, the proposedscheme provides explicit mutual authentication between a mo-bile user and a service; on the other hand, it allows the mobileuser to anonymously interact with the service. Hence, the pro-posed scheme successfully satisfies concerns of both parties—security and privacy. The scheme integrates two cryptographicprimitives, namely 1) blind signature and 2) hash chain, into ahighly flexible and lightweight authentication and session keyestablishment protocol. Differentiated service access controlis also enabled in the proposed scheme by classifying mo-bile users into different service types. The correctness of theproposed authentication and key establishment protocol wasformally verified based on BAN logic.

In the future, we would like to extend our scheme to context-aware services in PCEs. In this scenario, certain aspects ofuser context information should be authenticated and presentedto the services. How to disclose necessary authenticated usercontext information to context-aware services without affectinguser privacy is our future work.

ACKNOWLEDGMENT

The authors would like to thank anonymous referees for theirconstructive comments that helped improve the manuscript.

REFERENCES

[1] “Easy living,” Microsoft Research. [Online]. Available: http://research.microsoft.com/easyliving/

[2] GAIA—Active Spaces for Ubiquitous Computing, Univ. Illinois at Urbana-Champaign. [Online]. Available: http://choices.cs.uiuc.edu/gaia/

[3] Location Privacy Protection Act And Other Privacy Related Law. [On-line]. Available: http://www.techlawjournal.com/cong107/Privacy

[4] MIT Project Oxygen. [Online]. Available: http://oxygen.lcs.mit.edu/[5] National Institute of Standards and Technology (NIST), Pervasive Com-

puting SmartSpace Laboratory. [Online]. Available: http://www.nist.gov/smartspace/

[6] The Aware Home, Georgia Inst. Technol. [Online]. Available: http://www.cc.gatech.edu/fce/ahri/

[7] J. Al-Muhtadi, R. Campbell, A. Kapadia, D. Mickunas, and S. Yi, “Rout-ing through the mist: Privacy preserving communication in ubiquitouscomputing,” in Proc. ICDCS, Vienna, Austria, 2002, pp. 65–74.

[8] ——, “Routing through the mist: Design and implementation,” Mar. 2002UIUCDCS-R-2002-2267.

[9] J. Al-Muhtadi, A. Ranganathan, R. Campbell, and M. Mickunas, “A flexi-ble, privacy-preserving authentication framework for ubiquitous comput-ing environments,” in Proc. ICDCS Workshops, 2002, pp. 771–776.

[10] ——, “Cerberus: A context-aware security scheme for smart spaces,” inProc. PerCom, 2003, p. 489.

[11] M. Burnside et al., “Proxy-based security protocols in networked mobiledevices,” in Proc. ACM SAC, Madrid, Spain, 2002, pp. 265–272.

[12] M. Burrows, M. Abadi, and R. Needham, “A logic of authentication,” inProc. Royal Soc. London A, 1989, vol. 426, pp. 233–271.

[13] L. Bussard and Y. Roudier, “Authentication in ubiquitous computing,” inProc. Workshop Security UBICOMP, Goteborg, Sweden, 2002.

[14] J. Camenisch and A. Lysyanskaya, “Efficient non-transferable anonymousmulti-show credential system with optional anonymity revocation,” inProc. Advances Cryptology, EUROCRYPT, 2001, vol. 2045, pp. 93–118.

[15] R. Campbell, J. Al-Muhtadi, P. Naldurg, G. Sampemane, andM. Mickunas, “Towards security and privacy for pervasive computing,”in Proc. ISSS, 2002, pp. 1–15.

[16] D. Chaum, “Blind signatures for untraceable payments,” in Proc.Crypto—Advances Cryptology, D. Chaum, R. L. Rivest, and A. T. Sher-man, Eds. New York: Plenum, 1982, pp. 199–203.

[17] ——, “Untraceable electronic mail, return addresses, and digitalpseudonyms,” Commun. ACM, vol. 24, no. 2, pp. 84–88, Feb. 1981.

[18] ——, “Security without identification: transaction systems to make bigbrother obsolete,” Commun. ACM, vol. 28, no. 10, pp. 1030–1044,Oct. 1985.

[19] S. Creese, M. Goldsmith, B. Roscoe, and I. Zakiuddin, “Authenticationfor pervasive computing,” in Proc. Security in Pervasive Computing 2003,2004, vol. 2802, pp. 116–129.

[20] M. Gruteser and D. Grunwald, “Enhancing location privacy in wirelesslan through disposable interface identifiers: A quantitiative analysis,” inProc. WMASH, San Diego, CA, 2003.

[21] Q. He et al., “The quest for personal control over mobile location privacy,”IEEE Commun. Mag., vol. 42, no. 5, pp. 130–136, May 2004.

[22] U. Hengartner and P. Steenkiste, “Access control to information in perva-sive computing environments,” in Proc. 9th Workshop HotOS IX, Lihue,HI, May 2003.

[23] D. Henrici and P. Muller, “Tackling security and privacy issues in ra-dio frequency identification devices,” in Proc. PERVASIVE. New York:Springer-Verlag, 2004, vol. 3001, pp. 219–224.

[24] U. Jendricke, M. Kreutzer, and A. Zugenmaier, “Pervasive privacy withidentity management,” in Proc. 1st Workshop Security, UbiComp, 2002.

[25] ——, “Mobile identity management,” in Proc. 1st Security Workshop,UBICOMP, Sep. 2002.

[26] S. Kent and R. Atkinson, “Security architecture for the internet protocol,”IETF RFC 2401, 1998.

[27] M. Langheinrich, “A privacy awareness system for ubiquitous computingenvironments,” in Proc. UbiComp, 2002, vol. 2498, pp. 237–245.

[28] A. Lysyanskaya, R. Rivest, A. Sahai, and S. Wolf, “Pseudonym systems,”in Selected Areas in Cryptography, H. Heys and C. Adams, Eds. NewYork: Springer Verlag, 2000, pp. 184–199.

[29] A. Menezes et al., Handbook of Applied Cryptography. Boca Raton, FL:CRC, 1997.

[30] K. Nakanishi, J. Nakazawa, and H. Tokuda, “LEXP: Preserving user pri-vacy and certifying location information,” in Proc. 2nd Workshop SecurityUbicomp, 2003.

[31] D. Park, “Cryptographic protocols for third generation mobile communi-cation systems,” Ph.D dissertation, Queensland Univ. Technol., Brisbane,Australia, 2001.

[32] R. Rivest, Electronic Voting. [Online]. Available: http://theory.lcs.mit.edu/~rivest/Rivest-ElectronicVoting.pdf

[33] R. Rivest, A. Shamir, and L. Adleman, “A method for obtaining digitalsignatures and public-key cryptosystems,” Commun. ACM, vol. 21, no. 2,pp. 120–126, Feb. 1978.

[34] R. Rivest, “The MD5 message digest algorithms,” IETF RFC 1321, 1992.[35] L. Lamport, “Password authentication with insecure communication,”

Commun. ACM, vol. 24, no. 11, pp. 770–771, Nov. 1981.[36] M. Satyanarayanan, “Pervasive computing: Vision and challenges,” IEEE

Pers. Commun., vol. 8, no. 4, pp. 10–17, Aug. 2001.[37] A. Weimerskirch and D. Westhoff, “Zero common-knowledge authentica-

tion for pervasive networks,” in Proc. SAC, 2003, pp. 73–87.[38] M. Weiser, “The computer for the 21st century,” Sci. Amer., vol. 265,

no. 3, pp. 94–104, Sep 1991.[39] M. Wu and A. Friday, “Integrating privacy enhancing services in ubiq-

uitous computing environments,” in Proc. 4th Int. UBICOMP WorkshopSecurity Ubiquitous Comput., 2002.

[40] A. Zugenmaier and A. Hohl, “Anonymity for users of ubiquitous comput-ing,” in Proc. Security Workshop—UbiComp, Seattle, WA, Oct. 2003.

[41] M. Raisinghani, A. Benoit, J. Ding, M. Gomez, K. Gupta, V. Gusila,D. Power, and O. Schmedding, “Ambient intelligence: Changing formsof human-computer interaction and their social implications,” J. DigitalInf., vol. 5, no. 4, p. 271, Aug. 24, 2004.

[42] S. Xu and M. Yung, “K-anonymous secret handshakes with reusablecredentials,” in Proc. ACM Conf. CCS, 2004, pp. 158–167.

[43] N. Li, W. Winsborough, and J. Mitchell, “Distributed credentialchain discovery in trust management,” in Proc. ACM Conf. CCS, 2001,pp. 156–165.



Kui Ren (S’04) received the B.Eng. and M.Eng. de-grees from Zhejiang University, Zhejiang Province,China, in 1998 and 2001, respectively. He is cur-rently working toward the Ph.D. degree at theElectronics and Communications Engineering De-partment, Worcester Polytechnic Institute, Worces-ter, MA.

He was a Research Assistant with the Shanghai In-stitute of Microsystem and Information Technology,Chinese Academy of Sciences, Shanghai, China,from March 2001 to January 2003; the Institute for

Infocomm Research, Singapore, from January 2003 to August 2003; and theInformation and Communications University, Daejeon, Korea, from September2003 to June 2004. His research interests include ad hoc/sensor networksecurity, wireless mesh network security, Internet security, and security andprivacy in ubiquitous computing environments.

Wenjing Lou (M’03) received the B.E. and M.E.degrees in computer science and engineering fromXi’an Jiaotong University, Xi’an, China, in 1993and 1996, respectively, the M.A.Sc. degree fromthe Nanyang Technological University, Singapore, in1998, and the Ph.D. degree in electrical and com-puter engineering from the University of Florida,Gainesville, in 2003.

From December 1997 to July 1999, she was aResearch Engineer in the Network Technology Re-search Center, Nanyang Technological University.

She is currently an Assistant Professor in the Electrical and Computer Engineer-ing Department, Worcester Polytechnic Institute, Worcester, MA. Her currentresearch interests are in the areas of ad hoc and sensor networks with emphaseson network security and routing issues.

Kwangjo Kim (M’93) received the B.Eng. andM.Sc. degrees from Yonsei University, Seoul, Ko-rea, in 1980 and 1983, respectively, and the Ph.D.degree from Yokohama National University, Yoko-hama, Japan, in 1991.

He is currently a Full Professor at the Informationand Communications University (ICU), Daejeon,Korea, the Director of the International ResearchCenter for Information Security, ICU, and the Chairof the Asiacrypt Steering Committee. He has ledCoding Technique Section #1 with the Electronics

and Telecommunication Research Institute and served as the Director of theInternational Association for Cryptologic Research and Institute for IT-GiftedYouth at the ICU. He has more than 20 patents and more than 150 technicalpublications in international conferences and journals in the areas of crytogra-phy and information security and has edited three volumes of Lecture Notes inComputer Science by Springer Verlag.

Dr. Kim has served as General Chair, Program Chair, and Program Commit-tee Member of numerous international conferences.

Robert Deng (SM’04) received the B.Eng. degreefrom the National University of Defense Technology,Hunan, China, and the M.Sc. and Ph.D. degrees fromthe Illinois Institute of Technology, Chicago.

He was a Principal Scientist and the Managerof the Infocomm Security Department, Institute forInfocomm Research. He is currently a Professor andthe Director of the SIS Research Center, School ofInformation Systems, Singapore Management Uni-versity, Singapore. He has more than 20 patents andmore than 140 technical publications in international

conferences and journals in the areas of digital communications, network anddistributed system security, and information security.

Dr. Deng has served as General Chair, Program Chair, and Program Commit-tee Member of numerous international conferences. He received the UniversityOutstanding Researcher Award from the National University of Singaporein 1999.


Documents

A Novel Privacy Preserving Authentication and Access Control …caislab.kaist.ac.kr/publication/paper_files/2006/... · 2018-09-27 · REN etal.: NOVEL PRIVACY PRESERVING AUTHENTICATION