# Authentication Based on Non-Interactive Zero-Knowledge Proofs for the Internet of Things

^{*}

## Abstract

**:**

## 1. Introduction

## 2. Related Works

- Related to the physical nature of smart objects: cloning of smart things by untrusted manufacturers, malicious substitution of smart things during installation, firmware replacement attack and extraction of security parameters since smart things may be physically unprotected.
- Related to intercommunication between smart objects: Eavesdropping attack if the communication channel is not adequately protected, man-in-the-middle attack during key exchange, routing attacks and denial-of-service attacks.
- Related to sensible data processed by the smart objects: Privacy threats.

## 3. Preliminaries

- Completeness: For any polynomial $p(\xb7)$ and common input $x\in L$, x is accepted by V with a probability greater than $1-\u03f5$:$$Pr[V(x,R,P(x,R))=1]\ge 1-\frac{1}{p\left(\right|x\left|\right)}$$
- Soundness: For any interactive Turing machine ${P}^{\prime}$ representing a dishonest prover, any polynomial $p(\xb7)$ and any common input $x\in L$ provided by ${P}^{\prime}$ x is accepted by V with a probability at most ϵ:$$Pr[V(x,R,{P}^{\prime}(x,R))=1]<\frac{1}{P\left(\right|x\left|\right)}$$
- Zero-knowledge: For any $x\in L$ provided by P, no information is revealed from x to V that it could not compute alone before running the protocol, which means that there is a probabilistic polynomial time algorithm M, such that:$$V\left(x\right)=x,(R\in {0,1}^{c\left(\right|x\left|\right)},P(x,R)){\approx}_{c}M{\left(x\right)}_{x\in L}$$

## 4. NIZKP-Based Authentication

Notation | Meaning |
---|---|

G | Graph known by all legitimate nodes, on which they know how to solve a hard problem |

$So{l}_{G}$ | Solution to the hard problem in G |

n | Number of challenges |

$Ch{a}_{i}$ | i-th challenge proposed by the verifier |

${G}_{i}$ | i-th isomorphic graph used as a commitment |

$Is{o}_{i}$ | Isomorphism between G and ${G}_{i}$ |

$Re{s}_{i}$ | i-th response corresponding to the challenge $Ch{a}_{i}$ on the graph ${G}_{i}$ |

$h(\xb7)$ | Cryptographic hash function |

$LSB(\xb7)$ | Least significant bit of an input string |

${E}_{{k}_{i}}(\xb7)$ | Symmetric encryption with key ${k}_{i}$ |

$Subkey$ | Contribution of a node to the session key |

- Process the first segment of the message, which is not encrypted.
- Compute, using the hash function, the challenge that matches the information included in the segment.
- Check whether the response corresponds to the challenge and the isomorphic graph.
- From the challenge, compute the key it has to use to decrypt the next segment.
- Apply Steps 2 through 4 until the last segment, which once deciphered contains the information needed to establish the shared secret key.

- If $Challenge=0$, the response is the isomorphism.
- If $Challenge=1$, the response is the solution to the problem in the isomorphic graph.

Algorithm 1 Processing |

//Params: beacon, encrypted message segments |

//Params: t_seg, dimension of beacon segments |

//Params: solg, solution in the original graph |

//Return: subkey, contribution to the key |

function getData (char[] $beacon$, int tseg, char[] $solg$) |

01: var $segs$[]; // Stores the message segments |

02: // Message is divided into $tseg-size$ segments |

03: $segs$ = $beacon$.splitByTam($tseg$); |

04: // Isomorphic graph and response |

05: // First segment is not encrypted |

06: var $gi$ = getGi($segs$[0]); |

07: var $res$ = getRes($segs$[0]); |

08: // The challenge is computed |

09: var $cha$ = LSB.hash($gi$.getBytes()); |

10: // Check whether the response is correct |

11: if ($res$ != response($gi$, $cha$)) |

12: return; // If not correct, abort |

13: endif |

14: // The solution is obtained in $gi$ |

15: var $sol$ = solve($gi$); |

16: // $ki$ is the encryption key of the next segment |

17: var $ki$ = $\overline{cha}*hash\left(sol\right)\oplus cha*hash(sol\oplus solg)$ |

18: var $decryption$; |

19: // The following steps are repeated |

20: for (int $i=1;i<segs.size\left(\right)-1;i++$){ |

21: // The segment is decrypted with the key $ki$ |

22: $decryption$ = Crypto.decrypt($segs$[i], $ki$); |

23: $gi$ = getGi($decryption$); |

24: $res$ = getRes($decryption$); |

25: $cha$ = LSB.hash($gi$.getBytes()); |

26: if ($res$ != response($gi$, $cha$)) |

27: return; |

28: endif |

29: $sol$ = solve($gi$); |

30: $ki$ = $\overline{cha}*hash\left(sol\right)\oplus cha*hash(sol\oplus solg)$ |

31: } |

32: // Decryption of the last segment provides the |

33: // contribution to the shared key. |

34: return Crypto.decrypt($segs$[$segs.size\left(\right)$], $ki$); |

endfunction |

## 5. Applications to the Internet of Things

#### 5.1. Applications in Mobile Ad Hoc Networks

#### 5.2. Applications in Vehicular Ad Hoc Networks

#### 5.3. Applications in Sensors Networks

## 6. Security Proofs

#### 6.1. Attacks on the Cryptographic Operations

#### 6.2. Attacks on the Graph Problem

#### 6.3. Man in the Middle Attack

#### 6.4. Other Attacks

## 7. Implementation

#### 7.1. Package Format

- Graphs: Graphs are serialized by denoting their adjacency matrices into integers, because this is their fastest implementation. This serialization has been also improved by using hexadecimal rather than integer numbers. In this case, the storage size is smaller, but the speed serialization is quite slow. Thus, a faster serialization has been chosen compared to a slight improvement in the package size, so graphs have been serialized through their adjacency matrices.For instance, given the adjacency matrix:$$\left(\right)open="("\; close=")">\begin{array}{ccccc}0& 1& 1& 0& 1\\ 1& 0& 1& 0& 0\\ 1& 1& 0& 0& 1\\ 0& 0& 0& 0& 1\\ 1& 0& 1& 1& 0\end{array}$$it can be represented in one dimension as:0110110100110010000110110This one-dimensional representation is serialized by converting it into an integer of eight digits, formed of five integers separated by the character “,”$$13,20,25,1,22$$
- Solutions: Solutions have been serialized by using lists of integers separated by the character “,” because both types of solutions, the Hamiltonian cycle and the isomorphism between graphs, can be represented as lists. For example, if the isomorphism between two graphs is $1\to 2$, $2\to 5$, $3\to 1$, $4\to 3$, $5\to 4$, using array indexes as original nodes and the values of the array as the values of the new nodes, the isomorphism is represented as:$$2,5,1,3,4$$
- Segments: Each segment of the message is serialized in hexadecimal. Besides, all of the segments, but the first one, are encrypted as explained in previous sections. The last segment contains a secret encrypted by the key that can be obtained with the solution to the challenge of the previous segment. For instance, the aspect of a segment containing an isomorphic graph and challenge and response corresponding to the graph is the following, expressed with hexadecimal characters:$$A324D0E3F19$$
- Message or package: The complete message is the concatenation of all of the generated segments. To separate the segments, the character “|” is used. An example of a package with three segments is:$$A324D0E3F19\left|F9223B3EE34\right|DC34F212ACB$$

#### 7.2. Package Size

#### 7.3. Package Generation Time

#### 7.4. Package Processing Time

## 8. Comparative Analysis

#### 8.1. ZKP Schemes

Conf1. [39] | Conf2. [39] | Conf3. [39] | Conf4. [39] | Our Scheme | ||
---|---|---|---|---|---|---|

10 Challenges | Time Size | 469 4045 | 1302 4045 | 484 4045 | 1522 4045 | 454 17,826 |

100 Challenges | Time Size | 3422 39,595 | 8070 39,595 | 3703 39,595 | 9824 39,595 | 5665 187,132 |

#### 8.2. Schemes Based on Diffie–Hellman

- Graphs of 41 nodes, which are large enough to be considered secure in the scheme; thus, an attack on the graph isomorphism would involve $41!$ iterations, which would be unfeasible.
- Packages with 3, 4, 5, 6, 7 and 8 challenges.
- The time for these comparisons includes both package generation by the sender and unpacking the package by the user who receives it.

PAK Scheme | Our Scheme | |
---|---|---|

Time (ms) | Challenges | Time (ms) |

197 | 3 | 86 |

4 | 112 | |

5 | 153 | |

6 | 176 | |

7 | 195 | |

8 | 221 |

## 9. Conclusions

## Acknowledgments

## Author Contributions

## Conflicts of Interest

## References

- Katagi, M.; Moriai, S. Lightweight Cryptography for the Internet of Things. Available online: http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.227.8445&rep=rep1&type=pdf (accessed on 6 January 2016).
- Velev, D.G. Internet of Things âĂŞ Analysis and Challenges. UNWE Econ. Altern.
**2011**, 2, 99–109. [Google Scholar] - Cirani, S.; Ferrari, G.; Veltri, L. Enforcing Security Mechanisms in the IP-Based Internet of Things: An Algorithmic Overview. Algorithms Spec. Issue Sens. Netw.
**2013**, 6, 197–226. [Google Scholar] [CrossRef] - Diffie, W.; Van Oorschot, P.C.; Wiener, M.J. Authentication and authenticated key exchanges. Des. Codes Cryptogr.
**1992**, 2, 107–125. [Google Scholar] [CrossRef] - Chan, H.; Perrig, A.; Song, D. Random key predistribution schemes for sensor networks. IEEE Symp. Secur. Priv.
**2003**. [Google Scholar] [CrossRef] - Diffie, W.; Hellman, M.E. New directions in cryptography. IEEE Trans. Inf. Theory
**1976**, 22, 644–654. [Google Scholar] [CrossRef] - Chan, A.C.F. Distributed symmetric key management for mobile ad hoc networks. In Proceeding of the Twenty-third AnnualJoint Conference of the IEEE Computer and Communications Societies, HongKong, China, 7–11 March 2004; pp. 2414–2424.
- Capkun, S.; Buttyan, L.; Hubaux, J.P. Self-organized public-key management for mobile ad hoc networks. IEEE Trans. Mob. Comput.
**2003**, 2, 52–64. [Google Scholar] [CrossRef] - Atzori, L.; Iera, A.; Morabito, G. The Internet of Things: A survey. Comput. Netw.
**2010**, 54, 2787–2805. [Google Scholar] [CrossRef] - Goldwasser, S.; Micali, S.; Rivest, R.L. A digital signature scheme secure against adaptive chosen-message attacks. SIAM J. Comput.
**1988**, 17, 281–308. [Google Scholar] [CrossRef] - Maurer, U. Modelling a public-key infrastructure. Comput. Secur. ESORICS
**1996**, 96, 325–350. [Google Scholar] - Caballero-Gil, P.; Hernández-Goya, C. Efficient public key certificate management for mobile ad hoc networks. EURASIP J. Wirel. Commun. Netw.
**2011**. [Google Scholar] [CrossRef] - Goldwasser, S.; Micali, S.; Rackoff, C. The knowledge complexity of interactive proof systems. ACM Symp. Theory Comput.
**1985**. [Google Scholar] [CrossRef] - Feige, U.; Fiat, A.; Shamir, A. Zero-knowledge proofs of identity. J. Cryptol.
**1988**, 1, 77–94. [Google Scholar] [CrossRef] - Blum, M.; Feldman, P.; Micali, S. Non-interactive zero-knowledge and its applications. ACM Symp. Theory Comput.
**1988**. [Google Scholar] [CrossRef] - Rackoff, C.; Simon, D.R. Non-interactive zero-knowledge proof of knowledge and chosen ciphertext attack. In Advances in Cryptology; Feigenbaum, J., Ed.; Springer: Berlin, Gernamy, 1992; Volume 576, pp. 433–444. [Google Scholar]
- Fiat, A.; Shamir, A. How to prove yourself: Practical solutions to identification and signature problems. In Advances in Cryptology; Odlyzko, A.M., Ed.; Springer: Berlin, Gernamy, 1987; Volume 263, pp. 186–194. [Google Scholar]
- Feige, U.; Lapidot, D.; Shamir, A. Multiple non-interactive zero knowledge proofs randomstring. In Proceedings of the 31st Annual Symposium on Foundations of Computer Science, St. Louis, MO, USA, 22–24 October 1990; pp. 308–317.
- Bellare, M.; Yung, M. Certifying cryptographic tools: The case of trapdoor permutations. In Advances in Cryptology; Brickell, E.F., Ed.; Springer: Berlin, Gernamy, 1992. [Google Scholar]
- Lapidot, D.; Shamir, A. Publicly verifiable non-interactive zero-knowledge proofs. In Advances in Cryptology; Menezes, A.J., Vanstone, S.A., Eds.; Springer: Berlin, Gernamy, 1990; Volume 537, pp. 353–365. [Google Scholar]
- Goldreich, O.; Micali, S.; Wigderson, A. Proofs that yield nothing but their validity or all languages in NP have zero-knowledge proof systems. J. ACM
**1991**, 38, 690–728. [Google Scholar] [CrossRef] - Goldwasser, S.; Micali, S.; Rackoff, C. The knowledge complexity of interactive proof systems. SIAM J. Comput.
**1989**, 18, 186–208. [Google Scholar] [CrossRef] - Garey, M.R.; Johnson, D.S. Computers and Intractability: A Guide the theory of NP-Completeness. Available online: http://dl.acm.org/citation.cfm?id=574848 (accessed on 6 January 2016).
- Bertoni, G.; Daemen, J.; Peeters, M.; Van Assche, G. Keccak sponge function family main document. Available online: http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.419.2140&rep=rep1&type=pdf (accessed on 6 January 2016).
- Bertoni, G.; Daemen, J.; Peeters, M.; Van Assche, G. The Keccak SHA-3 submission. Available online: http://keccak.noekeon.org/Keccak-submission-3.pdf (accessed on 6 January 2016).
- Ekdahl, P.; Johansson, T. SNOW - a new stream cipher. Available online: http://www.madchat.fr/crypto/hash-lib-algo/snow/snow10.pdf (accessed on 6 January 2016).
- ETSI/SAGE; Specification of the 3GPP Confidentiality and Integrity Algorithms UEA2 and UIA2. Document 2. Available online: http://www.3gpp.org/DynaReport/35-series.htm (accessed on 6 January 2016).
- Ekdahl, P.; Johansson, T. A New Version of the Stream Cipher SNOW. In Selected Areas in Cryptography; Nyberg, K., Heys, H., Eds.; Springer: Berlin, Germany, 2003; Volume 2595, pp. 37–46. [Google Scholar]
- Roman, R.; Zhou, J.; Lopez, J. On the features and challenges of security and privacy in distributed internet of things. Comput. Netw.
**2013**, 57, 2266–2279. [Google Scholar] [CrossRef] - Lin, X.; Lu, R.; Zhang, C.; Zhu, H.; Ho, P.; Shen, X. Security in Vehicular Ad Hoc Networks. IEEE Commun. Mag.
**2008**, 46, 88–95. [Google Scholar] - Martín-Fernández, F.; Caballero-Gil, P.; Caballero-Gil, C. Detection and Report of Traffic Lights Violation using Sensors and Smartphones. In Ubiquitous Computing and Ambient Intelligence. Sensing, Processing, and Using Environmental Information; García-Chamizo, J.M., Fortino, G., Ochoa, S.F., Eds.; Springer: Berlin, Germany, 2015; Volume 9454, pp. 237–248. [Google Scholar]
- Barker, E.; Barker, W.; Burr, W.; Polk, W.; Smid, M. Computer Security. Available online: http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57-Part1-revised2_Mar08-2007.pdf (accessed on 6 January 2016).
- Bertoni, G.; Daemen, J.; Peeters, M.; Van Assche, G. On the Indifferentiability of the Sponge Construction. In Advances in Cryptology; Smart, N., Ed.; Springer: Berlin, Germany, 2008; Volume 4965, pp. 181–197. [Google Scholar]
- Andreeva, E.; Mennink, B.; Preneel, B. Security Reductions of the Second Round SHA-3 Candidates. In Information Security; Burmester, M., Tsudik, G., Magliveras, S., Ilić, I., Eds.; Springer: Berlin, Germany, 2010; Volume 6531, pp. 39–53. [Google Scholar]
- Kircanski, A. Cryptanalysis of Symmetric Cryptographic Primitives. Available online: https://www.iacr.org/phds/125_AleksandarKircanski_CryptanalysisSymmetricCryptogr.pdf (accessed on 6 January 2016).
- Babai, L.; Erdos, P.; Selkow, S.M. Random graph isomorphism. SIAM J. Comput.
**1980**, 9, 628–635. [Google Scholar] [CrossRef] - Corneil, D.G.; Gotlieb, C.C. An efficient algorithm for graph isomorphism. J. ACM
**1970**, 17, 51–64. [Google Scholar] [CrossRef] - Martín-Fernández, F. Source Code of The Authenticated Scheme Proposed. Available online: https://github.com/pacomf/ASD (accessed on 6 January 2016).
- Grzonkowski, S.; Zaremba, W.; Zaremba, M.; McDaniel, B. Extending Web Applications with a Lightweight Zero Knowledge Proof Authentication. In Proceedings of the 5th international conference on Soft computing as transdisciplinary science and technology, New York, NY, USA, 28–31 October 2008; pp. 65–70.
- Brusilovsky, A.; Faynberg, I.; Zeltsan, Z.; Patel, S. Password-Authenticated Key (PAK) Diffie-Hellman Exchange. Available online: http://www.rfc-editor.org/info/rfc5683 (accessed on 6 January 2016).

© 2016 by the authors; licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons by Attribution (CC-BY) license (http://creativecommons.org/licenses/by/4.0/).

## Share and Cite

**MDPI and ACS Style**

Martín-Fernández, F.; Caballero-Gil, P.; Caballero-Gil, C.
Authentication Based on Non-Interactive Zero-Knowledge Proofs for the Internet of Things. *Sensors* **2016**, *16*, 75.
https://doi.org/10.3390/s16010075

**AMA Style**

Martín-Fernández F, Caballero-Gil P, Caballero-Gil C.
Authentication Based on Non-Interactive Zero-Knowledge Proofs for the Internet of Things. *Sensors*. 2016; 16(1):75.
https://doi.org/10.3390/s16010075

**Chicago/Turabian Style**

Martín-Fernández, Francisco, Pino Caballero-Gil, and Cándido Caballero-Gil.
2016. "Authentication Based on Non-Interactive Zero-Knowledge Proofs for the Internet of Things" *Sensors* 16, no. 1: 75.
https://doi.org/10.3390/s16010075