ArticlePDF Available

Abstract and Figures

In current single sign-on authentication schemes on the web, users are required to interact with identity providers securely to set up authentication data during a registration phase and receive a token (credential) for future access to services and applications. This type of interaction can make authentication schemes challenging in terms of security and availability. From a security perspective, a main threat is theft of authentication reference data stored with identity providers. An adversary could easily abuse such data to mount an offline dictionary attack for obtaining the underlying password or biometric. From a privacy perspective, identity providers are able to track user activity and control sensitive user data. In terms of availability, users rely on trusted third-party servers that need to be available during authentication. We propose a novel decentralized privacy-preserving single sign-on scheme through the Decentralized Anonymous Multi-Factor Authentication (DAMFA), a new authentication scheme where identity providers no longer require sensitive user data and can no longer track individual user activity. Moreover, our protocol eliminates dependence on an always-on identity provider during user authentication, allowing service providers to authenticate users at any time without interacting with the identity provider. Our approach builds on threshold oblivious pseudorandom functions (TOPRF) to improve resistance against offline attacks and uses a distributed transaction ledger to improve availability. We prove the security of DAMFA in the universal composibility (UC) model by defining a UC definition (ideal functionality) for DAMFA and formally proving the security of our scheme via ideal-real simulation. Finally, we demonstrate the practicability of our proposed scheme through a prototype implementation.
This content is subject to copyright. Terms and conditions apply.
Research Article
Decentralized, Privacy-Preserving, Single Sign-On
Omid Mir ,
1
Michael Roland ,
2
and Ren´
eMayrhofer
2
1
Johannes Kepler University Linz, LIT Secure and Correct Systems Lab, Linz, Austria
2
Johannes Kepler University Linz, Institute of Networks and Security, Linz, Austria
Correspondence should be addressed to Omid Mir; mir@ins.jku.at
Received 2 April 2021; Accepted 11 November 2021; Published 22 January 2022
Academic Editor: David Meghias
Copyright ©2022 Omid Mir et al. is is an open access article distributed under the Creative Commons Attribution License,
which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.
In current single sign-on authentication schemes on the web, users are required to interact with identity providers securely to set
up authentication data during a registration phase and receive a token (credential) for future access to services and applications.
is type of interaction can make authentication schemes challenging in terms of security and availability. From a security
perspective, a main threat is theft of authentication reference data stored with identity providers. An adversary could easily abuse
such data to mount an offline dictionary attack for obtaining the underlying password or biometric. From a privacy perspective,
identity providers are able to track user activity and control sensitive user data. In terms of availability, users rely on trusted third-
party servers that need to be available during authentication. We propose a novel decentralized privacy-preserving single sign-on
scheme through the Decentralized Anonymous Multi-Factor Authentication (DAMFA), a new authentication scheme where
identity providers no longer require sensitive user data and can no longer track individual user activity. Moreover, our protocol
eliminates dependence on an always-on identity provider during user authentication, allowing service providers to authenticate
users at any time without interacting with the identity provider. Our approach builds on threshold oblivious pseudorandom
functions (TOPRF) to improve resistance against offline attacks and uses a distributed transaction ledger to improve availability.
We prove the security of DAMFA in the universal composibility (UC) model by defining a UC definition (ideal functionality) for
DAMFA and formally proving the security of our scheme via ideal-real simulation. Finally, we demonstrate the practicability of
our proposed scheme through a prototype implementation.
1. Introduction
Authenticated Key Exchange (AKE) is one of the most
broadly used cryptographic primitives that enable two
parties to create a shared key over a public network. Typ-
ically, the parties need to have authentication tokens, e.g.,
cryptographic keys (asymmetric or symmetric high-entropy
keys) or short secret values (low-entropy passwords). ey
also securely store these authentication tokens in a trusted
service provider during the registration phase. ere are
various types of authentication factors such as knowledge,
possession, and physical presence; low-entropy passwords
are widely present in practice. An example of an authen-
tication protocol that relies on passwords is Password-Based
Authenticated Key Exchange (PAKE) [1].
However, passwords are usually vulnerable to both
online and offline attacks [2, 3]. An attacker who
compromises the data stored with the service provider (user
account data, consisting of usernames and associated (po-
tentially salted) password hashes) can run an offline dic-
tionary attack on that data. Such an attack leads to the
disclosure of user accounts and this has happened several
times in the past, cf. [2, 4, 5]. Even if low-entropy passwords
are correctly salted and hashed, they still do not resist the
brute force of modern hardware. Already in 2012, a rig of 25
GPUs could test up to 350 billion guesses per second in an
offline dictionary attack [6].
Multi-Factor Authentication (MFA) schemes overcome
this risk by adding additional authentication factors. MFA
combines (low-entropy) passwords with, e.g., secret values
stored in physical tokens. Recent advancements in finger-
print readers and other sensors have led to the increased
usage of smartphones and biometric factors in MFA
schemes (e.g, the use of biometrics to securely retrieve
Hindawi
Security and Communication Networks
Volume 2022, Article ID 9983995, 18 pages
https://doi.org/10.1155/2022/9983995
private information [8]) Figure 1, although these methods
make the guessing of authentication factors more difficult.
However, some MFA schemes incorporate password au-
thentication and second-factor authentication as separate
mechanisms and store a salted password hash (or biometric)
on the server, leading to different vulnerabilities such as
spoofing and offline attacks [7, 9]. In other words, an ad-
versary compromising the server is still able to recover the
actual password (even if that password is no longer usable
without the additional associated factors). Moreover, mobile
devices (smartphones, wearables, FIDO U2F, etc.) are
considered more likely to be subject to loss or theft, and
particularly smartphones and wearables open a large, high-
risk attack surface for malware [10, 11].
In general, authentication schemes are designed to
uniquely identify a user. Consequently, they do not aim at
protecting user privacy, and users’ activity in the digital
world can easily be logged and analyzed. Leakage of indi-
vidual information may have serious consequences for users
(including financial losses). To meet the increasing need of
privacy protection in the digital world, multi-factor au-
thentications are enhanced with privacy-preserving tech-
nologies. For instance, anonymous authentication schemes
allow a member of a legitimate group, called a prover, to
convince a verifier that it is a member of the group without
revealing any information that would uniquely identify the
prover within the group. Various schemes for anonymous
password authentication have been proposed, e.g., [12–15].
In particular, anonymous password authentication promises
unlinkability: e prover (e.g., the server of a service or
identity provider) should not be able to link user authen-
tications. erefore, for any two authentication sessions, the
prover is unable to determine if they have been performed by
the same user or two different users.
1.1. Building a Fully Decentralized Authentication
Architecture. An Identity Provider (IDP) with a centralized
database of authentication data of all users could easily
provide an MFA scheme and offer convenient single sign-on
(SSO) to other services for its users [16]. SSO allows users to
once receive a single token (identity) provided by IDP and
repeatedly authenticate themselves to servics providers.
Several initiatives such as PRIMA [17], OAuth [18], SAML
[19], and OpenID [16] let service providers take advantage of
another centralized identity provider to authenticate users
without becoming responsible for managing account pass-
words. In all these systems, the authentication follows a
similar scheme (see Figure 2) [20]:
(1) In the registration phase, the user creates credentials
(e.g., a username/ID and a password) and passes
them to the IDP (a trusted server) which stores the
username together with the hash of the password.
(2) In the authentication phase, the IDP verifies the user-
supplied sign-on credential by matching the user-
name and password hash.
(3) After successful verification, the IDP issues an au-
thentication credential (a digital signature or a
message authentication code) using a master secret
key that authenticates the user to the service provider
(e.g., a website) they want to visit.
However, this kind of centralized system poses several
challenges:
(1) e IDP represents a single point of failure and an
obvious target for attacks, such as:
(a) extraction of the secret key to forge tokens, which
enable access to arbitrary services and data in the
system; (b) capturing hashed passwords (or bio-
metrics) to run offline dictionary attacks in order to
recover user credentials, both potentially resulting in
severe damage to the reliability of the system [20].
(2) e IDP is actively involved in each authentication
session and can, therefore, track user activity, leading
to serious privacy issues [21, 22].
(3) e IDP takes a significant amount of control over
the digital identity away from the user. Users cannot
fully manage and store their identity by themselves
but always need to rely on and interact with an
available IDP that offers the identity management
system to them and the service provers they want to
interact with (active verification).
1.2. Our Contribution. To address the above challenges, we
construct a novel decentralized privacy-preserving single
sign-on scheme using a new Decentralized Anonymous
Multi-Factor Authentication (DAMFA) scheme, where the
process of user authentication no longer depends on a single
trusted third party. Instead, it is fully decentralized onto a
shared ledger to preserve user privacy while maintaining the
single sign-on property. at is, users do not need to register
their credentials with each service provider individually. e
scheme also permits services where authenticating users
remain anonymous within a group of users. Subsequently,
our scheme does not require the IDP to be online during the
verification (passive verification). Moreover, since there is
no single third party (i.e., the IDP) in control of the whole
authentication process, user and usage tracking by the IDP is
inhibited.
e passive verification property of our scheme allows
service providers to authenticate users at any time without
requiring additional interaction with an IDP except what is
available on the shared ledger. is property removes the
cost of running secure channels between the service provider
and the identity provider. Simultaneously, the IDP is
eliminated as a single point of failure and attack within the
authentication process.
e scheme relies on personal identity agents as auxiliary
devices that assist the user in the authentication process. e
personal identity agents participate in a threshold secret
sharing scheme to store the distributed private key of their
users. In the authentication phase, the user unlocks their
private key through a combination of biometrics and a
password, combining biometric, knowledge, and possession
factors. e distributed architecture prevents offline attacks
2Security and Communication Networks
against data extracted from compromised agents, as long as
only a set of agents below the threshold is compromised or
corrupted.
We define the ideal functionality and real-world defi-
nitions for the security of our DAMFA scheme. We prove
our construction’s security via ideal-real simulation,
showing the impossibility of offline dictionary attacks. Fi-
nally, we demonstrate that our protocol is efficient and
practical through a prototypical implementation and
through a comparison of our scheme with other SSO works.
2. Related Work
2.1. Single-Factor (Password) Authentication Key Exchange.
For a long time, knowledge was (and still is) used as a
primary means of authentication. Single-factor authenti-
cation based on passwords and PINs is a mechanism that is
well-studied. Bellovin and Merritt [24] proposed Encrypted
Key Exchange (EKE) where a client and a server share a
password and use it to exchange encrypted information to
agree on a common session key. EKE was followed by several
enhancements (cf. [25–27]). Bellare et al. [1] expanded this
to a general formal provable model for Password Authen-
tication Key Exchange (PAKE). After that, two generic
schemes of PAKE were proposed by Gennaro and Lindell
[28] and by Groce and Katz [29] which are among the most
efficient ways of constructing PAKE in the standard model.
Benhamouda and Pointcheval [30] explicitly introduce a
verifier into the authenticated key exchange, where a verifier
is a hash value or transformation VH(s, pw)of the secret
password pw with a public salt s, and the server stores the
pair (s, V)for each user.
2.2. Multi-Factor Authentication. A single knowledge-based
authentication factor has the disadvantage that an adversary
needs to only compromise that single factor. Multi-factor
authentication (MFA) overcomes this by combining mul-
tiple different factors. e widely used combination is long-
term passwords with secret keys, possibly stored in tokens
(e.g., FIDO U2F). Shirvanian et al. [31] introduce a
framework to analyze such two-factor authentication pro-
tocols. In their framework, the participants are a user, a
client (e.g., a web browser), a server, and a device (e.g., a
smartphone). In the authentication phase, the user sends a
password and some additional information provided by the
device. In most existing solutions, including Refs. [31–33],
during the registration process, the user gets a value called
the “token,” while the server records a hashed password.
During the authentication phase, the two required factors
(the password and the token) are sent to a verifier.
Jarecki et al. [34] provide a device-enhanced password-
authenticated key exchange protocol employing mobile
device storage as a token. is setting serves two purposes:
Firstly, for an adversary to successfully mount an offline
dictionary attack, they must corrupt the login server in
addition to the mobile device storage. Secondly, the user
must confirm access to the mobile device storage during
login.
Another popular factor used to authenticate users to
remote servers is biometrics [35–38]. Fleischhacker et al.
[39] also propose a modular framework called MFAKE
which models biometrics following the liveness assumption
of Pointcheval and Zimmer [37]. However, Zhang et al. [40]
demonstrate that their scheme does not adequately protect
privacy. Indeed, biometric authentication becomes a weak
point when the framework directly uses the biometric
template for authentication. In addition, it requires to, re-
spectively, execute a lot of sub-protocols which makes the
scheme inefficient.
2.3. Anonymous Authentication. Another approach towards
user authentication is the anonymous password authenti-
cation protocol proposed by Viet et al. [12]. ey combine an
oblivious transfer protocol and a password-authenticated
key exchange scheme. Further enhancements were proposed
by Refs. [14, 15, 38].
An anonymous authentication protocol permits users to
authenticate themselves without disclosing their identity and
Multi-factor authentication
Biometric factor:
Fingerprint, face recognition,
behavior recognition
Two-factor authentication
Ownership factor:
Smartphone, key-card
one-time password
Single-factor authentication
****
Knowledge factor:
PIN, password,
security questions
Figure 1: Evolution of authentication methods from SFA to MFA [7].
Identity
provider
Service
provider
(3). Token/Fail
(2). If (usr, h) & (usr, h*)
Matches then generate
a token
(4). Token
User
(5). Succ/
Fail
(1). {usr, h* =
H(pwd*)}
Figure 2: e generic flow diagram shows the authentication phase
of a password-based token method. e figure does not include the
registration phase where the users store their username (usr) and
hashed password (h) with the identity provider.
Security and Communication Networks 3
becomes an important method for constructing privacy-
preserving authenticated public channels.
Zhang et al. [40] presented a new anonymous authen-
tication protocol that relies on a fuzzy extractor. ey
consider a practical application and suggest several au-
thentication factors such as passwords, biometrics (e.g.,
fingerprint), and hardware with reasonably secure storage
(e.g., smartphone).
2.4. Summary of Related Works. Single-factor authentication
based on passwords is a primary means of many authen-
tication protocols [1, 25, 28, 41]. Multi-factor authentication
(MFA) overcomes the problem of compromise in a single
factor by combining multiple different factors
[31, 34, 40, 42, 43]. An anonymous authentication protocol
permits users to authenticate themselves without disclosing
their identity [12, 14, 15, 44]. Finally, SSO allows users to
once receive a single token provided by IDP and repeatedly
authenticate themselves to service providers
[16, 17, 19, 45, 46].
3. Building Blocks
3.1. Pointcheval and Sanders Signature. Our work relies on
the credentials scheme proposed by Pointcheval and Sanders
[47]. e scheme works in a bilinear group (G1,G2,GT)of
type 3, with a bilinear map e:G1×G2GTand has the
following algorithms:
(1) Setup(1λ)(params): Choose a bilinear group
(G1,G2,GT)with order p, where pis a prime
number. Let g1be a generator of G1, and g2a
generator of G2. e system parameters are
params G1,G2,GT, p, g1, g2
 􏼁.(1)
(2) KeyGen(params)(sk, vk): Choose a random
secret key sk � (x, y)Zp. Parse params, and
publish the verification key
vk g2, X, Y
􏼁 g2, gx
2, gy
2
 􏼁.(2)
(3) Sign(params, sk, m)(σ): Parse sk � (x, y). Pick
a random element hG1, and output
σ� (h, s) � h, hx+y·m
 􏼁.(3)
(4) Verify(pk, m, σ): Parse σas (σ1,σ2)and check
whether σ11G1and e(σ1, X ·Ym) � e(σ2, g2)are
both satisfied. In the positive case, it outputs 1,
otherwise 0.
e signature σ� (h, s)is randomizable by choosing a
random rZpand computing σ� (hr, sr). e above
scheme can be modified to obtain a signature on a hidden
message (commitment) and also offers a protocol to show a
zero-knowledge proof of a signature σ� (σ1,σ2).
3.2. Oblivious Pseudo-random Function (OPRF). A pseudo-
random function (PRF) Fis a function that takes two
inputs: a secret function key kand a value xto compute
on. It outputs Fk(x), a function picked randomly from a
PRF family, which is secure if it is distinguishable from a
random function with the same domain and range with a
negligible probability for all probabilistic polynomial time
(PPT) distinguishers. An oblivious PRF (OPRF, cf. [48]) is
a protocol between two parties (a sender and a receiver)
that securely computes Fk(x)where both xand kare the
inputs of sender and receiver, respectively, such that no
party learns anything except for the input holder that
learns Fk(x).
A threshold OPRF (TOPRF, cf. [49]) is an extension of
the OPRF which allows a group of servers to secret share a
key kfor a PRF Fwith a shared PRF evaluation protocol
which lets the user compute Fk(x)on an input x, so that
both xand kare secret if no more than tof nservers are
corrupted (see Figure 3).
A formal definition of the TOPRF protocol as a reali-
zation of the TOPRF functionality is given in Figure 4. Note
that we just duplicate these functionalities so that readers
can easily follow our ideal functionality and construction
(for more details see [49]).
3.3. Secret Sharing Scheme. A secret sharing scheme consists
of two PPTalgorithms [50]: First, TSSGen generates nshares
of the secret key Kas k1,. . . , knTSSGen(K), and
second TSSRecon uses tshares to retrieve the primary secret
value Kas KTSSRecon(s1,. . . , st). e security as-
sumption of this scheme is that any amount of shares below
the threshold does not disclose any info about the secret key.
3.4. Public Append-Only Ledger. A ledger allows us to keep a
list of public information and maintains the integrity of the
dataset. It guarantees a consistent view of the ledger for every
party. Every user can insert information into the ledger and,
once some data are uploaded, nobody can delete or modify
it. Moreover, the ledger assures the correctness of pseu-
donyms and guarantees that no one can impersonate an-
other participant to release information. Furthermore, it
distributes up-to-date data to all participants. In this paper,
we assume this assumption holds and construct our system
on the blockchain technique as a public append-only ledger
(blockchain). ere are already some works constructing
advanced applications based on this assumption, such as
Refs. [51–53]. Yang et al. [54] formally define a public ap-
pend-only ledger, which we use for constructing our
DAMFA system (see Figure 5).
FBexecutes the following steps with parties
PA1,. . . , PAn
􏼈 􏼉 and an ideal adversary Sas follows:
(1) Initialize. Initialize creates an empty list Lpin the
beginning.
(2) Store. On input (Store, PAi,Nymo
u, M), checks that
Nymo
uis a valid pseudonym for PAi, then stores the
tuple (Nymo
u, M)to Lpand declares to Sthat a new
item was appended to the list Lp.
4Security and Communication Networks
(3) Retrieve. On input (Retrieve, PAi), returns the list Lp
to PAi.
3.5. Zero-Knowledge Proof of Knowledge. In a zero-
knowledge proof of knowledge system [55], a prover
proves to a verifier that it possesses the witness for a
statement without revealing any additional information.
In this paper, we use noninteractive zero-knowledge
proofs known as Fiat-Shamir heuristic [56] as they have
the advantage of being noninteractive. For example,
NIZKPoK denotes a noninteractive zero-knowledge
proof of the elements xand yas NIZKPoK (x, y)
􏼈:h
gxcgy}that satisfies both hgxand cgy. Values
(x, y)are assumed to be hidden from the verifier. Sim-
ilarly, the algorithm can admit a message as input, thus it
is also called signature proof of knowledge denoted as
ZKSoK[m] (x, y):
􏼈hgxcgy}.
3.6. Dynamic Accumulators. A dynamic accumulator is a
primitive allowing a large set of values to be accumulated
into a single quantity, the accumulator. For each value, there
exists a witness which is the evidence attesting that the value
is indeed contained in the accumulator. e proof of
showing that a value is part of an accumulator can be zero-
knowledge proof, which reveals neither the value nor the
witness to the verifier. Camenisch et al. [57] define a concrete
construction of dynamic accumulators with the five algo-
rithms AccSetup, AccAdd, AccUpdate, AccWitUpdate, and
AccVerify:
(1) AccSetup: is is the algorithm to output the public
parameters. Select bilinear groups paramsBM � (q,
G,GT, e, g)with a prime order pand a bilinear map
e. Select gG. Select cZp. Generate a key pair
msk and pk for a secure signature scheme. Compute
and publish p, G, T, e, g,
􏼈g1gc1,. . . , gngcn,
gn+2gcn+2,. . . , g2ngc2n}and ze(g, g)cn+1as the
public parameters.
(2) AccAdd (skA, i, accV, stateU). Compute ω􏽑ji
jV
gn+1j+iand a signature σion giiunder signing key
sk. e algorithm outputs witi� (ω,σi, gi), an
updated accumulator value accViaccV·gn+1i,
and stateUi� (Ui
{ }, g1,. . . , gn, gn+2,. . . , g2n).
(3) AccUpdate: is is the algorithm to compute the
accumulator using the public parameters. e ac-
cumulator accVof Vis computed as
accV􏽙
iV
gn+1i,(4)
(4) AccWitUpdate: is is the algorithm to compute the
witness that values are included in an accumulator,
using the public parameters. Given Vand the ac-
cumulator accV, the witness of values i1,. . . , ikin Uis
computed as
ωω·􏽑jV/Vωgn+1j+i
􏽑jVw/Vgn+1j+i
.(5)
(5) AccVerify: is is the algorithm to verify that values
in Uare included in an accumulator, using the
witness and the public parameters. Given accV,
stateU, and ω, accept if
Figure 3: (n, t)-threshold computation in a TOPRF protocol [49].
Figure 4: Functionality FTOPRF [49].
Figure 5: Functionality FB[54].
Security and Communication Networks 5
e gi, accV
 􏼁
e(g, ω)z. (6)
As Camenisch et al. [57] point out, the purpose of an
accumulator is to have accumulator and witnesses of size
independent of the number of accumulated elements.
3.7. Pedersen Commitments. Using a commitment scheme,
users can bind themselves to a chosen value without re-
vealing the actual value to a third party receiving the
commitment. ereby, a user cannot change their choice
(binding), and, at the same time, the recipient of a com-
mitment does not learn anything about the actual value the
user committed to (hiding of the value). Pedersen com-
mitments [58] have a group Gof prime order qand gen-
erators (g0,. . . , gm)as public parameters. For committing
to the value (z1,. . . , zm)Zq, a user picks a random rZq
and sets CPedCom(z1,. . . , zm;r) � gr
0􏽑m
i1gzi
i.
4. Decentralized Anonymous Multi-Factor
Authentication (DAMFA)
We build a new practical decentralized multi-factor au-
thentication scheme, Decentralized Anonymous Multi-
Factor Authentication (DAMFA), where the process of user
authentication no longer depends on a single trusted third
party. e scheme also permits services where authenticating
users remain anonymous within a group of users. Subse-
quently, our scheme does not require the IDP to be online
during the verification. To protect the private key of their
user, we use personal identity agents as auxiliary devices that
participate in a threshold secret sharing scheme to store the
distributed private key of the user.
4.1. System Model. e overall system model of DAMFA is
shown in Figure 6. e protocol is executed between four
participants:
(1) User U: A user who wants to access various services
offered by different service providers. During the
registration phase (which runs only once), Uobtains
a biometric template Bio from a sensor and chooses a
password pw. In the authentication phase, users U
interact with a set of personal identity agents to
authenticate themselves in an anonymous manner.
(2) Personal identity agent PAi: We associate each user
with a set of personal agents which are auxiliary
devices that assist a user in creating a credential for
authentication. ese personal agents remain under
the administrative control of their associated users,
who can freely choose where to run them. For ex-
ample, they could be run on a smart home controller,
at a cloud provider, or even on a mobile phone. U
generates a private key and executes threshold secret
sharing on the private key to generate secret shares of
that private key. e user stores the secret shares
among their personal agents such that each PA
i
has
one share of the overall secret key.
(3) Service provider (verifier) SP: ese are the service
providers (untrusted and distributed servers) that
require authentication from a user U. After verifying
a user’s credentials, they provide access to the cor-
responding service.
(4) Identity provider IDP: e identity provider is an
entity that issues credentials to users. ese cre-
dentials grant permission to use specific services by
proving membership of a specific permission group
(clients, employees, department members, account
holders, subscribed users, etc.).
In addition, users act as nodes in the blockchain net-
work: ey collaboratively maintain a list of credentials in a
public ledger (blockchain) and enforce a specific credential
issuing policy when adding to that list. For more details on
how these steps work, we refer to subsection 4.3., High-Level
View.
4.2. reat Model. In order to demonstrate the security of
the proposed protocol, we determine the capabilities and
possible actions of an attacker. We consider a PPT attacker
who has perfect control of the communication channels.
ey can eavesdrop all messages in public channels and also
modify, add, and remove messages on the network. e
attacker can, at any time, corrupt (t1)of the user’s agents
(no more than threshold t), in which case the attacker knows
all the long-term secrets (such as private keys or master
shared keys).
In the proposed protocol, we consider some privacy
requirements such as unlinkability, identity privacy, and
user data privacy: Unlinkability means that an adversary
cannot distinguish a user who is authenticating from any
(other) user who has authenticated in the past. Identity
privacy means that an adversary cannot determine if a given
authentication credential belongs to a specific user. User
data privacy means that an adversary cannot learn anything
about the user’s sensitive authentication data (i.e., biometric
data, password).
4.3. High-Level View. To build a fully decentralized au-
thentication architecture, we need to set up a small dis-
tributed shared database (to store credentials) between
nodes. Data are highly available, but nobody has control over
the database. Furthermore, users would never want to
modify data in the past. User data need to be immutable, and
data should be publicly accessible. We employ a public
append-only ledger in order to fulfill our requirements. A
ledger (blockchain) maintains the integrity of the dataset
and guarantees a consistent view of the data for every party.
Every participant can append information to the ledger and,
once uploaded, nobody can delete or modify the data.
Definition 1 (DAMFA). A DAMFA system consists of a
global transaction ledger instead of a single party
6Security and Communication Networks
representing the organization. Moreover, the DAMFA
scheme consists of the following phases:
(1) Setup: In the setup phase, we define the public pa-
rameters and execute the following algorithm: U
generates a private key and executes threshold secret
sharing (TSS) on the private key to generate shares of
that secret. e user stores the secret shares among
their personal agents (similar to the initialization of
TOPRF [49], done via a distributed key generation
for discrete-log-based systems, e.g. Ref. [59]).
(2) Registration: In the registration phase, the user U
first selects a password pw and collects their bio-
metric Bio at a sensor. en, Uruns the TOPRF
protocol by interacting with personal agents to re-
construct the TOPRF secret key. After that, the IDP
issues a membership credential that shows that Uis a
valid member (employee, account holder, subscribed
user, etc.). For this purpose, Usends a request with a
pseudonym and a (noninteractive) zero-knowledge
proof (NIZK) which indicates they are the owner of
the pseudonym (they know the secret key that be-
longs to the pseudonym) and authenticate them-
selves to the IDP. en, Ureceives a membership
credential, which is a signature on their pseudonym.
e user Ucreates a pseudonym Nymo
uand verifi-
cation information, namely, a protected credential
PCi, by encrypting the membership credential with
the TOPRF secret key. Subsequently, Ucomputes a
NIZK proof that (1) the credential PCiand the
pseudonym contain the same secret key and (2)
proof of knowledge of the signature which is issued
by the ID provider (i.e., she has valid group mem-
bership). Note that the user can execute these actions
in an offline state because no interaction with the
public ledger is required. Finally, nodes accept the
credential to the ledger if and only if this proof is
valid.
(3) Authentication: e user Uattempts to access the
services of an SP in an anonymous and unlinkable
way. SP authenticates the user if and only if the user
provides a valid credential. First, a service provider
sends an authentication request (which is a signa-
ture) to U. e user inserts the password pwand the
biometric Bioand runs the TOPRF protocol by
interacting with personal agents to reconstruct the
TOPRF secret value. Ufirst scans the public ledger to
obtain the accumulator AC, which is a set
PC
PC1,. . . ,PCn
􏼈 􏼉 consisting of all credentials
belonging to a specific IDP. en, Ufinds their own
protected credential PC
iwithin this set (via the
pseudonym Nymo
u). Udecrypts PC
iusing the
TOPRF secret key and recovers the initial credential
(a signature from IDP). Upresents the credential
under a different pseudonym Nymv
uby proving in
zero-knowledge that (1) they know a credential PCi
on the ledger from IDP, (2) the credential opens to
the same secret key as their own pseudonym Nymv
u,
and (3) they prove possession of a membership
credential from IDP (the signature), cf. [52]. SP scans
the public ledger to obtain the accumulator AC
which is a set PC
PC1,. . . ,PCn
􏼈 􏼉 consisting of all
credentials belonging to a specific organization.
Personal agents
1. Request
2. Response
3. Credential
ID Provider
User
6. Protected credential
4. Request membership credential
7. Upload credential 10. Collect data
8. Login request
9. Authentication message
11. Accept/reject
3. Recovery
secret key
SP
Figure 6: A system model of the DAMFA scheme.
Security and Communication Networks 7
en, it checks the validity of the candidate cre-
dential by finding the candidate credential in the set
PC
iPC
and checking proof of knowledge on the
credential and pseudonym.
4.4. e DAMFA Functionality. We formally define the
proposed scheme’s security by presenting its ideal func-
tionality that is implemented via a trusted party FTOPRF with
a public ledger. All communication takes place through this
ideal trusted party. In the UC framework [60, 61], there may
be some copies of the ideal functionality running in parallel.
Each one is supposed to have a unique session identifier
(SID). Each time a message is sent to a specific copy of
functionality, such that this message contains the SID of the
copy that is intended for. As noted in Ref. [49], we also use
the ticketing mechanism, which ensures that in order to test
a password and biometric guess, the attacker must imper-
sonate t+1 agents. To this end, they define a counter
tx(p, PAi)for each PAiSI in which the parameter pis also
used to identify it. In addition, when an agent PAiSI
completes its interaction, the functionality increases the
counter tx(p, PAi). On the other hand, when a user, either
honest or corrupt, completes an interaction that is associated
to PA
i
,tx(p, PAi)decreases by 1. It ensures that for any
honest agent PA
i
, the number of user-completed OPRF
evaluations with PA
i
is no more than the number of agent-
completed OPRF evaluations of PAi. It sets t+1 agent
tickets for accessing the proper TOPRF result by reducing
(nonzero) ticket counters tx(p, PAi)for an arbitrary set of
t+1 agents in SI. e ideal functionality as:
4.4.1. Registration
(i) Upon receiving (Reg,sid,SI,pw,Bio)for |SI| � PAn
from U, records this message and sends
(Reg, U, sid,SI)to A(Ignores other Reg cmd).
Computes a secret key Kusing TOPRF protocol
FTOPRF and if |SI CorrSrv|t+1 then sends
(K, pw,Bio)to A.
(ii) Upon receiving (SReg,sid, PAi)from A, if a re-
cord Reg, U, sid,SI,pw,Bioexists and PAiSI
then marks PA as active and sends (SInit, sid)to
PA.
(iii) Upon receiving (UReg, sid)from A, if the record
Reg, U, sid,SI,pw,Bioexists and all agents in SI
are marked active, then runs a commitment scheme
FCom and an encryption FEnc to get (τi,ci), re-
spectively, and sets the pseudonym as Nymo
uτi
and PCicias the credential. It records
Nymo
u,PCi, U, SI, K, sends (sid,Nymo
u,PCi)and
(RegComplete,sid,SI)to its public ledger and A,
respectively.
4.4.2. Authentication
(i) Upon receiving (Auth,sid,ssid,SR,pw,Bio)for
|SR| t+1from U, retrieves Reg, U, sid,SI,
pw,Bio, K, records Auth, U,sid,SI,SR,pw,pw,
Bio,Bio, and sends (Auth, U,sid,ssid,SR)to A.
Ignores future Auth commands involving the same ssid.
(ii) Upon receiving (SAuth,sid,ssid, PAi)from A, if
PAiSR is marked active then sets tx(PAi) + +
(sets it to 1 if it is undefined) and sends
(SAuth,sid,ssid)to PAi.
4.4.3. Password and Biometric Test
(iii) After receiving (TestPwBio,sid, PAi,pw,Bio)
from A, if tx(PAi)>0 then sets tested (pw) �
tested(pw)and (Bio) � tested(Bio)PAiand
tx(PAi):tx(PAi) − 1, retrieves Reg, U, SI,pw,
Bio, Kand if |SI (tested(pw)tested(Bio)
CorrSrv)| t+1 and if pwpw and Bio Bio,
then returns sk to Aand marks the record com-
promised and responses to Awith “correct guess”,
else returns FAIL.
4.4.4. Authentication for Service Provider
(i) GetCredList: Every participant can obtain all data in
the public ledger of the trusted party via submitting a
“retrieve” request to FDAMFA.SP then retrieves the
intended credential PCiissued by Nymo
ufrom FTOPRF
and accepts functionality’s assertion only if PCiPC
.
(ii) Key generation: Upon receiving (UAuth, sid,ssid,
Pi,SR, sk), for |SR| � t+1 from A, if there is a
record Auth, P, sid,ssid,SI,SR,pw,Bio,pw,Bio,
where PU, SP
{ } then do:
(a) If this record is compromised so that pwpw
and BioBio or (SRCorrSrv), then output
(sid, sk)to player Pi.
(b) Else, if this record is fresh, and if there is a record
(P, pw,Bio, sk)with pwpw and BioBio,
then sends sk(a random key) to player Pi.
(c) In any other case, picks a random key sk and
sends (sid, sk)to Pi.
Definition 2 (Secure DAMFA). Let Πbe a probabilistic
polynomial time protocol for the DAMFA functionality. We
say that Πis secure if for every PPT real world adversary A
attacking DAMFA, there exists a PPT ideal world simulator
Ssuch that for both the real and ideal world interactions,
outputs of registration and authentication phases are
computationally indistinguishable: RealA(1λ)IdealS(1λ).
4.5. Our Construction
4.5.1. Setup Phases
We select a bilinear pairing e:G1×G2GTthat is
efficiently computable, nondegenerate, and three
groups with prime order p. We let g1and g2be
generators of G1and G2, respectively, and
gte(g1, g2)the generator of GT. Note that it is as-
sumed to support one-way Bio-hash function H1,
8Security and Communication Networks
which resolves the recognition error of general hash
functions [62]. We consider two additional hash
functions as H2:M0,1
{ }λand Hg:MG1.
We publish params (G1,G2, g1, g2, p, hnym, H1,
H2, Hg)as the set of system parameters where
hnym G1. e user Ugenerates a private key K, then
executes a secret sharing construction scheme on Kto
create secret keys for each personal agent
k1, k2,. . . , knTSS(K).Ustores secret shares
among personal agents.
4.5.2. Registration Phase
To register a user to the system, Ufirst chooses a
password pw and scans her biometric impression Bio at
the sensor. en, Uruns the following steps to register
herself in the system.
(i) A user runs TOPRF protocol [49] with agents to
compute the secret value usk FK(pw,Bio)as
follows:
(a) e user Upicks a random number rZpand
computes AHg(pw, H(Bio))rand sends the
message M1A
{ } to all PAi.
(b) Upon receiving the message M1A
{ } from
the user, each PAicomputes
biAkiHg(pw, H1(Bio))λi·ki·rby
Lagrange interpolation coefficients and secret
key ki(s.t. K􏽐
iSR
λi·ki). ey return the
message M2bi
􏼈 􏼉 to U.
(c) After receiving all the messages bifrom per-
sonal agents, Ucomputes: C􏽑
iSR
br1
i
Hg(pw, H1(Bio)) Kusk h(pw, C).
(ii) In order to obtain a membership credential from
IDP, we use PS signatures protocol [47] to derive a
signature on a hidden committed message as
follows:
(a) KeyGen(pp): e IDP runs this algorithm to
generate private and public keys. is algo-
rithm selects (x, y, y1)Zp, computes
(X, Y, Y1)(gx
1, gy
1, gy1
1)and (X, Y,
Y1
)(gx
2, gy
2, gy1
2), and sets
sk (X, y, y1)and pk (g1, g2, Y,
X, Y).
(b) Protocol. A user first selects a random
r2Zpand computes Cgr2
1·Yusk, which
is a commitment on her secret key. She then
sends Cto the IDP. ey both run a proof of
knowledge of the opening of the commitment
(authentication). If the signer is convinced, the
IDP selects a random uZpand returns
σ(σ1gu
1,σ2� (X·C·Ym
1)u). e user
can now unblind the signature σand get a valid
signature over her secret key and the message
m1by computing σ(σ1,σ2/(σ1)r2)de-
scribed in Sect. 3.1.
(c) Verify. To verify this signature, the user can
execute this algorithm and compute:
(d) Verify(pk, m, σ):e(σ1, X·Yusk
·Ym1
1) �
e(σ2, g2).
(iii) CreatePC. e user generates a protected cre-
dential with TOPRF secret key usk derived from
the password and the biometric: Upicks a random
number sZpto generate a pseudonym as
Nymo
ugs
1·husk
nym and computes an El-Gamal
encryption of the credential σwith secret TOPRF
values usk into a ciphertext as: PCi� [σ]usk.
(iv) Proof. A NIZK proof of knowledge of the cre-
dential (PS signature [47]) works as follows: U
selects random r3, t1Zpand computes
σ(σr3
1,(σ2·σt1
1)r3).Usends σ� (σ1
,σ2
)to
the verifier and carries out a zero-knowledge proof
of knowledge (such as the Schnorr’s interactive
protocol) of m,usk, and t1such that
πNIZK
s, m1, t1, usk
 􏼁:Nymo
ugs
1·husk
nym
PCiEncusk(σ)
eσ1
, Y
 􏼁usk ·eσ1
, g2
 􏼁t1·σ1
, Y1
 􏼁m1
eσ2
, g2
 􏼁
eσ1
, X
 􏼁
.
(7)
(v) At the end of this phase, Usubmits the resulting
values (PCi,π,Nymo
u)to the public ledger nodes
where πis a proof of knowledge on the Nymo
uand
the PCi. If the signature verifies successfully,
output 1, otherwise 0. e nodes should accept
values to the ledger if this algorithm returns 1.
4.5.3. Authentication Phase
In this phase, a user authenticates herself to the
service provider and establishes a session key with the
service provider. e following steps are executed by
U,PA, and SP:
(i) First of all, the server chooses a secret key
yZpand computes Zgy
1. en, SP
generates a signature σson message Z(i.e.,
Schnorr’s signature [55]) using its secret key and
sends the message M1Z, σs
􏼈 􏼉 to the user.
(ii) When receiving a pair (Z, σs), the client verifies
whether σsis valid on message Zunder the SP’s
public key. If σsis valid, Uinserts pwand scans
her personal biometric impression Bioat the
sensor.
(iii) e user interacts with personal agents and runs
the necessary steps to compute the TOPRF
protocol
Security and Communication Networks 9
FK(Bio,pw) � usk h(pw,􏽑iSRbr1
i).
en, Udecrypts ciphertext [σ]usk with the
TOPRF secret key usk to recover the credential
σ.
(iv) Show: e user creates a NIZK πensuring that
the credential is well-formed and the credential
related to the same secret values as her pseu-
donym. Here we prove: (1) she knows a cre-
dential on the ledger from the IDP, (2) the
credential includes the secret key as her pseu-
donym, (3) she possesses of a credential (sig-
nature). We use the bilinear maps accumulator
[57] to accumulate the group elements
g1,. . . , gn
􏼈 􏼉 instead of, e.g., the integers
1,..., n
{ }. In addition, Camenisch et al. [57]
describe an efficient zero-knowledge proof of
knowledge such as Schnorr’s protocol [55, 56]
that a committed value is in an accumulator. See
Refs. [57, 63] to find how this proof works.
U runs the following steps to authenticate herself:
(a) e user selects a random number r4Zpto
generate a pseudonym Nymv
ugr4
1·husk
nym for
communication with service providers.
(b) Upicks random numbers d, t2Zpand
computes a randomized commitment credential
(like in the previous step) as σ(σr2
1,(σ2·
σt2
1)r2).
(c) en, Ucalculates Dgd
1, a secret session key
SK Zdgy·d
1and Hmac(SK, D, Z).
(d) For a set of credentials PC
,Ucomputes an ac-
cumulator and witness as AC Accumulate
(params,PC
)and ωGenWitness(params,
PC
,PC
i), carries out a zero-knowledge proof of
knowledge of the credential, and outputs the
following proof of knowledge πsuch that
NIZK
usk, ω, d, t2, m, r4
 􏼁:
AccVerify(params, AC, ω) � 1
eσ1
, Y
 􏼁usk ·eσ1
, g2
 􏼁t2·σ1
, Y
 􏼁m
eσ2
, g2
 􏼁
eσ1
, X
 􏼁
PCiEncusk(σ)Dgd
1
Nymv
ugr4
1·husk
nym
(8)
Finally, U sends the message M4Nymv
u, D,
􏼈
Hmac,π}, to the service provider.
(i) After receiving the message M4Nymv
u, D,
􏼈Hmac,
π}, from the user, the service provider first scans
through the ledger to obtain a set PC
consisting of all
credentials belonging to IDP. First, SP computes the
accumulator AC Accumulate(params,PC
). en,
it verifies that π1 is the aforementioned proof of
knowledge on PCiand Nymv
uusing the known public
values. If the proof verifies successfully, output 1, SP
computes the session key as follows: SK Dygy·d
1.
en, SP computes Hmac(SK, D, Z)and checks
Hmac Hmac. If π1 and Hmac holds, SP accepts SK as
the session key and also the user is authentic.
Note that we can simply send σalongside the message of
the proof of knowledge. With this, we can prove the con-
struction is a Σ-protocol (see Ref. [47] to see how proof of
knowledge of PS signature works).
4.6. Optimization. To exploit the accumulator AC in our
construction which can be computed incrementally, we
consider that any node mining a new block can add this
block’s accumulator to the previous one. e node stores the
result as a new accumulator value in the transaction at the
beginning of the new block, namely, the accumulator
checkpoint. Peer nodes validate this computation before
accepting the new block into the blockchain. With this
optimization, SP no longer needs to compute the accu-
mulator AC. Instead, SP can merely reference the current
block’s accumulator checkpoint and compute the secret key
SK starting from the checkpoint preceding her mint (instead
of starting at the beginning).
Theorem 1. Our proposed protocol is secure against any
nonuniform PPT adversary corrupting t1many personal
agents PA by assuming that the El-Gamal encryption, zero-
knowledge proof of signature, and the TOPRF protocol are
secure and also the hash function is collision resistant.
4.7. Security Proofs of eorem 1
4.7.1. Proof Sketch. Our construction DAMFA is modular
and relies directly on the TOPRF and the zero-knowledge
proof. e security is then straightforwardly inherited from
those algorithms:
e credential security requires that no adversary is able
to present a credential (guess passwords and biometrics) and
generate a session key, which they have not had any access
to. If we use a TOPRF on passwords and biometric of users,
then the security properties of TOPRF would make it hard to
guess. e proof is once again twofold:
(i) First, the authentication is done through a zero-
knowledge proof. At this step, the adversary presents
an invalid credential or manages to build a valid
proof. Hence, the adversary breaks the soundness of
the underlying proof of knowledge we used, or else
uses a valid credential.
(ii) At this step, we now assume the adversary wins by
using a valid credential. We now rely on the
obliviousness of the TOPRF. We interact with a
TOPRF challenge to answer every adversarial re-
quest, and at the end, we can use the (valid) cre-
dential output by the adversary to break the TOPRF
obliviousness, which leads to the conclusion.
10 Security and Communication Networks
4.7.2. Anonymity. During the registration phase, when a
user reveals her pseudonym but does not (intentionally)
reveal her secret key usk, no adversary should learn any
information about the secret key or the identity. Besides,
during the authentication phase, a user proves her credential
using zero-knowledge proof, which reveals no additional
information about her secret key and identity to the SP.
e simulator Sis essentially an ideal world adversary
that interacts with the functionality FDAMFA and the envi-
ronment ξ. We also assume that our zero-knowledge sig-
nature of knowledge includes an efficient extractor and a
simulator and also that the signature is unforgeable. To
guarantee that the view of the environment in the ideal
world is indistinguishable from its view in the real world, it
has to invoke the real-world adversary Aby simulating all
other entities for A. en, for the most parts, the simulator
follows the action of adversary Aappropriately.
4.7.3. Description of the Simulator. Once the adversary
registers a new user to the system via storing a tuple
(Nymo
u,PCi,πi)to the bulletin board, the simulator registers
this user in the ideal world via the following process. It makes
an interface between honest parties in the real world (which are
the user Uand nt+1personal agents denoted by PAiwhere
it, . . . , n wlog. since all personal agents in our solution are
identical) and corrupted parties in the ideal world (which are
the service provider SP and tpersonal agents denoted by PAic
where ic � (1,. . . , t). e simulator behaves as follows:
(1) Registration
(1) Upon receiving (Reg,sid, U, SI)from FDAMFA , ig-
nores it if |SI|PAn. Otherwise, records U, sid,SI
and sends (Send,(sid,0), U, PA, SI)to Afor all
PA SI. If FTOPRF sends (K, pw,Bio), records it.
Remark 1. Since Ssimulates PAic in the ideal world, S
receives whatever they receive from FDAMFA.
(2) After receiving (sid,PAic,PCi,Nymo
u,πi)from Afor
some PAiSI, it checks if it has a record of
(U, kic,Nymo
u)on its list of users. If the user with Nymo
u
exists, then Sretrieves Kassociated with
(U, kic,Nymo
u)and proceeds. e simulator then
employs the knowledge extractor to obtain usk. If it is
not on the list, Sfollows the protocol to register Nymo
u
as a user by choosing a random password pwand
Bio. It generates secret shares kic
on Kfor each
corrupted personal agent, records Reg, U, sid,SI,pw,
Bio, kic, K, and sends kicto PAic SI and A.
(3) Upon receiving (RegComplete,sid,SI)from A,
retrieves
Reg, U, sid,SI,pw,Bio, kic, Kcomputes a pseudo-
nym Nymv
uand a credential PCi
h·gusk where
uskic FK(pw,Bio). It records Nymv
u,PCi
, U, SI, uskic
and sends (sid,PAic,PCi,Nymv
u,πi)to its public ledger and
Awhere πiis proof of knowledge. Sstores
(pw,Bio, K, uskic,Nymv
u,PCi
,πi)in its list of granted
credentials.
Remark 2. When an honest user wants to establish a cre-
dential through the functionality, the simulator creates a
credential and uses the extractor of the signature of knowl-
edge to simulate the associated proof. It then transmits the
credential information (PCi
,πi,Nymv
u)to the trusted store.
(2) Authentication
(1) Upon receiving (Auth, U,sid,ssid,SR)where |SR|
t+1 from A, retrieves Nymv
u,PCi
, U, SI, uskic
corresponding to Uas stored in the registration
phase. If there is a set (Bio,pw, K)stored in the
registration phase and uskic is defined, then executes
the TOPRF protocol with each personal agent using
the password pwand Bioand receives ρic T(p,
(pw,Bio)) from FTOPRF and sends (Auth,sid,ssid,
U, SR)to A.
Remark 3. e initialization also specifies a parameter p
used to identify a table T(p, .)of random values that define
the proper PRF values computed by the user when inter-
acting with any subset of t+1 honest servers from the set SI.
An additional parameter p, and corresponding tables
T(p, .), can be specified by the adversary to represent rogue
tables with values computed by the user in the interaction
with corrupted servers (see more on this [49]).
(2) Upon receiving (Auth,sid,ssid, U, ρic )from FTOPRF,
Srecovers SR and uskic corresponding to Uas stored
during the registration phase in the database (ignores
this message if no corresponding tuples exist). S
checks ρic uskic and if each PAic used the correct
corresponding shareic � (uskic, kic )values. Ignores
this message if either of the following conditions
fails: if ρic uskic then |S|tx(p, S)>0|>tor all
servers in SR are honest. Otherwise, sends
(Auth,sid,SR,pw,Bio, sk)to FDA MFA where sk is
a random secret key and sets for
(flag, pw,Bio, sk)as follows:
(a) Case 1: Correct shareic � (ρic , kic)employed by
the adversary in the real protocol. Sdetects this
by verifying that uskic ρic. erefore, Ssets
(flag, pw,Bio, sk) � (1, ., .)and sends
(uskic, kic )in its database to FDAMFA where
uskic, kic was sent by FDAMFA .
(b) Case 2: Otherwise, incorrect uskic , kic employed
by the adversary in the real protocol. Sdetects
this by verifying that uskic ρic. So, Ssets
(flag, pw,Bio, sk) � (0, ., .)and defines xas
the set of values pw and Bio in the dictionary
such that T(p,(pw,Bio)) is defined. For every x
in lexicographic order, sets v:T(p, x)and
checks if vuskic. If so, sets
(flag,pw,Bio, sk):� (2, x, sk)and breaks
the loop. If the above loop processes all pw and
Security and Communication Networks 11
Bio without breaking, sets
(flag,pw,Bio, sk) � (0, ., .).
(3) On receiving (Auth,sid,ssid,SR, x pw,Bio
􏼈 􏼉)
from party P(U, A)and (Auth,sid,ssid, P, ρic)
from A, recovers uskic corresponding to Uas stored
in step 1. It ignores this message if either of the
following conditions fails: If ρic uskic then
|S|tx(p, S)>0|>tor if all servers in SR are honest.
Otherwise, picks T(p, x)0,1
{ }lif it has not
been defined and sends (Auth,sid,ssid, T(p, x)) to
A. If ρic uskic (without resulting in the failure of
conditions) then adds every PA SR to tested(x)
and sends (TestPwBio,sid, PA, pw,Bio)to
FDAMFA. If FDAMFA replies sk, then records it.
Remark 4. FDAMFA employs the ideal user-provided pass-
word and biometric test in the ideal world. erefore, if the
adversarial personal agents in the real world acted honestly,
it means that the simulator provided correct pairs (uski, ki).
en, the calculated credential and pseudonymous will be
valid (consisting in the ledger) since it is computed using the
actual password and biometric. On the other hand, if per-
sonal agents acted maliciously in the real world, Swould
have detected this in the previous step and would have
provided wrong pairs to FDAMFA in the ideal world. So, in
both worlds, the response will be invalid.
(4) Upon receiving (Auth,sid,ssid,SR,Nymv
u,PCi)
from FDAMFA,Sforwards Nymv
u,PCito the Ain
the real world.
(3) e Indistinguishability
(i) GameReal. is is the real world: the system con-
structed in this work is run between nt+1 honest
parties and tparties controlled by the adversary.
(ii) Game1. is is identical to GameReal except that the
encryption generated in the registration phase by
honest users is replaced with a simulated one. Indis-
tinguishability between GameReal and Game1comes
from the El-Gamal encryption security properties.
(iii) Game2. is is identical to Game1except that in
TOPRF, each share (biand usk) generated by honest
users using an actual password pw and biometric
Bio is replaced by pwand Biochosen randomly.
Since, Sdoes not have the correct password and
biometric, indistinguishability between Game1and
Game2comes from the indistinguishability of the
TOPRF algorithm and TSS construction.
(a) Reduction 1. e TOPRF security ensures that
senders (adversarial personal agents) cannot
distinguish between the receiver (the simulated
user) input, whether they are the actual pass-
word pw and Bio or another randomly chosen
pair of password pwand biometric Bio.
(b) Reduction 2. e TSS security ensures that less
than the threshold number of agents cannot
reconstruct the secret and also cannot check if
the shares are indeed related to the same secret.
erefore, there is no efficient way for the ad-
versary to distinguish this from real behavior
since one more agent needs to be corrupted to
mount a successful offline attack.
(iv) Game3. is game is identical to Game2except that
an authentication response (Nymv
oand PC
i), which
are two random group elements generated by the
adversary will be rejected if the extracted secret key
does not fulfill the requirements. Indistinguish-
ability between Game2and Game3comes from the
verified consistency of the bilinear pairing algo-
rithm and the simulation breaks the soundness of
the underlying proof of knowledge we used before
(assuming that there is no hash collision).
(v) Game4. is is the world simulated by S. It is not
hard to check that Gameideal is identical to Game4.
We already know that the possibility of TOPRF and
NIZK proofs to break is negligible.
5. Implementation
In this section, we illustrate the practicability of the proposed
protocol. To this end, we provide the public ledger part
which is realized by well-known blockchains, namely,
Namecoin and Ethereum. e results are summarized in
Table 1. Here, initial data size shows the size of the block-
chain needed for downloading and storage. Initial sync time
is the time required to sync and connect to the blockchain.
Confirmation time is the time required to confirm that the
data are uploaded in the blockchain.
5.1. Namecoin Implemention. e public ledger can be
implemented by a blockchain system. One of the smooth
ways to realize a public ledger is using Namecoin blockchain.
Namecoin allows for registering names and stores related
values in the blockchain, which is a securely distributed
shared database. It also enables a basic feature to query the
database and to retrieve the list of existing names and as-
sociated data. us, we can store credentials, scan them based
on namespace, and then verify them. We execute the fol-
lowing steps in order to participate in the Namecoin system
and store credentials by the namecoin id as pseudonyms:
(i) We need to install a Namecoin client that has a full
copy of the Namecoin blockchain and keep it in
sync with the P2P network by fetching and vali-
dating new blocks from connected peers. We use
implementation of the Namecoin client [64], which
can be controlled by HTTP JSON-RPC, command
line, or graphical interface. It spontaneously con-
nects to the Namecoin network and downloads the
blockchain.
(ii) e Namecoin client also creates the user’s wallet,
which includes the private key of Namecoin address
of the user.
12 Security and Communication Networks
(iii) To save credentials in the blockchain, the user needs
to register a namespace “id/name” as the owner of
the name by paying a very small fee (currently
0.006 4 USD). An id name can be registered using
the Namecoin graphical interface or commands
“name_new” and “name_firstupdate.” e follow-
ing description shows how the id name in Name-
coin namespace is registered and how those names
can be accessed.
namecoind name-new id/3608a30756b0...
e output will look like this:
[“0e0e03510b0b0b7dbba6e301e519693f6.
8062121b29f3cd3a6652c238360d0d0,
“9f213ff4a582fd65”].
is transaction shows a hashed version of the
name, salted with a random value (which is
“9f213. . .” for transaction ID “0e0e0351. . .”).
(iv) e user can store arbitrary data as descriptions
(which contains a credential) for Namecoin keys using
the JSON format: the following codes can be a simple
example of the JSON value of an identity name:
namecoind name_firstupdate id/3608...
Output:
{“description”: “28790de641755e77d1.
3382229156f5c26a9dd8a9673006b...”,
“namecoin”: “NBvmSUQbRGu...”}
Subsequently, the update has been confirmed and
transactions have been added to the blockchain.
e user has a fully valid credential. To show the
credential, SP scans through the list of added
names and retrieves all credentials via a graphical
interface or commands like the following code:
namecoind name_list
Output:
[{“name”: “id/3608a30756b07e...”,
“value”: “28790de641755e77d13382.
229156f5c26a9dd8a9673006b15...”,
“address”: “NBvmSUQbRGunCS...”,
“expires_in”: 36000}].
(1) Cost:
Initially, a reasonable transaction fee of either 0.00
or 0.01 NMC is charged. We can choose this fee
based on how fast we want to process a transaction.
(2) Latency:
Namecoin and Bitcoin both attempt to generate
blocks every 10 minutes; on average, it takes nearly 5
minutes to see the data appear on the blockchain. In
practice, it then takes the necessary time to solidify the
transactions and the data to be verified. For Name-
coin, it takes about 2 hours to confirm that the data are
uploaded in the blockchain (12 confirmations). at is
why name_firstupdate will only be accepted after a
mandatory waiting period of 12 additional blocks.
Remark 5. Note that these costs and delays occur only once
during the setup and registration phases. ey do not affect
the authentication phase. us, we focus on the computation
time of the authentication phase that is frequently used in
the authentication system (see Section 5.3).
5.2. Ethereum. Ethereum allows us to test our decentralized
application on a local blockchain; we use a test network
called Rinkeby to build our decentralized application. We
can connect to the Ethereum blockchain and even perform
operations such as mine blocks, send transactions, and
deploy smart contracts by running an Ethereum node.
(i) We run the Ethereum wallet (minst or geth com-
mand line) in order to access to Ethereum protocol
and deploy our smart contract.
(ii) To start, we need to sink the Rinkeby network locally
and download blockchain which takes a few hours.
(iii) Create an account:
Enter a password for your Rinkeby
Account by geth command line or.
Ethereum graphic (Minst).
Geth Version: 1.8.1-stable.
creates an account using geth
command: geth account new.
(iv) Next, obtain some Ether so that transactions can be
sent. Since we used the Rinkeby testnet, their Ether
can be obtained for free at the faucet website. Ether
is used to pay transaction fees.
(v) We can deploy smart contracts to store our cre-
dentials and names into them. For this purpose, we
write our first smart contract in Solidity (Solidity is a
high-level contract language that is planned to
target the Ethereum Virtual Machine (EVM)) and
deploy it through Mist. A simple example code is
pragma solidity 0.4.2
contract Test {
string public $NYM$;
string public $Z$;
function Test(string $NYM$, string $Z$)
{
v1 $NYM$;
v2 $Z$;
}
}
Table 1: Comparison of public ledger instantiations.
Properties Namecoin Ethereum (Rinkeby)
Initial data size 5.08 GB 5.3 GB
Initial sync time 3 h 3 h
Cost 0.069 USD 0.022 5 USD
Confirmation time 10 min/2 h a few seconds/3 min
Security and Communication Networks 13
(vi) We can also see the option to watch previously
deployed contracts and tokens. We can click on
“Watch Contracts” at the bottom and enter the
contract’s name and contract address.
(1) Cost:
All transactions need some amount of gas to mo-
tivate processing. A transaction fee is between 0 and
0.000 424 ETHER depending on how fast we want to
approve the blockchain transaction.
(2) Latency:
Ethereum creates a new block every few seconds so
that the data will appear on the blockchain instantly.
As mentioned in Ethereum Blog, 10 confirmations
are sufficient to achieve a similar security degree as
that of 6 confirmations in Bitcoin. It takes around
3 minutes to confirm the transaction/data. Note that
these costs and delays occur only once during the
setup and registration phases.
5.3. Performance of the Authentication System. We now
examine the performance of our anonymous authentication
system. ere are two main steps: the registration phase and the
authentication phase. However, since time-critical operations
in both registration and authentication phases are the same, we
concentrate our evaluation on the efficiency of these processes.
ese processes include OPRF, issuing/receiving a credential,
and proving knowledge of the signature and pseudonym. To
simplify the evaluation criteria of the experiment results, we
only assume a simple policy with a threshold t2for two
agents. e experiment is based on a laptop with Intel Core i5-
6200U CPU 2.30 GHz, 8.00 GB RAM, and 64-bit Ubuntu OS in
Java 8, building upon the upb.crypto library (available at
https://github.com/cryptimeleon) [65]. is library offers el-
liptic curve math and several useful building blocks for
anonymous credentials like Sanders signatures [47], Pedersen’s
commitment [58], Nguyen’s accumulator [66], Shamir secret
sharing, generalized Schnorr protocols, proofs of partial
knowledge [67], Damg˚
ard’s technique for concurrently black-
box secure Sigma protocols, and the Fiat-Shamir heuristic [56].
Table 2 shows the computational performances of the protocols
over 50 iterations. For issuing and proving protocols in such a
way that a certain policy is satisfied by a credential, we assume
equality of two attributes as Policy: StuID “11111” and
GENDER “male” and credential: certifying only these
attributes.
5.4. Computational and Communication Complexity. We
analyze the communication and the computation com-
plexity of our proposed protocol using the size of each el-
ement exchange involved in our protocol, the number of
exponentiation needed for issuing a credential (executed
only once in the registration phase) and the proving of a
credential (the most frequently executed phase),
respectively. We show the following efficiency analysis in
Table 3. r,t,EG1, and Pdenote the number of attributes that
can be certified, the number of agents that need to be
connected, the cost of exponentiation in G1, and the cost of a
pairing computation, respectively. By POK EG1[n]
􏽮 􏽯 (resp.
POK P[n]
{ }), we denote the cost of proving knowledge of n
secrets involved in a multi-exponentiation (resp. pairing-
product) equation, and Ver(POK)indicates the cost of
verifying this proof.
5.5. Comparison. We provide a comparison of DAMFA
with some of the most popular SSO schemes in Table 4.
We compare DAMFA with the above schemes in terms of
Decentralization (Decent.), Passive verification (PV),
Multi-Factor (MF), Formal definitions (FD), Anonymity
(Anony.), and Selective Disclosure (SD) attributes. De-
cent denotes the decentralization of the SSO schemes
(i.e., user authentication process no longer depends on a
trusted third party). We provide this by applying a
distributed transaction ledger and the blind issuing
protocol. PV shows that service providers can verify
users (who have registered a particular credential)
without requiring interaction with an identity provider.
We fulfill this property using a distributed transaction
ledger and anonymous credentials. Anonymity guaran-
tees that no one can trace or learn information about the
user’s identity during the authentication process. We
fulfill this property by applying NIZNP + SP signature +
Pseudonym. Here, denotes that it is unfeasible for
IDP’s to track users’ sign-on activity onto different SPs.
Also, it shows that it is impossible to correlate multiple
accounts created from the same credential on different
SPs. Subsequently, indicates that either IDP’s sor SPs
can create a correlation between different accounts of the
same user. FD demonstrates if proposed schemes provide
a formal security definition. In this case, DAMFA is the
only scheme that provides a formal security definition and
proof. SD allows to disclose a subset of user attributes and
proves statements about their attributes. Finally, to protect the
user’s private information against offline (OA) attacks, we use
the TOPRF primitive. Here, means that other related
schemes are resistant against offline attacks as long as IDP does
not compromise or the theft/loss/corruption of a user’s device
does not happen when they use this device as 2FA token.
means that resistance to offline attacks is satisfied even in the
presence of a corrupted IDP or user’s device.
Table 2: Performance of the authentication protocol.
Sub-protocol Duration (ms)
OPRF 30
ProveNym 6
IssCred 25
ProveCred 33
14 Security and Communication Networks
6. Conclusion
In this paper, we proposed a decentralized authentication
and key exchange system DAMFA (SSO scheme) under
TOPRF protocol and standard cryptographic primitives. e
proposed scheme builds upon a trustworthy global append-
only ledger that does not rely on a trusted server. DAMFA
fulfills the following properties:
(1) Decentralization property means that the process of
user authentication no longer depends on a trusted
party. To realize such a distributed ledger, we pro-
pose using the blockchain system already in real-
world use with the cryptographic currency Bitcoin.
(2) Passive verification means that service providers who
have access to the shared ledger can verify users
without requiring interaction with an identity
provider.
(3) Single sign-on property ensures that a user logs in
with a single ID into the identity provider and then
gains access to any of the several related systems. So,
users do not need to register with each service
provider individually.
(4) Anonymity guarantees that no one can trace or learn
information about the user’s identity during the
authentication process. Finally, we evaluated that our
protocol is efficient and practical for authentication
systems.
Moreover, we provided comparison of our scheme
(DAMFA) with some of the most prominent SSO schemes. To
demonstrate a more detailed analysis of the performance of
our scheme, we analyzed the communication and the com-
putation complexity of our proposed protocol using the size
of each element’s exchange involved in our protocol and the
number of exponentiation, respectively. We proved our
construction’s security via ideal-real simulation, showing the
impossibility of offline dictionary attacks. Finally, we dem-
onstrated that our protocol is efficient and practical through a
prototypical implementation and implemented the public
ledger using Ethereum and Namecoin blockchains.
Data Availability
No additional data are available.
Disclosure
is paper is an extended version of the paper entitled
“DAMFA: Decentralized Anonymous Multi-Factor Au-
thentication” [23], including complete proofs, formal
security models, an Ethereum implementation, a com-
parison with other SSO schemes, a computation and
communication complexity analysis, and improved ex-
perimental results.
Conflicts of Interest
e authors declare that they have no conflicts of interest.
Acknowledgments
is work was supported by Johannes Kepler Open Access
Publishing Fund and has been carried out within the scope
of Digidow, the Christian Doppler Laboratory for Private
Digital Authentication in the Physical World. It has partially
been supported by the LIT Secure and Correct Systems Lab.
e authors are grateful for the financial support by the
Table 3: DAMFA computation and communication complexity.
Transaction TOPRF IssueCred ProveCred
User PAiUser IDP User SP
Computation 2 EG1EG1(r+1)EG1+POK EG1[r+1]
􏽮 􏽯 2EG1+Ver(POK)2EG1+POK P[r+1]
{ } Ver(POK)
Communication (2t)|G1| |G1| + |POK|2|G1| + |POK|
Table 4: Comparison of single sign-on schemes.
Schemes Decent. PV OA Anony. MF FD SD
SAML [19] ✕ ✕
OpenID [16] ◐ ◐ ✕ ✕
PRIMA [17] ◐ ◐ ✕ ✕
IRMA [68]
EL PASSO [45]
NextLeap [46]
DAMFA ✓ ✓
Anonymity: NextLeap relies on unlinkable credentials. However, blinded credentials should be stored at IDP, which allows IDP to perform user tracking.
Also, in PRIMA, signon across multiple SPs can be linked. Other schemes do not support unlinkable credentials. —Offline attacks : the related schemes only
fulfilled offline attack if IDP is honest. In IRMA, the user’s device (i.e., IRMA app) should be secure to provide OA and anonymity. Otherwise, any adversary
who gets these can simply impersonate the user (we addressed this open problem in IRMA). —Selective disclosure: PRIMA supports proving statements
about attributes, particularly when they are displayed as extra attributes signed by IDP. — Passive verification : In IRMA, SPs still require to interact with an
IRMA API server during the authentication.
Security and Communication Networks 15
Austrian Federal Ministry for Digital and Economic Affairs,
the National Foundation for Research, Technology and
Development, the Christian Doppler Research Association,
3 Banken IT GmbH, ekey biometric systems GmbH, Kepler
Universit¨
atsklinikum GmbH, NXP Semiconductors Austria
GmbH and Co KG, ¨
Osterreichische Staatsdruckerei GmbH,
and the State of Upper Austria.
References
[1] M. Bellare, D. Pointcheval, and P. Rogaway, “Authenticated
key exchange secure against dictionary attacks,” in Proceed-
ings of the International Conference on eory and Application
of Cryptographic Techniques (EUROCRYPT), pp. 139–155,
Springer, Prague, Czech Republic, May 2000.
[2] D. Cameron, “Over 560 million passwords discovered in
anonymous online database (2017),” 2017, https://goo.gl/
upDqzt.
[3] D. Wang, H. Cheng, P. Wang, X. Huang, and G. Jian, “Zipf’s
law in passwords,” IEEE Transactions on Information Fo-
rensics and Security, vol. 12, no. 11, pp. 2776–2791, 2017.
[4] V. Goel and N. Perlroth, “Yahoo says 1 billion user accounts
were hacked,” 2016, https://goo.gl/q4WZi9.
[5] Gemalto, “Year of mega breaches & identity theft: findings
from the breach level index,” 2014, https://www.sbs.ox.ac.uk/
cybersecurity-capacity/content/2014-year-mega-breaches-
and-identity-theft.
[6] I. Paul, “LinkedIn confirms account passwords hacked,” 2012,
http://goo.gl/UBWuY0.
[7] A. Ometov, S. Bezzateev, N. M¨akitalo, S. Andreev,
T. Mikkonen, and Y. Koucheryavy, “Multi-factor authenti-
cation: a survey,” Cryptography, vol. 2, no. 1, p. 1, 2018.
[8] O. Mir, R. Mayrhofer, M. H¨
olzl, and T.-B. Nguyen, “Recovery
of encrypted mobile device backups from partially trusted
cloud servers,” in Proceedings of the 13th International
Conference on Availability, pp. 1–10, Reliability and Security,
2018.
[9] S. Jarecki, H. Krawczyk, M. Shirvanian, and N. Saxena, “Two-
factor Authentication with end-to-end password security,” in
Proceedings of the International Conference on Practice and
eory of Public Key Cryptography (PKC), Springer, Rio de
Janeiro, Brazil, Cham, March 2018.
[10] M. A. Mustafa, A. Abidin, and E. A. R´ua, “Frictionless au-
thentication system: security & privacy analysis and potential
solutions,” 2018, https://arxiv.org/abs/1802.07231.
[11] V. Rimmer, D. Preuveneers, W. Joosen, M. A. Mustafa,
A. Abidin, and E. A. R´ua, “Frictionless authentication sys-
tems: emerging trends, Research challenges and opportuni-
ties,” 2018, https://arxiv.org/abs/1802.07233.
[12] D. Q. Viet, A. Yamamura, and H. Tanaka, “Anonymous
password-based authenticated key exchange,” in Proceedings
of the International Conference on Cryptology in India
(INDOCRYPT), pp. 244–257, Springer, Bangalore, India,
December 2005.
[13] Y. Lindell, “Anonymous authentication,” Journal of Privacy
and Confidentiality, vol. 2, no. 2, 2011.
[14] J. Yang and Z. Zhang, “A new anonymous password-based
authenticated key exchange protocol,” in Proceedings of the
International Conference on Cryptology in India (INDOC-
RYPT), pp. 200–212, Springer, Bangalore, India, December
2008.
[15] S. Shin, K. Kobara, and H. Imai, “Anonymous password-
authenticated key exchange: new construction and its
extensions,” IEICE Transactions on Fundamentals of Elec-
tronics, Communications and Computer Sciences, vol. E93-A,
no. 1, pp. 102–115, 2010.
[16] D. Recordon and D. Reed, “Openid 2.0: a platform for user-
centric identity management,” in Proceedings of the second
ACM workshop on Digital identity management, pp. 11–16,
New York, NY, United States, November 2006.
[17] M. R. Asghar, M. Backes, and M. Simeonovski, “Prima:
privacy-preserving identity and access management at in-
ternet-scale,” in Proceedings of the 2018 IEEE International
Conference on Communications (ICC), pp. 1–6, IEEE, Kansas
City, MO, USA, May 2018.
[18] D. Hardt and M. Jones, “e oauth 2.0 authorization
framework: bearer token usage,” 2012, https://www.omgwiki.
org/dido/doku.php?iddido:public:ra:xapend:xapend.b_stds:
tech:ietf:oauth_bearer.
[19] OneLogin Inc, “SAML toolkits,” 2019, https://developers.
onelogin.com/saml.
[20] S. Agrawal, P. Miao, P. Mohassel, and P. Mukherjee, “Pasta:
password-based threshold authentication,” in Proceedings of
the ACM Conference on Computer and Communications Se-
curity (CCS), pp. 2042–2059, ACM, New York, NY, United
States, October 2018.
[21] G. Alp´
ar, J.-H. Hoepman, and J. Siljee, “e identity crisis.
security, privacy and usability issues in identity management,”
2011, https://arxiv.org/abs/1101.0427.
[22] D. Fett, R. K¨usters, and G. Schmitz, “e web SSO standard
openid connect: in-depth formal security analysis and security
guidelines,” in Proceedings of the Computer Security Foun-
dations Symposium (CSF), pp. 189–202, IEEE, Santa Barbara,
CA, USA, August 2017.
[23] O. Mir, M. Roland, and R. Mayrhofer, “Damfa: decentralized
anonymous multi-factor authentication,” in Proceedings of the
2nd ACM International Symposium on Blockchain and Secure
Critical Infrastructure, ser. BSCI ’20, pp. 10–19, New York,
NY, United States, October 2020.
[24] S. M. Bellovin and M. Merritt, “Encrypted key exchange:
password-based protocols SecureAgainst dictionary attacks,”
in Proceedings of the IEEE Symposium on Security and Privacy
(S&P), IEEE, Oakland, CA, USA, May 1992.
[25] Augmented Encrypted Key Exchange, “A password-based
protocol secure against dictionary attacks and password file
compromise,” in Proceedings of the ACM Conference on
Computer and Communications Security (CCS), pp. 244–250,
ACM, New York, NY, United States, October 1993.
[26] V. Boyko, P. MacKenzie, and S. Patel, “Provably secure
password-authenticated key exchange using diffie-hellman,”
in Proceedings of the International Conference on eory and
Application of Cryptographic Techniques (EUROCRYPT),
pp. 156–171, Springer, Bruges, Belgium, May 2000.
[27] O. Goldreich and Y. Lindell, “Session-key generation using
human passwords only,” Journal of Cryptology, vol. 19, no. 3,
pp. 241–340, 2006.
[28] R. Gennaro and Y. Lindell, “A framework for password-based
authenticated key exchange,” Lecture Notes in Computer
Science, Springer, in Proceedings of the International Con-
ference on the eory and Applications of Cryptographic
Techniques (Eurocrypt), pp. 524–543, May 2003.
[29] A. Groce and J. Katz, “A new framework for efficient pass-
word-based authenticated key exchange,” in Proceedings of the
ACM Conference on Computer and Communications Security
(CCS), pp. 516–525, ACM, New York, NY, United States,
October 2010.
16 Security and Communication Networks
[30] F. Benhamouda and D. Pointcheval, “Verifier-based pass-
word-authenticated key exchange: new models and con-
structions,” IACR Cryptology ePrint Archive, vol. 2013, p. 833,
2013.
[31] M. Shirvanian, S. Jarecki, N. Saxena, and N. Nathan, “Two-
factor authentication resilient to server compromise using
mix-bandwidth devices,” in Proceedings of the Network and
Distributed System Security Symposium, (NDSS), San Diego,
CA, USA, February 2014.
[32] J. Bringer, H. Chabanne, and R. Lescuyer, “Software-only two-
factor authentication secure against active servers,” in Pro-
ceedings of the International Conference on Cryptology in Africa
(AFRICACRYPT), pp. 285303, Springer, Fes, Morocco, April
2016.
[33] O. Mir, T. van der Weide, and C.-C. Lee, “A secure user
anonymity and authentication scheme using avispa for tele-
care medical information systems,” Journal of Medical Sys-
tems, vol. 39, no. 9, p. 89, 2015.
[34] S. Jarecki, H. Krawczyk, M. Shirvanian, and N. Saxena,
“Device-enhanced password protocols with optimal online-
offline protection,” in Proceedings of the ACM on Asia
Conference on Computer and Communications Security (ASIA
CCS), pp. 177–188, ACM, New York, NY, United States,
October 2016.
[35] D. He and D. Wang, “Robust biometrics-based authentication
scheme for multiserver environment,” IEEE Systems Journal,
vol. 9, no. 3, pp. 816–823, 2015.
[36] X. Huang, Y. Xiang, E. Bertino, J. Zhou, and L. Xu, “Robust
multi-factor authentication for fragile communications,”
IEEE Transactions on Dependable and Secure Computing,
vol. 11, no. 6, pp. 568–581, 2014.
[37] D. Pointcheval and S. Zimmer, “Multi-factor Authenticated
key exchange,” in Proceedings of the 6th International Con-
ference on Applied Cryptography and Network Security
(ACNS), pp. 277–295, Springer, New York, NY, United States,
June 2008.
[38] O. Mir and M. Nikooghadam, “A secure biometrics based
authentication with key agreement scheme in telemedicine
networks for e-health services,” Wireless Personal Commu-
nications, vol. 83, no. 4, pp. 2439–2461, 2015.
[39] N. Fleischhacker, M. Manulis, and A. Azodi, “A modular
framework for multi-factor authentication and key exchange,”
in Proceedings of the International Conference on Research in
Security Standardisation, pp. 190–214, Springer, London,
United Kingdom, December 2014.
[40] R. Zhang, Y. Xiao, S. Sun, and H. Ma, “Efficient multi-factor
authenticated key exchange scheme for mobile communi-
cations,” IEEE Transactions on Dependable and Secure
Computing, vol. 1, 2017.
[41] D. Wang, Z. Zhang, P. Wang, J. Yan, and X. Huang, “Targeted
online password guessing: an underestimated threat,” in
Proceedings of the 2016 ACM SIGSAC conference on computer
and communications security, pp. 1242–1254, Vienna Austria,
October 2016.
[42] D. Wang, D. He, P. Wang, and C.-H. Chu, “Anonymous two-
factor authentication in distributed systems: certain goals are
beyond attainment,” IEEE Transactions on Dependable and
Secure Computing, vol. 12, no. 4, pp. 428–442, 2014.
[43] D. Debiao He, N. Kumar, J.-H. Jong-Hyouk Lee, and
R. S. Sherratt, “Enhanced three-factor security protocol for
consumer usb mass storage devices,” IEEE Transactions on
Consumer Electronics, vol. 60, no. 1, pp. 30–37, 2014.
[44] Z. Zhang, K. Yang, X. Hu, and Y. Wang, “Practical anony-
mous password authentication and TLS with anonymous
client authentication,” in Proceedings of the ACM Conference
on Computer and Communications Security (CCS),
pp. 1179–1191, ACM, Vienna Austria, October 2016.
[45] Z. Zhang, M. Kr´
ol, A. Sonnino, L. Zhang, and E. Rivi`
ere, “El
passo: privacy-preserving, asynchronous single sign-on,”
2020, https://arxiv.org/abs/2002.10289.
[46] H. Halpin, “Nextleap: decentralizing identity with privacy for
secure messaging,” in Proceedings of the 12th International
Conference on Availability, pp. 1–10, Reliability and Security,
Inria de Paris, December 2017.
[47] D. Pointcheval and O. Sanders, “Short randomizable signa-
tures,” in Proceedings of the Cryptographers’ Track at the RSA
Conference, pp. 111–126, Springer, San Francisco, CA, USA,
March 2016.
[48] S. Jarecki and X. Liu, “Efficient oblivious pseudorandom
function with applications to adaptive OT and secure com-
putation of set intersection,” in Proceedings of the Conference
on eory of Cryptography (TCC), pp. 577–594, Springer, San
Francisco, CA, USA, March 2009.
[49] S. Jarecki, A. Kiayias, H. Krawczyk, and J. Xu, “TOPPSS: cost-
minimal password-protected secret sharing based on
threshold OPRF,” in Proceedings of the International Con-
ference on Applied Cryptography and Network Security,
pp. 39–58, Springer, Singapore, June 2017.
[50] A. Shamir, “How to share a secret,” Communications of the
ACM, vol. 22, no. 11, pp. 612-613, 1979.
[51] E. B. Sasson, A. Chiesa, C. Garman et al., “Zerocash:
decentralized anonymous payments from bitcoin,” in Pro-
ceedings of the IEEE Symposium on Security and Privacy
(S&P), pp. 459–474, IEEE, Berkeley, CA, USA, May 2014.
[52] C. Garman, M. Green, and I. Miers, “Decentralized anony-
mous credentials,” in Proceedings of the 2014 Network and
Distributed System Security Symposium, Internet Society, San
Diego, California,, February 2014.
[53] C. Fromknecht, D. Velicanu, and S. Yakoubov, A Decen-
tralized Public Key Infrastructure with Identity Retention,
IACR Cryptology ePrint Archive, 2014, https://eprint.iacr.
org/2014/803.pdf.
[54] R. Yang, M. H. Au, Q. Xu, and Z. Yu, “Decentralized
blacklistable anonymous credentials with reputation,” Com-
puters & Security, vol. 85, pp. 353–371, 2019.
[55] C.-P. Schnorr, “Efficient identification and signatures for
smart cards,” in Proceedings of the Annual International
Cryptology Conference on Advances in Cryptology (CRYPTO),
pp. 239–252, Springer, Aarhus, Denmark, May 1990.
[56] A. Fiat and A. Shamir, “How to prove yourself: practical
solutions to identification and signature problems,” in Pro-
ceedings of the Conference on the eory and Application of
Cryptographic Techniques (Eurocrypt), pp. 186–194, Springer,
Santa Barbara, CA, USA, March 1986.
[57] J. Camenisch, M. Kohlweiss, and C. Soriente, “An accumu-
lator based on bilinear maps and efficient revocation for
anonymous credentials,” in Proceedings of the International
Workshop on Public Key Cryptography, pp. 481–500, Springer,
Irvine, CA, USA, March 2009.
[58] T. P. Pedersen, “Non-interactive and information-theoretic
secure verifiable secret sharing,” in Proceedings of the Annual
International Cryptology Conference (Crypto), pp. 129–140,
Springer, Santa Barbara, CA, USA, August 1991.
[59] R. Gennaro, S. Jarecki, H. Krawczyk, and T. Rabin, “Secure
distributed key generation for discrete-log based cryptosystems,”
in Proceedings of the International Conference on the eory and
Applications of Cryptographic Techniques (Eurocrypt), pp. 295
310, Springer, Prague, Czech Republic, May 1999.
Security and Communication Networks 17
[60] R. Canetti, S. Halevi, J. Katz, Y. Lindell, and P. MacKenzie,
“Universally composable password-based key exchange,” in
Proceedings of the Annual International Conference on eory
and Applications of Cryptographic Techniques (EUROCRYPT),
pp. 404–421, Springer, Aarhus, Denmark, May 2005.
[61] J. Camenisch, M. Drijvers, and B. Tackmann, “Multi-protocol
uc and its use for building modular and efficient protocols,”
IACR Cryptol. ePrint Arch, vol. 2019, p. 65, 2019.
[62] A. T. B. Jin, D. N. C. Ling, and A. Goh, “Biohashing: two factor
authentication featuring fingerprint data and tokenised ran-
dom number,” Pattern Recognition, vol. 37, no. 11,
pp. 2245–2255, Nov 2004.
[63] M. Chase, S. Meiklejohn, and G. Zaverucha, “Algebraic macs
and keyed-verification anonymous credentials,” in Proceed-
ings of the ACM SIGSAC Conference on Computer and
Communications Security (CCS), pp. 1205–1216, ACM,
Scottsdale Arizona USA, November 2014.
[64] N. team, Namecoind, Sourcecode of the Namecoin-Client
Reference Implementation, Namecoin, Aug 2016, https://
github.com/namecoin/namecoin.
[65] K. Bemmann, J. Bl¨
omer, J. Bobolz et al., “Fully-featured
anonymous credentials with reputation system,” in Pro-
ceedings of the 13th International Conference on Availability,
Reliability and Security (ARES 2018), no. 42, pp. 1–10, IEEE,
New York, NY, United States, August 2018.
[66] L. Nguyen, “Accumulators from bilinear pairings and ap-
plications,” in Lecture Notes in Computer Science, vol. 3376,
pp. 275–292, Springer, 2005.
[67] R. Cramer, I. Damg˚ard, and B. Schoenmakers, “Proofs of
partial knowledge and simplified design of witness hiding
protocols,” in Advances in Cryptology – CRYPTO ’94, ser.
LNCS, vol. 839, pp. 174–187, Springer, 1994.
[68] G. Alp´ar, F. van den Broek, B. Hampiholi, B. Jacobs, W. Lueks,
and S. Ringers, “Irma: practical, decentralized and privacy-
friendly identity management using smartphones,” HotPETs,
vol. 2017, 2017.
18 Security and Communication Networks
ResearchGate has not been able to resolve any citations for this publication.
Full-text available
Conference Paper
Token-based authentication is usually applied to enable single-sign-on on the web. In current authentication schemes, users are required to interact with identity providers securely to set up authentication data during a registration phase and receive a token (credential) for future accesses to various services and applications. This type of interaction can make authentication schemes challenging in terms of security and usability. From a security point of view, one of the main threats is the compromisation of identity providers. An adversary who compromises the authentication data (password or biometric) stored with the identity provider can mount an offline dictionary attack. Furthermore, the identity provider might be able to track user activity and control sensitive user data. In terms of us-ability, users always need a trusted server to be online and available while authenticating to a service provider. In this paper, we propose a new Decentralized Anonymous Multi-Factor Authentication (DAMFA) scheme where the process of user authentication no longer depends on a trusted third party (the identity provider). Also, service and identity providers do not gain access to sensitive user data and cannot track individual user activity. Our protocol allows service providers to authenticate users at any time without interacting with the identity provider. Our approach builds on a Threshold Oblivious Pseudorandom Function (TOPRF) to improve resistance to offline attacks and uses a distributed transaction ledger to improve usability. We demonstrate practicability of our proposed scheme through a prototype. CCS CONCEPTS • Security and privacy → Cryptography; Distributed systems security; Privacy-preserving protocols.
Full-text available
Conference Paper
Including electronic identities (eIDs), such as passports or driving licenses in smartphones transforms them into a single point of failure: loss, theft, or malfunction would prevent their users even from identifying themselves e.g. during travel. Therefore, a secure backup of such identity data is paramount, and an obvious solution is to store encrypted backups on cloud servers. However, the critical challenge is how a user decrypts the encrypted data backup if the user's device gets lost or stolen and there is no longer a secure storage (e.g. smartphone) to keep the secret key. To address this issue, Password-Protected Secret Sharing (PPSS) schemes have been proposed which allow a user to store a secret key among n servers such that the user can later reconstruct the secret key. Unfortunately, PPSS schemes are not appropriate for some applications. For example, users will be highly unlikely to remember a cryptographically strong password when the smartphone is lost. Also, they still suffer from inefficiency. In this paper, we propose a new secret key reconstruction protocol based recently popular PPSS schemes with a Fuzzy Extractor which allows a client to recover secret keys from an only partially trusted server and an auxiliary device using multiple key shares and a biometric identifier. We prove the security of our proposed protocol in the random oracle model where the parties can be corrupted separately at any time. An initial performance analysis shows that it is efficient for this use case.
Full-text available
Conference Paper
We present CLARC (Cryptographic Library for Anonymous Reputation and Credentials), an anonymous credentials system (ACS) combined with an anonymous reputation system. Using CLARC, users can receive attribute-based credentials from issuers. They can efficiently prove that their credentials satisfy complex (access) policies in a privacy-preserving way. This implements anonymous access control with complex policies. Furthermore, CLARC is the first ACS that is combined with an anonymous reputation system where users can anonymously rate services. A user who gets access to a service via a credential, also anonymously receives a review token to rate the service. If a user creates more than a single rating, this can be detected by anyone, preventing users from spamming ratings to sway public opinion. To evaluate feasibility of our construction, we present an open-source prototype implementation.
Full-text available
Article
Today, digitalization decisively penetrates all the sides of the modern society. One of the key enablers to maintain this process secure is authentication. It covers many different areas of a hyper-connected world, including online payments, communications, access right management, etc. This work sheds light on the evolution of authentication systems towards Multi-Factor Authentication (MFA) starting from Single-Factor Authentication (SFA) and through Two-Factor Authentication (2FA). Particularly, MFA is expected to be utilized for human-to-everything interactions by enabling fast, user-friendly, and reliable authentication when accessing a service. This paper surveys the already available and emerging sensors (factor providers) that allow for authenticating a user with the system directly or by involving the cloud. The corresponding challenges from the user as well as the service provider perspective are also reviewed. The MFA system based on reversed Lagrange polynomial within Shamir’s Secret Sharing (SSS) scheme is further proposed to enable more flexible authentication. This solution covers the cases of authenticating the user even if some of the factors are mismatched or absent. Our framework allows for qualifying the missing factors by authenticating the user without disclosing sensitive biometric data to the verification entity. Finally, a vision of the future trends in MFA is discussed.
Article
Blacklistable anonymous credential systems provide service providers with a way to authenticate users according to their historical behaviors, while guaranteeing that all users can access services in an anonymous and unlinkable manner, thus are potentially useful in practice. Traditionally, to protect services from illegal access, the credential issuer, which completes the registration with users, must be trusted by the service provider. However, in practice, this trust assumption is usually unsatisfied. In this paper, we solve this problem and present the decentralized blacklistable anonymous credential system with reputation (DBLACR), which inherits nearly all features of the BLACR system presented in Au et al. (2012) but does not need a trusted party to register users.The new system also has extra advantages. In particular, it enables blacklist (historical behaviors) sharing among different service providers and is partially resilient to the blacklist gaming attack, where dishonest service providers attempt to compromise the privacy of users via generating blacklist maliciously. Technically, the main approach to achieve DBLACR system is a novel use of the blockchain technique, which serves as a public append-only ledger. The system can be instantiated from three different types of cryptographic systems, including the RSA system, the classical DL system, and the pairing based system. To demonstrate the practicability of our system, we also give a proof of concept implementation for the instantiation under the RSA system. The experiment results indicate that when authenticating with blacklists of reasonable size, our implementation can fulfill practical efficiency demands.
Conference Paper
Token-based authentication is commonly used to enable a single-sign-on experience on the web, in mobile applications and on enterprise networks using a wide range of open standards and network authentication protocols: clients sign on to an identity provider using their username/password to obtain a cryptographic token generated with a master secret key, and store the token for future accesses to various services and applications. The authentication server(s) are single point of failures that if breached, enable attackers to forge arbitrary tokens or mount offline dictionary attacks to recover client credentials. Our work is the first to introduce and formalize the notion of password-based threshold token-based authentication which distributes the role of an identity provider among n servers. Any t servers can collectively verify passwords and generate tokens, while no t-1 servers can forge a valid token or mount offline dictionary attacks. We then introduce PASTA, a general framework that can be instantiated using any threshold token generation scheme, wherein clients can "sign-on" using a two-round (optimal) protocol that meets our strong notions of unforgeability and password-safety. We instantiate and implement our framework in C++ using two threshold message authentication codes (MAC) and two threshold digital signatures with different trade-offs. Our experiments show that the overhead of protecting secrets and credentials against breaches in PASTA, i.e. compared to a naive single server solution, is extremely low (1-5%) in the most likely setting where client and servers communicate over the internet. The overhead is higher in case of MAC-based tokens over a LAN (though still only a few milliseconds) due to public-key operations in PASTA. We show, however, that this cost is inherent by proving a symmetric-key only solution impossible.