pith. sign in

arxiv: 2606.26528 · v1 · pith:TLUEGMA5new · submitted 2026-06-25 · 💻 cs.CR

TESLA-for-5G: Broadcast Authentication for 5G Networks Using TESLA

Pith reviewed 2026-06-26 04:36 UTC · model grok-4.3

classification 💻 cs.CR
keywords 5G securitybroadcast authenticationTESLAidentity-based signaturesSIB1 authenticationfake base stationMAC authentication
0
0 comments X

The pith

TF5 authenticates each 5G SIB1 message with a MAC after bootstrapping TESLA parameters once via GG09 IBS.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper proposes TESLA-for-5G (TF5) to secure broadcast system information in 5G networks against fake base stations. Current methods require heavy digital signature verification on every SIB1 message, burdening user equipment. TF5 shifts to efficient symmetric MAC authentication in steady state using TESLA delayed key disclosure, with initial trust established via a lightweight GG09 IBS during cell entry. This reduces computation while maintaining security, as verified in Tamarin under the Dolev-Yao model and shown through OpenAirInterface implementation.

Core claim

In the steady state, TF5 enables UEs to authenticate each SIB1 message using a symmetric MAC and delayed key disclosure, eliminating the need for per-message digital signatures. Initial trust is bootstrapped during cell entry using a lightweight GG09 IBS over the TESLA parameters, avoiding certificate distribution overhead.

What carries the argument

TESLA delayed key disclosure combined with one-time GG09 IBS bootstrap for parameter distribution

If this is right

  • UEs avoid heavy per-message signature verification for SIB1
  • Lower computation, communication, and storage costs for authentication
  • No certificate distribution required for bootstrapping
  • Formal security guarantees hold under Dolev-Yao adversary

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The approach could apply to authenticating additional 5G broadcast messages beyond SIB1
  • Reduced per-message computation may lower energy use on battery-constrained devices
  • The bootstrap pattern might inform broadcast authentication in other wireless standards

Load-bearing premise

The GG09 IBS bootstrap during cell entry securely establishes TESLA parameters without certificate overhead or new vulnerabilities, and the Dolev-Yao model used in Tamarin verification captures all relevant threats.

What would settle it

An attack succeeding in forging an SIB1 message accepted by a TF5-equipped UE, or a Tamarin proof failure when the adversary model is extended beyond Dolev-Yao.

read the original abstract

5G base stations broadcast unauthenticated system information (SI) that every user equipment (UE) reads during cell selection. This enables attackers to broadcast forged SI from a fake base station (FBS), deceiving UEs into camping on it. Prior approaches require UEs to authenticate System Information Block 1 (SIB1) using digital signatures. This necessitates computation-heavy verification for every SIB1 reception, imposing a significant burden on resource-constrained UEs. We propose TESLA-for-5G (TF5), a broadcast authentication protocol for 5G SIB1 that combines TESLA with GG09 Schnorr-like identity-based signatures (IBS). In the steady state, TF5 enables UEs to authenticate each SIB1 message using a symmetric MAC and delayed key disclosure, eliminating the need for per-message digital signatures. Initial trust is bootstrapped during cell entry using a lightweight GG09 IBS over the TESLA parameters, avoiding certificate distribution overhead. We formally verify TF5 in Tamarin under a Dolev-Yao adversary and demonstrate its favorable computation, communication, and storage costs through both an implementation on the OpenAirInterface 5G stack and trace-driven analysis.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The paper proposes TESLA-for-5G (TF5), combining TESLA with GG09 IBS to authenticate 5G SIB1 broadcasts. In steady state, UEs use symmetric MACs with delayed key disclosure instead of per-message signatures; initial trust is established via lightweight GG09 IBS during cell entry. The work reports formal verification of TF5 in Tamarin under a Dolev-Yao adversary plus an OpenAirInterface implementation and trace-driven cost analysis showing reduced computation, communication, and storage overhead.

Significance. If the timing and bootstrap assumptions hold and the verification is adequate, TF5 could meaningfully lower UE computational burden for SI authentication while mitigating fake-base-station attacks. The explicit combination of machine-checked verification, real-stack implementation, and quantitative cost comparison is a strength that supports practicality claims.

major comments (2)
  1. [Abstract / Verification section] Abstract and verification section: the claim that Tamarin verification under Dolev-Yao supports the security of TESLA delayed disclosure is not justified, because Dolev-Yao abstracts messages as terms and contains no timed channels, global clock, or lemmas for bounded latency and clock synchronization; the timing invariants required by TESLA (MAC received before key disclosure, no pre-disclosure forgery) are therefore not entailed by the verified properties.
  2. [Protocol description / Bootstrap phase] Bootstrap description (cell-entry phase): the assertion that the GG09 IBS step securely establishes TESLA parameters without introducing new vulnerabilities or certificate overhead is load-bearing for the overall claim, yet no reduction to the GG09 assumption or explicit modeling of the 5G cell-entry channel appears; without this, the steady-state security reduction does not go through.
minor comments (2)
  1. [Protocol description] Notation for the disclosure delay parameter d and the associated timing assumptions should be introduced explicitly with a reference to the standard TESLA security condition.
  2. [Implementation and evaluation] The implementation section would benefit from a table comparing per-SIB1 verification time and energy on the UE side against the baseline signature scheme.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive and detailed comments, which help clarify the scope and limitations of our formal analysis and protocol claims. We address each major comment below and indicate the revisions we will make.

read point-by-point responses
  1. Referee: [Abstract / Verification section] Abstract and verification section: the claim that Tamarin verification under Dolev-Yao supports the security of TESLA delayed disclosure is not justified, because Dolev-Yao abstracts messages as terms and contains no timed channels, global clock, or lemmas for bounded latency and clock synchronization; the timing invariants required by TESLA (MAC received before key disclosure, no pre-disclosure forgery) are therefore not entailed by the verified properties.

    Authors: We agree that the Dolev-Yao model used in Tamarin does not capture timing. Our Tamarin model verifies authentication and secrecy properties for the message flows and key disclosure schedule in the symbolic setting under a Dolev-Yao adversary, but it does not include timed channels, a global clock, or explicit lemmas enforcing bounded latency and clock synchronization. Consequently, the timing invariants essential to TESLA (that a MAC is received before its key is disclosed and that forgery before disclosure is impossible) are not formally entailed by the verified properties; they rest on the separate timing assumptions of TESLA and the 5G radio interface. We will revise the abstract and verification section to state the scope of the Tamarin analysis explicitly and to note that the timing aspects rely on external assumptions not modeled in the tool. revision: yes

  2. Referee: [Protocol description / Bootstrap phase] Bootstrap description (cell-entry phase): the assertion that the GG09 IBS step securely establishes TESLA parameters without introducing new vulnerabilities or certificate overhead is load-bearing for the overall claim, yet no reduction to the GG09 assumption or explicit modeling of the 5G cell-entry channel appears; without this, the steady-state security reduction does not go through.

    Authors: We acknowledge that the manuscript does not supply an explicit reduction of the bootstrap phase to the GG09 assumption nor a Tamarin model of the 5G cell-entry channel. The bootstrap is described as a one-time lightweight GG09 IBS exchange that occurs during the existing 5G cell-entry procedure and is intended to inherit the security of that procedure plus the established security of GG09. To make this clearer, we will revise the protocol description to state the assumptions on the bootstrap channel explicitly, reference the original GG09 security result, and note that a full end-to-end reduction combining the bootstrap and steady-state phases is left as future work. This change will qualify the load-bearing claim without altering the steady-state analysis. revision: partial

Circularity Check

0 steps flagged

No circularity: derivation relies on external verification and implementation

full rationale

The paper describes a protocol combining the established TESLA broadcast authentication scheme with GG09 IBS for initial bootstrap, then steady-state MAC-based authentication with delayed key disclosure. It reports formal verification of the protocol in Tamarin under a Dolev-Yao adversary model plus an implementation on OpenAirInterface with trace-driven analysis. No equations, parameter fits, or self-citations are presented that reduce the central claims to inputs by construction; the verification step and implementation constitute independent external grounding. The derivation chain therefore remains self-contained against external benchmarks.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 0 invented entities

Based solely on the abstract, the protocol rests on standard cryptographic primitives and the Dolev-Yao model; no free parameters or invented entities are described.

axioms (1)
  • domain assumption Dolev-Yao adversary model is sufficient to capture threats for Tamarin verification
    Explicitly used for the formal verification step described in the abstract.

pith-pipeline@v0.9.1-grok · 5774 in / 1277 out tokens · 50013 ms · 2026-06-26T04:36:50.002233+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

45 extracted references · 17 canonical work pages

  1. [1]

    SIM Card Market Size by Memory Capacity, https://www.abiresearch.com/ news-resources/chart-data/sim-card-market-outlook

  2. [2]

    Tech- nicalReport(TR)33.809(Release18),3rdGenerationPartnershipProject(3GPP) (Sep 2023), http://www.3gpp.org/DynaReport/33809.htm

    3GPP: Study on 5G security enhancements against false base stations (FBS). Tech- nicalReport(TR)33.809(Release18),3rdGenerationPartnershipProject(3GPP) (Sep 2023), http://www.3gpp.org/DynaReport/33809.htm

  3. [3]

    Technical Specification (TS) 38.212 (Release19),3rdGenerationPartnershipProject(3GPP)(Dec2025),http://www

    3GPP: NR; Multiplexing and channel coding. Technical Specification (TS) 38.212 (Release19),3rdGenerationPartnershipProject(3GPP)(Dec2025),http://www. 3gpp.org/DynaReport/38212.htm

  4. [4]

    Technical Specification (TS) 38.300 (Release 19), 3rd Generation Partnership Project (3GPP) (Dec 2025), http://www.3gpp.org/DynaReport/38300.htm

    3GPP: NR; NR and NG-RAN overall description; stage-2. Technical Specification (TS) 38.300 (Release 19), 3rd Generation Partnership Project (3GPP) (Dec 2025), http://www.3gpp.org/DynaReport/38300.htm

  5. [5]

    Technical Specification (TS) 38.213 (Release 19), 3rd Generation Partnership Project (3GPP) (Dec 2025), http: //www.3gpp.org/DynaReport/38213.htm 18 S

    3GPP: NR; Physical layer procedures for control. Technical Specification (TS) 38.213 (Release 19), 3rd Generation Partnership Project (3GPP) (Dec 2025), http: //www.3gpp.org/DynaReport/38213.htm 18 S. Song et al

  6. [6]

    Technical Specifi- cation (TS) 38.331 (Release 19), 3rd Generation Partnership Project (3GPP) (Dec 2025), http://www.3gpp.org/DynaReport/38331.htm

    3GPP: NR; radio resource control (RRC); protocol specification. Technical Specifi- cation (TS) 38.331 (Release 19), 3rd Generation Partnership Project (3GPP) (Dec 2025), http://www.3gpp.org/DynaReport/38331.htm

  7. [7]

    Technical Specification (TS) 23.501 (Release 20), 3rd Generation Partnership Project (3GPP) (Dec 2025), http: //www.3gpp.org/DynaReport/23501.htm

    3GPP: System architecture for the 5G system (5GS). Technical Specification (TS) 23.501 (Release 20), 3rd Generation Partnership Project (3GPP) (Dec 2025), http: //www.3gpp.org/DynaReport/23501.htm

  8. [8]

    In: Proceedings of the 11th International Conference on Theory and Application of Cryptology and Information Security

    Barreto, P.S.L.M., Libert, B., McCullagh, N., Quisquater, J.J.: Efficient and provably-secure identity-based signatures and signcryption from bilinear maps. In: Proceedings of the 11th International Conference on Theory and Application of Cryptology and Information Security. pp. 515–532. ASIACRYPT’05, Springer- Verlag, Berlin, Heidelberg (Dec 2005). https...

  9. [9]

    In: Cachin, C., Camenisch, J.L

    Bellare, M., Namprempre, C., Neven, G.: Security Proofs for Identity-Based Iden- tification and Signature Schemes. In: Cachin, C., Camenisch, J.L. (eds.) Advances in Cryptology - EUROCRYPT 2004. pp. 268–286. Springer, Berlin, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24676-3_17

  10. [10]

    Bernstein, D.J., Lange, T.: eBACS: ECRYPT Benchmarking of Cryptographic Systems, https://bench.cr.yp.to/

  11. [11]

    In: Kilian, J

    Boneh, D., Franklin, M.: Identity-Based Encryption from the Weil Pairing. In: Kilian, J. (ed.) Advances in Cryptology — CRYPTO 2001. pp. 213–229. Springer, Berlin, Heidelberg (2001). https://doi.org/10.1007/3-540-44647-8_13

  12. [12]

    Journal of Cryptology17(4), 297–319 (Sep 2004)

    Boneh, D., Lynn, B., Shacham, H.: Short Signatures from the Weil Pair- ing. Journal of Cryptology17(4), 297–319 (Sep 2004). https://doi.org/10.1007/ s00145-004-0314-9

  13. [13]

    In: Kwon, T., Lee, M.K., Kwon, D

    Chatterjee, S., Kamath, C., Kumar, V.: Galindo-Garcia Identity-Based Signature Revisited. In: Kwon, T., Lee, M.K., Kwon, D. (eds.) Information Security and Cryptology – ICISC 2012. pp. 456–471. Springer, Berlin, Heidelberg (2013). https: //doi.org/10.1007/978-3-642-37682-5_32

  14. [14]

    Chlosta, M., Rupprecht, D., Pöpper, C., Holz, T.: 5G SUCI-catchers: Still catching them all? In: Proceedings of the 14th ACM Conference on Security and Privacy in Wireless and Mobile Networks. pp. 359–364. ACM, Abu Dhabi United Arab Emirates (Jun 2021). https://doi.org/10.1145/3448300.3467826

  15. [15]

    In: Iwata, T., Cheon, J.H

    Costello, C., Longa, P.: FourQ: Four-dimensional decompositions on a Q-curve over the mersenne prime. In: Iwata, T., Cheon, J.H. (eds.) Advances in Cryptology – ASIACRYPT 2015. pp. 214–235. Springer Berlin Heidelberg, Berlin, Heidelberg (2015)

  16. [16]

    In: 2023 IEEE 36th Computer Security Foundations Symposium (CSF)

    Cremers, C., Jacomme, C., Lukert, P.: Subterm-Based Proof Techniques for Im- proving the Automation and Scope of Security Protocol Analysis. In: 2023 IEEE 36th Computer Security Foundations Symposium (CSF). pp. 200–213 (Jul 2023). https://doi.org/10.1109/CSF57540.2023.00001

  17. [17]

    In: 5G NR: The next Generation Wireless Access Technology

    Dahlman, E., Parkvall, S., Sköld, J.: Chapter 7: Overall Transmission Structure. In: 5G NR: The next Generation Wireless Access Technology. Academic Press, London, United Kingdom ; San Diego, CA, United States, second edition edn. (2021)

  18. [18]

    Denis, F.: Libsodium (Mar 2026), https://github.com/jedisct1/libsodium

  19. [19]

    https://doi.org/10.48550/ arXiv.2502.04915

    Dong, Y., Behnia, R., Yavuz, A.A., Hussain, S.R.: Securing 5G Bootstrapping: A Two-Layer IBS Authentication Protocol (Feb 2025). https://doi.org/10.48550/ arXiv.2502.04915

  20. [20]

    In: 18th ACM Conference on Security and Privacy in Wireless and Mobile Networks

    Dong, Y., Wan, T., Wu, T., Hussain, S.R.: Evaluating Time-Bounded Defense Against RRC Relay in 5G Broadcast Messages. In: 18th ACM Conference on Security and Privacy in Wireless and Mobile Networks. pp. 236–241. WiSec TESLA-for-5G: Broadcast Authentication for 5G Networks Using TESLA 19 2025, Association for Computing Machinery, New York, NY, USA (Jun 202...

  21. [21]

    In: Proceedings 2021 Network and Distributed System Security Symposium

    Echeverria, M., Ahmed, Z., Wang, B., Arif, M.F., Hussain, S.R., Chowdhury, O.: PHOENIX: Device-Centric Cellular Network Protocol Monitoring using Run- time Verification. In: Proceedings 2021 Network and Distributed System Security Symposium. Internet Society, Virtual (2021). https://doi.org/10.14722/ndss.2021. 24390

  22. [22]

    EEMBC: CoreMark®: An EEMBC Benchmark, https://www.eembc.org/ coremark/

  23. [23]

    European Commission: 5G indicators: Infrastructure deployment | Shaping Eu- rope’s digital future (Dec 2025), https://digital-strategy.ec.europa.eu/en/policies/ 5g-indicators-infrastructure-deployment

  24. [24]

    In: Preneel, B

    Galindo, D., Garcia, F.D.: A Schnorr-Like Lightweight Identity-Based Signa- ture Scheme. In: Preneel, B. (ed.) Progress in Cryptology – AFRICACRYPT

  25. [25]

    pp. 135–148. Springer, Berlin, Heidelberg (2009). https://doi.org/10.1007/ 978-3-642-02384-2_9

  26. [26]

    In: 2021 IEEE Global Communi- cations Conference (GLOBECOM)

    Gao, H., Zhang, Y., Wan, T., Zhang, J., Duan, H.: On Evaluating Delegated Dig- ital Signing of Broadcasting Messages in 5G. In: 2021 IEEE Global Communi- cations Conference (GLOBECOM). pp. 1–7 (Feb 2021). https://doi.org/10.1109/ GLOBECOM46510.2021.9685173

  27. [27]

    RFC 6507 (Feb 2012)

    Groves, M.: Elliptic curve-based certificateless signatures for identity-based en- cryption (ECCSI). RFC 6507 (Feb 2012). https://doi.org/10.17487/RFC6507

  28. [28]

    Introducing a new alert data set for multi-step attack analysis,

    Heijligenberg, T., Rupprecht, D., Kohls, K.: The attacks aren’t alright: Large-Scale Simulation of Fake Base Station Attacks and Detections. In: Proceedings of the 17th Cyber Security Experimentation and Test Workshop. pp. 54–64. CSET ’24, Association for Computing Machinery, New York, NY, USA (Aug 2024). https: //doi.org/10.1145/3675741.3675742

  29. [29]

    In: Nyberg, K., Heys, H

    Hess, F.: Efficient Identity Based Signature Schemes Based on Pairings. In: Nyberg, K., Heys, H. (eds.) Selected Areas in Cryptography. pp. 310–324. Springer, Berlin, Heidelberg (2003). https://doi.org/10.1007/3-540-36492-7_20

  30. [30]

    In: Proceedings of the 12th Conference on Security and Privacy in Wireless and Mobile Networks

    Hussain, S.R., Echeverria, M., Singla, A., Chowdhury, O., Bertino, E.: Insecure connection bootstrapping in cellular networks: The root of all evil. In: Proceedings of the 12th Conference on Security and Privacy in Wireless and Mobile Networks. pp. 1–11. WiSec ’19, Association for Computing Machinery, New York, NY, USA (May 2019). https://doi.org/10.1145/...

  31. [31]

    ISO/IEC: IT Security techniques — Digital signatures with appendix — Part 3: Discrete logarithm based mechanisms. Tech. Rep. ISO/IEC 14888-3:2018, Interna- tional Organization for Standardization (2018)

  32. [32]

    In: Lange, T., Steinwandt, R

    Kölbl, S.: Putting Wings on SPHINCS. In: Lange, T., Steinwandt, R. (eds.) Post- Quantum Cryptography. pp. 205–226. Springer International Publishing, Cham (2018). https://doi.org/10.1007/978-3-319-79063-3_10

  33. [33]

    Meier, S.: Advancing Automated Security Protocol Verification. Ph.D. thesis, ETH Zurich (2013). https://doi.org/10.3929/ETHZ-A-009790675

  34. [34]

    In: Sharygina, N., Veith, H

    Meier, S., Schmidt, B., Cremers, C., Basin, D.: The TAMARIN prover for the sym- bolic analysis of security protocols. In: Sharygina, N., Veith, H. (eds.) Computer Aided Verification. pp. 696–701. Springer Berlin Heidelberg, Berlin, Heidelberg (2013)

  35. [35]

    In: Proceedings of the 34th USENIX Security Symposium (2025) 20 S

    Mubasshir, K.S., Karim, I., Bertino, E.: Gotta detect’em all: Fake base station and multi-step attack detection in cellular networks. In: Proceedings of the 34th USENIX Security Symposium (2025) 20 S. Song et al

  36. [36]

    OpenAirInterface (2026), https: //openairinterface.org/oai-code/

    OpenAirInterface: OpenAirInterface. OpenAirInterface (2026), https: //openairinterface.org/oai-code/

  37. [37]

    OpenAirInterface: radio/vrtsim/vrtsim.c·oai / openairinterface5G·Git- Lab(Jan2026),https://gitlab.eurecom.fr/oai/openairinterface5g/-/blob/develop/ radio/vrtsim/vrtsim.c

  38. [38]

    OpenSSL (Mar 2026), https://github.com/openssl/ openssl

    OpenSSL: Openssl/openssl. OpenSSL (Mar 2026), https://github.com/openssl/ openssl

  39. [39]

    Request for Comments RFC 4082, Internet Engineering Task Force (Jun 2005)

    Perrig, A., Canetti, R., Song, D., Tygar, D., Briscoe, B.: Timed Efficient Stream Loss-Tolerant Authentication (TESLA): Multicast Source Authentication Trans- form Introduction. Request for Comments RFC 4082, Internet Engineering Task Force (Jun 2005). https://doi.org/10.17487/RFC4082

  40. [40]

    In: 2024 33rd International Conference on Computer Communications and Networks (ICCCN)

    Purification, S., Wuthier, S., Kim, J., Kim, J., Chang, S.Y.: Fake Base Station Detection and Blacklisting. In: 2024 33rd International Conference on Computer Communications and Networks (ICCCN). pp. 1–9 (Jul 2024). https://doi.org/10. 1109/ICCCN61486.2024.10637542

  41. [41]

    In: Blakley, G.R., Chaum, D

    Shamir, A.: Identity-Based Cryptosystems and Signature Schemes. In: Blakley, G.R., Chaum, D. (eds.) Advances in Cryptology. pp. 47–53. Springer, Berlin, Hei- delberg (1985). https://doi.org/10.1007/3-540-39568-7_5

  42. [42]

    In: Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security

    Singla, A., Behnia, R., Hussain, S.R., Yavuz, A., Bertino, E.: Look Before You Leap: Secure Connection Bootstrapping for 5G Networks to Defend Against Fake Base-Stations. In: Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security. pp. 501–515. ASIA CCS ’21, Association for Comput- ing Machinery, New York, NY, USA (Jun 2021). h...

  43. [43]

    Song, S.: Ssubinsong/tf5-tamarin-proof (Apr 2026), https://github.com/ ssubinsong/tf5-tamarin-proof

  44. [44]

    Supranational (Mar 2026), https://github

    Supranational: Supranational/blst. Supranational (Mar 2026), https://github. com/supranational/blst

  45. [45]

    In: Proceedings 2025 Network and Distributed System Security Sym- posium

    Tucker, T., Bennett, N., Kotuliak, M., Erni, S., Capkun, S., Butler, K., Traynor, P.: Detecting IMSI-Catchers by Characterizing Identity Exposing Messages in Cel- lular Traffic. In: Proceedings 2025 Network and Distributed System Security Sym- posium. Internet Society, San Diego, CA, USA (2025). https://doi.org/10.14722/ ndss.2025.241115