TESLA-for-5G: Broadcast Authentication for 5G Networks Using TESLA
Pith reviewed 2026-06-26 04:36 UTC · model grok-4.3
The pith
TF5 authenticates each 5G SIB1 message with a MAC after bootstrapping TESLA parameters once via GG09 IBS.
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
In the steady state, TF5 enables UEs to authenticate each SIB1 message using a symmetric MAC and delayed key disclosure, eliminating the need for per-message digital signatures. Initial trust is bootstrapped during cell entry using a lightweight GG09 IBS over the TESLA parameters, avoiding certificate distribution overhead.
What carries the argument
TESLA delayed key disclosure combined with one-time GG09 IBS bootstrap for parameter distribution
If this is right
- UEs avoid heavy per-message signature verification for SIB1
- Lower computation, communication, and storage costs for authentication
- No certificate distribution required for bootstrapping
- Formal security guarantees hold under Dolev-Yao adversary
Where Pith is reading between the lines
- The approach could apply to authenticating additional 5G broadcast messages beyond SIB1
- Reduced per-message computation may lower energy use on battery-constrained devices
- The bootstrap pattern might inform broadcast authentication in other wireless standards
Load-bearing premise
The GG09 IBS bootstrap during cell entry securely establishes TESLA parameters without certificate overhead or new vulnerabilities, and the Dolev-Yao model used in Tamarin verification captures all relevant threats.
What would settle it
An attack succeeding in forging an SIB1 message accepted by a TF5-equipped UE, or a Tamarin proof failure when the adversary model is extended beyond Dolev-Yao.
Original abstract
5G base stations broadcast unauthenticated system information (SI) that every user equipment (UE) reads during cell selection. This enables attackers to broadcast forged SI from a fake base station (FBS), deceiving UEs into camping on it. Prior approaches require UEs to authenticate System Information Block 1 (SIB1) using digital signatures. This necessitates computation-heavy verification for every SIB1 reception, imposing a significant burden on resource-constrained UEs. We propose TESLA-for-5G (TF5), a broadcast authentication protocol for 5G SIB1 that combines TESLA with GG09 Schnorr-like identity-based signatures (IBS). In the steady state, TF5 enables UEs to authenticate each SIB1 message using a symmetric MAC and delayed key disclosure, eliminating the need for per-message digital signatures. Initial trust is bootstrapped during cell entry using a lightweight GG09 IBS over the TESLA parameters, avoiding certificate distribution overhead. We formally verify TF5 in Tamarin under a Dolev-Yao adversary and demonstrate its favorable computation, communication, and storage costs through both an implementation on the OpenAirInterface 5G stack and trace-driven analysis.
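The steady-state check described in the abstract, as an added example that is not code from the paper or its OpenAirInterface implementation: a generic TESLA receiver in the style of RFC 4082 that buffers each message only while its key cannot yet be public, then authenticates it once a later packet discloses a key that hashes back to the commitment. The SHA-256 key chain, HMAC-SHA-256, the interval length, delay and skew values, and all names are assumptions, and the commitment K_0 is taken as already authenticated by the bootstrap step.

```python
import hashlib
import hmac

# Assumed parameters for illustration; none are taken from the TF5 paper.
T_INT_MS = 160    # length of one TESLA interval
D = 2             # disclosure delay d, in intervals
MAX_SKEW_MS = 10  # assumed bound on sender/receiver clock offset


def F(key):  # one-way chain step: K_{i-1} = F(K_i)
    return hashlib.sha256(b"chain" + key).digest()


def make_chain(seed, n):
    """Return [K_0 .. K_n]; K_0 is the commitment delivered at bootstrap."""
    keys = [seed]
    for _ in range(n):
        keys.append(F(keys[-1]))
    return keys[::-1]


def tag(chain_key, msg):  # MAC key is derived from, not equal to, the chain key
    mac_key = hashlib.sha256(b"mac" + chain_key).digest()
    return hmac.new(mac_key, msg, hashlib.sha256).digest()


class Receiver:
    def __init__(self, commitment, t0_ms):
        self.i, self.key, self.t0 = 0, commitment, t0_ms
        self.pending = {}  # interval index -> [(msg, mac), ...]

    def on_packet(self, now_ms, i, msg, mac, disc=None):
        """Process one broadcast; disc is (index, key) if a key is disclosed."""
        x = (now_ms + MAX_SKEW_MS - self.t0) // T_INT_MS  # latest sender interval
        if x < i + D:  # TESLA security condition: K_i cannot be public yet
            self.pending.setdefault(i, []).append((msg, mac))
        j, dkey = disc or (0, b"")
        if not (self.i < j <= x - D):
            return []  # nothing new, or not yet disclosable by the sender
        # Walk the chain back to the last authenticated key.
        derived, k = {j: dkey}, dkey
        for idx in range(j - 1, self.i, -1):
            k = F(k)
            derived[idx] = k
        if not hmac.compare_digest(F(k), self.key):
            return []  # disclosed key is not on the committed chain
        self.i, self.key = j, dkey
        accepted = []
        for idx in sorted(derived):
            for m, t in self.pending.pop(idx, []):
                if hmac.compare_digest(tag(derived[idx], m), t):
                    accepted.append(m)
        return accepted


def demo():
    """Constructed run: genuine packet, late forgery, then key disclosure."""
    k = make_chain(b"constructed seed", 8)
    rx = Receiver(k[0], t0_ms=0)
    a = rx.on_packet(170, 1, b"SIB1-a", tag(k[1], b"SIB1-a"))
    # Forgery for interval 1 arrives once K_1 may be public: never buffered.
    b = rx.on_packet(500, 1, b"SIB1-forged", tag(k[1], b"SIB1-forged"))
    c = rx.on_packet(510, 3, b"SIB1-c", tag(k[3], b"SIB1-c"), (1, k[1]))
    return a, b, c
```

The forged message carries a valid MAC under K_1 and is still rejected, purely because of its arrival time; that dependence on the receiver's clock bound is the timing assumption the referee report says a symbolic Dolev-Yao proof does not cover.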
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The paper proposes TESLA-for-5G (TF5), combining TESLA with GG09 IBS to authenticate 5G SIB1 broadcasts. In steady state, UEs use symmetric MACs with delayed key disclosure instead of per-message signatures; initial trust is established via lightweight GG09 IBS during cell entry. The work reports formal verification of TF5 in Tamarin under a Dolev-Yao adversary plus an OpenAirInterface implementation and trace-driven cost analysis showing reduced computation, communication, and storage overhead.
Significance. If the timing and bootstrap assumptions hold and the verification is adequate, TF5 could meaningfully lower UE computational burden for SI authentication while mitigating fake-base-station attacks. The explicit combination of machine-checked verification, real-stack implementation, and quantitative cost comparison is a strength that supports practicality claims.
major comments (2)
- [Abstract / Verification section] Abstract and verification section: the claim that Tamarin verification under Dolev-Yao supports the security of TESLA delayed disclosure is not justified, because Dolev-Yao abstracts messages as terms and contains no timed channels, global clock, or lemmas for bounded latency and clock synchronization; the timing invariants required by TESLA (MAC received before key disclosure, no pre-disclosure forgery) are therefore not entailed by the verified properties.
- [Protocol description / Bootstrap phase] Bootstrap description (cell-entry phase): the assertion that the GG09 IBS step securely establishes TESLA parameters without introducing new vulnerabilities or certificate overhead is load-bearing for the overall claim, yet no reduction to the GG09 assumption or explicit modeling of the 5G cell-entry channel appears; without this, the steady-state security reduction does not go through.
minor comments (2)
- [Protocol description] Notation for the disclosure delay parameter d and the associated timing assumptions should be introduced explicitly with a reference to the standard TESLA security condition.
- [Implementation and evaluation] The implementation section would benefit from a table comparing per-SIB1 verification time and energy on the UE side against the baseline signature scheme.
Simulated Author's Rebuttal
We thank the referee for the constructive and detailed comments, which help clarify the scope and limitations of our formal analysis and protocol claims. We address each major comment below and indicate the revisions we will make.
- Referee: [Abstract / Verification section] Abstract and verification section: the claim that Tamarin verification under Dolev-Yao supports the security of TESLA delayed disclosure is not justified, because Dolev-Yao abstracts messages as terms and contains no timed channels, global clock, or lemmas for bounded latency and clock synchronization; the timing invariants required by TESLA (MAC received before key disclosure, no pre-disclosure forgery) are therefore not entailed by the verified properties.
  Authors: We agree that the Dolev-Yao model used in Tamarin does not capture timing. Our Tamarin model verifies authentication and secrecy properties for the message flows and key disclosure schedule in the symbolic setting under a Dolev-Yao adversary, but it does not include timed channels, a global clock, or explicit lemmas enforcing bounded latency and clock synchronization. Consequently, the timing invariants essential to TESLA (that a MAC is received before its key is disclosed and that forgery before disclosure is impossible) are not formally entailed by the verified properties; they rest on the separate timing assumptions of TESLA and the 5G radio interface. We will revise the abstract and verification section to state the scope of the Tamarin analysis explicitly and to note that the timing aspects rely on external assumptions not modeled in the tool.
  revision: yes
- Referee: [Protocol description / Bootstrap phase] Bootstrap description (cell-entry phase): the assertion that the GG09 IBS step securely establishes TESLA parameters without introducing new vulnerabilities or certificate overhead is load-bearing for the overall claim, yet no reduction to the GG09 assumption or explicit modeling of the 5G cell-entry channel appears; without this, the steady-state security reduction does not go through.
  Authors: We acknowledge that the manuscript does not supply an explicit reduction of the bootstrap phase to the GG09 assumption nor a Tamarin model of the 5G cell-entry channel. The bootstrap is described as a one-time lightweight GG09 IBS exchange that occurs during the existing 5G cell-entry procedure and is intended to inherit the security of that procedure plus the established security of GG09. To make this clearer, we will revise the protocol description to state the assumptions on the bootstrap channel explicitly, reference the original GG09 security result, and note that a full end-to-end reduction combining the bootstrap and steady-state phases is left as future work. This change will qualify the load-bearing claim without altering the steady-state analysis.
  revision: partial
Circularity Check
No circularity: derivation relies on external verification and implementation
The paper describes a protocol combining the established TESLA broadcast authentication scheme with GG09 IBS for initial bootstrap, then steady-state MAC-based authentication with delayed key disclosure. It reports formal verification of the protocol in Tamarin under a Dolev-Yao adversary model plus an implementation on OpenAirInterface with trace-driven analysis. No equations, parameter fits, or self-citations are presented that reduce the central claims to inputs by construction; the verification step and implementation constitute independent external grounding. The derivation chain therefore remains self-contained against external benchmarks.
Axiom & Free-Parameter Ledger
axioms (1)
- domain assumption: Dolev-Yao adversary model is sufficient to capture threats for Tamarin verification