identity based authenticated key agreement protocols from pairings
DESCRIPTION
Identity Based Authenticated Key Agreement Protocols from Pairings. Content. Introduction Technical Background Smart’s ID-based AK Protocol A More Efficient AK Protocol. Introduction. - PowerPoint PPT PresentationTRANSCRIPT
Identity Based Authenticated Key AgreementProtocols from Pairings
Content
Introduction Technical Background Smart’s ID-based AK Protocol A More Efficient AK Protocol
Introduction
Key establishment is a process whereby two (or more) entities can establish a shared secret key (session key) . Two approaches to key establishment between two entities is key transport and key agreement. A key agreement protocol provide implicit key authentication if A is assured that no other entity besides B can possibly ascertain the value of the secret key.
key agreement protocol (AK protocol): A key agreement protocol that provides mutual implicit key authentication.
key confirmation protocol(AKC protocol): A protocol that provides mutual key authentication as well as mutual key confirmation
AK and AKC protocols possess the following security attributes: Known-key security Forward secrecy: partial forward secrecy ,TA forward secrecy Key-compromise impersonation resilience Unknown key-share resilience Key control
In 1984, Shamir proposed an identity-based asymmetric key pair.
An authenticated key establishment protocol is called identity-based if in the protocol, users use an identity based asymmetric key pair instead of a traditional public/private key pair for authentication and determination of the established key.
Technical Background
Pairing
A pairing is a computable bilinear map between these two groups. e : G1× G1→ G2: which has the following three properties:
– Bilinear: If P,P1,P2,Q,Q1,Q2 G∈ 1and a Z q, then∈ ∗ e(P1+ P2,Q) = e(P1,Q). e(P2,Q),
e(P,Q1+ Q2) = e(P,Q1).e(P,Q2).
– Non-degenerate: There exists a P G∈ 1such that
e(P,P) ≠1.
– Computable: If P,Q G∈ 1, one can compute e(P,Q) in
polynomial time.
Security Model(BJM97)
E is allowed to make the following types of queries: Create Send Reveal Corrupt Test
matching conversation
Test query
Definition 1. [BJM97] A protocol is a secure AK protocol if: 1) the benign adversary 2) the Malicious adversary 3) AdvantageE (k) is negligible
Smart’s ID-based AK Protocol
Smart’s ID-AK protocol involves three entities: two users and a TA Setup:TA chooses a secret key s Z∈ q, public key Ps = sP G∈ 1, P is a
generator of G1
A user with identity ID the public key Q=H1(ID) G∈ 1 (H1 : {0,1}∗→ G1)
, the private key S = sQ
Authenticated Key Exchange:
SA=sQ A and SB=sQ B
TA= aP and TB= bP( a,b Z∈ ∗q,)
Protocol 1.M1 : Alice → Bob : TA
M2 : Bob → Alice : TB
KAB = e(SA,TB) · e(aQB,Ps ) , KBA= e(SB,TA) · e(bQA,Ps)
K = KAB= KBA= e(bQA+ aQB,Ps)
the shared session key FK = H2(K) (H2: G2→ {0,1}k)
A More Efficient AK Protocol
WA = aQA , WB = bQB( a,b Z q,)∈ ∗Protocol 2.
M1 : Alice → Bob : WA
M2 : Bob → Alice : WB
KAB= e(SA,WB+ aQB) , KBA= e(WA+ bQA,SB)
K = KAB = KBA = e(QA, QB)s(a+b)
Their shared secret session key is FK = H2(K)
Theorem 1. Protocol 2 is a secure AK protocol, assuming that the adversary does not make any Reveal queries, the BDH problem (for the pair of groups G1and G2) is hard and provided that H1 and H2 are random oracles.
Proof: Let P be a generator of G1. The BDH problem in G1,G2, e is given (P,xP,yP,zP) G∈ 4
1for some x,y,z chosen at random from Zq, compute W = e(P,P)xyz G∈ 2.
Modification of Protocols 2 without Key Escrow Protocol 2’: Alice and Bob exchange aQA, aP and bQB,bP. They then compute K as in Protocol 2, and finally compute the shared secret key as FK = H’2(K,abP).
Thank you !