Identity Based Authenticated Key AgreementProtocols from Pairings

Content

Introduction Technical Background Smart’s ID-based AK Protocol A More Efficient AK Protocol

Introduction

Key establishment is a process whereby two (or more) entities can establish a shared secret key (session key) . Two approaches to key establishment between two entities is key transport and key agreement. A key agreement protocol provide implicit key authentication if A is assured that no other entity besides B can possibly ascertain the value of the secret key.

key agreement protocol (AK protocol): A key agreement protocol that provides mutual implicit key authentication.

key confirmation protocol(AKC protocol): A protocol that provides mutual key authentication as well as mutual key confirmation

AK and AKC protocols possess the following security attributes: Known-key security Forward secrecy: partial forward secrecy ,TA forward secrecy Key-compromise impersonation resilience Unknown key-share resilience Key control

In 1984, Shamir proposed an identity-based asymmetric key pair.

An authenticated key establishment protocol is called identity-based if in the protocol, users use an identity based asymmetric key pair instead of a traditional public/private key pair for authentication and determination of the established key.

Technical Background

Pairing

A pairing is a computable bilinear map between these two groups. e : G1× G1→ G2: which has the following three properties:

– Bilinear: If P,P1,P2,Q,Q1,Q2 G∈ 1and a Z q, then∈ ∗ e(P1+ P2,Q) = e(P1,Q). e(P2,Q),

e(P,Q1+ Q2) = e(P,Q1).e(P,Q2).

– Non-degenerate: There exists a P G∈ 1such that

e(P,P) ≠1.

– Computable: If P,Q G∈ 1, one can compute e(P,Q) in

polynomial time.

Security Model(BJM97)

E is allowed to make the following types of queries: Create Send Reveal Corrupt Test

matching conversation

Test query

Definition 1. [BJM97] A protocol is a secure AK protocol if: 1) the benign adversary 2) the Malicious adversary 3) AdvantageE (k) is negligible

Smart’s ID-based AK Protocol

Smart’s ID-AK protocol involves three entities: two users and a TA Setup:TA chooses a secret key s Z∈ q, public key Ps = sP G∈ 1, P is a

generator of G1

A user with identity ID the public key Q=H1(ID) G∈ 1 (H1 : {0,1}∗→ G1)

, the private key S = sQ

Authenticated Key Exchange:

SA=sQ A and SB=sQ B

TA= aP and TB= bP( a,b Z∈ ∗q,)

Protocol 1.M1 : Alice → Bob : TA

M2 : Bob → Alice : TB

KAB = e(SA,TB) · e(aQB,Ps ) , KBA= e(SB,TA) · e(bQA,Ps)

K = KAB= KBA= e(bQA+ aQB,Ps)

the shared session key FK = H2(K) (H2: G2→ {0,1}k)

A More Efficient AK Protocol

WA = aQA , WB = bQB( a,b Z q,)∈ ∗Protocol 2.

M1 : Alice → Bob : WA

M2 : Bob → Alice : WB

KAB= e(SA,WB+ aQB) , KBA= e(WA+ bQA,SB)

K = KAB = KBA = e(QA, QB)s(a+b)

Their shared secret session key is FK = H2(K)

Theorem 1. Protocol 2 is a secure AK protocol, assuming that the adversary does not make any Reveal queries, the BDH problem (for the pair of groups G1and G2) is hard and provided that H1 and H2 are random oracles.

Proof: Let P be a generator of G1. The BDH problem in G1,G2, e is given (P,xP,yP,zP) G∈ 4

1for some x,y,z chosen at random from Zq, compute W = e(P,P)xyz G∈ 2.

Modification of Protocols 2 without Key Escrow Protocol 2’: Alice and Bob exchange aQA, aP and bQB,bP. They then compute K as in Protocol 2, and finally compute the shared secret key as FK = H’2(K,abP).

Thank you !