

Information Sciences 186 (2012) 239–248


A round-optimal three-party ID-based authenticated key agreement protocol

Kyung-Ah Shim, Division of Fusion and Convergence of Mathematical Sciences, National Institute for Mathematical Sciences, KT Daedoek 2nd Research Center 463-1, Jeonmin-dong, Yuseong-gu, Daejeon, Republic of Korea


Article history: Received 30 October 2007; Received in revised form 28 September 2011; Accepted 29 September 2011; Available online 8 October 2011

Keywords: Identity-based system; Digital signature; Authenticated key agreement; Collusion Attack Algorithm with k-Traitor problem; Bilinear Diffie–Hellman problem

0020-0255/$ - see front matter © 2011 Elsevier Inc. All rights reserved. doi:10.1016/j.ins.2011.09.038

Abstract. In this paper, we propose a round-optimal identity-based authenticated key agreement protocol for a three-party setting in which three parties can actually transmit messages simultaneously. We then give its security proof in the random oracle model under the Bilinear Diffie–Hellman assumption.

© 2011 Elsevier Inc. All rights reserved.

1. Introduction

In 1984, Shamir [23] introduced the concept of identity (ID)-based cryptosystems. In the traditional public key cryptosystem, Alice's public key is a random string. When Bob wishes to send a message to Alice, he must first obtain her authenticated public key from a public directory. The main idea in ID-based cryptosystems is to eliminate the public key distribution problem by making Alice's public key derivable from her known identity information, such as an email address or a cellular phone number. Such cryptosystems alleviate certificate overhead and solve several problems associated with PKI technology including issues related to certificate management, storage and distribution, and the computational cost of certificate verification. Shamir [23] presented an ID-based signature (IBS) scheme, while he left as an open problem to propose an ID-based encryption (IBE) scheme. Over the years, a number of researchers have tried to propose secure and efficient IBE schemes, but with little success. This state of affairs changed in 2001 when an IBE scheme based on Weil pairing was proposed by Boneh and Franklin [5]. In fact, the existence of bilinear pairings such as Weil and Tate pairings was thought to be detrimental in cryptography, as the MOV attack [19] and the FR attack [12] reduce discrete logarithm problems on some elliptic curves or hyperelliptic curves to discrete logarithm problems in a finite field via the Weil pairing and the Tate pairing, respectively. These led some families of elliptic curves to be avoided from cryptographic use. Since Boneh–Franklin's scheme, the bilinear pairings of algebraic curves have initiated some completely new fields in cryptography, making it possible to realize cryptographic primitives that were previously unknown or impractical.

Key establishment is a process in which two or more entities establish a shared secret key. This key is subsequently used to achieve a cryptographic goal, such as confidentiality or data integrity. The Diffie–Hellman key agreement protocol [10] is the first practical solution to the key distribution problem, allowing two parties, never having met in advance or shared keying material, to establish a shared secret key while exchanging messages over an open channel. A conference keying protocol is a generalization of the two-party key establishment protocol that provides three or more parties with a shared secret key. There have been several proposals for conference key exchanges; however, they suffer from heavy cryptographic computation and communication overhead in that O(n) communication rounds or O(n) cryptographic operations are required to establish a shared key in a group of n members. Rapid advances in computing have resulted in dramatic improvements in large-number arithmetic computations. In contrast, communication latency has not improved appreciably. In view of this, we believe that one-round three-party key exchange is a real improvement over conference keying. The three-party case is of the most practical importance not only because it is the most common size for an electronic conference but also because it can be used to provide a range of services for two-party communication.

Initially, Joux [15] proposed a one-round tripartite Diffie–Hellman key agreement protocol based on the Weil pairing. However, like the basic Diffie–Hellman key agreement protocol [10], Joux's protocol is also susceptible to man-in-the-middle attacks because it does not attempt to authenticate the communicating entities. Since Joux's protocol, a number of ID-based key agreement protocols for the two- or three-party setting have been proposed, and most of them are broken or provide only informal security analysis [17,7,18,8,22,14,24,25,9]. To the best of my knowledge, there exists no provably secure three-party ID-based authenticated key agreement protocol that achieves all of the desirable security attributes described in [4]. In this paper, we propose the first one-round ID-based authenticated key agreement protocol for a three-party setting by adopting a new IBS scheme to Joux's protocol, giving its security proof in the random oracle model under the Bilinear Diffie–Hellman assumption. We also show that the proposed protocol achieves all of the desirable security attributes described in [4].

The rest of this paper is organized as follows. In the following section, we describe formal security models for IBS schemes and three-party ID-based key agreement protocols. In Section 3, we propose a new IBS scheme and then construct a one-round three-party ID-based authenticated key agreement protocol by combining the proposed signature scheme with Joux's protocol. In Section 4, we prove the security of the signature scheme and the key agreement protocol in the random oracle model under the Collusion Attack Algorithm with k-Traitor problem and the Bilinear Diffie–Hellman problem, respectively. Concluding remarks are given in Section 5.

2. Preliminaries

2.1. Some definitions and assumptions

Let $G_1$ be a cyclic group of a large prime order $q$ and $G_2$ be a cyclic multiplicative group with the same order $q$.

Admissible Pairing: we call $e$ an admissible pairing if $e : G_1 \times G_1 \to G_2$ is a map with the following properties:

1. Bilinearity: $e(aP, bQ) = e(P, Q)^{ab}$ for all $P, Q \in G_1$ and for all $a, b \in \mathbb{Z}$.
2. Non-degeneracy: there exists $P \in G_1$ such that $e(P, P) \neq 1$.
3. Computability: there is an efficient algorithm to compute $e(P, Q)$ for any $P, Q \in G_1$.

Weil and Tate pairings associated with supersingular elliptic curves or abelian varieties can be modified to create this type of admissible pairing; this was achieved in [5,15].

We consider the following problems and assumptions in $(G_1, G_2)$.

Definition 2.1 (Bilinear Diffie–Hellman (BDH) Problem). Given $(P, aP, bP, cP)$ for some $a, b, c \in_R \mathbb{Z}_q^*$ and a generator $P$ of $G_1$, compute $e(P, P)^{abc} \in G_2$.

Definition 2.2 (Bilinear Diffie–Hellman (BDH) Assumption). Let $\mathcal{G}$ be a BDH parameter generator. We say that an algorithm $\mathcal{A}$ has advantage $\epsilon(k)$ in solving the BDH problem for $\mathcal{G}$ if, for a sufficiently large $k$,

$$\mathrm{Adv}_{\mathcal{G},\mathcal{A}}(t) = \Pr\left[\mathcal{A}(q, G_1, P, aP, bP, cP) = e(P, P)^{abc} \in G_2 \;\middle|\; (q, G_1) \leftarrow \mathcal{G}(1^k);\ P \leftarrow G_1;\ a, b, c \leftarrow \mathbb{Z}_q^*\right] \geq \epsilon(k).$$

We say that $\mathcal{G}$ satisfies the BDH assumption if, for any randomized polynomial-time (in $t$) algorithm $\mathcal{A}$, $\mathrm{Adv}_{\mathcal{G},\mathcal{A}}(t)$ is a negligible function.

We review the Collusion Attack Algorithm with k-Traitor (k-CAA) problem [20,26], which is defined as follows:

Definition 2.3 (Collusion Attack Algorithm with k-Traitor (k-CAA) Problem). Given $\left(P, xP, h_1, h_2, \ldots, h_k, \frac{1}{x+h_1}P, \frac{1}{x+h_2}P, \ldots, \frac{1}{x+h_k}P\right)$, an integer $k$ and $x \in_R \mathbb{Z}_q$, $P \in G_1$, $h_i \in \mathbb{Z}_q$, compute $\frac{1}{x+h}P$ for some $h \notin \{h_1, \ldots, h_k\}$.

Definition 2.4 (k-CAA Assumption). We say that an algorithm $\mathcal{A}$ has advantage $\epsilon(k)$ in solving the k-CAA problem if, for a sufficiently large $k$,

$$\mathrm{Adv}^{k\text{-CAA}}_{\mathcal{A}} = \Pr\left[\mathcal{A}\left(P, xP, \tfrac{1}{x+h_1}P, \tfrac{1}{x+h_2}P, \ldots, \tfrac{1}{x+h_k}P\right) = \tfrac{1}{x+h}P \;\middle|\; x \in_R \mathbb{Z}_q;\ P \in G_1;\ h_1, h_2, \ldots, h_k \in \mathbb{Z}_q;\ h \notin \{h_1, \ldots, h_k\}\right] \geq \epsilon(k).$$

We say that the k-CAA problem is $(t, \epsilon)$-hard if, for all $t$-time adversaries $\mathcal{A}$, $\mathrm{Adv}^{k\text{-CAA}}_{\mathcal{A}}$ is a negligible function.

2.2. Formal security model for ID-based signature schemes

We give a definition of IBS schemes and their formal security model.

COMPONENTS OF IBS SCHEMES. An IBS scheme IBS = (Setup, Extract, Sign, Verify) is specified by four polynomial time algorithms with the following functionality:

Setup takes $1^k$, where $k \in \mathbb{Z}$ is the security parameter, and outputs some publicly known system parameters Params.

Extract takes an identity ID and a master secret msk, and outputs a private key $S_{ID} \leftarrow \mathrm{Extract}(msk, ID)$.

Sign takes a private key $S_{ID}$ corresponding to the ID and a message $m \in \{0,1\}^*$, and outputs a signature $\sigma \leftarrow \mathrm{Sign}(S_{ID}, m)$.

Verify takes an identity ID, a message $m \in \{0,1\}^*$, and a signature $\sigma$, and outputs Valid if $\mathrm{Verify}(\sigma, m, ID) = 1$, or $\perp$ otherwise.

All of the algorithms above can be randomized. Almost all IBS schemes use the BLS short signature scheme [6] to extract a private key $S_{ID}$ corresponding to the ID, but it is possible to use any standard signature scheme, in which the signature on the identity information signed by the PKG's master secret serves as a user private key. In addition, there exists a deterministic IBS scheme [13]. The Verify algorithm is usually deterministic, but it may be randomized. Boneh and Franklin [5] described a generic method for converting any IBE scheme into a standard signature scheme that has a randomized verification algorithm. Therefore, if this converted standard signature scheme is used as the starting scheme of the transformation by Bellare et al. [1], the verification algorithm of the resulting IBS scheme would also be randomized.

The most general security notion of a signature scheme is existential unforgeability under an adaptive chosen-message attack. It is extended to an IBS scheme, specifically, in the form of existential unforgeability under an adaptive chosen-message and an adaptive chosen-ID attack, where an adversary can choose its messages and its identities adaptively. We give the adversary the power to request private keys on the identities of its choice. The adversary is also given access to the signing oracle of any messages for any desired identities. This is formalized as follows.

UNFORGEABILITY OF IBS SCHEMES AGAINST AN ADAPTIVE CHOSEN-MESSAGE ATTACK AND AN ADAPTIVE CHOSEN-ID ATTACK. An adversary's advantage $\mathrm{Adv}_{IBS,\mathcal{A}}$ is defined as its probability of success in the following game between a challenger $\mathcal{C}$ and $\mathcal{A}$:

Setup. The challenger runs the Setup algorithm and its resulting system parameters are given to $\mathcal{A}$.

Extract Query. When $\mathcal{A}$ requests a private key corresponding to an identity ID of its choice, $\mathcal{C}$ responds to $\mathcal{A}$ with its private key $S_{ID}$.

Sign Query. Proceeding adaptively, $\mathcal{A}$ requests a signature on a given message $m$ with an identity $ID_i$, and $\mathcal{C}$ returns a signature $\sigma_i$.

Output. Eventually, $\mathcal{A}$ outputs $\sigma^*$ on a message $m^*$ for an identity $ID^*$ and wins the game if (i) $ID^*$ has never been requested from the private key extraction oracle, (ii) the pair $(m^*, ID^*)$ has never been requested from the signing oracle and (iii) $\mathrm{Verify}(\sigma^*, m^*, ID^*) = 1$.

Definition 2.5. A forger $\mathcal{A}$ $(t, q_H, q_E, q_S, \epsilon)$-breaks an IBS scheme, IBS, if $\mathcal{A}$ runs in time at most $t$, $\mathcal{A}$ makes at most $q_H$ queries to the hash function, $q_E$ queries to the extraction oracle, $q_S$ queries to the signing oracle, and $\mathrm{Adv}_{IBS,\mathcal{A}}$ is at least $\epsilon$. An IBS scheme is $(t, q_H, q_E, q_S, \epsilon)$-existentially unforgeable under an adaptive chosen-message attack and an adaptive chosen-ID attack if no forger $(t, q_H, q_E, q_S, \epsilon)$-breaks it in the above game.

2.3. Formal security model for authenticated key agreement protocols

We extend the notions of security defined in [2,11] to the three-party setting. We assume that there are $N$ parties. Each party is denoted as $U_i$ with its identity $ID_i$. The public parameters and identities $\mathcal{U} = \{ID_1, \ldots, ID_N\}$ are assumed to be known to all parties and adversaries in the network. We consider an ID-based key agreement protocol in which three parties want to exchange a session key using their public keys derived from the identity information to provide implicit key authentication. We denote the $t$-th instance of $U_i$ by $\Pi_i^t$. If an ID-based key agreement protocol terminates, then $\Pi_i^t$ generates a session key $sk_i$. A session identifier of an instance, denoted as $sid_i^t$, is a string that is different from those of all other sessions in the system with high probability. We assume that $sid_i^t$ is the concatenation of all messages sent and received by a particular instance $\Pi_i^t$, where the order of these messages is determined by the lexicographic ordering of the three parties' identities. The partners of $\Pi_i^t$ are the parties with whom $U_i$ believes it is interacting. We say that three instances $\Pi_i^t$, $\Pi_j^{t'}$ and $\Pi_k^{t''}$ are partnered if $sid_i^t = sid_j^{t'} = sid_k^{t''}$, and $U_j$ and $U_k$ (resp., $U_i$, $U_k$, and $U_i$, $U_j$) are the partners of $\Pi_i^t$ (resp., $\Pi_j^{t'}$, and $\Pi_k^{t''}$). Any protocol should satisfy the following correctness condition: three partnered instances compute the same session key.


ADVERSARIAL MODEL. We first define the capabilities of an adversary $\mathcal{A}$. We allow the adversary to control all communications in the network via access to a set of oracles as defined below. We consider an experiment in which the adversary queries oracles and the oracles answer back to the adversary.

• Extract(ID): this query allows $\mathcal{A}$ to obtain the long-term secret key of ID.
• Initiate(i, j, k): this query is used by party $U_i$ to initiate the execution of the protocol with partners $U_j$ and $U_k$. This query will result in $U_i$ sending a message, which is given to the adversary.
• Execute(i, j, k): this query models passive attacks, where $\mathcal{A}$ eavesdrops on an execution of the protocol. In response to this query, parties $U_i$, $U_j$ and $U_k$ execute the protocol without any interference from the adversary, and the adversary is given the resulting transcript of the execution.
• Send($\Pi_i^t$, M): this query models active attacks on the part of the adversary. It is used to send a message $M$ to an instance $\Pi_i^t$. When $\Pi_i^t$ receives $M$, it responds according to the key agreement protocol. Adversary $\mathcal{A}$ may use this query to perform active attacks by modifying and inserting the messages of the protocol.
• Reveal($\Pi_i^t$): this query models known key attacks in the real system. Adversary $\mathcal{A}$ is given the session key for an instance $\Pi_i^t$.
• Corrupt($U_i$): this query models the exposure of the long-term secret key held by $U_i$.
• Test($\Pi_i^t$): this query is used to define the advantage of $\mathcal{A}$. When $\mathcal{A}$ utilizes this query on an instance $\Pi_i^t$, a random bit $b$ is chosen: if $b = 1$, then the session key is returned. Otherwise, a random string is returned. Adversary $\mathcal{A}$ is allowed to make a single Test query at any time during the game.

The adversary is allowed to make a single Test query to a fresh instance (defined below) at any time during the experiment. To define a meaningful notion of security, we must define freshness.

FRESHNESS. An instance $\Pi_i^t$ (partnered with instances $\Pi_j^{t'}$ and $\Pi_k^{t''}$) is fresh if the following conditions are true at the conclusion of the experiment described above:

(i) The adversary has not queried Reveal(i, t), Reveal(j, t') or Reveal(k, t'').
(ii) If the adversary has queried Corrupt($U_i$), Corrupt($U_j$) or Corrupt($U_k$), then it has not queried Send(i, t), Send(j, t') or Send(k, t'').

SECURITY NOTIONS. The minimum requirement is that a protocol should ensure the secrecy of session keys for an adversary who passively eavesdrops on protocol executions and may also send messages of its choice to various parties. A key agreement protocol is said to provide implicit key authentication of an entity to other entities if the entity is assured that no other entity aside from specifically identified entities can possibly learn the value of a particular secret key. A key agreement protocol which provides implicit key authentication to participating entities is termed an authenticated key agreement (AK) protocol. A stronger notion of security is key independence, which means that session keys are computationally independent from each other. Key independence protects against known-key attacks involving a compromise of multiple session keys for sessions other than the one whose secrecy is being considered. Lastly, protocols achieving forward secrecy maintain the secrecy of session keys even when an adversary is able to obtain the long-term secret keys of parties who have previously generated a common session key in an honest execution of the protocol without any interference by the adversary. In all of the notions of security considered below, the adversary $\mathcal{A}$ outputs a bit $b'$ at the end of the experiment above. The advantage of $\mathcal{A}$, $\mathrm{Adv}_{\mathcal{A}}(k)$, is defined as $|2\Pr[b' = b] - 1|$. A protocol is considered to be secure if the advantage of any PPT adversary is negligible. The following notions of security may be considered, depending on the types of queries the adversary is allowed to ask:

(i) KI (Key Independence): an adversary $\mathcal{A}$ can make Reveal queries, but cannot make Corrupt queries.
(ii) FS (Forward Secrecy): an adversary $\mathcal{A}$ is now allowed to make any of the above queries (i.e., including Corrupt).

Note that forward secrecy implies key independence.

Definition 2.6. For an adversary $\mathcal{A}$ attacking a protocol in the sense of FS, we denote the advantage of this adversary by $\mathrm{Adv}^{FS}_{\mathcal{A}}(k)$. For a protocol $P$, we define its security as:

$$\mathrm{Adv}^{FS}_P(k, t) = \max_{\mathcal{A}}\left\{\mathrm{Adv}^{FS}_{\mathcal{A}}(k)\right\},$$

where the maximum is taken over all adversaries running in time $t$. The scheme $P$ is said to be FS-secure if $\mathrm{Adv}^{FS}_P(k, t)$ is negligible (in $k$) for any $t = \mathrm{poly}(k)$.

There are other desirable security attributes of AK protocols apart from key independence and forward secrecy: key-compromise impersonation resilience and unknown key-share resilience [4].

• Key-Compromise Impersonation Resilience. Suppose a user A's long-term secret key is disclosed. Clearly, an adversary that knows this value can now impersonate A, as it is precisely this value that identifies A. This loss does not enable an adversary to impersonate other entities as well and obtain the session key.

• Unknown Key-Share Resilience. Entity B cannot be coerced into sharing a key with entity A without B's knowledge, i.e., when B believes the key is shared with some entity C ≠ A and A believes the key is shared with B. This definition can be extended to the three-party setting.

Thus far, designing an (ID-based or non-ID-based) AK protocol which satisfies all desirable security attributes has been difficult. We will propose a one-round tripartite ID-based AK protocol which achieves all of the security attributes in the next section.

3. A new ID-based signature scheme

3.1. Our construction: IBS

We first propose a new IBS scheme based on the k-CAA problem. Our IBS scheme runs as follows.

[Setup.] Given a security parameter $k \in \mathbb{Z}$, the algorithm works as follows:

1. Run the BDH parameter generator $\mathcal{G}$ on input $k$ to generate $q$, $G_1$, $G_2$, $e : G_1 \times G_1 \to G_2$ and $P \in G_1$.
2. The Private Key Generator (PKG) chooses a random $s \in \mathbb{Z}_q$ and computes $P_{pub} = sP$ and $g = e(P, P) \in G_2$, where $s$ is the master secret.
3. Choose two cryptographic hash functions $H : \{0,1\}^* \to \mathbb{Z}_q$ and $H_1 : \{0,1\}^* \to \mathbb{Z}_q$. The system parameters are $params = \langle q, G_1, G_2, e, P, P_{pub}, g, H, H_1 \rangle$.

[Extract.] When a user with identity ID wishes to obtain a private key, the PKG computes $q_{ID} = H(ID) \in \mathbb{Z}_q$ and the private key $S_{ID} = \frac{1}{s + q_{ID}}P$, and returns $S_{ID}$ to the user.

[Sign.] Given a private key $S_{ID}$ and a message $m \in \{0,1\}^*$,

1. Choose a random $r \in \mathbb{Z}_q^*$ and compute $V = rP \in G_1$.
2. Compute $H_1(m, V) \in \mathbb{Z}_q$ and $W = [r + H_1(m, V)] \cdot S_{ID} \in G_1$. Then $\sigma = (V, W)$ is a signature on $m$ for ID.

[Verify.] Given a signature $\sigma = (V, W)$ of $m$ for an identity ID,

1. Compute $q_{ID} = H(ID) \in \mathbb{Z}_q$ and $H_1(m, V) \in \mathbb{Z}_q$.
2. Verify whether $e(W, P_{pub} + q_{ID} \cdot P) = e(V, P) \cdot g^{H_1(m, V)}$ holds or not. If it holds, the verifier accepts the signature.

3.2. Security proof

We prove the security of the scheme IBS against an adaptive chosen-message and an adaptive chosen-ID attack in the random oracle model under the $q_E$-CAA assumption. Let an adversary $\mathcal{A}$ be a probabilistic polynomial time algorithm whose input is $Params = \langle q, G_1, G_2, e, P, g, H, H_1 \rangle$, where $q \geq 2^k$. We treat $H$ and $H_1$ as random oracles. The adversary $\mathcal{A}$ can make $q_H$ queries to the $H$-hash, $q_{H_1}$ queries to the $H_1$-hash, $q_E$ queries to the private key extraction oracle and $q_S$ queries to the signing oracle.

Theorem 3.1. If the $q_E$-CAA problem is $(t', \epsilon')$-hard, the scheme IBS is $(t, q_H, q_{H_1}, q_E, q_S, \epsilon)$-secure against existential forgery under an adaptive chosen-message and an adaptive chosen-ID attack, for any $t$ and $\epsilon$ satisfying

$$\epsilon \geq e \cdot (q_E + 1) \cdot \epsilon', \qquad t \leq t' - c_{G_1}(4q_S + 2),$$

where $e$ is the base of the natural logarithm, and $c_{G_1}$ is the time necessary to compute a scalar multiplication in $G_1$ and an inversion in $\mathbb{Z}_q^*$.

Proof. Suppose that $\mathcal{A}$ is a forger who breaks the scheme IBS. With the forgery algorithm $\mathcal{A}$, we will construct an algorithm $\mathcal{B}$ that solves an instance of a $q_E$-CAA problem. Suppose that an instance $\langle P, sP, q_1, \ldots, q_E, \frac{1}{s+q_1}P, \ldots, \frac{1}{s+q_E}P \rangle$ of a $q_E$-CAA problem is given to $\mathcal{B}$. Its goal is to compute $\frac{1}{s+q_0}P$ for some $q_0 \notin \{q_1, \ldots, q_E\}$. Algorithm $\mathcal{B}$ performs the following simulation by interacting with forger $\mathcal{A}$.

Setup. Algorithm $\mathcal{B}$ starts by giving $\mathcal{A}$ the system parameters $params = \langle q, G_1, G_2, e, P, P_{pub}, g \rangle$. At any time, $\mathcal{A}$ can query the random oracles $H$ and $H_1$ as well as the private key extraction oracle and the signing oracle. To answer these queries, $\mathcal{B}$ does the following:

$H$-Queries. To respond to $H$-queries, $\mathcal{B}$ maintains a list of tuples $(ID_i, q_i, c_i)$, as explained below. We refer to this list as the $H$-list. When $\mathcal{A}$ queries the oracle $H$ at $ID_i$, $\mathcal{B}$ responds as follows:

1. If the query $ID_i$ already appears on the $H$-list in a tuple $(ID_i, q_i, c_i)$, then $\mathcal{B}$ responds with $H(ID_i) = q_i$.
2. Otherwise, $\mathcal{B}$ chooses a random coin $c_i \in \{0,1\}$ with $\Pr[c_i = 0] = \frac{1}{q_E + 1}$.
   – If $c_i = 0$, then $\mathcal{B}$ returns $H(ID_i) = q_0$ and adds the tuple $(ID_i, q_0, c_i)$ to the $H$-list.
   – If $c_i = 1$, then $\mathcal{B}$ returns $H(ID_i) = q_i$ and adds the tuple $(ID_i, q_i, c_i)$ to the $H$-list.

Extract Queries. When $\mathcal{A}$ queries the private key corresponding to $ID_i$, $\mathcal{B}$ first finds the corresponding tuple $(ID_i, q_i, c_i)$ in the $H$-list:

– If $c_i = 0$, then $\mathcal{B}$ fails and halts.
– Otherwise, $\mathcal{B}$ returns $\frac{1}{s + q_i}P$ to $\mathcal{A}$.

$H_1$-Queries. To respond to $H_1$-queries, $\mathcal{B}$ maintains a list of tuples $(ID_i, M_i, V_i, h_i)$, as explained below. We refer to this list as the $H_1$-list. When $\mathcal{A}$ queries the random oracle $H_1$ at $(ID_i, M_i, V_i)$, $\mathcal{B}$ responds as follows:

1. If the query $(ID_i, M_i, V_i)$ already appears on the $H_1$-list in a tuple $(ID_i, M_i, V_i, h_i)$, then $\mathcal{B}$ responds with $H_1(ID_i, M_i, V_i) = h_i \in \mathbb{Z}_q$.
2. Otherwise, $\mathcal{B}$ chooses a random $h_i \in \mathbb{Z}_q$, adds the tuple $(ID_i, M_i, V_i, h_i)$ to the $H_1$-list and responds to $\mathcal{A}$ with $H_1(ID_i, M_i, V_i) = h_i$.

Sign Queries. When $\mathcal{A}$ requests a signature on $M$ for $ID_i$, $\mathcal{B}$ first finds $(ID_i, q_i, c_i)$ in the $H$-list:

– If $c_i = 0$, then $H(ID_i) = q_0$. Algorithm $\mathcal{B}$ chooses $a_i, h_i \in_R \mathbb{Z}_q^*$ and computes

$$V_i = a_i(sP) + a_i q_0 P - h_i P, \qquad W_i = a_i P.$$

If the tuple containing $V_i$ and $h_i$ already appears on the $H_1$-list, then $\mathcal{B}$ chooses another $a_i', h_i' \in \mathbb{Z}_q^*$ until such a collision does not occur. Then, $(V_i, W_i)$ is a valid signature because it satisfies the following verification equation:

$$e(V_i, P) \cdot g^{h_i} = e(a_i(sP) + a_i q_0 P - h_i P, P) \cdot e(P, P)^{h_i} = e(a_i(sP) + a_i q_0 P, P) = e(a_i P, P_{pub} + q_0 P) = e(W_i, P_{pub} + q_0 P).$$

Finally, $\mathcal{B}$ returns $\sigma_i = (V_i, W_i)$.
– Otherwise, $\mathcal{B}$ chooses a random number $a_i$, computes $V_i = a_i P$, and finds $(ID_i, M, V_i, h_i)$ in the $H_1$-list. Then, $\mathcal{B}$ computes

$$W_i = (a_i + h_i)\frac{1}{s + q_i}P$$

and returns $\sigma_i = (V_i, W_i)$.

All responses to $H$ and $H_1$ queries are distributed as in a real attack, since each response is uniformly and independently distributed. Moreover, all responses to Sign queries are valid.

Output. If $\mathcal{B}$ does not abort as a result of $\mathcal{A}$'s Extract queries, then $\mathcal{A}$'s view is identical to its view in a real attack. By applying the Forking Lemma [21] to our scheme, after replaying $\mathcal{A}$ with the same random tape, $\mathcal{B}$ obtains two valid signatures $\sigma = (ID^*, m, h, V, W)$ and $\sigma' = (ID^*, m, h', V, W')$ within polynomial time. Then, $\mathcal{B}$ finds the corresponding tuple $(ID^*, q^*, c^*)$ in the $H$-list; if $c^* = 1$, then $\mathcal{B}$ fails and halts. Otherwise, $q^* = q_0$ and

$$W = (a + h)\frac{1}{s + q_0}P, \qquad W' = (a + h')\frac{1}{s + q_0}P.$$

Therefore, $\mathcal{B}$ can solve the instance of the $q_E$-CAA problem by computing

$$(h - h')^{-1}(W - W') = \frac{1}{s + q_0}P.$$

This completes the description of algorithm $\mathcal{B}$. It remains to show that $\mathcal{B}$ solves the given instance of the $q_E$-CAA problem with a probability of at least $\epsilon'$. To do this, we analyze the events needed for $\mathcal{B}$ to succeed:

• $E_1$: $\mathcal{B}$ does not abort as a result of any Extract query by $\mathcal{A}$.
• $E_2$: $\mathcal{A}$ generates a valid and nontrivial signature forgery $\sigma = (V, W)$ on $m$ for ID.
• $E_3$: event $E_2$ occurs and $c = 0$ for the tuple containing ID on the $H$-list.

Algorithm $\mathcal{B}$ succeeds if all of these events occur. The probability $\Pr[E_1 \wedge E_2 \wedge E_3]$ is decomposed as

$$\Pr[E_1 \wedge E_2 \wedge E_3] = \Pr[E_1] \cdot \Pr[E_2 \mid E_1] \cdot \Pr[E_3 \mid E_1 \wedge E_2]. \qquad (*)$$

The following claims give a lower bound for each of these terms.

Claim 1. The probability that $\mathcal{B}$ does not abort as a result of $\mathcal{A}$'s Extract queries is at least $\left(1 - \frac{1}{q_E + 1}\right)^{q_E}$, as $\mathcal{A}$ makes at most $q_E$ queries to the Extract oracle and $\Pr[c = 1] = 1 - \frac{1}{q_E + 1}$. Hence, $\Pr[E_1] \geq \left(1 - \frac{1}{q_E + 1}\right)^{q_E}$.

Claim 2. If $\mathcal{B}$ does not abort as a result of $\mathcal{A}$'s Extract queries, then $\mathcal{A}$'s view is identical to its view in a real attack. Hence, $\Pr[E_2 \mid E_1] \geq \epsilon$.

Claim 3. The probability that $\mathcal{B}$ does not abort after $\mathcal{A}$ outputs a valid and nontrivial forgery is at least $\frac{1}{q_E + 1}$. Algorithm $\mathcal{B}$ will abort only if $\mathcal{A}$ generates a forgery such that $c = 1$. Hence, $\Pr[E_3 \mid E_1 \wedge E_2] \geq \frac{1}{q_E + 1}$.

To complete the proof of Theorem 3.1, we use the bounds from the claims above in the equation $(*)$. Algorithm $\mathcal{B}$ produces the correct answer with a probability of at least

$$\left(1 - \frac{1}{q_E + 1}\right)^{q_E} \cdot \epsilon \cdot \frac{1}{q_E + 1} \geq \frac{1}{e} \cdot \frac{\epsilon}{q_E + 1} \geq \epsilon',$$

as required.

Algorithm $\mathcal{B}$'s running time is identical to $\mathcal{A}$'s running time plus the time it takes to respond to $q_S$ Sign queries and the time to transform $\mathcal{A}$'s final forgery into the $q_E$-CAA solution. Each Sign query requires at most 4 scalar multiplications and the output phase requires an inversion and a scalar multiplication. We assume that a scalar multiplication in $G_1$ and an inversion in $\mathbb{Z}_q^*$ require time $c_{G_1}$. Hence, the total running time is at most $t + c_{G_1}(4q_S + 2) \leq t'$, as required. □

4. One-round ID-based three-party AK protocol

4.1. Our Construction: 3-IDAK

In this section, we propose a three-party ID-based AK protocol, 3-IDAK, which adds implicit key authentication to Joux's protocol by incorporating the proposed IBS scheme IBS. The proposed protocol consists of four algorithms: Setup, Extract, Publish and KeyAgreement.

[Setup, Extract] These are the same as those of the IBS scheme IBS.

[Publish] Let $H_2: \{0,1\}^* \to \{0,1\}^k$ be a cryptographic hash function. Suppose that A, B and C want to share a common session key:

1. A computes $q_A = H(ID_A)$ and chooses a random number $a \in \mathbb{Z}_q^*$. Then, A computes $X_A = aP$, $Y_A = [a + H_1(ID, X_A)] \cdot S_A$ and broadcasts $\{ID_A, X_A, Y_A\}$, where $ID = \{ID_A, ID_B, ID_C\}$.
2. B also computes $q_B = H(ID_B)$ and chooses a random number $b \in \mathbb{Z}_q^*$. Then, B computes $X_B = bP$, $Y_B = [b + H_1(ID, X_B)] \cdot S_B$ and broadcasts $\{ID_B, X_B, Y_B\}$, where $ID = \{ID_A, ID_B, ID_C\}$.
3. C also computes $q_C = H(ID_C)$ and chooses a random number $c \in \mathbb{Z}_q^*$. Then, C computes $X_C = cP$, $Y_C = [c + H_1(ID, X_C)] \cdot S_C$ and broadcasts $\{ID_C, X_C, Y_C\}$, where $ID = \{ID_A, ID_B, ID_C\}$.

[KeyAgreement] Let $Q_{ID}$ be $P_{Pub} + q_{ID}P$ in $G_1$.

1. A checks whether $e(Y_B, Q_B) \cdot e(Y_C, Q_C) = e(X_B + X_C, P) \cdot g^{H_1(ID, X_B) + H_1(ID, X_C)}$ holds or not. If it does not hold, A outputs FAIL and aborts. Otherwise, A computes $S = e(X_B, X_C)^a = g^{abc}$.
2. B also checks whether $e(Y_A, Q_A) \cdot e(Y_C, Q_C) = e(X_A + X_C, P) \cdot g^{H_1(ID, X_A) + H_1(ID, X_C)}$ holds or not. If it does not hold, B outputs FAIL and aborts. Otherwise, B computes $S = e(X_A, X_C)^b = g^{abc}$.
3. C checks whether $e(Y_A, Q_A) \cdot e(Y_B, Q_B) = e(X_A + X_B, P) \cdot g^{H_1(ID, X_A) + H_1(ID, X_B)}$ holds or not. If it does not hold, C outputs FAIL and aborts. Otherwise, C computes $S = e(X_A, X_B)^c = g^{abc}$.
4. Finally, they compute a session key $K = H_2(ID_A \| ID_B \| ID_C \| X_A \| X_B \| X_C \| S)$.
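As an added worked example (this is not code from the paper), the following Python program runs 3-IDAK end to end over a toy bilinear map so that the Publish and KeyAgreement equations above can be checked mechanically. Everything beyond the paper's equations is an assumption of this example: $G_1$ is $(\mathbb{Z}_q, +)$ with $P = 1$ and $G_2$ the order-$q$ subgroup of $\mathbb{Z}_p^*$, so $e(u, v) = g^{uv}$ is bilinear but trivially breakable and serves only to exercise the algebra; $H$ and $H_1$ are SHA-256 reduced into $\mathbb{Z}_q^*$, $H_2$ is SHA-256 over the concatenation, group elements are encoded as fixed-width integers, and the identity set $ID$ is the ordered tuple all three parties agree on. The private key form $S_{ID} = (s + q_{ID})^{-1}P$, which makes $e(S_{ID}, Q_{ID}) = g$ and so satisfies the KeyAgreement check, is assumed here as the Extract rule of the underlying IBS scheme. The `tamper` switch models the key-offset manipulation discussed in Section 4.2: one ephemeral value is altered on the wire, and the honest parties output FAIL instead of deriving an offset key.

```python
import hashlib
import secrets

# Toy bilinear pairing, constructed for this example and NOT secure:
# G1 = (Z_q, +) with generator P = 1, so the scalar multiple aP is a mod q;
# G2 = the order-q subgroup of Z_p^* generated by g = e(P, P); e(u, v) = g^(uv).
# Bilinear and non-degenerate, but discrete logs in (Z_q, +) are trivial.
Q = 2**61 - 1  # Mersenne prime M61: the order of G1 and G2

def is_prime(n):
    """Deterministic Miller-Rabin, exact for n < 3.3e24 with these bases."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2 or any(n % b == 0 for b in bases):
        return n in bases
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def find_field():
    """Smallest prime p = k*Q + 1, and an element g of order Q in Z_p^*."""
    k = 2
    while not is_prime(k * Q + 1):
        k += 2
    p = k * Q + 1
    return p, next(pow(h, k, p) for h in range(2, p) if pow(h, k, p) != 1)

P_MOD, G = find_field()
P = 1  # generator of G1

def pair(u, v):
    """e(u, v) = g^(uv): the toy bilinear map G1 x G1 -> G2."""
    return pow(G, (u * v) % Q, P_MOD)

enc = lambda n: n.to_bytes(16, "big")  # fixed-width encoding of group elements

def hash_to_zq(*parts):
    """H and H1: hash length-prefixed byte strings into Z_q^* (constructed)."""
    h = hashlib.sha256()
    for part in parts:
        h.update(len(part).to_bytes(4, "big") + part)
    return 1 + int.from_bytes(h.digest(), "big") % (Q - 1)

def setup():
    s = secrets.randbelow(Q - 1) + 1  # KGC master secret
    return s, (s * P) % Q             # and P_pub = sP

def extract(s, identity):
    """S_ID = (s + q_ID)^-1 P, q_ID = H(ID); pow() raises if q_ID = -s (prob. 1/q)."""
    return (pow((s + hash_to_zq(identity)) % Q, -1, Q) * P) % Q

def q_pub(p_pub, identity):
    """Q_ID = P_pub + q_ID P, computable from public data alone."""
    return (p_pub + hash_to_zq(identity) * P) % Q

def publish(s_id, ids):
    """Publish: ephemeral a, X = aP and the signature Y = [a + H1(ID, X)] S_ID."""
    a = secrets.randbelow(Q - 1) + 1
    x = (a * P) % Q
    return a, x, ((a + hash_to_zq(*ids, enc(x))) * s_id) % Q

def key_agreement(p_pub, ids, me, a, msgs):
    """Party ids[me] with ephemeral a runs KeyAgreement on msgs {ID: (X, Y)}; K or None."""
    peers = [ident for ident in ids if ident != ids[me]]
    lhs, x_sum, h_sum = 1, 0, 0
    for ident in peers:
        x, y = msgs[ident]
        lhs = lhs * pair(y, q_pub(p_pub, ident)) % P_MOD
        x_sum, h_sum = (x_sum + x) % Q, (h_sum + hash_to_zq(*ids, enc(x))) % Q
    # e(Y_B, Q_B) e(Y_C, Q_C) == e(X_B + X_C, P) g^{H1(ID, X_B) + H1(ID, X_C)}
    if lhs != pair(x_sum, P) * pow(G, h_sum, P_MOD) % P_MOD:
        return None  # FAIL
    shared = pow(pair(msgs[peers[0]][0], msgs[peers[1]][0]), a, P_MOD)  # g^{abc}
    # K = H2(ID_A || ID_B || ID_C || X_A || X_B || X_C || S)
    transcript = b"|".join(ids) + b"".join(enc(msgs[i][0]) for i in ids)
    return hashlib.sha256(transcript + enc(shared)).digest()

def run_3idak(ids, tamper=False):
    """One session among ids.  With tamper=True, ids[1]'s X is replaced by 2X
    on the wire (a key-offset manipulation), which the signature check must
    reject.  Returns each party's K, with None where that party output FAIL."""
    s, p_pub = setup()
    eph = {ident: publish(extract(s, ident), ids) for ident in ids}
    msgs = {ident: (x, y) for ident, (_, x, y) in eph.items()}
    if tamper:
        msgs[ids[1]] = ((2 * msgs[ids[1]][0]) % Q, msgs[ids[1]][1])
    return [key_agreement(p_pub, ids, i, eph[ident][0], msgs)
            for i, ident in enumerate(ids)]
```

Calling `run_3idak((b"alice", b"bob", b"carol"))` returns three identical 32-byte keys; with `tamper=True` the two parties that read the altered $X_B$ return `None`, while B (whose own peers were untouched) still derives a key, which is exactly the failed-agreement outcome the paper describes for offset attempts against a signed transcript. The design keeps every pairing operand a public value: the long-term key $S_{ID}$ enters only the signature $Y$, so the session key depends solely on the ephemeral exponents, the property the security discussion in Section 4.2 relies on.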

4.2. Security proof

The following theorem characterizes the security of the proposed AK protocol.


Theorem 4.1. Suppose $G$ satisfies the BDH assumption and the base IBS scheme IBS is $(t, q_H, q_{H_1}, q_E, q_S, \epsilon)$-secure against an existential forgery under an adaptive chosen-message and an adaptive chosen-ID attack. The protocol 3-IDAK is then an FS-secure ID-based key agreement protocol with the probability:

$$\mathrm{Adv}^{FS}_{3\text{-}IDAK}(k, t, q_{re}, q_H, q_{H_1}, q_{H_2}) \;\le\; q_{H_2} \cdot \mathrm{Adv}^{BDH}_{G}(t) + \frac{q_{se}^3}{2^k} + N \cdot \epsilon,$$

where $t$ is the maximum total experiment time including the adversary's execution time, the adversary makes $q_{re}$ Reveal queries, $N$ is the upper bound on the number of parties, and $q_{se}$ is the upper bound on the number of sessions in the experiment.

Proof. Given an adversary A attacking the protocol 3-IDAK, we will construct an algorithm B that solves an instance of the BDH problem. A can then gain an advantage in the following three cases:

• Case 1. The signatures on the transmitted messages are forged.
• Case 2. The value sid repeats at some point during the experiment for the same triple of users.
• Case 3. The adversary queries the random oracle on the point $i \| j \| k \| sid_i^t \| S$.

First, let Forge be the event in which A outputs a new valid message/signature pair under the identity ID of user $U \in \mathcal{U}$ before querying Corrupt(U). Using the forger A, we construct an algorithm F that forges a signature of the scheme IBS as follows: given an identity ID, F chooses a random $U \in \mathcal{U}$, sets $ID_U = ID$, and honestly generates all of the other identities and their secret keys for the system. Algorithm F simulates the oracle queries of A in a natural way (accessing its signing oracle when necessary), which results in a perfect simulation unless A queries Corrupt(U). If this occurs, F simply aborts. Otherwise, if A ever outputs a new valid message/signature pair under $ID_U = ID$, then F outputs this pair as its forgery. The success probability of F is exactly $\Pr[\mathsf{Forge}]/N$, where $N$ is the number of parties in $\mathcal{U}$. This immediately implies that

$$\Pr[\mathsf{Forge}] \le N \cdot \epsilon.$$

Let Repeat be the event in which the value of sid repeats at some point during the experiment. A straightforward birthday problem calculation shows that

$$\Pr_A[\mathsf{Repeat}] \le \frac{q_{se}^3}{2^k}.$$

Let Query be the event in which, for some $i, j, k \in \mathcal{U}$, the adversary queries the random oracle at state $i \| j \| k \| U \| V \| W \| S$ and, for some $t$, $sid_i^t = U \| V \| W = xP \| yP \| zP$, with instance $\Pi_i^t$ initiated via the query Execute(i, j, k). Hence $sid_i^{t'} = sid_i^{t''} = U \| V \| W$ for some $t', t''$ and $S = e(P, P)^{xyz}$.

We now describe the construction of an algorithm B that solves an instance of the BDH problem using A as a subroutine. An instance of the BDH problem $(U_0 = xP, V_0 = yP, W_0 = zP)$ is given to B. Algorithm B will set this instance to all Execute oracle calls, and we will show that B can solve the given BDH instance with a probability of at least $1/q_{H_2}$. Algorithm B runs A, simulating the oracle queries of A as follows (we ignore Corrupt queries because no long-term secret keys are used in the session key computation in the proposed protocol):

1. It begins by choosing identities for all parties normally, i.e., choosing a random $q_i$ and setting the public key of $U_i$ as $q_i$.
2. Algorithm B runs A as a subroutine, answering its oracle queries as follows:
   • For queries $H_2(i \| j \| k \| U \| V \| W \| S)$, if this query was asked before, then B returns the answer given previously. Otherwise, B returns a random value $r \in \{0,1\}^k$. Furthermore, if there exists an instance $\Pi_i^t$ with $sid_i^t = U \| V \| W$ and this instance was initiated via an oracle Execute(i, j, k), then B stores $(U, V, W, S)$ in a list of BDH-tuples.
   • Initiate, Send, Reveal and Test queries are answered honestly.
   • For queries Execute(i, j, k), proceed as follows: B chooses random $a, b, c \in \mathbb{Z}_q^*$ and returns the transcript $(U_0 + aP, V_0 + bP, W_0 + cP)$. The session key $sk_i^t = sk_j^{t'} = sk_j^{t''}$ is set equal to a random value in $\{0,1\}^k$.
3. Once the experiment has finished, B chooses a random tuple $(U, V, W, S)$ from its list of BDH-tuples. It finds $(U, V, W)$ such that $U = U_0 + aP$, $V = V_0 + bP$, $W = W_0 + cP$ and outputs

$$\frac{S \cdot e(U, P)^{bc}\, e(V, P)^{ac}\, e(W, P)^{ab}}{e(U, V)^{c}\, e(U, W)^{b}\, e(V, W)^{a}\, e(P, P)^{abc}}.$$

We claim that the above is a perfect simulation for A as long as a Query does not occur. If a Query occurs, it is the case in which B selects a tuple $(U, V, W, S)$ with probability $1/q_{H_2}$ for which $S = e(P, P)^{xyz}$, where $U = xP$, $V = yP$, $W = zP$, i.e., it is a valid BDH-tuple. Algorithm B then outputs $S$ as a valid solution to the given BDH instance. Thus, we obtain

$$\Pr_A[\mathsf{Query}] \le q_{H_2} \cdot \mathrm{Adv}^{BDH}_{G}(t).$$

This concludes the proof of the theorem. □


Table 1. Efficiency and security of one-round tripartite ID-based AK protocols.

Protocol     Sig. Length   Sig. Gen.   Sig. Ver.    Sess. Key Gen.   Provable Security
Liu et al.   2|G|          3SM         4P + 2SM     1P + 1Exp        ×
3-IDAK       2|G|          2SM         3P + 1Exp    1P + 1Exp        ✓


We proved that the proposed AK protocol achieves the key independence and forward secrecy attributes. We also note that our protocol provides two other security attributes: key-compromise impersonation resilience and unknown key-share resilience. This is easily derived from the fact that the resulting session keys of our protocol are independent of the participating users' long-term secret keys, as the long-term secret keys are used only to generate signatures. It is also known that including the identities of participating entities in the key derivation function used to derive the session keys from the shared secrets can prevent the UK-S attack [3].

We note that our protocol is secure against the attack described in [18], in which an active adversary can offset the agreed session key by an exponent e unbeknownst to the participating entities. Almost all key agreement protocols (both ID-based and non-ID-based) without key confirmation are vulnerable to key offset attacks. Although this attack is interesting, it does not allow the attacker to gain any knowledge of the agreed session key. Nevertheless, such attacks may cause Denial-of-Service by forcing the key agreement to fail many times. In our protocol, by attaching signatures to the transmitted ephemeral public keys, the key offset attacks can be prevented.

4.3. Explicit authentication and insider attacks

We do not define any notion of explicit authentication or, equivalently, confirmation that the other members of the group have computed the common key. The proposed AK protocol does not explicitly provide such confirmation. In fact, the possibility of insider attacks in a multi-party setting represents a qualitative difference from the two-party setting, where insider attacks are far less of a concern. Of course, if a malicious insider executes some active attacks on the AK protocols, there is no way to prevent this insider from learning the session key shared by a group of which he is a valid member. However, there are important security concerns to be considered: for example, a malicious insider should not have the ability to learn the session keys computed by groups of which he is not a member, and he should not be able to impersonate other honest members. To prevent such attacks, we can add a key confirmation phase to the protocol. For example, Katz and Shin [16] proposed security notions against insider attacks and showed how to achieve explicit authentication for any secure authenticated group key agreement protocol. Applying their transformation to our AK protocol will result in an ID-based AK protocol with explicit authentication, i.e., it achieves security against potential insider attacks.

4.4. Comparison

Liu et al. [17] proposed a tripartite ID-based AK protocol without providing formal security proofs. A comparison of the efficiency and security features of our protocol with that of Liu et al. is given in Table 1. In the table, Exp, P and SM represent the number of exponentiations, pairing computations and scalar multiplications, respectively.

5. Conclusion

We proposed the first provably secure one-round three-party ID-based AK protocol, combining Joux's protocol [15] with the proposed IBS scheme. We then gave its security proof in the random oracle model under the Bilinear Diffie–Hellman assumption.

Acknowledgement

This work was supported by the National Institute for Mathematical Sciences grant funded by the Korean Government (No. A21103).

References

[1] M. Bellare, C. Namprempre, G. Neven, Security proofs for identity-based identification and signature schemes, Advances in Cryptology: Eurocrypt'04, LNCS 3027, Springer-Verlag, 2004.
[2] M. Bellare, P. Rogaway, Entity authentication and key distribution, Advances in Cryptology: Crypto'93, LNCS 773, Springer-Verlag, 1994.
[3] S. Blake-Wilson, D. Johnson, A. Menezes, Unknown key-share attacks on the station-to-station (STS) protocol, PKC'99, LNCS 1560, Springer-Verlag, 1999.
[4] S. Blake-Wilson, A. Menezes, Authenticated Diffie–Hellman key agreement protocols, SAC'98, LNCS 1556, Springer-Verlag, 1999.
[5] D. Boneh, M. Franklin, Identity-based encryption from the Weil pairing, Advances in Cryptology: Crypto'01, LNCS 2139, Springer-Verlag, 2001.
[6] D. Boneh, B. Lynn, H. Shacham, Short signatures from the Weil pairing, Advances in Cryptology: Asiacrypt'01, LNCS 2248, Springer-Verlag, 2002.
[7] C. Boyd, K.K.R. Choo, Security of two-party identity-based key agreement, MYCRYPT'05, LNCS 3715, Springer-Verlag, 2005.


[8] L. Chen, Z. Cheng, N.P. Smart, Identity-based key agreement protocols from pairings, International Journal of Information Security 6 (4) (2007) 213–241.
[9] K.R. Choo, Provably-Secure Mutual Authentication and Key Establishment Protocols Lounge. <http://sky.fit.qut.edu.au/choo/lounge.html>.
[10] W. Diffie, M. Hellman, New directions in cryptography, IEEE Transactions on Information Theory 22 (6) (1976) 644–654.
[11] W. Diffie, P. van Oorschot, M. Wiener, Authentication and authenticated key exchanges, Designs, Codes, and Cryptography 2 (2) (1992) 107–125.
[12] G. Frey, H. Rück, A remark concerning m-divisibility and the discrete logarithm in the divisor class group of curves, Mathematics of Computation 62 (1994) 865–874.
[13] J. Herranz, Deterministic identity-based signatures for partial aggregation, The Computer Journal 49 (3) (2006) 322–330.
[14] M. Hölbl, T. Welzer, B. Brumen, Two proposed identity-based three-party authenticated key agreement protocols from pairings, Computers & Security 29 (2) (2010) 244–252.
[15] A. Joux, A one round protocol for tripartite Diffie–Hellman, ANTS IV, LNCS 1838, Springer-Verlag, 2000.
[16] J. Katz, J. Shin, Modeling insider attacks on group key-exchange protocols, in: ACM Conference on Computer and Communications Security, 2005, pp. 180–189.
[17] S. Liu, F. Zhang, K. Chen, ID-based tripartite key agreement protocol with pairing, in: 2003 IEEE International Symposium on Information Theory, 2003, pp. 136–143, or available at Cryptology ePrint Archive, Report 2002/122.
[18] N. McCullagh, P.S.L.M. Barreto, A new two-party identity-based authenticated key agreement, CT-RSA'05, LNCS 3376, Springer-Verlag, 2005.
[19] A. Menezes, T. Okamoto, S. Vanstone, Reducing elliptic curve logarithms in a finite field, IEEE Transactions on Information Theory 39 (5) (1993) 1639–1646.
[20] S. Mitsunari, R. Sakai, M. Kasahara, A new traitor tracing, IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences E85-A (2002) 481–484.
[21] D. Pointcheval, J. Stern, Security proofs for signature schemes, Advances in Cryptology: Eurocrypt'96, LNCS 1070, Springer-Verlag, 1996.
[22] R. Sakai, K. Ohgishi, M. Kasahara, Cryptosystems based on elliptic curve pairing, Modeling Decisions for Artificial Intelligence, LNCS 3558, Springer-Verlag, 2005.
[23] A. Shamir, Identity-based cryptosystems and signature schemes, Advances in Cryptology: Crypto'84, LNCS 196, Springer-Verlag, 1984.
[24] K.A. Shim, S.S. Woo, Cryptanalysis of tripartite and multi-party authenticated key agreement protocols, Information Sciences 177 (4) (2007) 1143–1151.
[25] S. Wang, Z. Cao, K.R. Choo, L. Wang, An improved identity-based key agreement protocol and its security proof, Information Sciences 179 (3) (2009) 307–318.
[26] F. Zhang, R. Safavi-Naini, W. Susilo, An efficient signature scheme from bilinear pairings and its applications, PKC'04, LNCS 2947, Springer-Verlag, 2004.