
Information Sciences 177 (2007) 1143–1151

www.elsevier.com/locate/ins

Cryptanalysis of tripartite and multi-party authenticated key agreement protocols

Kyung-Ah Shim *, Sung Sik Woo

Department of Mathematics, Ewha Womans University, 11-1 Daehyun-dong, Seodaemun-gu, Seoul 120-750, Republic of Korea

Received 15 July 2005; received in revised form 10 July 2006; accepted 21 July 2006

Abstract

Al-Riyami and Paterson proposed four authenticated tripartite key agreement protocols which make use of the Weil pairing. Recently, Lee et al. extended the protocols to a multi-party setting assuming the existence of cryptographic multilinear forms. In this paper we show that the tripartite and multi-party authenticated key agreement protocols are insecure against several active attacks.

© 2006 Elsevier Inc. All rights reserved.

Keywords: Cryptography; Authenticated key agreement protocol; Bilinear pairing; Multilinear form

1. Introduction

Authenticated key agreement protocols are cryptographic protocols by which two or more entities that communicate over an adversarially controlled network can generate a common secret key. These protocols are essential for enabling the use of symmetric-key cryptography to protect transmitted data. They are a central building block of secure communications, and perhaps the most commonly used cryptographic protocols. A multi-party key exchange protocol is a generalization of two-party key establishment that provides three or more parties with a shared secret key. Rapid advances in computing have resulted in dramatic improvements in large-number arithmetic. In contrast, communication latency has not improved appreciably. From this point of view, we believe that a one-round protocol is a real improvement over multi-round key exchange protocols. Also, the tripartite case is of the most practical importance, not only because three is the most common size for an electronic conference, but also because a tripartite protocol can be used to provide a range of services for two communicating parties.

doi:10.1016/j.ins.2006.07.034

* Corresponding author. E-mail addresses: [email protected], [email protected] (K.-A. Shim), [email protected] (S.S. Woo).

Several new cryptosystems based on bilinear pairings have been proposed recently. In fact, the existence of the Weil and Tate pairings was originally thought to be a bad thing for cryptography: it was shown that the discrete logarithm problem on supersingular curves reduces, via the Weil pairing, to the discrete logarithm problem in an extension of the underlying field [13]. This led to supersingular curves being avoided for cryptographic use. The situation changed with Boneh–Franklin's ID-based encryption scheme [4] and Joux's one-round tripartite Diffie–Hellman protocol [8]. However, like the basic Diffie–Hellman key agreement protocol [7], Joux's protocol suffers from man-in-the-middle attacks because it does not attempt to authenticate the communicating entities. Al-Riyami and Paterson [1] proposed four tripartite authenticated key agreement protocols that add implicit key authentication to Joux's protocol by incorporating certified public keys. The protocols use ideas from Joux's protocol and from the MTI and MQV protocols. Recently, Lee et al. [11] extended the protocols to a multi-party setting assuming the existence of cryptographic multilinear forms. In this paper we show that the tripartite and multi-party authenticated key agreement protocols are insecure against several active attacks, including man-in-the-middle attacks, key-compromise impersonation attacks, known-key attacks and unknown key-share attacks.

The rest of this paper is organized as follows. In the following section, we describe desirable security attributes for authenticated key agreement protocols. In Section 3, we review Al-Riyami–Paterson's tripartite protocols, TAK-1, TAK-2, TAK-3 and TAK-4, and Lee et al.'s multi-party ones, MAK-A, MAK B-j and MAK-C. In Section 4, we show that the protocols are vulnerable to several active attacks. Section 4.5 contains a summary of the security attributes that are believed to be provided by the protocols. Concluding remarks are given in Section 5.

2. Desirable security attributes of authenticated key agreement protocols

Let A and B be two honest entities, i.e., legitimate entities who execute the steps of a protocol correctly. A key agreement protocol is said to provide implicit key authentication (IKA) of B to A if entity A is assured that no other entity aside from a specifically identified second entity B can possibly learn the value of a particular secret key. A key agreement protocol which provides implicit key authentication to both participating entities is called an authenticated key agreement (AK) protocol. In addition to the fundamental security goal of implicit key authentication, a number of desirable security attributes of AK protocols have been identified [3].

1. Known-Key Security (KKS). Each run of a key agreement among entities should produce a unique secret key; such keys are called session keys. A protocol should still achieve its goal in the face of an adversary who has learned some other session keys.

2. Forward Secrecy (FS). If the long-term private keys of one or more entities are compromised, the secrecy of previous session keys established by honest entities is not affected.

3. Key-Compromise Impersonation (K-CI) Resilience. Suppose A's long-term private key is disclosed. Clearly an adversary that knows this value can now impersonate A, since it is precisely this value that identifies A. However, it may be desirable in some circumstances that this loss does not enable the adversary to impersonate other entities to A. In a multi-party setting, if an adversary with A's long-term private key succeeds in recovering some of the session keys, this attack is called a partial key-compromise impersonation attack.

4. Unknown Key-Share (UK-S) Resilience. Entity B cannot be coerced into sharing a key with entity A without B's knowledge, i.e., when B believes the key is shared with some entity E while A believes the key is shared with B. The unknown key-share attack scenario is described in [2].

3. Review of Al-Riyami–Paterson’s tripartite and Lee et al.’s multi-party AK protocols

We now describe Al-Riyami–Paterson's tripartite authenticated key agreement protocols, TAK-1, TAK-2, TAK-3 and TAK-4, and Lee et al.'s multi-party ones, MAK-A, MAK B-j and MAK-C.

3.1. Tripartite case

We first describe admissible pairings. Let $G_1$ be a cyclic group of large prime order $q$ and $G_2$ a cyclic multiplicative group of the same order $q$.

Admissible Pairing: We call $e$ an admissible pairing if $e : G_1 \times G_1 \to G_2$ is a map with the following properties:

1. Bilinearity: $e(aP, bQ) = e(P, Q)^{ab}$ for all $P, Q \in G_1$ and all $a, b \in \mathbb{Z}$.
2. Non-degeneracy: There exists $P \in G_1$ such that $e(P, P) \neq 1$.
3. Computability: There is an efficient algorithm to compute $e(P, Q)$ for any $P, Q \in G_1$.

The Weil and Tate pairings associated with supersingular elliptic curves or abelian varieties can be modified to create such admissible pairings, as in [4,8].

Let A, B and C be honest entities, i.e., legitimate entities who execute the steps of a protocol correctly. Let $P$ be a generator of $G_1$. Let $e : G_1 \times G_1 \to G_2$ be an admissible pairing and $H$ a cryptographic hash function. We assume that the public domain parameters $\langle q, G_1, G_2, e, P \rangle$ are common to all entities. Also, we assume that long-term public keys are exchanged via certificates. $\mathrm{Cert}_A$ denotes A's public-key certificate, containing a string of information that uniquely identifies A (such as A's name and address), her long-term public key $Y_A = xP$, and a certifying authority CA's signature over this information. Similarly, $\mathrm{Cert}_B$ and $\mathrm{Cert}_C$ are certificates for entities B and C with $Y_B = yP$ and $Y_C = zP$ as their long-term public keys, respectively.

Protocol Messages: As usual, in the protocols below, short-term secret keys $a, b, c \in \mathbb{Z}_q^*$ are selected uniformly at random by A, B and C, respectively. They compute $P_A = aP$, $P_B = bP$ and $P_C = cP$ and then broadcast these values together with their certificates:

$$(1)\ A : P_A = aP,\ \mathrm{Cert}_A$$
$$(2)\ B : P_B = bP,\ \mathrm{Cert}_B$$
$$(3)\ C : P_C = cP,\ \mathrm{Cert}_C$$

Each user computes the session key in each protocol as follows:

• TAK-1

$$K_A = H\big(e(bP, cP)^a \,\|\, e(yP, zP)^x\big),\quad K_B = H\big(e(aP, cP)^b \,\|\, e(xP, zP)^y\big),\quad K_C = H\big(e(aP, bP)^c \,\|\, e(xP, yP)^z\big)$$
$$K_{ABC} = K_A = K_B = K_C = H\big(e(P, P)^{abc} \,\|\, e(P, P)^{xyz}\big)$$

• TAK-2

$$K_A = e(bP, zP)^a \cdot e(yP, cP)^a \cdot e(bP, cP)^x$$
$$K_B = e(aP, zP)^b \cdot e(xP, cP)^b \cdot e(aP, cP)^y$$
$$K_C = e(aP, yP)^c \cdot e(xP, bP)^c \cdot e(aP, bP)^z$$
$$K_{ABC} = K_A = K_B = K_C = e(P, P)^{(ab)z + (ac)y + (bc)x}$$

• TAK-3

$$K_A = e(yP, cP)^x \cdot e(bP, zP)^x \cdot e(yP, zP)^a$$
$$K_B = e(aP, zP)^y \cdot e(xP, cP)^y \cdot e(xP, zP)^b$$
$$K_C = e(aP, yP)^z \cdot e(xP, bP)^z \cdot e(xP, yP)^c$$
$$K_{ABC} = K_A = K_B = K_C = e(P, P)^{(xy)c + (xz)b + (yz)a}$$

• TAK-4

$$K_A = e\big(bP + H(bP \| yP)\,yP,\ cP + H(cP \| zP)\,zP\big)^{a + H(aP \| xP)\,x}$$
$$K_B = e\big(aP + H(aP \| xP)\,xP,\ cP + H(cP \| zP)\,zP\big)^{b + H(bP \| yP)\,y}$$
$$K_C = e\big(aP + H(aP \| xP)\,xP,\ bP + H(bP \| yP)\,yP\big)^{c + H(cP \| zP)\,z}$$
$$K_{ABC} = K_A = K_B = K_C = e(P, P)^{(a + H(aP \| xP)\,x)(b + H(bP \| yP)\,y)(c + H(cP \| zP)\,z)}$$

TAK-1, TAK-2 and TAK-3 have their roots in the MTI protocols [12]. TAK-4 is modeled on the MQV protocol [10], but it prevents the unknown key-share attacks described in [9] by using a cryptographic hash function $H$ to combine long-term and short-term public keys.

3.2. Multi-party case

Assuming the existence of cryptographic multilinear forms $e_{n-1}$ for any $n > 4$, where $e_{n-1}$ is a generalization of bilinear pairings (in fact, finding such a cryptographic multilinear form is a long-standing open problem [5]), Lee et al. [11] extended Al-Riyami–Paterson's tripartite protocols to a multi-party setting.

• MAK-A: This is a generalization of TAK-1 to the multi-party setting, with resulting session key $K = e_{n-1}(P, \dots, P)^{a_1 \cdots a_n + x_1 \cdots x_n}$ among $n$ users.

• MAK B-j: These are generalizations of TAK-2 and TAK-3 to the multi-party setting. More precisely, the $(n = 3, j = 1)$ case and the $(n = 3, j = 2)$ case are identical to TAK-2 and TAK-3, respectively.

• MAK-C: This is a generalization of TAK-4 to the multi-party setting.

4. Cryptanalysis of the tripartite and multi-party AK protocols

In this section, we present several active attacks on TAK-1, TAK-2, TAK-3 and TAK-4. Al-Riyami and Paterson [1] proposed the tripartite AK protocols to add implicit key authentication to Joux's protocol by incorporating certified public keys. However, TAK-2 does not satisfy the implicit key authentication attribute, i.e., it is still insecure against man-in-the-middle attacks. Also, all the protocols are insecure against key-compromise impersonation attacks. Most of these attacks are described only for Al-Riyami–Paterson's tripartite AK protocols, because they extend easily to Lee et al.'s protocols.

4.1. Man-in-the-middle attacks and impersonation attacks on TAK-2

4.1.1. Man-in-the-middle attacks on TAK-2

When A, B and C broadcast $P_A$, $P_B$ and $P_C$, respectively, an adversary E chooses short-term secret keys $a'$, $b'$ and $c'$ and replaces $P_A$, $P_B$ and $P_C$ with $P'_A = a'P$, $P'_B = b'P$ and $P'_C = c'P$, respectively. Then A, B and C compute the session keys $K_A$, $K_B$ and $K_C$, respectively:

$$K_A = e(P'_B, zP)^a \cdot e(yP, P'_C)^a \cdot e(P'_B, P'_C)^x = e(P, P)^{ab'z + ac'y + b'c'x}$$
$$K_B = e(P'_A, zP)^b \cdot e(xP, P'_C)^b \cdot e(P'_A, P'_C)^y = e(P, P)^{a'bz + bc'x + a'c'y}$$
$$K_C = e(P'_A, yP)^c \cdot e(xP, P'_B)^c \cdot e(P'_A, P'_B)^z = e(P, P)^{a'cy + b'cx + a'b'z}$$

Then E, who knows $a'$, $b'$ and $c'$, is able to compute these session keys from the publicly known values $P_A$, $P_B$ and $P_C$ as follows:

$$K_A = e(aP, zP)^{b'} \cdot e(yP, aP)^{c'} \cdot e(xP, P)^{b'c'} = e(P, P)^{ab'z + ac'y + b'c'x}$$
$$K_B = e(bP, zP)^{a'} \cdot e(xP, bP)^{c'} \cdot e(yP, P)^{a'c'} = e(P, P)^{a'bz + bc'x + a'c'y}$$
$$K_C = e(cP, yP)^{a'} \cdot e(xP, cP)^{b'} \cdot e(zP, P)^{a'b'} = e(P, P)^{a'cy + b'cx + a'b'z}$$

Thus, TAK-2 is still insecure against man-in-the-middle attacks and so does not offer implicit key authentication. Note that A, B and C end up holding three different keys, so E has to relay and re-encrypt the traffic between them. The same weakness also leads to the following impersonation attack.

4.1.2. Impersonation attacks on TAK-2

Suppose that an adversary E wants to impersonate C to both A and B. When A and B broadcast $P_A = aP$ and $P_B = bP$, respectively, E chooses short-term secret keys $a'$ and $b'$ and replaces $P_A$ and $P_B$ with $P'_A = a'P$ and $P'_B = b'P$, respectively. Simultaneously, E chooses a random number $c'$ and broadcasts $P_C = c'P$ impersonating C. We write $E_C$ for the adversary E impersonating C.


$$(1)\ A : P_A = aP \to P'_A = a'P,\ \mathrm{Cert}_A$$
$$(2)\ B : P_B = bP \to P'_B = b'P,\ \mathrm{Cert}_B$$
$$(3)\ E_C : P_C = c'P,\ \mathrm{Cert}_C$$

Then A and B compute the session keys $K_A$ and $K_B$ as follows:

$$K_A = e(P'_B, zP)^a \cdot e(yP, P_C)^a \cdot e(P'_B, P_C)^x = e(P, P)^{ab'z + ac'y + b'c'x}$$
$$K_B = e(P'_A, zP)^b \cdot e(xP, P_C)^b \cdot e(P'_A, P_C)^y = e(P, P)^{a'bz + bc'x + a'c'y}$$

The adversary E can compute $K_A$ and $K_B$ from the publicly known values $P_A$, $P_B$ and the secret values $a'$, $b'$ and $c'$:

$$K_A = e(P_A, zP)^{b'} \cdot e(yP, P_A)^{c'} \cdot e(xP, P)^{b'c'} = e(P, P)^{ab'z + ac'y + b'c'x}$$
$$K_B = e(P_B, zP)^{a'} \cdot e(xP, P_B)^{c'} \cdot e(yP, P)^{a'c'} = e(P, P)^{a'bz + bc'x + a'c'y}$$

Finally, E succeeds in impersonating C to both A and B as well as in obtaining the secret keys $K_A$ and $K_B$. Note that E needs neither C's long-term private key $z$ nor a forged certificate: $\mathrm{Cert}_C$ is public, and nothing in the protocol requires the sender of $P_C$ to demonstrate knowledge of $z$.
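The TAK-2 exchange of Section 3.1 and the man-in-the-middle attack of Section 4.1, as an added runnable example that is not part of the original paper. The pairing is a constructed toy: $G_1$ is taken to be $\mathbb{Z}_q$ with $P = 1$, so the point $kP$ is stored as the integer $k \bmod q$, and $e(aP, bP) = g^{ab}$ in the order-$q$ subgroup of $\mathbb{Z}_p^*$ for the safe prime $p = 2q + 1$ (here $q = 1019$, $g = 4$). Discrete logarithms are trivial in this model, so it reproduces only the bilinear algebra that the attack relies on, not any hardness assumption; the parameters and all scalars are constructed for the demonstration. The impersonation variant of Section 4.1.2 is the same computation with E itself sending $c'P$ under $\mathrm{Cert}_C$.

```python
"""TAK-2 (Al-Riyami and Paterson) in a toy symmetric pairing, and the
man-in-the-middle attack of Section 4.1.  CONSTRUCTED EXAMPLE: a point k*P is
represented by the integer k mod Q and e(aP, bP) = G^(a*b) mod P_MOD.  Discrete
logs are trivial here; only the bilinear algebra is being exercised."""
import secrets

Q = 1019              # prime group order (constructed, deliberately tiny)
P_MOD = 2 * Q + 1     # 2039, a safe prime: Z_p^* has a subgroup of order Q
G = 4                 # 2^2 is a quadratic residue mod P_MOD, hence of order Q
assert G != 1 and pow(G, Q, P_MOD) == 1


def point(k):
    """The scalar multiple k*P in toy G1."""
    return k % Q


def pair(U, V):
    """Admissible pairing e: G1 x G1 -> G2 with e(aP, bP) = e(P, P)^(ab)."""
    return pow(G, (U * V) % Q, P_MOD)


def rand_scalar():
    """Uniform element of Z_q^*."""
    return 1 + secrets.randbelow(Q - 1)


def tak2_key(eph, lt, eph1, lt1, eph2, lt2):
    """TAK-2 session key from one party's point of view.

    eph, lt   : own short-term and long-term secret keys (a and x for A)
    eph1, lt1 : first peer's short-term point and long-term public key
    eph2, lt2 : second peer's short-term point and long-term public key
    For A:  K_A = e(P_B, Y_C)^a * e(Y_B, P_C)^a * e(P_B, P_C)^x.
    """
    return (pow(pair(eph1, lt2), eph, P_MOD)
            * pow(pair(lt1, eph2), eph, P_MOD)
            * pow(pair(eph1, eph2), lt, P_MOD)) % P_MOD


def honest_run(a, x, b, y, c, z):
    """All three parties agree on e(P,P)^(abz + acy + bcx); returns the
    three computed keys and the closed form."""
    Y_A, Y_B, Y_C = point(x), point(y), point(z)
    P_A, P_B, P_C = point(a), point(b), point(c)
    K_A = tak2_key(a, x, P_B, Y_B, P_C, Y_C)
    K_B = tak2_key(b, y, P_A, Y_A, P_C, Y_C)
    K_C = tak2_key(c, z, P_A, Y_A, P_B, Y_B)
    closed = pow(G, (a * b * z + a * c * y + b * c * x) % Q, P_MOD)
    return K_A, K_B, K_C, closed


def mitm_run(a, x, b, y, c, z, a2, b2, c2):
    """E swaps the broadcast points for a'P, b'P, c'P (Section 4.1.1) and then
    recomputes every victim's key from the wire values and a', b', c'.
    Returns (keys as the victims hold them, keys as E recovers them)."""
    Y_A, Y_B, Y_C = point(x), point(y), point(z)
    P_A, P_B, P_C = point(a), point(b), point(c)        # sent by A, B, C
    Pa2, Pb2, Pc2 = point(a2), point(b2), point(c2)     # delivered by E
    victims = (tak2_key(a, x, Pb2, Y_B, Pc2, Y_C),
               tak2_key(b, y, Pa2, Y_A, Pc2, Y_C),
               tak2_key(c, z, Pa2, Y_A, Pb2, Y_B))
    one = point(1)                                       # the generator P
    # K_A = e(aP, zP)^b' * e(yP, aP)^c' * e(xP, P)^(b'c'), and likewise for
    # K_B and K_C: only public points and E's own scalars are needed.
    recovered = (
        (pow(pair(P_A, Y_C), b2, P_MOD) * pow(pair(Y_B, P_A), c2, P_MOD)
         * pow(pair(Y_A, one), b2 * c2, P_MOD)) % P_MOD,
        (pow(pair(P_B, Y_C), a2, P_MOD) * pow(pair(Y_A, P_B), c2, P_MOD)
         * pow(pair(Y_B, one), a2 * c2, P_MOD)) % P_MOD,
        (pow(pair(P_C, Y_B), a2, P_MOD) * pow(pair(Y_A, P_C), b2, P_MOD)
         * pow(pair(Y_C, one), a2 * b2, P_MOD)) % P_MOD,
    )
    return victims, recovered


if __name__ == "__main__":
    scalars = [rand_scalar() for _ in range(9)]          # a,x,b,y,c,z,a',b',c'
    K_A, K_B, K_C, closed = honest_run(*scalars[:6])
    assert K_A == K_B == K_C == closed
    victims, recovered = mitm_run(*scalars)
    assert victims == recovered
    print("honest run agrees; E recovered all three MITM session keys")
```

The recovery never touches $x$, $y$ or $z$ as scalars: the long-term contribution enters only through the certified points, which is why certified public keys alone do not give TAK-2 implicit key authentication.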

4.2. Key-compromise impersonation attacks on TAK-2, TAK-3, and TAK-4

Al-Riyami and Paterson [1] claimed that only TAK-1 is insecure against key-compromise impersonation attacks. But we show that the other protocols are also vulnerable to several kinds of key-compromise impersonation attacks.

4.2.1. Key-compromise impersonation attacks on TAK-2

In the previous subsection, we showed that TAK-2 is insecure against impersonation attacks. In other words, an adversary can impersonate any user to the other users at any time without knowledge of that user's secret information. It follows that TAK-2 is also insecure against key-compromise impersonation attacks.

4.2.2. Key-compromise impersonation attacks on TAK-3

Suppose that A's long-term secret key $x$ is compromised to an adversary E. When A and B broadcast $P_A = aP$ and $P_B = bP$, respectively, E chooses short-term secret keys $a'$ and $b'$ and replaces $P_A$ and $P_B$ with $P'_A = a'P$ and $P'_B = b'P$, respectively. Simultaneously, E chooses a random number $c'$ and broadcasts $P_C = c'P$ impersonating C.

$$(1)\ A : P_A = aP \to P'_A = a'P,\ \mathrm{Cert}_A$$
$$(2)\ B : P_B = bP \to P'_B = b'P,\ \mathrm{Cert}_B$$
$$(3)\ E_C : P_C = c'P,\ \mathrm{Cert}_C$$

Then A and B compute the session keys $K_A$ and $K_B$ as follows:

$$K_A = e(yP, c'P)^x \cdot e(b'P, zP)^x \cdot e(yP, zP)^a = e(P, P)^{xyc' + xzb' + yza}$$
$$K_B = e(a'P, zP)^y \cdot e(xP, c'P)^y \cdot e(xP, zP)^b = e(P, P)^{yza' + xyc' + xzb}$$

Then E is able to obtain $K_B$ by computing $e(zP, yP)^{a'} \cdot e(xP, yP)^{c'} \cdot e(zP, bP)^x$. However, E cannot compute $K_A$, since she cannot compute the term $e(P, P)^{yza}$ of $K_A$ without $a$. Thus, if $K_B$ is used to encrypt subsequent communications, E can decrypt the encrypted messages, but the protocol participant A cannot. In fact, this attack is a partial key-compromise impersonation attack, i.e., the adversary succeeds in impersonating C to B only and recovers the session key $K_B$.

4.2.3. Key-compromise impersonation attacks on TAK-4

The same attack can be applied to TAK-4. Suppose that A's long-term secret key $x$ is compromised to an adversary E. As in the case of TAK-2 and TAK-3, the adversary $E_C$ replaces $P_A$ and $P_B$ with $P'_A$ and $P'_B$, respectively, impersonating C.

$$(1)\ A : P_A = aP \to P'_A = a'P,\ \mathrm{Cert}_A$$
$$(2)\ B : P_B = bP \to P'_B = b'P,\ \mathrm{Cert}_B$$
$$(3)\ E_C : P_C = c'P,\ \mathrm{Cert}_C$$

Then A and B compute the session keys $K_A$ and $K_B$ as follows:

$$K_A = e(P, P)^{(a + H(aP \| xP)\,x)(b' + H(b'P \| yP)\,y)(c' + H(c'P \| zP)\,z)}$$
$$K_B = e(P, P)^{(a' + H(a'P \| xP)\,x)(b + H(bP \| yP)\,y)(c' + H(c'P \| zP)\,z)}$$

Then E is able to obtain $K_B$ from the publicly known values $P_A$, $P_B$ and the secret values $a'$, $b'$, $c'$ and $x$ by computing

$$\begin{aligned}
& e(bP, P)^{a'c'} \cdot e\big(bP, H(c'P \| zP)\,zP\big)^{a'} \cdot e\big(P, H(bP \| yP)\,yP\big)^{a'c'} \cdot e\big(H(bP \| yP)\,yP, H(c'P \| zP)\,zP\big)^{a'} \\
& \cdot\, e\big(bP, H(a'P \| xP)\,xP\big)^{c'} \cdot e\big(H(a'P \| xP)\,bP, H(c'P \| zP)\,zP\big)^{x} \cdot e\big(H(a'P \| xP)\,xP, H(bP \| yP)\,yP\big)^{c'} \\
& \cdot\, e\big(H(bP \| yP)\,yP, H(c'P \| zP)\,zP\big)^{x\,H(a'P \| xP)}
\end{aligned}$$

(these eight factors are the expansion of $e\big(bP + H(bP \| yP)\,yP,\ c'P + H(c'P \| zP)\,zP\big)^{a' + H(a'P \| xP)\,x}$, i.e., E evaluates B's key from A's position using $a'$ and $x$). However, E cannot compute $K_A$ because she cannot calculate the term

$$e(P, P)^{ayz\,H(b'P \| yP)\,H(c'P \| zP)}$$

of $K_A$. Thus, the adversary succeeds in impersonating C to B and recovers the session key $K_B$.

4.2.4. Key-compromise impersonation attacks on MAK-C

The same attack can be applied to MAK-C. Let $\{A_1, \dots, A_n\}$ be a group of communicating users. Suppose that $A_1$'s long-term secret key $x_1$ is compromised to an adversary E and E wants to impersonate $A_n$ to the other users. When $A_i$ broadcasts $P_{A_i} = a_iP$, the adversary $E_{A_n}$ replaces $P_{A_i}$ ($1 \le i \le n-1$) with $P'_{A_i} = a'_iP$ and broadcasts $P_{A_n} = a'_nP$ impersonating $A_n$.

$$(1)\ A_1 : P_{A_1} = a_1P \to P'_{A_1} = a'_1P,\ \mathrm{Cert}_{A_1}$$
$$(2)\ A_2 : P_{A_2} = a_2P \to P'_{A_2} = a'_2P,\ \mathrm{Cert}_{A_2}$$
$$\cdots$$
$$(n-1)\ A_{n-1} : P_{A_{n-1}} = a_{n-1}P \to P'_{A_{n-1}} = a'_{n-1}P,\ \mathrm{Cert}_{A_{n-1}}$$
$$(n)\ E_{A_n} : P_{A_n} = a'_nP,\ \mathrm{Cert}_{A_n}$$

Then E cannot calculate the term

$$e(P, P)^{a_1 \prod_{i=2}^{n} H(a_iP \| x_iP)\,x_i}$$

of $K_{A_1}$, while E can compute $K_{A_i}$ ($2 \le i \le n$) from its own values $a'_i$ and $x_1$. Thus, the adversary succeeds in impersonating $A_n$ to $A_i$ ($2 \le i \le n-1$) and recovers the session keys $K_{A_i}$ ($2 \le i \le n-1$). Note that, for coherence between the tripartite and multi-party cases, we denote the public keys additively, unlike the original notation in [11].
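A runnable check of the partial key-compromise impersonation attack of Section 4.2 on TAK-3 and TAK-4, added here and not part of the original paper. It uses a constructed toy pairing (a point $kP$ is stored as $k \bmod q$ and $e(aP, bP) = g^{ab}$ in the order-$q$ subgroup of $\mathbb{Z}_p^*$ with $q = 1019$, $p = 2q + 1$, $g = 4$; discrete logs are trivial, so only the algebra is checked) and models $H$ as SHA-256 of the two points reduced mod $q$; all scalars are constructed. The adversary obtains $K_B$ by evaluating B's key from A's position with $a'$ and the compromised $x$, which is what the long product in Section 4.2.3 expands to, and the code also shows that the same computation with $a'$ in place of A's unknown $a$ does not yield $K_A$.

```python
"""Partial key-compromise impersonation on TAK-3 and TAK-4 (Section 4.2).
CONSTRUCTED EXAMPLE in a toy pairing: a point k*P is the integer k mod Q and
e(aP, bP) = G^(a*b) mod P_MOD, so discrete logs are trivial and only the
algebra of the attack is exercised.  H is SHA-256 of the two points mod Q."""
import hashlib

Q = 1019              # prime group order (constructed)
P_MOD = 2 * Q + 1     # 2039, safe prime
G = 4                 # element of order Q in Z_p^*


def point(k):
    return k % Q


def pair(U, V):
    return pow(G, (U * V) % Q, P_MOD)


def H(U, V):
    """Hash of the concatenation U || V of two toy points to a scalar mod Q."""
    data = U.to_bytes(4, "big") + V.to_bytes(4, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def tak3_key(eph, lt, eph1, lt1, eph2, lt2):
    """TAK-3 from one party's view, e.g. for A with (a, x):
    K_A = e(Y_B, P_C)^x * e(P_B, Y_C)^x * e(Y_B, Y_C)^a."""
    return (pow(pair(lt1, eph2), lt, P_MOD) * pow(pair(eph1, lt2), lt, P_MOD)
            * pow(pair(lt1, lt2), eph, P_MOD)) % P_MOD


def tak4_scalar(eph, lt):
    """a + H(aP || xP) x, the MQV-style combined exponent of TAK-4."""
    return (eph + H(point(eph), point(lt)) * lt) % Q


def tak4_key(eph, lt, eph1, lt1, eph2, lt2):
    """TAK-4 from one party's view, e.g. for A:
    K_A = e(P_B + H(P_B||Y_B) Y_B, P_C + H(P_C||Y_C) Y_C)^(a + H(P_A||Y_A) x)."""
    U = (eph1 + H(eph1, lt1) * lt1) % Q
    V = (eph2 + H(eph2, lt2) * lt2) % Q
    return pow(pair(U, V), tak4_scalar(eph, lt), P_MOD)


def kci_attack(key_fn, a, x, b, y, z, a2, b2, c2):
    """E holds A's long-term key x, replaces P_A, P_B with a'P, b'P and sends
    c'P under Cert_C (C's own short-term key never enters; only Y_C = zP is
    used).  Returns (K_A, K_B, E's value for K_B, E's attempt at K_A).
    E computes K_B by taking A's seat with (a', x); the attempt at K_A puts
    a' where A's unknown a belongs and should not match."""
    Y_A, Y_B, Y_C = point(x), point(y), point(z)
    P_B = point(b)
    Pa2, Pb2, Pc2 = point(a2), point(b2), point(c2)
    K_A = key_fn(a, x, Pb2, Y_B, Pc2, Y_C)        # A received b'P and c'P
    K_B = key_fn(b, y, Pa2, Y_A, Pc2, Y_C)        # B received a'P and c'P
    E_KB = key_fn(a2, x, P_B, Y_B, Pc2, Y_C)      # E in A's seat, using x
    E_KA_attempt = key_fn(a2, x, Pb2, Y_B, Pc2, Y_C)
    return K_A, K_B, E_KB, E_KA_attempt


if __name__ == "__main__":
    params = (5, 7, 11, 13, 19, 23, 29, 31)   # a, x, b, y, z, a', b', c' (constructed)
    for name, fn in (("TAK-3", tak3_key), ("TAK-4", tak4_key)):
        K_A, K_B, E_KB, E_KA = kci_attack(fn, *params)
        print(name, "E recovers K_B:", E_KB == K_B, "| E recovers K_A:", E_KA == K_A)
```

For TAK-3 the two keys differ by the factor $e(P, P)^{(a - a')yz}$, which is nonzero in the exponent whenever $a \neq a'$; for TAK-4 they differ unless the hashed combined scalars collide mod $q$, which the test below accounts for.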

4.3. Known-key attacks on TAK-2 and TAK-3

Al-Riyami and Paterson [1] argued that TAK-2 is secure against known-key attacks. That argument does not take the three-party setting into account. Unlike in two-party settings, in the three-party setting we must also consider attacks mounted by a conspiracy of participants. We now present a known-key conspiracy attack on TAK-2 and a known-key attack by an insider on TAK-3. The known-key conspiracy attack is defined in [14] as follows:

• Known-Key Conspiracy (KKC) Attacks: adversaries enter a new session without impersonation, collude, and finally compute an earlier session key among A, B and C from the keys of the new sessions.


4.3.1. Known-key conspiracy attacks on TAK-2

Assume that D and E are malicious entities, with certificates $\mathrm{Cert}_D$ and $\mathrm{Cert}_E$ and long-term public keys $Y_D = vP$ and $Y_E = wP$, respectively. Under the assumption that session keys may be released, if D and E conspire they can recover an earlier session key established among A, B and C. The known-key conspiracy attack on TAK-2 is executed as follows.

1. First, D and E eavesdrop on a session among A, B and C.

$$(1)\ A : P_A = aP,\ \mathrm{Cert}_A$$
$$(2)\ B : P_B = bP,\ \mathrm{Cert}_B$$
$$(3)\ C : P_C = cP,\ \mathrm{Cert}_C$$

2. Next, the colluding D and E start three sessions, with A, B and C separately, in which they use the information gained during step 1. When A, B and C broadcast $a'P$, $b'P$ and $c'P$, respectively, in their sessions, D and E replay the short-term public keys of the earlier session. At this point D and E do not yet know the session keys $K_{ADE}$, $K_{BDE}$ and $K_{CDE}$ established in these sessions, since they know neither $a$, $b$, $c$ nor the fresh $a'$, $b'$, $c'$.

Session with A: $(1)\ A : a'P,\ \mathrm{Cert}_A;\quad (2)\ D : bP,\ \mathrm{Cert}_D;\quad (3)\ E : cP,\ \mathrm{Cert}_E$

Session with B: $(1')\ B : b'P,\ \mathrm{Cert}_B;\quad (2')\ D : aP,\ \mathrm{Cert}_D;\quad (3')\ E : cP,\ \mathrm{Cert}_E$

Session with C: $(1'')\ C : c'P,\ \mathrm{Cert}_C;\quad (2'')\ D : aP,\ \mathrm{Cert}_D;\quad (3'')\ E : bP,\ \mathrm{Cert}_E$

$$K_{ADE} = e(P, P)^{a'bw} \cdot e(P, P)^{a'cv} \cdot e(P, P)^{bcx}$$
$$K_{BDE} = e(P, P)^{b'aw} \cdot e(P, P)^{b'cv} \cdot e(P, P)^{acy}$$
$$K_{CDE} = e(P, P)^{c'aw} \cdot e(P, P)^{c'bv} \cdot e(P, P)^{abz}$$

3. D and E now induce A, B and C to reveal $K_{ADE}$, $K_{BDE}$ and $K_{CDE}$ established in these sessions. Because A, B and C believe that these session keys are already known to D and E, this is a reasonable assumption [6].

4. With this information, D and E can recover $K_{ABC}$ established among A, B and C as follows:

$$K_{ABC} = K_{ADE} \cdot K_{BDE} \cdot K_{CDE} \cdot \big(e(a'P, bP)^w \cdot e(aP, b'P)^w\big)^{-1} \cdot \big(e(aP, c'P)^w \cdot e(a'P, cP)^v \cdot e(b'P, cP)^v \cdot e(bP, c'P)^v\big)^{-1}$$

Every factor in the correction term is computable from D's and E's own long-term keys $v$, $w$ and the short-term public keys seen on the wire: the product of the three revealed keys equals $e(P, P)^{abz + acy + bcx}$ multiplied by exactly these six cross terms.

In fact, this attack requires more assumptions than usual. A plausible attack scenario is described in [6]. Of course, these attacks can be prevented if a key derivation function is used to derive the session key from the shared secret. But, even without such an additional function, a protocol should be robust against these kinds of attacks.

4.3.2. Known-key attacks by insiders on TAK-3

We describe a known-key attack by an insider on TAK-3, which is a variant of Burmester's triangle attack on the Yacobi protocol [6]. As in Burmester's attack, the adversary is an insider who knows A's long-term secret key $x$. The known-key attack on TAK-3 is launched as follows.

1. First, an adversary E eavesdrops on a communication among A, B and C.

ð1Þ A : P A ¼ a � P ; CertA

ð2Þ B : P B ¼ b � P ; CertB

ð3Þ C : P C ¼ c � P ; CertC

2. Subsequently, E starts a new session with both B and C, impersonating A. When B and C broadcast $b'P$ and $c'P$, respectively, E replays $aP$ and $\mathrm{Cert}_A$ recorded from the earlier session, impersonating A, and at the same time replaces $b'P$ and $c'P$ with $bP$ and $cP$, respectively.


$$(1)\ E_A : P_A = aP,\ \mathrm{Cert}_A$$
$$(2)\ B : P_B = b'P \to P_B = bP,\ \mathrm{Cert}_B$$
$$(3)\ C : P_C = c'P \to P_C = cP,\ \mathrm{Cert}_C$$

3. As in the known-key conspiracy attack on TAK-2, if the key $K'_C = e(P, P)^{ayz + xbz + xyc'}$ computed by C in the new session becomes known to E, then E can recover $K_{ABC}$ established among A, B and C in the past session as follows:

$$K_{ABC} = K'_C \cdot \big[e(yP, c'P)^x\big]^{-1} \cdot e(yP, cP)^x = e(P, P)^{ayz + bxz + xyc}$$
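The two known-key attacks of Section 4.3 checked end to end, as an added example that is not from the original paper. It uses a constructed toy pairing (a point $kP$ is the integer $k \bmod q$, $e(aP, bP) = g^{ab}$ in the order-$q$ subgroup of $\mathbb{Z}_p^*$, $q = 1019$, $p = 2q + 1$, $g = 4$; discrete logs are trivial, so only the recovery algebra is verified). The sessions are run with the parties' own TAK-2 and TAK-3 computations, the revealed keys are then combined exactly as in steps 3 and 4 of the conspiracy attack and in the TAK-3 recovery formula, and the result is compared with the eavesdropped session's key. All scalars are constructed.

```python
"""Known-key conspiracy attack on TAK-2 and insider known-key attack on TAK-3
(Section 4.3).  CONSTRUCTED EXAMPLE in a toy pairing: a point k*P is the
integer k mod Q, e(aP, bP) = G^(a*b) mod P_MOD, discrete logs are trivial."""

Q = 1019              # prime group order (constructed)
P_MOD = 2 * Q + 1     # 2039, safe prime
G = 4                 # element of order Q


def point(k):
    return k % Q


def pair(U, V):
    return pow(G, (U * V) % Q, P_MOD)


def inv(t):
    """Inverse in G2 (Z_p^*), used for the (...)^-1 correction factors."""
    return pow(t, P_MOD - 2, P_MOD)


def tak2_key(eph, lt, eph1, lt1, eph2, lt2):
    """TAK-2 from one party's view: e(P_B, Y_C)^a e(Y_B, P_C)^a e(P_B, P_C)^x."""
    return (pow(pair(eph1, lt2), eph, P_MOD) * pow(pair(lt1, eph2), eph, P_MOD)
            * pow(pair(eph1, eph2), lt, P_MOD)) % P_MOD


def tak3_key(eph, lt, eph1, lt1, eph2, lt2):
    """TAK-3 from one party's view: e(Y_B, P_C)^x e(P_B, Y_C)^x e(Y_B, Y_C)^a."""
    return (pow(pair(lt1, eph2), lt, P_MOD) * pow(pair(eph1, lt2), lt, P_MOD)
            * pow(pair(lt1, lt2), eph, P_MOD)) % P_MOD


def kkc_tak2(a, x, b, y, c, z, v, w, a2, b2, c2):
    """D (key v) and E (key w) replay aP, bP, cP into three new sessions, get
    K_ADE, K_BDE, K_CDE revealed, and strip the cross terms.
    Returns (K_ABC of the eavesdropped session, the recovered value)."""
    Y_A, Y_B, Y_C, Y_D, Y_E = map(point, (x, y, z, v, w))
    P_A, P_B, P_C = map(point, (a, b, c))
    Pa2, Pb2, Pc2 = map(point, (a2, b2, c2))
    K_ABC = tak2_key(a, x, P_B, Y_B, P_C, Y_C)            # step 1 (eavesdropped)
    K_ADE = tak2_key(a2, x, P_B, Y_D, P_C, Y_E)           # A with D:bP, E:cP
    K_BDE = tak2_key(b2, y, P_A, Y_D, P_C, Y_E)           # B with D:aP, E:cP
    K_CDE = tak2_key(c2, z, P_A, Y_D, P_B, Y_E)           # C with D:aP, E:bP
    # step 4: divide out e(P,P)^(a'bw + ab'w + ac'w + a'cv + b'cv + bc'v)
    cross = (pow(pair(Pa2, P_B), w, P_MOD) * pow(pair(P_A, Pb2), w, P_MOD)
             * pow(pair(P_A, Pc2), w, P_MOD) * pow(pair(Pa2, P_C), v, P_MOD)
             * pow(pair(Pb2, P_C), v, P_MOD) * pow(pair(P_B, Pc2), v, P_MOD)) % P_MOD
    recovered = (K_ADE * K_BDE * K_CDE * inv(cross)) % P_MOD
    return K_ABC, recovered


def insider_kk_tak3(a, x, b, y, c, z, c2):
    """E, an insider holding x, replays aP as A and swaps the fresh points so
    that C receives the old bP.  From C's new key K'_C the old K_ABC is
    recovered.  Returns (K_ABC, recovered)."""
    Y_A, Y_B, Y_C = map(point, (x, y, z))
    P_A, P_B, P_C = map(point, (a, b, c))
    Pc2 = point(c2)
    K_ABC = tak3_key(a, x, P_B, Y_B, P_C, Y_C)
    K_C_new = tak3_key(c2, z, P_A, Y_A, P_B, Y_B)         # C sees aP and bP
    # K_ABC = K'_C * [e(yP, c'P)^x]^-1 * e(yP, cP)^x
    recovered = (K_C_new * inv(pow(pair(Y_B, Pc2), x, P_MOD))
                 * pow(pair(Y_B, P_C), x, P_MOD)) % P_MOD
    return K_ABC, recovered


if __name__ == "__main__":
    K, R = kkc_tak2(5, 7, 11, 13, 17, 19, 37, 41, 23, 29, 31)
    print("KKC on TAK-2 recovers K_ABC:", K == R)
    K, R = insider_kk_tak3(5, 7, 11, 13, 17, 19, 31)
    print("insider attack on TAK-3 recovers K_ABC:", K == R)
```

Both recoveries are pure group arithmetic on revealed keys and wire values; deriving the session key as $\mathrm{KDF}(\text{shared secret})$ instead of using the shared secret directly is exactly what breaks them, since the adversary then holds hash outputs rather than elements of $G_2$ that can be multiplied and inverted.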

4.4. Unknown key-share attack on TAK-1

In [1], it is shown that TAK-1 is secure against unknown key-share attacks if the CA checks that each public key is registered only once. But we show that if the CA does not check a user's possession of the long-term private key, TAK-1 is still vulnerable to unknown key-share attacks.

4.4.1. Unknown key-share attacks on TAK-1

Suppose that adversaries $E_1$, $E_2$ and $E_3$ collude. First, the adversaries select a random $k \in \mathbb{Z}_q^*$, compute $Y_{E_1} = kY_A = k(xP)$, $Y_{E_2} = kY_B = k(yP)$ and $Y_{E_3} = kY_C = k(zP)$, and have these registered as their long-term public keys, obtaining the certificates $\mathrm{Cert}_{E_1}$, $\mathrm{Cert}_{E_2}$ and $\mathrm{Cert}_{E_3}$, respectively. Note that $E_1$, $E_2$ and $E_3$ do not know the corresponding long-term secret keys $kx$, $ky$ and $kz$, although they know $k$. When A, B and C broadcast their short-term public keys together with their certificates, the adversaries replace $\mathrm{Cert}_A$, $\mathrm{Cert}_B$ and $\mathrm{Cert}_C$ with $\mathrm{Cert}_{E_1}$, $\mathrm{Cert}_{E_2}$ and $\mathrm{Cert}_{E_3}$, respectively.

$$(1)\ A : P_A = aP,\ \mathrm{Cert}_A \to P_A = aP,\ \mathrm{Cert}_{E_1}$$
$$(2)\ B : P_B = bP,\ \mathrm{Cert}_B \to P_B = bP,\ \mathrm{Cert}_{E_2}$$
$$(3)\ C : P_C = cP,\ \mathrm{Cert}_C \to P_C = cP,\ \mathrm{Cert}_{E_3}$$

Then A, B and C compute the session keys $K_A$, $K_B$ and $K_C$ as follows:

$$K_A = H\big(e(bP, cP)^a \,\|\, e(kyP, kzP)^x\big) = H\big(e(P, P)^{abc} \,\|\, e(P, P)^{k^2xyz}\big)$$
$$K_B = H\big(e(aP, cP)^b \,\|\, e(kxP, kzP)^y\big) = H\big(e(P, P)^{abc} \,\|\, e(P, P)^{k^2xyz}\big)$$
$$K_C = H\big(e(aP, bP)^c \,\|\, e(kxP, kyP)^z\big) = H\big(e(P, P)^{abc} \,\|\, e(P, P)^{k^2xyz}\big)$$

Finally, A, B and C share the session key $K = K_A = K_B = K_C = H\big(e(P, P)^{abc} \,\|\, e(P, P)^{k^2xyz}\big)$. However, A believes that she shares the key with $E_2$ and $E_3$, while B (resp. C) believes that he shares the key with $E_1$ and $E_3$ (resp. $E_1$ and $E_2$). Thus, if the CA does not check a user's possession of the private key corresponding to his public key, TAK-1 is insecure against unknown key-share attacks.
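The unknown key-share attack on TAK-1 above, together with the countermeasure suggested in the footnote to Table 1 (folding the participants' identities into the key derivation), as an added example that is not from the original paper. It uses a constructed toy pairing ($kP$ stored as $k \bmod q$, $e(aP, bP) = g^{ab}$ in the order-$q$ subgroup of $\mathbb{Z}_p^*$, $q = 1019$, $p = 2q + 1$, $g = 4$; discrete logs are trivial, so only the algebra is checked); $H$ is SHA-256 over byte encodings, and the identities, scalars and the CA's behaviour (it certifies $kY_A$, $kY_B$, $kY_C$ without a proof of possession) are constructed for the demonstration.

```python
"""Unknown key-share attack on TAK-1 (Section 4.4) and the identity-binding
key derivation that defeats it.  CONSTRUCTED EXAMPLE in a toy pairing: a
point k*P is the integer k mod Q and e(aP, bP) = G^(a*b) mod P_MOD, so
discrete logs are trivial and only the algebra is exercised."""
import hashlib

Q = 1019              # prime group order (constructed)
P_MOD = 2 * Q + 1     # 2039, safe prime
G = 4                 # element of order Q


def point(k):
    return k % Q


def pair(U, V):
    return pow(G, (U * V) % Q, P_MOD)


def H(*parts):
    """TAK-1's hash H over the concatenation of its inputs (G2 elements as
    fixed-width bytes, identities as UTF-8 strings)."""
    h = hashlib.sha256()
    for p in parts:
        h.update(p.to_bytes(4, "big") if isinstance(p, int) else p.encode())
    return h.hexdigest()


def tak1_key(eph, lt, eph1, lt1, eph2, lt2, ids=None):
    """TAK-1 from one party's view: K_A = H(e(P_B, P_C)^a || e(Y_B, Y_C)^x).
    With ids=(own, peer1, peer2), the identities the party *believes* it is
    talking to are bound into the derivation (the footnote's countermeasure)."""
    s1 = pow(pair(eph1, eph2), eph, P_MOD)
    s2 = pow(pair(lt1, lt2), lt, P_MOD)
    return H(s1, s2) if ids is None else H(*sorted(ids), s1, s2)


def honest_tak1(a, x, b, y, c, z):
    """Undisturbed run: all three derive H(e(P,P)^abc || e(P,P)^xyz)."""
    Y_A, Y_B, Y_C = map(point, (x, y, z))
    P_A, P_B, P_C = map(point, (a, b, c))
    return (tak1_key(a, x, P_B, Y_B, P_C, Y_C),
            tak1_key(b, y, P_A, Y_A, P_C, Y_C),
            tak1_key(c, z, P_A, Y_A, P_B, Y_B))


def uks_attack_tak1(a, x, b, y, c, z, k, bind_ids=False):
    """E1, E2, E3 register k*Y_A, k*Y_B, k*Y_C (the CA skips proof of
    possession) and swap Cert_A, Cert_B, Cert_C for their own on the wire.
    Returns the keys A, B and C derive.  Without identity binding all three
    coincide although A thinks its peers are E2 and E3, B thinks E1 and E3,
    and C thinks E1 and E2."""
    Y_A, Y_B, Y_C = map(point, (x, y, z))
    Y_E1, Y_E2, Y_E3 = point(k * Y_A), point(k * Y_B), point(k * Y_C)
    P_A, P_B, P_C = map(point, (a, b, c))
    ids_A = ("A", "E2", "E3") if bind_ids else None
    ids_B = ("B", "E1", "E3") if bind_ids else None
    ids_C = ("C", "E1", "E2") if bind_ids else None
    return (tak1_key(a, x, P_B, Y_E2, P_C, Y_E3, ids_A),
            tak1_key(b, y, P_A, Y_E1, P_C, Y_E3, ids_B),
            tak1_key(c, z, P_A, Y_E1, P_B, Y_E2, ids_C))


if __name__ == "__main__":
    scalars = (5, 7, 11, 13, 17, 19)                      # a,x,b,y,c,z (constructed)
    K_A, K_B, K_C = uks_attack_tak1(*scalars, k=3)
    print("UK-S: A, B, C hold one key:", K_A == K_B == K_C)
    K_A, K_B, K_C = uks_attack_tak1(*scalars, k=3, bind_ids=True)
    print("with identities bound, keys still agree:", K_A == K_B == K_C)
```

The attack leaves the pairing inputs untouched and only relabels who owns them, so the shared secret $e(P,P)^{abc} \,\|\, e(P,P)^{k^2xyz}$ is genuinely common to A, B and C; binding each party's view of the participant set into $H$ makes the three derived keys disagree, which is the property that defeats the attack regardless of what the CA checks.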

Table 1. Security attributes offered by Al-Riyami–Paterson's tripartite and Lee et al.'s multi-party AK protocols

Protocol                        IKA   K-CI   K-KS     UK-S
TAK-1 / MAK-A                   Yes   No     No       No (b)
TAK-2 / MAK B-j (j ≠ n − 1)     No    No     No (a)   Yes
TAK-3 / MAK B-(n − 1)           Yes   No     No (a)   Yes
TAK-4 / MAK-C                   Yes   No     Yes      Yes

(a) If a key derivation function is used to derive the shared key from the shared secret, known-key security is achieved.

(b) The UK-S attack on TAK-1 is usually prevented by requiring that entities prove to the certificate-issuing authority possession of the private keys corresponding to their public keys during the certification process. But this method is not so desirable, since no one guarantees that every CA will conduct the checking procedure. Including the identities of the participating entities in the key derivation function can prevent all kinds of UK-S attacks.


4.5. Summary

This section compares the security of TAK-1/MAK-A, TAK-2/MAK B-j ($j \neq n-1$), TAK-3/MAK B-$(n-1)$ and TAK-4/MAK-C. Table 1 presents a summary of the security attributes that are believed to be provided by the protocols. We denote by IKA implicit key authentication, by K-CI key-compromise impersonation resilience, by K-KS known-key security, and by UK-S unknown key-share resilience.

5. Conclusion

We have shown that Al-Riyami–Paterson's tripartite AK protocols TAK-1, TAK-2, TAK-3 and TAK-4, and Lee et al.'s multi-party AK protocols MAK-A, MAK B-j and MAK-C, are insecure against several active attacks. Thus, it is fair to say that constructing usable tripartite and multi-party AK protocols satisfying all the security attributes described in Section 2 is still an open problem.

References

[1] S.S. Al-Riyami, K.G. Paterson, Authenticated three party key agreement protocols from pairings, in: Proc. of IMA'03, Cryptography and Coding, LNCS, vol. 2898, 2003, pp. 332–359. Available from: <http://eprint.iacr.org/2002/035>.

[2] S. Blake-Wilson, D. Johnson, A. Menezes, Unknown key-share attacks on the station-to-station (STS) protocol, in: Proc. of PKC'99, LNCS, vol. 1560, 1999, pp. 154–170.

[3] S. Blake-Wilson, A. Menezes, Authenticated Diffie–Hellman key agreement protocols, in: Proc. of SAC'98, LNCS, vol. 1556, 1999, pp. 339–361.

[4] D. Boneh, M. Franklin, Identity-based encryption from the Weil pairing, in: Advances in Cryptology, Proc. of Crypto'01, LNCS, vol. 2139, 2001, pp. 213–229.

[5] D. Boneh, A. Silverberg, Applications of multilinear forms to cryptography, Contemp. Math. 324 (2003) 71–90.

[6] M. Burmester, On the risk of opening distributed keys, in: Advances in Cryptology, Proc. of Crypto'94, LNCS, vol. 839, 1994, pp. 308–317.

[7] W. Diffie, M. Hellman, New directions in cryptography, IEEE Trans. Inform. Theory 22 (1976) 644–654.

[8] A. Joux, A one round protocol for tripartite Diffie–Hellman, in: Proc. of ANTS IV, LNCS, vol. 1838, 2000, pp. 385–394.

[9] B. Kaliski, An unknown key-share attack on the MQV key agreement protocol, ACM Trans. Inform. Syst. Security 4 (2001) 275–288.

[10] L. Law, A. Menezes, M. Qu, J. Solinas, S. Vanstone, An efficient protocol for authenticated key agreement, Designs, Codes Cryptogr. 28 (2003) 119–134.

[11] H. Lee, H. Lee, Y. Lee, Multi-party authenticated key agreement protocols from multilinear forms, Appl. Math. Comput. 159 (2004) 317–331.

[12] T. Matsumoto, Y. Takashima, H. Imai, On seeking smart public-key distribution systems, Trans. IEICE Jpn. E69 (1986) 99–106.

[13] A.J. Menezes, T. Okamoto, S.A. Vanstone, Reducing elliptic curve logarithms to logarithms in a finite field, IEEE Trans. Inform. Theory 39 (1993) 1639–1646.

[14] K. Shim, The risk of compromising secret information, in: Proc. of ICICS'02, LNCS, vol. 2513, 2002, pp. 122–133.