On the Relations Between Diffie-Hellman and ID-Based Key Agreement from Pairings

This paper studies the relationships between the traditional Diffie-Hellman key agreement protocol and the identity-based (ID-based) key agreement protocol from pairings. For the Sakai-Ohgishi-Kasahara (SOK) ID-based key construction, we show that identical to the Diffie-Hellman protocol, the SOK key agreement protocol also has three variants, namely \emph{ephemeral}, \emph{semi-static} and \emph{static} versions. Upon this, we build solid relations between authenticated Diffie-Hellman (Auth-DH) protocols and ID-based authenticated key agreement (IB-AK) protocols, whereby we present two \emph{substitution rules} for this two types of protocols. The rules enable a conversion between the two types of protocols. In particular, we obtain the \emph{real} ID-based version of the well-known MQV (and HMQV) protocol. Similarly, for the Sakai-Kasahara (SK) key construction, we show that the key transport protocol underlining the SK ID-based encryption scheme (which we call the "SK protocol") has its non-ID counterpart, namely the Hughes protocol. Based on this observation, we establish relations between corresponding ID-based and non-ID-based protocols. In particular, we propose a highly enhanced version of the McCullagh-Barreto protocol

Efficient algorithms for pairing-based cryptosystems

We describe fast new algorithms to implement recent cryptosystems based on the Tate pairing. In particular, our techniques improve pairing evaluation speed by a factor of about 55 compared to previously known methods in characteristic 3, and attain performance comparable to that of RSA in larger characteristics.We also propose faster algorithms for scalar multiplication in characteristic 3 and square root extraction over Fpm, the latter technique being also useful in contexts other than that of pairing-based cryptography

Pairing-based public-key encryption schemes with backward-and-forward security

Identity-based cryptosystems utilize some arbitrary strings as the participants' public key in the underlying system. The encryptioner will not need to obtain the decryptioner's certificate. That will simplify the certificate management. Therefore, it is still interesting to propose some new identity-based encryption schemes. In this paper we will propose two new different constructions, i.e. receiptor-oriented encryption schemes. They are both identity-based encryption schemes and also based on pairings. The proposed encryption schemes have a new advantage, i.e. backward-and-forward security. In addition, we provide the security analysis for the proposed schemes

Identity based cryptography from bilinear pairings

This report contains an overview of two related areas of research in cryptography which have been prolific in significant advances in recent years. The first of these areas is pairing based cryptography. Bilinear pairings over elliptic curves were initially used as formal mathematical tools and later as cryptanalysis tools that rendered supersingular curves insecure. In recent years, bilinear pairings have been used to construct many cryptographic schemes. The second area covered by this report is identity based cryptography. Digital certificates are a fundamental part of public key cryptography, as one needs a secure way of associating an agent’s identity with a random (meaningless) public key. In identity based cryptography, public keys can be arbitrary bit strings, including readable representations of one’s identity.Fundação para a Ci~Encia e Tecnologia - SFRH/BPD/20528/2004

Introducing Accountability to Anonymity Networks

Many anonymous communication (AC) networks rely on routing traffic through proxy nodes to obfuscate the originator of the traffic. Without an accountability mechanism, exit proxy nodes risk sanctions by law enforcement if users commit illegal actions through the AC network. We present BackRef, a generic mechanism for AC networks that provides practical repudiation for the proxy nodes by tracing back the selected outbound traffic to the predecessor node (but not in the forward direction) through a cryptographically verifiable chain. It also provides an option for full (or partial) traceability back to the entry node or even to the corresponding user when all intermediate nodes are cooperating. Moreover, to maintain a good balance between anonymity and accountability, the protocol incorporates whitelist directories at exit proxy nodes. BackRef offers improved deployability over the related work, and introduces a novel concept of pseudonymous signatures that may be of independent interest. We exemplify the utility of BackRef by integrating it into the onion routing (OR) protocol, and examine its deployability by considering several system-level aspects. We also present the security definitions for the BackRef system (namely, anonymity, backward traceability, no forward traceability, and no false accusation) and conduct a formal security analysis of the OR protocol with BackRef using ProVerif, an automated cryptographic protocol verifier, establishing the aforementioned security properties against a strong adversarial model

Bilinear Mappings in Formal Cryptography

Krüptograafiliste protokollide turvalisuse testimiseks on loodud erinevad analüsaatorid. Osa neist põhineb predikaatloogika valemitel. Formaalses mudelis pole aga mugav realiseerida aritmeetilisi funktsioone. On kerge arvutada g^a, kui on teada nii g kui a väärtused, kuid protokollides on muutujad üldjuhul väärtustamata. Algebraliste struktuuride omadusi on vaja kirjeldada loogika valemite abil. Mõnede sellist liiki probleemidega on juba tegeldud. Näiteks on realiseeritud Diffie-Hellmani astendamine Horni valemitel põhineva analüsaatoriga ProVerif. Kahjuks see töötab vaid erinevate astendajate lõpliku arvu korral. Peale astendamist pakuvad aga krüptograafia valdkonnale huvi ka muud algebralised struktuurid, nende hulgas ka bilineaarsed kujutused. Antud uurimistöö eesmärk oli realiseerida bilineaarsete kujutuste arvutamist analüsaatoriga ProVerif ning analüüsida moodustatud protokolliteisendaja abil mõningaid bilineaarseid kujutusi kasutavaid protokolle.Bilinear mappings are quite powerful mathematical structures that can be used in cryptography. They allow constructing cryptographic primitives that would be otherwise ineffective or even impossible. In formal cryptography, the protocols are based on term algebras and process calculi, and can be represented through Horn clauses for analysis purposes. The security of these protocols can be tested with analyzers based on resolution methods. However, there are problems with realization of arithmetic operations. It is easy to compute g^a if the values of both g and a are known, but the values are usually undefned in the protocols. Some research works have been written about the representation of exponentiation in formal model, but there are still many things that should be done. In this work, an attempt to implement an analysis of bilinear mappings in formal cryptography has been done

A mechanical approach to derive identity-based protocols from Diffie-Hellman-based protocols

We describe a mechanical approach to derive identity-based (ID-based) protocols from existing Diffie-Hellman-based ones. As case studies, we present the ID-based versions of the Unified Model protocol, UMP-ID, Blake-Wilson, Johnson & Menezes (1997)\u27s protocol, BJM-ID, and Krawczyk (2005)\u27s HMQV protocol, HMQV-ID. We describe the calculations required to be modified in existing proofs. We conclude with a comparative security and efficiency of the three proposed ID-based protocols (relative to other similar published protocols) and demonstrate that our proposed ID-based protocols are computationally efficient

Secure pairing-free two-party certificateless authenticated key agreement protocol with minimal computational complexity

Key agreement protocols play a vital role in maintaining security in many critical applications due to the importance of the secret key. Bilinear pairing was commonly used in designing secure protocols for the last several years; however, high computational complexity of this operation has been the main obstacle towards its practicality. Therefore, implementation of Elliptic-curve based operations, instead of bilinear pairings, has become popular recently, and pairing-free key agreement protocols have been explored in many studies. A considerable amount of literatures has been published on pairing-free key agreement protocols in the context of Public Key Cryptography (PKC). Simpler key management and non-existence of key escrow problem make certificateless PKC more appealing in practice. However, achieving certificateless pairing-free two-party authenticated key agreement protocols (CL-AKA) that provide high level of security with low computational complexity, remains a challenge in the research area. This research presents a secure and lightweight pairingfree CL-AKA protocol named CL2AKA (CertificateLess 2-party Authenticated Key Agreement). The properties of CL2AKA protocol is that, it is computationally lightweight while communication overhead remains the same as existing protocols of related works. The results indicate that CL2AKA protocol is 21% computationally less complex than the most efficient pairing-free CL-AKA protocol (KKC-13) and 53% less in comparison with the pairing-free CL-AKA protocol with highest level of security guarantee (SWZ-13). Security of CL2AKA protocol is evaluated based on provable security evaluation method under the strong eCK model. It is also proven that the CL2AKA supports all of the security requirements which are necessary for authenticated key agreement protocols. Besides the CL2AKA as the main finding of this research work, there are six pairing-free CL-AKA protocols presented as CL2AKA basic version protocols, which were the outcomes of several attempts in designing the CL2AKA

Overview of Key Agreement Protocols

The emphasis of this paper is to focus on key agreement. To this aim, we address a self-contained, up-to-date presentation of key agreement protocols at high level. We have attempted to provide a brief but fairly complete survey of all these schemes

Identity-Based Higncryption

Identity-based cryptography (IBC) is fundamental to security and privacy protection. Identity-based authenticated encryption (i.e., signcryption) is an important IBC primitive, which has numerous and promising applications. After two decades of research on signcryption,recently a new cryptographic primitive, named higncryption, was proposed. Higncryption can be viewed as privacy-enhanced signcryption, which integrates public key encryption, entity authentication, and identity concealment (which is not achieved in signcryption) into a monolithic primitive. Here, briefly speaking, identity concealment means that the transcript of protocol runs should not leak participants\u27 identity information. In this work, we propose the first identity-based higncryption (IBHigncryption). The most impressive feature of IBHigncryption, among others, is its simplicity and efficiency. The proposed IBHigncryption scheme is essentially as efficient as the fundamental CCA-secure Boneh-Franklin IBE scheme [18], while offering entity authentication and identity concealment simultaneously. Compared to the identity-based signcryption scheme [11], which is adopted in the IEEE P1363.3 standard, our IBHigncryption scheme is much simpler, and has significant efficiency advantage in total. Besides, our IBHigncryption enjoys forward ID-privacy, receiver deniability and x-security simultaneously. In addition, the proposed IBHigncryption has a much simpler setup stage with smaller public parameters, which in particular does not have the traditional master public key. Higncryption is itself one-pass identity-concealed authenticated key exchange without forward security for the receiver. Finally, by applying the transformation from higncryption to identity-concealed authenticated key exchange (CAKE), we get three-pass identity-based CAKE (IB-CAKE) with explicit mutual authentication and strong security (in particular, perfect forward security for both players). Specifically, the IB-CAKE protocol involves the composition of two runs of IBHigncryption, and has the following advantageous features inherited from IBHigncryption: (1) single pairing operation: each player performs only a single pairingoperation; (2) forward ID-privacy; (3) simple setup without master public key; (4) strong resilience to ephemeral state exposure, i.e., x-security; (5) reasonable deniability