This paper proposes an ID-based authenticated two round multi-party key agreement among n parties. Several ID-based two-party and tripartite key agreement schemes were proposed recently. Our two round multi-party key agreement scheme utilizes the idea of the two-round group key exchange protocol of Burmester and Desmedt. The authenticity of the protocol is assured by a special signature scheme, so the messages carrying the information of ephemeral key can be broadcasted authentically by an entity. Security attributes of our protocol are presented, and computational overhead and band width of the broadcast messages are analyzed as well

Jianhua Ge

Xinjun Du

Ying Wang

Yumin Wang

Cryptology ePrint Archive

An ID-based Authenticated Two Round Multi-Party Key Agreement Xinjun Du, Ying Wang, Jianhua Ge and Yumin Wang Key Laboratory of Computer  Networks and Information Security Xidian University Xi’an 710071, P.R. China Abstract:    This paper proposes an ID-based authenticated two round multi-party key agreement among n parties. Several ID-based two-party and tripartite key agreement schemes were proposed recently. Rana Barua attempted to extend Joux’s tripartite protocol to multi-party key agreement, but this scheme requires rounds. Our two round multi-party key agreement scheme utilizes the idea of the two-round group key exchange protocol of Burmester and Desmedt. The authenticity of the protocol is assured by a special signature scheme, so the messages carrying the information of ephemeral key can be broadcasted authentically by an entity. Security attributes of our protocol are presented, and computational overhead are analyzed as well.  3log n⎡⎢ ⎤⎥ Keywords: multi-party key agreement, Bilinear pairings, Identity-based cryptography  1. Introduction The first modern protocol for key agreement was the Diffie-Hellman protocol given in the seminal paper [1]. Diffie-Helman key agreement provided the first practical solution to the key agreement problem, allowing two parties never having met in advance or shared keying material, to establish a shared secret by exchanging messages over an open channel. A huge number of two-party key agreement protocols based Diffie-Helman problem have been proposed [2]. However, the basic Diffie-Hellman protocol does not authenticate the two communication entities, hence suffers from the “man-in-the-middle” attack. A number of works have considered solving the problem [3,4,5,6]. Another direction of research on key agreement is to extending the two-party Diffie-Hellman protocol to the multi-party setting, amongst which the three-party case receives much interest. Joux[7] presented an one-round tripartite key agreement protocol using pairings. Joux’s protocol did not attempt to authenticate the three communicating entities and is also vulnerable to “man-in the-middle” attack. Lately, Al-Riyami and Paterson presented some authenticated three-party agreement protocols from pairings in [8]. The certificates of the three entities, which are issued by a Certificate Authority (CA), are used to bind an entity’s identity with his static keys. However, in a certificate system, before using the public key of a user, the participants must first verify the certificate of the user. As a result, this system requires a large amount of computing time and storage.  Since Shamir [10] asked for identity-based encryption and signature scheme to simplify key management procedures in certificated-based public key infrastructure, many ID-based cryptosystem schemes have been proposed [11]. The bilinear pairings are important tools for construction of ID-based cryptographic schemes. With the construction of ID-based public key cryptosystems, ID-based public key infrastructure can be an alternative for certificate-based public key infrastructures, especially efficient key management. Zhang, Liu and Kim [9] proposed a new identity-based authenticated three-party key agreement protocol, in which the authenticity is assured by a special signature scheme from pairing. Rana Barua[12] attempted to extend Joux’s tripartite protocol to authenticated and unauthenticated multi-party key agreement, but according to the paper this scheme requires rounds, and is not scalable. 3log n⎡⎢ ⎤⎥2In this paper, we utilize the idea of the BD protocol [13] and a modified signature scheme [14] to propose a two round multi-party authenticated key agreement protocol based on the ID-based public key infrastructure. The rest of the paper is organized as follows: The next section briefly explains the bilinear pairing and ID-based public key infrastructure. Section 3 gives a detailed description of our multi-party key agreement protocol. In section 4, a heuristic analysis of this protocol is presented. Section 5 concludes this paper.   2. ID-Based Public Key Infrastructure with Pairing In this section, we briefly describe the bilinear pairing and BDH assumption. Then the ID-based public key infrastructure based on pairing is presented.  2.1 Bilinear pairings and the Bilinear Diffie-Hellam Assumption Let  and  be two cyclic groups of order q  for some large prime .  is a cyclic additive group and  is a cyclic multiplicative group. We assume that the discrete logarithm problems in both  and  are hard. Let 1G 2G q 1G2G1G 2G 1 1:e G G G× →  be a pairing which satisfies the following conditions: (1) Bilinear: ,for all ( , ) ( , )abe aP bQ e P Q= 1,P Q G∈  and all ; *, qa b∈(2) Non-degenerate: there exists 1P G∈  and 1Q G∈ , such that ; ( , ) 1e P Q ≠(3) Computability: there is an efficient algorithm to compute  for all . ( , )e P Q 1,P Q G∈Definition 1. The Bilinear Diffie-Hellman (BDH) Problem for a bilinear pairing  is defined as follows: give1 1:e G G G× → 2 1, , ,P aP bP cP G∈ , compute , where . An algorithm  is said to solve the BDH problem in  with an advantage of 2( , )abce P P G∈*, , Ra b c∈ q A 1 2, ,G G e< >ε , if Pr[ ( , , , ) ( , ) ]abcP aP bP cP e P P ε= >A  BDH Parameter Generator:  We say that a randomized algorithm  be a BDH parameter generator if (1)  takes a security parameter IGIG 0 k< ∈ , (2)  runs in polynomial time in , and (3)  outputs the description of two groups  and the description of a bilinear pairing  described above.  IGk IG 1 2,G G1 1:e G G G× → 2Bilinear Diffie-Hellman Assumption:  We assume that the BDH problem is hard, which means there is no polynomial time algorithm to solve BDH problem with non-negligible probability.  2.2 ID-based Public Key Infrastructure ID-based public key infrastructure involves a Key Generation Center (KGC) and users. The basic operations consist of Set Up and Private Key Extraction. KGC runs BDH parameter generator to generate two groups and a bilinear pairing1,G G2 21 1:e G G G× → , which are described above. It chooses an arbitrary generator 1P G∈ and defines two cryptographic hash functions: ,* *:{0,1} qH →*1 1:{0,1}H G→ .  — Set Up: KGC chooses a random number  and set *qs∈ pubP sP= . Then the KGC publishes system parameters 1 2 1{ , , , , , , }pubparams G G q P P H H= , and keep as master-key. s— Private Key Extraction: A user submits his identity information ID to KGC. KGC computer the user’s public key as 1( )IDQ H ID= , and returns his private key . ID IDS sQ= 3. ID-based Authenticated Multi-party Key Agreement Protocol  In this section, we present an ID-based authenticated multi-party key agreement protocol enlightened by the idea of the BD protocol [13].  Let 1,..., nID ID be the entities which are going to agree to some session keys and each has a unique identifier ,1iID i≤ ≤ n) i. With the ID-based public key infrastructure, each entity has its public key and private key: and1(i iQ H ID= iS sQ= . The pair is the entity ’s static key pairs. ( , )i iQ S i The protocol is as follows: 1. Each entity ,1iID i≤ ≤ n q P, generates its ephemeral key and broadcasts , . *iN ∈ i iz N=( )i i i i pubT H z S N P= +2. Each entity iID  verifies: {1,..., }\{ } {1,..., }\{ }( , ) ( ( ( ) ), )j j j j pubj n i j n ie T P e H z Q z P∈ ∈= +∑ ∑ . Then, it computes and broadcasts 1 1( , ( )i pub i i iX e P N z z+ − )= − . 3. Each entity iID  now computes the key1 21 1( , )n npub i i i i iK e P nN z X X X− −2− + −= ⋅ ⋅ ⋅⋅⋅ . Note: All indexes are modulo . n The bilinearity of e makes it easy to see that the shared session key is: 1 2 2 3 1( )( , ) nN N N N N N sK e P P + +⋅⋅⋅= . 4. Analysis of the proposed protocol 4.1 Authenticity of the protocol From the protocol we can see the authenticity of ,1iz i n≤ ≤  are achieved by the authenticators . The authenticators are computed by the entities using their static private keys .  can also be considered to be the entity,1iT i≤ ≤ n≤ ≤ iT,1iS i n iID ’s signature for the message . As a consequence, the authenticity of the key agreement protocol is assured by the security of the ID-based signature scheme, which relies on the ID-based public key infrastructure introduced in Section 2. Without loss of generality, the entityiziID  is the signer.   Signing: Suppose that the message to be signed is m NULL= . The signature of the message is ( )i i i pubH N P S N P+ .  Verification: After getting a message m and its signature , the verifier accepts the signature if and only the following equation holds: iT( , ) ( ( ) , )i i i i pube T P e H z Q z P= +  This signature scheme is secure against existential forgery under an adaptively chosen message attack in the random oracle model. The proof is similar to the Scheme 4 in [14]. Here, we give a brief security analysis. Suppose that there is polynomial time probabilistic Turing machine E which takes and as input, and output an existential forgery of a signature from the entityiz iQiID  with a non-negligible probability. Then we show there is a polynomial time algorithm can solve the weak version of Diffie-Hellman problem. The hash function'E H is considered to be a random oracle. According to the Forking Lemma [15], E can get two forgeries of the signature for the same message m :  and . We have iT îT( , )i i iT H m z S sz= + i i and 'ˆ ( , )i i iT H m z S sz= + . It follows that 'ˆ ( ( , ) ( , ))i i i iT T H m z H m z S− = − i  then  '( , ) ( , )ˆ( , ) ( , ) i iH m z H m zi i i pube T T P e Q P−− = .  From the above equation, we can see the polynomial time algorithm can invert the pairing, i.e. there is a polynomial time algorithm'E2: 1f G G→ . Let g be a generator of , then  is also a generator of . Furthermore, 2G' ( ( ), ( ))g e f g f g= 2G'( ( ), ( ))e f g f g gλ µ = λµ . That is given gλ  and g µ , we can computed 'g λµ  and have hence solved an instance of the weak Diffie-Hellman problem in . 2G4.2 Security of session keys Proposition 1 The secrecy of the session keys produced by the protocol relies on the assumption of hardness of BDH problem. Proof: First, we let ( ,pube P P)α =  and' ( , ) ,1iNi pub iz e P z i nα= = ≤ ≤ . Then we modify the protocol as follows.  1. Each entity ,1iID i n≤ ≤ , generates its ephemeral key and broadcasts*iN ∈ q' iNiz α= . 2. Each entity iID computes and broadcasts' '1 1( / ) iNi i iX z z+ −= . 3. Each entity iID  now computes the session key' 1 21 1( ) inN n ni i i 2iK z X X X− −− + −= ⋅ ⋅ ⋅ ⋅ ⋅ . This protocol is a basic BD protocol [13] and its security has been proven in the standard model [16]. So the messages broadcasted in step 2 provide nothing about the session key, especially the value , to an adversary. We also can see:  ' 1( ) inNiz −1'1 1( ) ( , ) ( , )i inN nN N N si pub iz e P N P e P P −− −= = i in. Due to the bilinearity of the pairing, the entities do not exchange ephemeral keys , but in our protocol. But given , it is hard to determine , which relies on the assumption of hardness of BDH problem.               □ ,1iN i≤ ≤,1iN P i n≤ ≤ 1{ , , , }i iP N P N P sP−1( , ) i isN Ne P P −The protocol also has the other security attributes: Known session key session security, Perfect forward security, No key-compromise impersonation, No key control etc. The definitions of these security attributes can be founded in [17].  4.3 Performance analysis Table 1 gives a comprehensive idea about the number of computations per entity in our protocol. The basic computations include: Scalar Multiplication and Addition over , Exponentiation over , Hashing and Pairing. 1G2G Scalar Multiplication Addition Exponentiation Hashing Pairing 3n+  3 2n−  1n−  1n−  4 Table 1. Computation overhead per entity   5. Conclusion In this paper, we proposed an ID-based authenticated multi-party agreement protocol. The resulting key is determined by the ephemeral keys and the master-key of the TA. The authenticity of the protocol is assured by a digital signature scheme. The protocol is only need two rounds and is a round-optimal protocol.  Reference [1] W. Diffie and M. Hellman. New directions in cryptography. IEEE Trans. Info. Th., 22, 644-654, 1976. [2] A. Menezes, P.C. Van Oorschot and S. Vanstone. Handbook of Applied Cryptography, CRC Press, Boca Raton, 1997. [3] S. Blake-Wilson and A. Menezes. Authenticated Diffie-Hellman Key Agreement Protocols. Proceedings of the 5th Annual Workshop on Selected Areas in Cryptography(SAC’98), LNCS 1556, Springer-Verlag, pp.339-361, 1999. [4] L. Law, A. Menezes, M.Qu, J.Solinas and S. Vanstone. An efficient protocol for authenticated key agreement. Technical Report CORR 98-05, Department of C & O, University of Waterloo, 1998. [5] T. Matsumoto, U. Takashima and H. Imai. On seeking smart public-key distribution systems. Trans. IECE of Japan, E69, pp. 99-106, 1986. [6] B. Song and K. Kim. Two-Pass Authenticated Key Agreement Protocol with Key Confirmation, Proc. of Indocrypt 2000, LNCS 1977, pp.237-249, Springer-Verlag, 2000. [7] A. Joux. A one round protocol for tripartite Diffie-Hellman, ANTS IV, LNCS 1838, pp. 385-394, Springer-Verlag, 2000. [8] S. Al-Riyami and K. Paterson. Authenticated three party key agreement protocols from pairings. Cryptology ePrint Archive, Report 2002/035, available at http://eprint.iacr.org/2002/035. [9] F. Zhang, S. Liu and K. Kim. ID-Based One Round Authenticated Tripartite Key Agreement Protocol with Pairings. Cryptology ePrint Archive, Report 2002/122, 2002. [10] A. Shamir. Identity-based cryptosystems and signature schemes. Advances in         Cryptology-Crypto 84, LNCS 196, pp.47-53, Springer-Verlag, 1984. [11] Martin Gagne. Identity-Based Encryption: a Survey. RSA Laboratories Cryptobytes, Vol. 6,  No. 1, Spring 2003. [12] Rana Barua, Ratna Dutta and Palash Sarkar. Extending Joux’s Protocol to Multi Party Key Agreement. Cryptology ePrint Archive, Report 2003/190, 2003. [13] Mike Burmester and Yvo Desmedt. A secure and efficient conference key distribution system. In I.B.Damgard, editor, Advances in Cryptology-EURO-CRYPT’94, Lecture Notes in Computer Science, Springer-Verlag, Berlin Germany, 1994. [14] F. Hess. Exponent Group Signature Schemes and Efficient Identity Based Signature Schemes  Based on Pairings. Cryptology ePrint Archive, Report 2002/012, 2002. [15] D. Pointcheval and J. Stern. Security arguments for digital signatures and blind signatures,  Journal of cryptology, No. 13, pp.361-396, 2000. [16] Jonathan Katz and Moti Yung. Scalable Protocols for Authenticated Group Key Exchange. Advances in Cryptology-CRYPTO2003, pp 110-125, Springer-Verlag, 2003.     

ID-based Authenticated Two Round Multi-Party Key Agreement

Abstract

Similar works

Full text

Available Versions

Cryptology ePrint Archive