Recently, Liu proposed two authenticated multiple key exchange protocols using pairings, and claimed two protocols featured many security attributes. In this paper, we show that Liu’s protocols are insecure. Both of Liu’s protocols cannot provide perfect forward secrecy

Chuangui Ma

Qingfeng Cheng

Cryptology ePrint Archive

Security weakness of two authenticated keyexchange protocols from pairingsQingfeng Cheng, Chuangui MaZhengzhou Information Science and Technology InstituteZhengzhou 450002, P.R.Chinaqingfengc2008@sina.comAbstract. Recently, Liu proposed two authenticated multiple key ex-change protocols using pairings, and claimed two protocols featuredmany security attributes. In this paper, we show that Liu’s protocolsare insecure. Both of Liu’s protocols cannot provide perfect forward se-crecy.Key words: Key compromise impersonation attack; Authenticated keyexchange; Multiple key; Perfect forward secrecy.1 IntroductionAuthenticated key exchange (AKE) plays an important role in secure commu-nications. An AKE protocol allows two or more parties to agree upon a secretcommon session key over a public network. But the design of secure AKE proto-cols has always been a notorious hard problem. Many AKE protocols that haveappeared in the literature subsequently were proved to be flawed.Recently, Liu proposed two AKE protocols. One is a three-party multiplekey exchange protocol [1], which is based on the Lee’s protocol [2] and Hölbl’sprotocol [3]. The other is a two-party authenticated multiple key exchange pro-tocol [4], which is based on the Lee’s protocol [2]. In this paper, we will showthat both of them cannot provide perfect forward secrecy (PFS). In additional,the former cannot resist key compromise impersonation (KCI) attack.The rest of this paper is organized as follows. In section 2, we introducepreliminaries used in this paper. In section 3, we review Liu’s three-party pro-tocol. In section 4, we present analysis of Liu’s three-party protocol. In section5, we review Liu’s two-party protocol. In section 6, we propose analysis of Liu’stwo-party protocol. In the final section, we conclude this paper.2 PreliminariesIn this section, we introduce several Diffie-Hellman problems. Let G1 be anadditive group of order q, and G2 be a multiplicative group of order q. LetQ, W ∈ G1 and e : G1 ×G1 −→ G2 be a bilinear pairing that has the followingproperties:– Bilinearity: For any Q,W ∈ G1 and a, b ∈ Z∗q , we have e(aQ, bW ) =e(Q,W )ab.– Non-degeneracy: There exists Q,W ∈ G1 such that e(Q,W ) 6= 1.– Computability: For any Q,W ∈ G1, there exists an efficient algorithm tocompute e(Q,W ).Next, we describe DL and BDH problems:– Discrete Logarithm (DL) Problem: Given two elements Q,W ∈ G1.Find the integer n whenever such an integer exists, such that Q = nW .– Bilinear Diffie-Hellman (BDH) Problem: Let P is a generator of G1.Given (P, aP, bP, cP ) with a, b, c ∈ Z∗q , computes e(P, P )abc ∈ G2.We say that G2 satisfies the DL and BDH assumptions if no feasible adversarycan solve the DL and BDH problems with non-negligible probability.3 Review of Liu’s Three-Party ProtocolIn this section, we briefly review Liu’s three-party protocol proposed by Liu in2010. Let P be a generator of a cyclic additive group G1 of the prime order q,and G2 be a cyclic multiplicative group of the prime order q. e : G1×G1 −→ G2is a bilinear pairing. Each party i has a static private key Xi ∈ Z∗q and a staticpublic key Yi(= XiP ). For more details about the protocol, refer to [1].In the following description we suppose that three communications parties,A,B and C wish to communicate with each other.1. Party A chooses a1, a2 ∈ Z∗q randomly and computes TA1 = a1P andTA2 = a2P . Then party A computesSA1 = a1XA + a2, SA2 = a2XA + a1.Finally, party A sends the message (TA1, TA2, SA1, SA2, Cert(YA)) to partyB and party C.2. Similarly, party B chooses b1, b2 ∈ Z∗q randomly and computes TB1 = b1Pand TB2 = b2P . Then party B computesSB1 = b1XB + b2, SB2 = b2XB + b1.Finally, party B sends the message (TB1, TB2, SB1, SB2, Cert(YB)) to partyA and party C.In the same way, party C chooses c1, c2 ∈ Z∗q randomly and computesTC1 = c1P and TC2 = c2P . Then party C computesSC1 = c1XC + c2, SC2 = c2XC + c1.Finally, party C sends the message (TC1, TC2, SC1, SC2, Cert(YC)) to partyA and party B.3. Upon receiving the message from parties B and C, party A checks whethere((SB1 + SB2)P − (TB1 + TB2), P ) = e(TB1 + TB2, YB),e((SC1 + SC2)P − (TC1 + TC2), P ) = e(TC1 + TC2, YC),if they are equal, then computes the session keys Ki(i = 1, 2, ..., 8) as follows:K1 = e(a1TB1, XA(SC1P − TC2) + TC1)e(a1(SB1P − TB2), XATC1)= e((XAXB + XAXC + XBXC)P, P )a1b1c1K2 = e(a1TB1, XA(SC2P − TC1) + TC2)e(a1(SB1P − TB2), XATC2)= e((XAXB + XAXC + XBXC)P, P )a1b1c2K3 = e(a1TB2, XA(SC1P − TC2) + TC1)e(a1(SB2P − TB1), XATC1)= e((XAXB + XAXC + XBXC)P, P )a1b2c1K4 = e(a1TB2, XA(SC2P − TC1) + TC2)e(a1(SB2P − TB1), XATC2)= e((XAXB + XAXC + XBXC)P, P )a1b2c2K5 = e(a2TB1, XA(SC1P − TC2) + TC1)e(a2(SB1P − TB2), XATC1)= e((XAXB + XAXC + XBXC)P, P )a2b1c1K6 = e(a2TB1, XA(SC2P − TC1) + TC2)e(a2(SB1P − TB2), XATC2)= e((XAXB + XAXC + XBXC)P, P )a2b1c2K7 = e(a2TB2, XA(SC1P − TC2) + TC1)e(a2(SB2P − TB1), XATC1)= e((XAXB + XAXC + XBXC)P, P )a2b2c1K8 = e(a2TB2, XA(SC2P − TC1) + TC1)e(a2(SB2P − TB1), XATC2)= e((XAXB + XAXC + XBXC)P, P )a2b2c2Otherwise party A aborts.4. Party B and party C compute these session keys in the similar way, here weomit the details.4 Analysis of Liu’s Three-Party ProtocolIn this section, we show that Liu’s protocol cannot provide perfect forward se-crecy, and cannot resist key compromise impersonation attack.4.1 No PFSIn this subsection, we show that Liu’s three-party protocol cannot provide per-fect forward secrecy. If the adversary learns long-term private keys XA, XB andXC , the adversary can compute a1, a2 from SA1, SA2 as follows:SA1 = a1XA + a2 ⇒ a2 = SA1 − a1XA⇓SA2 = a2XA + a1, a2 = SA1 − a1XA ⇒ SA2 = (SA1 − a1XA)XA + a1⇓a1 = (SA2 − SA1XA)((XA)2 + 1)−1⇓a2 = SA1 − (SA2 − SA1XA)((XA)2 + 1)−1XA.Similarly, the adversary also can compute b1, b2 from SB1, SB2 and c1, c2 fromSC1, SC2. With these values (XA, XB , XC , a1, a2, b1, b2, c1, c2), the adversary caneasily recover session keys Ki(i = 1, ..., 8). It means that Liu’s three-party mul-tiple key agreement protocol cannot provide perfect forward secrecy.4.2 KCI AttackIn this subsection, we assume the adversary learns the long-term key XA. Fromsubsection 4.1, we know that the adversary can compute the values a1, a2. If theadversary has past session transcripts, he can impersonate successfully party Band party C to cheat party A in the new session.5 Review of Liu’s Two-Party ProtocolIn this section, we briefly review Liu’s two-party protocol [4] proposed by Liu in2010. Let P be a generator of a cyclic additive group G1 of the prime order q,and G2 be a cyclic multiplicative group of the prime order q. e : G1×G1 −→ G2is a bilinear pairing. Each party i has a static private key Xi ∈ Z∗q and a staticpublic key Yi(= XiP ). For more details about the protocol, refer to [4].In the following description we suppose that three communications parties,A and B wish to communicate with each other.1. Party A chooses a1, a2 ∈ Z∗q randomly and computes TA1 = a1YA andTA2 = a2PYA, Let KA1 and KA2 be the x-coordinate values of TA1 and TA2.Then party A computesSA = (a1KA1 + a2KA2)TA1 + XATA12.Finally, party A sends the message (TA1, TA2, SA, Cert(YA)) to party B.2. Similarly, party B chooses b1, b2 ∈ Z∗q randomly and computes TB1 = b1YBand TB2 = b2YB , Let KB1 and KB2 be the x-coordinate values of TB1 andTB2. Then party B computesSB = (b1KB1 + b2KB2)TB1 + XBTB2.Finally, party B sends the message (TB1, TB2, SB , Cert(YB)) to party A.3. Upon receiving the message (TB1, TB2, SB , Cert(YB)), party A takes out thex-coordinate values KB1 and KB2 from TB1 and TB2, checks whethere(SB , YB) = e(KB1TB1 + KB2TB2, TB1)e(TB2, YB),if e(SB , YB) = e(KB1TB1 +KB2TB2, TB1)e(TB2, YB), then computes the ses-sion keys K1,K2, K3,K4 as follows:K1 = e(a1XATB1, YA + YB)K2 = e(a1XATB2, YA + YB)K3 = e(a2XATB1, YA + YB)K4 = e(a2XATB2, YA + YB)Otherwise party A aborts.4. Upon receiving the message (TA1, TA2, SA, Cert(YA)), party B takes out thex-coordinate values KA1 and KA2 from TA1 and TA2, checks whethere(SA, YA) = e(KA1TA1 + KA2TA2, TA1)e(TA2, YA),if e(SA, YA) = e(KA1TA1 + KA2TA2, TA1)e(TA2, YA), then computes the ses-sion keys K1,K2, K3,K4 as follows:K1 = e(b1XBTA1, YA + YB)K2 = e(b1XBTA2, YA + YB)K3 = e(b2XBTA1, YA + YB)K4 = e(b2XBTA2, YA + YB)Otherwise party B aborts.6 Analysis of Liu’s Two-Party ProtocolIn this section, we show that Liu’s protocol cannot provide perfect forward se-crecy. The adversary E can carry out his attack as follows:K1 = e(b1XBTA1, YA + YB) = e(b1XBTA1, YA + YB)= e(b1XBTA1, (XA + XB)P )= e(b1XBTA1, (XA + XB)P )= e(XBTA1, (XA + XB)b1P )Since the adversary learns XB and XA, he can compute X−1B , then computesb1P = X−1B TB1. Finally, he can recover the session key K1 = e(XBTA1, (XA +XB)b1P ). In the similar way, the adversary also can recover K2,K3,K4 if he canlearns XB and XA.It means that Liu’s two-party protocol cannot provide perfect forward se-crecy.7 ConclusionIn this paper, we show Liu’s protocols cannot satisfy the security properties asclaimed. The three-party protocol cannot provide PFS and resist KCI attack,and the two-party protocol also cannot provide PFS.References1. Feng Liu, One-round and authenticated three-party multiple key exchange protocolfrom parings. Available at http://eprint.iacr.org/2010/239.2. Lee N.Y., Wu C.N., Wang C.C., Authenticated multiple key exchange protocolsbased on elliptic curves and bilinear pairings. Computer Electronic Engneering2008, 34(1): 12-203. Holbl M, Welzer T, Brumen B. Two proposed identity-based three-party authen-ticated key agreement protocols from pairings. Computers & Security 29(2010)244-2524. Feng Liu, Two improved authenticated multiple key exchange protocols. Availableat http://eprint.iacr.org/2010/267.

Security weakness of two authenticated key exchange protocols from pairings

Abstract

Similar works

Full text

Available Versions

Cryptology ePrint Archive