Abstract
Designing cryptographic protocols that are both efficient and secure for resource-constrained applications is a challenging task. In this paper, we formally analyze the security of an efficient one-pass authenticated key establishment protocol, the 1P-AKE protocol, which was primarily proposed for resource-constrained sensor node devices in wireless sensor networks (WSNs). In contrast to the existing identity-based one-pass key establishment protocols, the 1P-AKE protocol does not require any bilinear pairing computation in order to establish a key. This feature makes it attractive for resource-constrained application environments, such as WSNs, where pairing computations are too expensive. We show that, in the random oracle model, the 1P-AKE protocol is a secure authenticated one-pass key establishment protocol under the computational Diffie–Hellman assumption. The performance of the 1P-AKE protocol is also discussed and compared with the existing relevant protocols.
Notes
In a one-pass protocol only one message is transmitted, from the initiator to the responder. The initiator takes the empty string \(\lambda \) as input and transmits the message msg; the responder takes msg as input and transmits \(\lambda \).
References
Akyildiz, I.F., Su, W., Sankarasubramaniam, Y., Cayirci, E.: Wireless sensor networks: a survey. Comput. Netw. 38, 393–422 (2002)
Aranha, D.F., Dahab, R., López, J., Oliveira, L.B.: Efficient implementation of elliptic curve cryptography in wireless sensors. Adv. Math. Commun. 4(2), 169–187 (2010)
Bellare, M., Namprempre, C., Neven, G.: Security proofs for identity-based identification and signature schemes. In: Advances in Cryptology, EUROCRYPT 2004, LNCS, vol. 3027, pp. 268–286. Springer, Berlin (2004)
Benits Jr, W., Terada, R.: An IBE scheme to exchange authenticated secret keys. Cryptology ePrint Archive, Report 2004/071 (2004). http://eprint.iacr.org/
Beuchat, J.L., Diaz, J.E.G., Mitsunari, S., Okamoto, E., Rodriguez-Henriquez, F., Teruya, T.: High-speed software implementation of the optimal ate pairing over Barreto-Naehrig curves. Cryptology ePrint Archive, Report 2010/354 (2010). http://eprint.iacr.org/
Blake-Wilson, S., Johnson, D., Menezes, A.: Key agreement protocols and their security analysis. In: Proceedings of the IMA International Conference, LNCS, vol. 1355, pp. 30–45. Springer, Berlin (1997)
Cao, X., Kou, W., Dang, L., Zhao, B.: IMBAS: identity-based multi-user broadcast authentication in wireless sensor networks. Comput. Commun. 31(4), 659–667 (2008). doi:10.1016/j.comcom.2007.10.017
Chalkias, K., Baldimtsi, F., Hristu-Varsakelis, D., Stephanides, G.: Two types of key-compromise impersonation attacks against one-pass key establishment protocols. In: e-Business and Telecommunications, pp. 227–238 (2009). doi:10.1007/978-3-540-88653-2_17
Chen, L., Morrissey, P., Smart, N.P.: Pairings in trusted computing. In: Proceedings of Pairing’08, vol. 5209, pp. 1–17. LNCS. Springer, Berlin (2008)
Diffie, W., Hellman, M.E.: New directions in cryptography. IEEE Trans. Inf. Theory 22(6), 644–654 (1976)
Diffie, W., Van Oorschot, P.C., Wiener, M.J.: Authentication and authenticated key exchanges. Des. Codes Cryptogr. 2(2), 107–125 (1992). doi:10.1007/BF00124891
Galindo, D., Garcia, F.D.: A Schnorr-like lightweight identity-based signature scheme. In: AFRICACRYPT’09, LNCS, vol. 5580, pp. 135–148. Springer, Berlin (2009). doi:10.1007/978-3-642-02384-2_9
Gorantla, M.C., Boyd, C., González Nieto, J.M.: ID-based one-pass authenticated key establishment. In: AISC’08, pp. 39–46. Australian Computer Society, Inc. (2008)
Gorantla, M.C., Boyd, C., Nieto, J.M.G.: On the connection between signcryption and one-pass key establishment. IACR Cryptol. ePrint Archive 2009, 436 (2009)
Juels, A.: RFID security and privacy: a research survey. IEEE J. Sel. Areas Commun. 24(2), 381–394 (2006)
Krawczyk, H.: HMQV: a high-performance secure Diffie–Hellman protocol. In: CRYPTO 2005, pp. 546–566 (2005)
LaMacchia, B.A., Lauter, K., Mityagin, A.: Stronger security of authenticated key exchange. In: ProvSec’07, pp. 1–16 (2007)
Law, L., Menezes, A., Qu, M., Solinas, J.A., Vanstone, S.A.: An efficient protocol for authenticated key agreement. Des. Codes Cryptogr. 28(2), 119–134 (2003)
Longa, P., Gebotys, C.H.: Efficient techniques for high-speed elliptic curve cryptography. In: CHES, LNCS, vol. 6225, pp. 80–94. Springer, Berlin (2010)
MICA: http://www.memsic.com
Okamoto, T., Tso, R., Okamoto, E.: One-way and two-party authenticated ID-based key agreement protocols using pairing. In: MDAI’05, LNCS, vol. 3558, pp. 122–133. Springer, Berlin (2005)
Oliveira, L.B., Aranha, D.F., Gouvêa, C.P.L., Scott, M., Câmara, D.F., López, J., Dahab, R.: TinyPBC: Pairings for authenticated identity-based non-interactive key distribution in sensor networks. Comput. Commun. 34(3), 485–493 (2011)
Pottie, G.J., Kaiser, W.J.: Wireless integrated network sensors. Commun. ACM 43(5), 51–58 (2000). doi:10.1145/332833.332838
Sarr, A.P., Elbaz-Vincent, P., Bajard, J.C.: A secure and efficient authenticated Diffie–Hellman protocol. In: Proceedings of the 6th European Conference on Public Key Infrastructures, Services and Applications, EuroPKI’09, pp. 83–98. Springer, Berlin (2010). http://dl.acm.org/citation.cfm?id=1927830.1927839
Schnorr, C.P.: Efficient signature generation by smart cards. J. Cryptol. 4, 161–174 (1991)
Shamir, A.: Identity-based cryptosystems and signature schemes. In: Advances in Cryptology, CRYPTO 1984, pp. 47–53. Springer, Berlin (1985)
Wang, Y.: Efficient identity-based and authenticated key agreement protocol. Cryptology ePrint Archive, Report 2005/108 (2005). http://eprint.iacr.org/
Yasmin, R., Ritter, E., Wang, G.: An authentication framework for wireless sensor networks using identity-based signatures. In: Computer and Information Technology, CIT’10, pp. 882–889 (2010)
Yasmin, R., Ritter, E., Wang, G.: A pairing-free ID-based one-pass authenticated key establishment protocol for wireless sensor networks. In: The Fifth International Conference on Sensor Technologies and Applications (SENSORCOMM’11) (2011)
Yasmin, R., Ritter, E., Wang, G.: An authentication framework for wireless sensor networks using identity-based signatures: implementation and evaluation. IEICE Trans. E95-D(1), 126–133 (2012)
A Appendix: ID-based signature BNN-IBS
The BNN-IBS scheme (the identity-based signature of Bellare, Namprempre and Neven) has four algorithms: Setup, Key Extract, Sign and Verify.
Setup This algorithm sets up the system parameters \((E/F_{q},\,\mathbb {G},\,P,\,q,\,p,\,P_{PKG},\,H_{1},\,H_{2})\). It performs the following steps:
- Specify the parameters \(E/F_{q},\,q,\,p,\,P\hbox { and }\mathbb {G}\), where
  - \(E/F_{q}\) is an elliptic curve \(E\) over a finite field \(F_{q}\),
  - \(q\) is the field size and \(p\) is a large prime number,
  - \(P\) is a point of order \(p\) on the curve \(E\), and
  - \(\mathbb {G}\) is the cyclic group of order \(p\) under the point addition “+” generated by \(P\).
- Choose a master secret key \(s \in _{R} \mathbb {Z}_{p}^{*}\) uniformly at random.
- Compute the master public key \(P_{PKG} = sP\).
- Choose a cryptographic hash function \(H_{1}: \{0,1\}^{*} \times \mathbb {G}\rightarrow \mathbb {Z}_{p}^{*}\).
- Choose another cryptographic hash function \(H_{2}: \{0,1\}^{*} \rightarrow \mathbb {Z}_{p}^{*}\).
- Output the system parameters \(\{E/F_{q},\,\mathbb {G},\,P,\,q,\,p,\,P_{PKG},\,H_{1},\,H_{2}\}\) and keep \(s\) secret.
Key Extract This algorithm computes the private key corresponding to an identity. Given the identity \(ID_{u}\) of a user \(U\), the private key \(s_{u}\) is generated as follows:
- Choose \(r_{u} \in \mathbb {Z}_{p}^{*}\) at random and compute
  - \(R_{u} = r_{u} P\),
  - \(c_{u} = H_{1}(ID_{u}, R_{u})\),
  - \(s_{u} = r_{u} + c_{u} s\), where \(s\) is the master secret key.
The user \(U\) obtains \((R_{u},\,s_{u})\) via a secure channel. Here \(s_{u}\) is the secret information whereas \(R_{u}\) is public.
Sign The user \(U\) with identity \(ID_{u}\) and private key \(s_{u}\) signs a message \(m\) as follows:
- Choose \(y \in \mathbb {Z}_{p}^{*}\) at random and compute
  - \(Y = yP\),
  - \(h = H_{2}(ID_{u},\,m,\,R_{u},\,Y)\),
  - \(z = y + hs_{u}\).
The tuple \(\left\langle R_{u}, Y, z \right\rangle \) is \(U\)’s signature on the message \(m\).
Verify Given the signature tuple \(\left\langle R_{u}, Y, z \right\rangle \), \(U\)’s identity \(ID_{u}\) and the message \(m\), the receiver verifies the signature as follows:
- Compute \(c_{u} = H_{1}(ID_{u}, R_{u})\).
- Compute \(h = H_{2}(ID_{u},\,m,\,R_{u},\,Y)\).
- Check whether the following equation holds:
$$\begin{aligned} zP \mathop {=}\limits ^{?} Y + h(R_{u} + c_{u}P_{PKG}) \end{aligned}$$
The signature is accepted if it does and rejected otherwise.
Correctness The correctness of the scheme follows from
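The four algorithms of the appendix, carried through end to end as an added example in pure Python; this is not the paper's code or an implementation the authors evaluated. It assumes secp256k1 as the concrete \((E/F_{q},\,\mathbb {G},\,P,\,q,\,p)\) (the curve's field prime, base point and group order are renamed to the paper's \(q\), \(P\) and \(p\)), SHA-256 with domain separation standing in for \(H_{1}\) and \(H_{2}\), identities and messages given as byte strings, and Python 3.8 or later for the modular inverse via pow(x, -1, q). Scalars are reduced modulo \(p\); the appendix writes \(s_{u} = r_{u} + c_{u}s\) and \(z = y + hs_{u}\) without the reduction, which changes nothing in the group elements computed. The on-curve and range checks on the signer-supplied \(R_{u}\), \(Y\) and \(z\) in verify are additions a practitioner would want; the appendix does not state them. The identity node-17 and the reading it signs are constructed sample input.

```python
"""BNN-IBS (Setup, Key Extract, Sign, Verify) over secp256k1 in pure Python.
Added example with assumed parameters, not code from the paper."""
import hashlib
import secrets

# E: y^2 = x^3 + 7 over F_q; P has prime order p and generates G (the paper's notation).
q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F  # field size
p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # order of P
P = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def on_curve(A):
    # None is the point at infinity; otherwise check the curve equation in F_q.
    if A is None:
        return True
    x, y = A
    return 0 <= x < q and 0 <= y < q and (y * y - x ** 3 - 7) % q == 0

def ec_add(A, B):
    """Affine point addition on E."""
    if A is None:
        return B
    if B is None:
        return A
    x1, y1 = A
    x2, y2 = B
    if x1 == x2:
        if (y1 + y2) % q == 0:                       # B = -A
            return None
        lam = 3 * x1 * x1 * pow(2 * y1, -1, q) % q   # doubling
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, q) % q
    x3 = (lam * lam - x1 - x2) % q
    return (x3, (lam * (x1 - x3) - y1) % q)

def ec_mul(k, A):
    """Double-and-add kA; not constant-time, for demonstration only."""
    R = None
    while k:
        if k & 1:
            R = ec_add(R, A)
        A = ec_add(A, A)
        k >>= 1
    return R

def encode_point(A):
    return A[0].to_bytes(32, "big") + A[1].to_bytes(32, "big")

def hash_to_zp_star(*parts):
    """Length-prefixed SHA-256 of the parts, mapped into Z_p^* = {1, ..., p-1}."""
    h = hashlib.sha256()
    for part in parts:
        h.update(len(part).to_bytes(4, "big") + part)
    return int.from_bytes(h.digest(), "big") % (p - 1) + 1

def H1(ID, R):
    return hash_to_zp_star(b"BNN-IBS-H1", ID, encode_point(R))

def H2(ID, m, R, Y):
    return hash_to_zp_star(b"BNN-IBS-H2", ID, m, encode_point(R), encode_point(Y))

def setup():
    """Master secret s in Z_p^* and master public key P_PKG = sP."""
    s = secrets.randbelow(p - 1) + 1
    return s, ec_mul(s, P)

def key_extract(s, ID_u):
    """Private key (R_u, s_u) for ID_u: s_u = r_u + c_u s (mod p) is secret, R_u is public."""
    r_u = secrets.randbelow(p - 1) + 1
    R_u = ec_mul(r_u, P)
    c_u = H1(ID_u, R_u)
    return R_u, (r_u + c_u * s) % p

def sign(ID_u, R_u, s_u, m):
    """Signature <R_u, Y, z> on m with z = y + h s_u (mod p)."""
    y = secrets.randbelow(p - 1) + 1
    Y = ec_mul(y, P)
    h = H2(ID_u, m, R_u, Y)
    return R_u, Y, (y + h * s_u) % p

def verify(P_PKG, ID_u, m, sig):
    """Accept iff zP == Y + h(R_u + c_u P_PKG).  The range and on-curve checks on the
    signer-supplied R_u, Y and z are added here; the appendix does not state them."""
    R_u, Y, z = sig
    if not (0 < z < p) or R_u is None or Y is None or not (on_curve(R_u) and on_curve(Y)):
        return False
    c_u = H1(ID_u, R_u)
    h = H2(ID_u, m, R_u, Y)
    return ec_mul(z, P) == ec_add(Y, ec_mul(h, ec_add(R_u, ec_mul(c_u, P_PKG))))

def demo():
    """Constructed sample: node 'node-17' signs a reading; returns
    (genuine accepted, altered message rejected, wrong identity rejected)."""
    s, P_PKG = setup()
    R_u, s_u = key_extract(s, b"node-17")
    sig = sign(b"node-17", R_u, s_u, b"temp=21.5C")
    return (verify(P_PKG, b"node-17", b"temp=21.5C", sig),
            verify(P_PKG, b"node-17", b"temp=99.0C", sig),
            verify(P_PKG, b"node-18", b"temp=21.5C", sig))
```

Running demo() returns (True, False, False): the genuine signature verifies, and changing either the message or the claimed identity changes \(h\) or \(c_{u}\) so the verification equation fails. The verifier needs only the public \(P_{PKG}\), the identity and the public \(R_{u}\) carried in the signature, which is what makes the scheme identity-based; the three scalar multiplications in verify are the cost a sensor node pays per signature check.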
Cite this article
Yasmin, R., Ritter, E. & Wang, G. Provable security of a pairing-free one-pass authenticated key establishment protocol for wireless sensor networks. Int. J. Inf. Secur. 13, 453–465 (2014). https://doi.org/10.1007/s10207-013-0224-7