Provable security of a pairing-free one-pass authenticated key establishment protocol for wireless sensor networks

Abstract

Designing efficient as well as secure cryptographic protocols for resource-constrained applications is a challenging task. In this paper, we formally analyze the security of an efficient one-pass authenticated key establishment protocol, the 1P-AKE protocol, which is primarily proposed for resource-constrained sensor nodes devices in wireless sensor networks (WSNs). In contrast to the existing identity-based one-pass key establishment protocols, the 1P-AKE protocol does not require any bilinear pairing computation in order to establish a key. This feature makes it really attractive for resource-constrained application environments, such as WSNs, where pairing computations are too expensive. We show that in the random oracle model, the 1P-AKE protocol is a secure authenticated one-pass key establishment protocol under the computational Diffie–Hellman assumption. The performance of the 1P-AKE protocol is also discussed and compared with the existing relevant protocols.

A Appendix: ID-based signature BNN-IBS

The BNN-IBS scheme has four algorithms: Setup, Key Extract, Sign and Verify.

Setup This algorithm sets up the system parameters which are \((E/F_{q},\,\mathbb {G},\,P,\,q,\,p,\,P_{PKG},\,H_{1},\,H_{2})\). This algorithm performs the following steps:

• Specify the parameters \(E/F_{q},\,q,\,p,\,P\hbox { and }\mathbb {G}\), where

  • \(E/F_{q}\) is an elliptic curve \(E\) over a finite field \(F_{q}\),

  • \(q\) is the field size and \(p\) is a large prime number,

  • \(P\) is a point of order \(p\) on the curve \(E\) and,

  • \(\mathbb {G}\) is a cyclic group of order \(p\) under the point addition “+” generated by \(P\).

• Chose a master secret key \(s \in _{R} \mathbb {Z}_{p}^{*}\) uniformly.

• Compute the master public key as \(P_{PKG}\) = \(sP\).

• Choose one cryptographic hash function \(H_{1}\) = \(\{0,1\}^{*} \times \mathbb {G}\rightarrow \mathbb {Z}_{p}^{*}\).

• Choose another cryptographic hash function \(H_{2} = \{0,1\}^{*} \rightarrow \mathbb {Z}_{p}^{*}\).

• Output the system parameters \(\{E/F_{q},\,\mathbb {G},\,P,\,q,\,p,\,P_{PKG}\), \(H_{1},\,H_{2}\}\) and keep \(s\) secret.

Key Extract This algorithm computes the private keys corresponding to the \(ID\)s. Given an identity \(ID_{u}\) of a user \(U\), the corresponding private key \(s_{u}\) is generated as

• Choose at random \(r_{u} \in \mathbb {Z}_{p}^{*}\) and compute

• \(R_{u}\) = \(r_{u} P\)

• \(c_{u}\) = \(H_{1}(ID_{u}, R_{u})\)

• \(s_{u}\) = \(r_{u} + c_{u}x\)

The user \(U\) obtains \((R_{u},\,s_{u})\) via a secure channel. Here, \(s_{u}\) is the secret information whereas \(R_{u}\) is public.

Sign The user \(U\) with identity \(ID_{u}\) and private key \(s_{u}\) signs a message \(m\) as follows:

• Choose at random \(y \in \mathbb {Z}_{p}^{*}\) and compute

• \(Y\) = \(yP\)

• \(h\) = \(H_{2}(ID_{u},\,m,\,R_{u},\,Y)\)

• \(z\) = \(y\) + \(hs_{u}\)

The tuple \(\left\langle R_{u}, Y, z \right\rangle \) is \(U\)’s signature on message \(m\).

Verify Given the signature tuple \(\left\langle R_{u}, Y, z \right\rangle ,\,U\)’s identity \(ID_{u}\) and the message \(m\), the receiver verifies the signature as follows:

• Compute \(c_{u}\) = \(H_{1}(ID_{u}, R_{u})\)

• Compute \(h\) = \(H_{2}(ID_{u},\,m,\,R_{u},\,Y)\)

• Check whether the following equation holds

  $$\begin{aligned} zP \mathop {=}\limits ^{?} Y + h(R_{u} + c_{u}P_{PKG}) \end{aligned}$$

The signature is accepted if the answer is yes and rejected otherwise.

Correctness The correctness of the scheme follows from

$$\begin{aligned} zP&= Y + h(R_{u} + c_{u}P_{PKG}) \\&= yP + h(r_{u}P + c_{u}sP) \\&= yP + h(r_{u} + c_{u}s)P \\&= yP + hs_{u}P \\&= (y + hs_{u})P. \end{aligned}$$