A pairing-free identity-based authenticated key agreement protocol with minimal message exchanges
Introduction
IDentity-based Authenticated Key Agreement (ID-AKA) protocols establish secure session key(s) between two users without pre-established security associations by using users’ ID-based private long-term keys. To establish a session key, a user chooses an ephemeral secret to generate a key token and exchanges the key token with her peer. Then both the protocol participants can generate the session key based on their own private long-term key, the ephemeral secret, the peer’s key token, and the peer’s public key.
A bilinear pairing is a mathematical map that takes two elements of an elliptic curve group to an element of the related finite field, and is commonly used in building ID-AKA protocols and other security schemes [6], [17], [20]. However, since the bilinear pairing is always defined over a supersingular elliptic curve group with large element size, the operation time for a pairing is even longer than that of an RSA private key operation, which makes pairings one of the most expensive cryptographic operations known [5]. Therefore, ID-AKA protocols without pairings may be more appealing in practice.
There are environments in which the communication round time matters. For example, in mobile IP registration, a one-round AKA protocol is wanted to reduce the message exchange time between a foreign domain and a home domain [10]. Also, in Wireless Sensor Networks (WSN), a two-round AKA protocol is preferred to extend the WSN lifetime [21]. Although not stated explicitly, it is a common understanding that a “perfect” ID-AKA protocol should be one-round, i.e. comprising two protocol messages in all, to enable a non-interactive key agreement.
Many ID-AKA protocols using pairings have been proposed after Joux’s work (pairing-based tripartite key establishment protocol [11]) and Boneh and Franklin’s work (ID-based encryption from pairings [3]), such as Smart’s protocol [19], the SCK protocol [8], the CJL protocol [9] and the MB protocol [14]. All of these protocols realize secure session key establishment with minimal message exchange, and progressively reduce the number of pairings used: of note is the MB protocol, which requires only one pairing operation. In 2007, Zhu et al. [22] proposed an ID-AKA protocol without pairings based on Elliptic Curve Cryptography (ECC). However, this protocol combines a pairing-free ID-based signature scheme with the Diffie–Hellman key exchange, and such an explicit authentication method results in larger computation complexity and message size. Later, Cao et al. [4] proposed a pairing-free ID-AKA protocol based on the combination of the Computational Diffie–Hellman (CDH) problem and the Divisible CDH problem over an ECC group. Their protocol realizes implicit authentication, which makes it more efficient. Unfortunately, both Zhu’s and Cao’s protocols require three message exchanges. Therefore, minimizing the number of message exchanges of pairing-free ID-AKA protocols is still an open problem [4].
In this paper, we solve the problem based on the Computational Diffie–Hellman problem over an ECC group; the protocol is also pairing-free and can be extended to establish authenticated keys between users of different domains. We also prove the security of the protocol with Kudla–Paterson’s modular approach [13] in the mBR model.
The remaining part of this paper is organized as follows. The preliminaries including the ID-based cryptosystem and ECC groups are introduced in Section 2, and Section 3 describes the security model. In Section 4, we introduce the new ID-AKA protocol. Section 5 gives the formal security proof and Section 6 concludes the paper.
ID-based cryptosystem
The concept of ID-Based Cryptography (IBC) was proposed by Shamir in 1984 [16] to remove the transmission, verification, and maintenance of public key certificates. IBC employs a user’s unique identifier, e.g., e-mail address, rather than a random number, as the user’s public key, and the user’s corresponding private key is generated based on the user’s public key by the system’s trusted authority. The system’s trusted authority is unique and is the establisher of the ID-based cryptosystem. It
Modular approach for security proof in mBR model
The Modified Bellare–Rogaway model (mBR model) [1] is a well-defined model that describes the security of AKA protocols. However, proofs in the mBR model are always error-prone. To provide a concise but precise security proof for AKA protocols in the mBR model, Kudla and Paterson proposed a modular approach [13] that is regarded as one of the best solutions for proving AKA protocols secure [7]. In this section, we introduce the approach.
Protocol description
In this section we describe our pairing-free ID-AKA protocol with two message exchanges. The protocol is composed of three randomized algorithms, i.e. Setup, Extract, and Key Agreement.
Setup: Takes a security parameter k, returns system parameters and a master key. Given k, KGC does the following:
(1) Choose a k-bit prime p and determine the tuple as defined in Section 2.2.
(2) Choose the master key and compute the system public key Ppub = xP.
(3) Choose two cryptographically secure hash
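The Setup step above fixes the public parameters (a k-bit prime p, a generator P, and Ppub = xP). The Python below, an added example and not the paper's own code, carries such a setup through a complete one-round exchange on a toy curve; since this page shows neither the paper's Extract nor its Key Agreement step, it assumes a Schnorr-style Extract and an implicitly authenticated key derivation of the same general shape described in the introduction (ephemeral secret, key token, own long-term key, peer's reconstructed public key).

```python
import hashlib
import secrets
# Toy curve y^2 = x^3 + 2x + 2 over F_17 with generator P of prime order n = 19 (textbook
# parameters, far too small for real use); they stand in for the tuple of Section 2.2.
p, a_coef, P, n = 17, 2, (5, 1), 19
def ec_add(A, B):                      # affine point addition; None is the point at infinity
    if A is None: return B
    if B is None: return A
    if A[0] == B[0] and (A[1] + B[1]) % p == 0: return None
    if A == B: lam = (3 * A[0] * A[0] + a_coef) * pow(2 * A[1], -1, p) % p
    else:      lam = (B[1] - A[1]) * pow(B[0] - A[0], -1, p) % p
    x = (lam * lam - A[0] - B[0]) % p
    return (x, (lam * (A[0] - x) - A[1]) % p)

def ec_mul(k, Q):                      # double-and-add scalar multiplication, scalars in Z_n
    R, k = None, k % n
    while k:
        if k & 1: R = ec_add(R, Q)
        Q, k = ec_add(Q, Q), k >> 1
    return R
def enc(Q): return b"O" if Q is None else f"{Q[0]},{Q[1]}".encode()
def H1(ID, R): return int.from_bytes(hashlib.sha256(ID.encode() + enc(R)).digest(), "big") % n
def H2(*parts): return hashlib.sha256(b"|".join(parts)).digest()   # session-key derivation

def setup():                           # KGC: master key x and system public key Ppub = xP
    x = secrets.randbelow(n - 1) + 1
    return x, ec_mul(x, P)

def extract(x, ID):                    # assumed Schnorr-style Extract: key (R_i, s_i), s_i = r_i + H1(ID_i, R_i)*x
    r = secrets.randbelow(n - 1) + 1
    R = ec_mul(r, P)
    return R, (r + H1(ID, R) * x) % n

def session_key(Ppub, my_id, my_key, my_eph, peer_id, peer_R, peer_T, initiator):
    s = my_key[1]
    Q_peer = ec_add(peer_R, ec_mul(H1(peer_id, peer_R), Ppub))  # = s_peer*P, rebuilt from the peer's token only
    K1 = ec_mul(s + my_eph, ec_add(Q_peer, peer_T))              # (s_me+e_me)(s_peer+e_peer)P: implicit authentication
    K2 = ec_mul(my_eph, peer_T)                                   # e_me*e_peer*P: forward secrecy if a long-term key leaks
    ids = (my_id, peer_id) if initiator else (peer_id, my_id)     # both sides order the transcript initiator-first
    Ts = (ec_mul(my_eph, P), peer_T) if initiator else (peer_T, ec_mul(my_eph, P))
    return H2(ids[0].encode(), ids[1].encode(), enc(Ts[0]), enc(Ts[1]), enc(K1), enc(K2))

def run_protocol():                    # one round: each side sends (ID, R, T) exactly once
    x, Ppub = setup()
    key_a, key_b = extract(x, "alice@example.org"), extract(x, "bob@example.org")
    ea, eb = secrets.randbelow(n - 1) + 1, secrets.randbelow(n - 1) + 1   # ephemeral secrets
    T_a, T_b = ec_mul(ea, P), ec_mul(eb, P)                               # key tokens
    sk_a = session_key(Ppub, "alice@example.org", key_a, ea, "bob@example.org", key_b[0], T_b, True)
    sk_b = session_key(Ppub, "bob@example.org", key_b, eb, "alice@example.org", key_a[0], T_a, False)
    return sk_a, sk_b
```

Note that neither party ever transmits or verifies a signature: the peer's long-term public value s_peer·P is reconstructed from (ID, R) and Ppub, which is what makes the authentication implicit and keeps the exchange at two messages.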
Security proof
In this section, we prove the security of the new protocol using Kudla and Paterson’s modular approach. We first turn the new protocol Π into a related protocol π, which is similar to the former except that π uses the string as the session key while Π uses . Then we prove the cNR-mBR security of π. Theorem 2 Given the security parameter k of Protocol π, if for π there is an adversary E who can win the cNR-mBR game with non-negligible probability in
Conclusion
In this paper, we have proposed a pairing-free ID-AKA protocol based on the computational Diffie–Hellman problem. The protocol provides strong security protection including key compromise impersonation resilience, perfect forward secrecy, and master key forward secrecy. We also prove the security of the protocols using the modular approach. Compared with previous protocols, the new protocol minimizes the number of message exchanges with no extra cost, thus reducing the energy consumption and protocol
Acknowledgments
The authors thank Professor Bruce Maggs for constructive comments and discussions about this paper. The authors would also like to thank Ms. Heather Lane and Ms. Mia Berge for helping revise the language of the paper. Thanks to the anonymous reviewers and editors who helped to improve this paper.
References (22)
- et al., Certificateless threshold ring signature, Inform. Sci. (2009).
- et al., Efficient identity-based authenticated key agreement protocol from pairings, Appl. Math. Comput. (2005).
- Certificate-based verifiably encrypted signatures from pairings, Inf. Sci. (2008).
- et al., An improved identity-based key agreement protocol and its security proof, Inf. Sci. (2009).
- et al., A survey of key management schemes in wireless sensor networks, Comput. Commun. (2007).
- et al., An efficient identity-based key exchange protocol with KGS forward secrecy for low-power devices, Theor. Comput. Sci. (2007).
- M. Bellare, P. Rogaway, Random oracles are practical: a paradigm for designing efficient protocols, in: Proceedings of...
- S. Blake-Wilson, D. Johnson, A. Menezes, Key agreement protocols and their security analysis, in: Proceedings of the...
- D. Boneh, M. Franklin, Identity-based encryption from the Weil pairing, in: Proceedings of CRYPTO 2001, LNCS, vol....
- et al., Identity-based authentication key agreement protocols without bilinear pairings, IEICE Trans. Fundam. (2008).
- Identity-based anonymous remote authentication for value-added services in mobile networks, IEEE Trans. Veh. Technol.
1. The algorithm part of the paper was finished when the author was with Xidian University.