Practical RSA-PAKE for Low-Power Device in Imbalanced Wireless Networks

For enhancing the security of ubiquitous communication, we have to consider three keywords: mobility, wireless, and low computing capability. In this paper, we study one of the security protocols suitable for the ubiquitous communication environment. We discuss RSA-based password-authenticated key exchange (RSA-PAKE) protocols for imbalanced wireless networks where a party uses a low-power device to communicate with another party equipped with a powerful computing device. For imbalanced wireless network applications, it is important to reduce the cost of communication for a low-power device even if the cost for the powerful device increases. The most power-consuming operation in RSA-PAKE protocols is the reliability test of unauthorized RSA public keys. Hence, it is important to design an efficient reliability test method in order to construct an efficient RSA-PAKE protocol. In this paper, we propose a new reliability test technique and design a provably secure RSA-PAKE protocol using the technique. Our protocol is suitable for securing the communications conducted over imbalanced wireless networks since the operations computed by one communicating party are efficient enough to be implemented on most low-power devices such as mobile phones and PDAs. The cost of a low-power device is reduced by 84.25% compared with CEKEP, the most efficient RSA-PAKE protocol. We prove the security of our protocol under a firmly formalized security model.


Introduction
For enhancing the security of ubiquitous communication, we have to consider three keywords: mobility, wireless, and low computing capability. In this paper, we study one of the security protocols suitable for the ubiquitous communication environment. We discuss RSA-based password-authenticated key exchange (RSA-PAKE) protocols for imbalanced wireless networks where a party uses a low-power device to communicate with another party equipped with a powerful computing device.
For securing the communications conducted over wireless networks, password-authenticated key exchange (PAKE) protocols are needed since two parties can establish a session key without storing any sensitive information in mobile devices. Note that we are interested in imbalanced wireless networks where the two communicating parties have different computational capabilities. Generally, mobile devices have low capabilities. Hence, for imbalanced wireless networks, it is important to reduce the cost of communications for a low-power device even if the cost for a powerful device increases. For PAKE protocols that have been designed based on the Diffie-Hellman key exchange protocol (DH-PAKE protocols), each communicating party should compute at least two exponentiations with 160-bit exponents (for 80-bit security). Hence, it seems hard to design a DH-PAKE protocol for imbalanced wireless network applications where a party uses a low-power mobile device for communications. For PAKE protocols that have been designed based on the RSA function (RSA-PAKE protocols), one of the two parties can establish a session key by performing a small number of encryptions. Hence, RSA-based PAKE protocols seem to be suitable for imbalanced wireless networks since the cost of the RSA function is imbalanced in the sense that the encryption operation is very efficient while decryption is not. For example, if we use 3 as the public exponent for the RSA function, the encryption operation requires 2 multiplications while the decryption requires one exponentiation with a full-size (1024-bit) exponent.
For RSA-PAKE protocols, the existence of a public-key infrastructure (PKI) is not assumed, and thus a set of unauthorized public key pairs ( , ) is used without any authorized certificate. Therefore, we have to verify the reliability of the unauthorized RSA keys. Due to the additional cost for verifying the reliability of the keys, it is not easy to design an efficient RSA-PAKE protocol. Note that the most power-consuming operation in RSA-PAKE protocols is the reliability test of unauthorized RSA public keys. Hence, it is important to design an efficient reliability test method to improve the performance of an RSA-PAKE protocol. Until now, several researchers have tried to design efficient RSA-PAKE protocols [1][2][3][4][5][6][7][8]. However, they are not efficient enough to be implemented on most low-power devices. Hence, it will be valuable to design a new RSA-PAKE protocol which provides a more efficient key exchange for low-power devices than existing RSA-PAKE protocols.
The goal of this paper is to design a new RSA-PAKE protocol which is suitable for securing the communications conducted over imbalanced wireless networks. To design an efficient RSA-PAKE protocol, we provide very simple and efficient conditions for testing the reliability of a set of RSA parameters. In our protocol, a low-power device can establish a session key by choosing a 52-bit prime and performing one exponentiation with the prime exponent. According to our experimental results, the cost of a client is reduced by 84.25% compared with CEKEP, which is the most efficient RSA-PAKE protocol until now. Our protocol can be implemented more efficiently by generating the prime before a key exchange protocol is initiated. In this case, the cost of a client can be reduced by 88.46%. We prove the security of our protocol in the random oracle model under a firmly formalized security model.

Preliminary
In this section, we briefly review formal security models for RSA-PAKE protocols and some mathematical backgrounds.

Security Model.
Let and be two communicating parties, and let D be the password space. We assume that and share a password ∈ D. Let be an active adversary who attacks the key exchange between and by controlling their messages. The adversary may capture transmitted messages and verify guessed passwords using the collected information until he/she finds the correct password. This type of attack is called an offline password guessing attack. The security goal of a password-authenticated key exchange protocol is to provide password-enabled key exchange which is secure against offline password guessing attacks mounted by the active adversary . In this paper, we review the main points of the well-formalized security models introduced by Bellare et al. [9]. (Refer to [9] for details.)
Adversarial Model. When a protocol is executed, each party behaves as specified in the protocol. For given queries, each instance returns its outputs. Let Π be the th instance of . Note that each instance may be used only once. Each instance has a session key , a session id , and a partner id . In general, the session id of Π is the ordered concatenation of all messages sent and received by Π . An adversary can make queries to any instance. When the instance returns its output to the adversary, the internal state of the instance is also updated. can make the following queries for any instance.
Then, Π executes as specified by the protocol and returns its response to . If the instance accepts given as a valid message, the acceptance of the message, the session id , and the partner id will be made visible to . If the message is not accepted as a valid one, the instance terminates the oracle call, and the termination is also made visible to the adversary.
(ii) Execute( , , , ). By this oracle call, obtains a transcript of an honest execution between two instances Π and Π , where Π and Π are unused instances such that ̸ = .
(iii) Reveal( , ). By this oracle call, is given to the adversary , where is the session key of Π .
(iv) Test( , ). The instance Π generates a random bit . If = 1, real session key of the instance is given to . If = 0, a random value is given to as a session key. This query is allowed only once.
In the random oracle model, cryptographic hash functions are treated as random oracles. Hence, the adversary can make queries for random oracles. The queries for random oracles are treated as follows.
(v) Oracle( ). obtains a random value for the message by this oracle call. When the oracle models a hash function, the answer returned by the oracle is the hashed value of .
Partnering, Freshness, and Correctness. We say that two instances Π and Π are partnered if they satisfy the following conditions: (1) Π and Π have accepted given messages; (2) Π and Π have the same session id ; (3) the partner id of Π is and vice versa.
An instance Π is called fresh if the instance has accepted given messages and does not ask Reveal oracle queries for Π or its partner instance Π . The correctness requires that two instances should have the same session key if they are partnered and they have accepted.
Definitions of Security. Let P be a password-based protocol and let A be an adversary who tries to break the security of the protocol P. Let Succ be the event that A asks a Test query on a fresh instance Π and correctly guesses the bit which was selected during the Test query. Then, the advantage of A is defined as Adv(A, P) = 2Pr[Succ] − 1. Note that every probabilistic polynomial time adversary can always test the validity of a guessed password by performing an online dictionary attack. Hence, the protocol P is considered to be secure if an online dictionary attack is the best way to break the security of P. Note that an online attack can be mounted by making a Send oracle query. Based on the above observation, the security of an RSA-PAKE protocol can be defined as follows.
Definition 1. Let |D| be the size of the password space D and let be the number of Send queries. Then, an RSA-PAKE protocol P is secure if the following holds: where ADV is the set of all probabilistic polynomial time adversaries and is a negligible value.

Mathematical Background.
We recall a well-known theorem, the prime number theorem [10], and use it for obtaining two theorems, Theorems 2 and 3, that are used to demonstrate the security of our protocol.
Recall that the prime number theorem tells us that the number of primes smaller than a positive integer is approximately ( ) ≈ / ln for a large .

Theorem 2.
Let be an ℓ-bit prime chosen uniformly at random. Then, the probability that someone correctly guesses the prime is about 2ℓ/2^ℓ.

Theorem 3.
Let be a randomly chosen ℓ-bit pseudoprime which is not a prime with probability 1/2^ℓ. Then, the probability that someone chooses an ℓ-bit integer such that | ( ) is bounded by 2ℓ/2^ℓ + 1/2^ℓ.

It is easy to prove the above theorems, and thus we omit them due to lack of space. (Omitted proofs will be provided in the full version of this paper.)

Our RSA-PAKE Protocol
In this section, we propose an efficient RSA-PAKE protocol which is suitable for imbalanced wireless networks. We assume that two communicating parties and share a common password for establishing a session key. Let P_ℓ be the set of all ℓ-bit pseudoprimes that are not prime with probability 1/2^ℓ ≈ 1/(2|D|). The size of the prime is determined such that ℓ ≥ log_2 ℓ + log_2 |D| + 2. We use four hash functions : {0, 1}^* → Z and : {0, 1}^* → {0, 1}^{ℓ_h} for = 1, 2, 3. Then, our RSA-PAKE protocol runs as follows.
terminates the protocol; otherwise, he/she computes = 3 (̂||info) and uses it as a session key.
Remark 4. Note that, in our protocol, we use a pseudoprime which is not prime with probability 1/2^ℓ. Therefore, the number of iterations of the Miller-Rabin primality test is determined so that a pseudoprime is indeed a prime with probability 1 − 1/2^ℓ.

Security Analysis
In this section, we prove the security of our protocol according to the security model described in Section 2.1. Similar to the work by Zhang [7], we define a series of hybrid experiments where the first experiment describes the real adversary attack and each subsequent experiment is gradually modified so that the adversary has negligible advantage in the last experiment. We denote these hybrid experiments by Exp for ∈ {0, . . . , 4}. Let Adv(A, ) be the advantage of A in Exp .
Experiment Exp 0. The first experiment coincides with the real adversary attack. Therefore, all transmitted messages are computed according to the description of the proposed protocol. Since we prove the security of our protocol in the random oracle model, the four hash functions are treated as random oracles and we maintain a list of input-output pairs for each random oracle. Note that we have Adv^PAKE_{RSA-PAKE,D}(A) = Adv(A, 0) for an adversary A since the first experiment describes the real adversary attack.
Experiment Exp 1. In this experiment, we modify the Execute oracle. When the Execute oracle is called for two instances Π and Π , the session keys and are replaced by an ℓ_h-bit random string rather than an output of the random oracle 3 .
In Lemma 5, we will show that the increment of the advantage of A that results from the modification of the Execute oracle is bounded by a negligible value. Throughout this paper, Adv_RSA denotes the maximum advantage of adversaries who solve the RSA problem.
Proof. We omit the proof of Lemma 5 due to lack of space. (Omitted proofs will be provided in the full version of this paper.)
The remainder of our security proof is to show that the Send oracle gives negligible advantage to the adversary. We can classify Send oracle calls into five types as follows.
(iii) Send 2 ( , , , , ). If is not an ℓ-bit prime, the protocol execution is terminated. Otherwise, Π queries on ||info, receives the answer from the oracle , computes = ( ||info), and tests if gcd( , ) = 1 and gcd( , ( )) = 1. If one of the conditions does not hold, Π chooses a random ̂ ∈ Z^*; otherwise, it computes ̂ = ( ⋅ ^{−1}) mod . Then, Π queries the hash oracle 1 on ̂||info and returns the reply received from 1 .
(iv) Send 3 ( , , ). If the answer returned by 1 on ||info is not , Π rejects the protocol; otherwise, it queries the hash oracles 2 and 3 on ||info and receives the replies and from 2 and 3 , respectively. Then, Π accepts as a session key and returns .
(v) Send 4 ( , , ). If the answer returned by 2 on ̂||info is not , Π rejects the protocol; otherwise, Π accepts the answer returned by the oracle 3 on ||info as a session key.
A message is called oracle-generated if it was returned by an instance; otherwise, the message is called adversary-generated. If a message was returned by Π , it is called a Π-oracle-generated message.
Experiment Exp 2. In this experiment, we make the following modification when an instance Π receives a Π-oracle-generated message ( , ) in a Send oracle call.
(i) If both Π and Π accept, we choose a random ℓ ℎ -bit value and give it to two instances as a session key.
(ii) If Π does not accept but Π accepts, we choose a random ℓ ℎ -bit value and give it to Π as a session key.
In this case, no session key is defined for Π .
Assume that Π receives a Π-oracle-generated message ( , ) in a Send oracle call and returns ( , , ) where is an ℓ-bit prime, ∈ {0, 1}^ℓ, and = ⋅ mod for random ∈ Z^* and ∈ Z^*. Note that is the answer returned by the random oracle on || || || || || || , since gcd( , ) = 1 holds with probability 1 ≈ 1 − 2^{−ℓ/2}. Note that, as proved in Lemma 5, we can show that the probability that A recovers the random value is P ≤ Adv_RSA + / ( ). Since A cannot generate valid and without the knowledge of , the two instances Π and Π accept the protocol execution only if the instances Π and Π receive a Π-oracle-generated message and a Π-oracle-generated message , respectively. Hence, A can distinguish Exp 1 and Exp 2 only if the adversary can test whether or not a session key is the answer returned by the random oracle 3 on || || || || || || . Without the knowledge of , the session key looks like a random value from A's point of view, and thus A cannot distinguish between the two experiments. As a result, we have |Adv(A, 1) − Adv(A, 2)| = P ≤ Adv_RSA + / ( ), since A asks at most Send queries.
Experiment Exp 3. In this experiment, we consider the case where an instance Π receives a Π-oracle-generated message ( , , ) in a Send 2 oracle call, while the instance Π received a Π-oracle-generated message ( , ) in a Send 1 oracle call. If Π and Π accept the protocol execution and their session keys were not replaced by a random value in the experiment Exp 2, we give a random ℓ_h-bit value to them as a session key.
Proof. It is clear that the advantage of A in Exp 3 is identical with its advantage in Exp 2 since the only way to distinguish the two experiments is recovering the random value as discussed in Lemma 6.
Experiment Exp 4. In this experiment, we consider the case where an instance Π (or Π ) receives an adversary-generated message in a Send 2 (or Send 1) oracle call. If Π (or Π ) accepts the protocol execution, we stop the experiment and the adversary is said to have succeeded. Note that this modification of the experiment certainly improves the adversary's advantage.
Proof. Note that, in Exp 4, the adversary A can obtain more information than in Exp 3. Hence, it is obvious that Adv(A, 4) is greater than Adv(A, 3).
It remains to show that the adversary's advantage in the last experiment is negligible.
Proof. We omit the proof of Lemma 9 due to lack of space. (Omitted proofs will be provided in the full version of this paper.)
By combining Lemmas 5, 6, 7, 8, and 9, we obtain Theorem 10.

Theorem 10. Let A be a probabilistic polynomial time algorithm which asks at most Execute queries, Send queries, and Oracle queries for hash functions. Let |D| be the size of the password space D. Then, one has Adv^PAKE_{RSA-PAKE,D}(A) ≤ |D| where 1 = + 3 and 2 = ( + 3 ) .
Proof. Note that, by Lemma 8, it is easy to see that Adv(A, 0) ≤ ∑ 2 =0 |Adv(A, ) − Adv(A, + 1)| + Adv(A, 4). By Lemmas 5, 6, 7, and 9, we have Adv(A, 0) ≤ |D|
Note that Theorem 10 tells us that the proposed RSA-PAKE protocol is secure in terms of the security model described in Section 2.1 if the RSA problem is intractable.

Performance
In this section, we compare the proposed protocol with existing RSA-PAKE protocols, except the EPAKE protocol, since the insecurity of that protocol has been discovered [11]. Let C_Exp be the cost of an exponentiation under a 1024-bit modulus with an -bit exponent, let C_MGen be the cost of generating an -bit RSA modulus, let C_PGen be the cost of generating an -bit prime, and let C_PVer be the cost of verifying an -bit prime. Note that C_Exp = C_Exp . For comparison, we set ℓ = 1024, ℓ = ℓ_h = 160, ℓ_1 = 1025, ℓ_2 = 96, and ℓ = 52. For determining the number of Miller-Rabin primality tests, we refer to [12]. Our protocol uses a 52-bit pseudoprime which is indeed prime with probability 1 − 1/2^ℓ (= 1 − 2^{−41}), and so it suffices to perform the primality test 37 times according to the formula given in [12].
We performed experiments under Windows XP Professional with a 3.4 GHz Pentium 4 processor. As seen in Table 1, our protocol provides very efficient key exchange compared with other RSA-PAKE protocols in terms of computational complexity. The computational complexity of the party is reduced by 84.25% compared to the CEKEP protocol. Moreover, the proposed protocol can be implemented more efficiently by generating a prime before a key exchange protocol is initiated. PEKEP is the most efficient RSA-PAKE protocol in terms of communication overhead. The size of the communicated messages in our scheme is almost the same as that of PEKEP and shorter than other protocols, and thus our protocol is also efficient in terms of communication overhead.
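The cost asymmetry discussed above and the reliability conditions of Section 3, as an added illustration that is not the paper's own code: the client generates a 52-bit pseudoprime with the 37 Miller-Rabin rounds quoted from [12], the server checks the prime before using it, and the client's only heavy step is one exponentiation with that prime. Since the symbols are missing from the extracted text, the server-side test is assumed here to be gcd(e, n) = 1 and gcd(e, φ(n)) = 1 with e the client's prime; the sizing rule helper, the RSA primes p, q and the message are constructed values.

```python
import math
import secrets

# Constructed parameters matching the page's choice: a 52-bit pseudoprime,
# accepted after 37 Miller-Rabin rounds (the count the paper takes from [12]).
PRIME_BITS = 52
MR_ROUNDS = 37


def is_probable_prime(n, rounds=MR_ROUNDS):
    """Miller-Rabin: a composite survives `rounds` random bases with
    probability at most 4**-rounds, which is the pseudoprime error term."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13):
        if n % small == 0:
            return n == small
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)  # base in [2, n-2]
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # a witness of compositeness was found
    return True


def gen_pseudoprime(bits=PRIME_BITS, rounds=MR_ROUNDS):
    """Client side: random odd `bits`-bit candidates until one passes the test."""
    while True:
        e = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(e, rounds):
            return e


def server_accepts_exponent(e, p, q, bits=PRIME_BITS):
    """Server side (assumed reading of the page's reliability test): e must be
    a `bits`-bit prime with gcd(e, n) = 1 and gcd(e, phi(n)) = 1 for n = p*q."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (e.bit_length() == bits and is_probable_prime(e)
            and math.gcd(e, n) == 1 and math.gcd(e, phi) == 1)


def client_encrypt(m, e, n):
    """The client's single expensive step: one modular exponentiation whose
    exponent is the short prime e rather than a full-size 1024-bit exponent."""
    return pow(m, e, n)


def prime_size_sufficient(bits, dict_size):
    """Section 3's sizing rule l >= log2(l) + log2(|D|) + 2 (assumed helper);
    with it, Theorem 2's guess probability 2*l / 2**l is at most 1/(2|D|)."""
    return bits >= math.log2(bits) + math.log2(dict_size) + 2
```

With a 40-bit password space, ℓ = 52 satisfies the sizing rule while ℓ = 40 does not, and the exponent the client picks can only be guessed with probability about 2·52/2^52.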

Conclusion
In this paper, we proposed an efficient RSA-PAKE protocol which is suitable for securing the communications conducted over imbalanced wireless networks and proved the security of our protocol in the random oracle model. Compared with other RSA-PAKE protocols, our protocol provides very efficient key exchange. In our protocol, the cost for the holder of a low-power device can be reduced by 84.25% compared with CEKEP. Moreover, our protocol can be implemented more efficiently by pregenerating a prime before a key exchange protocol is initiated.