Mutual-anonymity and Authentication Key Agreement Protocol

Starting from the characteristics of trusted computing, we propose an efficient authentication and key agreement protocol with mutual anonymity based on a pseudonym ring signature. The ring signature hides the identity information of the communicating parties and so prevents the leakage of private information. The protocol finally derives a shared session key between the parties for their future secure communication, in particular in a trusted computing environment. The protocol achieves universally composable security and is more efficient than the schemes it is compared with.


INTRODUCTION
In some specialised cryptographic applications a key agreement protocol must also protect the privacy of the communicating parties. In a trusted computing environment, for instance, protecting the privacy of communication is one of the important functions of the trusted system. The Trusted Computing Group (2009) released the TPM v1.1 Privacy CA scheme and the TPM v1.2 Direct Anonymous Attestation (DAA) scheme so that Trusted Platform Modules can authenticate each other with mutual anonymity and avoid having their behaviour tracked.
Anonymous digital signatures such as ring signatures (Xu et al., 2004; Bender et al., 2006), Direct Anonymous Attestation (Brickell and Li, 2010; Chen et al., 2010) and anonymous credentials (Camenisch and Lysyanskaya, 2004) play an important role in privacy-enhancing technologies. They allow an entity (e.g., a user, a computer platform or a hardware device) to create a signature without revealing its identity. Anonymous signatures also enable anonymous entity authentication.
Ring signatures, first introduced by Rivest, Shamir and Tauman, enable a user to sign a message so that a ring of possible signers (of which the user is a member) is identified, without revealing which member of that ring actually generated the signature. In contrast to group signatures, ring signatures require no central authority and no coordination among the users (indeed, users do not even need to be aware of each other). Furthermore, because the signer chooses the ring, ring signature schemes grant users fine-grained control over the level of anonymity associated with any particular signature.
Among existing key agreement protocols, Chow and Choo (2007) used user groups and identity-based cryptography to construct a two-way anonymous authenticated key agreement protocol, but it needs more multiplication operations. Walker and Li (2010) built an authenticated key agreement protocol on top of DAA, but it provides only unidirectional anonymity between the communicating parties. Wei et al. (2011) put forward a more efficient password-based anonymous authenticated key agreement protocol that satisfies mutual anonymity but gives no formal security analysis. In this study we first construct a pseudonym-based ring signature ideal functionality F_P-R-SIG and an anonymous authenticated key agreement ideal functionality F_A-AKE. We then propose a mutual-anonymity authentication and key agreement protocol that is both efficient and provably secure. The proposed protocol is well suited to trusted computing environments, and the derived session key can be used for the parties' subsequent secure communication.

PROBLEM ASSUMPTIONS
The scheme of this study rests on the elliptic curve cryptosystem (Enge, 2013), the discrete logarithm problem, bilinear pairings (Su et al., 2012) and the collision resistance of a one-way hash function. The definitions and the related hardness assumptions are as follows. Let E(F_p) be an elliptic curve over F_p, where p is a large prime of at least 160 bits. Let G be a cyclic group of order p in E(F_p), written multiplicatively, and let P be a generator of G.

Fig. 1: Ring signature ideal functionality based on pseudonym, F_P-R-SIG

Let C_pi (resp. S_pi) be the pseudonym of C_i (resp. S_i); S denotes the ideal-process adversary.

Key Generation: Upon receiving a value (KeyGen, C_pi, sid) from C_i, verify that sid = (C_pi, sid') for some sid'. If not, ignore the request. Else hand (KeyGen, C_pi, sid) to S. Upon receiving (VerKey, sid, C_pi, y_i) from S, output it to C_i and record (C_pi, y_i). C = {C_p1, C_p2, ..., C_pN} is the set of pseudonymous users that have executed key generation, and Y = {y_1, y_2, ..., y_N} is the set of corresponding public keys.

Signature Generation: Upon receiving a value (P-R-Sign, sid, C_pi, m) from C_i, verify that sid = (C_pi, sid') for some sid'. If not, or if C_pi ∉ C, ignore the request. Else send (P-R-Sign, sid, C_pi, m) to S. Upon receiving (P-R-Signature, sid, C_pi, m, σ) from S, verify that no entry (m, σ, y_i, 0) is recorded. If one is, output an error message to C_i; else output (P-R-Signature, sid, C_pi, m, σ) to C_i and record the entry (m, σ, y_i, 1).

Signature Verification: Upon receiving a value (P-R-Sign-Verify, sid, m, S_pi, σ, y_i) from S_i, hand it to S. Upon receiving (P-R-Sign-Verified, sid, m, S_pi, σ, y_i, φ) from S, do:
• If y_i ∈ Y and the entry (m, σ, y_i, 1) is recorded, set f = 1.
• Else, if y_i ∈ Y and no entry (m, σ, y_i, 1) is recorded, set f = 0 and record the entry (m, σ, y_i, 0).
• Else, if there is an entry (m, σ, y_i, f'), let f = f'.
• Else let f = φ and record the entry (m, σ, y_i, φ).
Finally output (P-R-Sign-Verified, sid, S_pi, m, f) to S_i.

Protocol ρ_rs (the real-life pseudonym ring signature protocol) runs as follows:
• On receiving (KeyGen, C_pi, sid) from C_i, verify that sid = (C_pi, sid') for some sid'. If not, ignore the request. Else run the key generation algorithm KeyGen, save the secret key x_i and output (VerKey, sid, C_pi, y_i). On receiving (P-R-Sign, sid, C_pi, m) from C_i, execute the P-R-Sign algorithm to obtain the signature σ and output (P-R-Signature, sid, C_pi, m, σ).
• On receiving a value (P-R-Sign-Verify, sid, S_pi, m, σ, Y') from the verifier S_i, execute the P-R-Verify algorithm to obtain the verification value f and output (P-R-Sign-Verified, sid, S_pi, m, σ, Y', f).
• Wait to receive values (P-R-Sign-Verified, sid, C_pi, m, σ, Y', f) or (P-R-Sign-Verified, sid, S_pi, m, σ, Y', f) from the parties C_i, S_i and the adversary S. Upon receiving such a message from C_i or S_i, forward it to S.
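As an added example that is not code from the paper, the following Python class implements the bookkeeping rules of F_P-R-SIG exactly as listed in Fig. 1: the sid check, the (C_pi, y_i) and (m, σ, y_i, f) records, and the four verification cases. The DemoAdversary class is a constructed stand-in for the ideal-process adversary S; the key strings, signature strings and the verdict φ it returns are assumptions made for the demonstration and carry no cryptographic meaning. What the run shows is the guarantee the functionality encodes: a signature on an honestly generated key that was never issued through the functionality is rejected no matter what the adversary answers, and the adversary only gets to decide for keys outside Y.

```python
class PseudonymRingSigFunctionality:
    """State and rules of F_P-R-SIG: C -> Y key records and (m, sigma, y_i, f) entries."""

    def __init__(self, adversary):
        self.adv = adversary      # stand-in for the ideal-process adversary S
        self.keys = {}            # C_pi -> y_i   (the sets C and Y)
        self.records = {}         # (m, sigma, y_i) -> f

    @staticmethod
    def _sid_ok(sid, pid):
        # sid must have the form (C_pi, sid')
        return isinstance(sid, tuple) and len(sid) == 2 and sid[0] == pid

    def keygen(self, sid, pid):
        """(KeyGen, C_pi, sid): S chooses y_i, which is recorded and returned to C_i."""
        if not self._sid_ok(sid, pid):
            return None                        # ignore the request
        y = self.adv.choose_key(sid, pid)
        self.keys[pid] = y
        return y

    def sign(self, sid, pid, m):
        """(P-R-Sign, sid, C_pi, m): record (m, sigma, y_i, 1) unless already marked invalid."""
        if not self._sid_ok(sid, pid) or pid not in self.keys:
            return None                        # malformed sid or C_pi not in C
        y = self.keys[pid]
        sigma = self.adv.choose_signature(sid, pid, m)
        if self.records.get((m, sigma, y)) == 0:
            raise ValueError("entry (m, sigma, y_i, 0) already recorded")
        self.records[(m, sigma, y)] = 1
        return sigma

    def verify(self, sid, m, sigma, y):
        """(P-R-Sign-Verify, sid, m, S_pi, sigma, y_i): the four cases of Fig. 1."""
        phi = self.adv.choose_verdict(sid, m, sigma, y)
        registered = y in self.keys.values()   # y_i in Y
        rec = self.records.get((m, sigma, y))
        if registered and rec == 1:
            return 1          # produced through the functionality: completeness
        if registered:
            self.records[(m, sigma, y)] = 0
            return 0          # honest key, never signed: unforgeability, whatever phi says
        if rec is not None:
            return rec        # unregistered key seen before: consistency
        self.records[(m, sigma, y)] = phi
        return phi            # unregistered key, first query: adversary decides


class DemoAdversary:
    """Constructed stand-in for S; it always claims a signature is valid (phi = 1)."""

    def __init__(self):
        self.count = 0

    def choose_key(self, sid, pid):
        return f"y[{pid}]"

    def choose_signature(self, sid, pid, m):
        self.count += 1
        return f"sig{self.count}({m})"

    def choose_verdict(self, sid, m, sigma, y):
        return 1


def demo():
    """One run: a genuine signature, a forgery on an honest key, a repeat, and a foreign key."""
    F = PseudonymRingSigFunctionality(DemoAdversary())
    sid = ("C_p1", "session-42")
    y1 = F.keygen(sid, "C_p1")
    ignored = F.keygen(("C_p2", "session-42"), "C_p1")   # sid not of the form (C_p1, sid')
    sigma = F.sign(sid, "C_p1", "hello")
    genuine = F.verify(sid, "hello", sigma, y1)          # 1
    forged = F.verify(sid, "hello", "forged", y1)        # 0, although S answered phi = 1
    repeat = F.verify(sid, "hello", "forged", y1)        # 0, the record is kept
    foreign = F.verify(sid, "hello", "forged", "y[?]")   # 1, S decides for unregistered keys
    return ignored, genuine, forged, repeat, foreign
```

The error branch in sign() is the one the page describes for Signature Generation: if a verification query has already recorded (m, σ, y_i, 0), the functionality refuses to later declare that same (m, σ) valid, so a verdict never flips from invalid to valid.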

Definition 2 (Decisional Diffie-Hellman problem): Given (P, aP, bP, cP) with a, b, c ∈ Z_p, decide whether c = ab.

Definition 3 (Discrete logarithm problem): Given elements g, h ∈ G, find the least positive integer a such that h = g^a, provided such an integer exists.

Definition 4 (Bilinear map): Let G_1, G_2 be two groups of the same prime order q; we view G_1 as an additive group and G_2 as a multiplicative group, and let P be an arbitrary generator of G_1. A mapping e: G_1 × G_1 → G_2 with the following properties is called a bilinear map from a cryptographic point of view:
• Bilinearity: e(aP, bQ) = e(P, Q)^(ab) for all P, Q ∈ G_1 and a, b ∈ Z_q^*.
• Non-degeneracy: if P is a generator of G_1, then e(P, P) is a generator of G_2; in other words, e(P, P) ≠ 1.
• Computability: there exists an efficient algorithm to compute e(P, Q) for all P, Q ∈ G_1.

ANONYMOUS KEY AGREEMENT PROTOCOL SECURITY MODEL
The Universally Composable (UC) security framework is a formal model, grounded in computational complexity theory, for designing and analysing security protocols (Canetti and Krawczyk, 2002a; Canetti, 2005a). Its most outstanding property is modularity: cryptographic protocols can be designed separately, and as long as each subprotocol is UC-secure, its security is preserved when it is composed with, or run in parallel with, other protocols (Canetti et al., 2005b).
Ring signature anonymous authentication convinces the receiver that the sender is a legitimate member of the ring without revealing which member it is. However, because the signer's identity is recorded in the session identifier (sid), others could learn its true identity from the sid. To achieve anonymity we therefore use a pseudonym in place of the signer's true identity in the sid. Following the signature functionality of Canetti (2004), and substituting pseudonyms for the members' actual identities, we first construct a ring signature ideal functionality based on pseudonyms, F_P-R-SIG, as shown in Fig. 1. We also need an anonymous authenticated key agreement ideal functionality; following Canetti and Krawczyk (2002b) and Hofheinz et al. (2003), the constructed functionality F_A-AKE is shown in Fig. 2.

THE NEW ANONYMOUS AUTHENTICATION KEY AGREEMENT PROTOCOL
The network model of the protocol is shown in Fig. 3. Each user and server has a unique identity in the trusted environment. All users must register with the servers before performing key agreement, and all users and servers are divided into groups. In the key agreement process the users and the servers both communicate using pseudonyms. The symbols used in this study and their meanings are listed in Table 1.
In this study, the mutual anonymous authentication key agreement protocol based on pseudonym ring signature is divided into three phases:

System initialization:
The trusted third party (TTP) is responsible for generating the system parameters of the network. The specific steps are as follows:
• TTP chooses a large prime p, p ≥ 2^160, and constructs the cyclic group G and the elliptic curve E(F_p) as in the problem assumptions above.
• Bilinear map e: G × G → G_T, where G is a multiplicative cyclic group of order p and g is a generator of G.
• Assume that there exist n servers S = {ID_s1, ID_s2, ..., ID_sn} in the trusted network.
• TTP publishes the system parameters (p, q, e, E, G, G_T, g, H_u, H_m).

Registration phase:
Each user in the user group C = {ID_c1, ID_c2, ..., ID_cm} must register with the servers in S. Every user group is assigned to a server group by the server administrator, and a ring signature is produced on the server group identity set; correspondingly, every user can also produce a ring signature on the user group identity set. Assume that user ID_cπ (ID_cπ ∈ C) needs to communicate with server ID_sπ (ID_sπ ∈ S). The registration process is as follows. The server administrator randomly selects t of the n servers as a server group, recorded as S_π = {ID_s1, ID_s2, ..., ID_st}, where server ID_sπ must be among those selected (the default server). The ring signature follows the scheme of Yu et al. (2012); the specific signing steps are:
• ID_sπ randomly selects an integer s ∈_R Z_p^*, computes g_1 = g^s, selects g_2 ∈_R G and u' ∈_R Z_p, lets U = (u_i) be a t_u-dimensional vector with u_i ∈_R Z_p, publishes the parameters P_pub = (p, g, g_1, g_2, u', U, H_u, H_m) and keeps the master key k_mk = g_2^s.
• Let v_j = H_u(ID_sj), let v_j[i] denote the i-th bit of v_j for i ∈ {1, ..., t_u}, and consider the set of indices i for which v_j[i] = 1.
• Randomly select r_uj ∈ Z_p and compute Z = g ; the ring signature on message M is σ = (Z, S, R_1, R_2, ..., R_t).
• Further, server ID_sπ randomly selects integers s and x_S with 2 ≤ x_S ≤ q−1, computes X_S = g^(x_S) mod p and S_p = (S_π, H_m(s)); S_p is the pseudonym of server ID_sπ, used for its later communication with the users. Finally the server ID_sπ sends M, S_π, σ, X_S, s and S_p to user ID_cπ over a suitably secure channel.
• Upon receiving these messages, ID_cπ computes S' and S'_p and verifies that e(S', g) = e(g_1, Z) and S_p = S'_p hold.

Key agreement:
After registration, suppose user ID_cπ and server ID_sπ need to conduct the anonymous key agreement. The procedure is as follows:
• Server ID_sπ selects two random integers r_S, a with 2 ≤ r_S, a ≤ q−1, computes M_S, N_S = g^a mod p and S_S = x_S r_S + x_S + a mod q, and sends (M_S, N_S, S_S) to user ID_cπ.
• After user ID_cπ receives (M_S, N_S, S_S), it computes a check value mod p from them and compares it with X_S. If they are equal, user ID_cπ selects two random integers r_C, b with 2 ≤ r_C, b ≤ q−1, computes M_C mod p, N_C = g^b mod p and S_C = x_C r_C + x_C + b mod q, and sends (M_C, N_C, S_C) to server ID_sπ.
• Session key: the user and the server derive the common session key k_S = H_m(k_e, M_S, M_C, S_S, S_C).
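As an added example that is not the paper's code, the following Python script walks through both the registration signature and the key agreement exchange described above, playing the server and the user in one process. Several pieces are substitutions made for the demonstration: the group is a freshly generated 48-bit safe prime (far below the p ≥ 2^160 the paper requires), H_m is SHA-256 reduced into Z_q^*, and the ring signature is a Schnorr-type ring signature (Abe-Ohkubo-Suzuki construction) instead of the pairing-based scheme of Yu et al. Two elements of the key agreement are not recoverable from the page and are filled in as labelled assumptions: the formula for M_S and M_C (taken here as X^r mod p, so that g^S = M·X·N mod p can be checked against the long-term key X received at registration) and the value k_e fed into the session key (taken as the Diffie-Hellman value N_S^b = N_C^a = g^(ab)).

```python
import hashlib
import secrets

# Toy group, illustration only: the page prescribes p >= 2^160; a fresh 48-bit safe
# prime p = 2q + 1 is generated here so that the example runs in well under a second.
SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_prime(n: int) -> bool:
    """Miller-Rabin with the first twelve primes as bases: deterministic below 3.3e24."""
    if n < 2 or any(n % sp == 0 for sp in SMALL_PRIMES):
        return n in SMALL_PRIMES
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime_group(bits: int = 48):
    """(p, q, g) with p = 2q + 1 prime and g = 4 = 2^2, a square, hence of order exactly q."""
    while True:
        q = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_prime(q) and is_prime(2 * q + 1):
            return 2 * q + 1, q, 4

P, Q, G = safe_prime_group()

def h_m(*parts) -> int:
    """H_m: {0,1}* -> Z_q*, modelled with SHA-256 (assumption: the page fixes no hash)."""
    data = b"|".join(repr(x).encode() for x in parts)
    return 1 + int.from_bytes(hashlib.sha256(data).digest(), "big") % (Q - 1)

def rand_exp() -> int:
    """Uniform integer in [2, q-1], the range the page uses for secret exponents."""
    return 2 + secrets.randbelow(Q - 2)

def keygen():
    x = rand_exp()
    return x, pow(G, x, P)                 # long-term (x, X = g^x mod p)

# Registration: ring signature over a group identity set. Swapped-in scheme: a
# Schnorr-type ring signature (Abe-Ohkubo-Suzuki), not the pairing-based scheme of
# Yu et al. used by the paper. The verifier learns only that some key in Y signed.
def ring_sign(m, Y, pi, x):
    n = len(Y)
    c, s = [0] * n, [0] * n
    alpha = rand_exp()
    c[(pi + 1) % n] = h_m(m, Y, pow(G, alpha, P))
    i = (pi + 1) % n
    while i != pi:                          # random responses for every non-signer
        s[i] = rand_exp()
        c[(i + 1) % n] = h_m(m, Y, pow(G, s[i], P) * pow(Y[i], c[i], P) % P)
        i = (i + 1) % n
    s[pi] = (alpha - x * c[pi]) % Q         # closing the ring needs the signer's x
    return c[0], s

def ring_verify(m, Y, sig):
    c0, s = sig
    c = c0
    for i in range(len(Y)):
        c = h_m(m, Y, pow(G, s[i], P) * pow(Y[i], c, P) % P)
    return c == c0

# Key agreement: the (M, N, S) exchange and the session key.
def make_move(x):
    """Build (M, N, S) and keep the ephemeral a. The page gives N = g^a mod p and
    S = x*r + x + a mod q; M's formula is lost, so the assumption M = X^r = g^(x r) mod p
    is used, which makes g^S = M * X * N mod p checkable against the long-term X."""
    r, a = rand_exp(), rand_exp()
    X = pow(G, x, P)
    return (pow(X, r, P), pow(G, a, P), (x * r + x + a) % Q), a

def check_move(msg, X_peer):
    M, N, S = msg
    return pow(G, S, P) == M * X_peer * N % P

def session_key(k_e, msg_s, msg_c):
    M_S, _, S_S = msg_s
    M_C, _, S_C = msg_c
    return h_m(k_e, M_S, M_C, S_S, S_C)     # k_S = H_m(k_e, M_S, M_C, S_S, S_C)

def run_agreement(x_s, X_S, x_c, X_C):
    msg_s, a = make_move(x_s)
    if not check_move(msg_s, X_S):          # user checks the server's move against X_S
        raise ValueError("server move rejected")
    msg_c, b = make_move(x_c)
    if not check_move(msg_c, X_C):          # server checks the user's move against X_C
        raise ValueError("user move rejected")
    k_e_user = pow(msg_s[1], b, P)          # N_S^b = g^(ab); assumption: k_e is this value
    k_e_server = pow(msg_c[1], a, P)        # N_C^a = g^(ab)
    return session_key(k_e_user, msg_s, msg_c), session_key(k_e_server, msg_s, msg_c)
```

With these assumptions ring_sign(M, Y, π, x) lets the default server ID_sπ sign the identity set of its server group so that a verifier holding only Y cannot tell which of the t keys produced the signature, and run_agreement plays both roles of the key agreement and returns the two derived keys, which agree; check_move rejects a message whose S has been altered or that is checked against the wrong long-term key. Replacing the toy group with a group of the size the paper requires changes nothing in the protocol logic.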

SECURITY ANALYSIS OF THE PROTOCOL
The security proof proceeds in three steps:
• Prove that our pseudonym-based ring signature protocol ρ_rs securely realizes the ideal functionality F_P-R-SIG.
• Prove that our anonymous authentication key agreement protocol π' securely realizes the ideal functionality F_A-AKE in the F_P-R-SIG-hybrid model.
• Use the universal composition theorem to combine ρ_rs and π' and show that the combined protocol is equivalent to protocol π, the pseudonym ring signature-based authentication and key agreement protocol with mutual anonymity, which securely realizes F_P-R-SIG and F_A-AKE in the real-life model.

Fig. 4: Simulator S
• Any input from the environment machine Z is transmitted to A, and any output of A is copied to Z's output (to be read by Z).
• Whenever S receives a message (KeyGen, sid, C_pi) from F_P-R-SIG: if sid is not of the form (C_pi, sid'), ignore the request. Otherwise S selects y_i, records it and returns (VerKey, sid, C_pi, y_i) to F_P-R-SIG.
• Whenever S receives a message (P-R-Sign, sid, C_pi, C', m) from F_P-R-SIG: if sid = (C_pi, sid') and a signing key for y_i is recorded, S computes σ = sig(y_i, m) and hands (P-R-Signature, sid, C_pi, m, C', σ) back to F_P-R-SIG. Otherwise it does nothing.
• When A corrupts some party C_i, S corrupts C_i in the ideal process. If C_i is the signer, S reveals the signing key as the internal state of C_i.

Lemma 1: If the CDH assumption holds, the ring signature protocol ρ_rs UC-realizes the ideal ring signature functionality F_P-R-SIG.
Proof: Suppose, for contradiction, that ρ_rs does not UC-realize F_P-R-SIG. Then there exist an environment Z and a real-life adversary A such that, for any ideal-process adversary S, Z can tell whether it is interacting with A and ρ_rs or with S in the ideal process for F_P-R-SIG. The simulation is shown in Fig. 4. The two executions differ only in the verification output: on input (P-R-Sign-Verify, sid, m, C', σ, Y'), the ideal functionality returns 0 for any signature that was not produced through it, so a Z that distinguishes the executions from the recorded outputs must supply a forged ring signature that verifies in the real protocol. Under the CDH assumption the probability of forging such a signature is negligible, which contradicts the assumption. Hence Lemma 1 holds.
Lemma 2: If the DDH assumption holds, then protocol π' securely realizes F_A-AKE in the F_P-R-SIG-hybrid model.
Proof: We first construct an ideal-process adversary S (Fig. 5) such that no environment machine Z can tell whether it is interacting with the adversary H and π' in the F_P-R-SIG-hybrid model or with S and F_A-AKE in the ideal process; that is, for any environment Z we need F_P-R-SIG-hybrid_π',H,Z ≈ IDEAL_F,S,Z.

Fig. 5: Simulator S for Lemma 2
• Any input from Z is passed to H, and all outputs of H are treated as the outputs of S, so that Z can read them.
• When S receives (sid, C_pi, S_pi, role) from F_A-AKE, this indicates that C_i has launched the authentication key agreement, so S simulates an execution of π' interacting with H in the F_P-R-SIG-hybrid model; given the same input, S lets the simulated C_i and H interact with Z according to the execution rules of π'.
• To simulate the execution of π', S may activate F_P-R-SIG to obtain the corresponding signature value σ; S can also compute k = prf(r, ·), where r is the key output to C_i and S_i by F_A-AKE.
• When C_i produces a local output and S_i is not corrupted, S sends the output of F_A-AKE to C_i; if S_i has been corrupted, the key value is decided by S, which uses the earlier output of C_i to determine the local output of the simulated C_i and S_i. When H corrupts C_i, S also corrupts C_i: if F_A-AKE has already sent a key to C_i, S obtains that key; if neither C_i nor S_i has produced a local output, S hands its internal state, including their secretly chosen values, to H; if either C_i or S_i has produced a local output, their ephemeral private values have already been erased and S passes the local key directly to H.

Assume now that under the execution of S there exists an environment machine Z that distinguishes, with non-negligible probability, whether it is interacting with H and π' in the F_P-R-SIG-hybrid model or with S and F_A-AKE in the ideal process; that is, the probability that F_P-R-SIG-hybrid_π',H,Z ≠ IDEAL_F,S,Z is 1/2 + ε for a non-negligible advantage ε of Z. We construct a distinguisher D, shown in Fig. 6, that uses such an environment machine Z' to solve the DDH problem.
Analysing the execution of D: if its input (p, q, g, α*, β*, γ*) is drawn from Q_0, then γ* is the real key of C_i and S_j after the execution of π', and the view of Z' of the local outputs equals its view of the execution of π' with H in the F_P-R-SIG-hybrid model. If (p, q, g, α*, β*, γ*) is drawn from Q_1, then γ* is a random value, and the view of Z' equals its view of the execution of S with F_A-AKE in the ideal model, because in the ideal model the key that F_A-AKE sends to C_i and S_j is simply a random value chosen by it. By construction of D, its probability of distinguishing Q_0 from Q_1 equals the probability that Z' distinguishes the ideal and hybrid executions, namely 1/2 + ε, which contradicts the DDH assumption. Hence Lemma 2 holds.
Theorem 1: In the real-life model, protocol π securely realizes the ideal functionality F_A-AKE, and for any environment machine Z, REAL_π,A,Z ≈ IDEAL_FA-AKE,S,Z. Hence the mutual-anonymity authentication and key agreement protocol is secure in the UC model.

EFFICIENCY ANALYSIS
The system initialization and registration phases of the new protocol can be precomputed. We compare our protocol with those of Chow and Choo (2007) and Wei et al. (2011), counting only the relatively expensive operations: modular exponentiation, point multiplication, inversion, bilinear pairing and modular multiplication. Let T_exp, T_emul, T_ebp and T_mul denote the cost of a modular exponentiation, a point multiplication, a bilinear pairing and a modular multiplication respectively, and let m be the size of the group. The comparison is given in Table 2.

CONCLUSION
This study puts forward a mutually anonymous key agreement protocol based on pseudonym ring signatures. The scheme provides unconditional anonymity between the communicating parties, protects the privacy of their communication and achieves universally composable security. The system initialization and registration phases can be precomputed, so the protocol is efficient and well suited to the scenarios of a trusted computing environment.

Fig. 2: Anonymous authentication key agreement ideal functionality F_A-AKE


Fig. 6: Distinguisher D

Table 1: The symbols and their meanings in this study

Symbol                    Meaning
H_u: {0,1}^(t_u) → G      Collision-resistant one-way hash function used to generate identity information
H_m: {0,1}* → Z_p^*       Collision-resistant one-way hash function used to generate message information
ID_si                     Server identity
ID_ci                     User identity
S                         Identity set of all the servers in the network
C                         Identity set of a group of users

Table 2: The calculation cost comparison of anonymous authentication key agreement protocols