I. Introduction
Background. Key agreement is a fundamental cryptographic primitive for establishing secure communication. It is a process in which two or more users jointly compute a shared secret such that no single user can predetermine the resulting value. Authenticated key agreement is obtained by combining a key agreement protocol with digital signatures, which prevents man-in-the-middle attacks.
In a traditional public key cryptosystem (PKC), the association between a user's identity and his public key is established through a digital certificate issued by a certifying authority (CA). The CA checks the credentials of a user before issuing a certificate to him, and the resulting certificate management requires substantial computation and storage. To simplify certificate management, Shamir introduced the concept of ID-based cryptosystems in 1984 [1]. In such cryptosystems the public key of a user is derived from his identity information and his private key is generated by a trusted third party called the Key Generation Center (KGC). The advantage of ID-based cryptosystems is that they simplify key management, which is a heavy burden in traditional certificate-based cryptosystems. However, they suffer from an inherent key escrow drawback: the KGC knows the users' private keys. They also require a secure channel for key issuance between the KGC and each user, and users must authenticate themselves to the KGC in the same way as they would authenticate themselves to a CA in a traditional PKC.
Boneh and Franklin proposed two ID-based encryption (IBE) schemes which potentially allow the replacement of a PKI with a system in which one's identity becomes the public key and a trusted KGC helps to generate users' private keys [2]. Since then, many ID-based cryptographic protocols have been developed from pairings, and this remains an area of very active research. There are many ID-based two-party and three-party key agreement protocols based on pairings.
Another direction of research on key agreement is to generalize two-party or three-party key agreement to the multi-party setting. As a result of the increased popularity of group-oriented applications, the design of an efficient ID-based authenticated group key agreement (ID-AGKA) protocol has recently received much attention in the literature.
Related Work. Choi et al. and Du et al. proposed two-round ID-AGKA protocols based on bilinear pairings and the Burmester-Desmedt scheme [3-5]. However, Zhang et al. pointed out an impersonation attack on both protocols [6]. Du et al. then improved their ID-AGKA protocol to resist this attack [7]. One defect of the improved scheme is that group users must maintain loose synchronization: if the group is dynamic, new users' counters must be brought into step with those of the existing group users.
Shi et al. presented a one-round ID-AGKA protocol under a modified IBE system [8], but their protocol has no signature verification process. He et al. pointed out that Shi et al.'s protocol is weak against an impersonation attack and a disparate session keys attack [9] and proposed a modified one-round authenticated group key agreement. However, their protocol uses complicated public and private keys, and its signature verification process involves many parameters, frequent hash computations and more messages.
Contribution. We therefore present a one-round AGKA protocol that modifies Shi et al.'s and He et al.'s protocols. Our protocol uses simple public and private keys, including the public and private key of a typical IBE system [10], and a simpler signature verification process than theirs.
II. Technical Backgrounds
2.1. Bilinear Pairings
We let \(G_1\) be a cyclic additive group generated by \(P\), whose order is a prime \(q\), and \(G_2\) be a cyclic multiplicative group of the same order \(q\). We assume that the discrete logarithm problem (DLP) in both \(G_1\) and \(G_2\) is hard. We let \(e : G_1 \times G_1 \rightarrow G_2\) be a pairing which satisfies the following properties:
1. Bilinear: \(e(P_1 + P_2, Q) = e(P_1, Q)e(P_2, Q)\) and \(e(P, Q_1 + Q_2) = e(P, Q_1)e(P, Q_2)\); equivalently \(e(aP, bQ) = e(P, Q)^{ab}\) for all \(a, b \in Z_q^*\) and \(P, Q \in G_1\).
2. Non-degenerate: There exists \(P \in G_1\) such that \(e(P, P) \neq 1\).
3. Computability: There is an efficient algorithm to compute \(e(P, Q)\) for all \(P, Q \in G_1\).
2.2. Diffie-Hellman Problem
We let a Diffie-Hellman (DH) tuple in \(G_1\) be \((P, xP, yP, zP)\) for some \(x, y, z \in Z_q^*\) satisfying \(z = xy \bmod q\).
1. The Decision Diffie-Hellman (DDH) problem: Given \(P, xP, yP, zP \in G_1\), decide whether it is a valid DH tuple. With a pairing this is solved in polynomial time by checking \(e(xP, yP) = e(P, zP)\), since \(e(xP, yP) = e(P, P)^{xy}\) and \(e(P, zP) = e(P, P)^{z}\); the DDH assumption therefore does not hold in \(G_1\).
2. The Computational Diffie-Hellman (CDH) problem: Given any three of the four elements of a DH tuple, compute the remaining one.
CDH Assumption: There is no algorithm running in expected polynomial time that solves the CDH problem with non-negligible probability.
3. The Bilinear Diffie-Hellman (BDH) problem: Given \(P, xP, yP, zP \in G_1\), compute \(e(P, P)^{xyz} \in G_2\), where \(x, y, z \in Z_q^*\). An algorithm \(A\) is said to solve the BDH problem with advantage \(\varepsilon\) if
\(\Pr[A(P, xP, yP, zP) = e(P, P)^{xyz}] \geq \varepsilon\).
BDH Assumption: There is no algorithm running in expected polynomial time that solves the BDH problem in \(\langle G_1, G_2, e \rangle\) with non-negligible probability.
III. Shi et al.'s Protocol
[Table 1] shows the notations used in this paper.
[Table 1] The notations
The KGC (Key Generation Center) generates the system parameters and all users' public and private keys. The KGC's public keys are \(P_{pub} = s_1 P\) and \(P'_{pub} = s_2 P\). The public key of a user \(U_i\) (\(1 \leq i \leq n\)) is \(Q_i = (I_i s_1 + s_2) P\) and the private key is \(S_i = (I_i s_1 + s_2)^{-1} P\), so that \(e(Q_i, S_i) = e(P, P)\).
The KGC sends \(S_i\) to \(U_i\) securely.
Each user \(U_i\) picks an ephemeral key \(a_i \in Z_q^*\) and sends \(T_{ij} = a_i Q_j\) to every other user \(U_j\) (\(1 \leq j \leq n\), \(j \neq i\)). Each user \(U_i\) then computes the session key:
\(\begin{aligned} K &=e\left(T_{1 i}+T_{2 i}+\ldots+T_{i-1 i}+a_{i} Q_{i}+T_{i+1 i}+\ldots+T_{n i}, S_{i}\right) \\ &=e\left(Q_{i}, S_{i}\right)^{\left(a_{1}+a_{2}+\ldots+a_{i}+\ldots+a_{n-1}+a_{n}\right)} \\ &=e(P, P)^{\left(a_{1}+a_{2}+\ldots+a_{i}+\ldots+a_{n-1}+a_{n}\right)} \end{aligned}\)
Shi et al.'s protocol, however, has no signature verification process, so nothing authenticates \(T_{ij}\). An attacker who controls the channel can choose \(x' \in Z_q^*\) and replace each \(T_{ij}\) sent by \(U_i\) with \(T'_{ij} = a_i Q_j + x' Q_j\). Every recipient \(U_j\) then computes the wrong session key \(K' = e(P, P)^{(a_1 + a_2 + \ldots + a_{n-1} + a_n + x')}\), which \(U_i\) itself does not share, and the modification goes undetected [11].
He et al. pointed out that Shi et al.'s protocol is weak against an impersonation attack and a disparate session keys attack [9].
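To make the algebra of Shi et al.'s round and of the modification above concrete, the following is an added example written for this edit; it is not code from the paper or from Shi et al. It models the pairing with a constructed toy group, \(G_1 = Z_q\) under addition with \(P = 1\) and \(e(xP, yP) = g^{xy} \bmod p\) for a \(g\) of order \(q\), which is bilinear and non-degenerate but offers no security, and every function and parameter name is this example's own. It also includes the DDH check of Section 2.2, \(e(xP, yP) = e(P, zP)\). The tampered run shows the disparate-key outcome: the sender \(U_1\) keeps \(e(P, P)^{\sum a_k}\) while every recipient computes \(e(P, P)^{\sum a_k + x'}\).

```python
import hashlib
import random

# Toy instantiation, constructed for illustration only: G1 is the additive
# group Z_q with generator P = 1, G2 is the order-q subgroup of Z_p^*
# generated by g, and e(xP, yP) = g^(xy) mod p.  This e is bilinear and
# non-degenerate, but the discrete logarithm in this G1 is trivial, so the
# code exercises the algebra of the protocol and says nothing about security.
q = 1019          # prime group order
p = 2 * q + 1     # 2039 is prime, so Z_p^* contains a subgroup of order q
g = 4             # quadratic residue mod p, hence a generator of that subgroup
P = 1             # generator of G1 = Z_q

def add(X, Y):
    """Point addition in G1."""
    return (X + Y) % q

def mul(k, X):
    """Scalar multiplication kX in G1."""
    return (k * X) % q

def pair(X, Y):
    """The bilinear map e: G1 x G1 -> G2."""
    return pow(g, (X * Y) % q, p)

def is_dh_tuple(xP, yP, zP):
    """DDH in G1 is easy with a pairing: (P, xP, yP, zP) is a DH tuple
    iff e(xP, yP) = e(P, zP), i.e. e(P,P)^(xy) = e(P,P)^z."""
    return pair(xP, yP) == pair(P, zP)

def H1(identity):
    """Map an identity string to I_i in Z_q^*."""
    h = hashlib.sha256(b"H1" + identity.encode()).digest()
    return int.from_bytes(h, "big") % (q - 1) + 1

def shi_setup(ids, rng):
    """KGC of Shi et al.: Ppub = s1 P, Ppub' = s2 P, and for each user
    Q_i = (I_i s1 + s2) P, S_i = (I_i s1 + s2)^-1 P, so e(Q_i, S_i) = e(P, P)."""
    while True:
        s1, s2 = rng.randrange(1, q), rng.randrange(1, q)
        ds = [(H1(identity) * s1 + s2) % q for identity in ids]
        if all(ds):                      # avoid the degenerate I_i s1 + s2 = 0
            break
    users = [{"id": identity, "Q": mul(d, P), "S": mul(pow(d, -1, q), P)}
             for identity, d in zip(ids, ds)]
    return users, mul(s1, P), mul(s2, P)

def shi_session_key(user, a, received):
    """K_i = e(sum_{k != i} T_ki + a_i Q_i, S_i) = e(P, P)^(a_1 + ... + a_n)."""
    acc = mul(a, user["Q"])
    for T in received:
        acc = add(acc, T)
    return pair(acc, user["S"])

def shi_run(ids, tamper=None, seed=1):
    """One round of Shi et al. among the users in ids.  tamper=(i, x) models an
    attacker who replaces every T_ij sent by U_i with T_ij + x Q_j; nothing
    authenticates T_ij, so the change goes unnoticed.  Returns the key each
    user derives and the key e(P, P)^(sum a_k) an honest run produces."""
    rng = random.Random(seed)
    users, _, _ = shi_setup(ids, rng)
    n = len(users)
    eph = [rng.randrange(1, q) for _ in users]          # ephemeral a_i
    msgs = {}
    for i in range(n):
        for j in range(n):
            if i != j:
                T = mul(eph[i], users[j]["Q"])             # T_ij = a_i Q_j
                if tamper is not None and tamper[0] == i:
                    T = add(T, mul(tamper[1], users[j]["Q"]))
                msgs[(i, j)] = T
    keys = [shi_session_key(users[j], eph[j],
                            [msgs[(i, j)] for i in range(n) if i != j])
            for j in range(n)]
    return keys, pow(g, sum(eph) % q, p)

if __name__ == "__main__":
    group = ["alice", "bob", "carol", "dave"]
    honest, expected = shi_run(group)
    print("honest run, all keys equal:", honest == [expected] * len(group))
    keys, expected = shi_run(group, tamper=(0, 5))
    print("U_1 keeps the honest key:", keys[0] == expected)
    print("recipients agree on a different key:",
          len(set(keys[1:])) == 1 and keys[1] != expected)
```

Because \(T_{ij}\) carries no authenticator, nothing in `shi_run` can reject the altered value; that is the gap the signatures of Sections IV and V are meant to close.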
IV. He et al.'s Protocol
The KGC generates the system parameters and all users' public and private keys. The KGC's public keys are \(P_{pub} = s_1 P\) and \(P'_{pub} = s_2 P\). The public key of a user \(U_i\) (\(1 \leq i \leq n\)) is \(Q_i = (I_i s_1 + s_2) P\) and the two private keys of \(U_i\) are \(S_i = I_i s_1\) and \(R_i = (I_i s_1 + s_2)^{-1} P\). The KGC sends \(S_i\) and \(R_i\) to \(U_i\) securely.
Each user \(U_i\) picks an ephemeral key \(a_i \in Z_q^*\) and sends \(T_{ij} = a_i Q_j\), \(X_i = a_i P\) and
\(Y_{ij} = H_2(H_1(GID) T_{ij}) S_i + a_i P_{pub}\) to every other user \(U_j\) (\(1 \leq j \leq n\), \(j \neq i\)), where \(GID\) denotes the group's identity.
Each user \(U_j\) verifies as follows:
\(e(Y_{ij}, P) = e(H_2(H_1(GID) T_{ij}) H_1(ID_i) + X_i, P_{pub})\)
If the above equation holds, each user \(U_i\) computes the session key:
\(\begin{aligned} K &= e\left(T_{1i} + T_{2i} + \ldots + T_{i-1,i} + a_i Q_i + T_{i+1,i} + \ldots + T_{ni}, R_i\right) \\ &= e(Q_i, R_i)^{(a_1 + a_2 + \ldots + a_i + \ldots + a_{n-1} + a_n)} \\ &= e(P, P)^{(a_1 + a_2 + \ldots + a_i + \ldots + a_{n-1} + a_n)} \end{aligned}\)
In the signature verification process of their protocol, a user \(U_i\) has to send the same \(X_i\) to all other users, and a user \(U_j\) has to compute \(H_1(ID_i)\) (\(1 \leq i \leq n\), \(i \neq j\)) for every other user.
V. The Proposed Protocol
In this section, we describe a one-round authenticated group key agreement protocol which uses one additional key pair \((r_i, r_i P)\) in addition to the long term public and private keys \((Q_i, S_i)\) of a typical IBE system.
5.1 System Setup
[Setup]
The KGC generates the following system parameters:
\(\{q, G_1, G_2, P, P_{pub}, e, H_1, H_2\}\), where \(H_1 : \{0,1\}^* \rightarrow G_1\) and \(H_2 : G_1 \rightarrow Z_q^*\) are hash functions.
The KGC selects an elliptic curve \(E\) defined over \(GF(p)\) and a base point \(P\) of prime order \(q\). It then chooses a master key \(s \in Z_q^*\), computes \(P_{pub} = sP\) and publishes the system parameters.
[Extract]
A user \(U_i\) (\(1 \leq i \leq n\)) picks a random integer \(r_i \in Z_q^*\) and submits his identity \(ID_i\) and \(r_i P\) to the KGC; \(r_i P\) is the user's long term public key and \(r_i\) his long term private key. The KGC computes \(Q_i = H_1(ID_i)\) as the user's other long term public key and publishes \(r_i P\) and \(Q_i\). It then computes the user's other long term private key \(S_i = s Q_i\) and sends \(S_i\) to \(U_i\) securely.
5.2. Key Generation
[Signature]
Each user \(U_i\) picks a random integer \(a_i \in Z_q^*\) as his ephemeral key. For every other user \(U_j\) (\(1 \leq j \leq n\), \(j \neq i\)) he computes \(T_{ij} = a_i r_j P\) from \(U_j\)'s public key \(r_j P\) and \(Y_{ij} = H_2(T_{ij}) S_i + r_i P_{pub}\), and sends \((T_{ij}, Y_{ij})\) to \(U_j\).
[Verification]
Each user \(U_j\) verifies \(T_{ij}\) and \(Y_{ij}\) using only the public values \(Q_i\), \(r_i P\) and \(P_{pub}\). Since \(S_i = s Q_i\) and \(P_{pub} = sP\),
\(\begin{aligned} e(Y_{ij}, P) &= e\left(H_2(T_{ij}) S_i + r_i P_{pub}, P\right) \\ &= e\left(s\left(H_2(T_{ij}) Q_i + r_i P\right), P\right) \\ &= e\left(H_2(T_{ij}) Q_i + r_i P, P_{pub}\right) \end{aligned}\)
If the above equation holds, then \(U_j\) accepts \(T_{ij}\) as the message from \(U_i\).
[Key Computation]
Upon receiving \(T_{1i}, T_{2i}, \ldots, T_{i-1,i}, T_{i+1,i}, \ldots, T_{ni}\) from the other users, each user \(U_i\) computes \(r_i^{-1} \bmod q\) from his private key and derives the session key as follows:
\(\begin{aligned} K = K_i &= e\left(\sum_{k=1, k \neq i}^{n} T_{ki} + a_i r_i P,\; r_i^{-1} P\right) \\ &= e\left(a_1 r_i P + a_2 r_i P + \ldots + a_i r_i P + \ldots + a_{n-1} r_i P + a_n r_i P,\; r_i^{-1} P\right) \\ &= e\left(r_i P, r_i^{-1} P\right)^{(a_1 + a_2 + \ldots + a_i + \ldots + a_{n-1} + a_n)} \\ &= e(P, P)^{(a_1 + a_2 + \ldots + a_i + \ldots + a_{n-1} + a_n)} \end{aligned}\)
VI. Analysis
6.1. Security
Key Authentication: This property requires that only users of the group are able to learn the key. In our protocol, only a user holding the long term private keys \(r_i\) and \(S_i\) can deliver messages that pass the signature verification of the other users. An adversary who knows neither \(r_i\) nor an ephemeral key \(a_i\) cannot compute the session key: by the hardness of the discrete logarithm, he cannot extract \(a_i\) from \(T_{ij} = a_i r_j P\), and so cannot compute \(K_i = e\left(\sum_{k=1, k \neq i}^{n} T_{ki} + a_i r_i P, r_i^{-1} P\right)\).
Caveat on the signature: \(Y_{ij} = H_2(T_{ij}) S_i + r_i P_{pub}\) is linear in the public scalar \(H_2(T_{ij})\), and both \(S_i\) and \(r_i P_{pub}\) are the same for every message of \(U_i\). From two of \(U_i\)'s signatures on distinct values \(T_{ij} \neq T_{ij'}\) (for instance those sent to two different recipients in the same round) anyone observing the traffic obtains \(S_i = (H_2(T_{ij}) - H_2(T_{ij'}))^{-1}(Y_{ij} - Y_{ij'})\) and \(r_i P_{pub} = Y_{ij} - H_2(T_{ij}) S_i\), and can then produce a \(Y\) that verifies for any \(T\) of his choice. The arguments of this section that rest on the unforgeability of \(Y_{ij}\) (key authentication, key-compromise impersonation and unknown key share) therefore require the static term \(r_i P_{pub}\) to be replaced by a term randomized afresh for every \(T_{ij}\).
Forward Secrecy: This property requires that disclosure of a user's long term secret does not compromise previous session keys. Even if the private keys \(r_i\) and \(S_i\) of \(U_i\) are disclosed, the adversary cannot extract \(a_i\) from \(T_{ij} = a_i r_j P\), and hence cannot compute \(a_i r_i P\) or \(K_i = e\left(\sum_{k=1, k \neq i}^{n} T_{ki} + a_i r_i P, r_i^{-1} P\right)\). This argument covers the compromise of a single user's long term keys. If the long term keys \(r_j\) and \(r_k\) of two users \(U_j\) and \(U_k\) are disclosed, the adversary computes \(e(T_{ij}, r_j^{-1} P) = e(P, P)^{a_i}\) for every \(i \neq j\) and \(e(T_{jk}, r_k^{-1} P) = e(P, P)^{a_j}\), and hence every recorded session key; the protocol therefore does not provide forward secrecy against disclosure of all long term keys.
No Key-Compromise Impersonation: A protocol resists key-compromise impersonation when the compromise of one user's long term private key does not enable the adversary to impersonate other users. Suppose that an adversary who knows the user \(U_i\)'s long term private keys \(r_i\) and \(S_i\) wishes to impersonate the user \(U_j\) to all other users. He chooses an ephemeral key \(a'_j\) and computes \(T'_{jk} = a'_j r_k P\) (\(1 \leq k \leq n\), \(k \neq j\)), but he cannot compute \(Y'_{jk} = H_2(T'_{jk}) S_j + r_j P_{pub}\) without the user \(U_j\)'s long term private keys \(r_j\) and \(S_j\). Therefore, the adversary may impersonate the compromised user in subsequent protocol runs, but cannot impersonate other users.
Known Session Key Security: Since each run of the protocol computes a different session key \(K = e(P, P)^{(a_1 + a_2 + \ldots + a_{n-1} + a_n)}\) from fresh ephemeral keys \(a_i\) (\(1 \leq i \leq n\)), an adversary who has obtained some past session keys gains no advantage toward computing future session keys. Thus our protocol resists the known session key attack.
No Unknown Key Share: A protocol has the no unknown key share property if no group of users can be made to share a session key with the adversary. If the adversary could convince a group of users to share a session key with him, the protocol would suffer from an unknown key share attack. In our protocol, the adversary cannot share the session key without some user's long term private keys. Therefore, our protocol has the no unknown key share property.
No Key Control: The session keys in our protocol are determined jointly by the \(n\) users, so that no single user can control the outcome of the session key by restricting it to lie in some predetermined small set. Therefore, there is no key control in our protocol.
6.2. Performance
[Table 2] summarizes the communication and computation costs of Shi et al.'s, He et al.'s and our protocol. Because Shi et al.'s and He et al.'s protocols use more complicated public and private keys than ours, they incur higher computation costs during system setup and key extraction.
[Table 2] Communication and Computation Costs
Moreover, during signature verification He et al.'s protocol uses more parameters, more hash computations and more messages than ours: the per-run value \(X_i\) and the per-user computation \(H_1(ID_i)\) of their protocol are replaced in ours by the long term public keys \(r_i P\) and \(Q_i\), which are published once at extraction.
Our protocol therefore has lower computation cost in this step.
During key computation our protocol has slightly higher computation cost. Overall, the performance analysis shows that our protocol is more efficient than Shi et al.'s and He et al.'s protocols by using simple public and private keys and a simple signature verification process.
VII. Conclusion
This paper presented a one-round authenticated group key agreement protocol that modifies Shi et al.'s and He et al.'s protocols by using simpler public and private keys and a simpler signature verification process. Its security properties are analysed in Section VI, and it is more efficient than their protocols in communication and computation costs.
References
- [1] A. Shamir, "Identity-based cryptosystems and signature schemes," Advances in Cryptology - CRYPTO '84, LNCS 196, pp. 47-53, 1984.
- [2] D. Boneh and M. Franklin, "Identity-based encryption from the Weil pairing," Advances in Cryptology - CRYPTO 2001, LNCS 2139, pp. 213-229, 2001.
- [3] K. Y. Choi, J. Y. Hwang, and D. H. Lee, "Efficient ID-based group key agreement with bilinear maps," Public Key Cryptography (PKC 2004), pp. 1-14, 2004.
- [4] X. Du, Y. Wang, J. Ge, and Y. Wang, "An ID-based authenticated two round multi-party key agreement," IACR ePrint 2003/247, 2003.
- [5] M. Burmester and Y. Desmedt, "A secure and efficient conference key distribution system," Advances in Cryptology - EUROCRYPT '94, LNCS 950, 1995.
- [6] F. Zhang and X. Chen, "Attack on ID-based authenticated group key agreement schemes," IACR ePrint 2003/259, 2003.
- [7] X. Du, Y. Wang, J. Ge, and Y. Wang, "An improved ID-based authenticated group key agreement scheme," IACR ePrint 2003/260, 2003.
- [8] Y. Shi, G. Chen, and J. Li, "ID-based one round authenticated group key agreement protocol with bilinear pairings," Proc. ITCC '05, vol. 1, pp. 757-761, 2005.
- [9] Y. Z. He and Z. Han, "An efficient authenticated group key agreement protocol," IEEE International Carnahan Conference on Security Technology, pp. 250-254, 2007.
- [10] X. Chen, F. Zhang, and K. Kim, "A new ID-based group signature scheme from bilinear pairings," IACR ePrint 2003/116, 2003.
- [11] K. K. R. Choo, "Revisit of McCullagh-Barreto two-party ID-based authenticated key agreement protocols," International Journal of Network Security, pp. 154-160, Nov. 2005.