A Certificateless-based One-Round Authenticated Group Key Agreement Protocol to Prevent Impersonation Attacks

  • Ren, Huimin (Department of Software Convergence, Soonchunhyang University) ;
  • Kim, Suhyun (National IT Industry Promotion Agency) ;
  • Seo, Daehee (Department of Faculty of Artificial Intelligence and Data Engineering, Sangmyung University) ;
  • Lee, Imyeong (Department of Software Convergence, Soonchunhyang University)
  • Received : 2022.03.24
  • Accepted : 2022.04.24
  • Published : 2022.05.31

Abstract

With the development of multiuser online meetings, group-oriented technologies and applications such as collaborative work are becoming increasingly important. Authenticated Group Key Agreement (AGKA) schemes provide a shared group key for users after their identities are confirmed, to guarantee the confidentiality and integrity of group communications. On the basis of the Public Key Cryptography (PKC) system used, AGKA can be classified as Public Key Infrastructure-based, Identity-based, and Certificateless. Because the latter type solves the certificate management overhead and key escrow problems of the first two types, Certificateless AGKA (CL-AGKA) protocols have become a popular area of research. However, most CL-AGKA protocols are vulnerable to Public Key Replacement Attacks (PKRA) due to the lack of public key authentication. In the present work, we present a CL-AGKA scheme that resists PKRA in order to prevent the impersonation attacks such attacks enable. Beyond security, improving scheme efficiency is another direction for AGKA research. To reduce communication and computation cost, we present a scheme with only one round of information interaction and construct it with elliptic curve cryptography in place of bilinear pairing. Therefore, our scheme is well suited to communication environments with limited bandwidth and computing capabilities.

Keywords

1. Introduction

With the accelerated development of network communication technology, group communication provides the services required by distributed application systems such as online conferences and collaborative work systems. Because these applications usually transmit information in an open network environment, communication data can easily be hijacked, eavesdropped upon, or tampered with. Therefore, how to provide users with secure group communication services in an open and insecure network environment is very important. Ensuring the privacy of communication between multiple participants is a basic security guarantee, and using authenticated group key agreement (AGKA) protocols to negotiate a group key is a common method. An AGKA protocol enables multiple participants to negotiate the same group key through an algorithm over an open and insecure channel [1]. This group key can only be generated by authenticated users, who can use it to encrypt and decrypt data to ensure the security of their communications.

On the basis of the Public Key Cryptography (PKC) system used, the AGKA protocols can be divided into Public Key Infrastructure (PKI)-based [2-4], Identity (ID)-based [5-7], and Certificateless (CL) [8-10]. As a CL-PKC system can solve the certificate management overhead and key escrow problems of the first two PKC systems, CL-AGKA protocols have become a research focus. However, most CL-AGKA protocols are vulnerable to public key replacement attacks because of the lack of public key authentication. How to resist such attacks is another research focus.

In addition to security, reducing communication and computational overheads to improve scheme efficiency is an important research direction within CL-AGKA protocols. When the group is large, the number of communication rounds is the major concern, because it directly affects the users' processing time and communication efficiency. Many AGKA schemes with a constant number of rounds have been proposed [11, 12]. To improve efficiency, reducing computation complexity is also very important in addition to reducing communication complexity. Given the high computational complexity of the pairing operation, more researchers have begun to investigate how to reduce the use of pairings in CL-AGKA schemes.

This paper proposes an AGKA protocol based on CL-PKC that prevents impersonation attacks caused by public key replacement. Moreover, to improve efficiency, we propose a group key agreement protocol with only one round of communication, and we replace the bilinear pairing, with its large computational cost, by Elliptic Curve Cryptography (ECC), which has lower computational complexity.

Our proposed scheme has the following prominent merits:

• Our protocol solves the certificate management overhead of PKI and the key escrow problem of ID-PKC by using CL-PKC.

• Strong security: Our CL-AGKA scheme not only supplies Mutual Authentication (MA) and Public Key Authentication (PKA), but also provides Impersonation Attack Prevention (IAP).

• Efficient performance: We propose a one-round CL-AGKA protocol to reduce the communication overhead, and we replace the bilinear pairing with ECC to improve computing efficiency.

We have structured this paper as follows. First, in Section 2, we present related work on AGKA protocols. Second, in Section 3, we explain the relevant features of ECC, the system model for CL-AGKA, our security model, and the security requirements. The proposed one-round CL-AGKA protocol is presented in Section 4. Then we describe the security and performance analyses of our CL-AGKA protocol in Section 5. Lastly, we conclude in Section 6.

2. Related Works

An AGKA protocol is a cryptographic primitive that can realize secure group communication. It enables multiple users involved in group communication to negotiate a group key in an open and insecure network. Fig. 1 depicts the process of AGKA. Under AGKA protocols, each authenticated user can generate the group key from the contributions shared in advance by every group member. Group members can then encrypt the subsequent communication content using the same group key to ensure the confidentiality and integrity of group communication.

Below, we classify AGKA protocols according to the PKC system used and the number of communication rounds.

Fig. 1. Authentication and group key agreement.

2.1 Classification of AGKA Schemes by The PKC System

A PKC cryptography system can be used for encryption and signature generation using public and private keys [13]. The AGKA scheme uses a PKC system to realize authentication and key agreement. Based on the PKC system used, AGKA schemes can be divided into traditional PKI-based, ID-based, and CL-based schemes.

In a PKC system, if users' public keys cannot be authenticated, the system is vulnerable to man-in-the-middle attacks. The PKI cryptography system was proposed [14] to overcome this problem; it uses certificates to authenticate users' public keys. In this system, digital certificates are issued by a Certification Authority (CA) to bind the identity information and public key of users. Users can verify the authenticity of a public key through its certificate to prevent man-in-the-middle attacks. However, PKI systems carry overhead because they require the generation, distribution, storage, and revocation of certificates.

To overcome the complexity of certificate management and use, in 1984 Shamir proposed the ID-PKC system [15]. In an ID-PKC system, the identity of a user functions as its public key, so users do not need to apply for and use certificates to authenticate their public keys. However, in ID-PKC systems, the private keys of users are calculated and produced by a Key Generation Center (KGC), which is a trusted third party. This introduces the problem that a malicious KGC could use a user's private key to view his information at any time, which is called the key escrow problem.

To solve the key escrow problem of ID-PKC systems, in 2003 Al-Riyami proposed a PKC system without certificates, a hybrid of traditional PKI and ID-PKC in which users' private keys are determined jointly by the KGC and the users themselves [16]. The KGC cannot calculate the partial key generated by the user, and the user cannot calculate the partial private key generated by the KGC. Thus, the CL-PKC system overcomes the key escrow problem. The CL-PKC system also removes the overhead caused by certificate management in PKI systems. Therefore, more and more AGKA protocols based on CL-PKC have been proposed [17-19]. CL-AGKA schemes are greatly improved compared with PKI-AGKA and ID-AGKA schemes.

However, in a CL-PKC system no certificate proves the authenticity of the public key, so it is easy for malicious attackers to impersonate users via public key replacement attacks. As shown in Fig. 2, in a CL-PKC based two-party key agreement scheme, a malicious attacker can replace user B's public key without being detected. The attacker can then impersonate user B to negotiate a session key with user A and, finally, use that session key to communicate with user A. Similarly, a PKRA can occur in a CL-AGKA protocol. Therefore, research on CL-AGKA protocols that prevent public key replacement attacks is in progress [20, 21].

Our scheme proposes an AGKA protocol based on CL-PKC that solves the problem of impersonation attacks caused by public key replacement.

Fig. 2. Public key replacement attack in a certificateless based key agreement protocol.

2.2 Classification of AGKA Schemes According to The Number of Communication Rounds

The AGKA protocols can be divided into constant-round and non-constant-round types, according to whether their number of communication rounds is fixed. The number of communication rounds is an important indicator used to quantify the online processing time of users in such protocols; it is the number of information interactions between users. In the process of group key agreement, each user must wait for the end of all communication rounds to calculate the group key and complete the key agreement [22]. A constant-round AGKA protocol has a fixed number of communication rounds, independent of the group size. This reduces the network communication time for users and improves communication efficiency.

In a non-constant-round AGKA protocol [23-25], the number of communication rounds increases either linearly or logarithmically with the number of users. Thus, more members mean more rounds of communication, and the efficiency of such schemes is very low. For example, in an AGKA protocol based on a binary tree structure, the number of communication rounds grows logarithmically with the number of users [26]. That is, for a group with 1,000 members, the number of rounds of information interaction during the key negotiation process is at least \(\log_2(1000) \approx 300\). All group members must remain online to perform the key agreement algorithm during all the communication rounds. Therefore, the users' network communication time is long and the communication efficiency is very low. However, in an AGKA protocol with a constant number of communication rounds, the network communication time does not increase with the number of users. For example, such a scheme [27] might require only one communication round, which means the group members need only send and receive messages once during the communication process, no matter how many members there are in the group. Therefore, a constant-round AGKA protocol can significantly reduce the network communication time while ensuring system security, and thus has broad applicability.

In 1994, Burmester and Desmedt presented a protocol for constant-round group key agreement regardless of the number of members [28]. However, in this protocol the algorithm only verifies the correctness of member \(U_i\)'s signature value index \(Z_i\); it does not authenticate the identity of the members, leaving it vulnerable to impersonation attacks. In 2003, Katz and Yung [29] proposed a protocol for authentication using five rounds of communication to agree on the group key. However, this process only authenticates the correctness of the index value K = αSAx + SBx based on the discrete logarithm problem; it does not provide the mutual authentication required to verify the users' identities. This means that this scheme cannot prevent impersonation attacks from malicious group members.

3. Preliminaries

This section describes key previously defined concepts used in our proposed scheme.

3.1 Elliptic Curve Cryptography

We define an elliptic curve \(E\) over a finite field \(F_p\) by the following equation:

\(y^2 = x^3 + a \cdot x + b \pmod p\)         (1)

where \(p\) is a prime number, and \(a\) and \(b\) are two nonnegative integers smaller than \(p\) that satisfy the following:

\(\Delta = (4a^3 + 27b^2) \bmod p \neq 0\)        (2)

The points \((x, y)\) satisfying (1) on \(E\) over \(F_p\), together with the point at infinity \(O\), form a group \(G\):

\(G=\left\{(x, y): x, y \in F_{p} \text{ and } (x, y) \in E/F_{p}\right\} \cup \{O\}\)   (3)

A detailed description of elliptic curve cryptography may be found in previous works [30, 31].

It is difficult to solve the following problems defined on \(G\) in polynomial time, and the security of various cryptographic schemes is based on the difficulty of solving them.

• Problem 1, Elliptic Curve Discrete Logarithm Problem (ECDLP): We assume that an elliptic curve contains a large prime subgroup of order \(p\), which is big enough to make solving discrete logarithms in \(F_p\) infeasible. Suppose we have two points \(P, Q\) on \(E\), and let , where is an integer. According to the ECDLP, it is not computationally

• Problem 2, Computational Diffie–Hellman Problem (CDHP): Given a generator \(P\) of \(G\) and for unknown , the probability of any polynomial-time algorithm finding is negligible.

• Problem 3, One-Way Hash Function (OWHF): Given the output of a one-way hash function, it is hard to obtain any message that hashes to that output.

3.2 System Model for Certificateless Authenticated Group Key Agreement

CL-PKC systems were proposed in 2003 to prevent the key escrow problem of ID-PKC systems. Later, many AGKA schemes based on CL-PKC were proposed. At present, research on CL-AGKA schemes has become a hot topic.

In CL-AGKA, the KGC and the user generate the user's private key together. The KGC generates a key pair whose private key is used as the user's partial private key. The remainder of the user's private key is a random secret value selected by the user and known only to the user. The user combines their secret value with the partial key from the KGC to calculate the user's public key. Then, in the CL-AGKA system, users verify each other and agree on a group key with shared contributions.

Typically, a CL-AGKA protocol consists of the following algorithms [32].

• Setup: This process is performed by the KGC. It inputs a security parameter and generates the master private key of KGC and the system parameters.

• Partial-Private-Key-Extract: This process is performed by the KGC. It takes the system parameters and the identity of a user as input and computes the user's partial private key.

• Set-Secret-Value: This process is performed by the user. This process accepts system parameters and a user’s identity as inputs and returns the user’s secret value.

• Set-Private-Key: This process is also performed by the user. It uses the system parameters, user’s identity, partial private key generated by the KGC, and a secret value selected by the user to generate the user’s private key.

• Set-Public-Key: This process is also performed by the user. It uses the system parameters, the user’s identity value and private key to generate the user’s public key.

• Authenticated-Group-Key-Agreement: This process is also performed by the user. It allows users to authenticate the other users involved and agree on a single group key. It uses the system parameters, the users' identities, and public and private keys to generate a group key.

3.3 Security Model

In PKC, the security of a system can be ranked according to one of three levels [33]:

• The KGC can know or calculate the users’ private keys and can use the users' private keys to pretend that a user is completing operations.

• The KGC doesn’t know and cannot calculate the private keys of users but can forge any user's public key to impersonate the user.

• The KGC doesn’t know and cannot calculate the private key of users and cannot forge the user's public key to impersonate the user.

ID-PKC systems, CL-PKC systems, and PKI systems fall into levels 1, 2, and 3 respectively. Most CL-AGKA schemes [34, 35] are also at the second security level, because the KGC does not know and cannot calculate the users' private keys but can forge the public keys of users to impersonate a user. Therefore, attacks by two kinds of adversaries are typically considered in CL-AGKA schemes: a general user attack adversary 𝒜Ⅰ and a malicious KGC attack adversary 𝒜Ⅱ [16].

• 𝒜Ⅰ: The KGC is trusted. The adversary cannot obtain the KGC's master private key or generate the partial private key of a user, but can replace the public key of any user.

• 𝒜Ⅱ: The KGC is untrusted. The adversary can obtain the KGC's master private key and generate the partial private key of a user, but cannot replace the user's public key or request their secret value.

In CL-PKC systems, a user's partial private key is made by the KGC. Although a malicious KGC cannot calculate the entirety of a user's private key, it can leak the partial private key to adversaries, who can then execute public key replacement attacks. In this way, they can negotiate the group key as legitimate users. To expand the security levels, an 𝒜Ⅱ attack based on KGC untrustworthiness can be subdivided into those based on active and passive malicious KGCs.

Active Malicious KGC: The KGC is untrustworthy. The adversary can get the master private key of the KGC and generate user partial private keys but cannot replace users' public keys.

Passive Malicious KGC: The KGC is untrustworthy. The adversary can obtain the master key of the KGC and generate users' partial private keys; it cannot replace users' public keys, but it leaks users' partial private keys to an external adversary. With this expansion, the attackers of CL-AGKA schemes can be divided into three types, as follows [36]:

• 𝒜Ⅰ: The KGC is trusted. The adversary 𝒜Ⅰ cannot get the KGC's master private key and cannot get the users' private keys but can replace the public key of any user.

• 𝒜Ⅱ: The KGC is untrusted and active malicious. The adversary 𝒜Ⅱ can obtain the master private key of the KGC and then generate partial private keys of users but cannot replace the public keys of users.

• 𝒜Ⅲ: The KGC is untrusted and passive malicious. The malicious KGC can collude with some malicious users: it generates users' partial private keys with the master private key and leaks them to the malicious users, who can then replace users' public keys.

3.4 Security Requirements

CL-AGKA should be designed to meet the following security requirements. If a protocol satisfies all of them, a system can be protected from threats such as man-in-the-middle, public key replacement, and impersonation attacks.

3.4.1 Mutual Authentication (MA)

Mutual authentication is a procedure in which both parties participating in a communication protocol can identify each other. In AGKA protocols, group members must authenticate each other's identities before agreeing on the group key, to defend against man-in-the-middle attacks. After authentication they can proceed securely with group key agreement.

3.4.2 Public Key Authentication (PKA)

In CL-PKC systems, because there is no certificate for public keys, the authenticity of public keys cannot be verified, and they are vulnerable to public key replacement attacks. Therefore, a CL-AGKA protocol requires a function to verify others' public keys before communicating with them. Through this mechanism, entities can confirm the authenticity of each other's public keys and prevent public key replacement attacks.

3.4.3 Impersonation Attack Prevention (IAP)

An attacker mounting an impersonation attack has access to all publicly available information. He tries to complete a protocol run with one user by impersonating another user. Recall that an AGKA scheme is successful if each of the parties accepts the identities of the others and computes the same key.

4. Proposed CL-AGKA Scheme

In this section, we present a secure and efficient one-round CL-AGKA scheme. Our proposed scheme solves the certificate overhead problem of PKI-AGKA schemes and the key escrow problem of ID-AGKA schemes. It provides mutual authentication by verifying users' public keys and signatures, and even when the KGC is not reliable it resists impersonation attacks. Furthermore, our scheme reduces computation by using ECC operations, which are more efficient than pairing operations. It also reduces the latency of the group key agreement process by completing it with a single round of communication. Our one-round CL-AGKA scheme can be divided into three phases, as shown in Fig. 3: Initialization, Authentication, and Group Key Agreement. The notation for this scheme is listed in Table 1.

Fig. 3. Proposed scheme overview.

Table 1. List of Notations Used in the Proposed Scheme

4.1 Initialization

As shown in Fig. 4, the initialization phase is composed of six steps: Setup, Set-Secret-Value, Set-Public-Value, Partial-Private-Key-Extract, Set-Private-Key, and Set-Public-Key. In our scheme, users set their secret values by themselves first. Then the KGC must use the users' public values, computed from those secret values, as input to the Partial-Private-Key-Extract step in order to generate the users' partial private keys. Therefore, the KGC cannot fully control the generation of the partial private keys, which prevents a malicious KGC from forging partial private keys without being detected.

Fig. 4. Initialization Phase.

• Setup: In this step, the KGC generates the system parameters from a given security parameter, an integer \(k\). The following steps are performed: the KGC chooses a \(k\)-bit prime number \(p\) and defines an elliptic curve \(E\) over the prime finite field \(F_p\). The KGC lets \(G_p\) be the additive group formed by the points on \(E/F_p\) and randomly selects a generator \(P \in G_p\). Then the KGC chooses a random value \(s \in Z_p^*\) as its master private key and uses \(s\) to compute the master public key \(P_{pub}\) as in (4). The KGC also selects five secure hash functions as in (5)-(9). Finally, the KGC publishes the system parameters as in (10).

\(P_{pub} = s \cdot P\)  (4)

\(H_1(\bullet): \{0, 1\}^* \times G_p \times G_p \to Z_p^*\)   (5)

\(H_2(\bullet): Z_p^* \to Z_p^*\)   (6)

\(H_3(\bullet): Z_p^* \times G_p \to Z_p^*\)   (7)

\(H_4(\bullet): \{0, 1\}^* \times G_p \times G_p \times Z_p^* \to Z_p^*\)   (8)

\(H_5(\bullet): \{0, 1\}^* \to \{0, 1\}^k\)   (9)

\(\text { Params }=\left\{\begin{array}{c} E / F_{p}, G_{p}, P, P_{p u b}, H_{1}(\bullet), H_{2}(\bullet), \\ H_{3}(\bullet), H_{4}(\bullet), H_{5}(\bullet) \end{array}\right\}\)    (10)

• Set-Secret-Value: A user \(U_i\) randomly selects a value \(x_i \in Z_p^*\) as his secret value.

\(x_i \in Z_p^*\)    (11)

• Set-Public-Value: \(U_i\) uses \(x_i\) to compute a public value \(X_i\).

\(X_i = x_i \cdot P\)    (12)

• Set-Partial-Private-Key-Extract: This step is performed by the KGC. User \(U_i\) sends \(X_i\) to the KGC. The KGC selects a random value \(r_i \in Z_p^*\) and multiplies \(r_i\) by \(P\) to compute a partial public key \(R_i\) for \(U_i\) by (13). The KGC inputs \(ID_i\), \(X_i\) and \(R_i\) into (14) and computes the partial private key \(z_i\) using elliptic curve multiplication and the hash function \(H_1(\bullet)\). The KGC sends \(z_i\) through a secure channel to \(U_i\). Then the KGC uses \(z_i\) to calculate the public key \(Z_i\) for verification by (15) and sends it over an insecure channel to \(U_i\). After receiving \(z_i\) and \(Z_i\), user \(U_i\) verifies (16) through elliptic curve multiplication to authenticate the validity of \(z_i\).

\(R_i = r_i \cdot P\)        (13)

\(z_i = r_i + s \cdot H_1(ID_i \| X_i \| R_i)\)      (14)

\(Z_i = z_i \cdot P\)     (15)

\(z_{i} \cdot P \stackrel{?}{=} R_{i}+H_{1}\left(I D_{i}\left\|X_{i}\right\| R_{i}\right) \cdot P_{p u b}\)   (16)

• Set-Private-Key: This step is performed by the users. \(U_i\) sets his full private key \(S_i\) as follows:

\(S_i = (x_i, z_i)\)           (17)

• Set-Public-Key: This step is performed by the users. \(U_i\) sets his full public key \(P_i\). Then the KGC publishes \(U_i\)'s public key \(\langle X_i, R_i, Z_i \rangle\):

\(P_i = (X_i, R_i, Z_i)\)      (18)

4.2 Authentication

The second phase, authentication, is run by the users and is composed of four steps: Set-Temporary-Public-Key, Sign, Verify-Public-Key, and Verify-Signature. As shown in Fig. 5, all users who want to participate in group communication conduct mutual authentication before proceeding with the group key agreement.

• Set-Temporary-Public-Key: \(U_i\) randomly selects a temporary private key \(t_i\) and computes a temporary public key \(T_i\) using (19). Users use the value \(H_2(t_i)\) as their group key contribution for negotiating the group key. The confidentiality of the temporary private key \(t_i\) is guaranteed by the OWHF and ECDLP.

\(T_i = H_2(t_i) \cdot P\)     (19)

• Sign: \(U_i\) uses (20) to compute the value \(h_{ij}\) from his secret value \(x_i\) and the receiver \(U_j\)'s public value \(X_j\), which was published by the KGC. Then \(H_2(t_i)\), \(h_{ij}\) and \(z_i\) are taken as inputs to compute the value \(\partial_{ij}\) in (21). \(U_i\) then uses (22) to compute the signature \(\operatorname{sig}_{ij}\) and sends \(Msg_{ij} = \langle ID_i, \partial_{ij}, \operatorname{sig}_{ij} \rangle\) to the receiver \(U_j\). The value \(h_{ij}\) cannot be calculated without \(U_i\)'s secret value \(x_i\) or \(U_j\)'s secret value \(x_j\).

\(h_{ij} = H_3(x_i \cdot X_j)\)     (20)

\(\partial_{i j}=\frac{H_{2}\left(t_{i}\right)}{h_{i j}+z_{i}}\)    (21)

\(\operatorname{sig}_{i j}=H_{2}\left(t_{i}\right) \oplus H_{4}\left(I D_{i}\left\|Z_{i}\right\| T_{i} \| h_{i j}\right)\)    (22)

• Verify-Public-Key: \(U_j\) first uses (23) to verify \(U_i\)'s public key \(P_i\), which is published by the KGC.

\(Z_{i} \stackrel{?}{=} R_{i}+H_{1}\left(I D_{i}, X_{i}, R_{i}\right) \cdot P_{p u b}\)   (23)

• Verify-Signature: On receiving \(Msg_{ij} = \langle ID_i, \partial_{ij}, \operatorname{sig}_{ij} \rangle\) from \(U_i\), if the result of Verify-Public-Key is true, \(U_j\) verifies \(U_i\)'s signature using the following equation:

\(\begin{aligned} \left(\operatorname{sig}_{i j} \oplus H_{4}\left(I D_{i}\left\|Z_{i}\right\| \partial_{i j} \cdot\left(h_{j i} \cdot \mathrm{P}+Z_{i}\right) \| h_{j i}\right)\right) \cdot \mathrm{P} \\ & \stackrel{?}{=} T_{i} \end{aligned}\)    (24)

4.3 Group Key Agreement

If the result of Verify-Signature is true, users negotiate a common group key using the contribution values of all users. If the scheme is performed successfully, all the group keys computed by the members will have the same value \(GK\).

• Group-Key-Agreement: \(U_j\) recovers \(U_i\)'s contribution \(H_2(t_i)\) using (25), then takes all users' contributions \(H_2(t_1), \ldots, H_2(t_n)\) as input to (26) and computes \(GK\), with which group members can perform secure communication.

\(\begin{aligned} H_{2}\left(t_{i}\right) &= \operatorname{sig}_{ij} \oplus H_{4}\left(ID_{i} \| Z_{i} \| T_{i} \| h_{ji}\right) \\ &= \operatorname{sig}_{ij} \oplus H_{4}\left(ID_{i} \| Z_{i} \| T_{i} \| H_{3}\left(x_{j} \cdot X_{i}\right)\right) \\ &= \operatorname{sig}_{ij} \oplus H_{4}\left(ID_{i} \| Z_{i} \| T_{i} \| H_{3}\left(x_{i} \cdot x_{j} \cdot P\right)\right) \\ &= \operatorname{sig}_{ij} \oplus H_{4}\left(ID_{i} \| Z_{i} \| T_{i} \| H_{3}\left(x_{i} \cdot X_{j}\right)\right) \\ &= \operatorname{sig}_{ij} \oplus H_{4}\left(ID_{i} \| Z_{i} \| T_{i} \| h_{ij}\right) \end{aligned}\)    (25)

\(G K=H_{5}\left(H_{2}\left(t_{1}\right)\left\|H_{2}\left(t_{2}\right)\right\| \cdots \| H_{2}\left(t_{n}\right)\right)(i \neq n)\)    (26)

5. Security Analysis

5.1 Security Analysis of Proposed Scheme

In this section, we determine whether our scheme meets the security requirements of mutual authentication, public key authentication, and impersonation attack prevention described in Section 3. Our scheme's security is based on the ECDLP, CDHP and OWHF.

5.1.1 MA

This scheme provides mutual authentication by verifying users' public keys and signatures based on the ECC cryptography system. When this one-round CL-AGKA scheme executes phase 2, user \(U_j\) authenticates the public key and signature sent by \(U_i\), so \(U_j\) can ensure that the message was sent by \(U_i\) and verify the identity of \(U_i\). In phase 2, after receiving \(Msg_{ij}\) from \(U_i\), user \(U_j\) can use the public key \(Z_i\) of \(U_i\) and their own secret value \(x_j\) to check whether \(\left(\operatorname{sig}_{ij} \oplus H_{4}\left(ID_{i} \| Z_{i} \| \partial_{ij} \cdot \left(h_{ji} \cdot P + Z_{i}\right) \| h_{ji}\right)\right) \cdot P = T_{i}\). If the equation holds, \(Msg_{ij} = \langle ID_i, \partial_{ij}, \operatorname{sig}_{ij} \rangle\) was sent by \(U_i\) and \(U_i\)'s identity is authenticated by \(U_j\). The proof of the validity of the signature verification is given in (27). In our scheme, we bind the public key, private key, and identity information of the user in the signature. By the security of the ECDLP, CDHP and OWHF, an attacker who does not have the private key of the user cannot forge the signature. The correctness of the signature verification can be justified as follows:

\(\begin{gathered} \left(\operatorname{sig}_{ij} \oplus H_{4}\left(ID_{i} \| Z_{i} \| \partial_{ij} \cdot \left(h_{ji} \cdot P + Z_{i}\right) \| h_{ji}\right)\right) \cdot P \\ = \left(\operatorname{sig}_{ij} \oplus H_{4}\left(ID_{i} \| Z_{i} \| \frac{H_{2}\left(t_{i}\right)}{H_{3}\left(x_{i} \cdot X_{j}\right) + z_{i}} \cdot \left(H_{3}\left(x_{j} \cdot X_{i}\right) \cdot P + Z_{i}\right) \| H_{3}\left(x_{j} \cdot X_{i}\right)\right)\right) \cdot P \\ = \left(\operatorname{sig}_{ij} \oplus H_{4}\left(ID_{i} \| Z_{i} \| \frac{H_{2}\left(t_{i}\right)}{H_{3}\left(x_{i} \cdot X_{j}\right) + z_{i}} \cdot \left(H_{3}\left(x_{j} \cdot x_{i} \cdot P\right) \cdot P + Z_{i}\right) \| H_{3}\left(x_{j} \cdot x_{i} \cdot P\right)\right)\right) \cdot P \\ = \left(\operatorname{sig}_{ij} \oplus H_{4}\left(ID_{i} \| Z_{i} \| \frac{H_{2}\left(t_{i}\right)}{H_{3}\left(x_{i} \cdot X_{j}\right) + z_{i}} \cdot \left(H_{3}\left(x_{i} \cdot X_{j}\right) + z_{i}\right) \cdot P \| H_{3}\left(x_{i} \cdot X_{j}\right)\right)\right) \cdot P \\ = \left(\operatorname{sig}_{ij} \oplus H_{4}\left(ID_{i} \| Z_{i} \| H_{2}\left(t_{i}\right) \cdot P \| h_{ij}\right)\right) \cdot P \\ = \left(\operatorname{sig}_{ij} \oplus H_{4}\left(ID_{i} \| Z_{i} \| T_{i} \| h_{ij}\right)\right) \cdot P \\ = H_{2}\left(t_{i}\right) \cdot P \\ = T_{i} \end{gathered}\)  (27)

5.1.2 PKA

In a CL-PKC system, because the user's public key has no certificate to prove its authenticity, the main problem for a CL-AGKA protocol is the public key replacement attack. As part of our scheme, we prevent public key replacement attacks by malicious users as follows:

• The KGC binds the user's public value \(X_i\), previously calculated by the user themselves, and the identity information \(ID_i\) when calculating the partial private key of user \(U_i\). Before the KGC calculates the partial keys of \(U_i\), \(U_i\) first selects a secret value \(x_i\) and then uses \(x_i\) to calculate his public value \(X_i\). \(U_i\) sends \(X_i\) to the KGC over an open channel, and the KGC uses its master private key \(s\), \(U_i\)'s public value \(X_i\), \(U_i\)'s partial public key \(R_i\) and \(U_i\)'s identity \(ID_i\) to compute the partial private key \(z_i\) for \(U_i\) according to the equation \(z_i = r_i + s \cdot H_1(ID_i \| X_i \| R_i)\). The KGC then uses a secure channel to send the partial private key \(z_i\) to \(U_i\). Then the KGC uses ECC multiplication to calculate \(U_i\)'s public key \(Z_i = z_i \cdot P\) and sends it to \(U_i\) over an insecure channel, so that \(Z_i = (r_i + s \cdot H_1(ID_i \| X_i \| R_i)) \cdot P\).

• In this way, the behavior of the KGC with regard to generating partial private keys is restricted by users. Although a malicious KGC knows the master private key \(s\) and could randomly select \(r_i'\) to calculate a partial public key \(R_i'\), if the malicious KGC does not know the user's secret value \(x_i\), it cannot easily forge \(U_i\)'s public value \(X_i\). In our proposed scheme, if a malicious KGC wants to generate a valid forged public value \(X_i'\), the equation \(R_i + H_1(ID_i \| X_i' \| R_i) \cdot P_{pub} = Z_i\) must still hold for the user's public key, as follows:

\(\begin{gathered} R_{i} + H_{1}\left(ID_{i} \| X_{i}^{\prime} \| R_{i}\right) \cdot P_{pub} \\ = R_{i} + s \cdot H_{1}\left(ID_{i} \| X_{i}^{\prime} \| R_{i}\right) \cdot P \\ = \left(r_{i} + s \cdot H_{1}\left(ID_{i} \| X_{i}^{\prime} \| R_{i}\right)\right) \cdot P \\ \stackrel{?}{=} Z_{i} = \left(r_{i} + s \cdot H_{1}\left(ID_{i} \| X_{i} \| R_{i}\right)\right) \cdot P \end{gathered}\)   (28)

Thus,

\(\begin{aligned} & H_{1}\left(I D_{i}\left\|X_{i}^{\prime}\right\| R_{i}\right) \\ =& H_{1}\left(I D_{i}\left\|X_{i}\right\| R_{i}\right) \end{aligned}\)    (29)

This conclusion violates the strong non-collision of hash functions assumption, so it is impossible for a malicious KGC to compute the partial private key to forge the public key 𝑋′i, which meets the conditions needed for preventing a PKRA.

• The KGC computes 𝑈i's partial public key 𝑅i and public key 𝑍i and publishes 𝑈i's public key 𝑃i = (𝑋i, 𝑅i, 𝑍i) together with the system parameters, so that a malicious user cannot mount a PKRA unnoticed. At any time a user can therefore evaluate 𝑍i ≟ 𝑅i + 𝐻1(IDi ∥ 𝑋i ∥ 𝑅i) ∙ 𝑃pub to detect whether a malicious user has replaced his public key, and other users can run the same check to confirm that a public key really belongs to 𝑈i before communicating with 𝑈i. The validation is as follows:

𝑍i ≟ 𝑅i + 𝐻1(IDi ∥ 𝑋i ∥ 𝑅i) ∙ 𝑃pub   (30)

Proof:

\(\begin{gathered} Z_{i}=z_{i} \cdot P \\ =\left(r_{i}+s \cdot H_{1}\left(I D_{i}\left\|X_{i}\right\| R_{i}\right)\right) \cdot P \\ =r_{i} \cdot P+s \cdot H_{1}\left(I D_{i}\left\|X_{i}\right\| R_{i}\right) \cdot P \\ =R_{i}+H_{1}\left(I D_{i}\left\|X_{i}\right\| R_{i}\right) \cdot P_{p u b} \end{gathered}\)    (31)

5.1.3 IAP

Impersonation attacks are classified by adversary type: 𝒜Ⅰ (can replace a user's public key but does not hold the KGC's master private key), 𝒜Ⅱ (an untrusted, active malicious KGC that holds the master key and can use it to generate a user's partial private key, but cannot replace the user's public key) and 𝒜Ⅲ (an untrusted, passive malicious KGC that cannot substitute the public key itself but leaks the user's partial private key to an external adversary who can replace the user's public key). Even if the receiver's public key is replaced by 𝒜Ⅰ, the partial private key is chosen by 𝒜Ⅱ, or the partial private key is leaked to an external adversary who can substitute the receiver's public key, the adversary cannot impersonate a legitimate user.

• Preventing impersonation attacks by 𝓐 Ⅰ :

An adversary succeeds if he can forge the signature, and thereby the group key, used to communicate with the other users after authentication. First, 𝒜Ⅰ replaces 𝑈i's public key 𝑃i = (𝑋i, 𝑅i, 𝑍i) with 𝑃i′ = (𝑋i′, 𝑅i′, 𝑍i′) and attempts to forge a valid message Msgij = <IDi, 𝑇i′, 𝜕ij′, sigij′> satisfying (sigij′ ⊕ 𝐻4(IDi ∥ 𝑍i′ ∥ 𝜕ij′ ∙ (ℎij′ ∙ 𝑃 + 𝑍i′) ∥ ℎij′)) ∙ 𝑃 = 𝑇i′. However, by (14) and (15), the user's public key 𝑍i is obtained by the ECC multiplication 𝑧i ∙ 𝑃 from the partial private key 𝑧i generated by the KGC, which binds the user's public value 𝑋i, the identity IDi and the KGC's master key 𝑠 through a hash function and ECC multiplication. Because 𝒜Ⅰ knows neither the user's secret value 𝑥i nor the master key 𝑠, 𝒜Ⅰ cannot produce a public key 𝑍i′ for 𝑋i′ that passes 𝑍i′ ≟ 𝑅i + 𝐻1(IDi ∥ 𝑋i′ ∥ 𝑅i) ∙ 𝑃pub against the published 𝑅i. Therefore 𝒜Ⅰ cannot mount an impersonation attack by public key replacement.

• Preventing Impersonation Attacks by 𝓐 Ⅱ :

𝓐Ⅱ holds the master private key 𝑠 and can generate 𝑈i's partial private key 𝑧i, but cannot replace the user's public key 𝑃i or obtain 𝑈i's own secret value 𝑥i. If 𝒜Ⅱ could impersonate 𝑈i successfully, it could forge a valid signature satisfying the following conditions:

\(\begin{gathered} \operatorname{sig}_{i j}^{\prime}=\frac{H_{2}\left(t_{i}^{\prime}\right)}{H_{3}\left(x_{i}^{\prime} \cdot X_{j}\right)+z_{i}} \\ =\frac{H_{2}\left(t_{i}\right)}{H_{3}\left(x_{i} \cdot X_{j}\right)+z_{i}} \\ =\operatorname{sig}_{i j} \end{gathered}\)   (32)

Thus,

\(H_{3}\left(x_{i}^{\prime} \cdot X_{j}\right)=H_{3}\left(x_{i} \cdot X_{j}\right)\)    (33)

and

\(H_{2}\left(t_{i}^{\prime}\right)=H_{2}\left(t_{i}\right)\)      (34)

The adversary can obtain 𝑈i's partial private key 𝑧i but knows neither the temporary value 𝑡i nor the secret value 𝑥i, both of which are generated by the user himself. Under the ECDLP, OWHF and CDHP assumptions the adversary cannot compute values 𝐻3(𝑥i′ ∙ 𝑋j) and 𝐻2(𝑡i′) that equal 𝐻3(𝑥i ∙ 𝑋j) and 𝐻2(𝑡i), and therefore cannot compute a value sigij′ equal to sigij.

• Preventing Impersonation Attacks by 𝓐 Ⅲ :

In this type of attack the malicious KGC colludes with malicious users. The KGC uses its master private key 𝑠 to generate users' partial private keys 𝑧i and leaks them to the malicious users 𝒜Ⅲ, who can replace users' public values 𝑋i. They then use a forged public value 𝑋i′ that passes the verification test for a signature forgery attack. If the adversary forges a signature that passes verification, the adversary is authenticated by the other users and can negotiate a group key with which to communicate with them.

Assume that after 𝒜Ⅲ obtains 𝑈i's partial private key 𝑧i, he can forge a valid key pair (𝑥i′, 𝑋i′) whose public value passes public key verification. Then:

Table 2. Comparative analysis of paper security requirements

\(\begin{aligned} & R_{i}+H_{1}\left(I D_{i}\left\|X_{i}^{\prime}\right\| R_{i}\right) \cdot P_{p u b} \\ =& r_{i} \cdot P+s \cdot H_{1}\left(I D_{i}\left\|x_{i}^{\prime} \cdot P\right\| R_{i}\right) \cdot P \\ \stackrel{?}{=}& \left(r_{i}+s \cdot H_{1}\left(I D_{i}\left\|x_{i} \cdot P\right\| R_{i}\right)\right) \cdot P \\ =& z_{i} \cdot P=Z_{i} \end{aligned}\)   (35)

Thus,

\(H_{1}\left(I D_{i}\left\|x_{i}^{\prime} \cdot P\right\| R_{i}\right)=H_{1}\left(I D_{i}\left\|x_{i} \cdot P\right\| R_{i}\right)\)    (36)

Equation (36) contradicts the collision resistance (strong non-collision) assumption on the hash function. From (35) and (36) we see that even if an adversary obtains 𝑈i's partial private key 𝑧i from a malicious KGC, he cannot forge a valid public value 𝑋i′ that passes public key verification. Also, by the ECDLP, an adversary who knows 𝑈i's public value 𝑋i cannot recover the secret value 𝑥i from 𝑋i = 𝑥i ∙ 𝑃. Therefore our scheme resists 𝒜Ⅲ impersonation attacks under the ECDLP and the collision resistance assumption on the hash function.
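The key issuing of Section 5.1.2, the public key check (30), the 𝑋i replacement cases of (28) and (35), and the pairwise value ℎij = 𝐻3(𝑥i ∙ 𝑋j) that Section 5.1.3 relies on, carried through as a runnable example. This is an added illustration written for this page, not code from the paper. It assumes things the paper leaves open: the curve is secp256k1 with hand-written affine arithmetic so that it runs offline, 𝐻1 and 𝐻3 are SHA-256 reduced modulo the group order 𝑛, identities are byte strings, and all function names are the example's own.

```python
"""Added example, not the paper's own code: certificateless key issuing
(Section 5.1.2), the public key check of equation (30), the X_i
replacement cases of (28)/(35), and h_ij = H_3(x_i * X_j) from Section
5.1.3.  Assumptions not fixed by the paper: curve secp256k1, H_1 and H_3
as SHA-256 mod n, byte-string identities, and all names below."""
import hashlib
import secrets

# secp256k1 domain parameters (assumed curve; the paper names none)
p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
P = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(A, B):
    """Affine point addition; None is the point at infinity."""
    if A is None:
        return B
    if B is None:
        return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % p == 0:
        return None                      # A == -B
    if A == B:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)


def ec_mul(k, A):
    """Double-and-add scalar multiplication k * A."""
    R = None
    while k:
        if k & 1:
            R = ec_add(R, A)
        A = ec_add(A, A)
        k >>= 1
    return R


def H(*parts):
    """H_1 / H_3 (assumption): SHA-256 over the concatenation, reduced mod n.
    Points are encoded as 32-byte big-endian x || y."""
    h = hashlib.sha256()
    for part in parts:
        if isinstance(part, tuple):
            part = part[0].to_bytes(32, "big") + part[1].to_bytes(32, "big")
        h.update(part)
    return int.from_bytes(h.digest(), "big") % n


def rand_scalar():
    return secrets.randbelow(n - 1) + 1


def kgc_setup():
    """KGC chooses master key s and publishes P_pub = s * P."""
    s = rand_scalar()
    return s, ec_mul(s, P)


def user_set_secret():
    """U_i chooses secret value x_i and sends X_i = x_i * P to the KGC."""
    x = rand_scalar()
    return x, ec_mul(x, P)


def kgc_extract(s, ID, X):
    """KGC binds ID_i and the user-supplied X_i:
    z_i = r_i + s * H_1(ID_i || X_i || R_i), R_i = r_i * P, Z_i = z_i * P."""
    r = rand_scalar()
    R = ec_mul(r, P)
    z = (r + s * H(ID, X, R)) % n
    return z, R, ec_mul(z, P)


def verify_public_key(ID, X, R, Z, P_pub):
    """Equation (30): Z_i == R_i + H_1(ID_i || X_i || R_i) * P_pub."""
    return ec_add(R, ec_mul(H(ID, X, R), P_pub)) == Z


def pairwise_secret(x_own, X_peer):
    """h_ij = H_3(x_i * X_j); the peer computes H_3(x_j * X_i), the same value."""
    return H(ec_mul(x_own, X_peer))


def demo():
    """Honest flow for two users, then the X_i replacement of (28)/(35)."""
    s, P_pub = kgc_setup()
    ID_i, ID_j = b"alice", b"bob"                    # constructed identities
    x_i, X_i = user_set_secret()
    x_j, X_j = user_set_secret()
    z_i, R_i, Z_i = kgc_extract(s, ID_i, X_i)
    z_j, R_j, Z_j = kgc_extract(s, ID_j, X_j)
    # Adversary (A_I, or A_III holding the leaked z_i) swaps in its own X'
    # while keeping the KGC-issued R_i, Z_i; passing the check would need
    # the H_1 collision of (29)/(36).
    x_adv, X_adv = user_set_secret()
    return {
        "legit_i": verify_public_key(ID_i, X_i, R_i, Z_i, P_pub),
        "legit_j": verify_public_key(ID_j, X_j, R_j, Z_j, P_pub),
        "replaced_X": verify_public_key(ID_i, X_adv, R_i, Z_i, P_pub),
        "leaked_z_gives_Z": ec_mul(z_i, P) == Z_i,    # z_i alone fixes Z_i
        "h_ij_symmetric": pairwise_secret(x_i, X_j) == pairwise_secret(x_j, X_i),
    }


if __name__ == "__main__":
    print(demo())
```

One point a practitioner should keep in mind when deploying the check: equation (30) is a consistency test, not a signature. Anyone can compute a self-consistent triple (𝑋′, 𝑅′, 𝑅′ + 𝐻1(ID ∥ 𝑋′ ∥ 𝑅′) ∙ 𝑃pub) without knowing 𝑠; what such an adversary lacks is the discrete logarithm 𝑧′ of that 𝑍′. The check therefore has to be run against the 𝑃i = (𝑋i, 𝑅i, 𝑍i) that the KGC published with the system parameters, which is why `verify_public_key` above is always called with the KGC-issued 𝑅i and 𝑍i.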

5.2 Comparison of Schemes

Table 2 compares our proposed one-round CL-AGKA scheme with existing schemes against various security requirements. "O" and "X" indicate that a scheme achieves or does not achieve the requirement, respectively.

Consulting Table 2 regarding mutual authentication, in schemes [37] and [38] users cannot authenticate the other group members they communicate with, so mutual authentication is not completed during the communication process. The analysis in [38] indicates that in [37] users send their contributions to all other users in the second round of communication after passing authentication in the first round. Because identity authentication is performed only in the first round, the second-round message carries no fresh information, and its signature cannot resist a replay attack by malicious participants. If two malicious users 𝑈i−1 and 𝑈i+1 in the group have taken part in a normal run of the protocol and recorded all messages of that run, they can forge the signature of the legitimate user 𝑈i to pass authentication and then negotiate a new group key with the other users as if they were 𝑈i. Therefore, there is a risk of signature forgery against mutual authentication in these schemes.

In terms of public key authentication, schemes [27, 37-40] provide no way to authenticate the public keys of the users one communicates with. In such schemes the partial public and private keys of users are computed by the KGC with its own master key, without any control by the users, so a malicious KGC can forge valid public and private keys without user constraints and then forge users' signatures. In the scheme of [27], the KGC cannot arbitrarily generate public and private keys that would forge valid signatures, because when it computes the partial private and public keys of a user it binds the public key information pre-generated by that user. However, because the user's public key itself cannot be authenticated, external adversaries can still replace it without being discovered.

In terms of the security requirement of impersonation attack prevention, an adversary 𝒜Ⅰ can replace the user's public key but holds neither the KGC's master key nor the user's partial private key. If 𝒜Ⅰ could impersonate successfully, it could forge a valid signature that passes authentication. Under [27, 37-40], public key replacement attacks are easy to execute and remain undiscovered. However, although the adversary can replace the user's public key, a successful impersonation is impossible because it can obtain neither the user's private key nor the KGC's master key; by the ECDLP the adversary cannot compute the user's partial private key or forge an authenticated signature. Therefore, in the attack model of the first type of adversary, these schemes are secure.

In the second attack model, 𝒜Ⅱ holds the KGC's master private key and can generate a user's partial private key, but cannot replace the user's public key or obtain the secret value that the user computes for himself. If 𝒜Ⅱ could impersonate successfully, it could forge a valid signature that passes authentication. In schemes [27, 37-40], even though the adversary knows the partial private keys the KGC computes for users, it cannot replace the users' public keys and, by the ECDLP, cannot generate a valid key for forging a signature. Therefore, in the second attack model, these schemes are secure.

In the third attack model, 𝒜Ⅲ holds the KGC's master key, generates the user's partial private key and leaks it to an external adversary. The external adversary uses the users' partial private keys to substitute the users' public keys, and then uses a public key that passes verification to forge a signature that is accepted by authentication. The adversary can then negotiate the group key with the other users and communicate with them. From the public key authentication analysis above, we know that in the other related schemes the user's public key can be replaced easily without being discovered.

5.3 Efficiency

In this subsection, we compare the computational cost and communication cost of our AGKA scheme with those of the others. Table 3 uses the notation of [27, 31] for the comparison parameters. The operation costs are written as EM ≈ 29𝑡𝑚, EA ≈ 0.12𝑡𝑚, P ≈ 87𝑡𝑚 and ME ≈ 240𝑡𝑚.

Table 3. Definitions and values of Selected operational Timings

Table 4. Performance Comparison of Schemes

Fig. 6. Computational Cost for Various Group Sizes.

Consulting Table 4, for a group of n users the computational costs of the related schemes are as follows. In the scheme of Teng et al., the cost is (3n − 3)EM + (n − 1)P + (n − 1)EA + (n − 1)ME ≈ 414.12(n − 1)𝑡𝑚, with two communication rounds. In the scheme of Kumar et al., the cost is 9EM + 8EA ≈ 261.96𝑡𝑚, with two communication rounds. In the scheme of Hafizul et al., the cost is (3n − 2)EM + (n − 1)P ≈ (174n − 145)𝑡𝑚, with one communication round. In the scheme of Shan et al., the cost is (3n + 13)EM + (3n + 20)EA ≈ (87.36n + 379.4)𝑡𝑚, with two communication rounds. In the scheme of Semal et al., the cost is (3n − 3)EM + (n − 1)EA + (n − 1)P + (n − 1)ME ≈ 414.12(n − 1)𝑡𝑚, with two communication rounds. In our scheme, the cost is (5n − 4)EM + (7n − 7)EA ≈ (145.84n − 116.84)𝑡𝑚, with one communication round. As Table 4 and Fig. 6 show, the total computational cost of our protocol is higher than that of [37] and [38], but it needs fewer communication rounds than they do.

6. Conclusion

AGKA is a key technology for securing communication among group members. An AGKA based on CL-PKC avoids the key and certificate storage and management overhead of PKI-AGKA schemes and the key escrow problem of ID-AGKA schemes. In this work we therefore designed a one-round AGKA protocol on a CL-PKC system that is secure and efficient and prevents impersonation attacks.

Our scheme also provides mutual authentication by signature verification to prevent man-in-the-middle attacks, and supports public key authentication to resist the PKRA associated with CL-PKC. Furthermore, our CL-AGKA scheme resists the 𝒜Ⅰ, 𝒜Ⅱ and 𝒜Ⅲ attack models, for which we have given a security analysis; the security of the protocol rests on the hardness assumptions of the ECDLP, CDHP and OWHF.

We reduce the computational cost of our scheme by using ECC scalar multiplication, which is more efficient than pairing operations, and we reduce the network communication time of key agreement by needing only one communication round. The proposed scheme is therefore more secure and efficient than the other existing schemes compared here, and it suits group communication environments with limited bandwidth, storage space and computing power.

Currently the scheme applies to a static group. However, more and more group communication environments must support members joining or leaving, and in such dynamic environments an AGKA protocol must be able to update the group key when members join and leave in order to provide forward and backward security. In the next stage we intend to extend the present work to dynamic group communication environments such as VANETs and distributed cloud communication.

References

  1. E. Bresson, O. Chevassut, A. Essiari, et al, "Mutual authentication and group key agreement for low-power mobile devices," Computer Communications, vol. 27, no. 17, pp. 1730-1737, 2004. https://doi.org/10.1016/j.comcom.2004.05.023
  2. M. J. Beller, Y. Yacobi, "Fully-fledged two-way public key authentication and key agreement for low-cost terminals," Electronics Letters, vol. 29, no. 11, pp. 999-1001, 1993. https://doi.org/10.1049/el:19930666
  3. C. Zemao, Z. Junge, H. Biyi, "Optimizing PKI for 3GPP authentication and key agreement," in Proc. of Fourth International Conference on Multimedia Information Networking and Security, IEEE, pp. 79-82, 2012.
  4. V. S. Naresh, N. V. E. S. Murthy, "A new two-round dynamic authenticated contributory group key agreement protocol using elliptic curve Diffie-Hellman with privacy preserving public key infrastructure," Sadhana, vol. 40, no. 7, pp. 2143-2161, 2015. https://doi.org/10.1007/s12046-015-0434-y
  5. K. Y. Choi, J. Y. Hwang, D. H. Lee, "Efficient ID-based group key agreement with bilinear maps," in Proc. of International Workshop on Public Key Cryptography, Springer, Berlin, Heidelberg, pp. 130-144, 2004.
  6. J. Zheng, C. Yang, J. Xue, et al, "A dynamic id-based authenticated group key agreement protocol," in Proc. of the 4th National Conference on Electrical, Electronics and Computer Engineering, 2015.
  7. L. C. Li, Y. P. Tsai, R. S. Liu, S. Nathani, B. P. Tripathi, S. Khatoon, "A Dynamic ID Based Authenticated Group Key Agreement Protocol from Pairing," International Journal of Network Security, vol. 21, no. 4, pp. 582-591, 2019.
  8. S. Heo, Z. Kim, K. Kim, "Certificateless authenticated group key agreement protocol for dynamic groups," in Proc. of IEEE GLOBECOM 2007-IEEE global telecommunications conference, IEEE, pp. 464-468, 2007.
  9. E. J. Lee, S. E. Lee, K. Y. Yoo, "A certificateless authenticated group key agreement protocol providing forward secrecy," in Proc. of International Symposium on Ubiquitous Multimedia Computing, IEEE, pp. 124-129, 2008.
  10. M. Geng, F. Zhang, M. Gao, "A secure certificateless authenticated group key agreement protocol," in Proc. of International Conference on Multimedia Information Networking and Security, IEEE, vol. 1, pp. 342-346, 2009.
  11. E. Bresson, D. Catalano, "Constant round authenticated group key agreement via distributed computation," in Proc. of International Workshop on Public Key Cryptography, Springer, Berlin, Heidelberg, pp. 115-129, 2004.
  12. L. Wang, Y. Tian, D. Zhang, et al, "Constant-round authenticated and dynamic group key agreement protocol for D2D group communications," Information Sciences, vol. 503, pp. 61-71, 2019. https://doi.org/10.1016/j.ins.2019.06.067
  13. W. Diffie, M. Hellman, "New directions in cryptography," IEEE transactions on Information Theory, vol. 22, no. 6, pp. 644-654, 1976. https://doi.org/10.1109/TIT.1976.1055638
  14. C. Adams, S. Lloyd, "Understanding public-key infrastructure: concepts, standards, and deployment considerations," Sams Publishing, 1999.
  15. A. Shamir, "Identity-Based Cryptography systems and Signature Schemes," Advances in Cryptology, pp. 47-53, 1984.
  16. S. S. Al-Riyami, K. G. Paterson, "Certificateless Public Key Cryptography," in Proc. of International conference on the theory and application of cryptology and information security, pp. 452-473, 2003.
  17. J. Yeh, S. Sridhar, G. G. Dagher, et al, "A certificateless one-way group key agreement protocol for end-to-end email encryption," in Proc. of IEEE 23rd Pacific Rim International Symposium on Dependable Computing (PRDC), IEEE, pp. 34-43, 2018.
  18. S. Mandal, S. Mohanty, B. Majhi, "CL-AGKA: Certificateless authenticated group key agreement protocol for mobile networks," Wireless Networks, vol. 26, no. 4, pp. 3011-3031, 2020. https://doi.org/10.1007/s11276-020-02252-z
  19. I. A. Kamil, S. O. Ogundoyin, "A lightweight certificateless authentication scheme and group key agreement with dynamic updating mechanism for LTE-V-based internet of vehicles in smart cities," Journal of Information Security and Applications, vol. 63, pp. 102994, 2021. https://doi.org/10.1016/j.jisa.2021.102994
  20. L. Zhang, Q. Wu, B. Qin, et al, "Certificateless and identity-based authenticated asymmetric group key agreement," International Journal of Information Security, vol.16, no. 5, pp. 559-576, 2017. https://doi.org/10.1007/s10207-016-0339-8
  21. S. Bala, G. Sharma, A. K. Verma, "Impersonation attack on CertificateLess key agreement protocol," International Journal of Ad Hoc and Ubiquitous Computing, vol. 27, no. 2, pp.108-120, 2018. https://doi.org/10.1504/IJAHUC.2018.089580
  22. H. Xiong, Y. Wu, Z. Lu, "A survey of group key agreement protocols with Constant-Rounds," ACM Computing Surveys (CSUR), vol. 52, no. 3, pp. 1-32, 2019.
  23. S. Heo, Z. Kim, K. Kim, "Certificateless authenticated group key agreement protocol for dynamic groups," in Proc. of IEEE GLOBECOM 2007-IEEE Global Telecommunications Conference, IEEE, pp. 464-468, 2007.
  24. A. Kumar, S. Tripathi, "Ternary tree based group key agreement protocol over elliptic curve for dynamic group," International Journal of Computer Applications, vol. 86, no. 7, 2014.
  25. A. Rawat, M. Deshmukh, "Tree and elliptic curve based efficient and secure group key agreement protocol," Journal of Information Security and Applications, vol. 55, pp. 102599, 2020. https://doi.org/10.1016/j.jisa.2020.102599
  26. G. Xiaozhuo, X. Taizhong, Weihua Z, et al, "A pairing-free certificateless authenticated group key agreement protocol," in Proc. of IEEE Intl Conf on High Performance Computing and Communications, 2014 IEEE 6th Intl Symp on Cyberspace Safety and Security, 2014 IEEE 11th Intl Conf on Embedded Software and Syst (HPCC, CSS, ICESS), pp. 510-513, 2014.
  27. S. K. Islam, A. Singh, "Provably secure one-round certificateless authenticated group key agreement protocol for secure communications," Wireless Personal Communications, vol. 85, no.3, pp. 879-898, 2015. https://doi.org/10.1007/s11277-015-2815-2
  28. M. Burmester, Y. Desmedt, "A secure and efficient conference key distribution system," in Proc. of Workshop on the Theory and Application of Cryptographic Techniques, Springer, Berlin, Heidelberg, pp. 275-286, 1994.
  29. J. Katz, M. Yung, "Scalable protocols for authenticated group key exchange," in Proc. of Annual international cryptology conference, Springer, Berlin, Heidelberg, pp. 110-125, 2003.
  30. J. Lopez, R. Dahab, "An overview of elliptic curve cryptography," 2000.
  31. V. Kapoor, V. S. Abraham, R. Singh, "Elliptic curve cryptography," Ubiquity, pp. 1-8, 2008.
  32. A. Kumar, S. Tripathi, "A pairing free anonymous certificateless group key agreement protocol for dynamic group," Wireless Personal Communications, vol. 82, no. 2, pp. 1027-1045, 2015. https://doi.org/10.1007/s11277-014-2264-3
  33. M. Girault, "Self-certified public keys," in Proc. of Workshop on the Theory and Application of Cryptographic Techniques, Springer, Berlin, Heidelberg, pp. 490-497, 1991.
  34. M. Luo, J. Wu, X. Li, "Cross-domain certificateless authenticated group key agreement protocol for 5G network slicings," Telecommunication Systems, vol. 74, no. 4, pp. 437-449, 2020. https://doi.org/10.1007/s11235-020-00673-x
  35. L. Zhang, Q. Wu, B. Qin, et al, "Certificateless and identity-based authenticated asymmetric group key agreement," International Journal of Information Security, vol. 16, no. 5, pp. 559-576, 2017. https://doi.org/10.1007/s10207-016-0339-8
  36. N. Q. Viet, W. Ogata, "Certificateless aggregate signature schemes with improved security," IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, vol. 98, no. 1, pp. 92-99, 2015.
  37. A. Kumar, S. Tripathi, P. Jaiswal, "A pairing free certificateless group key agreement protocol with constant round," Advanced Computing, Networking and Informatics-Volume 2, Springer, Cham, pp. 341-349, 2014.
  38. S. Chun, H. U. Kangwen, X. U. E. Jingfeng, et al, "Improved pairing-free constant round certificateless authenticated group key agreement protocol," Journal of Tsinghua University (Science and Technology), vol. 57, no. 6, pp. 580-585, 2017.
  39. B. Semal, K. Markantonakis, R. N. Akram, "A certificateless group authenticated key agreement protocol for secure communication in untrusted UAV networks," in Proc. of IEEE/AIAA 37th Digital Avionics Systems Conference (DASC), IEEE, pp. 1-8, 2018.
  40. J. Teng, C. Wu, "A provable authenticated certificateless group key agreement with constant-rounds," Journal of Communications and Networks, vol. 14, no. 1, pp. 104-110, 2012. https://doi.org/10.1109/JCN.2012.6184555