Identity Based Authenticated Key Agreement Protocols from Pairings

1. Identity Based Authenticated Key AgreementProtocols from Pairings

2. Content • Introduction • Technical Background • Smart’s ID-based AK Protocol • A More Efficient AK Protocol

3. Introduction Key establishment is a process whereby two (or more) entities can establish a shared secret key (session key) . Two approaches to key establishment between two entities is key transport and key agreement. A key agreement protocol provide implicit key authentication if A is assured that no other entity besides B can possibly ascertain the value of the secret key.

4. key agreement protocol (AK protocol): A key agreement protocol that provides mutual implicit key authentication. • key confirmation protocol(AKC protocol): A protocol that provides mutual key authentication as well as mutual key confirmation

5. AK and AKC protocols possess the following security attributes: • Known-key security • Forward secrecy: partial forward secrecy ,TA forward secrecy • Key-compromise impersonation resilience • Unknown key-share resilience • Key control

6. In 1984, Shamir proposed an identity-based asymmetric key pair. An authenticated key establishment protocol is called identity-based if in the protocol, users use an identity based asymmetric key pair instead of a traditional public/private key pair for authentication and determination of the established key.

7. Technical Background • Pairing A pairing is a computable bilinear map between these two groups. e : G1× G1→ G2: which has the following three properties: – Bilinear: If P,P1,P2,Q,Q1,Q2∈ G1and a ∈ Z∗q, then e(P1+ P2,Q) = e(P1,Q). e(P2,Q), e(P,Q1+ Q2) = e(P,Q1).e(P,Q2). – Non-degenerate: There exists a P ∈ G1such that e(P,P) ≠1. – Computable: If P,Q ∈ G1, one can compute e(P,Q) in polynomial time.

8. Security Model(BJM97) E is allowed to make the following types of queries: • Create • Send • Reveal • Corrupt • Test

9. matching conversation • Test query

10. Definition 1. [BJM97] A protocol is a secure AK protocol if: 1) the benign adversary 2) the Malicious adversary 3) AdvantageE(k) is negligible

11. Smart’s ID-based AK Protocol • Smart’s ID-AK protocol involves three entities: two users and a TA • Setup:TAchooses a secret key s∈ Zq, public key Ps = sP ∈ G1, P is a generator of G1 • A user with identity ID the public key Q=H1(ID) ∈ G1(H1: {0,1}∗→ G1) , the private key S = sQ

12. Authenticated Key Exchange: SA=sQA and SB=sQB TA= aP and TB= bP( a,b ∈ Z∗q,) Protocol 1. M1 : Alice → Bob : TA M2 : Bob → Alice : TB KAB= e(SA,TB) · e(aQB,Ps ) , KBA= e(SB,TA) · e(bQA,Ps) K = KAB= KBA= e(bQA+ aQB,Ps) the shared session key FK = H2(K) (H2: G2→ {0,1}k)

13. A More Efficient AK Protocol • WA = aQA, WB= bQB( a,b ∈ Z∗q,) Protocol 2. M1 : Alice → Bob : WA M2 : Bob → Alice : WB KAB= e(SA,WB+ aQB) , KBA= e(WA+ bQA,SB) K = KAB = KBA = e(QA,QB)s(a+b) Their shared secret session key is FK = H2(K)

14. Theorem 1. Protocol 2 is a secure AK protocol, assuming that the adversary does not make any Reveal queries, the BDH problem (for the pair of groups G1and G2) is hard and provided that H1 and H2 are random oracles. Proof: Let P be a generator of G1. The BDH problem in G1,G2, e is given (P,xP,yP,zP) ∈ G41for some x,y,z chosen at random from Zq, compute W = e(P,P)xyz∈ G2.

15. Modification of Protocols 2 without Key Escrow • Protocol 2’: Alice and Bob exchange aQA, aP and bQB,bP. They then compute K as in Protocol 2, and finally compute the shared secret key as • FK = H’2(K,abP).

16. Thank you !