1 / 15

Provably secure three-party password-based authenticated key exchange protocol using Weil pairing

Provably secure three-party password-based authenticated key exchange protocol using Weil pairing. H.-A.Wen,T.-F.Lee and T.Hwang IEE Proc-Commun. , Vol.152, No.2 ,p138~143 April 2005 Presented by C.C.Tsai. Outline. Introduction Preliminary Protocol Model and Definition

dkruse
Download Presentation

Provably secure three-party password-based authenticated key exchange protocol using Weil pairing

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Provably secure three-party password-based authenticated key exchange protocol using Weil pairing H.-A.Wen,T.-F.Lee and T.Hwang IEE Proc-Commun. , Vol.152, No.2 ,p138~143 April 2005 Presented by C.C.Tsai

  2. Outline • Introduction • Preliminary • Protocol • Model and Definition • Security analysis (Proof) • Conclusion

  3. Introduction • Three PAKE just share a password with a trust server, but server knows all session keys • Some papers had been proposed to overcome this problem later • Joux first discovered the Bilinear Diffie-Hellman problem • This paper first proposed provably three PAKE using Weil pairing

  4. Preliminaries • Weil pairing: Let G1,G2 be two groups of prime order q e : G1×G1 G2 is a bilinear mapping Weil pairing is a bilinear mapping which has following properties (1)Bilinear:e(aP,bQ)=e( P,Q)ab ,for all (2)Non-degenarate: (3)Computable:e(P,Q) can be computed in polynomial time • BDH problem: given<e,xP,yP,zP>,the probability to output e(P,P)abc is negligible

  5. Protocol (setup) • p: a prime such that p=2(mod 3) and p=6q-1 for large prime q • E :be a supersingular curve y2= x2+1 over Fp • P:generator of point of order q • Eq:the group generated by p • uq:subgroup of of order q • e:modified weil pairing e:Eq × Eq uq • IDs IDA IDB:the identity of server S, user A , user B • PS:S selects secret key s to compute public key PS=sP • PWA PWB:user A B share password with server S

  6. 1. Randomly selects a , compute aP andka=H(aP, PS , Q, e(PS,aQ)),where Q=G(IDs) 2. computes ca= (IDA, aP , ca) A B 1.Randomly selects b , computes bP andkb=H(bP, PS , Q ,e(PS , bQ)) 2.K=e(aP, bU) where U=G(IDA, IDB) 3.Computes cb= and ub=H(IDB,K) (IDA, aP, ca, bP, cb,ub) B S Protocol (Execution) A B S

  7. 1.Computes ka=H(aP, PS , Q, e(aP,sQ))kb=H(bP, PS, Q, e(bP,sQ)) 2.verifies 3.Computes , (bP, ub , , ) A S Protocol (Execution) A B S

  8. 1.Computes K=e(bP , aU) and verifies 2. Computes ua=H(IDA, K ) (ua , ) A B Protocol (Execution) A B S The session key with A , B :SK=H(aP, bP, U ,K )

  9. Models • H(M): inputs M and returns r; H also records (M, r) into a public H-table

  10. Definitions • Password security:adversary A breaks the password security of P if A learns the password of a user by on-line or off-line dictionary attack • AKE secure:the probability of adversary A breaks the AKE security of P is defined by . We say P is AKE-secure if is negligible

  11. Security Analysis • Let be the advantage that A breaks the AKE security of protocol P within time t • Let be the advantage that ω breaks the WDH problem with time t’ Assume A breaks the AKE security of P by running qse Send queries,qex Execute queries and qh H queries .Then Where ( Tp is the time to generate a random point in Eq Te is the time to perform a Weil pairiing )

  12. Proof of theorem • Case1. S1 denotes A breaks AKE security without breaking PW • Let be the probability thatω correctly chooses among the possible H(xP,yP,zP,*) queries from the H-table then • Let be the probability thatω correctly guesses the value i ,then

  13. Proof of theorem • Case 2. S2 denotes A breaks the AKE security of P by breaking the PW security • (i)On-line dictionary attack • (ii)Off-line dictionary attack

  14. Proof of theorem • By (1) and (2)

  15. Conclusion • The proposed protocol requires only four steps to achieve mutual authentication and session key establishment • Given a formally proved in the random oracle model

More Related