
Identity-based authenticated key agreement protocol based on Weil pairing

Identity-based authenticated key agreement protocol based on Weil pairing. N.P. Smart, Electronics Letters, 20th June 2002, vol. 38, no. 13, pp. 630-632. Presented by J. Liu, 17/9/2002. Outline: Introduction, Weil pairing, AK and AKC protocols, System setup, Authenticated key exchange, Security


Presentation Transcript


  1. Identity-based authenticated key agreement protocol based on Weil pairing. N.P. Smart, Electronics Letters, 20th June 2002, vol. 38, no. 13, pp. 630-632. Presented by J. Liu, 17/9/2002

  2. Outline
     • Introduction
     • Weil pairing
     • AK and AKC protocols
     • System setup
     • Authenticated key exchange
     • Security
     • Three pass AKC protocol
     • Conclusion

  3. Introduction
     • The first key agreement protocol was the Diffie-Hellman key exchange protocol.
     • But basic Diffie-Hellman suffers from the man-in-the-middle attack (it does not authenticate the communicating parties).
     • This Letter describes a two-pass ID-based authenticated key agreement protocol based on the Weil pairing.

  4. Weil pairing
     • $G$: a prime-order subgroup of a supersingular elliptic curve $E$ over the finite field $\mathbb{F}_q$, with $O(G) = l$. $k$ is the smallest integer such that $l \mid q^k - 1$, where $q^k$ is large enough to make DLP
     • The Weil pairing is a map $\hat{e}: G \times G \to \mathbb{F}_{q^k}^*$ that is (1) bilinear; (2) non-degenerate: there exists $P \in G$ such that $\hat{e}(P,P) \neq 1$; (3) computable: $\hat{e}(P,Q)$ can be computed in polynomial time.

  5. AK and AKC protocols
     • Key derivation function $V: \mathbb{F}_{q^k}^* \to \{0,1\}^*$
     • Cryptographic hash function $H: \{0,1\}^* \to G$. $H(\#) = X$; if $X$ is an invalid x-coordinate in $G$, then take $X_i = X + i$ for $i = 0, 1, 2, \dots$ until $X_i$ is a valid x-coordinate in $G$.
     • It is easy to find and fix the y-coordinate from a valid x-coordinate.

  6. System setup
     • The key generation center (KGC) selects a secret key $s \in \{1, \dots, l-1\}$.
     • The KGC produces a random $P \in G$, computes $P_{KGS} = sP$, and publishes $(P, P_{KGS})$.
     • When a user with identity ID wishes to obtain a public/private key pair, the KGC computes $Q_{ID} = H(ID)$ (public) and $S_{ID} = sQ_{ID}$ (private).

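  7. Authenticated key exchange
     • A and B wish to agree on a key, and they have already obtained their private keys $S_A = sQ_A$ and $S_B = sQ_B$.
     • A and B use the ephemeral private keys $a$, $b$ to compute $T_A = aP$ and $T_B = bP$, and exchange $T_A$, $T_B$.
     • User A computes $k_A = \hat{e}(aQ_B, P_{KGS}) \cdot \hat{e}(S_A, T_B)$
     • User B computes $k_B = \hat{e}(bQ_A, P_{KGS}) \cdot \hat{e}(S_B, T_A)$
     • $K = V(k_A) = V(k_B)$, since $k_A = k_B = \hat{e}(aQ_B + bQ_A, sP)$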

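  8. Authenticated key exchange (cont.)
     • $k_A = \hat{e}(aQ_B, P_{KGS}) \cdot \hat{e}(S_A, T_B) = \hat{e}(aQ_B, sP) \cdot \hat{e}(sQ_A, bP) = \hat{e}(aQ_B, P_{KGS}) \cdot \hat{e}(bQ_A, sP) = \hat{e}(aQ_B + bQ_A, sP) = \hat{e}(bQ_A, sP) \cdot \hat{e}(aQ_B, sP) = \hat{e}(bQ_A, P_{KGS}) \cdot \hat{e}(sQ_B, aP) = \hat{e}(bQ_A, P_{KGS}) \cdot \hat{e}(S_B, T_A) = k_B$
     • The shared secret depends on $s$ and the two ephemeral keys $a$, $b$ ($Q_A$, $Q_B$).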

  9. Security
     • Known key security: Each run produces a different session key, and knowledge of past session key.
     • Forward secrecy: The KGC can determine all secret session keys by the following step: $k_A = \hat{e}(Q_B, T_A)^s \cdot \hat{e}(Q_A, T_B)^s = k_B$
     • Key control: Neither party can control the outcome of the session key.

  10. Three pass AKC protocol
     • As with the MQV protocol, it is trivial to add a key confirmation property to the scheme.
     • Here a MAC and the key derivation function $V$ are needed. Let $R = \hat{e}(aQ_B, P_{KGS}) = \hat{e}(bQ_A, P_{KGS})$ …???
     • The three pass AKC protocol

  11. Conclusion
     • This paper proposes an ID-based authenticated key agreement scheme that uses the Weil pairing.
     • The end of the paper shows how to add key confirmation to the basic protocol.
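
The setup, key exchange and KGC escrow computation from slides 6 to 9, as an added Python example that is not code from the paper or the presentation. It replaces the Weil pairing with a constructed toy bilinear map (points are stored as their scalar multiple of P, so discrete logs are trivial and it offers no security); the parameters, the use of SHA-256 for H and V, and all function names are assumptions.

```python
import hashlib
import secrets

# Constructed toy parameters: l prime, p = 2l + 1 prime, g of order l in F_p^*.
L_ORDER, P_FIELD, G_T = 1019, 2039, 4

def pairing(x, y):
    """Toy bilinear map e(xP, yP) = g^(xy). A point xP is stored as x mod l."""
    return pow(G_T, (x * y) % L_ORDER, P_FIELD)

def H(identity):
    """Toy hash of an ID onto a non-zero element of G (Q_ID)."""
    d = int.from_bytes(hashlib.sha256(identity.encode()).digest(), "big")
    return 1 + d % (L_ORDER - 1)

def V(k):
    """Key derivation function V on the pairing value (SHA-256 assumed here)."""
    return hashlib.sha256(str(k).encode()).hexdigest()

def kgc_setup():
    """KGC picks s in {1..l-1}; returns (s, P, P_KGS = sP) with P stored as 1."""
    s = 1 + secrets.randbelow(L_ORDER - 1)
    return s, 1, s % L_ORDER

def extract(s, identity):
    """Private key S_ID = s * Q_ID issued by the KGC."""
    return (s * H(identity)) % L_ORDER

def session_key(eph, Q_peer, P_kgs, S_own, T_peer):
    """K = V( e(eph * Q_peer, P_KGS) * e(S_own, T_peer) )."""
    k = pairing(eph * Q_peer % L_ORDER, P_kgs) * pairing(S_own, T_peer) % P_FIELD
    return V(k)

def kgc_escrow(s, Q_A, Q_B, T_A, T_B):
    """KGC recomputes K from s and the public T_A, T_B: e(Q_B,T_A)^s * e(Q_A,T_B)^s."""
    k = pow(pairing(Q_B, T_A), s, P_FIELD) * pow(pairing(Q_A, T_B), s, P_FIELD) % P_FIELD
    return V(k)

def run_session(s, P, P_kgs, id_a="alice", id_b="bob"):
    """One protocol run; returns the keys seen by A, by B, and by the KGC."""
    Q_A, Q_B = H(id_a), H(id_b)
    S_A, S_B = extract(s, id_a), extract(s, id_b)
    a, b = (1 + secrets.randbelow(L_ORDER - 1) for _ in range(2))
    T_A, T_B = a * P % L_ORDER, b * P % L_ORDER   # exchanged in the clear
    K_A = session_key(a, Q_B, P_kgs, S_A, T_B)
    K_B = session_key(b, Q_A, P_kgs, S_B, T_A)
    return K_A, K_B, kgc_escrow(s, Q_A, Q_B, T_A, T_B)

if __name__ == "__main__":
    K_A, K_B, K_kgc = run_session(*kgc_setup())
    print("A == B:", K_A == K_B, "| KGC recovers key:", K_kgc == K_A)
```

The third return value matching the other two is the escrow property noted on the Security slide: the KGC needs only s and the public transcript to recover the session key.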
