Introduction LBG’s Protocol Our CL-AKA
A Two-Party Certificateless Authenticated Key Agreement Protocol
Denise Goya (dhgoya@ime.usp.br)
DCC – IME – USP
2010, Sep
Fapesp no. 2008/06189-0
Objectives
To fix some mistakes in a security proof of a CL-AKA protocol;
To present a new and more efficient protocol.
Summary
1 Introduction
2 LBG’s Protocol
3 Our CL-AKA
Key Agreement Protocol
A tool for two parties to establish a shared session key;
over public channels;
Our focus:
Authenticated;
2-party;
2-pass / 1-round;
Certificateless model.
Certificateless Public Key Cryptography
Al-Riyami and Paterson, 2003;
A variant of identity-based cryptography;
Users have a public key;
KGC (Key Generation Centre): a trusted party;
A user's full secret key:
partial secret key from the KGC + secret value chosen by the user.
Certificateless Key Agreement (CL-AKA)
Implicit authentication;
Mutual authentication;
Advantages over PKI:
no digital certificates;
lighter infrastructure;
potentially lower costs;
Disadvantages over PKI:
less tested;
research in progress.
Certificateless Key Agreement (CL-AKA)
Advantages over ID-based:
lower trust required in the KGC;
in ID-based: leakage of the ephemeral key of either party ⇒ the KGC is able to compute the session key;
Disadvantages over ID-based:
protocols are more complex;
slower.
Certificateless Key Agreement (CL-AKA)
Swanson’s model, 2008:
Strong security model;
Previously known protocols are insecure;
Lippold, Boyd and González-Nieto, 2009 (LBG protocol):
First proved secure in a strong security model.
CL-AKA – Security Properties
Swanson’s security model:
Resistance to Basic Impersonation Attacks;
Known Key Security;
Resistance to Unknown Key-Share (UKS) Attacks;
Weak Perfect Forward Secrecy (wPFS);
Resistance to Key-Compromise Impersonation (KCI) Attacks;
Resistance to Disclosure of Ephemeral Secrets;
KGC Forward Secrecy;
Security model from Lippold et al. adds:
Resistance to Leakage of Ephemeral Secrets to KGC.
Bilinear Pairing
Let $G$ and $G_T$ be groups of prime order $q$.
A map $e: G \times G \to G_T$ is an admissible bilinear pairing if it satisfies:
1 Bilinearity. For all $P \in G$ and $a, b \in \mathbb{Z}_q$:
$e(aP, bP) = e(P,P)^{ab} = e(abP, P) = e(P, abP)$
2 Non-degeneracy. $e(P,P) \neq 1$, with $P$ a generator of $G$;
3 Computability. There is an efficient algorithm to compute $e(P,Q)$ for all $P, Q \in G$.
Computational Problems
Computational Diffie-Hellman Problem (CDH)
given: a group $G$ and elements $aP, bP \in G$
find: $abP$
Bilinear Diffie-Hellman Problem (BDH)
given: groups $G, G_T$, a pairing $e: G \times G \to G_T$ and elements $aP, bP, cP \in G$
find: $e(P,P)^{abc}$
CDH and BDH are assumed to be hard.
Summary
1 Introduction
2 LBG’s Protocol
3 Our CL-AKA
LBG protocol
Phases:
Setup
User Keys Generation
Key Agreement:
Message Exchange
Key Computation
LBG protocol – Setup
KGC chooses the system parameters:
$q$, $G$ with a generator $P$, $G_T$;
an admissible bilinear pairing $e: G \times G \to G_T$;
a random $s \in \mathbb{Z}_q$ as master secret key;
$sP$ as master public key;
for a security parameter $k$, three cryptographic hash functions:
$H: \{0,1\}^* \to \{0,1\}^k$, $H_1: \{0,1\}^* \to G$, $H_2: G \to G$
LBG protocol – User Keys
Public values for the user A:
$ID_A$
$Q_{1A} = H_1(ID_A)$, $Q_{2A} = H_2(Q_{1A})$
$x_A P$ (public key, calculated by A)
Secret values:
$x_A \in \mathbb{Z}_q$ (secret value, chosen by A)
$d_{1A} = sQ_{1A}$ (partial secret key, calculated by the KGC)
$d_{2A} = sQ_{2A}$ (partial secret key, calculated by the KGC)
LBG protocol – Message Exchange
User A: randomly picks an ephemeral private key $r_A$ and computes $r_A P$
User B: randomly picks an ephemeral private key $r_B$ and computes $r_B P$
They exchange the following messages:
$A \to B: E_A = (r_A P, x_A P)$
$B \to A: E_B = (r_B P, x_B P)$
LBG protocol – Key Computation
A computes:
$K_1 = e(Q_{1B}, sP)^{r_A} \cdot e(d_{1A}, r_B P)$
$K_2 = e(Q_{2B}, sP)^{r_A} \cdot e(d_{2A}, r_B P)$
$L_1 = e(Q_{1B}, sP)^{x_A} \cdot e(d_{1A}, x_B P)$
$L_2 = e(Q_{2B}, sP)^{x_A} \cdot e(d_{2A}, x_B P)$
$N_1 = e(Q_{1B}, d_{1A})$
$N_2 = e(Q_{2B}, d_{2A})$
The session key is computed as
$SK = H(A, B, E_A, E_B, r_A P, r_B P, x_A x_B P, r_A r_B P, x_A r_B P, r_A x_B P, K_1, K_2, L_1, L_2, N_1, N_2)$
B computes the same session key in a similar way.
Strong Twin Bilinear Diffie-Hellman Problem
Defined and proved equivalent to BDH by Cash, Kiltz and Shoup, 2009;
Used to avoid relying on the Gap Bilinear Diffie-Hellman problem (i.e. on a decision oracle);
Main tool: the Trapdoor Test Theorem.
Trapdoor Test Theorem (Cash, Kiltz and Shoup, 2009)
Theorem (conditions)
Let $G$ and $G_T$ be groups of prime order $q$ with $P \in G$ a generator of $G$. Let $e: G \times G \to G_T$ be an admissible bilinear pairing.
Suppose $B_1, y, z$ are mutually independent random variables, where $B_1$ takes values in $G$, and each of $y, z$ is uniformly distributed over $\mathbb{Z}_q$. Define the random variable $B_2 := yP - zB_1$. Further, suppose that $X, Y$ are random variables taking values in $G$ and $T_1, T_2$ are random variables taking values in $G_T$, each of which is defined as some function of $(B_1, B_2)$.
Theorem (consequences) Then we have:
(i) $B_2$ is uniformly distributed over $G$;
(ii) $B_1$ and $B_2$ are independent;
(iii) If $B_1 = b_1 P$ and $B_2 = b_2 P$, then the probability that the truth value of
$T_1^{z} \, T_2 \stackrel{?}{=} e(X,Y)^{y}$ (1)
does not agree with the truth value of
$T_1 = e(X,Y)^{b_1} \;\wedge\; T_2 = e(X,Y)^{b_2}$ (2)
is at most $1/q$; moreover, if (2) holds, then (1) certainly holds.
LBG and Trapdoor Test Theorem Variants
Two new versions of the Trapdoor Test Theorem in LBG:
Additive double BDH Trapdoor Test;
Multiplicative double BDH Trapdoor Test.
Some mistakes in the original paper:
A misuse of the Additive double BDH Trapdoor Test (consequence of a wrong equation in the proof of Strategy 9);
Mistakes in equations (6) and (8) of the Multiplicative double BDH Trapdoor Test (and a wrong equation in the proof of Strategy 9).
To correct them:
A new Trapdoor Test variant;
Rewrite parts of: the Multiplicative Test and the proof of Strategy 9.
Double BDH Trapdoor Test
Theorem (conditions)
Let $G$ and $G_T$ be groups of prime order $q$ with $P \in G$ a generator of $G$. Let $e: G \times G \to G_T$ be an admissible bilinear pairing.
Suppose $B_1, D_1, y_1, y_2, z$ are mutually independent random variables, where $B_1, D_1$ take values in $G$, and each of $y_1, y_2, z$ is uniformly distributed over $\mathbb{Z}_q$. Define the random variables $B_2 := y_1 P - zB_1$ and $D_2 := y_2 P - zD_1$. Suppose that $A, X, Y$ are random variables taking values in $G$ and $A, X, Y, B_1, D_1$ are mutually independent. Further, suppose that $T_1, T_2$ are random variables taking values in $G_T$, each of which is defined as some function of $(A, X, Y, B_1, D_1)$ and $(A, X, Y, B_2, D_2)$. Let $X := xP$, $Y := yP$, $B_1 = b_1 P$, $B_2 = b_2 P$, $D_1 = d_1 P$ and $D_2 = d_2 P$.
Theorem (consequences) Then we have:
(i) $B_2$ and $D_2$ are uniformly distributed over $G$;
(ii) $B_1$ and $B_2$ are independent, $D_1$ and $D_2$ are independent, and $B_2$ and $D_2$ are independent;
(iii) $xB_1$ and $yD_1$ are independent, and $xB_2$ and $yD_2$ are also independent;
(iv) The probability that the truth value of
$T_1^{z} \, T_2 \stackrel{?}{=} e(A,X)^{y_1} \cdot e(A,Y)^{y_2}$ (3)
does not agree with the truth value of
$T_1 = e(A,X)^{b_1} \cdot e(A,Y)^{d_1} \;\wedge\; T_2 = e(A,X)^{b_2} \cdot e(A,Y)^{d_2}$ (4)
is at most $1/q$; moreover, if (4) holds, then (3) certainly holds.
Double BDH Trapdoor Test
Proof:
similar to the one in Cash, Kiltz and Shoup, 2009
Corrections in the Multiplicative double BDH Trapdoor Test
To be correct, equation (6) in Theorem 3 from LBG should read:
$\dfrac{T_2}{T_1^{z^2}} \stackrel{?}{=} \dfrac{e(A,P)^{y_1 y_2}}{\left[e(A,C_1)^{y_1} \cdot e(A,B_1)^{y_2}\right]^{z}}$ (6)
And, in the proof of this theorem, equation (8) should read:
$\left(\dfrac{T_1}{e(A,P)^{b_1 c_1}}\right)^{z^2} \stackrel{?}{=} \dfrac{T_2}{e(A,P)^{b_2 c_2}}$ (8)
Corrections in the Proof of Strategy 9
To capture a valid query from the adversary about the $N_1$ and $N_2$ values, the correct test is:
$\dfrac{N_2}{N_1^{z^2}} \stackrel{?}{=} \dfrac{e(aP,P)^{y_1 y_2}}{\left[e(aP,cP)^{y_1} \cdot e(aP,bP)^{y_2}\right]^{z}}$
To capture a valid query from the adversary about the $L_1$ and $L_2$ values, the correct test is (by using the new theorem):
$L_1^{z} \, L_2 \stackrel{?}{=} e(aP, x_i P)^{y_2} \cdot e(aP, x_j P)^{y_1}$
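The algebra behind the three tests used on these slides (the Cash-Kiltz-Shoup test (1), the double BDH test (3) and the corrected multiplicative test (6)) can be exercised on a toy pairing. The following Python is an added example, not the slides' or the LBG paper's code: it instantiates $G = (\mathbb{Z}_q, +)$ with $P = 1$ and $e(A,B) = g^{AB}$ in the order-$q$ subgroup of $\mathbb{Z}_p^*$ (with $q = 1019$, $p = 2039$ chosen here; the map is bilinear and non-degenerate but discrete logarithms in $G$ are trivial, so it checks only the identities, not any hardness assumption), then confirms that honest $(T_1, T_2)$ pass each test while a $T_2$ multiplied by a non-identity element always fails. The definitions $B_2 = y_1 P - zB_1$ and $C_2 = y_2 P - zC_1$ used for the multiplicative test are an assumption read off the corrected equation (6); the slides do not restate them.

```python
# Toy check of the three trapdoor tests on these slides (added example, not
# the authors' code).  G = (Z_q, +) with generator P = 1 and
# e(A, B) = g^(A*B mod q) mod p in the order-q subgroup of Z_p^*.  The map is
# bilinear and non-degenerate, but DLOG in G is trivial, so this only
# exercises the algebra of the tests, not their hardness assumptions.
import secrets

q = 1019                      # prime group order (toy size, assumption)
p = 2 * q + 1                 # 2039, prime, so Z_p^* has a subgroup of order q
g = pow(2, (p - 1) // q, p)   # generator of that subgroup, i.e. e(P, P)
P = 1                         # generator of G = Z_q; with P = 1, B1 = b1*P means b1 == B1

def smul(k, A): return (k * A) % q            # scalar multiplication kA in G
def pair(A, B): return pow(g, (A * B) % q, p) # e(A, B) = e(P,P)^(ab) for A = aP, B = bP
def inv(t): return pow(t, -1, p)              # inverse in G_T
def rand_scalar(): return secrets.randbelow(q - 1) + 1

# Cash-Kiltz-Shoup trapdoor test: B2 = yP - zB1, check (1): T1^z * T2 == e(X, Y)^y
def cks_setup(B1):
    y, z = rand_scalar(), rand_scalar()
    B2 = (smul(y, P) - smul(z, B1)) % q
    return B2, y, z

def cks_test(X, Y, T1, T2, y, z):
    return (pow(T1, z, p) * T2) % p == pow(pair(X, Y), y, p)

# Double BDH trapdoor test (the new variant): B2 = y1P - zB1, D2 = y2P - zD1,
# check (3): T1^z * T2 == e(A, X)^y1 * e(A, Y)^y2
def double_setup(B1, D1):
    y1, y2, z = rand_scalar(), rand_scalar(), rand_scalar()
    B2 = (smul(y1, P) - smul(z, B1)) % q
    D2 = (smul(y2, P) - smul(z, D1)) % q
    return B2, D2, y1, y2, z

def double_test(A, X, Y, T1, T2, y1, y2, z):
    lhs = (pow(T1, z, p) * T2) % p
    rhs = (pow(pair(A, X), y1, p) * pow(pair(A, Y), y2, p)) % p
    return lhs == rhs

# Multiplicative double BDH trapdoor test with the corrected equation (6).
# Assumes B2 = y1P - zB1 and C2 = y2P - zC1, so that b2*c2 expands to
# y1*y2 - z*(y1*c1 + y2*b1) + z^2*b1*c1, which is exactly what (6) encodes.
def mult_test(A, B1, C1, T1, T2, y1, y2, z):
    lhs = (T2 * inv(pow(T1, z * z, p))) % p                       # T2 / T1^(z^2)
    num = pow(pair(A, P), y1 * y2, p)                             # e(A,P)^(y1 y2)
    den = pow((pow(pair(A, C1), y1, p) * pow(pair(A, B1), y2, p)) % p, z, p)
    return lhs == (num * inv(den)) % p

def demo():
    """Run each test on honest (T1, T2) and on a tampered T2; return the six verdicts."""
    A, X, Y, B1, D1 = (rand_scalar() for _ in range(5))   # A = aP, X = xP, ... with P = 1
    bad = g                                                # e(P,P) != 1, used to spoil T2

    B2, y, z = cks_setup(B1)
    T1, T2 = pow(pair(X, Y), B1, p), pow(pair(X, Y), B2, p)        # honest: (2) holds
    single = (cks_test(X, Y, T1, T2, y, z), cks_test(X, Y, T1, T2 * bad % p, y, z))

    B2, D2, y1, y2, z = double_setup(B1, D1)
    T1 = pow(pair(A, X), B1, p) * pow(pair(A, Y), D1, p) % p       # honest: (4) holds
    T2 = pow(pair(A, X), B2, p) * pow(pair(A, Y), D2, p) % p
    double = (double_test(A, X, Y, T1, T2, y1, y2, z),
              double_test(A, X, Y, T1, T2 * bad % p, y1, y2, z))

    C1 = D1                                                # reuse D1 as C1
    B2, C2, y1, y2, z = double_setup(B1, C1)               # same B2/C2 construction
    T1, T2 = pow(pair(A, P), B1 * C1, p), pow(pair(A, P), B2 * C2, p)
    mult = (mult_test(A, B1, C1, T1, T2, y1, y2, z),
            mult_test(A, B1, C1, T1, T2 * bad % p, y1, y2, z))
    return single + double + mult

if __name__ == "__main__":
    print(demo())   # (True, False, True, False, True, False)
```

The tampered case fails with certainty here because multiplying $T_2$ by a fixed non-identity element shifts the left-hand side of each test while the right-hand side is unchanged; the $1/q$ bound in the theorems concerns an adversary who chooses $(T_1, T_2)$ without knowing $y, z$, which this toy does not model.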
Summary
1 Introduction
2 LBG’s Protocol
3 Our CL-AKA
Our CL-AKA Protocol
It is almost the same as the LBG protocol:
same Setup, User Keys and Message Exchange;
in Key Computation: only $K_1, K_2$ are different;
Proof: changes in the proof for Strategies 7 and 8.
Phases:
Setup
User Keys Generation
Key Agreement:
Message Exchange
Key Computation
Our CL-AKA Protocol – Setup
KGC chooses the system parameters:
$q$, $G$ with a generator $P$, $G_T$;
an admissible bilinear pairing $e: G \times G \to G_T$;
a random $s \in \mathbb{Z}_q$ as master secret key;
$sP$ as master public key;
for a security parameter $k$, three cryptographic hash functions:
$H: \{0,1\}^* \to \{0,1\}^k$, $H_1: \{0,1\}^* \to G$, $H_2: G \to G$
Our CL-AKA Protocol – User Keys
Public values for the user A:
$ID_A$
$Q_{1A} = H_1(ID_A)$, $Q_{2A} = H_2(Q_{1A})$
$x_A P$ (public key, calculated by A)
Secret values:
$x_A \in \mathbb{Z}_q$ (secret value, chosen by A)
$d_{1A} = sQ_{1A}$ (partial secret key, calculated by the KGC)
$d_{2A} = sQ_{2A}$ (partial secret key, calculated by the KGC)
Our CL-AKA Protocol – Message Exchange
User A: randomly picks an ephemeral private key $r_A$ and computes $r_A P$
User B: randomly picks an ephemeral private key $r_B$ and computes $r_B P$
They exchange the following messages:
$A \to B: E_A = (r_A P, x_A P)$
$B \to A: E_B = (r_B P, x_B P)$
Our CL-AKA Protocol – Key Computation
A computes:
$K_1 = e(r_B P + Q_{1B},\; r_A sP + d_{1A})$
$K_2 = e(r_B P + Q_{2B},\; r_A sP + d_{2A})$
$L_1 = e(Q_{1B}, sP)^{x_A} \cdot e(d_{1A}, x_B P)$
$L_2 = e(Q_{2B}, sP)^{x_A} \cdot e(d_{2A}, x_B P)$
$N_1 = e(Q_{1B}, d_{1A})$
$N_2 = e(Q_{2B}, d_{2A})$
Each of $K_1, K_2$ now costs one pairing instead of the two in LBG; by bilinearity, $K_1 = e(P,P)^{s(r_A + Q_{1A}')(r_B + Q_{1B}')}$ for the discrete logarithms $Q'$ of $Q_{1A}, Q_{1B}$, which is symmetric in A and B.
The session key is computed as
$SK = H(A, B, E_A, E_B, r_A P, r_B P, x_A x_B P, r_A r_B P, x_A r_B P, r_A x_B P, K_1, K_2, L_1, L_2, N_1, N_2)$
B computes the same session key in a similar way.
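As an added example (not the authors' code), the following Python runs one 2-pass exchange of both the LBG key computation and the variant above on the same toy pairing ($G = (\mathbb{Z}_q, +)$, $P = 1$, $e(A,B) = g^{AB}$ in the order-$q$ subgroup of $\mathbb{Z}_p^*$; bilinear but with trivial discrete logarithms, so it only checks the algebra). It derives the session key on both sides, checks that A and B agree for either choice of $K_1, K_2$, and counts the pairings each party evaluates. The hash functions (SHA-256 based), the identities and the toy parameters $q = 1019$, $p = 2039$ are assumptions made for the example.

```python
# Toy run of the LBG key computation and of the CL-AKA variant on these slides
# (added example, not the authors' code).  G = (Z_q, +) with P = 1, and
# e(A, B) = g^(A*B mod q) mod p in the order-q subgroup of Z_p^*.  This map is
# bilinear, but DLOG in G is trivial, so it only checks that both sides derive
# the same key and how many pairings each key computation costs.
import hashlib
import secrets

q = 1019                      # prime group order (toy size, assumption)
p = 2 * q + 1                 # 2039, prime
g = pow(2, (p - 1) // q, p)   # generator of the order-q subgroup of Z_p^*
P = 1                         # generator of G = Z_q
PAIRINGS = [0]                # counter to compare the cost of the two variants

def smul(k, A): return (k * A) % q            # scalar multiplication kA
def padd(A, B): return (A + B) % q            # point addition A + B
def rand_scalar(): return secrets.randbelow(q - 1) + 1

def pair(A, B):                               # e(A, B) = e(P, P)^(ab) for A = aP, B = bP
    PAIRINGS[0] += 1
    return pow(g, (A * B) % q, p)

def H1(ident):                                # H1: {0,1}* -> G (toy hash-to-group, assumption)
    h = hashlib.sha256(b"H1|" + ident.encode()).digest()
    return int.from_bytes(h, "big") % (q - 1) + 1

def H2(Q):                                    # H2: G -> G
    h = hashlib.sha256(b"H2|" + str(Q).encode()).digest()
    return int.from_bytes(h, "big") % (q - 1) + 1

def H(*parts):                                # H: {0,1}* -> {0,1}^k with k = 256
    return hashlib.sha256(b"|".join(str(x).encode() for x in parts)).hexdigest()

s = rand_scalar()                             # KGC master secret key
sP = smul(s, P)                               # master public key

class User:
    def __init__(self, ident):
        self.id = ident
        self.Q1 = H1(ident)
        self.Q2 = H2(self.Q1)
        self.d1 = smul(s, self.Q1)            # partial secret keys from the KGC
        self.d2 = smul(s, self.Q2)
        self.x = rand_scalar()                # secret value chosen by the user
        self.xP = smul(self.x, P)             # user public key

    def send(self):
        """Pick the ephemeral key r and emit the message E = (rP, xP)."""
        self.r = rand_scalar()
        self.rP = smul(self.r, P)
        return (self.rP, self.xP)

def key_computation(me, peer_id, peer_msg, i_am_A, lbg):
    """Session key as computed by `me`; `lbg` selects LBG's K1, K2 or the new ones."""
    Q1o, Q2o = H1(peer_id), H2(H1(peer_id))
    rPo, xPo = peer_msg
    if lbg:                                   # LBG: K_i = e(Q_iB, sP)^rA * e(d_iA, rB P)
        K1 = (pow(pair(Q1o, sP), me.r, p) * pair(me.d1, rPo)) % p
        K2 = (pow(pair(Q2o, sP), me.r, p) * pair(me.d2, rPo)) % p
    else:                                     # new: K_i = e(rB P + Q_iB, rA sP + d_iA)
        K1 = pair(padd(rPo, Q1o), padd(smul(me.r, sP), me.d1))
        K2 = pair(padd(rPo, Q2o), padd(smul(me.r, sP), me.d2))
    L1 = (pow(pair(Q1o, sP), me.x, p) * pair(me.d1, xPo)) % p
    L2 = (pow(pair(Q2o, sP), me.x, p) * pair(me.d2, xPo)) % p
    N1 = pair(Q1o, me.d1)
    N2 = pair(Q2o, me.d2)
    # Diffie-Hellman terms in the order the slides list them: xAxBP, rArBP, xArBP, rAxBP
    if i_am_A:
        dh = (smul(me.x, xPo), smul(me.r, rPo), smul(me.x, rPo), smul(me.r, xPo))
        ids, msgs = (me.id, peer_id), ((me.rP, me.xP), peer_msg)
    else:                                     # B: xA rB P = rB * (xA P), rA xB P = xB * (rA P)
        dh = (smul(me.x, xPo), smul(me.r, rPo), smul(me.r, xPo), smul(me.x, rPo))
        ids, msgs = (peer_id, me.id), (peer_msg, (me.rP, me.xP))
    rAP, rBP = msgs[0][0], msgs[1][0]
    return H(*ids, *msgs, rAP, rBP, *dh, K1, K2, L1, L2, N1, N2)

def run(lbg):
    """One 2-pass run; returns (SK at A, SK at B, pairings A evaluated)."""
    alice, bob = User("alice@example.org"), User("bob@example.org")   # constructed identities
    EA, EB = alice.send(), bob.send()         # A -> B: EA,  B -> A: EB
    PAIRINGS[0] = 0
    skA = key_computation(alice, bob.id, EB, True, lbg)
    cost = PAIRINGS[0]
    skB = key_computation(bob, alice.id, EA, False, lbg)
    return skA, skB, cost

if __name__ == "__main__":
    for name, lbg in (("LBG", True), ("new CL-AKA", False)):
        skA, skB, cost = run(lbg)
        print(f"{name}: keys agree={skA == skB}, pairings per party={cost}")
```

The pairing count follows directly from the formulas: LBG evaluates two pairings for each of $K_1, K_2, L_1, L_2$ and one for each of $N_1, N_2$ (ten per party), while the variant evaluates one pairing for each of $K_1, K_2$ (eight per party); exponentiations in $G_T$ and scalar multiplications in $G$ are not counted here.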
Comparison
Conclusion
We fixed some mistakes in the security proof of the LBG protocol;
We presented a new and more efficient CL-AKA protocol;
We have been working on the security proof of another CL-AKA: Kem2Aka.