2010,Sep DeniseGoya(dhgoya@ime.usp.br) ATwo-PartyCertiﬁcatelessAuthenticatedKeyAgreementProtocol

(1)

Introduction LBG’s Protocol Our CL-AKA

A Two-Party Certificateless Authenticated Key Agreement Protocol

Denise Goya (dhgoya@ime.usp.br)

DCC – IME – USP

2010, Sep

Fapesp no. 2008/06189-0

(2)

Objectives

To fix some mistakes in a security proof of a CL-AKA protocol;

To present a new and more efficient protocol.

(3)

Summary

1 Introduction

2 LBG’s Protocol

3 Our CL-AKA

(4)

Summary

1 Introduction

2 LBG’s Protocol

3 Our CL-AKA

(5)

Key Agreement Protocol

A tool for parties establish a shared session key;

Via public channels;

Our focus:

Authenticated;

2-party;

2-pass / 1-round;

Certificateless model.

(6)

Certificateless Public Key Cryptography

Al-Riyami and Paterson, 2003;

Identity-based variant;

Users have a public key;

KGC: a trust party;

Users’ full secret key:

partial secret from KGC + secret value from user.

(7)

Certificateless Key Agreement (CL-AKA)

Implicit authentication;

Mutual authentication;

Advantages over PKI:

with no digital certificates; lighter infrastructure; potential: lower costs; Disadvantages over PKI:

less tested;

research in progress.

(8)

Certificateless Key Agreement (CL-AKA)

Implicit authentication;

Mutual authentication;

Advantages over PKI:

with no digital certificates;

lighter infrastructure;

potential: lower costs;

Disadvantages over PKI:

less tested;

research in progress.

(9)

Certificateless Key Agreement (CL-AKA)

Advantages over ID-based:

KGC trust level;

In ID: leakage of ephemeral key of either party ⇒ KGC is able to compute the session key;

Disadvantages over ID-based:

protocols are more complex;

slower.

(10)

Certificateless Key Agreement (CL-AKA)

Swanson’s model, 2008:

Strong security model;

Previously known protocols are insecure;

Lippold, Boyd and Gonz´alez-Nieto, 2009 (LBG protocol):

First proved secure in a strong security model.

(11)

CL-AKA – Security Properties

Swanson’s security model:

Resistance to Basic Impersonation Attacks;

Known Key Security;

Resistance to Unknown Key-Share (UKS) Attacks;

Weak Perfect Forward Secrecy (wPFS);

Resistance to Key-Compromise Impersonation (KCI) Attacks;

Resistance to Disclosure of Ephemeral Secrets;

KGC Forward Secrecy;

Security model from Lippold et al. adds:

Resistance to Leakage of Ephemeral Secrets to KGC.

(12)

Bilinear Pairing

LetG and GT be groups of prime orderq.

e:G×G →G_T is an admissible bilinear pairingif satisfies:

1 Bilinearity. For all P ∈G anda,b ∈Zq:

e(aP,bP) =e(P,P)^ab =e(abP,P) =e(P,abP)

2 Non-degeneracy. e(P,P)6= 1, withP a generator ofG;

3 Computability. There is an efficient algorithm to compute e(P,Q), for all P,Q ∈G.

(13)

Computational Problems

Computational Diffie-Hellman Problem (CDH) given:

a groupG and elementsaP,bP∈G find:

abP

Bilinear Diffie-Hellman Problem (BDH) given:

groupsG,G_T,

a pairinge:G×G →GT

and elementsaP,bP,cP∈G find:

e(P,P)^abc

CDH and BDH are assumed to be hard.

(14)

Computational Problems

Computational Diffie-Hellman Problem (CDH) given:

a groupG and elementsaP,bP∈G find:

abP

Bilinear Diffie-Hellman Problem (BDH) given:

groupsG,G_T,

a pairinge:G×G→GT

and elementsaP,bP,cP∈G find:

e(P,P)^abc

CDH and BDH are assumed to be hard.

(15)

Summary

1 Introduction

2 LBG’s Protocol

3 Our CL-AKA

(16)

LBG protocol

Phases:

Setup

User Keys Generation Key Agreement:

Message Exchange Key Computation

(17)

LBG protocol – Setup

KGC chooses the system parameters:

q,G with a a generator P,GT;

an admissible bilinear pairing e :G×G →G_T; a random s ∈Zq as master secret key;

sP as master public key;

for a security parameterk, three cryptographic hash functions:

H:{0,1}^∗ → {0,1}^k H₁:{0,1}^∗→G

H₂ :G →G

(18)

LBG protocol – User Keys

Public values for the userA:

IDA

Q1A =H1(IDA) Q₂_A =H₂(Q₁_A)

x_AP (Public key, calculated by A) Secret Values:

x_A ∈Zq (Secret value, chosen by A)

d1_A =sQ1_A (Partial secret key, calculated by KGC) d2A =sQ2A (Partial secret key, calculated by KGC)

(19)

LBG protocol – Message Exchange

UserA:

randomly picks an ephemeral private key r_A computes rAP

UserB:

randomly picks an ephemeral private key r_B computes r_BP

They exchange the following messages:

A→B :EA(rAP,xAP) B →A:E_B(r_BP,x_BP)

(20)

LBG protocol – Key Computation

Acomputes:

K1 =e(Q1_B,sP)^rÂ·e(d1_A,r_BP) K₂ =e(Q₂_B,sP)^rÂ·e(d₂_A,r_BP) L1 =e(Q1B,sP)^xÂ·e(d1A,xBP) L2 =e(Q2_B,sP)^xÂ·e(d2_A,x_BP) N₁ =e(Q₁_B,d₁_A)

N2 =e(Q2B,d2A)

The session key is computed as

SK =H(A,B,E_A,E_B,r_AP,r_BP,x_Ax_BP,r_Ar_BP,x_Ar_BP,r_Ax_BP, K1,K2,L1,L2,N1,N2)

B computes the same session key in a similar way.

(21)

Strong Twin Bilinear Diffie-Hellman Problem

Defined and proved equivalent to BDH by Cash, Kiltz and Shoup, 2009;

Used to avoid the Gap Bilinear Diffie-Hellman Problem;

Main tool: Trapdoor Test Theorem.

(22)

Trapdoor Test Theorem (CashKiltzShoup09)

Theorem (conditions)

Let G and GT be groups of prime order q with P ∈G a generator of G . Let e:G ×G →G_T be an admissible bilinear pairing.

Suppose B₁,y,z are mutually independent random variables, where B1 take values in G , and each of y,z is uniformly

distributed overZq. Define the random variable B2:=yP−zB1. Further, suppose that X,Y are random variables taking values in G and T₁,T₂ are random variables taking values in G_T, each of which is defined as some function of(B1,B2).

(23)

Trapdoor Test Theorem (CashKiltzShoup09)

Theorem (consequences) Then we have:

(i) B2 is uniformly distributed over G ; (ii) B₁ and B₂ are independent;

(iii) If B₁ =b₁P and B₂ =b₂P, then the probability that the truth value of

T₁^zT₂ =^? e(X,Y)^y (1) does not agree with the truth value of

T1=e(X,Y)^b¹ ∧ T2=e(X,Y)^b² (2) is at most1/q, moreover, if (2) holds, then (1) certainly holds.

(24)

LBG and Trapdoor Test Theorems Variants

Two new versions of the Trapdoor Test Theorem in LBG:

Additive double BDH Trapdoor Test Multiplicative double BDH Trapdoor Test

A misuse in the Additive double BDH Trapdoor Test

(consequence of a wrong equation in the proof of Strategy 9) Mistakes in equations (6) and (8) from Multiplicative double BDH Trapdoor Test (and a wrong equation in the proof of Strategy 9)

To correct them:

A new Trapdoor Test variant

Rewrite parts of: Multiplicative Test and proof of Strategy 9

(25)

LBG and Trapdoor Test Theorems Variants

Additive double BDH Trapdoor Test Multiplicative double BDH Trapdoor Test Some mistakes in the original paper:

To correct them:

(26)

LBG and Trapdoor Test Theorems Variants

Additive double BDH Trapdoor Test Multiplicative double BDH Trapdoor Test Some mistakes in the original paper:

To correct them:

(27)

Double BDH Trapdoor Test

Theorem (conditions)

Let G and GT be groups of prime order q with P ∈G a generator of G . Let e:G ×G →G_T be an admissible bilinear pairing.

Suppose B₁,D₁,y₁,y₂,z are mutually independent random variables, where B1,D1 take values in G , and each of y1,y2,z is uniformly distributed overZq. Define the random variables

B₂ :=y₁P−zB₁ and D₂ :=y₂P −zD₁. Suppose that A,X,Y are random variables taking values in G and A,X,Y,B₁,D₁ are mutually independent. Further, suppose that T1,T2 are random variables taking values in G_T, each of which is defined as some function of(A,X,Y,B₁,D₁) and(A,X,Y,B₂,D₂). If X :=xP, Y :=yP, B1 =b1P, B2 =b2P, D1 =d1P and D2 =d2P

(28)

Double BDH Trapdoor Test

Theorem (consequences) Then we have:

(i) B₂ and D₂ are uniformly distributed over G ;

(ii) B1 and B2 are independent, D1 and D2 are independent, and B₂ and D₂ are independent;

(iii) xB₁ and yD₁ are independent, and xB₂ and yD₂ are also independent;

(iv) The probability that the truth value of

T₁^zT₂ =^? e(A,X)^y¹·e(A,Y)^y² (3) does not agree with the truth value of

T1 =e(A,X)^b¹·e(A,Y)^d¹ ∧ T2 =e(A,X)^b²·e(A,Y)^d² (4) is at most1/q, moreover, if (4) holds, then (3) certainly holds.

(29)

Double BDH Trapdoor Test

Proof:

similar to the one in Cash, Kiltz and Shoup, 2009

(30)

Corrections in Multiplicative double BDH Trapdoor Test

To be correct, the equation (6) in the Theorem 3 from LBG would be:

T₂ T1z²

=? e(A,P)^y¹^y² [e(A,C1)^y¹·e(A,B1)^y²]^z

T₁

e(A,P)^b¹^c¹ z²

=? T₂ e(A,P)^b²^c²

(31)

Corrections in Multiplicative double BDH Trapdoor Test

To be correct, the equation (6) in the Theorem 3 from LBG would be:

T₂ T1z²

=? e(A,P)^y¹^y² [e(A,C1)^y¹·e(A,B1)^y²]^z

And, in the proof of this theorem, the equation (8) would be:

T₁

e(A,P)^b¹^c¹ z²

=? T₂ e(A,P)^b²^c²

(32)

Corrections in the Proof of the Strategy 9

To capture a valid query from the adversary, aboutN₁ andN₂ values, the correct test would be:

N2

N₁^z²

=? e(aP,P)^y¹^y²

[e(aP,cP)^y¹·e(aP,bP)^y²]^z

values, the correct test would be (by using the new theorem): L₁^zL₂ =^? e(aP,x_iP)^y²·e(aP,x_jP)^y¹

(33)

Corrections in the Proof of the Strategy 9

To capture a valid query from the adversary, aboutN₁ andN₂ values, the correct test would be:

N2

N₁^z²

=? e(aP,P)^y¹^y²

[e(aP,cP)^y¹·e(aP,bP)^y²]^z

To capture a valid query from the adversary, aboutL1 andL2

values, the correct test would be (by using the new theorem):

L₁^zL₂ =^? e(aP,x_iP)^y²·e(aP,x_jP)^y¹

(34)

Summary

1 Introduction

2 LBG’s Protocol

3 Our CL-AKA

(35)

Our CL-AKA Protocol

It is almost the same as LBG Protocol

Same Setup, Users’ keys and Message Exchage In Key Computation: onlyK1,K2 are different Proof: changes in the proof for strategies 7 and 8

(36)

Our CL-AKA Protocol

Phases:

Setup

User Keys Generation Key Agreement:

Message Exchange Key Computation

(37)

Our CL-AKA Protocol – Setup

KGC chooses the system parameters:

q,G with a a generator P,GT;

an admissible bilinear pairing e :G×G →G_T; a random s ∈Zq as master secret key;

sP as master public key;

for a security parameterk, three cryptographic hash functions:

H:{0,1}^∗ → {0,1}^k H₁:{0,1}^∗→G

H₂ :G →G

(38)

Our CL-AKA Protocol – User Keys

Public values for the userA:

IDA

Q1A =H1(IDA) Q₂_A =H₂(Q₁_A)

x_AP (Public key, calculated by A) Secret Values:

x_A ∈Zq (Secret value, chosen by A)

d1_A =sQ1_A (Partial secret key, calculated by KGC) d2A =sQ2A (Partial secret key, calculated by KGC)

(39)

Our CL-AKA Protocol – Message Exchange

UserA:

randomly picks an ephemeral private key r_A computes rAP

UserB:

randomly picks an ephemeral private key r_B computes r_BP

They exchange the following messages:

A→B :EA(rAP,xAP) B →A:E_B(r_BP,x_BP)

(40)

Our CL-AKA Protocol – Key Computation

Acomputes:

K1 =e(r_BP +Q1_B,r_AsP+d1_A) K₂ =e(r_BP +Q₂_B,r_AsP+d₂_A) L1 =e(Q1B,sP)^x^A·e(d1A,xBP) L2 =e(Q2_B,sP)^x^A·e(d2_A,x_BP) N₁ =e(Q₁_B,d₁_A)

N2 =e(Q2B,d2A)

The session key is computed as

SK =H(A,B,E_A,E_B,r_AP,r_BP,x_Ax_BP,r_Ar_BP,x_Ar_BP,r_Ax_BP, K1,K2,L1,L2,N1,N2)

B computes the same session key in a similar way.

(41)

Comparison

(42)

Conclusion

We fixed some mistakes in the security proof of LBG protocol;

We presented a new an more efficient CL-AKA protocol;

We have been working in the security proof of another CL-AKA: Kem2Aka.

(43)

Questions?

(44)