SBSeg2010 DeniseGoya ,CleberOkida,RoutoTerada ATwo-PartyCertiﬁcatelessAuthenticatedKeyAgreementProtocol

(1)

Introduction Our CL-AKA Corrections in the Security Proof from LBG Conclusions

A Two-Party Certificateless

Authenticated Key Agreement Protocol

Denise Goya, Cleber Okida, Routo Terada

DCC – IME – USP

SBSeg 2010

Fapesp no. 2008/06189-0

(2)

Objectives

To present a new and more efficient CL-AKA protocol;

To fix some mistakes in security proof of a previous CL-AKA protocol.

(3)

Summary

1 Introduction

2 Our CL-AKA

3 Corrections in the Security Proof from LBG

4 Conclusions

(4)

Summary

1 Introduction

2 Our CL-AKA

4 Conclusions

(5)

Key Agreement Protocol

A tool for parties establish a shared secret key;

Via public channels;

Our focus:

Authenticated; 2-party; 2-pass;

Certificateless model.

(6)

Key Agreement Protocol

A tool for parties establish a shared secret key;

Via public channels;

Our focus:

Authenticated;

2-party;

2-pass;

Certificateless model.

(7)

Certificateless Public Key Cryptography

Al-Riyami and Paterson, 2003;

Identity-based variant;

Users have a public key.

(8)

KGC - Key Generation Centre

(9)

User Keys

(10)

User Keys - Parcial Secret

(11)

User Keys - Secret Value

(12)

Certificateless Key Agreement (CL-AKA)

Implicit authentication;

Mutual authentication.

(13)

Certificateless Key Agreement (CL-AKA)

Swanson’s security model, 2008:

Strong security model;

Previously known protocols are insecure;

Lippold, Boyd and Gonz´alez-Nieto, 2009 (LBG protocol): First proved secure in a strong security model.

(14)

Certificateless Key Agreement (CL-AKA)

Swanson’s security model, 2008:

Strong security model;

Previously known protocols are insecure;

Lippold, Boyd and Gonz´alez-Nieto, 2009 (LBG protocol):

First proved secure in a strong security model.

(15)

CL-AKA – Security Properties

Swanson’s security model:

Resistance to Basic Impersonation Attacks;

Known Key Security;

Resistance to Unknown Key-Share (UKS) Attacks;

Weak Perfect Forward Secrecy (wPFS);

Resistance to Key-Compromise Impersonation (KCI) Attacks;

Resistance to Disclosure of Ephemeral Secrets;

KGC Forward Secrecy;

Security model from Lippold et al. adds:

Resistance to Leakage of Ephemeral Secrets to KGC.

.

(16)

CL-AKA – Security Properties

Swanson’s security model:

Resistance to Basic Impersonation Attacks;

Known Key Security;

Resistance to Unknown Key-Share (UKS) Attacks;

Weak Perfect Forward Secrecy (wPFS);

Resistance to Key-Compromise Impersonation (KCI) Attacks;

Resistance to Disclosure of Ephemeral Secrets;

KGC Forward Secrecy;

Security model from Lippold et al. adds:

Resistance to Leakage of Ephemeral Secrets to KGC;

Adversary canreplace public keys

(17)

Summary

1 Introduction

2 Our CL-AKA

4 Conclusions

(18)

Our CL-AKA Protocol

Phases:

Setup

User Keys Generation Key Agreement:

Message Exchange Key Computation

(19)

User Keys

(20)

User Keys + Random

(21)

Message Exchange

(22)

Message Exchange

(23)

Key Computation - How Alice Computes

Alice Beto

(24)

Key Computation - How Beto Computes

Beto Alice

(25)

Our CL-AKA Protocol – Setup

KGC chooses the system parameters:

q,G with a a generator P,G_T;

an admissible bilinear pairing e :G×G →G_T; a random s ∈Zq as master secret key;

sP as master public key;

for a security parametern, two cryptographic hash functions:

H:{0,1}^∗ → {0,1}ⁿ H₁:{0,1}^∗→G

(26)

Our CL-AKA Protocol – User Keys

Public values for the userA:

IDA

Q₁_A =H₁(ID_A)

x_AP (Public key, calculated by A) Secret Values:

x_A ∈Zq (Secret value, chosen by A)

d1_A =sQ1_A (Partial secret key, calculated by KGC)

(27)

Our CL-AKA Protocol – Message Exchange

UserA:

randomly picks an ephemeral private key r_A computes rAP

UserB:

randomly picks an ephemeral private key r_B computes r_BP

They exchange the following messages:

A→B :EA(rAP,xAP) B →A:E_B(r_BP,x_BP)

(28)

Our CL-AKA Protocol – Key Computation

Acomputes:

K1 =e(r_BP +Q1B,r_AsP+d1A) L₁ =e(Q₁_B,sP)^x^A·e(d₁_A,x_BP) N1 =e(Q1_B,d1_A)

The session key is computed as

SK =H(A,B,EA,EB,rAP,rBP,xAxBP,rArBP,xArBP,rAxBP, K₁,L₁,N₁)

B computes the same session key in a similar way.

(29)

Security Proof

Security model from Lippold et al.

Random Oracle model;

Assumption:

Gap Bilinear Diffie-Hellman (Gap BDH)or

BDH: if partial secret is doubled.

(30)

Security Proof

Security model from Lippold et al.

Random Oracle model;

Assumption:

Gap Bilinear Diffie-Hellman (Gap BDH)or BDH: if partial secret is doubled.

(31)

Our CL-AKA Protocol (BDH)

Another hash:

H₂:G →G

Another public value for the userA:

Q2_A =H2(Q1_A) Another Partial Secret:

d2A =sQ2A

(32)

Our CL-AKA Protocol (BDH) – Key Computation

Acomputes:

K1 =e(r_BP +Q1_B,r_AsP+d1_A) K₂ =e(r_BP +Q₂_B,r_AsP+d₂_A) L1 =e(Q1B,sP)^x^A·e(d1A,xBP) L2 =e(Q2_B,sP)^x^A·e(d2_A,x_BP) N₁ =e(Q₁_B,d₁_A)

N2 =e(Q2B,d2A)

The session key is computed as

SK =H(A,B,E_A,E_B,r_AP,r_BP,x_Ax_BP,r_Ar_BP,x_Ar_BP,r_Ax_BP, K1,K2,L1,L2,N1,N2)

B computes the same session key in a similar way.

(33)

Security Proof

Our protocol is similar to LBG, except forK₁,K₂;

We could use parts of their security proof (and rewrite others);

But we found some mistakes in their proof and then we fixed it.

(34)

Summary

1 Introduction

2 Our CL-AKA

4 Conclusions

(35)

Strong Twin Bilinear Diffie-Hellman Problem

Defined and proved equivalent to BDH by Cash, Kiltz and Shoup, 2009;

Used to avoid the Gap Bilinear Diffie-Hellman Problem;

Main tool: Trapdoor Test Theorem.

(36)

LBG and Trapdoor Test Theorems Variants

Two new versions of the Trapdoor Test Theorem in LBG:

Additive double BDH Trapdoor Test Multiplicative double BDH Trapdoor Test

A misuse in the Additive double BDH Trapdoor Test

(consequence of a wrong equation in the proof of Strategy 9) Mistakes in equations (6) and (8) from Multiplicative double BDH Trapdoor Test (and a wrong equation in the proof of Strategy 9)

To correct them:

A new Trapdoor Test variant

Rewrite parts of: Multiplicative Test and proof of Strategy 9

(37)

LBG and Trapdoor Test Theorems Variants

Additive double BDH Trapdoor Test Multiplicative double BDH Trapdoor Test Some mistakes in the original paper:

To correct them:

(38)

LBG and Trapdoor Test Theorems Variants

Additive double BDH Trapdoor Test Multiplicative double BDH Trapdoor Test Some mistakes in the original paper:

To correct them:

(39)

Double BDH Trapdoor Test

Theorem (conditions)

Let G and GT be groups of prime order q with P ∈G a generator of G . Let e:G ×G →G_T be an admissible bilinear pairing.

Suppose B₁,D₁,y₁,y₂,z are mutually independent random variables, where B1,D1 take values in G , and each of y1,y2,z is uniformly distributed overZq. Define the random variables

B₂ :=y₁P−zB₁ and D₂ :=y₂P −zD₁. Suppose that A,X,Y are random variables taking values in G and A,X,Y,B₁,D₁ are mutually independent. Further, suppose that T1,T2 are random variables taking values in G_T, each of which is defined as some function of(A,X,Y,B₁,D₁) and(A,X,Y,B₂,D₂). If X :=xP, Y :=yP, B1 =b1P, B2 =b2P, D1 =d1P and D2 =d2P

(40)

Double BDH Trapdoor Test

Theorem (consequences) Then we have:

(i) B₂ and D₂ are uniformly distributed over G ;

(ii) B1 and B2 are independent, D1 and D2 are independent, and B₂ and D₂ are independent;

(iii) xB₁ and yD₁ are independent, and xB₂ and yD₂ are also independent;

(iv) The probability that the truth value of

T₁^zT₂ =^? e(A,X)^y¹·e(A,Y)^y² (1) does not agree with the truth value of

T1 =e(A,X)^b¹·e(A,Y)^d¹ ∧ T2 =e(A,X)^b²·e(A,Y)^d² (2) is at most1/q, moreover, if (4) holds, then (3) certainly holds.

(41)

Double BDH Trapdoor Test

Proof:

similar to the one in Cash, Kiltz and Shoup, 2009

(42)

Corrections in Multiplicative double BDH Trapdoor Test

To be correct, the equation (6) in the Theorem 3 from LBG would be:

T₂ T1z²

=? e(A,P)^y¹^y² [e(A,C1)^y¹·e(A,B1)^y²]^z

T₁

e(A,P)^b¹^c¹ z²

=? T₂ e(A,P)^b²^c²

(43)

Corrections in Multiplicative double BDH Trapdoor Test

To be correct, the equation (6) in the Theorem 3 from LBG would be:

T₂ T1z²

=? e(A,P)^y¹^y² [e(A,C1)^y¹·e(A,B1)^y²]^z

And, in the proof of this theorem, the equation (8) would be:

T₁

e(A,P)^b¹^c¹ z²

=? T₂ e(A,P)^b²^c²

(44)

Corrections in the Proof of the Strategy 9

To capture a valid query from the adversary, aboutN₁ andN₂ values, the correct test would be:

N2

N₁^z²

=? e(aP,P)^y¹^y²

[e(aP,cP)^y¹·e(aP,bP)^y²]^z

values, the correct test would be (by using the new theorem): L₁^zL₂ =^? e(aP,x_iP)^y²·e(aP,x_jP)^y¹

(45)

Corrections in the Proof of the Strategy 9

To capture a valid query from the adversary, aboutN₁ andN₂ values, the correct test would be:

N2

N₁^z²

=? e(aP,P)^y¹^y²

[e(aP,cP)^y¹·e(aP,bP)^y²]^z

To capture a valid query from the adversary, aboutL1 andL2

values, the correct test would be (by using the new theorem):

L₁^zL₂ =^? e(aP,x_iP)^y²·e(aP,x_jP)^y¹

(46)

Summary

1 Introduction

2 Our CL-AKA

4 Conclusions

(47)

Protocols Comparison

BDH Gap BDH Gap BDH +

Assumption Assumption Storage

LBG Ours LBG Ours LBG Ours

Pairings 10 8 5 4 1 1

Expon. in G_T 0 0 0 0 1 0

Multipl. in G_T 4 2 2 1 1 0

Multipl. in G 7 6 5 5 4 5

Additions in G 0 4 0 2 0 2

Time (s) 29.62 23.65 15.66 13.07 6.72 5.22

Our protocol is about 20% faster than LBG.

(48)

Conclusion

We presented a new and more efficient CL-AKA protocol;

We fixed some mistakes in the security proof of LBG protocol.

(49)

Questions?

(50)