Introduction Our CL-AKA Corrections in the Security Proof from LBG Conclusions
A Two-Party Certificateless
Authenticated Key Agreement Protocol
Denise Goya, Cleber Okida, Routo Terada
DCC – IME – USP
SBSeg 2010
Fapesp no. 2008/06189-0
Objectives
To present a new and more efficient CL-AKA protocol;
To fix some mistakes in the security proof of a previous CL-AKA protocol.
Summary
1 Introduction
2 Our CL-AKA
3 Corrections in the Security Proof from LBG
4 Conclusions
Key Agreement Protocol
A tool for parties to establish a shared secret key;
Via public channels;
Our focus:
Authenticated;
2-party;
2-pass;
Certificateless model.
Certificateless Public Key Cryptography
Al-Riyami and Paterson, 2003;
Identity-based variant;
Users have a public key.
KGC - Key Generation Centre
User Keys
User Keys - Partial Secret
User Keys - Secret Value
Certificateless Key Agreement (CL-AKA)
Implicit authentication;
Mutual authentication.
Certificateless Key Agreement (CL-AKA)
Swanson’s security model, 2008:
Strong security model;
Previously known protocols are insecure;
Lippold, Boyd and González-Nieto, 2009 (LBG protocol):
First proved secure in a strong security model.
CL-AKA – Security Properties
Swanson’s security model:
Resistance to Basic Impersonation Attacks;
Known Key Security;
Resistance to Unknown Key-Share (UKS) Attacks;
Weak Perfect Forward Secrecy (wPFS);
Resistance to Key-Compromise Impersonation (KCI) Attacks;
Resistance to Disclosure of Ephemeral Secrets;
KGC Forward Secrecy;
Security model from Lippold et al. adds:
Resistance to Leakage of Ephemeral Secrets to KGC;
Adversary can replace public keys.
Our CL-AKA Protocol
Phases:
Setup;
User Keys Generation;
Key Agreement:
Message Exchange;
Key Computation.
User Keys
User Keys + Random
Message Exchange
Key Computation - How Alice Computes (figure: Alice, Beto)
Key Computation - How Beto Computes (figure: Beto, Alice)
Our CL-AKA Protocol – Setup
KGC chooses the system parameters:
$q$, $G$ with a generator $P$, $G_T$;
an admissible bilinear pairing $e: G \times G \to G_T$;
a random $s \in \mathbb{Z}_q$ as master secret key;
$sP$ as master public key;
for a security parameter $n$, two cryptographic hash functions:
$H: \{0,1\}^* \to \{0,1\}^n$, $H_1: \{0,1\}^* \to G$.
Our CL-AKA Protocol – User Keys
Public values for the user $A$:
$ID_A$;
$Q_{1A} = H_1(ID_A)$;
$x_A P$ (public key, calculated by $A$).
Secret values:
$x_A \in \mathbb{Z}_q$ (secret value, chosen by $A$);
$d_{1A} = s Q_{1A}$ (partial secret key, calculated by KGC).
Our CL-AKA Protocol – Message Exchange
User $A$: randomly picks an ephemeral private key $r_A$ and computes $r_A P$.
User $B$: randomly picks an ephemeral private key $r_B$ and computes $r_B P$.
They exchange the following messages:
$A \to B: E_A = (r_A P, x_A P)$
$B \to A: E_B = (r_B P, x_B P)$
Our CL-AKA Protocol – Key Computation
$A$ computes:
$K_1 = e(r_B P + Q_{1B},\, r_A sP + d_{1A})$
$L_1 = e(Q_{1B}, sP)^{x_A} \cdot e(d_{1A}, x_B P)$
$N_1 = e(Q_{1B}, d_{1A})$
The session key is computed as
$SK = H(A, B, E_A, E_B, r_A P, r_B P, x_A x_B P, r_A r_B P, x_A r_B P, r_A x_B P, K_1, L_1, N_1)$
$B$ computes the same session key in a similar way.
Security Proof
Security model from Lippold et al.;
Random Oracle model;
Assumption: Gap Bilinear Diffie-Hellman (Gap BDH), or BDH if the partial secret is doubled.
Our CL-AKA Protocol (BDH)
Another hash: $H_2: G \to G$.
Another public value for the user $A$: $Q_{2A} = H_2(Q_{1A})$.
Another partial secret: $d_{2A} = s Q_{2A}$.
Our CL-AKA Protocol (BDH) – Key Computation
$A$ computes:
$K_1 = e(r_B P + Q_{1B},\, r_A sP + d_{1A})$, $K_2 = e(r_B P + Q_{2B},\, r_A sP + d_{2A})$
$L_1 = e(Q_{1B}, sP)^{x_A} \cdot e(d_{1A}, x_B P)$, $L_2 = e(Q_{2B}, sP)^{x_A} \cdot e(d_{2A}, x_B P)$
$N_1 = e(Q_{1B}, d_{1A})$, $N_2 = e(Q_{2B}, d_{2A})$
The session key is computed as
$SK = H(A, B, E_A, E_B, r_A P, r_B P, x_A x_B P, r_A r_B P, x_A r_B P, r_A x_B P, K_1, K_2, L_1, L_2, N_1, N_2)$
$B$ computes the same session key in a similar way.
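The protocol above as an added worked example (editor's code, not the authors'): a Python run of Setup, User Keys, Message Exchange and Key Computation on both sides, for the Gap BDH version ($K_1, L_1, N_1$) and the doubled BDH version ($K_i, L_i, N_i$, $i = 1, 2$), checking that $A$ and $B$ arrive at the same $SK$. The pairing is a constructed toy: $G$ is represented by discrete logarithms modulo the small prime $q = 1019$, so $e(aP, bP) = g^{ab}$ in the order-$q$ subgroup of $\mathbb{Z}_{2039}^*$ is trivially computable. That makes the group insecure (DLOG is free) and is only meant to exercise the algebra. The identities, the SHA-256 instantiation of $H$, $H_1$, $H_2$ and the length-prefixed encoding of the hash input are assumptions of this example.

```python
import hashlib
import secrets

# Toy parameters, constructed for this example and NOT secure: q = 1019 and
# p = 2q + 1 = 2039 are prime, so g = 4 generates the order-q subgroup of Z_p^*.
# The source group G of prime order q is modelled by discrete logarithms: a point
# xP is stored as the scalar x mod q (so P itself is the scalar 1). That makes the
# symmetric pairing e(aP, bP) = g^(a*b) mod p trivially computable and bilinear,
# which is all that is needed to check that A and B derive the same session key.
q, p, g = 1019, 2039, 4


def pairing(a_pt: int, b_pt: int) -> int:
    """e(aP, bP) = g^(a*b) in G_T, on the scalar representation of G."""
    return pow(g, (a_pt * b_pt) % q, p)


def rand_scalar() -> int:
    """Uniform non-zero element of Z_q."""
    return 1 + secrets.randbelow(q - 1)


def h1(data: bytes) -> int:
    """H1: {0,1}* -> G, modelled as a hash to a non-zero scalar (a non-identity point)."""
    return 1 + int.from_bytes(hashlib.sha256(data).digest(), "big") % (q - 1)


def h2(point: int) -> int:
    """H2: G -> G, only used by the doubled (plain-BDH) variant (assumed instantiation)."""
    return h1(b"H2|" + point.to_bytes(4, "big"))


def setup() -> tuple:
    """KGC picks the master secret s; the master public key sP is the scalar s here."""
    s = rand_scalar()
    return s, s


def user_keys(identity: bytes, s: int, doubled: bool) -> tuple:
    """Public values (ID, xP, Q_i) and secrets (x, d_i = s*Q_i) of one user.
    x is chosen by the user; d_i is the partial secret handed out by the KGC."""
    x = rand_scalar()
    qs = [h1(identity)]
    if doubled:
        qs.append(h2(qs[0]))
    pub = {"id": identity, "xP": x, "Q": qs}
    sec = {"x": x, "d": [(s * qi) % q for qi in qs]}
    return pub, sec


def session_key(me_pub, me_sec, r_me, peer_pub, peer_msg, sP, initiator):
    """One party's view of Key Computation. peer_msg is E_peer = (rP, xP) as received."""
    r_peer_P, x_peer_P = peer_msg
    x = me_sec["x"]
    ks, ls, ns = [], [], []
    # K_i = e(r_peer P + Q_i_peer, r_me sP + d_i_me), L_i = e(Q_i_peer, sP)^x * e(d_i_me, x_peer P),
    # N_i = e(Q_i_peer, d_i_me); i = 1 (Gap BDH) or i = 1, 2 (doubled, plain BDH).
    for Q_peer, d_me in zip(peer_pub["Q"], me_sec["d"]):
        ks.append(pairing((r_peer_P + Q_peer) % q, (r_me * sP + d_me) % q))
        ls.append(pow(pairing(Q_peer, sP), x, p) * pairing(d_me, x_peer_P) % p)
        ns.append(pairing(Q_peer, d_me))
    # Diffie-Hellman values; the hash input follows the fixed order A (initiator), B.
    my_msg = (r_me, me_pub["xP"])
    if initiator:  # I am A
        a, b, ea, eb, raP, rbP = me_pub, peer_pub, my_msg, peer_msg, r_me, r_peer_P
        xa_rbP, ra_xbP = x * r_peer_P % q, r_me * x_peer_P % q
    else:          # I am B: x_A r_B P = r_B (x_A P) and r_A x_B P = x_B (r_A P)
        a, b, ea, eb, raP, rbP = peer_pub, me_pub, peer_msg, my_msg, r_peer_P, r_me
        xa_rbP, ra_xbP = r_me * x_peer_P % q, x * r_peer_P % q
    xa_xbP, ra_rbP = x * x_peer_P % q, r_me * r_peer_P % q
    fields = [a["id"], b["id"], *ea, *eb, raP, rbP, xa_xbP, ra_rbP, xa_rbP, ra_xbP, *ks, *ls, *ns]
    h = hashlib.sha256()  # H: {0,1}* -> {0,1}^n; fields are length-prefixed to avoid ambiguity
    for f in fields:
        blob = f if isinstance(f, bytes) else f.to_bytes(4, "big")
        h.update(len(blob).to_bytes(2, "big") + blob)
    return h.hexdigest()


def run_protocol(doubled: bool = False) -> tuple:
    """Full run: Setup, User Keys, Message Exchange, Key Computation on both sides."""
    s, sP = setup()
    pubA, secA = user_keys(b"alice@example.org", s, doubled)  # constructed identities
    pubB, secB = user_keys(b"beto@example.org", s, doubled)
    rA, rB = rand_scalar(), rand_scalar()                      # ephemeral private keys
    EA, EB = (rA, pubA["xP"]), (rB, pubB["xP"])                # A -> B: E_A, B -> A: E_B
    skA = session_key(pubA, secA, rA, pubB, EB, sP, initiator=True)
    skB = session_key(pubB, secB, rB, pubA, EA, sP, initiator=False)
    return skA, skB


if __name__ == "__main__":
    for variant in (False, True):
        skA, skB = run_protocol(doubled=variant)
        print("doubled" if variant else "single", "partial secret: keys agree =", skA == skB)
```

Because both sides hash the same ordered transcript, the example also shows why the role order ($A$ first) must be fixed in $H$: each party substitutes its own secret into a different factor of $x_A r_B P$ and $r_A x_B P$, and only the agreed ordering makes the two hash inputs byte-identical.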
Security Proof
Our protocol is similar to LBG, except for $K_1$, $K_2$;
We could use parts of their security proof (and rewrite others);
But we found some mistakes in their proof, and we fixed them.
Strong Twin Bilinear Diffie-Hellman Problem
Defined and proved equivalent to BDH by Cash, Kiltz and Shoup, 2009;
Used to avoid the Gap Bilinear Diffie-Hellman Problem;
Main tool: Trapdoor Test Theorem.
LBG and Trapdoor Test Theorems Variants
Two new versions of the Trapdoor Test Theorem in LBG:
Additive double BDH Trapdoor Test;
Multiplicative double BDH Trapdoor Test.
Some mistakes in the original paper:
A misuse in the Additive double BDH Trapdoor Test (consequence of a wrong equation in the proof of Strategy 9);
Mistakes in equations (6) and (8) from the Multiplicative double BDH Trapdoor Test (and a wrong equation in the proof of Strategy 9).
To correct them:
A new Trapdoor Test variant;
Rewrite parts of: Multiplicative Test and proof of Strategy 9.
Double BDH Trapdoor Test
Theorem (conditions)
Let $G$ and $G_T$ be groups of prime order $q$ with $P \in G$ a generator of $G$. Let $e: G \times G \to G_T$ be an admissible bilinear pairing.
Suppose $B_1, D_1, y_1, y_2, z$ are mutually independent random variables, where $B_1, D_1$ take values in $G$, and each of $y_1, y_2, z$ is uniformly distributed over $\mathbb{Z}_q$. Define the random variables
$B_2 := y_1 P - z B_1$ and $D_2 := y_2 P - z D_1$.
Suppose that $A, X, Y$ are random variables taking values in $G$ and $A, X, Y, B_1, D_1$ are mutually independent. Further, suppose that $T_1, T_2$ are random variables taking values in $G_T$, each of which is defined as some function of $(A, X, Y, B_1, D_1)$ and $(A, X, Y, B_2, D_2)$. Write $X := xP$, $Y := yP$, $B_1 = b_1 P$, $B_2 = b_2 P$, $D_1 = d_1 P$ and $D_2 = d_2 P$.
Theorem (consequences)
Then we have:
(i) $B_2$ and $D_2$ are uniformly distributed over $G$;
(ii) $B_1$ and $B_2$ are independent, $D_1$ and $D_2$ are independent, and $B_2$ and $D_2$ are independent;
(iii) $xB_1$ and $yD_1$ are independent, and $xB_2$ and $yD_2$ are also independent;
(iv) The probability that the truth value of
$T_1^{z}\, T_2 \stackrel{?}{=} e(A,X)^{y_1} \cdot e(A,Y)^{y_2}$ (1)
does not agree with the truth value of
$T_1 = e(A,X)^{b_1} \cdot e(A,Y)^{d_1} \;\wedge\; T_2 = e(A,X)^{b_2} \cdot e(A,Y)^{d_2}$ (2)
is at most $1/q$; moreover, if (2) holds, then (1) certainly holds.
Double BDH Trapdoor Test
Proof:
similar to the one in Cash, Kiltz and Shoup, 2009
Corrections in Multiplicative double BDH Trapdoor Test
To be correct, the equation (6) in Theorem 3 from LBG would be:
$\dfrac{T_2}{T_1^{z^2}} \stackrel{?}{=} \dfrac{e(A,P)^{y_1 y_2}}{\left[e(A,C_1)^{y_1} \cdot e(A,B_1)^{y_2}\right]^{z}}$
And, in the proof of this theorem, the equation (8) would be:
$\left(\dfrac{T_1}{e(A,P)^{b_1 c_1}}\right)^{z^2} \stackrel{?}{=} \dfrac{T_2}{e(A,P)^{b_2 c_2}}$
Corrections in the Proof of the Strategy 9
To capture a valid query from the adversary about the $N_1$ and $N_2$ values, the correct test would be:
$\dfrac{N_2}{N_1^{z^2}} \stackrel{?}{=} \dfrac{e(aP,P)^{y_1 y_2}}{\left[e(aP,cP)^{y_1} \cdot e(aP,bP)^{y_2}\right]^{z}}$
To capture a valid query from the adversary about the $L_1$ and $L_2$ values, the correct test would be (by using the new theorem):
$L_1^{z}\, L_2 \stackrel{?}{=} e(aP, x_i P)^{y_2} \cdot e(aP, x_j P)^{y_1}$
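An added check (editor's code, not from the paper) of the Double BDH Trapdoor Test, of the corrected multiplicative equation (6), and of their use in Strategy 9, where the $N$-test is the multiplicative one with $A = aP$, $B_1 = bP$, $C_1 = cP$ and the $L$-test is the additive one with $X, Y$ the public keys $x_i P, x_j P$. It reuses the same constructed toy pairing as the key-agreement example (group elements stored as discrete logarithms mod $q = 1019$, insecure, for checking algebra only). Two things are exercised: honest $T_1, T_2$ always pass (second half of consequence (iv)), and a cheating pair with $T_1$ off by a factor $g$ passes for exactly one of the $q$ choices of $T_2$, i.e. with probability $1/q$ (first half of (iv)). The definition $C_2 := y_2 P - z C_1$ for the multiplicative variant is assumed by analogy with $D_2$ in the theorem; it is the one under which the corrected (6) holds.

```python
import random

# Same toy symmetric pairing as the key-agreement example (constructed, insecure):
# G is modelled by discrete logarithms mod the prime q = 1019, P is the scalar 1,
# G_T is the order-q subgroup of Z_p^* (p = 2q + 1 = 2039) generated by g = 4,
# and e(aP, bP) = g^(a*b) mod p. Only the algebra of the tests is being checked.
q, p, g = 1019, 2039, 4


def pairing(a_pt: int, b_pt: int) -> int:
    return pow(g, (a_pt * b_pt) % q, p)


def inv(t: int) -> int:
    """Multiplicative inverse in Z_p^* (pow with exponent -1 needs Python 3.8+)."""
    return pow(t, -1, p)


def additive_test(A, X, Y, y1, y2, z, T1, T2) -> bool:
    """Equation (1) of the Double BDH Trapdoor Test:
    T1^z * T2 == e(A,X)^y1 * e(A,Y)^y2. Uses only y1, y2, z, never b1, d1."""
    lhs = pow(T1, z, p) * T2 % p
    rhs = pow(pairing(A, X), y1, p) * pow(pairing(A, Y), y2, p) % p
    return lhs == rhs


def additive_honest(A, X, Y, B, D) -> int:
    """The value equation (2) demands: e(A,X)^b * e(A,Y)^d, where b, d are the
    dlogs of B, D (in this toy representation, the stored scalars themselves)."""
    return pow(pairing(A, X), B, p) * pow(pairing(A, Y), D, p) % p


def multiplicative_test(A, B1, C1, y1, y2, z, T1, T2) -> bool:
    """Corrected equation (6) of LBG's Theorem 3:
    T2 / T1^(z^2) == e(A,P)^(y1*y2) / [e(A,C1)^y1 * e(A,B1)^y2]^z."""
    lhs = T2 * inv(pow(T1, z * z, p)) % p
    inner = pow(pairing(A, C1), y1, p) * pow(pairing(A, B1), y2, p) % p
    rhs = pow(pairing(A, 1), y1 * y2, p) * inv(pow(inner, z, p)) % p
    return lhs == rhs


def multiplicative_honest(A, B, C) -> int:
    """e(A,P)^(b*c), the value the multiplicative test is meant to recognise."""
    return pow(pairing(A, 1), B * C, p)


def instance(seed: int) -> tuple:
    """A random instance: A, X, Y, B1, D1 in G and y1, y2, z in Z_q, plus the derived
    B2 = y1 P - z B1 and D2 = y2 P - z D1 from the theorem statement (C_i := D_i)."""
    rng = random.Random(seed)
    A, X, Y, B1, D1 = (rng.randrange(1, q) for _ in range(5))
    y1, y2, z = (rng.randrange(1, q) for _ in range(3))
    B2, D2 = (y1 - z * B1) % q, (y2 - z * D1) % q
    return A, X, Y, B1, D1, B2, D2, y1, y2, z


def honest_values_pass(seed: int = 1) -> bool:
    """Consequence (iv), second half: if (2) holds then (1) holds; likewise the
    corrected multiplicative test accepts T_i = e(A,P)^(b_i c_i)."""
    A, X, Y, B1, D1, B2, D2, y1, y2, z = instance(seed)
    add_ok = additive_test(A, X, Y, y1, y2, z,
                           additive_honest(A, X, Y, B1, D1), additive_honest(A, X, Y, B2, D2))
    mul_ok = multiplicative_test(A, B1, D1, y1, y2, z,
                                 multiplicative_honest(A, B1, D1), multiplicative_honest(A, B2, D2))
    return add_ok and mul_ok


def forgeries_that_pass(seed: int = 1) -> tuple:
    """Consequence (iv), first half: with T1 = honest * g and T2 = honest * g^delta,
    exactly one delta in Z_q fools each test (the test passes iff z + delta = 0,
    resp. delta = z^2, mod q), so a cheating query slips through with probability 1/q.
    Returns (additive count, multiplicative count) over all q values of delta."""
    A, X, Y, B1, D1, B2, D2, y1, y2, z = instance(seed)
    T1a, T2a = additive_honest(A, X, Y, B1, D1) * g % p, additive_honest(A, X, Y, B2, D2)
    T1m, T2m = multiplicative_honest(A, B1, D1) * g % p, multiplicative_honest(A, B2, D2)
    add = sum(additive_test(A, X, Y, y1, y2, z, T1a, T2a * pow(g, d, p) % p) for d in range(q))
    mul = sum(multiplicative_test(A, B1, D1, y1, y2, z, T1m, T2m * pow(g, d, p) % p) for d in range(q))
    return add, mul


if __name__ == "__main__":
    print("honest values pass:", honest_values_pass(7))
    print("forgeries passing out of", q, "candidates:", forgeries_that_pass(7))
```

The point of the trapdoor test, visible in the signatures, is that `additive_test` and `multiplicative_test` never touch $b_1, d_1, c_1$: the simulator in the proof knows only $y_1, y_2, z$ (it chose them when it set $B_2, D_2$), yet can decide a random-oracle query with error at most $1/q$.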
Protocols Comparison
Operation        | BDH Assumption | Gap BDH Assumption | Gap BDH + Storage
                 | LBG    Ours    | LBG    Ours        | LBG    Ours
Pairings         | 10     8       | 5      4           | 1      1
Expon. in G_T    | 0      0       | 0      0           | 1      0
Multipl. in G_T  | 4      2       | 2      1           | 1      0
Multipl. in G    | 7      6       | 5      5           | 4      5
Additions in G   | 0      4       | 0      2           | 0      2
Time (s)         | 29.62  23.65   | 15.66  13.07       | 6.72   5.22
Our protocol is about 20% faster than LBG.
Conclusion
We presented a new and more efficient CL-AKA protocol;
We fixed some mistakes in the security proof of the LBG protocol.