Multiparty Key Agreement for Secure Teleconferencing
2006 IEEE International Conference on Systems, Man, and Cybernetics October 8-11, 2006, Taipei, Taiwan

Multiparty Key Agreement for Secure Teleconferencing

Chu-Hsing Lin, Hsiu-Hsia Lin, and Jen-Chieh Chang

Abstract: Multiparty key agreement has many applications in internet services such as secure teleconferencing. A group of users can hold a conference securely over an open network by running a multiparty key agreement protocol to generate a common secret key. With the common secret key, data transmitted over the internet is protected for confidentiality. In 2003, Barua (INDOCRYPT 2003) first proposed a multiparty key agreement protocol using the Weil pairing. The protocol is based on ternary trees and Joux's tripartite key agreement. However, in Barua's protocol the number of communication rounds for n entities is $\lceil \log_3 n \rceil$, which grows with the number of participants. In this paper, we propose a new multiparty key agreement protocol from the Weil pairing that needs only a constant number of rounds. Besides, the message size, the total number of scalar multiplications, and the number of Weil pairing computations are reduced.

Index Terms: multiparty key agreement, tripartite authenticated key agreement protocol, conference key agreement, Weil pairing.

Manuscript received March 30, 2006. This paper is partially supported by the National Science Council, Taiwan, NSC-94-2213-E-029-001. Chu-Hsing Lin (corresponding author; phone: 886-4-23590121 ext 3287; fax: 886-4-23591567), Hsiu-Hsia Lin, and Jen-Chieh Chang are with the Department of Computer Science and Information Engineering, Tunghai University, Taichung, Taiwan.

1-4244-0100-3/06/$20.00 ©2006 IEEE

I. INTRODUCTION

Multiparty key agreement is an interesting research topic and has many applications in internet services such as secure teleconferencing. When a group of people want to hold a conference securely over an open network, they run a multiparty key agreement protocol to share a common secret key K. Using the common secret key, they can encrypt the messages to be shared with each other such that an adversary cannot decrypt them without the key. In this paper, we propose a new multiparty key agreement protocol based on the Weil pairing. We give two versions of the protocol: an authenticated version and an unauthenticated version. The proposed protocol uses the broadcast-network topology of Barua's protocol [1] (which is based on Joux's tripartite key agreement protocol [2]). We show that for n > 2, where n is the number of communicating parties, our protocols need a constant number of rounds (two rounds) of message transmission, independent of the number of participants. In Barua's protocol, the number of communication rounds for n entities is $\lceil \log_3 n \rceil$, which grows with the number of participants. Besides, the message size, the total number of scalar multiplications, and the number of Weil pairing computations used in our protocol are reduced.

The rest of the paper is organized as follows. The basic definition and properties of the bilinear pairing are described in Section II. We present the new multiparty key agreement protocol based on the Weil pairing in Section III. Section IV analyzes the security of the protocol. Section V shows the performance of the protocols and a comparison with Barua's protocol. Finally, we conclude in Section VI.

II. MODIFIED WEIL PAIRING

Let p be a prime such that $p \equiv 2 \pmod 3$ and $p = 6q - 1$ for some prime $q > 3$. Let E be the supersingular curve $y^2 = x^3 + 1$ over $F_p$. The set of rational points $E(F_p) = \{(x, y) \in F_p \times F_p : (x, y) \in E\} \cup \{O\}$ forms a cyclic group of order $p + 1$. Furthermore, because $p + 1 = 6q$, the points of order q in $E(F_p)$ form a cyclic subgroup of order q, denoted $G_q$. Let $P \in E(F_p)$ be a generator of this group of points of order $q = (p+1)/6$. Let $\mu_q$ be the subgroup of $F_{p^2}^*$ consisting of the q-th roots of unity. The Weil pairing on E is a map $e : E[q] \times E[q] \to \mu_q$; restricted to $G_q \times G_q$ it is trivial, because the Weil pairing is alternating. The modified Weil pairing is therefore defined as $\hat e : G_q \times G_q \to \mu_q$,


Authorized licensed use limited to: TUNG HAI UNIVERSITY. Downloaded on March 19, 2009 at 02:19 from IEEE Xplore. Restrictions apply.

$\hat e(P, Q) = e(P, \phi(Q))$, where $\phi(x, y) = (\zeta x, y)$ and $\zeta \in F_{p^2}^*$, $\zeta \neq 1$, is a solution of $x^3 - 1 = 0$ (no such $\zeta$ lies in $F_p$ because $p \equiv 2 \pmod 3$, so $\phi$ maps $G_q$ onto a different subgroup of $E(F_{p^2})[q]$). The modified Weil pairing then satisfies the following properties:

(1) Bilinear: $\hat e(aP, bQ) = \hat e(P, Q)^{ab}$ for all $P, Q \in G_q$ and $a, b \in \mathbb{Z}$.

(2) Symmetric: $\hat e(P, Q) = \hat e(Q, P)$. (The unmodified Weil pairing is alternating, $e(P, Q) = e(Q, P)^{-1}$, so that $e(P, P) = 1$; the distortion map $\phi$ is what makes property (3) possible.)

(3) Non-degenerate: there exists a point $P \in G_q$ such that $\hat e(P, P) \neq 1$.

(4) Polynomial-time computable: $\hat e(P, Q)$ is computable in polynomial time.

III. PROPOSED PROTOCOL

Suppose that n entities wish to agree on a common secret key; denote the entity set by $U = \{U_1, U_2, \ldots, U_n\}$. The public domain parameters $(p, q, E, P, \hat e)$ are common to all entities. In the authenticated version, we assume that the static public keys are exchanged via certificates. $Cert_i$ denotes $U_i$'s public-key certificate, containing the static public key $Y_i = a_i P$ (for $i = 1, 2, \ldots, n$), a unique identifier string $U_i$ (such as $U_i$'s name), and the signature of a certification authority (CA) on this information, where $a_i$ is a random number (used as the long-term private key) selected by $U_i$.

A. The unauthenticated protocol

The protocol uses the following parameters:
* $U_i$: a participant in a communication round.
* $x_i$: the short-term secret key randomly chosen by $U_i$.
* $T_i$, $X_i$: $U_i$'s public messages in each communication round.

Indices are taken cyclically modulo n, so that $U_{n+1} = U_1$ and $U_0 = U_n$.

Step 1. Messages exchange (Round 1): Each $U_i$, $i = 1, \ldots, n$, chooses a random number $x_i$, computes and broadcasts $T_i = x_i P$.

Step 2. Messages exchange (Round 2): Each $U_i$, $i = 1, \ldots, n$, computes and broadcasts
$$X_i = \hat e(T_{i+1}, T_{i+2} - T_{i-1})^{x_i}. \qquad (1)$$

Step 3. Key generation: Each $U_i$, $i = 1, \ldots, n$, computes $K_i$ as follows:
$$K_i = \hat e(T_{i+1}, nT_{i-1})^{x_i} \cdot X_i^{\,n-1} \cdot X_{i+1}^{\,n-2} \cdots X_{i-2}^{\,1} = \hat e(P, P)^{x_1x_2x_3 + x_2x_3x_4 + \cdots + x_{n-2}x_{n-1}x_n + x_{n-1}x_nx_1 + x_nx_1x_2}. \qquad (2)$$

B. The authenticated protocol

The protocol uses the following parameters:
* $U_i$: a participant in a communication round.
* $a_i$: the long-term secret (private) key randomly chosen by $U_i$.
* $Y_i$: the long-term public key computed by $Y_i = a_i P$.
* $Cert_i$: $U_i$'s long-term public-key certificate.
* $x_i$: the short-term (ephemeral) secret key randomly chosen by $U_i$.
* $T_i$, $X_i$: $U_i$'s public messages in each communication round.

Step 1. Messages exchange (Round 1): Each $U_i$, $i = 1, \ldots, n$, chooses a random number $x_i$, computes $T_i = x_i Y_i = x_i(a_i P)$ and broadcasts $T_i$ together with its certificate $Cert_i$.

Step 2. Messages exchange (Round 2): Each $U_i$, $i = 1, \ldots, n$, computes and broadcasts
$$X_i = \hat e\big(Y_{i+1} + T_{i+1},\ (Y_{i+2} + T_{i+2}) - (Y_{i-1} + T_{i-1})\big)^{a_i + a_i x_i}. \qquad (3)$$

Step 3. Key generation: Each $U_i$, $i = 1, \ldots, n$, computes $K_i$ as follows:
$$K_i = \hat e\big(Y_{i+1} + T_{i+1},\ n(Y_{i-1} + T_{i-1})\big)^{a_i + a_i x_i} \cdot X_i^{\,n-1} \cdot X_{i+1}^{\,n-2} \cdots X_{i-2}^{\,1}$$
$$= \hat e(P, P)^{(a_n + a_nx_n)(a_1 + a_1x_1)(a_2 + a_2x_2) + (a_1 + a_1x_1)(a_2 + a_2x_2)(a_3 + a_3x_3) + \cdots + (a_{n-1} + a_{n-1}x_{n-1})(a_n + a_nx_n)(a_1 + a_1x_1)}. \qquad (4)$$

Note that $Y_i + T_i = (a_i + a_i x_i)P$, so the authenticated version is the unauthenticated one with the ephemeral secret $x_i$ replaced by $a_i + a_i x_i$ and the broadcast $T_i$ replaced by $Y_i + T_i$; a party can only contribute a consistent $X_i$ if it knows the long-term key $a_i$ behind the certified $Y_i$.

Furthermore, in both the unauthenticated and the authenticated version, the common shared secret key is then obtained as $K = kdf(K_1 \| U_1 \| U_2 \| \cdots \| U_n) = kdf(K_2 \| U_1 \| U_2 \| \cdots \| U_n) = \cdots = kdf(K_n \| U_1 \| U_2 \| \cdots \| U_n)$, where $kdf$ is a key derivation function and the string $U_i$ is a unique identifier of entity $U_i$.
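Why every party ends up with the same value, for general n (an added derivation in the paper's own notation, not part of the original text; the Examples section instantiates it for n = 10): write $S_j = x_j x_{j+1} x_{j+2}$ with indices modulo n, and $g = \hat e(P, P)$. By bilinearity,
$$X_i = \hat e(T_{i+1}, T_{i+2} - T_{i-1})^{x_i} = g^{x_i x_{i+1}(x_{i+2} - x_{i-1})} = g^{S_i - S_{i-1}}, \qquad \hat e(T_{i+1}, nT_{i-1})^{x_i} = g^{nS_{i-1}},$$
so the exponent of $K_i$ in (2) is
$$nS_{i-1} + \sum_{k=0}^{n-2} (n-1-k)\,(S_{i+k} - S_{i+k-1}).$$
In the sum, $S_{i+m}$ for $0 \le m \le n-3$ appears with coefficient $(n-1-m) - (n-2-m) = 1$, $S_{i+n-2}$ appears with coefficient 1, and $S_{i-1}$ appears with coefficient $-(n-1)$; adding $nS_{i-1}$ leaves
$$K_i = g^{\sum_{j=1}^{n} S_j} = \hat e(P, P)^{x_1x_2x_3 + x_2x_3x_4 + \cdots + x_{n-1}x_nx_1 + x_nx_1x_2},$$
which does not depend on i. The authenticated version (3), (4) is the same computation with $x_j$ replaced by $a_j + a_jx_j$. (For n = 3 one has $T_{i+2} = T_{i-1}$, so every $X_i = 1$ and $K_i = \hat e(P, P)^{3x_1x_2x_3}$.)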

C. Examples

We give a simple example of the unauthenticated version for n = 10.

Step 1. Messages exchange (Round 1): Each $U_i$ ($i = 1, 2, \ldots, 10$) computes and broadcasts $T_i = x_iP$:
$$T_1 = x_1P,\ T_2 = x_2P,\ T_3 = x_3P,\ T_4 = x_4P,\ \ldots,\ T_{10} = x_{10}P.$$

Step 2. Messages exchange (Round 2): Each $U_i$ computes and broadcasts
$$X_i = \hat e(T_{i+1}, T_{i+2} - T_{i-1})^{x_i}: \qquad (5)$$
$$X_1 = \hat e(T_2, T_3 - T_{10})^{x_1},\ X_2 = \hat e(T_3, T_4 - T_1)^{x_2},\ X_3 = \hat e(T_4, T_5 - T_2)^{x_3},\ X_4 = \hat e(T_5, T_6 - T_3)^{x_4},\ X_5 = \hat e(T_6, T_7 - T_4)^{x_5},$$
$$X_6 = \hat e(T_7, T_8 - T_5)^{x_6},\ X_7 = \hat e(T_8, T_9 - T_6)^{x_7},\ X_8 = \hat e(T_9, T_{10} - T_7)^{x_8},\ X_9 = \hat e(T_{10}, T_1 - T_8)^{x_9},\ X_{10} = \hat e(T_1, T_2 - T_9)^{x_{10}}.$$

Step 3. Key generation: Each $U_i$ computes his/her $K_i$ as follows:
$$K_i = \hat e(T_{i+1}, 10\,T_{i-1})^{x_i} \cdot X_i^{\,9} \cdot X_{i+1}^{\,8} \cdots X_{i-2}^{\,1}. \qquad (6)$$
For example,
$$K_1 = \hat e(T_2, 10\,T_{10})^{x_1} \cdot X_1^9 X_2^8 X_3^7 X_4^6 X_5^5 X_6^4 X_7^3 X_8^2 X_9^1$$
$$= \hat e(x_2P, 10x_{10}P)^{x_1} \cdot \hat e(T_2, T_3 - T_{10})^{9x_1} \cdot \hat e(T_3, T_4 - T_1)^{8x_2} \cdot \hat e(T_4, T_5 - T_2)^{7x_3} \cdot \hat e(T_5, T_6 - T_3)^{6x_4} \cdot \hat e(T_6, T_7 - T_4)^{5x_5}$$
$$\quad \cdot\ \hat e(T_7, T_8 - T_5)^{4x_6} \cdot \hat e(T_8, T_9 - T_6)^{3x_7} \cdot \hat e(T_9, T_{10} - T_7)^{2x_8} \cdot \hat e(T_{10}, T_1 - T_8)^{x_9}$$
$$= \hat e(P, P)^{x_1x_2x_3 + x_2x_3x_4 + x_3x_4x_5 + x_4x_5x_6 + x_5x_6x_7 + x_6x_7x_8 + x_7x_8x_9 + x_8x_9x_{10} + x_9x_{10}x_1 + x_{10}x_1x_2},$$
and
$$K_{10} = \hat e(T_1, 10\,T_9)^{x_{10}} \cdot X_{10}^9 X_1^8 X_2^7 X_3^6 X_4^5 X_5^4 X_6^3 X_7^2 X_8^1$$
$$= \hat e(x_1P, 10x_9P)^{x_{10}} \cdot \hat e(T_1, T_2 - T_9)^{9x_{10}} \cdot \hat e(T_2, T_3 - T_{10})^{8x_1} \cdot \hat e(T_3, T_4 - T_1)^{7x_2} \cdot \hat e(T_4, T_5 - T_2)^{6x_3} \cdot \hat e(T_5, T_6 - T_3)^{5x_4}$$
$$\quad \cdot\ \hat e(T_6, T_7 - T_4)^{4x_5} \cdot \hat e(T_7, T_8 - T_5)^{3x_6} \cdot \hat e(T_8, T_9 - T_6)^{2x_7} \cdot \hat e(T_9, T_{10} - T_7)^{x_8}$$
$$= \hat e(P, P)^{x_1x_2x_3 + x_2x_3x_4 + x_3x_4x_5 + x_4x_5x_6 + x_5x_6x_7 + x_6x_7x_8 + x_7x_8x_9 + x_8x_9x_{10} + x_9x_{10}x_1 + x_{10}x_1x_2}.$$
Carrying out the computation of $K_i$ in the same way for the remaining parties, we obtain $K_1 = K_2 = K_3 = K_4 = K_5 = K_6 = K_7 = K_8 = K_9 = K_{10}$.
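The two rounds of Section III, including the n = 10 pattern above, run end to end, as an added example (not the authors' code). It uses the paper's curve $y^2 = x^3 + 1$ with the tiny parameters p = 617, q = 103 (an assumption made so the Miller loop is short; a real deployment needs a pairing library and a q of about 256 bits), computes the modified pairing as the reduced Tate pairing with the distortion map $\phi(x, y) = (\zeta x, y)$ rather than the Weil pairing (both are bilinear and non-degenerate on $G_q$, which is all the protocol uses), takes SHA-256 as the unspecified kdf, numbers parties from 0, and assumes n >= 4 parties. One `agree` function runs both versions, since $Y_i + T_i = (a_i + a_ix_i)P$:

```python
"""Two-round multiparty key agreement of Lin, Lin and Chang on a toy instance of the
paper's curve y^2 = x^3 + 1.  Added example, not the authors' code.  Assumed: p = 617,
q = 103 (tiny; real use needs a pairing library and a ~256-bit q), the reduced Tate
pairing with the distortion map in place of the Weil pairing, SHA-256 as the
unspecified kdf, 0-based cyclic party indices, and n >= 4 parties."""
import hashlib

q = 103            # prime subgroup order, q > 3
p = 6 * q - 1      # 617 is prime and p = 2 (mod 3), as Section II requires

class Fp2:
    """F_{p^2} = F_p[w]/(w^2 + w + 1); w is a primitive cube root of unity."""
    def __init__(self, a, b=0):
        self.a, self.b = a % p, b % p
    def __eq__(self, o):
        return (self.a, self.b) == (o.a, o.b)
    def __mul__(self, o):  # (a + b w)(c + d w) with w^2 = -w - 1
        return Fp2(self.a * o.a - self.b * o.b, self.a * o.b + self.b * o.a - self.b * o.b)
    def __pow__(self, e):
        r, base = Fp2(1), self
        while e:
            if e & 1:
                r = r * base
            base, e = base * base, e >> 1
        return r
    def inv(self):
        return self ** (p * p - 2)

O = None           # point at infinity of E(F_p); affine points are (x, y) tuples

def slope(P, Q):   # chord slope, or tangent slope when P == Q (curve coefficient a = 0)
    if P == Q:
        return 3 * P[0] * P[0] * pow(2 * P[1], -1, p) % p
    return (Q[1] - P[1]) * pow(Q[0] - P[0], -1, p) % p

def add(P, Q):
    if P is O or Q is O:
        return Q if P is O else P
    if P[0] == Q[0] and (P[1] + Q[1]) % p == 0:
        return O
    lam = slope(P, Q)
    x3 = (lam * lam - P[0] - Q[0]) % p
    return (x3, (lam * (P[0] - x3) - P[1]) % p)

def mul(k, P):
    R = O
    while k:
        if k & 1:
            R = add(R, P)
        P, k = add(P, P), k >> 1
    return R

def miller_step(T, S, xQ, yQ):
    """l_{T,S} / v_{T+S} evaluated at phi(Q) = (w xQ, yQ) in E(F_{p^2}); T = -S is the vertical case."""
    if T[0] == S[0] and (T[1] + S[1]) % p == 0:
        return Fp2(-T[0], xQ)                       # x - x_T at x = w xQ, and T + S = O
    lam = slope(T, S)
    x3 = (lam * lam - T[0] - S[0]) % p
    line = Fp2(yQ - T[1] + lam * T[0], -lam * xQ)  # (y - y_T) - lam (x - x_T) at phi(Q)
    return line * Fp2(-x3, xQ).inv()                # divided by the vertical x - x_{T+S}

def ehat(P, Q):
    """e^(P, Q) = t_q(P, phi(Q)), phi(x, y) = (w x, y): reduced Tate pairing via Miller's loop."""
    xQ, yQ = Q
    f, T = Fp2(1), P
    for bit in bin(q)[3:]:                          # bits of q after the leading 1
        f = f * f * miller_step(T, T, xQ, yQ)
        T = add(T, T)
        if bit == "1":
            f = f * miller_step(T, P, xQ, yQ)
            T = add(T, P)
    assert T is O                                   # q P = O
    return f ** ((p * p - 1) // q)

def generator():
    """Order-q point: cubing is a bijection on F_p (p = 2 mod 3), and 6*(x, y) lies in G_q."""
    for y in range(2, p):
        R = mul(6, (pow((y * y - 1) % p, pow(3, -1, p - 1), p), y))
        if R is not O:
            return R

def agree(P, secrets):
    """Unauthenticated: secrets are x_i, Z_i = T_i = x_i P.  Authenticated: secrets are
    a_i + a_i x_i, Z_i = Y_i + T_i.  Same two rounds either way; returns every K_i."""
    n = len(secrets)
    Z = [mul(s, P) for s in secrets]                                     # round 1
    X = [ehat(Z[(i + 1) % n], add(Z[(i + 2) % n], (Z[i - 1][0], -Z[i - 1][1] % p)))
         ** secrets[i] for i in range(n)]                                # round 2
    keys = []
    for i in range(n):  # K_i = e^(Z_{i+1}, n Z_{i-1})^{s_i} * prod_k X_{i+k}^{n-1-k}
        K = ehat(Z[(i + 1) % n], mul(n, Z[i - 1])) ** secrets[i]
        for k in range(n - 1):
            K = K * X[(i + k) % n] ** (n - 1 - k)
        keys.append(K)
    return keys

def session_key(K, ids):  # kdf(K_i || U_1 || ... || U_n), identifiers length-prefixed
    h = hashlib.sha256(K.a.to_bytes(4, "big") + K.b.to_bytes(4, "big"))
    for u in ids:
        h.update(len(u).to_bytes(1, "big") + u)
    return h.hexdigest()
```

`agree(P, xs)` returns the list of $K_i$; all entries coincide and equal $\hat e(P, P)^{\sum_j x_jx_{j+1}x_{j+2}}$, and `agree(P, [(a + a * x) % q for a, x in zip(a_list, xs)])` is the authenticated run. `session_key` then gives $kdf(K_i \| U_1 \| \cdots \| U_n)$; the identifiers are length-prefixed so that two different identifier lists cannot hash to the same input, which is what the unknown key-share argument of Section IV relies on. Two things the toy leaves out that a deployment must not: the ephemeral $x_i$ must come from a cryptographic random source, and in the authenticated version each $Cert_j$ has to be verified before $Y_j$ is used in round 2.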

IV. SECURITY ANALYSIS

We analyze the security of the proposed protocols by inspecting attacks from both a passive adversary and an active adversary.

A. Passive adversary

A passive adversary (an eavesdropper) is not a participant; it tries to compute the common shared secret key by listening to the broadcast messages among the legitimate participants. A multiparty key agreement protocol is secure against a passive adversary if such an adversary is unable to obtain information about the common shared secret key by eavesdropping on the messages transmitted over the broadcast channel.

To prove this, we follow a well-known security assumption: we use the bilinear Diffie-Hellman problem (BDHP) to show that our protocol is secure against a passive adversary. A similar technique is used in the literature, for example in Boneh's scheme [3]. We say that a passive adversary cannot succeed under the assumption that solving the BDHP is infeasible. The BDHP is to compute $\hat e(P, P)^{abc}$ given $(P, aP, bP, cP)$. That is, given $T_1 = x_1P$, $T_2 = x_2P$, $T_3 = x_3P$ with $x_1, x_2, x_3$ chosen at random from $\mathbb{Z}_q$, the two tuples of random variables $(T_1, T_2, T_3, \hat e(P, P)^{x_1x_2x_3})$ and $(T_1, T_2, T_3, \Gamma)$, where $\Gamma$ is a random value in $\mu_q$, are computationally indistinguishable (this is the decisional form of the assumption, which is stronger than the computational form stated in the previous sentence). In other words, there is no efficient algorithm A satisfying
$$\big|\Pr[A(x_1P, x_2P, x_3P, \hat e(P, P)^{x_1x_2x_3}) = \text{true}] - \Pr[A(x_1P, x_2P, x_3P, \Gamma) = \text{true}]\big| > 1/Q(|q|) \qquad (7)$$
for any polynomial Q, where the probability is over the random choice of $x_1, x_2, x_3$ and $\Gamma$.

First, we consider a passive adversary against the unauthenticated protocol. If an eavesdropper E intends to compromise $K_i = \hat e(T_{i+1}, nT_{i-1})^{x_i} \cdot X_i^{\,n-1} X_{i+1}^{\,n-2} \cdots X_{i-2}^{\,1}$, she needs to compute $\Gamma = \hat e(T_{i+1}, nT_{i-1})^{x_i}$ (equal to $\hat e(P, P)^{n x_{i-1}x_ix_{i+1}}$) and $X = X_i^{\,n-1} X_{i+1}^{\,n-2} \cdots X_{i-2}^{\,1}$, where $\Gamma, X \in \mu_q$, and then she obtains $K_i = \Gamma \cdot X$. We assume that she can compute the value of $X$ from the public messages $X_j$. However, she cannot obtain $x_i$ from $X_i$ (equal to $\hat e(T_{i+1}, T_{i+2} - T_{i-1})^{x_i}$). Without knowing $x_{i-1}$, $x_i$ and $x_{i+1}$, she cannot compute the correct value of $\Gamma = \hat e(P, P)^{n x_{i-1}x_ix_{i+1}}$, because she faces the BDHP for the pair of groups $G_q$, $\mu_q$: computing $\hat e(P, P)^{x_{i-1}x_ix_{i+1}}$ (of which $\Gamma$ is the n-th power) given $P$, $x_{i-1}P$, $x_iP$, $x_{i+1}P$, where $x_{i-1}$, $x_i$ and $x_{i+1}$ are chosen randomly. That is, the two tuples of random variables $(T_{i-1}, T_i, T_{i+1}, \hat e(P, P)^{x_{i-1}x_ix_{i+1}})$ and $(T_{i-1}, T_i, T_{i+1}, \Gamma')$, where $\Gamma'$ is a random value in $\mu_q$, are computationally indistinguishable. In other words, there is no efficient algorithm A satisfying
$$\big|\Pr[A(x_{i-1}P, x_iP, x_{i+1}P, \hat e(P, P)^{x_{i-1}x_ix_{i+1}}) = \text{true}] - \Pr[A(x_{i-1}P, x_iP, x_{i+1}P, \Gamma') = \text{true}]\big| > 1/Q(|q|) \qquad (8)$$
for any polynomial Q, where the probability is over the random choice of $x_{i-1}, x_i, x_{i+1}$ and $\Gamma'$. Therefore, she cannot easily compute the correct $K_i$.

Next, the case of a passive adversary against the authenticated protocol is similar. If E intends to compromise the session key $K_i = \hat e(Y_{i+1} + T_{i+1}, n(Y_{i-1} + T_{i-1}))^{a_i + a_ix_i} \cdot X_i^{\,n-1} X_{i+1}^{\,n-2} \cdots X_{i-2}^{\,1}$ of the authenticated protocol, she needs to compute $\Gamma = \hat e(Y_{i+1} + T_{i+1}, n(Y_{i-1} + T_{i-1}))^{a_i + a_ix_i}$ (equal to $\hat e(P, P)^{n(a_{i-1} + a_{i-1}x_{i-1})(a_i + a_ix_i)(a_{i+1} + a_{i+1}x_{i+1})}$) and $X = X_i^{\,n-1} X_{i+1}^{\,n-2} \cdots X_{i-2}^{\,1}$, where $\Gamma, X \in \mu_q$, and then she obtains $K_i = \Gamma \cdot X$. We assume that she can compute $X$ from the public messages $X_j$. However, she cannot compute $a_i$ and $a_ix_i$ correctly from the public value $X_i = \hat e(Y_{i+1} + T_{i+1}, (Y_{i+2} + T_{i+2}) - (Y_{i-1} + T_{i-1}))^{a_i + a_ix_i}$. Without the correct $a_i$ and $a_ix_i$, she cannot compute $\Gamma$, because she faces the BDHP for the pair of groups $G_q$, $\mu_q$: computing $\Gamma$ given $P$, $(a_{i-1} + a_{i-1}x_{i-1})P$, $(a_i + a_ix_i)P$ and $(a_{i+1} + a_{i+1}x_{i+1})P$, where $a_{i-1}, a_i, a_{i+1}, x_{i-1}, x_i$ and $x_{i+1}$ are chosen randomly. That is, the two tuples of random variables $\big(Y_{i-1} + T_{i-1},\ Y_i + T_i,\ Y_{i+1} + T_{i+1},\ \hat e(P, P)^{n(a_{i-1} + a_{i-1}x_{i-1})(a_i + a_ix_i)(a_{i+1} + a_{i+1}x_{i+1})}\big)$ and $(Y_{i-1} + T_{i-1},\ Y_i + T_i,\ Y_{i+1} + T_{i+1},\ \Gamma')$, where $\Gamma'$ is a random value in $\mu_q$, are computationally indistinguishable. In other words, there is no efficient algorithm A satisfying
$$\big|\Pr[A((a_{i-1} + a_{i-1}x_{i-1})P, (a_i + a_ix_i)P, (a_{i+1} + a_{i+1}x_{i+1})P, \hat e(P, P)^{n(a_{i-1} + a_{i-1}x_{i-1})(a_i + a_ix_i)(a_{i+1} + a_{i+1}x_{i+1})}) = \text{true}]$$
$$- \Pr[A((a_{i-1} + a_{i-1}x_{i-1})P, (a_i + a_ix_i)P, (a_{i+1} + a_{i+1}x_{i+1})P, \Gamma') = \text{true}]\big| > 1/Q(|q|) \qquad (9)$$
for any polynomial Q, where the probability is over the random choice of $a_{i-1}, a_i, a_{i+1}, x_{i-1}, x_i, x_{i+1}$ and $\Gamma'$. Therefore, she cannot easily compute the correct $K_i$.

B. Active adversary

An active adversary is a dishonest participant who tries to disrupt the establishment of a common key among all the participants, or to fool an honest participant into believing that he has computed the same common key as the other honest participants. We show that the proposed protocols have the following properties against an active adversary.

(1) Known-key security: In each run of the protocol an entity computes a new ephemeral private key $x_i$ to generate a unique session key. Thus, knowledge of a previous key does not help in deducing a new key.

(2) Forward secrecy: Suppose that a malicious adversary has compromised one or more long-term private keys $a_i$. He still cannot compute a previously established session key $K_i = \hat e(Y_{i+1} + T_{i+1}, n(Y_{i-1} + T_{i-1}))^{a_i + a_ix_i} \cdot X_i^{\,n-1} X_{i+1}^{\,n-2} \cdots X_{i-2}^{\,1}$ without knowing the ephemeral private key $x_i$.

(3) Key-compromise impersonation resilience: In a key-compromise impersonation attack, an attacker E who has compromised the long-term private key of one entity $U_i$ would not only impersonate the compromised entity but also impersonate any other entity to fool the compromised one. For example, an outsider E who has compromised $U_1$'s static private key $a_1$ tries to impersonate $U_2$ to fool $U_1$ by forging a message $T_2' = uP$, where u is chosen by E, and broadcasting $\{T_2', Cert_2\}$ as if it were sent by $U_2$. Now $U_1$ computes
$$K_1 = \hat e(Y_2 + T_2', n(Y_n + T_n))^{a_1 + a_1x_1} \cdot X_1^{\,n-1} X_2^{\,n-2} \cdots X_{n-1}^{\,1} = \hat e(P, P)^{(a_n + a_nx_n)(a_1 + a_1x_1)(a_2 + u) + (a_1 + a_1x_1)(a_2 + u)(a_3 + a_3x_3) + \cdots + (a_{n-1} + a_{n-1}x_{n-1})(a_n + a_nx_n)(a_1 + a_1x_1)}.$$
However, E cannot compute the matching
$$K_2' = \hat e(Y_3 + T_3, n(Y_1 + T_1))^{a_2 + u} \cdot X_2^{\,n-1} X_3^{\,n-2} \cdots X_n^{\,1},$$
because $Y_2 + T_2' = (a_2 + u)P$ and she knows neither $a_2$ nor $a_1x_1$. The attack fails, so the proposed protocol provides key-compromise impersonation resilience.

(4) Unknown key-share resilience: The identity of each participant is included in the key derivation function of the proposed protocol. This provides unknown key-share resilience, including resistance to the public-key substitution unknown key-share attack.

(5) No key control: Each entity in a run of the protocol chooses a new ephemeral private key $x_i$ to generate a unique session key. In our protocol, no participant can control or predict the value of the common session key.

These five properties are stated for the authenticated version, where every broadcast is tied to a certified long-term key. The unauthenticated version, like unauthenticated Diffie-Hellman, offers no protection against an active adversary who replaces a $T_i$ on the broadcast channel, since nothing binds $T_i$ to the identity $U_i$; it should only be used where the channel itself is authenticated.

V. PERFORMANCE ANALYSIS

The performance analysis includes the number of communication rounds, the message size, and the computation cost. In the following, we give the definitions of some notations.

Note that, in our protocol, the above four performance complexities are the same for both the unauthenticated case and the authenticated case. As shown in Table I, our protocol has better performance than Barua's.

TABLE I. COMPARISON OF BARUA'S AND OURS

                Unauthenticated               Authenticated
                Barua's          Ours         Barua's          Ours
R(n)            ⌈log₃ n⌉         2            ⌈log₃ n⌉         2
B(n)            ≤ 5(n−1)/2       2n           ≤ 5(n−1)         2n
E(n)            ≤ 5(n−1)/2       n            ≤ 9(n−1)         n
P(n)