Secure One-round Tripartite Authenticated Key Agreement Protocol from Weil pairing

Chu-Hsing Lin* and Hsiu-Hsia Lin
Department of Computer Sciences and Information Engineering, Tunghai University, 181 Taichung-kang Rd., Sec. 3, Taichung, 407 Taiwan, R.O.C
E-mail: [email protected]

Abstract

In 2000, Joux proposed a one-round protocol for tripartite Diffie-Hellman. In 2003, Shim presented an efficient one-round tripartite authenticated key agreement protocol based on the Weil pairing to resist the man-in-the-middle attack that appears in Joux's protocol. In this paper, we show that Shim's protocol still cannot withstand the insider attack and the key-compromise impersonation attack. We propose a secure one-round tripartite authenticated key agreement protocol to solve the existing problems.

Keywords: Weil pairing, man-in-the-middle attack, insider attack, key-compromise impersonation attack, tripartite authenticated key agreement.

1. Introduction

The first one-round tripartite Diffie-Hellman key agreement protocol [1] was proposed by Joux in 2000. However, the protocol does not authenticate the messages and therefore cannot resist the man-in-the-middle attack. To ensure the authenticity of the communicating entities, Shim [2] proposed an improved tripartite authenticated key agreement protocol in 2003. Shim incorporated certified public keys to avoid the attack on Joux's protocol. In this paper, we show that Shim's protocol suffers from some attacks, such as the insider attack and the key-compromise impersonation attack. We point out the weakness of Shim's protocol, and then propose a secure tripartite key agreement protocol with authentication to solve the problems.

2. Modified Weil pairing

The bilinear property of the Weil pairing is applied to reduce the communication rounds in the tripartite key agreement protocol. By the use of the Weil pairing, Joux's protocol [1] needs only one round of communication. Let p be a prime such that p ≡ 2 (mod 3) and p = 6q − 1 for some prime q > 3. Let E/F_p be the supersingular curve defined by y^2 = x^3 + 1 over F_p. Let P ∈ E/F_p be a generator of the group of points with order q = (p+1)/6. Let µ_q be the subgroup of F_{p^2}^* that contains all elements of order q. The Weil pairing on the curve E/F_p is a mapping e : G_q × G_q → µ_q. The modified Weil pairing is defined as ê : G_q × G_q → µ_q, ê(P, Q) = e(P, φ(Q)), where φ(x, y) = (ξx, y), 1 ≠ ξ ∈ F_{p^2}^* is a solution of x^3 − 1 = 0 (mod p), and G_q is the group of points with order q. The modified Weil pairing satisfies the following properties:
(i) Bilinear: ê(a·P, b·Q) = ê(P, Q)^{ab} for all P, Q ∈ E[q] and a, b ∈ Z.
(ii) Alternative: ê(P, Q) = ê(Q, P)^{-1}.
(iii) Non-degenerate: there exists a point P ∈ G_q such that ê(P, P) ≠ 1.
(iv) Polynomial-time computable: ê(P, Q) is computable in polynomial time.

3. Shim's tripartite key agreement protocol

Setup: A, B and C are three entities who want to agree on a common session key. The public domain parameters (p, q, E, P, ê) are common to all entities. Assume that the static public keys are exchanged via certificates. Cert_A denotes A's public-key certificate, containing her static public key Y_A = a·P, a unique identifier string of A, and a certification authority CA's signature on this information, where a is A's static private key. Similarly, Cert_B and Cert_C are the certificates for B and C, with Y_B = b·P and Y_C = c·P as their static public keys, where b and c are random numbers (used as the long-term private keys) selected by B and C, respectively.

Messages exchange: A (B and C) chooses a random number x (y and z) and computes T_A = x·Y_A (T_B = y·Y_B and T_C = z·Y_C), where x, y and z are used as the ephemeral private keys. Every one broadcasts the messages as follows:
A → B, C : T_A, Cert_A
B → A, C : T_B, Cert_B
C → A, B : T_C, Cert_C

Key generation: The keys computed by the three entities are as follows.

Proceedings of the 19th International Conference on Advanced Information Networking and Applications (AINA’05) 1550-445X/05 $20.00 © 2005 IEEE

K_A = ê(T_B, T_C)^{ax} · ê(Y_B, Y_C)^{a} = ê(P, P)^{axbycz} · ê(P, P)^{abc}
K_B = ê(T_A, T_C)^{by} · ê(Y_A, Y_C)^{b} = ê(P, P)^{axbycz} · ê(P, P)^{abc}
K_C = ê(T_A, T_B)^{cz} · ê(Y_A, Y_B)^{c} = ê(P, P)^{axbycz} · ê(P, P)^{abc}

The shared session key is then obtained as K = kdf(K_A || A || B || C) = kdf(K_B || A || B || C) = kdf(K_C || A || B || C), where kdf is a key derivation function.

4. Cryptanalysis of Shim's protocol

4.1. The insider attack

The insider attack [3] in a tripartite key agreement protocol means that one of the entities tries to impersonate another one of the entities. For instance, B is an insider attacker who might try to impersonate C (to fool A) into believing that he and C have participated in a key agreement protocol at the same time, while in fact C has not. If the insider attack is launched successfully against Shim's protocol, it could have damaging consequences: for example, if C acts as an on-line escrow agent or a referee.

Assumptions
(i) A, B and C: Legal entities present in the system.
(ii) Cert_A, Cert_B and Cert_C: The certificates of A, B and C, respectively, have been certified by a trusted CA.
(iii) B: The insider attacker wants to impersonate C to A and has obtained Cert_C previously.
(iv) C: The impersonated entity has no knowledge of this communication round.

Based on the above assumptions, the insider attacker B initiates a key agreement protocol and also plays another role C' (masquerading as C to fool A). Therefore, A mistakenly accepts C' as the real C.

Insider attack algorithm
(I1) B: T_C' = z'·Y_C = z'·(cP).
(I2) B → A, C' : {T_B, Cert_B}
(I3) C' → A, B : {T_C', Cert_C}
(I4) A → B, C' : {T_A, Cert_A}
(I5) The keys are computed as K_A = K_B = K_C' = ê(P, P)^{abcxyz'} · ê(P, P)^{abc}
(I6) K = kdf(K_A || A || B || C') = kdf(K_B || A || B || C') = kdf(K_C' || A || B || C')
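To make Shim's key generation and the insider attack of Section 4.1 concrete, here is an added Python example; it is not code from the paper. It replaces the curve and the Weil pairing with a constructed toy model: a point k·P of G_q is stored as the scalar k mod q, and ê(uP, vP) is computed as g^{uv} in an order-q subgroup of Z_p^*, which is bilinear and symmetric like the modified Weil pairing but has no security whatsoever (the representation exposes every discrete logarithm, so the model only checks the protocol algebra). The parameters q = 1019, p = 2039, g = 4, the sample scalars, the identity strings and the SHA-256 stand-in for kdf are all assumptions of the example. The honest run shows the three keys coincide; the insider run shows that B, using only C's certified public key Y_C and a scalar z' of its own choice (step I1), derives exactly the session key that A derives, which is the defect an unauthenticated ephemeral key leaves open.

```python
import hashlib

# Toy bilinear-map model, constructed for this example (no security: a "point"
# k*P of the order-q group G_q is stored as the scalar k mod q, so discrete
# logarithms are trivial; the model only lets us check the protocol algebra).
Q = 1019      # prime group order q
P_MOD = 2039  # 2039 = 2*1019 + 1, so Z_2039^* has a subgroup mu_q of order 1019
G = 4         # 4 generates that subgroup and plays the role of e(P, P)
P = 1         # the generator P itself is the scalar 1


def mul(s, point):
    """Scalar multiplication s * point in G_q."""
    return (s * point) % Q


def pair(u, v):
    """Modified Weil pairing e(uP, vP), modelled as g^(uv) mod p (bilinear, symmetric)."""
    return pow(G, (u * v) % Q, P_MOD)


def kdf(k, *ids):
    """Session key K = kdf(K_X || A || B || C); SHA-256 stands in for kdf (assumption)."""
    data = str(k).encode() + b"".join(b"||" + i.encode() for i in ids)
    return hashlib.sha256(data).hexdigest()


def shim_key(priv, eph, t1, y1, t2, y2):
    """Shim's key generation: K = e(T1, T2)^(priv*eph) * e(Y1, Y2)^priv,
    i.e. two pairings and two exponentiations per entity."""
    k1 = pow(pair(t1, t2), (priv * eph) % Q, P_MOD)
    k2 = pow(pair(y1, y2), priv, P_MOD)
    return (k1 * k2) % P_MOD


def shim_run(a, b, c, x, y, z):
    """Honest run: static keys Y = priv*P, ephemeral T = eph*Y, then the three
    session keys kdf(K_A || A || B || C), kdf(K_B || ...), kdf(K_C || ...)."""
    ya, yb, yc = mul(a, P), mul(b, P), mul(c, P)
    ta, tb, tc = mul(x, ya), mul(y, yb), mul(z, yc)
    ka = shim_key(a, x, tb, yb, tc, yc)
    kb = shim_key(b, y, ta, ya, tc, yc)
    kc = shim_key(c, z, ta, ya, tb, yb)
    ids = ("A", "B", "C")
    return kdf(ka, *ids), kdf(kb, *ids), kdf(kc, *ids)


def shim_insider_run(a, b, c, x, y, z_forged):
    """Section 4.1: insider B forges C's ephemeral key T_C' = z' * Y_C from C's
    certified public key alone (step I1); C is absent. Returns the session key
    A derives, believing C took part, and the one B derives from its own secrets."""
    ya, yb, yc = mul(a, P), mul(b, P), mul(c, P)
    ta, tb = mul(x, ya), mul(y, yb)
    tc_forged = mul(z_forged, yc)                 # B never needs c for this
    ka = shim_key(a, x, tb, yb, tc_forged, yc)    # A: e(T_B, T_C')^(ax) * e(Y_B, Y_C)^a
    kb = shim_key(b, y, ta, ya, tc_forged, yc)    # B: e(T_A, T_C')^(by) * e(Y_A, Y_C)^b
    ids = ("A", "B", "C")
    return kdf(ka, *ids), kdf(kb, *ids)


if __name__ == "__main__":
    honest = shim_run(7, 11, 13, 3, 5, 2)         # constructed sample scalars
    print("honest keys agree:", len(set(honest)) == 1)
    ka, kb = shim_insider_run(7, 11, 13, 3, 5, 9)
    print("insider B shares A's key although C is absent:", ka == kb)
```

The lesson for a protocol reviewer is in the last function: nothing in Shim's message {T_C, Cert_C} binds T_C to the holder of c, so any party holding the public certificate can manufacture an acceptable T_C' and a matching key.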

4.2. Key-compromise impersonation attack

The key-compromise impersonation attack means that an attacker who has compromised the long-term private key of one entity can not only impersonate the compromised entity but also impersonate the other entities to the compromised entity. For example, an outsider attacker E, who has compromised B's static private key b, can also impersonate the other two entities to B. The details are illustrated below.

Assumptions
(i) A, B and C: Legal entities present in the system.
(ii) Cert_A, Cert_B and Cert_C: The certificates of A, B and C, respectively, have been certified by a trusted CA.
(iii) E: The outsider attacker wants to impersonate both A and C and communicate with B. Note that E now owns the messages {b, T_B, Cert_B} and has obtained Cert_A and Cert_C.
(iv) A, C: The impersonated entities have no knowledge of this communication round.

The outsider attacker E pretends to be A and C, indicated as A' and C', respectively. E can initiate a key agreement protocol among the three entities A', B and C' and impersonate both A and C to cheat B. Therefore, B mistakenly believes that A' is the real A and C' is the real C.

Key-compromise impersonation algorithm
(K1) E: T_A' = u·P and T_C' = w·P
(K2) E → B : {T_A', Cert_A}, {T_C', Cert_C}
(K3) B → A', C' : {T_B, Cert_B}
(K4) A', B and C' compute K_A', K_B and K_C', respectively, and all are equal to ê(P, P)^{byuw} · ê(P, P)^{abc}
(K5) K = kdf(K_A' || A' || B || C') = kdf(K_B || A' || B || C') = kdf(K_C' || A' || B || C')

5. The proposed one-round tripartite key agreement protocol

Shim's protocol does not authenticate some messages (such as the public ephemeral keys T_A, T_B and T_C), which exposes it to the above attacks. We propose a secure one-round tripartite key agreement protocol with authentication, which authenticates the sender of each message to overcome Shim's defects and, at the same time, improves the generation of the secret keys. The protocol also satisfies the same security properties as Shim's.

Setup: The public domain parameters (p, q, E, P, ê, H) are common to all entities, where H : Z → Z is a predefined one-way hash function.

Messages exchange:
A → B, C : T_A = x·(aP), Cert_A, m_A = H(ax), s_A = (ax)^{-1}(m_A + a) mod q
B → A, C : T_B = y·(bP), Cert_B, m_B = H(by), s_B = (by)^{-1}(m_B + b) mod q
C → A, B : T_C = z·(cP), Cert_C, m_C = H(cz), s_C = (cz)^{-1}(m_C + c) mod q

Messages verification and key generation:
(i) A verifies the received messages and computes the secret key as follows: A computes Equations (2) and (3), and then checks whether Equations (5) and (6) hold simultaneously. If so, A computes the secret key using Equation (7).
(ii) B verifies the received messages and computes the secret key as follows: B computes Equations (1) and (3), and then checks whether Equations (4) and (6) hold simultaneously. If so, B computes the secret key using Equation (8).
(iii) C verifies the received messages and computes the secret key as follows: C computes Equations (1) and (2), and then checks whether Equations (4) and (5) hold simultaneously. If so, C computes the secret key using Equation (9).

t_A = s_A^{-1} mod q, u_A = (t_A · m_A) mod q    (1)
t_B = s_B^{-1} mod q, u_B = (t_B · m_B) mod q    (2)
t_C = s_C^{-1} mod q, u_C = (t_C · m_C) mod q    (3)
u_A·P + t_A·Y_A =? T_A    (4)
u_B·P + t_B·Y_B =? T_B    (5)
u_C·P + t_C·Y_C =? T_C    (6)
K_A = ê(Y_B + T_B, Y_C + T_C)^{a+ax} = ê(P, P)^{(a+ax)(b+by)(c+cz)}    (7)
K_B = ê(Y_A + T_A, Y_C + T_C)^{b+by} = ê(P, P)^{(a+ax)(b+by)(c+cz)}    (8)
K_C = ê(Y_A + T_A, Y_B + T_B)^{c+cz} = ê(P, P)^{(a+ax)(b+by)(c+cz)}    (9)

The generation of the secret key takes one less Weil pairing operation than Shim's. For example, in Shim's protocol K_A = ê(T_B, T_C)^{ax} · ê(Y_B, Y_C)^{a} = ê(P, P)^{axbycz} · ê(P, P)^{abc}, which needs two Weil pairing operations. However, computing the secret key K_A = ê(Y_B + T_B, Y_C + T_C)^{a+ax} = ê(P, P)^{(a+ax)(b+by)(c+cz)} in our protocol needs just one Weil pairing operation. Note that the session key derivation function is the same as Shim's.
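The following added Python example, which is not the paper's own code, runs the proposed protocol of Section 5 in the same constructed toy pairing model (a point k·P stored as the scalar k mod q, ê(uP, vP) = g^{uv} in an order-q subgroup of Z_p^*; no security, algebra only). It implements the message exchange, the verification equations (1) to (6) and the key generation equations (7) to (9), makes every party verify the other two senders before deriving anything, and then exercises two of the checks Section 6 relies on: a message built under any long-term key other than the certified one is rejected, and an intercepted (m, s) reused with T replaced by v·P is rejected. The parameters q = 1019, p = 2039, g = 4, SHA-256 reduced mod q as H, the SHA-256 stand-in for kdf, and the re-sampling of an ephemeral key for which s would be 0 mod q (a degenerate case the paper does not discuss) are assumptions of the example.

```python
import hashlib
import secrets

# Constructed toy pairing model (no security: a point k*P is stored as the
# scalar k mod q, so only the protocol algebra is being checked).
Q = 1019      # prime group order q
P_MOD = 2039  # 2*1019 + 1, so Z_2039^* has a subgroup mu_q of order 1019
G = 4         # generator of that subgroup, playing the role of e(P, P)
P = 1         # the generator P is the scalar 1


def mul(s, point):           # scalar multiplication in G_q
    return (s * point) % Q


def add(u, v):               # point addition in G_q
    return (u + v) % Q


def pair(u, v):              # modified Weil pairing e(uP, vP) modelled as g^(uv) mod p
    return pow(G, (u * v) % Q, P_MOD)


def H(n):
    """The hash H: Z -> Z of the setup; SHA-256 reduced mod q stands in for it (assumption)."""
    return int.from_bytes(hashlib.sha256(str(n).encode()).digest(), "big") % Q


def kdf(k, *ids):
    """kdf(K || A || B || C), with SHA-256 as the stand-in (assumption)."""
    return hashlib.sha256(str(k).encode() + "||".join(ids).encode()).hexdigest()


def fresh_ephemeral(priv):
    """Sample x so that the signature part is well defined: priv*x != 0 and
    m + priv != 0 (mod q); otherwise s = (priv*x)^-1 (m + priv) would be 0 and
    the verifier could not invert it. This re-sampling is an added check."""
    while True:
        x = secrets.randbelow(Q - 1) + 1
        k = (priv * x) % Q
        if k != 0 and (H(k) + priv) % Q != 0:
            return x


def make_message(priv, eph):
    """Messages exchange: T = eph*(priv*P), m = H(priv*eph), s = (priv*eph)^-1 (m + priv) mod q."""
    k = (priv * eph) % Q                 # the pre-message secret, e.g. ax
    m = H(k)
    s = (pow(k, -1, Q) * (m + priv)) % Q
    return mul(k, P), m, s


def verify(pub, t, m, s):
    """Equations (1)-(6): t' = s^-1 mod q, u = t'*m mod q, accept iff u*P + t'*Y == T."""
    if s % Q == 0:
        return False
    tt = pow(s, -1, Q)
    u = (tt * m) % Q
    return add(mul(u, P), mul(tt, pub)) == t


def derive_key(priv, eph, y1, t1, y2, t2):
    """Equations (7)-(9): K = e(Y1 + T1, Y2 + T2)^(priv + priv*eph), a single pairing."""
    return pow(pair(add(y1, t1), add(y2, t2)), (priv + priv * eph) % Q, P_MOD)


def run(a, b, c):
    """One round: each party verifies the two other senders, then derives its key."""
    ya, yb, yc = mul(a, P), mul(b, P), mul(c, P)
    x, y, z = fresh_ephemeral(a), fresh_ephemeral(b), fresh_ephemeral(c)
    msg_a, msg_b, msg_c = make_message(a, x), make_message(b, y), make_message(c, z)
    checks = {
        "A": verify(yb, *msg_b) and verify(yc, *msg_c),
        "B": verify(ya, *msg_a) and verify(yc, *msg_c),
        "C": verify(ya, *msg_a) and verify(yb, *msg_b),
    }
    if not all(checks.values()):
        raise ValueError("message verification failed: %s" % checks)
    ids = ("A", "B", "C")
    ka = derive_key(a, x, yb, msg_b[0], yc, msg_c[0])
    kb = derive_key(b, y, ya, msg_a[0], yc, msg_c[0])
    kc = derive_key(c, z, ya, msg_a[0], yb, msg_b[0])
    return kdf(ka, *ids), kdf(kb, *ids), kdf(kc, *ids)


def forgery_accepted(real_priv, wrong_priv):
    """Section 6 (iv): a message (T', m', s') built under a key c' is checked
    against the certified public key Y_C = c*P; True only if it passes."""
    pub = mul(real_priv, P)
    return verify(pub, *make_message(wrong_priv, fresh_ephemeral(wrong_priv)))


def replaced_t_accepted(priv):
    """Section 6 (vi): an intercepted (m, s) reused with T replaced by v*P, v != ax."""
    x = fresh_ephemeral(priv)
    _, m, s = make_message(priv, x)
    v = (priv * x + 1) % Q           # any v with v*P != T; constructed here
    return verify(mul(priv, P), mul(v, P), m, s)
```

Read `verify` against equation (4): t' = s^{-1} = ax/(m + a), so u·P + t'·Y_A = (ax·m + ax·a)/(m + a) · P = ax·P = T_A only when the signer's a matches the certified Y_A, which is why `forgery_accepted(13, 14)` is false while `forgery_accepted(13, 13)` is true.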

6. Security analysis

If E intends to compromise K_A, she can compute K = ê(Y_B + T_B, Y_C + T_C), where K ∈ µ_q, so that K_A is equal to K^{a+ax}. But she cannot compute the correct K_A; that is, she faces the hardness of the Bilinear Diffie-Hellman problem (BDHP) [4] for the pair of groups G_q, µ_q (given P, aP, axP, bP, byP, cP, czP with a, b, c, x, y and z chosen randomly, compute K = ê(P, P)^{(a+ax)(b+by)(c+cz)}). Our protocol also satisfies the following security attributes.

(i) Known session key security: In each run of the protocol, an entity randomly chooses a new ephemeral private key (x, y or z) to generate a unique session key. Thus, knowledge of a past session key does not contribute to compromising a future session key.

(ii) Forward secrecy: Suppose that an adversary compromises one or more long-term private keys (a, b and c). She cannot compute the previously established session key K_A = ê(Y_B + T_B, Y_C + T_C)^{a+ax} without the ephemeral private key x. Similarly, K_B and K_C cannot be computed without y and z, respectively.

(iii) Key-compromise impersonation attack: The compromise of entity A's long-term private key a will allow an adversary E to impersonate A, but it should not enable the adversary to impersonate the other entities to A. Suppose that E, impersonating B to A, forges the message T_B' = u·P and broadcasts {T_B', Cert_B} as B's messages, where u is chosen by E. Now A can compute K_A = ê(Y_B + T_B', Y_C + T_C)^{a+ax} = ê(P, P)^{(a+ax)(b+u)(c+cz)}, but E cannot compute K_B' = ê(Y_A + T_A, Y_C + T_C)^{b+u} (= ê(Y_B + T_B', Y_C + T_C)^{a+ax}), because she does not know b or ax. The protocol can withstand the key-compromise impersonation attack.

(iv) Insider attack: Assume insider B tries to fool A into accepting forged messages from C, making A believe that C participates in the protocol run. Suppose that B, impersonating C to A, forges the message T_C' = w·P and computes m_C' = H(w), s_C' = w^{-1}(m_C' + c') mod q. Then B broadcasts {T_C', Cert_C, m_C', s_C'} as C's messages, where w is chosen by B. When A verifies B's forged messages, the check fails. That is, B cannot forge C's message without the long-term private key c. Therefore, B cannot masquerade as C to A. The attack fails because every message is authenticated.

(v) No unknown key-share: The identities of the participants are included in the key derivation function of Shim's protocol and in ours as well. This offers unknown key-share resilience.

(vi) Attacks on the one-way hash function:
Pre-image resistance: If the one-way hash function H is pre-image resistant, then an adversary E cannot find "ax" such that m_A = H(ax); therefore, she cannot compute (ax)^{-1}, and so she cannot derive "a" from s_A = (ax)^{-1}(m_A + a) mod q.
Collision resistance: If the function H is collision resistant, there do not exist "ax1" and "v" such that m_A = H(ax1) = H(v). If protocol participant A sends T_A = (ax1)·P, m_A = H(ax1), s_A = (ax1)^{-1}(m_A + a) mod q, and E intercepts T_A and replaces it with T_A = v·P, she cannot pass the message verification.

(vii) Other attacks:
Pre-message secrets: If E learns a single pre-message secret "ax", then E can compute (ax)^{-1} and find "a" from s_A = (ax)^{-1}(m_A + a) mod q. However, she in fact faces an ECDLP instance (to find ax from T_A).
Repeated use of pre-message secrets: Since "x" is chosen randomly in each run (like a one-time signature), this attack cannot work.
Collecting message secrets: If E collects two messages s_A(1) = (ax1)^{-1}(m_A(1) + a) mod q and s_A(2) = (ax2)^{-1}(m_A(2) + a) mod q from A, she cannot find "a", "x1" and "x2" from the two equations s_A(1) = x1^{-1}(a^{-1}·m_A(1) + 1) mod q and s_A(2) = x2^{-1}(a^{-1}·m_A(2) + 1) mod q. If E collects more messages s_A(1), s_A(2), ... and s_A(n) from A, she still cannot find "a", "x1", "x2", ..., "xn" (n+1 unknowns in total) from n equations.

7. Comparison

For each entity, performance comparisons of Shim's protocol and our protocol are shown in Table 1. According to Menezes et al. [5], a Weil pairing requires a probabilistic polynomial (in log p) number of steps, where one step is equivalent to an addition in E/F_p [6]. Since this computation is very expensive, we remove one Weil pairing operation and one modular exponentiation from the secret key generation, while the computation of our protocol consists mostly of message authentication. Therefore, the computation of our protocol is one Weil pairing operation in E/F_p and one exponentiation modulo p less than Shim's, but additionally four point multiplications (namely computing kP, where P is an elliptic curve point and k is an integer) are required. Compared with point multiplications or the Weil pairing operation, the modular operations, inverses and hash functions can be ignored [7].

Table 1. Comparisons of Shim's protocol and our protocol

Phase                   Operation                 Shim's Protocol   Ours Protocol
Messages exchange       Point multiplication             1                1
Messages verification   Point multiplication             0                4
Key generation          Weil pairing                     2                1
Key generation          Modular exponentiation           2                1

Note that the methods of comparison refer to the references [8], [9] and [10].

8. Conclusion

In this paper, we analyze Shim's security weaknesses, and then propose a secure tripartite key agreement protocol with authentication to solve the existing problems. From the total-operations point of view, our protocol spends most of its effort on the authentication of the message sender, which exceeds Shim's by four point multiplications in E/F_p in the messages verification phase. But we also propose a faster key generation that combines the long-term key and the ephemeral key, whose cost is just half of that in Shim's protocol in the key generation phase. Our protocol resists the security weaknesses of Shim's and needs just one round of message sending.

Acknowledgements

This research was partially supported by the National Science Council, Taiwan, under grant NSC93-2213-E029-009.

References

[1] A. Joux, "A one-round protocol for tripartite Diffie-Hellman," Proceedings of the 4th International Algorithmic Number Theory Symposium (ANTS-IV), LNCS 1838, July 2000, pp. 385-394.
[2] K. Shim, "Efficient one-round tripartite authenticated key agreement protocol from Weil pairing," Electronics Letters, Vol. 39, no. 2, January 2003, pp. 208-209.
[3] S.S. Al-Riyami and K.G. Paterson, "Tripartite authenticated key agreement protocol from pairings," IMA Conference on Cryptography and Coding 2003, LNCS 2898, December 2003, pp. 332-359.
[4] D. Boneh and M. Franklin, "Identity-based encryption from the Weil pairing," SIAM Journal on Computing, Vol. 32, no. 3, 2003, pp. 586-615.
[5] A.J. Menezes, T. Okamoto, and S.A. Vanstone, "Reducing elliptic curve logarithms to logarithms in a finite field," IEEE Transactions on Information Theory, Vol. 39, no. 5, September 1993, pp. 1639-1646.
[6] K. Shim, "Efficient ID-based authenticated key agreement protocol based on Weil pairing," Electronics Letters, Vol. 39, no. 8, April 2003, pp. 653-654.
[7] A.J. Menezes, Elliptic Curve Public Key Cryptosystems, Kluwer Academic Publishers, 1993.
[8] Y. Xun, "An ID-based signature scheme from Weil pairing," IEEE Communications Letters, Vol. 7, no. 2, February 2003, pp. 76-78.
[9] Y. Xun, "Efficient ID-based key agreement from the Weil pairing," Electronics Letters, Vol. 39, no. 8, January 2003, pp. 206-208.
[10] B. Rana, D. Ratna, and S. Palash, "Extending Joux's protocol to multi party key," INDOCRYPT 2003, LNCS 2904, December 2003, pp. 205-217.
