ISBN 978-952-5726-02-2 (Print), 978-952-5726-03-9 (CD-ROM) Proceedings of the 2009 International Symposium on Information Processing (ISIP’09) Huangshan, P. R. China, August 21-23, 2009, pp. 325-328

Two-Party Attribute-based Key Agreement Protocol in the Standard Model
Hao Wang, QiuLiang Xu, and Xiu Fu
School of Computer Science and Technology, Shandong University, Jinan, China
Email: [email protected], [email protected], [email protected]

Abstract—We present a new two-party attribute-based key agreement protocol that is secure without random oracles in groups equipped with a bilinear map. An attribute-based key agreement scheme is a variant of identity-based key agreement in which the identity is viewed as a set of descriptive attributes. Such schemes provide new properties, such as hiding the identity of the individual, increasing the flexibility of key management, and providing efficient means to revoke users from the system.
Index Terms—attribute-based key agreement, without random oracles

I. INTRODUCTION

Key establishment is a process whereby two (or more) entities establish a shared secret key (session key). There are two approaches to key establishment between two entities. In one, one entity generates a session key and securely transmits it to the other; this is known as enveloping or key transport. More commonly, both entities contribute information from which a joint secret key is derived; this is known as key agreement. All the protocols discussed in this paper are of the latter form.

The first key agreement protocol based on asymmetric cryptography was proposed by Diffie and Hellman in 1976 [4]. In 1984, Shamir [11] introduced the concept of identity-based cryptosystems, in which a user's private key is generated by a trusted private key generator (PKG) and any party can derive the user's public key from his identity. An authenticated key agreement protocol is called identity-based if the users employ an identity-based asymmetric key pair, instead of a traditional public/private key pair, for authentication and for the determination of the established key.

In 2005, Sahai and Waters first presented the concept of attribute-based encryption (ABE) [10]. In an ABE system, users' keys and ciphertexts are labeled with sets of descriptive attributes, and a particular key can decrypt a particular ciphertext only if the attributes of the ciphertext and of the key match. Several further attribute-based cryptosystems followed [1, 8]. Based on the above works, Wang et al. presented the first two-party attribute-based key agreement protocol in [12]. In this protocol the two parties use the attribute information of the other party, instead of a traditional public key, to generate the session key shared between them. For example, Alice is an employee of department $D_a$ in company $C_a$, and Bob is an employee of group $G_b$ in department $D_b$ of company $C_b$. The attribute set of Alice is $\omega_A = (D_a, C_a)$ and that of Bob is $\omega_B = (G_b, D_b, C_b)$. They can use this attribute information as public keys to generate a session key. Moreover, attribute-based key agreement has a merit that identity-based key agreement does not have: it hides the identity of the individual. In the above example, Alice only learns that the other party is one of the employees of group $G_b$ in department $D_b$ of company $C_b$, but not who he or she is, and vice versa. This property is meaningful in practice, because in many settings hiding identity information is necessary.

Though Wang's scheme is practical, its security relies heavily on the random oracle model. In this paper we present a new two-party attribute-based key agreement protocol that is secure in the standard model (without random oracles).

The rest of the paper is organized as follows. In Section II we introduce the background knowledge of this paper. We propose our new two-party attribute-based key agreement protocol in Section III, and we formally prove its security by reduction to the truncated decision q-ABDHE assumption in Section IV. The conclusion of our work is given in Section V.

II. PRELIMINARIES

A. Pairings

Let $G_1$ and $G_2$ denote two groups of prime order $p$, where $G_1$ is a subgroup of the group of points on an elliptic curve and $G_2$ is a subgroup of the multiplicative group of a finite field; both groups are written multiplicatively throughout this paper. A pairing is a computable bilinear map between these two groups.
For the purposes of this paper, we let $e$ denote a general bilinear map $e : G_1 \times G_1 \to G_2$, which can be either a modified Weil pairing or a Tate pairing, and which has the following three properties:

Bilinear: if $P, Q \in G_1$ and $a, b \in \mathbb{Z}_p^*$, then $e(P^a, Q^b) = e(P, Q)^{ab}$.

Non-degenerate: there exists $P \in G_1$ such that $e(P, P) \neq 1$.

Computable: if $P, Q \in G_1$, one can compute $e(P, Q)$ in polynomial time.

Corresponding author: Qiu-Liang Xu, [email protected]

© 2009 ACADEMY PUBLISHER AP-PROC-CS-09CN002

B. Intractability Assumptions

The security of our attribute-based key agreement scheme is based on the truncated decision q-ABDHE assumption [7].

The truncated decision q-ABDHE assumption: Let $e : G_1 \times G_1 \to G_2$ be a bilinear map and $g$ a generator of $G_1$. We define the advantage function $\mathrm{Adv}^{q\text{-}abdhe}_{G_1,B}(k)$ of an adversary $B$ as

$$\mathrm{Adv}^{q\text{-}abdhe}_{G_1,B}(k) = \Bigl|\Pr\bigl[B(g^{x},\ldots,g^{x^{q}},\, g^{z},\, g^{z x^{q+2}},\, e(g,g)^{z x^{q+1}}) = 1\bigr] - \Pr\bigl[B(g^{x},\ldots,g^{x^{q}},\, g^{z},\, g^{z x^{q+2}},\, e(g,g)^{r}) = 1\bigr]\Bigr|,$$

where $x, z, r \in_R \mathbb{Z}_p$. We say that the truncated decision q-ABDHE assumption holds if $\mathrm{Adv}^{q\text{-}abdhe}_{G_1,B}(k)$ is negligible for all polynomial-time adversaries $B$.

III. OUR TWO-PARTY ATTRIBUTE-BASED KEY AGREEMENT PROTOCOL

Using the encryption scheme introduced by Fang et al. in [5], we construct an attribute-based two-party key agreement protocol that is secure in the standard model under the truncated decision q-ABDHE assumption. Our attribute-based key agreement protocol (ABKA) consists of the following algorithms: Setup, Key-Gen, and Key-Agreement.

Let $G_1, G_2$ be groups of prime order $p$ and $g$ a generator of $G_1$. We let $e$ denote an admissible bilinear map $e : G_1 \times G_1 \to G_2$. We define the Lagrange interpolation coefficient $\Delta_{i,S}$ for $i \in \mathbb{Z}_p$ and a set $S$ of elements of $\mathbb{Z}_p$ as the polynomial

$$\Delta_{i,S}(x) = \prod_{j \in S,\, j \neq i} \frac{x - j}{i - j}.$$

A user's attribute set $\omega$ is a subset of the universe $U$, where $U \subset \mathbb{Z}_p^*$. Suppose that Alice and Bob want to use the ABKA protocol to share a session key; $\omega_A$ and $\omega_B$ denote their attribute sets. A description of the scheme follows.

Setup: Define the universe $U = \{\mu_1, \ldots, \mu_{|U|}\}$ as the set of all possible attributes, every attribute being mapped to an element of $\mathbb{Z}_p^*$. Pick $x_0, \{x_i\}_{i \in U}, y_0 \in \mathbb{Z}_p^*$ at random (with $x_i \neq i$) and compute

$$X_0 = g^{x_0}, \qquad \{X_i\}_{i\in U} = \{g^{x_i}\}_{i\in U}, \qquad h = g^{y_0}, \qquad V = e(g, h).$$

Output the public parameters $params = (X_0, \{X_i\}_{i\in U}, V)$ and the master key $mk = (x_0, \{x_i\}_{i\in U}, y_0)$.

Key-Gen: To generate a private key for a user $M$ with attribute set $\omega_M$, two polynomials $P_1(x)$ and $P_2(x)$ of degree $|\omega_M| - 1$ are chosen at random. The private key for $\omega_M$ is

$$sk_{\omega_M} = \bigl\{(s_{M_1,i}, d_{M_1,i})_{i\in\omega_M},\ (s_{M_0}, d_{M_0})\bigr\},$$

where, for $i \in \omega_M$,

$$s_{M_1,i} = P_2(i), \qquad d_{M_1,i} = g^{\frac{P_1(i) - s_{M_1,i}}{x_i - i}},$$

and $s_{M_0} \in_R \mathbb{Z}_p$,

$$d_{M_0} = g^{\frac{y_0 - P_1(0) - s_{M_0}}{x_0}}.$$

(The condition $x_i \neq i$ in Setup guarantees that the exponent $1/(x_i - i)$ exists.)

Key-Agreement: Alice and Bob each randomly choose an ephemeral private key, $a, b \in_R \mathbb{Z}_p$, and compute the corresponding ephemeral public keys:

$$E_{A_0} = X_0^{a}, \qquad E_{A_1} = \{(X_i\, g^{-i})^{a}\}_{i\in\omega_B}, \qquad E_{A_2} = e(g,g)^{a},$$

$$E_{B_0} = X_0^{b}, \qquad E_{B_1} = \{(X_i\, g^{-i})^{b}\}_{i\in\omega_A}, \qquad E_{B_2} = e(g,g)^{b}.$$

Note that each party forms its $E_1$ component over the other party's attribute set. Then they exchange the ephemeral public keys as follows:

Alice → Bob: $E_A = E_{A_0} \,\|\, E_{A_1} \,\|\, E_{A_2}$

Bob → Alice: $E_B = E_{B_0} \,\|\, E_{B_1} \,\|\, E_{B_2}$

Alice then computes the shared secret $K_{AB}$ as

$$K_{AB} = \prod_{i\in\omega_A}\Bigl(e(E_{B_1,i}, d_{A_1,i}) \cdot E_{B_2}^{\,s_{A_1,i}}\Bigr)^{\Delta_{i,\omega_A}(0)} \cdot e(E_{B_0}, d_{A_0}) \cdot E_{B_2}^{\,s_{A_0}} \cdot V^{a},$$

and Bob computes the shared secret $K_{BA}$ as

$$K_{BA} = \prod_{i\in\omega_B}\Bigl(e(E_{A_1,i}, d_{B_1,i}) \cdot E_{A_2}^{\,s_{B_1,i}}\Bigr)^{\Delta_{i,\omega_B}(0)} \cdot e(E_{A_0}, d_{B_0}) \cdot E_{A_2}^{\,s_{B_0}} \cdot V^{b}.$$

If Alice and Bob follow the protocol, they compute the same shared secret $K = K_{AB} = K_{BA} = e(g,h)^{a+b}$. To see this on Alice's side, note that for each $i \in \omega_A$

$$e(E_{B_1,i}, d_{A_1,i}) \cdot E_{B_2}^{\,s_{A_1,i}} = e\Bigl(g^{b(x_i - i)},\ g^{\frac{P_1(i) - s_{A_1,i}}{x_i - i}}\Bigr)\cdot e(g,g)^{b\, s_{A_1,i}} = e(g,g)^{b\,P_1(i)},$$

so the product of these factors raised to the Lagrange coefficients $\Delta_{i,\omega_A}(0)$ interpolates $P_1$ at $0$ and equals $e(g,g)^{b\,P_1(0)}$ (because $P_1$ has degree $|\omega_A| - 1$); further $e(E_{B_0}, d_{A_0}) \cdot E_{B_2}^{\,s_{A_0}} = e(g,g)^{b(y_0 - P_1(0))}$, and multiplying these two values by $V^{a}$ gives $e(g,g)^{b y_0} \cdot e(g,h)^{a} = e(g,h)^{a+b}$. Bob's computation is symmetric.

This shared secret $K$ is suitable for deriving a shared session key [6]. We use a key derivation function $H : \{0,1\}^* \to \{0,1\}^k$ to generate the shared session key

$$sk = H(\omega_A \,\|\, \omega_B \,\|\, E_A \,\|\, E_B \,\|\, K),$$

where $k = |sk|$.

IV. SECURITY OF OUR ABKA SCHEME

In this work we use the modified Bellare-Rogaway key agreement model [2] proposed by Chen et al. in [9] to prove the security of the protocol.

Theorem 2. The ABKA scheme is a secure authenticated key agreement protocol in the standard model under the truncated decision q-ABDHE assumption.

Proof. We show that our scheme satisfies the definition of a secure authenticated key agreement protocol [9, Definition 7].

First, condition 1 is satisfied: if the two participants follow the protocol specification and the adversary $E$ is benign, then each participant receives exactly the protocol message the other party sent. By the correctness analysis of Section III we have $K_{AB} = K_{BA} = e(g,h)^{a+b}$ and their conversations match, so both obtain the same session key, and this key is distributed uniformly at random in the session key space.

Next, condition 2 is also satisfied: if the two participants have not been corrupted, the adversary cannot impersonate them; if their conversations match, each has received the protocol message the other party actually sent, so they obtain the same session key.

Below we prove that condition 3 is satisfied as well, by contradiction. Assume that there exists an adversary $E$ that wins the game of [9] with non-negligible advantage $\eta$ in time $t$. We construct from $E$ a simulator $S$ that solves the truncated decision q-ABDHE problem with non-negligible probability. As input, $S$ is given, as described in Section II, the two groups $G_1, G_2$, the bilinear map $e$ and a generator $g$ of $G_1$.

$S$ also receives a truncated decision q-ABDHE instance

$$\bigl(g,\ g^{x_0},\ \ldots,\ g^{x_0^{q}},\ g^{z},\ g^{z x_0^{q+2}},\ R\bigr),$$

and its task is to decide whether $R = e(g,g)^{z x_0^{q+1}}$ or $R$ is a random element of $G_2$.

Setup: $S$ picks a random polynomial $g_1(x)$ of degree $q$ and computes

$$X_0 = g^{x_0}, \qquad X_i = X_0^{\,e_i} \cdot g^{i}, \qquad V = e(g,g)^{g_1(x_0)},$$

where $i \in U$ and $e_i \in_R \mathbb{Z}_p^*$, using the values $g, g^{x_0}, \ldots, g^{x_0^{q}}$. Implicitly this sets $x_i = e_i x_0 + i$ (so $x_i - i = e_i x_0 \neq 0$) and $y_0 = g_1(x_0)$. Note that this does not change the distribution of the public parameters $(X_0, \{X_i\}_{i\in U}, V)$, and the simulator $S$ does not need to know the master key. In order to guarantee the secrecy of the polynomial $g_1(x)$, we limit the number of Corrupt queries made by the adversary $E$ to at most $q-1$. Moreover, we suppose that $E$ initiates at most $q_s$ sessions, namely for any oracle $\Pi^{t}_{\omega_A,\omega_B}$ we have $t \in \{1, 2, \ldots, q_s\}$. $S$ randomly chooses three integers $i, j \in \{1, 2, \ldots, q\}$ and $n \in \{1, 2, \ldots, q_s\}$, and guesses that the adversary $E$ will make its Test query to the oracle $\Pi^{n}_{\omega_I,\omega_J}$, where $\omega_I$ is the attribute set of the $i$-th participant.

Corrupt queries: $S$ simulates a Corrupt query made by $E$ on the participant whose attribute set is $\omega_K$ as follows. If $\omega_K = \omega_J$, $S$ gives up. Otherwise, let $\Gamma = \omega_K \cap \omega_J$; let $\Gamma'$ be any set such that $\Gamma \subseteq \Gamma' \subseteq \omega_K$ and $|\Gamma'| = |\omega_K| - 1$; and let $T = \Gamma' \cup \{0\}$.

Firstly, $S$ chooses a random element $s_{K_0} \in_R \mathbb{Z}_p$ and picks a random polynomial $g_2(x)$ of degree $q$ such that $g_2(0) = g_1(0) - s_{K_0}$. Then it defines the polynomial

$$g(x) = \frac{g_1(x) - g_2(x) - s_{K_0}}{x}$$

of degree $q-1$ (the numerator vanishes at $x = 0$ by the choice of $g_2(0)$, so the division is exact) and sets $d_{K_0} = g^{g(x_0)}$, which it can compute from $g, g^{x_0}, \ldots, g^{x_0^{q-1}}$.

Next, $S$ defines the private key components $(s_{K_1,i}, d_{K_1,i})_{i\in\omega_K}$ as follows. For every $i \in \Gamma'$, $S$ chooses a random element $s_{K_1,i} \in_R \mathbb{Z}_p$ and picks a random polynomial $g_{1,i}(x)$ of degree $q$ such that $g_{1,i}(0) = s_{K_1,i}$. Then it defines the polynomial

$$G_{1,i}(x) = \frac{g_{1,i}(x) - s_{K_1,i}}{x}$$

of degree $q-1$ and sets $d_{K_1,i} = \bigl(g^{G_{1,i}(x_0)}\bigr)^{1/e_i}$.

Correctness:

$$d_{K_1,i} = \bigl(g^{G_{1,i}(x_0)}\bigr)^{1/e_i} = \Bigl(g^{\frac{g_{1,i}(x_0) - s_{K_1,i}}{x_0}}\Bigr)^{1/e_i} = g^{\frac{g_{1,i}(x_0) - s_{K_1,i}}{x_0 e_i}} = g^{\frac{g_{1,i}(x_0) - s_{K_1,i}}{x_0 e_i + i - i}} = g^{\frac{g_{1,i}(x_0) - s_{K_1,i}}{x_i - i}}.$$

The intuition behind these assignments is that we implicitly choose two random polynomials $P_1(x)$ and $P_2(x)$ of degree $|\omega_K| - 1$ by choosing their values at the $|\omega_K| - 1$ points of $\Gamma'$ at random, setting $P_1(i) = g_{1,i}(x_0)$ and $P_2(i) = g_{1,i}(0) = s_{K_1,i}$; in addition $P_1(0) = g_2(x_0)$ and $P_2(0) = g_2(0)$, so that $d_{K_0} = g^{(y_0 - P_1(0) - s_{K_0})/x_0}$ exactly as in Key-Gen.

The simulator also needs to calculate the key components for all $i' \in \omega_K - \Gamma'$. We calculate these points to be consistent with our implicit choice of $P_1(x)$ and $P_2(x)$, interpolating through the points of $T$; the point $0$ is taken from $g_2$, matching $P_1(0) = g_2(x_0)$ and $P_2(0) = g_2(0)$ above. We define a polynomial of degree $q-1$:

$$G_{1,i'}(x) = \frac{\bigl(g_2(x) - g_2(0)\bigr)\,\Delta_{0,T}(i') + \sum_{i\in\Gamma'}\bigl(g_{1,i}(x) - g_{1,i}(0)\bigr)\,\Delta_{i,T}(i')}{x},$$

and set

$$s_{K_1,i'} = g_2(0)\,\Delta_{0,T}(i') + \sum_{i\in\Gamma'} s_{K_1,i}\,\Delta_{i,T}(i'), \qquad d_{K_1,i'} = \bigl(g^{G_{1,i'}(x_0)}\bigr)^{1/e_{i'}}.$$

Correctness: writing $P_1(i') = g_2(x_0)\,\Delta_{0,T}(i') + \sum_{i\in\Gamma'} g_{1,i}(x_0)\,\Delta_{i,T}(i')$ for the interpolated value,

$$d_{K_1,i'} = \Bigl(g^{\frac{\{g_2(x_0)\Delta_{0,T}(i') + \sum_{i\in\Gamma'} g_{1,i}(x_0)\Delta_{i,T}(i')\} - \{g_2(0)\Delta_{0,T}(i') + \sum_{i\in\Gamma'} g_{1,i}(0)\Delta_{i,T}(i')\}}{x_0}}\Bigr)^{1/e_{i'}} = \Bigl(g^{\frac{P_1(i') - s_{K_1,i'}}{x_0}}\Bigr)^{1/e_{i'}} = g^{\frac{P_1(i') - s_{K_1,i'}}{x_0 e_{i'} + i' - i'}} = g^{\frac{P_1(i') - s_{K_1,i'}}{x_{i'} - i'}}.$$

Therefore, the simulator is able to construct a private key for the attribute set $\omega_K$. Furthermore, the distribution of the private key for $\omega_K$ is identical to that of the original scheme, since our choice of $P_1(i) = g_{1,i}(x_0)$ and $P_2(i) = g_{1,i}(0) = s_{K_1,i}$ induces two random polynomials of degree $|\omega_K| - 1$, and the private key components $sk_{\omega_K} = \{(s_{K_1,i}, d_{K_1,i})_{i\in\omega_K}, (s_{K_0}, d_{K_0})\}$ are constructed from them exactly as in Key-Gen.

Send queries: $S$ answers all Send queries as specified for a normal oracle, i.e., for the first Send query to an oracle, $S$ takes a random value in $\mathbb{Z}_p^*$ to form its contribution, except when $E$ queries $\Pi^{t}_{\omega_I,\omega_J}$ for any $t$. When the adversary $E$ makes a Send query to an oracle $\Pi^{t}_{\omega_I,\omega_J}$, $S$ computes the message $E_I = E_{I_0} \,\|\, E_{I_1} \,\|\, E_{I_2}$ for that oracle as follows. $S$ defines the polynomial $G^*(x) = x^{q+1}$, implicitly sets $a = z\,G^*(x_0)$, and computes

$$E_{I_0} = g^{z x_0^{q+2}}, \qquad E_{I_1} = \bigl\{\bigl(g^{z x_0^{q+2}}\bigr)^{e_i}\bigr\}_{i\in\omega_J}, \qquad E_{I_2} = R,$$

and sends the message $E_I = E_{I_0} \,\|\, E_{I_1} \,\|\, E_{I_2}$ to the adversary $E$. Then it generates the secret key of $\omega_J$, $sk_{\omega_J} = \{(s_{J_1,i}, d_{J_1,i})_{i\in\omega_J}, (s_{J_0}, d_{J_0})\} \leftarrow \mathrm{KeyGen}(mk, \omega_J)$.

Next, $S$ computes the shared secret $K_{IJ}$ as follows:

$$K_{IJ} = K_{JI} = \prod_{i\in\omega_J}\Bigl(e(E_{I_1,i}, d_{J_1,i}) \cdot E_{I_2}^{\,s_{J_1,i}}\Bigr)^{\Delta_{i,\omega_J}(0)} \cdot e(E_{I_0}, d_{J_0}) \cdot E_{I_2}^{\,s_{J_0}} \cdot V^{r},$$

where $r$ is randomly picked in $\mathbb{Z}_p^*$ by $S$. According to the protocol, $S$ computes the session key $sk_I$ for the oracle $\Pi^{t}_{\omega_I,\omega_J}$ as

$$sk_I = H(\omega_I \,\|\, \omega_J \,\|\, E_I \,\|\, E_J \,\|\, K_{IJ}).$$

Correctness:

$$E_{I_0} = X_0^{\,z G^*(x_0)} = (g^{x_0})^{z x_0^{q+1}} = g^{z x_0^{q+2}},$$

$$E_{I_1,i} = (X_i\, g^{-i})^{z G^*(x_0)} = (g^{e_i x_0 + i - i})^{z x_0^{q+1}} = \bigl((g^{x_0})^{z x_0^{q+1}}\bigr)^{e_i} = \bigl(g^{z x_0^{q+2}}\bigr)^{e_i},$$

$$E_{I_2} = e(g,g)^{z G^*(x_0)} = e(g,g)^{z x_0^{q+1}} = R.$$

Hence the session key $sk_I$ created above is distributed in the same way as the one in the real attack.

Reveal queries: $S$ aborts and issues a warning when the adversary $E$ makes a Reveal query to the oracle $\Pi^{t}_{\omega_I,\omega_J}$ or its matching oracle $\Pi^{s}_{\omega_J,\omega_I}$. Otherwise, $S$ gives $E$ the session key of the oracle that was asked the Reveal query.

Test query: At some point in the simulation, $E$ will ask a Test query of some oracle. If $E$ does not choose $\Pi^{t}_{\omega_I,\omega_J}$ for the Test query, then $S$ aborts. However, if $E$ does pick $\Pi^{t}_{\omega_I,\omega_J}$ for the Test query, then $\Pi^{t}_{\omega_I,\omega_J}$ must have accepted, $I$ and $J$ must be unopened, and $J$ must be uncorrupted. To answer the query, $S$ flips a fair coin $b \in \{0,1\}$ and returns the session key held by $\Pi^{t}_{\omega_I,\omega_J}$ if $b = 0$, or else a random key sampled from $\{0,1\}^k$ if $b = 1$.

After making the Test query, the adversary $E$ can make Corrupt queries to all participant oracles except $J$, and Reveal queries to all participant oracles except $I$ and $J$. Finally, $E$ outputs its guess $b' \in \{0,1\}$ for $b$. Provided $S$ does not abort at some point during the attack, the view of the adversary $E$ in this game is exactly the same as in the real world. By assumption, $E$ is a successful adversary, so $|\Pr[b' = b] - 1/2| > \eta$. To solve the truncated decision q-ABDHE problem, $S$ directly returns the output $b'$ of $E$ as its answer to its truncated decision q-ABDHE challenger. We have shown that when $R = e(g,g)^{z x_0^{q+1}}$ the simulation is perfect, and we have supposed that the adversary $E$ guesses $b$ correctly with probability $\eta + 1/2$. Therefore, with the help of $E$, $S$ can solve the truncated decision q-ABDHE problem with non-negligible probability.

V. CONCLUSIONS

We have constructed a new two-party attribute-based key agreement protocol. Compared with Wang's scheme [12], which is secure in the random oracle model, our new scheme is secure in the standard model (without random oracles). Differing from traditional identity-based key agreement schemes, attribute-based key agreement schemes use the attribute information as the public key. Furthermore, the new properties of attribute-based cryptosystems carry over to these key agreement protocols, such as hiding the identity of the individual, increasing the flexibility of key management, and providing efficient means to revoke users from the system [3], etc.

ACKNOWLEDGMENT

This work is supported by the National Natural Science Foundation of China under Grant No. 60873232, the Natural Science Foundation of Shandong Province under Grant No. Y2007G37, and the Shandong Postdoctoral Special Fund for Innovative Research under Grant No. 200803051.

REFERENCES

[1] J. Baek, W. Susilo, and J. Zhou, "New constructions of fuzzy identity-based encryption," in Proc. 2nd ACM Symposium on Information, Computer and Communications Security, ACM, New York, NY, USA, 2007, pp. 368-370.
[2] M. Bellare and P. Rogaway, "Entity authentication and key distribution," in Advances in Cryptology - CRYPTO'93, Springer-Verlag, LNCS 773, 1994, pp. 232-249.
[3] A. Boldyreva, V. Goyal, and V. Kumar, "Identity-based encryption with efficient revocation," in Proc. ACM Conference on Computer and Communications Security, Virginia, ACM Press, 2008, pp. 417-426.
[4] W. Diffie and M. Hellman, "New directions in cryptography," IEEE Transactions on Information Theory, IT-22(6): 644-654, 1976.
[5] L. Fang and J. Xia, "Full security: fuzzy identity based encryption," Cryptology ePrint Archive, Report 2008/307, 2008. http://eprint.iacr.org/2008/307
[6] S. D. Galbraith, H. J. Hopkins, and I. E. Shparlinski, "Secure bilinear Diffie-Hellman bits," Cryptology ePrint Archive, Report 2002/155, 2002. http://eprint.iacr.org/2002/155
[7] C. Gentry, "Practical identity-based encryption without random oracles," in Advances in Cryptology - EUROCRYPT 2006, Springer-Verlag, LNCS 4004, 2006, pp. 445-464.
[8] V. Goyal, O. Pandey, A. Sahai, and B. Waters, "Attribute-based encryption for fine-grained access control of encrypted data," in Proc. ACM Conference on Computer and Communications Security, New York, ACM Press, 2006, pp. 89-98.
[9] L. Chen, Z. Cheng, and N. P. Smart, "Identity-based key agreement protocols from pairings," Cryptology ePrint Archive, Report 2006/199, 2006. http://eprint.iacr.org/2006/199
[10] A. Sahai and B. Waters, "Fuzzy identity-based encryption," in Advances in Cryptology - EUROCRYPT 2005, Springer-Verlag, LNCS 3494, 2005, pp. 457-473.
[11] A. Shamir, "Identity-based cryptosystems and signature schemes," in Advances in Cryptology - CRYPTO'84, Springer-Verlag, LNCS 196, 1985, pp. 47-53.
[12] H. Wang, Q. Xu, and X. Sun, "A provably secure two-party attribute-based key agreement protocol," in Proc. Conference on Intelligent Information Hiding and Multimedia Signal Processing, Kyoto, IEEE Press, in press.
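The core of the Corrupt-query simulation in Section IV is that $S$ can raise $g$ to $(f(x_0) - f(0))/x_0$ for any polynomial $f$ of degree at most $q$ that it chose itself, using only the powers $g, g^{x_0}, \ldots, g^{x_0^{q}}$ from the q-ABDHE instance and never $x_0$: since $f(x) - f(0)$ has no constant term, the quotient is the polynomial $\sum_{k \ge 1} f_k x^{k-1}$ of degree $q-1$, and $g$ to its value at $x_0$ is a product of the known powers. The following added example (not the paper's code) carries that construction out for a full Corrupt query on $\omega_K$, both for $i \in \Gamma'$ and for $i' \notin \Gamma'$ by interpolation through $T = \Gamma' \cup \{0\}$ with the point $0$ taken from $g_2$, and then checks every simulated component against the honest Key-Gen formula using the $x_0$ that only the checker knows. No pairing is needed for this step, so it runs in an ordinary prime-order subgroup of $\mathbb{Z}_P^*$; the parameters $P = 2039$, $p = 1019$, $g = 4$, the attribute set, $\Gamma'$ and the seeded random generator are constructed choices.

```python
"""Simulator's Corrupt-query key construction from Section IV (added example, not the paper's
code).  The simulator holds only the q-ABDHE powers g, g^{x0}, ..., g^{x0^q}; it never sees x0.
Group: order-p subgroup of Z_P^* with P = 2p + 1 (constructed; no pairing is needed here)."""
import random

P_MOD = 2039   # safe prime, P_MOD = 2*p + 1 (constructed)
p = 1019       # prime order of the subgroup <g>
g = 4          # 4 = 2^2 is a quadratic residue mod P_MOD, so it generates the order-p subgroup


def exp(base, k):
    """base^k in Z_P^*; exponents are reduced mod p because base has order p."""
    return pow(base, k % p, P_MOD)


def poly_eval(coeffs, x):
    """Evaluate a polynomial (lowest coefficient first) at x over Z_p."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % p
    return acc


def lagrange_coeff(i, S, x):
    """Delta_{i,S}(x) = prod_{j in S, j != i} (x - j)/(i - j) over Z_p."""
    num = den = 1
    for j in S:
        if j != i:
            num, den = num * (x - j) % p, den * (i - j) % p
    return num * pow(den, -1, p) % p


def abdhe_powers(x0, q):
    """The part of the instance the simulator uses: g^{x0^k} for k = 0..q."""
    return [exp(g, pow(x0, k, p)) for k in range(q + 1)]


def g_to_f_over_x(powers, f):
    """g^{(f(x0) - f(0))/x0} from the powers alone: the quotient polynomial is
    sum_{k>=1} f_k x^{k-1}, so the result is prod_{k>=1} (g^{x0^{k-1}})^{f_k}."""
    acc = 1
    for k in range(1, len(f)):
        acc = acc * exp(powers[k - 1], f[k]) % P_MOD
    return acc


def simulate_corrupt(powers, q, omega_K, gamma_prime, g2, e, rng):
    """Simulated (s_{K1,i}, d_{K1,i}) for every i in omega_K, computed without x0.
    gamma_prime: |omega_K|-1 attributes of omega_K; g2: the simulator's degree-q polynomial
    (in the proof g2(0) = g1(0) - s_{K0}; any g2 works for this check); e[i]: the e_i with
    X_i = X_0^{e_i} g^i.  Returns the components and the g_{1,i} chosen for Gamma'."""
    T = list(gamma_prime) + [0]
    g1, key = {}, {}
    for i in gamma_prime:                        # i in Gamma': G_{1,i} = (g_{1,i}(x) - g_{1,i}(0))/x
        f = [rng.randrange(p) for _ in range(q + 1)]
        g1[i] = f
        d = exp(g_to_f_over_x(powers, f), pow(e[i], -1, p))   # (g^{G_{1,i}(x0)})^{1/e_i}
        key[i] = (f[0], d)                       # s_{K1,i} = g_{1,i}(0)
    for ip in omega_K:                           # i' outside Gamma': interpolate through T
        if ip in key:
            continue
        N = [0] * (q + 1)                        # numerator of G_{1,i'}; N(0) = 0 by construction
        s = 0
        for t in T:
            f = g2 if t == 0 else g1[t]          # the point 0 comes from g_2
            c = lagrange_coeff(t, T, ip)
            s = (s + f[0] * c) % p               # s_{K1,i'} = g2(0) D_0(i') + sum_i s_{K1,i} D_i(i')
            for k in range(1, q + 1):
                N[k] = (N[k] + f[k] * c) % p     # sum of (f(x) - f(0)) D_t(i') over t in T
        d = exp(g_to_f_over_x(powers, N), pow(e[ip], -1, p))
        key[ip] = (s, d)
    return key, g1


def honest_component(x0, P1_i, s_i, e_i, i):
    """Key-Gen value d_{K1,i} = g^{(P1(i) - s_i)/(x_i - i)} with x_i = e_i x0 + i (needs x0)."""
    xi = (e_i * x0 + i) % p
    return exp(g, (P1_i - s_i) * pow((xi - i) % p, -1, p))


def check_simulation(q=4, seed=1):
    """True iff every simulated component equals the honest one for the implicit P1
    (P1(i) = g_{1,i}(x0) on Gamma', P1(0) = g2(x0)), using the x0 only this checker knows."""
    rng = random.Random(seed)                    # seeded for reproducibility; not a CSPRNG
    x0 = rng.randrange(1, p)
    powers = abdhe_powers(x0, q)
    omega_K, gamma_prime = [3, 5, 8], [3, 5]     # constructed attribute set and Gamma'
    e = {i: rng.randrange(1, p) for i in omega_K}
    g2 = [rng.randrange(p) for _ in range(q + 1)]
    key, g1 = simulate_corrupt(powers, q, omega_K, gamma_prime, g2, e, rng)
    T = gamma_prime + [0]
    P1_at = {0: poly_eval(g2, x0), **{i: poly_eval(g1[i], x0) for i in gamma_prime}}
    for i in omega_K:
        P1_i = sum(P1_at[t] * lagrange_coeff(t, T, i) for t in T) % p
        s_i, d_i = key[i]
        if d_i != honest_component(x0, P1_i, s_i, e[i], i):
            return False
    return True


if __name__ == "__main__":
    print(check_simulation())   # True
```

The check passes for any $q \ge 1$ and any seed because it is an identity of exponents, not a probabilistic event; what the run makes visible is that `simulate_corrupt` touches only `powers`, `e` and the simulator's own polynomials, so the degree bound $q$ on those polynomials (and hence the cap of $q-1$ Corrupt queries in the proof) is exactly what keeps the construction within the instance it was given.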