Inter-Domain Identity-based Authenticated Key Agreement Protocol from the Weil Pairing

Transcription

1 Inter-Domain Identity-based Authenticated Key Agreement Protocol from the Weil Pairing Tsai, Hong-Bin Chiu, Yun-Peng Lei, Chin-Laung Dept. of Electrical Engineering National Taiwan University July 10, 2006 Inter-Domain Identity-based Authenticated Key Agreement Protocol from the Weil Pairing 1/30

2 Outline 1 Introduction Weil Pairing Identity-Based Encryption Scheme 2 ID-ID-AK Protocol Previous Works Our ID-ID-AK Protocol 3 Security Analysis Security Proof Security Attributes 4 Conclusions and Future Works Inter-Domain Identity-based Authenticated Key Agreement Protocol from the Weil Pairing 2/30

3 Outline 1 Introduction Weil Pairing Identity-Based Encryption Scheme 2 ID-ID-AK Protocol Previous Works Our ID-ID-AK Protocol 3 Security Analysis Security Proof Security Attributes 4 Conclusions and Future Works Inter-Domain Identity-based Authenticated Key Agreement Protocol from the Weil Pairing 3/30

4 Key Agreement Protocols A key agreement protocol is a protocol whereby two or more parties can agree on a key in such a way that both influence the outcome. A key agreement protocol that does not provide authentication of the parties is vulnerable to man-in-the-middle attack, e.g., Diffie-Hellman key exchange. Identity-based authenticated key agreement (AK) protocol is that the users in the protocol use an ID-based asymmetric key pair for authentication and establishment of the key. Inter-Domain Identity-based Authenticated Key Agreement Protocol from the Weil Pairing 4/30

5 Weil Pairing Definitions A pairing is a computable bilinear map between an additive group, G 1, and a multiplicative group, G 2. G 1 denotes a subgroup of the group of points on an elliptic curve. G 2 denotes a subgroup of the multiplicative group of a finite field. The Weil pairing is denoted ê : G 1 G 1 G 2. Inter-Domain Identity-based Authenticated Key Agreement Protocol from the Weil Pairing 5/30

6 Weil Pairing Properties Bilinear: If P, P 1, P 2, Q, Q 1, Q 2 G 1 and a Z q, then ê(p 1 + P 2, Q) = ê(p 1, Q) ê(p 2, Q), and ê(p, Q 1 + Q 2 ) = ê(p, Q 1 ) ê(p, Q 2 ). Non-degenerate: If ê(p, Q) = 1 for all P G 1, then Q = O. Computable: If P, Q G 1, one can compute ê(p, Q) in polynomial time. Inter-Domain Identity-based Authenticated Key Agreement Protocol from the Weil Pairing 6/30

7 Identity-Based Encryption Scheme Identity-Based Encryption (IBE) Scheme Boneh and Franklin had proposed an identity-based encryption scheme built from any bilinear map, in which the public key is some unique information about the identity of the user. Identity-Based Encryption from the Weil Pairing, D. Boneh and M. Franklin, A Trusted Authority (TA) is required in the scheme to generate private keys corresponding to users public identity. Inter-Domain Identity-based Authenticated Key Agreement Protocol from the Weil Pairing 7/30

8 Identity-Based Encryption Scheme IBE algorithms (1/2) Setup: The Setup algorithm produces TA s master key s Z q and system parameters that are known to public: Groups G 1, G 2 of order q and a random generator P G 1. TA s public key P pub = sp. A cryptographic hash function H 1 : {0,1} G 1. A cryptographic hash function H 2 : G 2 {0,1} n for some n. Extract: Given a user s public identity string ID {0, 1}, the Extract algorithm generates: Public key Q ID = H 1 (ID) G 1. Private key d ID = sq ID, where s is the master key. Inter-Domain Identity-based Authenticated Key Agreement Protocol from the Weil Pairing 8/30

9 Identity-Based Encryption Scheme IBE algorithms (2/2) Encrypt: To encrypt a message M, algorithm Encrypt does: 1 choose a random r Z q 2 set the ciphertext C to be C = rp,m H 2 (g r ID) where g ID = ê(q ID,P pub ) G 2 Decrypt: Let C = U, V be a ciphertext encrypted using the public key ID. The algorithm Decrypt computes as follows: V H 2 (ê(d ID, U)) = M The masks used during encryption and decryption are the same: ê(d ID, U) = ê(sq ID, rp) = ê(q ID, P) sr = ê(q ID, P pub ) r = g r ID Inter-Domain Identity-based Authenticated Key Agreement Protocol from the Weil Pairing 9/30

10 Outline 1 Introduction Weil Pairing Identity-Based Encryption Scheme 2 ID-ID-AK Protocol Previous Works Our ID-ID-AK Protocol 3 Security Analysis Security Proof Security Attributes 4 Conclusions and Future Works Inter-Domain Identity-based Authenticated Key Agreement Protocol from the Weil Pairing 10/30

11 Previous Works Chen and Kudla s Protocol (1/2) Chen and Kudla had proposed a key agreement protocol that allows users in different domains to establish a shared secret key. We give an overview as follows. Identity Based Authenticated Key Agreement Protocols from Pairings, L. Chen and C. Kudla, Setup Following IBE scheme, let there be two TAs, TA 1 and TA 2 with public keys s 1 P and s 2 P respectively. Alice TA 1, has private key S A = s 1 Q A and public key Q A = H 1 (Alice s ID), ephemeral key a Z q. Bob TA 2, has private key S B = s 2 Q B and public key Q B = H 1 (Bob s ID), ephemeral key b Z q. Inter-Domain Identity-based Authenticated Key Agreement Protocol from the Weil Pairing 11/30

12 Previous Works Chen and Kudla s Protocol (2/2) T A = ap T B = bp Alice Bob After a successful protocol run: Alice computes K AB = ê(s A,T B ) ê(q B,as 2 P). Bob computes K BA = ê(s B,T A ) ê(q A,bs 1 P). K = K AB = K BA = ê(bs A + as B,P pub ). Then use a key derivation function H 2 : G 2 {0, 1} n to generate the shared session key H 2 (K). Inter-Domain Identity-based Authenticated Key Agreement Protocol from the Weil Pairing 12/30

13 Previous Works Possible disadvantages 1 Necessity of a Trusted Third Party Parameters are decided and distributed by a Trusted Third Party (TTP). 2 Vast costs of key update One update produces enormous re-key processes, which is linear to the number of TAs in the system. 3 Inflexibility of key management Users in different domains fail to establish a shared secret key if their according TAs have different parameters. Inter-Domain Identity-based Authenticated Key Agreement Protocol from the Weil Pairing 13/30

14 Our ID-ID-AK Protocol Setup The groups G 1, G 2 of prime order q and the bilinear map ê : G 1 G 1 G 2 are defined as before. Let TA i, TA j, where i j, be two TAs controlling different domains. TA i has a master key s i Z q and a public key s i P i G 1 where P i is a generator of G 1. TA j has a master key s j Z q and a public key s j P j G 1 where P j is a generator of G 1. Alice is registered to TA i, holding a public key Q A = H 1 (Alice s ID) and a private key S A = s i Q A. Bob is registered to TA j, holding a public key Q B = H 1 (Bob s ID) and a private key S B = s j Q B. Inter-Domain Identity-based Authenticated Key Agreement Protocol from the Weil Pairing 14/30

15 Our ID-ID-AK Protocol Design Concepts No TTP is required, each TA can choose their own generator P G 1. Users in distinct domains willing to establish a shared secret key doesn t have to apply identical generator P G 1. The achievement of key agreement between users in a protocol needs information from their own TAs, which is defined as Public Token in our protocol. The protocol is divided into two phases. Phase 1: The TAs exchange public tokens for later key agreement. Phase 2: Users in the system are able to establish a shared secret key with others via public tokens generated in Phase 1. Inter-Domain Identity-based Authenticated Key Agreement Protocol from the Weil Pairing 15/30

16 Our ID-ID-AK Protocol Phase 1 Assume Alice initiates the key agreement protocol with Bob and checks if TA i and TA j have exchanged public tokens before. If the needed public token is available and its corresponding lease L is not expired, then proceeds to Phase 2, else Alice asks TA i to start the protocol Phase 1 as follows. P i P j s i P j Alice's TA s j P i Bob's TA Inter-Domain Identity-based Authenticated Key Agreement Protocol from the Weil Pairing 16/30

17 Our ID-ID-AK Protocol Phase 2 (1/2) ap i, aq A bp j, bq B Alice Bob After a successful protocol run: Alice computes K AB = ê(s i Q A,aP i ) ê(s i Q A,bP j ) ê(q B,as j P i ) ê(bq B,s j P j ). Bob computes K BA = ê(s j Q B,bP j ) ê(s j Q B,aP i ) ê(q A,bs i P j ) ê(aq A,s i P i ). Inter-Domain Identity-based Authenticated Key Agreement Protocol from the Weil Pairing 17/30

18 Our ID-ID-AK Protocol Phase 2 (2/2) If Alice and Bob follow the protocol, they can compute and output a common session key as follows: K = K AB = ê(s i Q A, ap i ) ê(s i Q A, bp j ) ê(q B, as j P i ) ê(bq B, s j P j ) = ê(s i Q A, ap i + bp j ) ê(q B, as j P i + bs j P j ) = ê(s j Q B, ap i + bp j ) ê(q A, as i P i + bs i P j ) = ê(s j Q B, bp j ) ê(s j Q B, ap i ) ê(q A, bs i P j ) ê(aq A, s i P i ) = K BA = ê(s i Q A + s j Q B, ap i + bp j ). Inter-Domain Identity-based Authenticated Key Agreement Protocol from the Weil Pairing 18/30

19 Outline 1 Introduction Weil Pairing Identity-Based Encryption Scheme 2 ID-ID-AK Protocol Previous Works Our ID-ID-AK Protocol 3 Security Analysis Security Proof Security Attributes 4 Conclusions and Future Works Inter-Domain Identity-based Authenticated Key Agreement Protocol from the Weil Pairing 19/30

20 Security Proof Bilinear Diffie-Hellman Problem Let G 1, G 2 be two groups of prime order q, ê : G 1 G 1 G 2 a bilinear map and P a generator of G 1. BDHP: Given P, xp, yp, zp for some x, y, z Z q, compute W = ê(p, P) xyz G 2. The hardness of BDH depends on the hardness of CDH in both G 1 and G 2. M. Maas, 2004 Inter-Domain Identity-based Authenticated Key Agreement Protocol from the Weil Pairing 20/30

21 Security Proof Security Model (1/3) Assumptions: The authenticity between TAs is realized through other cryptographic mechanisms, e.g., PKI. Setup: Assume a set I = {1,2,...,f 1 (k)} of protocol participants, where k is a security parameter and f 1 (k) is a polynomial bound on the number of participants. An oracle s I,J denotes a message sent from a participant I to another participant J, whom I believes he/she is in communication with, in sth protocol session. Every message sent by I or J is known by the adversary E. E is a benign adversary if it simply passes messages to and fro between participants. Inter-Domain Identity-based Authenticated Key Agreement Protocol from the Weil Pairing 21/30

22 Security Proof Security Model (2/3) E is allowed to make following queries: Send: A Send query allows E to send a message of his/her choice to an oracle s I,J and to record the response. Reveal: A Reveal query allows E to reveal the session key currently held by an oracle s I,J. Corrupt: A Corrupt query allows E to reveal the long-term private key of the sender of an oracle s I,J. Test: Participants must reply to this Test query with either the session key K held by the oracle or a random k-bit string, depending on a fair coin toss. The probability that E can distinguish K from the random string is denoted as: advantage E (k) = Pr[b = b] 1/2 Inter-Domain Identity-based Authenticated Key Agreement Protocol from the Weil Pairing 22/30

23 Security Proof Security Model (3/3) A protocol is a secure AK protocol if: 1 In the presence of the benign adversary on oracles s t J,I I,J and, both oracles always accept holding the same session key, which is distributed uniformly and randomly on {0,1} k. 2 If uncorrupted oracles s I,J and t J,I participate in a matching conversation, then both oracles accept and hold the same session key, which is again uniformly distributed on {0,1} k. 3 advantage E (k) is negligible. Inter-Domain Identity-based Authenticated Key Agreement Protocol from the Weil Pairing 23/30

24 Security Proof Proof Sketch (1/2) Proof of Condition 1 and 2: Conditions 1 and 2 follow directly from the protocol description. Proof of Condition 3: Suppose that advantage E (k) is non-negligible. We can construct an algorithm F from E which solves the BDHP with non-negligible probability. Given description of G 1, G 2,ê, generator P G 1, and xp,yp,zp G 1 with uniformly random choice of x,y,z Z q. F s task is to compute and output ê(p,p) xyz G 2. F simulates the Setup algorithm to create necessary oracles and variables. Inter-Domain Identity-based Authenticated Key Agreement Protocol from the Weil Pairing 24/30

25 Security Proof Proof Sketch (2/2) At some point in the simulation, E will make a Test query to some oracle. Then F responds with either the key held by the oracle or a random bit string. After a careful deduction (please refer to the paper for details), we can conclude that the probability that F produces the correct output is non-negligible. This result contradicts to the BDH assumption. Therefore, the algorithm F doesn t exist. Inter-Domain Identity-based Authenticated Key Agreement Protocol from the Weil Pairing 25/30

26 Security Attributes Security Attributes (1/2) Partial forward secrecy: The compromise of either Alice or Bob s long-term private key does not lead to the compromise of past session keys. However, the compromise of both Alice and Bob s long-term private keys enables an adversary to compute K. (Because that s i Q A, s j Q B, ap i, bp j are known.) Our protocol suffices partial forward secrecy, but does not offer perfect forward secrecy. TA forward secrecy: The compromise of the long-term private key of TA implies the compromise of its registrant s long-term private key. Thus the result follows partial forward secrecy. Imperfect key control: Mitchell et al. had pointed out that the responder in a protocol happens to have an unfair advantage in controlling the value of the established session key. Inter-Domain Identity-based Authenticated Key Agreement Protocol from the Weil Pairing 26/30

27 Security Attributes Security Attributes (2/2) Unknown key-share resilience: This property follows from the protocol. No key-compromise impersonation: The compromise of Alice s long-term private key does not enable an adversary to impersonate other entities, say Bob, to Alice in a successful protocol run. Note that previous works satisfy partial forward secrecy, partial TA forward secrecy as well. Inter-Domain Identity-based Authenticated Key Agreement Protocol from the Weil Pairing 27/30

28 Outline 1 Introduction Weil Pairing Identity-Based Encryption Scheme 2 ID-ID-AK Protocol Previous Works Our ID-ID-AK Protocol 3 Security Analysis Security Proof Security Attributes 4 Conclusions and Future Works Inter-Domain Identity-based Authenticated Key Agreement Protocol from the Weil Pairing 28/30

29 Conclusions We have proposed an AK protocol that allows users in distinct domains to establish a shared secret key through pairings without the constraint of using identical generator. Instead of following the decision of a Trusted Third Party, TAs can select a generator P at its choice, which prevents the single point of failure. The operation of key updates can be done within a domain without the interference of a TTP. Thus our protocol is more scalable than previous works. Inter-Domain Identity-based Authenticated Key Agreement Protocol from the Weil Pairing 29/30

30 Future Works How to modify the protocol to achieve tripartite (multi-party) key agreement? How to improve the protocol s efficiency? Inter-Domain Identity-based Authenticated Key Agreement Protocol from the Weil Pairing 30/30