Identity-based authenticated key agreement protocol based on Weil pairing N.P.Smart ELECTRONICS LETTERS 20 th June 2002 vol.38 No13 p Present by J.Liu 17/9/2002

Outline Introduction Weil pairing AK and AKC protocols System setup Authenticated key exchange Security Three pass AKC protocol Conclusion

Introduction The first key agreement protocol was the Diff.-H. key exchange protocol. But the basic D.-H.suffers from the man - in –the-middle attack (without authenticate the communicating parties). In this Letter will describe a two pass ID- based authenticate key agreement protocol base on the Weil pairing.

Weil pairing G : a prime order subgroup of super- singular elliptic curve E over the finite field F q, and O(G)=l. k is the smallest integer such that l|q k -1.Where q k is large enough to make DLP Weil pairing is a map ê :G  G  F q k * (1)Bilinear (2)Non-degenerate:  P  G  ê(P,P)  1 (3)Computable :ê(P,Q) in poly time

AK and AKC protocols Key derivation function V: F q k *  {0,1}* Cryptographic hash function H{0,1}*  G H(#)=X, if X is invalid x-coordinate in G then X i =X+i, for i=0,1,2…. until X i is valid x-coordinate in G It’s easy find and fix the y-coordinate from the valid x-coordinate.

System setup The key generation center (KGC) select a secret key s  {1,…l-1} KGC produces a random P  G, computes P KGS = sP,publishes (P,P KGS ) User with ID wish to obtain a public/private key,then the KGC compute Q ID =H(ID) ( 公 ) S ID =sQ ID ( 私 )

Authenticated key exchange If A,B wish to agree a key and they have been obtain the key S A(B) =sQ A(B) A and B use the ephemeral private key a,b to compute T A(B) =a(or b)P and exchange T A,B User A compute k A =ê(aQ B,P KGS )ê(S A,T B ) User B compute k B =ê(bQ A,P KGS )ê(S B,T A ) K=V(k A )=V(k B ), ∵ k A =k B =ê(aQ B +bQ A,sP)

Authenticated key exchange(cont) k A = ê(aQ B,P KGS )ê(S A,T B ) = ê(aQ B,sP)ê(sQ A,bP) = ê(aQ B,P KGS )ê(bQ A,sP)= ê(aQ B +bQ A,sP) = ê(bQ A,sP)ê(aQ B,sP) = ê(bQ A,P KGS )ê(sQ B,aP) = ê(bQ A,P KGS )ê(S B,T A ) = k B The shared secret depend on s and two ephemeral keys a,b (Q A,Q B ).

Security Known key security : Each run produces a different session key, and knowledge of past session key. Forward secrecy : The KGC can determine all secret session key by the following step k A = ê(Q B,T A ) s ê(Q A,T B ) s = k B Key control : Neither party can control the outcome of the session key.

Three pass AKC protocol As with the MQV protocol it is trivial to add a key confirmation property in the scheme. Here need MAC and key derivation function V. Let R= ê(aQ B,P KGS )=ê(bQ A,P KGS ) …??? The three pass AKC protocol

Conclusion This paper has proposed an ID-based authenticated key agreement scheme which used the Weil pairing. In the end of paper has present how to add key confirmation to basic protocol.