Published by Gerald Bryan. Modified over 6 years ago.

SAKAWP: Simple Authenticated Key Agreement Protocol Based on Weil Pairing
Authors: Eun-Jun Yoon and Kee-Young Yoo
Src: International Conference on Convergence Information Technology, Nov pp
Presenter: Jung-wen Lo (駱榮問)

Outline
• Introduction
• Notation
• SAKAWP Protocol
• Security Analysis
• Performance comparison
• Conclusion & Comment

Introduction
• Simple Authenticated Key Agreement
  Seo and Sweeney, Electronics Letters, 35(13), pp ,1999
• Elliptic curve cryptosystem
  V. Miller (1986), N. Koblitz (1987)
• A. Joux (LNCS 1838, 2000)
  The Weil Diffie-Hellman problem can be considered as a new security assumption to develop cryptosystems
• Bilinear pairing
  An effective method of reducing the complexity of the discrete log problem in a finite field; bilinear pairings provide an appropriate setting for the Weil Diffie-Hellman problem
• Modified Weil pairing
  Let p be a prime such that q | (p − 1) for a large prime q. Let G1 and G2 be two cyclic groups of order q. The modified Weil pairing is a mapping e : G1 × G1 → G2 which satisfies the following properties:
  Bilinear: e(aP, bQ) = e(P, Q)^{ab}, for all P, Q ∈ G1 and all a, b ∈ Z_q.
  Non-degenerate: There exists a point P ∈ G1 such that e(P, P) ≠ 1.
  Computable: e(P, Q) can be computed in polynomial time.

Notation
• ID_A, ID_S: Identity of user A and authentication server S, respectively.
• PW_A: The common password shared between A and S.
• p: A prime such that p ≡ 2 (mod 3) and p = 6q − 1 for a large prime q.
• E: A super-singular curve defined by y^2 = x^3 + 1 over finite field F_p.
• P ∈ E/F_p: A generator of the group of points of order q.
• E_q: The group generated by P.
• μ_q: The subgroup of F_{p^2}^* of order q.
• e : E_q × E_q → μ_q: A modified Weil pairing.
• H(·): A cryptographic one-way hash function which maps a string to an element of F_p.
• G(·): A cryptographic one-way hash function which maps a string to a point of G1.
• sid: A session identifier.
• a: A secret random number ∈ Z_q^* chosen by A.
• b: A secret random number ∈ Z_q^* chosen by S.
• SK: A shared common session key between A and B.

SAKAWP Protocol
Parties: A (user) and S (server). S holds (ID_A, E_serverk(PW_A)).
1. A: Random a ∈ Z_q^*
      X = aP
      X1 = X + G(sid, ID_A, PW_A)
   A → S: sid, ID_A, X1
2. S: Random b ∈ Z_q^*
      Y = bP
      X = X1 − G(sid, ID_A, PW_A)
      U = G(sid, ID_A, ID_S)
      K_S = e(X, bU) = e(P, U)^{ab}
      MAC_KS = H(sid, X, K_S)
   S → A: sid, ID_S, Y, MAC_KS
3. A: U' = G(sid, ID_A, ID_S)
      K_A = e(Y, aU') = e(P, U')^{ab}
      H(sid, X, K_A) ?= MAC_KS
      MAC_KA = H(sid, Y, K_A)
      SK = H(sid, ID_A, ID_S, K_A)
   A → S: sid, MAC_KA
4. S: H(sid, Y, K_S) ?= MAC_KA
      SK = H(sid, ID_A, ID_S, K_S)
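The four protocol steps above, run end to end as an added example (not code from the slides or the paper). It assumes a toy bilinear map in place of the modified Weil pairing: a point xP is stored as the scalar x mod q, which exposes discrete logs and gives no security. The names run, is_prime and _hash are hypothetical.

```python
import hashlib, secrets
from math import isqrt

# TOY bilinear group, NOT a Weil pairing and NOT secure: the point xP is stored
# as the scalar x mod q, so discrete logs are exposed. It only reproduces
# e(aP, bQ) = e(P, Q)^(ab) so the message flow and checks can be executed.
def is_prime(n):
    return n > 1 and all(n % d for d in range(2, isqrt(n) + 1))

q = next(n for n in range(2**30, 2**31) if is_prime(n) and is_prime(2*n + 1))
p, g = 2*q + 1, 4          # q | (p - 1); g has order q and plays e(P, P)

def e(X, Y):               # e(xP, yP) = e(P, P)^(xy)
    return pow(g, X * Y % q, p)

def _hash(tag, parts):
    return int.from_bytes(hashlib.sha256(repr((tag, parts)).encode()).digest(), "big")

def H(*parts):             # stands in for H: string -> F_p
    return _hash("H", parts)

def G(*parts):             # stands in for G: string -> nonzero point of G1
    return _hash("G", parts) % (q - 1) + 1

def run(sid, id_a, id_s, pw_client, pw_server):
    """One SAKAWP run; returns (SK_A, SK_S) or raises ValueError on a failed check."""
    # Step 1 (A): mask X = aP with the password-derived point, send sid, ID_A, X1
    a = secrets.randbelow(q - 1) + 1
    X = a                                   # aP with P stored as scalar 1
    X1 = (X + G(sid, id_a, pw_client)) % q
    # Step 2 (S): unmask X1 with the stored password, derive K_S and MAC_KS
    b = secrets.randbelow(q - 1) + 1
    Y = b                                   # bP
    Xs = (X1 - G(sid, id_a, pw_server)) % q
    U = G(sid, id_a, id_s)
    KS = e(Xs, b * U % q)
    mac_ks = H(sid, Xs, KS)
    # Step 3 (A): derive K_A, authenticate S, answer with MAC_KA
    KA = e(Y, a * U % q)
    if H(sid, X, KA) != mac_ks:
        raise ValueError("A rejects S: MAC_KS mismatch")
    mac_ka = H(sid, Y, KA)
    # Step 4 (S): authenticate A, then both sides derive SK
    if H(sid, Y, KS) != mac_ka:
        raise ValueError("S rejects A: MAC_KA mismatch")
    return H(sid, id_a, id_s, KA), H(sid, id_a, id_s, KS)
```

A password mismatch makes S recover a different X, so the MAC_KS check in step 3 fails before any session key is accepted.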

Security Analysis
• Replay attack
  Intercepting X1 still needs the correct PW_A
  K_A needs the correct b => ECDLP
• Password guessing attack
  ECDLP & WDH
• Man-in-the-middle attack
  Mutual password PW_A
• Modification attack
  Check K_A = K_S and validity of X1 & Y
• Known-key security
  Each run produces a unique session key
• Session key security
  Key is only known by A & S
  a, b protected by WDH & hash function
• Perfect forward secrecy
  PW_A compromised => WDH

Performance comparison
Columns: B-SPEKE | SRP6 | AMP2 | PAK-Y | SAKAWP
# of random numbers: 3 2
# of steps: 4
# of user’s exponentiations: 5
# of server’s exponentiations:

Conclusion & Comment
Conclusion
• Secure
• Efficient
• Mutual authentication
Comment
• Try 2 rounds
• Provide password change