Presentation is loading. Please wait.

Presentation is loading. Please wait.

Center for Information Security Technologies ID-based Authenticated Key Exchange for Low-Power Mobile Devices K. Y. Choi, J. Y. Hwang, D. H. Lee CIST,

Published byCarol Atkins Modified over 8 years ago

Similar presentations

Presentation on theme: "Center for Information Security Technologies ID-based Authenticated Key Exchange for Low-Power Mobile Devices K. Y. Choi, J. Y. Hwang, D. H. Lee CIST,"— Presentation transcript:

1 Center for Information Security Technologies ID-based Authenticated Key Exchange for Low-Power Mobile Devices K. Y. Choi, J. Y. Hwang, D. H. Lee CIST, Korea University

2 Center for Information Security Technologies 2 Key Exchange Key key Two or more users can share a session key

3 Center for Information Security Technologies 3 ID-based System General PKI system ID-based system 6DFF12DA27 4855BFC29D E399395A.... Bob Alice’s public key Alice@company.com OK~!! Alice’s public key Bob

4 Center for Information Security Technologies 4 Bilinear Map Assume – G 1,G 2 be two groups of same order q. – DLP is hard in both G 1, G 2. Admissible Bilinear Map – Bilinearity : e(aP, bQ) = e(P,Q) ab – Non-degeneracy : P ∈ G 1 such that e(P,P)≠1 – Computability : an efficient algorithm to compute e(P,Q) Bilinear Map e : G 1 Χ G 1 → G 2

5 Center for Information Security Technologies 5 Computational Diffie-Hellman (CDH) Problem Given (P, aP, bP) for some a, b ∈ Z q * => Compute abP Inverse Computational DH (ICDH) Problem Given (P, aP) for some a ∈ Z q * => Compute a -1 P Modified Inverse Computional DH (mICDH) Problem Given (b, P, aP) for some a, b ∈ Z q * => Compute (a+b) -1 P CDH ⇔ ICDH ⇔ mICDH Assumptions (1)

6 Center for Information Security Technologies 6 Bilinear Diffie-Hellman (BDH) Problem Given (P, aP, bP, cP) for some a, b, c ∈ Z q * => Compute Bilinear Inverse DH (BIDH) Problem Given (P, aP, cP) for some a, c ∈ Z q * => Compute Modified Bilinear Inverse DH (mBIDH) Problem Given (b, P, aP, cP) for some a, b, c ∈ Z q * => Compute BDH ⇔ BIDH ⇔ mBIDH Assumptions (2)

7 Center for Information Security Technologies 7 Definitions Collusion Attack Algorithm with k traitor (k-CAA) Given P, sP and h 1,h 2, …, h k ∈ Z q *, (s+h 1 ) -1 P, (s+h 2 ) -1 P,..., (s+h k ) -1 P => Compute (s+h) -1 P for some h ∈ Z q * Modified BIDH with k values (k-mBIDH) Given P, sP, tP and h,h 1,h 2, …, h k ∈ Z q *, (s+h 1 ) -1 P, (s+h 2 ) -1 P,..., (s+h k ) -1 P => Compute

8 Center for Information Security Technologies 8 Previous Protocol Previous ID-based authenticated key exchanges Smart’s Protocol(2002) McCullagh’s Protocol(2005)

9 Center for Information Security Technologies 9 Our Result Our protocol is an ID-based authenticated key exchange (AKE) protocol for Client and Server. We remove complicate operation of bilinear maps from a client side. Using off-line precomputation, the client only computes hashing and scalar multiplication of the point of elliptic curve during on-line phase. Thus, our protocol is well suited to unbalanced computing environment.

10 Center for Information Security Technologies 10 Proposed Protocol ID-AKE (1) Setup – KGC (Key Generation Center) selects a master secret key s, generates P and computes P pub = sP, g = e(P, P) – Cryptographic hash functions – KGC publishes params ={e, G 1, G 2, q, P, P pub, g, H, H 1, H 2, H 3 } H : {0,1} * → Z q * H 1 : G 2 → Z q * H 2 : {0,1} * → {0,1} t (t : secret parameter) H 3 : {0,1} * → {0,1} k (k : bit length of a session key)

11 Center for Information Security Technologies 11 Proposed Protocol ID-AKE (2) q ID = H(ID) Secret key : S ID = (s+q ID ) -1 P ID S ID Secure Channel Extract e(Q ID, S ID ) = e(P, P) = g – The security of secret key is based on the intractability of the mICDH problem. – Public information of user (ID) : Q ID = P pub + q ID P = (s+q ID )P KGC – We assume that the mICDH problem in G 1 is intractable.

12 Center for Information Security Technologies 12 Proposed Protocol ID-AKE (3) U P, P pub, g, [ ID U, S U ] V P, P pub, [ ID V, S V ] q v = H(ID V ), a ← Z q * Q V = P pub + q v P, t u = g a h = H 1 (t u ) X = aQ V, Y = (a+h)S U ID U, (X, Y) q u = H(ID U ), Q U = P pub + q u P t u = e(X, S V ), c = e(Y, Q U ) h = H 1 (t u ), c =? t u g h z’ = H 2 (t u, t v, X, Y, ID U, ID V ) z, t v sk = H 3 (t u, t v, X, Y, ID U, ID V ) t v ← Z q * z = H 2 (t u, t v, X, Y, ID U, ID V ) z’ =? z sk = H 3 (t u, t v, X, Y, ID U, ID V )

13 Center for Information Security Technologies 13 Security Analysis The ID-AKE protocol provides half forward secrecy. The security of ID-AKE protocol bases at the intractability of the k-CAA and k-mBIDH problems. k-CAA and k-mBIDH problems, Why?

14 Center for Information Security Technologies 14 Security Analysis (2) ID-AKA Attacker ASimulator B System params ={e, G 1, G 2, q, P, P pub, g=e(P,P)} H-query (ID) B chooses random q ID in Z q * q ID A can compute Q ID = P pub + q ID P = (s+q ID )P Extract (or Corrupt) – query (ID) B must compute S ID = (s+q ID ) -1 P S ID e(Q ID, S ID ) = e(P, P) = g

15 Center for Information Security Technologies 15 ID-AKE of Distinct Domains (1) q U = H(ID U ) Private key : S U = (s+q U ) -1 P Extract q V = H(ID V ) Private key : S V = (s’+q V ) -1 P KGC 1 KGC 2 params ={e, G 1, G 2, q, P, P pub =sP} master secret key : s params’ ={e, G 1, G 2, q, P, P’ pub =s’P} master secret key : s’ Client Server

16 Center for Information Security Technologies 16 ID-AKE of Distinct Domains (2) U P, P pub, g, [ ID U, S U ] V P, P’ pub, [ ID V, S V ] a ← Z q * q v = H(ID V ), Q V = P’ pub + q v P t u = g a, h = H 1 (t u ) X = aQ V, Y = (a+h)S U ID U, (X, Y) q u = H(ID U ), Q U = P pub + q u P t u = e(X, S V ), c = e(Y, Q U ) h = H 1 (t u ), c =? t u g h z’ = H 2 (t u, t v, X, Y, ID U, ID V ) z, t v sk = H 3 (t u, t v, X, Y, ID U, ID V ) t v ← Z q * z = H 2 (t u, t v, X, Y, ID U, ID V ) z’ =? z sk = H 3 (t u, t v, X, Y, ID U, ID V )

17 Center for Information Security Technologies 17 Comparison – M : scalar multiplication of G 1 – P : pairing(bilinear map) operation – Ex : small modular exponentiation MB 05 : CT-RSA 2005 (McCullagh and Barreto) Client (using precomputation) Server M P MPEx MB 05 31310 Our ID-AKA20121

18 Center for Information Security Technologies 18 Conclusion We proposed an efficient ID-AKE protocol which is suitable for low-power mobile devices. The ID-AKE protocol can be easily applied in different KGCs. Also, our protocol can be expanded to a group AKE protocol.

19 Center for Information Security Technologies 19 Thank you

Download ppt "Center for Information Security Technologies ID-based Authenticated Key Exchange for Low-Power Mobile Devices K. Y. Choi, J. Y. Hwang, D. H. Lee CIST,"

Similar presentations

TCC 2006 Research on Password-Authenticated Group Key Exchange Jeong Ok Kwon, Ik Rae Jeong, and Dong Hoon Lee (CIST, Korea Univ.) Kouchi Sakurai (Kyushu.

TCC 2006 Research on Password-Authenticated Group Key Exchange Jeong Ok Kwon, Ik Rae Jeong, and Dong Hoon Lee (CIST, Korea Univ.) Kouchi Sakurai (Kyushu.
Boneh-Franklin Identity-based Encryption. 2 Symmetric bilinear groups G = ágñ, g p = 1 e: G G G t Bilinear i.e. e(u a, v b ) = e(u, v) ab Non-degenerate:

Boneh-Franklin Identity-based Encryption. 2 Symmetric bilinear groups G = ágñ, g p = 1 e: G G G t Bilinear i.e. e(u a, v b ) = e(u, v) ab Non-degenerate:
An Introduction to Pairing Based Cryptography Dustin Moody October 31, 2008.

An Introduction to Pairing Based Cryptography Dustin Moody October 31, 2008.
多媒體網路安全實驗室 An efficient and security dynamic identity based authentication protocol for multi-server architecture using smart cards 作者 :JongHyup LEE 出處.

多媒體網路安全實驗室 An efficient and security dynamic identity based authentication protocol for multi-server architecture using smart cards 作者 :JongHyup LEE 出處.
BY JYH-HAW YEH COMPUTER SCIENCE DEPT. BOISE STATE UNIVERSITY Proxy Credential Forgery Attack to Two Proxy Signcryption Schemes.

BY JYH-HAW YEH COMPUTER SCIENCE DEPT. BOISE STATE UNIVERSITY Proxy Credential Forgery Attack to Two Proxy Signcryption Schemes.
11 Efficient and Secure Certificateless Authentication and Key Agreement Protocol for Hybrid P2P Network Authors: Z. B. Xu and Z. W. Li Source: The 2nd.

11 Efficient and Secure Certificateless Authentication and Key Agreement Protocol for Hybrid P2P Network Authors: Z. B. Xu and Z. W. Li Source: The 2nd.
Further improvement on the modified authenticated key agreement scheme Authors: N.Y. Lee and M.F. Lee Source: Applied Mathematics and Computation, Vol.157,

Further improvement on the modified authenticated key agreement scheme Authors: N.Y. Lee and M.F. Lee Source: Applied Mathematics and Computation, Vol.157,
From: Cryptographers’ Track of the RSA Conference 2008 Date:2011-11-29 Reporter: Yi-Chun Shih 1.

From: Cryptographers’ Track of the RSA Conference 2008 Date: Reporter: Yi-Chun Shih 1.
Session 4 Asymmetric ciphers.

Session 4 Asymmetric ciphers.
1 Authenticated key agreement without using one-way hash functions Harn, L.; Lin, H.-Y. Electronics Letters, Volume: 37 Issue: 10, 10 May 2001 Presented.

1 Authenticated key agreement without using one-way hash functions Harn, L.; Lin, H.-Y. Electronics Letters, Volume: 37 Issue: 10, 10 May 2001 Presented.
1 Security analysis of an enhanced authentication key exchange protocol Authors : H.Y. Liu, G.B. Horng, F.Y. Hung Presented by F.Y. Hung Date : 2005/5/20.

1 Security analysis of an enhanced authentication key exchange protocol Authors : H.Y. Liu, G.B. Horng, F.Y. Hung Presented by F.Y. Hung Date : 2005/5/20.
Mutual authentication and group key agreement for low-power mobile devices Authors: Emmanuel Bresson, Olivier Chevassut, Abdeilah Essiari, David Pointcheval.

Mutual authentication and group key agreement for low-power mobile devices Authors: Emmanuel Bresson, Olivier Chevassut, Abdeilah Essiari, David Pointcheval.
Identity Based Encryption

Identity Based Encryption
Cryptography1 CPSC 3730 Cryptography Chapter 10 Key Management.

Cryptography1 CPSC 3730 Cryptography Chapter 10 Key Management.
Weakness of Shim’s New ID- base Tripartite Multiple-key Agreement Protocol Authors: J.S. Chou, C.H.Lin and C.H. Chiu ePrint/2005/457 Presented by J. Liu.

Weakness of Shim’s New ID- base Tripartite Multiple-key Agreement Protocol Authors: J.S. Chou, C.H.Lin and C.H. Chiu ePrint/2005/457 Presented by J. Liu.
1 Identity-Based Encryption form the Weil Pairing Author : Dan Boneh Matthew Franklin Presentered by Chia Jui Hsu Date : 2008-06-03.

1 Identity-Based Encryption form the Weil Pairing Author : Dan Boneh Matthew Franklin Presentered by Chia Jui Hsu Date :
Identity-based authenticated key agreement protocol based on Weil pairing N.P.Smart ELECTRONICS LETTERS 20 th June 2002 vol.38 No13 p.630-632 Present by.

Identity-based authenticated key agreement protocol based on Weil pairing N.P.Smart ELECTRONICS LETTERS 20 th June 2002 vol.38 No13 p Present by.
Certificateless Authenticated Two-Party Key Agreement Protocols

Certificateless Authenticated Two-Party Key Agreement Protocols
Inter-Domain Identity-Based Authenticated Key Agreement Protocols from Weil Pairing Authors: Hong-bin Tasi, Yun-Peng Chiu and Chin-Laung Lei From:ISC2006.

Inter-Domain Identity-Based Authenticated Key Agreement Protocols from Weil Pairing Authors: Hong-bin Tasi, Yun-Peng Chiu and Chin-Laung Lei From:ISC2006.
Identity-based authenticated key agreement protocol based on Weil pairing N.P. Smart IEE Electronics Letters 2002 Presented By Kuang-Ling Lin 10/7/2003.

Identity-based authenticated key agreement protocol based on Weil pairing N.P. Smart IEE Electronics Letters 2002 Presented By Kuang-Ling Lin 10/7/2003.

Similar presentations

Ads by Google