SAKAWP: Simple Authenticated Key Agreement Protocol Based on Weil Pairing
Authors: Eun-Jun Yoon and Kee-Young Yoo
Src: International Conference on Convergence Information Technology, 21-23 Nov. 2007, pp. 2096 - 2101
Presenter: Jung-wen Lo (駱榮問)
Outline
• Introduction
• Notation
• SAKAWP Protocol
• Security Analysis
• Performance comparison
• Conclusion & Comment
Introduction
• Simple Authenticated Key Agreement
  • Seo and Sweeney
  • Electronics Letters, 35(13), pp. 1073-1074, 1999
• Elliptic curve cryptosystem
  • V. Miller (1986), N. Koblitz (1987)
  • A. Joux (LNCS 1838, 2000)
  • The Weil Diffie-Hellman problem can be considered as a new security assumption to develop cryptosystems
• Bilinear pairing
  • An effective method of reducing the complexity of the discrete log problem in a finite field; pairings provide an appropriate setting for the Weil Diffie-Hellman problem
• Modified Weil pairing
  Let $p$ be a prime such that $q \mid (p - 1)$ for a large prime $q$. Let $G_1$ and $G_2$ be two cyclic groups of order $q$. The modified Weil pairing is a mapping $e : G_1 \times G_1 \to G_2$ which satisfies the following properties:
  • Bilinear: $e(aP, bQ) = e(P, Q)^{ab}$, for all $P, Q \in G_1$ and all $a, b \in \mathbb{Z}_q$.
  • Non-degenerate: There exists a point $P \in G_1$ such that $e(P, P) \neq 1$.
  • Computable: $e(P, Q)$ can be computed in polynomial time.
Notation
• $ID_A$, $ID_S$: Identity of user A and authentication server S, respectively.
• $PW_A$: The common password shared between A and S.
• $p$: A prime such that $p \equiv 2 \pmod 3$ and $p = 6q - 1$ for a large prime $q$.
• $E$: A super-singular curve defined by $y^2 = x^2 + 1$ over the finite field $\mathbb{F}_p$.
• $P \in E/\mathbb{F}_p$: A generator of the group of points of order $q$.
• $E_q$: The group generated by $P$.
• $\mu_q$: The subgroup of $\mathbb{F}_{p^2}^*$ of order $q$.
• $e : E_q \times E_q \to \mu_q$: A modified Weil pairing.
• $H(\cdot)$: A cryptographic one-way hash function which maps a string to an element of $\mathbb{F}_p$.
• $G(\cdot)$: A cryptographic one-way hash function which maps a string to a point of $G_1$.
• $sid$: A session identifier.
• $a$: A secret random number $\in \mathbb{Z}_q^*$ chosen by A.
• $b$: A secret random number $\in \mathbb{Z}_q^*$ chosen by S.
• $SK$: A shared common session key between A and B.
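SAKAWP Protocol
Parties: A and S; S: $(ID_A, E_{serverk}(PW_A))$

1. A:
   • Random $a \in \mathbb{Z}_q^*$
   • $X = aP$
   • $X_1 = X + G(sid, ID_A, PW_A)$
   A → S: $sid, ID_A, X_1$

2. S:
   • Random $b \in \mathbb{Z}_q^*$
   • $Y = bP$
   • $X = X_1 - G(sid, ID_A, PW_A)$
   • $U = G(sid, ID_A, ID_S)$
   • $K_S = e(X, bU) = e(P, U)^{ab}$
   • $MAC_{KS} = H(sid, X, K_S)$
   S → A: $sid, ID_S, Y, MAC_{KS}$

3. A:
   • $U' = G(sid, ID_A, ID_S)$
   • $K_A = e(Y, aU') = e(P, U')^{ab}$
   • $H(sid, X, K_A) \stackrel{?}{=} MAC_{KS}$
   • $MAC_{KA} = H(sid, Y, K_A)$
   • $SK = H(sid, ID_A, ID_S, K_A)$
   A → S: $sid, MAC_{KA}$

4. S:
   • $H(sid, Y, K_S) \stackrel{?}{=} MAC_{KA}$
   • $SK = H(sid, ID_A, ID_S, K_S)$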
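The four steps above as an added, runnable sketch (not code from the paper or the slides). Assumptions: the Weil pairing is replaced by an insecure toy bilinear map in which a point xP is stored as its scalar x and e(xP, yP) = g^(xy) mod p; the parameters, the function `run_sakawp` and its argument names are hypothetical.

```python
import hashlib, hmac, secrets

# Toy bilinear map (assumption, insecure, NOT a Weil pairing): the point xP is
# stored as the scalar x mod N, and e(xP, yP) = g^(x*y) mod p.
p = 2**127 - 1   # Mersenne prime used as toy field modulus
N = p - 1        # toy group order (composite, unlike the prime q on the slide)
g = 3

def e(X, Y):
    return pow(g, (X * Y) % N, p)            # e(aP, bQ) = e(P, Q)^(ab)

def H(*parts):                               # hash to a hex string
    return hashlib.sha256(repr(("H",) + parts).encode()).hexdigest()

def G(*parts):                               # hash to a toy "point" (scalar)
    d = hashlib.sha256(repr(("G",) + parts).encode()).digest()
    return int.from_bytes(d, "big") % N

def run_sakawp(sid, id_a, id_s, pw_a, pw_s):
    """One run; pw_a is what A types, pw_s what S has stored.
    Returns (SK_A, SK_S); a side that aborts yields None."""
    # Step 1 (A): mask the ephemeral X = aP with the password-derived point.
    a = secrets.randbelow(N - 1) + 1
    X = a                                    # X = aP with P = 1
    X1 = (X + G(sid, id_a, pw_a)) % N
    # Step 2 (S): unmask with the stored password, derive K_S and MAC_KS.
    b = secrets.randbelow(N - 1) + 1
    Y = b                                    # Y = bP
    Xs = (X1 - G(sid, id_a, pw_s)) % N
    U = G(sid, id_a, id_s)
    KS = e(Xs, b * U % N)
    mac_ks = H(sid, Xs, KS)
    # Step 3 (A): derive K_A, verify the server's MAC, answer with MAC_KA.
    KA = e(Y, a * U % N)
    if not hmac.compare_digest(H(sid, X, KA), mac_ks):
        return None, None                    # A aborts; S never receives MAC_KA
    mac_ka = H(sid, Y, KA)
    sk_a = H(sid, id_a, id_s, KA)
    # Step 4 (S): verify A's MAC before accepting the session key.
    if not hmac.compare_digest(H(sid, Y, KS), mac_ka):
        return sk_a, None
    return sk_a, H(sid, id_a, id_s, KS)
```

With matching passwords both sides derive the same SK; with a mismatched password S recovers a different X, so A's check of MAC_KS in step 3 fails and the run stops there.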
Security Analysis
• Replay attack
  • An attacker who intercepts $X_1$ still needs the correct $PW_A$
  • $K_A$ needs the correct $b$ => ECDLP
• Password guessing attack
  • ECDLP & WDH
• Man-in-the-middle attack
  • Mutual password $PW_A$
• Modification attack
  • Check $K_A = K_S$ and the validity of $X_1$ & $Y$
• Known-key security
  • Each run produces a unique session key
• Session key security
  • The key is only known by A & S
  • $a$, $b$ are protected by WDH & the hash function
• Perfect forward secrecy
  • $PW_A$ compromised => WDH
Conclusion & Comment
• Conclusion
  • Secure
  • Efficient
  • Mutual authentication
• Comment
  • Try 2 rounds
  • Provide password change