
Provably secure three-party password-based authenticated key exchange protocol using Weil pairing

H.-A. Wen, T.-F. Lee and T. Hwang, IEE Proc.-Commun., Vol. 152, No. 2, pp. 138-143, April 2005. Presented by C.C. Tsai.



  1. Provably secure three-party password-based authenticated key exchange protocol using Weil pairing
  H.-A. Wen, T.-F. Lee and T. Hwang, IEE Proc.-Commun., Vol. 152, No. 2, pp. 138-143, April 2005
  Presented by C.C. Tsai

  2. Outline
  • Introduction
  • Preliminary
  • Protocol
  • Model and Definition
  • Security analysis (Proof)
  • Conclusion

  3. Introduction
  • In the earlier three-party PAKE protocols each user shares only a password with a trusted server, but the server learns every session key
  • Later papers were proposed to overcome this problem
  • Joux was the first to build a protocol on the Bilinear Diffie-Hellman problem
  • This paper is the first to propose a provably secure three-party PAKE using the Weil pairing

  4. Preliminaries
  • Weil pairing: let G1 and G2 be two groups of prime order q. A map e : G1 × G1 → G2 is a bilinear pairing if it has the following properties:
    (1) Bilinear: e(aP, bQ) = e(P, Q)^{ab} for all P, Q ∈ G1 and all a, b ∈ Z_q
    (2) Non-degenerate: e does not map every pair in G1 × G1 to the identity of G2
    (3) Computable: e(P, Q) can be computed in polynomial time
  • BDH problem: given ⟨e, xP, yP, zP⟩, the probability that an efficient algorithm outputs e(P, P)^{xyz} is negligible

  5. Protocol (setup)
  • p: a prime such that p ≡ 2 (mod 3) and p = 6q - 1 for a large prime q
  • E: the supersingular curve y^2 = x^3 + 1 over F_p
  • P: a point of E of order q
  • E_q: the group generated by P
  • μ_q: the subgroup of F_{p^2}^* of order q
  • e: the modified Weil pairing e : E_q × E_q → μ_q
  • ID_S, ID_A, ID_B: the identities of the server S and of users A and B
  • P_S: S selects a secret key s and computes its public key P_S = sP
  • PW_A, PW_B: the passwords users A and B share with the server S

  6. Protocol (Execution)
  Step 1, A → B
    1. A randomly selects a, computes aP and k_a = H(aP, P_S, Q, e(P_S, aQ)), where Q = G(ID_S)
    2. A computes c_a (the expression is blank in the transcript)
    A sends (ID_A, aP, c_a) to B
  Step 2, B → S
    1. B randomly selects b, computes bP and k_b = H(bP, P_S, Q, e(P_S, bQ))
    2. B computes K = e(aP, bU), where U = G(ID_A, ID_B)
    3. B computes c_b (blank in the transcript) and u_b = H(ID_B, K)
    B sends (ID_A, aP, c_a, bP, c_b, u_b) to S

  7. Protocol (Execution)
  Step 3, S → A
    1. S computes k_a = H(aP, P_S, Q, e(aP, sQ)) and k_b = H(bP, P_S, Q, e(bP, sQ)); these equal A's and B's values because e(P_S, aQ) = e(sP, aQ) = e(P, Q)^{sa} = e(aP, sQ), and likewise for b
    2. S verifies c_a and c_b
    3. S computes two further values (blank in the transcript)
    S sends (bP, u_b, _, _) to A

  8. Protocol (Execution)
  Step 4, A → B
    1. A computes K = e(bP, aU) and verifies u_b
    2. A computes u_a = H(ID_A, K)
    A sends (u_a, _) to B
  The session key shared by A and B is SK = H(aP, bP, U, K)
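The four message flows of slides 6 to 8, run end to end, with the pairing properties of slide 4 checked on the way. This is an added example, not the authors' code. It uses a toy bilinear map on a subgroup of Z_607^* whose discrete logs are read from a table, so it demonstrates the protocol algebra (k_a agrees between A and S, K agrees between A and B, both ends derive SK = H(aP, bP, U, K)) and not the security, which needs a real pairing on E_q. Assumptions: the group parameters q = 101 and r = 607; SHA-256 stand-ins for H and G; an HMAC of the password under k_a or k_b as the encoding of c_a and c_b, which the transcript leaves undefined; the fields left blank in messages 3 and 4 are omitted; identities and passwords are constructed.

```python
"""Wen-Lee-Hwang three-party PAKE message flow over a TOY bilinear map.
Added example, not the authors' code; group, hashes and c_a/c_b encoding are assumptions."""
import hashlib
import hmac
import secrets

# Toy group (assumption): q = 101 and r = 6q + 1 = 607 are prime, so Z_r^* has one subgroup
# of order q, generated by G_GEN = 2^6 mod 607.  The slides' additive "aP" is pow(G_GEN, a, R_MOD).
Q_ORDER, R_MOD = 101, 607
G_GEN = pow(2, 6, R_MOD)
_DLOG = {pow(G_GEN, k, R_MOD): k for k in range(Q_ORDER)}
ID_S, ID_A, ID_B = b"server", b"alice", b"bob"  # constructed identities

def pair(x: int, y: int) -> int:
    """Toy symmetric bilinear map e(g^a, g^b) = g^(ab) via a discrete-log table: bilinear and
    non-degenerate as on slide 4, but NOT hard, so it shows the algebra, not the security."""
    return pow(G_GEN, (_DLOG[x] * _DLOG[y]) % Q_ORDER, R_MOD)

def H(*parts) -> bytes:
    """Random-oracle stand-in H: SHA-256 over length-prefixed ints (group elements) and bytes."""
    h = hashlib.sha256()
    for part in parts:
        data = part if isinstance(part, bytes) else part.to_bytes(4, "big")
        h.update(len(data).to_bytes(2, "big") + data)
    return h.digest()

def G_hash(*ids: bytes) -> int:
    """Stand-in for G: identities -> group element (a real G must hash to a point of E_q)."""
    return pow(G_GEN, int.from_bytes(H(*ids), "big") % Q_ORDER, R_MOD)

def mac(key: bytes, *parts) -> bytes:
    return hmac.new(key, H(*parts), hashlib.sha256).digest()

def a_step1(P_S: int, pw_a: bytes):
    """Step 1, A -> B: (ID_A, aP, c_a).  c_a is blank in the transcript; the stand-in
    (assumption) is an HMAC of A's password under k_a = H(aP, P_S, Q, e(P_S, aQ))."""
    a, Q_S = 1 + secrets.randbelow(Q_ORDER - 1), G_hash(ID_S)
    aP = pow(G_GEN, a, R_MOD)
    k_a = H(aP, P_S, Q_S, pair(P_S, pow(Q_S, a, R_MOD)))
    return a, (ID_A, aP, mac(k_a, pw_a))

def b_step2(msg1, P_S: int, pw_b: bytes):
    """Step 2, B -> S: k_b as in step 1, K = e(aP, bU), u_b = H(ID_B, K)."""
    _, aP, c_a = msg1
    b, Q_S = 1 + secrets.randbelow(Q_ORDER - 1), G_hash(ID_S)
    bP = pow(G_GEN, b, R_MOD)
    k_b = H(bP, P_S, Q_S, pair(P_S, pow(Q_S, b, R_MOD)))
    K = pair(aP, pow(G_hash(ID_A, ID_B), b, R_MOD))
    return (b, K), (ID_A, aP, c_a, bP, mac(k_b, pw_b), H(ID_B, K))

def s_step3(msg2, s: int, P_S: int, passwords: dict):
    """Step 3, S -> A: recompute k_a, k_b with s (e(aP, sQ) = e(P_S, aQ) by bilinearity),
    check both password authenticators, relay (bP, u_b); the blank fields are omitted."""
    id_a, aP, c_a, bP, c_b, u_b = msg2
    Q_S = G_hash(ID_S)
    sQ = pow(Q_S, s, R_MOD)
    if not hmac.compare_digest(c_a, mac(H(aP, P_S, Q_S, pair(aP, sQ)), passwords[id_a])):
        raise ValueError("A's password authenticator rejected")
    if not hmac.compare_digest(c_b, mac(H(bP, P_S, Q_S, pair(bP, sQ)), passwords[ID_B])):
        raise ValueError("B's password authenticator rejected")
    return bP, u_b

def a_step4(msg3, a: int, aP: int):
    """Step 4, A -> B: K = e(bP, aU), verify u_b, send u_a = H(ID_A, K); SK = H(aP, bP, U, K)."""
    bP, u_b = msg3
    U = G_hash(ID_A, ID_B)
    K = pair(bP, pow(U, a, R_MOD))
    if not hmac.compare_digest(u_b, H(ID_B, K)):
        raise ValueError("B's key confirmation rejected")
    return H(aP, bP, U, K), (H(ID_A, K),)

def b_step5(msg4, state, aP: int):
    """B verifies u_a and derives the same SK."""
    b, K = state
    if not hmac.compare_digest(msg4[0], H(ID_A, K)):
        raise ValueError("A's key confirmation rejected")
    return H(aP, pow(G_GEN, b, R_MOD), G_hash(ID_A, ID_B), K)

def run(pw_a: bytes, pw_b: bytes, server_db: dict):
    """One execution with a fresh server key s, P_S = sP; returns the keys A and B derive."""
    s = 1 + secrets.randbelow(Q_ORDER - 1)
    P_S = pow(G_GEN, s, R_MOD)
    a, msg1 = a_step1(P_S, pw_a)
    state_b, msg2 = b_step2(msg1, P_S, pw_b)
    msg3 = s_step3(msg2, s, P_S, server_db)
    sk_a, msg4 = a_step4(msg3, a, msg1[1])
    return sk_a, b_step5(msg4, state_b, msg1[1])

def server_rejects(pw_a: bytes, pw_b: bytes, server_db: dict) -> bool:
    """True if the run aborts, e.g. because a client used a password S does not hold."""
    try:
        run(pw_a, pw_b, server_db)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    db = {ID_A: b"alice-pw", ID_B: b"bob-pw"}
    sk_a, sk_b = run(b"alice-pw", b"bob-pw", db)
    print("A and B agree:", sk_a == sk_b, "wrong password rejected:", server_rejects(b"guess", b"bob-pw", db))
```

The message functions only touch the pairing through `pair`, `G_hash` and the group constants, so a real instantiation (the curve of slide 5 with the modified Weil pairing) can replace those three without changing the protocol steps. Note what changes with a real pairing: in the toy, S can read a and b off aP and bP and so compute K, whereas on E_q the server sees aP, bP and U and computing K = e(P, U)^{ab} from them is exactly a BDH instance, which is the property the introduction says earlier three-party PAKEs lacked.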

  9. Models
  • H(M): on input M, H returns a value r and records the pair (M, r) in a public H-table (the random-oracle simulation used in the proof)

  10. Definitions
  • Password security: adversary A breaks the password security of P if A learns a user's password by an on-line or off-line dictionary attack
  • AKE security: the advantage of adversary A in breaking the AKE security of P is defined by (formula missing in the transcript). We say P is AKE-secure if this advantage is negligible

  11. Security Analysis
  • Let the first advantage be that of A breaking the AKE security of protocol P within time t
  • Let the second advantage be that of ω solving the WDH (Weil Diffie-Hellman) problem within time t'
  • Assume A breaks the AKE security of P by running q_se Send queries, q_ex Execute queries and q_h H queries. Then (bound missing in the transcript), where t' = (expression missing in the transcript); T_p is the time to generate a random point in E_q and T_e is the time to perform one Weil pairing

  12. Proof of theorem
  • Case 1. S1 denotes the event that A breaks the AKE security without breaking the password security
  • Let the first probability be that ω correctly chooses among the possible H(xP, yP, zP, *) queries in the H-table; then (bound missing in the transcript)
  • Let the second probability be that ω correctly guesses the value i; then (bound missing in the transcript)
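Why ω searches the H-table for entries of the form H(xP, yP, zP, *): this derivation is added here and is not on the slide. It assumes that the simulator ω embeds its WDH instance ⟨xP, yP, zP⟩ into the test session by answering aP = xP and bP = yP and programming U = G(ID_A, ID_B) = zP. With the definitions of K and SK from slides 6 and 8 and the bilinearity of e:

$$K = e(aP,\, bU) = e(xP,\, y\,zP) = e(P,P)^{xyz} = e(bP,\, aU),$$

$$SK = H(aP,\, bP,\, U,\, K) = H\big(xP,\, yP,\, zP,\, e(P,P)^{xyz}\big).$$

ω knows none of x, y, z, so it cannot compute K itself; but any H query with prefix (xP, yP, zP) carries a candidate e(P,P)^{xyz} as its fourth argument, and ω outputs that value as its WDH answer once it has picked the right H-table entry and the right session i. Those two guesses are what the two probabilities in Case 1 account for.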

  13. Proof of theorem
  • Case 2. S2 denotes the event that A breaks the AKE security of P by breaking the password security
    (i) On-line dictionary attack
    (ii) Off-line dictionary attack

  14. Proof of theorem • By (1) and (2)

  15. Conclusion
  • The proposed protocol needs only four message flows (A → B, B → S, S → A, A → B) to achieve mutual authentication and session key establishment
  • A formal security proof in the random oracle model is given
