Provably secure three-party password-based authenticated key exchange protocol using Weil pairing
H.-A. Wen, T.-F. Lee and T. Hwang
IEE Proc.-Commun., Vol. 152, No. 2, pp. 138-143, April 2005
Presented by C.C. Tsai
Outline
• Introduction
• Preliminary
• Protocol
• Model and Definition
• Security analysis (Proof)
• Conclusion
Introduction
• In a three-party PAKE (3PAKE) each user shares a password only with a trusted server S; in the basic designs, however, the server also learns every session key
• Several later papers have proposed protocols that overcome this problem
• Joux first introduced the Bilinear Diffie-Hellman (BDH) problem
• This paper proposes the first provably secure three-party PAKE built on the Weil pairing
Preliminaries
• Weil pairing: let $G_1, G_2$ be two groups of prime order $q$ and let $e: G_1 \times G_1 \to G_2$ be a bilinear map. The Weil pairing is a bilinear map with the following properties:
  (1) Bilinear: $e(aP, bQ) = e(P, Q)^{ab}$ for all $P, Q \in G_1$ and all $a, b \in \mathbb{Z}_q$
  (2) Non-degenerate: $e$ does not map every pair in $G_1 \times G_1$ to the identity of $G_2$
  (3) Computable: $e(P, Q)$ can be computed in polynomial time
• BDH problem: given $\langle e, xP, yP, zP \rangle$, the probability of outputting $e(P, P)^{xyz}$ is negligible
Protocol (setup)
• $p$: a prime with $p \equiv 2 \pmod 3$ and $p = 6q - 1$ for a large prime $q$
• $E$: the supersingular curve $y^2 = x^3 + 1$ over $F_p$
• $P$: a point of order $q$, used as generator
• $E_q$: the group generated by $P$
• $\mu_q$: the subgroup of $F_{p^2}^{*}$ of order $q$
• $e$: the modified Weil pairing $e: E_q \times E_q \to \mu_q$
• $ID_S, ID_A, ID_B$: the identities of the server S, user A and user B
• $P_S$: S selects a secret key $s$ and computes the public key $P_S = sP$
• $PW_A, PW_B$: the passwords that users A and B share with the server S
Protocol (execution)
Step 1 (A → B):
1. A randomly selects $a$, computes $aP$ and $k_A = H(aP, P_S, Q, e(P_S, aQ))$, where $Q = G(ID_S)$
2. A computes $c_A = \ldots$ and sends $(ID_A, aP, c_A)$ to B
Step 2 (B → S):
1. B randomly selects $b$, computes $bP$ and $k_B = H(bP, P_S, Q, e(P_S, bQ))$
2. B computes $K = e(aP, bU)$, where $U = G(ID_A, ID_B)$
3. B computes $c_B = \ldots$ and $u_B = H(ID_B, K)$, and sends $(ID_A, aP, c_A, bP, c_B, u_B)$ to S
Step 3 (S → A):
1. S computes $k_A = H(aP, P_S, Q, e(aP, sQ))$ and $k_B = H(bP, P_S, Q, e(bP, sQ))$; by bilinearity $e(aP, sQ) = e(P, Q)^{as} = e(P_S, aQ)$, so S recovers the same $k_A, k_B$ from its secret $s$ alone
2. S verifies $\ldots$
3. S computes $\ldots$ and sends $(bP, u_B, \ldots, \ldots)$ to A
Step 4 (A → B):
1. A computes $K = e(bP, aU)$ and verifies $u_B$
2. A computes $u_A = H(ID_A, K)$ and sends $(u_A, \ldots)$ to B
The session key shared by A and B is $SK = H(aP, bP, U, K)$
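The following simulation is an added example, not code from the paper or from the presenter. It runs the value flow of the four steps above so that the bilinearity identities the protocol depends on can be checked: S rebuilds $k_A, k_B$ from $s$ alone, A and B arrive at the same $K$, both accept each other's tag, and both derive the same $SK$. It makes one large assumption: instead of the modified Weil pairing on $E_q$ it uses a toy bilinear map in which $G_1$ is $\mathbb{Z}_q$ (a "point" $xP$ is the scalar $x$), $G_2$ is the order-$q$ subgroup of $\mathbb{Z}_p^*$ with $p = 2q + 1$, and $e(xP, yQ) = g^{xy}$. That map is bilinear and non-degenerate, so every identity holds, but its discrete logarithm is trivial, so it gives no security and is for checking the computations only. The names `pair`, `H`, `G`, `run_protocol` and the parameters `Q_ORDER`, `P_MOD`, `G2_GEN` are the example's own; $c_A$ and $c_B$ are not modelled because their definition is not on the slide, and `tamper_bP` is added to show the $u_B$ check failing when $bP$ is altered in transit.

```python
"""Added simulation of the value flow in the Wen-Lee-Hwang 3PAKE (not the paper's code).

ASSUMPTION: the modified Weil pairing is replaced by a toy bilinear map.
G1 = Z_q (a "point" xP is the scalar x), G2 = the order-q subgroup of Z_p^*
with p = 2q + 1, and e(xP, yQ) = g^(x*y mod q).  Bilinear and non-degenerate,
but the discrete log is trivial: no security, only a check of the arithmetic.
"""
import hashlib
import secrets

Q_ORDER = 1019                # prime q (constructed toy size)
P_MOD = 2 * Q_ORDER + 1       # prime p = 2039, so q divides p - 1
G2_GEN = 4                    # 2^2 is a quadratic residue, hence of order q in Z_p^*


def pair(x: int, y: int) -> int:
    """Toy bilinear map: e(aX, bY) = e(X, Y)^(ab), and e(P, P) = g != 1."""
    return pow(G2_GEN, (x * y) % Q_ORDER, P_MOD)


def H(*parts) -> str:
    """Stand-in for the random oracle H: SHA-256 over a length-prefixed encoding."""
    h = hashlib.sha256()
    for part in parts:
        data = str(part).encode()
        h.update(len(data).to_bytes(4, "big") + data)
    return h.hexdigest()


def G(*ids) -> int:
    """Stand-in for G: hash identities to a nonzero element of G1 (here Z_q)."""
    return int(H("G", *ids), 16) % (Q_ORDER - 1) + 1


def _rand_scalar() -> int:
    return secrets.randbelow(Q_ORDER - 1) + 1


def run_protocol(id_s="S", id_a="Alice", id_b="Bob",
                 s=None, a=None, b=None, tamper_bP=False):
    """Run the four message steps and report which of the checks succeed.

    s, a, b default to fresh random scalars; pass them to make a run reproducible.
    tamper_bP=True alters the bP that A receives in step 3, so A's u_B check fails.
    """
    s = _rand_scalar() if s is None else s
    a = _rand_scalar() if a is None else a
    b = _rand_scalar() if b is None else b
    P_S = s % Q_ORDER            # server public key P_S = sP (P = 1 in the toy group)
    Q = G(id_s)                  # Q = G(ID_S)
    U = G(id_a, id_b)            # U = G(ID_A, ID_B)

    # Step 1 (A -> B): A sends aP; k_A ties a to the server's public key.
    aP = a % Q_ORDER
    k_A = H(aP, P_S, Q, pair(P_S, a * Q % Q_ORDER))

    # Step 2 (B -> S): B sends bP and the tag u_B = H(ID_B, K) with K = e(aP, bU).
    bP = b % Q_ORDER
    k_B = H(bP, P_S, Q, pair(P_S, b * Q % Q_ORDER))
    K_b = pair(aP, b * U % Q_ORDER)
    u_B = H(id_b, K_b)

    # Step 3 (S -> A): from s alone, S rebuilds k_A and k_B, because by bilinearity
    # e(P_S, aQ) = e(sP, aQ) = e(P, Q)^(sa) = e(aP, sQ).  In the real protocol S
    # learns neither a, b nor K; in this toy it could, since "points" are scalars.
    k_A_at_S = H(aP, P_S, Q, pair(aP, s * Q % Q_ORDER))
    k_B_at_S = H(bP, P_S, Q, pair(bP, s * Q % Q_ORDER))
    bP_received = (bP + 1) % Q_ORDER if tamper_bP else bP

    # Step 4 (A -> B): A computes K = e(bP, aU), checks u_B and answers with u_A.
    K_a = pair(bP_received, a * U % Q_ORDER)
    u_B_ok = (u_B == H(id_b, K_a))
    u_A = H(id_a, K_a)
    u_A_ok = (u_A == H(id_a, K_b))     # B's check of A's tag

    SK_a = H(aP, bP_received, U, K_a)  # session key SK = H(aP, bP, U, K)
    SK_b = H(aP, bP, U, K_b)
    return {
        "k_A_match": k_A == k_A_at_S,
        "k_B_match": k_B == k_B_at_S,
        "u_B_ok": u_B_ok,
        "u_A_ok": u_A_ok,
        "session_keys_match": SK_a == SK_b,
    }


if __name__ == "__main__":
    print(run_protocol())
    print(run_protocol(tamper_bP=True))
```

Every check is true on an honest run; with `tamper_bP=True` the two $k$ values still match (they depend only on $aP$, $bP$, $s$), but $u_B$ fails at A, $u_A$ fails at B, and the two sides' session keys differ, which is the behaviour the verification steps exist to produce.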
Models
• $H(M)$: a random oracle; on input $M$ it returns $r$, and also records the pair $(M, r)$ in a public H-table
Definitions
• Password security: an adversary A breaks the password security of P if A learns a user's password by an on-line or off-line dictionary attack
• AKE security: the probability that A breaks the AKE security of P defines A's AKE advantage against P. We say P is AKE-secure if this advantage is negligible
Security analysis
• Let the AKE advantage be the advantage with which A breaks the AKE security of protocol P within time $t$
• Let the WDH advantage be the advantage with which $\omega$ breaks the WDH problem within time $t'$
• Theorem: assume A breaks the AKE security of P by running $q_{se}$ Send queries, $q_{ex}$ Execute queries and $q_h$ H queries. Then the AKE advantage is bounded by $\ldots$, where $t' = \ldots$ ($T_p$ is the time to generate a random point in $E_q$, $T_e$ is the time to perform one Weil pairing)
Proof of theorem
• Case 1: $S_1$ denotes the event that A breaks the AKE security without breaking the password security
• Let $\ldots$ be the probability that $\omega$ correctly chooses, among the $H(xP, yP, zP, *)$ queries recorded in the H-table, the one belonging to the test session; then $\ldots$
• Let $\ldots$ be the probability that $\omega$ correctly guesses the value $i$; then $\ldots$ (1)
Proof of theorem
• Case 2: $S_2$ denotes the event that A breaks the AKE security of P by breaking the password security
• (i) On-line dictionary attack
• (ii) Off-line dictionary attack (2)
Proof of theorem
• Combining (1) and (2) gives the bound of the theorem
Conclusion
• The proposed protocol needs only four message steps (A → B, B → S, S → A, A → B) to achieve mutual authentication and session-key establishment
• Its security is formally proved in the random oracle model