
Cryptanalysis of tripartite and multi-party authenticated key agreement protocols

Cryptanalysis of tripartite and multi-party authenticated key agreement protocols. Authors : Kyung-Ah Shim , Sung Sik Woo Source : Information Sciences, xxx 2006 xxx-xxx Speaker : 洪聖翔 Date: 2006/11/30. Outline. Introduction


Presentation Transcript


  1. Cryptanalysis of tripartite and multi-party authenticated key agreement protocols Authors : Kyung-Ah Shim , Sung Sik Woo Source : Information Sciences, xxx 2006 xxx-xxx Speaker : 洪聖翔 Date: 2006/11/30

  2. Outline • Introduction • Review of Al-Riyami–Paterson’s tripartite key agreement protocol • Review of Lee et al.’s multi-party AK protocol • Cryptanalysis of the tripartite key agreement protocol • Conclusion

  3. Introduction • Tripartite authenticated key agreement protocols: Al-Riyami and Paterson proposed , to provide implicit key authentication with Joux’s protocol. • Multi-party setting: Lee et al. extended , assuming the existence of cryptographic multilinear forms. • Purpose: The tripartite and multi-party authenticated key agreement protocols are insecure against several active attacks (man-in-the-middle attacks, key-compromise impersonation attacks, known-key attacks and unknown key-share attacks).

  4. Review of Al-Riyami–Paterson’s tripartite key agreement protocols(1/6) • G1 be an additive group of prime order q • G2 be a multiplicative group of the same order q • Admissible Pairing: is a map with the following properties: 1. Bilinearity : for all and for all 2. Non-degeneracy: There exists such that 3. Computability: There is an efficient algorithm to compute for any . • a generator

  5. Review of Al-Riyami–Paterson’s tripartite key agreement protocols(2/6) • Joux's Protocol : , short-term secret keys ,are selected uniformly at random by A, B and C respectively. A→B,C: aP B → A,C: bP C → A,B: cP A computes , B computes C computes these are equal to

  6. Review of Al-Riyami–Paterson’s tripartite key agreement protocols(3/6) • One Round Tripartite Authenticated Key Agreement Protocols : : identity string of A : CA's signature : A's long-term public key ,where is the long-term private key of A. P : short-term public value where where

  7. Review of Al-Riyami–Paterson’s tripartite key agreement protocols(4/6) • Protocol messages: A→B,C: aP|| B → A,C: bP|| C → A,B: cP|| • TAK key generation: (Below, H denotes a suitable hash function) • TAK-1

  8. Review of Al-Riyami–Paterson’s tripartite key agreement protocols(5/6) • TAK-2 • TAK-3

  9. Review of Al-Riyami–Paterson’s tripartite key agreement protocols(6/6) • TAK-4

  10. Review of Lee et al.’s multi-party AK protocol • Let G1,G2 be two groups of the same prime order. We say that a map is an n-multilinear map if it satisfies the following properties: (i) If and ,then (ii) The map is non-degenerate in the following sense : If is a generator of then is a generator of .

  11. Cryptanalysis of the tripartite key agreement protocol • Man-in-the-middle attacks on TAK-2:

  12. Cryptanalysis of the tripartite key agreement protocol • Key-Compromise Impersonation (K-CI) Resilience • Key-compromise impersonation attacks on TAK-3: (Suppose that A’s long-term secret key x is compromised to an adversary E. ) A : B : C : E is able to obtain by computing E cannot compute since she does not compute the term This attack is a partial key-compromise impersonation attack.

  13. Cryptanalysis of the tripartite key agreement protocol • Known-key security • Forward Secrecy • Known-key conspiracy attacks on TAK-2 : (1)A : (2)B : (3)C : (1’)B : (2’)D : (3’)E : (1”)C : (2”)D : (3”)E : A D E

  14. Cryptanalysis of the tripartite key agreement protocol

  15. Cryptanalysis of the tripartite key agreement protocol • Known-key attacks by insiders on TAK-3 : B : C : if the key established in the new session computed by C is known to E

  16. Cryptanalysis of the tripartite key agreement protocol • Unknown key-share attack on TAK-1 : adversaries First, the adversaries select a random , compute , ,and , and get them as their long-term public keys obtaining their certificates , , A : B : C :

  17. Conclusion Security attributes offered by Al-Riyami–Paterson’s tripartite Protocol

              K-CI   K-KS   UK-S
      TAK-1   No     No     No
      TAK-2   No     No     Yes
      TAK-3   No     No     Yes
      TAK-4   No     Yes    Yes
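The one-round Joux exchange reviewed on slides 4 and 5, as an added example that is not from the slides or the paper: it checks the admissible-pairing properties and shows A, B and C deriving the same key from the broadcasts aP, bP, cP. Assumptions: the pairing is a constructed toy model (G1 is the integers mod Q under addition, so it gives no security), and all names and parameters are hypothetical.

```python
import secrets

# Constructed toy parameters: P_MOD = 2*Q + 1, both prime; G has order Q in Z_p^*.
Q, P_MOD, G = 1019, 2039, 4
P = 1  # generator of G1 = (Z_Q, +): the element xP is stored as x mod Q

def scalar_mul(k, point):
    """k * point in the additive group G1."""
    return (k * point) % Q

def pairing(u, v):
    """Toy admissible pairing e(xP, yP) = G^(xy) in the order-Q subgroup G2."""
    return pow(G, (u * v) % Q, P_MOD)

def pairing_is_admissible(trials=200):
    """Spot-check bilinearity and non-degeneracy as defined on slide 4."""
    for _ in range(trials):
        a, b = secrets.randbelow(Q), secrets.randbelow(Q)
        x, y = secrets.randbelow(Q), secrets.randbelow(Q)
        lhs = pairing(scalar_mul(a, x), scalar_mul(b, y))
        if lhs != pow(pairing(x, y), (a * b) % Q, P_MOD):
            return False
    return pairing(P, P) != 1

def joux_round(a, b, c):
    """One broadcast round; returns the messages and each party's key."""
    aP, bP, cP = scalar_mul(a, P), scalar_mul(b, P), scalar_mul(c, P)
    k_a = pow(pairing(bP, cP), a, P_MOD)  # A applies its own a to B's and C's messages
    k_b = pow(pairing(aP, cP), b, P_MOD)
    k_c = pow(pairing(aP, bP), c, P_MOD)
    return (aP, bP, cP), (k_a, k_b, k_c)

def fresh_secret():
    """Short-term secret chosen uniformly from 1..Q-1."""
    return secrets.randbelow(Q - 1) + 1

if __name__ == "__main__":
    msgs, keys = joux_round(fresh_secret(), fresh_secret(), fresh_secret())
    print("broadcasts:", msgs)
    print("keys agree:", len(set(keys)) == 1)
```

Nothing in the three broadcasts binds a value to its sender, which is the gap the TAK variants try to close by mixing in certified long-term keys.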
