ID-based Authenticated Key Exchange for Low-Power Mobile Devices
K. Y. Choi, J. Y. Hwang, D. H. Lee
CIST, Korea University
Key Exchange
• Two or more users can share a session key
ID-based System
• General PKI system: Bob has to obtain Alice's public key as an opaque value such as 6DFF12DA27 4855BFC29DE399395A....
• ID-based system: Alice's public key is her identity, Alice@company.com, which Bob can use directly
Bilinear Map
• Assume
  • G1, G2 are two groups of the same order q
  • DLP is hard in both G1 and G2
• Bilinear map e : G1 × G1 → G2
• Admissible bilinear map
  • Bilinearity: e(aP, bQ) = e(P, Q)^ab
  • Non-degeneracy: there exists P ∈ G1 such that e(P, P) ≠ 1
  • Computability: there is an efficient algorithm to compute e(P, Q)
Assumptions (1)
• Computational Diffie-Hellman (CDH) Problem: given (P, aP, bP) for some a, b ∈ Zq*, compute abP
• Inverse Computational DH (ICDH) Problem: given (P, aP) for some a ∈ Zq*, compute a^-1 P
• Modified Inverse Computational DH (mICDH) Problem: given (b, P, aP) for some a, b ∈ Zq*, compute (a + b)^-1 P
• CDH ⇔ ICDH ⇔ mICDH
Assumptions (2)
• Bilinear Diffie-Hellman (BDH) Problem: given (P, aP, bP, cP) for some a, b, c ∈ Zq* => Compute
• Bilinear Inverse DH (BIDH) Problem: given (P, aP, cP) for some a, c ∈ Zq* => Compute
• Modified Bilinear Inverse DH (mBIDH) Problem: given (b, P, aP, cP) for some a, b, c ∈ Zq* => Compute
• BDH ⇔ BIDH ⇔ mBIDH
Definitions
• Collusion Attack Algorithm with k traitors (k-CAA): given P, sP and h1, h2, …, hk ∈ Zq*, (s + h1)^-1 P, (s + h2)^-1 P, …, (s + hk)^-1 P, compute (s + h)^-1 P for some h ∈ Zq* with h ∉ {h1, …, hk}
• Modified BIDH with k values (k-mBIDH): given P, sP, tP and h, h1, h2, …, hk ∈ Zq*, (s + h1)^-1 P, (s + h2)^-1 P, …, (s + hk)^-1 P => Compute
Previous Protocols
• Previous ID-based authenticated key exchanges
  • Smart's protocol (2002)
  • McCullagh's protocol (2005)
Our Result
• Our protocol is an ID-based authenticated key exchange (AKE) protocol between a client and a server.
• We remove the costly bilinear map (pairing) operation from the client side.
• Using off-line precomputation, the client computes only hashing and scalar multiplication of elliptic-curve points during the on-line phase.
• Thus, our protocol is well suited to unbalanced computing environments.
Proposed Protocol ID-AKE (1)
• Setup
  • KGC (Key Generation Center) selects a master secret key s, generates P and computes Ppub = sP, g = e(P, P)
  • Cryptographic hash functions
    H : {0,1}* → Zq*
    H1 : G2 → Zq*
    H2 : {0,1}* → {0,1}^t (t: security parameter)
    H3 : {0,1}* → {0,1}^k (k: bit length of a session key)
  • KGC publishes params = {e, G1, G2, q, P, Ppub, g, H, H1, H2, H3}
Proposed Protocol ID-AKE (2)
• Extract (KGC sends SID to the user ID over a secure channel)
  • qID = H(ID)
  • Secret key: SID = (s + qID)^-1 P
  • Public information of user ID: QID = Ppub + qID P = (s + qID) P
  • Check: e(QID, SID) = e(P, P) = g
• The security of the secret key is based on the intractability of the mICDH problem.
• We assume that the mICDH problem in G1 is intractable.
Proposed Protocol ID-AKE (3)
U (client) holds P, Ppub, g, [IDU, SU]; V (server) holds P, Ppub, [IDV, SV]
• U: qV = H(IDV), a ← Zq*, QV = Ppub + qV P, tU = g^a, h = H1(tU), X = aQV, Y = (a + h) SU
• U → V: IDU, (X, Y)
• V: qU = H(IDU), QU = Ppub + qU P, tU = e(X, SV), c = e(Y, QU), h = H1(tU), check c =? tU · g^h
• V: tV ← Zq*, z = H2(tU, tV, X, Y, IDU, IDV)
• V → U: z, tV
• U: z' = H2(tU, tV, X, Y, IDU, IDV), check z' =? z
• Both sides: sk = H3(tU, tV, X, Y, IDU, IDV)
Security Analysis
• The ID-AKE protocol provides half forward secrecy.
• The security of the ID-AKE protocol is based on the intractability of the k-CAA and k-mBIDH problems.
• Why the k-CAA and k-mBIDH problems?
Security Analysis (2)
• System params = {e, G1, G2, q, P, Ppub, g = e(P, P)}
• ID-AKE attacker A interacts with simulator B
• H-query (ID): B chooses a random qID in Zq* and returns qID; A can then compute QID = Ppub + qID P = (s + qID) P
• Extract (or Corrupt) query (ID): B must compute and return SID = (s + qID)^-1 P, which satisfies e(QID, SID) = e(P, P) = g
ID-AKE of Distinct Domains (1)
• Extract
  • KGC1 (client's domain): master secret key s, params = {e, G1, G2, q, P, Ppub = sP}
  • KGC2 (server's domain): master secret key s', params' = {e, G1, G2, q, P, P'pub = s'P}
  • Client U: qU = H(IDU), private key SU = (s + qU)^-1 P
  • Server V: qV = H(IDV), private key SV = (s' + qV)^-1 P
ID-AKE of Distinct Domains (2)
U (client) holds P, Ppub, g, [IDU, SU]; V (server) holds P, P'pub, [IDV, SV]
• U: a ← Zq*, qV = H(IDV), QV = P'pub + qV P, tU = g^a, h = H1(tU), X = aQV, Y = (a + h) SU
• U → V: IDU, (X, Y)
• V: qU = H(IDU), QU = Ppub + qU P, tU = e(X, SV), c = e(Y, QU), h = H1(tU), check c =? tU · g^h
• V: tV ← Zq*, z = H2(tU, tV, X, Y, IDU, IDV)
• V → U: z, tV
• U: z' = H2(tU, tV, X, Y, IDU, IDV), check z' =? z
• Both sides: sk = H3(tU, tV, X, Y, IDU, IDV)
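The exchange above, as an added example that is not the authors' code, covering both the single-KGC run of ID-AKE (3) and the distinct-domain variant (each party passes the other KGC's Ppub). It assumes a constructed toy bilinear map: G1 is Z_q written additively with P = 1, G2 is the order-q subgroup of Z_p* generated by g, and e(xP, yP) = g^(xy) mod p; DLP is trivial in these groups, so the code checks only the protocol algebra (both sides derive the same sk, and a tampered Y fails the c = tU · g^h check).

```python
# Added example (not the paper's code): the ID-AKE run above, on a toy bilinear map.
# Assumed toy groups: G1 = Z_q (additive, P = 1), G2 = order-q subgroup of Z_p* with
# generator g, e(xP, yP) = g^(xy) mod p. DLP here is trivial: this checks algebra only.
import hashlib, secrets

def is_prime(n):
    return n > 1 and all(n % i for i in range(2, int(n ** 0.5) + 1))

def groups():          # shared toy params: q | p-1, g of order q in Z_p*
    q = next(n for n in range(10**6, 10**7) if is_prime(n))
    p = next(k * q + 1 for k in range(2, 10**6) if is_prime(k * q + 1))
    g = next(x for x in (pow(h, (p - 1) // q, p) for h in range(2, p)) if x != 1)
    return {"q": q, "p": p, "g": g}

def e(gr, x, y):       # toy pairing e(xP, yP) = g^(xy)
    return pow(gr["g"], (x * y) % gr["q"], gr["p"])
def H(gr, data):       # H : {0,1}* -> Zq*
    return 1 + int.from_bytes(hashlib.sha256(data).digest(), "big") % (gr["q"] - 1)
def H1(gr, t):         # H1 : G2 -> Zq*
    return H(gr, b"H1" + str(t).encode())
def Hx(tag, *parts):   # H2 and H3 with 256-bit output
    return hashlib.sha256(tag + b"|".join(str(v).encode() for v in parts)).digest()

def kgc(gr):           # one KGC: master key s, Ppub = sP (here just s)
    s = 1 + secrets.randbelow(gr["q"] - 1)
    return {"s": s, "Ppub": s}
def extract(gr, k, ident):                      # S_ID = (s + H(ID))^-1 P
    return pow(k["s"] + H(gr, ident), -1, gr["q"])

def client_start(gr, ppub_v, id_u, s_u, id_v):  # U on-line: hashes and scalar mults only
    q, a = gr["q"], 1 + secrets.randbelow(gr["q"] - 1)
    t_u = pow(gr["g"], a, gr["p"])              # t_U = g^a (precomputable off-line)
    x = a * (ppub_v + H(gr, id_v)) % q          # X = a Q_V, Q_V = P'pub + q_V P
    y = (a + H1(gr, t_u)) * s_u % q             # Y = (a + h) S_U, h = H1(t_U)
    return (id_u, x, y), t_u

def server_respond(gr, ppub_u, id_v, s_v, msg): # V: two pairings and the check
    id_u, x, y = msg
    t_u, c = e(gr, x, s_v), e(gr, y, ppub_u + H(gr, id_u))  # e(X, S_V), e(Y, Q_U)
    if c != t_u * pow(gr["g"], H1(gr, t_u), gr["p"]) % gr["p"]:
        raise ValueError("c != t_U * g^h: U not authenticated")
    t_v = 1 + secrets.randbelow(gr["q"] - 1)
    z = Hx(b"H2", t_u, t_v, x, y, id_u, id_v)
    return (z, t_v), Hx(b"H3", t_u, t_v, x, y, id_u, id_v)

def client_finish(t_u, msg, reply, id_v):
    (id_u, x, y), (z, t_v) = msg, reply
    if Hx(b"H2", t_u, t_v, x, y, id_u, id_v) != z:        # z' != z
        raise ValueError("V not authenticated")
    return Hx(b"H3", t_u, t_v, x, y, id_u, id_v)
```

Calling kgc() twice and handing each side the other KGC's Ppub runs the distinct-domain variant; handing both sides the same KGC runs ID-AKE (3).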
Comparison
• M: scalar multiplication in G1
• P: pairing (bilinear map) operation
• Ex: small modular exponentiation
• MB 05: CT-RSA 2005 (McCullagh and Barreto)
Conclusion
• We proposed an efficient ID-AKE protocol suitable for low-power mobile devices.
• The ID-AKE protocol can easily be applied across different KGCs.
• Our protocol can also be extended to a group AKE protocol.