
[IEEE 2009 International Conference on Management and Service Science (MASS) - Beijing, China (2009.09.20-2009.09.22)] 2009 International Conference on Management and Service Science

An Efficient Certificateless Authenticated Tripartite Key Agreement Protocol

Gao Meng, Zhang Futai and Geng Manman
School of Computer Science and Technology, Nanjing Normal University, P. R. China
[email protected] [email protected] [email protected]

Abstract— The key agreement protocol is an important primitive tool for establishing shared session keys among partners that communicate over open public networks. In this paper we present the first certificateless authenticated tripartite key agreement protocol which realizes the authentication by using a provably secure signature scheme [7]. The discussion of our protocol shows that it has achieved all necessary security attributes.

Keywords: certificateless public key cryptography, tripartite key agreement protocols, bilinear map.

Ⅰ. Introduction

A tripartite key agreement protocol is the mechanism by which three entities that communicate over open networks obtain a shared secret (a session key), which is then used to create a confidential communication channel among them for security purposes such as confidentiality and data integrity. An authenticated tripartite key agreement protocol assures all three participants that no other entity can learn any useful information about the agreed session key. In the study of key agreement protocols, the three-party (tripartite) case is the most practical one, because it is the most common size of electronic conferences and it can also be used to offer services for two-party communications such as refereeing a conversation and data escrow.

One of the most exciting developments in the area of tripartite key agreement protocols is Joux's [1] one-round tripartite key agreement protocol. Its security is based on the difficulty of the bilinear computational Diffie-Hellman problem (BCDH). But in practical applications the protocol is vulnerable to a man-in-the-middle attack due to its lack of any authentication mechanism. Since then, many authenticated tripartite key agreement protocols have appeared. To realize key authentication, some of them [2, 3, 11] use traditional public key cryptography supported by public key infrastructures (PKIs), while others [5, 6, 8, 14] employ ID-based public key cryptography without certificates.

Al-Riyami and Paterson [13] gave four key agreement protocols (TAK-1, TAK-2, TAK-3, TAK-4) which share the same message exchange. The security properties of their protocols are studied using provable security methods and heuristic approaches. As shown by Shim in [15], TAK-3 is vulnerable to the man-in-the-middle attack. He also discussed the security properties of the other protocols, but we think that his key-compromise impersonation attack on TAK-4 is not a real attack, because the adversary cannot compute the final agreed session key.

The concept of certificateless public key cryptography (CL-PKC) was proposed by Al-Riyami and Paterson [12]; it avoids the inherent key escrow problem of identity-based public key cryptography (ID-PKC) and yet requires no certificates to guarantee the authenticity of users' public keys. After that, some two-party and group certificateless key agreement protocols appeared. In this paper we turn the TAK-4 protocol into a certificateless authenticated tripartite key agreement protocol in which each participant only needs to compute four pairings to derive the final session key.

The rest of this paper is organized as follows. In section 2 we give the underlying definitions, including the security attributes required of an authenticated key agreement protocol. Our protocol is presented in section 3. In section 4 we show that our protocol achieves all the security attributes described in section 2. Our conclusion is given in section 5.

Ⅱ. Preliminaries

A. Bilinear map

Let G1 be an additive group of prime order q with a generator P and G2 be a multiplicative group with the same order q. A pairing e is a function e: G1×G1→G2 that satisfies the properties below.

(1) Bilinear: e(aP, bQ) = e(P, Q)^ab for all P, Q∈G1, a, b∈Zq*.

(2) Non-degeneracy: There exist P, Q∈G1 such that e(P, Q) ≠ 1.

(3) Computability: There exists an efficient algorithm to compute e(P, Q) for all P, Q∈G1.

978-1-4244-4639-1/09/$25.00 ©2009 IEEE


B. Diffie-Hellman problems

The security of our protocol is based on a set of hard problems defined below. In the following definitions G is an additive group of prime order q with a generator P.

Discrete Logarithm Problem (DLP). Given Q∈G, find an element a∈Zq* such that aP = Q.

Computational Diffie-Hellman Problem (CDH). Given P, aP, bP∈G where a, b are randomly selected from Zq*, compute abP.

Bilinear Computational Diffie-Hellman Problem (BCDH). Let G1 and G2 be additive and multiplicative groups of prime order q respectively. Let P be a generator of G1 and e: G1×G1→G2 be a pairing. The bilinear computational Diffie-Hellman problem in (G1, G2, e) is: given P, aP, bP, cP∈G1 where a, b, c are randomly selected from Zq*, compute e(P, P)^abc∈G2.

As the foundation of the security of our key agreement protocol, we assume that the DLP in both G1 and G2, the CDH problem in G1 and the BCDH problem in (G1, G2, e) are intractable.

C. Security attributes

In recent years, several security attributes required of authenticated key agreement protocols have been identified in [1, 3, 8]. We briefly explain these security attributes as follows.

- Known session key security. Knowledge of some previously agreed session keys will not allow an adversary to compromise other previous session keys or future session keys.

- (Perfect) forward secrecy. A protocol has forward secrecy if the compromise of one or more entities’ long term private keys does not lead to the exposure of previously agreed session keys in the presence of a passive (benign) adversary. We say that the protocol has the security attribute of perfect forward secrecy if the compromise of all participants’ long term private keys will not lead to the exposure of previously agreed session keys in the presence of a passive (benign) adversary.

- Key-compromise impersonation security. The compromise of an entity A's long-term private key will certainly allow an adversary to impersonate A to other entities. But it should not allow an adversary to impersonate other entities to A in a protocol run and obtain a session key with A.

- Unknown key-share security. If an adversary can convince a group of entities that they share a session key with a participant other than the one intended, the protocol suffers from an unknown key-share attack. The protocol has unknown key-share security if this attack does not work.

- No key control. No participant involved in a protocol run could control the outcome of the session key more than others.

Ⅲ. The certificateless tripartite key agreement protocol

A. The signature algorithm in [7]

In our protocol we use a certificateless signature system to provide key authentication. The signature system consists of five steps: setup, partial-private key extraction, set-secret-value, sign and verify.

Setup: Given a security parameter l, the KGC chooses a cyclic additive group G1 generated by P with prime order q, a cyclic multiplicative group G2 of the same order and a bilinear map e: G1×G1→G2. The KGC also chooses a random s∈Zq* as the master-key and sets P0 = sP as its public key, and chooses cryptographic hash functions H1: {0, 1}*→G1, H2: {0, 1}*→Zq*, H3: {0, 1}*→Zq*. The system parameters are (G1, G2, e, P, P0, H1, H2, H3).

Partial-Private Key Extraction: Given the system parameters, the master-key s and a user’s identity IDi∈{0, 1}* as input, it generates the partial private key for the user as follows.

1) Compute Qi = H1(IDi||P).

2) Output the partial private key Di = sQi.

Set-Secret-Value: This algorithm takes as input the system parameters and a user's identity IDi. It then selects a random xi∈Zq* and outputs xi as the user's secret value.

Set-Public-Key: This algorithm accepts the system parameters, a user's identity IDi and secret value xi∈Zq* as input. It produces the user's public key Pi = xiP.

Sign: To sign a message M the signer, with identity IDi and the corresponding public key Pi using his partial private key Di and the secret value xi, performs the following steps.

1) Choose a random element r∈Zq* and compute R = rP.

2) Compute u = H2(R||Pi||M), v = H3(R||Pi||M).

3) Compute V = (uxi + r)Qi + vDi.

4) Output σ = (R, V) as the signature on M.

Verify: To verify a signature σ of an identity IDi with public key Pi on a message M, the verifier performs the following steps.

1) Compute Qi = H1(IDi||P), u = H2(R||Pi||M), v = H3(R||Pi||M).

2) If the equation e(V, P) = e(uPi + vP0 + R, Qi) holds, output true. Otherwise, output ⊥.


B. The certificateless tripartite key agreement protocol.

In this section we will give the tripartite key agreement protocol which consists of three algorithms: setup, public/private key pair extraction and key agreement.

Setup: Given a security parameter l, the KGC chooses a cyclic additive group G1 generated by P with prime order q, a cyclic multiplicative group G2 of the same order and a bilinear map e: G1×G1→G2. The KGC also chooses a random s∈Zq* as the master-key and sets P0 = sP as its public key, and chooses cryptographic hash functions H1: {0, 1}*→G1, H2: {0, 1}*→Zq*, H3: {0, 1}*→Zq* and H: G2×G1^3→{0, 1}^l. The system parameters are (G1, G2, e, P, P0, H1, H2, H3, H).

Public/Private Key Pair Extraction: Given an entity Ui with identity IDi∈{0, 1}*, the long-term public and private key pair will be generated as follows:

(1) Ui randomly selects a secret value xi ∈R Zq*.

(2) The KGC generates Ui’s partial private key Di = sQi where Qi = H1(IDi)∈G1. Ui may verify that e(Qi, P0) = e(Di, P) to check the validity of Di.

(3) Ui’s full private key is Si = <Di, xi>. Ui’s public key is Pi = xiP.

Key Agreement: We suppose that three entities A, B and C want to agree on a shared session key. They randomly select x, y, z ∈R Zq* as their secret values respectively and obtain their public/private key pairs (SA = <DA, x>, PA = xP), (SB = <DB, y>, PB = yP), (SC = <DC, z>, PC = zP) as described above. After that A, B and C select random short-term session-specific elements a, b, c∈Zq* and compute TA = aP, TB = bP, TC = cP respectively.

The entity A selects rA ∈R Zq* and computes RA = rAP, uA = H2(RA, PA, TA, time1, IDA, IDB, IDC), vA = H3(RA, PA, TA, time1, IDA, IDB, IDC), VA = (uAx + rA)QA + vADA. Time1 is the timestamp when the entity A signs the message.

The entity B selects rB ∈R Zq* and computes RB = rBP, uB = H2(RB, PB, TB, time2, IDA, IDB, IDC), vB = H3(RB, PB, TB, time2, IDA, IDB, IDC), VB = (uBy + rB)QB + vBDB. Time2 is the timestamp when the entity B signs the message.

The entity C selects rC ∈R Zq* and computes RC = rCP, uC = H2(RC, PC, TC, time3, IDA, IDB, IDC), vC = H3(RC, PC, TC, time3, IDA, IDB, IDC), VC = (uCz + rC)QC + vCDC. Time3 is the timestamp when the entity C signs the message.

Then they exchange messages as follows.

(1) A → B, C: TA, RA, VA, PA, time1.

(2) B → A, C: TB, RB, VB, PB, time2.

(3) C → A, B: TC, RC, VC, PC, time3.

The entity A checks whether

$e(P, V_B + V_C) = e(Q_B, R_B + u_B P_B + v_B P_0) \cdot e(Q_C, R_C + u_C P_C + v_C P_0)$

and the timestamps time2 and time3 are acceptable. If no check fails, he will compute

$K_A = e\big(H_2(P_B \| T_B) P_B + T_B,\; H_2(P_C \| T_C) P_C + T_C\big)^{\,x H_2(P_A \| T_A) + a}$.

The entity B checks whether

$e(P, V_A + V_C) = e(Q_A, R_A + u_A P_A + v_A P_0) \cdot e(Q_C, R_C + u_C P_C + v_C P_0)$

and the timestamps time1 and time3 are acceptable. If no check fails, he will compute

$K_B = e\big(H_2(P_A \| T_A) P_A + T_A,\; H_2(P_C \| T_C) P_C + T_C\big)^{\,y H_2(P_B \| T_B) + b}$.

The entity C checks whether

$e(P, V_A + V_B) = e(Q_A, R_A + u_A P_A + v_A P_0) \cdot e(Q_B, R_B + u_B P_B + v_B P_0)$

and the timestamps time1 and time2 are acceptable. If no check fails, he will compute

$K_C = e\big(H_2(P_A \| T_A) P_A + T_A,\; H_2(P_B \| T_B) P_B + T_B\big)^{\,z H_2(P_C \| T_C) + c}$.

By bilinearity,

$K = K_A = K_B = K_C = e(P, P)^{(x H_2(P_A \| T_A) + a)(y H_2(P_B \| T_B) + b)(z H_2(P_C \| T_C) + c)}$.

As a result, they will get the final agreed session key KABC = H(K||QA||QB||QC).
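To check the algebra of the signature of section III.A and of the key agreement of section III.B, the following Python model is added here; it is not the authors' code. The pairing is replaced by a toy map in the exponent, e(aP, bP) = g^(ab) mod p for an element g of prime order q, which is bilinear and non-degenerate, so the batched verification equation and the equality K_A = K_B = K_C can be checked exactly; but every discrete logarithm is readable from the representation, so the model captures none of the protocol's security. SHA-256 with domain-separation tags stands in for H1, H2, H3 and H (an assumption; the paper only fixes their ranges), the identities, clock value and 30-second acceptance window are constructed values, and the modified-message and delayed-message runs illustrate the two checks each participant performs before deriving K_ABC.

```python
import hashlib
import secrets

def _is_prime(n):
    """Deterministic Miller-Rabin for n < 3.3e24 (these 12 bases suffice)."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    for b in bases:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def _params():
    """Toy groups: q = 2^61 - 1, p = kq + 1 prime, g of order q in Z_p^*."""
    q, k = (1 << 61) - 1, 2
    while not _is_prime(k * q + 1):
        k += 2
    p, h = k * q + 1, 2
    while pow(h, k, p) == 1:
        h += 1
    return p, q, pow(h, k, p)

P_MOD, Q, G2_GEN = _params()
P = 1   # generator of G1; the point aP is represented by the scalar a mod q

def e(a, b):
    """Toy pairing e(aP, bP) = g^(ab): bilinear and non-degenerate, but DL is trivial."""
    return pow(G2_GEN, a * b % Q, P_MOD)

def enc(n): return n.to_bytes(16, "big")          # fixed-width encoding for hashing

def _hash_to_zq(tag, *parts):
    h = hashlib.sha256(tag)
    for part in parts:
        h.update(len(part).to_bytes(4, "big") + part)
    return int.from_bytes(h.digest(), "big") % (Q - 1) + 1   # value in Z_q^*

def H1(*parts): return _hash_to_zq(b"H1", *parts)   # {0,1}* -> G1 (as a scalar of P)
def H2(*parts): return _hash_to_zq(b"H2", *parts)   # {0,1}* -> Z_q^*
def H3(*parts): return _hash_to_zq(b"H3", *parts)   # {0,1}* -> Z_q^*
def rand_zq(): return secrets.randbelow(Q - 1) + 1

class KGC:
    def __init__(self):
        self.s = rand_zq()                 # master key
        self.P0 = self.s * P % Q           # P0 = sP
    def partial_key(self, ident):
        return self.s * H1(ident) % Q      # D_i = s Q_i with Q_i = H1(ID_i)

class Entity:
    def __init__(self, ident, kgc):
        self.ident, self.P0 = ident, kgc.P0
        self.Q, self.D = H1(ident), kgc.partial_key(ident)
        assert e(self.Q, self.P0) == e(self.D, P)   # step (2): validity check of D_i
        self.x = rand_zq()                 # secret value x_i
        self.Pk = self.x * P % Q           # public key P_i = x_i P

    def send(self, a, ids, t):
        """Ephemeral T = aP plus the signature (R, V) of [7] over (R, P_i, T, t, IDs)."""
        T, r = a * P % Q, rand_zq()
        R = r * P % Q
        u = H2(enc(R), enc(self.Pk), enc(T), enc(t), *ids)
        v = H3(enc(R), enc(self.Pk), enc(T), enc(t), *ids)
        V = ((u * self.x + r) * self.Q + v * self.D) % Q
        return dict(T=T, R=R, V=V, Pk=self.Pk, t=t, id=self.ident)

    def receive(self, a, m1, m2, ids, now, window=30):
        """Batched verification of both peers, then K_ABC; None if any check fails."""
        if any(abs(now - m["t"]) > window for m in (m1, m2)):
            return None                    # timestamp not acceptable
        rhs = 1
        for m in (m1, m2):
            u = H2(enc(m["R"]), enc(m["Pk"]), enc(m["T"]), enc(m["t"]), *ids)
            v = H3(enc(m["R"]), enc(m["Pk"]), enc(m["T"]), enc(m["t"]), *ids)
            rhs = rhs * e(H1(m["id"]), (m["R"] + u * m["Pk"] + v * self.P0) % Q) % P_MOD
        if e(P, (m1["V"] + m2["V"]) % Q) != rhs:
            return None                    # e(P, V1 + V2) differs from the two-term product
        def blind(m):                      # H2(P_i || T_i) P_i + T_i
            return (H2(enc(m["Pk"]), enc(m["T"])) * m["Pk"] + m["T"]) % Q
        K = pow(e(blind(m1), blind(m2)),
                (self.x * H2(enc(self.Pk), enc(a * P % Q)) + a) % Q, P_MOD)
        return hashlib.sha256(enc(K) + b"".join(enc(H1(i)) for i in ids)).digest()

def run_session(tamper=False, delay=0):
    """One run; returns (keys_agree, A_accepted, B_accepted, C_accepted)."""
    kgc = KGC()
    A, B, C = (Entity(i, kgc) for i in (b"ID_A", b"ID_B", b"ID_C"))   # constructed IDs
    ids = (A.ident, B.ident, C.ident)
    a, b, c, now = rand_zq(), rand_zq(), rand_zq(), 1_700_000_000     # constructed clock
    mA, mB, mC = A.send(a, ids, now), B.send(b, ids, now - delay), C.send(c, ids, now)
    mB_to_A = dict(mB)
    if tamper:
        mB_to_A["T"] = (mB["T"] + 1) % Q   # T_B altered on the way to A only
    kA = A.receive(a, mB_to_A, mC, ids, now)
    kB = B.receive(b, mA, mC, ids, now)
    kC = C.receive(c, mA, mB, ids, now)
    return kA is not None and kA == kB == kC, kA is not None, kB is not None, kC is not None
```

`run_session()` returns all four flags true; with `tamper=True` only A rejects, since only A's copy of T_B no longer matches the signed (R_B, P_B, T_B, time2, IDs); with `delay=60` both A and C reject B's stale message while B, who received fresh messages, still accepts. The `blind` helper is the term H2(P_i||T_i)P_i + T_i from the K_A, K_B, K_C formulas; because each side raises the same two-peer pairing to its own exponent, the three keys coincide with e(P, P) raised to the product of the three blinded exponents, as the final equation of section III.B states.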

Ⅳ. Security analysis

In certificateless public key cryptography, adversaries are usually divided into two types. The Type I adversary does not know the KGC's master key s, but he can replace participants' public keys with values of his own choice. In other words, we assume that he knows the value of every participant's partial private key. The Type II adversary has access to the KGC's master key s, in other words he can compute every participant's partial private key D_ID, but he is forbidden to replace the target users' public keys. We will discuss the security of our protocol to show that it achieves all the security attributes described above.

- Known session key security. Each run of the protocol between A, B and C produces a unique session key based on the particular ephemeral elements a, b and c. Knowledge of some session keys will not allow an adversary to compute other previous or future session keys, because of the randomness of the elements a, b and c used in computing the session key and the difficulty of computing

$e(P, P)^{H_2(P_A \| T_A)\, H_2(P_B \| T_B)\, H_2(P_C \| T_C)\, abc}$

from P, aP, bP and cP, which is an instance of the BCDH problem in (G1, G2, e). So the protocol achieves the property of known key security.

- (Perfect) forward secrecy. We assume that the adversary E has learned A's private key <DA, x>, B's private key <DB, y> and C's private key <DC, z>. In order to extract a past session key, he must compute

$e(P, P)^{H_2(P_A \| T_A)\, H_2(P_B \| T_B)\, H_2(P_C \| T_C)\, abc}$

from P, aP, bP and cP without knowledge of a, b and c, which is exactly an instance of the BCDH problem in (G1, G2, e) that he is unable to solve. So the protocol achieves perfect forward secrecy.


- Key-compromise impersonation security. We suppose that the adversary E, who has learned the entity A's private key <DA, x>, tries to impersonate B or C to A in a protocol run in order to obtain a session key. If E is a Type I adversary, he cannot forge a valid signature on a message rEP where rE is chosen by E himself, due to the existential unforgeability of the signature scheme used in the protocol. The timestamps and identities in the signed messages prevent him from running a replay attack, so he cannot simulate the entity B or C to the entity A. If E is a Type II adversary, he cannot compute e(P, P)^xyz from P, xP, yP and zP without knowledge of x, y and z, because of the difficulty of the BCDH problem in (G1, G2, e). So our protocol achieves key-compromise impersonation security.

- Unknown key-share security. Our protocol prevents the potential unknown key-share attack through the use of the involved participants' identities (QA, QB and QC) in the key derivation function.

- No key control. Key generation in our protocol is role symmetric, and each run of the protocol produces a distinct session key because of the randomness of a, b and c. None of the participants can control the final session key if a, b and c are chosen uniformly at random. As shown in [4], the participant who has already seen the messages from the other two participants may be able to control a few bits of the final session key, but he cannot control the whole value of the final session key because of the limits on his time and computing ability. So in our protocol, messages should not be accepted if they have been delayed for too long.

Ⅴ. Conclusion

We have presented the first certificateless authenticated tripartite key agreement protocol which realizes key authentication by using a secure signature algorithm. Our protocol is efficient, because each participant only needs to compute four pairings before obtaining the final session key. The proposed protocol has been shown to achieve all the necessary security attributes, so that it can be securely put into use for applications such as data escrow.

REFERENCES

[1] A. Joux, A One-round Protocol for Tripartite Diffie-Hellman. In: Bosma, W. (ed.) Algorithmic Number Theory. LNCS, vol. 1838, pp. 385–394. Springer, Heidelberg (2000).

[2] Cheng Zhaohui, Vasiu Luminita and Comley Richard, Pairing-based One-round Tripartite Key Agreement Protocols, Cryptology ePrint Archive: Report (079) (2004), http://eprint.iacr.org/2004/079.pdf.

[3] Chien Hung-Yu and Lin Ru-Yu, An Improved Tripartite Authenticated Key Agreement Protocol Based on Weil Pairing. International Journal of Applied Science and Engineering, 3.1, pp. 13–18 (2005).

[4] C.J. Mitchell, M. Ward, P. Wilson, Key control in key agreement protocols, Electronics Letters 34, pp. 980–981 (1998).

[5] D. Nalla, ID-based Tripartite Key Agreement with Signatures, Cryptology ePrint Archive: Report (144) (2003), http://eprint.iacr.org/2003/144.pdf.

[6] D. Nalla, K. C. Reddy, ID-based Tripartite Authenticated Key Agreement Protocols from Pairings, Cryptology ePrint Archive: Report (004) (2003), http://eprint.iacr.org/2003/004.pdf.

[7] Lei Zhang, Futai Zhang, A New Provably Secure Certificateless Signature Scheme, ICC 2008, pp. 1685–1689.

[8] Lim Meng-Hui, Lee Sanggon and Moon Sangjae, Cryptanalysis of Tso et al.'s ID-Based Tripartite Authenticated Key Agreement Protocol. Lecture Notes in Computer Science, pp. 64–76, 2007.

[9] S.B. Wilson and A. Menezes, Authenticated Diffie-Hellman Key Agreement Protocols. In: Tavares, S., Meijer, H. (eds.) SAC 1998. LNCS, vol. 1556, pp. 339–361. Springer, Heidelberg (1999).

[10] S.B. Wilson, D. Johnson and A. Menezes, Key Agreement Protocols and Their Security Analysis. In: Darnell, M. (ed.) Cryptography and Coding. LNCS, vol. 1355, pp. 339–361. Springer, Heidelberg (1997).

[11] Shim Kyungah, Efficient One-round Tripartite Authenticated Key Agreement Protocol from Weil Pairing. Electronics Letters 39(2), pp. 208–209 (2003).

[12] S.S. Al-Riyami and K. Paterson, Certificateless Public Key Cryptography. In: Laih, C.-S. (ed.) ASIACRYPT 2003. LNCS, vol. 2894, pp. 452–473. Springer, Heidelberg (2003).

[13] S.S. Al-Riyami and K.G. Paterson, Tripartite Authenticated Key Agreement Protocols from Pairings, Cryptology ePrint Archive: Report (035) (2002), http://eprint.iacr.org/2002/035.pdf.

[14] Zhang Fangguo, Liu Shengli and Kim Kwangjo, ID-based One Round Authenticated Tripartite Key Agreement Protocol with Pairings, Cryptology ePrint Archive: Report (122) (2002), http://eprint.iacr.org/2002/122.pdf.

[15] Kyungah Shim, Cryptanalysis of Al-Riyami-Paterson's Authenticated Three Party Key Agreement Protocols, Cryptology ePrint Archive: Report (122) (2003), http://eprint.iacr.org/2003/122.