Research Proposal
Security Key Establishment
Ang Yang
Supervisor: Kim-Kwang Raymond Choo
Abstract. Secure key establishment concerns the security of messages transferred over a public channel. This proposal describes the process and duties of the honours minor thesis. The research target is proving and designing secure key exchange protocols. We have finished the security proof of the SM2 algorithm key exchange protocol and will focus on designing and improving other protocols. The proposal presents a methodology involving critical analysis of published protocols, protocol design and mathematical proof.
Keywords: Cryptography, Key, Protocol, Random Oracle Model.
Table of Contents
Abstract
Table of Contents
1 Introduction
1.1 Research Question
1.2 Research Aims
1.3 Field of Thesis
2 Literature Review
2.1 Number Theory for Computing
2.2 SM2 Algorithm Key Exchange Protocol
2.3 GPAKE Protocol
3 Background Materials
3.1 Mathematics Background Materials
3.2 Cryptography Background Materials
3.3 Random Oracle Model
3.3.1 Bellare-Rogaway Model
3.3.2 Abdalla RoR Model
4 Research Methodology
4.1 Critical Analysis of Published Protocols
4.2 Design Protocol
4.3 Mathematical Proofs
5 Draft Thesis Table of Contents
6 Research Schedule
7 Glossary
References
1 Introduction
Key establishment is defined to be any process whereby a shared secret key becomes available to two or more parties for subsequent cryptographic use.
It is generally regarded that the design of secure key exchange protocols is notoriously hard, and that conducting security analysis for such protocols is time-consuming and error-prone. In the provable security paradigm for protocols, a deductive reasoning process is adopted whereby emphasis is placed on a proven reduction from the problem of breaking the protocol to another problem believed to be hard.
Proofs are invaluable for arguing about security and are certainly one very important tool in getting protocols right. Moreover, having a security proof allows a protocol designer to formally state the desirable properties/goals that a protocol offers. My proposal focuses on proving the security of a new key exchange protocol, building it on a strong algorithm, and improving the current protocol effectively, which affects the transfer of secret messages over a public channel.
This research will focus on proving the security of the current key exchange protocol and on designing a new key exchange protocol whose security is checked by mathematical proof. The research can prove the security of the current secure key exchange protocol and offer a new protocol that is more efficient than the current one.
The first chapter is the introduction, with the research question, research target and field of thesis. The second part is the literature review. The third part covers the mathematics background materials. The fourth part is the research methodology, which shows how the research is carried out through the comparison, design and proof processes. The fifth part is the draft thesis table of contents. The sixth part is the research schedule. The last part is a glossary explaining some technical terms.
– 1.1 Research Question
How do we design and prove secure key establishment protocols?
– 1.2 Research Aims
– To analyse published protocols in the literature, including protocols that carry heuristic security arguments and protocols that carry proofs of security.
– To design new provably secure key establishment protocols, which need to be as efficient in performance as the existing protocols.
– 1.3 Field of Thesis : Cryptography protocols.
2 Literature Review
The literature review of this research consists of mathematics associated with number theory for computing, the SM2 cryptographic algorithm key exchange protocol and the Gateway-Oriented Password-Based Authenticated Key Exchange Protocol (GPAKE).
– 2.1 Number Theory for Computing
Cryptography is a new research field for UniSA, so studying the foundational knowledge is the first step in starting in this field. Number theory for computing is the foundational mathematical knowledge associated with cryptography (Yan, 2000). All cryptographic algorithms, such as RSA, BDH and CDH, are based on computational number theory (Yan, 2000). Therefore, studying number theory for computing is the first step in doing research related to secure key exchange protocols.
– 2.2 SM2 Algorithm Key Exchange Protocol
In recent years, elliptic curve cryptography (ECC) has emerged as a promising branch of public-key cryptography due to its potential for offering similar security to established public-key cryptosystems at reduced key sizes. We observe an emerging trend in the use of identity-based cryptography, such as a large number of identity-based (ID-based) key agreement protocols based on pairings. One example protocol is the SM2 key exchange protocol, standardised by the Chinese Government State Cryptography Administration in December 2010 (Chinese Government State Cryptography Administration, 2010). The Chinese State Cryptography Administration published a report on adopting cryptographic systems associated with the SM2 algorithm from 1 July 2011, and published reports on the usage specification of the hash function (Standard Number: GM/T 0003-2012) and the usage specifications of the SM2 algorithm (Standard Numbers: GM/T 0009-2012, GM/T 0010-2012, GM/T 0015-2012) (Chinese Government State Cryptography Administration, 2010). Therefore, SM2 is the standard cryptographic algorithm in China; it replaces RSA and is now widely used in China, and all cryptographic equipment in China must now support SM2 (Chinese Government State Cryptography Administration & Chinese Government State Administration of Customs, 2010).
A 2005 survey by Boyd and Choo found that the purported security of many existing ID-based protocols is either based on heuristic security arguments or the protocols are proven secure in a restricted model, which highlighted the need for more rigorously tested identity-based protocols (Boyd & Choo, 2005). We observed that despite the wide usage of the SM2 protocol in Chinese commercial applications and electronics, it does not have a security proof. The goals of a protocol can be defined as the properties that the protocol is trying to achieve. As Boyd and Mathuria suggested, any attack on a protocol is only valid if it violates some property that the protocol was intended to achieve (Boyd & Mathuria, 2003). It is also important for protocol designers to identify at an early stage the desirable properties/goals that a protocol offers. Without doing so, attacks can be discovered long after a protocol is proposed/published, only to have the original protocol designer claim that the attacks are invalid, as the protocol was not intended to provide such assurances against the properties being exploited (Choo, 2009). In the case of the SM2 protocol, Xu and Feng claimed that the SM2 protocol is insecure in the Canetti–Krawczyk model (Xu and Feng, 2011).
– 2.3 Gateway-Oriented Password-Based Authenticated Key Exchange Protocol (GPAKE)
In 2005, Abdalla et al. published the GPAKE protocol and were the first to prove it in the random oracle model (Abdalla, 2005). However, Byun (2006) found that Abdalla's protocol is weak against an undetected online dictionary attack, which the gateway can neither resist nor detect. Byun therefore improved the protocol by adding a key establishment between server and client, which adds authentication to protect the password (Byun, 2006).
Shim (2008) found that Byun's protocol is also weak against a dictionary attack that the gateway cannot resist. Shim therefore improved the protocol by letting the client and server establish the session key using symmetric-key techniques, and named it S-GPAKE [10]. In the same year, Abdalla published a new GPAKE model and a security model using the Real-Or-Random definition for GPAKE protocols, which achieves forward security (Abdalla et al., 2008). In 2011, Wei (2011) published a GPAKE protocol based on RSA and proved it in the random oracle model and the standard model. Wei then published a GPAKE protocol based on the DDH assumption and proved it in the random oracle model in 2012 (Wei et al., 2012). In 2013, Chien (2013) improved Abdalla's and Byun's GPAKE protocols, proved the result in the standard model and showed that their protocol resists the undetected online dictionary attack; this is the newest GPAKE protocol at present and depends on the CDH assumption (Chien, 2013).
To conclude, this research focuses on proving the security of a recent protocol, the SM2 key exchange protocol published by the Chinese government. The SM2 algorithm is the newest cryptographic algorithm published by the Chinese government. It is based on the ECDLP assumption, which is the most difficult mathematical problem for keeping key establishment secure. The SM2 cryptographic algorithm and key exchange protocol have been adopted in China and will replace RSA in future (Chinese Government State Cryptography Administration & Chinese Government State Administration of Customs, 2010). Therefore, research related to the SM2 algorithm is very important to the cryptography field because it has been published and adopted in China. Currently, the security proof of the SM2 key exchange protocol has been finished.
Then we will focus on improving recent protocols such as GPAKE. GPAKE is an important protocol that can be used in real structures such as mobile networks and cloud computing. It is difficult to design a key establishment protocol for it due to its particular structure. It is a new protocol that can be used widely, so improving the GPAKE protocol is important research that may influence new information technology developments such as telecommunication networks and cloud computing (Wei et al., 2011; Wei et al., 2013).
3 Background Materials
– 3.1 Mathematics background materials
Secure key establishment is related to cryptography. Number theory for computing is the foundational knowledge behind cryptography (Choo, 2008). Therefore, mathematics background materials are a necessary part of key establishment. The mathematics background materials are as follows:
Table 1. Mathematics Background Materials (Choo, 2008)
Notation            Meaning
Principals          Denotes protocol participants or entities.
x ∈ {0, 1}^k        Denotes that x is randomly chosen from {0, 1}^k, where the superscript k symbolises the security parameter.
x||y                If x and y are strings, then x||y denotes their concatenation.
x =? y              If x and y are strings, x =? y denotes checking whether x = y.
Pr[·]               Denotes the probability that p() is true after ordered execution of the listed experiments.
⊕                   Denotes the bit-wise exclusive OR (XOR) operator.
– 3.2 Cryptography background materials
Cryptography has its own specific background materials as well. The cryptography background materials are as follows (Katz & Lindell, 2008):
Table 2. Cryptography Background Materials (Katz & Lindell, 2008)
Notation            Meaning
Principals          Denotes protocol participants or entities.
(Gen, Enc, Dec)     Stand for the key-generation, encryption and decryption algorithms.
PPT                 Stands for 'probabilistic polynomial time'.
negl(n)             Denotes a negligible function.
poly(n)             Denotes an arbitrary polynomial.
– 3.3 Random Oracle Model
Cryptography also has specific models for proving security in the random oracle model. The background materials associated with the random oracle model, and the proof models, are as follows:
∗ 3.3.1 Overview of the Bellare–Rogaway Model
In the model (Bellare & Rogaway, 1993; Bellare & Rogaway, 1995), the adversary A is defined to be a probabilistic machine that is in control of all the communications that take place between parties by interacting with a set of $\Pi^i_{U_1,U_2}$ oracles ($\Pi^i_{U_1,U_2}$ is defined to be the $i$th instantiation of a principal $U_1$ in a specific protocol run, and $U_2$ is the principal with whom $U_1$ wishes to establish a secret key). The predefined oracle queries are described informally as follows.
· The Send($U_1$, $U_2$, $i$, $m$) query allows A to send some message $m$ of her choice to a user at will. $\Pi^i_{U_1,U_2}$, upon receiving the query, will compute what the protocol specification demands and return to A the response message and/or decision. If $\Pi^i_{U_1,U_2}$ has either accepted with some session key or terminated, this will be made known to A.
· The Reveal($U$, $i$) query allows A to expose an old session key that has been previously accepted. $\Pi^i_U$, upon receiving this query, and if it has accepted and holds some session key, will send this session key back to A.
· The Corrupt($U$) query allows A to corrupt the principal $U$ at will, and thereby learn the complete internal state of the corrupted principal. This query can be used to model the real-world scenarios of an insider cooperating with the adversary or an insider who has been completely compromised by the adversary.
· The Test($U_1$, $U_2$, $i$) query is the only oracle query that does not correspond to any of A's abilities. If $\Pi^i_{U_1,U_2}$ has accepted with some session key and is asked a Test($U_1$, $U_2$, $i$) query, then depending on a randomly chosen bit $b$, A is given either the actual session key or a session key drawn randomly from the session key distribution.
Definition 1 (Partnership). Two oracles, $\Pi^i_{A,B}$ and $\Pi^j_{B,A}$, are partners if, and only if, both oracles have accepted the same session key with the same SID, have agreed on the same set of principals (i.e. the initiator and the responder of the protocol), and no other oracles besides $\Pi^i_{A,B}$ and $\Pi^j_{B,A}$ have accepted with the same SID (defined to be the concatenation of the message flows).
Definition 2 (Freshness). Oracle $\Pi^i_{A,B}$ is fresh (or holds a fresh session key) at the end of execution if, and only if, oracle $\Pi^i_{A,B}$ has accepted with or without a partner oracle $\Pi^j_{B,A}$, neither oracle $\Pi^i_{A,B}$ nor its partner oracle $\Pi^j_{B,A}$ (if such a partner oracle exists) has been sent a Reveal query, and the principals $A$ and $B$ of oracles $\Pi^i_{A,B}$ and $\Pi^j_{B,A}$ (if such a partner exists) have not been sent a Corrupt query.
The definition of security depends on the notions of partnership of oracles (see Definition 1) and freshness (see Definition 2), and is defined using the game $G$, played between a malicious adversary A and a collection of $\Pi^i_{U_x,U_y}$ oracles for players $U_x, U_y \in \{U_1, \ldots, U_{N_p}\}$ and instances $i \in \{1, \ldots, N_s\}$. A runs the game simulation $G$, whose setting is as follows.
· Stage 1: A is able to send any Send, Reveal, and Corrupt oracle queries at will in the game simulation $G$.
· Stage 2: At some point during G, A will choose a fresh session on which to be tested and send a Test query to the fresh oracle associated with the test session. Note that the test session chosen must be fresh. Depending on a randomly chosen bit b, A is given either the actual session key or a session key drawn randomly from the session key distribution.
· Stage 3: A continues making any Send, Reveal, and Corrupt oracle queries of its choice.
· Stage 4: Eventually, A terminates the game simulation and outputs a bit b′, which is its guess of the value of b.
The success of A in $G$ is measured in terms of A's advantage in distinguishing whether A receives the real key or a random value. A wins if, after asking a Test($U_1$, $U_2$, $i$) query, where $\Pi^i_{U_1,U_2}$ is fresh and has accepted, A's guess bit $b'$ equals the bit $b$ selected during the Test($U_1$, $U_2$, $i$) query. Let the advantage function of A be denoted by $Adv^A(k)$, where $Adv^A(k) = 2 \times \Pr[b = b'] - 1$.
Definition 3 (Security). A protocol is secure in the Bellare–Rogaway model if both the validity and indistinguishability requirements are satisfied:
1. Validity: When the protocol is run between two oracles in the absence of a malicious adversary, the two oracles accept the same key.
2. Indistinguishability: For all probabilistic polynomial-time (PPT) adversaries A, $Adv^A(k)$ is negligible.
∗ 3.3.2 Overview of the Abdalla ROR Model
I will adopt the Abdalla ROR model to prove the GPAKE protocol, because the Abdalla ROR model is the strongest security model for proving security results related to GPAKE protocols (Abdalla et al., 2005).
Comparing the Abdalla ROR model with the Find-Then-Guess (FTG) model (Abdalla et al., 2008): the ROR model has no Reveal query, but it allows A to make Test queries repeatedly (Abdalla et al., 2005), whereas the FTG model includes a Reveal query but allows A only a single Test query (Abdalla et al., 2008). Therefore, the Abdalla ROR (Real-Or-Random) model is stronger than the BPR model in its FTG form (Abdalla et al., 2008).
In the Abdalla ROR model, the adversary A is defined to be a probabilistic machine that is in control of all the communications that take place between parties by interacting with the following oracles. The predefined oracle queries are described informally as follows.
· Execute($C^i$, $G^j$): This query models passive eavesdropping on a protocol execution between a client instance $C^i$ and a gateway instance $G^j$. At the end of the execution, a transcript is given to the adversary, which logs everything an adversary could see during the execution.
· Send($U^i$, $m$): This query models an active attack against the client or gateway instance $U^i$, in which the adversary may intercept a message and then modify it, create a new one, or simply forward it to the intended recipient. Instance $U^i$ executes as specified by the protocol and sends back its response to the adversary.
· Test($U^i$): This query is used to measure the semantic security of the session key of instance $U^i$, if the latter is defined. If the key is not defined, it returns the undefined symbol. Otherwise, it returns either the session key held by instance $U^i$ if $b = 1$ or a random key of the same size if $b = 0$, where $b$ is a hidden bit chosen uniformly at random at the beginning of the experiment defining the semantic security of the session keys.
· TestPair($C^i$, $G^j$): This query is used to measure the key privacy of the session key established between the instances $C^i$ and $G^j$. If the client instance $C^i$ and the gateway instance $G^j$ do not share the same key, it returns the undefined symbol. Otherwise, it returns either the session key established between $C^i$ and $G^j$ if $b = 1$ or a random key of the same size if $b = 0$, where $b$ is a hidden bit chosen uniformly at random at the beginning of the experiment defining the key privacy of the session keys.
4 Research Methodology
∗ 4.1 Critical analysis of published protocols
Collect the cryptographic protocols associated with my research. Then I will compare the mathematical algorithms and assumptions, computational burden and security among the protocols to obtain superior results. Thirdly, I will analyse the associations among the results. The association regarding mathematical algorithms is filtering for algorithms with short calculation steps. The association regarding mathematical assumptions is comparing the security levels associated with the cryptographic assumptions. The association regarding computational burden is analysing whether the efficiency of the protocol running on a computer is suitable or not. The association regarding security is analysing the security levels of the different protocols. The target of this step is to gather enough material for the design step.
∗ 4.2 Design protocol
We should balance all the characteristics found in the first step to design the new protocol. The design process for the new protocol will depend on the real situation. For example, if the protocol is used for cloud computing, we should consider the computational burden of the server side and the client side. We may put more of the computational burden on the client side to keep the server running securely without collapsing.
∗ 4.3 Mathematical proofs
We will use different cryptographic proof models to prove whether or not a protocol is secure, based on mathematical theory. We will use the major models, such as the BP95 model and the Abdalla ROR model. I have finished the proof of the SM2 algorithm key exchange protocol in the BP95 model, which can serve as an example of the mathematical proof method. That paper is about the SM2 cryptographic algorithm key exchange protocol. We used mathematical methods to prove that the claimed attack on the SM2 key exchange protocol is wrong, and then proved the protocol secure in the random oracle model, namely the BP95 model.
Taking the SM2 key exchange protocol proof as an example, the validity of the mathematical proof method can be shown as follows:
1. A provably-secure SM2 key exchange protocol
The notations used in the protocol are as follows:
∗ $A, B$: Two SM2 protocol participants.
∗ $a, b$: $a, b \in \mathbb{F}_q$, the parameters of the elliptic curve $E$ over $\mathbb{F}_q$.
∗ $\mathbb{F}_q$: The prime field $\mathbb{F}$ with $q$ elements.
∗ $G$: The base point of the elliptic curve; the order of $G$ is a prime number.
∗ $h$: Co-factor, $h = \#E(\mathbb{F}_q)/n$, where $n$ is the order of $G$.
∗ $SK$: Private key.
∗ $PK$: Public key.
∗ $K$: Session key.
∗ $ID$: Identification. The length of $ID_A$ is $entlen_A$ bits.
∗ $KDF()$: Key derivation function.
∗ $H_v()$: Hash function with $v$-bit output.
∗ $\overline{SK}$: Temporary private key.
∗ $\overline{PK}$: Temporary public key.
∗ $klen$: The bit length of the key.
∗ $entlen$: The bit length of $ID$.
In the protocol, it is assumed that both clients A and B, with identities $Z_A$ and $Z_B$, have a pair of public/private keys, $(PK_A, SK_A \in [1, n-1])$ and $(PK_B, SK_B \in [1, n-1])$, respectively. The public parameters are $(E(\mathbb{F}_q), G, n, PK_A, PK_B, Z_A, Z_B)$. To establish a session key with B:
1. A runs the protocol as follows:
(a) Randomly selects $\overline{SK}_A \in [1, n-1]$ and computes $\overline{PK}_A = [\overline{SK}_A]G = (x_{\overline{PK}_A}, y_{\overline{PK}_A})$.
(b) Sends $\overline{PK}_A$ to B.
(c) Computes $t_A = (SK_A + x_A \cdot \overline{SK}_A) \bmod n$, where $x_A = 2^w + (x_{\overline{PK}_A} \,\&\, (2^w - 1))$ and $w = \lceil \lceil \log_2(n) \rceil / 2 \rceil - 1$.
2. Upon receiving the message $\overline{PK}_A$ from A, B performs the following:
(a) Randomly selects $\overline{SK}_B \in [1, n-1]$ and computes $\overline{PK}_B = [\overline{SK}_B]G = (x_{\overline{PK}_B}, y_{\overline{PK}_B})$.
(b) Computes $t_B = (SK_B + x_B \cdot \overline{SK}_B) \bmod n$, where $x_B = 2^w + (x_{\overline{PK}_B} \,\&\, (2^w - 1))$.
(c) Verifies that $\overline{PK}_A \in E$. If it holds, computes $O_{BA} = [h \cdot t_B](PK_A + [x_A]\overline{PK}_A) = (x_{O_{BA}}, y_{O_{BA}})$. Otherwise, terminates the protocol run and outputs an error message.
(d) Computes the session key $K_B = KDF(x_{O_{BA}} || y_{O_{BA}} || Z_A || Z_B, klen)$. (Optional for key confirmation: also computes $S_{B1} = H(0x02 || y_{O_{BA}} || H(x_{O_{BA}} || Z_A || Z_B || x_{\overline{PK}_A} || y_{\overline{PK}_A} || x_{\overline{PK}_B} || y_{\overline{PK}_B}))$.)
(e) Sends $\overline{PK}_B$ to A. (Optional for key confirmation: B also sends $S_{B1}$ to A.)
3. Upon receiving the message $\overline{PK}_B$ (and, optionally for key confirmation, $S_{B1}$) from B, A performs the following:
(a) Verifies that $\overline{PK}_B \in E$. If it holds, computes $O_{AB} = [h \cdot t_A](PK_B + [x_B]\overline{PK}_B) = (x_{O_{AB}}, y_{O_{AB}})$. Otherwise, terminates the protocol run and outputs an error message.
(b) (Optional for key confirmation) Verifies that $S_{B1} \stackrel{?}{=} S_{A1} = H(0x02 || y_{O_{AB}} || H(x_{O_{AB}} || Z_A || Z_B || x_{\overline{PK}_A} || y_{\overline{PK}_A} || x_{\overline{PK}_B} || y_{\overline{PK}_B}))$. If it returns true, then A is assured that B actually has possession of the session key. Otherwise, terminates the protocol run and outputs an error message.
(c) Computes the session key $K_A = KDF(x_{O_{AB}} || y_{O_{AB}} || Z_A || Z_B, klen)$. (Optional: computes $S_A = H(0x03 || y_{O_{AB}} || H(x_{O_{AB}} || Z_A || Z_B || x_{\overline{PK}_A} || y_{\overline{PK}_A} || x_{\overline{PK}_B} || y_{\overline{PK}_B}))$.)
(d) Sends $S_A$ to B.
4. (Optional for key confirmation) Upon receiving the message $S_A$, B verifies whether $S_A \stackrel{?}{=} S_B = H(0x03 || y_{O_{BA}} || H(x_{O_{BA}} || Z_A || Z_B || x_{\overline{PK}_A} || y_{\overline{PK}_A} || x_{\overline{PK}_B} || y_{\overline{PK}_B}))$. If the verification returns true, then B is assured that A actually has possession of the session key. Otherwise, B terminates the protocol run and outputs an error message.
Although session identifiers (SIDs) are not part of the original protocol specification, we include SIDs as a form of partnering mechanism. This allows the right session key to be identified in concurrent protocol executions. The SID for the SM2 protocol is the concatenation of the message flows. In other words, $SID_A = (\overline{PK}_A || \overline{PK}_B) = SID_B$ (or $SID_A = (\overline{PK}_A || \overline{PK}_B || S_{B1} || S_A) = SID_B$ with key confirmation). Note that the SID is made public upon protocol completion, and the security of the SM2 protocol does not hinge on the difficulty of predicting a valid SID. In other words, anyone (including the adversary) knows what a particular SID is.
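The four protocol steps above, run end to end on a small constructed curve, as an added example that is not part of the proposal or of the SM2 standard. It assumes a toy curve $y^2 = x^3 + 2x + 2$ over $\mathbb{F}_{17}$ with base point $G = (5, 1)$ (so $n$, $h$ and $w$ are derived by brute force), SHA-256 standing in for $H$ and a truncated SHA-256 as the $KDF$; it shows that $O_{AB} = O_{BA}$, that $K_A = K_B$, that the optional confirmation values $S_{B1}$ and $S_A$ verify, and that a $\overline{PK}$ not on $E$ is rejected.

```python
import hashlib

# Constructed toy curve y^2 = x^3 + a*x + b over F_p (an assumption of this
# example; NOT the SM2 standard curve, which is 256-bit).
p, a, b = 17, 2, 2
G = (5, 1)  # base point; None represents the point at infinity

def add(P, Q):
    """Affine point addition on the toy curve."""
    if P is None:
        return Q
    if Q is None:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    if P == Q:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def mul(k, P):
    """Scalar multiplication [k]P by double-and-add."""
    R = None
    while k > 0:
        if k & 1:
            R = add(R, P)
        P, k = add(P, P), k >> 1
    return R

def on_curve(P):
    """The 'PK in E' check of steps 2(c) and 3(a)."""
    return P is not None and (P[1] ** 2 - P[0] ** 3 - a * P[0] - b) % p == 0

# Public parameters derived by brute force (cheap on a 17-element field):
# n = order of G, h = #E(F_p) / n, w = ceil(ceil(log2 n) / 2) - 1.
num_points = 1 + sum(on_curve((x, y)) for x in range(p) for y in range(p))
n = next(k for k in range(1, num_points + 1) if mul(k, G) is None)
h = num_points // n
w = -(-n.bit_length() // 2) - 1  # ceil(log2 n) == n.bit_length() for prime n > 2

def xbar(x):
    """x_A = 2^w + (x & (2^w - 1)), applied to the x-coordinate of a temporary key."""
    return 2 ** w + (x & (2 ** w - 1))

def H(data):            # H: SHA-256 stands in for the protocol's hash (assumption)
    return hashlib.sha256(data).digest()

def KDF(data, klen):    # KDF: truncated SHA-256 (assumption); klen is in bits
    return hashlib.sha256(data).digest()[: klen // 8]

def cat(*parts):
    """The || operator: small ints (tags, toy coordinates) become one byte each."""
    return b"".join(bytes([v]) if isinstance(v, int) else v for v in parts)

def t_value(sk, esk, epk):
    """t = (SK + x * SK_bar) mod n, as in steps 1(c) and 2(b)."""
    return (sk + xbar(epk[0]) * esk) % n

def shared_point(t_own, pk_peer, epk_peer):
    """O = [h*t](PK_peer + [x_peer]PK_bar_peer); None if a peer point is not on E."""
    if not on_curve(pk_peer) or not on_curve(epk_peer):
        return None
    return mul(h * t_own, add(pk_peer, mul(xbar(epk_peer[0]), epk_peer)))

def confirm(tag, O, ZA, ZB, epkA, epkB):
    """S = H(tag || y_O || H(x_O || ZA || ZB || x_PKA || y_PKA || x_PKB || y_PKB))."""
    inner = H(cat(O[0], ZA, ZB, epkA[0], epkA[1], epkB[0], epkB[1]))
    return H(cat(tag, O[1], inner))

def run_exchange(skA, eskA, skB, eskB, ZA=b"ZA", ZB=b"ZB", klen=128):
    """Steps 1-4 with key confirmation; returns (K_A, K_B, O_AB) or None on failure."""
    pkA, pkB = mul(skA, G), mul(skB, G)
    # Step 1: A picks SK_bar_A, sends PK_bar_A and computes t_A.
    epkA = mul(eskA, G)
    tA = t_value(skA, eskA, epkA)
    # Step 2: B picks SK_bar_B, computes t_B, checks PK_bar_A, derives O_BA, K_B, S_B1.
    epkB = mul(eskB, G)
    tB = t_value(skB, eskB, epkB)
    O_BA = shared_point(tB, pkA, epkA)
    if O_BA is None:
        return None
    KB = KDF(cat(O_BA[0], O_BA[1], ZA, ZB), klen)
    S_B1 = confirm(0x02, O_BA, ZA, ZB, epkA, epkB)
    # Step 3: A checks PK_bar_B, derives O_AB, verifies S_B1, computes K_A and S_A.
    O_AB = shared_point(tA, pkB, epkB)
    if O_AB is None or S_B1 != confirm(0x02, O_AB, ZA, ZB, epkA, epkB):
        return None
    KA = KDF(cat(O_AB[0], O_AB[1], ZA, ZB), klen)
    S_A = confirm(0x03, O_AB, ZA, ZB, epkA, epkB)
    # Step 4: B verifies S_A against its own O_BA.
    if S_A != confirm(0x03, O_BA, ZA, ZB, epkA, epkB):
        return None
    return KA, KB, O_AB

if __name__ == "__main__":
    # Constructed long-term and temporary private keys for A and B, all in [1, n-1].
    result = run_exchange(skA=3, eskA=7, skB=11, eskB=5)
    print("n =", n, "h =", h, "w =", w)
    print("K_A == K_B:", result is not None and result[0] == result[1], "O_AB =", result[2])
```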
1.1. Error in Xu and Feng's claimed attack
In this section, we point out the error in Xu and Feng's computation, which invalidates their claim. In Steps 1(c) and 2(b) of the SM2 protocol, $t_A$ and $t_B$ are computed as $t_A = (SK_A + x_A \cdot \overline{SK}_A) \bmod n$ and $t_B = (SK_B + x_B \cdot \overline{SK}_B) \bmod n$ (Xu and Feng, 2012). However, $\bmod n$ is omitted from the computations of $t_A$ and $t_B$ in Xu and Feng's attack description, as outlined below.
Let $PK'_A = PK_A + [e]G$ be the public key of the adversary, which is computed by adding $[e]G$ to the public key of A (with $e \in [1, n-1]$), and let $O'_{BA}$ denote the value B computes in step 2(c) when using $PK'_A$ in place of $PK_A$. Without the modular reduction, Xu and Feng's computation reads:
$$
\begin{aligned}
O_{AB} &= [h \cdot t_A](PK_B + [x_B]\overline{PK}_B) \\
&= [h \cdot (SK_A + x_A \cdot \overline{SK}_A)](PK_B + [x_B]\overline{PK}_B) \\
&= [h \cdot (SK_B + x_B \cdot \overline{SK}_B)](PK_A + [x_A]\overline{PK}_A) \\
&= [h \cdot (SK_B + x_B \cdot \overline{SK}_B)](PK'_A - [e]G + [x_A]\overline{PK}_A) \\
&= [h \cdot (SK_B + x_B \cdot \overline{SK}_B)](PK'_A + [x_A]\overline{PK}_A) - [h \cdot (SK_B + x_B \cdot \overline{SK}_B)][e]G \\
&= O'_{BA} - [h \cdot (SK_B + x_B \cdot \overline{SK}_B)][e]G \\
&= O'_{BA} - [e](PK_B + [x_B]\overline{PK}_B) = (x_{O_{AB}}, y_{O_{AB}})
\end{aligned}
$$
The omission of $\bmod n$ may appear trivial. However, with the modular reduction in place:
$$
\begin{aligned}
O_{AB} &= [h \cdot t_A](PK_B + [x_B]\overline{PK}_B) \\
&= [h \cdot ((SK_A + x_A \cdot \overline{SK}_A) \bmod n)](PK_B + [x_B]\overline{PK}_B) \\
&= [h \cdot ((SK_B + x_B \cdot \overline{SK}_B) \bmod n)](PK_A + [x_A]\overline{PK}_A) \\
&= [h \cdot ((SK_B + x_B \cdot \overline{SK}_B) \bmod n)](PK'_A - [e]G + [x_A]\overline{PK}_A) \\
&= [h \cdot ((SK_B + x_B \cdot \overline{SK}_B) \bmod n)](PK'_A + [x_A]\overline{PK}_A) - [h \cdot ((SK_B + x_B \cdot \overline{SK}_B) \bmod n)][e]G \\
&= O'_{BA} - [h \cdot ((SK_B + x_B \cdot \overline{SK}_B) \bmod n)][e]G \\
&\neq O'_{BA} - [e](PK_B + [x_B]\overline{PK}_B)
\end{aligned}
$$
1.2. Security proof
The security of the protocol (see Theorem 1) is based on the elliptic curve discrete logarithm problem (ECDLP) assumption (see Definition 4) in the random oracle model (see footnote 1).
Footnote 1: Despite the criticism that a proof in the random oracle model is more of a heuristic proof than a real one, no one has yet provided a convincing contradiction to the practicality of the random oracle model, and this model is still widely accepted by the cryptographic community. Moreover, as Black (2006) observed, no scheme has yet been proven secure in the random-oracle model and then broken once instantiated with some hash function, unless that was the goal from the very beginning.
Definition 4 (ECDLP Problem) (Yan, 2011).
Instance: $E/\mathbb{F}_p$, $P, Q \in E(\mathbb{F}_p)$.
Output: $k \in \mathbb{N}^*$, $k > 1$, such that $Q \equiv kP \pmod p$.
If we can solve the Discrete Logarithm Problem (DLP) (Boneh & Lipton, 1996), then we can also (immediately) solve the ECDLP problem.
Theorem 1. The SM2 protocol is secure in the sense of Definition 3 when the underlying hash and key derivation schemes are modelled as random oracles and the Elliptic Curve Discrete Logarithm Problem (ECDLP) assumption is satisfied in $E(\mathbb{F}_q)$.
The validity of the protocol is straightforward to verify and we will now concentrate on the indistinguishability requirement.
In the usual tradition of reductionist proofs, we assume that there exists an adversary A against the protocol (i.e. A has a non-negligible advantage, $\eta(k)$, where $k$ is the security parameter), and we then construct a solver S that makes use of A to solve the ECDLP problem.
In other words, S will simulate the view of A by answering all Send, Reveal, Corrupt and Test queries of A. S will start by randomly selecting two users, $I$ and $J$, and a session number, $i$, as the test session. S will also manage two random oracles, $H$ and $KDF$, in order to answer A's queries. More specifically, when the $H$ oracle is queried, S will check whether the tuple is already in the $H$-list and, if so, output the stored response. Otherwise, S will respond with the appropriate output, $H(\cdots)$, and add the tuple $(H(\cdots), U, i)$ to the $H$-list. S will answer $KDF$ queries in the same manner.
∗ Send($U_I$, $U_J$, $j$, $m$) queries: For any well-formed Send($U$, $j$, $m$) query from A, S can trivially answer with the right output as the protocol specification demands. Specifically,
· If $U_I$ is the initiator and $U_J$ the responder, then S outputs the message $m = \{\overline{PK}_{U_I}\}$ in answer to A's query.
· If $U_J$ is the initiator, $U_I$ the responder, and $m = \{\overline{PK}_{U_I}\}$ verifies correctly, then S outputs the message $m = \{\overline{PK}_{U_J}, S_{U_J 1}\}$ in answer to A's query, as the protocol specification demands. Otherwise, S aborts the simulation and fails.
· If $U_I$ is the initiator, $U_J$ the responder, and $m = \{\overline{PK}_{U_J}, S_{U_J 1}\}$ verifies correctly, then S outputs the message $m = \{S_{U_I}\}$ in answer to A's query, as the protocol specification demands. Otherwise, S aborts the simulation and fails.
∗ Reveal($U$, $j$) queries: If $\Pi^j_U = \Pi^i_I$ or $\Pi^j_U = \Pi^i_J$, then S aborts the simulation and fails. Otherwise this query can be answered with the right session key as long as $\Pi^j_U$ has accepted and neither $U$ nor its partner has been corrupted. However, such a session will be rendered unfresh.
∗ Corrupt($U$) queries: This query can be easily answered as per the protocol specification, unless $U = I$ or $U = J$. In the latter scenario, S aborts the simulation and fails.
∗ Test($U_1$, $U_2$, $j$, $m$) queries: At some point in the simulation, A asks a Test query of some oracle. If $\Pi^j_{U_1,U_2} \neq \Pi^i_{I,J}$, then S aborts the simulation and fails. Otherwise, S checks whether $\Pi^j_{U_1,U_2}$ has accepted and that the session is fresh (i.e. $\Pi^j_{U_1,U_2}$ has not been asked a Reveal query, and neither $U_1$ nor $U_2$ has been asked a Corrupt query). Assuming that $\Pi^j_{U_1,U_2}$ has obtained some value as its input prior to accepting, the oracle should hold a session key of the correct form. However, S cannot compute this key, so S cannot correctly simulate the Test query. Instead, S simply outputs a random value.
If S does not abort at some stage during the game simulation and A does not detect S's inconsistency in answering the Test query, then A's success probability is still $\eta(k)$. In order for A to have a non-negligible advantage in distinguishing the session key from a random value, A must also have queried the $KDF$ oracle on the value $KDF(x_{O_{U_I U_J}} || y_{O_{U_I U_J}} || Z_{U_I} || Z_{U_J}, klen)$ with some non-negligible advantage $\eta'(k)$. In other words, A would have to compute $t_{U_J}$ by guessing the relevant values correctly (i.e. $SK_{U_J}$ and $\overline{SK}_{U_J}$, from which $t_{U_J}$ is computed).
Let $Success^A_{SK_{U_J}}$ and $Success^A_{\overline{SK}_{U_J}}$ denote the respective events that A's guesses of $SK_{U_J}$ and $\overline{SK}_{U_J}$ are correct, $T_Q$ be the maximum number of Send, Reveal, Corrupt and Test queries, and $T_{RO}$ the maximum number of random oracle queries. Therefore,
$$
\Pr\left[Success^A_{SK_{U_J}}\right] = \frac{1}{T_Q}, \qquad \Pr\left[Success^A_{\overline{SK}_{U_J}}\right] = \frac{1}{T_Q},
$$
and the probability of A computing the right value of $t_{U_J}$, $\Pr\left[Success^A_{t_{U_J}}\right]$, is:
$$
\Pr\left[Success^A_{t_{U_J}}\right] = \Pr\left[Success^A_{SK_{U_J}}\right] \cdot \Pr\left[Success^A_{\overline{SK}_{U_J}}\right] = \frac{1}{T_Q^2}.
$$
For A to correctly guess the value of $O_{BA}$, A also has to guess the right values of $x_{O_{U_J U_I}}$ and $y_{O_{U_J U_I}}$. Therefore, the probabilities of A correctly guessing $x_{O_{U_J U_I}}$ and $y_{O_{U_J U_I}}$ are:
$$
\Pr\left[Success^A_{x_{O_{U_J U_I}}}\right] = \frac{1}{T_{RO}}, \qquad \Pr\left[Success^A_{y_{O_{U_J U_I}}}\right] = \frac{1}{2}.
$$
Therefore, the probability of A correctly guessing the value of $O_{U_J U_I}$ is:
$$
\Pr\left[Success^A_{O_{U_J U_I}}\right] = \Pr\left[Success^A_{x_{O_{U_J U_I}}}\right] \cdot \Pr\left[Success^A_{y_{O_{U_J U_I}}}\right] = \frac{1}{2\,T_{RO}}.
$$
In other words, A would need to solve the ECDLP problem with non-negligible $\epsilon$:
$$
\Pr\left[Success^A_{ECDLP}\right] \geq \epsilon.
$$
The probability that S did not abort at some stage and produces the correct output is at least:
$$
\Pr\left[Success^A_{ECDLP}\right] \cdot \Pr\left[Success^A_{O_{U_J U_I}}\right] \cdot \Pr\left[Success^A_{t_{U_J}}\right] \geq \frac{\epsilon}{2\,T_{RO}\,T_Q^2},
$$
which is non-negligible. This concludes the proof of Theorem 1.
This example shows that we can use mathematical methods not only to prove that a claimed attack on a protocol is flawed, but also to prove the security of the protocol in the random oracle model.
5 Draft Thesis Table of Contents
– i Abstract
– ii Acknowledgement
– iii Table of Contents
– Chapter 1 Overview
∗ 1.1 Introduction
∗ 1.2 Research Question
∗ 1.3 Research Aims
– Chapter 2 Literature Review
– Chapter 3 Background Materials
– Chapter 4 SM2 protocol and its proof
– Chapter 5 Another protocol
– Chapter 6 Conclusion
∗ 6.1 Summary of research activities
∗ 6.2 Concluding remarks
– Appendix
– Glossary
– References
6 Research Schedule
The research schedule is as follows:
Table 3. Schedule
Period              Task
Early Mar 2013      Identify research interest and find supervisor
Mar 2013            Work on annotated bibliography and read SM2 report
Apr 2013            Determine research topic
May 2013            Review literature related to mathematics, SM2 algorithm, proof models and prepare research proposal
End of May 2013     Finish SM2 algorithm key exchange protocol proof
1-12 Jun            Focus on research proposal and presentation
Jun to Aug          Focus on another protocol; review literature
Early Sep           Try to finish designing and proving GPAKE protocol
Sep                 Prepare thesis draft
Early Oct           Submit thesis for review
Oct                 Edit thesis depending on feedback
Nov                 Submit final thesis
7 Glossary
The glossary is as follows:

Table 4. Glossary

| Term | Definition |
|---|---|
| Private key | Key for decryption. |
| Public key | Key for encryption. |
| Session Key | The key established in a session and shared by all participating parties. |
| ECC | Elliptic curve cryptography. |
| SM2 algorithm | The current Chinese cryptographic algorithm. |
| GPAKE | Gateway password-based authenticated key exchange. |
| Oracle Random model | The model for proving the security of a key exchange protocol. |
| BR95 model | The model for proving key exchange protocols. |
| Abdalla RoR model | The model for proving the GPAKE protocol. |
| FTG model | Find-Then-Guess model. |
| RSA | An algorithm of public key cryptography. |
| BDH | A mathematical assumption. |
| CDH | A mathematical assumption. |
| ID-based | A mathematical assumption based on pairings. |