Cryptanalysis of pairing-free certificateless authenticated key agreement protocol

(1)

Cryptanalysis of pairing-free certificateless

authenticated key agreement protocol

Zhian Zhu

China Ship Development and Design Center (CSDDC), Wuhan, China Email: zhuzhian2012@gmail.com

Abstract: Recently, He et al. [D. He, J. Chen, J. Hu, A pairing-free certificateless authenticated key agreement protocol, International Journal of Communication Systems, 25(2), pp. 221-230, 2012] proposed a pairing-free certificateless authenticated key agreement protocol and demonstrated that their protocol is provable security in the random oracle model. However, in this paper, we show that t He et al. protocol is completely broken.

Key words: certificateless cryptography; authenticated key agreement; provable

security; elliptic curve

1. Introduction

To simplify the complex certificate management in the traditional public key cryptography (PKC), Shamir [1] proposed the concept of identity-based public key cryptography (ID-PKC). In ID-PKC, there is no need of the certificate of a public key since the user’s public key is his identity such as e-mail address, telephone number et al. However, ID-PKC inherently has the key escrow problem, i.e., the key generation center (KGC) knows the user’s private key. To solve the problem, Al-Riyami et al. [2] introduced the concept of the certificateless public key cryptography (CLPKC). Since then, many certificateless key agreement protocols using bilinear pairings have been proposed.

(2)

The organization of the paper is sketched as follows. The Section 2 gives a brief review of He et al.’s protocol. Cryptanalysis on He et al.’s protocol is shown in Section 3. Finally, we give some conclusions in Section 4.

2. He et al.’s protocol

In this section, we will review He et al.’s protocol. For convenience, some notations used in this paper are described as follows.

z p n, : two large prime numbers; z Fp: a finite field;

z E F/ _p: an elliptic curve defined on F_p;

z G: the cyclic additive group composed of the points on E F/ _p; z P: a generator of G;

z H₁( )⋅ : a secure one-way hash function, where H₁:{0,1}*→Z_n*; z H₂( )⋅ : a secure one-way hash function, where H₂:{0,1}*→Z_n*; z IDi: the identity of user i;

z ( ,x P_pub): the KGC’s private/public key pair, where P_pub=xP; z ( ,x Pi i): the user i’s secret value/public key pair, where Pi = ⋅x Pi ; z ( ,r R_i _i): a random point generated by KGC, where R_i = ⋅r P_i ;

z ( ,s R_i _i): the user i ’s partial private key, where s_i = +r_i h x_i modn,

1( , )

i i i

h =H ID R ;

z t T_i, _i): the user i’s ephemeral private/public key pair, where T_i = ⋅t P_i ;

In this section, we present a CTAKA protocol without pairing. Our protocol consists of the following six algorithms: Setup, Partial-Private-Key-Extract, Set-Secret-Value, Set-Private-Key, Set-Public-Key and Key-Agreement.

Setup: This algorithm takes a security parameter kas inputs and returns system parameters and a master key. Given k, KGC does the following.

1) KGC chooses the master private key x∈Z_n* and computes the master public key P_pub =xP.

2) KGC chooses two cryptographic secure hash functions H₁:{0,1}*→Z_n* and H₂:{0,1}*→Z_n*.

(3)

Partial-Private-Key-Extract: This algorithm takes master key, a user’s identifier, system parameters as input and returns the user’s ID-based private key. With this algorithm, for each user with identifier ID_i, KGC works as follows.

1) KGC chooses at random r_i∈Z_n*, computes R_i = ⋅r P_i and 1( , )

i i i

h =H ID R .

2) KGC computes s_i = +r_i h x_i modn.

The user’s s partial private key is the tuple D_i =( ,s R_i _i) and he can validate her private key by checking whether the equation s P_i⋅ =R_i+ ⋅h P_i _pub holds. The private key is valid if the equation holds and vice versa.

Set-Secret-Value: The user with identity IDi picks randomly

*

i n

x ∈Z sets

i

x as his secret value.

Set-Private-Key: The user with identity ID_i takes the pair S_i =( ,x D_i _i) as its private key, where Di =( ,s Ri i).

Set-Public-Key: The user with identity ID_i takes paramsand its secret value x_ias inputs, and generates its public keyP_i = ⋅x P_i .

Key-Agreement: Assume that an entity A with identity IDA has private key (S_A = x D_A, _A) and public key P_A =x_A⋅P, an entity B with identity ID_B has private key S_B =(x D_B, _B) and public key P_B =x_B⋅P. As shown in Fig. 1,

A and B run the protocol as follows. 1) A send M1=(ID R PA, A, A) to B.

2）After receiving M₁, B chooses at random the ephemeral key * n b∈Z

and computes T_B = ⋅b P( _A+R_A+H ID R P₁( _A, _A) _pub), then B send

2 ( B, B, B, B)

M = ID R P T to A.

3) After receiving M₂, A chooses at random the ephemeral key a∈Z_n* and computes T_A = ⋅a P( _B +R_B+H ID R P₁( _B, _B) _pub), then A send M₃ =(T_A) to

B.

Then both A and B can compute the shared secrets as follows. A computes

1 1

( )

AB A A B

(4)

1 1

( )

BA B B A

K = x +s − ⋅ + ⋅T b P and K2AB b x( B sB) 1 TA

−

= ⋅ + ⋅ (2)

Fig. 1. Key agreement of He et al.’s protocol

3. Cryptanalysis of He et al.’s protocol

In certificateless signature protocol, as defined in [2, 5], there are two types of adversaries with different capabilities, we assume type Iadversary, A1 acts as a dishonest user, while type IIadversary, A 2 acts as a malicious KGC.

In this section, we will show that He et al. protocol is vulnerable to the impersonation attack against of A1 and A 2. The detailed steps are described as follows.

3.1. Impersonation attack of type I adversary

Let A 1 be a type I adversary. Then, A1 does not have access to the master key, but A1 can replace the public keys of any entity with a value of his choice, since there is no certificate involved in certificateless signature protocol.

z Impersonation attack against initiator

1) A1 generates a random number t and replaces A’s public key

A A

P =x ⋅P with P′_A =tP−R_A−H ID R P₁( _A, _A) _p_ub.

2) A 1 impersonate A to sends the message M1 =(ID RA, A,PA′) to B. 3) After receiving M₁, B chooses at random the ephemeral key b∈Z_n* and computes T_B = ⋅b (P_A′+R_A+H ID R P₁( _A, _A) _p_ub), then B send

2 ( B, B, B, B)

(5)

4) After receiving M2, A 1 chooses at random the ephemeral key

* n a∈Z , computes T_A = ⋅a P( _B +R_B +H ID R P₁( _B, _B) _pub)and send M₃ =(T_A) to B.

5) After receiving M₃, B will computes

1 1

( )

BA B B A

K = x +s − ⋅ + ⋅ =T b P aP bP+ ,KAB2 b x( B sB) 1 TA abP

−

= ⋅ + ⋅ = and the

session key sk_BA=H ID₂( _A||ID_B ||T_A||T_B||K1_BA||K_BA2 ). Since P′_A =tP−R_A−H ID R P₁( _A, _A) _p_ub and

1

( ( , ) )

B A A A A pub

T = ⋅b P′+R +H ID R P , then A1 computes

1 1 1

1 1

( ( , ) )

( ( , ) ( , ) )

AB B A A A pub

A A A pub A A

A

A pub

BA

K t T a P t b R H ID R P a P

t b tP R H ID R P R H ID R P a P

t b tP aP P aP

P

b K

− −

−

= ⋅ + ⋅ = ⋅ ⋅ + + + ⋅

= ⋅ ⋅ − − + + + ⋅

= ⋅ ⋅ + = + =

′

(3)

and

2 1 1

1 1

1 2

( ( , ) )

( ( , ) ( , ) )

AB B A A A pub

A A A pub A A A pu

A

b

BA

K a t T a t b R H ID R P

a t b tP R H ID R P R H ID R P

a t b tP

P

abP K

− −

−

= ⋅ ⋅ = ⋅ ⋅ ⋅ + +

= ⋅ ⋅ ⋅ − − + +

= ⋅ ⋅ ⋅ = =

′

(4)

Thus A 1 could compute 1 2

2( || || || || || )

AB A B A B AB AB

sk =H ID ID T T K K as the

session key. It is easy to say that sk_AB and sk_BA are equal since K1_AB =K1_BA and K_AB2 =K_BA2 . Then A 1 impersonate the initiator A successfully.

z Impersonation attack against responder

1) A1 generates a random number t and replaces B ’s public key

B B

P =x ⋅P with P′_B =tP−R_B −H ID R P₁( _B, _B) _p_ub.

2) After intercept the message M₁=(ID R P_A, _A, _A) sent by A, A1 chooses

at random the ephemeral key b∈Z_n* , computes

1

( ( , ) )

B A A A A pub

T = ⋅b P +R +H ID R P . Then A 1 impersonate B to send back

2 ( B, B, B, B)

M = ID R P′ T to A1.

3) After receiving M₂, A chooses at random the ephemeral key a∈Z_n*, computes T_A = ⋅a (P_B′+R_B +H ID R P₁( _B, _B) _p_ub), K_AB2 = ⋅a x( _A+s_A)−1⋅T_B =abP,

1 1

( )

AB A A B

(6)

4) After receiving M3, A1 will computes

1 1

BA A

K =t− ⋅ ⋅ + ⋅a T b P,

2 1

AB A

K = ⋅b t− ⋅T and the session key sk_BA =H ID₂( _A||ID_B||T_A||T_B ||K_BA1 ||K_BA2 ). Since P′_B =tP−R_B −H ID R P₁( _B, _B) _p_ub and

1

( ( , ) )

A B B B B pub

T = ⋅a P′+R +H ID R P , then A 1 computes

1 1 1

1 1

( ( , ) )

( ( , ) ( , ) )

BA A B B B pub

B B B pub B B B pu

B B

b

A

K t a T b P t R H ID R P b P t a tP R H ID R P R H ID R P b P t a tP bP aP P

P

b K

− −

−

= ⋅ ⋅ + ⋅ = ⋅ + + + ⋅

= ⋅ ⋅ − − + + + ⋅

= ⋅ ⋅ + = + =

′

(5)

and

2 1 1

1 1

1 2

( ( , ) )

( ( , ) ( , ) )

AB A B B B pub

B B B pub B B B pu

B

b

BA

K b t T b t a R H ID R P

b t a tP R H ID R P R H ID R P b t a tP

P

abP K

− −

−

= ⋅ ⋅ = ⋅ ⋅ ⋅ + +

= ⋅ ⋅ ⋅ − − + +

= ⋅ ⋅ ⋅ = =

′

(6)

Thus A 1 could compute sk_AB =H ID₂( _A||ID_B||T_A||T_B ||K1_AB||K_AB2 ) as the session key. It is easy to say that sk_AB and sk_BA are equal since K1_AB =K1_BA and K_AB2 =K_BA2 . Then A 1 impersonate the responder B successfully.

3.2 Impersonation attack of type II adversary

Let A 1 be a type I adversary. Then, A 2 has access to the master key

x, but cannot replace any user's public key. z Impersonation attack against initiator

1) A 2 generates a random number t , computes R_A′ =tP−P_A and impersonate A to send the message M1=(IDA,R′A,PA) to B.

2)After receiving M₁, B chooses at random the ephemeral key * n b∈Z and computes T_B = ⋅b P( _A+R_A′ +H ID₁( _A,R_A′)P_pub), then B send

2 ( B, B, B, B)

M = ID R P T to A 2.

3) After receiving M₂, A 2 chooses at random the ephemeral key * n a∈Z , computes T_A = ⋅a P( _B +R_B +H ID R P₁( _B, _B) _pub)and send M₃ =(T_A) to B.

4) After receiving M3, B will computes

1 1

( )

BA B B A

K = x +s − ⋅ + ⋅ =T b P aP bP+ , 2 1

( )

AB B B A

(7)

Since T_B = ⋅b P( _A+R_A′ +H ID₁( _A,R_A′)P_pub), R′_A =tP−P_A and A 2 knows the mast key x. Then A 2 computes

1 1 1 1 1 1 1 1 1 1 1 1 1 1 ( ( , )) ( ( , )) ( ( , ) ) ( ( , )) ( ( , ) ) ( ( , )) ( ( , ) ) ( ( , )) (

AB A A B

A

A A A pub

A A A A pub

A A A A A A A A A A

K t xH ID T a P

t xH ID b P H ID P a P

t xH ID b P tP P H ID P a P t xH ID b tP

R

R R R

R R

R H ID xP a P

t xH ID R t

R b − − − − − ′ ′ ′ ′ ′ ′ ′ ′ = + ⋅ + ⋅ = + ⋅ ⋅ + + + ⋅ = + ⋅ ⋅ + − + + ⋅ = + ⋅ ⋅ + + ⋅

= + ′ ⋅ ⋅ ₁

1

( _A, ) ) A

A

B

H ID R x P a P bP aP K

+ + ⋅ = + = ′ (7) and 2 1 1 1 1 1 1 1 1 1 1 1 1 1 1 ( ( , )) ( ( , )) ( ( , ) ) ( ( , )) ( ( , ) ) ( ( , )) ( ( , ) ) ( ( , )) ( (

AB A B

A A A pub

A A A A pub

A

A A A

A A A A A A A R

R R R

R R

K a t xH ID T

a t xH ID b P H ID P

a t xH ID b P tP P H ID P a t xH ID b tP H ID xP

a t xH ID b t H I

R R R D − − − − − = ⋅ + ⋅ = ⋅ + ⋅ ⋅ + + = ⋅ + ⋅ ⋅ + − + = ′ ′ ′ ′ ′ ′ ⋅ + ⋅ ⋅ + = ⋅ + ⋅ ⋅ + ′ ′ ′ 2 , ) ) A A A B x P abP R K = = ′ (8)

Thus A 2 could compute sk_AB=H ID₂( _A||ID_B||T_A||T_B ||K1_AB||K_AB2 ) as the session key. It is easy to say that skAB and skBA are equal since

1 1 AB BA K =K

and K_AB2 =K_BA2 . Then A 2 impersonate the initiator A successfully. z Impersonation attack against responder

1) A 2 generates a random number t and computes R_B′ =tP−P_B.

2) After intercept the message M₁ =(ID R P_A, _A, _A) sent by A , A 2

chooses at random the ephemeral key b∈Z_n* , computes

1

( ( , ) )

B A A A A pub

T = ⋅b P +R +H ID R P . Then A 2 impersonate B to send back

2 ( B,RB, B, B)

M = ID ′ R T to A 2.

3) After receiving M₂, A chooses at random the ephemeral key a∈Z_n*, computes T_A = ⋅a P( _B +R_B′ +H ID₁( _B,R_B′)P_pub), K_AB2 = ⋅a (x_A+s_A)−1⋅T_B =abP,

1 1

( )

AB A A B

(8)

4) After receiving M₃, A 2 will computes

1 1

1

( ( , _B))

BA B A

K = +t xH ID R′ − ⋅ ⋅ + ⋅a T b P, K_AB2 =b t⋅ +( xH I₁( D_A,R_A′))−1⋅T_A and the session key skBA=H ID2( A||IDB ||TA||TB||K1BA||KBA2 ).

Since R_B′ =tP−P_B and T_A = ⋅a P( _B +R_B′ +H ID₁( _B,R_B′)P_pub), then A 2

computes 1 1 1 1 1 1 1 1 1 1 1 1 1 1 ( ( , )) ( ( , )) ( ( , ) ) ( ( , )) ( ( , ) ) ( ( , )) ( ( , ) ) ( ( , )) (

BA B B A

B

B B B pub

B B B B pub

B B B B B B B B B B

K t xH ID T b P

t xH ID a P H ID P b P

t xH ID a P tP P H ID P b P t xH ID a tP

R

R R R

R R

R H ID xP b P

t xH ID R t

R a − − − − − ′ ′ ′ ′ ′ ′ ′ ′ = + ⋅ + ⋅ = + ⋅ ⋅ + + + ⋅ = + ⋅ ⋅ + − + + ⋅ = + ⋅ ⋅ + + ⋅

= + ′ ⋅ ⋅ ₁

1

( _B, ))

AB

B

xH ID R P b P aP bP K

+ + ⋅ = + = ′ (5) and 2 1 1 1 1 1 1 1 1 1 1 1 1 1 1 ( ( , )) ( ( , )) ( ( , ) ) ( ( , )) ( ( , ) ) ( ( , )) ( ( , ) ) ( ( , )) ( (

AB B A

B B B pub

B B B B pub

B

B B B

B B B B B B B R

R R R

R R

K b t xH ID T

b t xH ID a P H ID P

b t xH ID a P tP P H ID P b t xH ID a tP H ID xP

b t xH ID a xH I

R R R t − − − − − = ⋅ + ⋅ = ⋅ + ⋅ ⋅ + + = ⋅ + ⋅ ⋅ + − + = ′ ′ ′ ′ ′ ′ ⋅ + ⋅ ⋅ + = ⋅ + ⋅ ⋅ + ′ ′ ′ 2 , )) A B B B

D R P abP K

= =

′

(6)

Thus A 2 could compute sk_AB=H ID₂( _A||ID_B||T_A||T_B ||K1_AB||K_AB2 ) as the session key. It is easy to say that sk_AB and sk_BA are equal since K1_AB =K1_BA and K_AB2 =K_BA2 . Then A 2 impersonate the responder B successfully.

4. Conclusion

(9)

Reference

[1]. Shamir A. Identity-based cryptosystems and signature protocols. In Proceedings of CRYPTO’84. Lecture Notes in Computer Science, Vol. 196. Springer: Berlin, 1985; 47–53.

[2]. Al-Riyami S, Paterson K. Certificateless public key cryptography. In Proceedings of ASIACRYPT 2003. Lecture Notes in Computer Science, Vol. 2894. Springer: Berlin, 2003; 452–473.

[3]. Chen L, Cheng Z, Smart N, Identity-based key agreement protocols from pairings, International Journal of Information Security, 6, pp. 213–241, 2007.

[4]. He D, Chen J, Zhang R. An efficient and provably-secure certificateless signature protocol without bilinear pairings. International Journal of Communication Systems, doi: 10.1002/dac.1330, 2011.