Cryptanalysis of pairing-free certificateless
authenticated key agreement protocol
Zhian Zhu
China Ship Development and Design Center (CSDDC), Wuhan, China Email: zhuzhian2012@gmail.com
Abstract: Recently, He et al. [D. He, J. Chen, J. Hu, A pairing-free certificateless authenticated key agreement protocol, International Journal of Communication Systems, 25(2), pp. 221-230, 2012] proposed a pairing-free certificateless authenticated key agreement protocol and demonstrated that their protocol is provable security in the random oracle model. However, in this paper, we show that t He et al. protocol is completely broken.
Key words: certificateless cryptography; authenticated key agreement; provable
security; elliptic curve
1. Introduction
To simplify the complex certificate management in the traditional public key cryptography (PKC), Shamir [1] proposed the concept of identity-based public key cryptography (ID-PKC). In ID-PKC, there is no need of the certificate of a public key since the user’s public key is his identity such as e-mail address, telephone number et al. However, ID-PKC inherently has the key escrow problem, i.e., the key generation center (KGC) knows the user’s private key. To solve the problem, Al-Riyami et al. [2] introduced the concept of the certificateless public key cryptography (CLPKC). Since then, many certificateless key agreement protocols using bilinear pairings have been proposed.
The organization of the paper is sketched as follows. The Section 2 gives a brief review of He et al.’s protocol. Cryptanalysis on He et al.’s protocol is shown in Section 3. Finally, we give some conclusions in Section 4.
2. He et al.’s protocol
In this section, we will review He et al.’s protocol. For convenience, some notations used in this paper are described as follows.
z p n, : two large prime numbers; z Fp: a finite field;
z E F/ p: an elliptic curve defined on Fp;
z G: the cyclic additive group composed of the points on E F/ p; z P: a generator of G;
z H1( )⋅ : a secure one-way hash function, where H1:{0,1}*→Zn*; z H2( )⋅ : a secure one-way hash function, where H2:{0,1}*→Zn*; z IDi: the identity of user i;
z ( ,x Ppub): the KGC’s private/public key pair, where Ppub=xP; z ( ,x Pi i): the user i’s secret value/public key pair, where Pi = ⋅x Pi ; z ( ,r Ri i): a random point generated by KGC, where Ri = ⋅r Pi ;
z ( ,s Ri i): the user i ’s partial private key, where si = +ri h xi modn,
1( , )
i i i
h =H ID R ;
z t Ti, i): the user i’s ephemeral private/public key pair, where Ti = ⋅t Pi ;
In this section, we present a CTAKA protocol without pairing. Our protocol consists of the following six algorithms: Setup, Partial-Private-Key-Extract, Set-Secret-Value, Set-Private-Key, Set-Public-Key and Key-Agreement.
Setup: This algorithm takes a security parameter kas inputs and returns system parameters and a master key. Given k, KGC does the following.
1) KGC chooses the master private key x∈Zn* and computes the master public key Ppub =xP.
2) KGC chooses two cryptographic secure hash functions H1:{0,1}*→Zn* and H2:{0,1}*→Zn*.
Partial-Private-Key-Extract: This algorithm takes master key, a user’s identifier, system parameters as input and returns the user’s ID-based private key. With this algorithm, for each user with identifier IDi, KGC works as follows.
1) KGC chooses at random ri∈Zn*, computes Ri = ⋅r Pi and 1( , )
i i i
h =H ID R .
2) KGC computes si = +ri h xi modn.
The user’s s partial private key is the tuple Di =( ,s Ri i) and he can validate her private key by checking whether the equation s Pi⋅ =Ri+ ⋅h Pi pub holds. The private key is valid if the equation holds and vice versa.
Set-Secret-Value: The user with identity IDi picks randomly
*
i n
x ∈Z sets
i
x as his secret value.
Set-Private-Key: The user with identity IDi takes the pair Si =( ,x Di i) as its private key, where Di =( ,s Ri i).
Set-Public-Key: The user with identity IDi takes paramsand its secret value xias inputs, and generates its public keyPi = ⋅x Pi .
Key-Agreement: Assume that an entity A with identity IDA has private key (SA = x DA, A) and public key PA =xA⋅P, an entity B with identity IDB has private key SB =(x DB, B) and public key PB =xB⋅P. As shown in Fig. 1,
A and B run the protocol as follows. 1) A send M1=(ID R PA, A, A) to B.
2)After receiving M1, B chooses at random the ephemeral key * n b∈Z
and computes TB = ⋅b P( A+RA+H ID R P1( A, A) pub), then B send
2 ( B, B, B, B)
M = ID R P T to A.
3) After receiving M2, A chooses at random the ephemeral key a∈Zn* and computes TA = ⋅a P( B +RB+H ID R P1( B, B) pub), then A send M3 =(TA) to
B.
Then both A and B can compute the shared secrets as follows. A computes
1 1
( )
AB A A B
1 1
( )
BA B B A
K = x +s − ⋅ + ⋅T b P and K2AB b x( B sB) 1 TA
−
= ⋅ + ⋅ (2)
Fig. 1. Key agreement of He et al.’s protocol
3. Cryptanalysis of He et al.’s protocol
In certificateless signature protocol, as defined in [2, 5], there are two types of adversaries with different capabilities, we assume type Iadversary, A1 acts as a dishonest user, while type IIadversary, A 2 acts as a malicious KGC.
In this section, we will show that He et al. protocol is vulnerable to the impersonation attack against of A1 and A 2. The detailed steps are described as follows.
3.1. Impersonation attack of type I adversary
Let A 1 be a type I adversary. Then, A1 does not have access to the master key, but A1 can replace the public keys of any entity with a value of his choice, since there is no certificate involved in certificateless signature protocol.
z Impersonation attack against initiator
1) A1 generates a random number t and replaces A’s public key
A A
P =x ⋅P with P′A =tP−RA−H ID R P1( A, A) pub.
2) A 1 impersonate A to sends the message M1 =(ID RA, A,PA′) to B. 3) After receiving M1, B chooses at random the ephemeral key b∈Zn* and computes TB = ⋅b (PA′+RA+H ID R P1( A, A) pub), then B send
2 ( B, B, B, B)
4) After receiving M2, A 1 chooses at random the ephemeral key
* n a∈Z , computes TA = ⋅a P( B +RB +H ID R P1( B, B) pub)and send M3 =(TA) to B.
5) After receiving M3, B will computes
1 1
( )
BA B B A
K = x +s − ⋅ + ⋅ =T b P aP bP+ ,KAB2 b x( B sB) 1 TA abP
−
= ⋅ + ⋅ = and the
session key skBA=H ID2( A||IDB ||TA||TB||K1BA||KBA2 ). Since P′A =tP−RA−H ID R P1( A, A) pub and
1
( ( , ) )
B A A A A pub
T = ⋅b P′+R +H ID R P , then A1 computes
1 1 1
1 1
1 1
1 1
( ( , ) )
( ( , ) ( , ) )
AB B A A A pub
A A A pub A A
A
A pub
BA
K t T a P t b R H ID R P a P
t b tP R H ID R P R H ID R P a P
t b tP aP P aP
P
b K
− −
−
−
= ⋅ + ⋅ = ⋅ ⋅ + + + ⋅
= ⋅ ⋅ − − + + + ⋅
= ⋅ ⋅ + = + =
′
(3)
and
2 1 1
1 1
1 1
1 2
( ( , ) )
( ( , ) ( , ) )
AB B A A A pub
A A A pub A A A pu
A
b
BA
K a t T a t b R H ID R P
a t b tP R H ID R P R H ID R P
a t b tP
P
abP K
− −
−
−
= ⋅ ⋅ = ⋅ ⋅ ⋅ + +
= ⋅ ⋅ ⋅ − − + +
= ⋅ ⋅ ⋅ = =
′
(4)
Thus A 1 could compute 1 2
2( || || || || || )
AB A B A B AB AB
sk =H ID ID T T K K as the
session key. It is easy to say that skAB and skBA are equal since K1AB =K1BA and KAB2 =KBA2 . Then A 1 impersonate the initiator A successfully.
z Impersonation attack against responder
1) A1 generates a random number t and replaces B ’s public key
B B
P =x ⋅P with P′B =tP−RB −H ID R P1( B, B) pub.
2) After intercept the message M1=(ID R PA, A, A) sent by A, A1 chooses
at random the ephemeral key b∈Zn* , computes
1
( ( , ) )
B A A A A pub
T = ⋅b P +R +H ID R P . Then A 1 impersonate B to send back
2 ( B, B, B, B)
M = ID R P′ T to A1.
3) After receiving M2, A chooses at random the ephemeral key a∈Zn*, computes TA = ⋅a (PB′+RB +H ID R P1( B, B) pub), KAB2 = ⋅a x( A+sA)−1⋅TB =abP,
1 1
( )
AB A A B
4) After receiving M3, A1 will computes
1 1
BA A
K =t− ⋅ ⋅ + ⋅a T b P,
2 1
AB A
K = ⋅b t− ⋅T and the session key skBA =H ID2( A||IDB||TA||TB ||KBA1 ||KBA2 ). Since P′B =tP−RB −H ID R P1( B, B) pub and
1
( ( , ) )
A B B B B pub
T = ⋅a P′+R +H ID R P , then A 1 computes
1 1 1
1 1
1 1
1 1
( ( , ) )
( ( , ) ( , ) )
BA A B B B pub
B B B pub B B B pu
B B
b
A
K t a T b P t R H ID R P b P t a tP R H ID R P R H ID R P b P t a tP bP aP P
P
b K
− −
−
−
= ⋅ ⋅ + ⋅ = ⋅ + + + ⋅
= ⋅ ⋅ − − + + + ⋅
= ⋅ ⋅ + = + =
′
(5)
and
2 1 1
1 1
1 1
1 2
( ( , ) )
( ( , ) ( , ) )
AB A B B B pub
B B B pub B B B pu
B
b
BA
K b t T b t a R H ID R P
b t a tP R H ID R P R H ID R P b t a tP
P
abP K
− −
−
−
= ⋅ ⋅ = ⋅ ⋅ ⋅ + +
= ⋅ ⋅ ⋅ − − + +
= ⋅ ⋅ ⋅ = =
′
(6)
Thus A 1 could compute skAB =H ID2( A||IDB||TA||TB ||K1AB||KAB2 ) as the session key. It is easy to say that skAB and skBA are equal since K1AB =K1BA and KAB2 =KBA2 . Then A 1 impersonate the responder B successfully.
3.2 Impersonation attack of type II adversary
Let A 1 be a type I adversary. Then, A 2 has access to the master key
x, but cannot replace any user's public key. z Impersonation attack against initiator
1) A 2 generates a random number t , computes RA′ =tP−PA and impersonate A to send the message M1=(IDA,R′A,PA) to B.
2)After receiving M1, B chooses at random the ephemeral key * n b∈Z and computes TB = ⋅b P( A+RA′ +H ID1( A,RA′)Ppub), then B send
2 ( B, B, B, B)
M = ID R P T to A 2.
3) After receiving M2, A 2 chooses at random the ephemeral key * n a∈Z , computes TA = ⋅a P( B +RB +H ID R P1( B, B) pub)and send M3 =(TA) to B.
4) After receiving M3, B will computes
1 1
( )
BA B B A
K = x +s − ⋅ + ⋅ =T b P aP bP+ , 2 1
( )
AB B B A
Since TB = ⋅b P( A+RA′ +H ID1( A,RA′)Ppub), R′A =tP−PA and A 2 knows the mast key x. Then A 2 computes
1 1 1 1 1 1 1 1 1 1 1 1 1 1 ( ( , )) ( ( , )) ( ( , ) ) ( ( , )) ( ( , ) ) ( ( , )) ( ( , ) ) ( ( , )) (
AB A A B
A
A A A pub
A A A A pub
A A A A A A A A A A
K t xH ID T a P
t xH ID b P H ID P a P
t xH ID b P tP P H ID P a P t xH ID b tP
R
R R R
R R
R H ID xP a P
t xH ID R t
R b − − − − − ′ ′ ′ ′ ′ ′ ′ ′ = + ⋅ + ⋅ = + ⋅ ⋅ + + + ⋅ = + ⋅ ⋅ + − + + ⋅ = + ⋅ ⋅ + + ⋅
= + ′ ⋅ ⋅ 1
1
( A, ) ) A
A
B
H ID R x P a P bP aP K
+ + ⋅ = + = ′ (7) and 2 1 1 1 1 1 1 1 1 1 1 1 1 1 1 ( ( , )) ( ( , )) ( ( , ) ) ( ( , )) ( ( , ) ) ( ( , )) ( ( , ) ) ( ( , )) ( (
AB A B
A A A pub
A A A A pub
A
A
A A A
A A A A A A A R
R R R
R R
K a t xH ID T
a t xH ID b P H ID P
a t xH ID b P tP P H ID P a t xH ID b tP H ID xP
a t xH ID b t H I
R R R D − − − − − = ⋅ + ⋅ = ⋅ + ⋅ ⋅ + + = ⋅ + ⋅ ⋅ + − + = ′ ′ ′ ′ ′ ′ ⋅ + ⋅ ⋅ + = ⋅ + ⋅ ⋅ + ′ ′ ′ 2 , ) ) A A A B x P abP R K = = ′ (8)
Thus A 2 could compute skAB=H ID2( A||IDB||TA||TB ||K1AB||KAB2 ) as the session key. It is easy to say that skAB and skBA are equal since
1 1 AB BA K =K
and KAB2 =KBA2 . Then A 2 impersonate the initiator A successfully. z Impersonation attack against responder
1) A 2 generates a random number t and computes RB′ =tP−PB.
2) After intercept the message M1 =(ID R PA, A, A) sent by A , A 2
chooses at random the ephemeral key b∈Zn* , computes
1
( ( , ) )
B A A A A pub
T = ⋅b P +R +H ID R P . Then A 2 impersonate B to send back
2 ( B,RB, B, B)
M = ID ′ R T to A 2.
3) After receiving M2, A chooses at random the ephemeral key a∈Zn*, computes TA = ⋅a P( B +RB′ +H ID1( B,RB′)Ppub), KAB2 = ⋅a (xA+sA)−1⋅TB =abP,
1 1
( )
AB A A B
4) After receiving M3, A 2 will computes
1 1
1
( ( , B))
BA B A
K = +t xH ID R′ − ⋅ ⋅ + ⋅a T b P, KAB2 =b t⋅ +( xH I1( DA,RA′))−1⋅TA and the session key skBA=H ID2( A||IDB ||TA||TB||K1BA||KBA2 ).
Since RB′ =tP−PB and TA = ⋅a P( B +RB′ +H ID1( B,RB′)Ppub), then A 2
computes 1 1 1 1 1 1 1 1 1 1 1 1 1 1 ( ( , )) ( ( , )) ( ( , ) ) ( ( , )) ( ( , ) ) ( ( , )) ( ( , ) ) ( ( , )) (
BA B B A
B
B B B pub
B B B B pub
B B B B B B B B B B
K t xH ID T b P
t xH ID a P H ID P b P
t xH ID a P tP P H ID P b P t xH ID a tP
R
R R R
R R
R H ID xP b P
t xH ID R t
R a − − − − − ′ ′ ′ ′ ′ ′ ′ ′ = + ⋅ + ⋅ = + ⋅ ⋅ + + + ⋅ = + ⋅ ⋅ + − + + ⋅ = + ⋅ ⋅ + + ⋅
= + ′ ⋅ ⋅ 1
1
( B, ))
AB
B
xH ID R P b P aP bP K
+ + ⋅ = + = ′ (5) and 2 1 1 1 1 1 1 1 1 1 1 1 1 1 1 ( ( , )) ( ( , )) ( ( , ) ) ( ( , )) ( ( , ) ) ( ( , )) ( ( , ) ) ( ( , )) ( (
AB B A
B B B pub
B B B B pub
B
B
B B B
B B B B B B B R
R R R
R R
K b t xH ID T
b t xH ID a P H ID P
b t xH ID a P tP P H ID P b t xH ID a tP H ID xP
b t xH ID a xH I
R R R t − − − − − = ⋅ + ⋅ = ⋅ + ⋅ ⋅ + + = ⋅ + ⋅ ⋅ + − + = ′ ′ ′ ′ ′ ′ ⋅ + ⋅ ⋅ + = ⋅ + ⋅ ⋅ + ′ ′ ′ 2 , )) A B B B
D R P abP K
= =
′
(6)
Thus A 2 could compute skAB=H ID2( A||IDB||TA||TB ||K1AB||KAB2 ) as the session key. It is easy to say that skAB and skBA are equal since K1AB =K1BA and KAB2 =KBA2 . Then A 2 impersonate the responder B successfully.
4. Conclusion
Reference
[1]. Shamir A. Identity-based cryptosystems and signature protocols. In Proceedings of CRYPTO’84. Lecture Notes in Computer Science, Vol. 196. Springer: Berlin, 1985; 47–53.
[2]. Al-Riyami S, Paterson K. Certificateless public key cryptography. In Proceedings of ASIACRYPT 2003. Lecture Notes in Computer Science, Vol. 2894. Springer: Berlin, 2003; 452–473.
[3]. Chen L, Cheng Z, Smart N, Identity-based key agreement protocols from pairings, International Journal of Information Security, 6, pp. 213–241, 2007.
[4]. He D, Chen J, Zhang R. An efficient and provably-secure certificateless signature protocol without bilinear pairings. International Journal of Communication Systems, doi: 10.1002/dac.1330, 2011.