An Efficient Certificate-Based Authenticated Key Agreement Protocol without Bilinear Pairing

(1)

345

Information Technology and Control 2017/3/46

An Efficient

Certificate-Based Authenticated

Key Agreement Protocol

Without Bilinear Pairing

ITC 3/46

Journal of Information Technology and Control

Vol. 46 / No. 3 / 2017 pp. 345-359

DOI 10.5755/j01.itc.46.3.14968 © Kaunas University of Technology

An Efficient Certificate-Based Authenticated Key Agreement Protocol Without Bilinear Pairing

Received 2016/05/13 Accepted after revision 2017/07/03

http://dx.doi.org/10.5755/j01.itc.46.3.14968

Corresponding author: [email protected]

Yang Lu, Quanling Zhang, Jiguo Li

College of Computer and Information, Hohai University, No. 8, Focheng Xi Road, Jiangning District, Nanjing, China e-mails: [email protected], [email protected], [email protected]

Jian Shen

School of Computer and Software, Nanjing University of Information Science and Technology, No. 219, Ningliu Road, Nanjing, China, e-mail: [email protected]

(2)

1. Introduction

To provide secure communications over insecure public networks, privacy and confidentiality should be guaranteed. An authenticated key agreement (AKA) protocol enables the communication parties to authenticate each other and securely set up a shared session key for their communications over an unreli-able communication channel. Therefore, it can assure the privacy and data confidentiality of the later com-munications.

The famous Diffie-Hellman key-exchange proto-col [8] is the first practical key agreement protoproto-col. However, Diffie-Hellman protocol suffers from the man-in-the-middle (MITM) attack due to the reason that it does not provide authentication to the proto-col participants. The protoproto-cols that can provide the authentication mechanism have attracted great at-tention from the research commnity (e.g. [14-17]). Over the years, many AKA protocols have been pro-posed. However, most of the previous AKA protocols were constructed over either conventional public-key cryptography (PKC) [4, 11, 13, 20, 25] or identity-ba-sed cryptography (IBC) [5-7, 36, 41, 44]. It is well-known that conventional PKC suffers from the heavy certificate management problem while IBC has the key escrow and key distribution problems.

To solve the key escrow problem, Al-Riyami and Pat-erson [1] presented the concept of certificateless AKA (CL-AKA) protocol by extending AKA protocol into certificateless PKC. In a CL-AKA protocol, a partially trusted key generation center (KGC) is employed to assist every user to produce a private key from a secret value selected by the user. In this way, KGC does not know any user’s private key. As a result, CL-AKA pro-tocols avoid the key escrow problem while reserving the certificateless property. Since the introduction of CL-AKA protocol, many CL-AKA protocols have been proposed [12, 19, 26, 40, 42, 47, 48]. However, KGC has to distribute a partial private key to every user over secure channels. This feature limits the application of CL-AKA protocols in the untrusted network environ-ments, because setting up a secure channel in those environments is usually expensive.

In Eurocrypt 2003, Gentry [10] put forward a new public-key cryptographic paradigm called certifi-cate-based cryptography (CBC). This new cryptog-raphy lies between conventional PKC and IBC. When

using CBC, every user should produce a pair of private key and public key independently and then apply for a certificate from a trusted certification authority (CA). The certificate is sent to its owner and serves as a partial decryption key or a partial signing key. This functionality of the certificate supplies an implicit certificate property so that a user can execute some cryptographic operations (e.g., decryption and sign-ing) correctly only when both his certificate and pri-vate key are known, while this user’s communication parties need not obtain the current status of his cer-tificate. Therefore, CBC solves the certificate revo-cation problem in conventional PKC. Furthermore, CBC eliminates both the key escrow problem (as CA has no knowledge of users’ private keys) and the key distribution problem (as CA can send the certificates to their owners publicly). Since its invention, CBC has obsorbed great interest from the cryptography community and numerous CBC schemes have been published, including certificate-based encryption (e.g. [9, 28, 31, 32, 39, 46]), certificate-based signature (e.g. [2, 18, 21, 22, 27, 30]) and certificate-based sign-cryption (e.g. [23, 29, 34]).

To overcome the problems imposed on the previous AKA protocols, Wang and Cao [45] proposed the notion of certificate-based AKA (CB-AKA) protocol following the idea of CBC. Compared with previous types of AKA protocol, CB-AKA protocol enjoys many attractive merits. Table 1 summarizes the properties of the different types of AKA protocol, including conventional AKA protocol over conventional PKC,

Table 1

Properties of AKA protocols over different public-key cryptography.

Types of AKA

Protocol CertificateImplicit Key-Escrow Free Channel Free

Secure-Traditional

AKA protocol × √ √

IB-AKA

protocol √ × ×

CL-AKA

protocol √ √ ×

CB-AKA

(3)

347

identity-based AKA (IB-AKA) protocol over IBC, CL-AKA protocol and CB-CL-AKA protocol.

To our knowledge, there exist four CB-AKA protocols [24, 33, 35, 45] in the literature so far. In [45], Wang and Cao proposed the first CB-AKA protocol that is based on Gentry’s certificate-based encryption scheme [10] and Smart’s AKA protocol [41]. Unfortunately, Lim

et al. [24] point out that Wang-Cao’s CB-AKA proto-col is insecure against ephemeral secret leakage. To fix the weakness in Wang-Cao’s protocol, Lim et al.

[24] proposed an improved CB-AKA protocol. They claim that the improved protocol is secure against all non-trivial secret leakages. However, no formal secu-rity proof is given in [24]. In [35], Luo et al. provide a security model for constructing provably secure CB-AKA protocols. They also present a CB-CB-AKA protocol that can be proven secure in the random oracle model [3]. Recently, Lu et al. [33] pointed out that the CB-AKA protocols in [24, 35, 45] can not resist the public key replacement (PKR) attack. To fight against PKR attack, Lu et al. [33] designed a new CB-AKA protocol with provable security in the random oracle model. The motivation of this paper is to design a CB-AKA protocol without costly bilinear pairing. In practice, the cryptographic operations are often performed on some devices which have very constrained resources, such as smart phone or PDA. Due to the limited com-putation or the constrained battery power, only the li-ghtweight or power-saving cryptographic schemes can be emplyed on these devices. All the previous CB-AKA protocols [24, 33, 35, 45] are constructed with bilinear pairings. Compared with other common cryptographic operations such as scalar multiplications in the ellip-tic curve group, the bilinear pairing may be the most expensive one. Our experiment results show that the average computation cost of a bilinear pairing is about nine times as much as that of a scalar multiplication in elliptic curve group under the 1024-bit RSA security level. Since the computationally-heavy pairing opera-tions will greatly aggravate the computation load of a device, they are extremely disliked by the computati-on-limited or power-constrained devices. Therefore, as far as the efficiency, the cryptographic schemes wi-thout bilinear pairing would be more attractive. Inspired by Schnorr’s signature scheme [37], we de-velop a practical CB-AKA protocol without bilin-ear pairing. Under the classic complexity

assump-tion computaassump-tional Diffie-Hellman assumpassump-tion, the proposed protocol is proven secure in the random oracle model. Without costly bilinear pairing oper-ations, the proposed CB-AKA protocol significantly decreases the computation cost. Compared with the previous pairing-based CB-AKA protocols [24, 33, 35, 45], it enjoys obvious advantage in the computational efficiency and is more suitable for the power-con-strained and computation-limited devices.

2. Preliminaries

2.1 Computational assumption

The security of our CB-AKA protocol is based on the computational Diffie-Hellman (CDH) assumption. Definition 1. Let G be a cyclic group of prime order q. The CDH problem over G is, given a tuple (P, xP, yP) ∈

G3_{for unknown values}_x_,_y_∈ *

q

Z , to compute xyP. The CDH assumption holds if for any polynomial-time algorithm A, the advantage Adv(A) = Pr{A(G, q, P, xP,

yP) = xyP} is negligible.

2.2 Bilinear pairing

Assume that G and GT are two cyclic groups of prime order q. A bilinear pairing e: G× G →GT is a map that satisfies the following properties:

1 Bilinearity: e(xU, yV) = e(U, V)xy_{for all}_U_,_V_∈_G_and

x, y ∈ *

q Z .

2 Non-degeneracy: There exists U, V ∈G such that

e(U, V) ≠ 1.

3 Computability: There exists an efficient algorithm to compute e U V( , )_{for all}U V G, ∈ .

Note that the construction of our CB-AKA protocol does not depend on the bilinear pairing. We only use this notion in the security proofs.

3. Formal model of CB-AKA protocol

3.1 Definition of CB-AKA protocol

(4)

performed by a CA to produce a master secret key and a set of system public parameters; (2) User key gene-ration algorithm UserKeyGen, which is performed by each user to produce a private key and a partial public key; (3) Certificate generation algorithm CertGen, which is performed by a CA to produce a full public key and a certificate for each user; (4) Key agreement algorithm KeyAgreement, which is performed by two communication users (an initiatorand a responder) to generate a session key.

Figure 1 gives a more concrete functional description of a CB-AKA protocol.

3.2 Security model of CB-AKA protocol

As introduced in [33, 35], a CB-AKA protocol should satisfy some commonly desired security properties, including known-key security, unknown key-share resilience, basic impersonation attacks resilience, forward secrecy, key compromise impersonation re-silience and key control security.

To capture these security properties, Luo et al. pre-sented a formal security model for CB-AKA protocols in [35]. However, Lu et al. [33] show that Luo et al.’s CB-AKA protocol is insecure against the PKR attacks, although it was proven secure in their proposed secu-rity model. To fix this problem, Lu et al. [33] improved Luo et al.’s security model to capture the adversaries’ PKR actions.

There are two types of adversaries against the

secu-Figure1

Functional description of a CB-AKA protocol

rity of CB-AKA protocols. They are the Type 1 adver-sary and the Type 2 adveradver-sary. The Type 1 adveradver-sary who acts as a malicious uncertified user is able to replace any user’s public key, but does not know the target user’s certificate. The Type 2 adversary who acts as an honest-but-curious CA possesses the CA’s master secret key, but does not know the target user’s private key and is disallowed to replace public keys. The security model of a CB-AKA protocol can be defined via an adversarial game which is played be-tween a challenger with a Type 1 adversary or a Type 2 adversary (denoted by ). In the description of the adversarial game, the symbol n_,

A B

∏ denotes an oralce that represents the n-th session between two participants A and B, where A is the initiatorand B

is the responder. LetS_ID= (ID_A,ID_B,MA Bn, ,MB An, ) be

the session identity of the session n_, A B

∏ , where n_, B A M and MA Bn, are the incoming protocol message and the

outgoing protocol message, respectively, in the n-th

session of the protocol. Two sessions are said to have matching conversation with each other if they have the same session identity.

The security model is formally described as follows: Setup. The challenger simulates the algorithm Setup to produce msk and params. Then the adversary  is given params if it is a Type 1 adversary or both msk

and params if it is a Type 2 adversary.

(5)

349

1 CreateUser(IDi): On receiving an identity IDi, the challenger outputs a public key PKi. If there is no public key associated with IDi, the challenger pro-duces a key pair (SKi, PKi) and a certificate Certi for

IDi, and then outputs PKi. In this case, the identi-ty IDi is said to be created. For simplicity, it is as-sumed that an identity can be responded by other oracles only when it has been created.

2 ReplacePublicKey(IDi, PKi′): On receiving an iden-tity IDi and a false public key PKi′, the challenger sets PKi′ as the user i’s current public key. Such an oracle is merely queried by the Type 1 adversary. It models the Type 1 adversary’s ability to replace public keys and thus captures the PKR attacks.

3 Corrupt(IDi): On receiving an identity IDi, the chal-lenger outputs a private key SK_i. For the Type 1 ad-versary, if it has made an oracle query ReplacePub-licKey(IDi, PKi′), then it is disallowed to request the user i’s private key.

4 Certificate(IDi): On receiving an identity IDi, the challenger outputs a certificate Certi. Such an or-acle is merely queried by the Type 1 adversary. If it has made an oracle query ReplacePublicKey(IDi,

i

PK′), then it is disallowed to request the user i’s certificate.

5 Send(∏_{i j}n_, , M): On receiving an oracle n_, i j

∏ _{and a}

mes-sage M, the challenger initiates a protocol session between the users i and j if M = λ or responds with an outgoing message according to the specification of the protocol otherwise. If the first message re-ceived by an oracle is λ, then n_,

i j

∏ _{is called an}

initia-tor; otherwise it is a responder oracle.

6 Reveal( n_, i j

∏ ): On receiving an oracle n_, i j ∏ , the challenger responds with the shared session key associated with n_,

i j ∏ .

Test. Once Phase 1 is over, the adversary  makes one Test query on an oracle ∏TI J, _{which is fresh (see}

the following Definition 2). To respond, the challeng-er picks a random bit b∈{0,1}. It outputs the shared session key SKTI J, _{associated with}∏TI J, _ifb=0 or a

ran-dom key chosen from the session key space otherwise. Phase 2.  continues to make a sequence of adaptive queries.

Guess.  outputs its guess b′∈{0,1}. It wins the game if and only if b b= ′ and the following constraints are satisfied: (1)  is unable to query the oracle Reveal on the oracle ∏TI J, _{and its matching conversation}∏TJ I,; (2)

 is unable to make a oracle query Certificate(IDJ) if it is a Type 1 adversary or a oracle query Corrupt(IDJ) if it is a Type 2 adversary.

The advantage of the adversary  in winning the game is defined to be Adv =Pr{b b= ′} 1/ 2- .

Definition 2. An oracle ∏nA B, _{is fresh if (1) It has}

estab-lished a shared session key; (2) The adversary  has not queried the oracle Reveal on it and its matching conversation; (3) The adversary  has not queried the oracle Certificate on the identity IDB if it is a Type 1 adversary or the oracle Corrupt on the identity IDB if it is a Type 2 adversary.

Definition 3. We say that a CB-AKA protocol is se-cure if the following two conditions are both satisfied: (1) Two oracles ∏ni j, _and∏mj i,_{always establish the same}

session key in the presence of a benign adversary, and the session key is distributed uniformly at random in the session key space; (2) Adv() is negligible for any adversary .

4. The proposed CB-AKA protocol

The proposed CB-AKA protocol is described as follows:

Setup(k): On input a security parameter k, this algo-rithm generates a cyclic group G of prime order q with generator P. It then chooses a random integer *

q s Z∈

as the CA’s master secret key msk and calculates the master public key Ppub = sP. Furthermore, it choos-es two cryptographic hash functions H1: {0,1}*×G ×

G → *

q

Z _andH2: {0,1}*× {0,1}*×G8→ {0,1}k. Finally, it

outputs msk = s and params = {k, q, G, P, Ppub, H1, H2}.

UserKeyGen(params): On input params, this algo-rithm chooses a random integer *

U q

x ∈Z _{as a private} key SK_U_{for a user}U with identity ID_U_{and then} com-putes a partial public key PPK_U =x P_U .

CertGen(params, msk, ID_U,PPK_U): On input

params, msk s= _{and a user}U’s identity IDU and partial public key PPK_U, this algorithm sets (1)

U U

PK =PPK . It then chooses a random integer *

U q

y ∈Z and com-putes (2)₌

U U

PK y P. Finally, it sets the user U’s public key ₍ (1)_, (2)₎

U U U

PK = PK PK _{and certificate}CertU = yU +

sH1(IDU, PKU).

KeyAgreement(params, IDA, PKA, SKA, CertA, IDB,

PKB, SKB, CertB): Assume that two participants A and

(6)

participant A is the initiatorwith identity IDA, public key PKA, private key SKA and certificate CertA, while the participant B is the responder with identity IDB, public key PKB, private key SKB and certificate CertB. As described in Figure 2, they can do as follows:

1 The participant A chooses a random integer t_A∈Z_q*, computes T_A =t P_A _{and then sends a message}

( , )

A A A M = ID T _toB.

2 After receiving M_A, the participant B chooses a

random integer *

B q

t ∈Z , computes T_B =t P_B _and sends a message MB = (IDB, TB) to A.

3 A and B, respectively, calculate four shared secrets as follows:

A calculates

(1) ₍ ₎₍ (1) ₎

AB A A A B B

K = SK +Cert +t PK +W

_,

(2) ₍ ₎₍ ₎

AB A A A B B

K = SK +Cert +t T W+

,

(3)₌

AB

K (1)

A

A B B

t PK +SK T

_,

(4)

AB A B K =t T

,

(1)

where (2)

1( , )

B B B B pub

W =PK +H ID PK P .

B calculates

(1) ₍ ₎

BA B B A

K = SK +Cert W

,

(2) ₍ ₎

BA B B A

K = t +Cert W

,

(2)

(3) (1)

BA B A B A K =t PK +SK T

,

(4)

BA B A

K =t T

,

(3)

where (1) (2)

1( , )

A A A A A pub A

W =PK +PK +H ID PK P +T .

4 A and B, respectively, compute the shared session key as follows:

2( , , , , , ,

AB A B A B A B

K =H ID ID PK PK T T (1)_, (2)_, (3)_, (4)₎

AB AB AB AB

K K K K

2( , , , , , ,

BA A B A B A B

K =H ID ID PK PK T T (1)_, (2)_, (3)_, (4)₎

BA BA BA BA

K K K K

(4) For the correctness of the proposed protocol, we can deduce that

(1)

AB

K =₍ ₎₍ (1) ₎

A A A B B

SK +Cert +t PK +W =(SKA+CertA+t SKA)( B+Cert PB)

=

₍ ₎ (1)

B B A BA

SK +Cert W =K

,

(5)

(2)

AB

K =(SKA+CertA+t T WA)( B+ B)

=(SKA+CertA+t tA)(B+Cert PB)

=₍ ₎ (2)

B B A BA

t +Cert W =K _,

(3) (1)

AB A B A B

K =t PK +SK T ₌ (1) (3)

B A B A BA SK T +t PK =K ,

(4) (4)

AB A B B A BA K =t T =t T =K .

(6)

Thus, we haveK_AB= K_BA. Figure 2

Key agreement phase of the proposed CB-AKA protocol

* B q

t Z

B B

T t P

( , )

B B B

M  ID T

(1) AB

K 

(2) ₍ ₎₍ ₎

AB A A A B B

K  SK Cert t T W

(1) (2)

1( , )

A A A A A pub A

W PK PK H ID PK P T

(1) ₍ ₎

BA B B A

K  SK Cert W

(2) ₍ ₎

BA B B A

K  t Cert W

(3) (1)

AB A B A B

K t PK SK T KBA(3)t PKB A(1)SK TB A *

A q

t Z

A A

T t P

( , )

A A A

M  ID T

(4) AB A B

K t T K(4)BAt TB A

(1) (2) (3) (4)

2( , , , , , , , , , )

AB A B A B A B AB AB AB AB

K H ID ID PK PK T T K K K K

(1) (2) (3) (4)

2( , , , , , , , , , )

BA A B A B A B BA BA BA BA

K H ID ID PK PK T T K K K K

(1)

(SKACertAt PKA)( B WB)

(2)

1( , )

B B B B pub

(7)

351

5. Security analysis

The security of the proposed CB-AKA protocol can be formally proved by combining the following three theorems.

Theorem 1. In the presence of a benign adversary, any two oracles n_,

i j

∏ and m_,

j i

∏ always establish the same shared session key that is distributed uniformly at ran-dom.

Proof.According to the correctness verification of the proposed protocol in Section 4, we can see that if two oracles n_,

i j

∏ and m_,

j i

∏ are matching, then they must es-tablish the same shared session key. In addtion, since the values tA, tB are randomly picked and TA, TB can be viewed as the random input of the hash function H2,

the shared session key can be viewed as the output of

H2. Thus, the session key is uniformly distributed due

to the properties of hash functions.

Theorem 2. Suppose that H1 and H2 are two random

oracles. If there is a Type 1 adversary 1 against the

security of our CB-AKA protocol with advantage e when running in time τ, making at most qcu queries to

the oracle CreateUser, qrp queries to the oracle

Replace-PublicKey, qco queries to the oracle Corrupt, qce queries

to the oracle Certificate, qse queries to the oracle Send,

qre queries to the oracle Reveal and qi queries to the random oracles Hi(1≤ i ≤ 2), then there exists an

algo-rithm  to solve the CDH problem in G with advantage

2 2

s cu n q q

ε

ε ′ ≥ and running time τ ′≤ τ+ (q1 + qrp + qco +

qce)O(1) + q2(4τm+ 9τp + O(1)) + qcu(3τm+ O(1)) + qse(τm+

O(1)) + qre(10τm+ 2τp + O(1)), where ns denotes the

max-imal number of the protocol sessions that each partici-pant participates in,τp andτm, respectively, denote the

time for computing a pairing and a scalar multiplica-tion in G.

Proof.Suppose that the algorithm  takes as input a random CDH instance (q, G, P, uP, vP), where u, v∈ *

q Z are unknown to the algorithm . To compute uvP,  interacts with the adversary 1 as below:

At the beginning of the game, the algorithm  chooses at random P_pub∈G_{as the system master public key} and sends params = {k, q, G , P, Ppub, H1, H2} to 1.

Furthermore, it picks three different indices I, J∈ {1, 2,…, qcu} and T∈ {1, 2,…, ns} at random.

In Phase 1 and Phase 2, the algorithm  answers the adversary 1’s queries as below:

H1(IDi, PKi): The algorithm  keeps a list L1 of tuples

<IDi, PKi, hi>. Upon receiving a H1 query on (IDi, PKi), it returns hi if a tuple <IDi, PKi, hi> is already in the list

L1. Otherwise, it randomly chooses h Zi∈ q*, adds a new tuple <IDi, PKi, hi> to the list L1 and returns hi.

H2(IDiA, IDiB, PKiA, PKiB, TiA, TiB, Ki(1), Ki(2), Ki(3), Ki(4)): The algorithm  keeps alist L2 of tuples <IDiA,IDiB,

A i PK , B

i PK , A

i T , B

i T , (1)

i K , (2)

i K , (3)

i K , (4)

i

K , hi>. Upon receiving a H2 query on(IDiA,IDiB,PKiA, PKiB,TiA,TiB,

(1)

i K , (2)

i K , (3)

i K , (4)

i

K ), it returns hi if a tuple <IDiA,IDiB, A

i PK , B

i PK , A

i T , B

i T , (1)

i K , (2)

i K , (3)

i K , (4)

i

K , hi> is already in the list L2. Otherwise,  does as below:

1 If there exists a tuple <∏ni j,, IDi, IDj, PKi, PKj,ti jn, ,Ti j,n, ,

n j i T , n_,

i j

K > in the list Ls(maintained by the oracle

Send) such thatKi jn, ≠⊥,ID IDi= Jand

_ Case 1: ∏_{i j}n_, is an initiator,  searches for the list

L2 to see if there exists a tuple <IDiA,IDiB,PKiA, B

i PK , A

i T , B

i T , (1)

i K , (2)

i K , (3)

i K , (4)

i

K ,h_i> such that i

ID₌ A i

ID ,ID_j= B i ID , A

i

PK =PK_i, B i

PK =PK_j, _,n i j T = A

i T

andTj in, =TiB. If it does,  computes Ki(2)=Ki(2)-(SK Cert Ti+ i)( j in, +PKi(2)+h Pi pub)-t Ti j in, (2) (2) (2)

, ,

= ( )( n + ) n

i i i i j i i i pub i j i

K K - SK Cert T+ +PK h P -t T _{and checks} whether the following equations hold given a proper bilinear map e for the group G:

(2) (2) ,

( + , n) ( , )

i i pub i j i e PK h P T =e K P ,

(1) (1) (2) ,

( + n )(

i i i i j j j

K = SK Cert t+ PK +PK +H ID PK P₁( j, j) pub),

(3) (1) ,

n n

i i j j i j,i K =t PK +SK T ,

(4) , ,

n n i i j j i K =t T .

(7)

If (1)

i K , (2)

i K , (3)

i

K and (4)

i

K pass the above validati-ons, then  sets hi =Ki jn, , adds a new tuple <IDiA,

B i ID , A

i PK , B

i PK , A

i T , B

i T , (1)

i K , (2)

i K , (3)

i K , (4)

i

K ,hi> to the list L2 and returns hi.

_ Case 2: ∏n_{i j}_, is a responder,  searches for the list L2 to see if there exists a tuple <IDiA,IDiB,

A i

PK , B i PK , A

i T , B

i T , (1)

i K , (2)

i K , (3)

i K , (4)

i

K ,h_i> such that ID_j= A

i

ID ,IDi=IDiB,PKiA=PKj,PKiB=PKi,

,n

i j T = B

i

T andTj in, =TiA. If it does,  computes

(2)

i

K = (2) (1) (2)

,

( + n)

i i j j j pub j i K -Cert PK +PK h P +T

-,n n,

j i j i j i

SK T -t T and checks whether the following equations hold given a proper bilinear map e for the group G:

(2) (2) ,

( + , n) ( , )

i i pub i j i e PK h P T =e K P

,

(1) (1) (2) ,

( + n ) (

i i i i j j j

K = SK Cert t+ ⋅ PK +PK

+H ID PK P1( j, j) pub)

,

(8)

(3) n i i j,i

K =SK T (1) ,

n i j j t PK

+

,

(4) , ,

n n i i j j i K =t T

.

If (1)

i K , (2)

i K , (3)

i

K and (4)

i

K pass the above validations, then  sets h_i= n_,

i j

K , puts a new tuple < A i ID , B

i ID , A

i PK , B

i PK , A

i T , B

i T , (1)

i K , (2)

i K , (3)

i K , (4)

i

K ,hi> in the list L2

and returnsh_i.

2 Else, if there exists a tuple <∏ni j, , IDi, IDj, PKi, PKj,

,

n i j t , _,n

i j T , n_,

j i T , n_,

i j

K > on L_s_{such that}Ki jn, ≠⊥, IDi ≠IDJ and the following equations hold given a proper bi-linear map e for the group G:

(1) (1) (2)

1 ,

( , ) ( ( , ) n,

i i i i i pub i j

e K P =e PK +PK +H ID PK P +T (1) (2)

1( , ) )

j j j j pub

PK +PK +H ID PK P ,

(2) (1) (2)

1 ,

( , ) ( ( , ) n,

i i i i i pub i j

e K P =e PK +PK +H ID PK P +T

Tj in, +PK(2)j +H ID PK P1( j, j) pub),

(3) (1) (1)

, ,

( , ) ( ,n ) ( , )n

i i j j i j i

e K P =e T PK e PK T ,

(4)

, ,

( , ) ( , )n n

i i j j i

e K P =e T T , ₍₉₎

then  setsh Ki = i jn, , puts a new tuple <IDiA, IDiB, A

i PK , B

i PK , A

i T , B

i T , (1)

i K , (2)

i K , (3)

i K , (4)

i

K ,hi> in the list L2 and returnshi.

3 Otherwise, the algorithm  picks a random value

{0,1}k i

h ∈ , puts a new tuple < A i ID , B

i ID , A

i PK , B

i PK , A

i T , B

i T , (1)

i K , (2)

i K , (3)

i K , (4)

i

K ,hi> in the list L2 and

returnsh_i.

CreateUser(ID_i): The algorithm  keeps a list Lc of tuples<ID SK PK Cert_i, _i, _i, _i >. Upon receiving a

CreateUser query on(IDi), it returnsPKiif a tuple

, , ,

i i i i ID SK PK Cert

< >is already in the list Lc. Otherwise, it performs as below:

1 If ID_i_{is the}J-th identity submitted to this oracle (i.e.,IDi=IDJ), it randomly chooses x Zi∈ *q, com-putes PK_i =(x P uP h P_i , - _{i pub})and sets Cert_i =⊥

and SKi =xirespectively. It then adds new tuples

, , ,

i i P i ID x K

< ⊥>_and<ID PK h_i, _i, _i >to the lists Lc and L1, respectively, and returnsPKi.

2 Otherwise, it randomly chooses s x h Z_i, ,_i _i∈ _q*, com-putes PKi =(x P P h Pi ,si - i pub)_{and sets}Certi =⊥ and SK_i =x_irespectively. It then adds new tuples

, , i, i i P i

D K

I x s

< > and <IDi, PKi, hi> to the lists Lc and L1, respectively, and returns PKi.

Certificate(IDi): Upon receiving a Certificate query

on (ID_i), the algorithm  aborts the game if IDi =IDJ. Otherwise, it searches for the list Lc to get a tuple

, , ,

< >and returns Certi.

Corrupt(ID_i): Upon receiving a Corrupt query on (ID_i), the algorithm  searches for the list Lc to get a tuple

, , ,

< >and returnsSK_i.

ReplacePublicKey(ID_i,PK_i′): Upon receiving a query on (ID_i,PK_i′), the algorithm  searches for the list

Lc to get a tuple <ID SK PK Certi, i, i, i > and replaces it with <IDi, ,⊥ PKi′,⊥>.

Send( n_, i j

∏ , M): The algorithm  keeps a listLsof tu-ples <∏ni j, , IDi, IDj, PKi, PKj,ti jn, ,Ti j,n ,Tj in, ,Ki jn, >. Upon

receiving a Send query on ( n_, i j

∏ , M) ( sets Tj in, =M if

M ≠λ),  returnsTi j,n if a tuple <∏ni j, , IDi, IDj, PKi, PKj,

,

n i j

t ,Ti j,n ,Tj in, ,Ki jn, > is already in the list Ls. Otherwise,  does as follows:

1 If ∏ = ∏n_{i j}_, T_{I J}_, , it sets n_, n_, i j i j K =t =⊥, _,n

i j

T =vP, n_, j i T =M, then puts a new tuple < n_,

i j

∏ , IDi, IDj, PKi, PKj,ti jn, , ,

n i j T , n_,

j i T , n_,

i j

K > in the list Ls and returns Ti j,n .

2 Otherwise, it randomly chooses Ki jn, ∈{0,1}k, *

,

n i j q

t ∈Z _{and sets} _,n n_, i j i j

T =t P, then puts a new tuple <

,

n i j

∏ , IDi, IDj, PKi, PKj,ti jn, ,Ti j,n ,Tj in, ,Ki jn, > in the list Ls and returns _,n

i j T .

Reveal(∏ni j, ): Upon receiving a Reveal query on (∏i jn, ),

the algorithm  aborts the game if ∏ = ∏ni j, TI J, or∏ni j,

is a matching conversation of ∏TI J, . Otherwise, it

searches for a tuple < n_, i j

∏ , IDi, IDj, PKi, PKj,ti jn, , Ti j,n , ,

n j i T , n_,

i j

K > in the list Ls and does the following:

1 If <∏n_{i j}_, , IDi, IDj, PKi, PKj,ti jn, ,Ti j,n ,Tj in, ,Ki jn, > is on the

list Ls andKi jn, ≠⊥,  returnsKi jn, .

2 Else if <∏n_{i j}_,, IDi, IDj, PKi, PKj, ti jn, , Ti j,n, Tj in,, Ki jn,> is

on the list Ls andKi jn, =⊥,  searches for a tuple

, , ,

< >_{in the list} Lc and performs as follows:

_ Case 1: ID_i =ID_J, n_, i j

∏ _{is an initiator and there}

exists a tuple < A i ID , B

i ID , A

i PK , B

i PK , A

i T , B

i T ,

(1)

i K , (2)

i K , (3)

i K , (4)

i

K , h_i_{> in the list} L2 such that

A i i

ID ID= , B j i ID =ID , A

i i

PK =PK , B i

PK =PK_j,

,n A

i j i

T =T _and n_, B j i i

T =T . If it does,  computes Ki(2) =

(2) (2)

, , ,

( )( n + ) n n

i i i j i i i pub i j j i K - SK Cert T+ +PK h P -t T and checks whether the following equations hold:

(2) (2) ,

( + , n) ( , )

,

(1) (1) (2) ,

( + n )(

i i i i j j j

K = SK Cert t+ PK +PK +

H ID PK P1( j, j) pub)

,

(9)

353

(3)

i

K = (1)

,

n n

i j j i j,i t PK +SK T

,

(4) , ,

.

If (1)

i K , (2)

i K , (3)

i

K _and (4)

i

K _{pass the above} validati-ons, then  sets Ki jn, =hiand returnshi.

_ Case 2: ID_i =ID_J, n_, i j

∏ is a responder and there exists a tuple < A

i ID , B

i ID , A

i PK , B

i PK , A

i T , B

i T , (1)

i K , (2)

i K , (3)

i K , (4)

i

K , h_i> in the list L2 such

that ID_j₌ A i

ID , ID_i₌ B

i ID , A

i

PK ₌PKj, PKiB = PKi,

,n

i j T ₌ B

i

T _andTj in,₌TiA. If so,  computes Ki(2)=

(2) (1) (2)

, ,

( + n) n

i i j j j pub j i j i j K -Cert PK +PK h P +T -SK T -t Ti j j in, n,

and checks whether the following equations hold:

(2) (2) ,

( + , n) ( , )

(1) (1) (2) ,

( + n )(

i i i i j j j

K = SK Cert t+ PK +PK +

,

(3) (1) ,

n i i j j

K =t PK + n i j,i SK T

,

(4) , ,

.

(11)

If (1)

i K , (2)

i K , (3)

i

K and (4)

i

K pass the above validati-ons, then  setsKi jn, =hiand returnshi.

_ Case 3: ID_i ≠ID_J, n_, i j

∏ _{is an initiator and there}

i ID , A

i PK , B

i PK , A

i T , B

i T , (1)

i K , (2)

i K ,

(3)

i K , (4)

i

K , h_i> in the list L2 such that IDi = IDiA, IDj₌ B

i ID , A

i

PK ₌PKi, PKiB = PKj, Ti j,n = TiA and Tj in,₌TiB. If it does,  checks whether the following equations hold:

(1) (1) (2) ,

( n )(

i i i i j j j

K = SK Cert t+ + PK +PK +

,

(2) (2) ,

( n )( n

i i i i j j,i j K = SK Cert t+ + T +PK +

,

(3)

i

K = (1)

,

n n

i j j i j,i t PK +SK T

,

(4) ,

n n i i j j,i K =t T

.

(12)

If (1)

i K , (2)

i K , (3)

i

K _and (4)

i

K _{pass the above} validati-ons, then  sets Ki jn, =hi_{and returns}hi.

_ Case 4: ID_i ≠ID_J, ∏i jn, _{is a responder and there}

i ID , A

i PK , B

i PK , A

i T , B

i T , (1)

i K , (2)

i K ,

(3)

i K , (4)

i

K , hi > in the list L2 such that IDj₌IDiA, IDi = B

i ID , A

i

PK ₌PKj, PKiB = PKi, Ti jn, = TiB and Tj in,₌TiA. If it does,  checks whether the following equations hold:

(1) ₍ ₎₍ (1) (2)

i i i j j

K = SK Cert PK+ +PK +

H ID PK1( j, j)Ppub+ )Tj in,

,

(2) (1) (2)

,

( n )(

i i j i j j

K = t +Cert PK +PK +

,

(3) (1) ,

= n n

i i j j i j,i K t PK +SK T

,

(4) ,

.

(13)

If (1)

i K , (2)

i K , (3)

i

K _and (4)

i

K _{pass the above} validati-ons, then  sets Ki jn, =hi_{and returns}hi.

3 Otherwise,  randomly chooses n_, {0,1}k i j

K ∈ and returns Ki jn, .

At the test phase, if ₁ does not ask a Test query on the oracle T_,

I J

∏ , then  aborts the game. Otherwise,  returns a random value _x_∈{0,1}k_.

Once 1 finishes its queries, it returns its guess.

Clearly, if ₁can win the game with non-negligible advantage ε, there must exist a tuple < T_,

I J

∏ , ID_I, ID_J, I

PK , PKJ=⊥, , TI JT, , TJ IT,=⊥, > in the list Ls. According to the above simulation, if T_,

I J

∏ is an initiator, then there exists a tupe < A

i ID , B

i ID , A

i PK , B

i PK , A

i T , B

i T , (1)

i K , (2)

i K ,

(3)

i K , (4)

i

K , h_i_{> in the list}L2 such that TiA = TI JT, ₌vP and ,

B T i J I

T =T =M_{(Note that if}M is an incoming message, then M = TJ IT, ).  computes

Z =

(2) (2)

,

( )( T

i I I J I J

K - SK +Cert T +PK +

1( J, J) pub) TI,J J IT,

H ID PK P -t T

=

(SKI+Cert tI+ I,JT )(TJ IT, +U) (- SKI +

(4) ,

)( T )

I J I I Cert T +U -K

=

T =

I,J

t uP uvP

,

(14)

where (4) ,

T T I I,J J I

K =t T _{which can be found in the list}L2.

Else if ∏TI J, _{is a responder, then there exists a tuple}

< A i ID , B

i ID , A

i PK , B

i PK , A

i T , B

i T , (1)

i K , (2)

i K , (3)

i K , (4)

i

K , h_i> in the list L2 such that TiB =TI JT, =vP_andTiA = TJ IT, =M

(Note that if M is an incoming message, then T_, J I M T= ).  computes

Z =

(2) ₍ (1) (2)

i I J J

K -Cert PK +PK +

H ID PK P1( J, J) pub+TJ IT, )-SK V t TJ - TI,J J IT,

(10)

Information Technology and Control 2017/3/46 354

=

(1)

,

(T )( + T )

I,J I J J I

t +Cert PK +U T

Cert PKI( J(1)+ +U TJ IT, )-SK V KJ - I(4)

=

T =

I,J

t uP uvP

,

where (4)

,

T T I I,J J I

K =t T _{which can be found in the list}L₂. For both cases, we have that Z uvP= . Therefore, the algorithm  can return Z as the solution to the given CDH problem.

To derive the algorithm ’s advantage in solving the CDH problem, we define the following events: (1) E1:

1 does not choose∏TI J, as the test oracle; (2) E2: 1

makes an oracle query Certificate(ID_J); (3) E3: 1

makes an oracle query Reveal (∏TI J, ).

According to the above simulation, the algorithm  aborts the game only when one of the above events happens. It is clear that Pr[¬E1] ≥1/(n qs cu2 ) as I, J∈ {1, 2,…, qcu} and T∈ {1, 2,…, ns}. In addition, because ¬E1

implies both ¬E2 and ¬E3, we get that Pr[¬E1∧¬E2∧

¬E3] ≥ 1/(n qs cu2).

Since the algorithm  selects the correct tuple from the list L2 with probability 1/q2, it can correctly solve

the given CDH problem with advantage ₂

2

s cu n q q

ε

ε ′ ≥ .

The time complexity of the algorithm  is mainly dominated by the running time τ of the adversary 1

and the scalar multiplications and pairings performed in the queries. From the simulation above, we obtain that the time complexity of the algorithm  is bound-ed by τ ′≤ τ+ (q1 + qrp + qco + qce)O(1) + q2(4τm+ 9τp + O(1)) + qcu(3τm+ O(1)) + qse(τm+ O(1)) + qre(10τm+ 2τp + O(1)). Theorem 3. Suppose that H1 and H2 are two random

oracles. If there is a Type 2 adversary 2 against the

security of our CB-AKA protocol with advantage e when running in time τ, making at most qcu queries to

the oracle CreateUser, qco queries to the oracle Corrupt,

qse queries to the oracle Send, qre queries to the oracle

Reveal and qi queries to the random oracles Hi(1≤ i ≤ 2), then there exists an algorithm  to solve the CDH

problem in G with advantage ₂

2

s cu n q q

ε

ε ′ ≥ and running

time τ ′≤ τ+ (q1 +qco)O(1) + q2(4τm+ 9τp + O(1)) + qcu(3τm + O(1)) + qse(τm+ O(1)) + qre(7τm+ O(1)), where ns

de-notes the maximal number of the protocol sessions that each participant participates in,τp andτm, respectively,

denote the time for computing a pairing and a scalar multiplication in G.

Proof. Suppose that the algorithm  takes as input a random CDH instance (q, G, P, aP, bP), where a, b∈

*

q

Z _{are unknown to the algorithm}. To computeabP,  interacts with the adversary 2 as below:

At the beginning of the game, the algorithm  chooses a random value *

q

s Z∈ _{as the master key}msk and computes P_pub=sP. It then outputs the public parameters params = {k, q, G, P, Ppub, H1, H2} and the

master secret key msk = s to ₂. Furthermore, it selects three different indices I, J∈ {1, 2,…, qcu} and T ∈ {1, 2,…, ns} at random.

In Phase 1 and Phase 2, the algorithm  answers the adversary ₂’s queries as below:

H1(IDi,PKi): The algorithm  keeps a list L1 of

tu-ples <ID_i,PK_i,h_i>. Upon receiving a H1 query on

(ID_i,PK_i), the algorithm  returnshiif there exists a tuple <ID_i,PK_i,h_i> in the list L1. Otherwise, it selects

a random value *

i q

h Z∈ , adds a new tuple < ID_i, PK_i, i

h_{> to the list}L1 and returns hi.

H2(IDiA, IDiB, PKiA, PKiB, TiA, TiB, Ki(1), Ki(2), Ki(3),Ki(4), i

h): The algorithm  keeps a list L2 of tuples <IDiA, B

i ID , A

i PK , B

i PK , A

i T , B

i T , (1)

i K , (2)

i K , (3)

i K , (4)

i K , h_i>. Upon receiving a H2 query on (IDiA,IDiB,PKiA, PKiB,

A i T , B

i T , (1)

i K , (2)

i K , (3)

i K , (4)

i

K ), the algorithm  re-turnshiif there exists a tuple <IDiA, IDiB, PKiA, PKiB,

A i T , B

i T , (1)

i K , (2)

i K , (3)

i K , (4)

i

K , h_i> in the list L2.

Oth-erwise, the algorithm  searches for a tuple <∏ni j, , IDi,

IDj, PKi, PKj,ti jn, , Ti j,n , Tj in, , Ki jn, > in the list Ls and per-forms as follows:

1 If such a tuple exists and satisfies the equations:

(1) (1) (2) 1

( _i , ) ( _i _i ( _i, _i) _pub

e K P =e PK +PK +H ID PK P

(1) (2)

,n, 1( , ) )

i j j j j j pub

T PK PK H ID PK P

+ + +

,

(2) (1) (2) 1

( _i , ) ( _i _i ( _i, _i) _pub

e K P =e PK +PK +H ID PK P

(2)

,n, n, 1( , ) )

i j j i j j j pub T T PK H ID PK P

+ + +

,

(3)

,

( , ) ( ,n

i i j

e K P =e T (1) (1) ,

) ( , )n

j i j i PK e PK T

,

(4)

, ,

( , ) ( , )n n

i i j j i e K P =e T T

,

then the algorithm  obtains Ki jn, _{and sets}h Ki = i jn, .

It adds a new tuple < A i ID , B

i ID , A

i PK , B

i PK , A

i T , B

i T ,

(1)

i K , (2)

i K , (3)

i K , (4)

i

K , h_i> to the list L2 and returns hi.

2 Otherwise,  randomly selects hi ∈{0,1}k, adds a new tuple < A

i ID , B

i ID , A

i PK , B

i PK , A

i T , B

i T , (1)

i K ,

(2)

i K , (3)

i K , (4)

i

(11)

355

CreateUser(ID_i): The algorithm  keeps a list Lc of tuples <ID SK PK Cert_i, _i, _i, _i >. Upon receiving a Cre-ateUser query on (IDi), the algorithm  returns PKi if a tuple<ID SK PK Cert_i, _i, _i, _i >is already in the list

Lc. Otherwise, it does as below:

1 If ID_i =ID_J, it randomly selects _, *

q i i h

Cert ∈Z , sets

( , )

i i i

PK = aP Cert P h sP- , adds a new tuple <IDi, ,

,PK_i Cert_i

⊥ >_{to the list} Lc and returnsPKi.

2 Otherwise, it randomly selects SK Cert_i, _i,hi∈Zq*, setsPKi =(SK P Cert P h sPi , i - i ), adds a new tuple

, , ,

< > to the list Lc and returns i

PK .

Corrupt(ID_i): Upon receiving a Corrupt query on (IDi), the algorithm  aborts if IDi =IDJ. Otherwise, it retrives a tuple <ID SK PK Cert_i, _i, _i, _i >_{in the list} Lc and returns SKi.

Send( n_, i j

∏ , M): The algorithm  keeps a listLsof tu-ples <∏i jn, , IDi, IDj, PKi, PKj,ti jn, , Ti j,n , Tj in, , Ki jn, >. Upon

receiving a Send query on ( n_, i j

∏ , M) ( sets Tj in, =M

if M ≠λ),  returns Ti j,n _to2 if a tuple <∏ni j, , IDi, IDj,

PKi, PKj,ti jn, , Ti jn, , Tj in, , Ki jn, > is already in the list Ls. Otherwise, it does as follows:

1 If ∏ = ∏_{i j}n_, T_{I J}_, , it sets n_, n_, i j i j K =t =⊥, _,n

i j

T =bP and

,

n j i

T ₌M. Then it adds a new tuple <∏ni j, , IDi, IDj,

PKi, PKj,ti jn, , Ti jn, , Tj in, ,Ki jn, > to the list Ls and returns

,

n i j T .

2 Otherwise, it randomly choosesK_{i j}n_, ∈{0,1}k,

* ,

n i j q t ∈Z

and sets Ti j,n =t Pi jn, . Then it puts a new

tu-ple < n_, i j

∏ , IDi, IDj, PKi, PKj,ti jn, , Ti j,n , Tj in, , Ki jn, > in the

list Ls and returns Ti j,n .

Reveal(∏i jn, ): Upon receiving a Reveal query on (∏ni j, ),

the algorithm  aborts the game if n_, T_, i j I J

∏ = ∏ or n_,

i j ∏

is a matching conversation of T_, I J

∏ . Otherwise,  searches for a tuple < n_,

i j

∏ , IDi, IDj, PKi, PKj,ti jn, , Ti j,n ,Tj in, , ,

n i j

K > in the list Ls.

1 If such a tuple exists and K_{i j}n_, ≠⊥, it returns n_, i j K .

2 Else if such a tuple exists and Ki jn, =⊥, it searches

for a tuple <ID SK PK Cert_i, _i, _i, _i >in the list Lc and does as below:

_ Case 1: ∏_{i j}n_, is an initiator and a tuple < A i ID , B

i ID , A

i PK , B

i PK , A

i T , B

i T , (1)

i K , (2)

i K , (3)

i K , (4)

i

K , hi > can be found in the list L2 such that IDi = IDiA,IDj₌IDiB,

A i

PK ₌PKi, PKiB = PKj, Ti jn, ₌TiAand Tj in, =TiB. If it does,  checks whether the following equations hold:

(1) (1) (2) ,

( n )(

i i i i j j j

K = SK Cert t+ + PK +PK +

,

(2) (2) ,

=( n )( n

i i i i j j,i j K SK Cert t+ + T +PK +

,

(3) (1) ,

= n n

i i j j i j,i K t PK +SK T

,

(4) ,

.

(17)

If (1)

i K , (2)

i K , (3)

i

K _and (4)

i

K _{pass the above validations,} then  sets Ki jn, =hi_{and returns}hi.

_ Case 2: ∏n_{i j}_, _{is a responder and there exists a tuple}

< A i ID , B

i ID , A

i PK , B

i PK , A

i T , B

i T , (1)

i K , (2)

i K , (3)

i K , (4)

i K , hi> in the list L2 such that IDj₌IDiA, IDi= IDiB, PKiA =

j PK , B

i

PK ₌PKi, Ti j,n₌TiB and Tj in, = TiA. If it does,  checks whether the following equations hold:

(1) ₍ ₎₍ (1) (2)

i i i j j

K = SK Cert PK+ +PK +

,

(2) (1) (2) ,

( n )(

i i j i j j

K = t +Cert PK +PK +

,

(3) (1) ,

= n +

i i j j

K t PK n

i j,i SK T

,

(4) ,

.

(18)

If (1)

i K , (2)

i K , (3)

i

K _and (4)

i

K _{pass the above} validati-ons, then  sets n_,

i j i

K =hand returnsh_i.

3 Otherwise, it randomly selectsKi jn, ∈{0,1}k and

re-turns n_, i j K .

At the test phase, if the adversary _2 does not ask a

Test query on the oracle T_, I J

∏ , then the algorithm  aborts the game. Otherwise, the algorithm  outputs a random value _x_∈{0,1}k_.

Once the adversary _2 finishes its queries, it returns

its guess. Clearly, if the adversary 2 can win the game

with non-negligible advantage ε, then there must be a tuple < T_,

I J

∏ ,ID_I,ID_J,PK_I,PK_J=⊥, ,bP, T_, J I

T =⊥, > in the list Ls. According to the above simulation, if ∏TI J,

is an initiator oracle, then there exists a tuple < A i ID , B

i ID , A

i PK , B

i PK , A

i T , B

i T , (1)

i K , (2)

i K , (3)

i K , (4)

i

K , hi> in the list L2 such that PKiB=PKJ, wherePKJ(1)=aPand

,

A T i I J

T =T =bP; else if ∏TI J, _{is a responder oracle, then}

there exists a tuple < A i ID , B

i ID , A

i PK , B

i PK , A

i T , B

i T , (1)