An efficient certificateless authenticated key agreement protocol without bilinear pairings
Debiao He*, Yitao Chen
School of Mathematics and Statistics, Wuhan University, Wuhan, China. *Corresponding author. Email: [email protected], Tel: +008615307184927
Abstract: Certificateless public key cryptography simplifies the complex certificate management of traditional public key cryptography and resolves the key escrow problem of identity-based cryptography. Many certificateless authenticated key agreement protocols using bilinear pairings have been proposed. However, the relative computation cost of a pairing is approximately twenty times higher than that of a scalar multiplication over an elliptic curve group. Recently, several certificateless authenticated key agreement protocols without pairings were proposed to improve performance. In this paper, we propose a new certificateless authenticated key agreement protocol without pairings. A user in our protocol needs to compute only five scalar multiplications to finish the key agreement. We also show that the proposed protocol is secure in the random oracle model.
Key words: Certificateless cryptography; Authenticated key agreement; Provable security; Bilinear pairings; Elliptic curve
Classification Codes: 11T71, 94A60
1. Introduction
Public key cryptography is an important technique for realizing network and information security. Traditional public key infrastructure requires a trusted certification authority to issue a certificate binding the identity and the public key of an entity. Hence, the problem of certificate management arises. To solve this problem, Shamir defined a new public key paradigm called identity-based public key cryptography [1]. However, identity-based public key cryptography needs a trusted KGC to generate the private key of an entity from its identity, so we are confronted with the key escrow problem. Fortunately, both problems, the one in traditional public key infrastructure and the one in identity-based public key cryptography, can be avoided by introducing certificateless public key cryptography (CLPKC) [2], which can be conceived as an intermediate between traditional public key infrastructure and identity-based cryptography. The first certificateless two-party authenticated key agreement (CTAKA) protocol appears in the seminal paper by Al-Riyami and Paterson [2]. However, no formal security model or proof for this CTAKA protocol is provided. Some early certificateless key exchange protocols (e.g., [3-6]) were proposed with only heuristic security analysis. In order to improve the security, Swanson [7] proposed the first formal security model for CTAKA protocols. Swanson also pointed out that several early CTAKA protocols [3-6] are insecure in his model. In [8], Lippold et al. proposed a new security model for CTAKA protocols. They also proposed a CTAKA protocol and proved its security under their model. Compared with Swanson's model, Lippold et al.'s model is stronger in the sense that after the adversary replaces the public key of a user, the user uses the new public/private key pair in the rest of the game, while in Swanson's model the user keeps using his/her original public/private key pair. However, the performance of Lippold et al.'s protocol is unacceptable.
Very recently, Zhang et al. [9] proposed a different security model. They also proposed an efficient CTAKA protocol and demonstrated that their protocol is provably secure in their model. All the above CTAKA protocols [2-9] are built from bilinear pairings, and the pairing is regarded as an expensive cryptographic primitive. The relative computation cost of a pairing is approximately twenty times higher than that of a scalar multiplication over an elliptic curve group [10]. Therefore, CTAKA protocols without bilinear pairings would be more appealing in terms of efficiency. Recently, several certificateless key exchange protocols without pairings have been proposed in [11-14]. However, Yang et al. [13] pointed out that both Geng et al.'s protocol [11] and Hou et al.'s protocol [12] are not secure, and proposed an improved CTAKA protocol. He et al. [14] also proposed a CTAKA protocol without pairings. Unfortunately, Han [15] demonstrated that their scheme is not secure against a Type 1 adversary. In this paper, we propose a new CTAKA protocol without pairings. A user in our protocol needs to compute only five elliptic curve scalar multiplications to complete the key agreement, so our protocol has the best performance among the CTAKA protocols. We also show that our protocol is provably secure in the random oracle model. The remainder of this paper is organized as follows. Section 2 describes some preliminaries. In Section 3, we propose our certificateless authenticated key agreement protocol. The security analysis of the proposed protocol is presented in Section 4. In Section 5, a performance analysis is presented. Conclusions are given in Section 6.
2. Preliminaries
Let the symbol $E/F_p$ denote an elliptic curve $E$ over a prime finite field $F_p$, defined by an equation
$y^2 = x^3 + ax + b, \quad a, b \in F_p$, (1)
and with the discriminant
$\Delta = 4a^3 + 27b^2 \neq 0$. (2)
The points on $E/F_p$ together with an extra point $O$ called the point at infinity form a group
$G = \{(x, y) : x, y \in F_p, \ E(x, y) = 0\} \cup \{O\}$. (3)
Let the order of $G$ be $n$. $G$ is a cyclic additive group under the point addition "+" defined as follows: let $P, Q \in G$, let $l$ be the line containing $P$ and $Q$ (the tangent line to $E/F_p$ if $P = Q$), and let $R$ be the third point of intersection of $l$ with $E/F_p$. Let $l'$ be the line connecting $R$ and $O$. Then $P$ "+" $Q$ is the point such that $l'$ intersects $E/F_p$ at $R$, $O$ and $P$ "+" $Q$. Scalar multiplication over $E/F_p$ can be computed as follows:
$tP = P + P + \cdots + P$ ($t$ times). (4)
The following problem defined over $G$ is assumed to be intractable within polynomial time.
Computational Diffie-Hellman (CDH) problem: Given a generator $P$ of $G$ and $(aP, bP)$ for unknown $a, b \in_R Z_n^*$, compute $abP$. The CDH assumption states that the probability of any polynomial-time algorithm solving the CDH problem is negligible.
A CTAKA protocol consists of six polynomial-time algorithms [2, 8]: Setup, Partial-Private-Key-Extract, Set-Secret-Value, Set-Private-Key, Set-Public-Key and Key-Agreement. These algorithms are defined as follows.
Setup: This algorithm takes a security parameter $k$ as input and returns the system parameters $params$ and the master key.
Partial-Private-Key-Extract: This algorithm takes $params$, the master key and a user's identity $ID_i$ as inputs and returns a partial private key $D_i$.
Set-Secret-Value: This algorithm takes $params$ and a user's identity $ID_i$ as inputs, and generates a secret value $x_i$.
Set-Private-Key: This algorithm takes $params$, a user's partial private key $D_i$ and his secret value $x_i$ as inputs, and outputs the full private key $S_i$.
Set-Public-Key: This algorithm takes $params$ and a user's secret value $x_i$ as inputs, and generates a public key $P_i$ for the user.
Key-Agreement: This is a probabilistic polynomial-time interactive algorithm which involves two entities $A$ and $B$. The inputs are the system parameters $params$ for both $A$ and $B$, plus $(S_A, ID_A, P_A)$ for $A$ and $(S_B, ID_B, P_B)$ for $B$. Here, $S_A$, $S_B$ are the respective private keys of $A$ and $B$; $ID_A$ is the identity of $A$ and $ID_B$ is the identity of $B$; $P_A$, $P_B$ are the respective public keys of $A$ and $B$. Eventually, if the protocol does not fail, $A$ and $B$ will obtain a secret session key $K = K_{AB} = K_{BA}$.
In CTAKA, as defined in [2], there are two types of adversaries with different capabilities. We assume that the Type 1 adversary $A_1$ acts as a dishonest user, while the Type 2 adversary $A_2$ is an adversary that knows the master key.
Type 1 Adversary: Adversary $A_1$ can replace the public key of any entity with a value of his choice, since there is no certificate involved in CLPKC.
Type 2 Adversary: Adversary $A_2$ has access to the master key, but cannot replace any user's public key.
Very recently, Zhang et al. [9] presented a security model for AKA protocols in the setting of CLPKC. The model is defined by the following game between a challenger $C$ and an adversary $A \in \{A_1, A_2\}$. $A$ is modeled by a probabilistic polynomial-time Turing machine. All communications go through the adversary $A$. Participants only respond to the queries by $A$ and do not communicate directly among themselves. $A$ can relay, modify, delay, interleave or delete all the message flows in the system. Note that $A$ can act as a benign adversary, which means that $A$ is deterministic and restricts her action to choosing a pair of oracles $\Pi^n_{i,j}$ and $\Pi^t_{j,i}$ and then faithfully conveying each message flow from one oracle to the other. Furthermore, $A$ may ask a polynomially bounded number of the following queries.
Create($ID_i$): This allows $A$ to ask $C$ to set up a new participant $i$ with identity $ID_i$. On receiving such a query, $C$ generates the public/private key pair for $i$.
Public-Key($ID_i$): $A$ can request the public key of a participant $i$ whose identity is $ID_i$. To respond, $C$ outputs the public key $P_i$ of participant $i$.
Partial-Private-Key($ID_i$): $A$ can request the partial private key of a participant $i$ whose identity is $ID_i$. To respond, $C$ outputs the partial private key $D_i$ of participant $i$.
Corrupt($ID_i$): $A$ can request the private key of a participant $i$ whose identity is $ID_i$. To respond, $C$ outputs the private key $S_i$ of participant $i$.
Public-Key-Replacement($ID_i$, $P'_i$): For a participant $i$ whose identity is $ID_i$, $A$ can choose a new public key $P'_i$ and then set $P'_i$ as the new public key of this participant. $C$ will record these replacements, which will be used later.
Send($\Pi^n_{i,j}$, $M$): $A$ can send a message $M$ of her choice to an oracle, say $\Pi^n_{i,j}$, in which case participant $i$ assumes that the message has been sent by participant $j$. $A$ may also make a special Send query with $M = \lambda$ to an oracle $\Pi^n_{i,j}$, which instructs $i$ to initiate a protocol run with $j$. An oracle is an initiator oracle if the first message it has received is $\lambda$. If an oracle does not receive the message $\lambda$ as its first message, then it is a responder oracle.
Reveal($\Pi^n_{i,j}$): $A$ can ask a particular oracle to reveal the session key (if any) it currently holds to $A$.
Test($\Pi^n_{i,j}$): At some point, $A$ may choose one of the oracles, say $\Pi^T_{I,J}$, to ask a single Test query. This oracle must be fresh. To answer the query, the oracle flips a fair coin $b \in \{0, 1\}$ and returns the session key held by $\Pi^T_{I,J}$ for one value of $b$, or a random sample from the distribution of the session key for the other value. After a Test query, the adversary can continue to query the oracles, except that it cannot make a Reveal query to the test oracle $\Pi^T_{I,J}$ or to the oracle $\Pi^t_{J,I}$ which has a matching conversation with $\Pi^T_{I,J}$ (if it exists), and it cannot corrupt participant $J$. In addition, if $A$ is a Type 1 adversary, $A$ cannot request the partial private key of participant $J$; and if $A$ is a Type 2 adversary, $A$ cannot replace the public key of participant $J$. At the end of the game, $A$ must output a guess bit $b'$. $A$ wins if and only if $b' = b$. $A$'s advantage in winning the above game, denoted by $\mathrm{Advantage}_A(k)$, is defined as
$\mathrm{Advantage}_A(k) = \left| \Pr[b' = b] - \tfrac{1}{2} \right|$.
Definition 1. A CTAKA protocol is said to be secure if: (1) In the presence of a benign adversary on $\Pi^n_{i,j}$ and $\Pi^t_{j,i}$, both oracles always agree on the same session key, and this key is distributed uniformly at random. (2) For any adversary, $\mathrm{Advantage}_A(k)$ is negligible.
3. Our protocol
In this section, we will propose a new CTAKA protocol. Our protocol consists of six polynomial-time algorithms. They are described as follows.
Setup: This algorithm takes a security parameter $k$ as input, and returns the system parameters and a master key. Given $k$, the KGC does the following.
1) KGC chooses a $k$-bit prime $p$ and determines the tuple $\{F_p, E/F_p, G, P\}$ as defined in Section 2.
2) KGC chooses the master private key $s \in Z_n^*$ and computes the master public key $P_{pub} = sP$.
3) KGC chooses two cryptographically secure hash functions $H_1 : \{0,1\}^* \to Z_n^*$ and $H_2 : \{0,1\}^* \to Z_n^*$.
4) KGC publishes $params = \{F_p, E/F_p, G, P, P_{pub}, H_1, H_2\}$ as the system parameters and secretly keeps the master key $s$.
Set-Secret-Value: The user with identity $ID_i$ picks $x_i \in Z_n^*$ at random, computes $P_i = x_i \cdot P$ and sets $x_i$ as his secret value.
Partial-Private-Key-Extract: This algorithm takes the master key, a user's identifier, $P_i$ and the system parameters as input, and returns the user's ID-based partial private key. With this algorithm, for each user with identifier $ID_i$, the KGC works as follows.
1) KGC chooses a random number $r_i \in Z_n^*$, computes $R_i = r_i \cdot P$ and $h_i = H_1(ID_i, R_i, P_i)$.
2) KGC computes $s_i = r_i + h_i s \bmod n$ and issues $\{s_i, R_i\}$ to the user through a secret channel.
The user's partial private key is $s_i$, and he can validate it by checking whether the equation $s_i \cdot P = R_i + h_i \cdot P_{pub}$ holds. The partial private key is valid if and only if the equation holds.
Set-Private-Key: The user with identity $ID_i$ takes the pair $sk_i = (x_i, s_i)$ as its private key.
Set-Public-Key: The user with identity $ID_i$ takes $pk_i = \{P_i, R_i\}$ as its public key.
Key-Agreement: Assume that an entity $A$ with identity $ID_A$, private key $sk_A = (x_A, s_A)$ and public key $pk_A = \{P_A, R_A\}$, and an entity $B$ with identity $ID_B$, private key $sk_B = (x_B, s_B)$ and public key $pk_B = \{P_B, R_B\}$, want to establish a session key. Then they proceed as shown in Fig. 1 and as follows.
1) $A$ chooses a random number $a \in Z_n^*$ and computes $T_A = a \cdot P$, then $A$ sends $M_A = \{ID_A, T_A\}$ to $B$.
2) After receiving $M_A$, $B$ chooses a random number $b \in Z_n^*$ and computes $T_B = b \cdot P$, then $B$ sends $M_B = \{ID_B, T_B\}$ to $A$.
Then both $A$ and $B$ can compute the shared secrets as follows. $A$ computes
$K^1_{AB} = (x_A + s_A)\, T_B + a \cdot (P_B + R_B + H_1(ID_B, R_B, P_B)\, P_{pub})$ and $K^2_{AB} = a \cdot T_B$. (5)
$B$ computes
$K^1_{BA} = (x_B + s_B)\, T_A + b \cdot (P_A + R_A + H_1(ID_A, R_A, P_A)\, P_{pub})$ and $K^2_{BA} = b \cdot T_A$. (6)
Fig. 1. Key agreement of our protocol
The shared secrets agree because
$K^1_{AB} = (x_A + s_A)\, T_B + a \cdot (P_B + R_B + H_1(ID_B, R_B, P_B)\, P_{pub}) = (x_A + s_A)\, T_B + a\,(x_B + s_B)\, P = (x_A + s_A)\, T_B + (x_B + s_B)\, T_A = b \cdot (P_A + R_A + H_1(ID_A, R_A, P_A)\, P_{pub}) + (x_B + s_B)\, T_A = K^1_{BA}$ (7)
and
$K^2_{AB} = abP = baP = K^2_{BA}$. (8)
Thus the agreed session key for $A$ and $B$ can be computed as
$sk = H_2(ID_A \| ID_B \| T_A \| T_B \| K^1_{AB} \| K^2_{AB}) = H_2(ID_A \| ID_B \| T_A \| T_B \| K^1_{BA} \| K^2_{BA})$. (9)
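The group arithmetic of Section 2 and the Setup, Partial-Private-Key-Extract and Key-Agreement steps above, as an added worked example that is not code from the paper: a self-contained Python implementation that runs the full exchange for an initiator A and a responder B, applies the user-side validation equation $s_i \cdot P = R_i + h_i \cdot P_{pub}$ before a partial private key is accepted, and checks that the two parties derive the same session key as equations (7)-(9) claim. The curve (secp256k1) and the instantiation of $H_1$ and $H_2$ with SHA-256 are assumptions of the example, not choices made by the paper, and function names such as `shared_secrets`, `run_protocol` and `mismatched_partial_key_rejected` are the example's own.

```python
import hashlib
import secrets

# Curve group for the demo: secp256k1 (an assumption; the paper only needs a
# prime-order curve E/F_p with a generator P of order n).
P_MOD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
A_COEF = 0
N_ORDER = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
GEN = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
       0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # the point at infinity O

def ec_add(p1, p2):
    """Point addition "+" on E/F_p in affine coordinates (Section 2)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                     # P + (-P) = O
    if p1 == p2:                       # tangent line: doubling
        lam = (3 * x1 * x1 + A_COEF) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:                              # chord through two distinct points
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def ec_mul(k, pt):
    """Scalar multiplication tP = P + ... + P (t times), left-to-right double-and-add."""
    result = INF
    for bit in bin(k % N_ORDER)[2:]:
        result = ec_add(result, result)
        if bit == "1":
            result = ec_add(result, pt)
    return result

def point_bytes(pt):
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")

def H1(ident, R, Pi):
    """H1 : {0,1}^* -> Z_n^*, instantiated with SHA-256 (assumption)."""
    d = hashlib.sha256(ident.encode() + point_bytes(R) + point_bytes(Pi)).digest()
    return int.from_bytes(d, "big") % (N_ORDER - 1) + 1

def H2(*parts):
    """H2 over ID_A||ID_B||T_A||T_B||K1||K2, instantiated with SHA-256 (assumption)."""
    return hashlib.sha256(b"".join(parts)).hexdigest()

def keypair():
    """Uniform k in Z_n^* together with kP; used for s/P_pub, x_i/P_i and a/T_A."""
    k = secrets.randbelow(N_ORDER - 1) + 1
    return k, ec_mul(k, GEN)

def partial_private_key_extract(s, ident, Pi):
    """KGC: R_i = r_i P, h_i = H1(ID_i, R_i, P_i), s_i = r_i + h_i s mod n."""
    r, R = keypair()
    return (r + H1(ident, R, Pi) * s) % N_ORDER, R

def validate_partial_key(ident, Pi, si, Ri, Ppub):
    """User-side check s_i P == R_i + h_i P_pub before accepting {s_i, R_i}."""
    return ec_mul(si, GEN) == ec_add(Ri, ec_mul(H1(ident, Ri, Pi), Ppub))

def shared_secrets(x, s, eph, T_peer, id_peer, P_peer, R_peer, Ppub):
    """Equations (5)/(6): K1 = (x+s) T_peer + eph (P_peer + R_peer + h_peer P_pub),
    K2 = eph T_peer.  With T = eph P this is the paper's five scalar multiplications."""
    Q_peer = ec_add(ec_add(P_peer, R_peer), ec_mul(H1(id_peer, R_peer, P_peer), Ppub))
    K1 = ec_add(ec_mul(x + s, T_peer), ec_mul(eph, Q_peer))
    return K1, ec_mul(eph, T_peer)

def run_protocol():
    """Full run for initiator A and responder B; returns (sk_A, sk_B)."""
    s, Ppub = keypair()                                   # Setup
    users = {}
    for ident in ("A", "B"):
        x, Pi = keypair()                                 # Set-Secret-Value
        si, Ri = partial_private_key_extract(s, ident, Pi)
        if not validate_partial_key(ident, Pi, si, Ri, Ppub):
            raise ValueError("KGC issued an invalid partial private key")
        users[ident] = (x, Pi, si, Ri)                    # sk_i = (x_i, s_i), pk_i = {P_i, R_i}
    xA, PA, sA, RA = users["A"]
    xB, PB, sB, RB = users["B"]
    a, TA = keypair()                                     # A -> B: {ID_A, T_A}
    b, TB = keypair()                                     # B -> A: {ID_B, T_B}
    K1_AB, K2_AB = shared_secrets(xA, sA, a, TB, "B", PB, RB, Ppub)
    K1_BA, K2_BA = shared_secrets(xB, sB, b, TA, "A", PA, RA, Ppub)
    tag = (b"A", b"B", point_bytes(TA), point_bytes(TB))
    return (H2(*tag, point_bytes(K1_AB), point_bytes(K2_AB)),
            H2(*tag, point_bytes(K1_BA), point_bytes(K2_BA)))

def mismatched_partial_key_rejected():
    """A {s_i, R_i} issued for one P_i must fail the check against a different P_i."""
    s, Ppub = keypair()
    _, P_real = keypair()
    _, P_other = keypair()
    si, Ri = partial_private_key_extract(s, "A", P_real)
    return not validate_partial_key("A", P_other, si, Ri, Ppub)

if __name__ == "__main__":
    skA, skB = run_protocol()
    print("session keys agree:", skA == skB)
```

The last function shows why $P_i$ is hashed into $h_i$: a partial private key issued for one public value does not validate against another, so a user can detect a $\{s_i, R_i\}$ that was not bound to the $P_i$ he submitted. The example uses affine arithmetic with a modular inverse per addition for readability; a production implementation would use constant-time, projective-coordinate routines from a vetted library rather than this hand-rolled group code.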
4. Security Analysis
To prove the security of our protocol in the random oracle model, we treat $H_1$ and $H_2$ as two random oracles [16], using the model defined in [9]. For the security, the following lemmas and theorems are provided.
Lemma 1. If two oracles are matching, both of them will be accepted and will get the same session key, which is distributed uniformly at random in the session key sample space.
Proof. From the correctness analysis of our protocol in Section 3, we know that if two oracles are matching, then both of them are accepted and have the same session key. The session key is distributed uniformly since $a$ and $b$ are selected uniformly during the protocol execution.
Lemma 2. Assuming that the CDH problem is intractable, the advantage of a Type 1 adversary against our protocol is negligible in the random oracle model.
Proof. Suppose that there is a Type 1 adversary $A_1$ who can win the game defined in Section 2 with a non-negligible advantage $\mathrm{Advantage}_A(k) = \varepsilon$ in polynomial time $t$. We show how to use the ability of $A_1$ to build a challenger $C$ that solves the CDH problem. Suppose $C$ is given an instance $(aP, bP)$ of the CDH problem and wants to compute $cP$ with $c = ab \bmod n$. $C$ first chooses $P_{pub} \in G$ at random, sets it as the system public key, selects the system parameters $params = \{F_p, E/F_p, G, P, P_{pub}, H_1, H_2\}$, and sends $params$ to $A_1$. Let $q_s$ be the maximal number of sessions each participant may be involved in. Suppose $A_1$ makes at most $q_{H_i}$ $H_i$ queries and creates at most $q_C$ participants. $C$ chooses at random $I, J \in [1, q_H]$ and $T \in [1, q_s]$, and answers $A_1$'s queries as follows.
Create($ID_i$): $C$ maintains an initially empty list $L_C$ consisting of tuples of the form $(ID_i, s_i, sk_i, pk_i)$. If $ID_i = ID_I$, $C$ chooses random $x_i, h_i \in Z_n^*$ and computes $R_i = bP - h_i P_{pub}$ and the public key $P_i = x_i P$; then $i$'s partial private key, private key and public key are $\bot$, $sk_i = (x_i, \bot)$ and $pk_i = (P_i, R_i)$ respectively. Otherwise, $C$ chooses random $x_i, s_i, h_i \in Z_n^*$ and computes $R_i = s_i P - h_i P_{pub}$ and $P_i = x_i P$; then $i$'s partial private key, private key and public key are $s_i$, $sk_i = (x_i, s_i)$ and $pk_i = (P_i, R_i)$ respectively. At last, $C$ adds the tuples $(ID_i, R_i, P_i, h_i)$ and $(ID_i, s_i, sk_i, pk_i)$ to the lists $L_{H_1}$ and $L_C$ respectively.
$H_1(ID_i, R_i, P_i)$: $C$ maintains an initially empty list $L_{H_1}$ which contains tuples of the form $(ID_i, R_i, P_i, h_i)$. If $(ID_i, R_i, P_i)$ is on the list $L_{H_1}$, $C$ returns $h_i$. Otherwise, $C$ executes the query Create($ID_i$) and returns $h_i$.
Public-Key($ID_i$): On receiving this query, $C$ first searches for the tuple $(ID_i, s_i, sk_i, pk_i)$ in $L_C$ indexed by $ID_i$, then returns $pk_i$ as the answer.
Partial-Private-Key($ID_i$): Whenever $C$ receives this query, if $ID_i = ID_I$, $C$ aborts; else $C$ searches for the tuple $(ID_i, s_i, sk_i, pk_i)$ in $L_C$ indexed by $ID_i$ and returns $sk_i$ as the answer.
Corrupt($ID_i$): Whenever $C$ receives this query, if $ID_i = ID_I$, $C$ aborts. Otherwise, $C$ searches for the tuple $(ID_i, s_i, sk_i, pk_i)$ in $L_C$ indexed by $ID_i$; if $x_i = null$, $C$ returns $null$, otherwise $C$ returns $(s_i, sk_i)$ as the answer.
Public-Key-Replacement($ID_i$, $pk'_i$): On receiving this query, $C$ searches for the tuple $(ID_i, s_i, sk_i, pk_i)$ in $L_C$ indexed by $ID_i$, then updates $pk_i$ to $pk'_i$ and sets $s_i = \bot$, $sk_i = \bot$.
Send($\Pi^n_{i,j}$, $M$): $C$ maintains an initially empty list $L_S$ consisting of tuples of the form $(\Pi^n_{i,j}, trans^n_{i,j}, r^n_{i,j})$, where $trans^n_{i,j}$ is the transcript of $\Pi^n_{i,j}$ so far and $r^n_{i,j}$ will be described later. $C$ answers the query as follows:
- If $n = T$, $ID_i = ID_I$ and $ID_j = ID_J$, $C$ returns $aP$ as the answer and updates the tuple $(\Pi^n_{i,j}, trans^n_{i,j}, r^n_{i,j})$ with $r^n_{i,j} = \bot$.
- Otherwise, $C$ answers the query according to the specification of the protocol. Note that when $M$ is not the second message to $\Pi^n_{i,j}$, $C$ chooses $r^n_{i,j} \in Z_n^*$ at random and computes $r^n_{i,j} P$ as the reply. Then $C$ updates the tuple indexed by $\Pi^n_{i,j}$ in $L_S$.
Reveal($\Pi^n_{i,j}$): $C$ maintains a list $L_R$ of tuples of the form $(\Pi^n_{i,j}, ID^n_{ini}, ID^n_{resp}, T^n_{ini}, T^n_{resp}, SK^n_{i,j})$, where $ID^n_{ini}$ is the identity of the initiator in the session which $\Pi^n_{i,j}$ engages in and $ID^n_{resp}$ is the identity of the responder. $C$ answers the query as follows:
- If $n = T$, $ID_i = ID_I$ and $ID_j = ID_J$, or $\Pi^n_{i,j}$ is the oracle which has a matching conversation with $\Pi^T_{I,J}$, $C$ aborts.
- Else if $ID_i \neq ID_I$:
  - $C$ looks up the lists $L_S$ and $L_C$ for the corresponding tuples $(\Pi^n_{i,j}, r^n_{i,j}, T^n_{i,j}, T^n_{j,i}, R_i, R_j, P_i, P_j)$ and $(ID_i, s_i, sk_i, pk_i)$ respectively. Then $C$ computes
    $K^{1,n}_{i,j} = (x_i + s_i)\, T^n_{j,i} + r^n_{i,j}\,(P_j + R_j + H_1(ID_j, R_j, P_j)\, P_{pub})$,
    $K^{2,n}_{i,j} = r^n_{i,j}\, T^n_{j,i}$.
  - $C$ makes an $H_2$ query. If $\Pi^n_{i,j}$ is the initiator oracle then the query is of the form $(ID_i \| ID_j \| T_i \| T_j \| K^{1,n}_{i,j} \| K^{2,n}_{i,j})$, or else of the form $(ID_j \| ID_i \| T_j \| T_i \| K^{1,n}_{i,j} \| K^{2,n}_{i,j})$.
- Else ($ID_i = ID_I$):
  - $C$ looks up the list $L_S$ for the corresponding tuple $(\Pi^n_{i,j}, r^n_{i,j}, T^n_{i,j}, T^n_{j,i}, R_i, R_j, P_i, P_j)$.
  - $C$ looks up the list $L_{H_2}$ to see if there exists a tuple indexed by $(ID_i, ID_j, T_i, T_j)$ if $\Pi^n_{i,j}$ is an initiator, or by $(ID_j, ID_i, T_j, T_i)$ otherwise.
  - If there exists such a tuple and the corresponding $K^1$ and $K^2$ satisfy the equations $e(K^2, P) = e(T^n_{i,j}, T^n_{j,i})$ and
    $e(K^1 - r^n_{i,j}\,(P_j + R_j + H_1(ID_j, R_j, P_j)\, P_{pub}),\ P) = e(P_i + R_i + H_1(ID_i, R_i, P_i)\, P_{pub},\ T^n_{j,i})$,
    given a proper bilinear map $e$ for the group $G$, then $C$ obtains the corresponding $h$ and sets $SK^n_{i,j} = h$. Otherwise $C$ chooses $SK^n_{i,j} \in \{0,1\}^k$ at random.
$H_2$ query: $C$ maintains a list $L_{H_2}$ of tuples of the form $(ID^u_i, ID^u_j, T^u_i, T^u_j, K^1_u, K^2_u, h_u)$ and responds to $H_2$ queries $(ID^u_i, ID^u_j, T^u_i, T^u_j, K^1_u, K^2_u)$ as follows:
- If a tuple indexed by $(ID^u_i, ID^u_j, T^u_i, T^u_j, K^1_u, K^2_u)$ is already in $L_{H_2}$, $C$ replies with the corresponding $h_u$.
- Else, if there is no such tuple:
  - If the equations $e(K^2_u, P) = e(T^u_i, T^u_j)$ and $e(K^1_u, P) = e(P_i + R_i + H_1(ID_i, R_i, P_i)\, P_{pub},\ T^u_j) \cdot e(P_j + R_j + H_1(ID_j, R_j, P_j)\, P_{pub},\ T^u_i)$ hold, given a proper bilinear pairing $e$ for the group $G$, $C$ goes through the list $L_R$. If there is a tuple indexed by $(ID^u_i, ID^u_j, T^u_i, T^u_j)$ in the list $L_R$, then $C$ obtains the corresponding $SK^n_{i,j}$ and sets $h_u = SK^n_{i,j}$. Otherwise $C$ chooses $h_u \in \{0,1\}^k$ at random.
  - Else, if the equations do not hold for $(ID^u_i, ID^u_j, T^u_i, T^u_j, K^1_u, K^2_u)$, $C$ chooses $h_u \in \{0,1\}^k$ at random.
  - $C$ inserts the tuple $(ID^u_i, ID^u_j, T^u_i, T^u_j, K^1_u, K^2_u, h_u)$ into the list $L_{H_2}$.
Test($\Pi^T_{I,J}$): At some point, $A_1$ will ask a Test query on some oracle. If $A_1$ does not choose the oracle $\Pi^T_{I,J}$ to ask the Test query, then $C$ aborts. Otherwise, $C$ simply outputs a random value $x \in \{0,1\}^k$.
The probability that $A_1$ chooses $\Pi^T_{I,J}$ as the Test oracle is $\frac{1}{q_C\, q_s}$. In this case, $A_1$ would not have made Corrupt or Reveal queries on $\Pi^T_{I,J}$, and so $C$ would not have aborted. If $A_1$ can win in such a game, then $A_1$ must have made the corresponding $H_2$ query of the form $(ID_I, ID_J, T^T_I, T^T_J, K^{1,T}, K^{2,T})$ if $\Pi^T_{I,J}$ is the initiator oracle, or else $(ID_J, ID_I, T^T_J, T^T_I, K^{1,T}, K^{2,T})$, with overwhelming probability because $H_2$ is a random oracle. Thus $C$ can find the corresponding item in the list $L_{H_2}$ with probability $\frac{1}{q_{H_2}}$ and output
$K^{1,T} - (x_I - h_I)\, aP - r_I\,(P_J + R_J + h_J P_{pub})$
as a solution to the CDH problem. The probability that $C$ solves the CDH problem is $\frac{\varepsilon}{q_C\, q_s\, q_{H_2}}$.
Lemma 3. Under the assumption that the CDH problem is intractable, the advantage of a Type 2 adversary against our protocol is negligible in the random oracle model.
Proof. Suppose that there is a Type 2 adversary $A_2$ who can win the game defined in Section 2 with a non-negligible advantage $\mathrm{Advantage}_A(k) = \varepsilon$ in polynomial time $t$. We show how to use the ability of $A_2$ to build a challenger $C$ that solves the CDH problem. Suppose $C$ is given an instance $(aP, bP)$ of the CDH problem and wants to compute $cP$ with $c = ab \bmod n$. $C$ first chooses $s$ at random, sets $sP \in G$ as the system public key $P_{pub}$, selects the system parameters $params = \{F_p, E/F_p, G, P, P_{pub}, H_1, H_2\}$, and sends $params$ and the master key $s$ to $A_2$. Let $q_s$ be the maximal number of sessions each participant may be involved in. Suppose $A_2$ makes at most $q_{H_i}$ $H_i$ queries and creates at most $q_C$ participants. $C$ chooses at random $I, J \in [1, q_H]$ and $T \in [1, q_s]$, and answers $A_2$'s queries as follows.
Create($ID_i$): $C$ maintains an initially empty list $L_C$ consisting of tuples of the form $(ID_i, s_i, sk_i, pk_i)$. If $ID_i = ID_I$, $C$ chooses random $r_i, h_i \in Z_n^*$ and computes $R_i = r_i P$, $s_i = r_i + h_i s \bmod n$ and $P_i = bP$; then $i$'s partial private key, private key and public key are $s_i$, $sk_i = (\bot, s_i)$ and $pk_i = \{P_i, R_i\}$ respectively. Otherwise, $C$ chooses random $x_i, r_i, h_i \in Z_n^*$ and computes $R_i = r_i P$, $s_i = r_i + h_i s \bmod n$ and the public key $P_i = x_i P$; then $i$'s partial private key, private key and public key are $s_i$, $sk_i = (x_i, s_i)$ and $pk_i = \{P_i, R_i\}$ respectively. At last, $C$ adds the tuples $(ID_i, R_i, P_i, h_i)$ and $(ID_i, s_i, sk_i, pk_i)$ to the lists $L_{H_1}$ and $L_C$ respectively.
$C$ answers $A_2$'s $H_1(ID_i, R_i, P_i)$, Public-Key($ID_i$), Corrupt($ID_i$), Partial-Private-Key($ID_i$), Send($\Pi^n_{i,j}$, $M$), Reveal($\Pi^n_{i,j}$), $H_2$ and Test($\Pi^T_{I,J}$) queries as in Lemma 2. The probability that $A_2$ chooses $\Pi^T_{I,J}$ as the Test oracle is $\frac{1}{q_C\, q_s}$. In this case, $A_2$ would not have made Corrupt or Reveal queries on $\Pi^T_{I,J}$, and so $C$ would not have aborted. If $A_2$ can win in such a game, then $A_2$ must have made the corresponding $H_2$ query of the form $(ID_I, ID_J, T^T_I, T^T_J, K^{1,T}, K^{2,T})$ if $\Pi^T_{I,J}$ is the initiator oracle, or else $(ID_J, ID_I, T^T_J, T^T_I, K^{1,T}, K^{2,T})$, with overwhelming probability because $H_2$ is a random oracle. Thus $C$ can find the corresponding item in the list $L_{H_2}$ with probability $\frac{1}{q_{H_2}}$ and output
$K^{1,T} - s_I\, bP - r_I\,(P_J + R_J + h_J P_{pub})$
as a solution to the CDH problem. The probability that $C$ solves the CDH problem is $\frac{\varepsilon}{q_C\, q_s\, q_{H_2}}$.
From the above three lemmas, we obtain the following two theorems.
Theorem 1. Our protocol is a secure CTAKA protocol.
By a similar method, we can prove that our protocol provides the forward secrecy property. We state it in the following theorem.
Theorem 2 . Our protocol has the perfect forward secrecy property if the CDH problem in G is hard.
5. Comparison with previous protocols
For the convenience of evaluating the computational cost, we define the following notation.
$T_{mul}$: the time of executing a scalar multiplication of a point.
$T_{add}$: the time of executing an addition of points.
$T_{inv}$: the time of executing a modular inversion.
$T_h$: the time of executing a one-way hash function.
We compare the efficiency of our new protocol with the CTAKA protocols without pairings, i.e. Geng et al.'s protocol [11], Hou et al.'s protocol [12], Yang et al.'s protocol [13] and He et al.'s protocol [14]. Table 1 summarizes the computational cost of each protocol per user.
Table 1. Comparison of different protocols (the scalar-multiplication counts of [12] and [13] follow from the ratios stated below; the hash counts for [12] and [13] and the operation counts for [14] did not survive extraction)
Geng et al.'s protocol [11]: $7T_{mul} + 2T_h$
Hou et al.'s protocol [12]: $6T_{mul}$ plus hashing ($T_h$)
Yang et al.'s protocol [13]: $9T_{mul}$ plus hashing ($T_h$)
He et al.'s protocol [14]: $T_{mul}$, $T_{add}$, $T_{inv}$ and $T_h$ operations
Our protocol: $5T_{mul}$ plus point additions ($T_{add}$) and hashing ($T_h$)
Since scalar multiplication is the main computational overhead, we count only scalar multiplications. Then the computational cost of our protocol is 71.43% of Geng et al.'s scheme [11], 83.33% of Hou et al.'s scheme [12], and 55.56% of Yang et al.'s scheme [13]. Moreover, Geng et al.'s protocol [11] and Hou et al.'s protocol [12] are not secure [13]. He et al.'s protocol [14] has almost the same performance as our protocol, but it is not secure either [15]. Thus our scheme is more useful and efficient than the previous schemes.
6. Conclusion
Certificateless public key cryptography is receiving significant attention because it is a new paradigm that simplifies public key cryptography. In this paper, we proposed a new CTAKA protocol without pairings and proved its security in the random oracle model under the CDH assumption. The proposed protocol has the best performance among the related protocols. Many researchers have expressed doubts about the wisdom of relying on the random oracle model. In particular, Canetti et al. [17] proved that there are signature and encryption schemes which are secure in the random oracle model but insecure for any instantiation of the random oracle. To obtain better security, it is necessary to construct CTAKA protocols without pairings in the standard model. In the future, we will first investigate a partial-private-key extraction algorithm for the standard model, and then use it to construct a CTAKA protocol without pairings in the standard model so that it can be applied to more applications.
References
[1] A. Shamir, Identity-based cryptosystems and signature protocols, Proc. CRYPTO 1984, LNCS, vol. 196, 1984, pp. 47–53.
[2] S. Al-Riyami, K.G. Paterson, Certificateless public key cryptography, Proc. ASIACRYPT 2003, LNCS 2894, Springer-Verlag, 2003, pp. 452–
[3] Z. Shao, Efficient authenticated key agreement protocol using self-certified public keys from pairings, Wuhan University Journal of Natural Sciences 10 (1) (2005) 267–270.
[4] S. Wang, Z. Cao, X. Dong, Certificateless authenticated key agreement based on the MTI/CO protocol, Journal of Information and Computational Science 3 (2006) 575–
[5] T. Mandt, C. Tan, Certificateless authenticated two-party key agreement protocols, Proc. ASIAN 2006, LNCS, vol. 4435, Springer-Verlag, 2008, pp. 37–44.
[6] Y. Shi, J. Li, Two-party authenticated key agreement in certificateless public key cryptography, Wuhan University Journal of Natural Sciences 12 (1) (2007) 71–74.
[7] C. Swanson, Security in key agreement: Two-party certificateless schemes, Master's thesis, University of Waterloo, 2008.
[8] G. Lippold, C. Boyd, J. Nieto, Strongly secure certificateless key agreement, Pairing 2009, pp. 206–230.
[9] L. Zhang, F. Zhang, Q. Wu, J. Domingo-Ferrer, Simulatable certificateless two-party authenticated key agreement protocol, Information Sciences 180 (2010) 1020–
[10] L. Chen, Z. Cheng, N.P. Smart, Identity-based key agreement protocols from pairings, Int. J. Inf. Secur. 6 (2007) 213–241.
[11] M. Geng, F. Zhang, Provably secure certificateless two-party authenticated key agreement protocol without pairing, International Conference on Computational Intelligence and Security, 2009, pp. 208–212.
[12] M. Hou, Q. Xu, A two-party certificateless authenticated key agreement protocol without pairing, 2nd IEEE International Conference on Computer Science and Information Technology, 2009, pp. 412–416.
[13] G. Yang, C. Tan, 6th ACM Symposium on Information, Computer and Communications Security, 2011, pp. 71–79.
[14] D. He, J. Chen, J. Hu, A pairing-free certificateless authenticated key agreement protocol, International Journal of Communication Systems, DOI: 10.1002/dac.1265, 2011.
[15] W. Han, Breaking a certificateless key agreement protocol without bilinear pairing, http://eprint.iacr.org/2011/249.pdf
[16]