Cryptanalysis and improvement of two certificateless three-party authenticated key agreement protocols
Haiyan Sun∗, Qiaoyan Wen, Hua Zhang, Zhengping Jin, Wenmin Li
State Key Laboratory of Networking and Switching Technology, Beijing University of Posts and Telecommunications, Beijing 100876, China
arXiv preprint [cs.CR] (Jan.)
Abstract:
Recently, two certificateless three-party authenticated key agreement protocols were proposed, and both were claimed to meet the desirable security properties, including forward security, key compromise impersonation resistance and so on. Through cryptanalysis, we show that one neither meets forward security and key compromise impersonation resistance nor resists an attack by an adversary who knows all users' secret values, and that the other cannot resist a key compromise impersonation attack. Finally, we propose improved protocols that remove the security weaknesses of the two original protocols, respectively. Further security analysis shows that our improved protocols do remove these weaknesses.
Key words: key compromise impersonation attack; forward security; three-party; certificateless authenticated key agreement; bilinear pairings
1. Introduction
Authenticated key agreement (AKA) is one of the fundamental cryptographic primitives. It allows two or more users to generate a shared session secret key with each other over an open network, and all the users are assured that only their intended peers can know the shared session secret key. AKA protocols can be realized in the traditional public-key infrastructure (PKI) setting, the identity-based cryptography setting [1], or the certificateless cryptography setting [2]. Certificateless authenticated key agreement (CLAKA) protocols are more appealing because they eliminate the heavy certificate management burden of PKI-based AKA protocols and the key escrow problem of identity-based AKA protocols. By far, many researchers have been investigating secure and efficient certificateless two-party authenticated key agreement protocols (e.g., [3-12]). One research direction in AKA protocols aims to generalize the two-party setting to the multi-party setting, among which three-party AKA protocols receive much interest. In 2009, Gao et al. [13] proposed the first three-party CLAKA protocol. Since then, several three-party CLAKA protocols (e.g., [14], the XCQ-11 protocol [15], the XCL-12 protocol [16]) have been proposed.

∗ Corresponding author. Email address: [email protected] (Haiyan Sun)

In this paper, we analyze two three-party CLAKA protocols [15, 16] and propose two improved protocols. Firstly, we point out that the XCQ-11 protocol [15] is subject to three attacks, namely a forward security attack, a key compromise impersonation attack, and an attack by adversaries who know all users' secret values, and then propose a simple improvement that removes these flaws. Secondly, we find that the XCL-12 protocol [16] cannot resist a key compromise impersonation attack and propose an efficient protocol that resists this attack.

The remaining part of this paper is organized as follows. Some preliminaries are introduced in Section 2. A review of the XCQ-11 protocol, three attacks on it and an improved protocol are given in Section 3. A review of the XCL-12 protocol, two attacks on it and an improved protocol are given in Section 4. Finally, some conclusions are drawn in Section 5.
2. Preliminaries
We now briefly review some basic concepts used in this paper, including bilinear pairings and some security properties.
2.1. Bilinear pairings

Let $G_1$ be an additive group generated by $P$ with prime order $q$ and $G_2$ be a multiplicative group of the same order. A map $\hat{e}: G_1 \times G_1 \to G_2$ is said to be a bilinear pairing if the following three conditions hold:
1. Bilinearity: for all $a, b \in \mathbb{Z}_q^*$, $\hat{e}(aP, bP) = \hat{e}(P, P)^{ab}$.
2. Non-degeneracy: $\hat{e}(P, P) \neq 1_{G_2}$.
3. Computability: $\hat{e}$ is efficiently computable.

2.2. Security properties

It is desirable for three-party authenticated key agreement protocols to possess the following security properties. Let $A$, $B$ and $C$ be three participants that execute the protocol correctly.
• Known-key security: The session key is not compromised in the face of adversaries who have learned some other session keys.
• Key compromise impersonation (KCI) resistance: If an adversary reveals $A$'s long-term private key, the adversary cannot impersonate any other participant to $A$ without that participant's private key.
• Forward secrecy (FS): Compromise of the long-term private keys of one or more of the participants should not affect the secrecy of previously established session keys. A protocol has forward secrecy if the secrecy of previously established session keys is not affected when some but not all of the participants' long-term private keys are corrupted. A protocol has perfect forward secrecy if the secrecy of previously established session keys is not affected when all participants' long-term private keys are compromised.
• Unknown key share (UKS) resistance: If one participant $A$ thinks that he/she is sharing a key with the other participants (e.g., $B$ and $C$), then it should not happen that $A$ is actually sharing that key with the adversary, who is neither $B$ nor $C$.
3. The XCQ-11 protocol and its analysis and improvement
In this section, we first review the XCQ-11 protocol [15], then give three attacks on it, and finally propose a simple countermeasure that resists these attacks.
3.1. Review of the XCQ-11 protocol

The XCQ-11 protocol [15] requires a KGC and consists of four phases: system setup, partial key extraction, user key generation and key agreement.

• Setup: Given a security parameter $k \in \mathbb{Z}$, the algorithm works as follows.
(1) It runs the parameter generator on input $k$ to generate a prime $q$, two groups $G_1, G_2$ of prime order $q$, a generator $P$ of $G_1$, and an admissible pairing $\hat{e}: G_1 \times G_1 \to G_2$.
(2) It chooses a master key $x \in \mathbb{Z}_q^*$ and computes $P_0 = xP$.
(3) It chooses three cryptographically secure hash functions $H_1: \{0,1\}^* \to \mathbb{Z}_q^*$, $H_2: G_1 \to \mathbb{Z}_q^*$ and $H_3: \{0,1\}^* \times G_1 \times G_2 \to \{0,1\}^k$. Finally, the KGC's master key $x$ is kept secret and the system parameters $\{q, G_1, G_2, \hat{e}, P, P_0, H_1, H_2, H_3\}$ are published.

• PartialKeyGen: Given a user's identity $ID_U \in \{0,1\}^*$, KGC first computes $q_U = H_1(ID_U)$. It then sets this user's partial private key $s_U = (x + q_U)^{-1} P$ and transmits it to user $ID_U$ secretly. It is easy to see that $s_U$ is actually a signature on $ID_U$ for the key pair $(P_0, x)$, and user $ID_U$ can check its correctness by checking whether $\hat{e}(s_U, P_0 + q_U P) = \hat{e}(P, P)$. For convenience, we define $Q_U = P_0 + q_U P$.

• UserKeyGen: User $ID_U$ picks $x_U \in \mathbb{Z}_q^*$ at random as his/her user secret key $usk_U$, and computes his/her public key as $upk_U = x_U Q_U$. After that, user $ID_U$ computes the full private key $S_U = (x_U + H_2(upk_U))^{-1} s_U$.

• Key Agreement: Assume that an entity $A$ with identity $ID_A$ has full private key $S_A$ and public key $upk_A$, an entity $B$ with identity $ID_B$ has full private key $S_B$ and public key $upk_B$, and an entity $C$ with identity $ID_C$ has full private key $S_C$ and public key $upk_C$. The message flows and computations of a protocol run are described below.
(1) $A, B, C$: choose $a, b, c \in \mathbb{Z}_q^*$.
(2) $A \to B$: $T_{AB} = a(upk_B + H_2(upk_B) Q_B)$,
$A \to C$: $T_{AC} = a(upk_C + H_2(upk_C) Q_C)$,
$B \to A$: $T_{BA} = b(upk_A + H_2(upk_A) Q_A)$,
$B \to C$: $T_{BC} = b(upk_C + H_2(upk_C) Q_C)$,
$C \to A$: $T_{CA} = c(upk_A + H_2(upk_A) Q_A)$,
$C \to B$: $T_{CB} = c(upk_B + H_2(upk_B) Q_B)$.
(3) $A$: $k_A = \hat{e}(P,P)^a\, \hat{e}(T_{BA}, S_A)\, \hat{e}(T_{CA}, S_A) = \hat{e}(P,P)^{a+b+c}$,
$B$: $k_B = \hat{e}(P,P)^b\, \hat{e}(T_{AB}, S_B)\, \hat{e}(T_{CB}, S_B) = \hat{e}(P,P)^{a+b+c}$,
$C$: $k_C = \hat{e}(P,P)^c\, \hat{e}(T_{AC}, S_C)\, \hat{e}(T_{BC}, S_C) = \hat{e}(P,P)^{a+b+c}$.
After the protocol has finished, all three entities share the session key, which is computed as $K = H_3(ID_A \| ID_B \| ID_C \| upk_A \| upk_B \| upk_C \| T_{AB} \| T_{AC} \| T_{BA} \| T_{BC} \| T_{CA} \| T_{CB} \| \hat{e}(P,P)^{a+b+c})$.

3.2. Forward security attack

Suppose that $A$'s long-term private key $S_A$ and $B$'s long-term private key $S_B$ have been compromised. In the following, we show that an adversary $\mathcal{A}$ who knows $S_A$ and $S_B$ can obtain previously established session keys. Assume that $\mathcal{A}$ has eavesdropped on the transferred messages $T_{BA}, T_{CA}, T_{AB}, T_{CB}, T_{AC}$ and $T_{BC}$. From the values $T_{BA}, T_{AB}, T_{CA}, S_A$ and $S_B$, $\mathcal{A}$ can compute
$$k = \hat{e}(T_{AB}, S_B)\, \hat{e}(T_{BA}, S_A)\, \hat{e}(T_{CA}, S_A) = \hat{e}(P,P)^{a+b+c},$$
from which he can construct the session key. Thus the XCQ-11 protocol cannot provide forward secrecy.

3.3. KCI attack by a common adversary

Suppose that $A$'s long-term private key $S_A$ and $B$'s long-term private key $S_B$ have been compromised. Obviously, $\mathcal{A}$ is now able to impersonate the corrupted parties to any other party. However, it is also desirable that knowledge of the full private keys does not enable $\mathcal{A}$ to impersonate other entities to the corrupted parties. Accordingly, in a three-party key agreement protocol, a KCI attack is an attack whereby $\mathcal{A}$, with $A$'s and $B$'s long-term private keys at hand, attempts to establish a valid session key with $A$ and $B$ by masquerading as another legitimate entity (say $C$).

A detailed description of the KCI attack by a common adversary against the XCQ-11 protocol is outlined below ($\mathcal{A}(C)$ denotes that $\mathcal{A}$ is impersonating $C$).
(1) $A, B, \mathcal{A}(C)$: choose $a, b, c' \in \mathbb{Z}_q^*$.
(2) $A \to B$: $T_{AB} = a(upk_B + H_2(upk_B) Q_B)$,
$A \to \mathcal{A}(C)$: $T_{AC} = a(upk_C + H_2(upk_C) Q_C)$,
$B \to A$: $T_{BA} = b(upk_A + H_2(upk_A) Q_A)$,
$B \to \mathcal{A}(C)$: $T_{BC} = b(upk_C + H_2(upk_C) Q_C)$,
$\mathcal{A}(C) \to A$: $T_{CA} = c'(upk_A + H_2(upk_A) Q_A)$,
$\mathcal{A}(C) \to B$: $T_{CB} = c'(upk_B + H_2(upk_B) Q_B)$.
(3) $A$ and $B$ compute the session key according to the protocol specification. $\mathcal{A}(C)$ computes the session key as follows:
$$k_{\mathcal{A}(C)} = \hat{e}(P,P)^{c'}\, \hat{e}(T_{AB}, S_B)\, \hat{e}(T_{BA}, S_A) = \hat{e}(P,P)^{a+b+c'},$$
$$K = H_3(ID_A \| ID_B \| ID_C \| upk_A \| upk_B \| upk_C \| T_{AB} \| T_{AC} \| T_{BA} \| T_{BC} \| T_{CA} \| T_{CB} \| \hat{e}(P,P)^{a+b+c'}).$$
So $\mathcal{A}$ successfully agrees on a session key $K$ with entities $A$ and $B$, while $A$ and $B$ believe they are sharing the key with entity $C$. Thus the KCI attack by a common adversary is successful.

3.4. An attack by an adversary who knows all users' secret values

An adversary who knows all users' secret values can compute the session key of the XCQ-11 protocol with the following method. From the values $T_{AB}, T_{AC}, T_{BA}, T_{BC}, T_{CA}, T_{CB}, upk_A, upk_B, upk_C, q_A, q_B, q_C, x_A, x_B$ and $x_C$, the adversary can compute the following three points:
$$\begin{aligned}
aP &= (q_B - q_C)^{-1}\big((x_B + H_2(upk_B))^{-1} T_{AB} - (x_C + H_2(upk_C))^{-1} T_{AC}\big) \\
&= (q_B - q_C)^{-1}\big((x_B + H_2(upk_B))^{-1}\, a\,(x_B + H_2(upk_B)) Q_B - (x_C + H_2(upk_C))^{-1}\, a\,(x_C + H_2(upk_C)) Q_C\big) \\
&= (q_B - q_C)^{-1}(aQ_B - aQ_C) \\
&= (q_B - q_C)^{-1}(q_B - q_C)\, aP,
\end{aligned}$$
$$bP = (q_A - q_C)^{-1}\big((x_A + H_2(upk_A))^{-1} T_{BA} - (x_C + H_2(upk_C))^{-1} T_{BC}\big),$$
$$cP = (q_A - q_B)^{-1}\big((x_A + H_2(upk_A))^{-1} T_{CA} - (x_B + H_2(upk_B))^{-1} T_{CB}\big).$$
Then the adversary can compute $k = \hat{e}(aP + bP + cP, P) = \hat{e}(P,P)^{a+b+c}$, from which he can obtain the session key.

3.5. Improved protocol

The reason why the XCQ-11 protocol suffers from the above three attacks is that it lacks message origin authentication. To remove these weaknesses, we give a simple improvement that uses signatures to achieve message origin authentication and follows the same design idea as the protocols in [14, 17].

• Setup: This phase is the same as that in Section 3.1 except that a secure signature scheme from pairings is chosen and $H_3$ is modified to $H_3: \{0,1\}^* \times G_1 \times G_2 \to \{0,1\}^k$.
• PartialKeyGen and UserKeyGen: These two phases are the same as those in Section 3.1.
• Key Agreement: This phase is the same as that in Section 3.1 except for the following message flows and computations of a protocol run.
(1) $A, B, C$: choose $a, b, c \in \mathbb{Z}_q^*$.
(2) $A \to B, C$: $\{T_A = aP, \sigma_A\}$, where $\sigma_A$ is the signature on $T_A$ and $upk_A$ under $A$'s full private key $S_A$.
$B \to A, C$: $\{T_B = bP, \sigma_B\}$, where $\sigma_B$ is the signature on $T_B$ and $upk_B$ under $B$'s full private key $S_B$.
$C \to A, B$: $\{T_C = cP, \sigma_C\}$, where $\sigma_C$ is the signature on $T_C$ and $upk_C$ under $C$'s full private key $S_C$.
(3) $A$ verifies the validity of $\sigma_B$ and $\sigma_C$. If both are valid, $A$ computes $k_A = \hat{e}(T_B, T_C)^a$.
$B$ verifies the validity of $\sigma_A$ and $\sigma_C$. If both are valid, $B$ computes $k_B = \hat{e}(T_A, T_C)^b$.
$C$ verifies the validity of $\sigma_A$ and $\sigma_B$. If both are valid, $C$ computes $k_C = \hat{e}(T_A, T_B)^c$.
After the protocol has finished, all three entities share the session key, which is computed as $K = H_3(ID_A \| ID_B \| ID_C \| upk_A \| upk_B \| upk_C \| T_A \| T_B \| T_C \| \hat{e}(P,P)^{abc})$.

With this modification, the improved protocol can withstand the above attacks, for the following reasons. The resulting session key of our improved protocol is independent of the participants' full private keys, as the full private keys are used only to generate signatures. That is to say, compromising the full private keys of all participants does not help to compute the session key. Hence, the improved protocol provides perfect forward secrecy and resists the attack described in Section 3.4. Furthermore, an adversary who wants to impersonate a user must generate a correct signature, which he cannot do without the user's full private key. Thus the improved protocol resists the KCI attack by a common adversary.
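The following Python model is an added example, not code from the paper or from the XCQ-11 authors. It replaces the pairing with a constructed toy in which $G_1$ and $G_2$ are both written additively (so $\hat{e}(uP, vP) = uv \bmod q$ is trivially bilinear) and checks the algebra of Section 3: the three parties of XCQ-11 agree on $\hat{e}(P,P)^{a+b+c}$, that value is already determined by $S_A$, $S_B$ and the transcript (Section 3.2) and by the secret values $x_U$ and public data (Section 3.4), whereas the improved shared value $\hat{e}(T_V, T_W)^u$ of Section 3.5 involves no long-term key at all. The identities, seed and hash-to-$\mathbb{Z}_q^*$ helper are assumptions; signatures of the improved protocol are omitted since only the key algebra is checked.

```python
import hashlib
import random

# Constructed toy model, not the paper's parameters: G1 is Z_q written additively
# with generator P = 1, and the target group G2 is also written additively, so
# e(uP, vP) = u*v mod q is bilinear. Discrete logs are trivial here; the model only
# checks that the protocol's algebraic identities hold, as a pairing library would.
q = (1 << 61) - 1            # Mersenne prime, group order
rng = random.Random(2013)    # fixed seed so the run is reproducible

def pair(u, v):              # e(uP, vP) = e(P, P)^{uv}, held as the exponent uv
    return (u * v) % q

def gt_mul(*elts):           # product in G2: exponents add
    return sum(elts) % q

def gt_pow(elt, k):          # elt^k in G2: exponent is multiplied by k
    return (elt * k) % q

def inv(z):                  # inverse in Z_q^*
    return pow(z % q, -1, q)

def H(tag, *parts):          # H1, H2 of the paper: hash onto Z_q^* (assumed construction)
    data = "|".join([tag] + [str(x) for x in parts]).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (q - 1) + 1

x = rng.randrange(1, q)      # KGC master key
P0 = x                       # P0 = xP

def user_keygen(ident):
    q_u = H("H1", ident)
    s_u = inv(x + q_u)                          # partial key s_U = (x + q_U)^{-1} P
    Q_u = (P0 + q_u) % q                        # Q_U = P0 + q_U P
    x_u = rng.randrange(1, q)                   # user secret value
    upk = (x_u * Q_u) % q                       # upk_U = x_U Q_U
    S_u = (inv(x_u + H("H2", upk)) * s_u) % q   # full private key S_U
    return {"id": ident, "q": q_u, "Q": Q_u, "x": x_u, "upk": upk, "S": S_u}

def T(eph, peer):            # T_UV = u (upk_V + H2(upk_V) Q_V)
    return (eph * (peer["upk"] + H("H2", peer["upk"]) * peer["Q"])) % q

def run_xcq11():
    """One honest run; returns the parties, the transcript and e(P,P)^{a+b+c}."""
    A, B, C = (user_keygen(i) for i in ("alice", "bob", "carol"))
    a, b, c = (rng.randrange(1, q) for _ in range(3))
    tr = {"AB": T(a, B), "AC": T(a, C), "BA": T(b, A),
          "BC": T(b, C), "CA": T(c, A), "CB": T(c, B)}
    ePP = pair(1, 1)
    kA = gt_mul(gt_pow(ePP, a), pair(tr["BA"], A["S"]), pair(tr["CA"], A["S"]))
    kB = gt_mul(gt_pow(ePP, b), pair(tr["AB"], B["S"]), pair(tr["CB"], B["S"]))
    kC = gt_mul(gt_pow(ePP, c), pair(tr["AC"], C["S"]), pair(tr["BC"], C["S"]))
    assert kA == kB == kC == gt_pow(ePP, a + b + c)
    return A, B, C, tr, kA

def from_long_term_keys(A, B, tr):
    """Section 3.2: S_A, S_B and the public transcript already determine the key."""
    return gt_mul(pair(tr["AB"], B["S"]), pair(tr["BA"], A["S"]), pair(tr["CA"], A["S"]))

def from_secret_values(A, B, C, tr):
    """Section 3.4: the user secret values x_U and public data give aP, bP, cP."""
    def unblind(U, t):       # (x_U + H2(upk_U))^{-1} T_?U equals (ephemeral) Q_U
        return (inv(U["x"] + H("H2", U["upk"])) * t) % q
    aP = (inv(B["q"] - C["q"]) * (unblind(B, tr["AB"]) - unblind(C, tr["AC"]))) % q
    bP = (inv(A["q"] - C["q"]) * (unblind(A, tr["BA"]) - unblind(C, tr["BC"]))) % q
    cP = (inv(A["q"] - B["q"]) * (unblind(A, tr["CA"]) - unblind(B, tr["CB"]))) % q
    return pair((aP + bP + cP) % q, 1)

def improved_shared_value():
    """Section 3.5: with T_U = uP the shared value e(T_V, T_W)^u needs no S_U."""
    a, b, c = (rng.randrange(1, q) for _ in range(3))
    kA, kB, kC = gt_pow(pair(b, c), a), gt_pow(pair(a, c), b), gt_pow(pair(a, b), c)
    return kA == kB == kC == gt_pow(pair(1, 1), a * b * c)

def check_xcq11():
    """True/True when the Section 3.2 and 3.4 identities reproduce the agreed value."""
    A, B, C, tr, k = run_xcq11()
    return (from_long_term_keys(A, B, tr) == k, from_secret_values(A, B, C, tr) == k)
```

Swapping `pair`, `gt_mul` and `gt_pow` for a real Type-1 pairing library turns the same checks into a test of an actual implementation.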
4. The XCL-12 protocol and its analysis and improvement
In this section, we first review the XCL-12 protocol [16], then show that it is vulnerable to two types of KCI attacks, and finally propose an efficient countermeasure that resists these attacks.
4.1. Review of the XCL-12 protocol

The XCL-12 protocol [16] is described as follows.

• Setup: Given a security parameter $k \in \mathbb{Z}$, the algorithm works as follows.
(1) It runs the parameter generator on input $k$ to generate a prime $q$, two groups $G_1, G_2$ of prime order $q$, a generator $P$ of $G_1$, and an admissible pairing $\hat{e}: G_1 \times G_1 \to G_2$.
(2) It chooses a master key $x \in \mathbb{Z}_q^*$ and computes $P_0 = xP$.
(3) It chooses two cryptographically secure hash functions $H_1: \{0,1\}^* \times G_1 \to \mathbb{Z}_q^*$ and $H_2: \{0,1\}^* \times G_1 \times G_2 \to \{0,1\}^k$. Finally, the KGC's master key $x$ is kept secret and the system parameters $\{q, G_1, G_2, \hat{e}, P, P_0, H_1, H_2\}$ are published.

• PartialKeyGen: Given a user's identity $ID_U \in \{0,1\}^*$, KGC first chooses $r_U \in \mathbb{Z}_q^*$ at random and computes $R_U = r_U P$, $h = H_1(ID_U \| R_U)$ and $s_U = (r_U + hx)^{-1}$. It then sets this user's partial private key to $\{s_U, R_U\}$ and transmits it to user $ID_U$ secretly. It is easy to see that user $ID_U$ can validate his/her partial private key by checking whether the equation $s_U(R_U + H_1(ID_U \| R_U) P_0) = P$ holds. The partial key is valid if and only if the equation holds.

• UserKeyGen: User $ID_U$ picks $x_U \in \mathbb{Z}_q^*$ at random as his/her user secret key $usk_U$, and computes his/her public key as $upk_U = x_U P$.

• Key Agreement: Assume that an entity $A$ with identity $ID_A$ has full private key $(s_A, R_A, x_A)$ and public key $upk_A$, an entity $B$ with identity $ID_B$ has full private key $(s_B, R_B, x_B)$ and public key $upk_B$, and an entity $C$ with identity $ID_C$ has full private key $(s_C, R_C, x_C)$ and public key $upk_C$. The message flows and computations of a protocol run are described below.
(1) $A, B, C$: choose $a, b, c \in \mathbb{Z}_q^*$.
(2) $A \to B, C$: $\{ID_A, upk_A, R_A\}$
$B \to A$: $\{ID_B, upk_B, R_B, T_{BA} = b(R_A + H_1(ID_A \| R_A) P_0)\}$
$C \to A$: $\{ID_C, upk_C, R_C, T_{CA} = c(R_A + H_1(ID_A \| R_A) P_0)\}$
$A \to B$: $T_{AB} = a(R_B + H_1(ID_B \| R_B) P_0)$
$A \to C$: $T_{AC} = a(R_C + H_1(ID_C \| R_C) P_0)$
$B \to C$: $\{ID_B, upk_B, R_B\}$
$C \to B$: $\{ID_C, upk_C, R_C, T_{CB} = c(R_B + H_1(ID_B \| R_B) P_0)\}$
$B \to C$: $T_{BC} = b(R_C + H_1(ID_C \| R_C) P_0)$.
(3) $A$ computes:
$k^1_{ABC} = aP + s_A T_{BA} + s_A T_{CA} = aP + bP + cP = (a+b+c)P$,
$k^2_{ABC} = \hat{e}(s_A T_{BA}, s_A T_{CA})^a = \hat{e}(bP, cP)^a = \hat{e}(P,P)^{abc}$,
$k^3_{ABC} = \hat{e}(upk_B, upk_C)^{x_A} = \hat{e}(P,P)^{x_A x_B x_C}$.
$B$ computes:
$k^1_{ABC} = bP + s_B T_{AB} + s_B T_{CB} = bP + aP + cP = (a+b+c)P$,
$k^2_{ABC} = \hat{e}(s_B T_{AB}, s_B T_{CB})^b = \hat{e}(aP, cP)^b = \hat{e}(P,P)^{abc}$,
$k^3_{ABC} = \hat{e}(upk_A, upk_C)^{x_B} = \hat{e}(P,P)^{x_A x_B x_C}$.
$C$ computes:
$k^1_{ABC} = cP + s_C T_{AC} + s_C T_{BC} = cP + aP + bP = (a+b+c)P$,
$k^2_{ABC} = \hat{e}(s_C T_{AC}, s_C T_{BC})^c = \hat{e}(aP, bP)^c = \hat{e}(P,P)^{abc}$,
$k^3_{ABC} = \hat{e}(upk_A, upk_B)^{x_C} = \hat{e}(P,P)^{x_A x_B x_C}$.
After the protocol has finished, all three entities share the session key, which is computed as $K = H_2(ID_A \| ID_B \| ID_C \| upk_A \| upk_B \| upk_C \| T_{AB} \| T_{AC} \| T_{BA} \| T_{BC} \| T_{CA} \| T_{CB} \| (a+b+c)P \| \hat{e}(P,P)^{abc} \| \hat{e}(P,P)^{x_A x_B x_C})$.

4.2. KCI attack by a malicious KGC

Suppose the full private key $(s_A, R_A, x_A)$ of an entity $A$ is compromised by a malicious KGC (say $E$). Obviously, $E$ is now able to impersonate the corrupted party to any other party. However, it is also desirable that knowledge of the full private key does not enable $E$ to impersonate other entities to the corrupted party. Accordingly, in a three-party key agreement protocol, a KCI attack is an attack whereby $E$, with $A$'s long-term private key at hand, attempts to establish a valid session key with $A$ and $B$ by masquerading as another legitimate entity (say $C$).

A detailed description of the KCI attack by a malicious KGC against the XCL-12 protocol is outlined below ($E(C)$ denotes that $E$ is impersonating $C$). We note that a malicious KGC knows the partial key $(s_C, R_C)$ of $C$, since the user's partial key is generated by him; however, he cannot know the secret value $x_C$ of $C$.
(1) $A, B, E(C)$: choose $a, b, c' \in \mathbb{Z}_q^*$.
(2) $A \to B, E(C)$: $\{ID_A, upk_A, R_A\}$
$B \to A$: $\{ID_B, upk_B, R_B, T_{BA} = b(R_A + H_1(ID_A \| R_A) P_0)\}$
$E(C) \to A$: $\{ID_C, upk_C, R_C, T_{CA} = c'(R_A + H_1(ID_A \| R_A) P_0)\}$
$A \to B$: $T_{AB} = a(R_B + H_1(ID_B \| R_B) P_0)$
$A \to E(C)$: $T_{AC} = a(R_C + H_1(ID_C \| R_C) P_0)$
$B \to E(C)$: $\{ID_B, upk_B, R_B\}$
$E(C) \to B$: $\{ID_C, upk_C, R_C, T_{CB} = c'(R_B + H_1(ID_B \| R_B) P_0)\}$
$B \to E(C)$: $T_{BC} = b(R_C + H_1(ID_C \| R_C) P_0)$.
(3) $A$ and $B$ compute the session key according to the protocol specification. $E(C)$ computes the session key as follows:
$k^1_{ABC} = c'P + s_C T_{AC} + s_A T_{BA} = c'P + aP + bP = (a+b+c')P$,
$k^2_{ABC} = \hat{e}(s_C T_{AC}, s_A T_{BA})^{c'} = \hat{e}(aP, bP)^{c'} = \hat{e}(P,P)^{abc'}$,
$k^3_{ABC} = \hat{e}(upk_B, upk_C)^{x_A} = \hat{e}(P,P)^{x_A x_B x_C}$,
$K = H_2(ID_A \| ID_B \| ID_C \| upk_A \| upk_B \| upk_C \| T_{AB} \| T_{AC} \| T_{BA} \| T_{BC} \| T_{CA} \| T_{CB} \| (a+b+c')P \| \hat{e}(P,P)^{abc'} \| \hat{e}(P,P)^{x_A x_B x_C})$.
So $E$ successfully agrees on a session key $K$ with entities $A$ and $B$, while $A$ and $B$ believe they are sharing the key with entity $C$. Thus the KCI attack by a malicious KGC is successful.

4.3. KCI attack by a common adversary

Suppose that $A$'s full private key $(s_A, R_A, x_A)$ and $B$'s full private key $(s_B, R_B, x_B)$ have been compromised. Obviously, the adversary $\mathcal{A}$ is now able to impersonate the corrupted parties to any other party. However, it is also desirable that knowledge of the full private keys does not enable $\mathcal{A}$ to impersonate other entities to the corrupted parties. Accordingly, in a three-party key agreement protocol, a KCI attack is an attack whereby $\mathcal{A}$, with $A$'s and $B$'s long-term private keys at hand, attempts to establish a valid session key with $A$ and $B$ by masquerading as another legitimate entity (say $C$).

A detailed description of the KCI attack by a common adversary against the XCL-12 protocol is outlined below ($\mathcal{A}(C)$ denotes that $\mathcal{A}$ is impersonating $C$).
(1) $A, B, \mathcal{A}(C)$: choose $a, b, c'' \in \mathbb{Z}_q^*$.
(2) $A \to B, \mathcal{A}(C)$: $\{ID_A, upk_A, R_A\}$
$B \to A$: $\{ID_B, upk_B, R_B, T_{BA} = b(R_A + H_1(ID_A \| R_A) P_0)\}$
$\mathcal{A}(C) \to A$: $\{ID_C, upk_C, R_C, T_{CA} = c''(R_A + H_1(ID_A \| R_A) P_0)\}$
$A \to B$: $T_{AB} = a(R_B + H_1(ID_B \| R_B) P_0)$
$A \to \mathcal{A}(C)$: $T_{AC} = a(R_C + H_1(ID_C \| R_C) P_0)$
$B \to \mathcal{A}(C)$: $\{ID_B, upk_B, R_B\}$
$\mathcal{A}(C) \to B$: $\{ID_C, upk_C, R_C, T_{CB} = c''(R_B + H_1(ID_B \| R_B) P_0)\}$
$B \to \mathcal{A}(C)$: $T_{BC} = b(R_C + H_1(ID_C \| R_C) P_0)$.
(3) $A$ and $B$ compute the session key according to the protocol specification. $\mathcal{A}(C)$ computes the session key as follows:
$k^1_{ABC} = c''P + s_B T_{AB} + s_A T_{BA} = c''P + aP + bP = (a+b+c'')P$,
$k^2_{ABC} = \hat{e}(s_B T_{AB}, s_A T_{BA})^{c''} = \hat{e}(aP, bP)^{c''} = \hat{e}(P,P)^{abc''}$,
$k^3_{ABC} = \hat{e}(upk_B, upk_C)^{x_A} = \hat{e}(P,P)^{x_A x_B x_C}$,
$K = H_2(ID_A \| ID_B \| ID_C \| upk_A \| upk_B \| upk_C \| T_{AB} \| T_{AC} \| T_{BA} \| T_{BC} \| T_{CA} \| T_{CB} \| (a+b+c'')P \| \hat{e}(P,P)^{abc''} \| \hat{e}(P,P)^{x_A x_B x_C})$.
So $\mathcal{A}$ successfully agrees on a session key $K$ with entities $A$ and $B$, while $A$ and $B$ believe they are sharing the key with entity $C$. Thus the KCI attack by a common adversary is successful.

4.4. Improved protocol

Informally speaking, the XCL-12 protocol cannot resist the two types of KCI attacks because the inappropriate design of the shared values $k^1_{ABC}$, $k^2_{ABC}$ and $k^3_{ABC}$ means that the session key does not depend on all three parties' partial private keys, secret values and ephemeral secrets. To remove these weaknesses, we give the following efficient improvement, which modifies the three shared values.

• Setup, PartialKeyGen and UserKeyGen: These three phases are the same as those in Section 4.1.
• Key Agreement: This phase is the same as that in Section 4.1 except for the following computations.
$A$ computes:
$k^1_{ABC} = aP + s_A T_{BA} + s_A T_{CA} = aP + bP + cP = (a+b+c)P$,
$k^2_{ABC} = \hat{e}(s_A T_{BA} + R_B + H_1(ID_B \| R_B) P_0,\ s_A T_{CA} + R_C + H_1(ID_C \| R_C) P_0)^{a + s_A^{-1}} = \hat{e}(P,P)^{(a + s_A^{-1})(b + s_B^{-1})(c + s_C^{-1})}$,
$k^3_{ABC} = \hat{e}(s_A T_{BA} + upk_B,\ s_A T_{CA} + upk_C)^{a + x_A} = \hat{e}(P,P)^{(a + x_A)(b + x_B)(c + x_C)}$.
$B$ computes:
$k^1_{ABC} = bP + s_B T_{AB} + s_B T_{CB} = bP + aP + cP = (a+b+c)P$,
$k^2_{ABC} = \hat{e}(s_B T_{AB} + R_A + H_1(ID_A \| R_A) P_0,\ s_B T_{CB} + R_C + H_1(ID_C \| R_C) P_0)^{b + s_B^{-1}} = \hat{e}(P,P)^{(a + s_A^{-1})(b + s_B^{-1})(c + s_C^{-1})}$,
$k^3_{ABC} = \hat{e}(s_B T_{AB} + upk_A,\ s_B T_{CB} + upk_C)^{b + x_B} = \hat{e}(P,P)^{(a + x_A)(b + x_B)(c + x_C)}$.
$C$ computes:
$k^1_{ABC} = cP + s_C T_{AC} + s_C T_{BC} = cP + aP + bP = (a+b+c)P$,
$k^2_{ABC} = \hat{e}(s_C T_{AC} + R_A + H_1(ID_A \| R_A) P_0,\ s_C T_{BC} + R_B + H_1(ID_B \| R_B) P_0)^{c + s_C^{-1}} = \hat{e}(P,P)^{(a + s_A^{-1})(b + s_B^{-1})(c + s_C^{-1})}$,
$k^3_{ABC} = \hat{e}(s_C T_{AC} + upk_A,\ s_C T_{BC} + upk_B)^{c + x_C} = \hat{e}(P,P)^{(a + x_A)(b + x_B)(c + x_C)}$.
After the protocol has finished, all three entities share the session key, which is computed as $K = H_2(ID_A \| ID_B \| ID_C \| upk_A \| upk_B \| upk_C \| T_{AB} \| T_{AC} \| T_{BA} \| T_{BC} \| T_{CA} \| T_{CB} \| (a+b+c)P \| \hat{e}(P,P)^{(a + s_A^{-1})(b + s_B^{-1})(c + s_C^{-1})} \| \hat{e}(P,P)^{(a + x_A)(b + x_B)(c + x_C)})$.

With this modification, the improved protocol can withstand the two types of KCI attacks for the following reasons. As we know, a malicious KGC knows the partial private keys $(s_A, R_A)$, $(s_B, R_B)$ and $(s_C, R_C)$. Suppose the full private key $(s_A, R_A, x_A)$ of an entity $A$ is compromised by a malicious KGC. Then, if he wants to impersonate $C$ to $A$ and $B$, he would have to compute $k^3_{ABC} = \hat{e}(s_C T_{AC} + x_A P,\ s_C T_{BC} + upk_B)^{c' + x_C}$. However, without the knowledge of $a$ and $x_C$, the malicious KGC cannot compute $k^3_{ABC}$, since he would have to know $b$ and $x_B$, which is not permitted. Suppose instead that $A$'s full private key $(s_A, R_A, x_A)$ and $B$'s full private key $(s_B, R_B, x_B)$ have been compromised by an adversary $\mathcal{A}$. Then, if he wants to impersonate $C$ to $A$ and $B$, he would have to compute $k^2_{ABC} = \hat{e}(s_B T_{AB} + s_A^{-1} P,\ s_A T_{BA} + s_A^{-1} P)^{c'' + s_C^{-1}}$ and $k^3_{ABC} = \hat{e}(s_B T_{AB} + x_A P,\ s_A T_{BA} + x_B P)^{c'' + x_C}$. However, without the knowledge of $a$ and $b$, $\mathcal{A}$ cannot compute $k^2_{ABC}$ and $k^3_{ABC}$, since he would have to know $s_C$ and $x_C$, which is not permitted. Furthermore, our improved protocol is as efficient as the XCL-12 protocol, since it adds only 4 point additions.
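The following Python model is an added example, not code from the paper or from the XCL-12 authors. Using the same constructed toy pairing as above ($G_1$ and $G_2$ written additively over $\mathbb{Z}_q$, so $\hat{e}(uP, vP) = uv \bmod q$), it runs the key agreement of Section 4.1 and of the improvement in Section 4.4 and checks that all three parties obtain the same $k^1_{ABC}, k^2_{ABC}, k^3_{ABC}$ and that these equal the paper's closed forms, in particular $\hat{e}(P,P)^{(a + s_A^{-1})(b + s_B^{-1})(c + s_C^{-1})}$ and $\hat{e}(P,P)^{(a+x_A)(b+x_B)(c+x_C)}$. The identities, seed and hash-to-$\mathbb{Z}_q^*$ helper are assumptions.

```python
import hashlib
import random

# Constructed toy model, not the paper's parameters: G1 is Z_q written additively
# with generator P = 1, and the target group G2 is written additively too, so
# e(uP, vP) = u*v mod q is bilinear. It only checks the algebra of Section 4.
q = (1 << 61) - 1            # Mersenne prime, group order
rng = random.Random(2012)    # fixed seed so the run is reproducible

def pair(u, v):              # e(uP, vP) = e(P, P)^{uv}, held as the exponent uv
    return (u * v) % q

def gt_pow(elt, k):          # elt^k in G2: exponent is multiplied by k
    return (elt * k) % q

def inv(z):                  # inverse in Z_q^*
    return pow(z % q, -1, q)

def H1(ident, R):            # H1(ID_U || R_U) onto Z_q^* (assumed construction)
    digest = hashlib.sha256(f"H1|{ident}|{R}".encode()).digest()
    return int.from_bytes(digest, "big") % (q - 1) + 1

x = rng.randrange(1, q)      # KGC master key
P0 = x                       # P0 = xP

def user_keygen(ident):
    r = rng.randrange(1, q)
    R = r                                           # R_U = r_U P
    s = inv(r + H1(ident, R) * x)                   # s_U = (r_U + h x)^{-1}
    assert (s * (R + H1(ident, R) * P0)) % q == 1   # user's check: s_U (R_U + h P0) = P
    x_u = rng.randrange(1, q)                       # user secret value
    return {"id": ident, "s": s, "R": R, "x": x_u, "upk": x_u}   # upk_U = x_U P

def pub_point(U):            # R_U + H1(ID_U || R_U) P0, which equals s_U^{-1} P
    return (U["R"] + H1(U["id"], U["R"]) * P0) % q

def T(eph, peer):            # T_UV = u (R_V + H1(ID_V || R_V) P0)
    return (eph * pub_point(peer)) % q

def shared_values(U, eph, V, t_VU, W, t_WU, improved):
    """k^1, k^2, k^3 as computed by U from its ephemeral and the two messages."""
    vP = (U["s"] * t_VU) % q                  # s_U T_VU = vP
    wP = (U["s"] * t_WU) % q
    k1 = (eph + vP + wP) % q                  # (a + b + c) P
    if not improved:                          # XCL-12 as reviewed in Section 4.1
        k2 = gt_pow(pair(vP, wP), eph)
        k3 = gt_pow(pair(V["upk"], W["upk"]), U["x"])
    else:                                     # modified values of Section 4.4
        k2 = gt_pow(pair((vP + pub_point(V)) % q, (wP + pub_point(W)) % q),
                    eph + inv(U["s"]))
        k3 = gt_pow(pair((vP + V["upk"]) % q, (wP + W["upk"]) % q), eph + U["x"])
    return k1, k2, k3

def check_xcl12(improved):
    """True when all three parties agree and the values match the closed forms."""
    A, B, C = (user_keygen(i) for i in ("alice", "bob", "carol"))
    a, b, c = (rng.randrange(1, q) for _ in range(3))
    kA = shared_values(A, a, B, T(b, A), C, T(c, A), improved)
    kB = shared_values(B, b, A, T(a, B), C, T(c, B), improved)
    kC = shared_values(C, c, A, T(a, C), B, T(b, C), improved)
    if improved:
        iA, iB, iC = (inv(U["s"]) for U in (A, B, C))     # s_U^{-1}
        want = ((a + b + c) % q,
                ((a + iA) * (b + iB) * (c + iC)) % q,
                ((a + A["x"]) * (b + B["x"]) * (c + C["x"])) % q)
    else:
        want = ((a + b + c) % q, (a * b * c) % q, (A["x"] * B["x"] * C["x"]) % q)
    return kA == kB == kC == want
```

The improved closed forms make visible what the text argues: every factor of $k^2_{ABC}$ and $k^3_{ABC}$ now carries one party's ephemeral together with that party's partial key or secret value.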
5. Conclusion
In this paper, we have shown that Xiong et al.'s protocol [15] suffers from an FS attack, a KCI attack and an attack by adversaries who know all users' secret values, and we have proposed a simple improvement to remove these flaws. We have also shown that Xiong et al.'s protocol [16] cannot resist two types of KCI attacks and proposed an efficient improvement to remove these flaws.
Acknowledgement
This work is supported by NSFC (Grant Nos. 61272057, 61202434, 61170270, 61100203, 61003286, 61121061) and the Fundamental Research Funds for the Central Universities (Grant Nos. 2012RC0612, 2011YB01).
References

[1] A. Shamir, Identity-based cryptosystems and signature schemes, Advances in Cryptology - Crypto 1984, LNCS 196, Berlin: Springer-Verlag, 1984, pp. 47-53.
[2] S. S. Al-Riyami and K. G. Paterson, Certificateless public key cryptography, Advances in Cryptology - Asiacrypt 2003, LNCS 2894, Berlin: Springer-Verlag, 2003, pp. 452-473.
[3] S.B. Wang, Z.F. Cao and X. Dong, Certificateless authenticated key agreement based on the MTI/CO protocol, Journal of Information and Computational Science 3(3) (2006), pp. 575-581.
[4] F. Wang and Y. Zhang, A new provably secure authentication and key agreement mechanism for SIP using certificateless public-key cryptography, Computer Communications 31(10) (2008), pp. 2142-2149.
[5] C. Swanson and D. Jao, A study of two-party certificateless authenticated key agreement protocols, Indocrypt 2009, LNCS 5922, Springer-Verlag, 2009, pp. 57-71.
[6] G. Lippold, C. Boyd and J. Manuel Gonzalez Nieto, Strongly secure certificateless key agreement, Pairing 2009, 2009, pp. 206-230.
[7] L. Zhang, F.T. Zhang, Q.H. Wu and J. Domingo-Ferrer, Simulatable certificateless two party authenticated key agreement protocol, Information Sciences 180(6) (2010), pp. 1020-1030.
[8] D.B. He, Y. Chen and J. Chen, A pairing-free certificateless authenticated key agreement protocol, International Journal of Communication Systems 25(2) (2012), pp. 221-230.
[9] D.B. He, Y. Chen, J. Chen, R. Zhang and W. Han, A new two-round certificateless authenticated key agreement protocol without bilinear pairings, Mathematical and Computer Modelling 54(11-12) (2011), pp. 3143-3152.
[10] H. Xiong, Q. Wu and Z. Ch, Toward pairing-free certificateless authenticated key exchanges, ISC 2011, LNCS 7001, Springer-Verlag, 2011, pp. 79-94.
[11] G. Yang and C. Tan, Strongly secure certificateless key exchange without pairing, The 6th ACM Symposium on Information, Computer and Communications Security, 2011, pp. 71-79.
[12] D. He, S. Padhye and J. Chen, An efficient certificateless two-party authenticated key agreement protocol, Computers and Mathematics with Applications (2012), doi:10.1016/j.camwa.2012.03.044.
[13] Meng Gao, Futai Zhang and Manman Geng, An efficient certificateless authenticated tripartite key agreement protocol, 3rd International Conference on Management and Service Science, Wuhan, China, 2009, pp. 1-4.
[14] J.B. Hu, H. Xiong, Z. Guan, C. Tang, Y.G. Wang, W. Xin and Z. Chen, Yet another certificateless three-party authenticated key agreement protocol, The 9th IEEE International Symposium on Parallel and Distributed Processing with Applications Workshops, 2012, pp. 222-226.
[15] H. Xiong, Z. Chen and Z.G. Qin, Efficient three-party authenticated key agreement protocol in certificateless cryptography, International Journal of Computer Mathematics 88(13) (2011), pp. 2707-2716.
[16] H. Xiong, Z. Chen and F. Li, Provably secure and efficient certificateless authenticated tripartite key agreement protocol, Mathematical and Computer Modelling 55(3-4) (2012), pp. 1213-1221.
[17] Kyung-Ah Shim, A round-optimal three-party ID-based authenticated key agreement protocol, Information Sciences 186 (2012), pp. 239-248.