Strongly-Secure Identity-Based Key Agreement and Anonymous Extension
Lecture Notes in Computer Science
We study the provable security of identity-based (ID-based) key agreement protocols. Although several published protocols have been proven secure in the random oracle model, only a weak adversarial model is considered -the adversary is not allowed to ask Session-Key Reveal queries that will allow the adversary to learn previously established session keys. Recent research efforts devoted to providing a stronger level of security require strong assumptions, such as assuming that the simulator has
... access to a non-existential computational or decisional oracle. In this work, we propose an ID-based key agreement protocol and prove its security in the widely accepted indistinguishability-based model of Canetti and Krawczyk. In our proof, the simulator does not require access to any non-existential computational or decisional oracle. We then extend our basic protocol to support ad-hoc anonymous key agreement with bilateral privacy. To the best of our knowledge, this is the first protocol of its kind as previously published protocols are for fixed group and provide only unilateral privacy (i.e., only one of the protocol participants enjoy anonymity). Privacy issues: Confidentiality of identity Anonymity is required in many applications to ensure that the identifying information about the user is not revealed. This concept is also useful and applicable to key agreement protocol. Suppose two entities, U and V, want to exchange confidential messages. In anonymous key agreement protocols such as the protocols of Boyd and Park  and of Shoup , U's identity is not known to anyone in the network except V -the recipient entity in the key agreement protocol. This work considers anonymity from a slightly different perspective. Although V knows that U is a member of a group of users, V is unable to confirm the actual identity of U. This class of protocol is useful when V only needs to ensure the membership of the sender, but not the identity of the user, perhaps, due to privacy issues. Our protocol provides deniability  for any user who has taken part in a protocol run to deny that this was the case, since any one can simulate runs of the protocol involving any other potential user. Related Work and Our Contributions Session-Key Reveal and Session-State Reveal Queries Recent research efforts have been devoted towards designing protocols that can be proven secure in a model that allows the Session-Key Reveal queries. For example, the ID-based protocols of Chen and Kudla  and McCullagh and Barreto  were improved  to ensure that these protocols can be proven secure in a less restrictive sense (the adversary is allowed to ask Session-Key Reveal queries in most cases) in the random oracle model, assuming bilinear Diffie-Hellman problem is intractable. The technicality of not being able to answer reveal queries in some special sessions can be resolved using the gap assumption -the underlying computational problem is intractable even with the help of a corresponding decisional oracle. Using the gap assumption, Kudla and Paterson  propose a generic transformation turning two-party Diffie-Hellman-based protocols proven secure in the wBR model to one in the full BR model. This is also applicable to two-party ID-based protocols such as the protocols of Chen and Kudla  and McCullagh and Barreto . However, gap assumption in  and  means the simulator has access to a decisional bilinear Diffie-Hellman oracle (in contrast with decisional Diffie-Hellman oracle that can be realized by some classes of pairing). Chow ( as cited in ) raised a similar observation. Along somewhat similar line, Wang  proposes a protocol based on a decisional problem by using a computational oracle to support the Session-Key Reveal queries. Again, the simulation in this proof requires the existence of a special oracle. Finally, we note that Cheng et al.  introduce the concept of coin queries that forces the adversary to reveal its ephemeral secret, and thus making Session-Key Reveal possible. Their approach is restricted in the sense that the possibility of breaking a protocol without knowing the ephemeral secret (which is possible in a real world attack) is not modelled. The Session-State Reveal query in the Canetti-Krawczyk model (hereafter referred to as the CK model)  allows an adversary to learn the ephemeral parameters associated with a particular session. An example of a protocol secure in this stronger model 2 is the HMQV protocol  , which is the "hashed" variant of the MQV protocol 3 . The basic version of HMQV is proven secure even if the adversary is allowed to ask Session-Key Reveal queries under the computational Diffie-Hellman assumption. The enhanced version of HMQV is proven secure even when the adversary learns the ephemeral Diffie-Hellman key associated with any non-target sessions, under the gap Diffie-Hellman assumption and knowledge of exponent assumption  . No security claim is, however, made about the availability of the keying material for the derivation of the session key. Our contribution: High-performance ID-based key agreement protocol We propose a new ID-based key agreement protocol. Security assurance of the protocol is provided in the 2 The relative strengths between the BR and CK models are discussed in  . 3 MQV's security is analyzed  . without consideration of Session-State Reveal query. SO queries : Suppose W V is received as the challenge and the designated verifier is ID V . For any signing query of ID I , S knows the corresponding private key, so the simulation can be done as a typical protocol invocation. Except for the following special handling for ID J , α and h are chosen randomly from Z * q and setting h = H 0 (αP − hQ J , m). If H 0 (αP − hQ J , m) is previously queried, another α is chosen. The signature (W J , e J ) can be computed by W J = αP − hQ J and e J =ê(αxP, W V ). It is easy to see the signature is valid sinceê( Forgery : Suppose F does not halt, now S returns σ * = (W * J , e * J ) as a valid signature. If it is not made on behalf of ID J , the simulation fails. Event 0 would not occur if ID J were chosen by F as the target of attack, such choice is made with probability 1/N Q where N Q is the number of H queries. Suppose the simulation does not abort we have e * J =ê(W * J + h * J yP, zP ) x where h * J = H 0 (W * J , m * ). We ignore the small probability that F can correctly guess the value of H 0 (W * J , m * ) without making the corresponding H 0 query. Now S runs F for a second time with the same settings except setting the response of H 0 query of (W J , m * ) as h J . By the standard forking lemma argument  , in this second time F gives a valid forgery with e J =ê(W * J +h J yP, zP ) x . The solution of the BDH problem is given by (e V ). The second run gives e J =ê(W * J + h J yP, zP + h V Q V ) x where h J = H 0 (W * J , m * J ) and h V = H 0 (W * V , m V ). Note that forger F may give another message m V in the second run since it is something which is under F's control. e J /e * J givesê( Notice that Q V is in the form of r V P , so xQ V can be computed as r V (xP ) by simulator S. Thus the last two term of the above expression can be cancelled out which leaves the termê((h J − h * J )yP, zP ) x . BDH problem can be solved in a similar way as the proof for our basic scheme.