Skip to main content

Identity-Based Identity-Concealed Authenticated Key Exchange

  • 1206 Accesses

Part of the Lecture Notes in Computer Science book series (LNSC,volume 12973)

Abstract

Identity-based authenticated key exchange (ID-AKE) allows two parties (whose identities are just their public keys) to agree on a shared session key over open channels. At ESORICS 2019, Tomida et al. proposed a highly efficient ID-AKE protocol, referred to as the TFNS19-protocol, under the motivation of providing authentication and secure communication for huge number of low-power IoT devices. The TFNS19-protocol currently stands for the most efficient ID-AKE based on bilinear pairings, where each user remarkably performs only a single pairing operation. But it does not consider users’ identity privacy, and the security is based on relatively non-standard assumptions.

In this work, we formulate and design identity-based identity-concealed AKE (IB-CAKE) protocols. Here, identity concealment means that the session transcript does not leak users’ identity information. We present a simple and highly practical IB-CAKE protocol, which is computationally more efficient than the remarkable TFNS19-protocol in total. We present a new security model for IB-CAKE, and show it is stronger than the ID-eCK model used for the TFNS19-protocol. The security of our IB-CAKE protocol is proved under relatively standard assumptions in the random oracle model, assuming the security of the underlying authenticated encryption and the gap bilinear Diffie-Hellman (Gap-BDH) problem. Finally, we provide the implementation results for the proposed IB-CAKE scheme, and present performance benchmark.

Keywords

  • Identity-based cryptography
  • Identity privacy
  • IoT authentication

This is a preview of subscription content, access via your institution.

Buying options

Chapter
USD   29.95
Price excludes VAT (USA)
  • DOI: 10.1007/978-3-030-88428-4_32
  • Chapter length: 25 pages
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
eBook
USD   89.00
Price excludes VAT (USA)
  • ISBN: 978-3-030-88428-4
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
Softcover Book
USD   119.99
Price excludes VAT (USA)
Fig. 1.

Notes

  1. 1.

    If \(SID_T'\) exists, whether exposing either the static keys of \(ID_{t_0},ID_{t_1}\) and \(ID_k\) via the \(\mathbf{StaKeyReveal} (ID_{i})\) oracle, or exposing the states of session \(SID_T\) and \(SID_{T}'\) via the \(\mathbf{STReveal} (SID)\) oracle, does not necessarily expose the test-session.

  2. 2.

    The unexposed case implies that the static secret-keys of both \(ID_t\) and \(ID_k\) could be exposed.

References

  1. Baek, J., Safavi-Naini, R., Susilo, W.: Efficient multi-receiver identity-based encryption and its application to broadcast encryption. In: Vaudenay, S. (ed.) PKC 2005. LNCS, vol. 3386, pp. 380–397. Springer, Heidelberg (2005). https://doi.org/10.1007/978-3-540-30580-4_26

    CrossRef  MATH  Google Scholar 

  2. Bellare, M., Namprempre, C.: Authenticated encryption: relations among notions and analysis of the generic composition paradigm. J. Cryptol. 21, 469–491 (2008). https://doi.org/10.1007/s00145-008-9026-x

    MathSciNet  CrossRef  MATH  Google Scholar 

  3. Blazy, O., Chevalier, C.: Non-interactive key exchange from identity-based encryption. In: ARES 2018, pp. 13:1–13:10. ACM, Hamburg (2018)

    Google Scholar 

  4. Boneh, D., Franklin, M.: Identity-based encryption from the weil pairing. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 213–229. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44647-8_13

    CrossRef  Google Scholar 

  5. Boyd, C., Cliff, Y., Gonzalez Nieto, J., Paterson, K.G.: Efficient one-round key exchange in the standard model. In: Mu, Y., Susilo, W., Seberry, J. (eds.) ACISP 2008. LNCS, vol. 5107, pp. 69–83. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-70500-0_6

    CrossRef  Google Scholar 

  6. Boyd, C., Mathuria, A., Stebila, D.: Protocols for Authentication and Key Establishment, 2nd edn. Springer, Heidelberg (2020). https://doi.org/10.1007/978-3-662-09527-0

    CrossRef  MATH  Google Scholar 

  7. Brzuska, C., Smart, N.P., Warinschi, B., Watson, G.J.: An analysis of the EMV channel establishment protocol. In: ACM CCS 2013, pp. 373–386. ACM Press, Berlin (2013)

    Google Scholar 

  8. Chen, L., Cheng, Z., Smart, N.P.: Identity-based key agreement protocols from pairings. Int. J. Inf. Secur. 6(4), 213–241 (2007). https://doi.org/10.1007/s10207-006-0011-9

    CrossRef  Google Scholar 

  9. Daniel, R.M., Rajsingh, E.B., Silas, S.: An efficient eCK secure identity based two party authenticated key agreement scheme with security against active adversaries. Inf. Comput. 275, 104630 (2020)

    MathSciNet  CrossRef  Google Scholar 

  10. Fiore, D., Gennaro, R.: Making the Diffie-Hellman protocol identity-based. In: Pieprzyk, J. (ed.) CT-RSA 2010. LNCS, vol. 5985, pp. 165–178. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-11925-5_12

    CrossRef  Google Scholar 

  11. Krawczyk, H., Paterson, K.G., Wee, H.: On the security of the TLS protocol: a systematic analysis. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 429–448. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40041-4_24

    CrossRef  Google Scholar 

  12. Krawczyk, H.: HMQV: a high-performance secure Diffie-Hellman protocol. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 546–566. Springer, Heidelberg (2005). https://doi.org/10.1007/11535218_33

    CrossRef  Google Scholar 

  13. Libert, B., Quisquater, J.-J.: Identity based undeniable signatures. In: Okamoto, T. (ed.) CT-RSA 2004. LNCS, vol. 2964, pp. 112–125. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24660-2_9

    CrossRef  Google Scholar 

  14. Ni, L., Chen, G., Li, J., Hao, Y.: Strongly secure identity-based authenticated key agreement protocols without bilinear pairings. Inf. Sci. 367–368, 176–193 (2016)

    CrossRef  Google Scholar 

  15. Okamoto, E., Tanaka, K.: Key distribution system based on identification information. IEEE J. Sel. Areas Commun. 7(4), 481–485 (1989)

    CrossRef  Google Scholar 

  16. Okamoto, E.: Key distribution systems based on identification information. In: Pomerance, C. (ed.) CRYPTO 1987. LNCS, vol. 293, pp. 194–202. Springer, Heidelberg (1988). https://doi.org/10.1007/3-540-48184-2_15

    CrossRef  Google Scholar 

  17. Paterson, K.G., Ristenpart, T., Shrimpton, T.: Tag size does matter: attacks and proofs for the TLS record protocol. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 372–389. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25385-0_20

    CrossRef  Google Scholar 

  18. Rescorla, E.: The transport layer security (TLS) protocol version 1.3, RFC 8446 (2018)

    Google Scholar 

  19. Rogaway, P.: Authenticated-encryption with associated-data. In: CCS 2002, pp. 98–107. ACM, Washington (2002)

    Google Scholar 

  20. Roskind, J.: Quick UDP internet connections: Multiplexed stream transport over UDP, 1(2), 77–94 (2012). https://www.chromium.org/quic

  21. Sakai, R., Ohgishi, K., Kasahara, M.: Cryptosystem based on pairings. In: Symposium on Cryptography and Information Security (SCIS), pp. 26–28 (2000)

    Google Scholar 

  22. Shamir, A.: Identity-based cryptosystems and signature schemes. In: Blakley, G.R., Chaum, D. (eds.) CRYPTO 1984. LNCS, vol. 196, pp. 47–53. Springer, Heidelberg (1985). https://doi.org/10.1007/3-540-39568-7_5

    CrossRef  Google Scholar 

  23. Shim, K.: Efficient ID-based authenticated key agreement protocol based on the Weil pairing. Electron. Lett. 39(8), 653–654 (2003)

    CrossRef  Google Scholar 

  24. Smart, N.P.: Identity-based authenticated key agreement protocol based on Weil pairing. Electron. Lett. 38(13), 630–632 (2002)

    CrossRef  Google Scholar 

  25. Tomida, J., Fujioka, A., Nagai, A., Suzuki, K.: Strongly secure identity-based key exchange with single pairing operation. In: Sako, K., Schneider, S., Ryan, P.Y.A. (eds.) ESORICS 2019. LNCS, vol. 11736, pp. 484–503. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-29962-0_23

    CrossRef  Google Scholar 

  26. Wu, J.-D., Tseng, Y.-M., Huang, S.-S.: An identity-based authenticated key exchange protocol resilient to continuous key leakage. IEEE Syst. J. 13(4), 3968–3979 (2019)

    CrossRef  Google Scholar 

  27. Xie, M., Wang, L.: One-round identity-based key exchange with perfect forward security. Inf. Process. Lett. 112(14–15), 587–591 (2012)

    MathSciNet  CrossRef  Google Scholar 

  28. Zhang, J., Huang, X., Wang, W., Yue, Y.: Unbalancing pairing-free identity-based authenticated key exchange protocols for disaster scenarios. IEEE Internet Things J. 6(1), 878–890 (2019)

    CrossRef  Google Scholar 

Download references

Acknowledgement

We are grateful to Prof. Satoshi Obana for shepherding on our submission, and for all the anonymous referees of ESORICS 2021 for their constructive and insightful review comments. We thank Shiyu Shen, Pengfei Shi and Hongbing Wang for many helpful discussions. This work was supported by National Key Research and Development Program of China (Grant No. 2017YFB0802000), National Natural Science Foundation of China (Grant Nos. U1536205, 61472084 and NSFC61702007), Shanghai Innovation Action Project under Grant No. 16DZ1100200, Shanghai Science and Technology Development Funds under Grant No. 16JC1400801, Shandong Provincial Key Research and Development Program of China (Grant Nos. 2017CXG0701 and 2018CXGC0701), and Foundations (Grant Nos. 2019M661360 (KLH2301024), gxbjZD27, KJ2018A0533, XWWD201801, ahnis20178002).

Author information

Authors and Affiliations

Authors

Corresponding authors

Correspondence to Huige Wang or Yunlei Zhao .

Editor information

Editors and Affiliations

Appendices

A Structures of IB-CAKE Protocol with Asymmetric Bilinear Pairing

1.1 A.1 Protocol Structure with Bilinear Pairing of Type-II

For the construction of our IB-CAKE protocol with Type-II bilinear pairing, an additional efficient publicly computable isomorphism \(\psi \) is required. Let \( \kappa \) be a secure parameter, \(\mathbb {G}_1\), \(\mathbb {G}_2\) and \(\mathbb {G}_T\) be three multiplicative bilinear map groups of the same prime order q such that the discrete algorithm problems in \(\mathbb {G}_1\), \(\mathbb {G}_2\) and \(\mathbb {G}_T\) are intractable, \(g_1\) be a generator of \(\mathbb {G}_1\), \(g_2= \psi (g_1)\) be a generator of \(\mathbb {G}_2\), the isomorphism \(\psi \) is for the purpose of mapping an element from \(\mathbb {G}_1\) to \(\mathbb {G}_2\), \({\hat{e}}:{\mathbb {G}_1}\times {\mathbb {G}_2} \rightarrow {\mathbb {G}_T} \) be a bilinear pairing. Let \( SE=(K_{se}, Enc, Dec) \) be an authenticated encryption with associated data (AEAD) scheme, where \( \mathcal {K} ={\{0,1\}}^{\kappa } \) is the key space of \( K_{se} \). Let \( H:{\{0,1\}}^{*} \rightarrow \mathbb {Z}_q^{*} \) and \( H_1 : {\{0,1\}}^{*} \rightarrow \mathbb {G}_1 \) be one-way collision-resistant cryptographic hash functions modeled as random oracles and \( KDF: {\{0,1\}}^{*} \rightarrow {\{0,1\}}^{p(\kappa )} \) be a key derivation function which is also modeled as a random oracle, where \( p(\kappa ) \) is a polynomial of \( \kappa \). The KGC first produces the system’s public parameters and the master secret key msk. Then it generates the private key \( SK_i=H_1{(ID_i)}^{msk} \) for the user with identity \( ID_i \). For presentation simplicity, we denote by Alice the anonymous session initiator, whose public identity and private key are \( {ID}_A \) and \( {SK}_A={(H_1({ID}_A))}^{msk} \), and by Bob the session responder, whose public identity and private key are \({ID}_B\) and \({SK}_B={(H_1({ID}_B))}^{msk}\). The structure is described in Fig. 2.

  • The initiator A selects \( r_A \leftarrow \mathbb {Z}_q^*\), computes \( x=H({SK}_A,r_A) \) and \( X={(H_1({ID}_A))}^{x} \). It sends X to B.

  • Upon receiving X, B checks whether \( X \in \mathbb {G}_1/1_{\mathbb {G}_1} \) and aborts if not. B selects \( r_B\leftarrow \mathbb {Z}_q^*\), computes \( y=H({SK}_B,r_B) \) and \( Y={(H_1({ID}_B))}^{y} \). Then B sets the primary secret \( {PS}_B=e(X,\psi (SK_B))^y \), derives keys \( (K_1,K_2)\leftarrow KDF({PS}_B,X\parallel Y) \) and computes \( C_B=Enc_{K_1}({ID}_B,y) \). Finally, B sends \( (Y,C_B) \) to A.

  • Upon receiving \( (Y,C_B) \), A sets primary secret \( {PS}_A=e({SK}_A,\psi (Y))^x \), derives keys \( (K_1,K_2)\leftarrow KDF({PS}_A,X\parallel Y) \) and decrypts the ciphertext \( C_B \) by using \( K_1 \) to get the identity \( ID_B \) and y. Then A verifies if \( y\in {Z_q}^{*} \) and \( Y=(H_1(ID_B))^{y} \), if so, it computes \( C_A=Enc_{K_1}(ID_A,x) \) and the session key is set to be \( K_2 \). Finally, A sends \( C_A \) to B.

  • Upon receiving \( C_A \), B runs \( Dec_{K_1}(C_A) \rightarrow (ID_A,x) \). Then it verifies if \( x\in Z_q^{*} \) and \( X={(H_1(ID_A))}^x \), if so, the session key is set to be \( K_2 \).

Fig. 2.
figure 2

Construction of IB-CAKE with Type-II bilinear mapping

1.2 A.2 Protocol Structure with Bilinear Pairing of Type-III

For the construction of our IB-CAKE protocol with Type-III bilinear pairing, the private key SK of any user ID is replaced by a pair of key \((SK^I,SK^R)\), where \(SK^I\) is used when the user is an initiator in a session and \(SK^R\) is used when the user is a responder in a session. Let \( \kappa \) be a secure parameter, \(\mathbb {G}_1\), \(\mathbb {G}_2\) and \(\mathbb {G}_T\) be three multiplicative bilinear map groups of the same prime order q such that the discrete algorithm problems in \(\mathbb {G}_1\), \(\mathbb {G}_2\) and \(\mathbb {G}_T\) are intractable, \(g_1\) be a generator of \(\mathbb {G}_1\), \(g_2\) be a generator of \(\mathbb {G}_2\), \({\hat{e}}:{\mathbb {G}_1}\times {\mathbb {G}_2} \rightarrow {\mathbb {G}_T} \) be a bilinear pairing. Let \( H:{\{0,1\}}^{*} \rightarrow \mathbb {Z}_q^{*} \), \( H_1 : {\{0,1\}}^{*} \rightarrow \mathbb {G}_1 \) and \( H_2 : {\{0,1\}}^{*} \rightarrow \mathbb {G}_2 \) be one-way collision-resistant cryptographic hash functions modeled as random oracles. Our IB-CAKE protocol structure using Type-III bilinear pairing is described in Fig. 3.

Fig. 3.
figure 3

Construction of IB-CAKE with Type-III bilinear mapping

In the following, let A be a session initiator and B be a session responder.

  • The initiator A selects \( r_A \leftarrow \mathbb {Z}_q^*\), computes \( x=H(SK_A^I,r_A) \) and \( X={(H_1({ID}_A))}^{x} \). It sends X to B.

  • Upon receiving X, B checks whether \( X \in \mathbb {G}_1/1_{\mathbb {G}_1} \) and aborts if not. B selects \( r_B\leftarrow \mathbb {Z}_q^*\), computes \( y=H({SK}_B^R,r_B) \) and \( Y={(H_2({ID}_B))}^{y} \). Then B sets the primary secret \( {PS}_B=e(X, SK_B^R))^y \), derives keys \( (K_1,K_2)\leftarrow KDF({PS}_B,X\parallel Y) \) and computes \( C_B=Enc_{K_1}({ID}_B,y) \). Finally, B sends \( (Y,C_B) \) to A.

  • Upon receiving \( (Y,C_B) \), A computes primary secret \( {PS}_A=e({SK}_A^I,Y)^x \), derives keys \( (K_1,K_2)\leftarrow KDF({PS}_A,X\parallel Y) \) and decrypts the ciphertext \( C_B \) under the secret value \( K_1 \) to get the identity \( ID_B \) and y. Then A verifies if \( y\in {Z_q}^{*} \) and \( Y=(H_2(ID_B))^{y} \), if so, it computes \( C_A=Enc_{K_1}(ID_A,x) \) and the session key is set to be \( K_2 \). Finally, A sends \( C_A \) to B.

  • Upon receiving \( C_A \), B runs \( Dec_{K_1}(C_A) \rightarrow (ID_A,x) \). Then it verifies if \( x\in Z_q^{*} \) and \( X={(H_1(ID_A))}^x \), if so, the session key is set to be \( K_2 \).

B Review of the TFNS19-Protocol

The structure of the TFNS19-protocol [25] is described in Fig. 4. In this protocol, the three hash functions are defined as: \(H, H_1, H_2: \{0,1\}^*\rightarrow \mathbb {Z}_p\), \(H_3: \{0,1\}^*\rightarrow \{0,1\}^\kappa \).

Fig. 4.
figure 4

Construction of TFNS19-protocol [25]

Rights and permissions

Reprints and Permissions

Copyright information

© 2021 Springer Nature Switzerland AG

About this paper

Verify currency and authenticity via CrossMark

Cite this paper

Lian, H., Pan, T., Wang, H., Zhao, Y. (2021). Identity-Based Identity-Concealed Authenticated Key Exchange. In: Bertino, E., Shulman, H., Waidner, M. (eds) Computer Security – ESORICS 2021. ESORICS 2021. Lecture Notes in Computer Science(), vol 12973. Springer, Cham. https://doi.org/10.1007/978-3-030-88428-4_32

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-88428-4_32

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-88427-7

  • Online ISBN: 978-3-030-88428-4

  • eBook Packages: Computer ScienceComputer Science (R0)