Efficient identity-based authenticated key agreement ... - SAGE Journals

Research Article

Efficient identity-based authenticated key agreement protocol with provable security for vehicular ad hoc networks

International Journal of Distributed Sensor Networks 2018, Vol. 14(4) Ó The Author(s) 2018 DOI: 10.1177/1550147718772545 journals.sagepub.com/home/dsn

Lanjun Dang1, Jie Xu2, Xuefei Cao1, Hui Li1, Jie Chen1, Yueyu Zhang1 and Xiaotong Fu1

Abstract In vehicular ad hoc networks, establishing a secure channel between any two vehicles is fundamental. Authenticated key agreement is a useful mechanism, which can be used to negotiate a shared key for secure data transmission between authentic vehicles in vehicular ad hoc networks. Among the existing identity-based two-party authenticated key agreement protocols without pairings, there are only a few protocols that provide provable security in strong security models such as the extended Canetti–Krawczyk model. This article presents an efficient pairing-free identity-based one-round two-party authenticated key agreement protocol with provable security, which is more suitable for real-time application environments with highly dynamic topology such as vehicular ad hoc networks than the existing identity-based two-party authenticated key agreement protocols. The proposed protocol is proven secure under the passive and active adversaries in the extended Canetti–Krawczyk model based on the Gap Diffie–Hellman assumption. The proposed protocol can capture all essential security attributes including known-session key security, perfect forward secrecy, basic impersonation resistance, key compromise impersonation resistance, unknown key share resistance, no key control, and ephemeral secrets reveal resistance. Compared with the existing identity-based two-party authenticated key agreement protocols, the proposed protocol is superior in terms of computational cost and running time while providing higher security. Keywords Authenticated key agreement, pairing-free, identity-based, connected and autonomous vehicles, eCK model

Date received: 29 December 2017; accepted: 29 March 2018 Handling Editor: Daniel Gutierrez-Reina

Introduction The significant advances in the embedded technology and wireless communication drive the evolution of vehicular ad hoc networks (VANETs). Vehicular networks comprise three types of components: a trusted authority, road-side units (RSUs) distributed on the roadside, and Connected and Autonomous Vehicles (CAVs) with on-board units (OBUs). Drivers can make some decisions based on the sensed road and traffic information transmitted from other CAVs and RSUs nearby. In many VANET applications such as pothole collection,1 file sharing among familiar entities,2 and

infotainment applications, the messages exchanged between two vehicles are sensitive and need to be kept secret. Due to the open nature of wireless links, it is

1

State Key Laboratory of Integrated Service Networks (ISN), Xidian University, Xi’an, China 2 School of Information and Control Engineering, Xi’an University of Architecture and Technology, Xi’an, China Corresponding author: Lanjun Dang, State Key Laboratory of Integrated Service Networks (ISN), Xidian University, Xi’an 710071, Shaanxi, China. Email: [email protected]

Creative Commons CC BY: This article is distributed under the terms of the Creative Commons Attribution 4.0 License (http://www.creativecommons.org/licenses/by/4.0/) which permits any use, reproduction and distribution of the work without further permission provided the original work is attributed as specified on the SAGE and Open Access pages (http://www.uk.sagepub.com/aboutus/ openaccess.htm).

2 crucial for VANETs to establish secure communications between any two vehicles. Compared with traditional public key encryption, symmetric key encryption with a shared key is more efficient in providing confidential communication. Authenticated key agreement (AKA) is an appealing mechanism in which authentic parties can agree on a shared session key over an open network to ensure the confidentiality, authentication, or integrity of subsequent session messages. For instance, in the literatures,3–5 a key agreement protocol is used for a vehicle to update its pseudonym-private key pairs. In the literature,6 a key agreement protocol is used to establish a vehicular cloud. In addition, AKA protocols achieve implicit authentication, that is, each party is assured that no party but the intended peers can possibly generate the shared session key, which is important in key agreement. The shared session key, which is generated from two or more parties as a function of their long-term keys and ephemeral materials, cannot be predetermined. In 1993, Bellare and Rogaway7 first presented a security model to formalize symmetric key-based AKA protocols. Based on the Bellare-Rogaway (BR) model, some security models for other types of AKA protocols were formalized, for example, AKA protocols with a trusted server,8 AKA with key confirmation (AKC) protocols,9 asymmetric key-based AKA protocols,10 and AKA protocols against dictionary attack.11 However, these models do not capture ephemeral secrets reveal attack. The Canetti–Krawczyk (CK) model12 proposed in 2001 also does not completely cover ephemeral secrets reveal resistance (ESRR) because it cannot support the adversary’s Session-State Reveal queries against the test session. In addition, the CK model also does not catch forward security (FS) and key compromise impersonation resistance (KCIR). In 2005, Choo et al.13 examined and compared the differences among these security models. Subsequently, LaMacchia et al.14 made the extended CK (eCK) model to prove the security of AKA protocols in 2007. The eCK model can capture all essential security attributes including known-session key security (K-SKS), perfect forward security (PFS), basic impersonation resistance (BIR), KCIR, unknown key share resistance (UKSR), no key control (NKC), ESRR, and so on. Therefore, AKA protocols should be given formal proofs in the eCK model. According to the number of involving parties, the existing AKA protocols are divided into three categories: (1) authenticated group KA protocols, (2) threeparty AKA protocols, and (3) two-party AKA (2PAKA) protocols. According to the public key setting employed, previously proposed asymmetric keybased AKA protocols are roughly classified into three groups: (1) traditional public key infrastructure (PKI)based AKA protocols, (2) identity (ID)-based AKA protocols, and (3) certificateless AKA protocols. In the

International Journal of Distributed Sensor Networks traditional PKI-based 2PAKA protocols, the management of public key certificates is a heavy burden, which contains the maintenance, transmission, and authentication of certificates. To eliminate the certificate management problem, many research works15–33 employed ID-based cryptography (IBC) first introduced by Shamir,34 in which a user’s public key is the user’s identities (e.g. telephone number, e-mail address, etc.) and the user’s private key is extracted based on his or her ID and a key generation center (KGC) master key. Therefore, these ID-based 2PAKA protocols15–33 have improved the efficiency by removing the use of public key certificates. However, these ID-based 2PAKA protocols15–33 were built using bilinear pairings, which is seen to be one of the most time-consuming operations. The operation cost of a pairing is about 3 to 20 times that of an elliptic curve point multiplication.25,35,36 Consequently, in order to accomplish a better performance, some ID-based 2PAKA protocols without pairings35,37–49 have been proposed. Unfortunately, among these pairing-free ID-based 2PAKA protocols,35,37–49 only a few protocols46–48 provide provable security in the eCK model. Moreover, the running times of these protocols46–48 need to be further reduced if they are deployed in real-time application environments with highly dynamic topology such as VANETs. The reason is that the time for key agreement between any two vehicles should be minimized considering the fast moving and topology dynamic natures of VANETs. In addition, ID-based 2PAKA protocol with two message exchanges may be more attractive in reality. Therefore, it is a challenge to design a provably secure and efficient pairing-free ID-based one-round 2PAKA protocol that is more suitable for VANETs.

Related works Since Boneh and Franklin50 first presented an ID-based encryption scheme from pairings in 2001, a great deal of ID-based 2PAKA protocols15–33 have been designed using pairings, and some of them have been pointed out having security flaws later. These protocols were continuously devoted to seek a secure ID-based 2PAKA protocol with minimal pairing operations. In order to remove the expensive pairing operation, Zhu et al.37 started the research of pairing-free IDbased 2PAKA protocol in 2007. However, Zhu et al.’s protocol realizes explicit authentication by introducing an ID-based signature scheme, which leads to larger computational cost and bandwidth. In addition, Zhu et al.’s protocol requires three message exchanges. After 1 year, Cao et al.38 put forward an ID-based 2PAKA protocol without pairings, which achieves implicit authentication but requires the same message exchanges as Zhu et al.’s protocol. In 2010, Fiore and Gennaro39 presented an ID-based 2PAKA protocol using

Dang et al. exponentiation operation, which is proven secure in the CK model. However, the CK model cannot cover FS, KCIR, and ESRR. In order to reduce the message exchange, Cao et al.35 proposed another ID-based twomessage 2PAKA protocol without pairings in 2010. Unfortunately, Hou and Xu40,41 and Islam and Biswas42 independently demonstrated that two protocols proposed by Cao et al. are vulnerable to ephemeral secrets reveal attack, in 2011 and 2012. However, Hou et al. and Islam et al.’s informal security analysis cannot guarantee that their protocols satisfy all essential security properties. Moreover, Islam et al.’s42 protocol requires three message exchanges and the last message exchange may be intercepted by adversaries, which enable the two involved parties to have different session keys. In 2012, Xie and Wang43 used a signature scheme to realize mutual authentication in their protocol, which causes computation cost to be increased. In 2013, Vivek et al.44 put forward an ID-based 2PAKA protocol using exponentiation, which is provable secure in the CK model. Nevertheless, the CK model cannot ensure Vivek et al.’s protocol catches FS, KCIR, and ESRR. In addition, Vivek et al.’s protocol involves more exponentiation operations than Fiore et al.’s protocol. In 2015, Ghoreishi et al.45 and Sun et al.,46 respectively, presented two pairing-free ID-based 2PAKA protocols. Ghoreishi et al. only analyzed the security of their protocol informally and roughly. It is clear that Ghoreishi et al.’s protocol cannot resist key compromise impersonation attack. Sun et al.’s protocol needs six elliptic curve point multiplication operations. Moreover, the formal proof in the eCK model does not take active adversaries into account. In 2016, Bala et al.47 put forward an ID-based 2PAKA protocols without pairings, which only needs four elliptic curve point multiplication operations. However, the security proof in the eCK model also does not consider active adversaries. In the same year, two other ID-based 2PAKA protocols were proposed by Ni et al.,48 which require seven and five elliptic curve point multiplication operations, respectively. Ni et al.’s protocols are given the formal proofs under the passive and active adversaries in the eCK model. In 2017, Islam and Biswas49 put forward a pairing-free ID-based 2PAKA protocol. Unfortunately, the security analysis using Burrows-Abadi-Needham (BAN) logic model cannot guarantee that Islam et al.’s protocol is secure.51

Our contributions Our contributions are as below: 1.

Our ID-based 2PAKA protocol is proven to be secure under the passive and active adversaries in the eCK model. Therefore, it can capture all essential security attributes including K-SKS,

3

2.

PFS, BIR, KCIR, UKSR, NKC,ESRR, and so on, which is also analyzed later. Performance analysis demonstrates that our protocol has less computational cost and running time than previous ID-based 2PAKA protocols while providing stronger or the same level of security. For example, considering pre-computation, the running time of our protocol is 77.1% of Bala’s protocol, 36.8% of Ni-I protocol, and 53.8% of Ni-II protocol. In conclusion, our protocol is more applicable for VANETs than other existing protocols.

Outline of the article The remainder of the article is arranged as below. In section ‘‘Preliminaries,’’ we review several computational problems and essential security attributes required by ID-based AKA protocols. The section ‘‘Proposed pairing-free ID-based 2PAKA protocol’’ describes the eCK model and then presents a pairingfree ID-based 2PAKA protocol. The section ‘‘Security analyses’’ gives a formal proof of the proposed protocol in the eCK model, analyzes essential security attributes that the proposed protocol catches, and compares the security of our protocol with the existing ID-based 2PAKA protocols. The section ‘‘Performance analyses’’ provides the performance analyses and comparisons between the proposed protocol and previous ID-based 2PAKA protocols. Finally, the article concludes in section ‘‘Conclusions and future works.’’

Preliminaries This section introduces the preliminaries including several computational problems and essential security attributes required in ID-based AKA protocols.

Computational problems Let G be a q-order cyclic additive group of E=Fp , and P be a generator of G. We recall elliptic curve discrete logarithm (ECDL), computational Diffie–Hellman (CDH), Decisional Diffie–Hellman (DDH), and Gap Diffie–Hellman (GDH) problems over the additive group as follows. Definition 1 (ECDL problem). Given (P, xP) where unknown x2R Zp , for any probabilistic polynomial time (PPT) algorithm, computing x is intractable. Definition 2 (CDH problem). For unknown x, y2R Zp , given (P, xP, yP), it is infeasible to compute xyP by any PPT algorithm.

4

International Journal of Distributed Sensor Networks

Definition 3 (DDH problem). For unknown x, y, z2R Zp , given (P, xP, yP, zP), it is impossible to determine whether or not z = xy mod q in PPT.

Definition 4 (GDH problem). Given a DDH oracle and (P, xP, yP) where x, y2R Zp , for any PPT algorithm, the probability of computing xyP is negligible.

Proposed pairing-free ID-based 2PAKA protocol This section first describes the eCK model and then presents a secure pairing-free ID-based one-round 2PAKA protocol S for VANETs, which satisfies all the essential security attributes.

Security model Essential security attributes It is essential for ID-based 2PAKA protocols to satisfy the following security requirements. Suppose that two legal parties A and B run the protocol exactly. 1.

2.

3.

4.

5.

6. 7.

K-SKS. Any session key should not be disclosed when an adversary has known the keys generated in some other sessions. Forward secrecy (FS). If the long-term secrets of parties are leaked, past session keys should not be compromised. The security property falls into four types: Partial forward secrecy: Learning some parties’ long-term secrets should not have any influence on the security of the keys in past sessions. Perfect forward secrecy (PFS). The loss of all the parties’ long-term secrets should not make past session keys known. Master key forward secrecy (MFS). The past session keys should not be endangered by the leakage of the KGC master private key. Weak perfect forward secrecy (wPFS). In 2005, Krawczyk52 showed that none of one-round AKA protocols can keep full PFS if the adversary can modify communications between the parties. Thus, oneround AKA protocols can achieve PFS under a passive adversary, which is defined as wPFS. BIR. An adversary who does not acquire a party A’s long-term secret cannot disguise himself as A. KCIR. The leakage of party A’s long-term secret cannot enable an adversary to masquerade as any other party to A. UKSR. It will be prevented that two parties A and B compute the same session key but B deem that the key is negotiated with the adversary E. NKC. No party can enforce the key in a session to a predetermined value. ESRR. The compromise of one session’s ephemeral private keys cannot affect the security of the session key.

The original eCK model14 was originally proposed for the conventional PKI-based AKA protocols. In order to formalize ID-based AKA protocols, the modified eCK model was presented by Huang and Cao28 and Ni et al.,29 respectively. Participants. The protocol participants are modeled as a group of parties, in which each party IDa is regarded as a PPT Turing machine. Any two parties can be involved in a run of the protocol. Each party may participate Q in a polynomial number of sessions at the same time. sa, b denotes the sth session of party QIDa communicating with intended peer IDb . A session sa, b is completed by party IDa when IDa computes a session key. Adversary model. The adversary M is regarded as a PPT Turing machine. The communication link is fully controlled by M. That is to say, M can possibly eavesdrop, suspend, intercept, replay, modify, and inject messages randomly. The power of the adversary is modeled by allowing it to issue the first six queries in any sequence: 1.

2.

3. 4.

5.

6.

Q EphemeralKeyReveal( sa, b ): The adversary M has access to the Q ephemeral private key of party IDa in session sa, b .Q M SessionKeyReveal( sa, b ): The adversary Qs . The can get the key of a completed session a, b Q session sa, b enters an opened state when the adversary M makes the query against it. StaticKeyReveal(IDa ): The query returns party IDa ’s long-term secret to the adversary M. MasterPrivateKeyReveal: The KGC master private key is revealed to the adversary M. MFS can be modeled by the query. EstablishParty(IDa ): The adversary M may register a lawful user in the name of party IDa and obtains IDa ’s long-term secret by the query. Then party Q IDa is said to be not honest. Send( sa, b , m): The query enables the adversary M to send the message m to party IDa in the name ofQparty IDb and control IDa to start the session sa, b with party QIDb . If m = l, party IDa launches the session sa, b . Otherwise, if party IDa is an initiator, it only outputs a decision to the session (i.e. accept or reject it); if party IDa

Dang et al.

7.

5

is a responder, party IDa selects an ephemeral secret and returns a message and a decision to the session. Q Test( sa, Qb ): The query can be made to a fresh session sa, b only once. A fair coin b 2 f0, 1g is flipped. If b = 0, the session key is returned to the adversary, otherwise the adversary obtains a selected random value from the distribution of session key.

Q Definition 5 (matching session). The session sa, b has a Qt Qt matching session b, a when the session b, a is executed by the other party IDb with the same message exchanged, although in different sequence. Q Definition 6 (fresh session). Supposing sa, b is a completed session andQexecuted by honest party IDa with honest party IDb , sa, b is a fresh session if none of the three cases occur: 1.

2.

3.

Qs

Both theQsession Q key of a, b and its matching session tb, a (if tb, a exists) are leaked to the adversary. Qt Qs a, b has a matching session b, a , and the adversary M obtains the long-term and ephemQ eral secret of party IDa in sa, b or theQlong-term t and ephemeral secret of party Qs IDb in b, a . The matching session of a, b does not exist, and the adversary M obtains the long-term and Q ephemeral secret of party IDa in sa, b or the long-term secret of IDb .

In the first stage of the game, the adversary queries the first six oracles in any order. During the Qssecond stage, the adversary selects a fresh session a, b (see Q Definition 6) and makes a Test( sa, b ) query. The game terminates as soon as the adversary outputs a guess b0 for b. The adversary M wins the game when b0 = b and the test session is still fresh. Assuming k is the security parameter, the advantage of M in the game is denoted as 1 AdvM ðk Þ = Pr½M wins 2

Definition 7 (secure 2PAKA protocols). A 2PAKA protocol is deemed secure in the eCK model when the protocol satisfies the following two conditions: 1. 2.

Matching sessions executed by two parties, respectively, generate the same session key. No any PPT adversary has a non-negligible advantage to win the above game.

Remark 1. In ID-based 2PAKA protocols, the shared session key can be computed by using four pieces of secret information: the long-term and ephemeral secrets of two involved parties. The eCK model allows the adversary to query the long-term secrets of two parties, the ephemeral secrets of two parties, or the long-term secret of one party and the ephemeral secret of the other party, but cannot know the long-term and ephemeral secrets of one party.

Protocol description In our protocol, the trusted authority acts as KGC. Our protocol S is composed of the following three parts: Setup. With the security parameter k, the trusted authority (acts as KGC) gets system parameters and its master public/private key pair as below: 1.

2. 3.

4.

Selects a k-bit prime number p and produces the parameters hE=Fp , G, q, Pi, where G is a cyclic additive group over E=Fp with the order q and P is a generator of G. Picks the master private key s2R Zp , and sets Ppub = sP as the master public key. Chooses two cryptographic hash functions and H2 : f0, 1g 3 H1 : f0, 1g 3 G ! Zp f0, 1g 3 G 3 G 3 G 3 G 3 G ! f0, 1gk . Publishes the parameters hE=Fp , G, q, P, Ppub , H1 , H2 i and keeps s secret.

Extract. Suppose the ID of a vehicle is IDi 2 f0, 1g , the trusted authority computes the long-term private key of the vehicle as below: 1. 2.

3.

Picks randomly ri 2R Zp , and computes Ri = ri P and hi = H1 (IDi jjRi ). Computes si = ri + hi s mod q and sets the key pair (si , Ri ) as the long-term private key of the vehicle. Return the key pair (si , Ri ) to the vehicle in a safe manner.

Upon receiving the key pair, the vehicle can validate its correctness by checking if the equation si P = Ri + H1 (IDi jjRi )Ppub holds. The long-term public key of the vehicle is PKi = si P. Key agreement. Suppose that vehicle A with ID IDA wishes to agree a key with vehicle B with ID IDB . Figure 1 shows the proposed ID-based two-message 2PAKA protocol that proceeds as follows:

6


Figure 1. Proposed ID-based two-message 2PAKA protocol for VANETs.

1.

A randomly selects a2R Zp as its ephemeral private key, computes its ephemeral public keys TA1 = aRA , TA2 = aPpub , and then sends (IDA , RA , TA1 , TA2 ) to B A ! B : IDA , RA , TA1 , TA2

2.

Upon receiving A’s message, B selects b2R Zp at random as its ephemeral private key, calculates its ephemeral public keys TB1 = bRB , TB2 = bPpub , and then sends (IDB , RB , TB1 , TB2 ) to A B ! A : IDB , RB , TB1 , TB2

3.

4.

A computes KAB = asA (TB1 + H1 (IDB jjRB )TB2 ) and the shared session key sk = H2 (IDA jjIDB jjTA1 jjTA2 jjTB1 jjTB2 jjKAB ). B computes KBA = bsB (TA1 + H1 (IDA jjRA )TA2 ) and the shared session key sk = H2 (IDA jjIDB jjTA1 jjTA2 jjTB1 jjTB2 jjKBA ).

Consistency. The correctness of the protocol is proved as follows KAB = asA TB1 + H1 ðIDB jjRB ÞTB2 = asA bRB + H1 ðIDB jjRB ÞbPpub = asA bsB P KBA = bsB TA1 + H1 ðIDA jjRA ÞTA2 = bsB aRA + H1 ðIDA jjRA ÞaPpub = bsB asA P = KAB

Thus, A and B can get the same session key sk = H2 IDA jjIDB jjTA1 jjTA2 jjTB1 jjTB2 jjKAB = H2 IDA jjIDB jjTA1 jjTA2 jjTB1 jjTB2 jjKBA

Security analyses This section first proves that the proposed ID-based 2PAKA protocol is secure in the eCK model, and then analyzes the security attributes that the proposed protocol captures.

Security proof Theorem 1. Assume that GDH problem is intractable and H1 and H2 are random oracles, the protocol S proposed in section ‘‘Proposed pairing-free ID-based 2PAKA protocol’’ is said to be secure in the eCK model. Proof 1. If the two conditions shown in Definition 7 hold, the proposed ID-based 2PAKA protocol S is deemed secure in the eCK model. The correctness proof of the protocol S guarantees that matching sessions executed by two involved parties, respectively, generate the same session key. Therefore, the first condition holds. Next, we will demonstrate that the second condition also holds. Namely, no any PPT adversary against the protocol S can win the game described in section ‘‘Security model’’ with non-negligible probability. Assume that k is the security parameter and the adversary M against the protocol S succeeds in the game outlined above with non-negligible probability AdvSM (k). Suppose that no more than p(k) honest parties are activated by the adversary M and each party is engaged in at most s(k) sessions. Assume that Q the adversary M chooses the Sth protocol session SA, B initiated by party IDA communicating with party IDB as the test session in the game. The adversary M differentiates between the test session key and a random value only through the following three ways: 1.

Guessing attack: The adversary M conjectures the test session key rightly.

Dang et al. 2.

3.

Key replication attack: The adversary M succeeds in establishing a session, which does not match the test session but possesses the same session key with it. Therefore, M can know the test session key by querying the key of the nonmatching session. Forging attack: At some point, M queries H2 on (IDA , IDB , TA1 , TA2 , TB1 , TB2 , KAB ) in the test session. It is obvious that the adversary M computes the value KAB itself.

Since the session key’s size is k bit, the success probability of guessing attack is O(1=2k ). If two sessions are not matched, the key derivation function H2 has the same input with probability O(s(k)2 =2k ). Consequently, the first two attacks succeed with negligible probability. In the following, forging attack is analyzed by employing a reduction approach. A challenger S executes the eCK game described in section ‘‘Security model’’ with M against the protocol S. In the course of the game, the challenger S makes a response to all queries of M. If the adversary M is successful in forging attack with non-negligible probability AdvSM (k), the challenger S can utilize M to solve the GDH prob(k). Given a lem with non-negligible probability AdvGDH S GDH problem instance (X = xP, Y = yP) where x, y2R Zp , the challenger S’s task is to compute GDH(X , Y ) = xyP with the help of a DDH oracle. When the game begins, the challenger S ascertains the Q test session that the adversary M selects is SA, B with probability greater than 1=p(k)2 s(k). According to the fresh definition in the eCK model, there are two Q cases S that require attention: (1) the matching session of A, B QT QS (i.e. B, A ) exists; (2) the test session A, B has no matching session. In the first case, the adversary is passive and faithfully transmits the messages between party IDA and party IDB . In the second case, the challenger S also needs to face an active adversary that may alter IDB ’s public key material RB . Based on the above analysis and the fresh definition, the challenger S has to guess the strategy that the adversary M adopts from the following six choices: S1. M does not know IDA ’s ephemeral private key and IDB ’s long-term private key, and M correctly transmits IDB ’s public key material RB . S2. M does not know the long-term private keys of IDA and IDB , and M correctly transmits IDB ’s public key material RB . S3. M does not know the ephemeral private keys of IDA and IDB . S4. M does not know IDA ’s long-term private key and IDB ’s ephemeral private key. S5. M does not know IDA ’s ephemeral private key and IDB ’s long-term private key, and the adversary M may alter IDB ’s public key material RB .

7 S6. M does not know the long-term private keys of IDA and IDB , and the adversary M may alter IDB ’s public key material RB . The success probability that S chooses both the test session and the strategy is larger than 1=6p(k)2 s(k). Next, we will analyze the six strategies. S1. M does not know IDA ’s ephemeral private key and IDB ’s long-term private key, and M correctly transmits IDB ’s public key material RB . Setup. The challenger S sets the KGC’s master public key and all parties’ long-term keys as follows: 1. 2.

3.

4.

S randomly selects a value Ppub 2 G as the KGC’s master public key. S selects hB 2R Zp as H1 (IDB jjRB ), computes RB = Y hB Ppub , and sets (?, RB ) as party IDB ’s long-term private key. Therefore, party IDB ’s long-term public key PKB = RB + hB Ppub = Y . S picks hi , si 2R Zp , computes Ri = si P hi Ppub , sets H1 (IDi jjRi ) = hi , and sets (si , Ri ) as longterm private key of party IDi (i 6¼ B). Therefore, IDi ’s long-term public key PKi = Ri + hi Ppub = si P. For each party IDi , S passes (IDi , Ri ) to M, and inserts the entry (IDi , Ri , hi ) to H1list .

Queries. S maintains three initially empty lists H1list , and Rlist to handle the H1 , H2 , and SessionKeyReveal queries. S responds to the queries issued by M as follows:

H2list ,

1.

2.

H1 (IDi , Ri ). After the challenger S sets long-term private keys to party IDi , S adds the entry (IDi , Ri , hi ) to H1list . If an H1 query issued by the adversary M matches one entry in the list H1list , S returns hi of the entry to M. Otherwise, S selects hi 2R Zp , inserts the entry (IDi , Ri , hi ) to H1list , and responds with the randomly chosen value. H2 (IDi , IDj , Ti1 , Ti2 , Tj1 , Tj2 , Kij ). At first, S maintains an empty list H2list in which each entry is the form of (IDi , IDj , Ti1 , Ti2 , Tj1 , Tj2 , Kij , h2 ). If (IDi , IDj , Ti1 , Ti2 , Tj1 , Tj2 , Kij , h2 ) is already in the list H2list , the challenger S returns h2 to M. Otherwise, S looks up the matching entry in the list Rlist . If the entry exists and i = B, S checks if Kij is correctly generated by verifying whether DDH((Ti1 + hi Ti2 ), (Tj1 + hj Tj2 ), Kij ) = 1. If Kij is correct, the challenger S sets h2 = sk, and stores the new entry (IDi , IDj , Ti1 , Ti2 , Tj1 , Tj2 , Kij , h2 ) to the list

8


3.

4. 5. 6.

7.

8.

9.

Rlist . If the entry exists and i 6¼ B, the challenger S sets h2 = sk, and stores the new entry (IDi , IDj , Ti1 , Ti2 , Tj1 , Tj2 , Kij , h2 ) to the list H2list . Otherwise (no such an entry exists in the list Rlist or Kij is not correctly generated), the challenger S selects h2 2 f0, 1gk at random and adds the entry (IDi , IDj , Ti1 , Ti2 , Tj1 , Tj2 , Kij , h2 ) to the list H2list . EstablishParty(IDi ). S selects hi , si 2R Zp , computes Ri = si P hi Ppub , sets H1 (IDi jjRi ) = hi , and reveals IDi ’s long-term private key (si , Ri ) to the adversary M. M totally controls the party IDi . StaticKeyReveal(IDi ). If i 6¼ B, S returns (si , Ri ) to M. Otherwise, S aborts. MasterPrivateKeyReveal.QS aborts.Q Q EphemeralSecretReveal( si, j ). If si, j = SA, B , S aborts. Otherwise, S reveals the ephemeral privateQkey to M. Send( si, j , m). At first, the challenger S maintains an empty list Rlist in which each entry is the 1 2 1 2 form ofQ (IDi , IDQ j , Ti , Ti , Tj , Tj , sk). s S If i, j = A, B and m = l, S picks U 2 G, and then returns sA X hA U and U to M. If i = B and m = (sj Z hj W , W ), S randomly chooses V 2 G, chooses b2R Zp as its ephemeral private key, and returns bY hB V and V to the adversary M. Then, S looks for the matching entry in the list H2list . If the entry exists, S checks if Kij is correctly generated by verifying whether DDH((Ti1 + hi Ti2 ), (Tj1 + hj Tj2 ), Kij ) = 1. If Kij is correct, the challenger S sets sk = h2 , and adds the new entry (IDi , IDj , Ti1 , Ti2 , Tj1 , Tj2 , sk) to the list Rlist . Otherwise (no such an entry exists in the list H2list or Kij is not correctly generated), the challenger S chooses sk 2 f0, 1gk at random and adds the entry (IDi , IDj , Ti1 , Ti2 , Tj1 , Tj2 , sk) to the list Rlist . If i 6¼ B, S responds in accordance with the protocol specification. Q Qs QS SessionKeyReveal( si, j ). If i, j = A, B or Qs QT i, j = B, A , S aborts. Otherwise, S returns list the stored Qssk in the QS list R to M. Qs value Test( i, j ). If i, j = A, B , S selects j 2 f0, 1gk and returns it to the adversary M. Otherwise, S aborts.

Analysis. If the adversary M succeeds in forging attack with non-negligible probability, M should have made a query to H2 with the input KAB = sA DLOG(X )(bY hB V + hB V ) = sA DLOG(X )bY . To settle the GDH(X , Y ) problem, S verifies whether

there is an H2 query issued by M on the value (IDA , IDB , TA1 , TA2 , TB1 , TB2 , KAB ), such that DDH((TA1 + hA TA2 ), (TB1 + hB TB2 ), KAB ) = 1. If there is such an H2 query, the challenger solves GDH(X , Y ) = DLOG(X )Y = (bsA )1 KAB . S correctly computes the GDH problem with the following advantage AdvGDH ðk Þ S

AdvSM ðk Þ 6p(k)2 sðk Þ

S2. M does not know the long-term private keys of IDA and IDB , and M correctly transmits IDB ’s public key material RB . Setup. The challenger S sets the KGC’s master public key and all parties’ long-term keys as below: 1. 2.

3.

4.

5.

The challenger S selects a value Ppub 2 G as the KGC’s master public key. For the party IDA , S selects hA 2R Zp as H1 (IDA jjRA ), computes RA = X hA Ppub , and sets (?, RA ) as party IDA ’s long-term private key. Therefore, party IDA ’s long-term public key PKA = RA + hA Ppub = X . For the party IDB , S selects hB 2R Zp as H1 (IDB jjRB ), computes RB = Y hB Ppub , and sets (?, RB ) as party IDB ’s long-term private key. Therefore, party IDB ’s long-term public key PKB = RB + hB Ppub = Y . For any party IDi (i 6¼ A and i 6¼ B), S selects hi , si 2R Zp , computes Ri = si P hi Ppub , sets H1 (IDi jjRi ) = hi , and sets (si , Ri ) as long-term private key of party IDi . Therefore, party IDi ’s long-term public key PKi = Ri + hi Ppub = si P. For each party IDi , S passes (IDi , Ri ) to M, and inserts the entry (IDi , Ri , hi ) to H1list .

Queries. S maintains three initially empty lists H1list , and Rlist to handle the H1 , H2 , and SessionKeyReveal queries. S responds to the queries issued by M as follows. Note that S answers H1 (IDi , Ri ), EstablishParty(ID Q Q i ), MasterPrivateKey Reveal, Session KeyReveal( si, j ), and Test( si, j ) as it does in S1. H2list ,

1.

H2 (IDi , IDj , Ti1 , Ti2 , Tj1 , Tj2 , Kij ). At first, S maintains an empty list H2list in which each entry consists of (IDi , IDj , Ti1 , Ti2 , Tj1 , Tj2 , Kij , h2 ). If (IDi , IDj , Ti1 , Ti2 , Tj1 , Tj2 , Kij , h2 ) already exists in H2list , S responds to M with h2 . Otherwise, S looks for the matching entry in the list Rlist . If the entry exists and i = A or i = B, S checks if Kij is correctly generated by verifying whether DDH((Ti1 + hi Ti2 ), (Tj1 + hj Tj2 ), Kij ) = 1. If Kij is correct,

Dang et al.

2. 3. 4.

9

the challenger S sets h2 = sk, and stores the new entry (IDi , IDj , Ti1 , Ti2 , Tj1 , Tj2 , Kij , h2 ) to the list H2list . If the entry exists and i 6¼ A and i 6¼ B, the challenger S sets h2 = sk, and stores the new entry (IDi , IDj , Ti1 , Ti2 , Tj1 , Tj2 , Kij , h2 ) to the list H2list . Otherwise (no such an entry exists in the list Rlist or Kij is not correctly generated), the challenger S randomly chooses h2 2 f0, 1gk and adds the entry (IDi , IDj , Ti1 , Ti2 , Tj1 , Tj2 , Kij , h2 ) to the list H2list . StaticKeyReveal(IDi ). If i 6¼ A and i 6¼ B, S S aborts. returns (si , Ri ) to M. Otherwise, Q EphemeralSecretReveal( si, j ). S responds to M with Q the ephemeral private key. Send( si, j , m). At first, S maintains an empty list Rlist whose each entry is (IDi , IDj , Ti1 , Ti2 , Tj1 , Tj2 , sk). Q Q If si, j = SA, B , the challenger S randomly chooses U 2 G, chooses a2R Zp as its ephemeral private key, and then returns aX hA U and U to the adversary M. If i = B, the challenger S randomly chooses V 2 G, chooses b2R Zp as its ephemeral private key, and returns bY hB V and V to the adversary M. Then S simulates the oracle in the same way as does in S1. If i = A, the simulation of S is similar to that when i = B. Otherwise, the challenger S responds according to the protocol specification.

Analysis. If the adversary M is successful in forging attack with non-negligible probability, M should have made a query to H2 with the input KAB = aDLOG(X )(bY hB V + hB V ) = abDLOG(X )Y . To settle the GDH(X , Y ) problem, S verifies whether there is an H2 query issued by M on the value (IDA , IDB , TA1 , such that DDH((TA1 + hA TA2 ), TA2 , TB1 , TB2 , KAB ), 1 2 (TB + hB TB ), KAB ) = 1. If there is such an H2 query, S calculates GDH(X , Y ) = DLOG(X )Y = (ab)1 KAB . S correctly computes the GDH problem with the following advantage AdvGDH ðk Þ S


S3. M does not know the ephemeral private keys of IDA and IDB . Setup. The challenger S sets the master keys of KGC and all parties’ long-term keys as below:

1.

2.

3.

S selects s2R Zp as the master private key of KGC and computes Ppub = sP as the master public key of KGC. Therefore, S3 simulates MFS. S picks hi , si 2R Zp , computes Ri = si P hi Ppub , sets H1 (IDi jjRi ) = hi , and sets (si , Ri ) as longterm private key of party IDi . Therefore, party IDi ’s long-term public key PKi = Ri + hi Ppub = si P. For each party IDi , S passes (IDi , Ri ) to M, and inserts the entry (IDi , Ri , hi ) to H1list .

Queries. S maintains three initially empty lists H1list , H2list , and Rlist to handle the H1 , H2 , and SessionKey Reveal queries. S responds to the queries issued by M as follows. Note that S answers Q H1 (IDi , Ri ), Establish Q Party(IDi ), SessionKeyReveal( si, j ), and Test( si, j ) as it does in S1. 1.

2. 3. 4.

5.

H2 (IDi , IDj , Ti1 , Ti2 , Tj1 , Tj2 , Kij ). Originally, S maintains an empty list H2list in which each entry is (IDi , IDj , Ti1 , Ti2 , Tj1 , Tj2 , Kij , h2 ). If (IDi , IDj , Ti1 , Ti2 , Tj1 , Tj2 , Kij , h2 ) is already in the list H2list , the challenger S returns h2 to M. Otherwise, S looks up the matching entry in Rlist . If the entry exists, the challenger S sets h2 = sk, and stores the new entry (IDi , IDj , Ti1 , Ti2 , Tj1 , Tj2 , Kij , h2 ) to the list H2list . Otherwise, the challenger S chooses h2 2 f0, 1gk at random and adds the entry (IDi , IDj , Ti1 , Ti2 , Tj1 , Tj2 , Kij , h2 ) to the list H2list . StaticKeyReveal(IDi ). S returns (si , Ri ) to M. MasterPrivateKeyReveal.QS returnsQ s to M.Q s s S ). If EphemeralSecretReveal( i, j i, j = A, B Qs QT or i, j = B, A , S aborts. Otherwise, S reveals the ephemeral private key to M. Q Send( si, j , m). At first, S maintains an empty list Rlist whose each entry is (IDi , IDj , Ti1 , 2 Ti2 , Tj1 , TQ j , sk). Q If si, j = SA, B , the challenger S randomly chooses U 2 G, and then returns hA U and sA X Q QT U to the adversary M. s If = i, j B, A , S randomly chooses V 2 G, and returns sB Y hB V and V to M. Then S looks up the matching entry in H2list . If the entry exists, the challenger S sets sk = h2 , and adds the new entry (IDi , IDj , Ti1 , Ti2 , Tj1 , Tj2 , sk) to the list Rlist . Otherwise, the challenger S chooses sk 2 f0, 1gk at random and adds the entry (IDi , IDj , Ti1 , Ti2 , Tj1 , Tj2 , sk) to the list H2list . Otherwise, the challenger S responds according to the protocol specification.

10


Analysis. If the adversary M successfully mounts the forging attack with non-negligible probability, M should issue a query to H2 with the input KAB = DLOG(X )sA (sB Y hB V + hB V ) = DLOG(X )sA sB Y . To solve the GDH(X , Y ) problem, S verifies whether there is an H2 query issued by M on the value (IDA , IDB , TA1 , TA2 , TB1 , TB2 , KAB ), such that DDH((TA1 + hA TA2 ), (TB1 + hB TB2 ), KAB ) = 1. If there is such an H2 query, S calculates GDH(X , Y ) = DLOG(X )Y = (sA sB )1 KAB . S successfully solves the GDH problem with the following advantage AdvGDH ðk Þ S


S4. M does not know IDA ’s long-term private key and IDB ’s ephemeral private key. For S4, the simulation of S is similar to that in S1 (only IDA and IDB are exchanged). The details are omitted. S successfully solves the GDH problem with the advantage AdvGDH ðk Þ S

AdvSM ðk Þ

(IDA , IDB , TA1 , TA2 , TB1 , TB2 , KAB ), such that DDH((TA1 + hA TA2 ), (TB1 + hB TB2 ), KAB ) = 1. According to the forking lemma,53 S replays M with the same input and tossing coins. During this run, 0 0 S selects hB 2R Zp , and sets H1 (IDB jjR(B, M) ) = hB , where 0 h 6¼ hB . If the adversary M succeeds in forging attack B with non-negligible probability, M should make a ~ AB = DLOG(Y ) query to H2 with the input K sA (bPKB bhB X + H1 (IDB jjR(B, M) )bX ) = DLOG(Y )sA 0 (bPKB bhB X + hB bX ). S verifies whether there is an H2 query issued by M on the value (IDA , IDB , ~ AB ), such that DDH((T 1 + hA T 2 ), TA1 , TA2 , TB1 , TB2 , K A A 1 2 ~ (TB + hB TB ), KAB ) = 1. To solve the GDH(X , Y ) problem, S computes ~ AB = DLOG(Y )sA (bPKB bhB X + hB bX ) DLOG KAB K 0 0 (Y )sA (bPKB bhB X + hB bX ) = DLOG(Y )sA (hB hB )bX , and then S computes GDH(X , Y ) = DLOG(Y )X = 0 ~ AB ). Suppose that l is the utili(bsA (hB hB ))1 (KAB K zation factor of the forking lemma in S5. Consequently, S successfully solves the GDH problem with the following advantage AdvGDH ðk Þ S

lAdvSM ðk Þ 6p(k)2 sðk Þ

6p(k)2 sðk Þ

S5. M does not know IDA ’s ephemeral private key and IDB ’s long-term private key, and the adversary M may alter IDB ’s public key material RB . Initially, the challenger S randomly selects X 2 G as the KGC’s master public key. Then, S sets all parties’ long-term keys as follows. S selects hi , si 2R Zp , computes Ri = si P hi Ppub , sets H1 (IDi jjRi ) = hi , and sets (si , Ri ) as long-term private key of party IDi . Therefore, party IDi ’s long-term public key PKi = Ri + hi Ppub = si P. For each party IDi , S passes (IDi , Ri ) to M, and inserts the entry (IDi , Ri , hi ) to H1list . Specifically, S randomly chooses Y , U 2 G, and sets the ephemeral public keys of IDA to sA Y hA U and U . Since S is aware of all parties’ long-term private keys, the answers to all queries are easy. Assume Q that M neither queries EphemeralSecret Reveal( SA, B ) nor StaticKeyReveal(IDB ), and the simulation does not abort. Assume that the session QS A, B has the incoming message (IDB , R(B, M) , bPKB bhB X , bX ) which can possibly be generated by M. Here the adversary M selects b2R Zp , and may alter IDB ’s public key material RB . Suppose that S selects hB 2R Zp , and sets H1 (IDB jjR(B, M) ) = hB . If the adversary M is successful in forging attack with non-negligible probability, M should make a query to H2 with the input KAB = DLOG(Y )sA (bPKB bhB X + H1 (IDB jjR(B, M)) bX ) = DLOG(Y )sA (bPKB bhB X + hB bX ). S verifies whether there is an H2 query issued by M on the value

S6. M does not know the long-term private keys of IDA and IDB , and the adversary M may alter IDB ’s public key material RB . Initially, the challenger S randomly selects X 2 G as the KGC’s master public key. Then S sets all parties’ long-term keys as follows. For any party IDi (i 6¼ A), S selects hi , si 2R Zp , computes Ri = si P hi Ppub , sets H1 (IDi jjRi ) = hi , and sets (si , Ri ) as long-term private key of party IDi . Therefore, party IDi ’s long-term public key PKi = Ri + hi Ppub = si P. For the party IDA , S as H1 (IDA jjRA ), computes selects hA 2R Zp RA = Y hA Ppub , and sets (?, RA ) as party IDA ’s longterm private key. Therefore, party IDA ’s long-term public key PKA = RA + hA Ppub = Y . For each party IDi , S passes (IDi , Ri ) to M, and inserts the entry (IDi , Ri , hi ) to H1list . Specifically, S randomly chooses U 2 G, chooses a2R Zp , and sets the ephemeral public keys of IDA to aY hA U and U . Assume that M neither queries StaticKey Reveal(IDA ) nor StaticKeyReveal(IDB ), and the simuQ lation does not abort. Assume that the session SA, B has the incoming message (IDB , R(B, M) , bPKB bhB X , bX ) which can possibly be generated by M. Here the adversary M selects b2R Zp , and may alter IDB ’s public key material RB . Suppose that S selects hB 2R Z and sets H1 (IDB jjR(B, M) ) = hB . If the success p probability of the adversary in forging attack is nonnegligible, it must have queried H2 with inputs of the (IDB jj form KAB = aDLOG(Y )(bPKB bhB X + H1 R(B, M)) bX )) = aDLOG(Y )(bPKB bhB X + hB bX ). S

Dang et al.

11

verifies whether there is an H2 query issued by M on the value (IDA , IDB , TA1 , TA2 , TB1 , TB2 , KAB ), such that DDH((TA1 + hA TA2 ), (TB1 + hB TB2 ), KAB ) = 1. According to the forking lemma, S replays M with the same input and tossing coins. In the course of this 0 0 run, S selects hB 2R Zp and sets H1 (IDB jjR(B, M) ) to hB , 0 where hB 6¼ hB . If the success probability of the adversary in forging attack is non-negligible, it should make ~ AB = aDLOG(Y ) a query to H2 with the input K R(B, M) )bX ) = aDLOG(Y ) (bPKB bhB X + H1 (IDB jj 0 (bPKB bhB X + hB bX ). S checks if there is an H2 query issued by M on the value (IDA , IDB , TA1 , TA2 , ~ AB ), such that DDH((T 1 + hA T 2 ), (T 1 + TB1 , TB2 , K A A B 2 ~ hB TB ), KAB ) = 1. To solve the GDH(X , Y ) problem, S computes KAB ~ AB = aDLOG(Y )(bPKB bhB X + hB bX ) aDLOG(Y ) K 0 0 (bPKB bhB X + hB bX ) = aDLOG(Y )(hB hB )bX , and then S computes GDH(X , Y ) = DLOG(Y )X = 0 ~ AB ). Suppose that u is the utilihB ))1 (KAB K (ab( hB zation factor of the forking lemma in S6. Therefore, S successfully solves the GDH problem with the following advantage AdvGDH ðk Þ S

4.

5.

6.

uAdvSM ðk Þ 6p(k)2 sðk Þ

For the six strategies, since AdvSM (k) is assumed to be (k) is also non-negligible. This is non-negligible, AdvGDH S in contradiction to the GDH assumption. The proof of Theorem 1 is complete. h 7.

Security attributes Our protocol S catches all essential security attributes. 1.

2.

3.

K-SKS. The eCK model can cover the K-SKS property because it supports the SessionKey Reveal query. According to the fresh definition, the adversary M may reveal the session keys of other sessions than the test session and its matching session (if its matching session exists). The probability that M differentiates between the test session key and a random value is negligible. Therefore, the test session key is not disclosed even if M has known any other session keys. FS. Our protocol captures the wPFS and MFS properties. In section ‘‘Security proof,’’ our protocol is proven to be secure in the eCK model. Therefore, the adversary cannot know the longterm and ephemeral secrets of one party, which implies wPFS. Moreover, the proof of S3 guarantees MFS. BIR. When the long-term secret of party A is not revealed to an adversary M, M does not

know the key of the session of party A with any other party because it cannot calculate the correct input to H2 . Therefore, the adversary cannot impersonate party A. KCIR. The property is guaranteed by the proofs of S1, S3, S4, and S5. Even when M learns the long-term secret of party A and modifies the message sent to party A, it cannot calculate the key of the session of party A with any other party with no knowledge of party A’s ephemeral secret. Therefore, M cannot masquerade as any other party to party A. That is to say, the proposed protocol can catch KCIR. UKSR. Unknown key share (UKS) attack should not be launched successfully in ID-based AKA protocols because the involved parties’ identities are the input of the key derivation function. In addition, a party’s public key is derived from its ID, which also resists UKS attack. NKC. Because two sessions that are not matched do not have the same input of the key derivation function H2 , the session key cannot be forced to a predetermined value by one involved party or an outside adversary. Moreover, from the security proof, we can know that the adversary M cannot differentiate between the test session key and a random value. Thus, our protocol can prevent key control attack. ESRR. The property is guaranteed by the proofs of all strategies except for S3. The proofs for S1, S4, and S5 guarantee the proposed protocol is secure when ephemeral secrets are revealed partially. The proofs for S2 and S6 guarantee the proposed protocol is secure when ephemeral secrets are disclosed entirely.

Comparisons with the existing protocols We compare our protocol with other existing ID-based 2PAKA protocols: the most efficient ID-based 2PAKA protocol using pairings (McCullagh-Barreto (MB)-I protocol20), a provably secure ID-based one-round 2PAKA protocol with pairings in the eCK model that catches all essential security attributes (Huang et al.’s28 protocol), and four latest provably secure pairing-free ID-based one-round 2PAKA protocols that catch all essential security attributes (Sun et al.’s46 protocol, Bala et al.’s47 protocol, Ni et al.’s48 protocols; and Islam and Biswas’s49 protocol). Table 1 shows the comparison results in term of security, in which we only list security model, assumption, and the properties of KCIR and ESRR because these compared protocols catch other basic desirable

12


Table 1. Security comparison of ID-based 2PAKA protocols. Protocol

Security model

Assumption

KCIR

ESRR

MB-I20 Huang and Cao28 Sun et al.46 Bala et al.47 Ni-I48 Ni-II48 Islam and Biswas49 Our protocol

mBR eCK eCK eCK eCK eCK BAN eCK

BIDH CBDH GDH GDH CDH GDH GDH GDH

3 = = = = = = =

3 = = = = = = =

ID: identity; 2PAKA: two-party authenticated key agreement; KCIR: key compromise impersonation resistance; ESRR: ephemeral secrets reveal resistance; MB: McCullagh-Barreto; mBR: modified Bellare-Rogaway; BIDH: bilinear inverse Diffie-Hellman; eCK: extended Canetti-Krawczyk; CBDH: computational bilinear Diffie-Hellman; GDH: Gap Diffie-Hellman; CDH: computational Diffie–Hellman; BAN: Burrows-Abadi-Needham.

Table 2. Cryptographic Operating Time (in milliseconds). Pairing

Exponent. in mult.group

Pairing-based poi.mult.

ECC-based poi.mult.

18.32

5.30

5.54

2.01

security properties including K-SKS, wPFS, BIR, UKSR, and NKC. ‘‘=’’ and ‘‘ 3 ’’ mean that the security property is captured and is not captured by the protocol, respectively. ‘‘eCK ’’ is used to denote the eCK model that does not take active adversaries into account. From Table 1, it is clear that Huang and Cao’s28 protocol, Sun et al.’s46 protocol, and Bala et al.’s47 protocol do not consider active adversaries although they are given the security proofs in strong model such as eCK model. In addition, the security analysis based on BAN logic model does not make certain that Islam and Biswas’s49 protocol is secure.51 Therefore, among these compared ID-based 2PAKA protocols, only Ni-I,48 Ni-II,48 and our protocol are proven secure under the passive and active adversaries in the eCK model. It can be concluded that Ni et al.’s48 protocols and our protocol achieve higher security than the five protocols.20,28,46,47,49

Performance analyses In this section, the efficiency of our protocol is compared with the existing protocols in terms of message size, computational cost, and running time. We omit the communication round because these compared protocols all have one-round communication. We implement the cryptographic operations by using MIRACL,54 a standard cryptographic library. Since a vehicle has unlimited computation ability and power in VANETs,55 the hardware platform that we select is an Intel Core 2 E8400 processor with 2 GB memory and a Windows XP operation system. For the two protocols using pairings,20,28 to provide the 80-bit security level, we choose the Tate pairing on the elliptic curve

y2 = x3 + x over Fp with embedding degree 2, where q is a 160-bit prime q = 2159 + 217 + 1 and p is a 512-bit prime meeting the condition of p + 1 = 12qr. As for the pairing-free protocols,46–49 to reach the same level of security, we employ the group on elliptic curve cryptography (ECC) secp160r1. The cryptographic operating times are shown in Table 2 where Exponent. in mult.group and poi.mult. stands for exponentiation in a multiplicative group and point multiplication, respectively. Table 3 lists the comparison results in terms of message size, computational cost, and running time. Assume that one user ID is 2 bytes long. Our protocol’s exchanged message is one ID and three points, and thus the message size is (2 3 8 + 160 3 3)=8 = 62 bytes. In Bala et al.’s47 protocol, the exchanged message comprises one ID and two points, and thus the message size is (2 3 8 + 160 3 2)=8 = 42 bytes. Similarly, the message sizes of other compared protocols can be given. In the comparison of the computational cost, for simplicity, we only consider the expensive operations including pairing operation, exponentiation in a multiplicative group, pairing-based point multiplication, and ECC-based point multiplication, which are denoted as P, E, PM, and EM, respectively. The values in parentheses are the computational costs of these protocols when pre-computation is considered. The running time of an AKA protocol is approximately equal to the computation time of one party and the transmission times of two exchanged messages in wireless links. In vehicular environments, the time spent on one message transmission is the sum of transmission times of the physical layer convergence procedure (PLCP) preamble (i.e. 0:032 ms), the SIGNAL field (i.e. 0:008 ms), and DATA field. The DATA field consists

Dang et al.

13

Table 3. Performance comparison of ID-based 2PAKA protocols (using pre-computation). Protocol

Message size

Computational cost

Running time

MB-I20 Huang and Cao28 Sun et al.46 Bala et al.47 Ni-I48 Ni-II48 Islam and Biswas49 Our protocol

64 66 42 42 62 62 62 62

1P + 1E + 1PM 2P + 3PM 6EM(5EM) 4EM(3EM) 7EM(6EM) 5EM(4EM) 5EM(4EM) 4EM(2EM)

24:276 ms 42:852 ms 10:594 ms 6:574 ms 12:716 ms 8:696 ms 8:696 ms 4:676 ms

bytes bytes bytes bytes bytes bytes bytes bytes

ID: identity; 2PAKA: two-party authenticated key agreement; MB: McCullagh and Barreto.

of the 16-bit SERVICE field, the physical service data unit (PSDU) (i.e. the medium-access control (MAC) frame), the 6-bit TAIL field, and the PAD field. The length of PAD field satisfies the condition that the number of bits in the DATA field should be a multiple of the number of data bits per orthogonal frequency division multiplexing (OFDM) symbol. According to 802.1156 and dedicated short-range communications (DSRC) standards,57 the data rate varies from 3 to 27 Mbps. In addition, the network and transport layers, Wave Short Message (WSM) header is at least 5 bytes in length, and subnetwork access protocol (SNAP) header and the logical link control (LLC) sublayer header are 5 and 3 bytes in length, respectively. The MAC sublayer header is 28 bytes in length. In order to better reflect the performation advantages of our protocol, the minimum data rate (i.e. 3 Mbps) and the corresponding number of data bits per OFDM symbol (i.e. 24 data bits) are chosen to compute the running time of compared protocols. Accordingly, the running time of our protocol can be computed as follows: 2EM + 2 (the transmission time of PLCP preamble + the transmission time of SIGNAL + (PSDU + TAIL + PAD) / (data rate)) = 4.676 ms. Similiarly, the running times of other compared protocols are listed in Table 3. As listed in Table 3, it is clear that the ID-based pairing-free 2PAKA protocols achieve much better performance than the ID-based 2PAKA protocols using pairings. In addition, it is found that our protocol is superior to Ni-I48 protocol and Ni-II48 protocol in terms of computational cost and running time while having the same message size as them. Specifically, the running time of our protocol is 36.8% of Ni-I protocol, 53.8% of Ni-II protocol when pre-computation is considered. From Table 3, we can observe that our protocol is computationally more efficient than Bala et al.’s47 protocol considering pre-computation with the disadvantage of slightly increased message size. The reason is that, (1) the intended partner vehicles communicating with vehicle A are not the same in different sessions of vehicle A; (2) in our protocol, aRA and aPpub are suitable for pre-computation as these two values have nothing

to do with other parties and party A only needs to store two points; (3) in Bala’s protocol, vehicle A is not suitable to pre-compute and store hB Ppub for large numbers of unpredictable vehicles due to the rapid topology changes nature of vehicular networks. Therefore, Bala et al.’s47 protocol and our protocol require three and two ECC-based point multiplication operations, respectively, when pre-computation is carried out. Moreover, the security proof of Bala et al.’s47 protocol does not take active adversaries into account. Although the message size of our protocol is one point more than that of Bala’s protocol, our protocol has less running time than Bala’s protocol. Namely, the running time of our protocol is 77.1% of that of Bala’s protocol. Figure 2 illustrates the comparison result of Bala et al.’s47 protocol, Ni-I,48 Ni-II,48 and our protocol in terms of running time when pre-computation is carried out. To summarize, our protocol has better performance than previous ID-based protocols while achieving higher or the same security level. It is concluded that our protocol is more suitable to real-time application environments with highly dynamic topology such as VANETs than the existing ID-based 2PAKA protocols.

Discussion The proposed 2PAKA protocol enables two authentic vehicles to agree on a shared session key, which can be used for secure communication. For example, the secure communication protocol for VANETs58 achieves the multi-level conditional privacy preservation authentication and integrity of transmitted messages based on ring signature. However, the signature is generated by using the private key of sender and L collected public keys, and the transmitted message consists of payload, timestamp, signature, and L public keys. Therefore, the message size is a little long and the signature verification requires 2 3 L + 3 time-consuming pairing operations. The secure communication protocol for VANETs2 offers the confidentiality, conditional privacy preservation authentication, and integrity of

14


Figure 2. Comparison result of the running time (with pre-computation).

transmitted messages based on group signcryption. The session key used for signcryption is derived from the group secret key, which is generated by the group secret key agreement. However, the group secret key and group public key need to be updated on all unrevoked vehicles each time a member is revoked or quits the group. In addition, the group-based communication protocols for VANETs2,58 are only suitable for the application scenarios with low mobility and little topology changing, such as traffic jam, urban road, and parking lot. Therefore, the article focuses on 2PAKA for VANETs.

providing stronger or the same security level. As a result, our protocol is more applicable than other existing ID-based 2PAKA protocols for real-time application environments with quickly changing topology such as VANETs. Our future work is to present a provably secure and efficient certificateless 2PAKA protocol without pairings. Declaration of conflicting interests The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.

Conclusions and future works This article presents a provably secure and efficient one-round ID-based 2PAKA protocol without pairings for VANETs. The proposed protocol is given the formal proof under the passive and active adversaries in the eCK model. We also analyze that the proposed protocol can capture all essential security properties including K-SKS, wPFS, MFS, BIR, KCIR, UKSR, NKC, ESRR, and so on. The proposed protocol outperforms the existing ID-based 2PAKA protocols in terms of computational cost and running time while providing higher or the same level of security. In particular, if pre-computation is considered, our protocol reduces the running time to 77.1% of Bala’s protocol, 36.8% of Ni-I protocol, and 53.8% of Ni-II protocol while

Funding The author(s) disclosed receipt of the following financial support for the research, authorship, and/or publication of this article: This work was supported by the National Natural Science Foundation of China (NSFC) (grant number 61402351), the Fundamental Research Funds for the Central Universities (grant number JB140116), and the Programme of Introducing Talents of Discipline to Universities (111 Project) (grant numbers B16037, B08038).

References 1. Bu¨ttner C, Bartels F and Huss S. Real-world evaluation of an anonymous authenticated key agreement protocol for vehicular ad-hoc networks. In: 2015 IEEE 11th international conference on wireless and mobile computing,

Dang et al.

2.

3.

4.

5.

6.

7.

8.

9.

10.

11.

12.

13.

14.

15.

16.

networking and communications (WiMob), Abu Dhabi, United Arab Emirates, 19–21 October 2015, pp.651–658. New York: IEEE. Xiong H, Zhu G, Chen Z, et al. Efficient communication scheme with confidentiality and privacy for vehicular networks. Comput Electr Eng 2013; 39(6): 1717–1725. Zhang L. OTIBAAGKA: a new security tool for cryptographic mix-zone establishment in vehicular ad hoc networks. IEEE T Inf Foren Sec 2017; 12(12): 2998–3010. Zhang L, Wu Q, Domingo-Ferrer J, et al. Distributed aggregate privacy-preserving authentication in VANETs. IEEE T Intell Transp 2017; 18(3): 516–526. Zhang L, Hu C, Wu Q, et al. Privacy-preserving vehicular communication authentication with hierarchical aggregation and fast response. IEEE T Comput 2016; 65(8): 2562–2574. Zhang L, Meng X, Raymond Choo K-K, et al. Privacypreserving cloud establishment and data dissemination scheme for vehicular cloud. IEEE T Depend Secure 2018; 99: 1–1. Bellare M and Rogaway P. Entity authentication and key distribution. In: Stinson DR (ed.) Advances in cryptology—CRYPTO’93, LNCS 773. Berlin: SpringerVerlag, pp.232–249. Bellare M and Rogaway P. Provably secure session key distribution: the three party case. In: Proceedings of the 27th annual ACM STOC, Las Vegas, NV, 29 May–1 June 1995, pp.57–66. New York: ACM. Blake-Wilson S, Johnson D and Menezes A. Key agreement protocols and their security analysis. In: Darnell M (ed.) International conference on cryptography and coding, LNCS 1355. Berlin: Springer-Verlag, pp.30–45. Blake-Wilson S and Menezes A. Entity authentication and authenticated key transport protocols employing asymmetric techniques. In: Christianson B, Crispo B, Lomas M, et al. (eds) International workshop on security protocols, LNCS 1361. Berlin: Springer-Verlag, pp.137–158. Bellare M, Pointcheval D and Rogaway P. Authenticated key exchange secure against dictionary attacks. In:Preneel B (ed.) Advances in cryptology—EUROCRYPT 2000, LNCS 1807. Berlin: Springer-Verlag, pp.139–155. Canetti R and Krawczyk H. Analysis of key-exchange protocols and their use for building secure channels. In: Pfitzmann B (ed.) Advances in cryptology—EUROCRYPT 2001, LNCS 2045. Berlin: Springer-Verlag, pp.453–474. Choo KKR, Boyd C and Hitchcock Y. Examining indistinguishability-based proof models for key establishment protocols. In: Roy B (ed.) Advances in cryptology— ASIACRYPT 2005, LNCS 3788. Berlin: Springer-Verlag, pp.585–604. LaMacchia B, Lauter K and Mityagin A. Stronger security of authenticated key exchange. In: Susilo W, Liu JK and Mu Y (eds) International conference on provable security, LNCS 4784. Berlin: Springer-Verlag, pp.1–16. Smart NP. Identity based authenticated key agreement protocol based on the Weil pairing. Electron Lett 2002; 38(13): 630–632. Chen L and Kudla C. Identity based authenticated key agreement protocols from pairings. In: Proceedings of the 16th IEEE computer security foundations workshop,

15

17.

18.

19.

20.

21.

22.

23.

24.

25.

26.

27.

28.

29.

30.

31.

32.

Pacific Grove, CA, 30 June–2 July 2003, pp.219–233. New York: IEEE. Shim K. Efficient ID-based authenticated key agreement protocol based on Weil pairing. Electron Lett 2003; 39(8): 653–654. Sun H and Hsieh B. Security analysis of Shim’s authenticated key agreement protocols from pairings. Cryptology ePrint Archive, Report 2003/113, 2003, http://eprint.iacr.org/2003/113/ Ryu E, Yoon E and Yoo K. An efficient ID-based authenticated key agreement protocol from pairings. In: Mitrou N, Kontovasilis K, Rouskas GN, et al. (eds) Proceedings of the networking ’04, LNCS 3042. Berlin: Springer-Verlag, pp.1458–1463. McCullagh N and Barreto P. A new two-party identitybased authenticated key agreement. In: Menezes A (ed.) Topics in cryptology—CT-RSA 2005, LNCS 3376. Berlin: Springer-Verlag, pp.262–274. Xie G. Cryptanalysis of Noel McCullagh and Paulo S.L.M. Barreto’s two-party identity-based key agreement. Cryptology ePrint Archive, Report 2004/308, 2004, http://eprint.iacr.org/2004/308/ Li S, Yuan Q and Li J. Towards security two-party authenticated key agreement protocols. Cryptology ePrint Archive, Report 2005/300, 2005, http://eprint.iacr.org/2005/300/ Choie YJ, Jeong E and Lee E. Efficient identity-based authenticated key agreement protocol from pairings. Appl Math Comput 2005; 162(1): 179–188. Yuan Q and Li S. A new efficient ID-based authenticated key agreement protocol. Cryptology ePrint Archive, Report 2005/309, 2005, http://eprint.iacr.org/2005/309/ Chen L, Cheng Z and Smart NP. Identity-based key agreement protocols from pairings. Int J Inf Secur 2007; 6(4): 213–241. Wang S, Cao Z and Cao F. Efficient identity-based authenticated key agreement protocol with PKG Forward Secrecy. Int J Netw Sec 2008; 7(2): 181–186. Wang S, Cao Z, Choo K, et al. An improved identitybased key agreement protocol and its security proof. Inform Sciences 2009; 179(3): 307–318. Huang H and Cao Z. An ID-based authenticated key exchange protocol based on bilinear Diffie-Hellman problem. In: Proceeding of the ACM ASIACCS 2009, Sydney, NSW, Australia, 10–12 May 2009, pp.333–342. New York: ACM. Ni L, Chen G, Li J, et al. Strongly secure identity-based authenticated key agreement protocols. Comput Electr Eng 2011; 37(2): 205–217. Zhang J, Wu Z and Li Y. An improved identity-based authenticated key agreement protocol using pairings. In: International conference on computer science and network technology, Harbin, China, 24–26 December 2011, pp.45– 49. New York: IEEE. Ho¨lbl M, Welzer T and Brumen B. An improved twoparty identity-based authenticated key agreement protocol using pairings. J Comput Syst Sci 2012; 78(1): 142–150. Ni L, Chen G and Li J. Escrowable identity-based authenticated key agreement protocol with strong security. Comput Math Appl 2013; 65(9): 1339–1349.

16 33. Ni L, Chen G, Li J, et al. Strongly secure identity-based authenticated key agreement protocols in the escrow mode. Sci China Inform Sci 2013; 56(8): 1–14. 34. Shamir A. Identity-based cryptosystems and signature schemes. In: Blakley GR and Chaum D (eds) Advances in cryptology—EUROCRYPT 1984, LNCS 196. Berlin: Springer-Verlag, pp.47–53. 35. Cao X, Kou W and Du X. A pairing-free identity-based authenticated key agreement protocol with minimal message exchanges. Inform Sciences 2010; 180(15): 2895–2903. 36. Aranha D, Faz-Herna´ndez A, Lo´pez J, et al. Faster implementation of scalar multiplication on Koblitz curves. In: Hevia A and Neven G (eds) International conference on cryptology and information security in Latin America, LNCS 7533. Berlin: Springer-Verlag, pp.177– 193. 37. Zhu R, Yang G and Wong D. An efficient identity-based key exchange protocol with KGS forward secrecy for low-power devices. Theor Comput Sci 2007; 378(2): 198–207. 38. Cao X, Kou W, Yu Y, et al. Identity-based authentication key agreement protocols without bilinear pairings. IEICE T Fund Electr 2008; 91(12): 3833–3836. 39. Fiore D and Gennaro R. Making the Diffie-Hellman protocol identity-based. In: Pieprzyk J (ed.) Topics in cryptology—CT-RSA 2010, LNCS 5985. Berlin: SpringerVerlag, pp.165–178. 40. Hou M and Xu Q. An efficient and secure one-round authenticated key agreement protocol without pairings. In: 2011 international conference on multimedia technology, Taipei, Taiwan, 28–30 March 2005, pp.160–163. New York: IEEE. 41. Hou M and Xu Q. A one-round ID-based authenticated key agreement protocol with enhanced security. In: 2011 2nd international conference on intelligent control and information processing, Harbin, China, 25–28 July 2011, pp.194–197. New York: IEEE. 42. Islam SH and Biswas GP. An improved pairing-free identity-based authenticated key agreement protocol based on ECC. Procedia Engineer 2012; 30: 499–507. 43. Xie M and Wang L. One-round identity-based key exchange with Perfect Forward Security. Theor Comput Sci 2012; 112(14): 587–591. 44. Vivek S, Selvi S, Venkatesan L, et al. Efficient, pairingfree, authenticated identity based key agreement in a single round. In: Susilo W and Reyhanitabar R (eds) International conference on provable security, LNCS 8209. Berlin: Springer-Verlag, pp.38–58. 45. Ghoreishi SM, Isnin I, Razak S, et al. A novel secure two-party identity-based authenticated key agreement protocol without bilinear pairings. In: Abraham A, Muda


46.

47.

48.

49.

50.

51.

52.

53.

54. 55.

56.

57.

58.

A and Choo YH (eds) Pattern analysis, intelligent security and the Internet of Things, AISC 355. Cham: SpringerVerlag, pp.287–294. Sun H, Wen Q, Zhang H, et al. A strongly secure identity based authenticated key agreement protocol without pairings under the GDH assumption. Secur Commun Netw 2015; 8(17): 3167–3179. Bala S, Sharma G and Verma AK. PF-ID-2PAKA: pairing free identity-based two-party authenticated key agreement protocol for wireless sensor networks. Wireless Pers Commun 2016; 87(3): 995–1012. Ni L, Chen G, Li J, et al. Strongly secure identity-based authenticated key agreement protocols without bilinear pairings. Inform Sciences 2016; 367: 176–193. Islam SH and Biswas GP. A pairing-free identity-based two-party authenticated key agreement protocol for secure and efficient communication. J King Saud Univ: Comput Inform Sci 2017; 29(1): 63–73. Boneh D and Franklin M. Identity-based encryption from the Weil pairing. In: Kilian J (ed.) Advances in cryptology—CRYPTO 2001, LNCS 2139. Berlin: SpringerVerlag, pp.213–229. Cheng Z, Nistazakis M, Comley R, et al. On the indistinguishability-based security model of key agreement protocols in simple cases. Cryptology ePrint Archive, Report 2005/300, 2005, http://eprint.iacr.org/ 2005/300/ Krawczyk H. HMQV: a high-performance secure DiffieHellman protocol. In: Shoup V (ed.) Advances in cryptology—CRYPTO 2005, LNCS 3621. Berlin: Springer-Verlag, pp.546–566. Pointcheval D and Stern J. Security arguments for digital signatures and blind signatures. J Cryptol 2000; 13(3): 361–396. Shamus Software Ltd. MIRACL library, http://www.shamus.ie/index.php?page=home Li CT, Hwang MS and Chu YP. A secure and efficient communication scheme with authenticated key establishment and privacy preserving for vehicular ad hoc networks. Comput Commun 2008; 31(12): 2803–2814. IEEE 802.11-2016:2016. IEEE Standard for Information Technology —telecommunications and information exchange between systems local and metropolitan area networks—specific requirements—part 11: wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) specifications. Kenney J. Dedicated Short-Range Communications (DSRC) Standards in the United States. Proc IEEE 2011; 99(7): 1162–1182. Xiong H, Chen Z and Li F. Efficient and multi-level privacy-preserving communication protocol for VANET. Comput Electr Eng 2012; 38(3): 573–581.