Identity-Based Identity-Concealed Authenticated Key Exchange

Abstract

Identity-based authenticated key exchange (ID-AKE) allows two parties (whose identities are just their public keys) to agree on a shared session key over open channels. At ESORICS 2019, Tomida et al. proposed a highly efficient ID-AKE protocol, referred to as the TFNS19-protocol, under the motivation of providing authentication and secure communication for huge number of low-power IoT devices. The TFNS19-protocol currently stands for the most efficient ID-AKE based on bilinear pairings, where each user remarkably performs only a single pairing operation. But it does not consider users’ identity privacy, and the security is based on relatively non-standard assumptions.

In this work, we formulate and design identity-based identity-concealed AKE (IB-CAKE) protocols. Here, identity concealment means that the session transcript does not leak users’ identity information. We present a simple and highly practical IB-CAKE protocol, which is computationally more efficient than the remarkable TFNS19-protocol in total. We present a new security model for IB-CAKE, and show it is stronger than the ID-eCK model used for the TFNS19-protocol. The security of our IB-CAKE protocol is proved under relatively standard assumptions in the random oracle model, assuming the security of the underlying authenticated encryption and the gap bilinear Diffie-Hellman (Gap-BDH) problem. Finally, we provide the implementation results for the proposed IB-CAKE scheme, and present performance benchmark.

Appendices

A Structures of IB-CAKE Protocol with Asymmetric Bilinear Pairing

1.1 A.1 Protocol Structure with Bilinear Pairing of Type-II

For the construction of our IB-CAKE protocol with Type-II bilinear pairing, an additional efficient publicly computable isomorphism \(\psi \) is required. Let \( \kappa \) be a secure parameter, \(\mathbb {G}_1\), \(\mathbb {G}_2\) and \(\mathbb {G}_T\) be three multiplicative bilinear map groups of the same prime order q such that the discrete algorithm problems in \(\mathbb {G}_1\), \(\mathbb {G}_2\) and \(\mathbb {G}_T\) are intractable, \(g_1\) be a generator of \(\mathbb {G}_1\), \(g_2= \psi (g_1)\) be a generator of \(\mathbb {G}_2\), the isomorphism \(\psi \) is for the purpose of mapping an element from \(\mathbb {G}_1\) to \(\mathbb {G}_2\), \({\hat{e}}:{\mathbb {G}_1}\times {\mathbb {G}_2} \rightarrow {\mathbb {G}_T} \) be a bilinear pairing. Let \( SE=(K_{se}, Enc, Dec) \) be an authenticated encryption with associated data (AEAD) scheme, where \( \mathcal {K} ={\{0,1\}}^{\kappa } \) is the key space of \( K_{se} \). Let \( H:{\{0,1\}}^{*} \rightarrow \mathbb {Z}_q^{*} \) and \( H_1 : {\{0,1\}}^{*} \rightarrow \mathbb {G}_1 \) be one-way collision-resistant cryptographic hash functions modeled as random oracles and \( KDF: {\{0,1\}}^{*} \rightarrow {\{0,1\}}^{p(\kappa )} \) be a key derivation function which is also modeled as a random oracle, where \( p(\kappa ) \) is a polynomial of \( \kappa \). The KGC first produces the system’s public parameters and the master secret key msk. Then it generates the private key \( SK_i=H_1{(ID_i)}^{msk} \) for the user with identity \( ID_i \). For presentation simplicity, we denote by Alice the anonymous session initiator, whose public identity and private key are \( {ID}_A \) and \( {SK}_A={(H_1({ID}_A))}^{msk} \), and by Bob the session responder, whose public identity and private key are \({ID}_B\) and \({SK}_B={(H_1({ID}_B))}^{msk}\). The structure is described in Fig. 2.

• The initiator A selects \( r_A \leftarrow \mathbb {Z}_q^*\), computes \( x=H({SK}_A,r_A) \) and \( X={(H_1({ID}_A))}^{x} \). It sends X to B.

• Upon receiving X, B checks whether \( X \in \mathbb {G}_1/1_{\mathbb {G}_1} \) and aborts if not. B selects \( r_B\leftarrow \mathbb {Z}_q^*\), computes \( y=H({SK}_B,r_B) \) and \( Y={(H_1({ID}_B))}^{y} \). Then B sets the primary secret \( {PS}_B=e(X,\psi (SK_B))^y \), derives keys \( (K_1,K_2)\leftarrow KDF({PS}_B,X\parallel Y) \) and computes \( C_B=Enc_{K_1}({ID}_B,y) \). Finally, B sends \( (Y,C_B) \) to A.

• Upon receiving \( (Y,C_B) \), A sets primary secret \( {PS}_A=e({SK}_A,\psi (Y))^x \), derives keys \( (K_1,K_2)\leftarrow KDF({PS}_A,X\parallel Y) \) and decrypts the ciphertext \( C_B \) by using \( K_1 \) to get the identity \( ID_B \) and y. Then A verifies if \( y\in {Z_q}^{*} \) and \( Y=(H_1(ID_B))^{y} \), if so, it computes \( C_A=Enc_{K_1}(ID_A,x) \) and the session key is set to be \( K_2 \). Finally, A sends \( C_A \) to B.

• Upon receiving \( C_A \), B runs \( Dec_{K_1}(C_A) \rightarrow (ID_A,x) \). Then it verifies if \( x\in Z_q^{*} \) and \( X={(H_1(ID_A))}^x \), if so, the session key is set to be \( K_2 \).

Fig. 2.

Construction of IB-CAKE with Type-II bilinear mapping

1.2 A.2 Protocol Structure with Bilinear Pairing of Type-III

For the construction of our IB-CAKE protocol with Type-III bilinear pairing, the private key SK of any user ID is replaced by a pair of key \((SK^I,SK^R)\), where \(SK^I\) is used when the user is an initiator in a session and \(SK^R\) is used when the user is a responder in a session. Let \( \kappa \) be a secure parameter, \(\mathbb {G}_1\), \(\mathbb {G}_2\) and \(\mathbb {G}_T\) be three multiplicative bilinear map groups of the same prime order q such that the discrete algorithm problems in \(\mathbb {G}_1\), \(\mathbb {G}_2\) and \(\mathbb {G}_T\) are intractable, \(g_1\) be a generator of \(\mathbb {G}_1\), \(g_2\) be a generator of \(\mathbb {G}_2\), \({\hat{e}}:{\mathbb {G}_1}\times {\mathbb {G}_2} \rightarrow {\mathbb {G}_T} \) be a bilinear pairing. Let \( H:{\{0,1\}}^{*} \rightarrow \mathbb {Z}_q^{*} \), \( H_1 : {\{0,1\}}^{*} \rightarrow \mathbb {G}_1 \) and \( H_2 : {\{0,1\}}^{*} \rightarrow \mathbb {G}_2 \) be one-way collision-resistant cryptographic hash functions modeled as random oracles. Our IB-CAKE protocol structure using Type-III bilinear pairing is described in Fig. 3.

Fig. 3.

Construction of IB-CAKE with Type-III bilinear mapping

In the following, let A be a session initiator and B be a session responder.

• The initiator A selects \( r_A \leftarrow \mathbb {Z}_q^*\), computes \( x=H(SK_A^I,r_A) \) and \( X={(H_1({ID}_A))}^{x} \). It sends X to B.

• Upon receiving X, B checks whether \( X \in \mathbb {G}_1/1_{\mathbb {G}_1} \) and aborts if not. B selects \( r_B\leftarrow \mathbb {Z}_q^*\), computes \( y=H({SK}_B^R,r_B) \) and \( Y={(H_2({ID}_B))}^{y} \). Then B sets the primary secret \( {PS}_B=e(X, SK_B^R))^y \), derives keys \( (K_1,K_2)\leftarrow KDF({PS}_B,X\parallel Y) \) and computes \( C_B=Enc_{K_1}({ID}_B,y) \). Finally, B sends \( (Y,C_B) \) to A.

• Upon receiving \( (Y,C_B) \), A computes primary secret \( {PS}_A=e({SK}_A^I,Y)^x \), derives keys \( (K_1,K_2)\leftarrow KDF({PS}_A,X\parallel Y) \) and decrypts the ciphertext \( C_B \) under the secret value \( K_1 \) to get the identity \( ID_B \) and y. Then A verifies if \( y\in {Z_q}^{*} \) and \( Y=(H_2(ID_B))^{y} \), if so, it computes \( C_A=Enc_{K_1}(ID_A,x) \) and the session key is set to be \( K_2 \). Finally, A sends \( C_A \) to B.

• Upon receiving \( C_A \), B runs \( Dec_{K_1}(C_A) \rightarrow (ID_A,x) \). Then it verifies if \( x\in Z_q^{*} \) and \( X={(H_1(ID_A))}^x \), if so, the session key is set to be \( K_2 \).

B Review of the TFNS19-Protocol

The structure of the TFNS19-protocol [25] is described in Fig. 4. In this protocol, the three hash functions are defined as: \(H, H_1, H_2: \{0,1\}^*\rightarrow \mathbb {Z}_p\), \(H_3: \{0,1\}^*\rightarrow \{0,1\}^\kappa \).

Fig. 4.

Construction of TFNS19-protocol [25]