Keywords

1 Introduction

Key agreement (KA) is a fundamental functionality for secure communication. Ultimate goal of a KA scheme is to let a pair of users agree on a unique shared key; thus allowing them to use this agreed key(s) for secure communications.

Key agreement may be troublesome for large networks that may well be spread over large geographical region. Practical instances of such networks are military network or internal network of a multi national company (MNC) like Microsoft which has its office all across the world. Yet another example is that of an ad-hoc networks where communications between users is expected to be volatile.

All these network will be well served by a protocol that ensures pair-wise keys for every level. Whereas inter level communications may involve subsets of users to share common keys. For example, for a MNC team leads are responsible for their team member’s (child’s) performance and interactions (intra and inter). Users above a lead takes collective feedback from these leads. These practical instances are not captured by existing protocols and motivates our key agreement protocols.

1.1 Related Schemes and Their Limitations

Legendary public key protocols like Diffie-Hellmann [3] and RSA [9] use a private key-public key pair and are interactive (post deployment). For proper implementations (to avoid active attacks like man-in-the-middle attack), these pairs are certified by trusted certifying agencies; making their implementations costly.

This led to alternate thoughts of identity-based key agreement (IB-KA) conceptualized by Shamir [11] in 1984, though first such efficient scheme was develop in 2000 by Sakai-Ogishi-Kasahara (SOK) [10]. Their non-interactive pairing based scheme is applicable in distributed scenarios but not in hierarchical environments. Horwitz and Lynn [8] proposed the first hierarchical identity-based cryptosystem that supported only two levels. Their key agreement uses a pairing-based scheme at the top level and a polynomial-based key distribution scheme (imitating Blom [2]) is placed at second level. Gennaro et al. [5] cleverly reversed the order in [8] in their first of two proposals, while they used subset based key predistribution scheme of Eschenauer and Glogor [4] (instead of [2]) for their second construction. Underlying polynomial or subset based symmetric schemes generally brings in additional key sharing complexity and thereby threshold resilience against node compromise. Resultant hierarchical identity-based key agreement protocols suffers from rapidly increasing threshold value and can support small number of level owing to fast diminishing of keyrings per tier. Another problem is that ‘intermediate’ users may collude to trace shared key(s) of their ancestors.

Guo et al. [7] attempted a HIBKA protocol using bilinear pairing and claimed that their scheme is resilient against corruption of any number of nodes in hierarchy. Unfortunately, Zhu et al. [12] concretely established that Guo et al.’s scheme is vulnerable against corruption of end-users in the hierarchy. This may be a crucial drawback while implementing many such protocols for tactical networks deployable in real life scenarios like military or MANET applications or in an MNC.

There are certain authenticated key exchange (AKE) or agreement (AKA) protocols that authenticate the identities during exchange of session keys. These schemes were consequences of the pioneering work of Bellare and Rogaway [1] who uses pre-shared symmetric secrets to achieve desired purposes.

1.2 Design Goals and Motivation of Our Work

Through the above literature survey of prominent schemes, we identified certain crucial properties that a key agreement schemes (KAS) should have. They are:

  • Identity-based (IB) [11]: to avoid (expensive) certification of third parties. Such protocols allow users to compute their secret keys that will be shared with peers using only their own private key and identity of concerned peer.

  • Hierarchical (H) structure [5, 6]: decentralizes a network and distributes the load of the (root) PKG to lower level PKGs (i.e. lower level parents).

    • – Inductive: ensures a scheme must be applicable to networks with unrestricted depth. That is, given positive integers ml, the scheme should permit key agreement between any user at level m and level l.

  • Resilient (in a ‘strong sense’ [5]): in view of limited physical protection of end devices, the scheme should resilient against compromise of [a] threshold of non-ancestral users in upper levels of hierarchy of concerned (key agreeing) nodes; and, [b] any children joining the network;

  • pre-deployment (ancestral) interactions (secure and inexpensive): is considered in our work. We achieve (i) a scheme that uses HIBC [6]; and, (ii) an inexpensive secure communication by use of inductively agreed symmetric key. Ideally, any given pair of users should be able to compute their unique shared secret key(s) without interaction among themselves.

We address these concerns through our i-H-IB-KA-pdi protocols. Finally, both our protocols employ bilinear pairing map like Sakai-Ogishi-Kasahara [10]. We recommend use of our hybrid protocol due to fast efficient implementation of underlying symmetric key cryptosystem;Footnote 1 thereby our scheme finds wide-spread applicability. Conducting these (fast) communications among ancestors before a child’s deployment slightly deteriorates the communication complexity as compared to non-interactive schemes [5, 10]. However resilience is much improved.

2 Definitions: I-H-IB-KA-pdi; Related Concepts

This section is adapted from [6] and recalls adequate background for our work.

  1. 1.

    ID-Tuple: ID tuple \((Id_{1_i}, Id_{2_i},\dots ,Id_{l_i}), l\in \mathbb {Z}_+\) of an user A defines its (hierarchical) position. A’s ancestors in the hierarchy tree are root PKG and lower-level PKGs whose ID-tuples are \(\{(Id_{1_i}, Id_{2_i},\dots ,Id_{a_i}): 1 \le a < l, i\in \mathbb {Z}_+ \}\). For convenience, let \(E_{l_i}\) denote the \(i^{th}\) user at level l. So that ID-tuples of \(E_{l_i}\)’s ancestors at any level a \((1 \le a \le l-1)\) are \(Id_{1_{i_1}}, Id_{2_{i_2}},\dots ,Id_{a_{i_a}}\).

  2. 2.

    Hierarchical Identity-Based Key Agreement (HIBKA): is a specified by four randomized algorithms: Root Setup, Lower-level Setup, Extraction and finally, Key Agreement (KA) with consistency check(s). Details in Sect. 3.

  3. 3.

    Admissible Paring map: For cyclic groups \(G,G_T\) of large prime order \(p\approx (160-300\ BITS)\), a map \(e: G \times G \longmapsto G_T\) is a ‘pairing admissible’ if it is:

    1. (a)

      Non-degenerate map: does not send all pairs in \(G\times G\) to identity of \(G_T\).

    2. (b)

      Computable: There exists an efficient polynomial time algorithm to compute e(AB) for any \(A,B \in G\).

    3. (c)

      Bilinear (multiplicatively): \(e(A^x, B^y) = e(A,B)^{xy} \forall A,B \in G,x,y \in \mathbb {Z}_p\).

    4. (d)

      Symmetric: \(e(A,B)=e(B,A)\forall A,B \in G\) follows from cyclic nature of the group G and bilinear property of the map e.

  4. 4.

    Hard problem and computational assumption for security proof: Our security proofs are based on the following computational assumptions:

    1. (a)

      Bilinear Diffie-Hellman (BDH): Given \(g^x,g^y,g^z \in G\) for \(x,y,z,r \in _{\mathfrak {R}} \mathbb {Z}_p\), computing \(e(g,g)^{abc}\) is hard. Here \(g\in G\) is a generator, as usual.

    2. (b)

      Decisional Bilinear Diffie-Hellman (DBDH): Given \(x,y,z,r \in _{\mathfrak {R}} \mathbb {Z}_p\), it is hard to differentiate \((g^x,g^y,g^z,e(g,g)^{xyz})\) and \((g^x,g^y,g^z,e(g,g)^r)\).

3 Our I-H-IB-KA-pdi Protocols

Inner region key agreement of our hierarchical for any level \(a, a>1\) is a direct (inductive) consequence of SOK protocol. However, inter clusters key agreement is still a major challenge which we try to solve with the help these four protocols:

Root Setup: The root PKG:

  1. 1.

    runs \(\mathscr {G}\) on input K to generate groups \(G,G_T\) of some (large) prime order p and an admissible pairing \(e: G\,\times \,G \longmapsto G_T\);

  2. 2.

    chooses an arbitrary generator \(g\in G\);

  3. 3.

    picks the master secret key (msk) \(s \in _{\mathfrak {R}} \mathbb {Z}_p\) and sets \(g_0=g^s\);

  4. 4.

    chooses cryptographic hash functions \(H_1: \{0,1\} \longmapsto G\) and \(H_2: G_T \longmapsto \{0,1\}^n\) for \(n \in \mathbb {Z}_+\). Our security analysis treats \(H_1\) and \(H_2\) as random oracles.

The user identity space is \(\mathscr {I} = \{0,1\}^*\). The (eventual agreed) key space is \(\mathscr {K} = \{0,1\}^n\). For instance, \(n=128\) in case we desire to implement AES\(-128\) with eventual agreed (symmetric) keys. Public parameters of the system are \(pp = (G, G_T , e, g, g^s, H_1, H_2)\). The root PKG’s msk is \(s\in \mathbb {Z}_p\).

Lower-Level Setup: Entity \(E_i\), i.e., \(i^{th}\) would be parent at level \(l-1\):

  1. 1.

    randomly picks a secret \(s_l \in _{\mathfrak {R}} \mathbb {Z}_p\) meant for HIBC scheme [6].

  2. 2.

    picks additional secrets \(t^i\) meant for key agreement of \(E_i'\)s children with upper level users and \(t^j_i (\ne t^i\ne s_l) \in _{\mathfrak {R}} \mathbb {Z}_p, i,j=1,2,\dots r_l, j\ne i\). We assume that a maximum of \(r_l (\in \mathbb {Z}_+)\) many children join under each level \(l-1\) user.

  3. 3.

    securely transmits these \(t^j_i\) to existing users at level \(l-1\) using (i) existing HIBC [6] setup, or (ii) agreed symmetric key at parental level \(l-1\) by the previous step of this inductive setup. We recommend later process due to faster encryption-decryption owing to application of suitable light weight symmetric key. Of course, a fast hybrid (using public and symmetric cryptosystem) key agreement technique evolves, which is a certain novelty;

  4. 4.

    raises \(g^{t^i}\); securely broadcasts them to existing users at level \(i (i\le l-1)\) to facilitate their key agreement with incomers under \(E_i\).

  5. 5.

    calculates \(u_{ij}:=t^j_i\cdot t^i_j, j\ne i\) for exponentiation; then loads into each child.

Last four steps are supplemented to HIBC’s lower-level setup in [6] facilitate key agreement in our protocols. Maximum users at level \(a:=R_a=r_{a-1}R_{a-1}, a\in \mathbb {Z}_+\).

Extraction: Let \(E_{l_i}\) be an incoming user(incomer) at level l under \(i^{th}\) parent \(E_i\), i.e. \(E_{i_{(l-1)}}\) of level \(l-1\). We consider ID-tuple of \(E_{l_i}\) to be \(Id_{1_{i_1}}, Id_{2_{i_2}},\dots ,Id_{{l-1}_i},Id_l\) (refer to Sect. 2). In case of no confusion, simplified notations may be used for an incomer under a fixed parent \(E_i\) at level \(l-1\). In the footsteps of HIBC [6], set \(S_0\) to be the identity element of G. Then \(E_{l_i}\)’s parent \((E_i)\) at level \(l-1\):

  1. 1.

    computes \(P_{i_l} = H_1 (Id_{1_{i_1}}, Id_{2_{i_2}},\dots ,Id_{{l-1}_i},Id_l) \in G\);

  2. 2.

    sets \(E_{l_i}\)’s secret point \(S_l\) to be \(S_{l-1}\cdot P_{i_l}^{s_{l-1}}= \prod \limits ^l_{a=1} P_{i_a}^{s_{i-1}}\);

  3. 3.

    exponentiates the additional secrets \(P_{i_l}^{t^i},P_{i_l}^{u_{ij}}, j=1,2,\dots , r_{l-1},j\ne i\);

  4. 4.

    passes down these secret computed in above step to \(E_{l_i}\);

  5. 5.

    gives \(E_{l_i}\) the values of \(Q_a= g^{s_a}\) for \(1 \le a \le l-1\). In fact, \(g^{s_a}\) of existing user must be provided to \(E_{l_i}\) to facilitate key agreement with them. Case 3 of Key Agreement protocol (below) exploits these preloaded \(g^{s_a}\) to compute eventual shared keys of \(E_{l_i}\) and concerned existing user.

Key Agreement: Algorithm consists of three sub-algorithms for distinct cases:

  1. case 1

    both the incomers are under the same parent: This case is similar to the SOK scenario with each level \(l-1\) parent playing the role of (lower level) PKG. User \(E_{l_i}\) computes \(e(P^{s_l}_{i_l},P_{j_l})\) and user \(E_{j_l}=e(P_{i_l},P^{s_l}_{j_l})\) The agreed key between incomers \(E_{l_i}\) and \(E_{j_l}=e(P_{i_l},P_{j_l})^{s_l}\) which shows the correctness.Footnote 2

  2. case 2

    concerned pair of incomers are under the different parents: key agreement in this case is a major outcome of our proposal. Elegant use of our pre-deployment secure communications yield shared secrets (symmetric information \({u_{ij}})\). These are exponentiated \((P_{i_l}^{u_{ij}})\) and passed down for computing:

    • \(e(P_{i_l}^{u_{ij}},P_{j_l})\) by an incomer \(E_{l_i}\) at level l under \(i^{th}\) parent \(E_i\) of level \(l-1\).

    • \(e(P_{j_l}^{u_{ji}},P_{i_l})\) by another level l incomer \(E_{j_l}\) under \(j^{th}\) parent \(E_j\).

    • correctness: \(e(P_{i_l}^{u_{ij}},P_{j_l})=e(P_{i_l},P_{j_l})^{u_{ij}}=e(P_{j_l}^{u_{ji}},P_{i_l})\) \(\because u_{ij}=u_{ji}\).

  3. case 3

    one entity is an existing user and the other an incomer \(E_{l_i}\) at level l:

    • the incomer \(E_{l_i}\) calculates \(e(P_{i_l}^{t^i},g^{s_a})\) (since it possesses both \(t^i,g^{s_a})\).

    • existing user at level \(a, (a\le l-1)\) similarly calculates \(e(P_{i_l},(g^{t^i})^{s_a})\).

    • correctness: \(e(P_{i_l}^{t^i},g^{s_a})=e(P_{i_l},g)^{s_a\dot{t}^i}=e(P_{i_l},(g^{t^i})^{s_a})\) (tautology).

Remark 1

(Limitation of our HIBKA scheme). Every intermediate users between an incomer at level l and an existing user get to see secrets \(g^{s_a}, a < l-1\) meant for key exchange. This implies that they can compute \(e(P_{i_l}^{t^i},g^{s_a})\) in a fashion similar to all its children. Thus the key constructed in case 3 of our Key Agreement protocol is known to all intermediate users. This is a potential weakness of our scheme. Of course, level \(l-1\) parent \(E_i\) of any incomers can compute all keys of its children. However, such scenarios are similar to all prominent schemes like [5, 7, 10, 12] and is useful in assuring escrow, non-repudiation, etc.

4 Security of Our Scheme

An adversary in our models like most is assumed to be a probabilistic polynomial-time algorithm and controls the communication between each pair of parties. Moreover, the adversary can mount several attacks on communicating parties that include revealing session keys, corrupting a party, etc. After an adversary finishes initial round of queries (i.e. various attacks), a “TEST” query (attack) is send by the adversary on identities of a pair of parties whose keys are being agreed upon. The two parties specified in the “TEST” query are referred to as the target parties. There are certain restriction on this “TEST” query, viz:

  1. 1.

    an adversary cannot mount “TEST” attack on concerned incomers whose keys are being established and their respective parents.

  2. 2.

    an adversary obviously should not mount an attack on a corrupted party.

A challenger \(\mathscr {B}\) who controls BDDH parameters responds to this “TEST” query by sending either:

  • the secret keyring of the party on which the “TEST” query is made; or

  • random strings of same length as any keyring.

The value returned to the adversary has equal probability and is called target key. Idea is that an adversary must not be able to distinguish between the above two cases with non-negligible advantage. We formally state and prove our security result based on BDDH problem stated in Sect. 2.

Theorem 1

Consider \(G; G_T\) and e to be two groups of order p and a bilinear pairing that satisfy the BDDH assumption. We model our hash function \(H_1\) as a random oracle. Then our schemes guarantee secure key agreement of:

  • two incomers at any level against an adversary who can compromise all but these two users and their parents;

  • an incomer and an existing user against an adversary who can compromise all incomer user other than this one.Footnote 3

Proof

We prove this result by a reduction from security of our scheme to BDDH assumption. We construct a challenger (algorithm) \(\mathscr {B}\) using an adversary \(\mathscr {A}\) that can break our scheme with a non-negligible probability. This leads to a contradiction that our challenger can solve an instance of BDDH problem with essentially the same non-negligible advantage. Given an instance of the BDDH problem:\(p; k; G; G_T ; e ; g; g^a; g^b; g^c; D; R,\) where e is a bilinear pairing \(e: G\times G\mapsto G_T\), and \(D=e(g,g)^{abc}, R= e(g,g)^r\), \(\mathscr {B}\)’s task is to decide which one among \((g,g^a,g^b,g^c,D)\) and \((P,g^a,g^b,g^c,R)\) is a BDDH tuple. Our challenger \(\mathscr {B}\) embeds BDDH input ab into hash queries and c into “TEST” query issued by \(\mathscr {A}\).Footnote 4 Setup algorithm and responses to hash, id. compromise and “TEST” queries are below:

Setup algorithm is simulated by challenger \(\mathscr {B}\) as follows:

  • \(\mathscr {B}\) fixes system’s public parameters, viz. generator of the group G(g) and the hash function \(H_1\) which is treated as a random oracle controlled by \(\mathscr {B}\).

  • \(\mathscr {B}\) sends the system parameters to adversary \(\mathscr {A}\).

Hash queries are smartly used to embed ab. Challenger \(\mathscr {B}\) answers these queries to our adversary \(\mathscr {A}\) in arbitrary order as described below:

\(\mathbf {H_1(ID_i)}\) queries: Challenger \(\mathscr {B}\) maintains an initial empty list \(H_1^{list}\) with entries of the form \((ID_i,h_i)\). When the oracle \(H_1\) is queried at \(ID_i\) by the adversary \(\mathscr {A}\), challenger \(\mathscr {B}\) responds to this query as follows:

  • \(\mathscr {B}\) responds with responds with \(H_1(ID_i)=h_i\) in case \(ID_i\) already appears on the \(H_1^{list}\) as the a tuple \((ID_i,h_i)\);

  • when \(ID_i\) is identity of the parent of first target incomer, \(\mathscr {B}\) stores \((ID_i,g^a)\) into the tuple list; responds with \(H_1(ID_i)=g^a\);

  • there are two cases while embedding b and responding with \(g^b\):

    • – first, in case of key agreement between two incomers. Let \(ID_j\) be the identity of the parent of second target incomer. Our challenger \(\mathscr {B}\) stores \((ID_j,g^b)\) into the tuple list and responds with \(H_1(ID_j)=g^b\);

    • – second case: for key agreement involving an existing user, \(ID_j\), we consider the same identity \(ID_j\) as \(c=s_a\) is generates by it. Therefore our challenger \(\mathscr {B}\) stores \((ID_j,g^b)\) into the tuple list; responds with \(H_1(ID_j)=g^b\);

  • or else, our challenger \(\mathscr {B}\) randomly selects \(r_i \in \mathbb {Z}^*_p\), computes \(H_1(ID_i)=h_i=g^{r_i}\), inserts \((ID_i,h_i)\) into the tuple list and responds with \(H_1(ID_i)=h_i\).

Compromise identity \((ID_s)\) queries: Challenger \(\mathscr {B}\) responds to identity compromise queries mounted by our adversary \(\mathscr {A}\) in the following manner:

  • in case queried on identity of the parent of any target user or is either of the target node, \(\mathscr {B}\) aborts the game. This case concerns only parents of key agreeing parties or themselves. Therefore probability of occurrence of such queries (events) is negligible (analysis to be presented in extended version).

  • Otherwise, all secret held by user i are returned by \(\mathscr {B}\) to \(\mathscr {A}\).

A “TEST” query is mounted by an adversary after compromise queries. The game between an adversary and the challenger is as below:

TEST query: Our adversary \(\mathscr {A}\) zooms on two identities with restrictions mentioned above and is responded by our challenger \(\mathscr {B}\) with a value D as follows:

  • \(\mathscr {B}\) chooses a bit \(b\in \{0,1\}\) at random;

  • if \(b=1\), the real secret key D shared between these two identities is returned; \(\mathscr {B}\) computes \(D=e(H_1(ID^1),H_1(ID^2))^c\)

  • otherwise \(\mathscr {B}\) returns a randomly sampled value \(R=e(H_1(ID^1),H_1(ID^2))^{r_x}\) for identity \(ID_x\) generated according to the distribution of the secret key.

Of course \(D=e(H_1(ID^1),H_1(ID^2))^c=e(g^a,g^b)^c=e(g,g)^{abc}\) where \(ID^1,ID^2\) are first and second users. Challenger’s simulation yields \(e(H_1(ID^1))=g^a\) and \(e(H_1(ID^2))=g^b\), so that the response \(D=e(g,g)^{abc}=e(H_1(ID^1),H_1(ID^2))^c\) is the correct key. We find that our challenger \(\mathscr {B}\) is able to respond satisfactorily to all simulation queries. So we conclude that this run of \(\mathscr {A}\) under \(\mathscr {B}\) is identical to its view in a real run against our scheme.

The “TEST” query may be followed by second round compromise queries. After \(\mathscr {A}\) finishes the queries, it returns its challenge \(b'\) as his/her guess of b. \(\mathscr {B}\) outputs this same bit \(b'\) as its guess to BDDH problem. We observe that since parent of two identities cannot be queried upon, so challenger \(\mathscr {B}\) always responds with \(r_i\) in the hash queries; thereby resulting in random keys. This proves the theorem assuring security of our schemes under the restrictions mentioned.

5 Comparison

We present a comparative study of our protocols in terms of security and complexity efficiencies. First we present a comparison among themselves and then, due to page limits, with only prominent works [1, 35, 710, 12]. A more comprehensive analytical study will be presented in an extended version our work.

Both our protocols uses identity based key exchange like of SOK [10] and pre-deployment interaction. Interactions in our purely public key agreement protocol uses HIBC [6], whereas our hybrid protocol uses inductively derived symmetric keys for pre-deployment encryption decryption. Consequently later protocol has faster implementations than purely public key agreement protocol like ours (previous) and exiting works in identity based key agreement [5, 7, 8, 10, 12]. Moreover, existing protocols either uses purely public key or purely symmetric key techniques–but not an hybrid of both. This is a specialty of our hybrid proposal.

Bellare and Rogaway [1] uses pre-shared symmetric secrets to derive successive session keys and authenticate devices. Our mission is different–we try to establish secret symmetric secrets or keys. In some sense, the eventual share keys resulting out of our schemes can be taken as the pre-shared secret that can be used for their scheme [1]. Moreover, our hybrid design uses these secrets inductively thereby having similar one-time use as [1]; but not successive use.

Use of identity based cryptography [10, 11] in our protocols bypasses the costly requirement of certifications which was prevalent in public key infrastructure schemes that follow footsteps of [3, 9]. This certainly reduces trust on third parties and thereby enhances security efficiency of our protocols. Moreover, our schemes involve only pre-deployment secure communication and not post deployment. Most of such computations can be done off-line as opposed to critical on-line computations in (post deployment) interactive schemes based on [3, 9]. Therefore, our protocols outperform such schemes in terms of complexity efficiency.

A specialty of our construction is inductive increment in depth of hierarchy. Prominent identity based schemes like Gennaro et al. [5] fail to assure this property. There are attempts in this directions [7] that have been proved futile by [12].

6 Conclusion and Future Prospects of Our Work

Our protocols achieve most design goals described in Sect. 1.2. Clever inductive use of symmetric keys during encryption of randomly generated secrets \((t^i_j,t^j_i)\) after first round using public keys (HIBC [6]) makes our hybrid scheme highly efficient. This paper primarily presents theoretical aspects with some lights on implementation. Further work needs to be done to implement of our protocols. We plan to extend our schemes in future work to secure a hierarchical network under compromise of threshold number of users at ancestral level.