Mot+: an Efficient and Secure Identity-Based Diffie-Hellman Protocol Over
Total Page:16
File Type:pdf, Size:1020Kb
mOT+: An Efficient and Secure Identity-based Diffie-Hellman Protocol over RSA Group Baoping Tian, Fushan Wei, and Chuangui Ma State Key Laboratory of Mathematical Engineering and Advanced Computing, Zhengzhou Information Science and Technology Institute, Zhengzhou 450001, China.fbaoping [email protected] Abstract. In 2010, Rosario Gennaro et al. revisited the old and elegant Okamoto- Tanaka scheme and presented a variant of it called mOT. However the compromise of ephemeral private key will lead to the leakage of the session key and the user's static private key. In this paper, we propose an improved version of mOT(denoted as mOT+). Moreover, based on RSA assumption and CDH assumption we provide a tight and intuitive security reduction in the id-eCK model. Without any extra computational cost, mOT+ achieves security in the id-eCK model, and furthermore it also meets full perfect forward secrecy against active adversary. Keywords: public key cryptography, Diffie-Hellman, composite modulus, id-eCK model 1 Introduction Designing authenticated key exchange protocol that is as efficient as the original unauthen- tivated Diffie-Hellman protocol [1] attracts many cryptographers. In the process of pursuing this objects, many excellent protocols are born, such as HMQV [2] and MQV [3]. Efficient as they are, but when considering the verification and transmission of public key certificates, they will lose some efficiency and also result to a larger bandwidth. At the same time, the use of certificates will introduce some other troubles. Of note are the problems of certificate manage- ment, such as revocation, storage and distribution. In order to eliminate the requirement for certificates in the traditional PKI and some related issues with them, Adi Shamir [4] first in- troduced the concept of identity-based public key cryptography(ID-PKC) in 1984. Since then, much work has been dedicated to designing identity-based authenticated key exchange(IB- AKE) protocols [5, 6, 7], most of them are pairing-based after the pioneering work by Joux [8]. However, pairings are hard to implement in the real word and the computational cost is very expensive. Thus, pairing-free IB-AKE protocol has some advantages over pairing-based ones both in efficiency and implementation. Among the pairing-free IB-AKE protocols, the old and elegant Okamoto-Tanaka scheme [9] catches our eyes. The exponentiation per user is very close to that in unauthentivated Diffie- Hellman protocol [1] when e takes the value of small exponent, e.g. e = 3. Masahiro Mambo and Hiroki Shizuya [10] showed that breaking the Okamoto-Tanaka scheme can be reduced to breaking the Diffie-Hellman scheme over ZN . Later, Seungjoo KIM et al. [11] analyzed the the security of the Okamoto-Tanaka protocol against active attacks, and they showed the rigorous security of Okamoto-Tanaka scheme in their attack models. In 2010, Rosario Gennaro et al. [12] analyzed Okamoto-Tanaka scheme at length, and they showed that the original Okamoto- Tanaka scheme is susceptible to some attacks, particularly known-key and malleability attacks. After some simple modifications, they obtained a variant(denoted as mOT) of Okamoto-Tanaka scheme and provided a security proof of mOT in the Canetti-Krawczyk(CK) model [13] based on the RSA assumption. In addition, they proved full perfect forward secrecy of mOT against active attacks. Yet, both mOT [12] and the original Okamoto-Tanaka scheme [9] suffer from ephemeral key compromise. The compromise of ephemeral key will lead to that the adversary can compute the shared secret value by itself, then followed by the leakage of session key. Furthermore, the compromise of ephemeral key can also result to the leakage of the user's long-term private key. 2 Baoping Tian et al. Menezes and Ustaoglu [14] pointed out that the compromise of ephemeral key may happen in the cases of side-channel attack, the using of a weak random number generator and stored insecurely. Taking the ephemeral key compromise into account, Lamacchia et al. [15] proposed the eCK model on the foundation of the Canetti-Krawczyk(CK) model [13]. Afterwards, huang et al. [16] extended the eCK model so that it can be applied to identity-based setting, hence called id-eCK model. In this paper, by applying the NAXOS trick [15] to mOT without incurring any compu- tational overhead, we obtain a securer two-pass authenticated Diffie-Hellman protocol named mOT+ . Further, based on RSA assumption and CDH assumption with composite modulus, we prove the security of mOT+ in the id-eCK model [16]. Organization. The rest of this paper is organized as follows : In section 2, we introduce some related preliminaries. Secion 3 outlines the id-eCK model. Then, we give the protocol description and prove the security of the first one in section 5. In the final section, we draw a conclusion on this paper. 2 Preliminaries Notations. Let k be the security parameter. By A(x; y; ··· ), we denote a polynomial time algorithm A with inputs (x; y; ··· ). And By r R A(x; y; ··· ), we denote that running the polynomial time algorithm A with inputs (x; y; ··· ), it outputs r. We denote by z 2R Z choosing an element z uniformly at random from Z. The Group of Quadratic Residues. Let N = PQ be a safe-prime RSA modulus(P = Z Z∗ 2p + 1;Q = 2q + 1 and p; q are also primes) and N be the set of integers modulo N. N is defined as the set of elements from ZN that have an inverse modulo N. The set of quadratic QR residues modulo N forms a multiplicative cyclic group denoted as N .The order of which is ϕ(N) QR 2 Z∗ 4 = pq. When selecting a random element u from N , by convention we choose v R N 2 QR QR and set u = v . A random element from N is the generator of N with overwhelming probability. Definition 1 (Computational Diffie-Hellman(CDH) Assumption with Composite Modulus). Let IG be an integer instance generator that on input 1k, outputs (N; P; Q) where P = 2p+1;Q = 2q +1 and P; Q; p; q are primes. Let g be a random generator of order pq. CDH assumption holds for IG, if for all probabilistic polynomial time adversary A, given (g; gu; gv) where u; v 2R Zpq, the probability is bounded by uv u v k Pr[g R A(g; N; U = g ;V = g ):(N; P; Q) R IG(1 ); u; v 2R Zpq] < ϵ(k) where ϵ(k) is negligible in k. The probability is taken over the coin tosses of A, uniformly random choice of u; v from Zpq and integer instance generator IG. remark. It is worth noting that if there exist an efficient algorithm to factor N, then it is left with the CDH problem modulo the factors of N, which is intractable provided P and Q are large enough. Actually, CDH assumption with composite modulus can be implied by the hardness of factoring [17]. Definition 2 (RSA Assumption). Let IG be an RSA instance generator that on input 1k 2 Z∗ outputs (N; e) such that N = PQ where P; Q are safe primes and e ϕ(N) where ϕ is Euler's totient function. The RSA assumption holds relative to IG if for all probabilistic polynomial time adversary A, the successful probability is ∗ A IG k 2 Z Pr[x R (N; e; y):(N; e) R (1 ); y R N ] < ϵ(k) where xe ≡ y (mod N) and ϵ(k) is negligible in k. The probability is taken over the coin tosses A Z∗ IG of , uniformly random choice of y from N and RSA instance generator . An Identity-based Diffie-Hellman Protocol over RSA group 3 Lemma 1 ([18]). Let N; e; d be the RSA parameters and b be an integer such that gcd(e; b) = d b d 2 Z∗ 1, then we can obtain x (mod N) from (x ) (mod N) where x N . 3 A Review of id-eCK model We model the users from the finite set U of size n as probabilistic polynomial time Turing machines(PPT). Each user owns an unique identifier IDi(e.g. a binary string related to their actual name). The user obtains the static private key corresponding to her/his identity from the KGC through a secure channel. Sessions. An instance of a protocol is called a session which can be activated by an incoming message of the forms (IDi;IDj) or (IDi;IDj;Y ). If it's activated by the first form, then IDi is called the session initiator, otherwise the session responder. The session can be uniquely identified by the session identifier which is in the form of sid = (IDi;IDj; X; Y ) where X and Y are the messages prepared by IDi and IDj respectively. For sid = (IDi;IDj; X; Y ), we call s th IDi the owner of session sid and IDj the peer. We denote by Πi;j the s session executed by th the owner IDi with intended peer IDj. If the session identifier of the t session between IDi 0 t and IDj is of the form sid = (IDj;IDi; X; Y ), then we say Πj;i is the matching session of s Πi;j and vice versa. Adversary. The PPT adversary owns the competence of controlling all the communica- tions between users(e.g. intercept, modify, delay, inject its own messages, schedule sessions etc) except that between users and KGC. The adversary can capture the leakage of private information of users via the following queries 1. StaticKeyReveal(IDi) : The adversary learns the static private key of IDi.