1 Introduction

A Key Agreement protocol enables two or more entities to establish a shared secret over an insecure channel. In an Identity-Based Key Agreement protocol, the public key of each participating entity is derived from its public identity. Since establishing a secure session key over an insecure channel is a central problem, Key Agreement protocols have received widespread attention in the cryptographic research community. Note that the focus of this paper is on two-party Identity-Based Key Agreement protocols.

To avoid the complex certificate management of traditional public key cryptosystems (PKC), Shamir [1] introduced the idea of identity-based cryptography. In this category of PKC, a user's public key is their identity (e.g., telephone number, image, or email address). Therefore, both communicating entities need to know each other's identifier before starting the communication.

However, turning this idea into a practical scheme remained an open problem until 2001, when Boneh and Franklin [2] proposed a fully functional identity-based encryption scheme.

Following the work of Boneh and Franklin, various identity-based cryptosystems, including Key Agreement protocols, have been published based on bilinear pairings [3–6]. A bilinear pairing is a cryptographic function that maps a pair of elements from two elliptic curve groups to an element of a finite field [7]. However, a pairing is an expensive operation, costing roughly twenty times as much as a scalar multiplication over an elliptic curve group [7]. Hence, to avoid this cost, several pairing-free Identity-Based Key Agreement protocols have been proposed recently (refer to Sect. 2).

To improve efficiency further, we propose a pairing-free Identity-Based Key Agreement protocol named PF ID KA.

The rest of this paper is organized as follows. Related work is reviewed in Sect. 2. Sect. 3 presents preliminaries, including the notation used and the main phases of Identity-Based Key Agreement protocols. Section 4 describes our proposed pairing-free Key Agreement protocol in detail. Section 5 analyzes the security and efficiency of the proposed protocol. Finally, we draw conclusions.

2 Related Works

Many pairing-free two-party Key Agreement protocols over elliptic curve groups exist. In 2010, Cao et al. [8] proposed a pairing-free Identity-Based authenticated Key Agreement protocol with two message exchanges, reducing the number of message exchanges compared with the earlier related works in [9, 10]. However, as shown in [11], the protocol of Cao et al. [10] is not secure against the known session-specific temporary information attack and the key offset attack. Islam and Biswas [11] proposed an improved version that does not suffer from these flaws. Their scheme also requires less computation, using three scalar multiplications and one point addition.

In addition, Farash and Attari [12] modified the protocol of Cao et al. [10] to support different private key generators.

3 Preliminaries

This section presents the preliminaries required for this article.

3.1 Notations

The notation and assumptions used in the following sections are listed below:

q : a large prime number

\( {\mathbb{F}}_{q} \) : the finite field of order q

\( E/{\mathbb{F}}_{q} \) : an elliptic curve over \( {\mathbb{F}}_{q} \)

G : a cyclic subgroup of \( E/{\mathbb{F}}_{q} \)

P : a generator of the group G

s : the master key, a randomly chosen element of \( {\mathbb{Z}}_{q}^{ * } \)

\( P_{\text{pub}} \) : sP

\( H_{1} , H_{2} \) : two collision-resistant one-way hash functions

\( ID_{i} \) : identity of user i

\( k_{s} \) : session key

Note that all scalar arithmetic takes place modulo the order of G. For an elliptic curve group that order is in general different from the field prime q, so an implementation must reduce scalars modulo the order of G wherever \( {\mathbb{Z}}_{q}^{ * } \) appears below.

The next section explains the main phases of Key Agreement protocols in the context of identity-based cryptosystems.

3.2 Main Phases of Identity-Based Key Agreement Protocols

One way to define an Identity-Based two-party Key Agreement protocol is to partition it into four sub-protocols, or phases, named SETUP, EXTRACTION, EXCHANGE, and COMPUTATION.

SETUP

In this phase, the corresponding algorithm takes a security parameter and generates the public parameters Params and the master key. A trusted third party, the private key generator (PKG), keeps the master key confidential, whereas Params must be publicly known to all entities.

EXTRACTION

In this phase, each entity obtains its private key by interacting with the PKG.

EXCHANGE

In this phase, the communicating parties each compute a one-way function (here, an elliptic curve scalar multiplication) of a randomly chosen value and exchange the results.

COMPUTATION

In this phase, the communicating parties compute the session key as a function of Params and the public and secret values they hold.

4 Our Proposed Identity-Based Key Agreement Protocol

In this section, we propose our pairing-free Identity-Based Key Agreement protocol, PF ID KA, which we claim satisfies the security requirements listed in Sect. 5. The remainder of this section describes the protocol in detail.

SETUP

This algorithm generates the master key \( s \in_{r} {\mathbb{Z}}_{q}^{ * } \) at random and, from the given security parameter, outputs Params \( \left\langle {q,{\mathbb{F}}_{q} ,E/{\mathbb{F}}_{q} , G, P,P_{\text{Pub}} ,H_{1} ,H_{2} } \right\rangle \), where \( H_{1} {:}\;\left\{ {0,1} \right\}^{ * } \times G \to {\mathbb{Z}}_{q}^{ * } \) and \( H_{2} {:}\;\left\{ {0,1} \right\}^{ * } \times \left\{ {0,1} \right\}^{ * } \times G \times G \times G \to {\mathbb{Z}}_{q}^{ * } \). The remaining elements are introduced in Sect. 3.

EXTRACTION

In this phase, an entity with identifier \( ID_{i} \) obtains its private key from the PKG. The PKG first chooses \( r_{i} \in_{r} {\mathbb{Z}}_{q}^{ * } \) at random, then computes \( R_{i} = r_{i} P \) and \( h_{i} = H_{1} (ID_{i} ,R_{i} ) \). The entity's private key is \( \left\langle {R_{i} , s_{i} } \right\rangle \), where \( s_{i} = r_{i} + h_{i} s\,( {\text{mod}}\,q ) \). Since \( s_{i} P = R_{i} + h_{i} P_{\text{Pub}} \), the entity can verify the key it receives against Params, and anyone who knows \( ID_{i} \) and \( R_{i} \) can compute the public point \( s_{i} P \).

Now assume that two entities, A and B, want to agree on a session key. The EXCHANGE and COMPUTATION phases are as follows:

EXCHANGE

In the EXCHANGE phase, the two entities do the following:

  1. A chooses a random \( a \in_{r} {\mathbb{Z}}_{q}^{*} \), computes the key token \( T_{A} = a(s_{A} P) = a(( r_{A} + h_{A} s( {\text{mod}}\,q ) )P ) \), and sends \( T_{A} , R_{A} \) to B.

  2. B chooses a random \( b \in_{r} {\mathbb{Z}}_{q}^{*} \), computes the key token \( T_{B} = b(s_{B} P) = b( {( {r_{B} + h_{B} s( {\text{mod}}\,q )} )P} ) \), and sends \( T_{B} , R_{B} \) to A.

COMPUTATION

In this phase, the two entities compute the shared secret as follows:

  • A computes \( K_{AB} = [ {a( {r_{A} + h_{A} s( {\text{mod}}\, q )} )} ]T_{B} \)

  • B computes \( K_{BA} = [ {b( {r_{B} + h_{B} s( {\text{mod}}\,q )} )} ]T_{A} \)

The following derivation shows that the two computed values of the shared secret are equal:

$$ \begin{aligned} K_{AB} & = \left[ {a(r_{A} + h_{A} s({\text{mod}}\, q))} \right]T_{B} \\ & = (as_{A} )\left[ {b((r_{B} + h_{B} s({\text{mod}}\, q))P)} \right] \\ & = \left( {as_{A} } \right)\left( {bs_{B} } \right)P \\ & = \left[ {b(r_{B} + h_{B} s({\text{mod}}\, q))} \right]T_{A} \\ & = K_{BA} \\ \end{aligned} $$

Finally, the agreed session key \( k_{s} \) is derived from \( K_{AB} \) by the key derivation function \( H_{2} \):

$$ \begin{aligned} k_{s} & = H_{2} \left( {ID_{A} ,ID_{B} ,T_{A} ,T_{B} ,K_{AB} } \right) \\ & = H_{2} \left( {ID_{A} ,ID_{B} ,T_{A} ,T_{B} ,K_{BA} } \right) \\ \end{aligned} $$

Figure 1 illustrates the PF ID KA protocol in general form.

Fig. 1 Our proposed protocol
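The four phases above, as an added worked example (editorial code, not from the paper or its authors), implemented in pure Python. The paper fixes no curve and no concrete hash functions; this example assumes secp256k1 for \( G \), SHA-256 with domain-separation tags for \( H_{1} \) and \( H_{2} \), identities as byte strings (the two addresses are constructed sample input), and scalar arithmetic modulo the group order n (the paper writes \( {\mathbb{Z}}_{q}^{ * } \) for both the field and the scalar ring). It also includes the extraction check \( s_{i} P = R_{i} + h_{i} P_{\text{Pub}} \) and a check on the EXCHANGE phase: whether B's COMPUTATION depends on A's private key at all.

```python
import hashlib
import secrets

# secp256k1 domain parameters (an assumption of this example; the paper fixes no curve)
p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
P = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity

def ec_add(A, B):
    """Affine point addition on y^2 = x^3 + 7 over F_p."""
    if A is INF:
        return B
    if B is INF:
        return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % p == 0:
        return INF
    if A == B:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def ec_mul(k, A):
    """Double-and-add scalar multiplication k*A."""
    R = INF
    while k:
        if k & 1:
            R = ec_add(R, A)
        A = ec_add(A, A)
        k >>= 1
    return R

def rand_scalar():
    """Uniform element of Z_n^* (the paper's Z_q^*)."""
    return secrets.randbelow(n - 1) + 1

def hash_to_scalar(tag, *parts):
    """H_1/H_2 instantiation (assumed): SHA-256 over a domain tag and
    length-prefixed inputs, mapped into Z_n^*."""
    h = hashlib.sha256(tag)
    for part in parts:
        if isinstance(part, tuple):  # curve point -> 64-byte encoding
            part = part[0].to_bytes(32, "big") + part[1].to_bytes(32, "big")
        h.update(len(part).to_bytes(2, "big") + part)
    return int.from_bytes(h.digest(), "big") % (n - 1) + 1

def H1(ID, R):
    return hash_to_scalar(b"PFIDKA-H1", ID, R)
def H2(ID_A, ID_B, T_A, T_B, K):
    return hash_to_scalar(b"PFIDKA-H2", ID_A, ID_B, T_A, T_B, K)

def setup():
    """SETUP: master key s (kept by the PKG) and P_pub = sP."""
    s = rand_scalar()
    return s, ec_mul(s, P)

def extract(s, ID):
    """EXTRACTION: PKG issues <R_i, s_i> with R_i = r_i P, s_i = r_i + h_i s (mod n)."""
    r = rand_scalar()
    R = ec_mul(r, P)
    return R, (r + H1(ID, R) * s) % n

def public_point(ID, R, P_pub):
    """s_i P = R_i + h_i P_pub, computable by anyone from (ID_i, R_i, Params)."""
    return ec_add(R, ec_mul(H1(ID, R), P_pub))

def exchange(s_i):
    """EXCHANGE: fresh ephemeral e_i and key token T_i = e_i (s_i P)."""
    e = rand_scalar()
    return e, ec_mul(e * s_i % n, P)

def session_key(ID_A, ID_B, T_A, T_B, e, s_i, T_peer):
    """COMPUTATION: K = (e_i s_i) T_peer, then k_s = H_2(ID_A, ID_B, T_A, T_B, K)."""
    return H2(ID_A, ID_B, T_A, T_B, ec_mul(e * s_i % n, T_peer))

def run_protocol(ID_A=b"alice@example.org", ID_B=b"bob@example.org"):
    """Honest run of all phases; returns (k_s at A, k_s at B, extraction check)."""
    s, P_pub = setup()
    R_A, s_A = extract(s, ID_A)
    R_B, s_B = extract(s, ID_B)
    ok = (ec_mul(s_A, P) == public_point(ID_A, R_A, P_pub)
          and ec_mul(s_B, P) == public_point(ID_B, R_B, P_pub))
    a, T_A = exchange(s_A)
    b, T_B = exchange(s_B)
    k_A = session_key(ID_A, ID_B, T_A, T_B, a, s_A, T_B)
    k_B = session_key(ID_A, ID_B, T_A, T_B, b, s_B, T_A)
    return k_A, k_B, ok

def outsider_as_A(ID_A=b"alice@example.org", ID_B=b"bob@example.org"):
    """Check on EXCHANGE: a party holding no private key sends T_A' = xP in A's name.
    Returns (key derived by that party, key derived by B)."""
    s, _P_pub = setup()
    _R_B, s_B = extract(s, ID_B)
    x = rand_scalar()
    T_A = ec_mul(x, P)  # formed without s_A or R_A
    b, T_B = exchange(s_B)
    k_B = session_key(ID_A, ID_B, T_A, T_B, b, s_B, T_A)
    return H2(ID_A, ID_B, T_A, T_B, ec_mul(x, T_B)), k_B
```

run_protocol() returns equal keys at A and B with the extraction check passing. outsider_as_A() also returns two equal keys: B's COMPUTATION uses only \( T_{A} \), which any party can form as xP for a random x, so the exchange as written gives B no evidence that its peer holds \( s_{A} \).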

5 Security and Efficiency Analysis

In this section, we explain the security properties required of a Key Agreement protocol. We then summarize the computational cost of existing related works and compare them with our proposed protocol.

5.1 Security Considerations

A common approach to evaluating the security of Key Agreement protocols is to check the following properties, explained in [13, 14].

Known-Key Security (KKS)

KKS means that knowledge of past session keys does not help in recovering future ones: each session key is fresh and independent of previously established keys.

Forward Secrecy (FS)

A protocol provides this property if previously established session keys remain secret even when the entities' long-term private keys are leaked.

Perfect Forward Secrecy (PFS)

A protocol provides this property if previously established session keys remain secret even when the long-term private keys of the entities and the master key of the PKG are leaked.

Key-Compromise Impersonation (KCI)

Compromise of one entity's long-term key lets the adversary impersonate the victim to others; a KCI-resilient protocol does not additionally let the adversary impersonate others to the victim.

Unknown Key-Share Resilience (UKSR)

An unknown key-share occurs if an adversary can cause an entity to share a session key with the adversary while believing it is shared with a legitimate entity. A Key Agreement protocol should be resilient against this attack.

Key Control (KC)

This property states that the session key is determined jointly by both communicating entities; neither of them should be able to predetermine it alone.

Known Session-Specific Temporary Information (KSSTI)

If the adversary can compute the session key after learning the ephemeral values a and b (refer to the EXCHANGE phase in Sect. 4), the protocol is vulnerable to this attack.

We claim that our proposed protocol supports all of the security attributes listed above. In addition, it can provide key confirmation and prevent the key offset attack if A and B exchange message authentication codes (MACs), computed under the session key, over the protocol transcript (for more information refer to [11]).

Editorial caveat: the claim above is stated without a proof, and one point should be checked before relying on it. Because \( s_{A} P = R_{A} + h_{A} P_{\text{Pub}} \) is computable from public data and \( a \) is uniform in \( {\mathbb{Z}}_{q}^{ * } \), the token \( T_{A} = a(s_{A} P) \) is a uniformly random element of \( G \) that any party can produce as \( xP \) for a random \( x \) without knowing \( s_{A} \), and B's computation \( K_{BA} = b s_{B} T_{A} \) uses neither \( R_{A} \) nor \( ID_{A} \). A party that sends \( xP \) in A's name therefore obtains \( x T_{B} = K_{BA} \) and hence \( k_{s} \), and a MAC under \( k_{s} \) does not detect this. Resistance to impersonation and KCI should not be assumed without an additional binding of the key tokens to the long-term keys.

5.2 Efficiency Considerations

As mentioned in Sect. 2, several two-party Identity-Based Key Agreement protocols without bilinear pairings have been proposed. The protocol of Cao et al. [8] requires four scalar multiplications and one point addition. The protocol of Islam and Biswas [11] requires only three scalar multiplications and one point addition. In 2014, Farash and Attari [12] proposed another pairing-free two-party Identity-Based Key Agreement scheme that requires four scalar multiplications.

To support this claim, Table 1 lists the protocols of [8, 11] together with their computational costs.

Table 1 Efficiency comparisons of different protocols

As Table 1 shows, our pairing-free Identity-Based Key Agreement protocol is efficient: each participant performs only three scalar multiplications and no point addition. The count of three corresponds to computing \( s_{A} P \), then \( a(s_{A} P) \), then \( (a s_{A}) T_{B} \); if the scalar \( a s_{A}\,( {\text{mod}}\,q ) \) is formed first, \( T_{A} \) and \( K_{AB} \) each cost a single scalar multiplication, and \( s_{A} P \) can in any case be computed once per entity and cached.

6 Conclusion

In recent years, various pairing-free cryptosystems have been designed to avoid the high computational cost of pairing maps, and several pairing-free Identity-Based Key Agreement protocols have been proposed in this setting. In this paper, we proposed PF ID KA, an authenticated Identity-Based two-party Key Agreement protocol that uses no pairing maps. The proposed protocol is efficient in comparison with existing related work.