An ID-Based Mutual Authentication and Key Exchange Protocol for Low- Power Mobile Devices Authors: Tsu-Yang Wu and Yuh-Min Tseng Source: The Computer Journal (Published online on Sep. 2009) doi: /comjnl/bxp083 Reporter: 陳德祐 Date: Jan 15, 2010

2 Outline Introduction The proposed scheme Security analysis Comments

3 Introduction Das, M.L., A. Saxena, V.P. Gulati and D.B. Phatak (2006). A novel remote user authentication scheme using bilinear pairings. Computers and Security, 25(3), 184–189. Giri, D., and P.D. Srivastava (2006). An improved remote user authentication scheme with smart cards using bilinear pairings. In Cryptology ePrint Archive. Forgery attack Computational cost Multi-server A Pairing-Based User Authentication Scheme for Wireless Clients with Smart Cards Yuh-Min Tseng, Tsu-Yang Wu, Jui-Di Wu Informatica: International Journal,19(2), pp , 2008 The proposed scheme Mutual auth. Session key

4 Bilinear Pairings Bilinear Pairing  Let G 1, G 2, G T be cyclic groups of same order q.  G 1, G 2 : an additive group  G T : a multiplicative group Definition A bilinear map 1.Bilinear: 2.Non-degenerate: 3.Computability:

5 Notations and System setup S : a powerful server C : a low-power computing client e : a bilinear map, e : G 1 × G 2 → G T, ( G 1 =G 2 ) with the same order q ID C : the identity of the client C DID C : the private key of the client C ID S : the identity of the server S P : a generator of the group G 1 s : the system private key in Z q ∗ P pub : the system public key P pub = s · P H 1 () : a one-way hash function, H 1 :{0,1} * × G 1 → {0, 1} k H 2 () : a map-to-point function, H 2 : {0,1} * → G 1 Public parameters: {e, G 1, G T, q, P, P pub, H 1, H 2 }

Key extract phase 6 Client CServer S ID C (DID C, QID C ) DID C = s · H 2 (ID C ) = s · QID C

Mutual authentication and key exchange phase 7 Client CServer S r  R Z q ∗ U = r · QID C K 1 = r · DID C h = H 1 (ID C, U) V = (r+h) · DID C ( ID C, U, V ) QID C = H 2 (ID C ) h = H 1 (ID C, U) e(P, V)?=e(P pub, U+h · QID C ) ( N, Auth) Auth?= H 1 (P pub, ID C, N, U, V, K 1 ) SK= H 1 (Auth, N, U, V, K 1 ) DID C = s · H 2 (ID C ) = s · QID C Acquiring a nonce N K 2 = s ·U Auth= H 1 (P pub, ID C, N, U, V, K 2 ) SK= H 1 (Auth, N, U, V, K 2 )

Security analysis and discussion Secure against 1.ID attack 2.Impersonation attack 3.Passive attack 4.Mutual authentication A.Client-to-server authentication B.Server-to-client authentication 5.Implicit key confirmation 6.Partial forward secrecy Discussion  Replay attack 8 Theorem 1 Theorem 1+2 Theorem 2 Theorem 1 Theorem 3 Theorem 4 (1+2+3) Theorem 5

Challenger C 1 (P, xP, yP) xyP P pub = xP QID C = H 2 (ID C ) = yP Attacker A A can generate two valid message σ' = (ID C, U', V' ) and σ'' = (ID C, U', V'' ) Forking Lemma xyP = (V' − V'')/(h' − h'') e(P, V')=e(P pub, U' +h' · QID C ) e(P, V'')=e(P pub, U' +h'' · QID C ) =e(xP, U' +h' · yP) =e(xP, U' +h'' · yP) =e(P, x·U' +x·h'· yP) =e(P, x·U' + x·h''· yP) V' = x·U' +xy·h' PV '' = x·U' +xy·h'' P Theorem 1. In the random oracle model, if an adversary with a non-negligible advantage ε 0 can violate the client-to-server authentication of the proposed protocol, then there exists a challenger C 1 to solve the CDH problem.(1, 4A) σ' = (ID C, U', V' ) h = H 1 (ID C, U)

Theorem 2. In the random oracle model, if an adversary A can violate the server- to-client authentication of the proposed protocol with a non-negligible advantage ε, then there exists a challenger C 2 to solve the CDH problem with the advantage ε' ≥ ε − 1/2 k − q C 3 /q 2, where q C is the maximum number of queries to the oracle of the client C. Challenger C 2 (ryP, xP) rxyP P pub = xP QID C = H 2 (ID C ) = yP Attacker A (U', P pub ) ( N, Auth) Auth= H 1 (P pub, ID C, N, U', V, K 2 ) K 2 = x · U' = x · r ·QID C = xryP U' = r ·QID C = ryP P pub = xP 10

11 Theorem 3. In the random oracle model, if an adversary A can guess the coin b involved in the Test query with a non-negligible advantage ε, then there exists a challenger C 2 to solve the CDH problem. Challenger C 2 (ryP, xP) rxyP P pub = xP QID C = H 2 (ID C ) = yP Attacker A (U', P pub ) K 1 = r ·DID C = rxyP U' = r ·QID C = ryP P pub = xP Session key K 1 Secure against the passive attack  Secure against the disclosure of the session key

Proof. Implicit key confirmation: if the client (server) is assured that the server (client) is able to compute the session key and no one other than the client/server can compute it. Theorems 1 and 2: the client C and the server S can authenticate each other in the random oracle model and under the CDH assumption. Theorem 3: no one other than the client C and the server S can compute the session key SK. Therefore, the proposed protocol provides implicit key confirmation. 12 Theorem 4. In the random oracle model and under the CDH problem, the proposed protocol provides implicit key confirmation.

Proof. The system private key s is corrupted  all the previous session keys can be recovered from the transcripts  K 2 = s ·U  Auth= H 1 (P pub, ID C, N, U, V, K 2 )  SK= H 1 (Auth, N, U, V, K 2 ) The corruption of the client C (DID C ) cannot help to recover the previous session keys. Therefore, the proposed protocol offers partial forward secrecy. 13 Theorem 5. In the random oracle model and under the CDH problem, the proposed protocol offers partial forward secrecy.

Comparisons 14 (i) TG e : the time of executing a bilinear pairing operation e, e : G 1 × G 2 → G T (ii) TG mul : the time of executing a multiplication operation of point (iii) TG H : the time of executing a map-to-point hash function H 2 ( ) (iv) TG add : the time of executing an addition operation of points (v) T H : the time of executing a one-way hash function H 1 ( ) (vi) T exp : the time of executing a modular exponential operation (vii) T MAC : the time of executing a message authentication code

Mutual authentication and key exchange phase ~ replay attack 15 Client CServer S r  R Z q ∗ U = r · QID C K 1 = r · DID C h = H 1 (ID C, U) V = (r+h) · DID C ( ID C, U, V ) QID C = H 2 (ID C ) h = H 1 (ID C, U) e(P, V)?=e(P pub, U+h · QID C ) Acquiring a nonce N K 2 = s ·U Auth= H 1 (P pub, ID C, N, U, V, K 2 ) SK= H 1 (Auth, N, U, V, K 2 ) ( N, Auth) Auth?= H 1 (P pub, ID C, N, U, V, K 1 ) SK= H 1 (Auth, N, U, V, K 1 ) DID C = s · H 2 (ID C ) = s · QID C h = H 1 (ID C, T, U) Check T h = H 1 (ID C, T, U) ( ID C, T, U, V )

Comments Forward secrecy Nonce-based Explicit key confirmation Multi-server environment 16