Research On Some Issues In Authenticated Key Agreement Protocols

Posted on: 2013-01-30
Degree: Doctor
Type: Dissertation
Country: China
Candidate: L Ni
GTID: 1118330362467329
Subject: Computer Science and Technology

Abstract/Summary:
Key agreement (KA) protocols are important tools to secure communications over open networks. By a KA protocol, two or more parties can generate a shared session key by making use of their long-term keys and ephemeral messages exchanged over an open network. The shared secret session key is then used for secure communication. Authenticated key agreement (AKA) protocols not only allow parties to establish the shared session key but also ensure the authenticity of the involved parties. AKA protocols can be implemented in various cryptographic settings. At present, public key infrastructure (PKI) based AKA protocols have been studied in depth and are widely used. However, the implementation of such protocols in the traditional public key cryptographic setting needs to maintain, transfer and validate users' public key certificates, which incurs a high overhead. Identity-based (ID-based) and certificateless cryptosystems abolish the public key certificate, avoid the requirement of a large PKI and greatly simplify the management of public keys. Hence the research on AKA protocols in the ID-based and certificateless cryptographic settings has important academic value and broad application prospects. Besides, provable security based on complexity theory has become a prevailing method to evaluate the security of these two novel types of AKA protocols.

In this thesis, we mainly study the design and analysis of ID-based and certificateless AKA protocols with provable security, as well as security models for such protocols. The main results are as follows:

1. We summarize some basic design specifications of AKA protocols. Also, we generalize the basic design requirements of AKA protocols.

2. We construct two new ID-based two-party AKA protocols from bilinear pairings and prove they are secure in the ID-based extended Canetti-Krawczyk (eCK) model. By using the trapdoor test technique proposed by Cash, Kiltz and Shoup in Eurocrypt 2008, we show that the first protocol bases its security on the standard Computational Bilinear Diffie-Hellman (CBDH) assumption, which is weaker than the Gap assumptions of some previous protocols in this category. The second protocol bases its security on the Gap Bilinear Diffie-Hellman (GBDH) assumption, with a lower computational overhead. The eCK model provides the strongest definition of security among the existing security models for two-party AKA protocols. At present, only a few ID-based AKA protocols are provably secure in the strong eCK model. Compared with most previous schemes in this category, our protocols can provide a stronger security guarantee; compared with the existing eCK-secure ID-based AKA schemes, our protocols are more efficient when off-line precomputation is possible, and our security proof is more concise and more straightforward.

3. We adapt the original eCK model to the escrowable ID-based setting, and design four provably secure escrowable ID-based two-party AKA protocols from bilinear pairings in this eCK model. By using the trapdoor test technique, we show that some of these protocols base their security on the standard CBDH assumption, which is weaker than the Gap assumptions of some previous protocols in this category. Compared with the existing escrowable protocols, our protocols provide stronger security. To the best of our knowledge, these new schemes are the first escrowable ID-based AKA protocols provably secure in the strong eCK model.

4. We design a novel pairing-free ID-based AKA mechanism for the session initiation protocol (SIP) by using the Canetti-Krawczyk (CK) model. Our proposal has the ability to resist the various possible attacks suffered by the current SIP authentication mechanism and previous proposals. By introducing some design ideas from certificateless cryptography, our proposal successfully avoids not only the requirement of a large PKI but also the key escrow flaw existing in previous ID-based proposals. Compared with previous ID-based and certificateless proposals from relatively expensive pairings, our pairing-free proposal is constructed with the standard elliptic curve additive group and is computationally more efficient.

5. We construct two provably secure ID-based two-party AKA protocols without bilinear pairings in the ID-based eCK model. By using the trapdoor test technique, we show that the first protocol bases its security on the standard Computational Diffie-Hellman (CDH) assumption, which is weaker than the Gap assumptions of some previous protocols in this category. The second protocol bases its security on the Gap Diffie-Hellman (GDH) assumption, with a lower computational overhead. Our schemes require only two-message communication and can be implemented over the standard elliptic curve additive group. Most existing ID-based AKA protocols require relatively costly bilinear pairing operations. At present, only a few ID-based AKA protocols are provably secure in the strong eCK model, among which eCK-secure pairing-free schemes are even rarer. Compared with previous protocols in this category, our schemes have advantages over them in security, efficiency or both.

6. We present a strong security model for certificateless two-party AKA protocols, which is an extension of the original eCK model. Also, we construct a provably secure certificateless two-party AKA protocol from bilinear pairings in this model. By using the trapdoor test technique, we show that the security of the protocol relies on the standard CDH and CBDH assumptions, which are weaker than the Gap assumptions of some previous protocols in this category. The model proposed by Lippold, Boyd and Nieto in Pairing 2009 is known as the current strongest security model for certificateless two-party AKA protocols, and our model is comparable to this model. At present, work in the area of certificateless KA protocols is relatively limited, and only a few of these protocols are secure in such strong models. Compared with previous certificateless two-party AKA schemes, our protocol has advantages over them in security or efficiency.
Keywords/Search Tags: authenticated key agreement protocol, provable security, identity-based cryptography, certificateless cryptography, bilinear pairing, trapdoor test