Research Article  Open Access
Silan Zhang, Jianhua Chen, Jingbo Xia, Xiaochuan Ai, "An XTRBased Constant Round Key Agreement Scheme", Mathematical Problems in Engineering, vol. 2013, Article ID 596868, 9 pages, 2013. https://doi.org/10.1155/2013/596868
An XTRBased Constant Round Key Agreement Scheme
Abstract
A new XTRbased key agreement scheme with constant rounds is presented. Three theorems are formulated to reveal the logarithmic computational complexity of this scheme. Furthermore, the computation framework of XTRbased key agreement scheme is introduced, and security of the scheme is proven under the formal model.
1. Introduction
Key agreement is to construct secure infrastructures for networks by computing a common session key among a pool of group members. It is a central issue in various multicast applications such as pay preview broadcast of TV program, teleconferencing, military communication, and distributed interactive games.
The pioneer work can be traced to Steiner et al. [1] in 1996, who proposed the first key agreement scheme, GDH. As an extension of DiffieHellman key exchange based on the discrete logarithm problem in , GDH achieves group key exchange, and it is known as the first key agreement scheme. After that, various improved schemes of GDH are presented such as CLIQUES [2] and TGDH [3]. Unfortunately, the improved schemes are still flawed in excessive computation or unreasonable communication.
Nowadays, it has been widely accepted that a reliable key agreement scheme should meet three utmost crucial demands: fast computation, less communication, and provable security. Here the first demand, that is, fast computation, relies heavily on the algorithm one designed. With the outcome of the new ideas in cryptosystems, including elliptic curve cryptography (ECC) and Hash, computation efficiency in key agreement scheme was increased gradually. At first, the computations were based on the discrete logarithm problem, like Steiner’s classic work [1, 2], Kim’s TGDH [3], and a lot of forthcoming schemes [4–6]. Afterwards, Hash function was incorporated into some schemes to increase the computation efficiency, referring to Tso et al.’s work [7], Fu et al.’s work [8], and so forth. With the development of elliptic curves cryptography, faster computing module like Weil paring was regarded as a good replacement for common exponentiations or multiplications computations in traditional scheme. By using Weil paring on elliptic curve, the pairwise key agreement protocol [9], the tripartite key agreement protocol [10], and the IDbased authenticated group key agreement scheme [11] were given. A newer tendency was to constructing key agreement without using pairing computation; see He et al.’s work [12].
The second demand is less communicate, which refers to less information exchange between group members. In 2004, the bottleneck of key agreement scheme was illustrated as communication rounds, instead of computation rounds, which reveals the emphasis of design for an efficient key agreement scheme. In the beginning, GDH.3, proposed by Steiner et al. [1], need rounds of communications. Kim et al. [3] and Dutta and Barua [4] reduced the rounds of communications to and , respectively. Afterwards, key agreement with four rounds of communications are proposed by Tso et al. [7], Fu et al. [8], Zheng et al. [13], and so forth, and computation complexity of these schemes is slight. From Tso et al. [7], Fu et al. [8] to Zheng et al. [13], the number of exponentiations is decreased from , to , and the numbers of hash are , , and , respectively. In the meantime, the reduction of communication rounds has been regarded as a central issue. Three rounds scheme is obtained by Nam et al. [5], Augot et al. [6] Yao et al. [14], and so forth. Recently, the rounds of communications have been reduced to two rounds, where Lv and Li [11], He et al. [12], and Feng et al. [15] contribute a lot. In short, key agreement with less communications has drawn many attentions nowadays, and for recent researches and reviews, refer to [16, 23, 24].
Besides the computation cost and communication, another focus on research of the key agreement scheme is the security analysis. The reason lies in two aspects. Firstly, it was widely accepted that a secure key agreement should meet several demands, including key completeness, forward secrecy, and backward secrecy. Secondly, the claim of a secure new scheme should be on the basis of a strict and formal proof, instead of colloquial illustration or informal proof. The strict proof of scheme was commenced by Bresson et al. [17], who modeled the execution of an authenticated group DiffieHellman scheme and proved its security by defining a formal model. Raymond Choo et al. [18] gave formal proof of certain known protocol to reveal their weakness in the security and henceforth encourage the future designer to provide proofs of security for new protocols. Actually, the importance of provable security has been widely accepted nowadays, and it has been an indispensable part of almost all key agreement schemes appeared in the newly published literatures.
Unfortunately, few schemes can achieve all the three goals because of the unbalance between security and efficiency. However, a suitable balance between computation, communication, and security is utmost importance in current key agreement research. In terms of this, this study is to propose a reliable scheme which meets the above three demands by taking the advantages of Lenstra’s XTR cryptosystem [19, 20]. Here, XTR stands for ECSTR, which is an abbreviation for Efficient and Compact Subgroup Trace Representation. Actually, XTR is an efficient cryptosystem and the mathematics underlying XTR is straightforward while compared to ECC [19]. Moreover, the corresponding XTR public keys are only about twice as large as ECC keys, assuming global system parameters. Unlike RSA and ECC, parameter initiation from scratch for XTR takes a negligible amount of computing time [21]. Furthermore, Verheul [22] showed that XTR is at least as secure as supersingular elliptic curve system. This conclusion relied on a deduction that the elapse of XTR might lead to the elapse of ECC. Henceforth, the security of XTR was ensured.
In this paper, three algorithms with computation complexity in XTR theory are given. Based on these algorithms, an XTRbased key agreement scheme with constant rounds (XTRCR) is proposed. The scheme achieves high efficiency and is scalable in computation and security as well. Moreover, the efficiency in computation and communication between XTRCR and XTRGDH, which is the natural analogue of GDH in XTR, is compared and the better efficiency of the XTRCR is shown. Finally, under a decisional DiffieHellman (DDH) assumption, the XTRCR is proved to be secure against active adversary in the formal model. The paper is organized as follows. In Section 2, introductions of XTR cryptosystem with three computation theorems are given. Section 3 introduces our new scheme. The security proof of the new scheme is presented in Section 4. Conclusions are given in the last section.
2. XTR Cryptosystem
As a reliable key agreement scheme which is aiming to achieve good balance in efficiency and security, this scheme is designed on the basis of XTR. Since the XTR cryptosystem has not ever been incorporated into key agreement scheme, preliminaries of XTR cryptosystem are introduced in Section 2.1. By giving and proving three related computation theorems in Section 2.2, computation complexity of our XTRbased scheme is clarified.
2.1. Preliminaries
For a given , let be the polynomial with roots in , and denote for all . The trace over of is the sum of conjugates over , that is, . Security analysis of the XTR system is based on the difficulties of the following three computational problems:(i)XTRDL problem: discrete logarithm problem in XTR system. Given , one computes such that ,(ii)XTRDH problem: DiffieHellman problem in XTR system. This problem is the computation of with given and . The XTRDiffieHellman value is denoted by , ,(iii)XTRDDH problem: decisional DiffieHellman problem of determining whether with given .
Unlike RSA and Elgamal, the computation in XTR is involved in a subgroup of multiplicative group with order . The computation owns polynomial complexity, and as a result, it ensures the high efficiency of the implementation. Furthermore, in order to evaluate the security level of XTR, the following equivalence was proven [19].(i)The XTRDL problem is equivalent to the DL problem in .(ii)The XTRDH problem is equivalent to the DH problem in.(iii)The XTRDL problem is equivalent to the DDH problem in.
where the problem A is equivalent to problem B, if any instance of problem A (or B) can be solved by at most (or ) calls to an algorithm solving problem B (or A).
2.2. Computation Theorem of XTR
For simplicity, denote , , and , and denote as the hash function from to.
Let be matrix over with and defined above, and let be the center column of a matrix .
Following six lemmas are necessary for the proof of Theorems 7, 8, and 9.
Lemma 1 (Theorem in [19]). Given , computation of takes multiplications in .
Lemma 2 (Lemma in [19]). , for .
Lemma 3 (Corollary in [19]). , where is defined before.
Lemma 4 (Lemma in [19]). The determinant of equals . If, then
Lemma 5 (Corollary in [19]). .
Lemma 6 (Theorem in [19]). Given and , the trace of is computed at a cost of multiplications in , for and unknown .
Based on the above lemmas, three theorems crucial to the implementation of XTRCR scheme can be obtained.
Theorem 7. It takes 12 multiplications in to compute with and .
Proof. From Lemmas 3, 4, and 5, it is straight that Note that the matrix is computed in advance, by analyzing the computation cost of , ; the conclusion is direct.
Theorem 8. For unknown , givenand, the multiplicationis computed at a cost of 40 multiplications in.
Proof. First and can be computed from Lemma 2, that is,
As a result, and can be obtained from the computed vector . From Theorem 7, we have
Thus is computed.
Note that and are computed in advance, so it takes 4 multiplications to compute and . From Theorem 7, it costs 12 rounds multiplications in each turn to compute and , summing up to 36. Thus the total demanded multiplication is 40, and the proof of Theorem 8 is now complete.
Theorem 9. For given , , and unknown , the computation of takes multiplications in .
Proof. From given , , and unknown , one can compute via Lemma 6 by multiplications. Since the matrix is precomputed, 22 multiplications can be reduced. Similarly, the computation of takes multiplications. Thus is computed. In conjunction with Lemma 1, the claim is direct.
3. The XTRBased Key Agreement Scheme
In this section, the new scheme XTRCR is presented. For this, the fundamental application of Lenstra and Verheul’s work [19] is mentioned first in Section 3.1. After that, two group extension protocols, XTRGDH and XTRCR, are listed in Section 3.2. Among them, XTRGDH is the natural extension of GDH by combining XTR, while XTRCR is our proposed new scheme with low computation complexity and two rounds of communications. Finally, explicit comparisons of XTRCR, XTRGDH, and other competitive schemes are performed in Section 3.3, so as to reveal the advantage of XTRbased schemes, especially XTRCR.
3.1. Key Exchange between Alice and Bob
XTRDiffieHellman key exchange protocol between two members is a routine idea in Lenstra and Verheul’s work [20], and it is remarkable enough to illustrate here in detail.
Suppose that Alice and Bob, who both have access to the XTR public key data , , , want to agree on a shared secret key . This is done by using the following XTR version of DiffieHellman protocol.
Step 1. Alice selects a random , uses Algorithm 2.37 in [19], computes , and sends to Bob.
Step 2. Bob receives from Alice, selects randomly, similarly computes , and sends to Alice.
Step 3. Alice receives , computes , and determines based on .
Step 4. Bob receives , computes , and also determines based on .
3.2. Key Agreement of Group
Here, we present two constantround communication protocols for the group key agreement. One is an analogue of GDH in XTR, denoted as XTRGDH, another is the proposed scheme, XTRCR.
Assume that there are members in group, that is, , and an identity code has been assigned to each member in advance.
3.2.1. Analogue of GDH in XTR: XTRGDH
The first protocol XTRGDH is a natural extension of . Steiner’s Group DiffieHellman protocol [19].
Algorithm XTRGDH
Step 1. selects randomly, computes , and broadcast message to .
Step 2. selects a random , computes , and sends message back to .
Step 3. computes via XTRDH method, hashes it to . Let , and broadcasts messages to .
Step 4. The session key is .
3.2.2. Proposed Scheme: XTRCR
Below is the scheme we proposed, Algorithm XTRCR.
Step 1. selects a random , computes , and broadcasts message to .
Step 2. selects at random. With and , computes by the algorithm in Theorem 9 of last section, where .
Let , computes by Theorem 8, .
Then, broadcasts message to .
Step 3. Each computes by Theorem 9. By doing this, reveal the session key by computing . Thus is the session key. The key agreement procedure is finished.
The flow charts of two schemes are depicted in Figure 1.
(a)
(b)
During the whole process, the latter member acts as a sponsor which carries heavier computation burden than other members. The obligation of sponsor is reasonable and necessary, because the presence of sponsor not only provides high efficiency for the scheme but also keeps the member equality in the group. This property is similar to that in the scheme of GDH [1] and TGDH [3].
3.3. Comparison of XTRGDH, XTRCR, and Other Competitive Key Agreement Schemes in Communication and Computation
The performances of XTRbased scheme are compared with several competitive key agreement schemes by considering the computations, message amount, and communications. Twelve typical key agreement schemes are listed in Table 1 for comparison with XTRbased schemes in terms of efficiency. All of the chosen schemes are listed with the descending order according to the number of communication rounds. Among them, GDH.3 [1] and TGDH [3] are classic and traditional protocols, while Dutta95 [4] show better performance in the rounds of communication. Other schemes are typical and competitive key agreement schemes in the literature, as introduced in the first section, and the number of communication rounds is sorted from four, three to two. As a typical one round protocol, Shim’s work [23] is designed for threeparty key agreement instead of arbitraryentities, and signature is demanded; therefore, it is not equal to give a computation comparison. The explicit information of these schemes could be found in Table 1.

As shown in Table 1, both XTRGDH and XTRCR perform good in the rounds of communications. In the following, performances in XTRbased schemes will be compared with other two or three round communication schemes.
Among these schemes with three rounds communications, XTRGDH only demands scalar multiplications, which seems better than YWJ08 [9] and slightly weaker than NPKW07 [5], and the latter need exponentiations. Though Daniel07 [6] need much less computations than XTRGDH, it could be easily found that XTRGDH owns the least message amount. These results show that XTRGDH is also a competitive scheme.
While observing the performance of XTRCR among two rounds communication schemes, scalar multiplications are counted for XTRCR. The computation load in XTRCR is less than that in FWM08 [15] but a little heavier than that in LL10 [11] and Xiong13 [24]. Taking into account thatorpairing computation is timeconsuming for LL10 [11] and Xiong13 [24], XTRCR needs comparatively less computations than the above schemes. Besides, message amount of XTRCR is the least among all of the schemes.
If compared XTRGDH with XTRCR, the latter performs better in communication and message amount. Meanwhile, XTRCR shows slight weakness in computation complexity. For the sake of rapid development of XTR cryptosystem, the weakness in XTRCR is subtle. Moreover, as mentioned in Section 1, key agreement with less communication is critical in the implementation. Since XTRGDH needs one more communication than XTRCR, the proposed scheme is a better and more efficient scheme than XTRGDH.
In short, result from full comparisons of fourteen competitive key agreement schemes shows that XTRGDH and XTRCR achieve good balance in the performance of computation and communication. Moreover, XTRCR performs the best both in computation and communication.
4. Security Analysis of XTRCR
In this section, a formal model is utilized to prove that XTRCR scheme is secure against adversary under XTRDDH assumption. The explicit security proof of the proposed scheme is given in Section 4.2.
4.1. Security Basis of Formal Model
Let be a set of users who wish to participate in a group key agreement. One assumes that is polynomially bounded in the security parameter . A player has many instances called oracles, involved in distinct concurrent executions of protocols. The instances of player are denoted as .
The adversary has an endless supply of oracles and makes various queries to them. Each query models a capability of adversary.(i)Execute (). This query returns a transcript of an honest protocol execution among instances of users in . (ii)Send (). This query sends message to oracle . When oracle receives the message , it proceeds as specified in the protocol; the oracle updates its state and then generates and sends out a response message as needed. The response message is returned to the adversary . A query of form Send () allows adversary to initiate an execution of the protocol. (iii)Reveal (). This query returns the session key if oracle has computed a session key. This query models the capability of adversary to obtain some session keys. (iv)Corrupt (). The longterm private key of user is returned in response to the query which is considered to deal with forward secrecy. (v)Dump (). This query returns all shortterm secret values used by oracle , modeling the adversary’s capability to embed a Trojan horse or other forms of malicious code into a system and then log all the sessionspecific information of victim. But neither the session key computed by nor the longterm private key is returned. (vi)Test (). This query is asked only once when the adversary wants to attempt to distinguish the real session key from a random fake key, modeling the semantic security of session key . To answer the query, one flips a secret coin and returns the real session key if , or else a random string chosen from , if , where is the length of session key to be distributed in the protocol. This query is made only if oracle is fresh, and the definition of which will be given below.
To quantify the ability of an adversary , one consider the query action of here. During the execution of protocol, the adversary , at any time, asks a Test query to a fresh oracle, then gets back an bit string as the response to this query, and at some later point, outputs a bit as a guess for the hidden bit . Let Correct Guess () be the event that . Then we define the advantage of in attacking protocol to be We define protocol as secure against an adversary if is negligible.
According to the illustration of XTRDDH problem in Section 2, a formal description of XTRDDH assumption is displayed below.
Let be XTR group, and let be randomly chosen elements in . Informally, the XTRDDH assumption is that it is difficult to distinguish between the distributions of and .
More formally, if we define as the XTRDDH assumption holds in if is negligible for any probabilistic polynomial time adversary . We denote by the maximum value of over all adversaries running in time at most .
4.2. Security Proof of the Key Agreement Protocol
Theorem 10. Let be a passive adversary attacking protocol XTRCR, running in time and making Execute queries. Then one has where , with being the time required to compute an exponentiation in .
Proof. Assume that can guess the hidden bit correctly with probability . Then we construct from a distinguisher that solves the XTRDDH problem in with probability .
Before describing the construction of , we define the following two distributions.
Consider the followingwhere as in protocol XTRCR, is the transcript of message and is the hash value. We now construct a distribution by the triple , as below:where , are defined above and , , .
If is a XTRDH triple (i.e., ), then , since triple for all . If not, is a random triple, so . Thus a distribution is constructed to display the advantage of XTRDDH.
Hence, let be an algorithm that, given computing from and distributions, runs in time and outputs or . Then, we have
On the other hand, it is clear to find that the transcript in experiment is independent of , which implies that for any computationally unbounded adversary , we have The detail of construction of distinguisher is given now. Assume without loss of generality that makes its Test query to an oracle activated by the th Execute query. The distinguisher begins by choosing a random bit as a guess for the value of . Then invokes and simulates the queries of . answers all the queries from in a specified way, following the protocol, except in the th query. In this latter case, embed the DDH problem instance into the transcript as follows.
Given a triple , generates according to the distribution and answers the th Execute query of with . The distinguisher aborts and outputs a random bit of . Otherwise, answers the Test query of with .
When terminates and outputs its guess , outputs if , and otherwise. If is a XTRDDH triple, from the deduction mentioned before, it is deduced that , and thus . If not, is a random triple, and then and . Finally, since , we obtain
From , we have that
Therefore,
Thus the theorem follows.
The result of the above theorem shows that the security of proposed key agreement scheme is based on the computational difficulty of XTRDDH problem. Also, it is shown that the proposed scheme is secure against adversary’s attacking under XTRDDH assumption.
Moreover, the result of this security proof also supports the idea of Steiner et al. [1], who proved that DDH assumption implied the GDDH assumption. Here, GDDH is short for group decisional DiffieHellman assumption, which refers to the difficulty of distinguishing from a random value by knowing elements for some subsets of indices . Actually, Theorem 10 could be regarded as an evidence for this result.
5. Conclusions
In this paper, a constant round key agreement scheme XTRCR is proposed on the basis of XTR cryptosystem. Three theorems are given to make a theoretical guarantee of the quick implementation of system. Moreover, under XTRDHH assumption, the security of scheme is proved in the formal model. It is believed that this scheme is efficient both in communication and computation. Hence, this proposed scheme is reliable in the sense of achieving three efficient and secure demands: less communication, fast computation, and provable security.
Acknowledgments
This work is supported by doctoral fund of Huazhong Agricultural University, 5220406072, National Natural Science Foundation of China (Grant no. 61202305), and Project 2013PY120 supported by the fundamental research funds for the central universities. Thanks are also given to the anonymous reviewers for their appreciated suggestions.
References
 M. Steiner, G. Tsudik, and M. Waidner, “DiffieHellman key distribution extended to group communication,” in Proceedings of the 3rd ACM Conference on Computer and Communications Security, pp. 31–37, March 1996. View at: Google Scholar
 M. Steiner, Secure group key agreement [Ph.D. thesis], Universitat des Saarlandes, 2002.
 Y. Kim, A. Perrig, and G. Tsudik, “Treebased group key agreement,” ACM Transactions on Information and System Security, vol. 7, no. 1, pp. 60–96, 2004. View at: Publisher Site  Google Scholar
 R. Dutta and R. Barua, “Dynamic group key agreement in treebased setting,” in Proceedings of the 10th Australasian Conference on Information Security and Privacy (ACISP '05), pp. 101–112, July 2005. View at: Google Scholar
 J. Nam, J. Paik, U. M. Kim, and D. Won, “Constantround authenticated group key exchange with logarithmic computation complexity,” Applied Cryptography and Network Security, Springer, Heidelberg, Germany, vol. 4521, pp. 158–176, 2007. View at: Google Scholar
 D. Augot, R. Bhaskar, V. Issarny, and D. Sacchetti, “A three round authenticated group key agreement protocol for ad hoc networks,” Pervasive and Mobile Computing, vol. 3, no. 1, pp. 36–52, 2007. View at: Publisher Site  Google Scholar
 R. Tso, X. Yi, and E. Okamoto, “IDbased key agreement for dynamic peer groups in mobile computing environments,” in Proceedings of the 2nd IEEE AsiaPacific Services Computing Conference (APSCC '07), pp. 103–108, December 2007. View at: Publisher Site  Google Scholar
 X. Fu, Q. Xu, and H. Wang, “A provablysecure passwordauthenticated group key agreement in the standard model,” Journal of Networks, vol. 4, no. 8, pp. 763–770, 2009. View at: Publisher Site  Google Scholar
 G. Yao and D.G. Feng, “Pairwise key agreement protocols based on the weil pairing,” Journal of Software, vol. 17, no. 4, pp. 907–914, 2006. View at: Publisher Site  Google Scholar  Zentralblatt MATH  MathSciNet
 A. Joux, “A one round protocol for tripartite DiffieHellman,” in Algorithmic Number Theory, vol. 1838 of Lecture Notes in Computer Science, pp. 385–394, 2001. View at: Google Scholar
 X. Lv and H. Li, “IDbased authenticated group key agreement from bilinear maps,” Frontiers of Computer Science in China, vol. 4, no. 2, pp. 302–307, 2010. View at: Publisher Site  Google Scholar
 D. He, Y. Chen, J. Chen, R. Zhang, and W. Han, “A new tworound certificateless authenticated key agreement protocol without bilinear pairings,” Mathematical and Computer Modelling, vol. 54, no. 1112, pp. 3143–3152, 2011. View at: Publisher Site  Google Scholar  Zentralblatt MATH  MathSciNet
 M.H. Zheng, H.H. Zhou, J. Li, and G.H. Cui, “Efficient and provably secure passwordbased group key agreement protocol,” Computer Standards and Interfaces, vol. 31, no. 5, pp. 948–953, 2009. View at: Publisher Site  Google Scholar
 G. Yao, H. Wang, and Q. Jiang, “An authenticated 3round identitybased group key agreement protocol,” in Proceedings of the 3rd International Conference on Availability, Security, and Reliability (ARES '08), pp. 538–543, March 2008. View at: Publisher Site  Google Scholar
 T. Feng, Y. Wang, and J. Ma, “A secure and efficient group key agreement for ad hoc networks,” in Proceedings of the International Symposium on Computer Science and Computational Technology (ISCSCT '08), pp. 540–543, December 2008. View at: Google Scholar
 E. Makri and E. Konstantinou, “Constant round group key agreement protocols: a comparative study,” Computers and Security, vol. 30, no. 8, pp. 643–678, 2011. View at: Publisher Site  Google Scholar
 E. Bresson, O. Chevassut, and D. Pointcheval, “Provably authenticated group DiffieHellman key exchange—the dynamic case,” in Advances in Cryptology—ASIACRYPT 2001, C. Boyded, Ed., vol. 2248 of Lecture Notes in Computer Science, pp. 290–309, Springer, Berlin, Germany, 2001. View at: Publisher Site  Google Scholar  Zentralblatt MATH  MathSciNet
 K. K. Raymond Choo, C. Boyd, and Y. Hitchcock, “The importance of proofs of security for key establishment protocols: formal analysis of JanChen, YangShenShieh, KimHuhHwangLee, LinSunHwang, and YehSun protocols,” Computer Communications, vol. 29, no. 15, pp. 2788–2797, 2006. View at: Publisher Site  Google Scholar
 A. K. Lenstra and E. R. Verheul, “The XTR public key system,” in Advances in Cryptology, vol. 1880 of Lecture Notes in Computer Science, pp. 1–19, Springer, Berlin, Germany, 2000. View at: Google Scholar
 A. K. Lenstra and E. R. Verheul, “An overview of the XTR public key system,” in Proceedings of the Conference on Public Key Cryptography and Computational Number Theory, pp. 151–180, Warsaw, Poland, 2000. View at: Google Scholar
 M. Stam and A. K. Lenstra, “Speeding up XTR,” in Advances in Cryptology—ASIACRYPT 2001, vol. 2248 of Lecture Notes in Computer Science, pp. 125–143, Springer, Berlin, Germany, 2001. View at: Google Scholar
 E. Verheul, “Evidence that XTR is more secure than supersingular ellipticcurve cryptosystems,” in Advances in Cryptology—EUROCRYPT 2001, B. Pfitzmann, Ed., vol. 2045 of Lecture Notes in Computer Science, pp. 195–210, Springer, Berlin, Germany, 2001. View at: Google Scholar
 K.A. Shim, “A roundoptimal threeparty IDbased authenticated key agreement protocol,” Information Sciences, vol. 186, no. 1, pp. 239–248, 2012. View at: Publisher Site  Google Scholar  Zentralblatt MATH  MathSciNet
 H. Xiong, Z. Chen, and F. Li, “New identitybased threeparty authenticated key agreement protocol with provable security,” Journal of Network and Computer Applications, vol. 36, no. 2, pp. 927–932, 2013. View at: Publisher Site  Google Scholar
Copyright
Copyright © 2013 Silan Zhang et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.