Abstract

In order to simplify key management, two-party and three-party key agreement schemes based on user identities have been proposed recently. Multiparty (including more than three parties) key agreement protocols, which are also called conference key schemes, can be applied to distributed systems and wireless environments, such as ad hoc networks, for the purpose of multiparty secure communication. However, it is hard to extend two- or three-party schemes to multiparty ones while guaranteeing efficiency and security. In addition to the above two properties, interdomain environments should also be considered in key agreement systems due to diversified network domains. However, only a few identity-based multiparty conference key agreement schemes for single domain environments and none for interdomain environments have been proposed in the literature, and they do not satisfy all of the security attributes, such as forward secrecy and withstanding impersonation. In this paper, we propose a novel efficient single domain identity-based multiparty conference key scheme and extend it to an interdomain one. Finally, we prove that the proposed schemes satisfy the required security attributes via formal methods.

1. Introduction

The technique of key agreement allows two or more parties to exchange information and negotiate a common session key. The first key exchange scheme was proposed by Diffie and Hellman in 1976 [1], where two parties exchange public information and then compute a common key from their private keys and the received information. However, the basic Diffie-Hellman protocol lacks mutual authentication between the two parties, so the man-in-the-middle attack is effective against it. Many researchers have modified the Diffie-Hellman protocol to ensure mutual authentication between two parties; such protocols are called authenticated key agreement (AKA) protocols. Many variants of the Diffie-Hellman protocol have been proposed, and several different kinds of key agreement mechanisms are shown in [2]. To date, the Diffie-Hellman key exchange protocol is still an important basis for most key agreement protocols.

In 1984, Shamir proposed an identity-based cryptosystem [3], where the public key of each user is her/his public identity information, and there exists a private key generator (PKG), a key generation center (KGC), or a Trusted Authority (TA) which is trusted by all users. PKG, KGC, or TA, which will be called TA below, can produce each user’s private key according to her/his public key. In almost all of the identity-based key agreement schemes, TA provides the private/public key generation services for users. When a user registers with TA, the user’s public information like ID or email address will be her/his public key and TA gives the user the private key corresponding to her/his public key.

Pairing is a tool which was initially applied to cryptography to convert the Discrete Logarithm problem on elliptic curves to that in finite fields, and it can be derived from a bilinear pairing, namely, the Weil pairing [4] or the Tate pairing [5]. Joux [6] used pairing to construct the first 3-party key agreement protocol based on a certificate system in 2000 and his scheme. Later, researchers found that pairing is suitable for the implementation of identity-based cryptosystems. Smart [7] proposed a two-party identity-based authenticated key agreement scheme in 2002. Boneh and Franklin [4] proposed an identity-based encryption scheme based on the Weil pairing in 2003. Since then, pairing has become an important mathematical foundation of cryptography. Many identity-based key agreement schemes based on pairings have been proposed in the literature [7–11].

A conference key agreement scheme is a variant of a multiparty key agreement or group key agreement scheme, but it differs from a conference key distribution scheme. In a conference key distribution scheme, a session conference chair decides the conference key and then broadcasts it to every member of the session conference. In a conference key agreement scheme, in contrast, we must guarantee that the protocol satisfies the following three properties.
(1) Each conference key is negotiated by all session members.
(2) Every session member can compute the conference key via the same algorithm.
(3) No session member can predict or preselect the conference key.

The first formal security analysis of an identity-based two-party key agreement scheme was introduced by Chen and Kudla [9], who improved the first identity-based key agreement scheme based on pairings [7]. Chen and Kudla proved that their protocol is secure in the security model of Bellare and Rogaway [12]. Later, Al-Riyami and Paterson also proposed four kinds of tripartite authenticated key agreement protocols by improving Joux’s scheme [13], and they showed that their scheme is secure. Unfortunately, Shim and Woo [14] pointed out that their scheme has some weaknesses. Furthermore, several conference key agreement schemes based on bilinear pairing have been proposed in the literature [15–19], but they are all insecure; their security weaknesses will be shown in Section 3 of the paper.

Section 4 will present two new hard problems, the n-Linear Diffie-Hellman (n-LDH) problem and the Decisional n-Linear Diffie-Hellman (n-DLDH) problem, on which our key agreement schemes are based.

In Section 5, we will propose a novel efficient identity-based conference key agreement scheme by combining the concepts of [16, 19]. In addition to a single TA, we also discuss how the users, who have registered with distinct TAs, negotiate a common conference key. Moreover, in order to formally demonstrate the security of our proposed schemes, we adopt the random oracle method, which was proposed by Bellare and Rogaway [12], to prove the security of our schemes under some well-known assumptions. We will define several security attributes in the third part of Section 2 and formally prove the security of our schemes in Section 6. Finally, we also provide performance comparison to demonstrate that our proposed schemes are more efficient than others.

Our contributions are summarized as follows.
(1) We find some security flaws in the schemes of [15–19].
(2) We introduce two new hard problems.
(3) We propose interdomain identity-based conference key agreement schemes.
(4) We formally prove that our schemes completely satisfy all of the security attributes.

2. Preliminaries

In this section, we review the concept of pairing which includes definitions, computationally hard problems, and security attributes of key agreement based on pairings.

2.1. Pairing

Pairing [20] in an elliptic curve cryptosystem is a function which maps a pair of elliptic curve points to an element of a multiplicative group in a finite field. It has been applied to key agreement, signatures, broadcast encryption, and identity-based encryption widely. In the following, we will review the definitions and properties of pairings.

2.1.1. Bilinear Pairing

We briefly describe the concept of bilinear pairing [20]. Let and be abelian groups written in additive notation with prime order and identity elements and , respectively, such that and , where and . Suppose that is a cyclic group of order written in multiplicative notation with identity element . Now we have the groups , , and . The mapping function is

Typically, and are subgroups of the points on an elliptic curve over a finite field and is a subgroup of a multiplicative group over a finite field.

In addition, the following properties must be satisfied:
(i) bilinearity: and , for all ;
(ii) nondegeneracy: with , such that , , with , such that , and , ;
(iii) computability: if and , there exists an efficient algorithm which can compute in polynomial time.

The schemes in Section 3 use symmetric bilinear pairing, so they set . In order to make the following decisional problems remain hard, we set and there is no polynomial-time computable isomorphism , such that , where is a generator of and is a generator of .

2.2. Hard Problems

(1) The Discrete Logarithm (DL) problem: given , find an integer such that .
(2) The Computational Diffie-Hellman (CDH) problem: for , given , compute .
(3) The Decisional Diffie-Hellman (DDH) problem: for , given where (mod ) or is decided by flipping a coin. Output “Yes” if (mod ); otherwise output “No”.
(4) The Divisible Computational Diffie-Hellman (DCDH) problem [21]: for , given , compute .
(5) The Decisional Linear Diffie-Hellman (DLDH) problem in [22, 23]: for , given , where or is decided by flipping a coin. Output “Yes” if ; otherwise output “No”. This hard problem was first proposed by Boneh et al. [22] in 2004, and then Boyen and Waters [23] extended it to asymmetric bilinear groups in 2006.
(6) The co-Bilinear Diffie-Hellman (co-BDH) problem [4]: given and in asymmetric bilinear map groups , compute .

We propose the variant-CDH problem and extend the DLDH problem to the n-LDH and n-DLDH problems. We will prove that they are also hard in Section 4.

(7) The Variant Computational Diffie-Hellman (variant-CDH) problem: given and , compute .
(8) The n-Linear Diffie-Hellman (n-LDH) problem: given , ’s, and ’s for all , with , , , and , compute .
(9) The Decisional n-Linear Diffie-Hellman (n-DLDH) problem: given , , ’s, and ’s for all , with , , , and , where or is decided by flipping a coin. Output “Yes” if ; otherwise output “No”.

2.3. Security Attributes

There are some security definitions in the identity-based key agreement schemes based on pairing [13, 14]. We describe them as follows.

Known Session Key Security. A key agreement protocol should produce a unique common secret key, which is called a session key, for every session. The protocol should still achieve this goal when an adversary has learned all of the other session keys.

(Perfect) Forward Secrecy. Forward secrecy means that no adversary can derive previous session keys from the compromised long-term private keys of one or more parties. Partial forward secrecy means that when the long-term private keys of one or more (but not all) parties are corrupted, no adversary can obtain any previous session key established by these parties. Perfect forward secrecy means that no adversary can derive previous session keys even after obtaining the long-term private keys of all parties. In ID-based systems, perfect forward secrecy implies that even when TA’s and all users’ long-term private keys are corrupted, adversaries cannot derive any previous session key established by the registered users. We also call it TA forward secrecy.

Key-Compromise Impersonation. A protocol can resist key-compromise impersonation if an adversary cannot impersonate some users even though the other users’ long-term private keys were disclosed.

Man-in-the-middle attack is a special case of key-compromise impersonation in ID-based systems. If an adversary intercepts messages, retransmits them, and then communicates with users without being detected in the key agreement protocol, we say that he succeeds in impersonation.

Withstanding key-compromise impersonation also covers unknown key-share resilience, which is a basic security attribute of a key agreement scheme: no users can complete a key agreement with other users without those users’ knowledge. If some users cannot impersonate the others, they cannot run the key agreement scheme on their behalf.

Key Control. It should be impossible for any participant (or an adversary) to preselect a value as a session key or predict the value of the session key.

3. Security Problems in the Previous Schemes

In this section, we briefly introduce the security weaknesses of the schemes in [15–19, 24–26]. The details of the security problems in these schemes are given in the Appendices.

Shi et al. [19] proposed an ID-based authenticated group key agreement protocol in 2005. The design of the protocol is efficient because it only takes one round to finish a group key agreement and it needs no exponentiation computation besides a pairing computation. We find that the protocol does not resist key-compromise impersonation since the users do not verify the messages with one another in the protocol. Moreover, it only achieves partial forward secrecy.

Du et al. [15] proposed an ID-based authenticated group key agreement protocol in 2003 and improved it in the same year. Neither of them achieves perfect forward secrecy. Although they embed a signature scheme to verify the messages, both protocols still suffer from the key-compromise impersonation found by Zhang and Chen [29]. In the attack of [29], the adversaries collect the messages of the user in a previous session and replay them after modifying the messages. Zhang and Chen [30] also attacked Choi et al. [24] with the same method in 2004. The protocol of Zhang et al. [18] in 2005 has the same security problem as Du’s since it embeds the same signature scheme.

Kim et al. [17] aim to design a one-round key agreement protocol. However, we find that the protocol cannot even achieve known session key security: anyone can compute the session key by collecting the broadcast messages.

Zhou et al. [26] proposed two schemes, one one-round and the other two-round. We find that neither of them can withstand key-compromise impersonation. In the first scheme, the other users can collude to impersonate the user . In the second one, the user can impersonate any other user he wants. We also find that the protocol of Yao et al. [25] is not immune to key-compromise impersonation either: a user can impersonate another by rebroadcasting the messages. The work of [31] fixed the flaw but did not provide any formal proofs. Yuan et al. [27] improved it with formal proofs.

4. Three New Hard Problems

We formally prove that our proposed problems, the Variant Computational Diffie-Hellman problem, the n-Linear Diffie-Hellman problem, and the Decisional n-Linear Diffie-Hellman problem, are hard by using a problem reduction and the generic group model, respectively.

4.1. The Variant Computational Diffie-Hellman (Variant-CDH) Problem

Theorem 1. The variant-CDH problem is hard if the co-BDH problem is hard.

Proof. Suppose that there exists an oracle which can solve the variant-CDH problem with nonnegligible probability. We will prove that the oracle can help us to solve the co-BDH problem with nonnegligible probability. Given any parameters of the co-BDH problem, and , we input and into the variant-CDH oracle. The oracle will output . Then, we solve the co-BDH problem by computing .

4.2. The n-Linear Diffie-Hellman (n-LDH) Problem

Theorem 2. The n-LDH problem is hard if and only if the DCDH problem is hard.

Proof. (1) n-LDH DCDH. Suppose that there exists an oracle which can solve the n-LDH problem with nonnegligible probability. We will prove that the oracle can help us to solve the DCDH problem with nonnegligible probability.
For any DCDH triple , we convert it into the n-LDH oracle’s input parameters, which are shown in (2):
We randomly pick and , compute , and set the other parameters as in (3):
Equation (2) is equal to (3); that is, , , in row 1, , in row 2 (suppose that ), , in row , and , , in row . The oracle will output . Thus, we have that From (4), we can get .
(2) n-LDH DCDH. Suppose that there exists an oracle which can solve the DCDH problem with nonnegligible probability. We will prove that the oracle can help us to solve the n-LDH problem with nonnegligible probability, too.
For any n-LDH tuple in (2), we input , and into the oracle. Then the oracle outputs , and , respectively.
Finally, we can compute to solve the n-LDH problem.

We use an approach similar to [22] to prove that the n-DLDH problem is hard. In the generic model, elements of , , and are encoded as unique random strings, where and are additive groups and is a multiplicative group. There is a bilinear pairing function . Let , , and be the sets of strings. The opaque encoding of the elements of is modeled as an injective function , where , which maps all to the string representation of . Analogous mappings and map all to the string representation of and of , where .

4.3. The Decisional n-Linear Diffie-Hellman (n-DLDH) Problem

Theorem 3. Let be an algorithm that solves the n-DLDH problem in the generic bilinear group model with at most oracle queries. Let ’s, ’s, and be chosen at random, where , , and , , , and are random encoding functions for , , and , and is a random bit. Let and . The probability is

Proof. plays the following game with . maintains the lists , , and . Let ’s, ’s, , and (, , ) be indeterminate. All ’s, ’s, and ’s ’s, ’s, are polynomials and ’s, ’s, ’s are distinct strings. At the beginning of the game, sets , , , , , , , and the following polynomials: [, ,, ], where the symbol “” means emptiness and gives the distinct strings , , and . In the initial list index, the numbers of the records in , , and are , , and , respectively, where . At any step in the game, can make the group and pairing queries. performs and responds to as follows.
Group Action. gives two operands , and a sign bit, where , . sets . If for some , sets . Otherwise, sets to be a string in distinct from . Finally, adds to the list , gives to , and sets . The group action queries in and are simulated similarly.
Pairing. gives two operands and with and . sets the product . If for some , sets . Otherwise, sets to be a string in distinct from . Finally, adds to the list , gives to , and sets .

Consider the operations that performs: adds/subtracts all polynomials in the lists , , and by any ’s query. produces any of two polynomials in and to generate a new polynomial in . For any variant , it occurs within the monomials in the and lists and it occurs in no monomial in the list. Therefore, cannot produce any polynomial that contains the monomial ’s in or and the monomial ’s in for any coefficient and any nonzero monomial in with the available operations.

After at most queries, terminates and returns a guess . The distinct values of operands provide no information to because they are random bit strings. Therefore, the probability that wins the game in the generic model is .

However, when randomly chooses ’s, ’s, and , sets and , and assigns , and , a nontrivial equality relation may occur and give some information that is not revealed in the generic model; that is, for some (and , resp.) and (and , resp.), ’s, ’s, ) = ’s, ’s, ) (and ’s, ’s, ) = ’s’s), resp.).

The probability of the occurrence is computed according to the following lemma.

Lemma 4 (see [32]). Let be prime and let . Let be a nonzero polynomial of total degree . Then for random , the probability that is at most .

By Lemma 4, all polynomials in the have degree at most 2, so that, for some and , the probability of ’s, ’s, = ’s, ’s, ’s, ’s, is at most . The degree of polynomials in the is 0. All polynomials in the have degree at most 2, so that, for some and , the probability of ’s, ’s, = ’s’s’s, ’s, is at most . Therefore, wins the game with the probability . Since , we have , where the advantage is not greater than .

5. Our Key Agreement Schemes

In this section, we propose two conference key agreement schemes. The first scheme is designed for the situation where the users who register with a single TA (single domain) want to negotiate a session conference key. Furthermore, the second scheme makes it possible for the users in distinct groups who register with different TAs (interdomain) to negotiate a session conference key. In addition, we will prove the security of the two proposed schemes in Section 6 and compare them with others in Section 7.

5.1. The Proposed Scheme in Single TA

Setup. TA inputs a security parameter into a setup algorithm which returns groups , , and () of prime order with , a suitable bilinear mapping , generators , , and three hash functions , , and where is the output length of the hash functions. TA randomly generates a long-term private key and the public key and then publishes .

Extract. When a user registers a public identity (ID), such as an email address, with TA, TA will check whether the ID belongs to the user. If true, TA issues a long-term private key to where (TA’s ID’s ID) is ’s public key.

Conference Key Agreement. Suppose that there are legal users , and who want to negotiate a conference key. Our conference key agreement scheme contains three rounds described as follows.

Round 1: every user randomly picks an integer as a blinding factor, and then computes and broadcasts to all users who join this session. The flow is shown in Algorithm 1.

       
Pick
Compute
    
    

Round 2: after receives all ’s , , she/he randomly picks an integer as an ephemeral key and computes , and then broadcasts . The flow is shown in Algorithm 2.

       
Pick
Compute
  
,
    
    

Round 3: for all ’s in Round 2, we can rearrange them as shown in (7). When receiving ’s, only stores and drops other useless information ’s . For example, stores column 1 and stores column 2 in (7). Then computes as follows:

Each of the ’s in Round 2 computes , , and , and then she/he broadcasts . When receives all ’s , she/he first verifies all ’s by checking whether for each . If they all hold, randomly chooses , computes , and verifies whether or not. If true, accepts and computes the session conference key . Algorithm 3 illustrates the flow in Round 3.

       
Compute
     
     
Verify:
Compute session conference key SCK =

5.2. The Proposed Scheme in Distinct TAs

Our single domain conference key agreement scheme can be extended to an interdomain conference key agreement scheme. Interdomain means that there are distinct domains, each with its own TA. In this subsection, we present our interdomain conference key scheme. Assume that there are Trusted Authorities , and and user groups , and who register with the distinct TAs, respectively. In the proposed scheme, the users in different groups can negotiate a session conference key SCK via the following process.

Setup. , , inputs a security parameter into a setup algorithm which returns two groups , , and () of prime order , a suitable bilinear mapping , generators , , and three hash functions , , , and where is the output length of the hash functions. randomly generates a long-term key and public key and then publishes .

Extract. When a user in group registers a public ID with , will check whether the ID belongs to the user. If true, issues private key to the user, where (’s ID’s ID) is the public key and denotes user who has registered with .

Interdomain Conference Key Agreement. Suppose that users in distinct domains or groups want to negotiate a conference key. Let be the number of users in the th domain and be the number of the total users . Our interdomain conference key agreement protocol contains three rounds where Round 1 and Round 2 are similar to those of the proposed single domain conference key protocol.

Round 1: every user randomly picks an integer and then broadcasts to the users who join this session.

Round 2: after receiving ’s , computes , where is ’s ephemeral key, and broadcasts .

Round 3: when receiving ’s, only stores ’s , and and drops other useless information ’s , and . Then computes every domain’s key as follows:

computes , , , and , and then she/he broadcasts . When receives all messages, first verifies all ’s by examining if for each and , and . If all ’s are correct, randomly chooses integers ’s, where each , computes , and checks if . If it is true, accepts and computes the session conference key .

6. Security Proof

The Bellare-Rogaway random oracle model [12, 33], which was extended by Blake-Wilson et al. [34], has been suitably modified and adapted to analyze the security of key agreement protocols in the literature [9, 13]. In this section, we modify the Bellare-Rogaway random oracle model and adopt concepts and definitions similar to those in [8] to set up our security game.

Definition 5 (game environment). Let adversary be a probabilistic polynomial time Turing machine and a simulator to simulate this game for . Let be all users and the group users who follow our first identity-based conference key scheme, where is the order of and . In the game, we allow to make the following types of queries.
(1) Execute: when makes the Execute query, simulates to run the first protocol (Section 5.1) and responds with all public messages (i.e., ’s for all ’s) in the th session.
(2) Send: when makes the Send query with a set of users and a message which is the set of ’s broadcast by the users in , simulates all ’s to interact with by broadcasting the messages ’s of ’s in the th session.
(3) Reveal: reveals the session conference key which was held by in the th session.
(4) Corrupt: responds with the long-term private key of .
(5) Test: when makes the Test query, returns the broadcast messages of the th session and gives the adversary either the session key of the th session or a random string. then outputs a bit to decide whether the string is the session key or not.
(6) : when a participant inputs a string to , it responds with the hashed value of the string, and the hashed value will be recorded.
(7) : when a participant inputs a message to , it responds with the hashed value of , and the hashed value will be recorded, too.
(8) : when a participant inputs , where and , to , it responds with the hashed value of , and the hashed value will be recorded, too.

6.1. Correctness

Theorem 6 (correctness). In the presence of a benign adversary , all the parties always accept holding the same session conference key, which is distributed randomly and uniformly in , where is the security parameter.

Proof. Every user can generate a valid message by following our proposed single domain scheme (Section 5.1), verify the correctness of the message = + = , and negotiate a common session conference key .
In our proposed interdomain scheme (Section 5.2), can generate a valid message and verify the correctness of the message because

6.2. Known Session Key Security

After being given broadcast messages and previous session keys according to the scheme, an adversary makes a Test query and then receives either a random string or the current session key. The adversary can continue asking for broadcast messages and other session keys. If no polynomial-time adversary can decide whether the received string is the current session key or not with nonnegligible advantage, we say that the scheme satisfies known session key security.

Definition 7 (known session key security). A scheme has known session key security if no polynomial-time adversary can decide whether a challenge string is the current session key or a random string, given knowledge of previous session keys, with probability at least , where , called the advantage, is nonnegligible.

Theorem 8. If an adversary can -decide whether the string received from a Test query is the session key SCK held by or not with advantage at least , where is the running time and , and are the numbers of making Execute queries, Send queries, Corrupt queries, Reveal queries, and queries, respectively, there exists an algorithm which can solve the n-DLDH problem with advantage at least in time , where , , and are the computing time of the Execute oracle, the Send oracle, the Corrupt oracle, the Reveal oracle, and oracle, respectively.

Proof. Initially, we construct a simulator which prepares the pairing parameters and simulates the system as follows. randomly picks as the system master private key and computes as the system master public key. computes each user’s long-term public/private key pair . allows to make the following queries.
(i) Execute(): can request that is a set of users who are chosen by itself to run the key agreement protocol in session . follows the protocol (Section 5.1) to produce every , and , and then records them. Finally, responds every to , where .
(ii) Send(): if actively broadcasts the messages of users to run the key agreement protocol in session , follows the protocol (Section 5.1) to produce every and generate the session conference key at the end of the protocol and then records them. Finally, responds to for each .
(iii) Reveal(): if does not exist, creates . returns the session conference key .
(iv) Corrupt: returns to .
(v) : after being given , randomly chooses , returns , and stores in a list, called the -list.
(vi) Test(): guesses in advance that will send a Test query at the th session. If makes a Test query at the th session, where , randomly answers “YES” or “NO” to the n-DLDH problem. When makes a Test query at the th session, where , checks whether there exists which has been corrupted or not, where and . If one of them has been corrupted, returns and aborts the game. Otherwise, is given the parameters of an instance of the n-DLDH problem, , and ’s for all with , , and , and takes advantage of to decide whether or not. sets the public messages of every user in in the th session as follows. First, forms , , , , and prepares , for each ; that is, sets and computes and , where . responds every and to . can continue making the queries of Execute(), Send(), Reveal(), and Corrupt, where and , until outputs a bit . If is the key in session from ’s point of view, will output ; otherwise, . If , outputs “YES”; that is, ; otherwise, outputs “NO”.
If the adversary can compromise the known session key security of the scheme with advantage at least , can solve the n-DLDH problem with advantage at least .

By Theorem 8, if there exists a polynomial-time adversary that can break the known session key security of the proposed single domain key agreement scheme with nonnegligible advantage, the n-DLDH problem can be solved in polynomial time with nonnegligible advantage.

As for the proof of the interdomain case, we can let be the number of the total users from all domains; that is, . Then, by the proof of Theorem 8, the n-DLDH problem can be solved if the adversary can distinguish the session key from a random string in the proposed interdomain key agreement scheme.

6.3. Key-Compromise Impersonation

An adversary is given all users’ long-term keys by making Corrupt queries except the one that he claims to impersonate. If no adversary can output the correct messages of the user with nonnegligible probability, the scheme can withstand key-compromise impersonation.

Definition 9 (key-compromise impersonation). A scheme can withstand key-compromise impersonation if no adversary has a nonnegligible probability of impersonating a user without the long-term private key of that user.

Lemma 10 (the forking lemma [35]). Let be a valid authentic parameter of user , where is ’s private key, is TA’s public key, is randomly chosen by , and is a hashed value of shared by all users. Let be a probabilistic polynomial time Turing machine. Given only the public data of the key agreement scheme as input, if can find, with nonnegligible probability, a valid authentic parameter with , then, with nonnegligible probability, a replay of this machine, with the same random tape and a different value returned by the random oracle, can output two valid authentic parameters with and with , such that .

Lemma 11 (the splitting lemma [36]). Let such that . For any , define and . Then the following statements hold: (1),(2),(3).

Lemma 12. Assume that . Let be an event that occurs if there is at least one such that . Then, the probability , where is a security parameter.

Proof. The proof uses the technique of the small exponents test in [37]. If for some , then . That is, there exists (mod ) such that .
Let where and . As , (mod ). Hence, (mod ). Since is randomly chosen from , .
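The Round 3 check of Section 5.1 and the bound of Lemma 12 both rest on the small exponents test: the verifier combines all authentic parameters with random l-bit exponents and checks one aggregate equation, and a single wrong parameter survives only when its exponent is 0 modulo the group order. The following Python is an added illustration, not code from the paper: it carries that argument out in a hypothetical prime-order subgroup of Z_p^* instead of the pairing groups (the bound depends only on the group having prime order q >= 2^l), and the claims (x_i, Y_i = g^x_i), the forged parameter, and all function names are constructed for the example.

```python
"""Small-exponents batch verification in a prime-order subgroup of Z_p^*.

Stand-in for the pairing-based Round 3 check (Section 5.1) and Lemma 12:
each claim (x_i, Y_i) plays the role of one user's authentic parameter,
where Y_i is supposed to equal g^x_i.  Group, claims and forgery are
constructed here and are not from the paper.
"""
import secrets

MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases (deterministic for n < 3.3e24)."""
    if n < 2:
        return False
    for b in MR_BASES:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime_group(start: int):
    """Smallest safe prime p = 2q + 1 with q >= start; returns (p, q, g).
    g = 4 is a quadratic residue other than 1, so its order is exactly q."""
    q = start | 1
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4


def honest_claims(p, q, g, n):
    """n honest (x_i, Y_i = g^x_i) pairs with constructed random secrets."""
    xs = [secrets.randbelow(q) for _ in range(n)]
    return [(x, pow(g, x, p)) for x in xs]


def forge(claims, j, p, g):
    """Replace Y_j by g^(x_j + 1): a single wrong parameter in the batch."""
    forged = list(claims)
    x, y = forged[j]
    forged[j] = (x, y * g % p)
    return forged


def batch_verify(p, q, g, claims, exps):
    """One aggregate check: g^(sum r_i x_i) == prod Y_i^r_i.
    Honest claims pass for every choice of r; a wrong claim at index j
    passes only if r_j * delta_j == 0 (mod q)."""
    lhs = pow(g, sum(r * x for r, (x, _) in zip(exps, claims)) % q, p)
    rhs = 1
    for r, (_, y) in zip(exps, claims):
        rhs = rhs * pow(y, r, p) % p
    return lhs == rhs


def small_exponents_test(p, q, g, claims, l=32):
    """The verifier's check: fresh random r_i in [0, 2^l), one batch."""
    exps = [secrets.randbelow(1 << l) for _ in claims]
    return batch_verify(p, q, g, claims, exps)


def false_accept_count(p, q, g, claims, j, l):
    """Exhaust all 2^l values of r_j (other r_i fixed) and count acceptances.
    With delta_j != 0 and 2^l <= q only r_j = 0 passes, so the count is 1:
    Lemma 12's bound Pr[E] <= 2^-l is met with equality in this setting."""
    assert (1 << l) <= q
    fixed = [1] * len(claims)
    hits = 0
    for r in range(1 << l):
        fixed[j] = r
        hits += batch_verify(p, q, g, claims, fixed)
    return hits


if __name__ == "__main__":
    p, q, g = safe_prime_group(1 << 61)
    claims = honest_claims(p, q, g, 5)
    print("honest batch accepted:", small_exponents_test(p, q, g, claims))
    bad = forge(claims, 2, p, g)
    print("forged batch accepted:", small_exponents_test(p, q, g, bad))
    print("false accepts over all 2^10 exponents:",
          false_accept_count(p, q, g, bad, 2, 10))
```

The individual checks the paper performs before the aggregate one are what make the batch sound: the aggregate test only bounds the chance that an already-wrong parameter slips through.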

Theorem 13. If an adversary can -impersonate a user without the long-term private key of with probability at least , where is the running time, , , , , and are the numbers of making Send queries, Corrupt queries, Reveal queries, queries, and queries, respectively, there exists an algorithm to solve the variant-CDH problem with probability at least in time , where is the length of ’s output, is a set of users, and is the computing time of oracle.

Proof. At first, inputs to generate pairing parameters and a variant-CDH tuple , where . We will show that can solve the variant-CDH problem with the assistance of an adversary . ’s task is to compute and output the value .
simulates the system as follows. We define as the system master public key, and does not know the master private key . and are two random oracles simulated by to respond to the queries to and , respectively. randomly chooses one user and lets be ’s long-term public key. Except for , computes the other users’ long-term public/private key pairs by . allows to make the following queries.
(i) : after being given TA’s ID’s ID, responds to the query, , and maintains the -list as follows. If = (TA’s ID’s ID), returns and stores a record in the -list. Otherwise, randomly chooses , returns , and stores a record in the -list, where and are the long-term public and private keys, respectively, of .
(ii) : after being given , randomly chooses , returns , and stores a record in the -list.
(iii) Execute(): can choose and ask to run the key agreement protocol. returns the public messages )’s of all ’s in to . produces the messages as follows. If , picks and computes , , and . For each of the other ’s , randomly picks and computes , , and . Thus, can follow the protocol to compute for each and sets where .
(iv) Send(): if actively broadcasts the message of users to run the key agreement protocol in session , can produce each of the other as in the Execute query. Once if , can obtain from the -list while is making the query for .
(v) Reveal(: looks up the -list to obtain by checking if and returns the session conference key .
(vi) Corrupt: if , returns and aborts the game. Otherwise, searches in the -list. If is not in the -list, calls to produce and store in the -list. Then, returns .
If impersonates at some point, according to Lemma 12, it must send out with probability at least , where . Once produces a correct , replays with the same random tape by the forking lemma. At this time, gets two different hashed values and and generates two valid and . can compute . Finally, outputs .
Let and be the sets of all possible input messages of the random tape and , respectively. fails in making Corrupt queries with probability . guesses the value without making queries with probability , where is the length of ’s output. Therefore, the probability is . By the splitting lemma, we set such that . Overall, performs two executions of , so that we have

As for the proof of the interdomain case, , the parameters of the variant-CDH problem are the public keys of some TA and some user who belongs to the CA, respectively. The private keys of the other TAs and users are randomly generated by . Likewise, the proposed interdomain key agreement scheme can also withstand key-compromise impersonation.

6.4. Forward Secrecy

After being given broadcast messages, session keys, and all users’ long-term keys according to an scheme, an adversary makes a Test query and then receives either a random string or a session key. The adversary can continue making queries. If no adversary can decide whether the received string is a session key or not with nonnegligible advantage, we say that the scheme satisfies forward secrecy.

Definition 14 (forward secrecy). An scheme has forward secrecy if any adversary who obtains the other session keys and all users’ long-term keys can distinguish a previous session key from a random string with probability at most , where , called the advantage, is negligible.
After running for time at most and making at most queries to , Execute queries, Send queries, Corrupt queries, and Reveal queries, an adversary obtains all users’ long-term private keys and receives a string through a Test query. -FS-breaks our scheme if he can determine whether the received string is a previous session key negotiated by users with nonnegligible advantage at least .

Theorem 15. If an adversary can -FS-determine whether SCK is a previous session key or not, where is the running time, , , , , and are the numbers of making Send queries, Corrupt queries, Reveal queries, and hash queries to , respectively, there exists an algorithm to solve the -DLDH problem with nonnegligible advantage at least in time , where and .

Proof. The simulation and the queries answered by are the same as those in the proof of Theorem 8, except that is allowed to make a query, where , after making Test(). That is, has to activate the th session before any is corrupted. In the end, can decide whether or not according to the value of output by , where

Similarly, the proposed interdomain key agreement scheme can also achieve forward secrecy.
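The forward-secrecy game above (Definition 14) gives the adversary every long-term key plus the transcript and asks whether an earlier session key can still be told apart from random. The contrast that matters for a designer is what the session key is computed from. The following is an added example, not code from the paper or from any of the cited schemes: a Burmester-Desmedt style ring key whose value depends only on ephemeral exponents, placed beside a constructed strawman in which a chair wraps the session key under static Diffie-Hellman values derived from long-term keys, the pattern behind the partial-forward-secrecy failures described in the appendices. The group parameters (the Mersenne prime 2^127 - 1 with generator 3) and the use of plain modular arithmetic instead of the paper's pairing setting are assumptions made to keep the example self-contained.

```python
import hashlib
import secrets

# Constructed toy parameters (assumption, not the paper's pairing setting):
# P is the Mersenne prime 2^127 - 1 and G = 3 generates a large subgroup of Z_P^*.
P = (1 << 127) - 1
G = 3


def h(*parts) -> int:
    """Hash arbitrary parts to an integer (stand-in for the scheme's hash function)."""
    m = hashlib.sha256()
    for part in parts:
        m.update(str(part).encode())
        m.update(b"|")
    return int.from_bytes(m.digest(), "big")


def bd_session(n):
    """Burmester-Desmedt style conference key over a ring of n users.

    The key depends only on the ephemeral exponents x_i. Long-term keys would sign
    the broadcasts but never enter the key, so an observer who kept the transcript
    (z, X) gains nothing from learning every long-term key afterwards: recovering the
    key from z and X alone is the group Diffie-Hellman problem.
    """
    x = [secrets.randbelow(P - 2) + 1 for _ in range(n)]            # ephemeral secrets
    z = [pow(G, xi, P) for xi in x]                                 # round-1 broadcast
    X = [pow(z[(i + 1) % n] * pow(z[(i - 1) % n], -1, P) % P, x[i], P)
         for i in range(n)]                                         # round-2 broadcast
    keys = []
    for i in range(n):
        # K_i = z_{i-1}^{n x_i} * X_i^{n-1} * X_{i+1}^{n-2} * ... * X_{i-2}^{1}
        k = pow(z[(i - 1) % n], n * x[i], P)
        for j in range(1, n):
            k = k * pow(X[(i + j - 1) % n], n - j, P) % P
        keys.append(h("bd", k))
    return keys, {"z": z, "X": X}


def static_session(long_term):
    """Constructed strawman with only partial forward secrecy: the chair (user 0)
    picks a fresh key K and wraps it for each user j under the static value
    g^{s_0 s_j}, which is computable from long-term keys alone."""
    Y = [pow(G, s, P) for s in long_term]                           # long-term public keys
    K = secrets.randbits(256)
    wrapped = {j: K ^ h("wrap", pow(Y[j], long_term[0], P)) for j in range(1, len(Y))}
    return K, {"Y": Y, "wrapped": wrapped}


def unwrap_with_leaked_key(transcript, j, s_j):
    """Adversary who later learns user j's long-term key s_j unwraps K from the
    recorded transcript: g^{s_0 s_j} is just Y_0^{s_j}."""
    return transcript["wrapped"][j] ^ h("wrap", pow(transcript["Y"][0], s_j, P))


def bd_keys_agree(n=4):
    """All ring members derive the same key from ephemeral values only."""
    keys, _ = bd_session(n)
    return len(set(keys)) == 1


def static_scheme_leaks_past_key():
    """Compromise of a single long-term key exposes the earlier session key."""
    long_term = [secrets.randbelow(P - 2) + 1 for _ in range(4)]
    K, transcript = static_session(long_term)
    return unwrap_with_leaked_key(transcript, 2, long_term[2]) == K


if __name__ == "__main__":
    print("ephemeral ring key agrees:", bd_keys_agree(5))
    print("static strawman leaks past key after compromise:", static_scheme_leaks_past_key())
```

The design lesson the two functions make concrete is the one the theorem relies on: the session key derivation must take no input that a later Corrupt query can hand to the adversary. In the ring scheme, long-term keys are confined to authenticating the broadcast; in the strawman they feed the key itself, so the transcript plus one leaked key is enough.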

6.5. Key Control

An adversary who is one of the users can obtain broadcast messages, session keys, and the other users’ long-term keys. Then, the adversary is given a preselected value. If the adversary cannot make the given preselected value become a new session key with nonnegligible probability, the scheme can withstand key control attacks.

Definition 16 (key control). An scheme can withstand key control attacks if no adversary can predict a session key or preselect a session key with nonnegligible probability.

Theorem 17. If an adversary can -predict a session key or preselect a session key with probability at least , where is the running time, , and are the numbers of making Send queries, Corrupt queries, Reveal queries, and hash queries to , respectively, there exists an algorithm to solve the CDH problem with nonnegligible probability at least in time , where and .

Proof. At first, inputs to generate pairing parameters and a CDH triple , where . We show that an algorithm can solve the CDH problem with the help of an adversary . ’s task is to compute and output the value .
simulates the system as follows. We define as the system master public key by randomly choosing the master private key . allows to make the following queries.
(i) : after being given TA’s ID’s ID, responds to the query and maintains the -list as follows: randomly chooses , returns , and stores a record in the -list.
(ii) Execute(): can choose a set of users to run the key agreement protocol in session . follows the protocol to produce every and computes . Finally, returns every to .
(iii) Send: if actively sends the message of users to run the key agreement protocol in session , can produce of each as in the Execute query.
(iv) Reveal: returns the session conference key .
(v) Corrupt: searches in the -list and returns . If is not in the -list, calls the oracle to produce and returns .
When finishes making the above queries, sets , where , and returns it to . Suppose that is user and simulates other users to negotiate a session conference key with . returns , to , where and . must broadcast in round 2 such that . Therefore, and .
Overall, we have that

Following a proof similar to that for the above theorem, we can show that the proposed interdomain key agreement scheme withstands key control attacks.

7. Discussions

In this section, we compare our schemes with the schemes of [15-19, 24-27] according to the properties shown in Table 1 and the performance factors in Table 2. We proved in Section 6 that our single-domain scheme satisfies all security attributes, and it can easily be extended to an interdomain version. Besides, we attempted to extend each scheme in [15-19, 24-27] to an interdomain one, but only the schemes [17, 18, 24, 25] can achieve this goal with little modification. Therefore, we use the straightforward way [38] to extend the remaining schemes [15, 16, 19, 26, 27] to interdomain versions for the performance comparisons. The result is shown in Table 3.

In the design of a conference key agreement scheme, other researchers always divide the protocol into two main parts: the authentication stage and the stage of constructing a common secret value. The schemes [15-19, 24-26] all perform the authentication stage first and then make a session conference key, which is the source of their security problems. We have shown in Section 3 that [15-19, 24-26] are insecure because an adversary can obtain the valid parameters of the authentication stage and replay them in different sessions. In contrast, we design our protocol in the reverse order, so that users share a common secret value first and then run the authentication stage. If we only consider a single TA, some schemes are more efficient than our proposed scheme. However, none of them are secure.
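The ordering argument above is easy to check mechanically: an authentication parameter that depends only on the user's identity and long-term key verifies in every session, so a copy taken from one session passes in the next, whereas a parameter computed over the session-specific shares and the common secret value does not. The block below is an added illustration, not code from the paper or from any of the compared schemes. It uses HMAC as a stand-in for the scheme's signature-like authentication parameter (assumption: the verifier holds the MAC key, playing the role of a public verification key), a two-user session, and the toy group parameters P = 2^127 - 1 and G = 3; the session identifiers "s1" and "s2" are constructed.

```python
import hmac
import secrets

# Constructed toy parameters (assumption, not the paper's pairing group).
P = (1 << 127) - 1
G = 3


def mac(key: bytes, *parts) -> str:
    """HMAC over the given parts; stands in for the authentication parameter a user
    produces with its long-term key."""
    m = hmac.new(key, digestmod="sha256")
    for part in parts:
        m.update(str(part).encode())
        m.update(b"|")
    return m.hexdigest()


def auth_param(ltk, uid, session_id, share, secret, bind):
    """Authentication parameter of user uid.

    bind=False: 'authentication first' - depends only on identity and long-term key,
                so it is identical in every session.
    bind=True:  the order argued for above - covers the session, the user's own
                ephemeral share and the common secret value, so it is useless
                outside the session it was made for.
    """
    if bind:
        return mac(ltk, uid, session_id, share, secret)
    return mac(ltk, uid)


def verify(ltk, uid, session_id, share, secret, param, bind):
    """Verifier-side check (constant-time comparison)."""
    return hmac.compare_digest(param, auth_param(ltk, uid, session_id, share, secret, bind))


def honest_session(session_id, ltks, bind):
    """Two users (assumption: n = 2 keeps the toy short) exchange Diffie-Hellman
    shares, derive the common secret g^{ab}, then attach authentication parameters."""
    (a, ltk_a), (b, ltk_b) = ltks.items()
    x_a, x_b = secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1
    share = {a: pow(G, x_a, P), b: pow(G, x_b, P)}
    secret = pow(share[b], x_a, P)
    assert secret == pow(share[a], x_b, P)
    params = {a: auth_param(ltk_a, a, session_id, share[a], secret, bind),
              b: auth_param(ltk_b, b, session_id, share[b], secret, bind)}
    return {"id": session_id, "share": share, "param": params}


def replay_accepted(bind):
    """Record B's authentication parameter from session s1 and check whether A
    would accept it in session s2 from a party that does not hold B's long-term key.
    Returns True when the replayed parameter passes verification."""
    ltks = {"A": secrets.token_bytes(32), "B": secrets.token_bytes(32)}
    old = honest_session("s1", ltks, bind)
    replayed = old["param"]["B"]            # public transcript value from s1
    x_a = secrets.randbelow(P - 2) + 1       # A's fresh share in session s2
    y = secrets.randbelow(P - 2) + 1         # the replaying party's own share
    share_b = pow(G, y, P)
    secret = pow(share_b, x_a, P)            # A's view of the common secret in s2
    return verify(ltks["B"], "B", "s2", share_b, secret, replayed, bind)


if __name__ == "__main__":
    print("authentication-first parameter accepted on replay:", replay_accepted(False))
    print("secret-bound parameter accepted on replay:", replay_accepted(True))
```

The check a reviewer of such a scheme should make is therefore whether every authentication message is a function of fresh, session-specific values that the verifier itself contributed to; if the message verifies against identity alone, the transcript of any one session is a reusable credential.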

8. Conclusion

Many researchers have proposed two- or three-party identity-based authenticated key agreement schemes, but general multiparty authenticated key agreement schemes are rare. When the number of members exceeds three, it is difficult for a multiparty scheme to achieve both security and efficiency at the same time. In this paper, we proposed a novel efficient identity-based conference key agreement scheme and proved its security via formal methods. Furthermore, our scheme can be extended to an interdomain one.

Consider the application of key agreement among the employees of a company. The focus of previous papers is how users interact under a single TA. This means that the employees of a company can negotiate a common session key when they want to organize a private conference. Our schemes provide more flexibility for the users: even if the users register with different TAs, they can still negotiate a common session key easily. In other words, when two or more companies want to hold a conference, the employees from different companies can still compute a common session key by our interdomain key agreement scheme.

Our conference key agreement can be applied to ad hoc networks, too. In a wireless environment, reliable communication and authentication are desired. With our method, it is unnecessary for ad hoc sensors to store a large amount of data in advance, and they can still negotiate a session key under mutual authentication. We can ensure that the transmitted messages are reliable and also secure against malicious sensors in wireless networks.

Appendices

A. Shi et al.’s Scheme [19]

In [19], KGC gives each user, , as a public key and as a private key, where is the hashed value of the identity information ; and are randomly chosen by KGC. Each computes the key as follows.

Step 1. randomly chooses , computes , and then sends to for each .

Step 2. After receiving from the other users, computes

There are two security problems shown as follows.

A.1. Key-Compromise Impersonation

Case 1. Let , and be legal users who are going to negotiate a session conference key. Assume that the private key of is compromised. Thus, an adversary can act as and impersonate another user . The attack holds even if has no ’s long-term private key . picks two random integers as her/his ephemeral private keys and then computes and . The session conference key and is impersonated by in this session [26] and even showed that can impersonate without participating in session key negotiation.

Case 2. Suppose that an adversary obtains ’s and ’s long-term private keys and , where . can impersonate the other users , and to beguile into negotiating a session conference key. randomly picks integers and computes . randomly picks an integer and computes . Following the protocol, can compute the session conference key , where . According to the message , computes . Hence, can compute the session conference key .

A.2. Forward Secrecy

Suppose that an adversary gets user ’s long-term private key . can compute but cannot compute . If two or more users’ long-term private keys are compromised, can compute the previous session keys. Assume that user ’s long-term private key is also obtained by . can compute and derive the session key . Therefore, this scheme offers partial forward secrecy only.

B. Du et al.’s Scheme [15, 16]

Let be the identifiers of the users . Each has the public key and the private key , where is the master key of KGC. The protocol is described below.

Step 1. randomly chooses , computes and , where , and then broadcasts .

Step 2. If , broadcasts . Besides, let and .

Step 3. Finally, computes the session key .

The following two attacks are valid.

B.1. Key-Compromise Impersonation [29]

When wants to negotiate a session conference key with others, she/he must compute the authentication factor and broadcast it. Two adversaries and can obtain in a previous session. Suppose that is and is . Thus, and can impersonate by rebroadcasting , which satisfies the verification formula in Step 2. When and collude, they can compute .

Now, and have a valid message , so that they can impersonate to construct a session conference key without being detected by other users.

B.2. Forward Secrecy

Assume that an adversary gets TA’s long-term private key . , and negotiated a key in a previous session and got all transmitted messages , and . Then can compute the previous session key as follows:

Du et al. improved their scheme in [16]. They added a synchronous counter held by all users. The initial value of is 1, and it is increased by 1 after each successful session. In the improved scheme, they modified in Step 1 and verified whether in Step 2. However, [16] still has the same vulnerability as [15] to the key-compromise impersonation attack (because and , who act as and , respectively, know , which is public among users) and lacks forward secrecy as shown above.

C. Zhang et al.’s Scheme [18]

Each has the public key and the private key , which are the same as those of Du et al.’s scheme. The protocol is shown below.

Step 1. randomly chooses and computes and and then sends with the signature to , and .

Step 2. After verifying each received by checking that , and compute , , if is odd; otherwise and compute , , . The other ’s compute and if is odd; otherwise they do nothing. Finally, each , with an odd , broadcasts with the signature.

Step 3. Each user ( is odd) and can compute the session conference key if is odd where (when ) or (when ) for each odd . Otherwise, if is even where (when ) or (when ) for each odd .

It is easy to impersonate a user whose index is even in this scheme, since such users only send the message . We show an example as follows. Suppose that there are six users , and who want to negotiate a conference key. By this scheme, only submits to , and in Step 1. If , and collude, they can negotiate a randomly chosen pair to cheat without joining the session, because does not need to verify . Besides, even though broadcasts the message and every user can check the correctness of the message, the scheme still suffers from key-compromise impersonation by resending , as in Du et al.’s scheme [29].

D. Kim et al.’s Scheme [17]

First, KGC sets up as the master key and as public parameters, where . Then, KGC generates a key pair for each user. Let be the identifiers of users , respectively. Each has the public key and the private key .

Step 1. broadcasts with the signature , where , , and are randomly chosen by .

Step 2. After verifying the signature by checking that , the conference key is computed as follows: where .

This scheme has a serious problem. In the protocol, since every user broadcasts the message , one can collect all ’s and compute all ’s to derive even if she/he does not join the session.

E. Choi et al.’s Scheme [24]

First, KGC sets up as the master key and as public parameters, where . Then, KGC generates a key pair for each user. Let be the identifiers of users , respectively. Each has the public key and the private key .

Step 1. broadcasts the signature , where , , is randomly chosen by .

Step 2. After receiving , , and , verifies the messages by checking whether . then broadcasts .

Step 3. can compute the session key .

Reference [30] has shown that [24] is vulnerable to key-compromise impersonation as follows.

Suppose that attacker is and attacker is . Thus, and can rebroadcast and then broadcast = = to impersonate .

F. Zhou et al.’s Schemes [26]

Zhou et al. proposed two group key agreement schemes. One is a one-round scheme with security proofs. The other, based on the former, is a two-round scheme with lower communication cost. These schemes are described below.

KGC sets up as the master key and as public parameters, where . Then, KGC generates a key pair for each user. Let be the identifiers of users , respectively. Each has the public key and the private key .

In the former scheme, each user randomly picks , , and , computes for each and , and broadcasts . After receiving all ’s, computes for each and . Thus, the session key .

In the latter scheme, only randomly picks , , and and broadcasts such that , . When each receives , he computes and broadcasts , where is randomly chosen by . Then, all ’s compute and , , and verify by checking . Finally, all users can compute the session key .

Both schemes achieve only partial forward secrecy. Once all of the users’ private keys ’s are revealed or KGC’s secret key is compromised, an attacker is able to compute previous session keys from the intercepted broadcast messages. Moreover, the schemes cannot withstand key-compromise impersonation. In the first scheme, if the private keys are revealed, an attacker can impersonate by broadcasting the message with random strings , , and . In the second scheme, if ’s private key is revealed, an attacker can impersonate any other by computing and broadcasting , , where , , , and are randomly chosen.

G. Yao et al.’s Scheme [25]

KGC sets up as the master key and as public parameters, where . Then, KGC generates a key pair for each user. Let be the identifiers of users , respectively. Each has the public key and the private key .

Step 1. Each generates a random string , computes and , where , and broadcasts .

Step 2. Each verifies the received , and , by checking whether . If true, computes and broadcasts and , where .

Step 3. After receiving ’s, checks if . Then, computes and broadcasts .

Step 4. checks whether each received equals , where . If the condition holds, the session key .

The scheme is not immune to key-compromise impersonation, either. Suppose that an adversary who obtains ’s private key attempts to impersonate . can rebroadcast previous messages and in Step 1 and Step 2, respectively. Then, broadcasts in Step 3.

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgment

This work was partially supported by the Ministry of Science and Technology of Taiwan under Grant MOST 103-2221-E-110-057, NSYSU-KMU Joint Research Project (NSYSUKMU 103-I001), and Aim for the Top University Plan of the National Sun Yat-sen University and Ministry of Education, Taiwan.