Research Article  Open Access
Chun-I Fan, Yi-Hui Lin, Tuan-Hung Hsu, Ruei-Hau Hsu, "Interdomain Identity-Based Key Agreement Schemes", Mathematical Problems in Engineering, vol. 2014, Article ID 865367, 18 pages, 2014. https://doi.org/10.1155/2014/865367
Interdomain Identity-Based Key Agreement Schemes
Abstract
In order to simplify key management, two-party and three-party key agreement schemes based on user identities have been proposed recently. Multiparty (including more than three parties) key agreement protocols, which are also called conference key schemes, can be applied to distributed systems and wireless environments, such as ad hoc networks, for the purpose of multiparty secure communication. However, it is hard to extend two- or three-party schemes to multiparty ones with the guarantee of efficiency and security. In addition to the above two properties, interdomain environments should also be considered in key agreement systems due to diversified network domains. However, only a few identity-based multiparty conference key agreement schemes for single-domain environments and none for interdomain environments have been proposed in the literature, and they do not satisfy all of the security attributes, such as forward secrecy and withstanding impersonation. In this paper, we propose a novel efficient single-domain identity-based multiparty conference key scheme and extend it to an interdomain one. Finally, we prove that the proposed schemes satisfy the required security attributes via formal methods.
1. Introduction
The technique of key agreement allows two or more parties to exchange information and negotiate a common session key. The first key exchange scheme was proposed by Diffie and Hellman in 1976 [1], where two parties exchange public information and then compute a common key from their private keys and the received information. However, the basic Diffie-Hellman protocol lacks mutual authentication between the two parties, so the man-in-the-middle attack is valid in this scheme. Many researchers have modified the Diffie-Hellman protocol to ensure mutual authentication between two parties; the resulting protocols are called authenticated key agreement (AKA) protocols. Many variants of the Diffie-Hellman protocol have been proposed, and several different kinds of key agreement mechanisms have been shown in [2]. Up to now, the Diffie-Hellman key exchange protocol is still an important basis for most key agreement protocols.
In 1984, Shamir proposed an identity-based cryptosystem [3], where the public key of each user is her/his public identity information, and there exists a private key generator (PKG), a key generation center (KGC), or a Trusted Authority (TA) which is trusted by all users. PKG, KGC, or TA, which will be called TA below, can produce each user’s private key according to her/his public key. In almost all of the identity-based key agreement schemes, TA provides the private/public key generation services for users. When a user registers with TA, the user’s public information, like an ID or email address, will be her/his public key, and TA gives the user the private key corresponding to her/his public key.
Pairing is a tool which was initially applied to cryptography to convert the Discrete Logarithm problem in elliptic curves to that in finite fields, and it can be derived from bilinear pairing, namely, Weil pairing [4] or Tate pairing [5]. First, Joux [6] used pairing to construct the first 3-party key agreement protocol based on a certificate system in 2000 and his scheme. Later, researchers found that pairing is suitable for the implementation of identity-based cryptosystems. Smart [7] proposed a two-party identity-based authenticated key agreement scheme in 2002. Boneh and Franklin [4] proposed an identity-based encryption scheme based on Weil pairing in 2003. Afterwards, pairing has become an important mathematical foundation of cryptography. Many identity-based key agreement schemes based on pairings have been proposed in the literature [7–11].
A conference key agreement scheme is a variety of a multiparty key agreement or group key agreement scheme, but it is different from a conference key distribution scheme. In a conference key distribution scheme, a session conference chair decides the conference key and then broadcasts it to every member in this session conference. In particular, in a conference key agreement scheme, we must guarantee that the protocol satisfies the following three properties.
(1) Each conference key is negotiated by all session members.
(2) Every session member can compute the conference key via the same algorithm.
(3) No session member can predict or preselect the conference key.
The first formal security analysis of an identity-based two-party key agreement scheme was introduced by Chen and Kudla [9], and they improved the first identity-based key agreement scheme based on pairings [7]. Chen and Kudla proved that their protocol is secure in the security model of Bellare and Rogaway [12]. Later, Al-Riyami and Paterson also proposed four kinds of tripartite authenticated key agreement protocols by improving Joux’s scheme [13], and they showed that their scheme is secure. Unfortunately, Shim and Woo [14] pointed out that their scheme has some weaknesses. Furthermore, several conference key agreement schemes based on bilinear pairing have been proposed in the literature [15–19], but they are all insecure; their security weaknesses will be shown in Section 3 of the paper.
Section 4 will present two new hard problems, the Linear Diffie-Hellman (LDH) problem and the Decisional Linear Diffie-Hellman (DLDH) problem, on which our key agreement schemes are based.
In Section 5, we will propose a novel efficient identity-based conference key agreement scheme by combining the concepts of [16, 19]. In addition to a single TA, we also discuss how the users, who have registered with distinct TAs, negotiate a common conference key. Moreover, in order to formally demonstrate the security of our proposed schemes, we adopt the random oracle method, which was proposed by Bellare and Rogaway [12], to prove the security of our schemes under some well-known assumptions. We will define several security attributes in the third part of Section 2 and formally prove the security of our schemes in Section 6. Finally, we also provide a performance comparison to demonstrate that our proposed schemes are more efficient than others.
Our contributions are summarized as follows.
(1) We find some security flaws in the schemes of [15–19].
(2) We introduce two new hard problems.
(3) We propose interdomain identity-based conference key agreement schemes.
(4) We formally prove that our schemes completely satisfy all of the security attributes.
2. Preliminaries
In this section, we review the concept of pairing which includes definitions, computationally hard problems, and security attributes of key agreement based on pairings.
2.1. Pairing
Pairing [20] in an elliptic curve cryptosystem is a function which maps a pair of elliptic curve points to an element of a multiplicative group in a finite field. It has been widely applied to key agreement, signatures, broadcast encryption, and identity-based encryption. In the following, we will review the definitions and properties of pairings.
2.1.1. Bilinear Pairing
We briefly describe the concept of bilinear pairing [20]. Let and be abelian groups written in additive notation with prime order and identity elements and , respectively, such that and , where and . Suppose that is a cyclic group of order written in multiplicative notation with identity element . Now we have the groups , , and . The mapping function is
Typically, and are subgroups of the points on an elliptic curve over a finite field and is a subgroup of a multiplicative group over a finite field.
In addition, the following additional properties must be satisfied:
(i) bilinearity , and , for all ;
(ii) non-degeneracy , with , such that , , with , such that , and , ;
(iii) computability if and , there exists an efficient algorithm which can compute in polynomial time.
The schemes in Section 3 use symmetric bilinear pairing, so they set . In order to make the following decisional problems remain hard, we set and there is no polynomial-time computable isomorphism , such that , where is a generator of and is a generator of .
2.2. Hard Problems
(1) The Discrete Logarithm (DL) problem: given , find an integer such that .
(2) The Computational Diffie-Hellman (CDH) problem: for , given , compute .
(3) The Decisional Diffie-Hellman (DDH) problem: for , given where (mod ) or is decided by flipping a coin. Output “Yes” if (mod ); otherwise output “No”.
(4) The Divisible Computational Diffie-Hellman (DCDH) problem [21]: for , given , compute .
(5) The Decisional Linear Diffie-Hellman (DLDH) problem in [22, 23]: for , given , where or is decided by flipping a coin. Output “Yes” if ; otherwise output “No”. This hard problem was first proposed by Boneh et al. [22] in 2004 and then Boyen and Waters [23] extended it to asymmetric bilinear groups in 2006.
(6) The co-Bilinear Diffie-Hellman (co-BDH) problem [4]: given and in asymmetric bilinear map groups , compute .
We propose the variant-CDH problem and extend the DLDH problem to the LDH and DLDH problems. We will prove that they are also hard in Section 4.
(7) The Variant Computational Diffie-Hellman (variant-CDH) problem: given and , compute .
(8) The n-Linear Diffie-Hellman (LDH) problem: given , ’s, and ’s for all , with , , , and , compute .
(9) The Decisional n-Linear Diffie-Hellman (DLDH) problem: given , , ’s, and ’s for all , with , , , and , where or is decided by flipping a coin. Output “Yes” if ; otherwise output “No”.
2.3. Security Attributes
There are some security definitions in the identity-based key agreement schemes based on pairing [13, 14]. We describe them as follows.
Known Session Key Security. A key agreement protocol should produce a unique common secret key, which is called a session key, for every session. The protocol should still achieve this goal when an adversary has learned all of the other session keys.
(Perfect) Forward Secrecy. Forward secrecy means that no adversary can derive previous session keys from compromised long-term private keys of one or more parties. Partial forward secrecy means that, when the long-term private keys of one or more (not all) parties are corrupted, no adversary can get any previous session keys which were established by these parties. Perfect forward secrecy means that no adversary can derive previous session keys even after obtaining the long-term private keys of all parties. In ID-based systems, perfect forward secrecy implies that, even when TA’s and all users’ long-term private keys are corrupted, no previous session key established by the registered users can be derived by adversaries. We also call it TA forward secrecy.
Key-Compromise Impersonation. A protocol can resist key-compromise impersonation if an adversary cannot impersonate some users even though the other users’ long-term private keys were disclosed.
The man-in-the-middle attack is a special case of key-compromise impersonation in ID-based systems. If an adversary intercepts messages, retransmits them, and then communicates with users without being detected in the key agreement protocol, we say that he succeeds in impersonation.
Withstanding key-compromise impersonation also covers unknown key-share resilience. It is the basic security attribute for a key agreement scheme. Some users cannot have a key agreement with the other users without the knowledge of them. If some users cannot impersonate the others, they cannot run the key agreement scheme for them.
Key Control. It should be impossible for any participant (or an adversary) to preselect a value as a session key or predict the value of the session key.
3. Security Problems in the Previous Schemes
In this section, we briefly introduce security weaknesses in the schemes [15–19, 24–26]. The details of the security problems in these schemes are in the Appendices.
Shi et al. [19] proposed an ID-based authenticated group key agreement protocol in 2005. The design of the protocol is efficient because it only takes one round to finish a group key agreement and it needs no exponentiation computation besides a pairing computation. We find that the protocol does not resist key-compromise impersonation since the users do not verify the messages with one another in the protocol. Moreover, it only achieves partial forward secrecy.
Du et al. [15] proposed an ID-based authenticated group key agreement protocol in 2003 and improved it in the same year. Neither of them achieves perfect forward secrecy. Although they embed a signature scheme to verify the messages, both of the protocols still suffer from key-compromise impersonation found by Zhang and Chen [29]. In the attack of [29], the adversaries collect the messages of the user in the previous session and replay them after modifying the messages. Zhang and Chen [30] also attacked Choi et al. [24] with the same method in 2004. The protocol of Zhang et al. [18] in 2005 has the same security problem as Du’s since they embed the same signature scheme in the protocol.
Kim et al. [17] aim to design a one-round key agreement protocol. But we find that the protocol cannot even achieve known session key security. Anyone can compute the session key by collecting the broadcast messages.
Zhou et al. [26] proposed two schemes: one is one-round and the other is two-round. We find that neither of them can withstand key-compromise impersonation. For the first scheme, the other users can collude to impersonate the user . For the second one, the user can impersonate any other user he wants. We also find that the protocol of Yao et al. [25] is not immune to key-compromise impersonation, either. A user can impersonate another by rebroadcasting the messages. The work of [31] improved the flaw but did not provide any formal proofs. Yuan et al. [27] improved it with formal proofs.
4. Three New Hard Problems
We formally prove that our proposed problems, the Variant Computational Diffie-Hellman problem, the Linear Diffie-Hellman problem, and the Decisional Linear Diffie-Hellman problem, are hard by using problem reduction and the generic model, respectively.
4.1. The Variant Computational Diffie-Hellman (Variant-CDH) Problem
Theorem 1. The variant-CDH problem is hard if the co-BDH problem is hard.
Proof. Suppose that there exists an oracle which can solve the variant-CDH problem with non-negligible probability. We will prove that the oracle can help us to solve the co-BDH problem with non-negligible probability. Given any parameters of the co-BDH problem, and , we input and into the variant-CDH oracle. The oracle will output . Then, we solve the co-BDH problem by computing .
4.2. The Linear Diffie-Hellman (LDH) Problem
Theorem 2. The LDH problem is hard if and only if the DCDH problem is hard.
Proof. (1) LDH DCDH. Suppose that there exists an oracle which can solve the LDH problem with non-negligible probability. We will prove that the oracle can help us to solve the DCDH problem with non-negligible probability.
For any DCDH triple , we convert them into the LDH oracle’s input parameters which are shown in (2):
We randomly pick and , compute , and set other parameters in (3):
Equation (2) is equal to (3); that is, , , in row 1, , in row 2 (suppose that ), , in row , and , , in row . The oracle will output . Thus, we have that
From (4), we can get .
(2) LDH DCDH. Suppose that there exists an oracle which can solve the DCDH problem with non-negligible probability. We will prove that the oracle can help us to solve the LDH problem with non-negligible probability, too.
For any LDH tuple in (2), we input , and into the oracle. Then the oracle outputs , and , respectively.
Finally, we can compute to solve the LDH problem.
We use a way similar to [22] to prove the DLDH problem being hard. In the generic model, elements of , , and are encoded as unique random strings, where and are additive groups and is a multiplicative group. There is a bilinear pairing function . Let , , and be the sets of strings. The opaque encoding of the elements of is modeled as an injective function , where , which maps all to the string representation of . Analogous mapping and map all to the string representation of and of , where .
4.3. The Decisional Linear Diffie-Hellman (DLDH) Problem
Theorem 3. Let be an algorithm that solves the DLDH problem in the generic bilinear group model with at most oracle queries. Let ’s, ’s, and be chosen at random, where , , and , , , and are random encoding functions for , , and , and is a random bit. Let and . The probability is
Proof. plays the following game with . maintains the lists , , and . Let ’s, ’s, , and (, , ) be indeterminate. All ’s, ’s, and ’s ’s, ’s, are polynomials and ’s, ’s, ’s are distinct strings. At the beginning of the game, sets , , , , , , , and the following polynomials: [, ,, ], where the symbol “” means emptiness and gives the distinct strings , , and . In the initial list index, the numbers of the records in , , and are , , and , respectively, where . At any step in the game, can make the group and pairing queries. performs and responds to as follows.
Group Action. gives two operands , and a sign bit, where , . sets . If for some , sets . Otherwise, sets to be a string in distinct from . Finally, adds to the list , gives to , and sets . The group action queries in and are simulated similarly.
Pairing. gives two operands and with and . sets the product . If for some , sets . Otherwise, sets to be a string in distinct from . Finally, adds to the list , gives to , and sets .
Consider the operation that performs: adds/subtracts all polynomials in the list , , and by any ’s query. produces any of two polynomials in and to generate a new polynomial in . For any variant , it occurs within the monomials in and lists and it occurs no monomial in list. Therefore, cannot produce any polynomial that contains the monomial ’s in or and the monomial ’s in for any coefficient and any nonzero monomial in in the available operations.
After at most queries, terminates and returns a guess . The distinct values of operands provide no information to because they are random bit strings. Therefore, the probability that wins the game in the generic model is .
However, when randomly chooses ’s, ’s, and , sets and , and assigns , and , a nontrivial equality relation may occur and give some information that is not revealed in the generic model; that is, for some (and , resp.) and (and , resp.), ’s, ’s, ) = ’s, ’s, ) (and ’s, ’s, ) = ’s’s), resp.).
The probability of the occurrence is computed according to the following lemma.
Lemma 4 (see [32]). Let be prime and let . Let be a nonzero polynomial of total degree . Then for random , the probability that is at most .
By Lemma 4, all polynomials in the have degree at most 2, so that, for some and , the probability of ’s, ’s, = ’s, ’s, ’s, ’s, is at most . The degree of polynomials in the is 0. All polynomials in the have degree at most 2, so that, for some and , the probability of ’s, ’s, = ’s’s’s, ’s, is at most . Therefore, wins the game with the probability . Since , we have , where the advantage is not greater than .
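The simulator's bookkeeping in the proof above can be made concrete. The following Python code is an added example, not code from the paper: it keeps three lists of (polynomial, opaque string) records, answers group-action and pairing queries as the proof describes, and counts how often two distinct polynomials agree at a point, the event that Lemma 4 (the Schwartz-Zippel bound, at most d/p for a nonzero polynomial of total degree d) limits. The modulus 101, the indeterminates x and y, and all class and function names are assumptions made for the illustration.

```python
import secrets
from itertools import combinations, product

P = 101  # small prime standing in for the group order (assumption, demo only)

# A polynomial is a dict {monomial: coeff mod P}; a monomial is a sorted
# tuple of variable names, so ("x", "y") is x*y and () is the constant term.
def add(f, g, sign=1):
    out = dict(f)
    for m, c in g.items():
        out[m] = (out.get(m, 0) + sign * c) % P
    return {m: c for m, c in out.items() if c}

def mul(f, g):
    out = {}
    for (m1, c1), (m2, c2) in product(f.items(), g.items()):
        m = tuple(sorted(m1 + m2))
        out[m] = (out.get(m, 0) + c1 * c2) % P
    return {m: c for m, c in out.items() if c}

def evaluate(f, point):
    total = 0
    for m, c in f.items():
        for v in m:
            c = c * point[v] % P
        total = (total + c) % P
    return total

class OpaqueList:
    """One simulator list: (polynomial, random string) records."""
    def __init__(self):
        self.records = []

    def insert(self, poly):
        for f, s in self.records:
            if f == poly:          # known polynomial: reuse its string
                return s
        s = secrets.token_hex(8)   # fresh encoding, reveals nothing about poly
        self.records.append((poly, s))
        return s

    def poly(self, handle):
        return next(f for f, s in self.records if s == handle)

class Simulator:
    def __init__(self, g1_polys, g2_polys):
        self.L1, self.L2, self.LT = OpaqueList(), OpaqueList(), OpaqueList()
        self.h1 = [self.L1.insert(f) for f in g1_polys]
        self.h2 = [self.L2.insert(f) for f in g2_polys]

    def group_action(self, lst, a, b, subtract=False):
        return lst.insert(add(lst.poly(a), lst.poly(b), -1 if subtract else 1))

    def pairing(self, a, b):
        return self.LT.insert(mul(self.L1.poly(a), self.L2.poly(b)))

    def collides(self, point):
        """True if two distinct polynomials in one list agree at `point`."""
        return any(evaluate(add(f, g, -1), point) == 0
                   for lst in (self.L1, self.L2, self.LT)
                   for (f, _), (g, _) in combinations(lst.records, 2))

def zero_count(f, variables):
    """Exact number of points in F_P^n where the polynomial vanishes."""
    return sum(evaluate(f, dict(zip(variables, pt))) == 0
               for pt in product(range(P), repeat=len(variables)))

def demo():
    one, x, y = {(): 1}, {("x",): 1}, {("y",): 1}   # constructed inputs
    sim = Simulator([one, x], [one, y])
    g1_one, g1_x = sim.h1
    g2_one, g2_y = sim.h2
    e_xy = sim.pairing(g1_x, g2_y)      # polynomial x*y in the target list
    e_x = sim.pairing(g1_x, g2_one)     # polynomial x in the target list
    diff = add(sim.LT.poly(e_xy), sim.LT.poly(e_x), -1)   # x*y - x, degree 2
    return sim, e_xy != e_x, zero_count(diff, ["x", "y"])
```

In the demo the two pairing results get different strings because their polynomials differ, yet x*y - x vanishes on 2P - 1 of the P^2 points, just under the d/p share that the lemma allows for degree 2.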
5. Our Key Agreement Schemes
In this section, we propose two conference key agreement schemes. The first scheme is designed for the situation where the users who register with a single TA (single domain) want to negotiate a session conference key. Furthermore, the second scheme makes it possible for the users in distinct groups who register with different TAs (interdomain) to negotiate a session conference key. In addition, we will prove the security of the two proposed schemes in Section 6 and compare them with others in Section 7.
5.1. The Proposed Scheme in Single TA
Setup. TA inputs a security parameter into a setup algorithm which returns groups , , and () of prime order with , a suitable bilinear mapping , generators , , and three hash functions , , and where is the output length of the hash functions. TA randomly generates a long-term private key and the public key and then publishes .
Extract. When a user registers a public identity (ID), such as an email address, with TA, TA will check whether the ID belongs to the user. If true, TA issues a long-term private key to where (TA’s ID’s ID) is ’s public key.
Conference Key Agreement. Suppose that there are legal users , and who want to negotiate a conference key. Our conference key agreement scheme contains three rounds described as follows.
Round 1: every user randomly picks an integer as a blinding factor, and then computes and broadcasts to all users who join this session. The flow is shown in Algorithm 1.

Round 2: after receives all ’s , , she/he randomly picks an integer as an ephemeral key and computes , and then broadcasts . The flow is shown in Algorithm 2.

Round 3: for all ’s in Round 2, we can rearrange them as shown in (7). When receiving ’s, only stores and drops other useless information ’s . For example, stores column 1 and stores column 2 in (7). Then computes as follows:
All ’s in Round 2 computes , , and , and then she/he broadcasts . When receives all ’s , she/he first verifies all ’s by checking if for each . If they are true, randomly chooses , computes , and verifies whether or not. If true, accepts and computes the session conference key . Algorithm 3 illustrates the flow in Round 3.

5.2. The Proposed Scheme in Distinct TAs
Our single domain conference key agreement scheme can be extended to an interdomain conference key agreement scheme. Interdomain means that there are distinct domains with different TAs, respectively. In this subsection, we present our interdomain conference key scheme. Assume that there are Trusted Authorities , and and user groups , and who register with the distinct TAs, respectively. In the proposed scheme, the users in different groups can negotiate a session conference key SCK via the following process.
Setup. , , inputs a security parameter into a setup algorithm which returns two groups , , and () of prime order , a suitable bilinear mapping , generators , , and three hash functions , , , and where is the output length of the hash functions. randomly generates a long-term key and public key and then publishes .
Extract. When a user in group registers a public ID with , will check whether the ID belongs to the user. If true, issues private key to the user, where (’s ID’s ID) is the public key and denotes user who has registered with .
Interdomain Conference Key Agreement. Suppose that users in distinct domains or groups want to negotiate a conference key. Let be the number of users in the th domain and be the number of the total users . Our interdomain conference key agreement protocol contains three rounds where Round 1 and Round 2 are similar to those of the proposed single domain conference key protocol.
Round 1: every user randomly picks an integer and then broadcasts to the users who join this session.
Round 2: after receiving ’s , computes , where is ’s ephemeral key, and broadcasts .
Round 3: when receiving ’s, only stores ’s , and and drops other useless information ’s , and . Then computes every domain’s key as follows:
computes , , , and , and then she/he broadcasts . When receives all messages, first verifies all ’s by examining if for each and , and . If all ’s are correct, randomly chooses integers ’s, where each , computes , and checks if . If it is true, accepts and computes the session conference key .
6. Security Proof
The Bellare-Rogaway random oracle model [12, 33], which was extended by Blake-Wilson et al. [34], is suitably modified and adapted for analyzing the security of key agreement protocols like those in the literature [9, 13]. In this section, we modify the Bellare-Rogaway random oracle model and adopt similar concepts and definitions to those in [8] to set up our security game.
Definition 5 (game environment). Let adversary be a probabilistic polynomial time Turing machine and a simulator to simulate this game for . Let be all users and the group users who follow our first identity-based conference key scheme, where is the order of and . In the game, we allow to make the following types of queries.
(1) Execute: when makes the Execute query, simulates to run the first protocol (Section 5.1) and responds with all public messages (i.e., ’s for all ’s in the th session.
(2) Send: when makes the Send query with a set of users and a message which is the set of ’s broadcast by the users in , simulates all ’s to interact with by broadcasting the messages ’s of ’s in the th session.
(3) Reveal: reveals the session conference key which was held by in the th session.
(4) Corrupt: responds with the long-term private key of .
(5) Test: when makes the Test query, returns the broadcast messages of the th session and gives the adversary either the session key of the th session or a random string. then outputs a bit to decide whether the string is the session key or not.
(6) : when a participant inputs a string to , it responds with the hashed value of the string and the hashed value will be recorded.
(7) : when a participant inputs a message to , it responds with the hashed value of and the hashed value will be recorded, too.
(8) : when a participant inputs , where and , to , it responds with the hashed value of and the hashed value will be recorded, too.
6.1. Correctness
Theorem 6 (correctness). In the presence of a benign adversary , all the parties always accept holding the same session conference key, which is distributed randomly and uniformly in , where is the security parameter.
Proof. Every user can generate a valid message