Abstract

The existence of malicious participants is a major threat to authenticated group key exchange (AGKE) protocols. Typically, there are two ways (passive and active) of detecting malicious participants in AGKE protocols. In 2012, the revocable identity- (ID-) based public key system (R-IDPKS) was proposed to solve the revocation problem in the ID-based public key system (IDPKS). Afterwards, based on the R-IDPKS, Wu et al. proposed a revocable ID-based AGKE (RID-AGKE) protocol that adopts passive detection to resist malicious participants. However, it needs three rounds and cannot identify the malicious participants. In this paper, we fuse a noninteractive confirmed computation technique into the R-IDPKS setting to propose the first two-round RID-AGKE protocol that identifies malicious participants, which is an active detection approach. We demonstrate that our protocol is a provably secure AGKE protocol with forward secrecy and can identify malicious participants. Compared with the recently proposed ID/RID-AGKE protocols, our protocol has better performance and more robust security properties.

1. Introduction

Group-oriented applications, such as collaborative work and teleconferencing, are widely used on the Internet. An authenticated group key exchange (AGKE) protocol [1] is a cryptographic primitive that provides secure group communication for users in cooperative and distributed applications. While executing the protocol, the group participants not only cooperatively generate a common key, which is used to encrypt the transmitted messages, but also authenticate each other’s identities.

The existence of malicious participants is a major threat to AGKE protocols. The goal of a malicious participant is to disturb the establishment of the common key. Hence, how to resist malicious participants in AGKE protocols has become a critical research issue. Typically, there are two detection approaches. (I) Passive detection [2–4]: an explicit key confirmation step is added to the AGKE protocol. The resulting protocols only detect the existence of malicious participants, and an additional round is required. (II) Active detection [5, 6]: a noninteractive confirmed computation technique is built into the AGKE protocol. The resulting protocols can identify the malicious participants without an additional round. However, the computational cost of active detection is higher than that of passive detection.

Quite recently, the revocable identity- (ID-) based public key system (R-IDPKS) was proposed to solve the problem of revoking users in the ID-based public key system (IDPKS). The concept of IDPKS was introduced by Shamir [7] in 1984 and first realized by Boneh and Franklin [8] in 2001. Indeed, they [8] suggested, as an answer to the revocation problem in the IDPKS, that the private key generator (PKG) periodically reissue the private keys of all nonrevoked users. This approach can be used to revoke compromised or misbehaving users. Nevertheless, reissuing users’ private keys periodically places a heavy workload on the PKG.

In 2008, Boldyreva et al. [9] proposed a revocable ID-based encryption (RIBE) scheme using a binary tree. Their scheme reduces the PKG’s workload in the Boneh-Franklin solution [8]. However, this scheme is based on a weak security model called the relaxed selective-ID model [10]. In 2009, Libert and Vergnaud [11] built on Boldyreva et al.’s RIBE to present a RIBE scheme secure in the adaptive-ID model. Recently, Seo and Emura [12] showed that Boldyreva et al.’s scheme [9] is vulnerable to decryption key exposure and then proposed a provably secure tree-based RIBE scheme. Subsequently, Seo and Emura [13] presented a hierarchical RIBE scheme to solve the open problem raised in [11].

In 2011, Tseng and Tsai [14] proposed a practical RIBE scheme over a public channel. The key construction of the Tseng-Tsai scheme differs from the previous schemes [9, 11–13]. In [14], each user’s private key consists of a fixed initial private key and an update key, where the update key is renewed for each period. For an honest (nonrevoked) user, the PKG periodically issues a new update key and sends it to the user via a public channel. Upon receiving the new update key, the user renews her/his private key by herself/himself. To revoke a malicious user, the PKG simply stops issuing update keys to that user from the current period on. Thus, the user cannot compute the current private key and therefore cannot perform any cryptographic operation in later periods. Later on, several revocable ID-based cryptographic schemes based on the Tseng-Tsai R-IDPKS [14] were presented, such as encryption [15], signature [16, 17], authenticated group key exchange (AGKE) [4], and signcryption [18].

In 2012, Wu et al. [4] proposed the first provably secure revocable ID-based AGKE (RID-AGKE) protocol. Their protocol adopts passive detection to resist malicious participants. However, it requires three rounds and cannot identify the malicious participants. In this paper, we fuse the key construction of the Tseng-Tsai R-IDPKS [14] with a noninteractive confirmed computation technique [6] to present a two-round RID-AGKE protocol that identifies malicious participants. In our protocol, each group participant can confirm whether the broadcast values were correctly computed by the other participants. Based on this check, our protocol readily identifies any participant who maliciously broadcasts incorrect values to disturb the establishment of the common key. The framework and security notions for RID-AGKE protocols are defined to formalize the possible threats and attacks. We prove the security of our protocol in the random oracle model [19] under two mathematical assumptions (the computational Diffie-Hellman and the decisional bilinear Diffie-Hellman assumptions). Finally, we compare our protocol with the recently proposed ID/RID-AGKE protocols to show its advantages.

The rest of this paper is organized as follows. We briefly review the concepts of bilinear pairings and related mathematical problems in Section 2. The security model and notions of RID-AGKE are presented in Section 3. We propose a concrete RID-AGKE protocol in Section 4. Security analysis of the proposed RID-AGKE protocol is demonstrated in Section 5. We make the performance analysis and comparisons in Section 6. Conclusions are drawn in Section 7.

2. Preliminaries

In this section, we briefly review the properties of bilinear pairings and related mathematical problems. For the details, a reader can refer to [8, 20, 21] for full descriptions.

2.1. Bilinear Pairings

Let and be two groups of a large prime order , where is an additive cyclic group and is a multiplicative cyclic group. A bilinear pairing is a map defined by that satisfies the following three conditions.
(1) Bilinearity: for all and , .
(2) Nondegeneracy: there exist such that .
(3) Computability: for all , there exists an algorithm to compute .

2.2. Mathematical Hard Problems and Assumptions

Here, we present two mathematical hard problems and define the corresponding assumptions as follows.
(1) Computational Diffie-Hellman (CDH) problem: given for some , the CDH problem is to compute .
(2) Decisional bilinear Diffie-Hellman (DBDH) problem: given for some , the DBDH problem is to distinguish from .

Definition 1 (CDH assumption). Given for some , there does not exist a probabilistic polynomial-time algorithm with a nonnegligible probability to compute . The advantage of within running time is defined as .

Definition 2 (DBDH assumption). Given for some , there does not exist a probabilistic polynomial-time algorithm with nonnegligible probability to distinguish from . The advantage of within running time is defined as .

3. Model and Notions

In this section, we define the model and notions for RID-AGKE protocol. Note that some of the following definitions and notations are referred to in [4, 6, 2224].

Initialization. The initialization of RID-AGKE protocol has three algorithms.

(1) Setup Algorithm. This algorithm is a probabilistic algorithm which takes as input a security parameter and a total number of periods. It returns a system private key and public parameters param. Note that the whole lifetime of the system is divided into distinct periods . Here, param is made public.

(2) Initial Key Extract Algorithm. This algorithm is a deterministic algorithm which takes as input the system private key and a participant’s identity . It returns the participant’s initial private key .

(3) Key Update Algorithm. This algorithm is a deterministic algorithm which takes as input the system private key , a participant’s identity , and a period index , where . It returns the participant’s update key .

Here, note that the participant’s private key for period is defined by .

Related Notions. For simplicity, there is a fixed set with polynomial size of potential participants. Assume that each participant has a unique identity . Any subset of may run a RID-AGKE protocol many times (possibly concurrently) in some period index to establish a group session key, where and is a total number of periods. Note that the set of participants’ identities, is known by all participants (including adversary).

An instance of participant in period is denoted by , where is a positive integer. Each instance has seven associated variables as follows.
(i) : it represents the current state of instance .
(ii) and : they take Boolean values indicating whether has accepted or terminated. Informally, we say that an instance has accepted, meaning that it has not detected any incorrect behavior. An instance is called terminated if it has sent and received its messages. Note that a terminated instance may also accept.
(iii) : it indicates whether is used in a RID-AGKE protocol.
(iv) : the partner ID of instance is a set containing the identities of the participants in the group with whom wants to establish a group session key (including itself).
(v) : the session ID of instance is the concatenation of all messages sent and received by the instance in a given execution of the RID-AGKE protocol.
(vi) : the group session key accepted by instance .

In the following definitions, we will only focus on the three variables , , and . The remaining variables will be left implicit. We say that two instances and are partnered if (1) they have accepted the same group session key; (2) ; and (3) .

Adversarial Model. An adversary is modeled as a probabilistic polynomial-time algorithm. We assume that can potentially control all communications in a RID-AGKE protocol. The interaction between and the instances of participants in the protocol is modeled by the following oracles.
(i) Execute : when makes an Execute query on , the oracle executes the RID-AGKE protocol among the unused instances of the participants in for period index and returns a transcript of the execution, where is a subset of . The Execute query models passive attacks.
(ii) Inextract : when makes an Initial key extract query on identity , the oracle generates the initial private key corresponding to and returns it to , where .
(iii) Kupdate : when makes a Key update query on , the oracle generates the update key corresponding to and returns it to , where and is a period index.
(iv) Send : when makes a Send query on , the oracle delivers message to instance and returns the reply generated by that instance according to the RID-AGKE protocol.
(v) Reveal : when makes a Reveal query on , the oracle returns the group session key of the terminated instance . The Reveal query models known session key attacks.
(vi) Corrupt : when makes a Corrupt query on , the oracle returns the private key of for period . The Corrupt query models the corruption of a participant at a time when it is not currently executing the protocol. We say that a participant is honest if and only if no Corrupt query has been made on it by .
(vii) Test : may make the Test query only once during its execution. At that moment a random coin is selected. If , the group session key is returned; otherwise, a random value is returned. The Test query models the semantic security of the group session key.

According to the above adversarial model, we define two types of adversaries. A passive adversary is allowed to make Execute, Reveal, Corrupt, and Test queries. An active adversary is allowed to make all of the above queries. For a more precise analysis, we keep the Execute query even though it could be replaced by repeated Send queries.

Remark 3. According to the adversarial model above, the adversary can compute participant ’s private key for period index if makes both the Initial key extract query on and the Key update query on . Hence, we disallow from making both queries at the same time.

Correctness. A RID-AGKE protocol is called correct if the following three conditions hold.
(1) All participants are honest and all messages are delivered honestly.
(2) “True” and .
(3) and for all participants with instances and .

Freshness. We say that an instance is fresh (or holds a fresh group session key ) if the following three conditions hold.
(1) has accepted a group session key .
(2) Neither nor its partners have been asked a Reveal query.
(3) No Corrupt query has been made on before a Send query to or a Send query to , where .

Here, we assume all instances are fresh. Note that the notion of freshness is defined appropriately for the purpose of forward secrecy.

Secure RID-AGKE. A secure RID-AGKE protocol contains the following four parts.

(1) Freshness.

(2) Security of RID-AGKE Protocol. The security of a RID-AGKE protocol is defined by the following game played between an active adversary and a set of instances:
(a) initialization: the system private key, public parameters, and participants’ private keys are generated in this phase;
(b) query: may make the different types of queries to the oracles and gets back the answers corresponding to the RID-AGKE protocol;
(c) guess: finally, the adversary outputs its guess for the coin in the Test query and terminates.

In this game, the goal of is to distinguish the group session key from a random value. Let Succ be the event that correctly guesses the coin in the Test query. The advantage of in attacking a RID-AGKE protocol is defined by . We say that the protocol is secure if the advantage is negligible.

(3) Forward Secrecy. We say that a RID-AGKE protocol provides forward secrecy if, even when an adversary obtains the participants’ private keys in , the previously established group session keys remain secure. The advantage of in attacking the protocol within running time is defined by ( ), where and are the maximum numbers of Execute and Send queries, respectively.

(4) Authentication. We say that a RID-AGKE protocol provides implicit key authentication if all participants in are guaranteed that nobody other than their partners can learn the session key. In other words, any adversary should not learn the key. Note that this security property does not guarantee that the partners have computed the key.

Malicious Participant. A participant is called malicious in a RID-AGKE protocol if he is a legal participant but is fully controlled by the adversary. The goal of a malicious participant is to disturb the establishment of the group key in .

4. Concrete Protocol

In this section, we propose a concrete RID-AGKE protocol with identifying malicious participants. Our protocol fuses the Tseng-Tsai R-IDPKS [14] and a noninteractive confirmed computation technique [6]. In the initialization phase, given a security parameter and a total number of periods, a private key generator (PKG) executes Setup algorithm to generate the system private key and the public parameters defined in Notations section at the end of the paper.

When a participant with identity wants to obtain her/his initial private key , the PKG runs the Initial key extract algorithm to compute and returns it to via a secure channel. For a nonrevoked participant with identity in time period , the PKG runs the Key update algorithm to compute her/his update key and returns it to via a public channel, where . Hence, any nonrevoked participant can update her/his private key by herself/himself in period .

Let be a set of participants who want to establish a group session key in period . We assume that each has a unique identity as public key and that ’s private key for period is . Note that the indices are taken modulo ; that is, and denote and , respectively. Finally, is a common message known in advance to all participants. The details of the proposed RID-AGKE protocol are described as follows.

Round 1. Each participant randomly selects a secret value and computes , , and , where denotes the concatenation of all participants’ identities in period ; that is, . Finally, each broadcasts to the other participants.

Round 2. Upon receiving and , each first verifies them by checking where . If the verification holds, each uses her/his secret value to compute . Then, randomly selects a value and computes a tuple , where , , , , and . Finally, sends this tuple to all other participants.

Group Key Computation. Upon receiving all for except , each verifies them by checking If the two verifications hold, can confirm that each was honestly computed using her/his secret , for except . Finally, in period , each participant can compute the group session key .

Identifying Malicious Participant. When a malicious participant tries to send a wrong tuple to disrupt the establishment of the group session key, he is identified as a malicious participant by the two verifying equations and . He is then removed from the participant set , and the remaining honest participants may rerun the protocol.
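The following Python is an added example, not the paper’s own pairing-based construction (whose equations are not reproduced on this page). It models the two-round structure above with swapped-in building blocks: a Burmester-Desmedt style exchange over a safe-prime group in place of the pairing computation, and a Chaum-Pedersen proof of equal discrete logarithms (made noninteractive with Fiat-Shamir) in place of the pairing-based confirmed computation tuple. The Round 1 identity signatures, the period keys, and revocation are omitted; the identities ID_A to ID_D, the 70-bit group size, the generator 4, and the session identifier are assumptions for illustration. What it shows is the distinction the text draws: when the proofs are ignored (passive detection), a corrupted Round 2 value only makes the parties’ keys disagree, whereas when the proofs are checked (active detection) the sender of the wrong value is named and removed before any key is computed.

```python
# Added example, not the paper's protocol: Burmester-Desmedt style exchange over a
# safe-prime group with a Chaum-Pedersen DLEQ proof as the confirmed computation.
import hashlib
import secrets


def is_prime(n: int) -> bool:
    """Miller-Rabin with bases that are deterministic for n < 3.3e24."""
    if n < 2 or n % 2 == 0:
        return n == 2
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if a % n == 0:
            continue
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime_group(bits: int = 70):
    """First safe prime p = 2q + 1 with q > 2**bits (toy size, assumption). g = 4 = 2^2
    is a quadratic residue, hence a generator of the prime-order-q subgroup of Z_p^*."""
    q = (1 << bits) | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4


def challenge(q: int, *parts) -> int:
    """Fiat-Shamir challenge in Z_q over a length-prefixed transcript."""
    h = hashlib.sha256()
    for part in parts:
        data = str(part).encode()
        h.update(len(data).to_bytes(4, "big") + data)
    return int.from_bytes(h.digest(), "big") % q


class Participant:
    def __init__(self, ident: str, group):
        self.ident, (self.p, self.q, self.g) = ident, group
        self.r = secrets.randbelow(self.q - 1) + 1  # secret value r_i
        self.z = pow(self.g, self.r, self.p)          # Round 1: z_i = g^r_i

    def round2(self, z_prev: int, z_next: int, sid: str):
        """X_i = (z_{i+1}/z_{i-1})^r_i plus a proof (c, s) that log_g z_i == log_base X_i."""
        p, q, g = self.p, self.q, self.g
        base = z_next * pow(z_prev, -1, p) % p
        x_val = pow(base, self.r, p)
        w = secrets.randbelow(q - 1) + 1
        c = challenge(q, sid, self.ident, self.z, base, x_val,
                      pow(g, w, p), pow(base, w, p))
        return x_val, (c, (w + c * self.r) % q)


def verify_contribution(group, sid, ident, z, z_prev, z_next, x_val, proof) -> bool:
    """Recompute both commitments from (c, s); a wrong X under an honest z fails."""
    p, q, g = group
    c, s = proof
    base = z_next * pow(z_prev, -1, p) % p
    commit_g = pow(g, s, p) * pow(z, -c, p) % p
    commit_b = pow(base, s, p) * pow(x_val, -c, p) % p
    return c == challenge(q, sid, ident, z, base, x_val, commit_g, commit_b)


def group_key(group, i: int, r_i: int, zs, xs) -> int:
    """K_i = z_{i-1}^{n r_i} X_i^{n-1} X_{i+1}^{n-2} ... X_{i-2}^1 = g^{sum r_j r_{j+1}}."""
    p, n = group[0], len(zs)
    key = pow(zs[(i - 1) % n], n * r_i, p)
    for k in range(n - 1):
        key = key * pow(xs[(i + k) % n], n - 1 - k, p) % p
    return key


def run_session(idents, group, cheater=None, active=True):
    """One session. `cheater` broadcasts a corrupted X but keeps its (now invalid) proof.
    active=True verifies every Round 2 tuple and reports failing senders in `flagged`;
    active=False ignores the proofs, so the keys disagree but nobody is identified."""
    n = len(idents)
    parts = [Participant(ident, group) for ident in idents]
    sid = "|".join(idents)  # stands in for the concatenated identities of the session
    zs = [pt.z for pt in parts]
    tuples = []
    for i, pt in enumerate(parts):
        x_val, proof = pt.round2(zs[(i - 1) % n], zs[(i + 1) % n], sid)
        if pt.ident == cheater:
            x_val = x_val * group[2] % group[0]  # wrong value, proof unchanged
        tuples.append((x_val, proof))
    flagged = set()
    if active:
        for j, pt in enumerate(parts):
            if not verify_contribution(group, sid, pt.ident, zs[j], zs[(j - 1) % n],
                                       zs[(j + 1) % n], *tuples[j]):
                flagged.add(pt.ident)
    if flagged:
        return {}, flagged  # abort; the honest parties rerun without the flagged identities
    xs = [x_val for x_val, _ in tuples]
    return {pt.ident: group_key(group, i, pt.r, zs, xs) for i, pt in enumerate(parts)}, flagged


if __name__ == "__main__":
    grp, ids = safe_prime_group(), ["ID_A", "ID_B", "ID_C", "ID_D"]
    print(run_session(ids, grp)[1], run_session(ids, grp, "ID_C")[1])  # set() {'ID_C'}
```

In the paper the Round 2 check additionally binds the value to the sender’s period private key through the signature scheme of [6]; this toy proves only that the same ephemeral secret was used in both rounds, which is the part that lets an honest party name the sender of a wrong value rather than merely notice that the keys disagree. The cheater here keeps the proof for the honest value; a cheater that fabricates a fresh proof for the wrong value fails the same check, since that would amount to proving a false discrete-log equality.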

5. Security Analysis

In this section, we prove the security of the proposed RID-AGKE protocol in the random oracle model [19] and under the CDH and DBDH assumptions.

ID and Forgery Attacks

Theorem 4. The proposed RID-AGKE protocol is secure against ID and forgery attacks.

Proof. Note that we adopt a revocable ID-based signature (RIDS) scheme [16] in Round 1 and a pairing-based signature scheme [6] in Round 2. Both signature schemes have been proven secure against ID and forgery attacks, for a single signature and for multiple signatures with batch verification. Therefore, the proposed RID-AGKE protocol is secure against ID and forgery attacks.

Secure RID-AGKE Providing Forward Secrecy. Now, we demonstrate that the proposed RID-AGKE protocol is a secure RID-AGKE providing forward secrecy. Note that we use a technique similar to that in [3, 4, 6] to prove Theorem 5.

Theorem 5. Assume that four hash functions , , , and are random oracles. Then, the proposed RID-AGKE protocol is a secure RID-AGKE providing forward secrecy under the decisional bilinear Diffie-Hellman (DBDH) and the computational Diffie-Hellman (CDH) assumptions. Concretely, where and are total numbers of making Execute and Send queries, respectively. Note that denotes the advantage of any forgers successfully attacking the protocol .

Proof. Assume that is an active adversary in attacking the proposed RID-AGKE protocol with a nonnegligible advantage. Now, we consider the two possible cases. The first case is that with the advantage can impersonate a participant (i.e., forging authentication transcripts). Another case is that with the advantage can break the protocol without modifying any transcripts.
Case 1. We assume that the adversary with an adaptive impersonation ability can break the RID-AGKE protocol . Using , we construct a forger which returns valid signature tuples and with respect to the proposed protocol as follows. The forger first generates all needed system parameters and keys. Then, simulates the oracle queries made by . This simulation is perfectly indistinguishable from ’s real oracle queries unless makes a Corrupt query on , where is a period index. If that occurs, fails and stops. Otherwise, when generates two signature tuples and , returns the tuples and . Let Forge be the event that the adversary successfully generates two valid signature tuples. Then, the probability that successfully returns two valid signature tuples is bounded by .
Case  2. We assume that the adversary can break the proposed RID-AGKE protocol without modifying any transcripts. We first focus on the case that makes Execute query once on and then extends this to the case that makes multiple Execute queries, where the number of participants and period are selected by . The real execution of is given by where denotes the transcript and is the group session key for period .
In Real, each . by the bilinear pairing operations. We can use a random value to substitute . Thus, a new distribution is obtained as follows:
Note that can obtain all private keys and hash values by making Corrupt and Hash queries. It means that can compute all for . Since the discrete logarithm problem in is intractable, cannot obtain any information about from for .
In the following claim, we want to show that to distinguish two distributions Real from can be reduced to solve the decisional bilinear Diffie-Hellman (DBDH) problem. Let .
Claim. For any algorithm with running time , we have
Proof. As mentioned above, each . Here, we use to substitute and then each can be written into for . Hence, the group session key also can be written into , where .
To solve the DBDH problem, we use a technique to handle the related parameter. Consider the following algorithm which takes as input , , and for some . first generates according to the distribution . Then, runs and outputs whatever outputs. The distribution is defined as follows: Note that this distribution depends on , , and .
By the above distribution , let . Then, we can obtain another distribution called . Obviously, is identical to Real because
Similarly, let for some . Then, we can obtain another distribution called . Obviously, is identical to because Therefore, we have
This completes the proof of claim.
Using the same process in , we can define other distributions for . By a similar approach in claim, we can obtain the following n-1 equations in (11) for any adversary with running time This implies
In , the values are constrained by according to the following equations: where . Since can be expressed as , we can obtain . Because is linear and independent of the set , it implies that is independent of the transcript . In other words, for any adversary Therefore, the advantage of on the event is bounded by . Combining the two cases, the advantage of is bounded by Finally, a standard hybrid argument immediately shows that

Under the decisional bilinear Diffie-Hellman (DBDH) assumption, the advantage is negligible. By Theorem 4, the advantage is also negligible. Hence, we can obtain that the advantage is negligible according to the result in Theorem 5. It implies that the proposed RID-AGKE protocol is a secure RID-AGKE providing forward secrecy.

Identifying Malicious Participant

Theorem 6. The proposed RID-AGKE protocol can identify malicious participants.

Proof. Note that in Round 2 a noninteractive confirmed computation technique is built into the adopted pairing-based signature scheme. The security of this confirmed computation was proven in [6]. Concretely, each participant can confirm that the broadcast value was computed using her/his secret once the two verifying equations pass, for except . Hence, if a participant broadcasts a wrong to disturb the establishment of the group session key, he is identified as a malicious participant. In other words, the proposed RID-AGKE protocol identifies malicious participants by means of the confirmed computation technique.

6. Performance Analysis and Comparisons

To evaluate the computational cost conveniently, we focus on the time-consuming pairing-based operations as follows:
(i) : the time of executing a bilinear map operation ;
(ii) : the time of executing a point scalar multiplication operation in ;
(iii) : the time of executing a map-to-point hash function ;
(iv) : the time of executing a modular exponentiation operation over a finite field , where is a large prime number;
(v) : the time of executing a modular multiplicative inverse operation over a finite field , where is a large prime number.

Here, we first analyze the computational cost of our protocol. In Round 1, is required to compute . In Round 2, each participant requires to verify for and to generate . In the group key computation phase, is required to verify all and to compute a group key . Note that to evaluate is required since , where , , , and . As a result, each participant requires in our protocol.

In Table 1, we compare our RID-AGKE protocol with four previously proposed AGKE protocols, namely Tseng’s AGKE protocol [25], Choi et al.’s ID-AGKE protocol [26], Wu et al.’s ID-AGKE protocol [6], and Wu et al.’s RID-AGKE protocol [4], in terms of the public key setting, number of rounds, computational cost, and security properties. One recent AGKE protocol with identification of malicious participants that is neither ID-based nor RID-based was proposed by Tseng [25]. Since Tseng’s protocol is based on the ElGamal system [29], each participant must verify the other participants’ certificates for participant authentication. This adds the cost of verifying certificates on top of . In contrast, Choi et al.’s ID-AGKE [26], Wu et al.’s ID-AGKE [6], Wu et al.’s RID-AGKE [4], and our protocol rely on the IDPKS [8] or the R-IDPKS [14]. Thus, they need not manage or verify the participants’ certificates. However, Choi et al.’s ID-AGKE [26] suffers from an insider colluding attack demonstrated by Wu and Tseng [27].

Wu et al.’s ID-AGKE [6], Wu et al.’s RID-AGKE [4], and our protocol are provably secure and resist malicious participants. It is easy to see that our protocol is more efficient than Wu et al.’s ID-AGKE [6], even though both protocols identify malicious participants via the confirmed computation approach. More importantly, Wu et al.’s ID-AGKE protocol [6] provides no way to revoke a compromised or misbehaving user in the group. This is a serious drawback, because revoked participants should not be allowed to establish a common key with the legal (nonrevoked) participants. On the other hand, Wu et al.’s RID-AGKE [4] is a three-round protocol that adopts an explicit key confirmation approach to resist malicious participants. Though their protocol can detect the existence of malicious participants, it still cannot identify them. Our proposed RID-AGKE is a two-round protocol and provides an active detection mechanism that identifies malicious participants. Table 1 summarizes these advantages of our protocol.

7. Conclusions

In this paper, we have fused the Tseng-Tsai R-IDPKS system and a noninteractive confirmed computation technique to propose the first RID-AGKE protocol that identifies malicious participants. The framework and security notions for RID-AGKE protocols have been defined to formalize the possible threats and attacks. Compared with the recently proposed ID/RID-AGKE protocols resistant to malicious participants, our protocol has better performance and provides an active detection approach that identifies malicious participants. In the random oracle model and under two mathematical assumptions (CDH and DBDH), we have proven that the proposed protocol is a secure RID-AGKE protocol with forward secrecy that identifies malicious participants.

Notations

: A bilinear map, , defined in Section 2.1
:The system private key,
:A generator of group
:The system public key,
:The identity of participant
:The participant ’s initial private key
:The participant ’s update key for period
:The participant ’s private key for period ,
:A map-to-point hash function,
:A map-to-point hash function,
:A hash function,
:A hash function, .

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgments

The authors thank the referees for their valuable comments and constructive suggestions. This research was partially supported by Shenzhen Peacock Project of China (no. KQC201109020055A) and Shenzhen Strategic Emerging Industries Program of China (no. ZDSY20120613125016389).