Identity-based authentication protocol for grid
Source: Journal of Systems Engineering and Electronics, Vol. 19, No. 4, pp. 860-864, 2008
Authors: Li Hongwei, Sun Shixin, and Yang Haomiao
Reporter: 陳德祐
Outline
• Weil pairing properties
• Identity-based architecture for grid
• Identity-based encryption
• Identity-based signature
• Identity-based authentication protocol
• Security of the proposed scheme
Bilinear pairings

Let $G_1$, $G_2$ be cyclic groups of the same prime order $q$:
• $G_1$: an additive group of points on an elliptic curve $E(\mathbb{F}_p)$
• $G_2$: a multiplicative group
• $P$: a generator of $G_1$

Definition. A bilinear map $e : G_1 \times G_1 \to G_2$ satisfies
1. Bilinear: $e(aP, bQ) = e(P, Q)^{ab}$ for all $P, Q \in G_1$ and $a, b \in \mathbb{Z}_q^*$
2. Non-degenerate: there exist $P, Q \in G_1$ such that $e(P, Q) \neq 1$
3. Computability: there is an efficient algorithm to compute $e(P, Q)$ for all $P, Q \in G_1$
Identity-based architecture for grid (IBAG)

The hierarchy has three levels; an identity is the concatenation of the distinguished names (DNs) on the path from the root:
• 0-level, root PKG $DN_0$: $ID_0 = DN_0$
• 1-level, virtual organization (sub-PKG) $DN_M$: $ID_M = DN_0 \| DN_M$
• 2-level, entity $DN_N$: $ID_N = DN_0 \| DN_M \| DN_N$
Prefixes of an identity are written $ID_N|_i$: $ID_N|_0 = DN_0$, $ID_N|_1 = DN_0 \| DN_M$, $ID_N|_2 = DN_0 \| DN_M \| DN_N$.
Root PKG setup

• $G_1$, $G_2$: two groups of prime order $q$
• An admissible pairing $\hat e : G_1 \times G_1 \to G_2$
• A generator $P \in G_1$
• $H_1 : \{0,1\}^* \to G_1$
• $H_2 : G_2 \to \{0,1\}^n$
• Choose a random master scalar $s_0 \in \mathbb{Z}_q^*$ (its symbol is lost in the extracted slides; it is written $s_0$ throughout) and set $Q_0 = s_0 P$, $P_0 = H_1(DN_0)$, $S_0 = s_0 P_0$

The root PKG's master key: $S_0$
System parameters: $\langle G_1, G_2, \hat e, P, Q_0, P_0, H_1, H_2 \rangle$
Lower-level setup

The root PKG acts for a node $X$ in the 1-level as follows:
• Compute the public key of node $X$: $P_X = H_1(ID_X)$, where $ID_X = DN_0 \| DN_X$
• Set the secret key of node $X$: $S_X = S_0 + \rho_X P_X$, where $\rho_X \in \mathbb{Z}_q^*$ is known by $X$ and its parent node
• Compute the Q-value $Q_{ID_X|1} = \rho_X P$, which is public

Each node in the 1-level performs the same steps for its children, so a node $Y$ in the 2-level with $ID_Y = DN_0 \| DN_X \| DN_Y$ gets
• public key $P_Y = H_1(ID_Y)$
• secret key $S_Y = S_0 + \rho_X P_X + \rho_Y P_Y$ and secret point $\rho_Y$
• public Q-values $Q_{ID_Y|1} = \rho_X P$, $Q_{ID_Y|2} = \rho_Y P$
where $\rho_X$ is the secret point of node $DN_0 \| DN_X$ and $\rho_Y$ is the secret point of node $DN_0 \| DN_X \| DN_Y$.
Key hierarchy with the reporter's observations

• Root PKG $DN_0$ (0-level): chooses the master scalar $s_0 \in \mathbb{Z}_q^*$ and sets $Q_0 = s_0 P$, $P_0 = H_1(DN_0)$, $S_0 = s_0 P_0$; master key $S_0$; system parameters $\langle G_1, G_2, \hat e, P, Q_0, P_0, H_1, H_2 \rangle$
• Sub-PKG / virtual organization $X$ with $ID_X = DN_0 \| DN_X$ (1-level): public key $P_X = H_1(ID_X)$; secret key $S_X = S_0 + \rho_X P_X$, where $\rho_X \in \mathbb{Z}_q^*$ is known by $X$ and its parent node; public Q-value $Q_{ID_X|1} = \rho_X P$
  Observation: if $\rho_X$ is known by $X$, then $X$ recovers the root's master key as $S_0 = S_X - \rho_X P_X$.
• Entity $Y$ with $ID_Y = DN_0 \| DN_X \| DN_Y$ (2-level): public key $P_Y = H_1(ID_Y)$; secret key $S_Y = S_0 + \rho_X P_X + \rho_Y P_Y$ and secret point $\rho_Y$; public Q-values $Q_{ID_Y|1} = \rho_X P$, $Q_{ID_Y|2} = \rho_Y P$, where $\rho_X$ is the secret point of $DN_0 \| DN_X$ and $\rho_Y$ that of $DN_0 \| DN_X \| DN_Y$
  Observation: in the same way $Y$ knows its parent's secret key, $S_X = S_0 + \rho_X P_X = S_Y - \rho_Y P_Y$.
Identity-based encryption

Let $E_1$ encrypt a message $m$ for $E_2$ with $ID_{E_2} = DN_0 \| DN_1 \| DN_2$. $E_1$ computes
• $P_1 = H_1(DN_0 \| DN_1)$
• $P_2 = H_1(DN_0 \| DN_1 \| DN_2)$
• a random $r \in \mathbb{Z}_q^*$
• the ciphertext $C = \langle rP, rP_1, rP_2, H_2(g^r) \oplus m \rangle = \langle U_0, U_1, U_2, V \rangle$, where $g = \hat e(Q_0, P_0) = \hat e(s_0 P, P_0)$ ($s_0$ the root's master scalar) and $P_0 = H_1(ID_0)$
Identity-based decryption

Given $C = \langle rP, rP_1, rP_2, H_2(g^r) \oplus m \rangle = \langle U_0, U_1, U_2, V \rangle$, $E_2$ decrypts using its secret key $S_{E_2} = S_0 + \rho_1 P_1 + \rho_2 P_2$, where
• $\rho_1$ is the secret point of node $DN_0 \| DN_1$
• $\rho_2$ is the secret point of node $DN_0 \| DN_1 \| DN_2$

$$d = \frac{\hat e(U_0, S_{E_2})}{\prod_{i=1}^{2} \hat e(Q_{ID_{E_2}|i}, U_i)}
  = \frac{\hat e(rP, S_0 + \rho_1 P_1 + \rho_2 P_2)}{\hat e(\rho_1 P, rP_1)\,\hat e(\rho_2 P, rP_2)}
  = \frac{\hat e(rP, s_0 P_0)\,\hat e(rP, \rho_1 P_1 + \rho_2 P_2)}{\hat e(rP, \rho_1 P_1 + \rho_2 P_2)}
  = \hat e(rP, s_0 P_0) = g^r,$$
where $S_{E_2} = S_0 + \rho_1 P_1 + \rho_2 P_2$, $Q_{ID_{E_2}|1} = \rho_1 P$, $Q_{ID_{E_2}|2} = \rho_2 P$ and $s_0$ is the root's master scalar. Then $m = H_2(d) \oplus V$.
Cryptanalysis of identity-based decryption

Consider $C = \langle rP, rP_1, rP_2, H_2(g^r) \oplus m \rangle = \langle U_0, U_1, U_2, V \rangle$ addressed to $E_2$. An entity $E_3$ under the same VO knows the parent node's secret key $S = S_0 + \rho_1 P_1$ (as noted under the key hierarchy, a 2-level entity obtains its parent's key by subtracting its own $\rho P$ term from its secret key) and can decrypt $C$ without $E_2$'s key:
$$d = \frac{\hat e(U_0, S)}{\hat e(Q_{ID_{E_2}|1}, U_1)}
  = \frac{\hat e(rP, S_0 + \rho_1 P_1)}{\hat e(\rho_1 P, rP_1)}
  = \frac{\hat e(rP, s_0 P_0 + \rho_1 P_1)}{\hat e(\rho_1 P, rP_1)}
  = \frac{\hat e(rP, s_0 P_0)\,\hat e(rP, \rho_1 P_1)}{\hat e(\rho_1 P, rP_1)}
  = \hat e(rP, s_0 P_0) = \hat e(s_0 P, P_0)^r = g^r,$$
where $S = S_0 + \rho_1 P_1$, $Q_{ID_{E_2}|1} = \rho_1 P$ and $s_0$ is the root's master scalar, so $E_3$ obtains $m = H_2(d) \oplus V$. Only $U_0$ and $U_1$ of the ciphertext are needed.
Identity-based signature

$E_2$ signs $m$ as follows:
• Compute $P_m = H_1(DN_0 \| DN_1 \| DN_2 \| m)$
• Compute $\delta = S_{E_2} + \rho_2 P_m$, where $\rho_2$ is the secret point of $E_2$
• Output the signature $\langle \delta, P_m, Q_{ID_{E_2}|1}, Q_{ID_{E_2}|2} \rangle$

Other entities verify the signature by checking
$$\hat e(P, \delta) \stackrel{?}{=} \hat e(P, \rho_2 P_m)\,\hat e(Q_0, P_0)\prod_{i=1}^{2}\hat e(Q_{ID_{E_2}|i}, P_i)
  = \hat e(Q_{ID_{E_2}|2}, P_m)\,\hat e(Q_0, P_0)\prod_{i=1}^{2}\hat e(Q_{ID_{E_2}|i}, P_i),$$
using $Q_{ID_{E_2}|2} = \rho_2 P$. Correctness:
$$\hat e(P, \delta) = \hat e(P, s_0 P_0 + \rho_1 P_1 + \rho_2 P_2 + \rho_2 P_m)
  = \hat e(\rho_2 P, P_m)\,\hat e(s_0 P, P_0)\,\hat e(\rho_1 P, P_1)\,\hat e(\rho_2 P, P_2)
  = \hat e(Q_{ID_{E_2}|2}, P_m)\,\hat e(Q_0, P_0)\,\hat e(Q_{ID_{E_2}|1}, P_1)\,\hat e(Q_{ID_{E_2}|2}, P_2),$$
where $S_{E_2} = S_0 + \rho_1 P_1 + \rho_2 P_2$, $Q_0 = s_0 P$ ($s_0$ the root's master scalar), $Q_{ID_{E_2}|1} = \rho_1 P$, $Q_{ID_{E_2}|2} = \rho_2 P$.
Identity-based authentication protocol

Notations
• $n_C$, $n_S$: fresh random numbers (nonces)
• $ID$: the session identifier
• $specification_C$: the cipher specification of $C$
• $specification_S$: the cipher specification of $S$
• $FCS$: a pre-master secret used to generate the shared key
• $E_{P_C}[FCS]$: encrypt $FCS$ with the public key $P_C$ of the entity $C$
• $Sig_{S_S}[M]$: sign $M$ with the private key $S_S$ of the entity $S$
Identity-based authentication protocol

$C \to S$: ClientHello($n_C$, $ID$, $specification_C$), ClientHelloDone
$S \to C$: ServerHello($n_S$, $ID$, $specification_S$), ServerKeyExchange($E_{P_C}[FCS]$), IdentityVerify($Sig_{S_S}[M]$), ServerHelloDone
$C \to S$: ClientFinished

Session key $K_{CS} = PRF(FCS, n_C, n_S)$, where $PRF$ is a pseudo-random function.
Security of the proposed protocol

• Masquerade as $C$
• Learning the session key

Both follow from the decryption attack above: an entity under the same VO as $C$ recovers the VO's secret key and decrypts ServerKeyExchange($E_{P_C}[FCS]$), so it obtains $FCS$ and hence $K_{CS} = PRF(FCS, n_C, n_S)$ ($n_C$ and $n_S$ are sent in the clear); and since the protocol authenticates $C$ only by its ability to decrypt $FCS$, the same entity can complete the handshake as $C$.
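Worked example, added here and not part of the paper or the slides: the hierarchy setup, encryption/decryption, signature, the reporter's key-recovery observations and the protocol's session key, run on a toy symmetric pairing $e(aP, bP) = h^{ab}$ over $\mathbb{Z}_q$ with small constructed parameters ($q = 1019$, $p = 2039$) chosen only so the slides' equations can be executed. The toy pairing is not secure (discrete logs in it are trivial) and nothing below is the authors' code. Assumptions: the root master scalar is named `s0`, `||` is a literal separator inside identities, HMAC-SHA256 stands in for the unspecified $PRF$, and all secrets, nonces and messages are fixed constants. `demo()` checks honest decryption and signature verification, then the observations: a VO node recovers $S_0$, and a sibling entity recovers the VO key, reads a ciphertext addressed to $C$, and decrypts ServerKeyExchange to derive $K_{CS}$.

```python
# Toy model of the IBAG scheme (root PKG -> VO -> entity); checks the algebra only.
import hashlib
import hmac

# Toy symmetric "pairing": G1 = (Z_q, +) with generator P = 1, G2 = the order-q
# subgroup of Z_p^*, e(aP, bP) = h^(ab). Bilinear and non-degenerate, but discrete
# logs are trivial, so this is NOT a secure instantiation.
Q = 1019                 # prime group order (constructed toy parameter)
P_MOD = 2 * Q + 1        # 2039, also prime, so 4 = 2^2 has order q in Z_p^*
H_GEN = 4
GEN_P = 1                # the generator P of G1

def pair(a, b):
    """e(aP, bP) = h^(ab mod q)."""
    return pow(H_GEN, (a * b) % Q, P_MOD)

def h1(data):
    """H1: {0,1}* -> G1, a non-zero multiple of P."""
    return 1 + int.from_bytes(hashlib.sha256(data).digest(), "big") % (Q - 1)

def h2(g):
    """H2: G2 -> {0,1}^256, returned as an int mask."""
    return int.from_bytes(hashlib.sha256(g.to_bytes(4, "big")).digest(), "big")

def ident(path, level):
    """ID|level = DN_0 || ... || DN_level ("||" is a literal separator here)."""
    return b"||".join(path[: level + 1])

def root_setup(s0, dn0):
    """Root PKG: Q0 = s0*P, P0 = H1(DN0), master key S0 = s0*P0 (s0 is our name)."""
    p0 = h1(dn0)
    return {"Q0": s0 * GEN_P % Q, "P0": p0, "S0": s0 * p0 % Q}

def extract(parent_secret, node_id, rho):
    """Lower-level setup: S_X = S_parent + rho_X*P_X, public Q_X = rho_X*P.
    The node itself learns rho_X, as the slides say (known by X and its parent)."""
    return {"S": (parent_secret + rho * h1(node_id)) % Q, "rho": rho, "Q": rho * GEN_P % Q}

def encrypt(params, path, r, m):
    """C = <rP, rP_1, ..., rP_t, H2(g^r) xor m> with g = e(Q0, P0)."""
    g = pair(params["Q0"], params["P0"])
    us = [r * GEN_P % Q] + [r * h1(ident(path, i)) % Q for i in range(1, len(path))]
    return us, h2(pow(g, r, P_MOD)) ^ m

def decrypt(secret, q_values, cipher):
    """d = e(U0, S) / prod_i e(Q_i, U_i) = g^r; m = H2(d) xor V."""
    us, v = cipher
    d = pair(us[0], secret)
    for q_i, u_i in zip(q_values, us[1:]):
        d = d * pow(pair(q_i, u_i), -1, P_MOD) % P_MOD
    return h2(d) ^ v

def recover_parent_key(node, node_id):
    """Reporter's observation: S_parent = S_X - rho_X*P_X, computable by X itself."""
    return (node["S"] - node["rho"] * h1(node_id)) % Q

def sign(node, path, m):
    """delta = S_E + rho_E*P_m with P_m = H1(ID_E || m)."""
    pm = h1(ident(path, len(path) - 1) + b"||" + m)
    return (node["S"] + node["rho"] * pm) % Q, pm

def verify(params, path, q_values, sig, m):
    """e(P, delta) == e(Q_t, P_m) e(Q0, P0) prod_i e(Q_i, P_i).
    P_m is recomputed from m rather than trusted from the signature (stricter than the slide)."""
    delta, pm = sig
    if pm != h1(ident(path, len(path) - 1) + b"||" + m):
        return False
    rhs = pair(q_values[-1], pm) * pair(params["Q0"], params["P0"]) % P_MOD
    for i, q_i in enumerate(q_values, 1):
        rhs = rhs * pair(q_i, h1(ident(path, i))) % P_MOD
    return pair(GEN_P, delta) == rhs

def session_key(fcs, nc, ns):
    """K_CS = PRF(FCS, n_C, n_S); HMAC-SHA256 is our stand-in for the unspecified PRF."""
    return hmac.new(fcs.to_bytes(32, "big"), nc + ns, hashlib.sha256).digest()

def demo():
    """Honest use, then the attacks. Constants are fixed for repeatability."""
    dn = [b"DN0", b"DN1", b"DN2"]
    params = root_setup(617, dn[0])
    vo = extract(params["S0"], ident(dn, 1), 233)        # VO  DN0||DN1
    e2 = extract(vo["S"], ident(dn, 2), 451)              # C = DN0||DN1||DN2
    sib = [b"DN0", b"DN1", b"DN3"]
    e3 = extract(vo["S"], ident(sib, 2), 89)              # sibling entity under the same VO
    q_e2 = [vo["Q"], e2["Q"]]
    c = encrypt(params, dn, 777, 0x1234)
    honest = decrypt(e2["S"], q_e2, c) == 0x1234
    # E3 recovers the VO key, then decrypts C with it (only U0, U1 are needed).
    s_vo = recover_parent_key(e3, ident(sib, 2))
    sibling_reads = s_vo == vo["S"] and decrypt(s_vo, [vo["Q"]], (c[0][:2], c[1])) == 0x1234
    vo_gets_root = recover_parent_key(vo, ident(dn, 1)) == params["S0"]
    sig = sign(e2, dn, b"hello")
    sig_ok = verify(params, dn, q_e2, sig, b"hello") and not verify(params, dn, q_e2, sig, b"hullo")
    # Protocol consequence: ServerKeyExchange = E_PC[FCS]; E3 decrypts it and derives K_CS.
    nc, ns = b"client-nonce", b"server-nonce"
    ske = encrypt(params, dn, 31, 0xC0FFEE)
    leaked_fcs = decrypt(s_vo, [vo["Q"]], (ske[0][:2], ske[1]))
    key_leak = session_key(leaked_fcs, nc, ns) == session_key(0xC0FFEE, nc, ns)
    return honest, sibling_reads, vo_gets_root, sig_ok, key_leak
```

Running `demo()` returns five `True` values: the first two confirm the slides' decryption equation and the sibling attack, the third that a 1-level node recovers the master key, the fourth that the signature verifies and rejects a changed message, and the last that the sibling ends up with the same $K_{CS}$ as $C$.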