contributory key agreement
Evolution and research on group key agreement (GKA) protocols
Yuh-Min Tseng
Information Security Lab. (ISL)
Department of Mathematics
NCUE
E-mail: [email protected]
http://ymtseng.math.ncue.edu.tw
Outline
1. Finding Problems
2. Definitions and evolutions of problems
3. Research approaches and related works
4. Problem 1: GKA protocol resistant to insider attacks
5. Problem 2: GKA protocol for imbalanced networks
6. Problem 3: Pairing-based (ID-based) GKA protocol
7. Conclusions
ISL, Math.,
1. Finding problems
- Assigned by your advisor
- Research trend for some problems or applications
- Referee of manuscripts submitted to conferences or journals
- Open / unsolved problems (famous problems)
- Self-finding problems (important!)
  - Seminars
  - Periodically downloading papers of related conferences and journals (conferences: new; journals: complete)
  - Some experts' web-sites
- Livelihood problems (to solve some practical problems)
1. Finding problems => Famous problems
Pythagoras (-572 ~ -492): x^2 + y^2 = z^2 (right triangle)
Fermat (1601-1665): Fermat's conjectures?
- Fermat's Little Theorem: for all primes p and 1 ≦ a ≦ p-1, a^(p-1) ≡ 1 (mod p)
- Fermat's Last Theorem: x^n + y^n = z^n, n > 2, has no positive integer solutions
  "I have obtained a perfect proof, but no space to write it"?
1. Finding problems => Famous problems
- Fermat's Little Theorem: for all primes p and 1 ≦ a ≦ p-1, a^(p-1) ≡ 1 (mod p)
  - Euler (1707-1783), Euler's Theorem; proof: a corollary of Euler's theorem
- Fermat's Last Theorem: x^n + y^n = z^n, n > 2, has no positive integer solutions
  - Wiles' proof, 370 years later: Wiles (1993), Taylor (1995, complete)
  - Based on many previous theorems and conjectures
1. Finding problems => Fermat's Little Theorem
Public-key primitives in cryptography
- Euler's Theorem: for all a ∈ Z_n^*, a^φ(n) ≡ 1 (mod n)
  - Euler's totient function φ(n) = |Z_n^*| = the number of positive integers less than n and relatively prime to n
- Fermat's Little Theorem: for all primes p and 1 ≦ a ≦ p-1, a^(p-1) ≡ 1 (mod p)
  - Proof: a corollary of Euler's theorem, since φ(p) = p-1 and gcd(a, p) = 1 for 1 ≦ a ≦ p-1.
- Both theorems are useful in public-key systems (RSA, DSA, and ElGamal) and primality testing.
1. Finding problems => Fermat's Last Theorem
One conjecture => Fermat's Last Theorem
History
- Fermat (n=4), Euler (n=3), Gauss (n=3, complete)
- Legendre (n=5) => Legendre symbol (primality test)
- Dirichlet (n=14), Lame (n=7), Kummer (1810-1893) (n<100)
- ...
- Wolfskehl (1908, offering a 100000 Marks prize)
- Taniyama-Shimura theorem/conjecture (1960): relationships among Fermat's Last Theorem, elliptic curves and modular forms
- Wiles (1993, 1995): a proof of Fermat's Last Theorem
  - Based on the Taniyama-Shimura theorem/conjecture
- Elliptic Curve Cryptography (ECC, secure and efficient)
1. Finding problems => Fermat's Last Theorem
A. Wiles, Modular elliptic curves and Fermat's Last Theorem, Annals of Mathematics 141 (1995), pp. 443-551
=> 1998 Fields Medal (Specific Award, 44 years old)
R. Taylor and A. Wiles, Ring theoretic properties of certain Hecke algebras, Annals of Mathematics 141 (1995), pp. 553-572
1. Finding problems => Famous problems
Fermat's other conjecture: F_n = 2^(2^n) + 1 is prime
- F1=5, F2=17, F3=257, F4=65537
- Error => F5 = 641 * 6700417
Mersenne (1588-1648): 2^p - 1 is prime => p is prime
- 2^2-1=3, 2^3-1=7, 2^5-1=31, 2^7-1=127
- Error (the converse fails) => 2^11-1 = 23 * 89
GIMPS: The Great Internet Mersenne Prime Search
- 44th Mersenne prime (2006, September 4): 2^32582757 - 1 = known large prime (9,808,358 decimal digits)
- 10,000,000 decimal digits => US$100,000
1. Finding problems => Personal experiences
Group key agreement protocols
- Deep: focusing on one issue deeply
- Broad: understanding related issues
- Co-assistive
  - Two-party key agreement protocols
  - Group (conference, multi-party) key establishment
    - Conference key distribution protocols
    - Group key agreement (GKA) protocols
  - Resource-limited devices: elliptic curve
    - Imbalanced network (WLAN, cellular network)
    - Mobile ad hoc networks
    - Sensor networks
  - Based on various cryptographic systems (ID-based, pairing)
2. Definitions and evolutions of problems
=> Diffie-Hellman key exchange (1976)
The DH scheme provides two-party key agreement
Global parameters: (g, p)
- p: a large prime, say, 1024-bit long
- g: a generator for the group Z_p^*
Alice:
(1) Randomly select a, compute Y_a = g^a mod p
(2) Send Y_a to Bob
(3) Compute Y_ab = (Y_b)^a mod p
Bob:
(1*) Randomly select b, compute Y_b = g^b mod p
(2*) Send Y_b to Alice
(3*) Compute Y_ba = (Y_a)^b mod p
Common key K = Y_ab = Y_ba = g^ab mod p
Security: recovering a from Y_a (or b from Y_b) is the discrete logarithm problem
2. Definitions and evolutions of problems
Group key establishment protocol
- allows users to construct a group key that is used to encrypt/decrypt transmitted messages among the users over an open communication channel.
Categories:
- Group key distribution
  - there is a chairman who is responsible for generating a common key and then securely distributing this group key to the other users.
- Group key agreement
  - involves all users cooperatively constructing a group key.
2. Definitions and evolutions of problems
=> Categories
Figure: Group key distribution (a chair generates the key and distributes it to U1, U2, ..., Un): easy issue.
Figure: Group key agreement (U1, U2, ..., Un all contribute to the key): challenging issue.
2. Definitions and evolutions of problems
=> Group key agreement
Four research approaches
- Concurrent ring (1982, Ingemarsson et al.): first group key agreement (parallel processors)
- Linear ring + 1 broadcast (many protocols)
- Binary tree (many protocols)
- Broadcast (many protocols)
2. Definitions and evolutions of problems
=> (1) Concurrent ring (1982, Ingemarsson et al.)
First group key agreement
Figure: three users U1, U2, U3 with secrets x1, x2, x3. Each Ui sends g^xi to its ring neighbour; each user raises the value it receives to its own secret and forwards it (g^x1 -> g^x1x2 -> g^x1x2x3, g^x2 -> g^x2x3 -> g^x1x2x3, g^x3 -> g^x1x3 -> g^x1x2x3), until every user holds g^x1x2x3.
Note: n participants
1. It requires (n-1) rounds
2. Concurrent
Easy? How to devise?
2. Definitions and evolutions of problems
=> (2) Linear ring + 1 broadcast
Concept: (many protocols, 2002)
Figure: U1 -> U2 -> ... -> Un-1 -> Un, then Un broadcasts
Note: n participants
1. It requires (n-1) rounds
2. Ui must send i messages
2. Definitions and evolutions of problems
=> (3) Binary tree
Concept: bottom-up (many protocols, 2005)
Figure: leaves U1..U4 hold x1..x4 and publish g^x1, g^x2, g^x3, g^x4; the internal nodes derive g^x1x2 and g^x3x4; the root key is g^(g^x1x2 * g^x3x4).
Note: n participants
1. It requires log n rounds
2. Semi-concurrent
2. Definitions and evolutions of problems
=> (4) Broadcast
Burmester and Desmedt (1994, 2005)
Figure: U1, ..., Un on a broadcast channel
Step 1 (Round 1)
Ui (1 ≤ i ≤ n): keeps xi secret, broadcasts yi = g^xi mod p
Step 2 (Round 2)
Ui (1 ≤ i ≤ n): broadcasts zi = (yi+1 / yi-1)^xi mod p
Step 3 Each Ui computes the common key K
K = (yi-1)^(n·xi) · zi^(n-1) · zi+1^(n-2) · ... · zi-2 mod p
  = g^(x1x2 + x2x3 + ... + xnx1) mod p
3. Research approaches and related works
=> Burmester and Desmedt scheme
Burmester and Desmedt (1994)
- Non-authenticated: requires a secure authenticated broadcast channel
- (2005, IPL) They provide a complete proof.
Research approaches based on the BD scheme
- Authenticated
- Performance
- Security properties
3. Research approaches and related works
=> Three approaches
Authenticated: based on different cryptographic systems
- General public-key system (RSA, DSA, or ElGamal)
- Password-based
- ID-based (Weil pairing and elliptic curve)
Performance:
- Number of rounds
- Message size sent by each participant
- Computational cost required for each participant
Security properties:
- Withstanding impersonator attacks
- Providing forward secrecy
- Resisting malicious participant (insider) attacks (new)
3. Research approaches and related works
=> History and remarks
[1] Diffie-Hellman - 1976 (two-party): first key agreement
[2] Ingemarsson - 1982: first group key agreement
[3,4] BD - 1994 and 2005: efficient and proof
Research lines based on BD:
- Performance [5, 15]
  - [5] Horng - 2001: computationally efficient
  - [15] Jung - 2006: dynamic case (join/leave)
- Authenticated [6, 8, 9, 10, 16-19]
  - [6, 8] 2002, 2003
  - [9, 17, 18] 2004, 2005: ID-based (pairing), batch-verification (??????)
  - [10] Tan - 2005
  - [16] Abdalla - 2006: password-based
  - [19] Tseng - 2007: insider attack
- Transformation to authenticated [7, 11]
  - [7] Katz - 2003: round efficient
  - [11] Tang - 2005: round efficient
- Malicious participant [12, 13, 14]
  - [12] Tang - 2005: first transformation; attack it (insider attack)
  - [13] Katz - 2005: insider attack
  - [14] Tseng - 2005: insider attack
3. Research approaches and related works
=> Related papers
[1] Diffie, W. and Hellman, M.E. (1976) New directions in cryptography. IEEE
Trans. on Infom. Theory, 22, 644-654.
[2] Ingemarsson, I., Tang, T.D. and Wong, C.K. (1982) A conference key
distribution system. IEEE Trans. Infom. Theory, 28, 714-720.
[3] Burmester, M. and Desmedt, Y. (1994) A secure and efficient conference key
distribution system. Advances in Cryptology - Proceedings of Eurocrypt’94,
Perugia, Italy, 9-12 May, LNCS 950, pp. 275-286, Springer-Verlag, Berlin.
[4] M. Burmester and Y. Desmedt (2005) A secure and scalable group key
exchange system, Information Processing Letters, vol. 94, pp. 137-143, 2005.
[5] G. Horng (2001) An efficient and secure protocol for multi-party key
establishment, The Computer Journal 44 (5) (2001) 463-470.
[6] W. G. Tzeng (2002) A secure fault-tolerant conference-key agreement
protocol, IEEE Trans. on Computers 51 (4) (2002) 373-379.
[7] Katz, J. and Yung, M. (2003) Scalable Protocols for Authenticated Group
Key Exchange. Advances in Cryptology - Proceedings of Crypto’03, Santa
Barbara, CA, 17-21 August, LNCS 2729, pp. 110-125, Springer-Verlag, Berlin.
[8] Boyd, C. and Nieto, G. (2003) Round-Optimal Contributory Conference
Key Agreement. Proc. Public-Key Cryptography’03, Miami, USA, 6-8 January,
LNCS 2567, pp. 161-174, Springer-Verlag, Berlin.
3. Research approaches and related works
=> Related papers
[9] X. Yi (2004) Identity-Based Fault-Tolerant Conference Key Agreement, IEEE
TRANS. ON DEPENDABLE AND SECURE COMPUTING, VOL. 1, NO. 3, pp.170-178,
JULY-SEPTEMBER 2004.
[10] C. Tan and J. Teo, (2005) An Authenticated Group Key Agreement for
Wireless Networks, IEEE Communications Society, WCNC 2005, pp.2100-2105.
[11] Q. Tang and C. J. Mitchell, (2005) Efficient Compilers for Authenticated
Group Key Exchange, Computational Intelligence and Security: International
Conference, CIS 2005, Xi'an, China, December 15-19 2005, Proceedings, Part II,
Springer-Verlag LNCS 3802, Berlin (2005), pp.192-197.
[12] Q. Tang and C. J. Mitchell (2005) Security properties of two authenticated
conference key agreement protocols' (pdf), in: S. Qing, W, Mao, J. Lopez, and G.
Wang (eds.), Information and Communications Security: 7th International
Conference, ICICS 2005, Beijing, China, December 10-13, 2005. Proceedings,
Springer-Verlag LNCS 3783, Berlin (2005), pp.304-314.
[13] J. Katz, J. S. Shin (2005) Modeling Insider Attacks on Group Key Exchange
Protocols. ACM Conference on Computer and Communications Security 2005, pp.
180-189 .
[14] Tseng, Y.M. (2005) A robust multi-party key agreement protocol resistant to
malicious participants. The Computer Journal, 48, 480-487.
3. Research approaches and related works
=> Related papers
[15] B. E. Jung (2006) An Efficient Group Key Agreement Protocol, IEEE
communications letters, vol.10, no. 2, pp. 106-107, Feb. 2006
[16] M. Abdalla, E. Bresson, O. Chevassut, D. Pointcheval (2006) Password-based
Group Key Exchange in a Constant Number of Rounds, PKC2006, LNCS 3958, pp. 427-442.
[17] K. Y. Choi, J. Y. Hwang and D. H. Lee, “Efficient ID-based Group Key Agreement
with Bilinear Maps”, 2004 International Workshop on Practice and Theory in Public
Key Cryptography (PKC2004).
[18]Y. Shi, G. Chen, and J. Li,” ID-Based One Round authenticated Group Key
Agreement Protocol with Bilinear Pairings”, Proceedings of the International
Conference on Information Technology: Coding and Computing (ITCC’05), 2005.
[19] Y.M. Tseng, “A communication-efficient and fault-tolerant conference-key
agreement protocol with forward secrecy”, Journal of Systems and Software,
2006, accepted and to appear.
[20] Y.M. Tseng, “A secure authenticated group key agreement protocol for
resource-limited mobile devices”, The Computer Journal, Vol. 50, No. 1, pp. 41-52, 2007.
3. Research approaches and related works
=> Finding worth-to-work problems
Keep cranky and thinking continuously!!!
Finding solutions:
- Writing a research paper or patent
- Developing application systems
- Keeping a research record (important!!)
Finding new problems => solutions
- It could be a good approach/technique.
- In the future, it is possible to adopt it for other applications or problems.
3. Research approaches and related works
=> Finding worth-to-work problems
Problem 1: Malicious participant (insider) attack
- A malicious legal participant broadcasts a wrong message to disrupt the conference key establishment
- The proposed protocol must find who the malicious participants are
Problem 2: Imbalanced wireless networks
- Resource-limited PDA, smart phone, or UMD (ultra mobile device)
- It is a flexible approach to shift the computational burden to the powerful node and reduce the computational cost of mobile nodes
Problem 3: Pairing-based (ID-based) public-key system
- Practical ID-based public-key system (elliptic curve)
- 2001, new
4. Problem 1: GKA protocol resistant to insider attacks
Motivation and finding a solution
- All related GKA protocols based on the BD scheme suffer from insider attacks.
- Some secure conferences must be held prior to a special time, such as military applications, rescue missions and emergency negotiations.
Related papers: (2005)
- [14] Y.M. Tseng (2005) A robust multi-party key agreement protocol resistant to malicious participants. The Computer Journal, 48, 480-487. (2006, Wilkes Award)
- [12] Q. Tang and C. J. Mitchell (2005) Security properties of two authenticated conference key agreement protocols, in: S. Qing, W. Mao, J. Lopez, and G. Wang (eds.), Information and Communications Security: 7th International Conference, ICICS 2005, Beijing, China, December 10-13, 2005. Proceedings, Springer-Verlag LNCS 3783, Berlin (2005), pp. 304-314.
- [13] J. Katz, J. S. Shin (2005) Modeling Insider Attacks on Group Key Exchange Protocols. ACM Conference on Computer and Communications Security 2005, pp. 180-189.
4. Problem 1: GKA protocol resistant to insider attacks
Insider attacks (malicious participants) on the BD scheme
Figure: U1, ..., Un on a broadcast channel
Step 1 (Round 1)
Ui (1 ≤ i ≤ n): keeps xi secret, broadcasts yi = g^xi mod p
Step 2 (Round 2)
Ui (1 ≤ i ≤ n, i ≠ j): broadcasts zi = (yi+1 / yi-1)^xi mod p
Uj broadcasts a random value zj
Step 3 Each Ui computes a different key K
K = (yi-1)^(n·xi) · zi^(n-1) · zi+1^(n-2) · ... · zi-2 mod p
  = g^(x1x2 + x2x3 + ... + xnx1) mod p (only when every zi was computed honestly)
Who is the malicious participant?
4. Problem 1: Solution
GKA protocol resistant to insider attacks
Step 1 (Round 1) Ui (1 ≤ i ≤ n): keeps xi secret, broadcasts yi = g^xi mod p
Step 2 (Round 2) Ui (1 ≤ i ≤ n): broadcasts (zi, αi, βi, γi)
  zi = (yi+1 / yi-1)^xi mod p,
  αi = g^ri mod p,
  βi = (yi+1 / yi-1)^ri mod p,
  γi = ri + H(zi, αi, βi) · xi mod q
Step 3 Ui (1 ≤ i ≤ n) checks, for each j, and then computes K
  (1) g^γj = αj · yj^C mod p
  (2) (yj+1 / yj-1)^γj = βj · zj^C mod p, where C = H(zj, αj, βj)
  (if both checks hold, zj is computed correctly)
K = (yi-1)^(n·xi) · zi^(n-1) · zi+1^(n-2) · ... · zi-2 mod p
  = g^(x1x2 + x2x3 + ... + xnx1) mod p
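The BD rounds, the insider attack (a participant U_j broadcasting a wrong z_j so that the users end up with different keys) and the proof-augmented Round 2 with its two checks, as an added Python simulation that is not from the slides or from the author's papers. It assumes constructed toy parameters p = 2039, q = 1019, g = 4 (g generates the order-q subgroup) and SHA-256 reduced into Z_q as H; a real run uses a 1024-bit-plus prime.

```python
import hashlib
import secrets

# Constructed toy parameters (a deployment uses a 1024-bit-plus prime):
# p = 2q + 1 with q prime, and g = 4 generates the order-q subgroup of Z_p^*.
P = 2039
Q = 1019
G = 4

def inv(a):
    """Modular inverse in Z_p^* (p is prime)."""
    return pow(a, P - 2, P)

def H(*vals):
    """Hash the proof transcript (z_i, alpha_i, beta_i) into {1, ..., q-1}."""
    data = ",".join(str(v) for v in vals).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (Q - 1) + 1

def base(ys, i):
    """Per-user base y_{i+1} / y_{i-1} mod p; indices wrap around the ring."""
    n = len(ys)
    return ys[(i + 1) % n] * inv(ys[(i - 1) % n]) % P

def round2(x, ys, i):
    """Step 2 of the insider-resistant protocol: U_i broadcasts (z_i, alpha_i,
    beta_i, gamma_i), where (alpha_i, beta_i, gamma_i) proves that z_i was
    formed with the same secret x_i as y_i, without revealing x_i."""
    b = base(ys, i)
    z = pow(b, x, P)
    r = secrets.randbelow(Q - 1) + 1
    alpha = pow(G, r, P)
    beta = pow(b, r, P)
    gamma = (r + H(z, alpha, beta) * x) % Q
    return z, alpha, beta, gamma

def verify(ys, j, msg):
    """Step 3 checks: (1) g^gamma_j = alpha_j * y_j^C and
    (2) (y_{j+1}/y_{j-1})^gamma_j = beta_j * z_j^C, with C = H(z_j, alpha_j, beta_j)."""
    z, alpha, beta, gamma = msg
    c = H(z, alpha, beta)
    ok1 = pow(G, gamma, P) == alpha * pow(ys[j], c, P) % P
    ok2 = pow(base(ys, j), gamma, P) == beta * pow(z, c, P) % P
    return ok1 and ok2

def bd_key(x, ys, zs, i):
    """Plain BD key: K = y_{i-1}^{n x_i} * z_i^{n-1} * z_{i+1}^{n-2} * ... * z_{i-2}."""
    n = len(ys)
    k = pow(ys[(i - 1) % n], n * x, P)
    for t in range(n - 1):
        k = k * pow(zs[(i + t) % n], n - 1 - t, P) % P
    return k

def run(xs, cheater=None):
    """Run the protocol for secrets xs. If `cheater` is set, that user plays the
    insider attack and broadcasts a wrong z_j. Returns (key computed by each
    user, indices of users whose proof failed check (1) or (2))."""
    n = len(xs)
    ys = [pow(G, x, P) for x in xs]                      # Step 1: y_i = g^{x_i}
    msgs = [round2(xs[i], ys, i) for i in range(n)]      # Step 2
    if cheater is not None:
        z, alpha, beta, gamma = msgs[cheater]
        # Any value other than the honest z_j; 2*z_j keeps the run deterministic.
        msgs[cheater] = (2 * z % P, alpha, beta, gamma)
    bad = [j for j in range(n) if not verify(ys, j, msgs[j])]
    zs = [m[0] for m in msgs]
    keys = [bd_key(xs[i], ys, zs, i) for i in range(n)]
    return keys, bad

if __name__ == "__main__":
    secrets_x = [5, 11, 23, 42]                          # constructed x_1..x_4
    print("honest run:", run(secrets_x))
    print("U_3 cheats:", run(secrets_x, cheater=2))
```

In the honest run all four users compute the same key and no proof fails; when U_3 sends a wrong z_3 the four keys all differ (the insider attack on plain BD) and check (2) singles out index 2 as the malicious participant.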
4. Problem 1: GKA protocol resistant to insider attacks
Security proofs
- Assumption 1: Decisional Diffie-Hellman problem
- Theorem 1: The proposed GKA protocol is secure against passive attacks
- Theorem 2: The proposed GKA protocol is secure against insider attacks
Discussions
- Based on the BD scheme, the first protocol resisting insider attacks
- In fact, the proposed GKA protocol can be applied to other group key agreement protocols with t rounds (t > 1) to withstand insider attacks. (Reviewer comments)
- Expanding to authenticated (Tseng, 2007, JSS)
5. Problem 2: GKA protocol for imbalanced wireless networks
Motivation and finding a solution
- Resource-limited devices: PDA, cellular phone, or UMD (ultra mobile device)
- It is a flexible approach to shift the computational burden to the powerful node and reduce the computational cost of mobile nodes
Related papers:
- Bresson, E., Chevassut, O., Essiari, A. and Pointcheval, D. (2004) Mutual authentication and group key agreement for low-power mobile devices. Computer Communications, 27, 1730-1737.
- Nam, J., Kim, S., and Won, D. (2005) A weakness in the Bresson-Chevassut-Essiari-Pointcheval's group key agreement scheme for low-power mobile devices. IEEE Communications Letters, 9, 429-431.
- Nam, J., Kim, S., and Won, D. (2005) DDH-based group key agreement in a mobile environment. The Journal of Systems and Software, 78, 73-83.
- Y.M. Tseng (2007) “A secure authenticated group key agreement protocol for resource-limited mobile devices”, The Computer Journal, Vol. 50, No. 1, pp. 41-52.
5. Problem 2: GKA protocol for imbalanced wireless networks
Weaknesses of Bresson et al.'s protocol (2004)
- Without forward secrecy
- Without key authentication
- Not a contributory key agreement
Weaknesses of Nam et al.'s protocol (2005)
- It provides an authenticated protocol based on the Katz-Yung transformation [7] (2003). (Time-consuming)
- In this case, the computational cost is expensive for a mobile device
- Not a contributory key agreement
5. Problem 2: GKA protocol for imbalanced wireless networks
Goal:
- A real contributory key agreement protocol (proof)
- Authenticated GKA protocol
- The proposed protocol must be well suited for mobile devices with limited computing capability.
Some related issues and knowledge
- Give an example to prove that both Bresson et al.'s and Nam et al.'s protocols are not contributory key agreement.
- Give a complete proof to show that our proposed protocol is a real contributory key agreement.
- Understand the computing capability of mobile devices such as PDAs.
5. Problem 2: GKA protocol for imbalanced wireless networks
Security proofs
- Theorem 1: It is a contributory group key agreement protocol
- Theorem 2: Against a passive adversary
- Lemma 1, Lemma 2, and Theorem 3: Against an impersonator's attack
- Theorem 4: Implicit key authentication
- Theorem 5: Forward secrecy
Discussions
- Comparisons: computational cost and security properties
- This is the first protocol which provides a proof of contributory group key agreement
- A simulation result shows that the proposed protocol is well suited for mobile devices with limited computing capability.
5. Problem 2: GKA protocol for imbalanced wireless networks
Some other possible problems and future works
- Possible inherent problems of a powerful node
  - Communication bottleneck
  - Single point of failure
  - Trust
- Lower bound of the communication cost in a contributory group key agreement for imbalanced networks => optimal solution
6. Problem 3: Pairing-based (ID-based) GKA protocol
Motivation and finding a problem
- Shamir (1984): based on the factoring problem
  - ID => name, [email protected] and some other information.
  - The motivation is to simplify certificate management
  - However, it is not practical.
- Based on the Bilinear Diffie-Hellman assumption
  - In 2001, D. Boneh and M. Franklin presented the first ID-based encryption scheme.
  - Afterwards, it became an important issue for cryptography research.
Question: If you focus on this topic, what knowledge should you prepare and own?
6. Problem 3: Pairing-based (ID-based) GKA protocol
Related knowledge:
- Elliptic curve
- Bilinear pairing (Weil pairing and Tate pairing)
  - Few books focus on these cryptographic systems
- ID-based cryptographic protocols
  - ID-based signature (batch, threshold, blind, ...)
  - ID-based encryption (broadcast, authenticated)
  - ID-based two-party key agreement/authentication
  - Fast pairing computation
  - ID-based authenticated group key agreement
6. Problem 3: Pairing-based (ID-based) GKA protocol
Related papers on ID-based signature/encryption
- D. Boneh and M. Franklin, "Identity based encryption from the Weil pairing," Crypto 2001, LNCS 2139, pp. 213-229, Springer-Verlag, 2001.
- D. Boneh and M. Franklin, "Identity based encryption from the Weil pairing," SIAM J. of Computing, Vol. 32, No. 3, pp. 586-615, 2003.
- D. Boneh, B. Lynn and H. Shacham, "Short signature from Weil pairing," Asiacrypt 2001, LNCS 2248, pp. 514-532, Springer-Verlag, 2001.
- K. Paterson, ID-based Signatures from Pairings on Elliptic Curves. Electronics Letters, Vol. 38, No. 18, pp. 1025-1026, 2002.
- F. Hess, "Efficient identity based signature schemes based on pairings," SAC 2002, LNCS 2595, pp. 310-324, Springer-Verlag, 2003.
- J. C. Cha and J. H. Cheon, "An identity-based signature from gap Diffie-Hellman groups," PKC 2003, LNCS 2567, pp. 18-30, Springer-Verlag, 2003.
- H. J. Yoon, J. H. Cheon, Y. Kim, Batch verifications with ID-based signatures. Proc. ICISC 2004, December 2-3, Seoul, Korea, Springer-Verlag, Berlin, LNCS 3506, pp. 233-248, 2005.
- N. Koblitz and A. Menezes, "Pairing-based cryptography at high security levels," Cryptography and Coding: 10th IMA International Conference, LNCS 3796, pp. 13-36, Springer-Verlag, 2005.
- S. Cui, P. Duan, C. W. Chan, An efficient identity-based signature scheme with batch verifications, Proceedings of the 1st International Conference on Scalable Information Systems, Article No. 22, May 30 - June 01, 2006.
6. Problem 3: Pairing-based (ID-based) GKA protocol
Related papers on ID-based key agreement/authentication
- N. P. Smart, An identity based authenticated key agreement protocol based on the Weil pairing. Electronics Letters, volume 38 (13): 630-632, June 2002.
- L. Chen and C. Kudla, Identity Based Authenticated Key Agreement Protocols from Pairings, 16th IEEE Computer Security Foundations Workshop (CSFW'03), 2003, p. 219.
- Y. Wang, Efficient identity-based and authenticated key agreement protocol. Cryptology ePrint Archive, Report 2005/108.
- G. Xie, An ID-based key agreement scheme from pairing. Cryptology ePrint Archive, Report 2005/093.
- Q. Yuan and S. Li, A new efficient ID-based authenticated key agreement protocol. Cryptology ePrint Archive, Report 2005/309.
- L. Chen, Z. Cheng, and N. P. Smart, Identity-based Key Agreement Protocols From Pairings, http://grouper.ieee.org/groups/1363/IBC/submissions/Chen-IBE.pdf (good survey), 2006.
- X. Yi, Identity-Based Fault-Tolerant Conference Key Agreement, IEEE Trans. on Dependable and Secure Computing, Vol. 1, No. 3, pp. 170-178, July-September 2004.
- M. Das, A. Saxena, A. Gulati, and D. Phatak, A novel remote user authentication scheme using bilinear pairings, Computers & Security, Volume 25, Issue 3, May 2006, pp. 184-189.
6. Problem 3: Pairing-based (ID-based) GKA protocol
Goal: Pairing-based (ID-based) GKA protocol
- Finding some possible solutions => no concrete publication
Extra results: by surveying pairing-based systems
- Reviewer of an ID-based partially blind signature (2006)
  - Improving performance of Sherman et al.'s scheme (2005)
  - I showed that their scheme suffers from a forgery attack: reject it!
  - Try to propose an efficient scheme.
  - Until now, no concrete result.
- Seminar => a two-party key agreement protocol (2006, C&S)
  - Finding some drawbacks
  - We have obtained concrete results (conferences)
7. Conclusions
Based on the previous knowledge and new applications/environments: thinking of other problems
7. Conclusions
=> Thinking of other problems
Wireless environments (resource-limited devices)
- Imbalanced networks (WLAN, cellular network)
- Mobile ad hoc networks
  - Distributed architectures
  - No on-line certificate authority
- Sensor networks
  - Specific architectures (pre-distributed secret keys, or passwords)
  - Energy-aware (computation vs. communication)
7. Conclusions
=> Other problems => Energy consumption
Sensor networks (2005, Wander et al.)
- Specific architecture (pre-distributed secret keys)
- Energy-aware (computation vs. communication)
Mica2dot sensor platform (2002, ...):
Field                          Value
Effective data rate            12.4 kbps
Energy to transmit             59.2 μJ/byte
Energy to receive              28.6 μJ/byte
ATmega128L active mode         13.8 mW
ATmega128L power down mode     0.0075 mW
ATmega128L MIPS/Watt           289 MIPS/W
7. Conclusions
=> Other problems => Energy consumption
Energy cost of SHA-1 and AES-128:
Algorithm          Energy
SHA-1              5.9 μJ/byte
AES-128 Enc/Dec    1.62/2.49 μJ/byte
Energy cost of digital signature and key exchange computations [mJ]:
Algorithm    Sign     Verify    Key exchange (client)   Key exchange (server)
RSA-1024     304      11.9      15.4                    304
ECDSA-160    22.82    45.09     22.3                    22.3
RSA-2048     2302.7   53.7      57.2                    2302.7
ECDSA-224    61.54    121.98    60.4                    60.4
7. Conclusions
Research
"When you enter the first room of the mansion, it is completely dark; you cannot see your hand in front of your face. You stumble around among the furniture, but gradually you learn where each piece of furniture is. Finally... you find the light switch and turn on the light. Suddenly... you know exactly where you are."
------ Wiles
Open up the Ren and Du meridians (make the breakthrough)
7. Conclusions
Thanks for your participation !
Questions and Answers !