e-Technology Program
2. Self-certified key distribution protocols
2.1 System model of the self-certified key distribution protocols
The self-certified key distribution protocol is divided into three stages: system setup, user registration, and key distribution. The system requires a system authority (SA) that defines the system parameters and handles user registration. In the system setup stage, SA generates the private-key/public-key pair it will use later and defines the system parameters. In the user registration stage, the registering user prepares his/her identity information (identifier, name, address, etc.) and then runs a zero-knowledge proof protocol with SA to determine his/her self-certified private-key/public-key pair, starting from a randomly chosen master key. The zero-knowledge proof protocol is built from an exponentiation function over a finite field in which computing discrete logarithms is computationally infeasible [10]; hence SA cannot recover the master key from the registering commitment sent by the registering user. After completing the protocol, the registering user receives his/her self-certified public key and a witness for that public key from SA over a secret channel. From the witness issued by SA and the chosen master key he/she derives his/her private key, and with the derived private key he/she checks the validity of the self-certified public key issued by SA.
Thereafter, the self-certified private-key/public-key pair is used in the key distribution stage. Note that SA cannot derive the registering user's private key, and so cannot masquerade as him/her later, because the master key is unknown to SA.
Illustration of the user registration stage is depicted in Figure 1.
January 25-27, 2010, Grand Lisboa, Macau
Fig. 1. User registration stage
To establish a secret shared key between two communicating users in the key distribution stage, two key distribution protocols are proposed. In the first key distribution protocol (abbreviated KDP1), the shared key established by two communicating users is fixed: it is the same for every session initiated by the same pair of users, since it is computed only from the user's own private key and the correspondent's self-certified public key. KDP1 is depicted in Figure 2(a). In contrast, in the second key distribution protocol (abbreviated KDP2) the shared key established by two communicating users varies from session to session. In KDP2, each communicating user randomly chooses an integer (protected by the discrete logarithm problem) and sends the corresponding commitment, together with his/her identity information and self-certified public key, to the other. Each then uses his/her private key to derive the shared key from the received message.
KDP2 is depicted in Figure 2(b). Notice that: (i) verification of the correspondent's public key is implicitly integrated into the computation of the shared key in both KDP1 and KDP2; a wrong or forged public key produces a shared key that the other side does not hold, rather than an explicit verification failure. (ii) The identities of the participants are corroborated, since the identity information enters the shared key through $h(I)$. (iii) KDP2 is secure against the known-key attack, in which compromise of a past shared key lets the adversary compromise future shared keys or mount an impersonation [8]; KDP1 is not, because its shared key never changes.
Fig. 1 labels: User → SA: user's identity information and registering commitment; SA → User: user's self-certified public key and witness for the public key.
Fig. 2. Key distribution protocols. (a) KDP1: user i → user j: user i's identity information, self-certified public key; user j → user i: user j's identity information, self-certified public key. (b) KDP2: user i → user j: user i's identity information, self-certified public key, commitment; user j → user i: user j's identity information, self-certified public key, commitment.
2.2 Realization of the self-certified key distribution protocols
The system setup, user registration, and key distribution stages of the proposed self-certified key distribution protocols are stated below:
System setup -- SA randomly selects two large primes $p$ and $q$ with $q \mid (p-1)$, and a generator $D$ of order $q$ over $GF(p)$. SA also chooses a one-way hash function $h$ that accepts a variable-length input and produces a fixed-length output. SA then publishes $p$, $q$, $D$, and $h$. SA also determines a private-key/public-key pair $(J, E)$, where $J \in Z_q^*$ and $E = D^J \bmod p$, to be used in the remaining stages.
User registration -- Let $u_i$ be the registering user and $I_i$ the identity information of $u_i$ (identifier, name, address, etc.). $u_i$ sends a registration request to SA and then collaborates with SA to determine his/her self-certified private-key/public-key pair as follows. First, $u_i$ computes a registering commitment $v_i$ as
$$v_i = D^{h(k_i \| I_i)} \bmod p \qquad (1)$$
where $k_i \in_R Z_q$ is regarded as the secret master key, and transmits $\{I_i, v_i\}$ to SA. Upon receiving $\{I_i, v_i\}$, SA checks whether $I_i$ has already been registered. If it has, SA asks $u_i$ to re-send new identity information and a new registering commitment until the chosen identity information is unregistered. SA then chooses $z_i \in_R Z_q$ and computes a self-certified public key $y_i$ and a witness $w_i$ with respect to $u_i$ satisfying
$$y_i^{h(I_i)} = v_i\, D^{z_i} \bmod p \qquad (2)$$
$$w_i = z_i + J\, y_i\, h(I_i) \bmod q \qquad (3)$$
and returns $\{y_i, w_i\}$ to $u_i$ over a secret channel. From the witness and the master key, $u_i$ derives the private key
$$x_i = w_i + h(k_i \| I_i) \bmod q \qquad (4)$$
and checks the self-certified public key with
$$D^{x_i} = y_i^{h(I_i)}\, E^{y_i h(I_i)} \bmod p. \qquad (5)$$
If the above equality holds, $(x_i, y_i)$ is regarded as a valid self-certified private-key/public-key pair of $u_i$; otherwise $u_i$ performs this stage again. Note that the private key $x_i$ is unknown to SA: SA knows $z_i$, $J$, $y_i$ and $w_i$, but recovering $h(k_i \| I_i)$ from $v_i$ requires computing a discrete logarithm, since the master key $k_i$ never leaves $u_i$.
Theorem 1. The authenticity of the key pair $(x_i, y_i)$ with respect to $u_i$ is verified correctly by eqn. (5).
Proof: Substituting eqn. (3) into eqn. (4), we have
$$x_i = z_i + J\, y_i\, h(I_i) + h(k_i \| I_i) \pmod q.$$
Raising $D$ to both sides of the above equation, we have
$$D^{x_i} = D^{h(k_i \| I_i)}\, D^{z_i}\, D^{J y_i h(I_i)} = (v_i\, D^{z_i})\, E^{y_i h(I_i)} = y_i^{h(I_i)}\, E^{y_i h(I_i)} \pmod p$$
by eqns. (1) and (2), which is eqn. (5). Q.E.D.
Key distribution protocols -- Let $u_i$ and $u_j$ be two users who want to establish a secret shared key between them by applying either KDP1 or KDP2. The two protocols are described in turn.
The first key distribution protocol (KDP1) -- Each user transmits his/her identity information and public key to the correspondent, i.e., $u_i$ transmits $\{I_i, y_i\}$ to $u_j$ and $u_j$ transmits $\{I_j, y_j\}$ to $u_i$, as in Figure 2(a). Thereafter, $u_i$ and $u_j$ each compute the shared key by themselves from the following equalities respectively:
$$SK_{ij} = \big(y_j^{h(I_j)}\, E^{y_j h(I_j)}\big)^{x_i} \bmod p \qquad (6)$$
$$SK_{ji} = \big(y_i^{h(I_i)}\, E^{y_i h(I_i)}\big)^{x_j} \bmod p \qquad (7)$$
The correctness of KDP1 is shown as follows. From eqn. (6), we have
$$\begin{aligned}
SK_{ij} &= \big(y_j^{h(I_j)}\, E^{y_j h(I_j)}\big)^{x_i} \\
&= \big((v_j D^{z_j})\, E^{y_j h(I_j)}\big)^{x_i} && \text{by eqn. (2)} \\
&= \big((v_j D^{z_j})\, D^{J y_j h(I_j)}\big)^{x_i} \\
&= \big((D^{h(k_j \| I_j)} D^{z_j})\, D^{J y_j h(I_j)}\big)^{x_i} && \text{by eqn. (1)} \\
&= \big(D^{w_j + h(k_j \| I_j)}\big)^{x_i} && \text{by eqn. (3)} \\
&= D^{x_j x_i} \pmod p && \text{by eqn. (4).}
\end{aligned}$$
Similarly, eqn. (7) can be rewritten as $SK_{ji} = D^{x_i x_j} \bmod p$, so any two communicating users share a secret key knowing only the correspondent's identity information and public key. Since $SK_{ij}$ depends on nothing but the two long-term private keys, it is the same in every session between $u_i$ and $u_j$.
The second key distribution protocol (KDP2) -- To establish a shared key, $u_i$ computes
$$t_i = D^{r_i} \bmod p, \qquad r_i \in_R Z_q \qquad (8)$$
and sends $\{I_i, y_i, t_i\}$ to $u_j$. Meanwhile, $u_j$ computes
$$t_j = D^{r_j} \bmod p, \qquad r_j \in_R Z_q \qquad (9)$$
and sends $\{I_j, y_j, t_j\}$ to $u_i$. Finally, $u_i$ and $u_j$ compute the shared key from the following equalities respectively:
$$SK_{ij} = \big(y_j^{h(I_j)}\, E^{y_j h(I_j)}\big)^{r_i}\, t_j^{x_i} \bmod p \qquad (10)$$
$$SK_{ji} = \big(y_i^{h(I_i)}\, E^{y_i h(I_i)}\big)^{r_j}\, t_i^{x_j} \bmod p \qquad (11)$$
Notice that $t_i$ and $t_j$ vary with the time-variant parameters $r_i$ and $r_j$. Thus the shared key $SK_{ij}$ (or $SK_{ji}$) is different for each session, since it is computed from $t_i$ and $t_j$. From eqns. (10) and (11), if $SK_{ij}$ equals $SK_{ji}$ then the authenticity of the public keys $y_i$ and $y_j$ is verified; note that the two parties only find out whether the keys agree once the key is used, since neither equation signals a mismatch by itself. The correctness of the protocol is shown as follows.
$$\begin{aligned}
SK_{ij} &= \big(y_j^{h(I_j)}\, E^{y_j h(I_j)}\big)^{r_i}\, t_j^{x_i} \\
&= \big((v_j D^{z_j})\, E^{y_j h(I_j)}\big)^{r_i}\, t_j^{x_i} && \text{by eqn. (2)} \\
&= \big((v_j D^{z_j})\, D^{J y_j h(I_j)}\big)^{r_i}\, t_j^{x_i} \\
&= \big((D^{h(k_j \| I_j)} D^{z_j})\, D^{J y_j h(I_j)}\big)^{r_i}\, t_j^{x_i} && \text{by eqn. (1)} \\
&= \big(D^{w_j + h(k_j \| I_j)}\big)^{r_i}\, t_j^{x_i} && \text{by eqn. (3)} \\
&= D^{x_j r_i}\, t_j^{x_i} && \text{by eqn. (4)} \\
&= D^{x_j r_i}\, D^{r_j x_i} \pmod p && \text{by eqn. (9).}
\end{aligned}$$
Similarly, eqn. (11) can be written as $SK_{ji} = D^{x_i r_j}\, D^{r_i x_j} \pmod p$, which is the same value as eqn. (10); hence $SK_{ij} = SK_{ji}$.
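The three stages above, eqns. (1) to (11), assembled into runnable form as an added example. This is not code from the paper; it is a Python rendering written for this edit, with function names of its own. Symbols match the paper (D, (J, E), h, v, z, w, x, y, t, r). Assumptions made here: h is SHA-256 over length-prefixed inputs; p is chosen as a safe prime 2q+1 so that D = 4 generates the order-q subgroup; SA solves eqn. (2) for y_i by raising v_i D^{z_i} to h(I_i)^{-1} mod q, which is this example's reading of how y_i is produced; parameter sizes are toy sizes so the example runs in well under a second; identities are constructed.

```python
"""Self-certified key distribution (system setup, registration, KDP1, KDP2).
Symbols follow the paper: D generates an order-q subgroup of GF(p)^*, (J, E = D^J)
is the SA key pair, h is the one-way hash. Toy sizes; not for production use."""
import hashlib
import random
import secrets


def h(*parts):
    """h(.) as an integer. Parts are length-prefixed (an addition of this example)
    so that h(k || I) is unambiguous; ints and strs are encoded, bytes used as-is."""
    m = hashlib.sha256()
    for part in parts:
        if isinstance(part, int):
            part = part.to_bytes(max(1, (part.bit_length() + 7) // 8), "big")
        elif isinstance(part, str):
            part = part.encode()
        m.update(len(part).to_bytes(4, "big") + part)
    return int.from_bytes(m.digest(), "big")


def is_probable_prime(n, rng, rounds=32):
    """Miller-Rabin behind a small-prime sieve (n > 37 assumed)."""
    if any(n % sp == 0 for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)):
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def system_setup(bits=128, seed=None):
    """SA: primes p, q with q | p-1 (here p = 2q+1), generator D of order q, and the
    SA key pair (J, E). seed fixes only the parameter search; keys use secrets."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q, rng) and is_probable_prime(2 * q + 1, rng):
            break
    p, D = 2 * q + 1, 4  # a non-trivial square mod a safe prime has order q
    J = secrets.randbelow(q - 1) + 1  # J in Z_q^*
    return {"p": p, "q": q, "D": D, "E": pow(D, J, p)}, J


def user_commit(params, I):
    """User: master key k (never sent) and commitment v = D^{h(k||I)}, eqn (1)."""
    k = secrets.randbelow(params["q"])
    return k, pow(params["D"], h(k, I) % params["q"], params["p"])


def sa_register(params, J, registry, I, v):
    """SA: reject a registered I; issue y with y^{h(I)} = v D^z (eqn 2) and
    w = z + J y h(I) mod q (eqn 3). SA never sees h(k||I), hence never x."""
    p, q, D = params["p"], params["q"], params["D"]
    if I in registry:
        raise ValueError("identity already registered: %r" % (I,))
    hI = h(I) % q
    if hI == 0:  # eqn (2) needs h(I) invertible mod q
        raise ValueError("h(I) not invertible mod q; re-send identity information")
    z = secrets.randbelow(q)
    y = pow(v * pow(D, z, p) % p, pow(hI, -1, q), p)  # solves eqn (2); v D^z lies in <D>
    w = (z + J * y * hI) % q
    registry[I] = y
    return y, w  # to the user over the secret channel


def peer_base(params, I_peer, y_peer):
    """y^{h(I)} E^{y h(I)} mod p: equals D^{x_peer} exactly when y_peer is genuine, so
    public-key checking is implicit; a forged y just yields a mismatched key."""
    p, q, E = params["p"], params["q"], params["E"]
    hI = h(I_peer) % q
    return pow(y_peer, hI, p) * pow(E, y_peer * hI % q, p) % p


def verify_pair(params, I, x, y):
    """Eqn (5): D^x == y^{h(I)} E^{y h(I)} (mod p)."""
    return pow(params["D"], x, params["p"]) == peer_base(params, I, y)


def user_derive_private(params, I, k, y, w):
    """User: x = w + h(k||I) mod q (eqn 4), accepted only if eqn (5) holds."""
    x = (w + h(k, I)) % params["q"]
    if not verify_pair(params, I, x, y):
        raise ValueError("inconsistent (y, w) from SA; repeat the registration stage")
    return x


def kdp1_key(params, x_own, I_peer, y_peer):
    """KDP1, eqns (6)/(7): SK = D^{x_i x_j}, the same in every session."""
    return pow(peer_base(params, I_peer, y_peer), x_own, params["p"])


def kdp2_commit(params):
    """KDP2, eqns (8)/(9): fresh r and commitment t = D^r mod p."""
    r = secrets.randbelow(params["q"] - 1) + 1
    return r, pow(params["D"], r, params["p"])


def kdp2_key(params, x_own, r_own, I_peer, y_peer, t_peer):
    """KDP2, eqns (10)/(11): SK = (y^{h(I)} E^{y h(I)})^{r_own} t_peer^{x_own}
    = D^{x_peer r_own + r_peer x_own} mod p, fresh for every session."""
    p = params["p"]
    return pow(peer_base(params, I_peer, y_peer), r_own, p) * pow(t_peer, x_own, p) % p
```

Running the two registrations and then both protocols shows what the text states but does not demonstrate: eqn. (5) passes for an honestly issued pair, the KDP1 key is identical across calls while two KDP2 sessions produce different keys, and substituting a tampered y gives the two parties different keys with no error raised anywhere, which is what "implicit verification" means in practice; a deployment should therefore add explicit key confirmation before using the key.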