Attachment 1
National Science Council Grant-Funded Research Project
□ Final Report
■ Interim Progress Report
Key Technologies for Mobile Search in Heterogeneous Network Environments - Subproject 1:
Medium Access Control and Connectivity Support Mechanisms for Vehicular Ad Hoc Networks (1/3)
Project type: □ Individual project ■ Integrated project
Project number: 97-2221-E-009-049-MY3
Period: 1 August 2008 (ROC 97) to 31 July 2011 (ROC 100)
Principal investigator: Prof. 簡榮宏 (Rong-Hong Jan)
Co-principal investigators:
Project participants: 鄭安凱, 黃文彬, 黃志賢, 曾宇田, 陶嘉瑋
Report type (as specified in the approved budget list): ■ Brief report □ Full report
This report includes the following required attachments:
□ One report on overseas travel or study
□ One report on travel or study in mainland China
□ One report on attendance at an international academic conference, with the paper presented
□ One overseas research report for an international cooperative research project
Handling: except for industry-academia cooperative projects, industrial technology upgrading and
talent cultivation projects, monitored projects and the cases listed below, the report may be made publicly searchable immediately
■ Involves patents or other intellectual property; may be made public after □ one year ■ two years
Executing institution: Department of Computer Science, National Chiao Tung University
Chinese abstract:
This three-year subproject aims to develop a medium access control (MAC) protocol and connectivity support for VANETs.
Statistics show that tens of millions of traffic accidents every year are caused by vehicle collisions. Many factors contribute to collisions, but driver behavior is the most important one. If a driver cannot brake in time for a sudden incident, a chain collision often follows. Building a VANET can greatly mitigate this problem: when an emergency occurs, the vehicle in front can pass the incident message directly to the vehicles behind over the wireless medium, avoiding the delay caused by intermediate vehicles blocking the line of sight. The message can then be relayed by the wireless devices on other vehicles to vehicles further back, so that the reaction time of each intermediate driver is eliminated. Such a system is called cooperative collision avoidance (CCA). However, when too many messages are transmitted over the wireless medium, severe interference arises and the delivery delay grows, which directly threatens driver safety. On the other hand, the network range, the speed of the vehicles, their relative geographic positions and the intermittent connectivity between them raise security concerns for VANET communication; in particular, how to validate a sudden emergency event among moving vehicles quickly and efficiently is a question worth studying.
Accordingly, the first year of this subproject has two research goals: (1) an efficient broadcast mechanism for the CCA system, which reduces physical-layer interference through power control, with the transmit power adjusted according to the safe distance required between vehicles; (2) a secure aggregated message authentication (SAMA) scheme, based on certificateless public key cryptography (CL-PKC), for validating sudden emergency events in VANETs. Performance evaluation shows that the scheme substantially reduces the computation needed to verify aggregated messages, and our analysis shows that it resists forgery attacks while protecting the privacy of vehicles.
English abstract:
The goal of Subproject 1 is to provide a medium access control mechanism and connectivity support for vehicular ad hoc networks.
Every year, millions of traffic accidents are caused by automobile crashes. While different factors contribute to vehicle crashes, driver behavior is considered the leading cause. The inability of drivers to react in time to an emergency often creates the potential for a chain collision. These events can be avoided by a cooperative collision avoidance (CCA) system running over a vehicular ad hoc network. However, as long as many emergency messages are transmitted over the air, interference becomes serious, leading to a longer delivery delay. On the other hand, the security issues of VANETs are challenging, especially how to ensure the authenticity of emergency messages efficiently.
In the first year, we proposed an efficient broadcast mechanism for the CCA system using a power control technique. The power control is based on the safe distance between vehicles. Simulation results show that our protocol reduces the delivery delay and confines the broadcast area. For the security issue, we proposed a secure aggregated message authentication (SAMA) scheme in the certificateless public key setting to validate emergency messages in VANETs. We use aggregation and batch verification techniques for emergency message verification to reduce the computation overhead. Moreover, the SAMA scheme is modelled and analyzed with Petri nets. Our analysis shows that the SAMA scheme defends against forgery attacks and preserves the privacy of vehicles.
Keywords: Vehicular Ad Hoc Network, Cooperative Collision Avoidance, Power Control, Secure Message Authentication.
I. Introduction
With advances in wireless communication technology, falling prices of electronic components and growing attention to road safety, governments around the world have invested in research on Intelligent Transport Systems (ITS) [1-7]. ITS applies advanced electronic, communication, information and sensing technologies to integrate the management of people, roads and vehicles. Its main purpose is to provide real-time information and to improve the safety, efficiency and comfort of transport systems while reducing the environmental impact of traffic.
The vehicular ad hoc network (VANET) is currently an important network architecture developed to realize ITS [8]. In this architecture, every vehicle equipped with a wireless communication device can connect through a road side unit (RSU) to a server and retrieve the information it needs. When a vehicle is too far from the base station and outside its transmission range, other vehicles can relay for it. In other words, every vehicle can be regarded as a mobile wireless router. This architecture therefore greatly increases deployment flexibility: wherever there are vehicles, there is VANET coverage.
On vehicle safety, statistics show that tens of millions of traffic accidents every year are caused by vehicle collisions [9]. Many factors lead to collisions, such as mechanical problems, weather conditions and the time of travel, but driver behavior is the most important one. If a driver cannot react to a sudden incident (falling rocks, emergency braking, a skidding vehicle) by braking in time, a chain collision, commonly called a pile-up, often results.
Looking more closely, when a line of vehicles travels along a road, each vehicle must react in time to incidents ahead. Limited by the line of sight, however, a driver usually has to watch whether the brake lights of the vehicle ahead come on before deciding whether to brake as well. That is, a following driver may react only some time after the incident ahead has occurred, and if a vehicle has not kept enough distance from the one in front, a rear-end collision may follow. Moreover, after noticing the incident ahead, the driver needs an additional driver reaction time to respond by braking, typically between 0.75 and 1.5 seconds [10]. At 70 mph this means the vehicle travels another 75 to 150 feet before the driver even presses the brake. How to shorten the interval between the occurrence of an incident and the braking response is therefore a key issue in avoiding collisions.
Building a VANET can greatly improve this situation. When an emergency occurs, the vehicle in front can pass the incident message directly to the vehicles behind over the wireless medium, avoiding the delay caused by intermediate vehicles blocking the line of sight. The message can then be relayed by the wireless devices on other vehicles to vehicles further back, so that the reaction time of each intermediate driver is eliminated. Such a system is called cooperative collision avoidance (CCA) [10-14]. However, when too many messages are transmitted over the wireless medium, severe interference arises and the delivery delay grows, which directly threatens driver safety.
Therefore, one main goal of this project is an efficient broadcast mechanism for CCA systems. The mechanism reduces physical-layer interference through power control, and the transmit power is adjusted according to the safe distance required between vehicles. Considering the highly dynamic topology and limited bandwidth of VANETs, our mechanism needs neither topology information nor periodic exchange of data.
On the other hand, the network range, the speed of the vehicles, their relative geographic positions and the intermittent connectivity between them raise security concerns for VANET communication; in particular, how to validate a sudden emergency event among moving vehicles quickly and efficiently is a question worth studying.
Accordingly, the other goal of this subproject is a secure aggregated message authentication (SAMA) scheme, based on certificateless public key cryptography (CL-PKC), for validating sudden emergency events in VANETs. Performance evaluation shows that the scheme substantially reduces the computation needed to verify aggregated messages. In addition, we analyze the scheme with Petri nets and show that it resists forgery attacks while protecting the privacy of vehicles.
II. Research Objectives
This project is Subproject 1 of the integrated project "Key Technologies for Mobile Search in Heterogeneous Network Environments"; its main purpose is to provide access control and connectivity mechanisms for VANETs. To reach this goal, in the first year we carried out two studies aimed at the important safety applications of such networks: (1) a safety message broadcast mechanism for VANETs; (2) a safety message authentication mechanism for VANETs. They are described in turn below.
1. Safety message broadcast mechanism for VANETs
When a vehicle is beyond transmission range, safety messages can be forwarded by the wireless devices on intermediate vehicles, so a suitable forwarding mechanism is needed. Conventional mobile ad hoc network (MANET) routing, however, is not entirely suitable for VANET safety applications, for two reasons: (1) conventional MANET routing packets must specify an explicit destination, whereas VANET safety messages usually have no fixed recipient; (2) MANET routing needs a route discovery phase to set up a path before the actual data packets are sent, and this phase costs extra time and bandwidth that low-latency safety applications cannot afford.
Safety message delivery must therefore be designed in a broadcast-oriented way. Broadcasting over a wireless medium, however, often causes severe interference and even a broadcast storm, so the design must use extra information to mitigate the problem. A common approach is to limit the forwarding area with geographic information obtained from the global positioning system (GPS) receiver on the vehicle. In [10][12], every safety message carries the sender's position, and the receiver derives its forwarding priority from its distance to the sender, avoiding the interference caused by simultaneous forwarding. In [11][12], the direction of the sender relative to the receiver decides whether to forward at all. [14] goes further and uses geographic information to estimate the level of threat, so that vehicles in the more dangerous regions forward first.
Although existing methods already use geographic information to reduce the interference caused by excessive forwarding, the transmit power is fixed, so the interference range of each transmission cannot be reduced. In the proposed method we use power control to shrink the interference range itself, while the safe distance estimated from geographic information bounds the power from below, so that every potentially threatened vehicle still receives the safety message. Considering the highly dynamic topology and limited bandwidth of VANETs, the mechanism we propose needs neither topology information nor periodic data exchange.
2. Safety message authentication mechanism for VANETs
For safety message authentication, Raya and Hubaux [15] proposed a systematic solution to the security problems of VANETs in 2005, followed by many studies improving security, efficiency and functionality [16-27]. In 2008, Zhu et al. [27] proposed an aggregated message authentication scheme for validating sudden emergency events on the road. It is built on certificate-based public key cryptography, so its aggregate verification consists of two parts: certificate verification and signature verification.
To simplify the certificate management required by traditional public key cryptography, Shamir [28] proposed identity-based public key cryptography (ID-PKC) in 1984. In this system a user's public key is derived from the user's identity. A trusted third party (TTP), the private key generator (PKG), helps users generate their private keys, so ID-PKC suffers from the key escrow problem.
To solve the key escrow problem of ID-PKC, Al-Riyami and Paterson [29] proposed the concept of certificateless public key cryptography (CL-PKC). In CL-PKC a trusted third party, the key generation center (KGC), helps the user generate a partial private key; the user then generates a secret value and combines it with the partial private key to form the full private key. The KGC therefore does not know the user's full private key, which solves the key escrow problem of ID-PKC while also reducing the reliance on certificates.
We therefore propose a secure aggregated message authentication scheme for validating sudden emergency events in VANETs. The scheme is built on CL-PKC and adopts an improved version of the certificateless aggregate signature scheme of Zhang and Zhang [30], so that verifying an aggregated message only requires verifying the aggregate signature. Performance evaluation shows that the scheme substantially reduces the computation needed for verification. In addition, we analyze the scheme with Petri nets [31] and show that it resists forgery attacks while protecting the privacy of vehicles.
III. Research Methods
The first-year results of this subproject are described in two parts.
1. Safety message broadcast mechanism for VANETs
The main idea of the broadcast mechanism is to use power control to reduce physical interference and to confine the broadcasting area, with the transmit power adjusted according to the safe distance between vehicles. As Figure 1 shows, without power control (upper part) every vehicle must transmit at maximum power, so the two vehicles in the middle (B and C) both receive the safety message broadcast by the vehicle in front (A), and both must forward it to the vehicles behind, so that the vehicle further back (D) receives the same message from two sources at once and interference occurs. In contrast, our method delivers the message only to vehicles closer than the safe distance, so several vehicles rarely transmit or receive at the same time and interference is reduced. It also prevents vehicles that are not threatened from receiving the message: in the lower part of the figure, the leftmost vehicle (E) already keeps enough distance from the platoon ahead and therefore receives no redundant message under our mechanism.
[Figure 1: vehicles A, B, C, D and E shown twice, without (top) and with (bottom) power control]
Figure 1. Comparison of message broadcast with and without power control
Next, we use the following example to show how the safe distance is estimated in a VANET. In Figure 2, three vehicles (i+1, i, i-1) travel from left to right. Vehicle i-1 is the first to detect the accident, and vehicle i must relay the message to vehicle i+1 behind it; we estimate the safe distance between vehicle i-1 and vehicle i. When the driver of vehicle i-1 detects the accident, a driver reaction time $\delta$ elapses before the brake is pressed, so at speed $V_{i-1}$ the vehicle coasts a distance $\delta V_{i-1}$ before it starts to decelerate, and only comes to a complete stop after travelling

$$\delta V_{i-1} + \frac{V_{i-1}^2}{2D_{i-1}}.$$

On the other hand, message delivery itself incurs a delay $\Delta_{i,i-1}$, so at speed $V_i$ the driver of vehicle i only becomes aware of the message after coasting $\Delta_{i,i-1} V_i$, and likewise only starts to decelerate after coasting a further $\delta V_i$. Depending on the speed $V_i$, the braking deceleration $D_i$ and the inter-vehicle distance $d_{i-1,i}$, three cases are possible between vehicle i and vehicle i-1: (1) both vehicles stop safely without any collision; (2) vehicle i hits vehicle i-1 after the latter has stopped; (3) vehicle i hits vehicle i-1 while it is still moving. The three cases give vehicle i a different coasting distance $M_i$ before it comes to a complete stop, computed as

$$M_i = \min\left\{ (\Delta_{i,i-1} + \delta)\,V_i + \frac{V_i^2}{2D_i},\; d_{i-1,i} + M_{i-1} - L,\; \chi_{i,i-1} \right\},$$

where $L$ is the vehicle length and $\chi_{i,i-1}$ is the distance at which vehicle i strikes vehicle i-1 while the latter is still moving (case 3).

Figure 2. Estimation of coasting distance, safe distance and transmission radius in a VANET

Next, from this coasting distance $M_i$, the braking deceleration $D_{i+1}$ and speed $V_{i+1}$ of the following vehicle, and the required message delivery time, we can estimate the safe distance $S_{i,i+1}$ that must be kept while the vehicles are moving:

$$S_{i,i+1} = (\Delta_{i,i+1} + \delta)\,V_{i+1} + l\!\left(V_{i+1}, D_{i+1}, \frac{V_{i+1}}{D_{i+1}}\right) + L - M_i,$$

where $l(V_{i+1}, D_{i+1}, V_{i+1}/D_{i+1})$ is the distance vehicle i+1 covers while braking from $V_{i+1}$ at deceleration $D_{i+1}$ over its stopping time $V_{i+1}/D_{i+1}$.

Finally, from this safe distance $S_{i,i+1}$ and the change in the inter-vehicle distance before the message is received, we obtain the minimum transmission radius $T_{i,i+1}$ needed to reach vehicle i+1:

$$T_{i,i+1} = \max\left\{ S_{i,i+1} + \Delta_{i,i+1}\,(V_{i+1} - V_i),\; 0 \right\}.$$

However, information about the following vehicle (such as $V_{i+1}$ and $D_{i+1}$) is usually not available in advance, so in practice the following estimates can be used instead:

$$\hat{S}_i = (\tau + \delta)\,V_{\max} + l\!\left(V_{\max}, D_r, \frac{V_{\max}}{D_r}\right) + L - M_i;$$

$$\hat{T}_i = \max\left\{ \hat{S}_i + \tau\,(V_{\max} - V_{\min}),\; 0 \right\};$$

where $\tau$ and $D_r$ stand in for the unknown delay $\Delta_{i,i+1}$ and braking deceleration $D_{i+1}$ of the follower, and $V_{\max}$ and $V_{\min}$ are the maximum and minimum possible speeds (for example the upper and lower speed limits of a highway).
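The safe-distance and transmission-radius calculation above, as an added example that is not part of the report (the report gives no code). Units are metres, seconds, m/s and m/s². The report uses $l(\cdot)$ and $\chi_{i,i-1}$ without spelling them out; here l() is the kinematic braking distance, and cases 2 and 3 (hitting a stopped or a still-moving vehicle ahead) are found by stepping time until the front of vehicle i reaches the rear of vehicle i-1, which is this example's choice rather than the report's closed form. The platoon in the usage block is constructed.

```python
# Added example (not from the report): coasting distance M_i, safe distance S_{i,i+1},
# minimum transmission radius T_{i,i+1} and the practical estimates S_hat_i / T_hat_i.
from dataclasses import dataclass

VEHICLE_LENGTH = 4.5   # L, metres
REACTION = 1.0         # delta, driver reaction time (s)


@dataclass
class Vehicle:
    speed: float       # V_i, m/s
    decel: float       # D_i, braking deceleration, m/s^2
    gap_ahead: float   # d_{i-1,i}: front-to-front distance to the vehicle ahead (0 for the leader)


def braking_distance(v, d, t):
    """l(V, D, t): distance covered while decelerating from v at rate d for t seconds (capped at the stop)."""
    t = min(t, v / d)
    return v * t - 0.5 * d * t * t


def travelled(veh, t_brake, t):
    """Distance travelled by time t: constant speed until t_brake, then braking until the vehicle stops."""
    if t <= t_brake:
        return veh.speed * t
    return veh.speed * t_brake + braking_distance(veh.speed, veh.decel, t - t_brake)


def coasting_distances(vehicles, delays, dt=0.01):
    """M_i for every vehicle, front (index 0, the one that detects the event) to back.
    delays[i] is Delta_{i,i-1}, the delivery delay of the relayed message from i-1 to i
    (delays[0] = 0), so the driver of i brakes at (sum of delays so far) + delta.
    Case 1 is the free stopping distance (Delta + delta) V + V^2 / 2D; cases 2 and 3 are
    detected when the front of vehicle i reaches the rear of vehicle i-1 before i has stopped."""
    M, t_brake = [], []
    for i, veh in enumerate(vehicles):
        tb = sum(delays[:i + 1]) + REACTION
        t_brake.append(tb)
        m = veh.speed * tb + veh.speed ** 2 / (2 * veh.decel)       # case 1
        if i > 0:
            ahead, t = vehicles[i - 1], 0.0
            while t <= tb + veh.speed / veh.decel:                    # until vehicle i would stop
                rear_of_ahead = veh.gap_ahead + travelled(ahead, t_brake[i - 1], t) - VEHICLE_LENGTH
                front_of_i = travelled(veh, tb, t)
                if front_of_i >= rear_of_ahead:      # collision: d + M_{i-1} - L (case 2) or chi (case 3)
                    m = front_of_i
                    break
                t += dt
        M.append(m)
    return M


def safe_distance(M_i, follower, delay):
    """S_{i,i+1} = (Delta_{i,i+1} + delta) V_{i+1} + l(V_{i+1}, D_{i+1}, V_{i+1}/D_{i+1}) + L - M_i."""
    v, d = follower.speed, follower.decel
    return (delay + REACTION) * v + braking_distance(v, d, v / d) + VEHICLE_LENGTH - M_i


def tx_radius(S, v_front, v_follower, delay):
    """T_{i,i+1} = max{ S_{i,i+1} + Delta_{i,i+1} (V_{i+1} - V_i), 0 }: the gap closes during the delay."""
    return max(S + delay * (v_follower - v_front), 0.0)


def estimated_radius(M_i, tau, v_max, v_min, d_ref):
    """Practical estimate when the follower's V and D are unknown; returns (S_hat_i, T_hat_i)."""
    S_hat = (tau + REACTION) * v_max + braking_distance(v_max, d_ref, v_max / d_ref) + VEHICLE_LENGTH - M_i
    return S_hat, max(S_hat + tau * (v_max - v_min), 0.0)


if __name__ == "__main__":
    # Constructed platoon: the leader detects the event; the third car tailgates at 10 m and hears late.
    platoon = [Vehicle(30, 6, 0), Vehicle(30, 6, 40), Vehicle(30, 6, 10)]
    M = coasting_distances(platoon, [0.0, 0.1, 0.5])
    print("M_i (m):", [round(m, 1) for m in M])
    print("S_hat, T_hat behind the leader (m):", estimated_radius(M[0], 0.1, 35, 25, 5))
```

With the constructed platoon the second car stops freely (case 1), while the third, which keeps only 10 m and receives the message 0.5 s late, hits the still-moving second car after about 88 m (case 3), so its coasting distance is far below its free stopping distance. The estimated radius is what a transmitter would actually use, since it needs nothing from the vehicles behind.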
2. Safety message authentication mechanism for VANETs
The scheme operates over vehicle-to-vehicle communication in a VANET and assumes that data are delivered without the help of fixed roadside equipment. A KGC sets up the initial system parameters and helps vehicles generate partial private keys. The scheme has four phases: system setup, registration, security emergency report (SER) generation, and SER aggregate verification.
• System setup phase: the KGC generates and publishes the system parameters and defines the SER format.
• Registration phase: a vehicle registers with the KGC to obtain a partial private key, then chooses a secret value of its own and combines it with the partial private key to form its full private key; the vehicle also computes the corresponding public key itself.
• SER generation phase: vehicle j generates an SER for emergency event i with the format shown in Table 1.
• SER aggregate verification phase: any vehicle can batch-verify the SERs it has received for emergency event i.

Table 1. SER format
Type (Type_i) | Location (Loc_i) | Vehicle identifier (ID_j) | Time (Time_ji) | Signature (Sig_ji) | Vehicle public key (PK_j)
We use Petri nets [31] to analyze the information flow of the proposed scheme and thereby show that it resists forgery attacks while protecting the privacy of vehicles; details are given in the appendix. The Petri net model of the scheme is shown in Figure 3, with its places and transitions defined in Tables 2 and 3 respectively.
Figure 3. Petri net model of the SAMA scheme
Table 2. Definitions of places
Place  Definition    Place  Definition
P1     Type_i        P13    Type_i
P2     Loc_i         P14    Loc_i
P3     ID_j          P15    ID_j
P4     Time_ji       P16    Time_ji
P5     PK_j          P17    Sig_ji
P6     W_i           P18    PK_j
P7     S_j           P19    Q_j
P8     D_j           P20    W_i
P9     x_j           P21    S_j
P10    Sig_ji        P22    P
P11    SER_ji        P23    P_pub
P12    SER_ji        P24    Verification success message

Table 3. Definitions of transitions
Transition  Definition          Transition  Definition
T1          Compute W_i         T6          Split SER_ji
T2          Compute S_j         T7          Compute Q_j
T3          Compute Sig_ji      T8          Compute W_i
T4          Construct SER_ji    T9          Compute S_j
T5          Transmit SER_ji     T10         Verify e(Sig_ji, P) ?= e(Q_j, S_j·P_pub) · e(W_i, PK_j)
For the performance evaluation we use computational cost as the metric, with the notation defined in Table 4. As Table 5 shows, to verify n SERs the scheme of Zhu et al. [27] needs five bilinear pairing computations, because it must verify the certificates as well as the aggregate signature; since our scheme is built on certificateless public key cryptography, only three pairing computations are needed to verify the aggregate signature, so the scheme substantially reduces the cost of aggregated message verification.
Table 4. Notation for the performance evaluation
Symbol  Definition
T_H     Time of one one-way hash function evaluation
T_E     Time of one exponentiation
T_P     Time of one bilinear pairing computation
T_M     Time of one elliptic-curve point multiplication
T_A     Time of one elliptic-curve point addition

Table 5. Performance comparison of aggregated message verification schemes
Phase                     Zhu et al.'s scheme [27]                   Our SAMA scheme
Registration              1T_H + 2T_E                                1T_H + 2T_M
SER generation            3T_H + 2T_E + 2T_M                         2T_H + 2T_M + 1T_A
Single SER verification   4T_H + 1T_E + 5T_P                         3T_H + 3T_P + 1T_M
SER aggregation           2(n−1)T_M                                  (n−1)T_A
SER batch verification    (n+3)T_H + nT_E + 5T_P + 4(n−1)T_M         (2n+1)T_H + 3T_P + nT_M + 2(n−1)T_A
IV. Research goals for the second year of this subproject
With the first-year goals achieved, the VANET now has the basic ability to deliver and verify safety messages. We next work toward the second-year goals, clustering of high-speed vehicles and power assignment, to further improve the transmission capability of large-scale VANETs.
Clustering means that, in a network with many nodes, clusters are selected according to criteria fixed in advance by the network administrator: the area each cluster covers, the number of members it contains, or the maximum number of hops tolerated between nodes. Each cluster must have at least one manager (cluster head) responsible for every member of its cluster; this is intra-cluster communication. Besides managing their own members, cluster heads must also stay in touch with one another and exchange messages; this is inter-cluster communication. The purpose of clustering is to divide the network into many small networks, giving it a hierarchical structure. Managing the network with clusters greatly reduces the number of flooded packets and simplifies the otherwise very complex topology problem. The use of clusters to manage MANETs has been studied by many researchers; applying it to VANETs requires further modification, because every vehicle is constrained by its direction of travel and its speed.
As for power assignment, in a VANET the communication device draws its power from the vehicle, so the energy-efficiency problem usual in wireless networks is of secondary importance. An excessive transmission radius, however, still hurts network performance, so this part of the research concentrates on how to assign the power needed for vehicle communication in a VANET effectively. Network density in a VANET varies: at low density, too low a transmit power isolates some vehicles so that they cannot communicate with the others, whereas at high density a high transmit power wastes power and increases the probability of message collisions. The focus of this part is therefore how to adjust the transmit power to the network density: higher power and a longer transmission radius at low density, and lower power at high density.
We will build on the first-year results and experience in safety message delivery to reach these two goals.
V. Project Results
This year's results include one published conference paper (ICC 2009) and two completed papers, to be submitted to PIMRC 2009 and ICPADS 2009 respectively; four master's students and one doctoral student were trained.
VI. References
[1] Vehicle Safety Communications Consortium, http://www-nrd.nhtsa.dot.gov.
[2] Dedicated Short Range Communications Project, http://www.leearmstrong.comIDSRC.
[3] The PReVENT Project, http://www.prevent-ip.org.
[4] Car2Car Communication Consortium, http://www.car-to-car.org.
[5] Internet ITS Consortium, http://www.internetits.org.
[6] The NOW: Network on Wheels Project, http://twww.network-on-wheels.de.
[7] ITS Taiwan, http://www.its-taiwan.org.tw.
[8] ASTM E2213-03, "Standard specification for telecommunications and information exchange between roadside and vehicle systems - 5 GHz band dedicated short range communications (DSRC) MAC and PHY specifications," ASTM International, July 2003.
[9] National Center for Statistics and Analysis, "Traffic Safety Facts 2003," Report DOT HS 809 767, National Highway Traffic Safety Administration, U.S. DOT, Washington, DC, 2004.
[10] X. Yang, J. Liu, F. Zhao, and N. H. Vaidya, "A vehicle-to-vehicle communication protocol for cooperative collision warning," in Proc. 1st Annual International Conference on Mobile and Ubiquitous Systems, pp. 114-123, 2004.
[11] S. Biswas, R. Tatchikou, and F. Dion, "Vehicle-to-vehicle wireless communication protocols for enhancing highway traffic safety," IEEE Communications Magazine, vol. 44, no. 1, pp. 535-547, 2006.
[12] N. Wisitpongphan, O. K. Tonguz, J. S. Parikh, P. Mudalige, F. Bai, and V. Sadekar, "Broadcast storm mitigation techniques in vehicular ad hoc networks," IEEE Wireless Communications, vol. 14, no. 6, pp. 84-94, 2007.
[13] S. Biswas, R. Tatchikou, and F. Dion, "Vehicle-to-vehicle wireless communication protocols for enhancing highway traffic safety," IEEE Communications Magazine, vol. 44, no. 1, pp. 535-547, 2006.
[14] F. Yu and S. Biswas, "Impacts of radio access protocols on cooperative vehicle collision avoidance in urban traffic intersections," Journal of Communications, 2008.
[15] M. Raya and J. P. Hubaux, "The security of vehicular ad hoc networks," in Proc. 3rd ACM Workshop on Security of Ad hoc and Sensor Networks (SASN 2005), Nov. 2005.
[16] M. Raya, A. Aziz, and J. P. Hubaux, "Efficient secure aggregation in VANETs," in Proc. (… 2006), Sep. 2006, pp. 67-75.
[17] J. Nikodem and M. Nikodem, "Secure and scalable communication in vehicle ad hoc networks," in Proc. International Conference on Computer Aided System Theory (EUROCAST 2007), Feb. 2007, pp. 1167-1174.
[18] M. Raya and J. P. Hubaux, "Securing vehicular ad hoc networks," Journal of Computer Security, vol. 15, no. 1, 2007, pp. 39-68.
[19] C. Zhang, R. Lu, P. H. Ho, and A. Chen, "A location privacy preserving authentication scheme in vehicular networks," in Proc. IEEE Wireless Communications and Networking Conference (WCNC 2008), Mar. 2008, pp. 2543-2548.
[20] X. Lin, R. Lu, C. Zhang, H. Zhu, P. H. Ho, and X. Shen, "Security in vehicular ad hoc networks," IEEE Communications Magazine, vol. 46, no. 4, Apr. 2008, pp. 88-95.
[21] C. Langley, R. Lucas, and H. Fu, "Key management in vehicular ad-hoc networks," in Proc. IEEE International Conference on Electro/Information Technology (EIT 2008), May 2008, pp. 223-226.
[22] N. W. Wang, Y. M. Huang, and W. M. Chen, "A novel secure communication scheme in vehicular ad hoc networks," Computer Communications, vol. 31, no. 12, Jul. 2008, pp. 2827-2837.
[23] C. T. Li, M. S. Hwang, and Y. P. Chu, "A secure and efficient communication scheme with authenticated key establishment and privacy preserving for vehicular ad hoc networks," Computer Communications, vol. 31, no. 12, Jul. 2008, pp. 2803-2814.
[24] C. I. Fan, R. H. Hsu, and C. H. Tseng, "Pairing-based message authentication scheme with privacy protection in vehicular ad hoc networks," in Proc. International Conference on Mobile Technology, Applications, and Systems, Sep. 2008.
[25] M. Burmester, E. Magkos, and V. Chrissikopoulos, "Strengthening privacy protection in VANETs," in Proc. IEEE International Conference on Wireless and Mobile Computing (WIMOB 2008), Oct. 2008, pp. 508-513.
[26] C. Zhang, X. Lin, R. Lu, P. H. Ho, and X. Shen, "An efficient message authentication scheme for vehicular communications," IEEE Transactions on Vehicular Technology, vol. 57, no. 6, Nov. 2008, pp. 3357-3368.
[27] H. Zhu, X. Lin, R. Lu, P. H. Ho, and X. Shen, "AEMA: An aggregated emergency message authentication scheme for enhancing the security of vehicular ad hoc networks," in Proc. IEEE International Conference on Communications (ICC 2008), May 2008, pp. 1436-1440.
[28] A. Shamir, "Identity based cryptosystems and signature schemes," in Advances in Cryptology (Crypto 1984), 1984, pp. 47-53.
[29] S. Al-Riyami and K. Paterson, "Certificateless public key cryptography," in Proc. ASIACRYPT 2003, pp. 452-473.
[30] L. Zhang and F. Zhang, "A new certificateless aggregate signature scheme," Computer Communications, vol. 32, no. 6, Apr. 2009, pp. 1079-1085.
VII. Appendix

A Chaotic Maps-based Key Agreement Protocol that Preserves User Anonymity
Huei-Ru Tseng, Rong-Hong Jan, and Wuu Yang
Department of Computer Science, National Chiao Tung University, Hsinchu, Taiwan 30010
{hueiru, rhjan, wuuyang}@cs.nctu.edu.tw

Abstract—A key agreement protocol is a protocol whereby two or more communicating parties can agree on a key or exchange information over an open communication network in such a way that both of them agree on the established session keys for use in subsequent communications. Recently, several key agreement protocols based on chaotic maps have been proposed. These protocols require a verification table to verify the legitimacy of a user. Since this approach incurs the risk of tampering and the cost of managing the table, and is exposed to the stolen-verifier attack, we propose a novel key agreement protocol based on chaotic maps to enhance security. The proposed protocol not only achieves mutual authentication without verification tables, but also allows users to interact anonymously with the server. Moreover, the security of the proposed protocol is modelled and analyzed with Petri nets. Our analysis shows that the proposed protocol can defend against replay attacks, forgery attacks, and stolen-verifier attacks.
Index Terms—Key agreement protocol, Chaotic maps, Stolen-verifier attacks, Anonymity, Petri nets.

I. INTRODUCTION
A key agreement protocol is a protocol whereby two or more communicating parties can agree on a key or exchange information over an open communication network in such a way that both of them agree on the established session keys for use in subsequent communications. In 1976, Diffie and Hellman invented the first key agreement protocol [1], in which two parties jointly exponentiate a generator with random numbers in such a way that an eavesdropper has no way of guessing the key. However, their protocol does not authenticate the communicating parties and is thus vulnerable to man-in-the-middle attacks. Since then, a variety of secure key agreement protocols have been developed to prevent man-in-the-middle and related attacks.
Since the 1990s, chaotic systems [2-7] have been used to design secure communication protocols. The two main approaches to the use of chaotic systems in communication protocols are analog and discrete digital. The former is based on chaos synchronization using chaotic circuits, and the latter is designed for generating chaotic ciphers.
In 2003, Kocarev and Tasev [8] proposed a public-key encryption algorithm based on Chebyshev chaotic maps [9], whose semi-group property meets the cryptographic requirements. However, Bergamo et al. [10] proved that Kocarev and Tasev's scheme [8] is insecure, since an adversary can efficiently recover the plaintext from a given ciphertext. Later, to address Bergamo et al.'s attack [10], Xiao et al. proposed a novel key agreement protocol [11]. Recently, Han [12] pointed out that Xiao et al.'s protocol [11] is still insecure against new attacks that prevent the user and the server from establishing a session key, even though the adversary obtains no private information from the communicating parties. In 2008, Yoon and Yoo [13] proposed a new key agreement protocol based on chaotic maps that resists the attacks developed by Han [12] and off-line password guessing attacks, and reduces the number of communication rounds. However, these protocols [11, 13] still have several security weaknesses. In these protocols, the server needs a verification table. The verification table could be tampered with or stolen, and there is the cost of managing the table. In addition, users would wish to obtain services anonymously.
Taking these security threats and privacy issues into consideration, we propose a chaotic maps-based key agreement protocol that not only fixes these weaknesses but also preserves user anonymity. The crucial merits of the proposed protocol are: (1) it achieves mutual authentication between a server and a user; (2) it allows users to interact anonymously with the server to agree on session keys; (3) a server and a user can generate session keys for protecting the subsequent communications. Moreover, Petri nets [14] may be used to infer what an attacker could know if he happens to know certain items in the security protocol. We used Petri nets in the security analysis of the proposed protocol. Our analysis shows that the proposed protocol can defend against replay attacks, forgery attacks, and stolen-verifier attacks.
The rest of this paper is organized as follows. In Section 2, we state the definition of the Chebyshev chaotic map and introduce the hash function based on chaotic maps. Our proposed protocol is presented in Section 3. Then, in Section 4, we analyze the proposed protocol, show that it resists several attacks, and compare it with other key agreement protocols. Finally, we conclude the paper in Section 5.

This work was supported by the National Science Council, Taiwan, Republic of China, under grant NSC 97-2221-E-009-048-MY3 and NSC

[Figure 1: plot of T1(x), T2(x), T3(x), T4(x) on the interval −1 ≤ x ≤ 1]
Fig. 1. Chebyshev polynomials
II. PRELIMINARIES
In this section, we define Chebyshev chaotic maps and introduce the hash functions based on chaotic maps.
A. Chebyshev Chaotic Maps
The Chebyshev polynomial [9] and its properties [8, 11, 13] are described as follows.
Definition 1. The Chebyshev polynomial $T_n(x)$ is a polynomial in x of degree n, defined by the relation
$$T_n(x) = \cos(n\theta), \quad \text{where } x = \cos\theta \;(-1 \le x \le 1). \tag{1}$$
With Definition 1, the recurrence relation of $T_n(x)$ is
$$T_n(x) = 2x\,T_{n-1}(x) - T_{n-2}(x), \quad \text{for any } n \ge 2, \tag{2}$$
together with the initial conditions $T_0(x) = 1$, $T_1(x) = x$.
Some examples of Chebyshev polynomials are (see Figure 1):
$$T_2(x) = 2x^2 - 1 \tag{3}$$
$$T_3(x) = 4x^3 - 3x \tag{4}$$
$$T_4(x) = 8x^4 - 8x^2 + 1 \tag{5}$$
Chebyshev polynomials have two important properties [8, 11, 13]: the semi-group property and the chaotic property.
• The semi-group property:
$$T_r(T_s(x)) = \cos\!\big(r\cos^{-1}(\cos(s\cos^{-1}(x)))\big) = \cos\!\big(rs\cos^{-1}(x)\big) = T_{sr}(x) = T_s(T_r(x)) \tag{6}$$
• The chaotic property: if the degree n > 1, the Chebyshev polynomial map $T_n : [-1, 1] \to [-1, 1]$ of degree n is a chaotic map with invariant density $f^*(x) = \dfrac{1}{\pi\sqrt{1 - x^2}}$ and Lyapunov exponent $\lambda = \ln n > 0$.
B. Hash Functions based on Chaotic Maps
The hash function used in the previous key agreement protocols [11, 13] is based on the following chaotic one-way hash function [15]. A one-dimensional piecewise linear chaotic system is defined as
$$X(t+1) = F(X(t), P), \tag{7}$$
where
$$F(u, P) = \begin{cases} u/P, & 0 \le u < P, \\ (u - P)/(0.5 - P), & P \le u < 0.5, \\ (1 - u - P)/(0.5 - P), & 0.5 \le u < 1 - P, \\ (1 - u)/P, & 1 - P \le u \le 1, \end{cases}$$
with $X \in [0, 1]$ and $P \in (0, 0.5)$. $X_i$ is the chaining variable, $0 \le i \le 3N$; $X_0$ is the initial value of the chaining variable and is chosen from (0, 1).
Given a pending message M, $H_0$ is a constant chosen from (0, 1). The three rounds of iterations (1st to N-th, (N+1)-th to 2N-th, (2N+1)-th to 3N-th) ensure that every bit of the final hash value depends on all bits of the message. The hash value is generated as follows:
• The pending message M is translated into the corresponding ASCII codes, which are then mapped by a linear transform into an array C whose length N is the number of characters in the message and whose elements are numbers in [0, 1].
• The iteration proceeds as follows:
1) 1st: $P_1 = (C_1 + H_0)/4 \in [0, 0.5)$, $X_1 = F(X_0, P_1) \in [0, 1]$;
2) 2nd to N-th: $P_i = (C_i + X_{i-1})/4 \in [0, 0.5)$, $X_i = F(X_{i-1}, P_i) \in [0, 1]$;
3) (N+1)-th: $P_{N+1} = (C_N + X_N)/4 \in [0, 0.5)$, $X_{N+1} = F(X_N, P_{N+1}) \in [0, 1]$;
4) (N+2)-th to 2N-th: $P_i = (C_{2N-i+1} + X_{i-1})/4 \in [0, 0.5)$, $X_i = F(X_{i-1}, P_i) \in [0, 1]$;
5) (2N+1)-th: $P_{2N+1} = (C_1 + H_0)/4 \in [0, 0.5)$, $X_{2N+1} = F(X_{2N}, P_{2N+1}) \in [0, 1]$;
6) (2N+2)-th to 3N-th: $P_i = (C_{i-2N} + X_{i-1})/4 \in [0, 0.5)$, $X_i = F(X_{i-1}, P_i) \in [0, 1]$.
• Finally, $X_N$, $X_{2N}$ and $X_{3N}$ are converted to binary, 40, 40 and 48 bits after the binary point are extracted respectively, and the three bit strings are juxtaposed from left to right to form the 128-bit hash value.
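The chaotic hash of [15] as summarized above, implemented directly; this is an added example, not code from the paper or from [15]. Two choices the summary leaves open are made here and are assumptions: ASCII codes are mapped into [0, 1] by dividing by 255, and the constants X0 = 0.37 and H0 = 0.62 are example values. The digest depends on IEEE double arithmetic, so another platform may differ in the low-order bits.

```python
# Added example (not from the paper): the piecewise linear chaotic hash of Section II-B.

def F(u, P):
    """Piecewise linear chaotic map (7) on [0, 1] with parameter P in (0, 0.5)."""
    if u < P:
        return u / P
    if u < 0.5:
        return (u - P) / (0.5 - P)
    if u < 1 - P:
        return (1 - u - P) / (0.5 - P)
    return (1 - u) / P                      # 1 - P <= u <= 1


def frac_bits(x, nbits):
    """The first nbits bits after the binary point of x in [0, 1]."""
    out = []
    for _ in range(nbits):
        x *= 2
        bit = int(x >= 1.0)
        out.append(bit)
        x -= bit
    return out


def chaotic_hash(msg, X0=0.37, H0=0.62):
    """128-bit hex digest: 3N iterations X_i = F(X_{i-1}, P_i), walking the message array
    forward, backward and forward again, then 40 + 40 + 48 bits of X_N, X_2N, X_3N."""
    if not msg:
        raise ValueError("empty message")
    C = [ord(ch) / 255.0 for ch in msg]     # C_1..C_N (0-based here), each in [0, 1]; example mapping
    N = len(C)
    X = [X0]                                # X[i] holds the chaining variable X_i

    def step(c):                            # P_i = (c + X_{i-1}) / 4, X_i = F(X_{i-1}, P_i)
        P = (c + X[-1]) / 4
        X.append(F(X[-1], P))

    X.append(F(X0, (C[0] + H0) / 4))        # 1st: P_1 = (C_1 + H_0) / 4
    for i in range(2, N + 1):               # 2nd .. N-th: C_i
        step(C[i - 1])
    for i in range(N + 1, 2 * N + 1):       # (N+1)-th .. 2N-th: C_N, C_{N-1}, ..., C_1
        step(C[2 * N - i])
    X.append(F(X[-1], (C[0] + H0) / 4))     # (2N+1)-th: restart from (C_1 + H_0) / 4
    for i in range(2 * N + 2, 3 * N + 1):   # (2N+2)-th .. 3N-th: C_2 .. C_N
        step(C[i - 2 * N - 1])
    assert len(X) == 3 * N + 1
    bits = frac_bits(X[N], 40) + frac_bits(X[2 * N], 40) + frac_bits(X[3 * N], 48)
    return "".join(f"{int(''.join(map(str, bits[k:k + 4])), 2):x}" for k in range(0, 128, 4))


if __name__ == "__main__":
    for m in ("abc", "abd", "abcd"):        # constructed inputs
        print(m, chaotic_hash(m))
```

Because X_N is taken straight into the digest, a change to the last character of the message already changes the output; the second and third passes are what make the earlier characters influence the later bits as well.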
For more details, the reader is referred to [15].

III. PROPOSED KEY AGREEMENT PROTOCOL
In this section, we propose a chaotic maps-based key agreement protocol. The proposed protocol does not require a verification table while achieving both mutual authentication and session key agreement between a server and a user. We list the notations used in this paper in Table I.
TABLE I. NOTATIONS
Symbol  Definition
U_i     User i
ID_i    User i's identity
PW_i    User i's password
K_s     The server's private key
sn      The session number
H(·)    A one-way hash function based on chaotic maps
E(·)    A symmetric key encryption algorithm
D(·)    A symmetric key decryption algorithm
SK_i    The session key constructed by the server and user i
⊕       The exclusive-or (XOR) operation

Different from the previous key agreement protocols [11, 13], where the server and user i share the hash value hPW = H(ID_i, PW_i), the server does not require any verification table in the proposed protocol. Before performing the key agreement protocol, the server first publishes the system parameters, including the Chebyshev polynomials, E(·), D(·), and H(·). Suppose a new user U_i with identity ID_i wants to communicate with the server to establish session keys. U_i randomly chooses his password PW_i and sends the pair (ID_i, H(PW_i)) to the server in person or through an existing secure channel. Upon receiving the message, the server juxtaposes ID_i and H(PW_i) from left to right as the pending message, and uses the one-way hash function H(·) to compute H(ID_i, H(PW_i)). Then the server computes Reg_i as follows:
  Reg_i = H(ID_i, H(PW_i)) ⊕ H(K_s)   (8)
where K_s is the server's private key.
After that, the server transmits Reg_i back to U_i over a secure channel. Note that U_i has to keep Reg_i secret.
The details of the proposed key agreement protocol are presented as follows.
1) U_i → Server: {sn, R_i, C1}
U_i first chooses three random numbers r_i, r, and v, where r_i ∈ [−1, 1] is the seed x of the Chebyshev polynomial of degree r and v is a nonce. Next, U_i computes the pair (R_i, K_i) as follows.
  R_i = Reg_i ⊕ H(v)   (9)
  K_i = H(ID_i, H(PW_i)) ⊕ H(v)   (10)
Then U_i encrypts ID_i, r_i, and T_r(x) with K_i:
  C1 = E_{K_i}(ID_i, r_i, T_r(x))   (11)
Finally, U_i transmits sn, R_i, and C1 to the server, where sn is the session number.
2) Server → U_i: {sn, ID_s, C2, AU_s}
Upon receiving the message, the server computes K_i = R_i ⊕ H(K_s), and extracts ID_i, r_i, and T_r(x) from C1 with K_i. The server first checks the validity of ID_i, and then chooses two random numbers s and r_t, where s is the degree of the Chebyshev polynomial and r_t is a nonce. Next, the server computes the pair (C2, SK_i) as follows.
  C2 = E_{K_i}(ID_s, r_t, T_s(x))   (12)
  SK_i = T_s(T_r(x)) = T_{rs}(x)   (13)
Finally, the server computes the authentication value AU_s and sends sn, ID_s, C2, and AU_s back to U_i.
  AU_s = H(ID_i, r_i, r_t, SK_i)   (14)
3) U_i → Server: {sn, AU_i}
After receiving the message, U_i extracts ID_s, r_t, and T_s(x) from C2 with K_i. Next, U_i computes the pair (SK_i, AU_s') as follows.
  SK_i = T_r(T_s(x)) = T_{rs}(x)   (15)
  AU_s' = H(ID_i, r_i, r_t, SK_i)   (16)
Then U_i checks whether AU_s and AU_s' are equal. If so, the identity of the server is authenticated. Next, U_i computes AU_i as follows.
  AU_i = H(ID_s, r_i, r_t, SK_i)   (17)
Finally, U_i sends sn and AU_i back to the server.
4) After receiving sn and AU_i, the server computes AU_i' as follows.
  AU_i' = H(ID_s, r_i, r_t, SK_i)   (18)
Then the server checks whether AU_i and AU_i' are equal. If so, the identity of U_i is authenticated.
After mutual authentication and key agreement between U_i and the server, SK_i is used as the shared session key.
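The registration step and the four-message exchange above run end to end, together with a check of the semi-group identity (6) from Section II-A on which the key agreement rests. This is an added example, not the authors' code. Stand-ins chosen here for what the paper leaves open, all assumptions: H(·) is SHA-256 truncated to 128 bits (the paper uses the chaotic hash of Section II-B), E/D is a toy XOR stream cipher keyed by SHA-256 with a random IV (the paper says only "a symmetric key encryption algorithm"), T_n(x) is evaluated exactly over rationals so that T_r(T_s(x)) and T_s(T_r(x)) agree bit for bit, and the identity "server-1", the user "alice" and the degree range 2..31 are example values.

```python
# Added example (not from the paper): the protocol of Section III with stand-in primitives.
import hashlib
import json
import os
import secrets
from fractions import Fraction


def chebyshev(n, x):
    """T_n(x) by the recurrence (2): T_0 = 1, T_1 = x, T_n = 2x T_{n-1} - T_{n-2}; exact over Fraction."""
    x = Fraction(x)
    t_prev, t = Fraction(1), x
    if n == 0:
        return t_prev
    for _ in range(n - 1):
        t_prev, t = t, 2 * x * t - t_prev
    return t


def semigroup_holds(r, s, x):
    """Property (6): T_r(T_s(x)) = T_s(T_r(x)) = T_rs(x), checked exactly."""
    return chebyshev(r, chebyshev(s, x)) == chebyshev(s, chebyshev(r, x)) == chebyshev(r * s, x)


def H(*fields):
    """Stand-in for H(.): 128-bit SHA-256 of the '|'-joined string forms of the fields."""
    return hashlib.sha256(b"|".join(str(f).encode() for f in fields)).digest()[:16]


def xor(a, b):
    return bytes(p ^ q for p, q in zip(a, b))


def keystream(key, iv, n):
    blocks = (hashlib.sha256(key + iv + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]


def E(key, *fields):
    """Toy E_K(.): random IV || plaintext xor keystream. Confidentiality only, no integrity."""
    pt = json.dumps([str(f) for f in fields]).encode()
    iv = os.urandom(16)
    return iv + xor(pt, keystream(key, iv, len(pt)))


def D(key, ct):
    """Toy D_K(.): inverse of E; returns the list of string fields."""
    return json.loads(xor(ct[16:], keystream(key, ct[:16], len(ct) - 16)).decode())


class Server:
    def __init__(self):
        self.Ks, self.IDs = os.urandom(32), "server-1"   # private key K_s and identity ID_s
        self.ids = set()          # registered identities only: no password verifier table
        self.pending = {}         # sn -> (ID_i, r_i, r_t, SK_i) while message 3 is awaited

    def register(self, ID, hPW):
        """Over a secure channel. Reg_i = H(ID_i, H(PW_i)) xor H(K_s)   (8)"""
        self.ids.add(ID)
        return xor(H(ID, hPW), H(self.Ks))

    def message2(self, sn, R, C1):
        K = xor(R, H(self.Ks))                             # K_i = R_i xor H(K_s)
        ID, ri, Trx = D(K, C1)
        if ID not in self.ids:
            raise ValueError("unknown identity")
        s, rt = secrets.randbelow(30) + 2, secrets.token_hex(8)
        SK = chebyshev(s, Trx)                             # SK_i = T_s(T_r(x))           (13)
        self.pending[sn] = (ID, ri, rt, SK)
        C2 = E(K, self.IDs, rt, chebyshev(s, ri))          # C2 = E_K(ID_s, r_t, T_s(x))   (12)
        return sn, self.IDs, C2, H(ID, ri, rt, SK)         # AU_s = H(ID_i, r_i, r_t, SK_i) (14)

    def message4(self, sn, AUi):
        ID, ri, rt, SK = self.pending.pop(sn)
        return AUi == H(self.IDs, ri, rt, SK)              # AU_i ?= AU_i'                 (18)


class User:
    def __init__(self, ID, PW, server):
        self.ID, self.hPW = ID, H(PW)
        self.Reg = server.register(ID, self.hPW)           # Reg_i is kept secret by U_i

    def message1(self, sn):
        self.ri = Fraction(secrets.randbelow(1999) - 999, 1000)      # seed x in (-1, 1)
        self.r, v = secrets.randbelow(30) + 2, secrets.token_hex(8)  # degree r and nonce v
        R = xor(self.Reg, H(v))                                       # R_i   (9)
        self.K = xor(H(self.ID, self.hPW), H(v))                      # K_i   (10)
        return sn, R, E(self.K, self.ID, self.ri, chebyshev(self.r, self.ri))   # C1 (11)

    def message3(self, sn, IDs, C2, AUs):
        IDs_inner, rt, Tsx = D(self.K, C2)
        self.SK = chebyshev(self.r, Tsx)                              # SK_i = T_r(T_s(x))  (15)
        if AUs != H(self.ID, self.ri, rt, self.SK):                   # AU_s ?= AU_s'       (16)
            raise ValueError("server authentication failed")
        return sn, H(IDs_inner, self.ri, rt, self.SK)                 # AU_i                (17)


def run_session(sn="sn-0001"):
    """One complete run; returns (server accepted U_i, both sides hold the same SK_i)."""
    server = Server()
    user = User("alice", "correct horse battery", server)
    m2 = server.message2(*user.message1(sn))
    SK_server = server.pending[sn][3]
    accepted = server.message4(*user.message3(*m2))
    return accepted, user.SK == SK_server
```

Note what the wire carries: R_i and C1 reveal neither ID_i nor Reg_i without H(K_s), which is the anonymity claim of the paper, and K_i is reconstructed on the server purely from R_i and its own secret, so no per-user verifier is stored. The toy cipher has no integrity protection; in this protocol that is tolerated because AU_s and AU_i are checked afterwards.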
IV. ANALYSIS OF OUR SCHEME
In this section, we show that our protocol can resist several notorious attacks. In addition, we provide a comparative study with other key agreement protocols.
A. Security Analysis
We first use Petri nets [14] to model and analyze the proposed protocol. Next, security properties of our protocol will be specified.
1) Petri Net Model: We used a Petri net to model our security protocol. The formal definition of a Petri net [16] is given in Table II. Petri nets are composed of graphical symbols designating places (drawn as circles), transitions (drawn as rectangles), and directed arcs (drawn as arrows). The places denote (atomic and composite) data items. The transitions denote decryption or decomposition operations. Arcs run between places and transitions.
When a transition fires, a composite data item is decomposed or decrypted, resulting in one or more simpler data items. Since we assume an open network environment, all data items in the transmitted messages are assumed to be public and known to the attacker. Initially there are tokens in the places representing the data items in the transmitted messages. From this initial marking, we can infer what an attacker can eventually know. Furthermore, we can also experiment with what an attacker can know if he happens to know certain additional items. The Petri net model of the proposed protocol is illustrated in Figure 2. The definitions of the places and transitions used in this model are listed in Table III and Table IV, respectively. The model is simulated with the HPSim Petri net simulation tool [17].

Fig. 2. A Petri net model of the proposed key agreement protocol

TABLE II. FORMAL DEFINITION OF A PETRI NET
A Petri net is a 5-tuple, PN = (P, T, F, W, M_0), where:
  P = {P_1, P_2, …, P_m} is a finite set of places,
  T = {T_1, T_2, …, T_n} is a finite set of transitions,
  F ⊆ (P × T) ∪ (T × P) is a set of arcs (flow relation),
  W : F → {1, 2, 3, …} is a weight function,
  M_0 : P → {0, 1, 2, 3, …} is the initial marking,
  P ∩ T = ∅ and P ∪ T ≠ ∅.
A Petri net structure N = (P, T, F, W) without any specific initial marking is denoted by N.
A Petri net with the given initial marking is denoted by (N, M_0).
TABLE III. DEFINITIONS OF PLACES
Place  Definition                     Place  Definition
P1     ID_i                           P23    T_s(x)
P2     H(PW_i)                        P24    ID_s
P3     H(v)                           P25    C2
P4     Reg_i                          P26    SK_i
P5     r_i                            P27    AU_s
P6     r                              P28    Packet {sn, ID_s, C2, AU_s}
P7     R_i                            P29    sn
P8     K_i                            P30    ID_s
P9     T_r(x)                         P31    AU_s
P10    C1                             P32    C2
P11    sn                             P33    ID_s
P12    Packet {sn, R_i, C1}           P34    r_t
P13    sn                             P35    T_s(x)
P14    C1                             P36    SK_i
P15    R_i                            P37    AU_s'
P16    H(K_s)                         P38    Success verification message
P17    K_i                            P39    AU_i
P18    ID_i                           P40    Packet {sn, AU_i}
P19    T_r(x)                         P41    sn
P20    r_i                            P42    AU_i
P21    s                              P43    AU_i'
P22    r_t                            P44    Success verification message

TABLE IV. DEFINITIONS OF TRANSITIONS
Trans.  Definition                                  Trans.  Definition
T1      Perform XOR operation to compute R_i        T13     Transmit {sn, ID_s, C2, AU_s}
T2      Compute K_i                                 T14     Split the packet
T3      Compute T_r(x)                              T15     Decrypt C2 with K_i
T4      Encrypt {ID_i, r_i, T_r(x)} with K_i        T16     Compute SK_i
T5      Transmit {sn, R_i, C1}                      T17     Compute AU_s'
T6      Split the packet                            T18     Check AU_s ?= AU_s'
T7      Perform XOR operation to compute K_i        T19     Compute AU_i
T8      Decrypt C1 with K_i                         T20     Transmit {sn, AU_i}
T9      Compute T_s(x)                              T21     Split the packet
T10     Encrypt {ID_s, r_t, T_s(x)} with K_i        T22     Compute AU_i'
T11     Compute SK_i                                T23     Check AU_i ?= AU_i'
T12     Compute AU_s

2) Security Properties: The security of the proposed protocol is based on the difficulty of the discrete logarithm problem (DLP) and the Diffie-Hellman problem (DHP), which are believed to be unsolvable in polynomial time. We first specify the mathematically hard problems [13] used in this paper.
Definition 2. The discrete logarithm problem (DLP) is defined as follows: given an element α, find the integer r such that T_r(x) = α.
Definition 3. The Diffie-Hellman problem (DHP) is defined as follows: given T_r(x) and T_s(x), find T_{rs}(x).
Now we show that our protocol can resist replay attacks, forgery attacks, and stolen-verifier attacks, and also analyze the following security properties: mutual authentication, user anonymity, and known-key security.
Theorem 1. The proposed protocol can resist a replay attack.
Proof. Assume an adversary A eavesdrops the messages {sn, R_i, C1} and {sn, AU_i} sent by U_i and replays them to log in to the system in a later session. Upon receiving the replayed message, the server computes K_i = R_i ⊕ H(K_s), and extracts ID_i, r_i, and T_r(x) from C1 with K_i. The server first checks the validity of ID_i, and then chooses two random numbers s* and r_t*. Next, the server computes the pair (C2*, SK_i*) as follows.
  C2* = E_{K_i}(ID_s, r_t*, T_{s*}(x))   (19)
  SK_i* = T_{s*}(T_r(x)) = T_{rs*}(x)   (20)
Finally, the server computes the authentication value AU_s* and sends sn, ID_s, C2*, and AU_s* back to A.
  AU_s* = H(ID_i, r_i, r_t*, SK_i*)   (21)
After receiving the message, A has to transmit {sn, AU_i*} back to the server. However, A cannot simply replay the earlier AU_i, since the random number r_t and the session key SK_i differ from session to session. As shown in Figure 2, computing AU_i is defined in transition T19, which has five input places, P5, P30, P34, P36, and P38. Place P34 is the value of r_t and place P36 is the value of SK_i. Having no knowledge of r_t* and SK_i*, the adversary cannot launch a replay attack. □
Theorem 2. The proposed protocol can resist a forgery attack.
Proof. If an adversary A wants to impersonate Ui, A has to create a valid authentication value AUi*. Assume A eavesdrops the message {sn, Ri, C1} sent by Ui and uses it to log in to the system in a later session. Upon receiving the message, the server computes Ki = Ri ⊕ H(Ks), and extracts IDi, ri, and Tr(x) from C1 with Ki. The server first checks the validity of IDi, and then chooses two random numbers s* and rt*. Next, the server computes the pair (C2*, SKi*) as follows.
C2* = EKi(IDs, rt*, Ts*(x)) (22)
SKi* = Ts*(Tr(x)) = Trs*(x) (23)
Finally, the server computes the authentication value AUs* and sends sn, IDs, C2*, and AUs* back to A.
AUs* = H(IDi, ri, rt*, SKi*) (24)
However, A cannot compute a correct authentication value AUi* = H(IDs, ri, rt*, SKi*) unless A can obtain Ki to get IDi, ri, and Tr(x) by decrypting C1 and to get IDs, rt*, and Ts*(x) by decrypting C2*, and can also derive r from Tr(x) to compute SKi*. Based on the difficulty of DLP, it is computationally infeasible to compute r from Tr(x). As shown in Figure 2, computing SKi* is defined in transition T16, which has two input places, P6 and P35. Place P6 is the value of r. Because A knows neither Ki nor SKi*, the adversary cannot compute a valid authentication value and hence cannot launch a forgery attack. □
Theorem 3. The proposed protocol can resist a stolen-verifier attack.
Proof. In a stolen-verifier attack, an adversary who steals the password verifier from the server uses it directly to masquerade as a legitimate user in an authentication run. Unlike the previous key agreement protocols [11, 13], in which the server and user Ui share the hash value hPW = H(IDi, PWi), the proposed protocol requires no verification table on the server. Since there is no verification table to steal, the proposed protocol prevents the stolen-verifier attack. □
Theorem 4. The proposed protocol can provide mutual authentication.
Proof. The security of the session key is based on the difficulty of DLP and DHP, which are believed to be unsolvable in polynomial time. Using equation (6), the session key between the server and Ui is established as follows:
SKi = Tr(Ts(x)) = Trs(x) = Ts(Tr(x)) (25)
As shown in Figure 2, computing a session key SKi is defined in transition T16 and transition T11. Therefore, Ui and the server can use the session key SKi in subsequent
TABLE V
COMPARISON OF SECURITY PROPERTIES
Property                 Xiao et al.'s protocol [11]   Yoon & Yoo's protocol [13]   Proposed protocol
Replay attacks           Insecure                      Secure                       Secure
Forgery attacks          Insecure                      Secure                       Secure
Stolen-verifier attacks  Insecure                      Insecure                     Secure
Mutual authentication    Not provided                  Provided                     Provided
User anonymity           Not provided                  Not provided                 Provided
Known-key security       Provided                      Provided                     Provided
Theorem 5. The proposed protocol can provide user anonymity.
Proof. If an adversary A eavesdrops the messages, he cannot extract the user's identity from the ciphertext C1 = EKi(IDi, ri, Tr(x)), since it is encrypted with Ki, which is unknown to the adversary. In addition, due to the use of the nonce, the messages submitted to the server are different in each session. As shown in Figure 2, decrypting C1 is defined in transition T8, which has two input places, P14 and P17. Place P17 is the value of Ki, which is known only to the user and the server. Hence, it is difficult for the adversary to discover a user's identity. Clearly, the proposed protocol can provide user anonymity. □
Theorem 6. The proposed protocol can provide known-key security.
Proof. Known-key security means that the compromise of one session key does not lead to the compromise of other secret keys or session keys. Even if a session key SKi is revealed to an adversary, he still cannot derive other session keys, since each session key is generated from fresh random numbers r and s. Hence, the proposed protocol achieves known-key security. □
We summarize the security properties of the key agreement protocols in Table V.
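To make the proofs above concrete, the following added example (not the paper's code) runs the login and key-agreement exchange that Theorems 1 to 6 analyse, with both sides' messages {sn, Ri, C1}, {sn, IDs, C2, AUs} and {sn, AUi}, the session key of equation (25) obtained through the semigroup property Tr(Ts(x)) = Ts(Tr(x)) = Trs(x) behind Definitions 2 and 3, and the server's verification of AUi. It also re-runs the Theorem 1 scenario: a captured first message is processed again by the server, and the old AUi is checked against the fresh rt* and SKi*. Assumptions made here: the Chebyshev polynomial Tn(x) is evaluated exactly over the rationals (the paper does not fix the arithmetic domain); each user holds Ri = Ki ⊕ H(Ks) from the registration phase, which lies outside this section; H is SHA-256 over a '|'-joined encoding; E/D is a hash-derived keystream XOR standing in for the unspecified symmetric cipher; the identities, keys and the parameter x are constructed values.

```python
"""Executable model of the login / key-agreement run analysed in Theorems 1-6.

Added example, not the paper's code. Assumptions: Tn(x) is evaluated exactly
over the rationals; the user holds Ri = Ki ⊕ H(Ks) from registration; H is
SHA-256 over a '|'-joined encoding; E/D is a toy keystream cipher standing in
for the unspecified symmetric cipher; all identities, keys and x are constructed.
"""
import hashlib
import hmac
import secrets
from fractions import Fraction


def cheb(n, x):
    """Tn(x) from T0 = 1, T1 = x, Tk = 2x·T(k-1) − T(k-2); exact for Fraction x."""
    prev, cur = Fraction(1), x
    if n == 0:
        return prev
    for _ in range(n - 1):
        prev, cur = cur, 2 * x * cur - prev
    return cur


def H(*parts):                                  # one-way hash H over the listed values
    return hashlib.sha256("|".join(str(p) for p in parts).encode()).digest()


def xor(a, b):
    return bytes(p ^ q for p, q in zip(a, b))


def keystream(key, label, n):                   # SHA-256(key||label||ctr) blocks
    blocks = (hashlib.sha256(key + label + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]


def E(key, label, fields):                      # toy symmetric encryption (stand-in)
    pt = "|".join(str(f) for f in fields).encode()
    return xor(pt, keystream(key, label, len(pt)))


def D(key, label, ct):                          # toy symmetric decryption
    return xor(ct, keystream(key, label, len(ct))).decode().split("|")


X = Fraction(3, 5)                                        # public parameter x (constructed)
KS = b"server-long-term-secret-Ks"                        # server secret Ks (constructed)
IDS = "server"
VALID_IDS = {"alice"}                                     # no password verifier is stored
KI = hashlib.sha256(b"alice-registration-key").digest()  # user key Ki (constructed)
RI = xor(KI, H(KS))                                       # Ri = Ki ⊕ H(Ks), held by the user


def user_login(IDi, Ki, Ri, sn):
    """User, transitions T1-T5: pick ri and r, send {sn, Ri, C1}."""
    ri, r = secrets.randbits(64), secrets.randbelow(40) + 2
    C1 = E(Ki, b"C1", [IDi, ri, cheb(r, X)])
    return {"sn": sn, "Ri": Ri, "C1": C1}, {"IDi": IDi, "Ki": Ki, "ri": ri, "r": r}


def server_respond(msg1):
    """Server, T6-T13: recover Ki, pick fresh s and rt, send {sn, IDs, C2, AUs}."""
    Ki = xor(msg1["Ri"], H(KS))                           # Ki = Ri ⊕ H(Ks)
    IDi, ri, Tr = D(Ki, b"C1", msg1["C1"])
    ri, Tr = int(ri), Fraction(Tr)
    if IDi not in VALID_IDS:                              # validity check on IDi
        raise ValueError("unknown identity")
    s, rt = secrets.randbelow(40) + 2, secrets.randbits(64)
    SK = cheb(s, Tr)                                      # Ts(Tr(x)) = Trs(x)
    C2 = E(Ki, b"C2", [IDS, rt, cheb(s, X)])
    AUs = H(IDi, ri, rt, SK)
    state = {"IDi": IDi, "ri": ri, "rt": rt, "SK": SK}
    return {"sn": msg1["sn"], "IDs": IDS, "C2": C2, "AUs": AUs}, state


def user_respond(st, msg2):
    """User, T14-T20: derive SKi, check AUs (T18), answer with AUi (T19)."""
    IDs, rt, Ts = D(st["Ki"], b"C2", msg2["C2"])
    rt, Ts = int(rt), Fraction(Ts)
    SK = cheb(st["r"], Ts)                                # Tr(Ts(x)) = Trs(x), eq. (25)
    if not hmac.compare_digest(H(st["IDi"], st["ri"], rt, SK), msg2["AUs"]):
        raise ValueError("server authentication failed")
    return {"sn": msg2["sn"], "AUi": H(IDs, st["ri"], rt, SK)}, SK


def server_verify(st, msg3):
    """Server, T21-T23: AUi' = H(IDs, ri, rt, SKi) must equal the received AUi."""
    return hmac.compare_digest(H(IDS, st["ri"], st["rt"], st["SK"]), msg3["AUi"])


def run_session(sn=1):
    """Full run: (server accepted the user, both sides hold the same SKi, transcript)."""
    msg1, ust = user_login("alice", KI, RI, sn)
    msg2, sst = server_respond(msg1)
    msg3, sk_user = user_respond(ust, msg2)
    return server_verify(sst, msg3), sk_user == sst["SK"], (msg1, msg3)


def replayed_session_accepted():
    """Theorem 1 check: the captured {sn, Ri, C1} is processed again, but the server
    now holds fresh rt* and SKi*, so the captured {sn, AUi} no longer verifies."""
    _, _, (msg1, msg3) = run_session()
    _, sst_new = server_respond(msg1)
    return server_verify(sst_new, msg3)
```

Two points of the analysis show up directly in the code: the server's state after `server_respond` contains no table entry for the user beyond the identity list (Theorem 3), and `replayed_session_accepted()` returns False because AUi binds the per-session rt and SKi (Theorem 1), exactly the two input places P34 and P36 of T19 named in the proof.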
B. Efficiency Analysis
In this section, we examine the performance of our proposed protocol. The evaluation parameters are defined in Table VI. The performance comparison among the proposed protocol, Xiao et al.'s protocol [11], and Yoon & Yoo's protocol [13] is presented in Table VII. We use the computational overhead as the metric to evaluate the performance of key agreement protocols. We can see from Table VII that the computations among these protocols are very similar. The only difference is that the proposed protocol takes a few more XOR operations and hash operations for each user and for the server, due to fixing the security weaknesses in Xiao et al.'s protocol [11] and Yoon and Yoo's protocol [13] and preserving user anonymity.
V. CONCLUSIONS
We propose a chaotic maps-based key agreement protocol that not only fixes the weaknesses of the existing chaotic maps-based key agreement protocols [11, 13], but also aims to
TABLE VI
EVALUATION PARAMETERS
Symbol  Definition
TX      Time for performing an XOR operation
TH      Time for performing a one-way hash function based on chaotic maps
TE      Time for performing a symmetric encryption operation
TD      Time for performing a symmetric decryption operation
TCM     Time for performing a Chebyshev chaotic map operation
TABLE VII
PERFORMANCE COMPARISON OF CHAOTIC MAPS-BASED KEY AGREEMENT PROTOCOLS
            Xiao et al.'s protocol [11]   Yoon & Yoo's protocol [13]   Proposed protocol
Per user    1TH + 1TE + 1TD + 2TCM        2TH + 1TE + 1TD + 2TCM       2TX + 5TH + 1TE + 1TD + 2TCM
The server  1TH + 1TE + 1TD + 2TCM        2TH + 1TE + 1TD + 2TCM       1TX + 3TH + 1TE + 1TD + 2TCM
protocol include: (1) it achieves mutual authentication between a server and a user; (2) it allows users to interact anonymously with the server to agree on session keys; (3) a server and a user can generate session keys. Moreover, we used Petri nets in the security analysis of the proposed protocol. Our analysis shows that the proposed protocol can successfully defend against replay attacks, forgery attacks, and stolen-verifier attacks.
REFERENCES
[1] W. Diffie and M. Hellman, "New directions in cryptography," IEEE Transactions on Information Theory, vol. 22, no. 6, Nov. 1976, pp. 644-654.
[2] F. Dachselt and W. Schwarz, "Chaos and cryptography," IEEE Transactions on Circuits and Systems I: Fundamental Theory and Applications, vol. 48, no. 12, Dec. 2001, pp. 1498-1509.
[3] L. Kocarev, "Chaos-based cryptography: a brief overview," IEEE Circuits and Systems Magazine, vol. 1, no. 3, 2001, pp. 6-21.
[4] L. M. Pecora and T. L. Carroll, "Synchronization in chaotic systems," Physical Review Letters, vol. 64, no. 8, Feb. 1990, pp. 821-824.
[5] J. Fridrich, "Symmetric ciphers based on two-dimensional chaotic maps," International Journal of Bifurcation and Chaos, vol. 8, no. 6, Jun. 1998, pp. 1259-1284.
[6] L. M. Pecora and T. L. Carroll, "Driving systems with chaotic signals," Physical Review A, vol. 44, no. 4, Aug. 1991, pp. 2374-2383.
[7] K. W. Wong, "A fast chaotic cryptographic scheme with dynamic look-up table," Physics Letters A, vol. 298, no. 4, Jun. 2002, pp. 238-242.
[8] L. Kocarev and Z. Tasev, "Public-key encryption based on Chebyshev maps," in Proceedings of the International Symposium on Circuits and Systems (ISCAS '03), vol. 3, May 2003, pp. III-28-III-31.
[9] J. C. Mason and D. C. Handscomb, Chebyshev Polynomials, Chapman & Hall/CRC, Boca Raton, Florida, 2003.
[10] P. Bergamo, P. D'Arco, A. Santis, and L. Kocarev, "Security of public-key cryptosystems based on Chebyshev polynomials," IEEE Transactions on Circuits and Systems I, vol. 52, no. 7, Jul. 2005, pp. 1382-1393.
[11] D. Xiao, X. Liao, and S. Deng, "A novel key agreement protocol based on chaotic maps," Information Sciences, vol. 177, no. 4, Feb. 2007, pp. 1136-1142.
[12] S. Han, "Security of a key agreement protocol based on chaotic maps," Chaos, Solitons & Fractals, vol. 38, no. 3, Nov. 2008, pp. 764-768.
[13] E. J. Yoon and K. Y. Yoo, "A new key agreement protocol based on chaotic maps," in Proceedings of The Second KES International Symposium on Agent and Multi-Agent Systems: Technologies and Applications (KES-AMSTA '08), Mar. 2008, pp. 897-906.
[14] C. A. Petri, "Kommunikation mit Automaten," Ph.D. Thesis, University of Bonn, 1962.
[15] D. Xiao, X. Liao, and S. Deng, "One-way hash function construction based on chaotic map with changeable-parameter," Chaos, Solitons & Fractals, vol. 24, no. 1, Apr. 2005, pp. 65-71.
[16] T. Murata, "Petri nets: Properties, analysis and applications," Proceedings of the IEEE, vol. 77, no. 4, Apr. 1989, pp. 541-580.
[17] HPSim 1.1 Petri nets simulation tool, copyright © 1999-2002 Henryk