The integral part can be evaluated and the result expressed in the form
(6)
where 2F1(·, ·; ·; ·) is the Gaussian confluent hypergeometric function. Let us define x = −m/d; then we can express (6) with the help of [7] as
(7)
Also using [7], we can express 2F1(Lm, 1/2; Lm + 1; x/(x − 1)) in terms of Lm · B_{x/(x−1)}(Lm, 0.5). Finally, putting this equation in (7), we obtain the strikingly simple result
P_b = Γ[Lm + 0.5] / (2√π Γ[Lm]) · B_{x/(x−1)}(Lm, 0.5)  (8)
where B_z(·, ·) is the incomplete beta function defined in [7]. The expression in (8) is plotted in Figs. 1 and 2 for selected numbers of diversity branches L and Nakagami parameter m. Fig. 1 shows L = 5, 4, 3, 2, 1 and m = 1 (Rayleigh). Fig. 2 shows L = 5, 4, 3 and m = 0.5 and 2. We have checked the results against the literature and perfect agreement exists [4].
Fig. 1 BER for BPSK in Nakagami fading (L = 5, 4, 3, 2, 1; m = 1)
[Figure: BER against Eb/N0; plot data not reproduced]
Fig. 2 BER for BPSK in Nakagami fading (L = 5, 4, 3; m = 2 and m = 0.5)
Since branch fading is assumed to be statistically independent, and the α_k's are Nakagami random variables, γ also follows the Nakagami distribution with parameter Lm [6], with the pdf
(3)
Results: The error probability performance can be obtained by averaging the probability of error conditioned on the fading over the pdf of (3). For BPSK the unconditional probability of error can be expressed as
Conclusion: A simple but exact expression has been derived for BPSK with an MRC receiver in Nakagami fading. The expression is valid for all values of m, fast to compute and computationally efficient.
Acknowledgment: The authors acknowledge the support of KFUPM.
© IEE 2002
Electronics Letters Online No: 20020997
DOI: 10.1049/el:20020997
A.B. Adinoyi and S.A. Al-Semari (Electrical Engineering Department, King Fahd University of Petroleum & Minerals, KFUPM Box 207, Dhahran 31261, Saudi Arabia)
E-mail: [email protected]
22 April 2002
References
1 SCHWARTZ, M., BENNETT, W.R., and STEIN, S.: 'Communication systems and techniques' (McGraw-Hill, 1966)
2 NAKAGAMI, M.: 'The m-distribution - a general formula of intensity distribution of rapid fading in statistical methods in radio wave propagation' in HOFFMAN, W.G. (Ed.): 'Statistical Methods in Radio Wave Propagation' (Pergamon, Oxford, England, 1960)
3 BRAUN, R., and DERSCH, U.: 'A physical mobile radio channel model', IEEE Trans. Veh. Technol., 1991, VT-40, pp. 472-482
4 AALO, V., and PATTARAMALAI, S.: 'Average error rate for coherent MPSK signals in Nakagami fading channel', Electron. Lett., 1996, 32, (17), pp. 1538-1539
5 ANNAMALAI, A.: 'Analysis of selection diversity on Nakagami fading channels', Electron. Lett., 1997, 33, (7), pp. 548-549
6 AL-HUSSAINI, E., and AL-BASSIOUNI, A.: 'Performance of MRC diversity systems for the detection of signals in Nakagami fading', IEEE Trans. Commun., 1985, 33, pp. 1315-1319
7 GRADSHTEYN, I.S., and RYZHIK, I.M.: 'Table of integrals, series, and products' (Academic Press, San Diego, CA, 1984)
P_b = (1/2) (m^{Lm} / Γ(Lm)) ∫_0^∞ erfc(√(dγ)) γ^{Lm−1} e^{−mγ} dγ  (4)
Now, define δ = d/(m(1 + d)) and P = γ m(1 + d), where d = Eb/N0; then the error probability can be written as
Improved Yen-Joye's authenticated multiple-key agreement protocol
Min-Shiang Hwang, Chih-Wei Lin and Cheng-Chi Lee
An authenticated multiple-key agreement protocol is proposed. The protocol is not only secure against the unknown-key attack but also more efficient than other protocols.
Introduction: Diffie and Hellman first proposed a key agreement protocol to establish a session key for two parties [1]. However, the protocol was later shown by Diffie et al. [2] to be vulnerable to the unknown-key attack, because the protocol did not include any key authentication process during the negotiation between the two parties [3, 4].
In 1997, Harn first proposed an authenticated key agreement protocol [5] without using a one-way hash function [6]. In 1998, Harn and Lin proposed an authenticated multiple-key agreement protocol based on the Diffie-Hellman distribution scheme [7]. There are two main features in this protocol: it operates without using a one-way hash function and it enables two communication entities to share multiple secret keys.
Later, Yen and Joye [8] indicated that the Harn-Lin protocol is not secure because an attacker can successfully forge a short-term public key pair and pass the verification equation. They then proposed an improved Harn-Lin protocol to get rid of this shortcoming. However, in 1999, Wu et al. [9] pointed out that the Yen-Joye protocol is insecure and can be successfully attacked in the same way as the Harn-Lin protocol. Wu et al. then proposed a protocol to enhance the security. Nevertheless, that protocol violated the original expectation of the Harn-Lin protocol that no one-way hash function should be used in the authenticated key agreement protocol.
In this Letter, we propose a modification of the Yen-Joye protocol. The modification not only improves the security but is also more efficient than Harn's protocol proposed in 2001 [10].
Review of Yen-Joye protocol: In this Section, we briefly review the Yen-Joye protocol [8]. There are two phases in the protocol. The first phase is the authentication phase, where two users exchange n temporary random public keys in an authenticated way. The second phase is the key-sharing phase, where the users share n² − 1 secret keys with each other.
There are two users, Alice and Bob, who want to establish multiple keys by the protocol. Here, we only describe what Alice has to do, because Bob has to do basically the same. Initially, the system has a large prime p, and α is a primitive element in GF(p). Alice has a long-term secret key x_A and the corresponding long-term public key y_A = α^{x_A} mod p. Then Alice randomly generates two short-term secret keys k_A1 and k_A2 and computes their corresponding short-term public keys r_A1 = α^{k_A1} mod p and r_A2 = α^{k_A2} mod p, respectively. The range of r_A1 and r_A2 is set to be (⌈p/2⌉, p − 1] so that no attacker can forge the keys.
Alice computes the signature s_A through r_A1 and r_A2 as
s_A = x_A − (r_A1 · r_A2) · k_A mod (p − 1)  (1)
where k_A = k_A1 · k_A2 mod p. Finally, Alice sends r_A1, r_A2, s_A, cert(y_A) to Bob, where cert(y_A) is a certificate for Alice's public key y_A. After receiving them, Bob verifies them via the following computation:
If it holds, Bob establishes the multiple secret keys in the second phase. Bob can derive the session keys as follows:
Here, three of the four keys can be used because of perfect forward secrecy [11]. Thus, three authenticated session keys can be established in this protocol.
Improved protocol: The Yen-Joye protocol is an improvement on the Harn-Lin protocol. However, according to Wu et al., the Yen-Joye protocol is no more secure than its predecessor. They pointed out that the Yen-Joye protocol cannot resist the same attack that bothers the Harn-Lin protocol. The attacker can forge a pair (r'_A1, r'_A2) in the range (⌈p/2⌉, p − 1] satisfying r'_A1 r'_A2 = r_A1 r_A2 with probability greater than 1/18. Although Wu et al. later proposed an enhanced protocol with a one-way hash function, this improved protocol violates the original expectation from the Harn-Lin protocol that no one-way hash function should be used in the authenticated multiple-key agreement protocol. In 2001, Harn and Lin proposed an improved authenticated multiple-key agreement protocol and claimed their protocol can eliminate the attack from [8, 9].
However, the Harn-Lin protocol is not as efficient as the Yen-Joye protocol. In this Letter, we propose two straightforward modifications to enhance the security of the Yen-Joye protocol. The proposed protocol can withstand the attack on Wu et al.'s scheme and is more efficient than [10]. First, we suggest that the pair of short-term public keys r_A1 and r_A2 in the generation phase should be prime numbers. This modification helps the new scheme prevent the attacker from forging another pair (r'_A1, r'_A2), because the prime numbers are unique. In addition, it obeys the original requirement of the Harn-Lin protocol that the range of r_A1 and r_A2 should be (1, p − 1). Secondly, we suggest that the greatest common divisor (GCD) of r_A1 and r_A2 should be equal to 1. This suggestion is to prevent the attacker from finding the factor q of r_A1 or r_A2. Furthermore, the range of r_A1 and r_A2 will fall in (⌈p/2⌉, p − 1) as the Yen-Joye protocol proposed. Both modifications to the Yen-Joye protocol make it secure against any forgery of the pair (r_A1, r_A2). Besides, our modified protocol is more efficient than the Harn-Lin protocol [10], because we perform the exponentiation computation only four times, fewer than the six times required by the Harn-Lin protocol.
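The two modifications above, written out as code (an added example, not the Letter's own implementation): Bob's acceptance test on the short-term public keys, Alice's generation loop that retries until the keys pass that test, and the signature of equation (1) as printed. The toy parameters p = 23 and α = 5, the interpretation of the range bound as ⌈p/2⌉ ≤ r ≤ p − 1, and all function names are assumptions made here.

```python
import math
import random

# Added example (not from the Letter): the short-term public-key constraints that
# Hwang, Lin and Lee add to the Yen-Joye protocol, as a receiver-side check and a
# sender-side generator.  p, alpha, x_A, k_A1, k_A2, r_A1, r_A2 and s_A follow the
# Letter's notation; the interval is read as ceil(p/2) <= r <= p-1 (an assumption,
# the scanned brackets are ambiguous).

def is_prime(n: int) -> bool:
    """Deterministic trial division; adequate for the toy-sized p used here."""
    if n < 2:
        return False
    for d in range(2, math.isqrt(n) + 1):
        if n % d == 0:
            return False
    return True

def short_term_keys_valid(p: int, r1: int, r2: int) -> bool:
    """Bob's acceptance test on (r_A1, r_A2) under the two proposed modifications:
    both in the Yen-Joye range, both prime, and gcd(r_A1, r_A2) = 1."""
    lo = -(-p // 2)                      # ceil(p/2)
    in_range = lo <= r1 <= p - 1 and lo <= r2 <= p - 1
    return in_range and is_prime(r1) and is_prime(r2) and math.gcd(r1, r2) == 1

def generate_short_term_keys(p: int, alpha: int, rng: random.Random):
    """Alice keeps drawing k_A1, k_A2 until r_Ai = alpha^k_Ai mod p pass the test.
    Returns (k_A1, k_A2, r_A1, r_A2)."""
    while True:
        k1, k2 = rng.randrange(1, p - 1), rng.randrange(1, p - 1)
        r1, r2 = pow(alpha, k1, p), pow(alpha, k2, p)
        if short_term_keys_valid(p, r1, r2):
            return k1, k2, r1, r2

def sign(p: int, x_a: int, k1: int, k2: int, r1: int, r2: int) -> int:
    """Equation (1) as printed in the Letter:
    s_A = x_A - (r_A1 * r_A2) * k_A mod (p - 1), with k_A = k_A1 * k_A2 mod p."""
    k_a = (k1 * k2) % p
    return (x_a - (r1 * r2) * k_a) % (p - 1)

def demo():
    p, alpha = 23, 5          # constructed toy parameters; 5 is a primitive root mod 23
    rng = random.Random(7)
    x_a = 9                   # constructed long-term secret key
    k1, k2, r1, r2 = generate_short_term_keys(p, alpha, rng)
    s_a = sign(p, x_a, k1, k2, r1, r2)
    # the relation equation (1) encodes, checked with the secret values Alice holds
    ok = (s_a + (r1 * r2) * ((k1 * k2) % p)) % (p - 1) == x_a % (p - 1)
    return r1, r2, s_a, ok
```

With p = 23 the only candidates that pass the test are the primes 13, 17 and 19, so the generator loops until α^k lands on two distinct ones.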
Conclusion: We have proposed an improved scheme to enhance the security of the Yen-Joye protocol. We require that r_A1 and r_A2 should be primes or GCD(r_A1, r_A2) should be equal to 1 to withstand the attack of forging another pair (r'_A1, r'_A2) such that r'_A1 · r'_A2 = r_A1 · r_A2. The pair r_A1 and r_A2 should be made unique so that no attacker can find another pair to replace them. Furthermore, the Harn-Lin protocol [10] uses six exponentiation computations, while the Yen-Joye scheme takes only four. That means the Harn-Lin protocol is less efficient.
In this Letter, we have proposed two straightforward modifications to withstand the forgery attack on the Yen-Joye protocol. The proposed protocol retains the original expectation of the Harn-Lin protocol that the range of the short-term public key be (1, p − 1). Furthermore, the new protocol uses fewer exponentiation computations than the Harn-Lin protocol [10].
Acknowledgment: This research was partially supported by the National Science Council, Taiwan, R.O.C., under contract no. NSC90-2213-E-324-004.
© IEE 2002
Electronics Letters Online No: 20020998
DOI: 10.1049/el:20020998
Min-Shiang Hwang and Chih-Wei Lin (Institute of Networks and Communications, Chaoyang University of Technology, 168 Gifeng E. Rd., Wujeng, Taichung County, Taiwan 413, R.O.C.)
E-mail: [email protected]
Cheng-Chi Lee (Department of Computer and Information Science, National Chiao-Tung University, 1001 Ta Hsueh Road, Hsinchu, Taiwan, R.O.C.)
8 April 2002
References
1 DIFFIE, W., and HELLMAN, M.: 'New directions in cryptology', IEEE Trans. Inf. Theory, 1976, IT-22, (6), pp. 644-654
2 DIFFIE, W., VAN OORSCHOT, P.C., and WIENER, M.J.: 'Authentication and authenticated key exchanges', Des., Codes Cryptogr., 1992, 2, (2), pp. 107-125
3 LEE, C.C., HWANG, M.S., and LI, L.H.: 'A new key authentication scheme based on discrete logarithms', Appl. Math. Comput. (to be published)
4 LU, E.J.L., and HWANG, M.S.: 'An improvement of a simple authenticated key agreement algorithm', Pak. J. Appl. Sci., 2002, 2, (1), pp. 64-65
5 HARN, L.: 'Digital signatures for Diffie-Hellman public keys without using one-way function', Electron. Lett., 1997, 33, (2), pp. 125-126
6 HWANG, M.S., CHANG, C.C., and HWANG, K.F.: 'A watermarking technique based on one-way hash functions', IEEE Trans. Consum. Electron., 1999, 45, (2), pp. 286-294
7 HARN, L., and LIN, H.Y.: 'An authenticated key agreement protocol without using one-way functions'. Proceedings of the 8th National Conference on Information Security, Kaohsiung, Taiwan, May 1998, pp. 155-160
8 YEN, S.M., and JOYE, M.: 'Improved authenticated multiple-key agreement protocol', Electron. Lett., 1998, 34, (18), pp. 1738-1739
9 WU, T.S., HE, W.H., and HSU, C.L.: 'Security of authenticated multiple-key', Electron. Lett., 1999, 35, (5), pp. 391-392
10 HARN, L., and LIN, H.Y.: 'Authenticated key agreement without using one-way hash functions', Electron. Lett., 2001, 37, (10), pp. 629-630
11 LIN, C.H., and LEE, P.J.: 'Security of interactive DSA batch verification', Electron. Lett., 1994, 30, (19), pp. 1592-1593
Key function of normal basis multipliers in GF(2^n)
Haining Fan and Yiqi Dai
A new definition of the key function in GF(2^n) is given. Based on this definition, a method to speed up software implementations of normal basis multiplication is presented. It is also shown that the normal basis with maximum complexity can be used to design low complexity multipliers. In particular, it is shown that the circuit complexity of a type I optimal normal basis multiplier can be further reduced.
Introduction: An important advance in GF(2^n) arithmetic is the Massey-Omura algorithm. It is well known that the realisation of GF(2^n) operations can be made more efficient by choosing an optimal normal basis or a low complexity normal basis [1]. Since the complexity of normal basis multipliers depends on the choice of key function for multiplication, it is desirable to have a key function with minimal complexity to implement the multiplication algorithm [2].
In this Letter, we give a new definition of the key function and present a method to speed up software implementations of normal basis multiplication. We also show that the circuit complexity of a type I optimal normal basis multiplier can be further reduced.
Preliminaries: Let γ be an element of GF(2^n); for simplicity, denote γ^{2^i} by γ_i. Given a normal basis N = {β_0, β_1, β_2, ..., β_{n−1}} of GF(2^n) over GF(2), a field element A can be represented by a binary vector (a_0, a_1, ..., a_{n−1}) with respect to this basis as A = Σ_{i=0}^{n−1} a_i β_i, where a_i ∈ GF(2) and i = 0, 1, ..., n − 1. For 1 ≤ i ≤ n − 1, let β_0 β_i = Σ_{j=0}^{n−1} λ_{i,j} β_j be the expansion of β_0 β_i with respect to the normal basis N, λ_{i,j} ∈ GF(2). Let R = {0, 1, ..., n − 1}, S_i = {j | λ_{i,j} = 1}, h_i = |S_i|, and T_i = {j | λ_{i,j} = 0}. Obviously, S_i ∩ T_i = ∅ and S_i ∪ T_i = R. Write S_i as S_i = {w_{i,1}, w_{i,2}, ..., w_{i,h_i}}, where 0 ≤ w_{i,1} < w_{i,2} < ... < w_{i,h_i} ≤ n − 1. Clearly, β_0 β_i = Σ_{k=1}^{h_i} β_{w_{i,k}}. Note that for a particular normal basis N the representation of β_0 β_i is fixed, and so is w_{i,k}. Let ⟨x⟩ denote the non-negative residue of x mod n. D = AB can be computed by the following identity [1, 3]:
D = AB = Σ_{i=0}^{n−1} Σ_{j=0}^{n−1} a_i b_j β_i β_j
So we have
D = (B&A)_1 + Σ_{i=1}^{n−1} Σ_{k=1}^{h_i} (B&A_{n−i})_{w_{i,k}} = (B&A)_1 + Σ_{i=1}^{n−1} Σ_{k∈S_i} (B&A_{n−i})_k
Based on this identity and the symmetry of S_i [1, 3], a multiplication algorithm is given in [3].
Let D = (d_0, d_1, ..., d_{n−1}) be the binary vector of D = AB with respect to the normal basis N; the key function f of N is defined as follows [1]:
Recall that S_i is defined as S_i = {j | λ_{i,j} = 1}. When k = n − 1 − j runs through S_i, we have
The circuit complexity of a normal basis multiplier depends on the key function for multiplication. In [2], the complexity of multiplication with respect to the normal basis N is defined as the quantity C_N = 1 + Σ_{i=1}^{n−1} h_i, where h_i = |S_i|.
New key function: Recall that the trace function of A ∈ GF(2^n) over GF(2) is defined as Tr(A) = Σ_{i=0}^{n−1} A_i. In particular, Tr(A) equals the least significant bit of A's Hamming weight in GF(2^n). In software implementations Tr(A) can be found easily in a look-up table. For example, if we create a table with 2^16 entries on a 32-bit microprocessor, the cost to compute A's Hamming weight is nearly twice that of a field addition operation. When B&A_{n−i} = (a_i b_0, a_{⟨i+1⟩} b_1, ..., a_{⟨i+n−1⟩} b_{n−1}) is treated as a field element,
Tr(B&A_{n−i}) = Σ_{k∈R} (B&A_{n−i})_k = Σ_{k∈S_i} (B&A_{n−i})_k + Σ_{k∈T_i} (B&A_{n−i})_k
Hence, if |S_i| − |T_i| > c (the constant c depends on the cost to compute Tr(A); for example, c = 2), then Σ_{k∈S_i} (B&A_{n−i})_k can be computed faster by the identity:
Σ_{k∈S_i} (B&A_{n−i})_k = Tr(B&A_{n−i}) + Σ_{k∈T_i} (B&A_{n−i})_k
Now define δ_i = …, where i = 1, 2, ..., n − 1. We have
D = (B&A)_1 + Σ_{i=1}^{n−1} Σ_{k∈S_i} (B&A_{n−i})_k
Thus the software normal basis multiplication algorithms of [3], which are designed for all normal bases of GF(2^n), can be sped up by the following method: first, select the i's such that |S_i| − |T_i| > c (for example, c = 2); then, for each selected i, compute Σ_{k∈S_i} (B&A_{n−i})_k using the identity Σ_{k∈S_i} (B&A_{n−i})_k = Tr(B&A_{n−i}) + Σ_{k∈T_i} (B&A_{n−i})_k. This method saves |S_i| − |T_i| field addition operations for each selected i (excluding the computation of Tr(B&A_{n−i})). In particular, when N is a type I optimal normal basis, the only i satisfying |S_i| − |T_i| > c is n/2. In this case,
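As an added illustration (not the Letter's own code; all names here are ours), the identity Σ_{k∈S_i} (B&A_{n−i})_k = Tr(B&A_{n−i}) + Σ_{k∈T_i} (B&A_{n−i})_k over bit vectors in normal-basis coordinates, with Tr taken from a 2^16-entry parity table as the text suggests, together with the selection rule |S_i| − |T_i| > c. The S_i = R case in the test reflects a known property of a type I optimal normal basis (β_0 β_{n/2} = 1 = Σ_j β_j, so S_{n/2} = R); that property is supplied here, not stated on the page.

```python
# Added example, not code from the Letter: the trace identity for the inner sum.
# x is the bit vector B&A_{n-i} in normal-basis coordinates (bit k = coordinate k),
# S_i is a bitmask over R = {0, ..., n-1}, and over GF(2)
#     sum_{k in S_i} x_k = Tr(x) + sum_{k in T_i} x_k,   T_i = R \ S_i,
# because Tr(x) is the sum of all coordinates, i.e. the parity of x.  Names are ours.

# 2^16-entry table, as the text suggests for a 32-bit processor (two lookups per word)
PARITY16 = bytes(bin(v).count("1") & 1 for v in range(1 << 16))

def trace(x: int) -> int:
    """Tr(x): least significant bit of the Hamming weight, 16 bits per table lookup."""
    t = 0
    while x:
        t ^= PARITY16[x & 0xFFFF]
        x >>= 16
    return t

def popcount(mask: int) -> int:
    return bin(mask).count("1")

def sum_direct(x: int, s_mask: int) -> int:
    """sum_{k in S_i} x_k by adding the |S_i| selected coordinates."""
    return trace(x & s_mask)

def sum_via_trace(x: int, s_mask: int, n: int) -> int:
    """The same sum as Tr(x) + sum_{k in T_i} x_k: |T_i| terms instead of |S_i|."""
    t_mask = ((1 << n) - 1) & ~s_mask
    return trace(x) ^ trace(x & t_mask)

def use_trace_for(s_mask: int, n: int, c: int = 2) -> bool:
    """Selection rule from the Letter: use the identity when |S_i| - |T_i| > c."""
    h = popcount(s_mask)
    return h - (n - h) > c

def additions_saved(s_mask: int, n: int) -> int:
    """Field additions saved for a selected i, excluding the cost of Tr: |S_i| - |T_i|."""
    h = popcount(s_mask)
    return h - (n - h)
```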