A Provably Secure Identity-based Authenticated Multiple Key Agreement Protocol (English version)
A Provably Secure Anonymous Authenticated Key Agreement Protocol
2018, 54(5)
1 Introduction
As the Internet spreads, more and more entities need to exchange information in complex network environments.
To interact securely, the participants first need to establish a reliable session channel.
Key agreement [1-3] is a common way to set up such a channel; when authentication [4] is added to key agreement, the resulting protocols are called authenticated key exchange (AKE) protocols.
Authentication during key agreement is usually achieved with digital signatures, but that approach is unsuitable in environments where sensitive information is transmitted.
For example, a content consumer may want to prove only that its identity is legitimate in order to download content, without revealing which identity it is; a trusted computing platform may need to download or upload sensitive content over the Internet [5]; and in classified environments, communication between devices must be authenticated anonymously.
To address these needs, anonymous authenticated key exchange (AAKE) protocols [6-8] have been proposed.
Compared with traditional AKE, AAKE schemes offer the property of "communication binding (CB)".
For a user who must remain anonymous, binding the exchanged messages to the communicating peer is essential [9].
Several AAKE schemes with the CB property have been proposed. In 2010 an AAKE scheme based on DAA (Direct Anonymous Attestation) [10] was presented; it considers anonymity for only one of the participants and uses the shared session key to manage the anonymous session.
To remove that limitation, Hwang et al. [9] proposed an AKE scheme in which both participants are anonymous; it uses the fingerprint-based linkability control of DAA signatures to achieve strong CB.
However, all of the above schemes rely on DAA signatures as the basis of anonymous authentication.
DAA is an anonymous signature scheme built on zero-knowledge proofs, so DAA signatures are long and generating and verifying them is computationally expensive.
In environments with constrained communication resources, that cost is a clear bottleneck for deployment.
An IKEv2-based Authentication and Key Agreement Protocol for the Internet of Things
MA Qiaomei (Department of Computer Science, Baoji University of Arts and Sciences, Baoji 721016). Computer & Digital Engineering, 2013, 41(4), pp. 628-630. Language: Chinese. CLC number: TP393.
Abstract: In the Internet of Things, the key security authentication protocol runs mainly between the server and the nodes. If a node's identity is spoofed, the server receives false data; if the server's identity is spoofed, the information the node reports to the server is leaked. Aiming at these attacks, this paper improves the Internet Key Exchange protocol IKEv2 and refines its authentication function so as to better secure communication between the server and the nodes.
What "publickey,gssapi-with-mic" means
Public key and GSSAPI-with-MIC are two SSH user-authentication methods (RFC 4252 and RFC 4462). The string "publickey,gssapi-with-mic" is the comma-separated list of methods an SSH server advertises to the client, which is what `ssh -v` shows in a line such as `debug1: Authentications that can continue: publickey,gssapi-with-mic`.
This article briefly introduces and discusses the two methods.
1. Public Key
Public-key (asymmetric) cryptography uses two different keys: a public key that can be distributed freely and a private key known only to its holder. This differs from symmetric encryption, where one shared key both encrypts and decrypts.
Public-key algorithms are the basis of digital signatures, public-key encryption and key agreement, and are used throughout network security.
In TLS, for example, the server sends the client a certificate containing its public key; the client verifies the certificate chain with the issuing CA's public key (not with the server's own key), and the server's key then authenticates the key exchange: in TLS 1.3 and in TLS 1.2 with (EC)DHE the server signs the handshake, while in the legacy RSA key exchange the client encrypted the pre-master secret to the server's public key.
Only the holder of the matching private key can complete that step, which is what proves the server's identity.
In SSH public-key authentication the same idea applies: the server holds the user's public key in authorized_keys and the client proves possession of the private key by signing session-specific data. The private key must be protected carefully; if it leaks, an attacker can impersonate the legitimate user.
2. GSSAPI-with-MIC
GSSAPI (Generic Security Services Application Program Interface, RFC 2743) is a generic security API that provides authentication, integrity and confidentiality services so that applications can use different security mechanisms (most commonly Kerberos) without knowing their details.
GSSAPI-with-MIC is the SSH method name from RFC 4462. It runs a GSSAPI context establishment inside the SSH user-authentication exchange and then has the client produce a MIC (message integrity check) with the GSS_GetMIC call over the SSH session identifier and the user-auth request. The MIC is a keyed integrity token computed under the established security context, not a plain hash; binding it to the session identifier is what ties the Kerberos authentication to this particular SSH connection and prevents it from being relayed elsewhere.
GSSAPI itself is also used by LDAP (SASL/GSSAPI), HTTP (SPNEGO) and other protocols; Kerberos is normally the mechanism behind it rather than a separate consumer of it.
In SSH, gssapi-with-mic is the method that lets a user who already holds a Kerberos ticket log in without a password or a key pair, with the server verifying the ticket and the MIC.
A Provably Secure Authenticated Key Agreement Protocol in the Standard Model
DENG Fan, DENG Shaofeng, LI Yifa (School of Information Engineering, Information Engineering University, Zhengzhou 450002). Computer Engineering and Applications, 2011, 47(13), pp. 106-109. Language: Chinese. CLC number: TP309.
Abstract: This paper presents an identity-based authenticated key exchange protocol in the standard model. The design is built on bilinear pairings. Strand-space reasoning and the game-based method of provable security are used together: the correctness of the protocol is analysed and a strict proof is given. The protocol provides good forward security and session keys that are not escrowed by the key generation center. Through explicit authentication it improves the efficiency of protocol execution, and its computational and communication efficiency is comparable to that of protocols proven secure in the random oracle model.
An Efficient and Strongly Secure Identity-based Authenticated Key Agreement Protocol
Article number: 1001-9081(2012)01-0095-04. doi: 10.3724/SP.J.1087.2012.00095
Abstract: Most existing identity-based (ID) authenticated protocols are proven secure in the Canetti-Krawczyk (CK) model, which is weaker than the extended CK (eCK) model. Based on the NAXOS trick, a new protocol using bilinear pairings is designed and proven secure in the eCK model under the random oracle assumption and the Gap Bilinear Diffie-Hellman (GBDH) assumption. Compared with other ID-based authenticated protocols, the new protocol has lower computational and communication complexity; it satisfies master-key forward secrecy and perfect forward secrecy, and resists key-compromise impersonation.
Key words: authentication; key agreement; identity-based; bilinear pairing; random oracle; GBDH assumption. CLC number: TP309.2. Document code: A.
0 Introduction
Key agreement is an important part of secure communication.
An Identity-based End-to-End Authentication and Key Agreement Protocol for Mobile Environments
SHAO Lin, LI Hui, YANG Yixian
(Information Security Center, National Key Laboratory of Networking & Switching Technology, Beijing University of Posts & Telecommunications, Beijing 100876, China)
Application Research of Computers, Vol. 25 No. 8, Aug. 2008
Recovered fragments (the extraction interleaved the two columns; sentences are cut where the source is):
Abstract: This paper provides a new authentication mechanism using identity, in view of the concept of ECC, based on the ... key agreement protocol in mobile communication ...
Introduction: Although 3G has greatly improved security in authentication and key management, it still lacks application-domain security and does not provide transparent communication security ...
... (PKG). Compared with the traditional public-key cryptosystem, an IBE system is simpler: the key generation center only has to complete user identity authentication, private-key generation and secure delivery; in most cases ...
A Secure and Efficient Verifiably Encrypted Signature Scheme
PAN Shuai, GAO Dezhi, ZHAI Zhengyuan, LI Xiaolin
Abstract: Because the fairness of existing verifiably encrypted signature (VES) schemes depends entirely on the neutrality of the adjudicator, a secure and efficient identity-based VES scheme is proposed on the basis of Shim's signature scheme.
In the scheme the adjudicator signs a guarantee, which prevents it from refusing to recover the ordinary signature when resolving a dispute and thereby strengthens the fairness of the signature-exchange protocol.
Compared with previous schemes, the proposed scheme needs very few pairing operations and offers stronger fairness.
The scheme is proven secure in the random oracle model under the assumption that the CDH problem is hard.
A Brief Classification of Security Protocols
Security protocols can be classified by their goal and function.
Several common categories:
1. Communication confidentiality protocols: protect the confidentiality of the communicated content so that only authorized parties can read it.
The typical example is TLS (Transport Layer Security) and its deprecated predecessor SSL (Secure Sockets Layer); in practice TLS also provides integrity and server (optionally client) authentication, so it belongs to several of the categories below.
2. Authentication protocols: verify the identity of a user or host so that only legitimate principals can act or access resources.
Examples are Kerberos and OpenID Connect. OAuth 2.0 is strictly an authorization framework for delegating access; OpenID Connect adds the authentication layer on top of it.
3. Key agreement protocols: let two or more communicating entities derive a shared key for subsequent encrypted communication.
The classic example is Diffie-Hellman key exchange. On its own it is unauthenticated and therefore open to man-in-the-middle attacks, which is why deployed protocols such as TLS and IKEv2 authenticate the exchange with signatures, certificates or pre-shared keys.
4. Audit protocols and logging: track and record security-relevant events in a system for later auditing and monitoring.
Such records help detect and respond to potential threats, provided the log channel itself is integrity-protected.
5. Replay-prevention mechanisms: stop an attacker who records one or more messages of a protocol run from resending them later to the target.
The usual building blocks are timestamps, nonces (fresh random values) and sequence numbers, each bound into a MAC or signature so the receiver can reject stale or repeated messages.
6. Cryptographic protocols: protocols that combine cryptographic operations (encryption, decryption, signing, verification) to solve a security problem.
Note that RSA, AES and MD5 are cryptographic primitives rather than protocols: RSA is an asymmetric algorithm, AES a block cipher, and MD5 a hash function whose collision resistance is broken and which should no longer be used for security purposes.
The categories above overlap; each protocol has its own function and goal and answers a different security need.
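Category 3 above names Diffie-Hellman as the example of a key agreement protocol. The program below is an added example, not code from the original page: it runs a finite-field Diffie-Hellman exchange over the 2048-bit MODP group of RFC 3526 (group 14), validates the peer's public value, derives a session key with HKDF-SHA256 (RFC 5869) and finishes with a transcript-bound key-confirmation MAC. The transcript layout, the "dh-example v1" label and the confirmation-MAC format are assumptions made for this illustration. It also shows what key confirmation does and does not buy: a substituted public value is caught because the two sides derive different keys, but an active man-in-the-middle who runs two separate exchanges would pass this check, which is why deployed protocols authenticate the exchange.

```python
"""Finite-field Diffie-Hellman with HKDF key derivation and key confirmation.

Added example; it is not code from the original page. Group: the 2048-bit
MODP group of RFC 3526 (group 14), generator 2. Key derivation: HKDF-SHA256
(RFC 5869). The transcript layout, the "dh-example v1" label and the
confirmation-MAC format are assumptions made for this illustration.
"""
import hashlib
import hmac
import secrets

# RFC 3526 group 14 prime (2048-bit MODP)
P_HEX = (
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF"
)
P = int(P_HEX, 16)
G = 2
Q = (P - 1) // 2                      # p is a safe prime, so <2> has prime order q
P_BYTES = (P.bit_length() + 7) // 8   # 256


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """HKDF extract-then-expand (RFC 5869); an empty salt acts as an all-zero key."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def keygen():
    """Private exponent in [2, q-1] and the public value g^x mod p."""
    x = 2 + secrets.randbelow(Q - 2)
    return x, pow(G, x, P)


def validate_public(y: int) -> None:
    """Reject 0, 1, p-1 and anything outside the order-q subgroup; such values
    would let a peer force the shared secret into a tiny, guessable set."""
    if not 1 < y < P - 1:
        raise ValueError("public value out of range")
    if pow(y, Q, P) != 1:
        raise ValueError("public value not in the prime-order subgroup")


def shared_secret(x: int, peer_y: int) -> bytes:
    validate_public(peer_y)
    return pow(peer_y, x, P).to_bytes(P_BYTES, "big")


def derive_keys(z: bytes, transcript: bytes):
    """Bind the keys to both public values: returns (session key, confirmation key)."""
    okm = hkdf_sha256(z, salt=b"", info=b"dh-example v1|" + transcript, length=64)
    return okm[:32], okm[32:]


def confirm_tag(kc: bytes, role: bytes, transcript: bytes) -> bytes:
    return hmac.new(kc, role + b"|" + transcript, hashlib.sha256).digest()


def dh_exchange(tamper: bool = False):
    """Run a full exchange between Alice and Bob.

    With tamper=True an on-path attacker substitutes its own public value for
    Bob's before Alice sees it (a constructed scenario). Returns
    (keys_match, alice_accepts_bob_tag, bob_accepts_alice_tag).
    """
    a, pub_a = keygen()
    b, pub_b = keygen()
    pub_b_seen_by_alice = pub_b if not tamper else keygen()[1]

    ta = pub_a.to_bytes(P_BYTES, "big") + pub_b_seen_by_alice.to_bytes(P_BYTES, "big")
    tb = pub_a.to_bytes(P_BYTES, "big") + pub_b.to_bytes(P_BYTES, "big")

    k_a, kc_a = derive_keys(shared_secret(a, pub_b_seen_by_alice), ta)
    k_b, kc_b = derive_keys(shared_secret(b, pub_a), tb)

    # Each side MACs its role and its own view of the transcript; the peer recomputes it.
    tag_a = confirm_tag(kc_a, b"A", ta)
    tag_b = confirm_tag(kc_b, b"B", tb)
    alice_ok = hmac.compare_digest(tag_b, confirm_tag(kc_a, b"B", ta))
    bob_ok = hmac.compare_digest(tag_a, confirm_tag(kc_b, b"A", tb))
    return k_a == k_b, alice_ok, bob_ok


if __name__ == "__main__":
    print("honest run:", dh_exchange())
    print("substituted public value:", dh_exchange(tamper=True))
```

The subgroup check in `validate_public` is the step most often skipped in hand-rolled DH; without it a peer can send a small-order element and learn bits of the private exponent. Key confirmation only proves that both sides hold the same key and saw the same public values; authenticating who the peer is requires a signature, certificate or pre-shared key on top of this exchange.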
A New Identity-based Authenticated Key Agreement Protocol (身份基认证密钥协商协议)
Recovered fragments of a garbled extraction; each fragment is cut where the source is.
Preliminaries fragment: $\hat e: G_1 \times G_1 \to G_2$ is a bilinear pairing defined on the groups $G_1$ and $G_2$. Given the input $(P, xP, yP, zP, W)$ with $x, y, z \in Z_q^*$ and $W \in G_2$, decide whether $W = \hat e(P, P)^{xyz}$ (the decisional bilinear Diffie-Hellman problem). A second fragment refers to a tuple $(g', g'^{a}, g, g^{a}, \cdots) \in G_1$ whose definition is lost.
Introduction fragment: ... as society becomes more information-dependent, the security problems of e-commerce, e-government and enterprise informatization, which touch people's daily lives, have become a focus of public concern, and security in network communication attracts ever more attention. Authenticated key agreement protocols provide an important guarantee for secure communication in open networks: they allow two (or more) parties, on the basis of identity authentication, to jointly negotiate a secure shared session key from the information each contributes, establishing a secret channel for subsequent confidential communication and thereby ensuring the confidentiality and integrity of data. In 1976, Diffie and Hellman first proposed the [concept of] public-key cryptography ...
Abstract fragment: ... a new two-round two-party authenticated key agreement protocol; by analysing the security attributes of the new protocol, some principles for constructing two-party authenticated key agreement protocols are pointed out. The protocol achieves mutual authentication of the two communicating parties, so that each can confirm the identity of the other, and also provides key agreement.
Key words: identity-based; authenticated key agreement; security attributes; bilinear pairing. CLC number: TP393. PKG: private key generator.
Related-work fragment: ... many practical identity-based encryption schemes and key agreement protocols, as well as improved protocols, were proposed subsequently [5-14] ... two-party and multi-party ... on the basis of identity authentication, through the information each party contributes, jointly ... ensuring data confidentiality and integrity.
Security Authentication Agreement (English abbreviation: SA Agreement)
Parties:
Party A: [Company/Individual Name], [registered address], [business license number]
Party B: [Company/Individual Name], [registered address], [business license number]
Identification:
Party A: represented by [Name and Position]; authorized to sign and execute the SA Agreement on behalf of Party A; hereinafter referred to as "Party A"
Party B: represented by [Name and Position]; authorized to sign and execute the SA Agreement on behalf of Party B; hereinafter referred to as "Party B"
Rights and Obligations:
Party A:
1. Shall provide Party B with relevant security authentication information and services
2. Shall ensure the confidentiality of Party B's security information
3. Shall be responsible for any breaches of security
Party B:
1. Shall provide Party A with accurate and complete information for security authentication
2. Shall not disclose any security information provided by Party A
3. Shall be responsible for maintaining the security of its own information
Performance:
1. Party A shall provide Party B with security authentication services within the agreed time frame
2. Party B shall use the security authentication information provided by Party A for lawful purposes only
Term: This SA Agreement shall be effective from the date of signing until termination by either party.
Breach of Contract: In the event of any breach of the SA Agreement by either party, the non-breaching party shall have the right to terminate the agreement immediately and seek compensation for any losses suffered.
Compliance with Laws: Both parties shall comply with the relevant laws and regulations of China in performing their obligations under this SA Agreement.
Applicable Law and Jurisdiction: This SA Agreement shall be governed by and construed in accordance with the laws of China. Any disputes arising from this SA Agreement shall be resolved through friendly consultation. If no settlement can be reached, the dispute shall be submitted to a court of competent jurisdiction in China.
Legal Effect and Enforceability: This SA Agreement shall be legally binding and enforceable upon both parties after the signing and chop-sealing of the agreement by Party A and Party B.
A Provably Secure Identity-based Two-party Key Agreement Protocol
SHI Yabin, HUANG Kaizhi, YANG Peng
Application Research of Computers, 2009, 26(9), pp. 3519-3522. Language: Chinese. CLC number: TP309.02.
Affiliations: National Digital Switching System Engineering & Technological R&D Center, Zhengzhou 450002 (Shi, Huang); PLA Unit 91248, Nanchang 331717 (Yang).
Abstract: For two-party authenticated key agreement in which the two session parties belong to different key generation centers, a provably secure identity-based two-party key agreement protocol is proposed in the eCK model, using the properties of bilinear pairings and the BDH assumption. The security proof in the random oracle model distinguishes two cases, according to whether the test session has a matching session, and shows that if the BDH problem is intractable the scheme is a secure authenticated key agreement protocol.
ID-based Authenticated Multi-party Key Agreement Scheme (基于身份的可认证多方密钥协商方案)
ZHAO Ting, WANG Xiaofeng, WANG Shangping, WU Xiaofeng, GUO Hu
(School of Science, Xi'an University of Technology, Xi'an 710054)
CLC number: TP309.2
Abstract: The tripartite key agreement protocol is more efficient than traditional schemes, but it provides no authentication and is vulnerable to man-in-the-middle attack. This paper extends that protocol to multiple parties and proposes two new ID-based key agreement schemes. The signature used for authentication is a short signature, so the authentication step is efficient, and a password evolution mechanism is introduced to raise security. The new schemes have contributiveness, no key control, known-key security and resistance to man-in-the-middle attack.
Key words: authentication; key agreement; bilinear pairing; password evolution
Identity-based Encryption Authenticated Key Agreement Protocol (基于身份加密的可认证密钥协商协议)
YUAN Yanxiang, YOU Lin (School of Communication Engineering, Hangzhou Dianzi University, Hangzhou, Zhejiang 310018, China)
2014, No. 3. doi: 10.3969/j.issn.1671-1122.2014.03.001. Article number: 1671-1122(2014)03-0001-06. CLC number: TP309. Document code: A.
Abstract: Key agreement is an important part of secure communication; a key agreement protocol establishes a shared session key between communicating nodes so that secure communication protocols can run in the network. The protocol proposed here is a pairing-free authenticated key agreement protocol built on identity-based authenticated key agreement. It consists of three parts: initialization, parameter extraction and key agreement. Compared with key agreement protocols that use bilinear pairings, it offers the same level of security and scalability while having clear advantages in energy consumption, time cost and computational complexity.
Key words: Internet of Things; identity-based encryption; authenticated key agreement
An Identity-based Dynamic Authenticated Group Key Agreement Protocol for Mobile Networks (基于身份的移动网动态可认证群组密钥协商协议)
Journal of Air Force Engineering University (Natural Science Edition), Vol. 12 No. 5, Oct. 2011. CLC number: TN918.1. Document code: A. Article number: 1009-3516(2011)05-0076-05.
Abstract (partial): ... an efficient group key agreement protocol suited to wireless mobile networks. An analysis of the security of Tseng's protocol shows that it lacks authentication and cannot resist active attacks. Therefore, by improving Tseng's protocol, a new dynamic authenticated group key agreement protocol is proposed. The protocol is based on identity-based public-key cryptography, which lowers the cost of building and managing a public key infrastructure, and it supports mutual authentication between nodes. Analysis shows that the protocol satisfies the security criteria required of group keys and reduces the computation and communication cost of ordinary nodes.
Key words: group key agreement; identity-based public key cryptosystem; authentication; bilinear pairing
Preliminaries fragment: ... where $a, b \in Z_q^*$. It is generally believed that no polynomial-time algorithm solves the BDLP and BDHP problems with non-negligible advantage. Moreover, elliptic curve ...
IPsec Protocol
The role and importance of IPsec. IPsec (Internet Protocol Security) is a suite of security protocols widely used to protect the confidentiality, integrity and authenticity of Internet traffic.
It operates at the network (IP) layer, so it protects every transport-layer protocol above it without changes to applications, and it prevents data from being read or modified in transit by unauthorized parties.
Its role and importance show in the following areas:
1. Confidentiality: the ESP protocol encrypts the packet payload (AH provides integrity only, no encryption), so captured data cannot be read.
This matters for sensitive traffic such as personal or business information.
2. Integrity: each protected packet carries an integrity check value computed with a keyed MAC (for example HMAC-SHA-256) or an AEAD cipher such as AES-GCM; an unkeyed hash would not help, since an attacker who alters the packet could simply recompute it.
The receiver therefore detects any modification or corruption and can trust the data it accepts.
3. Authentication: the peers authenticate each other when IKE (IKEv2) negotiates the keys, using digital certificates, pre-shared keys or EAP.
This prevents forged or spoofed endpoints from establishing a security association.
4. Resistance to network attacks: with authenticated key exchange, per-packet integrity protection and anti-replay sequence numbers (checked by a sliding window on the receiver), IPsec resists man-in-the-middle attacks, packet sniffing and replay attacks.
It thus blocks unauthorized access, tampering and information leakage. IPsec does not hide packet sizes or timing, and in transport mode the outer IP headers remain visible.
5. Applicability to many environments: IPsec is used in LANs, WANs and virtual private networks (VPNs), for site-to-site tunnels and for remote access over the public Internet.
It gives enterprises and individuals a secure way to communicate both inside a local network and across the Internet.
In summary, IPsec plays an important role in securing Internet communication.
Through encryption, integrity protection and authentication it ensures that data is protected and trustworthy in transit.
In today's information age protecting network communication is critical, and IPsec is one of the main tools for doing so.
Basic principles and operation of IPsec. IPsec provides security at the network layer and is used to protect the confidentiality, integrity and authenticity of Internet communication.
It is built from a set of protocols (AH, ESP and IKE) and cryptographic algorithms; the security associations (SAs) that IKE negotiates hold the keys, algorithms and sequence-number state that each direction of traffic uses, and these together ensure that data is protected in transit.
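Item 4 above mentions replay protection. The class below is an added example, not code from the original page: it implements the receiver-side anti-replay sliding window that ESP uses (RFC 4303, Appendix A). The highest sequence number accepted so far marks the right edge of a 64-entry window, a bitmap records which numbers inside the window were already accepted, anything to the left of the window is rejected, and the window is only advanced after the integrity check succeeds. The `icv_ok` flag stands in for the real ICV verification, and 32-bit sequence numbers without the extended-sequence-number option are an assumed simplification.

```python
"""ESP receiver-side anti-replay window (RFC 4303, Appendix A).

Added example, not from the original page. Assumptions: 32-bit sequence
numbers without ESN, a fixed window of 64 (the RFC's default; 32 is the
minimum), and an `icv_ok` flag standing in for the integrity check that a
real implementation performs before the window is advanced.
"""


class AntiReplayWindow:
    def __init__(self, size: int = 64):
        self.size = size
        self.top = 0          # highest sequence number accepted so far
        self.bitmap = 0       # bit i set  <=>  sequence number (top - i) was accepted
        self.mask = (1 << size) - 1

    def check(self, seq: int) -> bool:
        """Preliminary check, run before the ICV is verified; does not modify state."""
        if seq == 0:                        # valid sequence numbers start at 1
            return False
        if seq > self.top:                  # right of the window: new packet
            return True
        if self.top - seq >= self.size:     # left of the window: too old
            return False
        return not (self.bitmap >> (self.top - seq)) & 1   # inside: already seen?

    def update(self, seq: int) -> None:
        """Advance or mark the window; call only after the ICV verified."""
        if seq > self.top:
            self.bitmap = ((self.bitmap << (seq - self.top)) & self.mask) | 1
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)

    def accept(self, seq: int, icv_ok: bool) -> bool:
        """Full receive path: window check, then ICV, then window update."""
        if not self.check(seq) or not icv_ok:
            return False
        self.update(seq)
        return True


def process_stream(packets):
    """packets: iterable of (seq, icv_ok) in arrival order; returns the accepted sequence numbers."""
    window = AntiReplayWindow()
    return [seq for seq, icv_ok in packets if window.accept(seq, icv_ok)]


# Constructed arrival order: in-order delivery, a replayed packet (second 3),
# reordering (10 before 8), a forged packet with a bad ICV (11, False) that must
# not advance the window, a jump to 100, a stale packet far behind the window
# (3 again) and one exactly at the left edge (37 = 100 - 63).
SAMPLE_STREAM = [(1, True), (2, True), (3, True), (3, True), (10, True), (8, True),
                 (11, False), (11, True), (100, True), (3, True), (37, True)]


if __name__ == "__main__":
    print("accepted:", process_stream(SAMPLE_STREAM))
```

The ordering of the three steps is the security-relevant detail: if the window were updated before the ICV check, an attacker could send garbage with a very high sequence number and push every legitimate in-flight packet out of the window, a cheap denial of service.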
An Efficient and Strongly Secure Identity-based Authenticated Key Agreement Protocol
Author: SHU Jian. Source: Journal of Computer Applications, 2012, No. 1. Article number 1001-9081(2012)01-0095-04, doi: 10.3724/SP.J.1087.2012.00095. (The abstract and key words are those given in the earlier entry for this paper.)
0 Introduction
Key agreement is an important part of secure communication.
An authenticated key (AK) agreement protocol not only lets two users negotiate a shared session key over an insecure channel but also lets them authenticate each other's identity.
The agreed session key can then provide confidentiality, authentication or integrity services for the subsequent communication.
In identity-based cryptography, a user takes a public identifier that represents them (an ID card number, for instance) as their public key.
A Provably Secure Anonymous Authenticated Key Agreement Protocol for Multicast Groups (可证明安全的群组匿名认证密钥协商协议)
Key words: authentication protocol; anonymity; group; key agreement protocol; network security; network protocol. CLC number: TP393.08. Document code: A. doi: 10.3969/j.issn.1001-0548.2011.02.023
Affiliation 3: Key Laboratory of Computer Networks and Information Security of Ministry of Education, Xidian University, Xi'an 710071
Protocol fragment (the only steps legible in the extraction; the session-key expression is lost):
3) Broadcast $\{U_i\}_{i=1}^{n}$ and $\{M_i\}_{i=1}^{n}$. Without loss of generality, assume the group member $A_b$ (i.e. $ID_b \in l$) receives the message from $A_j$.
4) Using its own private key $S_b$, $A_b$ decrypts $M_b$ from $\{M_i\}_{i=1}^{n}$ to obtain $m_j \| l = D_{S_b}(M_b)$.
5) $A_b$ computes $h_i = H_1(U_i \| m_j \| l)$ for all $i \in \{1, 2, \ldots, n\}$.
Similarly, $A_b$ can receive the message $\{V_i\}_{i=1}^{n}$, $\{M_i\}_{i=1}^{n}$ from $A_f$ ($ID_f \in l$), decrypt it to obtain $m_f \| l = D_{S_b}(M_b)$, and compute $o_i = H_1(V_i \| m_f \| l)$ for all $i \in \{1, 2, \ldots, n\}$.
When $A_b$ has received the $n-1$ messages from all other members, it computes the session key.
What "publickey,gssapi-with-mic" means (second explanation)
Public key and GSSAPI-with-MIC are two common SSH user-authentication methods; "publickey,gssapi-with-mic" is the list an SSH server sends to tell the client which methods it may try.
Public-key authentication uses an asymmetric key pair: a public key and a private key that differ from each other.
The public key can be handed out freely (in SSH it is placed in the server's authorized_keys file), while the private key is kept by the user or system alone.
To log in, the client proves possession of the private key by signing data that is specific to the current session; the server verifies the signature with the stored public key.
This means only the key holder can authenticate, and the server never learns a secret that could be reused to impersonate the user elsewhere.
GSSAPI-with-MIC is the SSH authentication method defined in RFC 4462. Its full name is Generic Security Service Application Program Interface with Message Integrity Check: it runs a GSSAPI authentication, in practice almost always Kerberos, inside the SSH user-authentication protocol.
Both GSSAPI (RFC 2743) and the SSH method are IETF standards.
Through the underlying mechanism it can provide strong authentication for applications on TCP/IP networks, and the same Kerberos credentials serve other GSSAPI-aware services.
Its authentication guarantee comes from the Kerberos ticket; the MIC that gives the method its name is a keyed integrity token computed over the SSH session identifier and the user-auth request, which binds the authentication to this particular connection. Confidentiality of the SSH session itself comes from the SSH transport layer, not from this method.
Public key and GSSAPI-with-MIC are not layered on one another; they are alternative methods, and a server usually offers both.
The client tries the offered methods in its preference order (OpenSSH tries gssapi-with-mic before publickey by default when GSSAPI support is enabled), so a user with a valid Kerberos ticket logs in without touching a key pair, and everyone else falls back to public-key authentication.
This is the usual picture on hosts joined to a Kerberos or Active Directory realm.
Some points to note when deploying these methods: both must be configured deliberately (sshd_config keywords such as PubkeyAuthentication and GSSAPIAuthentication, and for Kerberos a host principal and keytab on the server), otherwise logins fail or weaker methods such as passwords stay enabled.
Private keys must be protected so that only the authorized user can use them; a leaked private key lets anyone holding it authenticate as that user.
Finally, neither method makes an SSH deployment secure by itself: disable password authentication where these stronger methods are in place, keep credentials from leaking, and stay alert.
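Both explanations above turn on what the phrase "publickey,gssapi-with-mic" literally is: the comma-separated list of user-authentication methods an OpenSSH server advertises, printed by `ssh -v` as `debug1: Authentications that can continue: publickey,gssapi-with-mic`. The script below is an added example, not code from either article: it parses such lines from a constructed `ssh -v` excerpt, derives the methods a constructed sshd_config fragment enables (applying the OpenSSH defaults for keywords that are absent) and reports mismatches. Which methods count as acceptable versus flagged is a policy assumption made for this illustration.

```python
"""Audit the SSH user-authentication methods a server offers.

Added example; not code from either article above. It parses the
"Authentications that can continue: ..." lines that OpenSSH's `ssh -v`
prints (sample constructed below) and compares them with what an
sshd_config fragment (also constructed) enables, using the OpenSSH
defaults for keywords that are absent. Which methods count as acceptable
is a policy assumption for this illustration.
"""
import re

ACCEPTABLE = {"publickey", "gssapi-with-mic", "hostbased"}
FLAGGED = {"password", "keyboard-interactive", "none"}

AUTH_LINE = re.compile(r"Authentications that can continue: (?P<methods>[\w,-]+)")

# Constructed excerpt of `ssh -v user@host`
SAMPLE_SSH_V = """\
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug1: Authentications that can continue: publickey,gssapi-with-mic
debug1: Next authentication method: publickey
"""

# sshd_config keyword -> (method name on the wire, OpenSSH default)
KEYWORDS = {
    "pubkeyauthentication": ("publickey", "yes"),
    "passwordauthentication": ("password", "yes"),
    # older releases spell this ChallengeResponseAuthentication
    "kbdinteractiveauthentication": ("keyboard-interactive", "yes"),
    "gssapiauthentication": ("gssapi-with-mic", "no"),
}

# Constructed sshd_config fragment
SAMPLE_SSHD_CONFIG = """\
# local policy: keys and Kerberos only
PubkeyAuthentication yes
PasswordAuthentication yes
KbdInteractiveAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
"""


def offered_methods(ssh_v_output: str):
    """Methods the server advertised, in first-seen order, without duplicates."""
    seen = []
    for match in AUTH_LINE.finditer(ssh_v_output):
        for method in match.group("methods").split(","):
            if method not in seen:
                seen.append(method)
    return seen


def classify(methods):
    """Split a method list into acceptable, flagged and unknown lists."""
    return {
        "acceptable": [m for m in methods if m in ACCEPTABLE],
        "flagged": [m for m in methods if m in FLAGGED],
        "unknown": [m for m in methods if m not in ACCEPTABLE | FLAGGED],
    }


def sshd_config_methods(config_text: str):
    """Methods an sshd_config fragment enables, applying OpenSSH defaults for absent keywords."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        settings[key.lower()] = value.strip().lower()
    return [method for key, (method, default) in KEYWORDS.items()
            if settings.get(key, default) == "yes"]


def audit(ssh_v_output: str, config_text: str):
    """Compare what the server advertises with what its configuration enables."""
    advertised = offered_methods(ssh_v_output)
    configured = sshd_config_methods(config_text)
    return {
        "advertised": classify(advertised),
        "configured_but_not_advertised": [m for m in configured if m not in advertised],
        "advertised_but_not_configured": [m for m in advertised if m not in configured],
    }


if __name__ == "__main__":
    from pprint import pprint
    pprint(audit(SAMPLE_SSH_V, SAMPLE_SSHD_CONFIG))
```

In the constructed data the fragment enables password authentication yet the server only advertises publickey and gssapi-with-mic; such a mismatch means the fragment is not the effective configuration (a Match block or a later directive may override it), so check `sshd -T` on the host rather than trusting a copied file.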
A P r o v a b ly S e c u r e Id e n t it y-b a s e d Au t h e n t ic a t io n Mu lt ip le Ke yAg r e e m e n t P r o t o c o lTan ZuowenSchool of Information T echnology,Jiangxi Univers ity of Finance and Economics,Nanchang330032,P.R.China Key Lab of Network Security and Cryptology,School of Mathematics and Computer Science,Fujian Normal University,Fuzhou350007,P.R.ChinaAb st r act:An auth entication m ultip le k ey agreement protocol allows the users to compute more than one session keys in an authentication way.In the paper,an identity-based authentication multiple key agreement protocol is proposed. Its authentication part is proven secure against existential forgery on adaptively chosen message and ID attacks under the random oracle model upon the CDH assumptions.The session keys are proven secure in a formal CK security model under the random oracle model upon the CBDH assu mp tion s.C om par ed with the pr eviou s multiple key agreement protocols,it requires less communication cost.Key wor ds:authentication;identity-based;key agreementI.INTRODUCTIONA key agreement protocol allows two or more entities to establish a sh ar ed key via o pen communication channels.The shared key can be applied as a session key to provide secure communication between them.An authentication key agreement protocol not only allows entities to compute the session key but also ensures the authenticity of the involved entities.Diffie and Hellman proposed the rst key agreement protocol based on asymmetric cryptography[1].Its security is based on the intractability of the discrete logarithm problems.The MQV protocol is a well-known authentication key agreement protocol[2]. 
But the protocol is vulnerable to an unknown key share attack[3].An improvement version was given in[4]with one more pass.Sh am ir[5]c on s tr u cted id en ti ty-bas ed encryption and signature protocols to simplify key agreement procedures of certificate-based public key infrastructures.Lots of identity-based key agreement protocols have been developed[6-8]. CK protocol[9]modified Smart’s protocol[7]. Wang,et al.constructed an identity-based key agreement protocol[10]in the standard model. However,they cannot provide perfect forward security.It is n ecessary that an authenticatio n key agreement protocol generates several session keys22011.063论文集锦within one run.Harn and Lin[11]proposed an authentication multiple key agreement protocol in which two entities generate four shared keys at a time,however,only three of these keys can provide perfect forward security.Hwang,et al.proposed a more efficient authentication key agreement protocol[12].Nevertheless,the protocol suffers from the modi cation attack[13].Lee,et al.[14] proposed an authenticated multiple key agreement protocols based on bilinear pairings.Vo,et al.[15]demonstrated that Lee,et al.’s pairing-based authenticated key agreement protocol cannot resist against impersonation attacks and cannot provide perfect forward security.In order to avoid those attacks,V o,et al.proposed improvement.In this paper,an identity-based multiple key ag reemen t pr oto col(I B-MKA)is pr op osed. Compared with the previous MKA protocols,the proposed protocol needs less communication cost. The protocol enforces the multiple key agreements in an authentication manner.Its authentication part is proven secure against existential forgery on adaptively chosen message and ID attacks under the random oracle model upon the hardness of co mpu tational Diff ie-Hellm an pr oblems. 
The protocol is prov en secure in the rando m oracle m odel in a fo rmal CK security mod el upon the computational Bilinear Diffie–Hellman assumptions.It achieves perfect forward security. Ev en if all th e lo ng s ecr et k eys inclu din g the tr usted authority’s master p rivate key are comprised,the previous session keys would not be affected.The r emainder of this paper is organized as follows.Some preliminaries are given in Section II.In Section III,an IB-MKA protocol is proposed. Section IV an alyzes th e IB-MKA pr otocol. Conclusions are given in Section V.II.PRELIMINARIESDefin it ion1(Computational Bilinear Diffie–Hellman(CBDH)Problem)Given(Q,aQ,bQ,cQ)in a cyclic group1G for unknown*,,pa b c Z∈,output (,)abce Q Q.De ne the advantage of a poly nomial algorithm Aagainst the CBDH problem as12,,GSucc Pr[(,)(,)]CBDH abcAGA Q aQ,bQ,cQ e Q Q==, where th e pro bab ility is over the rand om choice of the generator of1G,the random choiceof*,,pa b c Z∈and random coins chosen b y th e algorithm A.Definition2(Computational Bilinear Diffie–Hellman(CBDH)Assumption)12,,Succ CBDHA G G ofany polynomial algorithm A is negligible.Defin ition3(Computational Diffie–Hellman (CDH)Problem)Given(Q,aQ,bQ,cQ)in1G for unknown*,,pa b c Z∈,compute abQ.The advantage ofa polynomial algorithm A in solving CDH problemis de ned as1*,Succ Pr[(,),,]CDHqAGA aQ bQ abQ a b Z==∈. 
Defin ition4(Computational Diffie–Hellman (CDH)Assumption)12,,Succ C BDHA G G ofany polynomial algorithm A is negligible.III.THE PROPOSED IB-MKA PROTOCOLWe ass um e th e ex istence of a tr ust ed key generation center(KGC)who is responsible for the creation and secure distribution of entities’secret keys.The new IB-MKA protocol consists of three algorithms,Setup,Extract and Key agreement.S et u p:Let1G b e an ad d itiv e g ro u p o f prime order p with a g enerator Q and2G b ea multiplicative group of prime order p.Let e be an adm issible map fr om11G G×to2G,and 11:{0,1}GH→,*2:{0,1}pZH→be two cryptographic hash functions.KGC chooses a random number*ps Z∈as the master key and computes KGC sQP=as the system’s public key.KGC publishes systemparameters*1212{,,,,,,,}p KGCe Z QG G P H H.Extr act:Alice and Bob are two entities involvedin the IB-MKA protocol.Their identities and public keys are1,))((A AID IDH and1,))((B BID IDH,respectively. KGC generates their private keys:1)(A As IDS H=, 1)(B Bs IDS H=.Key agr eement:Alice and Bob execute the key2011.02733agreement in an authentication manner.Step 1.Alice →Bob:12{,,,}A R V R R .Alice r an dom ly selects a 1,a 2in *p Z ,an d computes:111)(A ID a R H =,211||)(B A ID a R H ID =,(1)12)(A R ID a H =22211||||))((A A R a R V a S H R =++.(2)Then Alice sends 12{,,,}A R V R R to Bob.Step 2.Bob →Alice:12{,,,}B Z V Z Z .Upon receiving 12{,,,}A R V R R ,Bob first checks their authenticity by verifying the formulae:1112(,(||))?((),)A B A e R H ID ID e H ID R ,(3)12121(,)?(()(),)A A KGC e V Q e R R H R ||R ||R H ID P ++.(4)If either of the above formulae does not hold,Bob refuses the session request.Otherwise,Bob randomly chooses 1b ,2b in *pZ ,and computes:111)(B ID b Z H =,211||)(B A ID b Z H ID =,(5)12)(B Z ID b H =,22211||||))((B B Z b Z V b S H Z =++(6)Then,Bob computes {1SK ′,2SK ′,3SK ′,4SK ′}.111212(,())B K e R b H b R S ′=,(7)12111||||||||)(R Z K R SK H Z ′=;21212(,())B K e R b H b R S ′=,(8)22121||||||||)(R Z K R SK H Z 
′=;312212(,())B K e R b H b R S ′=,(9)32131||||||||)(R Z K R SK H Z ′=;42212(,())B K e R b H b R S ′=,(10)42141||||||||)(R Z K R S K H Z ′=.Bob sends 12{,,,}B Z V Z Z to Alice.St ep 3.Alice ch eck s au th enticity of the message.22121||||||||||)(t R H R R Z Z Z =,1112(,(||))?((),)ABBe Z H ID ID e H ID Z (11)(,)?(())11e V Q e Z Z tH ID P B B KGC ++=.(12)If both the formulae hold,Alice computes four shared session keys {SK 1,SK 2,SK 3,SK 4}:112121((),)A K e a H a Z S Z =,(13)21111||||||||)(R Z R SK H Z K =;222121((),)A K e a H a Z S Z =,(14)21221||||||||)(R Z R SK H Z K =;31212((),)A K e a H a Z S Z =,(15)21331||||||||)(R Z R SK H Z K =;42212((),)A K e a H a Z S Z =,(16)21441||||||||)(R Z R SK H Z K =.Its correctness is shown by bilinearity of the pairing.112121((),)A K e a H a Z S Z =12121(,())A e a S H a Z Z =12121(,())A e a S H b R Z =1121211((),()())A B e sa H ID H b R b H ID =11212(,())B e R b H b R S =1K ′=.Similarly,22K K ′=,33K K ′=,44K K ′=.So Alice and Bob have four shared session keys:11SK SK ′=,22SK SK ′=,33S K SK ′=,44SK S K ′=.IV .ANALYS ES ON THE NEW IB-MKAPROTOCOLA.Secur ity AnalysesDifferently from the identity-based key agreement protocols [6-10],when one entity issues message,the other entity can check the v alidity of the r eceived m essage and can be assur ed of the identity of the message sender.Now,we show that the authentication par t is proven secur e against existential forgery under adaptively chosen message and ID attacks in the random oracle model upon the CDH assumptions.Theor em 1If there is an adversary E who can (t,H q ,E q ,A q ,ε)-break the authentication par t of the new protocol under an adaptively chosen message and ID attacks in the random oracle model,then there exists an algorithm D who can use E to solve an instance of the CDH problems in G 1with probability and time1,Succ CDH D G …()Adv E (H q +E q +A q )H ε,t ′≤t+(H q +E q +5A q +2)t S +(A q +1)t A +t i n +(A q +1)t a where H εdenotes the collision probability of the hash 
functions,H q ,E q and A q denote the times of Hash-query,Extract-query and Authentication-query,respectively.t S ,t A ,t a and t in denotes the time for one scalar multiplication,one point addition in G 1,one modular addition and one inversion in *p Z ,respectively.Pr o of:Accord ing to [16],it is enou gh to show that the proposed I B-MKA p rotoco l is proven secure against adaptively chosen message and given ID attacks.Considering this,we fix an identity ID.If an adversary E can break its authentic part with a non-negligible probability282011.03论文集锦()A dv E ,then E is given ID and can output theauthentic message about the given identity ID.W e will construct an algorithm D to solve a randomly chosen instance of CDH problems:given (Q ,aQ ,bQ )in 1G for unkn own *,p a b Z ∈,to compute abQ .D will run E as a subroutine and act as a challenger.D makes responses to the queries as follows.Setup:Take *1212{,,,,,,,}p K GC e Z Q G G P H H as the system parameters where KGC sQ P =.Qu er ies:E m ak es a poly nom ial b oun ded number of the queries in an adaptive manner,where all the hash functions are considered as random oracles.y Hash-quer y:For H1-query about an identity i ID ,D ch ooses r andom ly *p i Z x ∈and gives a response:1,if (),otherwisei i i bQ ID ID H ID x Q ==.Then D puts the pair (i ID ,1()i H ID )in a tableTH 1.For H 1-query about an identity pair (i ID ,k ID ),D searches for (i ID ,)in TH 1.If the pair (i ID ,1()i H ID )is not in TH 1,D makes a response as above.Otherwise,D chooses randomly t ik *p Z ∈and computes11(||)()i k ik i H ID ID t H ID =.Then D stores the triple (i ID ,k ID ,)in a table TH 11.For H 2-query about a message,F chooses a random value in *p Z and stores the results in a table TH 2.y Extr act-quer y:For a query about k ID ,if a pair (k ID ,)is in a table TH 1,D makes a response ()k x aQ and puts the pair (k ID ,)in a table TE.Otherwise,D at first makes a response as in H 1-queries.Note that an Extract-query about ID is not permitted.y 
Authentication-quer y:Assume that E issues an authentication query (i ID ,k ID ,j ),which means that the query is the j-th authentication between i ID and k ID .D makes a response as follows.(1)Choose 1j y ,0j y *p Z ∈.Set j y =1j y +0j y (mod p).(2)Search TH 1(TH 11)for 1)(i ID H (1||)(k i ID H ID ).If it does not exist,D makes responses as in H 1-queries.(3)Choose randomly j h *p Z ∈and calculate11j j R y Q =,21j j ik R y t Q =,01)(j j j i R y Q h ID H =,()j j V y a Q =.(17)(4)Set 221||||)(j j j j R h H R R =.Pu t 12{,,,}j j j j h R R R in a table TH 2.I f it is already in TH 2and 221||||)(j j j j R h H R R ≠,D goes back to (4)and chooses another j h .(5)Return 12(,,,,,)i k j j j j V ID ID R R R and store it in TA.In fact,it satis es the veri cation equations (3)(4).11(,(||))j i k e R H ID ID 11(,())j i k i e y Q t H ID =11((),)i i k j e H ID t y Q =12((),)i j e H ID R =.12121((),)j j j j j i KGC e R R H (R ||R ||R )H ID P ++=1011(()(),)j j j i j i KGC e y Q y Q h H ID h H ID P ++=(,)j e y aQ Q =(,)j e V Q .O u t p u t :If D d oes no t ab or t du rin g th e simulation,E will output valid 12(,,,,)R h V R R for the xed ID,without accessing any oracles except 2H ().Acco rding to the fo rking lemma [19],by replaying the same r andom tape but different cho ices of 2H ,we h ave 12(,,,,)R h V R R and 12(,,,',')R h V R R with different hash 2H values (h ,h ′)on 12(,,)R R R (hence the different V ,'V ).Then,D can compute abQ =1()()h h V V ′′.This completes the description of the simulation.It is easy to verify the indistinguishability of the view during the simulation with the view during the actual execution of the protocol.If the results of Authentication-query are inco nsistent,D ’s simulation will fail.The probability H εof such collisions is negligible [19].Therefore,D has a probability of success1,Succ CDH D G ≥()A dv E (H q +E q +A q )H ε.D ’s running time is the sum of E ’s running time plus the time of simulation.During the simulation,on e scalar mu ltiplication 
in G 1is needed in Setup phase,and one scalar multiplication in G 1is needed in a Hash-query (an Extract-query).Each Authentication-query requires one modular2011.02933addition in *p Z ,ve scalar multiplications and one point addition in G 1.In Output phase,one modularaddition in *p Z ,one inversion in *p Z ,one scalar multiplication in G 1and one point addition in G 1are required.The total running time t ′of D is at mostt+(H q +E q +5A q +2)t S +(A q +1)t A +1t m +(A q +1)t a .□Next,we prove the security of the new IB-MKA protocol in the CK security model [11].The model involves an entity set,a KGC set and an adversary E.These entities are modeled by oracles,,n I J ∏,which simulates an entity I carrying out a session with another entity J for the nth time (i.e.the nth run of the protocol between I and J).E is allowed to make three types of oracle queries:y Sen d:Allow E to send a message of her choice to an oracle,say ,n I J ∏,or to initiate a run of the protocol between two entities,I and J.y Reveal:Allow E to ask a particular oracle to reveal the session key (if any)it currently holds to E.y Corr up t:Allow E to ask a particular oracle to reveal the long-term private key.After E issues a polynomial bounded number of queries to the oracles and nally makes a Test-query to a chosen oracle.The chosen oracle ips a coin bit ∈{0,1},and returns the session key if bit =0,or else a random string if bit=1.Then E guesses bit ′.E ’s advantage Adv(E)is the probability that E can distinguish the session key from a random string:Adv(E)=|Pr[bit ′=bit]–|.(18)Theor em 2.If there is an adversary E who can (t,H q ,E q ,A q ,()A dv E )-br eak the new IB-MKA protocol in the random oracle model,then there exists another algorithm F who could apply E to solve an instance of the CBDH problems in G 2with a probability and time12,,Succ Adv()CBDHF G G E …t ′t+(H q +Eq +5A q +2)t S +(A q +1)t A +t m +(A q +1)t a .Pr oof:First,when E is benign,if the oracles ,n I J∏and ,t J I ∏follow the 
protocol, as shown in the argument about the correctness of the new protocol, both oracles accept holding the same keys $SK_i$ ($i = 1, 2, 3, 4$). Since the hash function $H_2(\cdot)$ is a random oracle, $SK_i$ ($i = 1, 2, 3, 4$) is distributed uniformly at random on $\{0, 1\}^k$, where $k$ is the system security parameter. Next, when the two oracles are uncorrupted and have had matching conversations, since Theorem 1 demonstrates that any adversary cannot impersonate the entities, each party has received properly formatted messages from the other entity. Therefore, both oracles accept and hold the same session keys. Thirdly, we apply proof by contradiction to prove that the advantage $\mathrm{Adv}(E)$ of any adversary E is negligible with some polynomial number of oracle queries under the CBDH assumption in the random oracle model. Suppose that $\mathrm{Adv}(E)$ is non-negligible. Now we use E to construct a simulator F which solves the CBDH problem with non-negligible probability.

Input: $(aQ, bQ, cQ)$, where $a, b, c \in Z_p^*$ are unknown and $Q$ is a generator of the group $G_1$ of order $p$.

Simulation: Denote by $q_s$ and $q_h$ the maximum number of session oracle queries and of $H_1$-queries made by E, respectively. For the entities I, J, the simulator randomly chooses $y_j$ and $n, t \in \{1, 2, \ldots, q_s\}$, $l \in \{1, 2, \ldots, q_h\}$. F guesses that E will select $\Pi^n_{I,J}$ to ask its Test-query after $\Pi^t_{J,I}$ has had a matching conversation with $\Pi^n_{I,J}$.
• Initialization: F sets $aQ$ as $P_{KGC}$. F sets $bQ$ as I's public key (with identity $ID_i$) and $y_j (cQ)$ as J's public key (with identity $ID_j$). For other entities $ID_l$, F sets $(x_l Q, x_l (aQ))$ for $x_l \in_R Z_p^*$ as $ID_l$'s public/secret key pair.
• Extract-query: For an Extract-query about $ID_l$, $ID_l \notin \{ID_i, ID_j\}$, if there is a pair $(ID_l, \cdot)$ in a table $TH_1$, F responds with $x_l (aQ)$ and puts the pair $(ID_l, \cdot)$ in TE. Otherwise, F responds as in $H_1$-queries. Note that an Extract-query about $ID_i$ or $ID_j$ is not permitted.
• Hash-query: For an $H_1$-query about an identity $ID_l$, F chooses randomly $x_l \in Z_p^*$ and gives the response
$$H_1(ID_l) = \begin{cases} bQ, & \text{if } ID_l = ID_i, \\ y_j\, cQ, & \text{if } ID_l = ID_j, \\ x_l Q, & \text{otherwise.} \end{cases}$$
Then F puts the pair $(ID_l, H_1(ID_l))$ in the table $TH_1$. For an $H_1$-query about an identity pair $(ID_i, ID_j)$, F searches for $(ID_i, \cdot)$ in $TH_1$. If the pair $(ID_i, H_1(ID_i))$ is not in $TH_1$, F makes a response as above. Otherwise, F chooses randomly $h_{ij} \in Z_p^*$ and computes $H_1(ID_i \| ID_j) = h_{ij} (bQ)$. Then F stores the triple $(ID_i, ID_j, \cdot)$ in $TH_{11}$. For an $H_2$-query about new messages $(\cdot, \cdot, \cdot)$, F chooses a random value in $Z_p^*$ and stores the results in a table $TH_2$. For an $H_2$-query about new messages $(\cdot, \cdot, \cdot, \cdot, \cdot, \cdot)$, F chooses a random value in $Z_p^*$ and stores the results in $TH_{22}$. For an $H_2$-query about new messages $y_i Z_2$, F chooses a random value in $Z_p^*$ and stores the results in a table $TH_{21}$.
• Corrupt-query: F responds by revealing the entity's long-term private key. When E issues a Corrupt-query about I or J, F gives up.
• Reveal-query: F answers it by revealing the session keys. When E asks $\Pi^n_{I,J}$ or $\Pi^t_{J,I}$ a Reveal-query, F gives up.
• Send-query: F answers Send-queries as in the proposed protocol, except for $\Pi^n_{I,J}$ and $\Pi^t_{J,I}$. F answers a Send-query ($m \neq n, t$) about $\Pi^m_{I,J}$ as follows:
(1) Choose randomly $y_i, h_{ij}, y_{m0} \in Z_p^*$.
(2) Set $y_m = y_i + y_{m0} \pmod p$.
(3) Search for $H_1(ID_i \| ID_j)$ in the table $TH_{11}$. If it does not exist, F adds it to $TH_{11}$.
(4) Choose randomly $h_m \in Z_p^*$ and calculate
$$R_1 = y_i Q,\quad R_2 = y_i h_{ij} Q,\quad R = y_{m0} Q - h_m (bQ),\quad V_1 = y_m (aQ). \tag{19}$$
(5) Set $H_2(R_1 \| R_2 \| R) = h_m$. Put $(R_1, R_2, R, h_m)$ in a table $TH_2$. If $(R_1, R_2, R, \cdot)$ is already in $TH_2$ and $H_2(R_1 \| R_2 \| R) \neq h_m$, F goes back to (4) and chooses another $h_m$.
(6) Return $(I, J, m, R_1, R_2, R, V_1)$ and store it in TA. It satisfies the verification equations (3) and (4):
$$e(R_1, H_1(ID_i \| ID_j)) = e(y_i Q, h_{ij}\, bQ) = e(bQ, h_{ij} y_i Q) = e(H_1(ID_i), R_2),$$
$$e(R_1 + R + H_2(R_1 \| R_2 \| R) H_1(ID_i), P_{KGC}) = e(y_i Q + y_{m0} Q - h_m\, bQ + h_m\, bQ, P_{KGC}) = e(y_m Q, P_{KGC}) = e(V_1, Q).$$
Similarly, F answers a Send-query about $\Pi^m_{J,I}$ as follows:
(1) Choose randomly $y_{jm}$ and $z_m \in Z_p^*$.
(2) Search for $H_1(ID_i \| ID_j)$ in the table $TH_{11}$. If it does not exist, F adds it to $TH_{11}$.
(3) Calculate
$$Z_1 = y_j y_{jm} (cQ),\quad Z_2 = y_{jm} h_{ij} (bQ),\quad Z = z_m Q - h_m y_j (cQ),\quad V_2 = z_m (aQ). \tag{20}$$
(4) Set $H_2(R_1 \| R_2 \| R \| Z_1 \| Z_2 \| Z) = h_m$. Put $(R_1, R_2, R, Z_1, Z_2, Z, y_{jm}, h_m)$ in $TH_{22}$. If it is already in $TH_{22}$ and $H_2(R_1 \| R_2 \| R \| Z_1 \| Z_2 \| Z) \neq h_m$, F goes back to (1) and chooses other $y_{jm}$ and $z_m \in Z_p^*$.
(5) Return $(J, I, m, Z_1, Z_2, Z, V_2)$ and store it in TA. In essence, it satisfies the verification equations (11) and (12):
$$e(Z_1, H_1(ID_i \| ID_j)) = e(y_j y_{jm}\, cQ, h_{ij}\, bQ) = e(y_j\, cQ, h_{ij} y_{jm}\, bQ) = e(H_1(ID_j), Z_2),$$
$$e(y_j y_{jm}\, cQ + z_m Q - h_m y_j\, cQ + h_m y_j\, cQ - y_j y_{jm}\, cQ, P_{KGC}) = e(z_m Q, P_{KGC}) = e(z_m\, aQ, Q) = e(V_2, Q).$$
• Test-query: On a Test-query, F gets a session key and flips a coin $bit$. If $bit = 1$, F returns the session key. Otherwise, F returns a random value of the same length.

Output: The simulation is perfect, so F does not abort. E finally generates valid session keys with the advantage $\mathrm{Adv}(E)$. Suppose that E can generate some of the four shared keys $\{K_1, K_2, K_3, K_4\}$ (and further the session keys). Say, $K_1$. F computes
$$e(Q, Q)^{abc} = K_1^{(h\, y_i y_j y_{jm})^{-1}},$$
where $h$ is the hash value through which one can compute the session keys, i.e. $h = H_2(y_i Z_2)$ is the hash value about $y_i Z_2$ in the table $TH_{21}$ maintained by F. This is since
$$K_1 = e(y_i H_2(y_i Z_2) S_A, Z_1) = e(y_i h\, a H_1(ID_i), y_j y_{jm}\, cQ) = e(y_i h\, abQ, y_j y_{jm}\, cQ) = e(Q, Q)^{h\, y_i y_j y_{jm}\, abc}.$$
This completes the description of the simulation. E's view in the simulation is indistinguishable from its actual view. So, F succeeds in computing $e(Q, Q)^{abc}$ only when the $k$-th distinct $H_1$ call is made. Therefore, F has a probability of success $\mathrm{Succ}^{CBDH}_{F, G_1, G_2} \geq \ \cdot\ \geq \ \cdot$ in terms of $\mathrm{Adv}(E)$. F's running time $t'$ is E's running time plus the time it takes to simulate the whole security proof:
$$t' = t + (q_H + 2 q_E + \tfrac{9}{2} q_S + 2)\, t_S + q_S\, t_A + (\tfrac{3}{2} q_S + 3)\, t_m + q_S\, t_a + 2 t_{in}.$$

Theorem 3. The proposed protocol holds perfect forward security.
Proof. Suppose that the master key $s$ is compromised (hence Alice's and Bob's long-term private
keys $S_A$ and $S_B$ are compromised). The four secret values $\{K_1, K_2, K_3, K_4\}$ determine the session keys. The left sides of Eq. (13)-(16) can be written as
$$K_1 = e(H_2(a_1 Z_2)\, R_1, Z_1)^s,$$
and $K_2$, $K_3$, $K_4$ as pairings of the same form $e(H_2(a_1 Z_2)\, R_\ast, Z_\ast)^s$ over the remaining $R$ and $Z$ components. Note that there must exist a term $H_2(a_1 Z_2)$ or $H_2(b_1 R_2)$ in the secret values. $(Q, Z_2, R_2, a_1 Z_2)$ and $(Q, R_2, Z_2, b_1 R_2)$ are two valid Diffie-Hellman tuples. Under the CDH assumption, any adversary with the master key $s$ still cannot compute the secret values $a_1 Z_2$ or $b_1 R_2$ (hence the session keys). The compromise of the master key does not lead to the compromise of the session keys previously constructed.

B. Performance Analysis
Compared with the previous IB-KA protocols [6-10], the new IB-MKA protocol contains an authentication part. Moreover, after each execution of the protocols [6-10], only one session key will be established. In the following, we make a performance comparison among the LWW protocol [14], the VLYK protocol [15] and the IB-MKA protocol, presented in Table I. Let $t_e$ be the time of one pairing computation in $G_2$, $t_m$ the time of one modular multiplication in $Z_p^*$, and $t_{me}$ the time of one modular exponentiation in RSA. We do not consider the time of additions in $Z_p^*$ and the time of hash operations, since they are negligible compared with the other computations. The computation time of $H_1(\cdot)$ is not considered, since it can be pre-computed. The table lists the time consumed by one party. Assume that the size of the elliptic curve group is $2^{320}$. According to X.509 v3, the certificate of a public key contains at least a 1024-bit modulus and a 1024-bit signature. In the new protocol, both communication parties authenticate each other with one extra pairing computation compared with the LWW protocol and the VLYK protocol. But one modular exponentiation is required to verify the validity of the public keys in the LWW protocol and the VLYK protocol. The protocol has roughly the same computation cost as the two MKA protocols.

Table I  Performance comparison
                        LWW protocol                   VLYK protocol                  Ours
Computation time        6t_A+10t_S+3t_m+7t_e+t_me      6t_A+14t_S+2t_m+7t_e+t_me      2t_A+8t_S+2t_m+8t_e
Communication cost      3016 bit                       3016 bit                       1280 bit
Key escrow              Yes                            Yes                            No
Forward security        No                             Yes                            Yes
Authentication proof    No                             No                             Yes

In the LWW protocol and the VLYK protocol, each time one user sends information to the other user, a certificate of the public key must be sent. Therefore the communication cost of each run is more than 3016 bits for the two protocols, while the communication of each run in the new protocol only needs 1280 bits. The new IB-MKA protocol needs less communication cost, since the new protocol does not need key escrow.

V. CONCLUSIONS
In this paper, we propose an identity-based multiple key agreement protocol. A formal proof shows that its authentication part is secure against existential forgery on adaptively chosen message and ID attack under the random oracle model and the CDH assumption. The proposed protocol is proven secure in the CK model under the random oracle model and the CBDH assumption. Compared with the multiple key agreement protocols in the literature, the protocol has less communication cost.

Acknowledgements
This work is partially supported by a grant from the National Natural Science Foundation of China (10961013). The authors also gratefully thank the editors and the anonymous reviewers for their valuable comments and suggestions, which have improved the presentation.

References
[1] DIFFIE W, HELLMAN M E. New Directions in Cryptography[J]. IEEE Transactions on Information Theory, 1976, 22: 644–654.
[2] MENEZES A, QU M, VANSTONE S. Some New Key Agreement Protocols Providing Mutual Implicit Authentication[C]//Proceedings of the Second Workshop on Selected Areas in Cryptography, 1995: 22–32.
[3] BURTON S, KALISKI J R. An Unknown Key-share Attack on the MQV Key Agreement Scheme[J]. ACM Transactions on Information and System Security, 2001, 4(3): 275–288.
[4] LAW L, MENEZES A, QU M, SOLINAS J, VANSTONE S. An Efficient Scheme for Authenticated Key Agreement[R]. Technical Report CORR 98–05, 1998. Available at /law98efficient.
[5] SHAMIR A. Identity-based Cryptosystems and Signature Schemes[C]//Advances in Cryptology–CRYPTO'84, Lecture Notes in Computer Science, Springer Berlin/Heidelberg, 196, 1984: 47–53.
[6] OKAMOTO E. Proposal for Identity-based Key Distribution System[J]. Electronics Letters, 1986, 22: 1283–1284.
[7] SMART N P. An Identity based Authenticated Key Agreement Protocol based on the Weil Pairing[J]. Electronics Letters, 2002, 38: 630–632.
[8] WANG S B, CAO Z F, CHOO K R, WANG L. An Improved Identity-based Key Agreement Protocol and Its Security Proof[J]. Information Science, 2009, 179(3): 307–318.
[9] CHEN L, KUDLA C. Identity based Key Agreement Protocols from Pairings[C]//Proceedings of the 16th IEEE Computer Security Foundations Workshop, IEEE Computer Society, 2002: 219–213.
[10] WANG S B, CAO Z F, DONG X L. Provably Secure Identity-based Key Agreement Protocols in the Standard Model[J]. Chinese Journal of Computers, 2007, 30(10): 1842–1852.
[11] HARN L, LIN H Y. Authenticated Key Agreement Exchange without Using One-way Hash Function[J]. Electronics Letters, 2001, 37(10): 629–630.
[12] HWANG R J, SHIAU S H, LAI C H. An Enhanced Authentication Key Exchange Scheme[C]//Proceedings of the 17th International Conference on AINA, 2003: 20–25.
[13] LEE N Y, WU C N. Improved Authentication Key Exchange Protocol without Using One-way Hash Function[J]. ACM Operating Systems Review, 2004, 38(2): 85–92.
[14] LEE N Y, WU C N, WANG C C. Authenticated Multiple Key Exchange Protocols based on Elliptic Curves and Bilinear Pairings[J]. Computers and Electrical Engineering, 2008, 34(1): 12–20.
[15] VO D L, LEE H, YEUN C Y, KIM K. Enhancements of Authenticated Multiple Key Exchange Protocol based on Bilinear Pairings[J]. Computers and Electrical Engineering, 2010, 36: 155–159.
[16] CHOON J C, CHEON J H. An Identity-Based Signature from Gap Diffie-Hellman Groups[C]//Proceedings of Lecture Notes in Computer Science, Springer Berlin/Heidelberg, 2567, 2002: 18–30.

Biography
Tan Zuowen received his M.S. degree from Xiangtan University and his Ph.D. degree from the Academy of Mathematics and Systems Science, Chinese Academy of Sciences. His research interests include information security and cryptology.
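The extraction step in the Output phase of the proof of Theorem 1, carried through as an added worked derivation (not part of the paper), assuming the verification equation (4) has the form $e(R_1 + R + H_2(R_1 \| R_2 \| R)\, H_1(ID_i), P_{KGC}) = e(V, Q)$ with $P_{KGC} = aQ$ and $H_1(ID_i) = bQ$ in D's simulation:

$$
\begin{aligned}
e(V, Q) &= e(R_1 + R + h\, bQ,\ aQ) = e\big(a(R_1 + R) + h\, abQ,\ Q\big), \\
e(V', Q) &= e(R_1 + R + h'\, bQ,\ aQ) = e\big(a(R_1 + R) + h'\, abQ,\ Q\big).
\end{aligned}
$$

Since $e$ is non-degenerate, $V = a(R_1 + R) + h\, abQ$ and $V' = a(R_1 + R) + h'\, abQ$ as points of $G_1$, so

$$
V - V' = (h - h')\, abQ \quad\Longrightarrow\quad abQ = (h - h')^{-1} (V - V'),
$$

where the inverse is taken in $Z_p^*$ and is well defined because the forking lemma gives $h \neq h'$. The unknown $a$ cancels in the subtraction, so D never needs it; the step costs exactly the one inversion in $Z_p^*$, one point addition (the difference $V - V'$) and one scalar multiplication in $G_1$ that the paper charges to the Output phase, and it yields the CDH solution $abQ$ for the instance $(aQ, bQ)$.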