Evolutions and research on group key agreement (GKA) protocols
Yuh-Min Tseng, Information Security Lab. (ISL)
Department of Mathematics NCUE
E-mail: ymtseng@cc.ncue.edu.tw http://ymtseng.math.ncue.edu.tw
2 ISL, Math., NCUE
Outline
1. Finding Problems
2. Definitions and evolutions of problems
3. Research approaches and related works
4. Problem 1: GKA protocol resistant to insider attacks
5. Problem 2: GKA protocol for imbalanced networks
6. Problem 3: Pairing-based (ID-based) GKA protocol
7. Conclusions
1. Finding problems
- Assigned by your advisor
- Research trend for some problems or applications
- Referee of manuscripts submitted to conferences or journals
- Open / unsolved problems (famous problems)
- Self-finding problems (important!): seminars; conferences; new journals; complete; some experts' web-sites
- Livelihood problems (to solve some practical problems)
- Periodically downloading papers of related conferences and journals
1. Finding problems => Famous problems
Fermat (1601-1665): Fermat's conjectures?
- Fermat's Last Theorem: $x^n + y^n = z^n$, $n > 2$, has no positive integer solutions. ("I have obtained a perfect proof, but no space to write it.")
- Fermat's Little Theorem: for all primes $p$ and $1 \le a \le p-1$, $a^{p-1} \equiv 1 \pmod p$.
Pythagoras (-572 ~ -492): $x^2 + y^2 = z^2$, right triangle.
1. Finding problems => Famous problems
Euler (1707-1783)
- Fermat's Last Theorem: $x^n + y^n = z^n$, $n > 2$, has no positive integer solutions. Proved by Wiles (1993) and Taylor-Wiles (1995, complete), 370 years later. Wiles' proof is based on many previous theorems and conjectures.
- Fermat's Little Theorem: for all primes $p$ and $1 \le a \le p-1$, $a^{p-1} \equiv 1 \pmod p$. Proof: a corollary of Euler's theorem.
1. Finding problems => Fermat's Little Theorem
Public key primitives in cryptography
- Euler's Theorem: for all $a \in Z_n^*$, $a^{\phi(n)} \equiv 1 \pmod n$.
- Euler's totient function $\phi(n) = |Z_n^*|$ = the number of positive integers less than $n$ and relatively prime to $n$.
- Fermat's Little Theorem: for all primes $p$ and $1 \le a \le p-1$, $a^{p-1} \equiv 1 \pmod p$. Proof: a corollary of Euler's theorem, since $\phi(p) = p-1$ and $\gcd(a, p) = 1$ for $1 \le a \le p-1$.
Both theorems are useful in public key systems (RSA, DSA, and ElGamal) and in primality testing.
1. Finding problems => Fermat's Last Theorem
One conjecture => Fermat's Last Theorem
History:
- Fermat (n=4), Euler (n=3), Gauss (n=3, complete)
- Legendre (n=5) => Legendre symbol (primality test)
- Dirichlet (n=14), Lame (n=7), Kummer (1810-1893) (n<100) ...
- Wolfskehl (1908, offering a 100,000 Marks bonus)
- Taniyama-Shimura theorem/conjecture (1960): relationships between Fermat's Last Theorem, elliptic curves and modular forms
- Wiles (1993, 1995): a proof of Fermat's Last Theorem, based on the Taniyama-Shimura theorem/conjecture
Elliptic curve cryptography (ECC, secure and efficient)
1. Finding problems => Fermat's Last Theorem
A. Wiles: Modular elliptic curves and Fermat's Last Theorem, Annals of Mathematics 141 (1995), pp. 443-551 => 1998 Fields Medal (specific award, 44 years old)
R. Taylor and A. Wiles: Ring theoretic properties of certain Hecke algebras, Annals of Mathematics 141 (1995), pp. 553-572
1. Finding problems => Famous problems
- Fermat's other conjecture: $F_n = 2^{2^n} + 1$ is prime: $F_1 = 5$, $F_2 = 17$, $F_3 = 257$, $F_4 = 65537$. Error => $F_5 = 641 \cdot 6700417$.
- Mersenne (1588-1648) primes: $2^p - 1$ is prime => $p$ is prime: $2^2 - 1 = 3$, $2^3 - 1 = 7$, $2^5 - 1 = 31$, $2^7 - 1 = 127$. Error => $2^{11} - 1 = 23 \cdot 89$.
- GIMPS: The Great Internet Mersenne Prime Search. 44th Mersenne prime (2006, September 4): $2^{32582757} - 1$, the largest known prime (9,808,358 decimal digits). 10,000,000 decimal digits => US$100,000.
1. Finding problems => Personal experiences
Group key agreement protocols
- Deep: focusing on one issue deeply
- Broad: understanding related issues
  - Two-party key agreement protocols
  - Group (conference, multi-party) key establishment: conference key distribution protocols; group key agreement (GKA) protocols
  - Resource-limited devices: elliptic curve; imbalanced networks (WLAN, cellular network); mobile ad hoc networks; sensor networks
  - Based on various cryptographic systems (ID-based, pairing)
Co-assistive (deep and broad)
2. Definitions and evolutions of problems => Diffie-Hellman key exchange (1976)
The DH scheme provides two-party key agreement.
Global parameters $(g, p)$: $p$ is a large prime, say 1024 bits long; $g$ is a generator of the group $Z_p^*$.
(1) Alice randomly selects $a$ and computes $Y_a = g^a \bmod p$; Bob randomly selects $b$ and computes $Y_b = g^b \bmod p$.
(2) Alice sends $Y_a$ to Bob; (2*) Bob sends $Y_b$ to Alice.
(3) Alice computes $Y_{ab} = (Y_b)^a \bmod p$; (3*) Bob computes $Y_{ba} = (Y_a)^b \bmod p$.
$K = Y_{ab} = Y_{ba} = g^{ab} \bmod p$
Security: the discrete logarithm problem.
2. Definitions and evolutions of problems
A group key establishment protocol allows users to construct a group key that is used to encrypt/decrypt messages transmitted among the users over an open communication channel.
Categories:
- Group key distribution: there is a chairman who is responsible for generating a common key and then securely distributing this group key to the other users.
- Group key agreement: all users cooperatively construct a group key.
2. Definitions and evolutions of problems => Categories
[Figure: two rings of users U1, U2, ..., Un; in group key distribution the chair generates the key, in group key agreement the key is formed by all users together]
Group key distribution: easy issue. Group key agreement: challenging issue.
2. Definitions and evolutions of problems => Group key agreement
Four research approaches:
(1) Concurrent ring (1982, Ingemarsson et al.): the first group key agreement; parallel processors
(2) Linear ring + 1 broadcast (many protocols)
(3) Binary tree (many protocols)
(4) Broadcast (many protocols)
2. Definitions and evolutions of problems => (1) Concurrent Ring (1982, Ingemarsson et al.)
First group key agreement
[Figure: three users U1, U2, U3 with secrets $x_1, x_2, x_3$. Round 1: they hold $g^{x_1}, g^{x_2}, g^{x_3}$. Round 2: $g^{x_1 x_2}, g^{x_2 x_3}, g^{x_1 x_3}$. Finally each holds $g^{x_1 x_2 x_3}$.]
Note: with $n$ participants, 1. it requires $(n-1)$ rounds; 2. concurrent. Easy? How to devise?
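As an added example (not code from the slides), the following Python simulates the concurrent ring above in a toy group with constructed parameters $p = 1019$, $g = 4$ (far too small for real use): every user passes its current value to its successor in each of the $n-1$ rounds and raises what it receives to its own secret, so that all end with $g^{x_1 x_2 \cdots x_n}$.

```python
# Added example (not from the slides): Ingemarsson et al.'s concurrent ring.
P, G = 1019, 4   # constructed toy parameters, far too small for real use


def ring_gka(xs):
    """Run the concurrent ring for secrets xs = [x_1, ..., x_n].
    Returns (number of rounds used, the key each U_i holds at the end)."""
    n = len(xs)
    held = [pow(G, x, P) for x in xs]      # U_i starts with g^{x_i}
    rounds = 0
    for _ in range(n - 1):
        # All users send concurrently: U_i passes its value to U_{i+1} and
        # raises the value received from U_{i-1} to its own secret x_i.
        received = [held[(i - 1) % n] for i in range(n)]
        held = [pow(received[i], xs[i], P) for i in range(n)]
        rounds += 1
    # After n-1 rounds each U_i holds g^{x_{i-n+1} ... x_i} = g^{x_1 x_2 ... x_n}.
    return rounds, held
```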
2. Definitions and evolutions of problems => (2) Linear Ring + 1 Broadcast
Concept: (many protocols, 2002)
[Figure: U1 -> U2 -> ... -> Un-1 -> Un in a line, then Un broadcasts]
Note: with $n$ participants, 1. it requires $(n-1)$ rounds; 2. $U_i$ must send $i$ messages.
2. Definitions and evolutions of problems => (3) Binary Tree
Concept: bottom-up (many protocols, 2005)
Note: with $n$ participants, 1. it requires $\log n$ rounds; 2. semi-concurrent.
[Figure: leaves U1, U2, U3, U4 with secrets $x_1, x_2, x_3, x_4$ and values $g^{x_1}, g^{x_2}, g^{x_3}, g^{x_4}$; internal nodes $g^{x_1 x_2}$ and $g^{x_3 x_4}$; root $g^{g^{x_1 x_2} \cdot g^{x_3 x_4}}$.]
2. Definitions and evolutions of problems => (4) Broadcast
Burmester and Desmedt (1994, 2005)
Step 1 (Round 1): $U_i$ ($1 \le i \le n$) keeps $x_i$ secret and broadcasts $y_i = g^{x_i} \bmod p$.
Step 2 (Round 2): $U_i$ ($1 \le i \le n$) broadcasts $z_i = (y_{i+1} / y_{i-1})^{x_i} \bmod p$.
Step 3: each $U_i$ computes the common key
$$K = (y_{i-1})^{n x_i} \cdot z_i^{\,n-1} \cdot z_{i+1}^{\,n-2} \cdots z_{i-2} \bmod p = g^{x_1 x_2 + x_2 x_3 + \cdots + x_n x_1} \bmod p.$$
[Figure: U1, U2, ..., Un connected by a broadcast channel]
3. Research approaches and related works => Burmester and Desmedt scheme
Burmester and Desmedt (1994): non-authenticated; it requires a secure authenticated broadcast channel. (2005, IPL): they provide a complete proof.
Research approaches based on the BD scheme: authenticated; performance; security properties.
3. Research approaches and related works => Three approaches
- Authenticated: based on different cryptographic systems: general public-key system (RSA, DSA, or ElGamal); password-based; ID-based (Weil pairing and elliptic curve)
- Performance: number of rounds; message size sent by each participant; computational cost required for each participant
- Security properties: withstanding impersonator attacks; providing forward secrecy; resisting malicious participant (insider) attacks (new)
3. Research approaches and related works => History and remarks
[1] Diffie-Hellman - 1976 (two-party): first key agreement
[2] Ingemarsson - 1982: first group key agreement
[3,4] BD - 1994 and 2005: efficient, and with proof
Work based on the BD scheme: performance [5, 15]; authenticated [6,8,9,10,16-19]; transformation to authenticated [7,11]; malicious participant [12, 13, 14]
3. Research approaches and related works => History and remarks
Performance [5, 15]: [5] Horng - 2001, computationally efficient; [15] Jung - 2006, dynamic case (join/leave)
Authenticated [6,8,9,10,16-19]: [6,8] 2002, 2003, round efficient; [9, 17, 18] 2004, 2005, ID-based (pairing); [10] Tan - 2005, batch verification; [16] Abdalla - 2006, password-based; [19] Tseng - 2007, insider attack
Transformation to authenticated [7,11]: [7] Katz - 2003, first transformation; [11] Tang - 2005, round efficient
Malicious participant [12, 13, 14]: [12] Tang - 2005, attack it (insider attack); [13] Katz - 2005, insider attack; [14] Tseng - 2005, insider attack
3. Research approaches and related works => Related papers
[1] Diffie, W. and Hellman, M.E. (1976) New directions in cryptography. IEEE Trans. on Inform. Theory, 22, 644-654.
[2] Ingemarsson, I., Tang, T.D. and Wong, C.K. (1982) A conference key distribution system. IEEE Trans. Inform. Theory, 28, 714-720.
[3] Burmester, M. and Desmedt, Y. (1994) A secure and efficient conference key distribution system. Advances in Cryptology - Proceedings of Eurocrypt'94, Perugia, Italy, 9-12 May, LNCS 950, pp. 275-286, Springer-Verlag, Berlin.
[4] M. Burmester and Y. Desmedt (2005) A secure and scalable group key exchange system, Information Processing Letters, vol. 94, pp. 137-143, 2005.
[5] G. Horng (2001) An efficient and secure protocol for multi-party key establishment, The Computer Journal 44 (5) (2001) 463-470.
[6] W. G. Tzeng (2002) A secure fault-tolerant conference-key agreement protocol, IEEE Trans. on Computers 51 (4) (2002) 373-379.
[7] Katz, J. and Yung, M. (2003) Scalable Protocols for Authenticated Group Key Exchange. Advances in Cryptology - Proceedings of Crypto'03, Santa Barbara, CA, 17-21 August, LNCS 2729, pp. 110-125, Springer-Verlag, Berlin.
[8] Boyd, C. and Nieto, G. (2003) Round-Optimal Contributory Conference Key Agreement. Proc. Public-Key Cryptography'03, Miami, USA, 6-8 January, LNCS 2567, pp. 161-174, Springer-Verlag, Berlin.
[9] X. Yi (2004) Identity-Based Fault-Tolerant Conference Key Agreement, IEEE Trans. on Dependable and Secure Computing, Vol. 1, No. 3, pp. 170-178, July-September 2004.
[10] C. Tan and J. Teo (2005) An Authenticated Group Key Agreement for Wireless Networks, IEEE Communications Society, WCNC 2005, pp. 2100-2105.
[11] Q. Tang and C. J. Mitchell (2005) Efficient Compilers for Authenticated Group Key Exchange, Computational Intelligence and Security: International Conference, CIS 2005, Xi'an, China, December 15-19 2005, Proceedings, Part II, Springer-Verlag LNCS 3802, Berlin (2005), pp. 192-197.
[12] Q. Tang and C. J. Mitchell (2005) Security properties of two authenticated conference key agreement protocols, in: S. Qing, W. Mao, J. Lopez, and G. Wang (eds.), Information and Communications Security: 7th International Conference, ICICS 2005, Beijing, China, December 10-13, 2005. Proceedings, Springer-Verlag LNCS 3783, Berlin (2005), pp. 304-314.
[13] J. Katz, J. S. Shin (2005) Modeling Insider Attacks on Group Key Exchange Protocols. ACM Conference on Computer and Communications Security 2005, pp. 180-189.
[14] Tseng, Y.M. (2005) A robust multi-party key agreement protocol resistant to malicious participants. The Computer Journal, 48, 480-487.
[15] B. E. Jung (2006) An Efficient Group Key Agreement Protocol, IEEE Communications Letters, vol. 10, no. 2, pp. 106-107, Feb. 2006.
[16] M. Abdalla, E. Bresson, O. Chevassut, D. Pointcheval (2006) Password-based Group Key Exchange in a Constant Number of Rounds, PKC 2006, LNCS 3958, pp. 427-442.
[17] K. Y. Choi, J. Y. Hwang and D. H. Lee, "Efficient ID-based Group Key Agreement with Bilinear Maps", 2004 International Workshop on Practice and Theory in Public Key Cryptography (PKC 2004).
[18] Y. Shi, G. Chen, and J. Li, "ID-Based One Round Authenticated Group Key Agreement Protocol with Bilinear Pairings", Proceedings of the International Conference on Information Technology: Coding and Computing (ITCC'05), 2005.
[19] Y.M. Tseng, "A communication-efficient and fault-tolerant conference-key agreement protocol with forward secrecy", Journal of Systems and Software, 2006, accepted and to appear.
[20] Y.M. Tseng, "A secure authenticated group key agreement protocol for resource-limited mobile devices", The Computer Journal, Vol. 50, No. 1, pp. 41-52, 2007.
3. Research approaches and related works => Finding worth-to-work problems
Keep cranky and thinking continuously!!!
- Finding solutions: writing a research paper or patent; developing application systems
- Keeping a research record (important!!)
- Finding new problems => solutions. It could be a good approach/technique; in the future, it is possible to adopt it for other applications or problems.
3. Research approaches and related works => Finding worth-to-work problems
Problem 1: Malicious participant (insider) attack. A malicious legal participant broadcasts a wrong message to disrupt the conference key establishment. The proposed protocol must find who the malicious participants are.
Problem 2: Imbalanced wireless networks. Resource-limited PDA, smart phone, or UMD (ultra mobile device). It is a flexible approach to shift the computational burden to the powerful node and reduce the computational cost of mobile nodes.
Problem 3: Pairing-based (ID-based) public-key system. Practical ID-based public-key system (elliptic curve), 2001, new.
4. Problem 1: GKA protocol resistant to insider attacks
Motivation and finding a solution: all related GKA protocols based on the BD scheme suffer from insider attacks. Some secure conferences must be held prior to a special time, such as military applications, rescue missions and emergency negotiations.
Related papers (2005):
[14] Y.M. Tseng (2005) A robust multi-party key agreement protocol resistant to malicious participants. The Computer Journal, 48, 480-487. (2006, Wilkes Award)
[12] Q. Tang and C. J. Mitchell (2005) Security properties of two authenticated conference key agreement protocols, in: S. Qing, W. Mao, J. Lopez, and G. Wang (eds.), Information and Communications Security: 7th International Conference, ICICS 2005, Beijing, China, December 10-13, 2005. Proceedings, Springer-Verlag LNCS 3783, Berlin (2005), pp. 304-314.
[13] J. Katz, J. S. Shin (2005) Modeling Insider Attacks on Group Key Exchange Protocols. ACM Conference on Computer and Communications Security 2005, pp. 180-189.
4. Problem 1: GKA protocol resistant to insider attacks
Insider attacks (malicious participants) on the BD scheme
Step 1 (Round 1): $U_i$ ($1 \le i \le n$) keeps $x_i$ secret and broadcasts $y_i = g^{x_i} \bmod p$.
Step 2 (Round 2): $U_i$ ($1 \le i \le n$, $i \ne j$) broadcasts $z_i = (y_{i+1} / y_{i-1})^{x_i} \bmod p$; the malicious $U_j$ broadcasts a random value $z_j$.
Step 3: each $U_i$ computes a different key
$$K = (y_{i-1})^{n x_i} \cdot z_i^{\,n-1} \cdot z_{i+1}^{\,n-2} \cdots z_{i-2} \bmod p,$$
since the random $z_j$ enters each user's product with a different exponent, the users end up with different keys.
[Figure: U1, U2, ..., Un connected by a broadcast channel]
Who is the malicious participant?
4. Problem 1: Solution => GKA protocol resistant to insider attacks
Step 1 (Round 1): $U_i$ ($1 \le i \le n$) keeps $x_i$ secret and broadcasts $y_i = g^{x_i} \bmod p$.
Step 2 (Round 2): $U_i$ ($1 \le i \le n$) selects a random $r_i$, computes $z_i = (y_{i+1} / y_{i-1})^{x_i} \bmod p$ together with a proof that $z_i$ was formed with the same $x_i$ as $y_i$ (values $\alpha_i$ computed from $r_i$ modulo $p$, a hash $H(z_i, \ldots)$, and a response reduced modulo $q$), and broadcasts $z_i$ with the proof.
Step 3: $U_i$ ($1 \le i \le n$) checks every $U_j$'s proof by recomputing the challenge $C_j = H(z_j, \ldots)$ and verifying the proof values modulo $p$; a passing check means "$z_j$ is computed correctly". $U_i$ then computes
$$K = (y_{i-1})^{n x_i} \cdot z_i^{\,n-1} \cdot z_{i+1}^{\,n-2} \cdots z_{i-2} \bmod p = g^{x_1 x_2 + x_2 x_3 + \cdots + x_n x_1} \bmod p.$$
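As an added example (not code from the slides or from Tseng's paper), the following Python simulates the BD scheme of section 2 (4), the insider attack in which $U_j$ broadcasts a random $z_j$, and a per-broadcast check of the kind Step 3 above performs; the check is a standard Chaum-Pedersen proof that $z_i$ and $y_i$ share the exponent $x_i$, used here as an assumed stand-in for the paper's exact proof, and the toy parameters $p = 1019$, $q = 509$, $g = 4$ are constructed.

```python
import hashlib
import secrets

# Toy group (constructed, far too small for real use): p = 2q + 1 with q
# prime; g = 4 is a square mod p, so it generates the order-q subgroup.
P, Q, G = 1019, 509, 4

def challenge(*vals):
    """Hash the transcript to a non-zero challenge C in [1, q-1]."""
    digest = hashlib.sha256(",".join(map(str, vals)).encode()).digest()
    return int.from_bytes(digest, "big") % (Q - 1) + 1

def step1(n):
    """Round 1: U_i keeps x_i secret and broadcasts y_i = g^x_i mod p."""
    xs = [secrets.randbelow(Q - 1) + 1 for _ in range(n)]
    return xs, [pow(G, x, P) for x in xs]

def base(ys, i):
    """(y_{i+1} / y_{i-1}) mod p with cyclic indices."""
    n = len(ys)
    return ys[(i + 1) % n] * pow(ys[(i - 1) % n], P - 2, P) % P

def step2(xs, ys, i):
    """Round 2: U_i broadcasts z_i = (y_{i+1}/y_{i-1})^x_i mod p plus a
    Chaum-Pedersen proof (alpha, beta, s) that z_i reuses the x_i behind y_i.
    Assumed form: the slides only outline Tseng's proof (r_i, H, C_i mod q)."""
    h = base(ys, i)
    z = pow(h, xs[i], P)
    r = secrets.randbelow(Q - 1) + 1
    alpha, beta = pow(G, r, P), pow(h, r, P)
    c = challenge(ys[i], z, alpha, beta)
    return z, (alpha, beta, (r - c * xs[i]) % Q)

def verify(ys, zs, proofs, j):
    """Step 3 check on U_j: z_j must lie in the order-q subgroup and the
    proof must reproduce both commitments under the recomputed challenge."""
    if pow(zs[j], Q, P) != 1:
        return False
    alpha, beta, s = proofs[j]
    c = challenge(ys[j], zs[j], alpha, beta)
    return (pow(G, s, P) * pow(ys[j], c, P) % P == alpha
            and pow(base(ys, j), s, P) * pow(zs[j], c, P) % P == beta)

def bd_key(xs, ys, zs, i):
    """K = (y_{i-1})^{n x_i} * z_i^{n-1} * z_{i+1}^{n-2} * ... * z_{i-2} mod p."""
    n = len(ys)
    k = pow(ys[(i - 1) % n], n * xs[i], P)
    for t in range(n - 1):
        k = k * pow(zs[(i + t) % n], n - 1 - t, P) % P
    return k

def run(n, malicious=None):
    """Run BD among n users. If malicious == j, U_j broadcasts a random
    subgroup element instead of z_j (the insider attack on the slides).
    Returns (each user's key, indices whose check failed, the honest K)."""
    xs, ys = step1(n)
    zs, proofs = [], []
    for i in range(n):
        z, proof = step2(xs, ys, i)
        if i == malicious:
            fake = z
            while fake == z:
                fake = pow(G, secrets.randbelow(Q - 1) + 1, P)
            z = fake
        zs.append(z)
        proofs.append(proof)
    cheaters = {j for j in range(n) if not verify(ys, zs, proofs, j)}
    keys = [bd_key(xs, ys, zs, i) for i in range(n)]
    honest = pow(G, sum(xs[i] * xs[(i + 1) % n] for i in range(n)), P)
    return keys, cheaters, honest
```

Note that $U_{j+1}$ never uses $z_j$ (its exponent in that user's product is zero), so it alone still derives the honest key while every other user gets a different value; the proof check is what names $U_j$.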
4. Problem 1: GKA protocol resistant to insider attacks
Security proofs: Assumption 1: Decision Diffie-Hellman problem. Theorem 1: the proposed GKA protocol is secure against passive attacks. Theorem 2: the proposed GKA protocol is secure against insider attacks.
Discussions: based on the BD scheme, it is the first protocol resisting insider attacks. In fact, the proposed GKA protocol can be applied to other group key agreement protocols with t rounds (t>1) to withstand insider attacks (reviewer comments).
Expanding to authenticated (Tseng, 2007, JSS)
5. Problem 2: GKA protocol for imbalanced wireless networks
Motivation and finding a solution: resource-limited devices (PDA, cellular phone, or UMD (ultra mobile device)). It is a flexible approach to shift the computational burden to the powerful node and reduce the computational cost of mobile nodes.
Related papers:
Bresson, E., Chevassut, O., Essiari, A. and Pointcheval, D. (2004) Mutual authentication and group key agreement for low-power mobile devices. Computer Communications, 27, 1730-1737.
Nam, J., Kim, S., and Won, D. (2005) A weakness in the Bresson-Chevassut-Essiari-Pointcheval's group key agreement scheme for low-power mobile devices. IEEE Communications Letters, 9, 429-431.
Nam, J., Kim, S., and Won, D. (2005) DDH-based group key agreement in a mobile environment. The Journal of Systems and Software, 78, 73-83.
Y.M. Tseng (2007) "A secure authenticated group key agreement protocol for resource-limited mobile devices", The Computer Journal, Vol. 50, No. 1, pp. 41-52.
5. Problem 2: GKA protocol for imbalanced wireless networks
Weaknesses of Bresson et al.'s protocol (2004): without forward secrecy; without key authentication; not a contributory key agreement.
Weaknesses of Nam et al.'s protocol (2005): it provides an authenticated protocol based on the Katz-Yung transformation [7] (2003), which is time-consuming; in this case the computational cost is expensive for mobile devices; not a contributory key agreement.
5. Problem 2: GKA protocol for imbalanced wireless networks
Goal: a real contributory key agreement protocol (with proof); an authenticated GKA protocol; the proposed protocol must be well suited for mobile devices with limited computing capability.
Some related issues and knowledge: give an example to prove that both Bresson et al.'s and Nam et al.'s protocols are not contributory key agreement; give a complete proof to show that our proposed protocol is a real contributory key agreement; understand the computing capability of mobile devices such as PDAs.
5. Problem 2: GKA protocol for imbalanced wireless networks
Security proofs: Theorem 1: it is a contributory group key agreement protocol. Theorem 2: against a passive adversary. Lemma 1, Lemma 2, and Theorem 3: against an impersonator's attack. Theorem 4: implicit key authentication. Theorem 5: forward secrecy.
Discussions: comparisons of computational cost and security properties. This is the first protocol which provides a proof of contributory group key agreement. A simulation result shows that the proposed protocol is well suited for mobile devices with limited computing capability.
5. Problem 2: GKA protocol for imbalanced wireless networks
Some other possible problems and future works:
- Possible inherent problems of a powerful node: communication bottleneck, single point of failure, trust
- Lower bound of the communication cost in a contributory group key agreement for imbalanced networks => optimal solution
6. Problem 3: Pairing-based (ID-based) GKA protocol
Motivation and finding a problem
- Based on the factoring problem: Shamir (1984). ID => name, ymtseng@cc.ncue.edu.tw and some other information. The motivation is to simplify certificate management. However, it is not practical.
- Based on the Bilinear Diffie-Hellman assumption: in 2001, D. Boneh and M. Franklin presented the first ID-based encryption scheme. Afterwards, it became an important issue for cryptography research.
Question: if you focus on this topic, what knowledge should you prepare and own?
6. Problem 3: Pairing-based (ID-based) GKA protocol
Related knowledge: elliptic curves; bilinear pairings (Weil pairing and Tate pairing); few books focus on these cryptographic systems.
ID-based cryptographic protocols: ID-based signature (batch, threshold, blind, ...); ID-based encryption (broadcast, authenticated); ID-based two-party key agreement/authentication; fast pairing computation; ID-based authenticated group key agreement.
6. Problem 3: Pairing-based (ID-based) GKA protocol
Related papers on ID-based signature/encryption:
D. Boneh and M. Franklin, "Identity based encryption from the Weil pairing," Crypto 2001, LNCS 2139, pp. 213-229, Springer-Verlag, 2001.
D. Boneh and M. Franklin, "Identity based encryption from the Weil pairing," SIAM J. of Computing, Vol. 32, No. 3, pp. 586-615, 2003.
D. Boneh, B. Lynn and H. Shacham, "Short signature from Weil pairing," Asiacrypt 2001, LNCS 2248, pp. 514-532, Springer-Verlag, 2001.
K. Paterson, "ID-based Signatures from Pairings on Elliptic Curves," Electronics Letters, Vol. 38, No. 18, pp. 1025-1026, 2002.
F. Hess, "Efficient identity based signature schemes based on pairings," SAC 2002, LNCS 2595, pp. 310-324, Springer-Verlag, 2003.
J. C. Cha and J. H. Cheon, "An identity-based signature from gap Diffie-Hellman groups," PKC 2003, LNCS 2567, pp. 18-30, Springer-Verlag, 2003.
H. J. Yoon, J. H. Cheon, Y. Kim, "Batch verifications with ID-based signatures," Proc. ICISC 2004, December 2-3, Seoul, Korea, LNCS 3506, pp. 233-248, Springer-Verlag, Berlin, 2005.
N. Koblitz and A. Menezes, "Pairing-based cryptography at high security levels," Cryptography and Coding: 10th IMA International Conference, LNCS 3796, pp. 13-36, Springer-Verlag, 2005.
S. Cui, P. Duan, C. W. Chan, "An efficient identity-based signature scheme with batch verifications," Proceedings of the 1st International Conference on Scalable Information Systems, Article No. 22, May 30 - June 01, 2006.
6. Problem 3: Pairing-based (ID-based) GKA protocol
Related papers on ID-based key agreement/authentication:
N.P. Smart, "An identity based authenticated key agreement protocol based on the Weil pairing," Electronics Letters, Vol. 38, No. 13, pp. 630-632, June 2002.
L. Chen and C. Kudla, "Identity Based Authenticated Key Agreement Protocols from Pairings," 16th IEEE Computer Security Foundations Workshop (CSFW'03), 2003, p. 219.
Y. Wang, "Efficient identity-based and authenticated key agreement protocol," Cryptology ePrint Archive, Report 2005/108.
G. Xie, "An ID-based key agreement scheme from pairing," Cryptology ePrint Archive, Report 2005/093.
Q. Yuan and S. Li, "A new efficient ID-based authenticated key agreement protocol," Cryptology ePrint Archive, Report 2005/309.
L. Chen, Z. Cheng, and N.P. Smart, "Identity-based Key Agreement Protocols From Pairings," http://grouper.ieee.org/groups/1363/IBC/submissions/Chen-IBE.pdf (good survey), 2006.
X. Yi, "Identity-Based Fault-Tolerant Conference Key Agreement," IEEE Trans. on Dependable and Secure Computing, Vol. 1, No. 3, pp. 170-178, July-September 2004.
M. Das, A. Saxena, A. Gulati, and D. Phatak, "A novel remote user authentication scheme using bilinear pairings," Computers & Security, Vol. 25, Issue 3, May 2006, pp. 184-189.
6. Problem 3: Pairing-based (ID-based) GKA protocol
Goal: a pairing-based (ID-based) GKA protocol. Finding some possible solutions => no concrete publication.
Extra results, by surveying pairing-based systems:
- Reviewer of an ID-based partially blind signature (2006): improving performance of the Sherman et al.'s scheme (2005). I presented that their scheme suffers from a forgery attack, reject it! Try to propose an efficient scheme. Until now, no concrete result.
- Seminar => a two-party key agreement protocol (2006, C&S): finding some drawbacks. We have obtained concrete results => conferences.
7. Conclusions
Based on the previous knowledge and new applications/environments
Thinking other problems
7. Conclusions => Thinking other problems
- Wireless environments (resource-limited devices): imbalanced networks (WLAN, cellular network); mobile ad hoc networks
- Distributed architectures: no on-line certificate authority
- Sensor networks: specific architectures (pre-distributed secret keys, or passwords); energy-aware (computation vs. communication)
7. Conclusions => Other problems => Energy consumption
Sensor networks (2005, Wander et al.): specific architecture (pre-distributed secret keys); energy-aware (computation vs. communication)
Field                          Value
Effective data rate            12.4 kbps
Energy to transmit             59.2 μJ/byte
Energy to receive              28.6 μJ/byte
ATmega128L active mode         13.8 mW
ATmega128L power down mode     0.0075 mW
ATmega128L MIPS/Watt           289 MIPS/W
(Mica2dot sensor platform, 2002, ...)
7. Conclusions => Other problems => Energy consumption
Algorithm          Energy
SHA-1              5.9 μJ/byte
AES-128 Enc/Dec    1.62/2.49 μJ/byte

Energy cost of digital signature and key exchange computations [mJ]
Algorithm     Signature: Sign   Verify    Key exchange: Client   Server
RSA-1024      304               11.9      15.4                   304
ECDSA-160     22.82             45.09     22.3                   22.3
RSA-2048      2302.7            53.7      57.2                   2302.7
ECDSA-224     61.54             121.98    60.4                   60.4
7. Conclusions
Research: "When you enter the first room of the mansion, it is pitch dark; you cannot see your hand in front of your face. You stumble around among the furniture, but gradually you work out where each piece of furniture is. Finally... you find the light switch and turn on the light. Suddenly... you know exactly where you are."
------ Wiles
Open up the Ren and Du meridians (a martial-arts idiom for a breakthrough).