1. Introduction
Internet of Things (IoT) applications have been deployed ever more widely as information technology, operational technology, communication technology, and electronic technology develop. Examples include the Smart Grid, the Internet of Vehicles, the Industrial IoT, and the Agricultural IoT, all of which have greatly improved living conditions. With the development of 5G, the demand for secure and efficient communication has grown enormously, as massive numbers of IoT devices participate in these applications. In general, IoT end devices and IoT servers play the central roles in IoT applications. IoT end devices, equipped with sensors, collect useful information and transmit it to the IoT servers over the open network. When these IoT data are transmitted among different IoT devices, the sensitive information embedded in them requires stronger cryptographic algorithms to protect IoT user privacy and data security.
To protect the security of data transmission, cryptographic mechanisms that require secret keys are employed. For IoT user identity authentication, shared keys, public key certificates, and zero-knowledge proofs are common cryptographic methods [1]. For secure IoT data transmission, digital signatures confirm data ownership [2], key agreement establishes a secure session key [3], and public key encryption protects IoT data as ciphertext in the public Internet environment [4]. For IoT data with fine-grained access control, attribute-based encryption supports secure access control policies built on the attributes of IoT users and data [5], and a security policy protocol can counter Internet control message protocol (ICMP) attacks [6]. Many cryptographic algorithms guarantee secure and efficient communication among different IoT applications—there are too many to mention one by one. However, these cryptographic algorithms are public; therefore, the keys are what make data transmission secure. Moreover, blockchain technology has been applied to IoT applications to solve the centralized management problem [7].
Key agreement (KA) is an important method for protecting keys; it builds a common session key between two or more users for subsequent communications. Authenticated key agreement (AKA) not only generates a common session key but also prevents active attacks and implicitly authenticates the participants at the same time. In the public-key infrastructure (PKI) setting, a user’s long-term public key is bound to the corresponding identity in a certificate issued by a trusted certificate authority. However, managing and transmitting these certificates results in heavy computation and storage costs. Considering that IoT end devices are usually resource-constrained, with limited memory, computation power, storage, and battery life, PKI-based AKA protocols (e.g., [3,8]) are not suitable for IoT applications. Therefore, to avoid the PKI certificate problem, identity-based AKA (ID-AKA) protocols were proposed [9]. In ID-AKA protocols, every user owns a unique identity, the long-term public key is derived from the user’s identity, and the private key is computed from the identity and a master key held by the trusted key generation center (KGC). Since the first ID-AKA protocol in [10], many ID-AKA protocols have been introduced based on bilinear pairings [11,12,13,14,15,16,17,18], an operation with high time complexity. Because of the resource restrictions of IoT end devices, ID-AKA protocols without pairings are more suitable for IoT applications.
Currently, the modified Bellare and Rogaway (mBR) model [12], the Canetti–Krawczyk (CK) model [19], and the extended Canetti–Krawczyk (eCK) model [20] are some famous security models for AKA protocols. In particular, the eCK model can achieve the most security properties [13]. Meanwhile, to satisfy the communication demands of the high speed, low latency, and large connections in IoT applications, a more secure and efficient AKA protocol is needed. Thus, designing efficient ID-AKA protocols without pairings while maintaining eCK security would be more suitable for IoT applications.
Motivation and Our Contribution
To address the aforementioned problems, this paper presents efficient ID-AKA protocols that achieve eCK security for IoT applications.
- We provide the preliminaries of some Diffie–Hellman assumptions and the forking lemma, give a detailed description of the eCK-security model for two-party ID-AKA protocols, and draw a figure to show the network model for these protocols.
- We analyze three recently proposed ID-AKA protocols without pairings [21,22,23], and point out their security flaws against some known attacks.
- We propose a family of pairing-free ID-AKA protocols in the eCK security model. The security proof also covers the case where the public key materials related to the long-term private key can be altered by an active adversary. Furthermore, the events in our security proof are complementary.
- We provide some more efficient protocols that need only four elliptic curve point multiplication operations. The protocol comparison shows that our efficient protocols outperform similar protocols in terms of security, computation, and communication efficiency.
The paper is organized as follows: Section 2 provides some related work, Section 3 presents the cryptanalysis of several ID-AKA protocols, Section 4 proposes a family of pairing-free ID-AKA protocols, Section 5 shows some more efficient instantiations, Section 6 presents the performance and comparison, and Section 7 gives the conclusion.
2. Related Work
Some related works about the cryptographic methods for IoT applications and developments of KA protocols are provided in the following two subsections.
2.1. Cryptographic Methods for IoT Applications
In IoT applications, the IoT data generally contain plenty of sensitive information about the system users, such as their personal identity, location, and production data. When these IoT data are transmitted among different IoT devices and applications, cryptographic technologies play an essential role in the processes of user identity authentication, IoT data transmission, IoT data fine-grained access control, and so on. Jayabalasamy et al. [2] proposed an aggregate signature scheme to solve the nonrepudiation problem in blockchain ecosystems, which could also confirm data ownership in an untrusted IoT environment. Li et al. [3] designed a KA protocol based on the SM2 algorithm, which could help establish a secure session key between different system users in smart grid communications. Pu et al. [4] introduced a public key authenticated encryption scheme with keyword search to guarantee IoT data security in industrial IoT applications. Rasori et al. [5] surveyed the attribute-based encryption protocols of recent years, and identified the problems and challenges of IoT data fine-grained access control in most current IoT applications. Onyema et al. [6] presented a security policy protocol for the detection and prevention of Internet control message protocol (ICMP) attacks in software-defined networks. For all of these cryptographic algorithms, the key is an essential part of secure IoT communication. Therefore, establishing a secure session key is the first issue to consider for secure communication in IoT applications.
2.2. Developments of KA Protocols
Numerous interesting pairing-free ID-AKA protocols have been introduced in recent years. In 2010, Cao et al. [24] provided a one-round ID-AKA protocol without pairing and presented its security proof in the mBR model. Then, two pairing-free ID-AKA protocols were proposed in [25,26], which used the CK model to prove their security. In 2016, Ni et al. [27] showed that the security proof of Sun et al.’s protocol neglected the case where the public key materials related to the long-term private key could be altered by an active adversary, and proposed two eCK-secure ID-AKA protocols without pairings. However, the events in the security proof of their protocols were not complementary, which resulted in a mismatch with the freshness definition. Moreover, the KGC needed to generate one extra long-term private key, which increased the storage, computation, and communication costs as the number of users grew. Bala et al. [21] presented an ID-AKA scheme without pairing for wireless sensor networks and claimed it was secure in the eCK security model. However, Dang et al. [28] showed that its security proof had the same problem. Furthermore, the protocol was not eCK-secure, as it suffered from an ephemeral key reveal attack.
In 2018, Dang et al. [28] provided a pairing-free ID-AKA protocol that could achieve eCK security in vehicular ad hoc networks. However, in 2021, Deng et al. [29] showed that it was not eCK-secure and put forward a new scheme that required only four scalar multiplication operations. However, we found that its security proof had some flaws; for example, it was inappropriate that the challenger held the private key of KGC in the proof Cases CA2, CA3, CA4, and CA6. Mohammadali et al. [22] proposed the NIKE protocol, an ID-AKA protocol without pairing. However, it still had several drawbacks. Firstly, we found that this scheme had a design flaw, i.e., if an individual learned the long-term private keys of two parties (say and ), they could easily obtain KGC’s master key. Secondly, it could not resist a KCI attack. Thirdly, although the NIKE protocol needed at most three elliptic curve point multiplication operations, it also needed three hash-to-point operations, each of which is more time-consuming than a point multiplication. In 2019, Zhang et al. [23] gave two pairing-free and unbalanced ID-AKA protocols for disaster scenarios. Their protocols were actually unbalanced versions of the protocol in [24], and saved one elliptic curve point multiplication operation for the resource-limited party. However, Zhang et al.’s protocols did not provide ephemeral key reveal resistance. In 2020, Daniel et al. [30] pointed out that Bala et al.’s protocol [21] could not resist an ephemeral key reveal attack. They also provided an ID-AKA protocol and presented its security proof in the eCK model [27]. However, its computational cost was still higher, needing five point multiplication operations on the elliptic curve. Furthermore, they pointed out that the protocol in [27] suffered from key offset attacks; however, key offset attacks can be avoided simply by adding a message authentication code, using the same method as in [30].
In 2021, Kumar and Chand [31] presented a cloud-based ID-AKA protocol for wireless body area networks for anonymous health data authentication. However, Rakeei and Moazami [32] pointed out that this protocol could neither resist a man-in-the-middle attack nor achieve perfect forward secrecy. In 2022, Pu et al. [33] provided a mutual authentication and KA protocol for data privacy preservation in unmanned aerial vehicles (UAVs). Zhang et al. [34] designed a group key agreement (GKA) protocol for user privacy protection and secure data resource sharing in an intelligent IoT system. In 2023, Zhou et al. [35] presented an AGKA protocol for an AI-based automation system, which utilized a semi-trusted authority to perform precomputation operations. Pan et al. [36] focused on the communication security of UAVs and introduced a heterogeneous AKA protocol. Zhang et al. [37] provided a symmetric-key AKA protocol for edge-cloud IIoT, which could achieve perfect forward secrecy based on both authentication and derivation master keys. Abdussami et al. [38] proposed an AKA protocol for secure sharing of patient health-related data in the IoMT.
The security comparisons of these ID-AKA protocols are shown in Table 1, and the security items of the KGC’s master key (MSS), weak perfect forward secrecy (wPFS), key compromise impersonation resilience (KCIR), ephemeral secrets reveal resistance (ESRR), and assumption (AS) were compared. Facing these problems and secure IoT communication demands, a secure ID-AKA protocol is needed to strengthen the security of session keys between different IoT users. The next sections will present the cryptanalysis of several ID-AKA protocols [21,22,23] first, and then provide the proposed ID-AKA protocols.
3. Preliminaries
Some basic concepts including complexity assumptions and the eCK security model for two-party ID-AKA protocols are reviewed in this section.
3.1. Complexity Assumptions
Let be an elliptic curve additive group with a large prime order q, and let P be a generator of . Some Diffie–Hellman assumptions over are recalled as follows.
- Computational Diffie–Hellman (CDH) Assumption: Given three points, and , where , the advantage to compute is negligible for any probabilistic polynomial time (PPT) adversary .
- Decision Diffie–Hellman (DDH) Assumption: Given four points and , where , the advantage to decide whether mod q is negligible for any PPT adversary .
- Gap Diffie–Hellman (GDH) Assumption: Given four points and , where , the advantage to compute by accessing a DDH oracle is negligible for any PPT adversary .
3.2. The Forking Lemma
The forking lemma is applied in the security proof of our proposed protocols. Here, we recall it described in [27].
Let be a generic digital signature scheme. Given an input message m, produces a triple , where K is a randomly selected value in a large set, h is the hash value of , and v is only dependent on K, m, and h. Assume that a PPT algorithm can produce a valid signature on the message m with non-negligible probability. Then, with non-negligible probability, a replay of this algorithm can output two valid signatures and on the same message m, such that .
3.3. eCK-Security Model for Two-Party ID-AKA Protocols
We now recall the eCK-security model for two-party ID-AKA protocols in [13,27].
- Participants. Let be a finite set of L honest parties. Each participant is modeled as a PPT Turing machine. Any two parties can be involved in a protocol execution. Each party may execute multiple instances (sessions) in parallel. Let denote the mth protocol session, which runs at party (the owner) with intended partner party . Every session has internal state variables and to record the state of , and the transcript of messages sent and received by , respectively. If can compute a session key , . The messages in are ordered according to the protocol specification.
- Adversary Model. The adversary is modeled as a PPT Turing machine and has full control of the communication network. Active attacks are formulated by allowing the adversary to perform the following queries:
  - EphemeralKeyReveal (). The adversary is provided the ephemeral private key of .
  - SessionKeyReveal (). The session key held by a completed session is returned to .
  - Corrupt (). The long-term private key of is returned to the adversary .
  - KGCStaticKeyReveal. The adversary obtains the master key of KGC. This query is used to model master key forward secrecy.
  - RegCT (). Via this query, the adversary is able to register a dishonest party with identity . Meanwhile, obtains ’s long-term private key and totally controls .
  - Send (). Via this query, the adversary can send any message M to party in session on behalf of party . The adversary is responded to according to the protocol specification. can be initiated by when . In general, for simplicity is required, i.e., two identical participants will not run a session. Internal states of should be maintained accordingly.
  - Test (). The input session must be fresh. In response to this query, flips a fair coin , and returns the real session key if , or a random sample from the distribution of the session key if .
- Security Experiment. The security experiment between the adversary and the challenger consists of the following phases.
  - Setup. The challenger generates the system parameters along with the master private key and valid long-term secret keys for each party. The adversary is then provided all public data, including the identities of all the honest parties.
  - The first phase of the game. Adversary is allowed to issue a polynomial number of EphemeralKeyReveal, SessionKeyReveal, Corrupt, KGCStaticKeyReveal, RegCT, and Send queries in any order.
  - The second phase of the game. At some point, adversary chooses a fresh session (see Definition 2) and issues a Test() query at most once. After this, adversary can keep asking other queries under the condition that the test session must remain fresh.
  - The end of the game. makes a guess for b.
- Advantage. wins the above security experiment if the test session is still fresh and . The advantage of in winning the above security experiment is defined as , where "wins" means that can distinguish the tested session key from a random string.
In the following, we introduce definitions for Matching Session, Freshness, and eCK Security.
Definition 1 (Matching Session). If two completed sessions and have the same message transcript, they are said to be matching.
Definition 2 (Freshness). Let be a completed session between honest parties and . is said to be fresh if none of the following three conditions hold:
- (1) The adversary knows the session key of or of its matching session (if it exists);
- (2) has a matching session , and the adversary knows both the long-term private key of participant and the ephemeral private key of , or both the long-term private key of participant and the ephemeral private key of .
- (3) has no matching session, and the adversary knows both the long-term private key of participant and the ephemeral private key of , or the long-term private key of participant .
The first condition in Definition 2 is to exclude the trivial attack that obtains the session key directly. The second and third conditions in Definition 2 are to exclude the trivial attack that obtains the long-term private key and the ephemeral private key of one party simultaneously. If has no matching session, it means that has obtained the ephemeral private key of participant ; therefore, cannot obtain the long-term private key of .
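The three freshness conditions are easy to get wrong when auditing a proof, in particular the asymmetry of the no-matching-session case. The following added example (not from the paper) encodes Definitions 1 and 2 as a predicate over the adversary's query history; the `Session` and `AdversaryKnowledge` types and the string session identifiers are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass(frozen=True)
class Session:
    """One protocol session `sid`, owned by `owner` with intended peer `peer` (assumed model)."""
    sid: str
    owner: str
    peer: str
    transcript: tuple = ()          # ordered messages sent and received by the session
    completed: bool = True


@dataclass
class AdversaryKnowledge:
    """What the eCK adversary has learned through its queries so far."""
    corrupted: Set[str] = field(default_factory=set)      # Corrupt(): party identities
    eph_revealed: Set[str] = field(default_factory=set)   # EphemeralKeyReveal(): session ids
    key_revealed: Set[str] = field(default_factory=set)   # SessionKeyReveal(): session ids


def is_matching(s1: Session, s2: Session) -> bool:
    """Definition 1: two completed sessions with the same message transcript match."""
    return s1.completed and s2.completed and s1.transcript == s2.transcript


def find_matching(test: Session, candidates) -> Optional[Session]:
    """Return the session (other than `test` itself) that matches `test`, if any."""
    for s in candidates:
        if s.sid != test.sid and is_matching(test, s):
            return s
    return None


def is_fresh(test: Session, matching: Optional[Session], adv: AdversaryKnowledge) -> bool:
    """Definition 2: fresh unless one of the three trivial-break conditions holds."""
    # (1) the session key of the test session or of its matching session was revealed
    if test.sid in adv.key_revealed:
        return False
    if matching is not None and matching.sid in adv.key_revealed:
        return False
    if matching is not None:
        # (2) owner's long-term key together with the test session's ephemeral key ...
        if test.owner in adv.corrupted and test.sid in adv.eph_revealed:
            return False
        # ... or peer's long-term key together with the matching session's ephemeral key
        if test.peer in adv.corrupted and matching.sid in adv.eph_revealed:
            return False
        return True
    # (3) no matching session: the adversary is treated as already holding the peer's
    # ephemeral key, so corrupting the peer at all is a trivial break
    if test.owner in adv.corrupted and test.sid in adv.eph_revealed:
        return False
    if test.peer in adv.corrupted:
        return False
    return True
```

Corrupting both parties while revealing no ephemeral key leaves a matched session fresh, which is exactly the weak perfect forward secrecy case the model must still protect.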
Definition 3 (eCK Security). We say that an ID-AKA protocol is secure in the eCK model if the following conditions hold:
- (1) If two honest parties successfully complete matching sessions, they both compute the same session key.
- (2) For any PPT adversary, the advantage is negligible in the security parameter k.
If a protocol is secure under Definition 3, then it achieves implicit mutual key authentication and the basic security properties, including weak perfect forward secrecy (wPFS), key compromise impersonation resilience (KCIR), ephemeral secrets reveal resistance (ESRR), known key security, no key control, resistance to basic impersonation attack, replay attack resilience, resistance to man-in-the-middle attack, and unknown key share resilience.
4. Cryptanalysis of Several ID-AKA Protocols
Figure 1 shows the network model for the ID-AKA protocols considered in this paper. Here, user A, user B, and the trusted authority (acting as KGC) are the three main parties of an ID-AKA protocol. A and B obtain their long-term private keys in the extract phase and use them to perform AKA with each other. Next, this section provides the cryptanalysis of several ID-AKA protocols.
4.1. The PF-ID-2PAKA Protocol
PF-ID-2PAKA [21] is also composed of three stages, i.e., setup, extract, and key agreement. The former two stages are the same as those of the DXCLCZF-18 protocol [28]. Here, we only describe the key agreement stage in Figure 2.
4.1.1. Ephemeral Key Reveal Attack
Suppose that A’s ephemeral key is compromised by an adversary. Next, we show that the PF-ID-2PAKA protocol suffers from an ephemeral key reveal attack.
- (1) The adversary initializes a session through the query Send(), and then obtains the message , where with a random element .
- (2) Upon receiving the message, , randomly picks an ephemeral private key , calculates , and returns to impersonating B via the query Send(). Note that B’s identity and correct public key material can be obtained from the response of the query Send().
- (3) Upon the receipt of , A calculates the shared session key and completes this session. Specifically, A calculates , where and
- (4) Now, performs the query EphemeralKeyReveal() to reveal an ephemeral private key . With the knowledge of and , computes , , and .
Correctness. The following provides the correctness of the attack process.
As a result of , we can obtain
Thus, A and receive the same session key, which means that the PF-ID-2PAKA protocol suffers from an ephemeral key reveal attack. Note that our construction cannot suffer from the above attack as both of the two shared secrets not only depend on the ephemeral private key, but also depend on the long-term private key, and they are linearly independent. Therefore, it is impossible to remove the long-term private key from the two shared secrets simultaneously.
4.1.2. Flaws in the Security Proof
The PF-ID-2PAKA protocol cannot be proved secure under the hardness of the GDH problem in Case 3 (i.e., can obtain neither the long-term private key of nor that of ). Moreover, the ephemeral key of may be created by , so cannot know . Without , cannot compute the CDH value. Therefore, the challenger cannot solve the GDH instance.
4.2. The ZHWY-19 Protocol
Here, we only describe the key agreement stage of the ZHWY-19-I protocol [23] in Figure 3. For more details, one can refer to [23]. Note that Cheng et al. [39] pointed out that the ZHWY-19-I protocol [23] cannot achieve forward security and resist the key compromise impersonation attack. Here, we point out that this protocol is weak against the ephemeral key reveal attack and flaws in the security proof.
4.2.1. Ephemeral Key Reveal Attack
If and in a past session have been compromised by the adversary , can compute the session key .
- (1) obtains and of the session.
- (2) Given {} and {}, calculates the keys of , , , and as the shared session key.
Thus, the ZHWY-19-I protocol is weak against the ephemeral secret key leakage. Note that they did not claim their protocol holds ephemeral key reveal resistance.
4.2.2. Flaws in the Security Proof
In the ZHWY-19-I protocol, the answer to oracle Corrupt() is improper. Actually, Corrupt() should return the long-term private key rather than to the adversary.
4.3. Mohammadali et al.’s Protocols
Mohammadali et al. [22] proposed two protocols, the NIKE protocol and the NIKE protocol. These two protocols contain three stages, namely setup, extract, and key agreement. The NIKE protocol is briefly shown in Figure 4. Note that, here, we did not analyze the flaws in the security proof as there was no security proof in [22].
4.3.1. The Insecurity of the KGC’s Master Key
If the user and the user launch collusion attacks, they can know the KGC’s master key s. As , they can obtain with the knowledge of and .
4.3.2. Key Compromise Impersonation (KCI) Attack
The NIKE protocol suffers from a key compromise impersonation (KCI) attack, i.e., if the user ’s long-term private key is compromised by , can impersonate any user (say ) with ’s long-term private key to communicate with . The details are as follows. Note that they did not claim their protocol held KCI resistance.
- (1) obtains by eavesdropping on a connection between and any user. Then, picks at random, calculates , and sends to .
- (2) Upon the receipt of , generates according to the protocol.
- (3) Upon receiving , calculates , and , and finally sends to .
- (4) Upon receiving , verifies that is correct and computes the session key according to the protocol.
Correctness. The following provides the correctness of the attack process.
As and , we can obtain
Thus, A and obtain the same session key, which means that the NIKE protocol suffers from a KCI attack. The KCI attack on the NIKE protocol is the same as above.
5. Our General Construction
This section first presents the construction , then shows that it is correct, and finally provides its security proof.
5.1. Construction Description
The is composed of three stages, i.e., setup, extract, and key agreement.
- Setup: Given the security parameter k, KGC performs as follows:
  - (1) Pick an elliptic curve , where is a finite field, and p is a prime number with k bits.
  - (2) Create a cyclic additive group with order q, generated by a base point P over .
  - (3) Choose randomly, and then set the master private key s and the system public key .
  - (4) Pick and .
  - (5) Publish , and keep s secret.
- Extract: KGC derives the long-term private key for user as below.
  - (1) KGC randomly selects , and calculates and .
  - (2) KGC computes mod q and derives as the user’s long-term private key.
  - (3) KGC sends to the user securely.

  Upon receiving , the user can verify . If this verification succeeds, the key pair is correct and valid. serves as the real public key in relation to .
- Key Agreement: Assume that user A with identity wants to compute a key with user B with identity .
  - (1) A randomly picks an ephemeral secret key , calculates , and sends to B. The agreement process is shown in Figure 5.
  - (2) When is received, B picks an ephemeral secret key , calculates , and returns to A. Next, B calculates as the shared session key, where , , , and . Finally, B sends to A.
  - (3) When is received, A calculates , and the two shared secrets and , where and . Finally, A calculates the shared session key .

Note that our construction provides a method to build eCK-secure ID-AKA protocols; however, the parameters , and must be fixed in the real execution environment. One can choose a concrete and efficient protocol derived from our construction to execute in the real environment, e.g., protocol , protocol and protocol described in Section 6.
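The Extract stage above has the familiar shape in which the user's private key binds a random value to the master key through a hash of the identity, and the companion point is the public key material that an active adversary can try to alter. The following added example (not the paper's code) implements that stage and the user-side verification in pure Python on secp256k1; it assumes the binding d = r + H1(ID, R, Ppub)·s mod q with H1 built from SHA-256, and leaves the key agreement stage out since the paper fixes its parameters only in Section 6.

```python
import hashlib
import secrets

# secp256k1 domain parameters (public standard constants); any prime-order curve would do
P_MOD = 2**256 - 2**32 - 977            # field prime p; curve is y^2 = x^3 + 7, so a = 0
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
Q_ORDER = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # prime order q


def ec_add(p1, p2):
    """Affine point addition; None represents the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P_MOD == 0:
            return None                                   # p1 == -p2
        lam = (3 * x1 * x1) * pow(2 * y1, -1, P_MOD) % P_MOD   # doubling, a = 0
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication k*pt (k reduced mod q)."""
    k %= Q_ORDER
    acc, addend = None, pt
    while k:
        if k & 1:
            acc = ec_add(acc, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return acc


def encode_point(pt):
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")


def h1(identity: bytes, R, Ppub) -> int:
    """Assumed H1: SHA-256 over (ID, R, Ppub), reduced mod q (the paper's exact inputs are not shown here)."""
    digest = hashlib.sha256(identity + encode_point(R) + encode_point(Ppub)).digest()
    return int.from_bytes(digest, "big") % Q_ORDER


def kgc_setup():
    """Setup: master private key s, system public key Ppub = sP."""
    s = secrets.randbelow(Q_ORDER - 1) + 1
    return s, ec_mul(s, G)


def kgc_extract(s, Ppub, identity: bytes):
    """Extract: r <- Z_q^*, R = rP, h = H1(ID, R, Ppub), d = r + h*s mod q; returns (d, R)."""
    r = secrets.randbelow(Q_ORDER - 1) + 1
    R = ec_mul(r, G)
    h = h1(identity, R, Ppub)
    d = (r + h * s) % Q_ORDER
    return d, R


def user_verify(identity: bytes, d, R, Ppub) -> bool:
    """User-side check dP == R + h*Ppub; fails if R or the identity was tampered with."""
    h = h1(identity, R, Ppub)
    return ec_mul(d, G) == ec_add(R, ec_mul(h, Ppub))


def implicit_public_key(identity: bytes, R, Ppub):
    """Public key anyone can derive from (ID, R, Ppub); equals dP for a valid pair."""
    h = h1(identity, R, Ppub)
    return ec_add(R, ec_mul(h, Ppub))
```

Because the implicit public key is recomputed from the transmitted R, a peer that receives an altered R derives a different point, which is why the security proof has to cover adversarially chosen public key materials.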
5.2. Construction Correctness
The following provides the correctness of our construction. As , , and , we can obtain:
Thus, both A and B compute as their session key. Hence, the correctness holds.
5.3. Security Proof
Here, the events in our security proof are complementary, while they are not complementary in [27], and the security proof can be reduced to the following theorems.
Given two random oracles and , the proposed ID-AKA protocol is secure in the eCK model under the GDH assumption over the elliptic curve group.
This theorem holds if the two conditions in Definition 3 hold. The correctness analysis shows that the first condition holds. The second condition is proven by contradiction: if there is an adversary who can execute a PPT algorithm to win the game with non-negligible probability, we can use to build a GDH solver that finds a solution to the GDH instance. □
Assume is a polynomially (in security parameter k) bounded adversary whose advantage is . Suppose that activates no more than different honest parties, and each party can take part in no more than sessions. Suppose that chooses , the nth protocol session which executes between party (the owner) and the target party (the peer) as the test session. Assume that performs, at most, queries.
According to , we can derive that is non-negligible as is non-negligible. As is modeled as a random oracle, can make a clear distinction between a random string and the tested session key in the following three ways:
A1. Guessing attack: directly guesses the correct session key.
A2. Key replication attack: successfully creates a session that does not match the test session but holds the same session key. Here, can obtain the test session key by querying the session key of the non-matching session.
A3. Forging attack: At some point, makes queries on in the test session. Here, calculates and itself.
Guessing ’s output succeeds only with the negligible probability . If two sessions are different, has the same input only with probability , which is also negligible. Thus, can distinguish a random string from the tested session key only by a forging attack.
Next, a reduction approach is applied to analyze the forging attack. This approach reduces the protocol security to the hardness of mathematical problems in the GDH assumption. By making assumptions about the adversary, a challenger can solve a GDH instance with the queried data and forged session key derived by a query-respond game between them. As the GDH instance cannot be solved with the current computation ability in polynomial time, the assumptions about the adversary are invalid, and the proposed ID-AKA protocols are secure.
Now, the detailed descriptions of the reduction proofs are as follows.
If can successfully execute a forging attack with non-negligible probability , we use to build a GDH solver that finds a solution to the GDH instance with . Here, the GDH instance is , and , and plans to calculate GDH with access to the DDH oracle. acts as a challenger that plays the eCK game with and responds to ’s queries.
Before the game starts, guesses the test session that will choose; this guess is correct with probability at least . Next, needs to guess the strategy that adopts. According to Definition 2, if the test session has a matching session , then can only passively forward messages between participant and participant , i.e., the messages, including the public key materials and ephemeral keys of and , are selected by . If the test session has no matching session, then alters some messages at will, i.e., the message including the public key material and the ephemeral key of is chosen by , and the other one, of , is chosen by ; thus, for , can only consider the long-term private key of . With the former analysis and the freshness definition, guesses which one of the following six complementary strategies selects. Note that, strictly speaking, the ephemeral private key of refers to ’s ephemeral private key, and the ephemeral private key of refers to the ephemeral private key of the matching session .
- S1: has , and obtains neither the long-term private key of nor the ephemeral private key of .
- S2: has , and cannot obtain any information about the ephemeral private keys of and .
- S3: has , and knows neither the ephemeral private key of nor the long-term private key of .
- S4: has , and cannot obtain any information about the long-term private keys of and .
- S5: does not have a matching session, and knows neither the ephemeral private key of nor the long-term private key of .
- S6: does not have a matching session, and does not know any information about the long-term private keys of and .
If succeeds in a forging attack with non-negligible probability, then one of the above strategies succeeds with non-negligible probability, which lets solve the GDH instance. Therefore, the assumption about adversary is invalid, and the proposed ID-AKA protocol is secure in the eCK model.
5.3.1. The Analysis of Strategy S1
In this subsection, we analyze strategy S1.
- Setup: initializes a list with entries of . creates the system parameters and long-term private keys of all parties as follows.
  - picks at random, and exposes . Thus, cannot obtain any information about KGC’s master key.
  - For , sets the long-term private key , where , . Thus, .
  - For , sets the long-term private key , where , . Thus, .
  - For every participant, transfers to , and stores the tuple and in and (described later), respectively.
- Queries: maintains four lists, , , , and , which are initially empty and are used to record the , , Send, and SessionKeyReveal oracles, respectively. starts by answering ’s queries, as follows.
  - : If an entry is recorded in , responds with . Otherwise, randomly selects , appends to , and sends back to .
-
–. : List is with .
-
*. If a matching entry is stored in , replies with .
-
*. Else, seeks in . Then, if such an entry exists, sees if and are produced correctly by validating DDH( and DDH(, respectively, where and . If both verifications pass, receives the corresponding and sets . Otherwise (at least one verification fails or none), picks at random. Finally, inserts the tuple into and provides as the answer.
-
-
–. Corrupt(): If , discontinues. Otherwise, responds with .
-
–. KGCStaticKeyReveal: discontinues.
-
–. EphemeralKeyReveal(): If , discontinues. Otherwise, provides the stored ephemeral key as the answer.
-
–. Send(,M): List is with , where , and are the transcript by now, the ephemeral secret key, and the state by now, respectively.
-
*. If M is the second message on the transcript, sets and updates .
-
*. Else executes as follows.
-
·. If , sets , gets from and replies with .
-
·. Else randomly chooses , obtains from and replies with .
-
·. Finally, updates , and updates to if the newly generated message is the second message on the transcript.
-
-
-
–. SessionKeyReveal(): List is of the form , where and denote the initiator and the responder of , respectively.
-
*. receives from . If , returns ⊥.
-
*. Else if or , aborts.
-
*. Else if the session key already exists, responds with .
-
*. Else obtains and from , and looks up to see if there is a tuple . Then, if it exists, sees if and are produced correctly by validating DDH( and DDH(, respectively, where and . If both verifications pass, receives the corresponding and sets . Otherwise (at least one verification fails or no such a tuple exists), picks at random. Finally, inserts the tuple into and returns .
-
-
–. Test(): If , picks at random and sends back to . Otherwise, aborts.
-
-
Analysis: If can successfully execute a forging attack in Strategy S1 with non-negligible probability, the following conditions should be met.
- (1) continues following the above simulation. If chooses Strategy S1, with and as the test session and its corresponding matching session, respectively, this condition is met.
- (2) For the test session , adversary must have conducted queries on the values , where and are the public key materials of and picked by the challenger , respectively, and V are the outgoing messages of and picked by the challenger , respectively, and and are correctly formed.
  - If is an initiator, the correct input of should be , where , , and .
  - If is a responder, the correct input of should be , where , , and .

Finally, receives the item in and outputs GDH if is an initiator or GDH if is a responder by the knowledge of . Note that since and , the solution of GDH is correct. The success rate is at least
As is non-negligible, is also non-negligible, which contradicts the GDH assumption.
-
5.3.2. The Analysis of Strategy S2
In this subsection, we analyze strategy S2.
Setup: is an initially empty list with . creates the system parameters and all parties’ long-term private keys as follows.
- picks at random, computes , and exposes system parameters . Thus, cannot obtain any information about KGC’s master key.
- For , sets the long-term private key , where , . Thus, .
- For every participant, transfers to , and stores the tuple and in and (described later), respectively.

Queries: maintains four lists , , , and to store , , Send, and SessionKeyReveal oracles, respectively. performs the query game with as follows:
- , SessionKeyReveal(), Test(), and : These four queries are described in the same way as those in Strategy S1.
- Corrupt(): responds with .
- KGCStaticKeyReveal: responds with s to .
- EphemeralKeyReveal(): If or , discontinues. Otherwise, provides the stored ephemeral key as the answer.
- Send(,M): List has , where , , and are the transcript by now, the ephemeral secret key, and the state by now, respectively.
  - If M is the second message on the transcript, sets and updates .
  - Else performs the following steps.
    - If , sets , receives from , and replies with .
    - Else if , sets , receives from , and replies with .
    - Else randomly chooses , obtains from , and replies with .
    - Finally, updates , and updates to if the newly generated message is the second message on the transcript.

Analysis: Here, we assume that is an initiator. If indeed chooses Strategy S2, with and as the test session and its matching session, respectively, then continues this simulation. If successfully executes the forging attack, it must have queried oracle , where , and V are all picked by the challenger , , , and .
Finally, receives the item in , and outputs GDH by the knowledge of . Note that as and , the solution of GDH is correct. ’s success probability is at least
As is non-negligible, is also non-negligible, which contradicts the GDH assumption.
5.3.3. The Analysis of Strategy S3
Here, we omit the detailed analysis of Strategy S3 as the analysis is almost the same as that for Strategy S1.
5.3.4. The Analysis of Strategy S4
In this subsection, we analyze strategy S4.
Setup: initializes a list with . creates the system parameters and all parties’ long-term private keys.
- picks at random, and exposes . Thus, does not obtain any information about KGC’s master key.
- For , sets the long-term private key , where , . Thus, .
- For , sets the long-term private key , where , . Thus, .
- For , sets the long-term private key , where , . Thus, .
- For every participant, transfers to , and stores and in and (described later), respectively.

Queries: maintains four lists , , , and , which are initially empty and used for recording , , Send, and SessionKeyReveal oracles, respectively. performs the query game with as follows:
- , SessionKeyReveal(), Test(), , and KGCStaticKeyReveal: These five queries are described in the same way as those in Strategy S1.
- Corrupt(): If or , discontinues. Otherwise, responds with .
- EphemeralKeyReveal(): responds with .
- Send(,M): List is of the form , where , , and are the transcript by now, the ephemeral secret key, and the state by now, respectively.
  - If M is the second message on the transcript, sets and updates .
  - Else randomly chooses , obtains from , and replies with . Then, updates , and updates to if the newly generated message is the second message on the transcript.

Analysis: Here, we assume that is an initiator. If selects Strategy S4, with and as the test session and its matching session, then does not abort in the simulation. If successfully performs the forging attack, it must have queried oracle , where , and V are all picked by the challenger , , , , and .
Finally, receives the item in , and outputs GDH by the knowledge of . Note that as and , the solution of GDH is correct. ’s success probability is at least
As is non-negligible, is also non-negligible, which contradicts the GDH assumption.
5.3.5. The Analysis of Strategy S5
has no matching session in Strategy S5, so at least one of ’s public key material and ’s ephemeral private key is chosen by . If the adversary selects itself, then a change in changes ’s long-term private key . Hence, a GDH instance cannot be embedded in the long-term private key in Strategy S5.
Setup: is an initially empty list and is needed in this phase. creates the system parameters and all parties’ long-term private keys.
- sets V as the system public key and exposes the system parameters . Thus, cannot know KGC’s master key.
- For , sets the long-term private key , where , . Thus, .
- For every participant, transfers to , and stores and in and (described later), respectively.

Queries: maintains four lists, , , , and to store , , Send, and SessionKeyReveal oracles, respectively. performs the query game with as follows:
- , KGCStaticKeyReveal, Test(), and are described in the same way as those in Strategy S1.
- Corrupt(): If , discontinues. Otherwise, responds with .
- EphemeralKeyReveal(): If , discontinues. Otherwise, provides the stored ephemeral key as the answer.
- Send(,M): List is with , where , , and are the transcript by now, the ephemeral secret key, and the state by now, respectively.
  - If M is the second message on the transcript, sets and updates .
  - Else performs the following steps.
    - If , sets , receives from , and replies with .
    - Else randomly chooses , obtains from , and replies with .
    - Finally, updates , and updates to if the newly generated message is the second message on the transcript.
- SessionKeyReveal(): This query is the same as that in Strategy S1, except that “Else if or ” is modified to “Else if ”. This is because the matching session certainly exists in Strategy S1, while it does not exist in Strategy S5.

Analysis: Here, we assume that is an initiator. If selects Strategy S5 and as the test session, then continues using the above simulation. If successfully performs the forging attack with non-negligible probability, it should execute the query on , where , , and . Note that ’s public key material and outgoing message U are both picked by the challenger , and at least one of ’s public key material and outgoing message is chosen by .
By the forking lemma [27], replays with the same input and the same coin tosses. Here, only changes the query results of , i.e., sets to , where and . Then, if succeeds, it should perform a query on with , where , .
Finally, receives the item in , and outputs GDH using the knowledge of . Note that as , the solution of GDH is correct. Let be a factor from the forking lemma for Strategy S5. ’s success probability is at least
As is non-negligible, is also non-negligible, which contradicts the GDH assumption.
5.3.6. The Analysis of Strategy S6
In this subsection, we will analyze strategy S6. A GDH instance cannot be embedded in the long-term private key in Strategy S6.
Setup: is an initially empty list, and is needed in this phase. creates the system parameters and all parties’ long-term private keys.
- sets V as the system public key and exposes . Thus, does not obtain any information about KGC’s master key.
- For , sets the long-term private key , where , . Thus, .
- For , sets as the long-term private key, where , . Thus, .
- For every participant, transfers to , and stores and in and (described later), respectively.

Queries: maintains four lists, , , , and , which are initially empty and used for recording , , Send, and SessionKeyReveal oracles, respectively. starts by answering ’s queries as follows:
- The five queries , SessionKeyReveal(), Test(), KGCStaticKeyReveal, and are described in the same way as those in Strategy S5.
- Corrupt(), EphemeralKeyReveal(), and Send(,M): These three queries are described in the same way as those in Strategy S4.

Analysis: Here, we assume that is an initiator. If selects Strategy S6 and as the test session, then continues this simulation. If successfully performs the forging attack, it should execute the query on , where , , and . Note that ’s public key material and outgoing message are both picked by the challenger , and at least one of ’s public key material and outgoing message is chosen by .
By the forking lemma [27], replays with the same input and the same coin tosses. Here, only changes the query results of , i.e., sets to , where and . Then, if succeeds, it should perform a query on with , where , .
Here, receives the item in , and outputs GDH using the knowledge of . Note that as , the solution of GDH is correct. Let be a factor from the forking lemma in Strategy S6. ’s success probability is at least
As is non-negligible, is also non-negligible, which contradicts the GDH assumption.
The former formal security proof has shown that the proposed ID-AKA protocol is secure against some common attacks, namely guessing attacks, key replication attacks, and forging attacks. Its security reduces to the hardness of the GDH assumption over the elliptic curve group in the eCK model.
6. More Efficient Instantiations
As , our construction needs six scalar multiplications (here, we ignore the less time-consuming point additions and general hash function outputs), which is a bit higher than the NCL-16-II protocol [27] at the same security level. However, the NCL-16-II protocol is only one special protocol, while our construction yields different special protocols for different values, for example, protocol and protocol . How should the values of , , and be chosen in a real execution environment? It is better to select values that result in more efficient instantiations, as different protocols have different computation costs. The following provides some efficient instantiations of our construction.
(). In this protocol, . A computes the shared secrets and . B computes the shared secrets and . This protocol saves two scalar multiplications compared with the general construction.
(). In this protocol, . A computes the shared secrets and . B computes the shared secrets and . This protocol has the same efficiency as .
(). In this protocol, . A computes the shared secrets and . B computes the shared secrets and . This protocol only adds a point addition operation compared with the protocol of .
7. Performance and Comparison
This section presents the efficiency and security comparison between our Protocols 1 and 2 and other competitive ID-AKA protocols. Note that only the HC protocol [13] is pairing-based; the other ID-AKA protocols [21,22,23,24,25,26,27,28] and ours are all pairing-free.
7.1. Comparison of Computation Overheads
To evaluate the computational overhead, Table 2 lists the execution times of different cryptographic operations, as reported in [40]. The execution times were measured using the MIRACL library on a Samsung Galaxy S5 smartphone, equipped with a 2.5 GHz ARM Krait processor and 2 GB of RAM, running the Android 4.4.2 operating system.
Next, the total execution times of these two protocols and the competitive ID-AKA protocols [13,21,22,23,24,25,26,27,28] were computed, as shown in Table 3. In our Protocols 1 and 2, to agree on a session key, each party needs to compute four ECC-based scalar multiplications, three ECC-based point additions, and two general hash function outputs. Therefore, the total computation time at each party is about ms. Similarly, the computation costs of the protocols in [13,21,24,25,26,27,28] were computed. In protocols ZHWY-19 [23] and NIKE [22], the two parties have unbalanced computation costs, i.e., one party has a lower computation cost than the other; here, we adopted the lower of the two. According to Table 2, the computation cost of our Protocols 1 and 2 is nearly 80% of that of protocols NCL-16-II [27] and CKD [24], 100% of protocols [25] and [21,23,28], 72% of protocol XW [26], and 8% of the HC protocol [13]. That is to say, our Protocols 1 and 2 have almost the lowest computation cost. The comparison results are shown in Figure 6.
Energy consumption is an essential metric for IoT communication, and the energy consumption of the ID-AKA protocol determines the energy efficiency of IoT communication, as the protocol is executed by the IoT device. The computation costs were calculated in the comparison of computation overheads in Table 3. To compute the energy consumption of these key agreement algorithms, IoT devices operating at 3.0 V and 8.0 mA were assumed; this parameter was set according to the power level of MICA 2 [41]. For the proposed ID-AKA protocol, the energy consumption was 3.0 ∗ 8.0 ∗ 13.454 = 322.896 mJ, and the comparison results with similar protocols are shown in Figure 7. Therefore, low computation overheads lead to low energy consumption, and the proposed ID-AKA protocol has advantages over similar protocols in both computation and energy costs.
7.2. Comparison of Communication Overheads
Let , , , and represent the element sizes of , , , and , respectively. Furthermore, let and represent the length of an identifier and of a general hash output, respectively. Considering the Ate pairing and elliptic curves, , , , , and are 1024, 1024, 320, 160, and 160 bits, respectively. We assume is 32 bits in length.
Table 4 shows the communication cost comparison for the key agreement phase. Note that in our Protocol 1 (Protocol 2), party A sends to party B, where and is the identity of A. Party B symmetrically sends to party A, where and is the identity of B. Therefore, the communication cost of our Protocol 1 (Protocol 2) is +2 bits. The results show that Protocols 1 and 2 have the lowest communication cost.
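To make the figures in Sections 7.1 and 7.2 reproducible, the following Python is an added cost model, not code from the paper. It takes the per-operation execution times from Table 2 and the element sizes from Section 7.2, and computes the per-party computation time, the energy figure under the paper's 3.0 V / 8.0 mA assumption, and the communication cost of a two-message exchange. The operation names, the reading of each message as an identity plus two group elements, and the operation counts assumed for the general six-multiplication construction of Section 6 are our assumptions; the paper's symbols are not reproduced here.

```python
# Per-operation execution times (ms) from Table 2, measured in [40] on a Samsung
# Galaxy S5. The keys are our short names, assigned in the table's order (the
# first five rows are pairing-based operations, the last four ECC-based).
OP_TIME_MS = {
    "pairing": 32.713,
    "pairing_scalar_mul": 13.405,
    "pairing_point_add": 0.056,
    "exp_target_group": 2.249,
    "pairing_hash_to_point": 33.582,
    "ecc_scalar_mul": 3.350,
    "ecc_point_add": 0.014,
    "ecc_hash_to_point": 8.250,
    "hash": 0.006,
}

# Element sizes in bits from Section 7.2: ECC point 320, scalar and hash 160,
# identifier 32 (the paper's assumption).
SIZE_BITS = {"ecc_point": 320, "scalar": 160, "hash": 160, "id": 32}


def computation_cost_ms(op_counts):
    """Per-party execution time for a dict of {operation: count}."""
    return round(sum(OP_TIME_MS[op] * n for op, n in op_counts.items()), 3)


def energy_figure(cost_ms, volts=3.0, milliamps=8.0):
    """Energy as the paper computes it: V * mA * ms (the MICA 2 power level [41]).
    Note that a product of volts, milliamps and milliseconds is in microjoules;
    the number returned is the one the paper tabulates."""
    return round(volts * milliamps * cost_ms, 3)


def communication_cost_bits(messages):
    """Total bits on the wire; each message is a list of element kinds."""
    return sum(SIZE_BITS[kind] for msg in messages for kind in msg)


# Our Protocols 1 and 2 per party, as stated in Section 7.1: four ECC scalar
# multiplications, three ECC point additions and two general hash outputs.
OUR_PROTOCOL_OPS = {"ecc_scalar_mul": 4, "ecc_point_add": 3, "hash": 2}

# Section 7.2: each party sends its identity plus two group elements. This is
# our reading of the message format; the field names are not reproduced.
OUR_PROTOCOL_MESSAGES = [["id", "ecc_point", "ecc_point"],
                         ["id", "ecc_point", "ecc_point"]]

# The general construction of Section 6 needs six scalar multiplications. The
# point-addition and hash counts are assumed to be the same as in Section 7.1.
GENERAL_CONSTRUCTION_OPS = {"ecc_scalar_mul": 6, "ecc_point_add": 3, "hash": 2}


def summary():
    """Cost figures for our protocols and for the general construction."""
    ours = computation_cost_ms(OUR_PROTOCOL_OPS)
    general = computation_cost_ms(GENERAL_CONSTRUCTION_OPS)
    return {
        "ours_ms": ours,
        "ours_energy": energy_figure(ours),
        "ours_bits": communication_cost_bits(OUR_PROTOCOL_MESSAGES),
        "general_ms": general,
        "saving_ms": round(general - ours, 3),
    }
```

summary() gives 13.454 ms, 322.896 and 1344 bits for Protocols 1 and 2, matching Tables 3 and 4, and 20.154 ms for the general construction, which puts a number on the two scalar multiplications the instantiations save.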
7.3. Security Comparisons
As shown in Table 1, some related ID-AKA protocols can capture other security attributes, including known key security, no key control, resistance to basic impersonation attacks, replay attack resilience, resistance to man-in-the-middle attacks, and unknown key share resilience. For the proposed ID-AKA protocols, we did not consider explicit mutual authentication, as it can easily be achieved for all one-round protocols [13,21,24,25,26,27,28] by adding a key confirmation. Here, the protocol PWCAS-22 [33] is based on a physical unclonable function (PUF), and ZHVLH-23 [37] is based on a pseudo-random permutation (PRF). The HC protocol [13], the NCL-16-II protocol [27], the DRS-20 protocol [30], and our protocols are provably secure in the eCK security model. However, the events in the security proof of NCL-16-II [27] are not complementary, which mismatches the freshness definition. Table 3 shows that our Protocols 1 and 2 reach the best computation efficiency.
Compared with similar ID-AKA protocols, the proposed Protocols 1 and 2 have the lowest computation and communication overheads, which can improve communication efficiency in IoT applications. Meanwhile, as the number of devices increases, these ID-AKA protocols can still maintain high efficiency, since the key agreement process is executed between two IoT users. The key agreement between two parties is hardly affected by the number of devices in the IoT application and depends only on the hardware, software, and communication protocol in the public Internet environment. Although the key agreement time will increase somewhat, this can be ignored given the increasing computation ability of IoT devices.
8. Conclusions
This paper first reviewed several ID-AKA protocols without pairings in terms of security and efficiency. We carefully studied them and pointed out their security weaknesses against the ephemeral key reveal attack, the key compromise impersonation attack, and the launch collusion attack. We also proposed a family of ID-AKA protocols without pairings and proved their security in the eCK security model, a widely accepted security model for AKA protocols. Six strategy analyses were provided, and these ID-AKA protocols were proven secure in the eCK model based on the GDH assumption over the elliptic curve group. Then, the instantiations, performance, and comparison were presented, and the results show that the proposed ID-AKA protocols are more efficient than other protocols in the similar literature. In addition, these ID-AKA protocols not only improve communication security and efficiency in IoT applications but also save energy during the communication process.
In the future, with the increasing number of IoT devices, security issues of identity authentication, fine-grained data access control, and user privacy protection should still be taken into consideration. Especially with the development of quantum computers and quantum computation, quantum-resistant ID-AKA protocols will be a hot research direction. Meanwhile, many customized ID-AKA schemes should be designed to meet the special requirements of future IoT applications.
Methodology, H.S. and C.L.; Validation, W.H.; Formal analysis, J.Z.; Investigation, S.L. All authors have read and agreed to the published version of the manuscript.
Data are contained within the article.
The authors declare no conflicts of interest.
Figure 5. The key agreement phase of our proposed construction (figure not reproduced).
Table 1. Security comparisons.
Protocols | Security Model | wPFS | KCIR | ESRR | MSS | AS |
---|---|---|---|---|---|---|
CKD [24] | mBR* | Yes | Yes | No | Yes | GDH |
FG-I | CK | Yes | Yes | No | Yes | GDH |
XW [26] | CK | Yes | Yes | No | Yes | GDH |
PF-ID-2PAKA [21] | eCK* (flawed) | Yes | Yes | No | Yes | GDH |
DXCLCZF-18 | eCK (flawed) | Yes | No | No | Yes | GDH |
ZHWY-19 [23] | mBR* (flawed) | No | No | No | Yes | GDH |
NIKE [22] | – (flawed) | Yes | No | Yes | No | – |
NCL-16-II [27] | eCK@ | Yes | Yes | Yes | Yes | GDH |
DRS-20 [30] | eCK | Yes | Yes | Yes | Yes | GDH |
DSH-21 | eCK* | Yes | Yes | Yes | Yes | GDH |
PWCAS-22 [33] | eCK* | Yes | Yes | Yes | Yes | PUF |
ZHVLH-23 [37] | eCK* | Yes | Yes | Yes | Yes | PRF |
eCK* and mBR* exclude the case where an active adversary may alter all public key materials, not only the temporary public key. “–” denotes that there is no formal security proof for the protocol. eCK@ denotes that the events in the proof are not complementary.
Table 2. Execution time on a Samsung Galaxy S5.
Notation | Explanation (The Execution Time of) | Time (ms) |
---|---|---|
 | A bilinear pairing e: | 32.713 |
 | A pairing-based scalar multiplication in | 13.405 |
 | A pairing-based point addition in | 0.056 |
 | An exponentiation operation in | 2.249 |
 | A hash-to-point in | 33.582 |
 | An ECC-based scalar multiplication in | 3.350 |
 | An ECC-based point addition in | 0.014 |
 | A hash-to-point in | 8.250 |
 | A general hash function | 0.006 |
Table 3. Comparative computation overheads.
Protocols | Computations | Computation Cost (ms) | Energy Consumption (mJ) |
---|---|---|---|
PF-ID-2PAKA [21] | | 13.44 | 322.56 |
DXCLCZF-18 | | 13.44 | 322.56 |
NIKE [22] | | 31.45 | 754.8 |
ZHWY-19 [23] | | 13.46 | 323.04 |
NCL-16-II [27] | | 16.824 | 403.776 |
DRS-20 [30] | | 16.822 | 403.728 |
DSH-21 | | 13.460 | 323.04 |
PWCAS-22 [33] | | 13.514 | 324.336 |
ZHVLH-23 [37] | | 16.860 | 404.64 |
Our protocols | | 13.454 | 322.896 |
Table 4. Comparative communication overheads.
Protocols | Messages No. | Communication Cost | Cost (bits) |
---|---|---|---|
PF-ID-2PAKA [21] | 2 | | 1344 |
DXCLCZF-18 | 2 | | 1984 |
ZHWY-19 [23] | 3 | | 2400 |
NIKE [22] | 3 | | 1664 |
NCL-16-II [27] | 2 | | 1984 |
DRS-20 [30] | 2 | | 1504 |
DSH-21 | 2 | | 1344 |
PWCAS-22 [33] | 2 | | 1664 |
ZHVLH-23 [37] | 2 | | 1632 |
Our protocols | 2 | | 1344 |
References
1. Khan, M.A.; Din, I.U.; Majali, T.E.; Kim, B.S. A survey of authentication in Internet of things-enabled healthcare systems. Sensors; 2022; 22, 9089. [DOI: https://dx.doi.org/10.3390/s22239089]
2. Jayabalasamy, G.; Koppu, S. High-performance Edwards curve aggregate signature (HECAS) for nonrepudiation in IoT-based applications built on the blockchain ecosystem. J. King Saud Univ.-Comput. Inf. Sci.; 2022; 34, pp. 9677-9687. [DOI: https://dx.doi.org/10.1016/j.jksuci.2021.12.001]
3. Li, W.; Li, R.; Wu, K.; Cheng, R.; Su, L.; Cui, W. Design and implementation of an SM2-based security authentication scheme with the key agreement for smart grid communications. IEEE Access; 2018; 6, pp. 71194-71207. [DOI: https://dx.doi.org/10.1109/ACCESS.2018.2875681]
4. Pu, L.; Lin, C.; Chen, B.; He, D. User-friendly public-key authenticated encryption with keyword search for industrial Internet of things. IEEE Internet Things J.; 2023; 10, pp. 13544-13555. [DOI: https://dx.doi.org/10.1109/JIOT.2023.3262660]
5. Rasori, M.; La Manna, M.; Perazzo, P.; Dini, G. A survey on attribute-based encryption schemes suitable for the Internet of things. IEEE Internet Things J.; 2022; 9, pp. 8269-8290. [DOI: https://dx.doi.org/10.1109/JIOT.2022.3154039]
6. Onyema, E.M.; Kumar, M.A.; Balasubaramanian, S.; Bharany, S.; Rehman, A.U.; Eldin, E.T.; Shafiq, M. A security policy protocol for detection and prevention of internet control message protocol attacks in software defined networks. Sustainability; 2022; 14, 11950. [DOI: https://dx.doi.org/10.3390/su141911950]
7. Alam, S.; Shuaib, M.; Ahmad, S.; Jayakody, D.N.K.; Muthanna, A.; Bharany, S.; Elgendy, I.A. Blockchain-based solutions supporting reliable healthcare for fog computing and Internet of medical things (IoMT) integration. Sustainability; 2022; 14, 15312. [DOI: https://dx.doi.org/10.3390/su142215312]
8. Sun, F.; He, S.; Zhang, X.; Zhang, J.; Li, Q.; He, Y. A fully authenticated Diffie-Hellman protocol and its application in WSNs. IEEE Trans. Inf. Forensics Secur.; 2022; 17, pp. 1986-1999. [DOI: https://dx.doi.org/10.1109/TIFS.2022.3173536]
9. Shamir, A. Identity-based cryptosystems and signature schemes. Advances in Cryptology: Proceedings of CRYPTO 84 4; Springer: Berlin/Heidelberg, Germany, 1985; pp. 47-53.
10. Smart, N.P. Identity-based authenticated key agreement protocol based on Weil pairing. Electron. Lett.; 2002; 38, pp. 630-632. [DOI: https://dx.doi.org/10.1049/el:20020387]
11. Wang, S.; Cao, Z.; Choo, K.K.R.; Wang, L. An improved identity-based key agreement protocol and its security proof. Inf. Sci.; 2009; 179, pp. 307-318. [DOI: https://dx.doi.org/10.1016/j.ins.2008.09.020]
12. Chen, L.; Cheng, Z.; Smart, N.P. Identity-based key agreement protocols from pairings. Int. J. Inf. Secur.; 2007; 6, pp. 213-241. [DOI: https://dx.doi.org/10.1007/s10207-006-0011-9]
13. Huang, H.; Cao, Z. An ID-based authenticated key exchange protocol based on bilinear Diffie-Hellman problem. Proceedings of the 4th International Symposium on Information, Computer, and Communications Security; Sydney, Australia, 10–12 March 2009; pp. 333-342.
14. Choo, K.K.R.; Nam, J.; Won, D. A mechanical approach to derive identity-based protocols from Diffie-Hellman-based protocols. Inf. Sci.; 2014; 281, pp. 182-200. [DOI: https://dx.doi.org/10.1016/j.ins.2014.05.041]
15. Wu, L.; Wang, J.; Choo, K.K.R.; Li, Y.; He, D. An efficient provably-secure identity-based authentication scheme using bilinear pairings for Ad hoc network. J. Inf. Secur. Appl.; 2017; 37, pp. 112-121. [DOI: https://dx.doi.org/10.1016/j.jisa.2017.10.003]
16. Odelu, V.; Das, A.K.; Wazid, M.; Conti, M. Provably secure authenticated key agreement scheme for smart grid. IEEE Trans. Smart Grid; 2016; 9, pp. 1900-1910. [DOI: https://dx.doi.org/10.1109/TSG.2016.2602282]
17. Gupta, D.S.; Islam, S.H.; Obaidat, M.S.; Vijayakumar, P.; Kumar, N.; Park, Y. A provably secure and lightweight identity-based two-party authenticated key agreement protocol for IIoT environments. IEEE Syst. J.; 2020; 15, pp. 1732-1741. [DOI: https://dx.doi.org/10.1109/JSYST.2020.3004551]
18. Lian, H.; Pan, T.; Wang, H.; Zhao, Y. Identity-Based Identity-Concealed Authenticated Key Exchange. Computer Security-ESORICS 2021: 26th European Symposium on Research in Computer Security, Darmstadt, Germany, 4–8 October 2021; Proceedings, Part II 26 Springer International Publishing: Berlin/Heidelberg, Germany, 2021; pp. 651-675.
19. Canetti, R.; Krawczyk, H. Analysis of key-exchange protocols and their use for building secure channels. Proceedings of the International conference on the theory and applications of cryptographic techniques; Innsbruck, Austria, 6–10 May 2001; Springer: Berlin/Heidelberg, Germany, 2001; pp. 453-474.
20. LaMacchia, B.; Lauter, K.; Mityagin, A. Stronger security of authenticated key exchange. Proceedings of the International Conference on Provable Security; Wollongong, Australia, 1–2 November 2007; Springer: Berlin/Heidelberg, Germany, 2007; pp. 1-16.
21. Bala, S.; Sharma, G.; Verma, A.K. PF-ID-2PAKA: Pairing free identity-based two-party authenticated key agreement protocol for wireless sensor networks. Wirel. Pers. Commun.; 2016; 87, pp. 995-1012. [DOI: https://dx.doi.org/10.1007/s11277-015-2626-5]
22. Mohammadali, A.; Haghighi, M.S.; Tadayon, M.H.; Mohammadi-Nodooshan, A. A novel identity-based key establishment method for advanced metering infrastructure in smart grid. IEEE Trans. Smart Grid; 2016; 9, pp. 2834-2842. [DOI: https://dx.doi.org/10.1109/TSG.2016.2620939]
23. Zhang, J.; Huang, X.; Wang, W.; Yue, Y. Unbalancing pairing-free identity-based authenticated key exchange protocols for disaster scenarios. IEEE Internet Things J.; 2018; 6, pp. 878-890. [DOI: https://dx.doi.org/10.1109/JIOT.2018.2864219]
24. Cao, X.; Kou, W.; Du, X. A pairing-free identity-based authenticated key agreement protocol with minimal message exchanges. Inf. Sci.; 2010; 180, pp. 2895-2903. [DOI: https://dx.doi.org/10.1016/j.ins.2010.04.002]
25. Fiore, D.; Gennaro, R. Making the Diffie-Hellman protocol identity-based. Topics in Cryptology-CT-RSA 2010: The Cryptographers’ Track at the RSA Conference 2010, San Francisco, CA, USA, 1–5 March 2010; Springer: Berlin/Heidelberg, Germany, 2010; pp. 165-178.
26. Xie, M.; Wang, L. One-round identity-based key exchange with perfect forward security. Inf. Process. Lett.; 2012; 112, pp. 587-591. [DOI: https://dx.doi.org/10.1016/j.ipl.2012.05.001]
27. Ni, L.; Chen, G.; Li, J.; Hao, Y. Strongly secure identity-based authenticated key agreement protocols without bilinear pairings. Inf. Sci.; 2016; 367, pp. 176-193. [DOI: https://dx.doi.org/10.1016/j.ins.2016.05.015]
28. Dang, L.; Xu, J.; Cao, X.; Li, H.; Chen, J.; Zhang, Y.; Fu, X. Efficient identity-based authenticated key agreement protocol with provable security for vehicular ad hoc networks. Int. J. Distrib. Sens. Netw.; 2018; 14, 1550147718772545. [DOI: https://dx.doi.org/10.1177/1550147718772545]
29. Deng, L.; Shao, J.; Hu, Z. Identity based two-party authenticated key agreement scheme for vehicular ad hoc networks. Peer-to-Peer Netw. Appl.; 2021; 14, pp. 2236-2247. [DOI: https://dx.doi.org/10.1007/s12083-021-01181-8]
30. Daniel, R.M.; Rajsingh, E.B.; Silas, S. An efficient ECK secure identity based two party authenticated key agreement scheme with security against active adversaries. Inf. Comput.; 2020; 275, 104630. [DOI: https://dx.doi.org/10.1016/j.ic.2020.104630]
31. Kumar, M.; Chand, S. A lightweight cloud-assisted identity-based anonymous authentication and key agreement protocol for secure wireless body area network. IEEE Syst. J.; 2020; 15, pp. 2779-2786. [DOI: https://dx.doi.org/10.1109/JSYST.2020.2990749]
32. Rakeei, M.A.; Moazami, F. Cryptanalysis of an anonymous authentication and key agreement protocol for secure wireless body area network. Cryptol. ePrint Arch.; 2020; pp. 1-4.
33. Pu, C.; Wall, A.; Choo, K.K.R.; Ahmed, I.; Lim, S. A lightweight and privacy-preserving mutual authentication and key agreement protocol for Internet of Drones environment. IEEE Internet Things J.; 2022; 9, pp. 9918-9933. [DOI: https://dx.doi.org/10.1109/JIOT.2022.3163367]
34. Zhang, Q.; Zhu, L.; Li, Y.; Ma, Z.; Yuan, J.; Zheng, J.; Ai, S. A group key agreement protocol for intelligent internet of things system. Int. J. Intell. Syst.; 2022; 37, pp. 699-722. [DOI: https://dx.doi.org/10.1002/int.22644]
35. Zhou, T.; Wang, C.; Zheng, W.; Tan, H. Secure and efficient authenticated group key agreement protocol for AI-based automation systems. ISA Trans.; 2023; 141, pp. 1-9. [DOI: https://dx.doi.org/10.1016/j.isatra.2023.04.010]
36. Pan, X.; Jin, Y.; Li, F. An efficient heterogeneous authenticated key agreement scheme for unmanned aerial vehicles. J. Syst. Archit.; 2023; 136, 102821. [DOI: https://dx.doi.org/10.1016/j.sysarc.2022.102821]
37. Zhang, Y.; He, D.; Vijayakumar, P.; Luo, M.; Huang, X. SAPFS: An Efficient Symmetric-Key Authentication Key Agreement Scheme with Perfect Forward Secrecy for Industrial Internet of Things. IEEE Internet Things J.; 2023; 10, pp. 9716-9726. [DOI: https://dx.doi.org/10.1109/JIOT.2023.3234178]
38. Abdussami, M.; Amin, R.; Vollala, S. Provably secured lightweight authenticated key agreement protocol for modern health industry. Ad Hoc Netw.; 2023; 141, 103094. [DOI: https://dx.doi.org/10.1016/j.adhoc.2023.103094]
39. Cheng, Q.; Li, Y.; Jiang, Q.; Li, X. Security Analysis of Two Unbalancing Pairing-free Identity-based Authenticated Key Exchange Protocols. Int. J. Netw. Secur.; 2020; 22, pp. 597-601.
40. He, D.; Wang, H.; Khan, M.K.; Wang, L. Lightweight anonymous key distribution scheme for smart grid using elliptic curve cryptography. IET Commun.; 2016; 10, pp. 1795-1802. [DOI: https://dx.doi.org/10.1049/iet-com.2016.0091]
41. Gura, N.; Patel, A.; Wander, A.; Eberle, H.; Shantz, S.C. Comparing elliptic curve cryptography and RSA on 8-bit CPUs. Cryptographic Hardware and Embedded Systems (CHES 2004): 6th International Workshop, Cambridge, MA, USA, 11–13 August 2004; Proceedings; Springer: Berlin/Heidelberg, Germany, 2004; pp. 119-132.
© 2023 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Abstract
Internet of Things (IoT) applications are being developed at an increasing pace, and authenticated key agreement (AKA) plays an essential role in securing their communication. Because they require neither PKI certificates nor costly bilinear pairing operations, pairing-free identity-based AKA (ID-AKA) protocols are well suited to protecting session keys in IoT applications. Many pairing-free ID-AKA protocols have been proposed in recent years, but some of them have security flaws or comparatively high computation and communication costs. Focusing on these problems, we first provide security analyses of several recently proposed protocols. We then propose a family of pairing-free ID-AKA protocols that resolve these problems and can be applied in IoT applications to guarantee communication security, together with security proofs showing that they are provably secure in the eCK model. Several more efficient instantiations are given to show the performance of the proposed protocols, and comparisons with similar schemes show that they achieve the lowest computation and communication costs at the same time.
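To make the class of protocol the abstract refers to concrete, the following is an added, illustrative pairing-free ID-AKA exchange written for this page; it is not one of the protocols proposed in the article and carries none of the article's eCK proofs. It follows the well-known Schnorr-style construction: the key generation centre (KGC) holds a master secret x and publishes Y = xG; a user's private key for identity ID is a Schnorr-type pair (R, s) with sG = R + H(ID, R)·Y, so any party can reconstruct sG from public data without a certificate; each run mixes a static-plus-ephemeral Diffie–Hellman value with a purely ephemeral one, which is the usual way such protocols aim at resistance to leakage of either the ephemeral or the static secret alone. The elliptic-curve arithmetic is hand-rolled over the public secp256k1 parameters so the block runs offline; the hash-domain labels, message layout and the `run_demo` driver are assumptions chosen for this example.

```python
import hashlib
import secrets

# Public secp256k1 domain parameters (curve y^2 = x^3 + 7 over F_P, generator G of prime order N).
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
assert (G[1] ** 2 - G[0] ** 3 - 7) % P == 0   # sanity check: G lies on the curve


def _add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P      # tangent slope (doubling)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P       # chord slope
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def _mul(k, pt):
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    k %= N
    acc = None
    while k:
        if k & 1:
            acc = _add(acc, pt)
        pt = _add(pt, pt)
        k >>= 1
    return acc


def _hash_to_scalar(*parts):
    """H: length-prefixed SHA-256 of the parts, reduced mod N. Labels are this example's choice."""
    h = hashlib.sha256()
    for part in parts:
        b = part if isinstance(part, bytes) else str(part).encode()
        h.update(len(b).to_bytes(4, "big") + b)
    return int.from_bytes(h.digest(), "big") % N


class KGC:
    """Key generation centre: master secret x, master public key Y = xG."""
    def __init__(self):
        self.x = secrets.randbelow(N - 1) + 1
        self.Y = _mul(self.x, G)

    def extract(self, ident):
        # Schnorr-type identity key: s = k + x*H(ID, R), so that sG = R + H(ID, R)*Y.
        k = secrets.randbelow(N - 1) + 1
        R = _mul(k, G)
        s = (k + self.x * _hash_to_scalar(b"extract", ident, R)) % N
        return (R, s)


class Party:
    def __init__(self, ident, key, Y):
        self.id, (self.R, self.s), self.Y = ident, key, Y
        # A user should verify the KGC-issued key before relying on it.
        assert _mul(self.s, G) == _add(self.R, _mul(_hash_to_scalar(b"extract", ident, self.R), Y))

    def initiate(self):
        self.a = secrets.randbelow(N - 1) + 1          # ephemeral secret
        self.T = _mul(self.a, G)                       # ephemeral public value
        return (self.id, self.R, self.T)               # one protocol message: (ID, R, T)

    def derive(self, peer_msg):
        peer_id, R_b, T_b = peer_msg
        # Reconstruct the peer's static public key s_b*G from its identity and R_b; no certificate needed.
        Q_b = _add(R_b, _mul(_hash_to_scalar(b"extract", peer_id, R_b), self.Y))
        Z1 = _mul((self.a + self.s) % N, _add(T_b, Q_b))   # (a + s_A)(b + s_B)G: static + ephemeral
        Z2 = _mul(self.a, T_b)                             # ab G: purely ephemeral
        # Bind both identities and the whole transcript into the session key, in a canonical order.
        transcript = sorted([(self.id, self.R, self.T), (peer_id, R_b, T_b)])
        h = hashlib.sha256()
        for part in (b"session-key", str(Z1), str(Z2), str(transcript)):
            b = part if isinstance(part, bytes) else part.encode()
            h.update(len(b).to_bytes(4, "big") + b)
        return h.hexdigest()


def run_demo(tamper=False):
    """Run one exchange between 'alice' and 'bob'; returns (alice_key, bob_key)."""
    kgc = KGC()
    alice = Party("alice", kgc.extract("alice"), kgc.Y)
    bob = Party("bob", kgc.extract("bob"), kgc.Y)
    msg_a, msg_b = alice.initiate(), bob.initiate()
    if tamper:  # an on-path attacker swaps Bob's ephemeral value for one of its own
        msg_b = (msg_b[0], msg_b[1], _mul(secrets.randbelow(N - 1) + 1, G))
    return alice.derive(msg_b), bob.derive(msg_a)


if __name__ == "__main__":
    ka, kb = run_demo()
    print("keys match:", ka == kb)
```

Both parties send a single message and then compute the same key, which is the round and message count the article's efficiency comparisons are concerned with. The transcript and identities are hashed into the key so that an attacker who substitutes a value cannot make the two sides agree; the mixed Z1 and pure-ephemeral Z2 terms are the standard ingredients for arguing eCK-style security, but this demo code has no such proof attached and omits constant-time arithmetic and input validation that a deployable implementation would need.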