Informatica 41 (2017) 31–37

Identity-based Signcryption Groupkey Agreement Protocol Using Bilinear Pairing

Sivaranjani Reddi, Anil Neerukonda Institute of Technology and Science, Bhimunipatnam, India
E-mail: sivaranjani.cse@anits.edu.in

Surekha Borra, K.S. Institute of Technology, Bangalore, India
E-mail: borrasurekha@gmail.com

Keywords: bilinear pairing, encryption, group key agreement, signcryption

Received: January 2, 2017

This paper proposes a key agreement protocol that uses bilinear pairing and the Malone-Lee approach in the key agreement phase, where each user contributes a key share to the other users, so that the common key is computed from the key contributions of all users and then used in the encryption and decryption phases. The key agreement is first proposed for two users, then extended to three users, and finally a generalized key agreement method is presented, which uses signcryption in place of a separate signature method and provides authentication with a proven security mechanism. Finally, the proposed protocol is compared with existing protocols from the efficiency and security perspectives.

Summary (Slovenian abstract): A new security protocol for the use of multiple keys is developed.

1 Introduction

Key establishment is the procedure by which two or more users set up a session key, which is subsequently used to provide cryptographic services such as confidentiality or integrity. In general, key establishment protocols follow the key transfer approach, where one user decides the key and communicates it to the other user. In contrast, in key agreement protocols all users in the communication are involved in the key establishment process. Further, a key agreement protocol provides implicit key authentication if each user is assured that no other user or intruder involved in the communication knows the confidential key value.
Hence, a protocol that provides implicit key authentication to all users involved in the group communication is called an authenticated group key agreement protocol. Key confirmation is a property of a group key agreement protocol whereby one user in the group communication is assured that another user in the group is actually in possession of the confidential key. When a protocol provides both implicit key authentication and key confirmation, it is said to provide explicit key authentication. More details about key agreement protocols are discussed in [1, 21, 22, 23, 24]. The emphasis of this paper is on an authenticated key agreement technique.

Diffie and Hellman [2] proposed the first key agreement protocol; however, it is insecure against the man-in-the-middle attack. Afterwards, many key agreement methodologies were published by various authors, but some of them require a Public Key Infrastructure (PKI), which needs more computation and maintenance effort. Shamir [4] initiated the concept of identity-based cryptosystems, in which a user's public key can be calculated from the user's unique attributes (e.g. e-mail address, mobile number), while the private key is computed by a trusted party referred to as the Private Key Generator (PKG). Such identity-based public key cryptosystems simplify key administration and thus became a substitute for certificate-centred PKI. Later, Joux [3] proposed a bilinear pairing based group key agreement protocol, and Boneh and Franklin [5] formally published an ID-based encryption scheme using bilinear pairings. Many further protocols were proposed [13, 11, 10, 8, 15] and analyzed, and some of them were broken [14, 9, 17, 12, 16]. Some pairing-based applications use a pairing-friendly elliptic curve over a prime field. Different coordinate systems can be used to represent points on elliptic curves, such as Jacobian, affine and homogeneous coordinates, and the inversion-to-multiplication cost ratio threshold can be used to decide which coordinate system is more efficient.
In this work, timing results for pairing computation are reported for both affine and projective coordinates using a BN curve. All fast algorithms for computing pairings on elliptic curves are based on Miller's algorithm [26]. This paper focuses on ID-based authenticated key agreement using pairings between two users, based on the signcryption scheme suggested by Malone-Lee [6]. Furthermore, it is further elaborated and evaluated against some of the existing protocols in terms of efficiency and security. The mathematical properties of pairings are discussed in Section 2, the existing protocol of Marko Hölbl is described in Section 3, the proposed protocol is explained in Section 4, Section 5 discusses the performance of the proposed technique against the existing protocols, and Section 6 concludes the paper.

2 Preliminaries

This section presents the notation for the bilinear pairing operations used in the following sections.

Bilinear maps [5][6]: Let (G1, +) and (G2, +) be additive groups and (GT, ·) a multiplicative group, all of prime order q > 2^k for a security parameter k ∈ N. A bilinear map ê : G1 × G2 → GT has the following properties:
1. Bilinearity: ê(aP, bQ) = ê(P, Q)^(ab) for P ∈ G1, Q ∈ G2 and a, b ∈ Z; equivalently, ê(P + Q, R) = ê(P, R) ê(Q, R) and ê(P, Q + R) = ê(P, Q) ê(P, R) for P, Q, R ∈ G1.
2. Non-degeneracy: ê(P, Q) = 1 for all Q ∈ G2 iff P = 1 ∈ G1 (the identity element).
3. Computability: ê(P, Q) is efficiently computable for P ∈ G1 and Q ∈ G2.
When G1 = G2 (so that P and Q are taken from the same group), the map is termed a symmetric bilinear map.

2.1 Signcryption

Signcryption is a cryptographic mechanism that offers both confidentiality and authentication services. It performs encryption and digital signing in a single logical operation, and thereby satisfies the requirements of smaller bandwidth and lower computational cost than signing and encrypting sequentially. As in asymmetric encryption schemes, it is computationally infeasible to extract the plaintext from a signcrypted message without the receiver's private key.
As with asymmetric digital signatures, creating a signcrypted text without the private key of the sender is computationally infeasible. Some of the existing signcryption and identity-based mechanisms are as follows.

A. Malone-Lee ID-based signcryption scheme [6]

The detailed description of the Malone-Lee identity-based signcryption scheme is as follows:
Step 1 (Setup): The PKG chooses hash functions H1: {0,1}* → G1, H2: {0,1}* → Zq*, H3: G2 → {0,1}^l and a generator P. The PKG chooses a random integer s as master private key and calculates P_pub = sP. Finally it publishes the parameters <P, ê, P_pub, H1, H2, H3> and keeps the master key s secret.
Step 2 (Extract): For a given user identity ID ∈ {0,1}*, the PKG calculates the public key Q_ID = H1(ID) and the secret key S_ID = s·Q_ID.
Step 3 (Signcrypt): For the given secret key S_ID of the sender and a message M ∈ {0,1}*, the sender selects a random number x ∈ Zq* and sets U = xP, then computes r = H2(U || M), W = x·P_pub, V = r·S_ID + W, y = ê(W, Q_ID) with Q_ID the receiver's public key, t = H3(y) and C = t ⊕ M, finalizes the signcrypted text as (C, U, V) and sends it to the receiver.
Step 4 (Unsigncrypt): Upon receiving (C, U, V), the receiver computes the sender's public key Q_ID = H1(ID) from the sender's identity, parses (C, U, V), then computes y = ê(S_ID, U) with its own secret key S_ID, t = H3(y), M = t ⊕ C and r = H2(U || M), and accepts M if ê(V, P) = ê(U, P_pub) · ê(Q_ID, P_pub)^r.
Advantages: Distribution of public keys is eliminated. Authentication of the public key is implicitly guaranteed as long as each user keeps his private key secure.
Disadvantage: A secure channel is required between the user and the PKG.

B. Boneh IBE cryptosystem [5]

Boneh and Franklin proposed an identity-based encryption technique that encrypts messages using pairings. It consists of four algorithms, described as follows:
Step 1 (Setup): The PKG chooses two hash functions, H1 and H3, chooses a random s ∈ Zq as master private key, and calculates P_pub = sP.
Finally, it publishes the parameters <P, ê, P_pub, H1, H3> and keeps the master key s secret.
Step 2 (Extract): For the given user identity ID ∈ {0,1}*, the PKG calculates the public key Q_ID = H1(ID) and the secret key S_ID = s·Q_ID.
Step 3 (Encrypt): A user chooses a random r and calculates the ciphertext C for M as C = (rP, M ⊕ H3(g_ID^r)), where g_ID = ê(Q_ID, P_pub).
Step 4 (Decrypt): From the received C = (U, V), the receiver computes V ⊕ H3(ê(S_ID, U)) in order to extract M.
Advantage: This mechanism is secure against forgery under chosen plaintext attack under the Strong Diffie-Hellman (SDH) assumption without using the random oracle model.
Disadvantages: All the hash functions are modelled as random hash functions. Further, as the public keys are computed directly from identities, certificate maintenance is avoided.

C. Hess identity-based signature [25]

A signature is computed and attached to M before sending it to the other side. Upon receiving M along with the signature, the receiver verifies the signature before accepting M. The detailed Hess mechanism is as follows:
Step 1 (Setup): The PKG chooses hash functions H1 and H: {0,1}* × G2 → Zq*, chooses s as master private key and calculates P_pub = sP. Finally it publishes the parameters <P, ê, P_pub, H1, H> and keeps the master key s secret.
Step 2 (Extract): For a given user with identity ID, the PKG calculates the public key Q_ID = H1(ID) and the secret key S_ID = s·Q_ID.
Step 3 (Sign): For the given secret key S_ID and M ∈ {0,1}*, the signer selects P1 ∈ G1 and k ∈ Zq*, then computes r = ê(P1, P)^k, v = H(M, r) and u = v·S_ID + k·P1; the signature is (u, v).
Step 4 (Verify): For the given public key Q_ID, the received M and the signature (u, v), the receiver computes r = ê(u, P) ê(Q_ID, −P_pub)^v and accepts if v = H(M, r).
Advantages: It is secure against adaptive chosen message attack in the random oracle model.
Disadvantages: As the PKG generates the private keys of the users, it is able to decrypt or sign any message without any authorization. Hence the scheme may not be fit to attain non-repudiation.

2.2 Security analysis

The protocol presented in this paper has the following attributes:
(i) Known-key security: For each session, each participant randomly selects h_i and r_i, which results in independent group encryption and decryption keys for different sessions. Leakage of the group decryption key of one session does not help in deriving the group decryption keys of other sessions.
(ii) Unknown key share: In the proposed protocol, each participant U_i generates a signature ρ_i using x_i. Therefore, the group participants can verify whether ρ_i originates from an authorized person or not. Hence, no non-group participant can impersonate a group member.
(iii) Key compromise impersonation: Because the signature generated by participant U_i is unforgeable, the adversary cannot create a valid signature on behalf of U_i. Even if participant U_j's private key is compromised by the adversary, he cannot impersonate another participant U_i with U_j's private key. Hence, key compromise impersonation is not possible in the proposed protocol.

3 Marko Hölbl protocol [7]

This is an ID-based authenticated key agreement technique built on the Hess signature algorithm. It is a two-party ID-based protocol requiring a PKG, and is divided into the system setup, private key extraction and key agreement phases.
Phase 1 (Setup): In this phase the PKG decides the system parameters, which are used in the derivation of the common key by all users in the communication. The PKG formulates G1, G2 and ê, and chooses the hash function H, the generator P, a random integer s as the PKG's private key and P_pub as the PKG's public key. All elements are of order q. Finally it publishes the parameters <G1, G2, P, ê, P_pub, H> and keeps the secret key s secret.
Here, ê: G1 × G1 → G2 is the mapping function, P ∈ G1 the primitive generator, s ∈ Zq* the random integer, P_pub = sP the public key and H: Zq* → G1 the hash function.
Phase 2 (Private key extraction): In this phase the PKG derives the public key Q_i and the private key S_i of each user from the user's identity ID_i, broadcasts the public key and sends the private key to the respective user through a secured channel, where Q_i = H(ID_i) and S_i = s·Q_i.
Phase 3 (Key agreement): Since signature verification authenticates the data and identifies which user issued it, a message generated in this phase is later used to derive the session key. After choosing the receiver B, the sender A decides the message and signs it. Both the message and the signature are then sent to the receiver. The receiver recomputes the signature value from the received message and compares it against the received signature before deriving the key sent by the sender. Procedure 1 summarizes the operations of the key agreement phase.

The Marko Hölbl protocol results in the following computational requirements:
- In order to exchange messages, each user has to compute two scalar multiplications, one exponentiation, one hash function evaluation and one addition.
- In the session key computation, two pairings, two hashing operations, one scalar multiplication and one exponentiation are required.

4 Proposed protocols

Group key agreement is the mechanism in which two or more users are involved in the derivation of a group key that is used to encrypt/decrypt data. The major phases of the proposed algorithm are the setup, extract, signcrypt and unsigncrypt phases, as shown in Fig. 1. This section describes the key agreement protocol between two users, three users and n users.
Procedure 1: Marko Hölbl protocol (key agreement phase).
Global parameters: <G1, G2, P, ê, P_pub, H>
User A key generation: a ∈ Zq*, T_A = aP, U_A = ê(S_A, P)^a, V_A = H(T_A, U_A), W_A = V_A·S_A + a·S_A
User B key generation: b ∈ Zq*, T_B = bP, U_B = ê(S_B, P)^b, V_B = H(T_B, U_B), W_B = V_B·S_B + b·S_B
Calculation of the secret key by user A: U'_B = ê(W_B, P) ê(Q_B, −P_pub)^(V_B), check V_B = H(T_B, U'_B), K_AB = a·T_B = abP
Calculation of the secret key by user B: U'_A = ê(W_A, P) ê(Q_A, −P_pub)^(V_A), check V_A = H(T_A, U'_A), K_AB = b·T_A = abP

4.1 Proposed protocol for two users

This protocol is designed on the basis of the Malone-Lee [6] ID-based signcryption scheme. It is secure in the random oracle model under the BDH assumption. The advantage of this algorithm is that it performs message encryption and signing in a single step, attaining the security services more efficiently than first signing and then encrypting. The scheme combines the Boneh IBE cryptosystem with a variant of the Hess identity-based signature.
Step 1 (Setup): This phase finalizes the number of users willing to join the group communication. Once the number of users is decided, the PKG finalizes the common parameters to be used in the derivation of the parameters of the other phases. The PKG chooses three hash functions H1, H2, H3 and a generator P, chooses a random integer s as master private key and calculates P_pub = sP. Finally it publishes the parameters <P, ê, P_pub, H1, H2, H3> and keeps the master key s secret.
Step 2 (Extract): The PKG uses the user's identity in the derivation of the secret and public keys. The input of this phase is the user identity and the output is the pair (Q_ID, S_ID). The PKG takes user A's identity ID_A ∈ {0,1}* and calculates the public key Q_IDA = H1(ID_A) and the secret key S_IDA = s·Q_IDA. Once generated, S_IDA is securely sent to user A. The process is repeated for user B, calculating Q_IDB and S_IDB from the identity ID_B.
Step 3 (Signcrypt): Users A and B can execute this phase in parallel. Each user uses his own secret key S_ID, the other user's public key Q_ID and his key contribution k in the derivation of the ciphertext and the signature.

Figure 1: Group key agreement protocol.

The signcrypt steps at user A's side are as follows:
a. User A selects k_a ∈ {0,1}^l and computes Q_IDB = H1(ID_B). ---(1)
b. User A chooses a random number X_A ← Zq* and sets U_A = X_A·P. ---(2)
c. Calculates R_A = H1(U_A || k_a), W_A = X_A·P_pub, V_A = R_A·S_IDA + W_A, Y_A = ê(W_A, Q_IDB), T_A = H3(Y_A). ---(3)
d. Finally computes σ_A = T_A ⊕ k_a and sends C_A = (σ_A, U_A, V_A) to B. ---(4)
Here A chooses the key contribution k_a and communicates it to B together with a signature for verification. In parallel, B chooses his contribution k_b, follows the same steps using his private key S_IDB and A's public key Q_IDA, and sends C_B = (σ_B, U_B, V_B) to A.

Figure 2: Key agreement among three users.

Step 4 (Unsigncrypt): The key contribution of A is extracted from C_A after checking the signature validation condition. B uses the following steps to derive k_a from the received C'_A:
a) Computes A's public key Q_IDA = H1(ID_A). ---(5)
b) Parses C'_A = (σ'_A, U'_A, V'_A), computes Y'_A = ê(S_IDB, U'_A), T'_A = H3(Y'_A), k_a' = T'_A ⊕ σ'_A and R'_A = H1(U'_A || k_a'). ---(6)
c) Accepts k_a' when ê(V'_A, P) = ê(Q_IDA, P_pub)^(R'_A) · ê(U'_A, P_pub). ---(7)

Limitations of the work:
- The proposed technique withstands outsider attacks only (i.e. the adversary is not permitted to obtain the sender's private key with which the ciphertext was created).
- Another limitation is due to the procedure used by the receiver for non-repudiation: the receiver needs to prove to a third party that the sender is the originator of a given plaintext.

4.2 Group key agreement with three users

The proposed algorithm is extended to three users; their arrangement is shown in Figure 2, where the setup and extraction phases are the same as described in Section 3.
During the signcrypt phase, user 1 uses the public key of each other user with whom he wants to share the key and computes the respective value C_{1,j}, where j ∈ {2, 3}. As shown in the diagram, user 1 calculates C_12 and C_13 and sends them to user 2 and user 3 respectively. Similarly, user 2 calculates his contributions C_21 and C_23 and sends them to users 1 and 3. After the signcrypt phase, each user has received the encrypted contributions of the other users in the group. All of them are decrypted and the individual key contributions are extracted after validating the signatures. Once all users' signatures have been verified, each user adds his own contribution and applies the XOR operation over the contributions of all users in the group in order to derive the session group key.

Figure 1 (content): user A runs Step 1 Setup, Step 2 Extract(ID_A), Step 3 Signcrypt(S_IDA, ID_B, k_a) producing C_A = (σ_A, U_A, V_A), and Step 4 Unsigncrypt(S_IDA, ID_B, σ_B) extracting k_b; user B runs Setup, Extract(ID_B), Signcrypt(S_IDB, ID_A, k_b) producing C_B = (σ_B, U_B, V_B), and Unsigncrypt(ID_A, S_IDB, σ_A) extracting k_a; both compute K = k_a ⊕ k_b.

4.3 Generalized group key agreement

Step 1 (Setup): This phase finalizes the number of users willing to join the group communication. Once the joining of users is complete, the PKG finalizes the common parameters to be used in the derivation of the parameters of the other phases. The PKG chooses hash functions H1, H2, H3 and a generator P, chooses a random integer s as master private key and calculates P_pub = s·P. Finally it publishes the parameters <P, ê, P_pub, H1, H2, H3> and keeps the master key s secret.
Step 2 (Extract): The PKG uses each user's identity in the derivation of the secret and public keys. The input of this phase is the user identity and the output is the pair (Q_ID, S_ID), representing the public and private keys respectively. For user i (1 ≤ i ≤ n) with identity ID_i, the PKG computes Q_IDi = H1(ID_i) and the secret key S_IDi = s·Q_IDi, then sends S_IDi securely to user i.
For i = 1 to n:
  Calculate Q_IDi = H1(ID_i) ---(8)
  Calculate S_IDi = s·Q_IDi ---(9)
Step 3 (Signcrypt): Each user derives the parameters individually for every other participant and communicates them. User 1 first decides k_1 and then calculates the other variables X_1, U_1, R_1, W_1, Y_{1,i}, V_1 and T_{1,i}. In general, user i uses the signcrypt algorithm to securely share his key contribution k_i as follows:
a. User i selects k_i ∈ {0,1}^l and computes Q_IDj = H1(ID_j) (1 ≤ j ≤ n, j ≠ i). ---(10)
b. He then chooses a random number X_i ← Zq* and sets U_i = X_i·P. ---(11)
c. Calculates R_i = H1(U_i || k_i), W_i = X_i·P_pub, V_i = R_i·S_IDi + W_i. ---(12)
d. For each user j (j ≠ i), user i computes Y_{i,j} = ê(W_i, Q_IDj), T_{i,j} = H3(Y_{i,j}). ---(13)
e. Finally computes σ_{i,j} = T_{i,j} ⊕ k_i and sends C_{i,j} = (σ_{i,j}, U_i, V_i) to user j (1 ≤ j ≤ n, j ≠ i). ---(14)
Step 4 (Unsigncrypt): User j uses the following steps to derive k_i from the received C'_{i,j}; the key contribution of user i is extracted from C_{i,j} after checking the signature validation condition:
a. Computes user i's public key Q_IDi = H1(ID_i). ---(15)
b. Parses C'_{i,j} = (σ'_{i,j}, U'_i, V'_i), computes Y'_i = ê(S_IDj, U'_i), T'_i = H3(Y'_i), k_i' = T'_i ⊕ σ'_{i,j} and R'_i = H1(U'_i || k_i'). ---(16)
c. Accepts k_i' when ê(V'_i, P) = ê(Q_IDi, P_pub)^(R'_i) · ê(U'_i, P_pub). ---(17)

5 Performance analysis

The proposed protocol is compared with Wang [16], Yuan-Li [18], Chow–Choo without escrow [19], Choie-Jeong-Lee [20] and Marko Hölbl et al. [7]. Tables 1 and 2 compare the suggested protocol against the existing protocols. Efficiency is estimated by considering the communication cost and the execution cost. The communication cost includes the number of rounds and the length of the messages transmitted through the network during protocol execution. The overall number of rounds of a protocol is the primary concern in practical environments where the group has many users.

Figure 3: Generalized key agreement protocol.
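As an added worked example (not code from the paper), the following Python block runs the generalized protocol of Section 4.3, of which the two-user protocol of Section 4.1 is the case n = 2 and whose signcrypt/unsigncrypt steps are the Malone-Lee scheme of Section 2.1(A) applied to a key contribution. The bilinear map, the safe prime p = 2q + 1 = 1907 with generator g = 4, and the SHA-256 realisations of H1 and H3 are constructed assumptions with no cryptographic strength; the block follows the paper's equations (8)–(17) as written, including its use of H1 for R_i, and returns None from unsigncrypt when the check (17) fails.

```python
# Toy model of the signcryption-based group key agreement of Sections 2.1(A), 4.1 and 4.3.
# The bilinear map is simulated: G1 = Z_q (the point aP is stored as the scalar a), GT is
# the order-q subgroup of Z_p^* with p = 2q + 1, and e(aP, bP) = g^(ab) mod p. This map is
# bilinear but gives NO security (discrete logs in G1 are trivial); it only checks the algebra.
import hashlib
import secrets

P_MOD, Q_ORD, G_GEN = 1907, 953, 4   # constructed toy parameters: p = 2q + 1, g of order q
L_BYTES = 32                         # l = 256 bits: size of each contribution k_i and H3 mask


def pairing(a, b):
    """e(aP, bP) = g^(ab) mod p: bilinear and non-degenerate in the toy model."""
    return pow(G_GEN, (a * b) % Q_ORD, P_MOD)


def h1(data):
    """H1: {0,1}* -> G1, here a non-zero scalar mod q (the paper also uses H1 for R_i)."""
    return 1 + int.from_bytes(hashlib.sha256(data).digest(), "big") % (Q_ORD - 1)


def h3(y):
    """H3: GT -> {0,1}^l, realised as SHA-256 of the GT element."""
    return hashlib.sha256(y.to_bytes(4, "big")).digest()


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def setup():
    """Step 1: master secret s in Z_q^* and P_pub = sP (the generator P is the scalar 1)."""
    s = secrets.randbelow(Q_ORD - 1) + 1
    return s, s


def extract(s, identity):
    """Step 2, eq. (8)-(9): Q_ID = H1(ID), S_ID = s * Q_ID."""
    return (s * h1(identity)) % Q_ORD


def signcrypt(s_id_i, id_j, k_i, p_pub):
    """Step 3, eq. (10)-(14): user i signcrypts its contribution k_i for user j."""
    q_id_j = h1(id_j)
    x_i = secrets.randbelow(Q_ORD - 1) + 1      # X_i <- Z_q^*
    u_i = x_i % Q_ORD                            # U_i = X_i * P
    r_i = h1(u_i.to_bytes(4, "big") + k_i)       # R_i = H1(U_i || k_i)
    w_i = (x_i * p_pub) % Q_ORD                  # W_i = X_i * P_pub
    v_i = (r_i * s_id_i + w_i) % Q_ORD           # V_i = R_i * S_ID_i + W_i
    t_ij = h3(pairing(w_i, q_id_j))              # T_ij = H3(e(W_i, Q_ID_j))
    return xor(t_ij, k_i), u_i, v_i              # C_ij = (sigma_ij, U_i, V_i)


def unsigncrypt(s_id_j, id_i, c_ij, p_pub):
    """Step 4, eq. (15)-(17): user j recovers k_i, or None when the check (17) fails."""
    sigma, u_i, v_i = c_ij
    t_i = h3(pairing(s_id_j, u_i))               # e(S_ID_j, U_i) = e(W_i, Q_ID_j) by bilinearity
    k_i = xor(t_i, sigma)
    r_i = h1(u_i.to_bytes(4, "big") + k_i)
    lhs = pairing(v_i, 1)                        # e(V_i, P)
    rhs = pow(pairing(h1(id_i), p_pub), r_i, P_MOD) * pairing(u_i, p_pub) % P_MOD
    return k_i if lhs == rhs else None


def group_key_agreement(ids):
    """n users each signcrypt k_i to every other user; returns each user's K = XOR of all k_i."""
    s, p_pub = setup()
    s_id = {i: extract(s, i) for i in ids}
    contrib = {i: secrets.token_bytes(L_BYTES) for i in ids}
    keys = []
    for j in ids:                                # user j processes C_ij from every i != j
        k = contrib[j]
        for i in ids:
            if i == j:
                continue
            k_i = unsigncrypt(s_id[j], i, signcrypt(s_id[i], j, contrib[i], p_pub), p_pub)
            k = None if k is None or k_i is None else xor(k, k_i)
        keys.append(k)
    return keys
```

Because the toy G1 is Z_q, every group element is a small integer and the whole n-user exchange runs offline in milliseconds; replacing the simulated map with a real pairing library changes only pairing(), h1() and the point arithmetic, not the protocol flow.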
Yuan-Li has one round in the key agreement phase, using one multiplication, one exponentiation and one addition. The protocol is secure against key impersonation and provides backward and forward secrecy. Wang's method uses almost the same number of operations as Yuan's method, but its computation time is higher. The Chow–Choo without escrow key agreement protocol mainly contains two rounds: one is the extract phase and the other is the key agreement phase. During the extract phase one hash function and one pairing are used; the remaining operations are used during the key agreement phase.

Protocol name   Pairing  Mul  Exp  Add  Hash  XOR  Communication cost
[16]            1        3    0    3    3     0    1
[18]            1        3    0    2    1     0    1
[19]            1        4    0    2    1     0    2
[20]            2        4    0    0    2     0    1
[7]             3        3    2    1    3     0    3
Proposed        1        5    0    1    4     1    3

P2P: total point-to-point communication per user; Pairing: total number of mapping (pairing) operations per user; Add: total number of addition operations per user; Exp: total exponentiations performed per user; Mul: total scalar multiplications computed per user; XOR: total XOR operations computed; Hash: total hash functions evaluated per user; Rounds: number of rounds.

Table 1: Efficiency comparison with other protocols.

Figure 3 (content): users 1, 2, ..., i, ..., n; user 1 sends C_12, C_1i, C_1n; every user computes K = k_1 ⊕ k_2 ⊕ ... ⊕ k_i ⊕ ... ⊕ k_n.

Protocol name   KKS  FoS  UKS  BS  KC  KI
[16]            √    √    √    √   √   √
[18]            √    √    √    √   √   √
[19]            √    √    √    √   √   √
[20]            √    √    √    √   √   √
[7]             √    √    √    √   √   √
Proposed        √    √    √    √   √   √

KKS: Known-key security; FoS: Forward secrecy; UKS: Unknown key share; BS: Backward secrecy; KC: Key control; KI: Key impersonation.

Table 2: Security analysis with existing protocols.

The method of Marko Hölbl et al. uses three multiplications, three pairings, two exponentiations, one addition and three hashing operations in three rounds to finalize the group key using pairing-based key agreement. The proposed algorithm has three rounds: setup, private key extraction and common key agreement in the group.
The computation time of the proposed protocol is lower than that of protocols [7] and [20] because of the smaller number of pairing operations. The proposed protocol requires more time for scalar multiplication and XOR operations, but it does not require any exponentiation. In spite of the larger number of hash function evaluations, the proposed protocol requires less computation time because it involves less expensive operations.

6 Conclusion

An enhanced ID-based authenticated key agreement protocol has been proposed and discussed, which employs signatures to authenticate the participating users and verifies the correctness of the messages transferred between two users. The proposed technique was shown to have all the desired security properties and was compared against existing protocols in terms of efficiency and security. The protocol further confirms all the security properties with minimum time cost. In future, the protocol can be extended to hierarchical and cluster-based network environments for establishing secure communication. It can also be applied to IoT-based machine-to-machine and machine-to-device communication.

7 References

[1] A. Menezes, P. C. van Oorschot, S. Vanstone (1997). Handbook of Applied Cryptography. CRC Press.
[2] W. Diffie, M. Hellman (1976). New directions in cryptography. IEEE Trans. Inform. Theory 22(6), pp. 644–654.
[3] A. Joux (2000). A one round protocol for tripartite Diffie–Hellman. In: 4th International Symposium on Algorithmic Number Theory, Lecture Notes in Comput. Sci., vol. 1838, Springer, New York, pp. 385–394.
[4] A. Shamir (1985). Identity-based cryptosystems and signature schemes. In: Advances in Cryptology – CRYPTO'84, Springer, New York, pp. 47–53.
[5] D. Boneh, M. Franklin (2003). Identity-based encryption from the Weil pairing. SIAM J. Comput. 32(3), pp. 586–615.
[6] J. Malone-Lee (2002). Identity based signcryption. Available at http://eprint.iacr.org/2002/098.
[7] M. Hölbl et al. (2012). An improved two-party identity-based authenticated key agreement protocol using pairings. Journal of Computer and System Sciences 78, pp. 142–150.
[8] L. Chen, C. Kudla (2003). Identity based authenticated key agreement protocols from pairings. In: Computer Security Foundations Workshop, IEEE, USA, pp. 219–233.
[9] K. K. R. Choo (2005). McCullagh–Barreto two-party ID-based authenticated key agreement protocols. Internat. J. Netw. Secur. 1(3), pp. 154–160.
[10] N. McCullagh, P. S. L. M. Barreto (2004). A new two-party identity-based authenticated key agreement. Cryptology ePrint Archive Report.
[11] K. Shim (2003). Efficient ID-based authenticated key agreement protocol based on Weil pairing. Electronics Lett. 39(8), pp. 653–654.
[12] K. Shim (2005). Cryptanalysis of two ID-based authenticated key agreement protocols from pairings. Cryptology ePrint Archive, Report 2005/357.
[13] N. P. Smart (2002). Identity-based authenticated key agreement protocol based on Weil pairing. Electronics Lett. 38(13), pp. 630–632.
[14] H. M. Sun, B. T. Hsieh (2003). Security analysis of Shim's authenticated key agreement protocols from pairings. Cryptology ePrint Archive, Report 2003/113.
[15] Y. Wang (2005). Efficient identity-based and authenticated key agreement protocol. Cryptology ePrint Archive, Report 2005/108.
[16] S. B. Wang, Z. F. Cao, H. Y. Bao (2005). Security of an efficient ID-based authenticated key agreement protocol from pairings. In: Parallel and Distributed Processing and Applications – ISPA 2005, Lecture Notes in Comput. Sci., vol. 3759, Springer, New York, pp. 342–349.
[17] G. Xie (2004). Cryptanalysis of Noel McCullagh and Paulo S. L. M. Barreto's two-party identity-based key agreement. Cryptology ePrint Archive, Report 2004/308.
[18] Q. Yuan, S. Li (2005). A new efficient ID-based authenticated key agreement protocol. Cryptology ePrint Archive, Report 2005/309.
[19] Z. Cheng, L. Chen (2007). On security proof of McCullagh–Barreto's key agreement protocol and its variants. Internat. J. Secur. Networks 2, pp. 251–259.
[20] Y. J. Choie, E. Jeong, E. Lee (2005). Efficient identity-based authenticated key agreement protocol from pairings. Appl. Math. Comput. 162(1), pp. 179–188.
[21] S. Chakraborty, S. Chatterjee, N. Dey, A. S. Ashour, A. E. Hassanien (2017). Comparative Approach Between Singular Value Decomposition and Randomized Singular Value Decomposition-based Watermarking. In: Intelligent Techniques in Signal Processing for Multimedia Security, Springer International Publishing, pp. 133–149.
[22] N. Dey, S. Samanta, X. S. Yang, A. Das, S. S. Chaudhuri (2013). Optimisation of scaling factors in electrocardiogram signal watermarking using cuckoo search. International Journal of Bio-Inspired Computation 5(5), pp. 315–326; N. Dey et al. (2015). Tamper Detection of Electrocardiographic Signal using Watermarked Bio-hash Code in Wireless. International Journal of Signal and Imaging Systems Engineering 8(1–2).
[23] N. Dey, M. Pal, A. Das (2012). A Session Based Blind Watermarking Technique within the NROI of Retinal Fundus Images for Authentication Using DWT, Spread Spectrum and Harris Corner Detection. arXiv preprint arXiv:1209.0053.
[24] F. Hess (2002). Efficient identity based signature schemes based on pairings. In: International Workshop on Selected Areas in Cryptography, Springer Berlin Heidelberg, pp. 310–324.
[25] J. L. Beuchat, J. E. González-Díaz, S. Mitsunari, E. Okamoto, F. Rodríguez-Henríquez, T. Teruya (2010). High-speed software implementation of the optimal ate pairing over Barreto–Naehrig curves. In: International Conference on Pairing-Based Cryptography, Springer Berlin Heidelberg, pp. 21–39.