Evolutions and researches on group key agreement (GKA) protocols
Yuh-Min Tseng, Information Security Lab. (ISL), Department of Mathematics, NCUE
E-mail: [email protected]
http://ymtseng.math.ncue.edu.tw

Post on 19-Dec-2015



2 ISL, Math., NCUE

Outline

1. Finding Problems

2. Definitions and evolutions of problems

3. Research approaches and related works

4. Problem 1: GKA protocol resistant to insider attacks

5. Problem 2: GKA protocol for imbalanced networks

6. Problem 3: Pairing-based (ID-based) GKA protocol

7. Conclusions


1. Finding problems

- Assigned by your advisor
- Research trend for some problems or applications
- Referee of manuscripts submitted to conferences or journals
- Open / unsolved problems (famous problems)
- Self-finding problems (Important!)
  - Seminars
  - Conferences: new; Journals: complete
  - Some experts' web-sites
  - Livelihood problems (to solve some practical problems)
- Periodically downloading papers of related conferences and journals


1. Finding problems => Famous problems

Fermat (1601-1665): Fermat's conjectures

- Fermat's Last Theorem: $x^n + y^n = z^n$, $n > 2$, has no positive integer solutions. "I have obtained a perfect proof, but no space to write it."
- Fermat's Little Theorem: for all primes p and $1 \le a \le p-1$, $a^{p-1} \equiv 1 \pmod p$

Pythagoras (-572 ~ -492): $x^2 + y^2 = z^2$, right triangle


1. Finding problems => Famous problems

Euler (1707-1783)

- Fermat's Little Theorem: for all primes p and $1 \le a \le p-1$, $a^{p-1} \equiv 1 \pmod p$. Proof: a corollary of Euler's theorem.
- Euler's Theorem
- Fermat's Last Theorem: $x^n + y^n = z^n$, $n > 2$, has no positive integer solutions. Wiles (1993), Taylor (1995, complete): 370 years after Fermat. Wiles' proof is based on many previous theorems and conjectures.


1. Finding problems => Fermat's Little Theorem

Public key primitives in cryptography

- Euler's Theorem: for all $a \in Z_n^*$, $a^{\phi(n)} \equiv 1 \pmod n$
- Euler's totient function: $\phi(n) = |Z_n^*|$ = the number of positive integers less than n and relatively prime to n
- Fermat's Little Theorem: for all primes p and $1 \le a \le p-1$, $a^{p-1} \equiv 1 \pmod p$. Proof: a corollary of Euler's theorem, since $\phi(p) = p-1$ and $\gcd(a, p) = 1$ for $1 \le a \le p-1$.

Both theorems are useful in public key systems (RSA, DSA, and ElGamal) and in primality testing.


1. Finding problems => Fermat's Last Theorem

One conjecture => Fermat's Last Theorem

History: Fermat (n=4), Euler (n=3), Gauss (n=3, complete), Legendre (n=5) => Legendre symbol (primality test), Dirichlet (n=14), Lamé (n=7), Kummer (1810-1893) (n<100), ...

Wolfskehl (1908): offered a 100000 Marks prize

Taniyama-Shimura theorem/conjecture (1960): relationships between Fermat's Last Theorem, elliptic curves and modular forms

Wiles (1993, 1995): a proof of Fermat's Last Theorem, based on the Taniyama-Shimura theorem/conjecture

Elliptic Curve Cryptography (ECC, secure and efficient)


1. Finding problems => Fermat's Last Theorem

A. Wiles: Modular elliptic curves and Fermat's Last Theorem, Annals of Mathematics 141 (1995), pp. 443-551 => 1998 Fields Medal (special award, 44 years old)

R. Taylor and A. Wiles: Ring theoretic properties of certain Hecke algebras, Annals of Mathematics 141 (1995), pp. 553-572


1. Finding problems => Famous problems

Fermat's other conjecture: $F_n = 2^{2^n} + 1$ is prime: $F_1 = 5$, $F_2 = 17$, $F_3 = 257$, $F_4 = 65537$. Error => $F_5 = 641 \times 6700417$

Mersenne (1588-1648) primes: $2^p - 1$ is prime => p is prime: $2^2 - 1 = 3$, $2^3 - 1 = 7$, $2^5 - 1 = 31$, $2^7 - 1 = 127$. Error => $2^{11} - 1 = 23 \times 89$. GIMPS: The Great Internet Mersenne Prime Search

44th Mersenne prime (2006, September 4): $2^{32582757} - 1$, the largest known prime (9,808,358 decimal digits). 10,000,000 decimal digits => US$100,000


1. Finding problems => Personal experiences

Group key agreement protocols

- Deep: focusing on one issue deeply
- Broad: understanding related issues
  - Two-party key agreement protocols
  - Group (conference, multi-party) key establishment: conference key distribution protocols; group key agreement (GKA) protocols
  - Resource-limited devices: elliptic curves; imbalanced networks (WLAN, cellular network); mobile ad hoc networks; sensor networks
  - Based on various cryptographic systems (ID-based, pairing)

Deep and broad are co-assistive.


2. Definitions and evolutions of problems => Diffie-Hellman key exchange (1976)

The DH scheme provides two-party key agreement.

Global parameters (g, p): p is a large prime, say 1024 bits long; g is a generator of the group $Z_p^*$.

(1) Alice randomly selects a and computes $Y_a = g^a \bmod p$; Bob randomly selects b and computes $Y_b = g^b \bmod p$.

(2) Alice sends $Y_a$ to Bob; (2*) Bob sends $Y_b$ to Alice.

(3) Alice computes $Y_{ab} = (Y_b)^a \bmod p$; (3*) Bob computes $Y_{ba} = (Y_a)^b \bmod p$.

$K = Y_{ab} = Y_{ba} = g^{ab} \bmod p$

Security basis: the discrete logarithm problem


2. Definitions and evolutions of problems

A group key establishment protocol allows users to construct a group key that is used to encrypt/decrypt the messages transmitted among the users over an open communication channel.

Categories:

- Group key distribution: there is a chairman who is responsible for generating a common key and then securely distributing this group key to the other users.
- Group key agreement: all users cooperatively construct the group key.


2. Definitions and evolutions of problems => Categories

[Figure: two rings of users U1, U2, ..., Un. Left, group key distribution: the chair generates the key (easy issue). Right, group key agreement: all users derive the key together (challenging issue).]


2. Definitions and evolutions of problems => Group key agreement

Four research approaches:

1. Concurrent ring (1982, Ingemarsson et al.): the first group key agreement
2. Linear ring + 1 broadcast (many protocols)
3. Binary tree (many protocols)
4. Broadcast (many protocols)

Parallel processors


2. Definitions and evolutions of problems => (1) Concurrent Ring (1982, Ingemarsson et al.)

First group key agreement

[Figure, n = 3: U1, U2, U3 hold secrets x1, x2, x3. Round 1: each U_i sends $g^{x_i}$ to its neighbour. Round 2: the values $g^{x_1 x_2}$, $g^{x_2 x_3}$ and $g^{x_1 x_3}$ are passed on. Finally every user holds $g^{x_1 x_2 x_3}$.]

Note: n participants. 1. It requires (n-1) rounds. 2. Concurrent. Easy? How to devise?
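The concurrent ring protocol above, written out as an added example (not code from the slides): in every round each participant raises the value it holds to its own secret exponent and passes the result to its right-hand neighbour, so after n-1 rounds everyone holds g raised to all exponents but its own. The toy prime p = 1019 and generator g = 2 are constructed for readability, not secure sizes.

```python
# Ingemarsson-style concurrent ring GKA: added worked example, not the slides' code.
# Toy group: P = 1019 (prime) with generator G = 2, constructed for readability only;
# a real deployment uses a large prime (the slides mention a 1024-bit p).
import secrets

P = 1019
G = 2


def ring_gka(xs, p=P, g=G):
    """Run the concurrent ring protocol for secret exponents xs = [x_1, ..., x_n].

    Returns (keys, trace): the key each U_i ends up with, and for every
    communication round the list of values sent (in sender order U_1..U_n).
    len(trace) is the number of rounds, n-1 as the slide states.
    """
    n = len(xs)
    held = [g] * n          # value U_i currently holds; everyone starts from g
    trace = []
    for _ in range(n - 1):
        # Concurrent round: each U_i exponentiates what it holds with its own x_i
        # and sends the result to its right-hand neighbour U_{i+1} (ring wraps).
        sent = [pow(held[i], xs[i], p) for i in range(n)]
        trace.append(sent)
        held = [sent[(i - 1) % n] for i in range(n)]
    # After n-1 rounds U_i holds g raised to every exponent except its own x_i,
    # so one final local exponentiation gives g^{x_1 x_2 ... x_n} for everyone.
    keys = [pow(held[i], xs[i], p) for i in range(n)]
    return keys, trace


if __name__ == "__main__":
    xs = [secrets.randbelow(P - 2) + 1 for _ in range(5)]   # five random secrets
    keys, trace = ring_gka(xs)
    print("rounds:", len(trace), "all participants agree:", len(set(keys)) == 1)
```

With n = 3 the second round's values are exactly the $g^{x_1 x_2}$, $g^{x_2 x_3}$, $g^{x_1 x_3}$ of the figure.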


2. Definitions and evolutions of problems => (2) Linear Ring + 1 Broadcast

Concept (many protocols, 2002):

[Figure: U1 -> U2 -> ... -> U_{n-1} -> U_n, followed by one broadcast.]

Note: n participants. 1. It requires (n-1) rounds. 2. U_i must send i messages.


2. Definitions and evolutions of problems => (3) Binary tree

Concept: bottom-up (many protocols, 2005)

Note: n participants. 1. It requires log n rounds. 2. Semi-concurrent.

[Figure, n = 4: U1, U2, U3, U4 hold x1, x2, x3, x4 and publish $g^{x_1}, g^{x_2}, g^{x_3}, g^{x_4}$; the pairs (U1, U2) and (U3, U4) form $g^{x_1 x_2}$ and $g^{x_3 x_4}$ at the next level; the root key is $g^{\,g^{x_1 x_2} g^{x_3 x_4}}$.]


2. Definitions and evolutions of problems => (4)Broadcast

Burmester and Desmedt (1994, 2005)

Step 1 (Round 1): U_i (1 ≤ i ≤ n) keeps $x_i$ secret and broadcasts $y_i = g^{x_i} \bmod p$

Step 2 (Round 2): U_i (1 ≤ i ≤ n) broadcasts $z_i = (y_{i+1}/y_{i-1})^{x_i} \bmod p$ (indices taken mod n)

Step 3: Each U_i computes the common key
$K = (y_{i-1})^{n x_i} \cdot z_i^{\,n-1} \cdot z_{i+1}^{\,n-2} \cdots z_{i-2} \bmod p = g^{x_1 x_2 + x_2 x_3 + \cdots + x_n x_1} \bmod p$

[Figure: U1, ..., Un attached to a broadcast channel.]


3. Research approaches and related works => Burmester and Desmedt scheme

Burmester and Desmedt (1994): non-authenticated; it requires a secure authenticated broadcast channel. (2005, IPL): they provide a complete proof.

Research approaches based on the BD scheme: authenticated; performance; security properties.


3. Research approaches and related works => Three approaches

- Authenticated: based on different cryptographic systems: general public-key systems (RSA, DSA, or ElGamal); password-based; ID-based (Weil pairing and elliptic curves)
- Performance: number of rounds; message size sent by each participant; computational cost required for each participant
- Security properties: withstanding impersonation attacks; providing forward secrecy; resisting malicious participant (insider) attacks (new)


3. Research approaches and related works => History and remarks

[1] Diffie-Hellman, 1976 (two-party): the first key agreement

[2] Ingemarsson, 1982: the first group key agreement

[3,4] BD, 1994 and 2005: efficient, with a proof

Directions based on BD:
- Performance [5, 15]
- Authenticated [6, 8, 9, 10, 16-19]
- Transformation to authenticated [7, 11]
- Malicious participant [12, 13, 14]


3. Research approaches and related works => History and remarks

[5] Horng, 2001: computationally efficient
[14] Tseng, 2005: insider attack
[15] Jung, 2006: dynamic case (join/leave)
[6, 8] 2002, 2003: round efficient
[7] Katz, 2003: first transformation
[13] Katz, 2005: insider attack
[11] Tang, 2005: round efficient
[9, 17, 18] 2004, 2005: ID-based (pairing)
[16] Abdalla, 2006: password-based
[10] Tan, 2005: batch verification
[12] Tang, 2005: attacks it (insider attack)
[19] Tseng, 2007: insider attack

Directions based on BD: performance [5, 15]; authenticated [6, 8, 9, 10, 16-19]; transformation to authenticated [7, 11]; malicious participant [12, 13, 14]


3. Research approaches and related works => Related papers

[1] Diffie, W. and Hellman, M.E. (1976) New directions in cryptography. IEEE Trans. on Inform. Theory, 22, 644-654.
[2] Ingemarsson, I., Tang, T.D. and Wong, C.K. (1982) A conference key distribution system. IEEE Trans. Inform. Theory, 28, 714-720.
[3] Burmester, M. and Desmedt, Y. (1994) A secure and efficient conference key distribution system. Advances in Cryptology - Proceedings of Eurocrypt'94, Perugia, Italy, 9-12 May, LNCS 950, pp. 275-286, Springer-Verlag, Berlin.
[4] Burmester, M. and Desmedt, Y. (2005) A secure and scalable group key exchange system. Information Processing Letters, 94, 137-143.
[5] Horng, G. (2001) An efficient and secure protocol for multi-party key establishment. The Computer Journal, 44(5), 463-470.
[6] Tzeng, W.G. (2002) A secure fault-tolerant conference-key agreement protocol. IEEE Trans. on Computers, 51(4), 373-379.
[7] Katz, J. and Yung, M. (2003) Scalable protocols for authenticated group key exchange. Advances in Cryptology - Proceedings of Crypto'03, Santa Barbara, CA, 17-21 August, LNCS 2729, pp. 110-125, Springer-Verlag, Berlin.
[8] Boyd, C. and Nieto, G. (2003) Round-optimal contributory conference key agreement. Proc. Public-Key Cryptography'03, Miami, USA, 6-8 January, LNCS 2567, pp. 161-174, Springer-Verlag, Berlin.


3. Research approaches and related works => Related papers

[9] Yi, X. (2004) Identity-based fault-tolerant conference key agreement. IEEE Trans. on Dependable and Secure Computing, 1(3), 170-178.
[10] Tan, C. and Teo, J. (2005) An authenticated group key agreement for wireless networks. IEEE WCNC 2005, pp. 2100-2105.
[11] Tang, Q. and Mitchell, C.J. (2005) Efficient compilers for authenticated group key exchange. Computational Intelligence and Security: International Conference, CIS 2005, Xi'an, China, December 15-19, 2005, Proceedings, Part II, LNCS 3802, pp. 192-197, Springer-Verlag, Berlin.
[12] Tang, Q. and Mitchell, C.J. (2005) Security properties of two authenticated conference key agreement protocols. In: Qing, S., Mao, W., Lopez, J. and Wang, G. (eds.), Information and Communications Security: 7th International Conference, ICICS 2005, Beijing, China, December 10-13, 2005, Proceedings, LNCS 3783, pp. 304-314, Springer-Verlag, Berlin.
[13] Katz, J. and Shin, J.S. (2005) Modeling insider attacks on group key exchange protocols. ACM Conference on Computer and Communications Security 2005, pp. 180-189.
[14] Tseng, Y.M. (2005) A robust multi-party key agreement protocol resistant to malicious participants. The Computer Journal, 48, 480-487.


3. Research approaches and related works => Related papers

[15] Jung, B.E. (2006) An efficient group key agreement protocol. IEEE Communications Letters, 10(2), 106-107.
[16] Abdalla, M., Bresson, E., Chevassut, O. and Pointcheval, D. (2006) Password-based group key exchange in a constant number of rounds. PKC 2006, LNCS 3958, pp. 427-442.
[17] Choi, K.Y., Hwang, J.Y. and Lee, D.H. (2004) Efficient ID-based group key agreement with bilinear maps. 2004 International Workshop on Practice and Theory in Public Key Cryptography (PKC 2004).
[18] Shi, Y., Chen, G. and Li, J. (2005) ID-based one round authenticated group key agreement protocol with bilinear pairings. Proceedings of the International Conference on Information Technology: Coding and Computing (ITCC'05).
[19] Tseng, Y.M. (2006) A communication-efficient and fault-tolerant conference-key agreement protocol with forward secrecy. Journal of Systems and Software, accepted and to appear.
[20] Tseng, Y.M. (2007) A secure authenticated group key agreement protocol for resource-limited mobile devices. The Computer Journal, 50(1), 41-52.


3. Research approaches and related works => Finding worth-to-work problems

Keep cranky and thinking continuously!!!

Finding solutions: writing a research paper or patent; developing application systems

Keeping a research record (Important!!): finding new problems => solutions. A solution could be a good approach/technique; in the future, it is possible to adopt it for other applications or problems.


3. Research approaches and related works => Finding worth-to-work problems

Problem 1: Malicious participant (insider) attack. A malicious legal participant broadcasts a wrong message to disrupt the conference key establishment. The proposed protocol must find who the malicious participants are.

Problem 2: Imbalanced wireless networks. Resource-limited PDA, smart phone, or UMD (ultra mobile device). It is a flexible approach to shift the computational burden to the powerful node and reduce the computational cost of the mobile nodes.

Problem 3: Pairing-based (ID-based) public-key system. A practical ID-based public-key system (elliptic curve), 2001, new.


4. Problem 1: GKA protocol resistant to insider attacks

Motivation and finding a solution: All related GKA protocols based on the BD scheme suffer from insider attacks. Some secure conferences must be held prior to a special time, such as military applications, rescue missions and emergency negotiations.

Related papers (2005):

[14] Tseng, Y.M. (2005) A robust multi-party key agreement protocol resistant to malicious participants. The Computer Journal, 48, 480-487. (2006, Wilkes Award)

[12] Tang, Q. and Mitchell, C.J. (2005) Security properties of two authenticated conference key agreement protocols. In: Qing, S., Mao, W., Lopez, J. and Wang, G. (eds.), Information and Communications Security: 7th International Conference, ICICS 2005, Beijing, China, December 10-13, 2005, Proceedings, LNCS 3783, pp. 304-314, Springer-Verlag, Berlin.

[13] Katz, J. and Shin, J.S. (2005) Modeling insider attacks on group key exchange protocols. ACM Conference on Computer and Communications Security 2005, pp. 180-189.


4. Problem 1: GKA protocol resistant to insider attacks

Insider attacks (malicious participants) on the BD scheme

Step 1 (Round 1): U_i (1 ≤ i ≤ n) keeps $x_i$ secret and broadcasts $y_i = g^{x_i} \bmod p$

Step 2 (Round 2): U_i (1 ≤ i ≤ n, i ≠ j) broadcasts $z_i = (y_{i+1}/y_{i-1})^{x_i} \bmod p$; the malicious U_j broadcasts a random value $z_j$ instead

Step 3: Each U_i computes $K = (y_{i-1})^{n x_i} \cdot z_i^{\,n-1} \cdot z_{i+1}^{\,n-2} \cdots z_{i-2} \bmod p$, which no longer equals $g^{x_1 x_2 + x_2 x_3 + \cdots + x_n x_1} \bmod p$ for all i; the participants obtain different keys.

[Figure: U1, ..., Un attached to a broadcast channel.]

Who is the malicious participant?


4. Problem 1: Solution: GKA protocol resistant to insider attacks

Step 1 (Round 1): U_i (1 ≤ i ≤ n) keeps $x_i$ secret and broadcasts $y_i = g^{x_i} \bmod p$

Step 2 (Round 2): U_i (1 ≤ i ≤ n) broadcasts $z_i = (y_{i+1}/y_{i-1})^{x_i} \bmod p$ together with a proof that $z_i$ is computed correctly, built from a fresh random $r_i$, the commitments $\alpha_i = g^{r_i} \bmod p$ and $(y_{i+1}/y_{i-1})^{r_i} \bmod p$, a hash function H, and a response computed mod q.

Step 3: U_i (1 ≤ i ≤ n) checks every U_j's proof (the challenge $C_j$ is recomputed with H from U_j's broadcast values) and then computes
$K = (y_{i-1})^{n x_i} \cdot z_i^{\,n-1} \cdot z_{i+1}^{\,n-2} \cdots z_{i-2} \bmod p = g^{x_1 x_2 + x_2 x_3 + \cdots + x_n x_1} \bmod p$

[Proof and verification equations: not recoverable from the transcript beyond the terms named above.]
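The BD scheme, the random-$z_j$ insider attack, and the "is $z_i$ computed correctly" check, as an added example that is not code from the slides or from Tseng (2005). It assumes a Chaum-Pedersen proof of discrete-log equality as the correctness check (Tseng's exact construction may differ) and a constructed toy safe-prime group p = 1019, q = 509, g = 4 in place of a secure-size group.

```python
# Burmester-Desmedt (BD) GKA over a simulated broadcast channel, the insider
# attack from the slides (U_j broadcasts a random z_j), and a per-message check
# that z_i was computed correctly. Added example: not the slides' or Tseng's code.
# The check is a Chaum-Pedersen proof that log_g(y_i) = log_{h_i}(z_i) with
# h_i = y_{i+1}/y_{i-1}; it stands in for the exact proof of Tseng (2005).
import hashlib
import secrets

P, Q, G = 1019, 509, 4   # constructed toy safe-prime group: P = 2Q+1, G has order Q


def round1(xs):
    """Round 1: U_i keeps x_i secret and broadcasts y_i = g^{x_i} mod p."""
    return [pow(G, x, P) for x in xs]


def base(ys, i):
    """h_i = y_{i+1} / y_{i-1} mod p (indices wrap around the ring)."""
    n = len(ys)
    return ys[(i + 1) % n] * pow(ys[(i - 1) % n], -1, P) % P


def bd_key(ys, zs, i, x):
    """Step 3: K = (y_{i-1})^{n x_i} * z_i^{n-1} * z_{i+1}^{n-2} * ... * z_{i-2} mod p."""
    n = len(ys)
    k = pow(ys[(i - 1) % n], n * x, P)
    for t in range(n - 1):
        k = k * pow(zs[(i + t) % n], n - 1 - t, P) % P
    return k


def challenge(h, y, z, a, b):
    """Fiat-Shamir challenge in [1, Q-1], bound to the statement and commitments."""
    data = ",".join(map(str, (G, h, y, z, a, b))).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (Q - 1) + 1


def prove_z(ys, i, x, z):
    """U_i's proof that z = h_i^x for the same x behind y_i = g^x."""
    h = base(ys, i)
    r = secrets.randbelow(Q - 1) + 1              # fresh random r_i
    a, b = pow(G, r, P), pow(h, r, P)             # commitments g^r, h_i^r
    c = challenge(h, ys[i], z, a, b)
    return a, b, (r + c * x) % Q                  # response s = r + c x mod q


def verify_z(ys, i, z, proof):
    """Any participant can check U_i's proof from broadcast values alone."""
    a, b, s = proof
    h = base(ys, i)
    c = challenge(h, ys[i], z, a, b)
    return (pow(G, s, P) == a * pow(ys[i], c, P) % P
            and pow(h, s, P) == b * pow(z, c, P) % P)


def run_session(xs, cheater=None, bogus_z=None):
    """Run BD for secrets xs; returns (key derived by each U_i, indices whose z failed)."""
    n = len(xs)
    ys = round1(xs)
    zs, proofs = [], []
    for i in range(n):
        if i == cheater:
            # Insider attack: U_j broadcasts a random value in place of z_j.
            z = bogus_z if bogus_z is not None else secrets.randbelow(P - 2) + 2
        else:
            z = pow(base(ys, i), xs[i], P)        # Round 2: z_i = h_i^{x_i}
        zs.append(z)
        # The cheater knows only its real x_j, so no proof it makes fits a bogus z_j.
        proofs.append(prove_z(ys, i, xs[i], z))
    flagged = [j for j in range(n) if not verify_z(ys, j, zs[j], proofs[j])]
    keys = [bd_key(ys, zs, i, xs[i]) for i in range(n)]
    return keys, flagged


if __name__ == "__main__":
    xs = [3, 5, 7, 11]                                         # constructed toy secrets
    print("honest:", run_session(xs))                          # equal keys, nothing flagged
    print("insider:", run_session(xs, cheater=2, bogus_z=7))   # keys diverge, U_3 flagged
```

The participant whose $z_j$ fails verification is identified before anyone uses the key, which answers the "who is the malicious participant?" question of the attack slide.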


4. Problem 1: GKA protocol resistant to insider attacks

Security proofs: Assumption 1: the Decisional Diffie-Hellman problem. Theorem 1: the proposed GKA protocol is secure against passive attacks. Theorem 2: the proposed GKA protocol is secure against insider attacks.

Discussions: Based on the BD scheme, this is the first protocol resisting insider attacks. In fact, the proposed approach can be applied to other group key agreement protocols with t rounds (t > 1) to withstand insider attacks (reviewer comments).

Extended to an authenticated protocol (Tseng, 2007, JSS)


5. Problem 2: GKA protocol for imbalanced wireless networks

Motivation and finding a solution: Resource-limited devices: PDA, cellular phone, or UMD (ultra mobile device). It is a flexible approach to shift the computational burden to the powerful node and reduce the computational cost of the mobile nodes.

Related papers:

Bresson, E., Chevassut, O., Essiari, A. and Pointcheval, D. (2004) Mutual authentication and group key agreement for low-power mobile devices. Computer Communications, 27, 1730-1737.

Nam, J., Kim, S. and Won, D. (2005) A weakness in the Bresson-Chevassut-Essiari-Pointcheval's group key agreement scheme for low-power mobile devices. IEEE Communications Letters, 9, 429-431.

Nam, J., Kim, S. and Won, D. (2005) DDH-based group key agreement in a mobile environment. The Journal of Systems and Software, 78, 73-83.

Tseng, Y.M. (2007) A secure authenticated group key agreement protocol for resource-limited mobile devices. The Computer Journal, 50(1), 41-52.


5. Problem 2: GKA protocol for imbalanced wireless networks

Weaknesses of Bresson et al.'s protocol (2004): without forward secrecy; without key authentication; not a contributory key agreement

Weaknesses of Nam et al.'s protocol (2005): it provides an authenticated protocol based on the Katz-Yung transformation [7] (2003), which is time-consuming; in this case the computational cost is expensive for a mobile device; not a contributory key agreement


5. Problem 2: GKA protocol for imbalanced wireless networks

Goal: a real contributory key agreement protocol (with proof); an authenticated GKA protocol; the proposed protocol must be well suited for mobile devices with limited computing capability.

Some related issues and knowledge: give an example to prove that both Bresson et al.'s and Nam et al.'s protocols are not contributory key agreements; give a complete proof to show that our proposed protocol is a real contributory key agreement; understand the computing capability of mobile devices such as PDAs.


5. Problem 2: GKA protocol for imbalanced wireless networks

Security proofs: Theorem 1: it is a contributory group key agreement protocol. Theorem 2: against a passive adversary. Lemma 1, Lemma 2 and Theorem 3: against an impersonator's attack. Theorem 4: implicit key authentication. Theorem 5: forward secrecy.

Discussions: Comparisons of computational cost and security properties. This is the first protocol which provides a proof of contributory group key agreement. A simulation result shows that the proposed protocol is well suited for mobile devices with limited computing capability.


5. Problem 2: GKA protocol for imbalanced wireless networks

Some other possible problems and future works:

Possible inherent problems of a powerful node: communication bottleneck; single point of failure; trust.

Lower bound of the communication cost in a contributory group key agreement for imbalanced networks => optimal solution.


6. Problem 3: Pairing-based (ID-based) GKA protocol

Motivation and finding a problem

Based on the factoring problem: Shamir (1984). ID => name, [email protected] and some other information. The motivation is to simplify certificate management; however, it is not practical.

Based on the Bilinear Diffie-Hellman assumption: in 2001, D. Boneh and M. Franklin presented the first ID-based encryption scheme. Afterwards, it became an important issue for cryptography research.

Question: If you focus on this topic, what knowledge should you prepare and own?


6. Problem 3: Pairing-based (ID-based) GKA protocol

Related knowledge: elliptic curves; bilinear pairings (Weil pairing and Tate pairing); few books focus on these cryptographic systems.

ID-based cryptographic protocols: ID-based signatures (batch, threshold, blind, ...); ID-based encryption (broadcast, authenticated); ID-based two-party key agreement/authentication; fast pairing computation; ID-based authenticated group key agreement.


6. Problem 3: Pairing-based (ID-based) GKA protocol

Related papers on ID-based signature/encryption:

D. Boneh and M. Franklin, "Identity based encryption from the Weil pairing," Crypto 2001, LNCS 2139, pp. 213-229, Springer-Verlag, 2001.

D. Boneh and M. Franklin, "Identity based encryption from the Weil pairing," SIAM J. of Computing, Vol. 32, No. 3, pp. 586-615, 2003.

D. Boneh, B. Lynn and H. Shacham, "Short signature from Weil pairing," Asiacrypt 2001, LNCS 2248, pp. 514-532, Springer-Verlag, 2001.

K. Paterson, "ID-based signatures from pairings on elliptic curves," Electronics Letters, Vol. 38, No. 18, pp. 1025-1026, 2002.

F. Hess, "Efficient identity based signature schemes based on pairings," SAC 2002, LNCS 2595, pp. 310-324, Springer-Verlag, 2003.

J. C. Cha and J. H. Cheon, "An identity-based signature from gap Diffie-Hellman groups," PKC 2003, LNCS 2567, pp. 18-30, Springer-Verlag, 2003.

H. J. Yoon, J. H. Cheon and Y. Kim, "Batch verifications with ID-based signatures," Proc. ICISC 2004, December 2-3, Seoul, Korea, LNCS 3506, pp. 233-248, Springer-Verlag, Berlin, 2005.

N. Koblitz and A. Menezes, "Pairing-based cryptography at high security levels," Cryptography and Coding: 10th IMA International Conference, LNCS 3796, pp. 13-36, Springer-Verlag, 2005.

S. Cui, P. Duan and C. W. Chan, "An efficient identity-based signature scheme with batch verifications," Proceedings of the 1st International Conference on Scalable Information Systems, Article No. 22, May 30 - June 01, 2006.


6. Problem 3: Pairing-based (ID-based) GKA protocol

Related papers on ID-based key agreement/authentication:

N. P. Smart, "An identity based authenticated key agreement protocol based on the Weil pairing," Electronics Letters, Vol. 38, No. 13, pp. 630-632, June 2002.

L. Chen and C. Kudla, "Identity based authenticated key agreement protocols from pairings," 16th IEEE Computer Security Foundations Workshop (CSFW'03), 2003, p. 219.

Y. Wang, "Efficient identity-based and authenticated key agreement protocol," Cryptology ePrint Archive, Report 2005/108.

G. Xie, "An ID-based key agreement scheme from pairing," Cryptology ePrint Archive, Report 2005/093.

Q. Yuan and S. Li, "A new efficient ID-based authenticated key agreement protocol," Cryptology ePrint Archive, Report 2005/309.

L. Chen, Z. Cheng and N. P. Smart, "Identity-based key agreement protocols from pairings," http://grouper.ieee.org/groups/1363/IBC/submissions/Chen-IBE.pdf, 2006. (Good survey)

X. Yi, "Identity-based fault-tolerant conference key agreement," IEEE Trans. on Dependable and Secure Computing, Vol. 1, No. 3, pp. 170-178, July-September 2004.

M. Das, A. Saxena, A. Gulati and D. Phatak, "A novel remote user authentication scheme using bilinear pairings," Computers & Security, Vol. 25, Issue 3, pp. 184-189, May 2006.


6. Problem 3: Pairing-based (ID-based) GKA protocol

Goal: a pairing-based (ID-based) GKA protocol. Finding some possible solutions => no concrete publication yet.

Extra results from surveying pairing-based systems: reviewer of an ID-based partially blind signature (2006).

Improving the performance of Sherman et al.'s scheme (2005): I presented that their scheme suffers from a forgery attack; reject it! Trying to propose an efficient scheme; until now, no concrete result.

Seminar => a two-party key agreement protocol (2006, C&S): finding some drawbacks; we have obtained concrete results (conferences).


7. Conclusions

Based on the previous knowledge and on new applications/environments:

Thinking about other problems


7. Conclusions => Thinking about other problems

Wireless environments (resource-limited devices): imbalanced networks (WLAN, cellular network); mobile ad hoc networks

Distributed architectures: no on-line certificate authority

Sensor networks: specific architectures (pre-distributed secret keys or passwords); energy-aware (computation vs. communication)


7. Conclusions => Other Problems => Energy consuming

Sensor networks (2005, Wander et al.): specific architecture (pre-distributed secret keys); energy-aware (computation vs. communication)

Field                         Value
Effective data rate           12.4 kbps
Energy to transmit            59.2 μJ/byte
Energy to receive             28.6 μJ/byte
ATmega128L active mode        13.8 mW
ATmega128L power down mode    0.0075 mW
ATmega128L MIPS/Watt          289 MIPS/W

Mica2dot sensor platform, 2002, .....


7. Conclusions => Other Problems => Energy consuming

Algorithm          Energy
SHA-1              5.9 μJ/byte
AES-128 Enc/Dec    1.62/2.49 μJ/byte

Energy cost of digital signature and key exchange computations [mJ]

Algorithm     Signature          Key exchange
              Sign      Verify   Client    Server
RSA-1024      304       11.9     15.4      304
ECDSA-160     22.82     45.09    22.3      22.3
RSA-2048      2302.7    53.7     57.2      2302.7
ECDSA-224     61.54     121.98   60.4      60.4


7. Conclusions

Research: "When you enter the first room of a mansion, it is completely dark; you cannot see your hand in front of your face. You stumble around among the furniture, but gradually you work out where each piece is. Finally... you find the light switch (Switch) and turn on the light. Suddenly... you know exactly where you are."

------ Wiles

Opening up the Ren and Du meridians (the breakthrough)


7. Conclusions

Thanks for your participation !

Questions and Answers !