Lightweight Certificateless Authenticated Key Agreement Protocol
Dr. Eng. Mwitende Gervais
Pivot Access Ltd, Kigali, Rwanda
Computer Science & Engineering: An International Journal (CSEIJ), Vol 13, No 5/6, December 2023
DOI:10.5121/cseij.2023.13602

Abstract. Data security and privacy are important to prevent the disclosure, modification and unauthorized use of sensitive information. The use of resource-critical devices in the Internet of Things (IoT), e-commerce, e-payment and wireless sensor networks (WSNs) has brought a new security challenge due to the low computation capability of sensors. Lightweight authenticated key agreement protocols are therefore important to protect their security and privacy. Much research has been published on authenticated key agreement, but lightweight schemes that fit resource-critical devices are still needed. In addition, a malicious key generation center (KGC) can become a threat by watching other users, i.e. impersonating a user through the key escrow problem. We therefore propose a lightweight certificateless Authenticated Key Agreement (AKA) based on the computational Diffie-Hellman problem (CDHP). The proposed protocol maintains the characteristics of certificateless public key cryptography. The protocol is split into two combined phases. In the first phase, our protocol establishes a session key between users (sender and receiver). In the second phase, we use a lightweight proxy blind signature based on the elliptic curve discrete logarithm problem (ECDLP). The proxy signature used has small computation costs, fits small devices such as sensors, and protects against missing authentication and authorization in a decentralized system. Compared to the existing AKA schemes, our scheme has small computation costs, and it achieves the well-known security features of the related protocols.

Keywords: Certificateless AKA · distinguishability · Session key · proxy blind signature · forward secrecy · decentralized.

1 Introduction

AKA protocols are among the most important primitives for information security and privacy. An AKA protocol involves two or more parties that share their public parameters so that they can compute a secret key for secure communication over an open network. The parties in AKA
can authenticate each other and encrypt messages in such a way that only the computed session key can decrypt them. AKA protocols were introduced to prevent passive and active attacks [1]. AKA protocols can be realized by deploying a public-key infrastructure (PKI) or identity-based (ID-based) cryptography, both of which have proved difficult and vulnerable: PKI-based protocols suffer from a heavy certificate management burden, while ID-based cryptographic systems require all parties to trust a KGC. Our paper investigates AKA schemes and designs a lightweight certificateless AKA that can be applied in different areas of technology such as wireless sensor networks (WSNs), wireless body area networks (WBANs) and other IoT systems. The first certificateless AKA without a trusted third party was proved informally in [2]. Since then, many certificateless protocols have been designed. A formal proof of certificateless AKA was presented in [3] and has attracted much research. Numerous certificateless AKA schemes using pairings have been proposed; however, the computation cost of a pairing is much higher than that of a scalar multiplication over an elliptic curve group. Certificateless AKA protocols without pairing (CLAKA) are therefore more useful in terms of efficiency. Recently, several lightweight AKA protocols have been designed. The authors of [4] proposed an authentication and key agreement protocol for WSNs. It establishes a session key between a sensor node and a management server. Their protocol achieves important security properties for IoT such as forward secrecy, known session key prevention and key control; the KGC computes the private keys of both entities. The authors of [5] proposed a certificateless AKA for WBANs. Their protocol achieves several security properties, but it has high computation costs due to the bilinear pairings involved in their scheme. Gervais et al. [6] proposed a CLAKA protocol for healthcare based on a decentralized system. Their protocol achieves the well-known certificateless security properties and uses a security-mediated signature. The authors of [7] proposed a cloud-aided lightweight certificateless authentication protocol with anonymity for WBANs. Their protocol consists of a three-layer structure and provides anonymity, but its equipment cost could be high. Li et al. [8] designed an enhanced authentication protocol for body sensors. It provides mutual authentication and a session key. The protocol is certificateless, resistant to offline password guessing attacks, and was proved in BAN logic. Jiang et al. [9] designed a pairing-based anonymous authentication scheme for body sensors. The protocol establishes a session key between a client and an application server; it is lightweight and is proved under the CDH assumption. An anonymous AKA for fog computing in healthcare systems was proposed in [10]. The protocol requires a password for user registration and fog revocation while establishing the session key between IoT devices, fog devices and the cloud. The authors of [11] proposed an authentication scheme for WBANs. Their protocol offers some known security features such as anonymity and unlinkability; a mobile client and an application server compute a shared key. The authors of [12] proposed an authentication and key agreement protocol that achieves important security features such as anonymity and untraceability.
1.1 Motivation and Contribution

It is important to protect sensitive information transmitted and processed by small devices. A malicious party can weaken a vulnerable medical system and gain access to sensitive data without authorization. We therefore set up a secure lightweight authenticated key agreement between communicating nodes/users. In addition, the service provider and storage should avoid the security risks of a single point of failure and management. Since body sensors for healthcare are critical devices, the designed protocols need to be lightweight because they run on medical sensors. Hence, in this paper, we set up a lightweight certificateless AKA protocol to secure transmission in a decentralized system. The protocol provides the important security features of AKA and proxy blind signature, while a decentralized architecture improves security by avoiding the system administrator's ownership of the system. Our work contributes in the following ways:
• A certificateless AKA for a decentralized system is designed to provide forward secrecy. A session key is established between user A, who is the owner of the sensitive data, and user B, who is the receiver of the data and at the same time acts as the decentralized node.
• A lightweight proxy blind signature based on ECDLP is used to provide important security features such as authentication and verification of the data origin among the decentralized nodes. The proxy blind signature provides distinguishability and unlinkability. It is an efficient signature suitable for resource-constrained devices.
• The protocol has low computation overhead due to the few point multiplications and hash function evaluations used in the protocol design.
• The formal and informal analysis prove that our protocol is secure in the random oracle model under the CDH and ECDL assumptions.

1.2 Organization

In Section 2, the preliminaries are discussed. In Section 3, the model of the certificateless AKA protocol is presented. In Section 4, the proposed protocol is designed. In Section 5, the analysis of the proposed protocol is discussed. In Section 6, we conclude the paper.

2 Preliminaries

2.1 Notations

The common notation used in this paper is listed in Table 1.
Table 1. Notations and description

Notation       Description
Ppub           The public key of the KGC
s              Master secret key
i              The ith user
Qi             The partial private key of user i
IDi            The identity of user i
ui             The secret value of user i
Xi             The public key of user i
di             The private key of user i
Kij, Kji       The session key of user i and user j
a, b, y, ri    Random numbers
p              A large prime number
Fp             Prime field
E              An elliptic curve E over the prime field Fp
G              Additive group
P              Generator of G
H, H1, H2      Hash functions
p, q           Prime numbers
xB             The receiver's private key
PB             The receiver's public key
A              User A, considered as the sending user
B              User B, considered as the requesting node
V              User V, considered as the verifier node
Pr             User Pr, considered as the proxy signing node
xs             The signer's private key
ys             The signer's public key
xp             The proxy's private key
yp             The proxy's public key
Qs             The signer's public key, Qs = xs.G
G              A finite point of order n on E/Fp

2.2 Background of Certificateless AKA

The authors of [2] were the first to propose a certificateless AKA protocol. Since then, much research on certificateless AKA protocols, both with and without pairings, has been conducted. Most AKA protocols have been designed on top of PKI or ID-based cryptography. PKI certificate management is difficult in terms of computation and storage, while ID-based cryptography trusts a KGC that can launch an active attack to eavesdrop on the communication between users [13]. We are therefore required to solve the problem of PKI and avoid the trust placed in the KGC of ID-based AKA. Much effort has been made to alleviate these limitations of authentication and key agreement protocols. The approach that solves the problems of PKI and ID-based AKA has been the implementation of certificateless cryptography [14]. In certificateless AKA protocols, the KGC creates only half of the private key of each communicating party; users generate the other half of their private keys from randomly selected secret values. The key escrow problem is therefore prevented in certificateless cryptography, and certificateless cryptography does not need an additional certificate to show the ownership of a public key [15].

2.3 The Finite Field

Let p be a prime number. The finite field Fp consists of the set of integers {0, 1, 2, ..., p − 1} with the following arithmetic operations:
• Addition: If a, b ∈ Fp, then a + b = r, where r is the remainder when a + b is divided by p and 0 ≤ r ≤ p − 1. This is known as addition modulo p.
• Multiplication: If a, b ∈ Fp, then a.b = s, where s is the remainder when a.b is divided by p and 0 ≤ s ≤ p − 1. This is known as multiplication modulo p.
• Inversion: If a is a non-zero element of Fp, the inverse of a modulo p, denoted a^{−1}, is the unique integer c ∈ Fp for which a.c = 1.
2.4 Elliptic curve definition

For p ≥ 3, let E/Fp be an elliptic curve E over a finite field Fp defined by the equation
$$y^2 = x^3 + ax + b, \quad a, b \in F_p \qquad (1)$$
with discriminant
$$\Delta = 4a^3 + 27b^2 \neq 0. \qquad (2)$$
The points on E/Fp together with the point at infinity O form a group of points G:
$$G = \{(x, y) : x, y \in F_p,\ E(x, y) = 0\} \cup \{O\}. \qquad (3)$$
Assume q to be the order of G. Scalar multiplication over E/Fp is defined as
$$tP = P + P + P + \cdots + P \quad (t \text{ times}). \qquad (4)$$
The detailed mathematical operations on elliptic curves can be found in [16]. The following problems over G are assumed to be intractable in polynomial time.

2.5 Hard assumptions

Definition 1. DLP assumption: Given (P, aP) for an unknown value $a \in Z_q^*$ and P a generator of G, determine a. The DLP states that it is intractable for any probabilistic polynomial-time algorithm to determine the value a.
Definition 2. CDH assumption: Given (P, aP, bP) for unknown $a, b \in Z_q^*$ and P a generator of G, compute abP. The CDH assumption states that it is intractable for any probabilistic polynomial-time algorithm to solve the CDH problem.

2.6 Algorithms for Certificateless AKA

We achieve a certificateless AKA protocol with the following six algorithms.
• Setup: The KGC takes a security parameter ȷ as input and outputs a master key and the system parameter list params.
• Partial-Private-Key-Extract: The KGC takes as input params, the master key and a user identity IDi, and returns the user's partial private key Qi.
• Set-Secret-Value: The algorithm takes as input params and a user identity IDi and returns the user's secret value ui.
• Set-Private-Key: The algorithm takes as input params, IDi, the partial private key Qi and the secret value ui, and returns the private key di of the user.
• Set-Public-Key: The algorithm takes as input params, the user identity IDi and the secret value ui, and returns the public key Xi of the user.
• Key-Agreement: This is a polynomial-time interactive algorithm run by both users. It takes as input params together with (dA, IDA, XA) for user A and (dB, IDB, XB) for user B, where dA and dB are the private keys, IDA and IDB the identities, and XA and XB the public keys of users A and B. Finally both users compute a session key KAB = KBA = K.
3 Model of the proposed protocol

In this section, we present the security model and the system model for the proposed certificateless AKA.

3.1 Security modeling of the proposed protocol

The certificateless AKA protocol must be resistant to the two types of adversaries, Type I and Type II, described in [17].
• Type I Adversary A1: A1 does not have access to the master secret key, but can replace the public key of any party with a value of its choice.
• Type II Adversary A2: A2 has access to the master secret key but cannot replace the public key of any party.

3.2 System model

The system model is composed of two phases. The first phase involves the KGC and the users A and B. The KGC registers both users and computes their partial private keys. Upon receiving the partial private keys, both users compute a session key to authenticate each other and secure data transmission. Note that the key is established afresh in every session in which the two entities communicate, which prevents the known-key share problem. The second phase involves A, the proxy Pr, the verifier V and the other decentralized nodes; two nodes of the second phase participate in the creation of the proxy blind signature. Figure 1 illustrates the proposed system model architecture, explained in the following steps.
• The KGC registers the users A and B and generates the system parameter list. The KGC cannot learn the private keys of users A and B.
• User A communicates with and transmits data to user B over a wireless network. User A computes its private key and establishes a session key with user B. The session key encrypts the data transmitted from A to the receiver B.
• The receiver B is registered with the KGC and obtains a partial private key and the system parameters. It also establishes a session key with A. The session key is used to encrypt and decrypt the data sent by A over an open network.
• User B, the proxy Pr and the verifier V participate in the establishment of the proxy blind signature for the decentralized system.
Fig. 1. System model

3.3 Formal security model

The formal security model follows the model discussed in [18]. It is modeled as a game between a challenger C and an adversary A ∈ {A1, A2}. The adversary monitors all interactions between the two parties. Every party possesses an identity IDi. The capabilities of A are represented by the oracles kept by C. Assume that an oracle $\Phi^r_{i,j}$ represents the rth instance of party i with its counterpart j in a session. The game starts when C runs the Setup algorithm with security parameter ȷ to return the master secret and the system params. If A is a Type I adversary A1, C transmits params to A and keeps the master key secret; otherwise A is a Type II adversary A2, and C issues both params and the master key to A. The adversary A is a probabilistic polynomial-time Turing machine. All communications go through A. Parties answer the queries of A and do not interact with each other. A is benign, i.e. A is deterministic, chooses two oracles $\Phi^n_{i,j}$ and $\Phi^l_{j,i}$, and relays each message from one oracle to the other. In addition, A can ask the following queries, including one Test query:
• Create(IDi): This query permits A to request C to create a new party i with identity IDi. Upon receiving such a query, C creates the private and public keys of i.
• Public-Key(IDi): A may ask for the public key of the party i with identity IDi. C replies with the public key Xi of party i.
• Partial-Private-Key(IDi): A may ask for the partial private key of the party i with identity IDi. C replies with the partial private key Qi of party i.
• Corrupt(IDi): A may ask for the private key of the party i with identity IDi. C replies with the private key di of party i.
• Public-Key-Replacement(IDi, $X'_i$): For a party i with identity IDi, A may select another public key $X'_i$ and set $X'_i$ as the public key. C records this change for future use.
• Send($\Phi^n_{i,j}$, µ): A may select and issue a message µ to an oracle $\Phi^n_{i,j}$, which party i assumes to have been sent by party j. A can also issue a special Send query with µ ≠ α to an oracle $\Phi^n_{i,j}$, which tells i to start a protocol run with j. An oracle is called an initiator oracle when the first message it has received is α; otherwise, it is called a responder oracle.
• Reveal($\Phi^n_{i,j}$): A may request a specific oracle to reveal to A the session key, if any, that it currently holds.
• Test($\Phi^n_{i,j}$): At some point, A may choose one of the oracles, say $\Phi^T_{I,J}$, for a single Test query. Such an oracle must be fresh. To answer the query, the oracle flips a coin b ∈ {0, 1} and outputs the session key held by $\Phi^T_{I,J}$ if b = 0, or a random sample from the distribution of session keys if b = 1.
An oracle $\Phi^n_{i,j}$ can be in one of the following states:
• Accepted: An oracle is in the Accepted state if it has accepted the request to create a session key.
• Rejected: An oracle is in the Rejected state if it has rejected the request to create a session key.
• State*: if no decision on the previous states has been taken.
• Opened: if the oracle has answered a Reveal query.
Definition 3. Matching conversation: Two oracles $\Phi^n_{i,j}$ and $\Phi^l_{j,i}$ have a matching conversation if they hold identical session keys.
Definition 4. Fresh oracle: An oracle $\Phi^n_{i,j}$ is fresh if: it is in the accepted state; it is not in the opened state; the party j ≠ i is not corrupted; no oracle $\Phi^l_{j,i}$ in the opened state has a matching conversation with $\Phi^n_{i,j}$; and, if A is Type I, A has not requested the private key of party j, while if A is Type II, A has not replaced the public key of party j.
The fresh oracle definition allows party i to be corrupted, which is used to capture the key compromise impersonation attack.
After the Test query, A may continue to query the oracles, except that it may not make a Reveal query to the test oracle $\Phi^T_{I,J}$ or to an oracle $\Phi^l_{J,I}$ having a matching conversation with $\Phi^T_{I,J}$, and it cannot corrupt the user J. In addition, if A is Type I, A cannot ask for the partial private key of the participant J; and if A is Type II, A cannot replace the public key of the user J. At the end of the game, A must output a guess bit b'. A wins if and only if b' = b. The advantage of A in winning the game is defined as
$$\mathrm{Adv}^{\jmath} = \Pr[b' = b] - \frac{1}{2}. \qquad (5)$$
Definition 5. A certificateless AKA protocol is secure if:
• In the presence of a benign adversary on $\Phi^n_{i,j}$ and $\Phi^l_{j,i}$, both oracles always agree on the same session key, and this key is distributed uniformly at random.
• For any adversary A, the advantage $\mathrm{Adv}^{\jmath}$ of winning the game is negligible.
4 The proposed protocol

The proposed protocol is a new lightweight certificateless AKA for WBAN sensors and other IoT environments.

4.1 The proposed Certificateless AKA

In this section, a certificateless AKA scheme is proposed. It consists of six polynomial-time algorithms.
• Setup: This algorithm takes the security parameter ȷ as input and returns the system parameters and the master key. The KGC performs the following operations.
1. Given a security parameter ȷ, the KGC selects an additive group G of prime order q with generator P.
2. The KGC selects a random master key $s \in Z_q^*$ and calculates Ppub = sP as the master public key.
3. The KGC selects hash functions $H_1 : \{0,1\}^* \times G \rightarrow Z_q^*$ and $H_2 : \{0,1\}^* \times \{0,1\}^* \times G \times G \times G \times G \rightarrow \{0,1\}^{\jmath}$.
4. The KGC publishes the system params (Fp, E/Fp, G, q, P, Ppub, H1, H2) and keeps s secret.
• Partial-Private-Key: The KGC takes as input params, the master key s and the user identity IDi and returns the user's partial private key as follows.
1. The KGC selects a random number $e_i \in Z_q^*$ and computes Ri = eiP and hi = H1(IDi, Ri).
2. The KGC computes si = (ei + s·hi) mod q.
3. The KGC sets Qi = (si, Ri) as the user's partial private key.
4. User i verifies that the partial private key is valid by checking the equation siP = Ri + H1(IDi, Ri)Ppub.
• Set-Secret-Value: This algorithm takes params and the user's IDi, selects $u_i \in Z_q^*$ at random, and sets ui as the secret value.
• Set-Private-Key: The algorithm takes as input params, the partial private key Qi, the user's IDi and the secret value ui, and returns the user's private key di = (ui, Qi).
• Set-Public-Key: The algorithm takes as input params, the user's IDi and the secret value ui, and returns the user's public key Xi = uiP.
• Key-Agreement: Assume that user A establishes an authenticated key agreement with user B, where one is the sender and the other the receiver. The sender A with identity IDA possesses the private key dA = (uA, QA) and the public key XA = uAP. The receiver B with identity IDB possesses the private key dB = (uB, QB) and the public key XB = uBP. The sender A and the receiver B run the protocol as follows:
1. User A selects $a \in Z_q^*$, computes TA = aP and sends the message (IDA, TA) to B.
2. B selects $b \in Z_q^*$, computes TB = bP and sends the message (IDB, TB) to A.
Both A and B can then compute the shared secret. A computes
$$K_A = (R_B + h_B P_{pub}) + s_A P + a X_B + u_A T_B + a T_B \qquad (6)$$
and B computes
$$K_B = (R_A + h_A P_{pub}) + s_B P + b X_A + u_B T_A + b T_A. \qquad (7)$$
Correctness
$$\begin{aligned}
K_A &= (R_B + h_B P_{pub}) + s_A P + a X_B + u_A T_B + a T_B \\
    &= (e_B + s h_B)P + (e_A + s h_A)P + a u_B P + u_A T_B + abP \\
    &= s_B P + (e_A + s h_A)P + a u_B P + b u_A P + baP \\
    &= s_B P + (e_A + s h_A)P + b X_A + u_B T_A + b T_A \\
    &= (R_A + h_A P_{pub}) + s_B P + b X_A + u_B T_A + b T_A \\
    &= K_B = K.
\end{aligned}$$
The established session key is SK = H2(IDA, IDB, TA, TB, K).
Algorithm 1 Algorithm for the Certificateless AKA scheme
Input: {IDi, params, Qi, Ri, hi, si}
Output: SK = H2(IDA, IDB, TA, TB, K)
1: User i randomly selects $u_i \in Z_q^*$
2: Compute di = (ui, Qi)
3: Compute Xi = uiP
4: A session key is computed as follows
5: A randomly selects $a \in Z_q^*$ and
6: computes TA = aP
7: A sends (IDA, TA) to B
8: B randomly selects $b \in Z_q^*$ and
9: computes TB = bP
10: B sends (IDB, TB) to A
11: B computes KB = (RA + hAPpub) + sBP + bXA + uBTA + bTA
12: A computes KA = (RB + hBPpub) + sAP + aXB + uATB + aTB
13: if KB = KA = K then
14:   Return the session key SK = H2(IDA, IDB, TA, TB, K)
15: end if
4.2 User authentication and verification

The adopted proxy blind signature scheme satisfies the following security properties:
• Distinguishability. The proxy signature must be distinguishable from other digital signatures.
• Strong unforgeability. Only the designated proxy signer can create the proxy blind signature on behalf of the original signer.
• Non-repudiation. Neither of the signers, the original signer or the proxy, can deny their signatures to anyone.
• Verifiability. The proxy blind signature can be verified by everyone. After verification, the verifier is convinced that the original signer's message comes from a legitimate node.
• Strong undeniability. Since the delegation information is signed by the original signer and the proxy signature is generated with the proxy signer's secret key, neither signer can deny their behavior.
• Unlinkability. When the signer is revealed, the proxy signer cannot identify the association between the message and the blind signature he generated.
• Secret key dependency. The proxy key or delegation pair can be computed only with the original signer's secret key.
• Prevention of misuse. The proxy signer cannot use the proxy secret key for purposes other than generating valid proxy signatures. In case of misuse, the responsibility of the proxy signer can be determined explicitly.
Proxy blind signature. In this section, we present the proxy blind signature from [19], which is lightweight, has low computation costs and provides more security features than the existing blind signature schemes. The protocol involves the following entities: the signer or requester B, which is the receiver of the data from user A; the proxy signer Pr; the verifier node V; and the other decentralized nodes. The signature is produced through the following steps.
• Proxy delegation phase
1. Proxy generation. Let Qs = xs.G be the public key of the signer. The signer B selects a random number k ∈ [1, n − 1] and calculates α = kG = (α1, α2), where u ≡ α1 mod n and α1 is regarded as an integer in [1, q − 1]. B then computes β ≡ (xs + ku) (mod n) and Qp = βG.
2. Proxy delivery. The signer B sends (β, u) to the proxy Pr over a secure channel and makes Qp public.
3. Proxy verification. On receiving the secret key pair (β, u), the proxy signer Pr verifies its correctness by checking the equation
$$Q_p = \beta G = Q_s + u\alpha. \qquad (8)$$
• Proxy signing phase
1. The proxy signer Pr selects a random integer t ∈ [1, n − 1], calculates Z = t.G and sends it to the verifier V.
2. On receiving it, the verifier V selects ω, γ ∈ [1, n − 1] at random and computes
$$\alpha' = Z + \omega G - \gamma Q_p \qquad (9)$$
$$g = H(\alpha' \,\|\, M) \qquad (10)$$
$$g' = (g + \gamma) \bmod n \qquad (11)$$
and sends g' to the proxy signer node Pr.
3. On receiving g', Pr calculates
$$\beta' = (t - \beta \cdot g') \bmod n \qquad (12)$$
and sends it to V.
4. V calculates
$$\beta'' = (\beta' + \omega) \bmod n. \qquad (13)$$
The tuple (M, β'', g) is the proxy blind signature.
• Verification phase. The verifying node V computes
$$\delta = H((\beta'' G + g \cdot Q_p) \,\|\, M) \qquad (14)$$
and finally checks whether the proxy blind signature holds, i.e. whether δ = g.
• Correctness
The computed proxy blind signature verifies because the following equation holds:
$$H((\beta'' \cdot G + g \cdot Q_p) \,\|\, M) = H(\alpha' \,\|\, M). \qquad (15)$$
That is, using g' = g + γ from (11),
$$\begin{aligned}
\beta'' \cdot G + g \cdot Q_p &= (\beta' + \omega) G + g Q_p \\
&= \beta' G + \omega G + g Q_p \\
&= (t - \beta g') G + \omega G + g Q_p \\
&= tG - g' Q_p + \omega G + g Q_p \\
&= tG - (g + \gamma) Q_p + \omega G + g Q_p \\
&= tG - g Q_p - \gamma Q_p + \omega G + g Q_p \\
&= tG - \gamma Q_p + \omega G \\
&= Z - \gamma Q_p + \omega G \\
&= Z + \omega G - \gamma Q_p \\
&= \alpha'.
\end{aligned}$$
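The following is an added example, not code from this paper or from the scheme in [19]. It runs the certificateless AKA of Section 4.1 (Setup, Partial-Private-Key with the user's step-4 check, Set-Secret-Value, Set-Private-Key, Set-Public-Key and the Key-Agreement of eqs. (6) and (7)) and the proxy blind signature of Section 4.2 (delegation with the check of eq. (8), signing by eqs. (9) to (13), verification by eq. (14)) end to end. The curve y² = x³ + 2x + 2 over F_17 with base point (5, 1), the function names, the SHA-256 instantiations of H, H1 and H2, and the assumption that α is delivered to the proxy together with (β, u) so that eq. (8) can be checked are all assumptions made here for illustration; a real deployment needs a standard curve of cryptographic size.

```python
"""Added example (not the paper's code): the certificateless AKA (Sec. 4.1) and proxy blind
signature (Sec. 4.2) on a toy curve.  The curve y^2 = x^3 + 2x + 2 over F_17, its base point
and the SHA-256 instantiations of H, H1, H2 are assumptions; far too small for real use."""
import hashlib
import secrets

P_MOD, CA, CB = 17, 2, 2   # toy curve y^2 = x^3 + CA*x + CB over F_17 (assumed)
G = (5, 1)                 # base point: the paper's P (Sec. 4.1) and G (Sec. 4.2)

def ec_add(P1, P2):
    """Affine point addition; None stands for the point at infinity O."""
    if P1 is None or P2 is None:
        return P1 or P2
    (x1, y1), (x2, y2) = P1, P2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None                                   # P + (-P) = O
    if P1 == P2:                                      # doubling
        lam = (3 * x1 * x1 + CA) * pow(2 * y1, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

# Order n of G, found by walking its multiples; every scalar below lives in Z_n.
n, Q = 1, G
while Q is not None:
    Q, n = ec_add(Q, G), n + 1

def ec_mul(k, Pt):
    """Double-and-add scalar multiplication tP = P + ... + P (eq. 4)."""
    k, R = k % n, None
    while k:
        if k & 1:
            R = ec_add(R, Pt)
        Pt, k = ec_add(Pt, Pt), k >> 1
    return R

def digest(*parts):
    """SHA-256 over the '|'-joined parts; bytes are used as-is, points and ints via str()."""
    return hashlib.sha256(b"|".join(p if isinstance(p, bytes) else str(p).encode() for p in parts)).digest()

def h_int(*parts):
    """H and H1: hash to a non-zero scalar in Z_n* (assumed construction)."""
    return 1 + int.from_bytes(digest(*parts), "big") % (n - 1)

def rand_scalar():
    return 1 + secrets.randbelow(n - 1)

def register(s, Ppub, ID):
    """Sec. 4.1: KGC computes Q_i = (s_i, R_i); user i checks it (step 4), then sets u_i, d_i, X_i."""
    e, u = rand_scalar(), rand_scalar()                  # KGC's e_i; user's secret value u_i
    R = ec_mul(e, G)
    si = (e + s * h_int(ID, R)) % n
    assert ec_mul(si, G) == ec_add(R, ec_mul(h_int(ID, R), Ppub))  # s_i P = R_i + H1(ID_i, R_i) Ppub
    return {"ID": ID, "u": u, "s": si, "R": R, "X": ec_mul(u, G)}  # d_i = (u_i, Q_i), X_i = u_i P

def shared_point(me, peer, eph, peer_T, Ppub):
    """Eq. (6)/(7): K = (R_j + h_j Ppub) + s_i P + eph*X_j + u_i T_j + eph*T_j."""
    K = ec_add(peer["R"], ec_mul(h_int(peer["ID"], peer["R"]), Ppub))  # only peer's public values
    for term in (ec_mul(me["s"], G), ec_mul(eph, peer["X"]),
                 ec_mul(me["u"], peer_T), ec_mul(eph, peer_T)):
        K = ec_add(K, term)
    return K

def run_aka():
    """One protocol run between A and B; returns (SK_A, SK_B), which must agree."""
    s = rand_scalar()                                    # Setup: master key s
    Ppub = ec_mul(s, G)                                  # Ppub = sP
    A, B = register(s, Ppub, b"alice"), register(s, Ppub, b"bob")
    a, b = rand_scalar(), rand_scalar()                  # ephemeral secrets
    TA, TB = ec_mul(a, G), ec_mul(b, G)                  # sent as (ID_A, T_A) and (ID_B, T_B)
    KA, KB = shared_point(A, B, a, TB, Ppub), shared_point(B, A, b, TA, Ppub)
    H2 = lambda K: digest(A["ID"], B["ID"], TA, TB, K).hex()  # SK = H2(ID_A, ID_B, T_A, T_B, K)
    return H2(KA), H2(KB)

def delegate(xs):
    """Sec. 4.2 signer B: alpha = kG, u = alpha_1 mod n, beta = xs + k*u, Qp = beta*G; Pr checks (8)."""
    k = rand_scalar()
    alpha = ec_mul(k, G)
    u = alpha[0] % n
    beta = (xs + k * u) % n
    Qp = ec_mul(beta, G)
    assert Qp == ec_add(ec_mul(xs, G), ec_mul(u, alpha))  # proxy verification: Qp = Qs + u*alpha
    return beta, Qp

def proxy_blind_sign(beta, Qp, M):
    """Eqs. (9)-(13) between proxy Pr (holding beta) and verifier V; returns (M, beta'', g)."""
    t = rand_scalar()
    Z = ec_mul(t, G)                                     # Pr -> V
    w, gamma = rand_scalar(), rand_scalar()              # V's blinding factors
    alpha_p = ec_add(ec_add(Z, ec_mul(w, G)), ec_mul(-gamma, Qp))
    g = h_int(alpha_p, M)
    g_p = (g + gamma) % n                                # V -> Pr
    beta_p = (t - beta * g_p) % n                        # Pr -> V
    return (M, (beta_p + w) % n, g)

def verify_proxy_blind(sig, Qp):
    """Eq. (14): delta = H((beta'' G + g Qp) || M) must equal g."""
    M, beta_pp, g = sig
    return h_int(ec_add(ec_mul(beta_pp, G), ec_mul(g, Qp)), M) == g
```

Calling run_aka() returns the two parties' session keys, which agree exactly because of the correctness derivation of Section 4.1; proxy_blind_sign followed by verify_proxy_blind exercises the argument behind eq. (15), with the verifier's blinding factors ω and γ never leaving V. Because the curve is tiny, intermediate sums such as aX_B or gQ_p can land on the point at infinity, which is why the arithmetic handles O (None) explicitly rather than assuming it never occurs.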
4.3 Data encryption

• User A sends a message M to the receiver B, encrypted under the session key SK as follows:
(SK||M)
B obtains the encrypted message and uses the session key SK to recover the message from A. B then deletes SK.

5 Security analysis

This section analyzes the designed scheme through a formal security analysis in the ROM, an informal discussion of its security properties, and a comparison of the proposed scheme with existing protocols.

5.1 Formal analysis

The security analysis of the proposed protocol relies on the CDH assumption. We follow the security proof given in [20]. The CDH problem in the group G is as stated above. The two random oracles H1 and H2 follow the same idea as explained in [21]. For the security proof, we follow the theorems and lemmas given below.
Theorem 1. The proposed protocol is a secure certificateless AKA.
Proof: The certificateless AKA protocol is proved secure against the two types of adversaries. Theorem 1 is proved using the following Lemmas 1, 2 and 3.
Lemma 1. In the presence of a benign adversary, two matching oracles $\Phi^n_{i,j}$ and $\Phi^l_{j,i}$ establish the same session key as if there were no adversary, and the session key is distributed uniformly at random.
Proof. Suppose that i and j are two users of the protocol and Adv is a benign adversary. In this case, each oracle correctly receives the original messages sent by the other oracle; therefore, they agree on the same session key. Since a and b are chosen at random by users i and j, the common session key is the output of the hash function H2 on a random input. By the properties of the hash function, the session key is uniformly distributed over $\{0,1\}^{\jmath}$, as detailed in the correctness of our protocol. Because the numbers a and b are randomly chosen, the two oracles are matching, both are authorized, and the session key is consistently shared.
Thus user A computes
H2(IDA, IDB, TA, TB, KA)
and the application server/user B computes
H2(IDA, IDB, TA, TB, KB),
with KA = KB = K.
Finally, the matching oracles compute the session key
SK = H2(IDA, IDB, TA, TB, K).
Lemma 2. Assuming that the CDH problem is intractable, the advantage of a Type I adversary in winning the game is negligible in the ROM.
Proof. Assume that Adv makes at most $q_{H_2}$ H2 queries and creates at most $q_c$ parties, and let the advantage of Adv in winning the game be $\mathrm{Adv}^{\jmath}$. Then the challenger can solve the CDH problem with advantage $\frac{1}{q_c^2\, q_s\, q_{H_2}} \mathrm{Adv}^{\jmath}$, where $q_s$ is the maximum number of sessions each user can participate in.
Assume that a Type I adversary Adv can win with a non-negligible advantage $\mathrm{Adv}^{\jmath}$ in polynomial time t. We demonstrate that the challenger C can then solve the CDH problem with non-negligible probability, i.e. how C uses Adv to compute abP.
All of the adversary's queries now pass through C. The game is initiated when C selects a and sets Ppub = aP; C selects at random $I, J \in [1, q_{H_1}]$, $T \in [1, q_s]$ and $s_I, u_I, h_I \in Z_q^*$, computes RI = sIP and XI = uIP, sets Ppub as the system public key and sends the system params = {G, P, Ppub, H1, H2, ȷ} to Adv.
• Create(IDi): The challenger C maintains a list Lc, initially empty, of tuples (IDi, Qi, ui, Xi). If IDi = IDI, C sets the partial private key, private key and public key to Qi = (sI, RI), di = (uI, QI) and XI respectively; C also sets H1(IDI, RI) ← hI, where RI, uI and hI are as above. Otherwise, C chooses $u_i, s_i, h_i \in Z_q^*$ at random and computes Ri = siP − hiPpub and the public key Xi = uiP; then i's partial private key is Qi = (si, Ri), its private key di = (ui, Qi) and its public key Xi. Finally, C adds the tuples (IDi, Qi, ui, Xi) and (IDi, Ri, Xi, hi) to the lists Lc and LH1 respectively.
• H1 query: C keeps a list LH1, initially empty, of tuples of the form (IDi, Ri, Xi, hi). If (IDi, Ri, Xi) is on the list LH1, hi is returned. Otherwise, C executes the query Create(IDi) and returns hi.
• Public-Key(IDi): Upon receiving such a query, C looks for the tuple (IDi, Qi, ui, Xi) in the list Lc indexed by IDi and outputs Xi as the response.
• Partial-Private-Key(IDi): Upon receiving such a query, if IDi = IDI, C aborts. Otherwise, C looks for the tuple (IDi, Qi, ui, Xi) in the list Lc indexed by IDi and outputs Qi as the response.
• Corrupt(IDi): Upon receiving such a query, if IDi = IDI, C aborts; otherwise, C looks for the tuple (IDi, Qi, ui, Xi) in the list Lc indexed by IDi. If ui = ⊥, C outputs ⊥; else C returns (ui, Qi) as the response.
• Public-Key-Replacement(IDi, $X'_i$): If IDi = IDI, C aborts. Otherwise, C looks for the tuple (IDi, Qi, ui, Xi) in Lc indexed by IDi, updates Xi to $X'_i$ and sets ui = ⊥.
Computer Science & Engineering: An International Journal (CSEIJ), Vol 13, No 5/6, December 2023
24
• Send(Φn
i,j, µ) : Challenger C keeps empty list Ls consisting of tuples of the
form
(Φn
i,j, rn
i,j, µn
i,j, µn
j,i, Xn
i , Xn
j , SKn
i,j), where µn
j,i is the coming message, Xn
j is
the public key of the participant j received by Φn
i,j, Xn
i is the current public
key owned by the user i, rn
i,j, µn
i,j are described below. Upon receiving such
query, if µ ̸= α, challenger C sets µn
j,i = µ; else at the end of protocol, a
message will be returned. If Φn
i,j is accepted, challenger sets message to be
µn
j,i and similar response from Ls is given once the query has been requested
before, if not the challenger does as the following:
1. If n = T, IDi = IDI, IDj = IDJ , challenger C sets SKn
i,j = rn
i,j = ⊥
sets µn
i,j = aP, return µn
i,j as the answer and adds the tuple
(Φn
i,j, rn
i,j, µn
i,j, µn
j,i, Xn
i , Xn
j , SKn
i,j) to the list Ls.
2. Else, if IDi ̸= IDJ , selects a random rn
i,j ∈ Z∗
n, computes µn
i,j = rn
i,jPpub,
returns µn
i,j as the response, sets SKn
i,j = ⊥ and adds
(Φn
i,j, rn
i,j, µn
i,j, µn
j,i, Xn
i , Xn
j , SKn
i,j) to the list Ls.
3. Else, selects a random rn
i,j ∈ Z∗
n, computes µn
i,j = rn
i,jP, returns µn
i,j as
the response, sets SKn
i,j = ⊥, and adds (Φn
i,j, rn
i,j, µn
i,j, µn
j,i, Xn
i , Xn
j , SKn
i,j)
to the list Ls.
• Reveal(Φn
i,j): Once receive such query, challenger C calls Ls for a tuple
(Φn
i,j, rn
i,j, µn
i,j, µn
j,i, Xn
i , Xn
j , SKn
i,j), sets µn
i,j = Ti and µn
j,i = Tj if SKn
i,j ̸= ⊥,
then challenger C returns SKn
i,j as the response. Otherwise, challenger C
looks for the tuple (IDi, Qi, ui, Xi) on the list Lc and does the following:
– If n = T, IDi = IDI, IDj = IDJ or (Φn
i,j) is oracle which has the
matched conversation with (ΦT
I,J ), challenger C aborts.
– Else if IDi ̸= IDI, there are two steps:
1. Challenger C looks in the list LH2 and Lc for the corresponding tuples
IDi, IDj, Ti, Tj, Xi, XjKn
i,j, hu

and (IDi, Qi, ui, Xi), then computes
Kn
i,j = (Ri + hiPpub) + siP + rn
i,jXi + uiTn
j,i + rn
i,jTn
j,i,
2. Otherwise, randomly sample SKi ∈ {0, 1}
ȷ
and return SKn
i;j as the
answer.
• H2query: Challenger C maintains a list LH2
of the form
(IDi
u, IDj
u, Ti
u, Tj
u, Ki,j
u , hu) and responds with H2 queries
(IDi
u, IDj
u, Ti
u, Tj
u, Ki,j
u ) in the following ways:
1. If a tuple indexed by (IDi
u, IDj
u, Ti
u, Tj
u, Ki,j
u ) is already in LH2
, chal-
lenger responds with the corresponding hu.
2. Else challenger C chooses hu ∈ {0, 1}
ȷ
. Challenger C chooses hu ∈ {0, 1}
ȷ
and add the tuple
(IDi
u, IDj
u, Ti
u, Tj
u, Ki,j
u , hu) to the list LH2
• Test(Φn
i,j): At certain level, challenger C will request a test query on some
oracles. If challenger C does not choose one of the oracles ΦT
I,J to request
the Test query, then C aborts. Otherwise, C only outputs a random value
b ∈ {0, 1}
ȷ
. The probability that C selects ΦT
I,J as the Test oracle is 1
q2
c qs
. For
this case, challenger C wouldn’t have made Corrupt(ΦT
I,J ) or Reveal(ΦT
I,J )
queries, and so challenger C would not have aborted. If challenger C can
win a such game, then challenger C must have made the corresponding H2
Computer Science  Engineering: An International Journal (CSEIJ), Vol 13, No 5/6, December 2023
25
query of the form (IDi
T , IDj
T , Ti
T , Tj
T , Ki,j
T ). If ΦT
I,J is the initiator oracle
or else (IDi
T , IDj
T , Ti
T , Tj
T , Ki,j
T ), with overwhelming probability because H2
is a random oracle. Thus C can find the corresponding item in the H2 list
with probability and 1
qH2
and outputs Ki
T − sIaP − (RJ + hJ Ppub − rT
I,J Xi)
as a solution to the CDH problem. The probability that C solves the CDH
problem is ε
q2
c qsqH2
.
Lemma 3. Under the assumption that the CDH problem is intractable, the advantage of a Type II adversary $\mathcal{A}^2_{dv}$ against our protocol is negligible in the ROM.

Proof. Suppose that there is a Type II adversary $\mathcal{A}^2_{dv}$ who can win the game defined in section 4 with a non-negligible advantage in polynomial time $t$; that is, $\mathcal{A}^2_{dv}$ wins the game with non-negligible probability $\varepsilon$. We show how to use the ability of $\mathcal{A}^2_{dv}$ to construct an algorithm $C$ that solves the CDH problem. Suppose the challenger $C$ is given an instance $(aP, bP)$ of the CDH problem and wants to compute $cP$ with $c = ab \bmod q$. $C$ first chooses $s \in \mathbb{Z}_q^*$ at random, sets $sP$ as the system public key $P_{pub}$, selects the system parameters $\langle F_p, E/F_p, G, P, P_{pub}, H_1, H_2 \rangle$, and sends the parameters and the master key $s$ to $\mathcal{A}^2_{dv}$. Suppose $\mathcal{A}^2_{dv}$ makes at most $q_{H_i}$ $H_i$ queries and creates at most $q_c$ participants, and let $q_s$ be the maximum number of sessions each participant can run. Then $C$ selects at random $I, J \in [1, q_{H_1}]$ and $T \in [1, q_s]$, and responds to the queries as follows.
• Create($ID_i$): $C$ maintains an initially empty list $L_c$ of tuples of the form $(ID_i, u_i, X_i)$. If $ID_i = ID_I$, $C$ selects random $r_i, h_i \in \mathbb{Z}_q^*$ and computes $R_i = r_i P$, $s_i = (e_i + h_i s) \bmod q$ and the public key $X_i = u_i P$; then $i$'s partial private key and private key are $Q_i = (s_i, R_i)$ and $d_i = \{\bot, Q_i\}$, and $i$'s public key is $X_i$. Otherwise, $C$ selects random $u_i, e_i, h_i \in \mathbb{Z}_q^*$ and computes $s_i = e_i + s h_i$, $R_i = e_i P$ and $X_i = u_i P$. Then $i$'s partial private key, private key and public key are $Q_i = (s_i, R_i)$, $d_i = \{u_i, Q_i\}$ and $X_i$. Finally, $C$ adds the tuple $(ID_i, R_i, h_i)$ to the list $L_{H_1}$ and the tuple $(ID_i, Q_i, u_i, X_i)$ to the list $L_c$. $C$ answers the $H_1(ID_i, R_i)$, Public-Key($ID_i$), Corrupt($ID_i$), Send($\Phi^n_{i,j}, \mu$), Reveal($\Phi^n_{i,j}$), $H_2$ and Test($\Phi^T_{I,J}$) queries of $\mathcal{A}^2_{dv}$ as in Lemma 2. The probability that $C$ selects $\Phi^T_{I,J}$ as the Test oracle is $\frac{1}{q_c^2\, q_s}$. In this case, Corrupt($\Phi^T_{I,J}$) and Reveal($\Phi^T_{I,J}$) queries would not have been made, and so $C$ would not have aborted. If the adversary wins such a game, then it must have made the corresponding $H_2$ query of the form $(ID_i^T, ID_j^T, T_i^T, T_j^T, K_{i,j}^T)$ if $\Phi^T_{I,J}$ is the initiator oracle, or $(ID_j^T, ID_i^T, T_j^T, T_i^T, K_{i,j}^T)$ otherwise, with overwhelming probability, because $H_2$ is a random oracle. Thus $C$ can find the corresponding item in the $H_2$ list with probability $\frac{1}{q_{H_2}}$ and outputs $K_i^T - s_I bP - (R_J + h_J P_{pub} - r^T_{I,J} X_j)$ as a solution to the CDH problem. The probability that $C$ solves the CDH problem is $\frac{\varepsilon}{q_c^2\, q_s\, q_{H_2}}$.
Theorem 2. The proposed protocol provides perfect forward secrecy if the CDH problem in G is hard.

Proof. Assume that users A and B have computed the session key SK with the Certificateless AKA protocol, and that afterwards their long-term private keys SKA and SKB are compromised. Let a and b be the secret values used by user A and user B when they compute the common session key. An attacker who possesses SKA, SKB, TA = aP and TB = bP for secrets a and b must still recover abP. To recover abP without knowing either a or b, the attacker would have to solve the CDH problem in G, whose success probability is negligible under the CDH assumption. Therefore, the Certificateless AKA provides perfect forward secrecy.
5.2 Informal analysis of security requirements

We present informally the security features provided by our proposed lightweight Certificateless AKA.
• Unknown key share: An attacker cannot obtain the session key used to encrypt and sign the message M, because at each session a new key is established between user A and user B, and computing the CDH value c = ab is hard.
• Key compromise impersonation: If user A's long-term key leaks, the adversary will send a request to the KGC to query the user's partial private key; this corresponds to the Type I attack. However, in our protocol, an adversary who wants to find the master key or the private key of a user has to recover a from aP, which by our assumption is a hard problem on the elliptic curve group G with generator P.
• Key control: Neither user can control the agreed key alone, because it is derived from temporary keys and computed jointly by the two parties A and B.
• Key escrow: Although a malicious KGC can calculate the partial private key Qi, it cannot compute di = (ui, Qi), because user A and user B select ui at random to complete their private keys.
• Anonymity: The proposed protocol protects the anonymity of nodes during the mediated signature creation, since the content of the message is not revealed, due to the blindness of the proxy signature.
• Non-repudiation: Other nodes on the chain cannot deny the use of data, since they can verify the authenticity of user B because the proxy blind signature is verifiable.
• Immutability: Since the data broadcast by user B forms a decentralized ledger, no other user/node can modify its content.
• Verifiability: Blockchain/decentralized transactions are publicly known to the chain. Any user can check the transactions and hashes all the way back to the previous block.
• Consensus mechanism: User A sends a consensus message K||M to the blockchain as permission to use its data. This is required before the data is used.
• Unlinkability: When the signer is revealed, the proxy signer Pr cannot identify the association between the message and the blind signature he created. This is shown in the verification phase: the signer checks only whether $\delta = H((\beta'' G + g \cdot Q_p) \,\|\, M)$ holds. He is not aware of the original signer's private key or the proxy's private key. Thus the signer knows neither the message nor the signature associated with the signature scheme.
• Indistinguishability: The proxy's key is not similar to the original signer's private key, and proxy keys created by different proxy signers differ from each other; any proxy signature is distinguishable from the original signer's signature, and different proxy signers' signatures are different from each other.
5.3 Performance analysis

In this section, we compare our protocol with other recent related protocols in terms of security features, computation costs and communication costs. Five related protocols were compared, including our proposed certificateless AKA. The protocols designed in [4], [11], [1], [5] and our proposed protocol achieve different security properties. We take into consideration five security properties such as key escrow avoidance, distinguishability, verifiability, unlinkability, consensus, strong undeniability and decentralized architecture. Table 2 presents the comparison of the achieved security properties.

Table 2. Functionality features comparison

Feature               [4]   [11]   [1]   [5]   Ours
Key escrow            ✗     ✓      ✗     ✓     ✓
Distinguishability    ✓     ✗      ✗     ✗     ✓
Unlinkability         ✗     ✗      ✗     ✗     ✓
Strong undeniability  ✗     ✗      ✗     ✗     ✓
Decentralized         ✗     ✗      ✗     ✓     ✓

We denote a point multiplication by Tm, a hash function operation by Th, a bilinear pairing operation by Te, and a symmetric encryption or decryption by Tse. Table 3 shows the comparison of computation cost and communication cost, assuming that the size of |m| is 160/80 bytes, similar to that of Z∗q, the size of |ID| is 80/8 bytes, the size of a compressed G1 element is reduced to |G1| = 65 bytes, and the size of |tc| is 2 bytes [11].

Table 3. The comparison based on computation and communication costs

Scheme   Computation cost (User A)   Computation cost (User B)   Communication cost
[5]      2Tm + Te + 2Th              2Tm + Te + 2Th              2ID + 2Z∗q
[4]      6Tm                         6Tm                         4Z∗q + 4G1 + 2tc + 2ID
[11]     3Tm + 4Th                   7Tm + 4Th                   2Z∗q + G1 + tc
[1]      2Tm + 1Th                   1Te + 1Tse + 1Th            1Z∗q + 1G1 + ID + Right + tc + MAC
Ours     4Tm + 2Th                   4Tm + 2Th                   2ID + 2Z∗q

The comparison in Table 3 of the computation and communication costs of the five protocols shows that our proposed protocol has lower computation costs, with 4Tm + 2Th on both user A and user B.
6 Conclusion and future work

Authenticated key agreement protocols are important for critical power devices to provide security and privacy of sensitive information. Thus, a certificateless AKA is proposed. A session key is established between user A and the decentralized user B to ensure secure communication. The certificateless AKA achieves more security features than the compared existing AKA protocols, such as key escrow avoidance, distinguishability, verifiability, consensus and strong undeniability. In addition, a lightweight proxy blind signature between decentralized users/nodes is presented to provide anonymity of the message content. The proposed protocol is secure in the random oracle model and is lightweight enough for low-capability devices. In future work, we propose and recommend designing a lightweight AKA based on proxy re-signature that can work on both cloud and IoT big data.

Acknowledgements

This work is supported by Pivot Access Ltd, Kigali, Rwanda.

References

[1] Li, T., Zheng, Y., Zhou, T.: Efficient anonymous authenticated key agreement scheme for wireless body area networks. Security and Communication Networks 2017 (2017)
[2] Al-Riyami, S.S., Paterson, K.G.: Certificateless public key cryptography. In: International Conference on the Theory and Application of Cryptology and Information Security. pp. 452–473. Springer (2003)
[3] Swanson, C.M.: Security in key agreement: Two-party certificateless schemes. Master's thesis, University of Waterloo (2008)
[4] Saeed, M.E.S., Liu, Q.Y., Tian, G., Gao, B., Li, F.: AKAIoTs: Authenticated key agreement for Internet of Things. Wireless Networks 25(6), 3081–3101 (2019)
[5] Mwitende, G., Ye, Y., Ali, I., Li, F.: Certificateless authenticated key agreement for blockchain-based WBANs. Journal of Systems Architecture 110, 101777 (2020)
[6] Gervais, M., Sun, L., Wang, K., Li, F.: Certificateless authenticated key agreement for decentralized WBANs. In: International Conference on Frontiers in Cyber Security. pp. 268–290. Springer (2019)
[7] Shen, J., Chang, S., Shen, J., Liu, Q., Sun, X.: A lightweight multi-layer authentication protocol for wireless body area networks. Future Generation Computer Systems 78, 956–963 (2018)
[8] Li, X., Peng, J., Kumari, S., Wu, F., Karuppiah, M., Choo, K.K.R.: An enhanced 1-round authentication protocol for wireless body area networks with user anonymity. Computers & Electrical Engineering 61, 238–249 (2017)
[9] Jiang, Q., Lian, X., Yang, C., Ma, J., Tian, Y., Yang, Y.: A bilinear pairing based anonymous authentication scheme in wireless body area networks for mHealth. Journal of Medical Systems 40(11), 1–10 (2016)
[10] Jia, X., He, D., Kumar, N., Choo, K.K.R.: Authenticated key agreement scheme for fog-driven IoT healthcare system. Wireless Networks 25(8), 4737–4750 (2019)
[11] Omala, A.A., Kibiwott, K.P., Li, F.: An efficient remote authentication scheme for wireless body area network. Journal of Medical Systems 41(2), 1–9 (2017)
[12] Wazid, M., Das, A.K., Kumar, N., Conti, M., Vasilakos, A.V.: A novel authentication and key agreement scheme for implantable medical devices deployment. IEEE Journal of Biomedical and Health Informatics 22(4), 1299–1309 (2017)
[13] Hou, M., Xu, Q.: A two-party certificateless authenticated key agreement protocol without pairing. In: 2009 2nd IEEE International Conference on Computer Science and Information Technology. pp. 412–416. IEEE (2009)
[14] Li, F., Shirase, M., Takagi, T.: Key management using certificateless public key cryptography in ad hoc networks. In: IFIP International Conference on Network and Parallel Computing. pp. 116–126. Springer (2008)
[15] Sayid, J., Sayid, I., Kar, J.: Certificateless public key cryptography: A research survey. International Journal of Security and Its Applications 10(7), 103–118 (2016)
[16] Hankerson, D., Menezes, A.J., Vanstone, S.: Guide to elliptic curve cryptography. Springer Science & Business Media (2006)
[17] He, D., Chen, J., Hu, J.: A pairing-free certificateless authenticated key agreement protocol. International Journal of Communication Systems 25(2), 221–230 (2012)
[18] Zhang, L., Zhang, F., Wu, Q., Domingo-Ferrer, J.: Simulatable certificateless two-party authenticated key agreement protocol. Information Sciences 180(6), 1020–1030 (2010)
[19] Alghazzawi, D.M., Salim, T.M., Hasan, S.H.: A secure proxy blind signature scheme using ECC. In: International Conference on Networked Digital Technologies. pp. 47–52. Springer (2011)
[20] He, D., Chen, Y., Chen, J., Zhang, R., Han, W.: A new two-round certificateless authenticated key agreement protocol without bilinear pairings. Mathematical and Computer Modelling 54(11-12), 3143–3152 (2011)
[21] Bellare, M., Rogaway, P.: Random oracles are practical: A paradigm for designing efficient protocols. In: Proceedings of the 1st ACM Conference on Computer and Communications Security. pp. 62–73 (1993)
BIOGRAPHY

Dr. Mwitende Gervais is Deputy Principal of Academics and Training and Senior Lecturer at Rwanda Polytechnic/IPRC Gishari. He started his career in education at the former National University of Rwanda (NUR), where he spent four years, and moved to Rwanda Polytechnic in 2013 as Lecturer in the ICT department. Gervais is a consultant to the ICT industry in Cybersecurity R&D and Compliance. During his 16 years in education, many students were supervised and graduated under his responsibility. He earned his bachelor's degree in computer science from the National University of Rwanda, a postgraduate qualification from CDAC Mohali, India, a Master's in computer science from NUR, and a PhD in Cryptography and Cybersecurity from the University of Electronic Science and Technology of China (UESTC). He has published 6 scientific, industry-oriented papers in well-known journals, and he is a member of Telecommunication Systems (Springer) and Blockchain & Cryptocurrency B2C. He is certified as an ISO 27003 Cybersecurity Lead Auditor, certified as an Inclusive Education Trainer, and recently completed the certification of GVV
More Related Content

PDF
Analysis and improvement of pairing free certificate-less two-party authentic...
PDF
An efficient distributed group key management using hierarchical approach wit...
PDF
A LIGHT-WEIGHT MUTUAL AUTHENTICATION AND KEY-EXCHANGE PROTOCOL BASED ON ELLIP...
PDF
IRJET-A Survey On Group Key Agreement for Securely Sharing a Secret Key
PDF
Symmetric Key Encryption Decryption Technique Using Image Based Key Generation
PDF
New Secure Proxy Signature Scheme with Fault Tolerance Based On Factoring and...
PDF
I26043047
PDF
Authentication in Different Scenarios
Analysis and improvement of pairing free certificate-less two-party authentic...
An efficient distributed group key management using hierarchical approach wit...
A LIGHT-WEIGHT MUTUAL AUTHENTICATION AND KEY-EXCHANGE PROTOCOL BASED ON ELLIP...
IRJET-A Survey On Group Key Agreement for Securely Sharing a Secret Key
Symmetric Key Encryption Decryption Technique Using Image Based Key Generation
New Secure Proxy Signature Scheme with Fault Tolerance Based On Factoring and...
I26043047
Authentication in Different Scenarios

Similar to Lightweight Certificateless Authenticated Key Agreement Protocoln (20)

PPT
Privacy preserving secure data exchange in mobile P2P
PDF
Machine to Machine Authenticated Key Agreement with Forward Secrecy for Inter...
PDF
Machine to Machine Authenticated Key Agreement with Forward Secrecy for Inter...
PDF
DYNAMIC SESSION KEY EXCHANGE METHOD USING TWO S-BOXES
DOCX
Effective Key Management in Dynamic Wireless Sensor Networks
PDF
Secure key exchange thrtough elgamal cryptography in ad hoc networks ijser fo...
PDF
A Secure Proxy Signature Scheme with Fault Tolerance Based On Discrete Logari...
PPTX
Effective key management in dynamic wireless sensor networks
PDF
IMPERSONATION ATTACK ON EKE PROTOCOL
PDF
A PROXY SIGNATURE SCHEME BASED ON NEW SECURE AUTHENTICATED KEY AGREEMENT PROT...
PDF
Authentication in Different Scenarios
PDF
Effective Key Management in Dynamic Wireless Sensor Networks
PDF
Effective key management in dynamic wireless sensor network
PDF
Authenticated Key Agreement Protocol with Forward Secrecy for Securing Cyber ...
PPT
Krishna thesis presentation
PDF
Empirical Study of a Key Authentication Scheme in Public Key Cryptography
PDF
Da24658663
PDF
SURVEY AND TAXONOMY OF KEY MANAGEMENT PROTOCOLS FOR WIRED AND WIRELESS NETWORKS
PDF
A New Key Agreement Protocol Using BDP and CSP in Non Commutative Groups
PDF
Ijcnc050210
Privacy preserving secure data exchange in mobile P2P
Machine to Machine Authenticated Key Agreement with Forward Secrecy for Inter...
Machine to Machine Authenticated Key Agreement with Forward Secrecy for Inter...
DYNAMIC SESSION KEY EXCHANGE METHOD USING TWO S-BOXES
Effective Key Management in Dynamic Wireless Sensor Networks
Secure key exchange thrtough elgamal cryptography in ad hoc networks ijser fo...
A Secure Proxy Signature Scheme with Fault Tolerance Based On Discrete Logari...
Effective key management in dynamic wireless sensor networks
IMPERSONATION ATTACK ON EKE PROTOCOL
A PROXY SIGNATURE SCHEME BASED ON NEW SECURE AUTHENTICATED KEY AGREEMENT PROT...
Authentication in Different Scenarios
Effective Key Management in Dynamic Wireless Sensor Networks
Effective key management in dynamic wireless sensor network
Authenticated Key Agreement Protocol with Forward Secrecy for Securing Cyber ...
Krishna thesis presentation
Empirical Study of a Key Authentication Scheme in Public Key Cryptography
Da24658663
SURVEY AND TAXONOMY OF KEY MANAGEMENT PROTOCOLS FOR WIRED AND WIRELESS NETWORKS
A New Key Agreement Protocol Using BDP and CSP in Non Commutative Groups
Ijcnc050210
Ad

More from CSEIJJournal (20)

PDF
CFP : 11th International Conference on Natural Language Computing (NATL 2025)
PDF
Soil Analysis, Disease Detection and Pesticide Recommendation for Farmers usi...
PDF
Sentiment Patterns in YouTube Comments: A Comprehensive Analysis
PDF
AI-Enabled Fruit Decay Detection - CSEIJ
PDF
Mind-Balance: AI-Powered Mental Health Assistant
PDF
CFP : 4th International Conference on NLP and Machine Learning Trends (NLMLT ...
PDF
CFP : 6th International Conference on Machine Learning Techniques and NLP (ML...
PDF
Enhancing Surveillance System through EdgeComputing: A Framework For Real-Tim...
PDF
Ranjan.G, S. Akshatha, Sandeep.N and Vasanth.A, Acharya Institute of Technolo...
PDF
CAN WE TRUST MACHINES? A CRITICAL LOOK AT SOME MACHINE TRANSLATION EVALUATION...
PDF
CFP : 4th International Conference on Computer Science and Information Techno...
PDF
Artificial Intelligence and Machine Learning Based Plant Monitoring
PDF
RNN-GAN Integration for Enhanced Voice-Based Email Accessibility: A Comparati...
PDF
CFP : 6 th International Conference on Big Data and Applications (BDAP 2025)
PDF
CFP : 12th International Conference on Computer Science and Information Techn...
PDF
Can We Trust Machines? A Critical Look at Some Machine Translation Evaluation...
PDF
RNN-GAN Integration for Enhanced Voice-Based Email Accessibility: A Comparati...
PDF
CFP : 6 th International Conference on Data Mining and Software Engineering (...
DOCX
CFP : 6th International Conference on Machine Learning Techniques and NLP (ML...
PDF
Enhancing Student Engagement and Personalized Learning through AI Tools: A Co...
CFP : 11th International Conference on Natural Language Computing (NATL 2025)
Soil Analysis, Disease Detection and Pesticide Recommendation for Farmers usi...
Sentiment Patterns in YouTube Comments: A Comprehensive Analysis
AI-Enabled Fruit Decay Detection - CSEIJ
Mind-Balance: AI-Powered Mental Health Assistant
CFP : 4th International Conference on NLP and Machine Learning Trends (NLMLT ...
CFP : 6th International Conference on Machine Learning Techniques and NLP (ML...
Enhancing Surveillance System through EdgeComputing: A Framework For Real-Tim...
Ranjan.G, S. Akshatha, Sandeep.N and Vasanth.A, Acharya Institute of Technolo...
CAN WE TRUST MACHINES? A CRITICAL LOOK AT SOME MACHINE TRANSLATION EVALUATION...
CFP : 4th International Conference on Computer Science and Information Techno...
Artificial Intelligence and Machine Learning Based Plant Monitoring
RNN-GAN Integration for Enhanced Voice-Based Email Accessibility: A Comparati...
CFP : 6 th International Conference on Big Data and Applications (BDAP 2025)
CFP : 12th International Conference on Computer Science and Information Techn...
Can We Trust Machines? A Critical Look at Some Machine Translation Evaluation...
RNN-GAN Integration for Enhanced Voice-Based Email Accessibility: A Comparati...
CFP : 6 th International Conference on Data Mining and Software Engineering (...
CFP : 6th International Conference on Machine Learning Techniques and NLP (ML...
Enhancing Student Engagement and Personalized Learning through AI Tools: A Co...
Ad

Recently uploaded (20)

PDF
Soil Improvement Techniques Note - Rabbi
PPTX
Nature of X-rays, X- Ray Equipment, Fluoroscopy
PPTX
Current and future trends in Computer Vision.pptx
PDF
Automation-in-Manufacturing-Chapter-Introduction.pdf
PDF
PPT on Performance Review to get promotions
PPTX
introduction to high performance computing
PDF
Analyzing Impact of Pakistan Economic Corridor on Import and Export in Pakist...
PPTX
Fundamentals of Mechanical Engineering.pptx
PDF
737-MAX_SRG.pdf student reference guides
PDF
PREDICTION OF DIABETES FROM ELECTRONIC HEALTH RECORDS
PDF
Categorization of Factors Affecting Classification Algorithms Selection
PPTX
MET 305 2019 SCHEME MODULE 2 COMPLETE.pptx
PDF
A SYSTEMATIC REVIEW OF APPLICATIONS IN FRAUD DETECTION
PPTX
Artificial Intelligence
PDF
The CXO Playbook 2025 – Future-Ready Strategies for C-Suite Leaders Cerebrai...
PDF
III.4.1.2_The_Space_Environment.p pdffdf
PPT
Occupational Health and Safety Management System
PPTX
communication and presentation skills 01
PDF
null (2) bgfbg bfgb bfgb fbfg bfbgf b.pdf
PPTX
Fundamentals of safety and accident prevention -final (1).pptx
Soil Improvement Techniques Note - Rabbi
Nature of X-rays, X- Ray Equipment, Fluoroscopy
Current and future trends in Computer Vision.pptx
Automation-in-Manufacturing-Chapter-Introduction.pdf
PPT on Performance Review to get promotions
introduction to high performance computing
Analyzing Impact of Pakistan Economic Corridor on Import and Export in Pakist...
Fundamentals of Mechanical Engineering.pptx
737-MAX_SRG.pdf student reference guides
PREDICTION OF DIABETES FROM ELECTRONIC HEALTH RECORDS
Categorization of Factors Affecting Classification Algorithms Selection
MET 305 2019 SCHEME MODULE 2 COMPLETE.pptx
A SYSTEMATIC REVIEW OF APPLICATIONS IN FRAUD DETECTION
Artificial Intelligence
The CXO Playbook 2025 – Future-Ready Strategies for C-Suite Leaders Cerebrai...
III.4.1.2_The_Space_Environment.p pdffdf
Occupational Health and Safety Management System
communication and presentation skills 01
null (2) bgfbg bfgb bfgb fbfg bfbgf b.pdf
Fundamentals of safety and accident prevention -final (1).pptx

Lightweight Certificateless Authenticated Key Agreement Protocoln

  • 1. Lightweight Certificateless Authenticated Key Agreement Protocol Pivot Access Ltd, Kigali, Rwanda Abstract. Data security and privacy are important to prevent the re- veal, modification and unauthorized usage of sensitive information. The introduction of using critical power devices for internet of things (IoTs), e-commerce, e-payment, and wireless sensor networks (WSNs) has brought a new challenge of security due to the low computation capability of sen- sors. Therefore, the lightweight authenticated key agreement protocols are important to protect their security and privacy. Several researches have been published about authenticated key agreement. However, there is a need of lightweight schemes that can fit with critical capability de- vices. Addition to that, a malicious key generation center (KGC) can become a threat to watch other users, i.e impersonate user by causing the key escrow problem. Therefore, we propose a lightweight certificate- less Authenticated Key Agreement (AKA) based on the computation Diffie-Hellman problem (CDHP). The proposed protocol maintains the characteristics of certificateless public key cryptography. The protocol is split into two combined phases. In the first phase, our protocol es- tablishes a session key between users (sender and receiver). In the sec- ond phase, we use a lightweight proxy blind signature based on elliptic curve discrete logarithm problem (ECDLP). The used proxy signature has small computation costs, and can fit for small devices such sensors and protects against un-authentication and un-authorization on decen- tralized system. Compared to the existing AKA schemes, our scheme has small computation costs. The protocol achieves the well known security features compared to the related protocols. Keywords: Cerificateless AKA · distinguishability· Session key · proxy blind signature · forward secrecy · decentralized. 
AKA protocols are one of the most important primitive that are useful for infor- mation security and privacy. AKA protocol involves the participation of two or more parties that share their public parameters so that they can compute a secret key for their secure communication over an open network. The parties in AKA 1 Introduction Dr. Eng. MwitendeGervais Computer Science & Engineering: An International Journal (CSEIJ), Vol 13, No 5/6, December 2023 DOI:10.5121/cseij.2023.13602 11
  • 2. can authenticate each other and encrypt messages in a way that only a com- puted session key can decrypt them. AKA protocol was introduced to prevent the passive and active attacks [1]. The implementation of AKA protocols can be realized by deploying a public-key infrastructure (PKI) or identity-based (ID- based) cryptography, which was proven to be difficult and vulnerable because of the PKI-based protocols suffer from heavy certificate management burden while ID-based cryptographic systems require all parties to trust a KGC. Our paper investigate AKA schemes and design a lightweight certificateless AKA which can be applied in different areas of technology such as on wireless sensor networks (WSN), wireless body area networks, as well as on other IoTs systems. The first introduced certificateless AKA without trust of third party was proved infor- mally in [2]. Since then, alot of certificateless protocols have been designed. The formal proof of certificateless AKA was presented in [3], and has attracted many researches. Numerous certificateless AKA schemes using pairings have been pro- posed. However, the computation cost of a pairing is very higher than scalar multiplication over elliptic curve group. Therefore, certificateless AKA without pairing CLAKA protocols would be more useful in terms of efficiency. Recently, several lightweigh AKA protocols have been designed. Authors in [4] proposed an authentication and key agreement protocol to be used for WSNs. It established a session key between sensor node and management server. Their protocol can achieves important security properties for IoTs such as forward secrecy, known session key prevention, and key control. The KGC computes private keys for both entities. Authors in [5] proposed a certificateless AKA for WBAN. Their pro- tocol achieves differents security properties and it is high in computation costs due to the bilinear pairings involved in their scheme. 
Gervais et al.[6] proposed a CLAKA protocol for healthcare based on decentralized system. Their protocol achieves the well known certificateless security properties and uses security me- diated signature. Authors in [7] proposed a cloud-aided lightweight certificateless authentication protocol with anonymity for WBANs. Their protocol consists of a three layer structure, provides anonymity, and its cost for equipment could be high. Li et al. [8] designed an enhanced authentication protocol for body sensors. It provides mutual authentication and session key. The protocol is certificate- less, resistant to offline-password guessing attack and was proved in BAN logic. Jiang et al. [9] designed a pairing-based anonymous authentication scheme for body sensors. The protocol establishes a session key between client and appli- cation server. It is a lightweight and it is proved under CDH assumption. An anonymous AKA fog computing for healthcare system was proposed in [10]. The protocol requires a password for user registration and fog revocation while estab- lishing the session key between IoT devices, the fog devices and cloud. Authors [11] proposed an authentication scheme for WBAN. Their protocol offers some known security features such as anonymity and unlinkability. A mobile client and application server compute a shared key agreement. Authors of [12] pro- posed an authentication and key agreement protocol. Their protocol achieves some important security features such as anonymity and untraceability. Computer Science & Engineering: An International Journal (CSEIJ), Vol 13, No 5/6, December 2023 12
1.1 Motivation and Contribution

It is important to protect sensitive information transmitted and processed by small devices. A malicious party can weaken a vulnerable medical system and gain unauthorized access to sensitive data. We therefore set up a secure lightweight authenticated key agreement between communicating nodes/users. In addition, the service provider and the storage should avoid the security risks of a single point of failure and of centralized management. Since body sensors for healthcare are critical, resource-constrained devices, protocols that run on them must be lightweight. Hence, in this paper, we design a lightweight certificateless AKA protocol to secure transmission in a decentralized system. The protocol provides the important security features of AKA and of proxy blind signatures, while the decentralized architecture improves security by avoiding ownership of the system by a single administrator. Our contributions are:

• A certificateless AKA for a decentralized system, providing forward secrecy. A session key is established between user A, the owner of the sensitive data, and user B, the receiver of the data, who at the same time acts as the decentralized node.
• A lightweight proxy blind signature based on the ECDLP, used to provide authentication and verification of the data origin among the decentralized nodes. The proxy blind signature provides distinguishability and unlinkability, and is efficient enough for resource-constrained devices.
• Low computation overhead, since only a few point multiplications and hash evaluations are used in the protocol.
• Formal and informal analyses showing that the protocol is secure in the random oracle model under the CDH and ECDL assumptions.

1.2 Organization

Section 2 discusses the preliminaries. Section 3 presents the model of the certificateless AKA protocol. Section 4 describes the proposed protocol. Section 5 analyzes the proposed protocol, and Section 6 concludes the paper.

2 Preliminaries

2.1 Notations

The notation used in this paper is listed in Table 1.
Table 1. Notations and description

Notation      Description
P_pub         The public key of the KGC
s             Master secret key
i             The i-th user
Q_i           The partial private key of user i
ID_i          The identity of user i
u_i           The secret value of user i
X_i           The public key of user i
d_i           The private key of user i
K_ij, K_ji    The session key of user i and user j
a, b, y, r_i  Random numbers
p             A large prime number
F_p           Prime field
E             An elliptic curve E over the prime field F_p
G             Additive group
P             Generator of G
H, H1, H2     Hash functions
p, q          Prime numbers
x_B           The receiver's private key
P_B           The receiver's public key
A             User A, the sending user
B             User B, the requesting node
V             User V, the verifier node
Pr            User Pr, the proxy signing node
x_s           The signer's private key
y_s           The signer's public key
x_p           The proxy's private key
y_p           The proxy's public key
Q_s           The signer's public key, Q_s = x_s G
G             A finite point of order n in E/F_p

2.2 Background of Certificateless AKA

The authors of [2] were the first to propose a certificateless AKA protocol. Since then, several certificateless AKA protocols have been designed, both with and without pairings. Most AKA protocols are based on PKI or ID-based cryptography. PKI certificate management is costly in computation and storage, and ID-based cryptography trusts a KGC that can launch an active attack to eavesdrop on the communication between users [13]. We therefore need to solve the PKI problem and avoid trusting the KGC in ID-based AKA. Much effort has been made to alleviate these limitations in authentication and key agreement protocols, and the adopted approach has been certificateless cryptography [14]. In a certificateless AKA protocol the KGC creates only half of each party's private key; users complete their private keys with randomly selected secret values. The key escrow problem is thus prevented, and certificateless cryptography needs no additional certificate to prove ownership of a public key [15].

2.3 The Finite Field

Let p be a prime number. The finite field F_p consists of the integers {0, 1, 2, ..., p − 1} with the following arithmetic operations:

• Addition: if a, b ∈ F_p, then a + b = r, where r is the remainder when a + b is divided by p and 0 ≤ r ≤ p − 1. This is addition modulo p.
• Multiplication: if a, b ∈ F_p, then a · b = s, where s is the remainder when a · b is divided by p and 0 ≤ s ≤ p − 1. This is multiplication modulo p.
• Inversion: if a is a non-zero element of F_p, the inverse of a modulo p, denoted a^{-1}, is the unique integer c ∈ F_p for which a · c = 1.

2.4 Elliptic curve definition

For p ≥ 3 let E/F_p be the elliptic curve E over the finite field F_p defined by the equation
$y^2 = x^3 + ax + b$, with a, b ∈ F_p, (1)
whose discriminant satisfies
$\Delta = 4a^3 + 27b^2 \neq 0$. (2)
The points on E/F_p together with the point at infinity O form a group of points G:
$G = \{(x, y) : x, y \in F_p,\ E(x, y) = 0\} \cup \{O\}$. (3)
Let q be the order of G. Scalar multiplication over E/F_p is defined as
$tP = P + P + P + \cdots + P$ (t times). (4)
The detailed mathematics of elliptic curves can be found in [16].

2.5 Hard assumptions

The following problems over G are assumed to be intractable in polynomial time.

Definition 1. DLP assumption: given (P, aP) for an unknown a ∈ Z_q^* and a generator P of G, compute a. The DLP assumption states that no probabilistic polynomial-time algorithm can determine a.

Definition 2. CDH assumption: given (P, aP, bP) for unknown a, b ∈ Z_q^* and a generator P of G, compute abP. The CDH assumption states that no probabilistic polynomial-time algorithm can solve the CDH problem.

2.6 Algorithms for Certificateless AKA

A certificateless AKA protocol consists of the following six algorithms.

• Setup: the KGC takes a security parameter ȷ as input and outputs a master key and the system parameter list params.
• Partial-Private-Key-Extract: the KGC takes as input params, the master key and a user identity ID_i, and returns the user's partial private key Q_i.
• Set-Secret-Value: takes as input params and a user identity ID_i, and returns the user's secret value u_i.
• Set-Private-Key: takes as input params, ID_i, the partial private key Q_i and the secret value u_i, and returns the user's private key d_i.
• Set-Public-Key: takes as input params, the user identity ID_i and the secret value u_i, and returns the user's public key X_i.
• Key-Agreement: a polynomial-time interactive algorithm run by both users. It takes as input params together with (d_A, ID_A, X_A) for user A and (d_B, ID_B, X_B) for user B, where d_A and d_B are the private keys, ID_A and ID_B the identities, and X_A and X_B the public keys of A and B. Finally both users compute a session key K_AB = K_BA = K.

3 Model of the proposed protocol

In this section we present the security model and the system model of the proposed certificateless AKA.

3.1 Security modeling of the proposed protocol

A certificateless AKA protocol must resist the two types of adversaries, Type I and Type II, described in [17]:

• Type I adversary A1: A1 does not have access to the master secret key, but can replace the public key of any party with a value of its choice.
• Type II adversary A2: A2 has access to the master secret key, but cannot replace the public key of any party.

3.2 System model

The system model is composed of two phases. The first phase involves the KGC and the users A and B. The KGC registers both users and computes their partial private keys. With their partial private keys, both users compute a session key to authenticate each other and secure the data transmission. A fresh key is established in every session in which the two entities communicate, which prevents known-key attacks. The second phase involves A, the proxy Pr, the verifier V and the other decentralized nodes; two nodes of this phase participate in the creation of the proxy blind signature. Figure 1 illustrates the system model, which works as follows.

• The KGC registers the users A and B and generates the system parameter list. The KGC cannot learn the private keys of A and B.
• User A communicates and transmits data to user B over a wireless network. A computes its private key and establishes a session key with B; the session key encrypts the data transmitted from A to the receiver B.
• The receiver B must be registered with the KGC and obtain its partial private key and the system parameters. It also establishes the session key with A, which is used to encrypt and decrypt the data sent by A over an open network.
• User B, the proxy Pr and the verifier V participate in the creation of the proxy blind signature for the decentralized system.
Fig. 1. System model

3.3 Formal security model

The formal security model follows [18]. It is a game between a challenger C and an adversary A ∈ {A1, A2}. The adversary controls all interactions between the parties. Every party has an identity ID_i. The power of A is represented by the oracles maintained by C. An oracle $\Phi^r_{i,j}$ represents the r-th instance of party i communicating with party j in a session. The game starts when C runs the setup algorithm with security parameter ȷ to obtain the master secret key and the system params. If A is a Type I adversary A1, C sends params to A and keeps the master key secret; if A is a Type II adversary A2, C gives A both params and the master key. The adversary A is a probabilistic polynomial-time Turing machine. All communication goes through A; the parties answer A's queries and do not interact directly with each other. A benign adversary is deterministic: it simply chooses two oracles $\Phi^n_{i,j}$ and $\Phi^l_{j,i}$ and faithfully relays each message from one to the other. In addition, A may ask the following queries, including a single Test query:

• Create(ID_i): A asks C to create a new party i with identity ID_i. C creates the private and public keys of i.
• Public-Key(ID_i): A asks for the public key of party i. C replies with X_i.
• Partial-Private-Key(ID_i): A asks for the partial private key of party i. C replies with Q_i.
• Corrupt(ID_i): A asks for the private key of party i. C replies with d_i.
• Public-Key-Replacement(ID_i, X'_i): A selects another public key X'_i for party i and sets it as the public key of i. C records this change for later use.
• Send($\Phi^n_{i,j}$, µ): A sends a message µ to the oracle $\Phi^n_{i,j}$, which party i takes to come from party j. A may also send the special message µ = α to $\Phi^n_{i,j}$ to tell i to start a protocol run with j. An oracle whose first received message is α is called an initiator oracle; otherwise it is a responder oracle.
• Reveal($\Phi^n_{i,j}$): A asks the oracle to reveal to A the session key it currently holds, if any.
• Test($\Phi^n_{i,j}$): at some point A chooses one oracle $\Phi^T_{I,J}$ for a single Test query. The oracle must be fresh. To answer, the oracle flips a coin b ∈ {0, 1} and outputs the session key held by $\Phi^T_{I,J}$ if b = 0, or a random sample from the distribution of session keys if b = 1.

An oracle $\Phi^n_{i,j}$ is in one of the following states:

• Accepted: the oracle has accepted the request to create a session key.
• Rejected: the oracle has rejected the request to create a session key.
• State*: no decision has yet been taken.
• Opened: the oracle has answered a Reveal query.

Definition 3. Matching conversation: two oracles $\Phi^n_{i,j}$ and $\Phi^l_{j,i}$ have a matching conversation if they hold the identical session key.

Definition 4. Fresh oracle: an oracle $\Phi^n_{i,j}$ is fresh if it is in the accepted state; it is not in the opened state; party j ≠ i is not corrupted; no oracle $\Phi^l_{j,i}$ in the opened state has a matching conversation with $\Phi^n_{i,j}$; and, if A is Type I, A has not requested the partial private key of party j, while if A is Type II, A has not replaced the public key of party j.

The fresh-oracle definition allows party i to be corrupted, which models the key compromise impersonation attack. After the Test query, A may continue to query the oracles, except that it may not issue a Reveal query to the test oracle $\Phi^T_{I,J}$ or to an oracle $\Phi^l_{J,I}$ having a matching conversation with $\Phi^T_{I,J}$, and it may not corrupt user J. In addition, if A is Type I, A may not ask for the partial private key of J; if A is Type II, A may not replace the public key of J. At the end of the game A outputs a guess bit b'. A wins if and only if b' = b. The advantage of A in winning the game is defined as
$Adv(A) = \left|\Pr[b' = b] - \tfrac{1}{2}\right|$. (5)

Definition 5. A certificateless AKA protocol is secure if:
• in the presence of a benign adversary on $\Phi^n_{i,j}$ and $\Phi^l_{j,i}$, both oracles always agree on the same session key, and this key is distributed uniformly at random;
• for any adversary A, the advantage of winning the game is negligible.
4 The proposed protocol

4.1 The proposed Certificateless AKA

The proposed protocol is a new lightweight certificateless AKA for WBAN sensors and other IoT environments. It consists of six polynomial-time algorithms.

• Setup: takes the security parameter ȷ as input and returns the system parameters and the master key. The KGC performs the following operations.
 1. Given ȷ, the KGC selects an additive group G of prime order q with generator P.
 2. Selects a random master key s ∈ Z_q^* and computes P_pub = sP as the master public key.
 3. Selects hash functions H1 : {0,1}* × G → Z_q^* and H2 : {0,1}* × {0,1}* × G × G × G → {0,1}^ȷ.
 4. Publishes the system params (F_p, E/F_p, G, q, P, P_pub, H1, H2) and keeps s secret.
• Partial-Private-Key: the KGC takes as input params, the master key s and the user identity ID_i, and returns the user's partial private key as follows.
 1. Selects a random e_i ∈ Z_q^* and computes R_i = e_i P and h_i = H1(ID_i, R_i).
 2. Computes s_i = (e_i + s h_i) mod q.
 3. Sets Q_i = (s_i, R_i) as the user's partial private key.
 4. User i checks the validity of the partial private key by verifying s_i P = R_i + H1(ID_i, R_i) P_pub.
• Set-Secret-Value: takes params and the user's ID_i, selects a random u_i ∈ Z_q^* and sets u_i as the secret value.
• Set-Private-Key: takes as input params, the partial private key Q_i, ID_i and the secret value u_i, and returns the private key d_i = (u_i, Q_i).
• Set-Public-Key: takes as input params, ID_i and the secret value u_i, and returns the public key X_i = u_i P.
• Key-Agreement: users A and B establish a certificateless authenticated key, one acting as sender and the other as receiver. The sender A with identity ID_A holds the private key d_A = (u_A, Q_A) and the public key X_A = u_A P. The receiver B with identity ID_B holds the private key d_B = (u_B, Q_B) and the public key X_B = u_B P. A and B run the protocol as follows.
 1. A selects a ∈ Z_q^*, computes T_A = aP and sends the message (ID_A, T_A) to B.
 2. B selects b ∈ Z_q^*, computes T_B = bP and sends the message (ID_B, T_B) to A.
Both A and B can then compute the shared secret:
A computes $K_A = (R_B + h_B P_{pub}) + s_A P + a X_B + u_A T_B + a T_B$ (6)
B computes $K_B = (R_A + h_A P_{pub}) + s_B P + b X_A + u_B T_A + b T_A$ (7)

Correctness.
$K_A = (R_B + h_B P_{pub}) + s_A P + a X_B + u_A T_B + a T_B$
$= (e_B + s h_B) P + (e_A + s h_A) P + a u_B P + u_A b P + ab P$
$= s_B P + (e_A + s h_A) P + a u_B P + b u_A P + ba P$
$= s_B P + (e_A + s h_A) P + b X_A + u_B T_A + b T_A$
$= (R_A + h_A P_{pub}) + s_B P + b X_A + u_B T_A + b T_A = K_B = K.$
The established session key is SK = H2(ID_A, ID_B, T_A, T_B, K).

Algorithm 1 Certificateless AKA scheme
Input: {ID_i, params, Q_i, R_i, h_i, s_i}
Output: SK = H2(ID_A, ID_B, T_A, T_B, K)
1: each user i randomly selects u_i ∈ Z_q^*
2: computes d_i = (u_i, Q_i)
3: computes X_i = u_i P
4: the session key is then computed as follows
5: A randomly selects a ∈ Z_q^* and
6: computes T_A = aP
7: A sends (ID_A, T_A) to B
8: B randomly selects b ∈ Z_q^* and
9: computes T_B = bP
10: B sends (ID_B, T_B) to A
11: B computes K_B = (R_A + h_A P_pub) + s_B P + b X_A + u_B T_A + b T_A
12: A computes K_A = (R_B + h_B P_pub) + s_A P + a X_B + u_A T_B + a T_B
13: if K_B = K_A = K then
14:   return the session key SK = H2(ID_A, ID_B, T_A, T_B, K)
15: end if

4.2 User authentication and verification

The adopted proxy blind signature scheme satisfies the following security properties:

• Distinguishability: the proxy signature is distinguishable from other digital signatures.
• Strong unforgeability: only the designated proxy signer can create the proxy blind signature on behalf of the original signer.
• Non-repudiation: neither the original signer nor the proxy can deny their signatures to anyone.
• Verifiability: the proxy blind signature can be verified by everyone; after verification, the verifier is convinced that the original signer's message comes from a legitimate node.
• Strong undeniability: since the delegation information is signed by the original signer and the proxy signature is generated with the proxy signer's secret key, neither signer can deny their behaviour.
• Unlinkability: when the signature is revealed, the proxy signer cannot link the message to the blind signature it generated.
• Secret key dependence: the proxy key (delegation pair) can be computed only with the original signer's secret key.
• Prevention of misuse: the proxy signer cannot use the proxy secret key for purposes other than generating valid proxy signatures; in case of misuse, the responsibility of the proxy signer can be determined explicitly.

Proxy blind signature. We use the proxy blind signature from [19], which is lightweight, has low computation cost and provides more security features than existing blind signature schemes. It involves the signer (requester) B, who is the receiver of the data from user A; the proxy signer Pr; the verifier node V, which performs the verification; and the other decentralized nodes. The signature is produced in the following steps.

• Proxy delegation phase
 1. Proxy generation. Let Q_s = x_s G be the public key of the signer. The signer B selects a random k ∈ [1, n − 1], computes α = kG = (α_1, α_2) and sets u ≡ α_1 (mod n), where α_1 is regarded as an integer in [1, q − 1].
 B then computes β ≡ (x_s + k u) (mod n) and Q_p = βG.
 2. Proxy delivery. The signer B sends (β, u) to the proxy Pr over a secure channel and makes Q_p public.
 3. Proxy verification. On receiving the secret key pair (β, u), the proxy signer Pr verifies its correctness by checking
 $Q_p = \beta G = Q_s + u\alpha$. (8)
• Proxy signing phase
 1. The proxy signer Pr selects a random integer t ∈ [1, n − 1], computes Z = tG and sends it to the verifier V.
 2. On receiving Z, the verifier selects random ω, γ ∈ [1, n − 1] and computes
 $\alpha' = Z + \omega G - \gamma Q_p$ (9)
 $g = H(\alpha' \,\|\, M)$ (10)
 $g' = (g + \gamma) \bmod n$ (11)
 and sends g' to the proxy signer Pr.
 3. On receiving g', Pr computes
 $\beta' = (t - \beta g') \bmod n$ (12)
 and sends it to V.
 4. V computes
 $\beta'' = (\beta' + \omega) \bmod n$. (13)
 The tuple (M, β'', g) is the proxy blind signature.
• Verification phase. The verifying node V computes
 $\delta = H((\beta'' G + g Q_p) \,\|\, M)$ (14)
 and accepts the proxy blind signature if δ = g.
• Correctness. The proxy blind signature verifies because
 $H((\beta'' G + g Q_p) \,\|\, M) = H(\alpha' \,\|\, M)$, (15)
 that is, β''G + gQ_p = α':
 $\beta'' G + g Q_p = (\beta' + \omega) G + g Q_p$
 $= \beta' G + \omega G + g Q_p$
 $= (t - \beta g') G + \omega G + g Q_p$
 $= tG - g' Q_p + \omega G + g Q_p$
 $= tG - (g + \gamma) Q_p + \omega G + g Q_p$
 $= tG - g Q_p - \gamma Q_p + \omega G + g Q_p$
 $= tG - \gamma Q_p + \omega G$
 $= Z + \omega G - \gamma Q_p = \alpha'.$
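The two constructions of this section, the key agreement of 4.1 (equations (6) and (7)) and the proxy blind signature of 4.2 (equations (8) to (14)), as one added, runnable Python example. This is editor-added illustration code, not the paper's implementation nor that of [19]. Everything the paper leaves open is an assumption and is labelled as such in the comments: the curve (secp256k1, in pure Python), the hash functions H, H1 and H2 instantiated with SHA-256 (reduced modulo the group order where a scalar is required), the byte encoding of identities and points, and that the signer B publishes α together with Q_p, since the proxy's check in (8) needs it. The identities "A" and "B" and the signed message are constructed sample inputs.

```python
import hashlib
import secrets

# secp256k1 (assumed curve; the paper only fixes a prime-order group E/F_p)
P_MOD = 2**256 - 2**32 - 977
Q_ORD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
GEN = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
       0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # the point at infinity O

def ec_add(p1, p2):
    """Group law on y^2 = x^3 + 7 over F_p (eq. 1 with a = 0, b = 7)."""
    if p1 is INF: return p2
    if p2 is INF: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0: return INF
    if p1 == p2: lam = 3 * x1 * x1 * pow(2 * y1, -1, P_MOD) % P_MOD
    else: lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def ec_mul(k, pt):
    """Scalar multiplication tP (eq. 4) by double-and-add."""
    acc = INF
    while k:
        if k & 1: acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def enc(*parts):
    """Byte encoding of identities (str), scalars (int) and points (tuples)."""
    return b"".join(p.encode() if isinstance(p, str) else p.to_bytes(32, "big")
                    if isinstance(p, int) else enc(p[0], p[1]) for p in parts)

def h_scalar(*parts):
    """H and H1 instantiated as SHA-256 reduced into Z_q^* (assumption)."""
    return int.from_bytes(hashlib.sha256(enc(*parts)).digest(), "big") % Q_ORD or 1
def rand_scalar():                                    # uniform in [1, q-1]
    return secrets.randbelow(Q_ORD - 1) + 1

# ---- Section 4.1: certificateless AKA --------------------------------------
def kgc_setup():
    s = rand_scalar()
    return s, ec_mul(s, GEN)                          # master key s, P_pub = sP
def partial_private_key(s, ident):
    e = rand_scalar(); R = ec_mul(e, GEN)             # R_i = e_i P, h_i = H1(ID_i, R_i)
    return (e + s * h_scalar(ident, R)) % Q_ORD, R    # Q_i = (s_i, R_i)
def verify_partial_key(ident, Q, Ppub):               # s_i P == R_i + H1(ID_i, R_i) P_pub
    return ec_mul(Q[0], GEN) == ec_add(Q[1], ec_mul(h_scalar(ident, Q[1]), Ppub))
def shared_secret(u_i, s_i, peer_id, peer_R, peer_X, eph, peer_T, Ppub):
    """Eq. (6)/(7): (R_j + h_j P_pub) + s_i P + a X_j + u_i T_j + a T_j."""
    K = ec_add(peer_R, ec_mul(h_scalar(peer_id, peer_R), Ppub))   # = s_j P
    for term in (ec_mul(s_i, GEN), ec_mul(eph, peer_X),
                 ec_mul(u_i, peer_T), ec_mul(eph, peer_T)):
        K = ec_add(K, term)
    return K
def session_key(idA, idB, TA, TB, K):                 # SK = H2(ID_A, ID_B, T_A, T_B, K)
    return hashlib.sha256(enc(idA, idB, TA, TB, K)).hexdigest()  # H2 = SHA-256 (assumed)

def run_aka():
    """One protocol run; returns (SK_A, SK_B, both partial keys verified)."""
    s, Ppub = kgc_setup()
    QA, QB = partial_private_key(s, "A"), partial_private_key(s, "B")
    ok = verify_partial_key("A", QA, Ppub) and verify_partial_key("B", QB, Ppub)
    uA, uB = rand_scalar(), rand_scalar()              # Set-Secret-Value
    XA, XB = ec_mul(uA, GEN), ec_mul(uB, GEN)          # Set-Public-Key X_i = u_i P
    a, b = rand_scalar(), rand_scalar()                # ephemerals: T_A = aP, T_B = bP
    TA, TB = ec_mul(a, GEN), ec_mul(b, GEN)
    KA = shared_secret(uA, QA[0], "B", QB[1], XB, a, TB, Ppub)
    KB = shared_secret(uB, QB[0], "A", QA[1], XA, b, TA, Ppub)
    return session_key("A", "B", TA, TB, KA), session_key("A", "B", TA, TB, KB), ok

# ---- Section 4.2: proxy blind signature of [19], as described in the paper ---
def proxy_delegate(xs):
    """Signer B: alpha = kG, u = alpha_1 mod n, beta = x_s + k u, Q_p = beta G."""
    k = rand_scalar(); alpha = ec_mul(k, GEN)
    u = alpha[0] % Q_ORD; beta = (xs + k * u) % Q_ORD
    return beta, u, alpha, ec_mul(beta, GEN)
def proxy_verify(beta, u, alpha, Qs, Qp):             # eq. (8): Q_p = beta G = Q_s + u alpha
    return Qp == ec_mul(beta, GEN) == ec_add(Qs, ec_mul(u, alpha))  # alpha assumed public
def proxy_blind_sign(beta, Qp, msg):
    """Pr holds beta; V blinds with (omega, gamma), Pr signs g', V unblinds."""
    t = rand_scalar(); Z = ec_mul(t, GEN)                                 # Pr -> V
    w, gam = rand_scalar(), rand_scalar()
    alpha_p = ec_add(ec_add(Z, ec_mul(w, GEN)), ec_mul(Q_ORD - gam, Qp))  # (9)
    g = h_scalar(alpha_p, msg)                                            # (10)
    g_p = (g + gam) % Q_ORD                                               # (11) V -> Pr
    beta_p = (t - beta * g_p) % Q_ORD                                     # (12) Pr -> V
    return msg, (beta_p + w) % Q_ORD, g                                   # (13)
def verify_blind_sig(sig, Qp):                        # eq. (14): H((beta''G + gQ_p)||M) == g
    msg, beta_pp, g = sig
    return h_scalar(ec_add(ec_mul(beta_pp, GEN), ec_mul(g, Qp)), msg) == g

def run_signature(msg="constructed sample record"):
    """Returns (delegation verified, genuine signature accepted, tampered rejected)."""
    xs = rand_scalar()
    beta, u, alpha, Qp = proxy_delegate(xs)
    sig = proxy_blind_sign(beta, Qp, msg)
    tampered = (msg, sig[1], (sig[2] + 1) % Q_ORD)
    return (proxy_verify(beta, u, alpha, ec_mul(xs, GEN), Qp),
            verify_blind_sig(sig, Qp), verify_blind_sig(tampered, Qp))
```

run_aka() returns equal SK_A and SK_B together with the result of the partial-key check of step 4, and run_signature() returns (True, True, False): the delegation check (8) passes, the genuine signature passes (14), and a signature whose g has been altered is rejected. One observation worth carrying into Section 5: as the partial-key check s_i P = R_i + h_i P_pub already shows, the first two terms of K in (6) and (7) are computable from public values, so the terms of K that depend on secret material are a X_B, u_A T_B and a T_B (respectively b X_A, u_B T_A and b T_A).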
4.3 Data encryption

• User A sends a message M to the receiver B encrypted under the session key SK, written (SK‖M). B obtains the encrypted message and uses the session key SK to recover M. B then deletes SK.

5 Security analysis

The designed scheme is analyzed in three ways: a formal security analysis in the random oracle model (ROM), an informal discussion of its security properties, and a comparison with existing protocols.

5.1 Formal analysis

The security analysis of the proposed protocol relies on the CDH assumption. We follow the security proof of [20]. The CDH problem in the group G is as stated in Definition 2, and the two random oracles H1 and H2 follow the same idea as in [21]. The proof uses the theorems and lemmas given below.

Theorem 1. The proposed protocol is a secure certificateless AKA.

Proof. The protocol is proved secure against the two types of adversaries. Theorem 1 follows from Lemmas 1, 2 and 3.

Lemma 1. In the presence of a benign adversary, two matching oracles $\Phi^n_{i,j}$ and $\Phi^l_{j,i}$ establish the same session key as if there were no adversary, and the session key is distributed uniformly at random.

Proof. Let i and j be two users of the protocol and Adv a benign adversary. The two oracles receive exactly the messages sent by the other oracle, so they agree on the same session key. Since a and b are chosen at random by users i and j, the common session key is the output of the hash function H2 on a random input and, by the properties of the hash function, is uniformly distributed over {0,1}^ȷ. As shown in the correctness of the protocol, a and b are chosen at random, the two oracles are matching and mutually authenticated, and the session key is consistently shared: user A computes H2(ID_A, ID_B, T_A, T_B, K_A) and user B (the application server) computes H2(ID_A, ID_B, T_A, T_B, K_B), with K_A = K_B = K.
Finally the matching oracles compute the session key SK = H2(ID_A, ID_B, T_A, T_B, K).

Lemma 2. Assuming that the CDH problem is intractable, the advantage of a Type I adversary in winning the game is negligible in the ROM.

Proof. Assume that Adv makes at most q_{H2} H2 queries and creates at most q_c parties, and let q_s be the maximum number of sessions each party can participate in. If Adv wins the game with advantage Adv_A, the challenger solves the CDH problem with advantage $Adv_A / (q_c^2\, q_s\, q_{H2})$.

Suppose that a Type I adversary Adv wins with non-negligible advantage in polynomial time t. We show that the challenger C can then solve the CDH problem with non-negligible probability, i.e. how C uses Adv to compute abP. All of the adversary's queries pass through C. The game starts when C selects a and sets P_pub = aP; C selects at random I, J ∈ [1, q_{H1}], T ∈ [1, q_s] and s_I, u_I, h_I ∈ Z_q^*, computes R_I = s_I P and X_I = u_I P, sets P_pub as the system public key and sends params = {G, P, P_pub, H1, H2, ȷ} to Adv.

• Create(ID_i): C maintains an initially empty list L_c of tuples (ID_i, Q_i, u_i, X_i). If ID_i = ID_I, C sets the partial private key, private key and public key to Q_I = (s_I, R_I), d_I = (u_I, Q_I) and X_I respectively, and sets H1(ID_I, R_I) ← h_I, where R_I, u_I and h_I are as above. Otherwise, C chooses random u_i, s_i, h_i ∈ Z_q^*, computes R_i = s_i P − h_i P_pub and X_i = u_i P, and sets i's partial private key Q_i = (s_i, R_i), private key d_i = (u_i, Q_i) and public key X_i. Finally C adds (ID_i, Q_i, u_i, X_i) to L_c and (ID_i, R_i, X_i, h_i) to L_{H1}.
• H1 query: C keeps an initially empty list L_{H1} of tuples (ID_i, R_i, X_i, h_i). If (ID_i, R_i, X_i) is in L_{H1}, h_i is returned; otherwise C runs Create(ID_i) and returns h_i.
• Public-Key(ID_i): C looks up the tuple (ID_i, Q_i, u_i, X_i) in L_c indexed by ID_i and returns X_i.
• Partial-Private-Key(ID_i): if ID_i = ID_I, C aborts. Otherwise C looks up (ID_i, Q_i, u_i, X_i) in L_c and returns Q_i.
• Corrupt(ID_i): if ID_i = ID_I, C aborts. Otherwise C looks up (ID_i, Q_i, u_i, X_i) in L_c; if u_i = ⊥, C returns ⊥, else C returns (u_i, Q_i).
• Public-Key-Replacement(ID_i, X'_i): if ID_i = ID_I, C aborts. Otherwise C looks up (ID_i, Q_i, u_i, X_i) in L_c, updates X_i to X'_i and sets u_i = ⊥.
• Send($\Phi^n_{i,j}$, µ): C keeps an initially empty list L_s of tuples $(\Phi^n_{i,j}, r^n_{i,j}, \mu^n_{i,j}, \mu^n_{j,i}, X^n_i, X^n_j, SK^n_{i,j})$, where $\mu^n_{j,i}$ is the incoming message, $X^n_j$ is the public key of party j as received by $\Phi^n_{i,j}$, $X^n_i$ is the current public key of party i, and $r^n_{i,j}$ and $\mu^n_{i,j}$ are described below. On receiving such a query, if µ ≠ α, C sets $\mu^n_{j,i} = \mu$; otherwise a message is returned at the end of the protocol. If $\Phi^n_{i,j}$ is accepted, C sets the message to $\mu^n_{j,i}$; if the query has been made before, the same response is returned from L_s. Otherwise C proceeds as follows:
 1. If n = T, ID_i = ID_I and ID_j = ID_J, C sets $SK^n_{i,j} = r^n_{i,j} = \bot$ and $\mu^n_{i,j} = aP$, returns $\mu^n_{i,j}$ as the answer and adds the tuple $(\Phi^n_{i,j}, r^n_{i,j}, \mu^n_{i,j}, \mu^n_{j,i}, X^n_i, X^n_j, SK^n_{i,j})$ to L_s.
 2. Else, if ID_i ≠ ID_J, C selects a random $r^n_{i,j} \in Z_q^*$, computes $\mu^n_{i,j} = r^n_{i,j} P_{pub}$, returns it as the response, sets $SK^n_{i,j} = \bot$ and adds the tuple to L_s.
 3. Else, C selects a random $r^n_{i,j} \in Z_q^*$, computes $\mu^n_{i,j} = r^n_{i,j} P$, returns it as the response, sets $SK^n_{i,j} = \bot$ and adds the tuple to L_s.
• Reveal($\Phi^n_{i,j}$): C looks up the tuple $(\Phi^n_{i,j}, r^n_{i,j}, \mu^n_{i,j}, \mu^n_{j,i}, X^n_i, X^n_j, SK^n_{i,j})$ in L_s and sets $\mu^n_{i,j} = T_i$ and $\mu^n_{j,i} = T_j$. If $SK^n_{i,j} \neq \bot$, C returns $SK^n_{i,j}$ as the response. Otherwise C looks up (ID_i, Q_i, u_i, X_i) in L_c and does the following:
 – If n = T, ID_i = ID_I and ID_j = ID_J, or $\Phi^n_{i,j}$ is the oracle having the matching conversation with $\Phi^T_{I,J}$, C aborts.
 – Else, if ID_i ≠ ID_I, there are two cases:
 1. C looks in $L_{H2}$ and L_c for the corresponding tuples $(ID_i, ID_j, T_i, T_j, X_i, X_j, K^n_{i,j}, h_u)$ and (ID_i, Q_i, u_i, X_i), and computes $K^n_{i,j} = (R_j + h_j P_{pub}) + s_i P + r^n_{i,j} X_j + u_i T^n_{j,i} + r^n_{i,j} T^n_{j,i}$;
 2. otherwise, C samples a random $SK^n_{i,j} \in \{0,1\}^{ȷ}$ and returns it as the answer.
• H2 query: C maintains a list $L_{H2}$ of tuples $(ID^u_i, ID^u_j, T^u_i, T^u_j, K^u_{i,j}, h_u)$ and answers an H2 query on $(ID^u_i, ID^u_j, T^u_i, T^u_j, K^u_{i,j})$ as follows:
 1. If a tuple indexed by $(ID^u_i, ID^u_j, T^u_i, T^u_j, K^u_{i,j})$ is already in $L_{H2}$, C responds with the corresponding h_u.
 2. Otherwise C chooses a random h_u ∈ {0,1}^ȷ, adds the tuple $(ID^u_i, ID^u_j, T^u_i, T^u_j, K^u_{i,j}, h_u)$ to $L_{H2}$ and responds with h_u.
• Test($\Phi^n_{i,j}$): at some point Adv issues the Test query on some oracle. If Adv does not choose $\Phi^T_{I,J}$ for the Test query, C aborts. Otherwise C outputs a random value in {0,1}^ȷ.

The probability that $\Phi^T_{I,J}$ is selected as the Test oracle is $1/(q_c^2\, q_s)$. In this case Adv has made neither a Corrupt nor a Reveal query on $\Phi^T_{I,J}$, so C has not aborted. If Adv wins the game, it must have made the corresponding H2
query of the form $(ID^T_i, ID^T_j, T^T_i, T^T_j, K^T_{i,j})$ if $\Phi^T_{I,J}$ is the initiator oracle, or $(ID^T_j, ID^T_i, T^T_j, T^T_i, K^T_{i,j})$ otherwise, with overwhelming probability, because H2 is a random oracle. Thus C can find the corresponding item in the H2 list with probability $1/q_{H2}$ and outputs $K^T_{i,j} - s_I aP - (R_J + h_J P_{pub} - r^T_{I,J} X_i)$ as the solution to the CDH problem. The probability that C solves the CDH problem is $\varepsilon / (q_c^2\, q_s\, q_{H2})$.

Lemma 3. Under the assumption that the CDH problem is intractable, the advantage of a Type II adversary A2 against our protocol is negligible in the ROM.

Proof. Suppose that a Type II adversary A2 wins the game defined in Section 3 with non-negligible advantage in polynomial time t, i.e. with non-negligible probability ε. We show how to use the ability of A2 to construct an algorithm C that solves the CDH problem. C is given an instance (aP, bP) of the CDH problem and wants to compute cP with c = ab mod q. C first chooses s ∈ Z_q^* at random, sets P_pub = sP as the system public key, selects the system params ⟨F_p, E/F_p, G, P, P_pub, H1, H2⟩ and sends params and the master key s to A2. Suppose A2 makes at most q_{H_i} H_i queries and creates at most q_c participants, and let q_s be the maximum number of sessions each participant can run. C selects at random I, J ∈ [1, q_{H1}] and T ∈ [1, q_s], and answers the queries as follows.

• Create(ID_i): C maintains an initially empty list L_c of tuples (ID_i, u_i, X_i). If ID_i = ID_I, C selects random e_i, h_i ∈ Z_q^*, computes R_i = e_i P and s_i = (e_i + h_i s) mod q and sets the public key X_i; then i's partial private key, private key and public key are Q_i = (s_i, R_i), d_i = {⊥, Q_i} and X_i. Otherwise, C selects random u_i, e_i, h_i ∈ Z_q^* and computes s_i = e_i + s h_i, R_i = e_i P and X_i = u_i P; then i's partial private key, private key and public key are Q_i = (s_i, R_i), d_i = {u_i, Q_i} and X_i.
Finally, C adds (ID_i, R_i, h_i) to L_{H1} and (ID_i, Q_i, u_i, X_i) to L_c. C answers A2's H1(ID_i, R_i), Public-Key(ID_i), Corrupt(ID_i), Send($\Phi^n_{i,j}$, µ), Reveal($\Phi^n_{i,j}$), H2 and Test($\Phi^T_{I,J}$) queries as in Lemma 2. The probability that $\Phi^T_{I,J}$ is selected as the Test oracle is $1/(q_c^2\, q_s)$. In this case A2 has made neither a Corrupt nor a Reveal query on $\Phi^T_{I,J}$, so C has not aborted. If A2 wins the game, it must have made the corresponding H2 query of the form $(ID^T_i, ID^T_j, T^T_i, T^T_j, K^T_{i,j})$ if $\Phi^T_{I,J}$ is the initiator oracle, or $(ID^T_j, ID^T_i, T^T_j, T^T_i, K^T_{i,j})$ otherwise, with overwhelming probability, because H2 is a random oracle. Thus C can find the corresponding item in the H2 list with probability $1/q_{H2}$ and outputs $K^T_{i,j} - s_I bP - (R_J + h_J P_{pub} - r^T_{I,J} X_j)$ as the solution to the CDH problem. The probability that C solves the CDH problem is $\varepsilon / (q_c^2\, q_s\, q_{H2})$.

Theorem 2. The proposed protocol provides perfect forward secrecy if the CDH assumption holds in G.
Proof. Assume that users A and B compute the session key SK with the certificateless AKA protocol and that their long-term private keys $SK_A$ and $SK_B$ are later compromised. Let $a$ and $b$ be the ephemeral secrets used by user A and user B when they computed the common session key. An attacker who possesses $SK_A$, $SK_B$, $T_A = aP$ and $T_B = bP$ must still recover $abP$. Recovering $abP$ without knowing either $a$ or $b$ means solving the CDH problem in $G$, which under the CDH assumption succeeds only with negligible probability. Therefore the certificateless AKA provides perfect forward secrecy.

5.2 Informal analysis of security requirements

We present informally the security features provided by the proposed lightweight certificateless AKA.

• Unknown key share: An attacker cannot reuse a session key to encrypt or sign a message M, because a fresh key is established between user A and user B in every session, and computing $c = ab$ from $aP$ and $bP$ is the CDH problem.
• Key compromise impersonation: If user A's long-term key leaks, the adversary can send a request to the KGC to obtain the user's partial private key; this is the Type I attack. In our protocol, however, an adversary who wants to find the master key or a user's private key has to recover $a$ from $aP$, which by our assumption is a hard problem on the elliptic curve in the group $G$ with generator $P$.
• Key control: Neither user can control the agreed key, because it is derived from temporary (ephemeral) values contributed by both parties A and B.
• Key escrow: A malicious KGC can compute the partial private key $Q_i$, but it cannot compute the full private key $d_i = (u_i, Q_i)$, because user A and user B each select $u_i$ at random to complete their private keys.
• Anonymity: The proposed protocol protects the anonymity of nodes during the mediated signature creation, since the content of the message is not revealed thanks to the blindness of the proxy signature.
• Non-repudiation: Other nodes on the chain cannot deny the use of data, since they can verify the authenticity of user B: the proxy blind signature is verifiable.
• Immutability: Since the data broadcast by user B forms a decentralized ledger, no other user/node can modify its content.
• Verifiability: Blockchain/decentralized transactions are publicly known to the chain. Any user can check the transactions and the hash chain all the way back to the previous block.
• Consensus mechanism: User A sends a consensus message $K \| M$ to the blockchain as permission to use its data. This is required before the data is used.
• Unlinkability: When the signer is revealed, the proxy signer $P_r$ cannot identify the association between the message and the blind signature he created. This is shown in the verification phase: the signer checks only whether $\delta = H((\beta'' G + g \cdot Q_p) \| M)$ holds. He is aware of neither the original signer's private key nor the proxy's private key. Thus the signer knows neither the message nor the signature associated with the signature scheme.
• Indistinguishability: The proxy's key differs from the original signer's private key, and proxy keys created by different proxy signers differ from each other; hence any proxy signature is distinguishable from the original signer's signature, and different proxy signers' signatures are different.

5.3 Performance analysis

In this section, we compare our protocol with other recent related protocols in terms of security features, computation costs and communication costs. Five protocols are compared: those designed in [4], [11], [1] and [5], and our proposed certificateless AKA. These protocols achieve different security properties. We consider the five properties listed in Table 2: key escrow avoidance, distinguishability, unlinkability, strong undeniability and decentralized architecture.

Table 2. Functionality features comparison

Feature              | [4] | [11] | [1] | [5] | Ours
---------------------|-----|------|-----|-----|-----
Key escrow avoidance | ✗   | ✓    | ✗   | ✓   | ✓
Distinguishability   | ✓   | ✗    | ✗   | ✗   | ✓
Unlinkability        | ✗   | ✗    | ✗   | ✗   | ✓
Strong undeniability | ✗   | ✗    | ✗   | ✗   | ✓
Decentralized        | ✗   | ✗    | ✗   | ✓   | ✓

We denote a point multiplication by Tm, a hash function operation by Th, a bilinear pairing operation by Te, and a symmetric encryption or decryption by Tse. Table 3 compares computation and communication costs, assuming that |m| = 160 bits (the same as an element of Z*q), |ID| = 80 bits, a compressed group element |G1| = 65 bytes and a timestamp |tc| = 2 bytes [11].

Table 3. Comparison based on computation and communication costs

Scheme | Computation cost (user A) | Computation cost (user B) | Communication cost
-------|---------------------------|---------------------------|-------------------
[5]    | 2Tm + Te + 2Th            | 2Tm + Te + 2Th            | 2ID + 2Z*q
[4]    | 6Tm                       | 6Tm                       | 4Z*q + 4G1 + 2tc + 2ID
[11]   | 3Tm + 4Th                 | 7Tm + 4Th                 | 2Z*q + G1 + tc
[1]    | 2Tm + 1Th                 | 1Te + 1Tse + 1Th          | 1Z*q + 1G1 + ID + Right + tc + MAC
Ours   | 4Tm + 2Th                 | 4Tm + 2Th                 | 2ID + 2Z*q

The comparison in Table 3 shows that the proposed protocol costs 4Tm + 2Th on each of user A and user B, uses no bilinear pairing or symmetric operation, and has the smallest communication cost among the compared schemes (2ID + 2Z*q, the same as [5]). Compared with the pairing-free scheme [4] it saves two point multiplications per user, and unlike [5] and [1] it needs no bilinear pairing, which is the dominant cost in those schemes.
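The key escrow argument of Section 5.2 and the perfect forward secrecy argument of Theorem 2 can be made concrete with a short worked exchange. The following Python block is an added example, not code from the paper: it instantiates the certificateless key material on secp256k1 (chosen here as a concrete $E/F_p$ with generator $P$ of prime order $q$), has the KGC issue a partial private key $Q_i = (s_i, R_i)$ with $R_i = e_i P$, $h_i = H_1(ID_i, R_i)$ and $s_i = e_i + s h_i$, lets the user complete it with a random $u_i$ and $X_i = u_i P$, and then runs the ephemeral exchange $T_A = aP$, $T_B = bP$ whose session key is derived with $H_2$ over the tuple $(ID_i, ID_j, T_i, T_j, K_{i,j})$ that appears in Lemma 3. Assumptions: $H_1$ and $H_2$ are modelled as SHA-256 with domain tags, $K_{i,j}$ is taken to be $abP$ alone (the paper's $K_{i,j}$ also binds the long-term keys), and the identities and fixed scalars are constructed sample values.

```python
# Added example (not the paper's code): certificateless key material and an
# ephemeral CDH-based session key on secp256k1. H1/H2 are modelled with
# SHA-256 and K_ij is abP alone; both are assumptions for illustration.
import hashlib
import secrets

# secp256k1: y^2 = x^3 + 7 over F_P, generator GEN of prime order Q
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
Q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
GEN = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
       0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity


def ec_add(p1, p2):
    """Affine point addition; handles doubling, inverses and infinity."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication k*pt (k reduced mod Q)."""
    acc, addend = INF, pt
    k %= Q
    while k:
        if k & 1:
            acc = ec_add(acc, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return acc


def encode(pt):
    """Fixed-width encoding of a point for hashing."""
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")


def rand_scalar():
    return secrets.randbelow(Q - 1) + 1


def h1(identity, r_pt):
    """H1(ID_i, R_i) -> Z_q^*  (SHA-256 model, assumption)."""
    d = hashlib.sha256(b"H1" + identity + encode(r_pt)).digest()
    return int.from_bytes(d, "big") % (Q - 1) + 1


def h2(id_i, id_j, t_i, t_j, k_ij):
    """H2(ID_i, ID_j, T_i, T_j, K_ij) -> session key (SHA-256 model)."""
    return hashlib.sha256(b"H2" + id_i + id_j + encode(t_i)
                          + encode(t_j) + encode(k_ij)).digest()


def kgc_setup(s=None):
    """Master key s and system public key P_pub = sP."""
    s = rand_scalar() if s is None else s
    return s, ec_mul(s, GEN)


def kgc_partial_key(s, identity, e=None):
    """Partial private key Q_i = (s_i, R_i): R_i = e_i P, s_i = e_i + s*h_i."""
    e = rand_scalar() if e is None else e
    r_pt = ec_mul(e, GEN)
    return (e + h1(identity, r_pt) * s) % Q, r_pt


def verify_partial_key(identity, s_i, r_pt, ppub):
    """Public check s_i P == R_i + h_i P_pub (follows from the KGC formulas)."""
    return ec_mul(s_i, GEN) == ec_add(r_pt, ec_mul(h1(identity, r_pt), ppub))


def user_keygen(u=None):
    """User secret u_i (never sent to the KGC) and public key X_i = u_i P."""
    u = rand_scalar() if u is None else u
    return u, ec_mul(u, GEN)


def ephemeral(x=None):
    """Ephemeral secret a (or b) and T = aP."""
    x = rand_scalar() if x is None else x
    return x, ec_mul(x, GEN)


def session_key(my_id, peer_id, my_t, peer_t, my_eph, initiator):
    """SK = H2(...) from one's own ephemeral and the peer's T; K_ij = abP."""
    k_ij = ec_mul(my_eph, peer_t)
    if initiator:
        return h2(my_id, peer_id, my_t, peer_t, k_ij)
    return h2(peer_id, my_id, peer_t, my_t, k_ij)


def demo():
    """KGC setup, two users with full keys d_i = (u_i, Q_i), one session."""
    s, ppub = kgc_setup()
    ids = (b"userA", b"userB")  # constructed sample identities
    for ident in ids:  # KGC learns s, e_i, s_i, R_i but never u_i (no escrow)
        s_i, r_pt = kgc_partial_key(s, ident)
        assert verify_partial_key(ident, s_i, r_pt, ppub)
        user_keygen()
    a, t_a = ephemeral()
    b, t_b = ephemeral()
    return (session_key(ids[0], ids[1], t_a, t_b, a, True),
            session_key(ids[1], ids[0], t_b, t_a, b, False))


if __name__ == "__main__":
    sk_a, sk_b = demo()
    print("session keys agree:", sk_a == sk_b)
```

The check $s_i P = R_i + h_i P_{pub}$ is what a peer can use to confirm that a partial key was issued by the KGC without learning $u_i$; the KGC's own view is $(s, e_i, s_i, R_i)$, so it can never assemble $d_i = (u_i, Q_i)$, which is the key escrow argument. For Theorem 2, an attacker who later obtains both long-term keys together with the transcript $T_A, T_B$ still needs $abP$ to recompute `session_key`, and that is exactly the CDH instance.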
6 Conclusion and future work

Authenticated key agreement protocols are important for critical power devices to provide security and privacy of sensitive information. Thus, a certificateless AKA is proposed. A session key is established between user A and a decentralized user B to secure their communication. The certificateless AKA achieves more security features than the compared existing AKA protocols, such as key escrow avoidance, distinguishability, verifiability, consensus and strong undeniability. In addition, a lightweight proxy blind signature between decentralized users/nodes is presented to provide anonymity of the message content. The proposed protocol is proven secure in the random oracle model and is lightweight enough for low-capability devices. As future work, we propose and recommend designing a lightweight AKA based on proxy re-signature that can work on both cloud and IoT big data.

Acknowledgements

This work is supported by Pivot Access Ltd, Kigali, Rwanda.

References

[1] Li, T., Zheng, Y., Zhou, T.: Efficient anonymous authenticated key agreement scheme for wireless body area networks. Security and Communication Networks 2017 (2017)
[2] Al-Riyami, S.S., Paterson, K.G.: Certificateless public key cryptography. In: International Conference on the Theory and Application of Cryptology and Information Security. pp. 452–473. Springer (2003)
[3] Swanson, C.M.: Security in key agreement: Two-party certificateless schemes. Master's thesis, University of Waterloo (2008)
[4] Saeed, M.E.S., Liu, Q.Y., Tian, G., Gao, B., Li, F.: AKAIoTs: Authenticated key agreement for Internet of Things. Wireless Networks 25(6), 3081–3101 (2019)
[5] Mwitende, G., Ye, Y., Ali, I., Li, F.: Certificateless authenticated key agreement for blockchain-based WBANs. Journal of Systems Architecture 110, 101777 (2020)
[6] Gervais, M., Sun, L., Wang, K., Li, F.: Certificateless authenticated key agreement for decentralized WBANs. In: International Conference on Frontiers in Cyber Security. pp. 268–290. Springer (2019)
[7] Shen, J., Chang, S., Shen, J., Liu, Q., Sun, X.: A lightweight multi-layer authentication protocol for wireless body area networks. Future Generation Computer Systems 78, 956–963 (2018)
[8] Li, X., Peng, J., Kumari, S., Wu, F., Karuppiah, M., Choo, K.K.R.: An enhanced 1-round authentication protocol for wireless body area networks with user anonymity. Computers & Electrical Engineering 61, 238–249 (2017)
[9] Jiang, Q., Lian, X., Yang, C., Ma, J., Tian, Y., Yang, Y.: A bilinear pairing based anonymous authentication scheme in wireless body area networks for mHealth. Journal of Medical Systems 40(11), 1–10 (2016)
[10] Jia, X., He, D., Kumar, N., Choo, K.K.R.: Authenticated key agreement scheme for fog-driven IoT healthcare system. Wireless Networks 25(8), 4737–4750 (2019)
[11] Omala, A.A., Kibiwott, K.P., Li, F.: An efficient remote authentication scheme for wireless body area network. Journal of Medical Systems 41(2), 1–9 (2017)
[12] Wazid, M., Das, A.K., Kumar, N., Conti, M., Vasilakos, A.V.: A novel authentication and key agreement scheme for implantable medical devices deployment. IEEE Journal of Biomedical and Health Informatics 22(4), 1299–1309 (2017)
[13] Hou, M., Xu, Q.: A two-party certificateless authenticated key agreement protocol without pairing. In: 2009 2nd IEEE International Conference on Computer Science and Information Technology. pp. 412–416. IEEE (2009)
[14] Li, F., Shirase, M., Takagi, T.: Key management using certificateless public key cryptography in ad hoc networks. In: IFIP International Conference on Network and Parallel Computing. pp. 116–126. Springer (2008)
[15] Sayid, J., Sayid, I., Kar, J.: Certificateless public key cryptography: A research survey. International Journal of Security and Its Applications 10(7), 103–118 (2016)
[16] Hankerson, D., Menezes, A.J., Vanstone, S.: Guide to Elliptic Curve Cryptography. Springer Science & Business Media (2006)
[17] He, D., Chen, J., Hu, J.: A pairing-free certificateless authenticated key agreement protocol. International Journal of Communication Systems 25(2), 221–230 (2012)
[18] Zhang, L., Zhang, F., Wu, Q., Domingo-Ferrer, J.: Simulatable certificateless two-party authenticated key agreement protocol. Information Sciences 180(6), 1020–1030 (2010)
[19] Alghazzawi, D.M., Salim, T.M., Hasan, S.H.: A secure proxy blind signature scheme using ECC. In: International Conference on Networked Digital Technologies. pp. 47–52. Springer (2011)
[20] He, D., Chen, Y., Chen, J., Zhang, R., Han, W.: A new two-round certificateless authenticated key agreement protocol without bilinear pairings. Mathematical and Computer Modelling 54(11-12), 3143–3152 (2011)
[21] Bellare, M., Rogaway, P.: Random oracles are practical: A paradigm for designing efficient protocols. In: Proceedings of the 1st ACM Conference on Computer and Communications Security. pp. 62–73 (1993)

BIOGRAPHY

Dr. Mwitende Gervais is Deputy Principal of Academics and Training and Senior Lecturer at Rwanda Polytechnic/IPRC Gishari. He started his career in education at the former National University of Rwanda (NUR), where he taught for four years, and moved to Rwanda Polytechnic in 2013 as Lecturer in the ICT department. Gervais is a consultant to the ICT industry in cybersecurity R&D and compliance. During his 16 years in education he has supervised many students through to graduation. He earned his bachelor's degree in computer science from the National University of Rwanda, a postgraduate qualification from CDAC Mohali, India, a master's degree in computer science from NUR, and a PhD in Cryptography and Cybersecurity from the University of Electronic Science and Technology of China (UESTC). He has published 6 industry-oriented scientific papers in well-known journals and is a member of Telecommunication Systems (Springer) and Blockchain Cryptocurrency B2C. He is a certified ISO27003 Cybersecurity Lead Auditor, a certified Inclusive Education Trainer, and recently completed the certification of GVV.