Sage Journals: Discover world-class research

Abstract

For enhancing the security of ubiquitous communication, we have to consider three keywords: mobility, wireless, and low computing capability. In this paper, we study one of suitable security protocols for the ubiquitous communication environment. We discuss RSA-based password-authenticated key exchange (RSA-PAKE) protocols for imbalanced wireless networks where a party uses a low-power device to communicate with another party equipped with a powerful computing device. For imbalanced wireless network applications, it is important to reduce the cost of communication for a low-power device even though the cost for powerful devices is increasing. The most power-consuming operation in RSA-PAKE protocols is the reliability test of unauthorized RSA public keys. Hence, it is important to design an efficient reliability test method to construct an efficient RSA-PAKE protocol. In this paper, we propose a new reliability test technique and design a provably secure RSA-PAKE protocol using the technique. Our protocol is suitable for securing the communications conducted over imbalanced wireless networks since the operations computed by one communicating party are efficient enough to be implemented on most low-power devices such as mobile phones and PDAs. The cost of a low-power device is reduced by 84.25% compared with CEKEP, the most efficient RSA-PAKE protocol. We prove the security of our protocol under a firmly formalized security model.

1. Introduction

For securing the communications conducted over wireless network, password-authenticated key exchange (PAKE) protocols are needed since two parties can establish a session key without storing any sensitive information in mobile devices. Note that we have an interest in imbalanced wireless networks where two communicating parties have different computational capabilities. Generally, mobile devices have low capabilities. Hence, for imbalanced wireless networks, it is important to reduce the cost of communications for a low-power device even though the cost for a powerful device is increased. For PAKE protocols that have been designed based on the Diffie-Hellman key exchange protocol (DH-PAKE protocol), each communicating party should compute at least two exponentiations with 160-bit exponents (for 80-bit security). Hence, it seems hard to design a DH-PAKE protocol for imbalanced wireless network applications where a party uses a low-power mobile device for communications. For PAKE protocols that have been designed based on the RSA function (RSA-PAKE protocol), one of the two parties can establish a session key by performing a small number of encryptions. Hence, RSA-based PAKE protocols seem to be suitable for imbalanced wireless networks since the cost of the RSA function is imbalanced in the sense that the encryption operation is very efficient while decryption is not. For example, if we use 3 as the public exponent for the RSA function, the encryption operation requires 2 multiplications while the decryption requires one exponentiation with a full-size (1024-bit) exponent.

For RSA-PAKE protocols, the existence of the public-key infrastructure (PKI) is not assumed, and thus a set of unauthorized public key pairs $(n, e)$ is used without any authorized certificate. Therefore, we have to verify the reliability of the unauthorized RSA keys. Due to the additional cost for verifying the reliability of the keys, it is not easy to design an efficient RSA-PAKE protocol. Note that the most power-consuming operation in RSA-PAKE protocols is the reliability test of unauthorized RSA public keys. Hence, it is important to design an efficient reliability test method to improve the performance of an RSA-PAKE protocol. Until now, several researchers have tried to design efficient RSA-PAKE protocols [1–8]. However, they are not sufficiently efficient enough to be implemented on most of low-power devices. Hence, it will be valuable to design a new RSA-PAKE protocol which provides a more efficient key exchange for low-power devices than existing RSA-PAKE protocols.

The goal of this paper is to design a new RSA-PAKE protocol which is suitable for securing the communications conducted over imbalanced wireless networks. To design an efficient RSA-PAKE, we provide very simple and efficient conditions for testing the reliability of a set of RSA parameters. In our protocol, a low-power device can establish a session key by choosing a 52-bit prime and performing one exponentiation with the prime exponent. According to our experimental results, the cost of a client is reduced by 84.25% compared with the CEKEP, which is the most efficient RSA-PAKE protocol until now. Our protocol can be implemented more efficiently by generating the prime before a key exchange protocol is initiated. In this case, the cost of a client can be reduced by 88.46%. We prove the security of our protocol in the random oracle model under a firmly formalized security model.

2. Preliminary

In this section, we briefly review formal security models for RSA-PAKE protocols and some mathematical backgrounds.

2.1. Security Model

Let A and B be two communicating parties, and let $D$ be the password space. We assume that A and B share a password $p w \in D$ . Let E be an active adversary who attacks the key exchange between A and B by controlling their messages. The adversary may capture transmitted messages and verify guessed passwords using the collected information until he/she finds the correct password. This type of attack is called an offline password guessing attack. The security goal of a password-authenticated key exchange protocol is to provide password-enabled key exchange which is secure against offline password guessing attacks mounted by the active adversary E. In this paper, we review the main points of well-formalized security models introduced by Bellare et al. [9]. (Refer to [9] for details.)

Adversarial Model. When a protocol is executed, each party behaves as specified in the protocol. For given queries, each instance returns its outputs. Let $Π_{A}^{i}$ be the ith instance of A. Note that each instance may be used only once. Each instance has a session key $s k$ , a session id $s i d$ , and a partner id $p i d$ . In general, the session id of $Π_{A}^{i}$ is the ordered concatenation of all messages sent and received by $Π_{A}^{i}$ . An adversary can make queries to any instance. When the instance returns its output to the adversary, the internal state of the instance is also updated. E can make the following queries for any instance. (i)

$Send (A, i, m)$ . E sends a message m to the instance $Π_{A}^{i}$ . Then, $Π_{A}^{i}$ executes as specified by the protocol and returns its response to E. If the instance accepts given m as a valid message, the acceptance of the message, the session id $s i d$ , and the partner id $p i d$ will be made visible to E. If the message is not accepted as a valid one, the instance terminates the oracle call, and the termination is also made visible to the adversary.

(ii)

$Execute (A, i, B, j)$ . By this oracle call, E obtains a transcript of an honest execution between two instances $Π_{A}^{i}$ and $Π_{B}^{j}$ , where $Π_{A}^{i}$ and $Π_{B}^{j}$ are unused instances such that $A \neq B$ .

(iii)

$Reveal (A, i)$ . By this oracle call, $s k_{A}^{i}$ is given to the adversary E, where $s k_{A}^{i}$ is the session key of $Π_{A}^{i}$ .

(iv)

$Test (A, i)$ . The instance $Π_{A}^{i}$ generates a random bit b. If $b = 1$ , real session key of the instance is given to E. If $b = 0$ , a random value is given to E as a session key. This query is allowed only once.

In the random oracle model, cryptographic hash functions are treated as random oracles. Hence, the adversary can make queries for random oracles. The queries for random oracles are treated as follows. (v)

$Oracle (m)$ . E obtains a random value for the message m by this oracle call. When the oracle models a hash function, the answer returned by the oracle is the hashed value of m.

Partnering, Freshness, and Correctness. We say that two instances $Π_{A}^{i}$ and $Π_{B}^{j}$ are partnered if they satisfy the following conditions: (1)

$Π_{A}^{i}$ and $Π_{B}^{j}$ have accepted given messages;

(2)

$Π_{A}^{i}$ and $Π_{B}^{j}$ have the same session id $s i d$ ;

(3)

the partner id of $Π_{A}^{i}$ is B and vice versa.

An instance $Π_{A}^{i}$ is called fresh if the instance has accepted given messages and E does not ask $Reveal$ oracle queries for $Π_{A}^{i}$ or its partner instance $Π_{B}^{j}$ . The correctness requires that two instances should have the same session key if they are partnered and they have accepted.

Definitions of Security. Let $P$ be a password-based protocol and let $A$ be an adversary who tries to break the security of the protocol $P$ . Let Succ be the event that $A$ asks a Test query on a fresh instance $Π_{A}^{i}$ and correctly guesses the bit b which was selected during the Test query. Then, the advantage of $A$ is defined as $Adv (A, P) = 2 Pr [Succ] - 1$ . Note that all probabilistic polynomial time adversaries can always test the validity of a guessed password by performing an online dictionary attack. Hence, the protocol $P$ is considered to be secure if an online dictionary attack is the best way to break the security of $P$ . Note that an online attack can be mounted by making a Send oracle query. Based on the above observation, the security of an RSA-PAKE protocol can be defined as follows.

Definition 1.

Let $| D |$ be the size of the password space $D$ and let $q_{S}$ be the number of Send queries. Then, an RSA-PAKE protocol $P$ is secure if the following holds:

\begin{matrix} {A d v}_{P, D}^{P A K E} = \max_{A \in A D V} {A d v (A, P)} \leq \frac{q_{S}}{| D |} + ϵ, \end{matrix}

(1)

where

A D V

is the set of all probabilistic polynomial time adversaries and ϵ is a negligible value.

2.2. Mathematical Background

We recall a well-known theorem, the prime number theorem [10], and use it for obtaining two theorems, Theorems 2 and 3, that are used to demonstrate the security of our protocol.

Recall that the prime number theorem tells us that the number of primes smaller than a positive integer x is approximately $π (x) \approx x / \ln x$ for a large x.

Theorem 2.

Let e be an $l_{e}$ -bit prime chosen uniformly at random. Then, the probability that someone correctly guesses the prime is about $2 l_{e} / 2^{l_{e}}$ .

Theorem 3.

Let e be a randomly chosen $l_{e}$ -bit pseudoprime which is not a prime with the probability $1 / 2^{l_{p}}$ . Then, the probability that someone chooses an $l_{n}$ -bit integer n such that $e | ϕ (n)$ is bounded by $2 l_{n} / 2^{l_{e}} + 1 / 2^{l_{p}}$ .

It is easy to prove the above theorems, and thus we omit (Omitted proofs will be provided in the full-version of this paper.) them due to lack of space.

3. Our RSA-PAKE Protocol

In this section, we propose an efficient RSA-PAKE protocol which is suitable for imbalanced wireless networks. We assume that two communicating parties A and B share a common password $p w$ for establishing a session key. Let $P_{l_{e}}$ be the set of all $l_{e}$ -bit pseudoprimes that are not prime with probability $1 / 2^{l_{p}} \approx 1 / 2 | D |$ . The size of the prime is determined such that $l_{e} \geq \log_{2} l_{n} + \log_{2} | D | + 2$ . We use four hash functions $H : {0,1}^{*} \to Z_{n}$ and $H_{i} : {0,1}^{*} \to {0,1}^{l_{h}}$ for $i = 1,2, 3$ . Then, our RSA-PAKE protocol runs as follows.

Step 1.

A chooses an $l_{n}$ -bit RSA modulus n and a random $r_{A} \in {0,1}^{l_{r}}$ and sends them to B.

Step 2.

If n is not an $l_{n}$ -bit odd number, B terminates the protocol. Otherwise, he/she chooses an $l_{e}$ -bit prime e and a random $r_{B} \in {0,1}^{l_{r}}$ and computes $α = H (p w | | info)$ , where $info = i d_{A} | | i d_{B} | | r_{A} | | r_{B} | | n | | e$ . If $gcd (α, n) \neq 1$ , B chooses a random $z \in Z_{n}^{*}$ . Otherwise, he/she computes $z = α \cdot r^{e} \mod n$ for randomly chosen $r \in Z_{n}^{*}$ . B gives $(i d_{B}, i d_{A}, e, r_{B}, z)$ to A.

Step 3.

If e is not an $l_{e}$ -bit prime, A terminates the protocol execution. A computes $α = H (p w | | info)$ and tests if two conditions $gcd (α, n) = 1$ and $gcd (e, ϕ (n)) = 1$ hold. If one of the conditions does not hold, A chooses a random $\hat{r} \in Z_{n}^{*}$ . Otherwise, he/she computes $\hat{r} = (z \cdot α^{- 1})^{d} \mod n$ , where $d = e^{- 1} \mod ϕ (n)$ . Then, A computes $β = H_{1} (\hat{r} | | info)$ and sends it to B.

Step 4.

If the condition $β = H_{1} (r | | info)$ does not hold, B terminates the protocol. Otherwise, B sends $γ = H_{2} (r | | info)$ to A. B computes $s k_{B} = H_{3} (r | | info)$ and uses it as a session key.

Step 5.

If $γ \neq H_{2} (\hat{r} | | info)$ , A terminates the protocol; otherwise, he/she computes $s k_{A} = H_{3} (\hat{r} | | info)$ and uses it as a session key.

Remark 4.

Note that, in our protocol, we use a pseudoprime which is not prime with probability $1 / 2^{l_{p}}$ . Therefore, the number of iterations of the Miller-Rabin primary test is determined so that a pseudoprime is indeed a prime with probability $1 - 1 / 2^{l_{p}}$ .

4. Security Analysis

In this section, we prove the security of our protocol according to the security model described in Section 2.1. Similar to the work by Zhang [7], we define a series of hybrid experiments where the first experiment describes the real adversary attack and each experiment is gradually modified so that the adversary has negligible advantage in the last experiment. We denote these hybrid experiments by ${Exp}_{i}$ for $i \in {0, \dots, 4}$ . Let $Adv (A, i)$ be the advantage of $A$ in ${Exp}_{i}$ .

Experiment ${Exp}_{0}$ . The first experiment coincides with the real adversary attack. Therefore, all transmitting messages are computed according to the description of the proposed protocol. Since we prove the security of our protocol in the random oracle model, four hash functions are treated as random oracles and we maintain a list of input-output pairs for each random oracle.

Note that we have ${A d v}_{R S A - P A K E, D}^{P A K E} (A) = Adv (A, 0)$ for an adversary $A$ since the first experiment describes the real adversary attack.

Experiment ${Exp}_{1}$ . In this experiment, we modify the Execute oracle. When the $Execute$ oracle is called for two instances $Π_{A}^{i}$ and $Π_{B}^{j}$ , the session keys $s k_{A}^{i}$ and $s k_{B}^{j}$ are replaced by an $l_{h}$ -bit random string rather than an output of the random oracle $H_{3}$ .

In Lemma 5, we will show that the increment of the advantage of $A$ that resulted from the modification of the Execute oracle is bounded by a negligible value. Throughout this paper, $Ad v_{RSA}$ denotes the maximum advantage of adversaries who solve the RSA problem.

Lemma 5.

For any polynomial time adversary $A$ who asks at most $q_{E}$ times of Execute queries and $q_{H}$ times of hash queries, one has the following relation:

\begin{matrix} | A d v (A, 0) - A d v (A, 1) | \leq q_{E} {A d v}_{R S A} + \frac{q_{E} q_{H}}{ϕ (n)} . \end{matrix}

(2)

Proof.

We omit (Omitted proofs will be provided in the full-version of this paper.) the proof of Lemma 5, due to lack of space.

The remainder of our security proof is to show that the Send oracle gives negligible advantage to the adversary. We can classify Send oracle into five types as follows. (i)

${Send}_{0} (A, i)$ . The instance $Π_{A}^{i}$ generates a random $r_{A}$ and an RSA modulus n and returns $r_{A}$ and n.

(ii)

${Send}_{1} (B, j, i d_{A}, r_{A}, n)$ . If n is not an $l_{n}$ -bit odd number, the protocol is terminated. Otherwise, $Π_{B}^{j}$ chooses an $l_{e}$ -bit prime e and a random $r_{B} \in {0,1}^{l_{r}}$ , queries the hash oracle H on $p w | | info$ where $info = i d_{A} | | i d_{B} | | r_{A} | | r_{B} | | n | | e$ , and receives the reply α from the oracle. If $gcd (α, n) \neq 1$ , $Π_{B}^{j}$ chooses a random $z \in Z_{n}^{*}$ . Otherwise, it computes $z = α \cdot r^{e} \mod n$ for randomly chosen $r \in Z_{n}^{*}$ . The instance $Π_{B}^{j}$ returns $(e, r_{B}, z)$ .

(iii)

${Send}_{2} (A, i, r_{B}, z, e)$ . If e is not an $l_{e}$ -bit prime, the protocol execution is terminated. Otherwise, $Π_{A}^{i}$ queries H on $p w | | info$ , receives the answer α from the oracle H, computes $α = H (p w | | info)$ , and tests if $gcd (α, n) = 1$ and $gcd (e, ϕ (n)) = 1$ . If one of the conditions does not hold, $Π_{A}^{i}$ chooses a random $\hat{r} \in Z_{n}^{*}$ ; otherwise, it computes $\hat{r} = (z \cdot α^{- 1})^{d} \mod n$ . Then, $Π_{A}^{i}$ queries the hash oracle $H_{1}$ on $\hat{r} | | info$ and returns the reply β received from $H_{1}$ .

(iv)

${Send}_{3} (B, j, β)$ . If the answer returned by $H_{1}$ on $r | | info$ is not β, $Π_{B}^{j}$ rejects the protocol; otherwise, it queries the hash oracles $H_{2}$ and $H_{3}$ on $r | | info$ and receives the replies γ and $s k$ from $H_{2}$ and $H_{3}$ , respectively. Then, $Π_{B}^{j}$ accepts $s k$ as a session key and returns γ.

(v)

${Send}_{4} (A, i, γ)$ . If the answer returned by $H_{2}$ on $\hat{r} | | info$ is not γ, $Π_{A}^{i}$ rejects the protocol; otherwise, $Π_{A}^{i}$ accepts the answer returned by the oracle $H_{3}$ on $\hat{r} | | info$ as a session key.

A message is called oracle generated if it was returned by an instance; otherwise, the message is called adversary generated. If a message was returned by $Π_{A}^{i}$ , it is called $Π_{A}^{i}$ -oracle-generated message.

Experiment ${Exp}_{2}$ . In this experiment, we modify the following if an instance $Π_{B}^{j}$ receives a $Π_{A}^{i}$ -oracle-generated message $(r_{A}, n)$ in a Send oracle call. (i)

If both $Π_{A}^{i}$ and $Π_{B}^{j}$ accept, we choose a random $l_{h}$ -bit value and give it to two instances as a session key.

(ii)

If $Π_{A}^{i}$ does not accept but $Π_{B}^{j}$ accepts, we choose a random $l_{h}$ -bit value and give it to $Π_{B}^{j}$ as a session key. In this case, no session key is defined for $Π_{A}^{i}$ .

Lemma 6.

For any polynomial time adversary $A$ who asks at most $q_{S}$ Send queries, one has

\begin{matrix} | A d v (A, 1) - A d v (A, 2) | \leq q_{S} {A d v}_{R S A} + \frac{q_{S} q_{H}}{ϕ (n)} . \end{matrix}

(3)

Proof.

Let $n = p q$ be an RSA modulus where p and q are distinct primes. Note that since the modulus n is chosen by the instance $Π_{A}^{i}$ (not by the adversary $A$ ),

\begin{matrix} P r [gcd (α, n) \neq 1] = \frac{n - ϕ (n)}{n} = \frac{p + q - 1}{n} \approx \frac{1}{2^{l_{n} / 2}} \end{matrix}

(4)

for randomly chosen

α \in Z_{n}^{*}

. Hence, we can assume that

gcd (α, n) = 1

for randomly chosen

α \in Z_{n}^{*}

Assume that $Π_{B}^{j}$ receives a $Π_{A}^{i}$ -oracle-generated message $(r_{A}, n)$ in a Send oracle call and returns $(e, r_{B}, z)$ where e is $l_{e}$ -bit prime, $r_{B} \in {0,1}^{l_{r}}$ , and $z = α \cdot r^{e} \mod n$ for random $r \in Z_{n}^{*}$ and $α \in Z_{n}^{*}$ . Note that α is the answer returned by the random oracle H on $p w | | i d_{A} | | i d_{B} | | r_{A} | | r_{B} | | n | | e$ , since $gcd (α, n) = 1$ holds with probability $1 \approx 1 - 2^{- l_{n} / 2}$ . Note that, as proved in Lemma 5, we can show that the probability that $A$ recovers the random value r is $P_{r} \leq Ad v_{RSA} + q_{H} / ϕ (n)$ . Since $A$ cannot generate valid β and γ without the knowledge of r, two instances $Π_{A}^{i}$ and $Π_{B}^{j}$ accept the protocol execution only if the instances $Π_{A}^{i}$ and $Π_{B}^{j}$ receive $Π_{B}^{j}$ -oracle-generated message β and $Π_{A}^{i}$ -oracle-generated message γ, respectively. Hence, $A$ can distinguish ${Exp}_{1}$ and ${Exp}_{2}$ only if the adversary can test to see whether or not a session key is the answer returned by the random oracle $H_{3}$ on $r | | i d_{A} | | i d_{B} | | r_{A} | | r_{B} | | n | | e$ . Without the knowledge of r, the session key seems to be a random value in $A$ 's point of view, and thus $A$ cannot distinguish between two experiments. As a result, we have $| Adv (A, 1) - Adv (A, 2) | = q_{S} P_{r} \leq q_{S} Ad v_{RSA} +$ $q_{S} q_{H} / ϕ (n)$ , since $A$ asks at most $q_{S}$ times of Send queries.

Experiment ${Exp}_{3}$ . In this experiment, we consider the case where an instance $Π_{A}^{i}$ receives a $Π_{B}^{j}$ -oracle-generated message $(e, r_{B}, z)$ in a ${Send}_{2}$ oracle call, while the instance $Π_{B}^{j}$ received a $Π_{A}^{i}$ -oracle-generated message $(r_{A}, n)$ in a ${Send}_{1}$ oracle call. If $Π_{A}^{i}$ and $Π_{B}^{j}$ accept the protocol execution and their session keys are not replaced by a random value in the experiment ${Exp}_{2}$ , we give a random $l_{h}$ -bit value to them as a session key.

Lemma 7.

For any polynomial time adversary $A$ who asks at most $q_{S}$ Send queries, one has $Adv (A, 2) = Adv (A, 3)$ .

Proof.

It is clear that the advantage of $A$ in ${Exp}_{3}$ is identical with its advantage in ${Exp}_{2}$ since the only way to distinguish two experiments is recovering the random value as discussed in Lemma 6.

Experiment ${Exp}_{4}$ . In this experiment, we consider the case where an instance $Π_{A}^{i}$ (or $Π_{B}^{j}$ ) receives an adversary-generated message in a ${Send}_{2}$ (or ${Send}_{1}$ ) oracle call. If $Π_{A}^{i}$ (or $Π_{B}^{j}$ ) accepts the protocol execution, we stop the experiment and the adversary is said to have succeeded. Note that the modification of the experiment certainly improves the adversary's advantage.

Lemma 8.

For any polynomial time adversary $A$ , one has the following relation: $Adv (A, 3) \leq Adv (A, 4)$ .

Proof.

Note that, in ${Exp}_{4}$ , the adversary $A$ can obtain more information than in ${Exp}_{3}$ . Hence, it is obvious that $Adv (A, 4)$ is greater than $Adv (A, 3)$ .

It remains to show that the adversary's advantage in the last experiment is negligible.

Lemma 9.

For any polynomial time adversary $A$ who asks at most $q_{S} Send$ queries and $q_{H}$ random oracle queries, one has $Adv (A, 4)  \leq q_{S} / | D |  + q_{S} Ad v_{RSA} +  q_{S} q_{H} / ϕ (n)  + q_{S} / 2^{l_{h}}$ .

Proof.

We omit (Omitted proofs will be provided in the full-version of this paper.) the proof of Lemma 9, due to lack of space.

By combining Lemmas 5, 6, 7, 8, and 9, we obtain Theorem 10.

Theorem 10.

Let $A$ be a probabilistic polynomial time algorithm which asks at most $q_{E}$ Execute queries, $q_{S}$ Send queries, and $q_{H}$ Oracle queries for hash functions. Let $| D |$ be the size of password space $D$ . Then, one has

\begin{matrix} {A d v}_{R S A - P A K E, D}^{P A K E} (A) \leq \frac{q_{S}}{| D |} + q_{1} {A d v}_{R S A} + \frac{q_{2}}{ϕ (n)} + \frac{q_{S}}{2^{l_{h}}}, \end{matrix}

(5)

where

q_{1} = q_{E} + 3 q_{S}

and

q_{2} = (q_{E} + 3 q_{S}) q_{H}

Proof.

Note that, by Lemma 8, it is easy to see that $Adv (A, 0) \leq \sum_{i = 0}^{2} ‍ | Adv (A, i) - Adv (A, i + 1) | + Adv (A, 4)$ . By Lemmas 5, 6, 7, and 9, we have

\begin{matrix} A d v (A, 0) \leq \frac{q_{S}}{| D |} + q_{1} {A d v}_{R S A} + \frac{q_{2}}{ϕ (n)} + \frac{q_{S}}{2^{l_{h}}}, \end{matrix}

(6)

where

q_{1} = q_{E} + 3 q_{S}

and

q_{2} = (q_{E} + 3 q_{S}) q_{H}

. Since

{A d v}_{R S A - P A K E, D}^{P A K E} (A) = Adv (A, 0)

, we complete the proof of Theorem 10.

Note that Theorem 10 tells us that the proposed RSA-PAKE protocol is secure in terms of the security models described in Section 2.1 if the RSA problem is intractable.

5. Performance

In this section, we compare the proposed protocol with existing RSA-PAKE protocols, except the EPAKE protocol since the insecurity of that protocol has been discovered [11]. Let $C_{Exp}^{a}$ be the cost of an exponentiation under a 1024-bit modulo with an a-bit exponent, let $C_{MGen}^{a}$ be the cost of generating an a-bit RSA modulus, let $C_{PGen}^{a}$ be the cost of generating an a-bit prime, and let $C_{PVer}^{a}$ be the cost of verification of an a-bit prime. Note that $α C_{Exp}^{a} = C_{Exp}^{α a}$ . For comparison, we set $l_{n} = 1024$ , $l_{r} = l_{h} = 160$ , $l_{e_{1}} = 1025$ , $l_{e_{2}} = 96$ , and $l_{e} = 52$ . For determining the number of Miller-Rabin primary tests, we refer to [12]. Our protocol uses a 52-bit pseudoprime e which is indeed prime with probability $1 - 1 / 2^{l_{p}} (= 1 - 2^{- 41})$ , and so it suffices to perform the primary tests 37 times according to the formula given in [12].

We performed experiments under Windows XP Professional with a 3.4 GHz Pentium 4 processor. As seen in Table 1, our protocol provides very efficient key exchange compared with other RSA-PAKE protocols in terms of the computational complexity. The computational complexity of the party is reduced by 84.25% compared to the CEKEP protocol. Moreover, the proposed protocol can be implemented more efficiently by generating a prime before a key exchange protocol is initiated. The PEKEP is the most efficient RSA-PAKE protocol in terms of communication overhead. The size of the communicating message of our scheme is almost the same as that of the PEKEP and shorter than other protocols, and thus our protocol is also efficient in terms of the communication overhead.

Table 1

Performance comparison.

(a) Computational cost of client (low-power device holder).

	Parameters		Encryption		Execution time
	Operation	Time	Operation	Time	Total	Precomp.
SNAPI [3]	$C_{P V e r}^{1025}$	156.89 ms	$C_{E x p}^{1025}$	49.06 ms	205.95 ms	205.95 ms
PEKEP [7]	—	0 ms	${646 C}_{E x p}^{\| e \|}$ ( $e = 3$ )	188.31 ms	188.31 ms	188.31 ms
CEKEP [7]	—	0 ms	${50 C}_{E x p}^{\| e \|}$ ( $e = 3$ )	29.2 ms	29.2 ms	29.2 ms
Ours	$C_{P G e n}^{52}$	1.23 ms	$C_{E x p}^{52}$	3.37 ms	4.6 ms	3.37 ms

(b) Computational cost of server (powerful computing equipment holder).

	Parameters		Encryption		Execution time
	Operation	Time	Operation	Time	Total	Precomp.
SNAPI [3]	$C_{M G e n}^{1024}$	760.58 ms	$C_{E x p}^{1024}$	48.78 ms	809.36 ms	48.78 ms
PEKEP [7]	$C_{M G e n}^{1024}$	760.58 ms	${2 C}_{E x p}^{1024}$	97.56 ms	858.14 ms	97.56 ms
CEKEP [7]	$C_{M G e n}^{1024}$	760.58 ms	${3 C}_{E x p}^{1024}$	146.34 ms	906.92 ms	146.34 ms
Ours	$C_{M G e n}^{1024} + C_{P V e r}^{52}$	761.13 ms	$C_{E x p}^{1024}$	48.78 ms	809.91 ms	49.33 ms

(c) Communication overhead

	Transmitting messages		Rounds
	Components	Length	Rounds
SNAPI [3]	$2 l_{n} + l_{e_{1}} + 2 l_{r} + 2 l_{h}$	3713 bits	4
PEKEP [7]	$2 l_{n} + 2 l_{r} + 2 l_{h}$	2688 bits	4
CEKEP [7]	$3 l_{n} + 4 l_{r} + 2 l_{h}$	4032 bits	6
Ours	$2 l_{n} + l_{e} + 2 l_{r} + 2 l_{h}$	2740 bits	4

6. Conclusion

In this paper, we proposed an efficient RSA-PAKE protocol which is suitable for securing the communications conducted over imbalanced wireless networks and proved the security of our protocol in the random oracle model. Compared with other RSA-PAKE protocols, our protocol provides very efficient key exchange. In our protocol, the cost of a low-power device holder can be reduced by 84.25% compared with the CEKEP. Moreover, our protocol can be implemented more efficiently by pregenerating a prime before a key exchange protocol is initiated.

Footnotes

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgment

This research was supported by Next-Generation Information Computing Development Program through the National Research Foundation of Korea (NRF) funded by the Ministry of Science, ICT & Future Planning (Grant no. 2011-0029925).

References

Bao

Security analysis of a password authenticated key exchange protocol

2851

Proceedings of the 6th International Conference (ISC '03)

2003

Bristol, UK

Springer

208 217 Lecture Notes in Computer Science

Catalano

Pointcheval

Pornin

Trapdoor hard-to-invert group isomorphisms and their application to password-based authentication

Journal of Cryptology 2007 20 1 115 149

2-s2.0-33846879363

10.1007/s00145-006-0431-8

MacKenzie

Patel

Swaminathan

Password-authenticated key exchange based on RSA

1976

Proceedings of the 6th International Conference on the Theory and Application of Cryptology and Information Security (ASIACRYPT '00)

2000

Springer

599 613 Lecture Notes in Computer Science

Park

Nam

Kim

Won

Efficient password-authenticated key exchange based on RSA

4377

Proceedings of the Cryptographers' Track at the RSA Conference

2007

San Francisco, Calif, USA

Springer

309 323 Lecture Notes in Computer Science

Wong

D. S.

Chan

A. H.

Zhu

More efficient password authenticated key exchange based on RSA

2904

Proceedings of the 4th International Conference on Cryptology (INDOCRYPT '03)

2003

New Delhi, India

Springer

375 387 Lecture Notes in Computer Science

Zhang

Further analysis of password authenticated key exchange protocol based on RSA for imbalanced wireless networks

3225

Proceedings of the 7th International Conference (ISC '04)

2004

Palo Alto, Calif, USA

Springer

13 24 Lecture Notes in Computer Science

Zhang

New approaches to password authenticated key exchange based on RSA

3329

Proceedings of the 10th International Conference on the Theory and Application of Cryptology and Information Security

2004

Jeju Island, Republic of Korea

Springer

230 244 Lecture Notes in Computer Science

Zhu

Wong

D. S.

Chan

A. H.

Password authenticated key exchange based on RSA for imbalanced wireless networks

2433

Proceedings of the 5th International Conference (ISC '02)

2002

Sao Paulo, Brazil

Springer

150 161 Lecture Notes in Computer Science

Bellare

Pointcheval

Rogaway

Authenticated key exchange secure against dictionary attack

1807

Proceedings of the Eurocrypt

2000

Springer

139 155 Lecture Notes in Computer Science

10.

Rosen

K. H.

Elementary Number Theory and Its Applications 2000 4th

Boston, Mass, USA

Addison-Wesley

11.

Youn

T.-Y.

Park

Y.-H.

Kim

Lim

Weakness in a RSA-based password authenticated key exchange protocol

Information Processing Letters 2008 108 6 339 342

2-s2.0-53049102457

10.1016/j.ipl.2008.06.002

12.

Menezes

Oorschot

Vanstone

Handbook of Applied Cryptography 1997

Boca Raton, Fla, USA

CRC Press

Practical RSA-PAKE for Low-Power Device in Imbalanced Wireless Networks

Abstract

1. Introduction

2. Preliminary

2.1. Security Model

Definition 1.

2.2. Mathematical Background

Theorem 2.

Theorem 3.

3. Our RSA-PAKE Protocol

Step 1.

Step 2.

Step 3.

Step 4.

Step 5.

Remark 4.

4. Security Analysis

Lemma 5.

Proof.

Lemma 6.

Proof.

Lemma 7.

Proof.

Lemma 8.

Proof.

Lemma 9.

Proof.

Theorem 10.

Proof.

5. Performance

6. Conclusion

Footnotes

Conflict of Interests

Acknowledgment

References