

Title:
SYSTEM AND METHOD FOR COMPUTING COMMON SESSION KEYS IN A FORWARD SECURE IDENTITY-BASED AUTHENTICATED KEY EXCHANGE SCHEME
Document Type and Number:
WIPO Patent Application WO/2018/169489
Kind Code:
A1
Abstract:
This document describes a system and method for generating common session keys that each have strong forward security for encoding digital communications between devices. In particular, the system utilizes a forward secure identity-based authenticated key exchange scheme to allow two devices to verify the veracity of each device before these authenticated devices proceed to generate a common session key that is then utilized to encode digital communications between these two devices.

Inventors:
YANG YANJIANG (SG)
ZHANG BO (CN)
KANG XIN (SG)
Application Number:
PCT/SG2018/050113
Publication Date:
September 20, 2018
Filing Date:
March 14, 2018
Assignee:
HUAWEI INT PTE LTD (SG)
International Classes:
H04L9/08; H04L9/32
Other References:
RATNA DUTTA ET AL: "Overview of Key Agreement Protocols", INTERNATIONAL ASSOCIATION FOR CRYPTOLOGIC RESEARCH,, vol. 20051004:115124, 4 October 2005 (2005-10-04), pages 1 - 46, XP061001666
"Chapter 12: Key Establishment Protocols ED - Menezes A J; Van Oorschot P C; Vanstone S A", 1 October 1996 (1996-10-01), XP001525012, ISBN: 978-0-8493-8523-0, Retrieved from the Internet
Attorney, Agent or Firm:
ALLEN & GLEDHILL LLP (SG)
Claims:
CLAIMS:

1. A system for generating a common session key SK for encoding digital communications between a first device i and a second device j, comprising:

a secure server configured to:

generate a master secret key msk and a master public key mpk, wherein the master secret key msk corresponds to the master public key mpk;

generate a private key sk_i based on an identity id_i of the first device and generate a private key sk_j based on an identity id_j of the second device;

communicate the master public key mpk and the private key sk_i to the first device, and the master public key mpk and the private key sk_j to the second device;

the first device configured to:

compute a first element k_i based on a first random value a generated by the first device, and the master public key mpk;

communicate to the second device the first element k_i and the identity id_i of the first device;

the second device configured to:

compute a second element k_j based on a second random value b generated by the second device, and the master public key mpk;

compute signature σ_j by signing the first element k_i and the second element k_j using a signing function of an Identity Based Signature Scheme and the private key sk_j;

transmit to the first device the second element k_j and the signature σ_j;

the first device configured to:

verify the signature σ_j using a verification function of the Identity Based Signature Scheme and the identity of the second device id_j, and compute signature σ_i by signing the second element k_j using the signing function of the Identity Based Signature Scheme and the private key sk_i, when the signature σ_j is verified;

compute a common-secret cs_i based on the second element k_j, the master public key mpk, and the first random value a; and

generate the common session key SK by providing the common-secret cs_i to a Key Deriving Function.

2. The system according to claim 1 wherein the first device is further configured to communicate the signature σ_i to the second device, whereby the system further comprises:

the second device being configured to:

verify the signature σ_i using the verification function of the Identity Based Signature Scheme and the identity of the first device id_i, and when the signature σ_i is verified,

compute a common-secret cs_j based on the first element k_i, the master public key mpk, and the second random value b, and generate the common session key SK by providing the common-secret cs_j to the Key Deriving Function.

3. The system according to claims 1 or 2, wherein

the master public key mpk comprises (P, s·P) where P is a generator of cyclic group G1 with prime order q defined over an elliptic curve and s is a parameter obtained from the master secret key msk;

the first element k_i is defined as k_i = a·P;

the second element k_j is defined as k_j = b·P; and

the common-secret cs_i and the common secret cs_j are computed using a symmetric bilinear map e: G1 × G1 → G2 where G2 is a cyclic group with prime order q defined over the elliptic curve and cs_i is defined as cs_i = e(b·P, s·P)^a and cs_j is defined as cs_j = e(a·P, s·P)^b.

4. The system according to claim 3 wherein the secure server is further configured to:

receive all communications and transmissions exchanged between the first and second devices;

compute a common-secret cs_kgc based on the first element k_i, the second element k_j and a parameter s obtained from the master secret key msk wherein the common-secret cs_kgc is defined as cs_kgc = e(a·P, b·P)^s.

5. The system according to claims 1 or 2 wherein

the master public key mpk comprises (s·Q, Q, P), where P is a generator of cyclic group G1 with prime order q defined over an elliptic curve, Q is a generator of cyclic group G2 with prime order q and s is a parameter obtained from the master secret key msk;

the first element k_i is defined as k_i = a·P;

the second element k_j is defined as k_j = (b·P, b·Q); and

the common-secret cs_i and the common secret cs_j are computed using an asymmetric bilinear map e: G1 × G2 → G where G is cyclic group with prime order q defined over the elliptic curve, and cs_i is defined as cs_i = e(b·P, s·Q)^a and cs_j is defined as cs_j = e(a·P, s·Q)^b.

6. The system according to claim 5 wherein the secure server is further configured to:

receive all communications and transmissions exchanged between the first and second devices; and

compute a common-secret cs_kgc based on the first element k_i, a part of the second element k_j and a parameter s obtained from the master secret key msk and the common-secret cs_kgc is defined as cs_kgc = e(a·P, b·Q)^s.

7. A system for generating a common session key SK for encoding digital communications between a first device i and a second device j, comprising:

a secure server configured to:

generate a master secret key msk and a master public key mpk, wherein the master secret key msk corresponds to the master public key mpk;

generate a private key sk_i based on an identity id_i of the first device and generate a private key sk_j based on an identity id_j of the second device;

communicate the master public key mpk and the private key sk_i to the first device, and the master public key mpk and the private key sk_j to the second device;

the first device configured to:

compute a first element k_i based on a first random value a generated by the first device, and the private key sk_i;

communicate to the second device the first element k_i and the identity id_i of the first device;

the second device configured to:

compute a second element k_j based on a second random value b generated by the second device, and the first element k_i;

compute a signature σ_j by signing a part of the first element k_i and the second element k_j using a signing function of a self-certified Identity Based Signature Scheme and the private key sk_j;

transmit to the first device the second element k_j and the signature σ_j;

the server configured to:

verify the signature σ_j using a verification function of the self-certified Identity Based Signature Scheme and the identity of the second device id_j, and

compute signature σ_i by signing a part of the second element k_j and a part of the private key sk_j as combined with the random value a using the signing function of the self-certified Identity Based Signature Scheme and the private key sk_i, when the signature σ_j is verified;

compute a common-secret cs_i by providing the master public key mpk, the first random value a, the identity of the second device id_j, a part of the private key sk_j, the second element k_j and a part of the private key sk_i to a two input function f( ); and

generate the common session key SK by providing the common-secret cs_i to a Key Deriving Function.

8. The system according to claim 7 wherein the first device is further configured to communicate the part of the private key sk as combined with the random value a and the signature σ_i to the second device, whereby the system further comprises:

the second device being configured to:

verify the signature σ_i using the verification function of the self-certified Identity Based Signature Scheme and the identity of the first device id_i, and when the signature σ_i is verified,

compute a common-secret cs_j by providing the master public key mpk, the second random value b, the identity of the first device id_i, the first element k_i, a part of the private key sk_j and the communicated part of the private key sk_j as combined with the random value a to a two input function f( ); and

generate the common session key SK by providing the common-secret cs_j to a Key Deriving Function.

9. The system according to any one of claims 7 or 8, wherein

the master public key mpk comprises g^x where g is a generator of a cyclic multiplicative group G and x is a parameter obtained from the master secret key msk;

the private key sk_i is defined as sk_i = (R_i = g^(r_i), s_i = r_i + x·H(R_i, id_i)) and the private key sk_j is defined as sk_j = (R_j = g^(r_j), s_j = r_j + x·H(R_j, id_j)) where r_i and r_j are random numbers and H() is a collision-resistant hash function;

the first element k_i is defined as k_i = (R_i, g^a);

the second element k_j is defined as k_j = (R_i^b, g^b);

the two input function f( ) comprises a concatenation function or an exclusive-OR function where cs_i is defined as cs; = (#")s7 ft and cs_j is defined as

10. The system according to claim 9 wherein the secure server is further configured to:

receive all communications and transmissions exchanged between the first and second devices; and

compute a common-secret cs_kgc by providing the master secret key msk, a part of the first element k_i, the identity of the second device id_j with a part of the private key sk_j, a part of the second element k_j, the identity of the first device id_i with a part of the private key sk_j, to a two input function f( ) wherein the common-secret cs_kgc is defined as cskgc = Rj) yb.hiidj,

11. A system for generating a common session key SK for encoding digital communications between a first device i and a second device j, comprising:

a secure server configured to:

generate a master secret key msk and a master public key mpk, wherein the master secret key msk corresponds to the master public key mpk;

generate a private key sk_i based on an identity id_i of the first device and generate a private key sk_j based on an identity id_j of the second device;

communicate the master public key mpk and the private key sk_i to the first device, and the master public key mpk and the private key sk_j to the second device;

the first device configured to:

compute a first element k_i based on a first random value a generated by the first device;

communicate to the second device the first element k_i and the identity id_i of the first device;

the second device configured to:

compute an element u_j based on the first element k_i and on a second random value b generated by the second device;

compute a second element k_j based on the element u_j and the second random value b;

generate a signature σ_j by signing the first element k_i and the second element k_j using a signing function of a self-certified Identity Based Signature Scheme and the private key sk_j;

transmit to the first device the second element k_j and the signature σ_j;

the first device configured to:

verify the signature σ_j using a verification function of the self-certified Identity Based Signature Scheme and the identity of the second device id_j, and compute a signature σ_i by signing a part of the second element k_j using the signing function of the self-certified Identity Based Signature Scheme and the private key sk_i, when the signature is verified;

compute an element u_i based on the part of the second element k_j and the first random value a;

compute a common-secret cs_i based on the element u_i and the master public key mpk; and

generate the common session key SK by providing the common-secret cs_i to a Key Deriving Function.

12. The system according to claim 11 wherein the first device is further configured to communicate the signature σ_i to the second device, whereby the system further comprises:

the second device being configured to:

verify the signature σ_i using the verification function of the self-certified Identity Based Signature Scheme and the identity of the first device id_i, and when the signature σ_i is verified,

compute a common-secret cs_j based on the element u_j and the master public key mpk; and

generate the common session key SK by providing the common-secret cs_j to the Key Deriving Function.

13. The system according to any one of claims 11 or 12, wherein

the master public key mpk comprises g^x where g is a generator of a cyclic multiplicative group G and x is a parameter obtained from the master secret key msk;

the first element k_i is defined as k_i = g^a;

the second element k_j is defined as k_j = (U, g^b) where U is defined as U = g^(u_j), and the element u_j is defined as u_j = g^(ab);

the common-secret cs_i is defined as cs_i = g^(x·u_i) and the common secret cs_j is defined as cs_j = g^(x·u_j) where the element u_i is defined as u_i = g^(ab).

14. The system according to claim 13 wherein the secure server is further configured to:

receive all communications and transmissions exchanged between the first and second devices;

compute a common-secret cs_kgc based on the element u_j or the element u_i and a parameter x obtained from the master secret key msk wherein cs_kgc is defined as cs_kgc = U^x.
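
The exchange of claims 11 to 14, run end to end as an added example (not code from the patent or its applicant). Assumptions: a toy group Z_p^* with p = 2^255 - 19 and g = 2, a Schnorr-style signature over the self-certified key form of claims 9 and 23 standing in for the unspecified signing function, HMAC-SHA256 as the Key Deriving Function, and the g^b component as the signed "part" of k_j; all function names are illustrative.

```python
import hashlib
import hmac
import secrets

# Toy parameters (assumption, demo only): Z_p^* with p = 2^255 - 19 and g = 2.
P = 2**255 - 19
N = P - 1            # exponents can be reduced mod p-1 (Fermat's little theorem)
G = 2


def H(*parts) -> int:
    """Hash values to an exponent; stands in for the claims' hash function H()."""
    h = hashlib.sha256()
    for part in parts:
        data = str(part).encode()
        h.update(len(data).to_bytes(4, "big") + data)
    return int.from_bytes(h.digest(), "big") % N


def rand_exp() -> int:
    return secrets.randbelow(N - 1) + 1


def setup():
    """Server: msk = x, mpk = g^x."""
    x = rand_exp()
    return x, pow(G, x, P)


def extract(x: int, identity: str):
    """Server: sk = (R = g^r, s = r + x*H(R, id)), the key form of claims 9 and 23."""
    r = rand_exp()
    R = pow(G, r, P)
    return R, (r + x * H(R, identity)) % N


def sign(sk, msg):
    """Schnorr-style signature under s (assumed signing function)."""
    R, s = sk
    t = rand_exp()
    T = pow(G, t, P)
    return R, T, (t + H(T, R, msg) * s) % N


def verify(mpk: int, identity: str, msg, sig) -> bool:
    """Rebuild g^s from (R, id, mpk) alone, then check the Schnorr equation."""
    R, T, z = sig
    pk = R * pow(mpk, H(R, identity), P) % P
    return pow(G, z, P) == T * pow(pk, H(T, R, msg), P) % P


def kdf(cs: int) -> bytes:
    """Stand-in Key Deriving Function: HMAC-SHA256 with a fixed label."""
    return hmac.new(b"fs-ibake-demo", cs.to_bytes(32, "big"), hashlib.sha256).digest()


def run_exchange(id_i: str = "device-i", id_j: str = "device-j") -> dict:
    x, mpk = setup()
    sk_i, sk_j = extract(x, id_i), extract(x, id_j)

    # Device i -> j: k_i = g^a, id_i
    a = rand_exp()
    k_i = pow(G, a, P)

    # Device j: u_j = k_i^b = g^(ab), U = g^(u_j), k_j = (U, g^b), sigma_j
    b = rand_exp()
    u_j = pow(k_i, b, P)
    k_j = (pow(G, u_j, P), pow(G, b, P))
    sigma_j = sign(sk_j, (k_i, k_j))

    # Device i: verify sigma_j, sign the g^b part of k_j, derive cs_i
    if not verify(mpk, id_j, (k_i, k_j), sigma_j):
        raise ValueError("sigma_j rejected")
    sigma_i = sign(sk_i, k_j[1])
    u_i = pow(k_j[1], a, P)
    cs_i = pow(mpk, u_i, P)

    # Device j: verify sigma_i, derive cs_j
    if not verify(mpk, id_i, k_j[1], sigma_i):
        raise ValueError("sigma_i rejected")
    cs_j = pow(mpk, u_j, P)

    # Server (claim 14): only x and the observed U are needed
    cs_kgc = pow(k_j[0], x, P)

    return {"SK_i": kdf(cs_i), "SK_j": kdf(cs_j), "SK_kgc": kdf(cs_kgc)}


if __name__ == "__main__":
    keys = run_exchange()
    print({name: key.hex()[:16] for name, key in keys.items()})
```

The three derived keys are equal: the two devices agree on SK, and the server recovers the same value from the transmitted U and its own x without knowing a or b, which is the property claim 14 describes.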

15. A system for generating a common session key SK for encoding digital communications between a first device i and a second device j, comprising:

a secure server configured to:

generate a master secret key msk and a master public key mpk, wherein the master secret key msk corresponds to the master public key mpk;

generate a private key sk_i based on an identity id_i of the first device and generate a private key sk_j based on an identity id_j of the second device;

communicate the master public key mpk and the private key sk_i to the first device, and the master public key mpk and the private key sk_j to the second device;

the first device configured to:

compute a first element k_i based on a first random value a generated by the first device, and the master public key mpk;

compute signature σ_i by signing the first element k_i using a signing function of an Identity Based Signature Scheme and the private key sk_i;

communicate to the second device the signature σ_i, the first element k_i and the identity id_i of the first device;

the second device configured to:

verify the signature σ_i using a verification function of the Identity Based Signature Scheme and the identity of the first device id_i;

compute a second element k_j based on a second random value b generated by the second device, and the master public key mpk, when the signed first element k_i is verified;

compute a signature σ_j by signing the first element k_i and the second element k_j using the signing function of the Identity Based Signature Scheme and the private key sk_j;

transmit to the first device the second element k_j and the signature σ_j;

the first device configured to:

verify the signature σ_j using the verification function of the Identity Based Signature Scheme and the identity of the second device id_j and compute a common-secret cs_i based on the second element k_j, the master public key mpk, and the first random value a, when the signature σ_j is verified;

generate a verification key vk_i by providing the common-secret cs_i to a Key Deriving Function;

compute a verification data vd_i by providing the verification key vk_i to an Authentication Data Deriving function (AdDF); and

generate the common session key SK by providing the common-secret cs_i to a Key Deriving Function.

16. The system according to claim 15 wherein the first device is further configured to communicate the verification data vd_i to the second device, whereby the system further comprises:

the second device being configured to:

compute a common-secret cs_j based on the first element k_i, the master public key mpk, and the second random value b;

generate a verification key vk_j by providing the common-secret cs_j to the Key Deriving Function;

compute a verification data vd_j by providing the verification key vk_j to the Authentication Data Deriving function (AdDF);

determine if the verification data vd_i matches with the verification data vd_j; and

generate the common session key SK by providing the common-secret cs_j to a Key Deriving Function, when the verification data vd_i matches with the verification data vd_j.

17. The system according to claims 15 or 16, wherein

the master public key mpk comprises (P, s·P) where P is a generator of cyclic group G1 with prime order q and s is a parameter obtained from the master secret key msk;

the first element k_i is defined as k_i = a·P;

the second element k_j is defined as k_j = b·P; and

the common-secret cs_i and the common secret cs_j are computed using a symmetric bilinear map e: G1 × G1 → G2 where G2 is a cyclic group with prime order q and where cs_i is defined as cs_i = e(s·P, b·P)^a and cs_j is defined as cs_j = e(s·P, a·P)^b.

18. The system according to claim 17 wherein the secure server is further configured to:

receive all communications and transmissions exchanged between the first and second devices;

compute a common-secret cs_kgc based on the first element k_i, the second element k_j and a parameter s obtained from the master secret key msk wherein the common-secret cs_kgc is defined as cs_kgc = e(a·P, b·P)^s.

19. The system according to claims 15 or 16, wherein

the master public key mpk comprises (s·Q, Q, P), where P is a generator of cyclic group G1 with prime order q, Q is a generator of cyclic group G2 with prime order q and s is a parameter obtained from the master secret key msk;

the first element k_i is defined as k_i = a·P;

the second element k_j is defined as k_j = (b·P, b·Q); and

the common-secret cs_i and the common secret cs_j are computed using an asymmetric bilinear map e: G1 × G2 → G where cs_i is defined as cs_i = e(b·P, s·Q)^a and cs_j is defined as cs_j = e(a·P, s·Q)^b.

20. The system according to claim 19 wherein the secure server is further configured to:

receive all communications and transmissions exchanged between the first and second devices;

compute a common-secret cs_kgc based on the first element k_i, a part of the second element k_j and a parameter s obtained from the master secret key msk wherein the common-secret cs_kgc is defined as cs_kgc = e(a·P, b·Q)^s.

21. A system for generating a common session key SK for encoding digital communications between a first device i and a second device j, comprising:

a secure server configured to:

generate a master secret key msk and a master public key mpk, wherein the master secret key msk corresponds to the master public key mpk;

generate a private key sk_i based on an identity id_i of the first device and generate a private key sk_j based on an identity id_j of the second device;

communicate the master public key mpk and the private key sk_i to the first device, and the master public key mpk and the private key sk_j to the second device;

the first device configured to:

compute a first element k_i based on a first random value a generated by the first device, and the private key sk_i;

compute a signature σ_i by signing the first element k_i using a signing function of a self-certified Identity Based Signature Scheme and the private key sk_i;

communicate to the second device the signature σ_i, the first element k_i and the identity id_i of the first device;

the second device configured to:

verify the signature σ_i using a verification function of the self-certified Identity Based Signature Scheme and the identity of the first device id_i, and compute a second element k_j based on a second random value b generated by the second device, and the first element k_i, when the signature σ_i is verified;

compute a signature σ_j by signing a part of the first element k_i and the second element k_j using the signing function of the self-certified Identity Based Signature Scheme and the private key sk_j;

transmit to the first device the second element k_j and the signature σ_j;

the first device configured to:

verify the signature σ_j using the verification function of the self-certified Identity Based Signature Scheme and the identity of the second device id_j;

compute a common-secret cs_i by providing the master public key mpk, the first random value a, the identity of the second device id_j, a part of the private key sk_j, the second element k_j and a part of the private key sk_i to a two input function f( ), when the signature σ_j is verified;

generate a verification key vk_i by providing the common-secret cs_i to a Key Deriving Function;

compute a verification data vd_i by providing the verification key vk_i to an Authentication Data Deriving function (AdDF); and

generate the common session key SK by providing the common-secret cs_i to a Key Deriving Function.

22. The system according to claim 21 wherein the first device is further configured to communicate the verification data vd_i and the part of the private key sk as combined with the random value a to the second device, whereby the system further comprises:

the second device being configured to:

compute a common-secret cs_j by providing the master public key mpk, the second random value b, the identity of the first device id_i, the first element k_i, the private key sk_j and the communicated part of the private key sk_j as combined with the random value a to a two input function f( );

generate a verification key vk_j by providing the common-secret cs_j to the Key Deriving Function;

compute a verification data vd_j by providing the verification key vk_j to the Authentication Data Deriving function (AdDF);

determine if the verification data vd_i matches with the verification data vd_j; and

generate the common session key SK by providing the common-secret cs_j to a Key Deriving Function, when the verification data vd_i matches with the verification data vd_j.

23. The system according to claims 21 or 22, wherein

the master public key mpk comprises g^x where g is a generator of a cyclic multiplicative group G and x is a parameter obtained from the master secret key msk;

the private key sk_i is defined as sk_i = (R_i = g^(r_i), s_i = r_i + x·H(R_i, id_i)) and the private key sk_j is defined as sk_j = (R_j = g^(r_j), s_j = r_j + x·H(R_j, id_j)) where r_i and r_j are random numbers and H() is a collision-resistant hash function;

the first element k_i is defined as k_i = (g^a);

the second element k_j is defined as k_j = (R_i^b, g^b);

the two input function f( )comprises a concatenation function or an exclusive-OR function where cs, is defined as cst = f(yaHidj.Rj)i (9 ) 1 j ϋ) and csj is defined as

/ Ri

CSj = yb ai,Ri)i ^a)s ^a) .

24. The system according to claim 23 wherein the secure server is further configured to:

receive all communications and transmissions exchanged between the first and second devices; and

compute a common-secret cs_kgc by providing the master secret key msk, the first element k_i, the identity of the second device id_j with a part of the private key sk_j, a part of the second element k_j, the identity of the first device id_i with a part of the private key sk_i, to a two input function f( ) wherein the common-secret cs_kgc is defined as cskgc = f[ya'h{ldr

Rj) yb.h{idi, Rj)

25. A system for generating a common session key SK for encoding digital communications between a first device i and a second device j, comprising:

a secure server configured to:

generate a master secret key msk and a master public key mpk, wherein the master secret key msk corresponds to the master public key mpk;

generate a private key sk_i based on an identity id_i of the first device and generate a private key sk_j based on an identity id_j of the second device;

communicate the master public key mpk and the private key sk_i to the first device, and the master public key mpk and the private key sk_j to the second device;

the first device configured to:

compute a first element k_i based on a first random value a generated by the first device;

compute signature σ_i by signing the first element k_i using a signing function of a self-certified Identity Based Signature Scheme and the private key sk_i;

communicate to the second device the signature σ_i, the first element k_i and the identity id_i of the first device;

the second device configured to:

verify the signature σ_i using a verification function of the self-certified Identity Based Signature Scheme and the identity of the first device id_i, and compute an element u_j based on the first element k_i and on a second random value b generated by the second device, when the signature σ_i is verified;

compute a second element k_j based on the element u_j and the second random value b;

compute signature σ_j by signing the first element k_i and the second element k_j using the signing function of the self-certified Identity Based Signature Scheme and the private key sk_j;

transmit to the first device the second element k_j and the signature σ_j;

the first device configured to:

verify the signature σ_j using the verification function of the self-certified Identity Based Signature Scheme and the identity of the second device id_j, and compute an element u_i based on a part of the second element k_j and the first random value a, when the signature is verified;

compute a common-secret cs_i based on the element u_i and the master public key mpk;

generate a verification key vk_i by providing the common-secret cs_i to a Key Deriving Function;

compute a verification data vd_i by providing the verification key vk_i to an Authentication Data Deriving function (AdDF); and

generate the common session key SK by providing the common-secret cs_i to a Key Deriving Function.

26. The system according to claim 25 wherein the first device is further configured to communicate the verification data vd_i to the second device, whereby the system further comprises:

the second device being configured to:

compute a common-secret cs_j based on the element u_j and the master public key mpk;

generate a verification key vk_j by providing the common-secret cs_j to the Key Deriving Function;

compute a verification data vd_j by providing the verification key vk_j to the Authentication Data Deriving function (AdDF);

determine if the verification data vd_i matches with the verification data vd_j; and

generate the common session key SK by providing the common-secret cs_j to a Key Deriving Function, when the verification data vd_i matches with the verification data vd_j.

27. The system according to claims 25 or 26, wherein

the master public key mpk comprises g^x where g is a generator of a cyclic multiplicative group G and x is a parameter obtained from the master secret key msk;

the first element k_i is defined as k_i = g^a;

the second element k_j is defined as k_j = (U, g^b) where U is defined as U = g^(u_j), and the element u_j is defined as u_j = g^(ab);

the common-secret cs_i is defined as cs_i = g^(x·u_i) and the common secret cs_j is defined as cs_j = g^(x·u_j) where the element u_i is defined as u_i = g^(ab).

28. The system according to claim 27 wherein the secure server is further configured to:

receive all communications and transmissions exchanged between the first and second devices;

compute a common-secret cs_kgc based on the element u_j or the element u_i and a parameter x obtained from the master secret key msk wherein the common-secret cs_kgc is defined as cs_kgc = U^x.

29. A method for generating a common session key SK for encoding digital communications between a first device i and a second device j, comprising:

generating, by a secure server, a master secret key msk and a master public key mpk, wherein the master secret key msk corresponds to the master public key mpk, a private key sk_i based on an identity id_i of the first device, a private key sk_j based on an identity id_j of the second device, and communicating the master public key mpk and the private key sk_i to the first device, and the master public key mpk and the private key sk_j to the second device;

receiving a first element k_i and a first random value a from the first device; wherein the first element k_i is computed based on the first random value a generated by the first device;

receiving second element k_j and a second random value b from the second device; wherein the second element k_j is computed based on the second random value b generated by the second device;

computing a common-secret cs_kgc based on the first element k_i, the second element k_j, the first random value a, the second random value b and a parameter s obtained from the master secret key msk.

30. The method according to claim 29, wherein

the master public key mpk comprises (P, s·P) where P is a generator of cyclic group G1 with prime order q defined over an elliptic curve;

the first element k_i is defined as k_i = a·P; and

the second element k_j is defined as k_j = b·P.

31. The method according to claim 29, wherein

the master public key mpk comprises (s·Q, Q, P), where P is a generator of cyclic group G1 with prime order q defined over an elliptic curve, and Q is a generator of cyclic group G2 with prime order q;

the first element k_i is defined as k_i = a·P; and

the second element k_j is defined as k_j = (b·P, b·Q).

32. A server for generating a common session key SK for encoding digital communications between a first device i and a second device j, comprising:

a processor; and

a non-transitory media readable by the processor, the non-transitory media storing instructions that when executed by the processor, cause the processor to:

generate a master secret key msk and a master public key mpk, wherein the master secret key msk corresponds to the master public key mpk, a private key sk_i based on an identity id_i of the first device, a private key sk_j based on an identity id_j of the second device, and communicating the master public key mpk and the private key sk_i to the first device, and the master public key mpk and the private key sk_j to the second device;

receive a first element k_i and a first random value a from the first device; wherein the first element k_i is computed based on the first random value a generated by the first device;

receive second element k_j and a second random value b from the second device; wherein the second element k_j is computed based on the second random value b generated by the second device;

compute a common-secret cs_kgc based on the first element k_i, the second element k_j, the first random value a, the second random value b and a parameter s obtained from the master secret key msk.

33. A method for generating a common session key SK for encoding digital communications between a first device i and a second device j, comprising:

receiving, by the first device, a master public key mpk and a private key sk_i from a secure server;

computing, by the first device, a first element k_i based on a first random value a generated by the first device, and the master public key mpk;

communicating, by the first device, to the second device the first element k_i and the identity id_i of the first device;

receiving a second element k_j and a signature σ_j from the second device;

verifying, by the first device, the signature σ_j using a verification function of the Identity Based Signature Scheme and the identity of the second device id_j, and compute signature σ_i by signing the second element k_j using the signing function of the Identity Based Signature Scheme and the private key sk_j, when the signature σ_j is verified;

computing, by the first device, a common-secret cs_i based on the second element k_j, the master public key mpk, and the first random value a; and

generating, by the first device, the common session key SK by providing the common-secret cs_i to a Key Deriving Function.

34. The method according to claim 33 wherein

the master public key mpk comprises (s·Q, Q, P), where P is a generator of cyclic group G_1 with prime order q defined over an elliptic curve, Q is a generator of cyclic group G_2 with prime order q and s is a parameter obtained from the master secret key msk;

the first element k_i is defined as k_i = a·P;

the common-secret cs_i is computed using an asymmetric bilinear map e: G_1 × G_2 → G where G is cyclic group with prime order q defined over the elliptic curve, and cs_i is defined as cs_i = e(b·P, s·Q)^a.

35. The method according to claim 33, wherein

the master public key mpk comprises (P, s·P) where P is a generator of cyclic group G_1 with prime order q defined over an elliptic curve and s is a parameter obtained from the master secret key msk;

the first element k_i is defined as k_i = a·P; and

the common-secret cs_i is computed using a symmetric bilinear map e: G_1 × G_1 → G_2 where G_2 is a cyclic group with prime order q defined over the elliptic curve and cs_i is defined as cs_i = e(b·P, s·P)^a.

36. A first device i for generating a common session key SK for encoding digital communications between the first device i and a second device j, comprising:

a processor; and

a non-transitory media readable by the processor, the non-transitory media storing instructions that when executed by the processor, cause the processor to:

receive, by the first device, a master public key mpk and a private key sk_i from a secure server;

compute, by the first device, a first element k_i based on a first random value a generated by the first device, and the master public key mpk;

communicate, by the first device, to the second device the first element k_i and the identity id_i of the first device;

receive a second element k_j and a signature σ_j from the second device; verify, by the first device, the signature σ_j using a verification function of the Identity Based Signature Scheme and the identity of the second device id_j, and compute signature σ_i by signing the second element k_j using the signing function of the Identity Based Signature Scheme and the private key sk_i, when the signature σ_j is verified; compute, by the first device, a common-secret cs_i based on the second element k_j, the master public key mpk, and the first random value a; and

generate, by the first device, the common session key SK by providing the common-secret cs_i to a Key Deriving Function.

37. A method for generating a common session key SK for encoding digital communications between a first device i and a second device j, comprising:

receiving, by the second device, a master public key mpk and a private key from a secure server;

receiving a first element k_i and the identity id_i of the first device from the first device i;

compute a second element k_j based on a second random value b generated by the second device, and the master public key mpk;

compute signature σ_j by signing the first element k_i and the second element k_j using a signing function of an Identity Based Signature Scheme and the private key sk_j; transmit to the first device the second element k_j and the signature σ_j; receiving a signature σ_i from the first device;

verifying, by the second device, the signature σ_i using the verification function of the Identity Based Signature Scheme and the identity of the first device id_i, and when the signature σ_i is verified,

computing a common-secret cs_j based on the first element k_i, the master public key mpk, and the second random value b, and generating the common session key SK by providing the common-secret cs_j to the Key Deriving Function.

38. The method according to claim 37, wherein

the master public key mpk comprises (P, s·P) where P is a generator of cyclic group G_1 with prime order q defined over an elliptic curve and s is a parameter obtained from the master secret key msk;

the second element k_j is defined as k_j = b·P; and

the common secret cs_j is computed using a symmetric bilinear map e: G_1 × G_1 → G_2 where G_2 is a cyclic group with prime order q defined over the elliptic curve and cs_j is defined as cs_j = e(a·P, s·P)^b.

39. The method according to claim 37 wherein the master public key mpk comprises (s·Q, Q, P), where P is a generator of cyclic group G_1 with prime order q defined over an elliptic curve, Q is a generator of cyclic group G_2 with prime order q and s is a parameter obtained from the master secret key msk;

the second element k_j is defined as k_j = (b·P, b·Q); and

the common secret cs_j is computed using an asymmetric bilinear map e: G_1 × G_2 → G where G is cyclic group with prime order q defined over the elliptic curve, and cs_j is defined as cs_j = e(a·P, s·Q)^b.

40. A second device j for generating a common session key SK for encoding digital communications between the first device i and the second device j, comprising:

a processor; and

a non-transitory media readable by the processor, the non-transitory media storing instructions that when executed by the processor, cause the processor to:

receiving, by the second device, a master public key mpk and a private key from a secure server;

receiving a first element k_i and the identity id_i of the first device from the first device i; compute a second element k_j based on a second random value b generated by the second device, and the master public key mpk;

compute signature σ_j by signing the first element k_i and the second element k_j using a signing function of an Identity Based Signature Scheme and the private key sk_j;

transmit to the first device the second element k_j and the signature σ_j;

receive a signature σ_i from the first device;

verify, by the second device, the signature σ_i using the verification function of the Identity Based Signature Scheme and the identity of the first device id_i, and when the signature σ_i is verified,

compute a common-secret cs_j based on the first element k_i, the master public key mpk, and the second random value b, and generating the common session key SK by providing the common-secret cs_j to the Key Deriving Function.

Description:
SYSTEM AND METHOD FOR COMPUTING COMMON SESSION KEYS IN A FORWARD SECURE IDENTITY-BASED AUTHENTICATED KEY EXCHANGE SCHEME

Field of the Invention

This invention relates to a system and method for generating common session keys that each have strong forward security for encoding digital communications between devices. In particular, the system utilizes a forward secure identity-based authenticated key exchange scheme to allow two devices to verify the veracity of each device before these authenticated devices proceed to generate a common session key that is then utilized to encode digital communications between these two devices.

Summary of the Prior Art

Due to a convergence of multiple technologies, an ever increasing number of devices are now able to seamlessly communicate wirelessly with the Internet or wirelessly exchange communications between themselves. This convergence has resulted in the vision of the Internet of Things (IoT) gaining more traction through recent years. In the Internet of Things, millions of entities or devices (i.e. Things) will be connected to one another. These devices, which comprise devices or entities such as smart chips, smart plugs, smart watches, smart phones, smart vehicles, smart buildings, etc., either communicate directly with one another or via the Internet.

As the Internet of Things spreads into more areas, these devices become more prone to cyber-attacks from hackers or unauthorized users as a compromised device would grant a malicious user access to the network to which the device belongs. Hence, it is of utmost importance that a security protocol be set in place to allow one entity to verify the authenticity of a peer entity, with which it communicates, before data is exchanged between these two entities. In addition to the above, once the authenticity of the entities has been verified, a common secret key known to only these two entities has to be established to facilitate the signing of data messages between these entities. This is to ensure that data communicated between these two entities will not be compromised even if the data were intercepted or redirected.

A common method of establishing a secret key for signing data communications between entities involves the pre-sharing of a common symmetric secret key between the relevant parties. For such a method, data messages that are to be transmitted between the entities will be signed using this pre-shared or pre-agreed-upon secret key. If the receiving entity is able to decrypt the received message using this pre-shared secret key, this implies that the authenticity of the sender has been verified and the receiver may then proceed to process the decrypted message accordingly. Unfortunately, this method is not scalable and is quite inflexible as it requires the common secret to be pre-shared or communicated to all trusted entities or devices before the entities or devices may communicate with one another. In the IoT setting, the high mobility of devices is a norm and devices that are required to exchange data with one another may not have had the opportunity to establish a secret key beforehand.

Another approach that has been proposed utilizes public key infrastructure (PKI) based solutions whereby key-pairs allocated to each authorized entity are bound to its holders by means of a public key certificate. The key pair then utilizes a public key cryptosystem such as public-key encryption or digital signature methodologies to sign data messages or to verify the authenticity of a sender by validating the public key certificate of the sender. The setup and maintenance of such public key infrastructures are notoriously expensive and require entities to constantly maintain contact with a PKI server to validate the respective public key certificates.

Yet another approach that has been proposed utilizes identity based cryptography methodologies to authenticate entities and to sign data messages. Such identity based cryptosystems are special public key cryptosystems, which are based on bilinear pairing and utilize an entity's identity, such as user name, email address, telephone number, IP address, etc. as the public key and a corresponding private key is then derived from the entity's identity by a Key Generation Centre (KGC) which contains a master secret key, which is utilized in the generation of private keys for entities.

It is quite challenging for identity based signature schemes having authenticated key exchange protocols to possess both strong forward security and escrow of session keys to an approved KGC. As a result, those skilled in the art have proposed various schemes to address this.

One of the approaches proposed by those skilled in the art involves a tailored construction, which does not directly make use of the signing or encryption functionality of identity-based cryptography to authenticate entities and to exchange keys. In this tailored construction, escrow of the common session keys is achieved because the Key Generation Centre (KGC) is able to compute the users' private keys that were generated by the Key Generation Centre. The downside to this approach is that only weak forward security is achievable. Another method that has been proposed utilizes an explicit escrow approach whereby the escrow agent (i.e. the KGC) is configured to have an extra key pair for public key encryption such that the common session keys are encrypted under the escrow agent's public key and in transmission together with other key exchange messages between users. The downside to this approach is that it is difficult for any party (except the encryptor) to check whether the escrowed object is indeed an encryption of the secret session key to be established.

For the above reasons, those skilled in the art are constantly striving to come up with a system and method to generate common session keys for users of an identity based signature scheme whereby the generated common session keys have strong forward security and the session keys must be able to be computed by the KGC when required.

Summary of the Invention

The above and other problems are solved and an advance in the art is made by systems and methods provided by embodiments in accordance with the invention.

A first advantage of embodiments of systems and methods in accordance with the invention is that the common session keys generated in accordance with the invention are able to achieve strong forward security. Further, the invention allows the generated common session keys to be escrowed to an authorized Key Generation Centre.

A second advantage of embodiments of systems and methods in accordance with the invention is that the invention may be executed using general identity based authenticated key exchange protocols by utilizing the signature signing functionality of such identity based signature schemes for entity authentication and key exchange.

A third advantage of embodiments of systems and methods in accordance with the invention is that the escrow of the generated common session keys is not dependent on the escrow of the users' private keys to the KGC. In other words, the KGC can compute the common session key by gathering all communications that took place between users of key exchange, and the KGC does not necessarily know the users' private keys (in fact, in certain identity based signature schemes, a user's private key is jointly generated by the KGC and the user, so the KGC itself does not learn the user's private key).

A fourth advantage of embodiments of systems and methods in accordance with the invention is that an implicit escrow of the common session keys takes place without the need for an extra key pair to be maintained and stored at the KGC, and the escrow object that enables the KGC to compute the escrowed session key is verifiable to the KGC.

The above advantages are provided by embodiments of a method in accordance with the invention operating in the following manner.

According to a first aspect of the invention, a system for generating a common session key SK for encoding digital communications between a first device i and a second device j, comprises: a secure server configured to: generate a master secret key msk and a master public key mpk, wherein the master secret key msk corresponds to the master public key mpk; generate a private key sk_i based on an identity id_i of the first device and generate a private key sk_j based on an identity id_j of the second device; communicate the master public key mpk and the private key sk_i to the first device, and the master public key mpk and the private key sk_j to the second device; the first device configured to: compute a first element k_i based on a first random value a generated by the first device, and the master public key mpk; communicate to the second device the first element k_i and the identity id_i of the first device such that upon receiving the communication, the second device is configured to: compute a second element k_j based on a second random value b generated by the second device, and the master public key mpk; compute signature σ_j by signing the first element k_i and the second element k_j using a signing function of an Identity Based Signature Scheme and the private key sk_j; transmit to the first device the second element k_j and the signature σ_j; verify the signature using a verification function of the Identity Based Signature Scheme and the identity of the second device id_j, and compute signature σ_i by signing the second element k_j using the signing function of the Identity Based Signature Scheme and the private key sk_i, when the signature is verified; compute a common-secret cs_i based on the second element k_j, the master public key mpk, and the first random value a; and generate the common session key SK by providing the common-secret cs_i to a Key Deriving Function.

With reference to the first aspect, in accordance with embodiments of the invention, the first device is further configured to communicate the signature σ_i to the second device, whereby the system further comprises: the second device being configured to: verify the signature σ_i using the verification function of the Identity Based Signature Scheme and the identity of the first device id_i, and when the signature σ_i is verified, compute a common-secret cs_j based on the first element k_i, the master public key mpk, and the second random value b, and generate the common session key SK by providing the common-secret cs_j to the Key Deriving Function.

With reference to the first aspect, in accordance with embodiments of the invention, the master public key mpk comprises (P, s·P) where P is a generator of cyclic group G_1 with prime order q defined over an elliptic curve and s is a parameter obtained from the master secret key msk; the first element k_i is defined as k_i = a·P; the second element k_j is defined as k_j = b·P; and the common-secret cs_i and the common secret cs_j are computed using a symmetric bilinear map e: G_1 × G_1 → G_2 where G_2 is a cyclic group with prime order q defined over the elliptic curve and cs_i is defined as cs_i = e(b·P, s·P)^a and cs_j is defined as cs_j = e(a·P, s·P)^b.

With reference to the first aspect, in accordance with embodiments of the invention, the secure server is further configured to: receive all communications and transmissions exchanged between the first and second devices; compute a common-secret cs_kgc based on the first element k_i, the second element k_j and a parameter s obtained from the master secret key msk wherein the common-secret cs_kgc is defined as cs_kgc = e(a·P, b·P)^s.

With reference to the first aspect, in accordance with embodiments of the invention, the master public key mpk comprises (s·Q, Q, P), where P is a generator of cyclic group G_1 with prime order q defined over an elliptic curve, Q is a generator of cyclic group G_2 with prime order q and s is a parameter obtained from the master secret key msk; the first element k_i is defined as k_i = a·P; the second element k_j is defined as k_j = (b·P, b·Q); and the common-secret cs_i and the common secret cs_j are computed using an asymmetric bilinear map e: G_1 × G_2 → G where G is cyclic group with prime order q defined over the elliptic curve, and cs_i is defined as cs_i = e(b·P, s·Q)^a and cs_j is defined as cs_j = e(a·P, s·Q)^b.

With reference to the first aspect, in accordance with embodiments of the invention, the secure server is further configured to: receive all communications and transmissions exchanged between the first and second devices; and compute a common-secret cs_kgc based on the first element k_i, a part of the second element k_j and a parameter s obtained from the master secret key msk and the common-secret cs_kgc is defined as cs_kgc = e(a·P, b·Q)^s.

According to a second aspect of the invention, a system for generating a common session key SK for encoding digital communications between a first device i and a second device j, comprises: a secure server configured to: generate a master secret key msk and a master public key mpk, wherein the master secret key msk corresponds to the master public key mpk; generate a private key sk_i based on an identity id_i of the first device and generate a private key sk_j based on an identity id_j of the second device; communicate the master public key mpk and the private key sk_i to the first device, and the master public key mpk and the private key sk_j to the second device; the first device configured to: compute a first element k_i based on a first random value a generated by the first device, and the private key sk_i; communicate to the second device the first element k_i and the identity id_i of the first device such that upon receiving the communication, the second device is configured to: compute a second element k_j based on a second random value b generated by the second device, and the first element k_i; compute a signature σ_j by signing a part of the first element k_i and the second element k_j using a signing function of a self-certified Identity Based Signature Scheme and the private key sk_j; transmit to the first device the second element k_j and the signature σ_j; verify the signature σ_j using a verification function of the self-certified Identity Based Signature Scheme and the identity of the second device id_j, and compute signature σ_i by signing a part of the second element k_j and a part of the private key sk_j as combined with the random value a using the signing function of the self-certified Identity Based Signature Scheme and the private key sk_i, when the signature σ_j is verified; compute a common-secret cs_i by providing the master public key mpk, the first random value a, the identity of the second device id_j, a part of the private key sk_j, the second element k_j and a part of the private key sk_i to a two input function f( ); and generate the common session key SK by providing the common-secret cs_i to a Key Deriving Function.

With reference to the second aspect, in accordance with embodiments of the invention, the first device is further configured to communicate the part of the private key sk_j as combined with the random value a and the signature σ_i to the second device, whereby the system further comprises: the second device being configured to: verify the signature σ_i using the verification function of the self-certified Identity Based Signature Scheme and the identity of the first device id_i, and when the signature σ_i is verified, compute a common-secret cs_j by providing the master public key mpk, the second random value b, the identity of the first device id_i, the first element k_i, a part of the private key sk_j and the communicated part of the private key sk_j as combined with the random value a to a two input function f( ); and generate the common session key SK by providing the common-secret cs_j to a Key Deriving Function.

With reference to the second aspect, in accordance with embodiments of the invention, the master public key mpk comprises g x where g is a generator of a cyclic multiplicative group G and x is a parameter obtained from the master secret key msk; the private key sk, is defined as sk, = (R, = , s, = r, + xH{R„ id)) and the private key sk j is define as sk j = (R j = cfi , s, = η + xH(R j , idj)) where r, and are random numbers and HQ is a collision-resistant hash function; the first element k, is defined as k t = (Ri, g a ); the second element k is defined as k j = (Ri b , g b ); the two input function f( )co function or an exclusive-OR function where cs, is defined as cs t =

and cs j is defined as cs 7 =

With reference to the second aspect, in accordance with embodiments of the invention, the secure server is further configured to: receive all communications and transmissions exchanged between the first and second devices; and compute a common- secret cs kgc by providing the master secret key msk, a part of the first element k,, the identity of the second device id, with a part of the private key sk,, a part of the second element k j , the identity of the first device id, with a part of the private key sk,, to a two input function f( ) wherein the common-secret cs kgc is defined as cs kgc =f(y aMldj, Rj • 'Ή "/)).

According to a third aspect of the invention, a system for generating a common session key SK for encoding digital communications between a first device i and a second device j, comprises: a secure server configured to: generate a master secret key msk and a master public key mpk, wherein the master secret key msk corresponds to the master public key mpk; generate a private key sk_i based on an identity id_i of the first device and generate a private key sk_j based on an identity id_j of the second device; communicate the master public key mpk and the private key sk_i to the first device, and the master public key mpk and the private key sk_j to the second device; the first device configured to: compute a first element k_i based on a first random value a generated by the first device; communicate to the second device the first element k_i and the identity id_i of the first device such that upon receiving the communication, the second device is configured to: compute an element u_j based on the first element k_i and on a second random value b generated by the second device; compute a second element k_j based on the element u_j and the second random value b; generate a signature σ_j by signing the first element k_i and the second element k_j using a signing function of a self-certified Identity Based Signature Scheme and the private key sk_j; transmit to the first device the second element k_j and the signature σ_j; verify the signature σ_j using a verification function of the self-certified Identity Based Signature Scheme and the identity of the second device id_j, and compute a signature σ_i by signing a part of the second element k_j using the signing function of the self-certified Identity Based Signature Scheme and the private key sk_i, when the signature is verified; compute an element u_i based on the part of the second element k_j and the first random value a; compute a common-secret cs_i based on the element u_i and the master public key mpk; and generate the common session key SK by providing the common-secret cs_i to a Key Deriving Function.

With reference to the third aspect, in accordance with embodiments of the invention, the first device is further configured to communicate the signature σ_i to the second device, whereby the system further comprises: the second device being configured to: verify the signature σ_i using the verification function of the self-certified Identity Based Signature Scheme and the identity of the first device id_i, and when the signature σ_i is verified, compute a common-secret cs_j based on the element u_j and the master public key mpk; and generate the common session key SK by providing the common-secret cs_j to the Key Deriving Function.

With reference to the third aspect, in accordance with embodiments of the invention, the master public key mpk comprises g^x where g is a generator of a cyclic multiplicative group G and x is a parameter obtained from the master secret key msk; the first element k_i is defined as k_i = g^a; the second element k_j is defined as k_j = (U, g^b) where U is defined as U = g^(u_j), and the element u_j is defined as u_j = g^(ab); the common-secret cs_i is defined as cs_i = g^(x·u_i) and the common secret cs_j is defined as cs_j = g^(x·u_j) where the element u_i is defined as u_i = g^(ab).

With reference to the third aspect, in accordance with embodiments of the invention, the secure server is further configured to: receive all communications and transmissions exchanged between the first and second devices; compute a common-secret cs_kgc based on the element u_i or the element u_j and a parameter x obtained from the master secret key msk wherein cs_kgc is defined as cs_kgc = U^x.
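The third-aspect algebra above (k_i = g^a, k_j = (U, g^b), cs = g^(x·u), cs_kgc = U^x), worked through numerically as an added Python example that is not code from the patent. The modulus, the base, the use of HKDF-SHA256 as the Key Deriving Function and all function names are assumptions; the Identity Based Signature steps are outside its scope.

```python
"""Third-aspect key agreement and KGC escrow, worked through numerically.

Added illustration, not code from the patent. Only the key-agreement algebra
is covered; the Identity Based Signature steps (sigma_i, sigma_j) are not.
"""
import hashlib
import hmac
import secrets

# Constructed toy parameters (assumption): fine for checking the arithmetic,
# not a vetted Diffie-Hellman group for production use.
P_MOD = 2**255 - 19  # prime modulus of the multiplicative group
G = 2                # base element g


def rand_exp() -> int:
    """Fresh random exponent, used for a, b and the master parameter x."""
    return secrets.randbelow(P_MOD - 2) + 1


def kdf(common_secret: int, info: bytes = b"session key") -> bytes:
    """Assumed Key Deriving Function: HKDF-SHA256, one 32-byte output block."""
    ikm = common_secret.to_bytes(32, "big")
    prk = hmac.new(b"\x00" * 32, ikm, hashlib.sha256).digest()     # extract
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()  # expand


def kgc_setup():
    """Secure server: returns (x, mpk) with mpk = g^x."""
    x = rand_exp()
    return x, pow(G, x, P_MOD)


def first_element(a: int) -> int:
    """First device: k_i = g^a."""
    return pow(G, a, P_MOD)


def second_device(k_i: int, b: int, mpk: int):
    """Second device: u_j = k_i^b = g^(ab), U = g^(u_j), k_j = (U, g^b).

    Also returns cs_j = mpk^(u_j) = g^(x*u_j); in the scheme this is only
    computed once sigma_i has been verified.
    """
    u_j = pow(k_i, b, P_MOD)
    k_j = (pow(G, u_j, P_MOD), pow(G, b, P_MOD))
    return k_j, pow(mpk, u_j, P_MOD)


def first_device_secret(k_j, a: int, mpk: int) -> int:
    """First device: u_i = (g^b)^a from part of k_j, then cs_i = mpk^(u_i)."""
    _, g_b = k_j
    u_i = pow(g_b, a, P_MOD)
    return pow(mpk, u_i, P_MOD)


def kgc_escrow(k_j, x: int) -> int:
    """KGC: cs_kgc = U^x, using only the observed k_j and its own x."""
    big_u, _ = k_j
    return pow(big_u, x, P_MOD)


def run_exchange():
    """One full run; returns the session keys seen by i, j and the KGC."""
    x, mpk = kgc_setup()
    a, b = rand_exp(), rand_exp()
    k_i = first_element(a)
    k_j, cs_j = second_device(k_i, b, mpk)
    cs_i = first_device_secret(k_j, a, mpk)
    cs_kgc = kgc_escrow(k_j, x)
    return kdf(cs_i), kdf(cs_j), kdf(cs_kgc)


if __name__ == "__main__":
    sk_i, sk_j, sk_kgc = run_exchange()
    print("devices agree:", sk_i == sk_j)
    print("KGC recovers :", sk_kgc == sk_i)
```

The escrowed value depends on U alone, so a U changed in transit would leave the two devices in agreement while the KGC derives a different key; this is the practical reason k_j, including U, is covered by the second device's signature.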

According to a fourth aspect of the invention, a system for generating a common session key SK for encoding digital communications between a first device i and a second device j, comprises: a secure server configured to: generate a master secret key msk and a master public key mpk, wherein the master secret key msk corresponds to the master public key mpk; generate a private key sk_i based on an identity id_i of the first device and generate a private key sk_j based on an identity id_j of the second device; communicate the master public key mpk and the private key sk_i to the first device, and the master public key mpk and the private key sk_j to the second device; the first device configured to: compute a first element k_i based on a first random value a generated by the first device, and the master public key mpk; compute signature σ_i by signing the first element k_i using a signing function of an Identity Based Signature Scheme and the private key sk_i; communicate to the second device the signature σ_i, the first element k_i and the identity id_i of the first device such that upon receiving the communication, the second device is configured to: verify the signature σ_i using a verification function of the Identity Based Signature Scheme and the identity of the first device id_i; compute a second element k_j based on a second random value b generated by the second device, and the master public key mpk, when the signed first element k_i is verified; compute a signature σ_j by signing the first element k_i and the second element k_j using the signing function of the Identity Based Signature Scheme and the private key sk_j; transmit to the first device the second element k_j and the signature σ_j; verify the signature σ_j using the verification function of the Identity Based Signature Scheme and the identity of the second device id_j and compute a common-secret cs_i based on the second element k_j, the master public key mpk, and the first random value a, when the signature σ_j is verified; generate a verification key vk_i by providing the common-secret cs_i to a Key Deriving Function; compute a verification data vd_i by providing the verification key vk_i to an Authentication Data Deriving function (AdDF); and generate the common session key SK by providing the common-secret cs_i to a Key Deriving Function.

With reference to the fourth aspect, in accordance with embodiments of the invention, the first device is further configured to communicate the verification data vd_i to the second device, whereby the system further comprises: the second device being configured to: compute a common-secret cs_j based on the first element k_i, the master public key mpk, and the second random value b; generate a verification key vk_j by providing the common-secret cs_j to the Key Deriving Function; computing a verification data vd_j by providing the verification key vk_j to the Authentication Data Deriving function (AdDF); determine if the verification data vd_i matches with the verification data vd_j; and generate the common session key SK by providing the common-secret cs_j to a Key Deriving Function, when the verification data vd_i matches with the verification data vd_j.

With reference to the fourth aspect, in accordance with embodiments of the invention, the master public key mpk comprises (P, s·P) where P is a generator of cyclic group G_1 with prime order q and s is a parameter obtained from the master secret key msk; the first element k_i is defined as k_i = a·P; the second element k_j is defined as k_j = b·P; and the common-secret cs_i and the common secret cs_j are computed using a symmetric bilinear map e: G_1 × G_1 → G_2 where G_2 is a cyclic group with prime order q and where cs_i is defined as cs_i = e(s·P, b·P)^a and cs_j is defined as cs_j = e(s·P, a·P)^b.

With reference to the fourth aspect, in accordance with embodiments of the invention, the secure server is further configured to: receive all communications and transmissions exchanged between the first and second devices; compute a common-secret cs_kgc based on the first element k_i, the second element k_j and a parameter s obtained from the master secret key msk wherein the common-secret cs_kgc is defined as cs_kgc = e(a·P, b·P)^s.

With reference to the fourth aspect, in accordance with embodiments of the invention, the master public key mpk comprises (s·Q, Q, P), where P is a generator of cyclic group G_1 with prime order q, Q is a generator of cyclic group G_2 with prime order q and s is a parameter obtained from the master secret key msk; the first element k_i is defined as k_i = a·P; the second element k_j is defined as k_j = (b·P, b·Q); and the common-secret cs_i and the common secret cs_j are computed using an asymmetric bilinear map e: G_1 × G_2 → G where cs_i is defined as cs_i = e(b·P, s·Q)^a and cs_j is defined as cs_j = e(a·P, s·Q)^b.

With reference to the fourth aspect, in accordance with embodiments of the invention, the secure server is further configured to: receive all communications and transmissions exchanged between the first and second devices; compute a common-secret cs_kgc based on the first element k_i, a part of the second element k_j and a parameter s obtained from the master secret key msk wherein the common-secret cs_kgc is defined as cs_kgc = e(a·P, b·Q)^s.

According to a fifth aspect of the invention, a system for generating a common session key SK for encoding digital communications between a first device $i$ and a second device $j$, comprises: a secure server configured to: generate a master secret key msk and a master public key mpk, wherein the master secret key msk corresponds to the master public key mpk; generate a private key $sk_i$ based on an identity $id_i$ of the first device and generate a private key $sk_j$ based on an identity $id_j$ of the second device; communicate the master public key mpk and the private key $sk_i$ to the first device, and the master public key mpk and the private key $sk_j$ to the second device; the first device configured to: compute a first element $k_i$ based on a first random value $a$ generated by the first device, and the private key $sk_i$; compute a signature $\sigma_i$ by signing the first element $k_i$ using a signing function of a self-certified Identity Based Signature Scheme and the private key $sk_i$; communicate to the second device the signature $\sigma_i$, the first element $k_i$ and the identity $id_i$ of the first device such that upon receiving the communication, the second device is configured to: verify the signature $\sigma_i$ using a verification function of the self-certified Identity Based Signature Scheme and the identity of the first device $id_i$, and compute a second element $k_j$ based on a second random value $b$ generated by the second device, and the first element $k_i$, when the signature $\sigma_i$ is verified; compute a signature $\sigma_j$ by signing a part of the first element $k_i$ and the second element $k_j$ using the signing function of the self-certified Identity Based Signature Scheme and the private key $sk_j$; transmit to the first device the second element $k_j$ and the signature $\sigma_j$; verify the signature $\sigma_j$ using the verification function of the self-certified Identity Based Signature Scheme and the identity of the second device $id_j$; compute a common-secret $cs_i$ by providing the master public key mpk, the first random value $a$, the identity of the second device $id_j$, a part of the private key $sk_j$, the second element $k_j$ and a part of the private key $sk_i$ to a two input function f( ), when the signature $\sigma_j$ is verified; generate a verification key $vk_i$ by providing the common-secret $cs_i$ to a Key Deriving Function; compute a verification data $vd_i$ by providing the verification key $vk_i$ to an Authentication Data Deriving function (AdDF); and generate the common session key SK by providing the common-secret $cs_i$ to a Key Deriving Function.

With reference to the fifth aspect, in accordance with embodiments of the invention, the first device is further configured to communicate the verification data $vd_i$ and the part of the private key sk as combined with the random value $a$ to the second device, whereby the system further comprises: the second device being configured to: compute a common-secret $cs_j$ by providing the master public key mpk, the second random value $b$, the identity of the first device $id_i$, the first element $k_i$, the private key sk and the communicated part of the private key sk as combined with the random value $a$ to a two input function f( ); generate a verification key $vk_j$ by providing the common-secret $cs_j$ to the Key Deriving Function; computing a verification data $vd_j$ by providing the verification key $vk_j$ to the Authentication Data Deriving function (AdDF); determine if the verification data $vd_i$ matches with the verification data $vd_j$; and generate the common session key SK by providing the common-secret $cs_j$ to a Key Deriving Function, when the verification data $vd_i$ matches with the verification data $vd_j$.

With reference to the fifth aspect, in accordance with embodiments of the invention, the master public key mpk comprises $g^x$ where $g$ is a generator of a cyclic multiplicative group $G$ and $x$ is a parameter obtained from the master secret key msk; the private key $sk_i$ is defined as $sk_i = (R_i = g^{r_i}, s_i = r_i + xH(R_i, id_i))$ and the private key $sk_j$ is defined as $sk_j = (R_j = g^{r_j}, s_j = r_j + xH(R_j, id_j))$ where $r_i$ and $r_j$ are random numbers and $H()$ is a collision-resistant hash function; the first element $k_i$ is defined as $k_i$ = (g ); the second element $k_j$ is defined as $k_j = (R_i^b, g^b)$; the two input function f( ) comprises a concatenation function or an exclusive-OR function where $cs_i$ is defined as cs; = f(y a - h . ld j' R j) > ) 1 1 ^ and $cs_j$ is defined as

/ Ri

With reference to the fifth aspect, in accordance with embodiments of the invention, the secure server is further configured to: receive all communications and transmissions exchanged between the first and second devices; and compute a common-secret $cs_{kgc}$ by providing the master secret key msk, the first element $k_i$, the identity of the second device $id_j$ with a part of the private key $sk_j$, a part of the second element $k_j$, the identity of the first device $id_i$ with a part of the private key $sk_i$, to a two input function f( ) wherein the common-secret $cs_{kgc}$ is defined as cs kgc = ftf- h(id r «,- ) )_

According to a sixth aspect of the invention, a system for generating a common session key SK for encoding digital communications between a first device $i$ and a second device $j$, comprises: a secure server configured to: generate a master secret key msk and a master public key mpk, wherein the master secret key msk corresponds to the master public key mpk; generate a private key $sk_i$ based on an identity $id_i$ of the first device and generate a private key $sk_j$ based on an identity $id_j$ of the second device; communicate the master public key mpk and the private key $sk_i$ to the first device, and the master public key mpk and the private key $sk_j$ to the second device; the first device configured to: compute a first element $k_i$ based on a first random value $a$ generated by the first device; compute signature $\sigma_i$ by signing the first element $k_i$ using a signing function of a self-certified Identity Based Signature Scheme and the private key $sk_i$; communicate to the second device the signature $\sigma_i$, the first element $k_i$ and the identity $id_i$ of the first device such that upon receiving the communication, the second device is configured to: verify the signature $\sigma_i$ using a verification function of the self-certified Identity Based Signature Scheme and the identity of the first device $id_i$, and compute an element $u_j$ based on the first element $k_i$ and on a second random value $b$ generated by the second device, when the signature $\sigma_i$ is verified; compute a second element $k_j$ based on the element $u_j$ and the second random value $b$; compute signature $\sigma_j$ by signing the first element $k_i$ and the second element $k_j$ using the signing function of the self-certified Identity Based Signature Scheme and the private key $sk_j$; transmit to the first device the second element $k_j$ and the signature $\sigma_j$; verify the signature $\sigma_j$ using the verification function of the self-certified Identity Based Signature Scheme and the identity of the second device $id_j$, and compute an element $u_i$ based on a part of the second element $k_j$ and the first random value $a$, when the signature $\sigma_j$ is verified; compute a common-secret $cs_i$ based on the element $u_i$ and the master public key mpk; generate a verification key $vk_i$ by providing the common-secret $cs_i$ to a Key Deriving Function; compute a verification data $vd_i$ by providing the verification key $vk_i$ to an Authentication Data Deriving function (AdDF); and generate the common session key SK by providing the common-secret $cs_i$ to a Key Deriving Function.

With reference to the sixth aspect, in accordance with embodiments of the invention, the first device is further configured to communicate the verification data $vd_i$ to the second device, whereby the system further comprises: the second device being configured to: compute a common-secret $cs_j$ based on the element $u_j$ and the master public key mpk; generate a verification key $vk_j$ by providing the common-secret $cs_j$ to the Key Deriving Function; computing a verification data $vd_j$ by providing the verification key $vk_j$ to the Authentication Data Deriving function (AdDF); determine if the verification data $vd_i$ matches with the verification data $vd_j$; and generate the common session key SK by providing the common-secret $cs_j$ to a Key Deriving Function, when the verification data $vd_i$ matches with the verification data $vd_j$.

With reference to the sixth aspect, in accordance with embodiments of the invention, the master public key mpk comprises $g^x$ where $g$ is a generator of a cyclic multiplicative group $G$ and $x$ is a parameter obtained from the master secret key msk; the first element $k_i$ is defined as $k_i = g^a$; the second element $k_j$ is defined as $k_j = (U, g^b)$ where $U$ is defined as $U = g^{u_j}$, and the element $u_j$ is defined as $u_j = g^{ab}$; the common-secret $cs_i$ is defined as $cs_i = g^{x u_i}$ and the common secret $cs_j$ is defined as $cs_j = g^{x u_j}$ where the element $u_i$ is defined as $u_i = g^{ab}$.

With reference to the sixth aspect, in accordance with embodiments of the invention, the secure server is further configured to: receive all communications and transmissions exchanged between the first and second devices; compute a common-secret $cs_{kgc}$ based on the element $u_j$ or the element $u_i$ and a parameter $x$ obtained from the master secret key msk wherein the common-secret $cs_{kgc}$ is defined as $cs_{kgc} = U^x$.
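The sixth-aspect exchange can be traced end to end: both devices and the secure server arrive at the same common secret g^(x·g^(ab)), and the verification data gates the session key. This Python example is added here and is not code from the patent; it omits the identity-based signatures, uses a constructed toy group (p = 2039), assumes HMAC-SHA256 for the unspecified Key Deriving Function and AdDF, and all function names are hypothetical.

```python
import hashlib
import hmac
import secrets

# Constructed toy parameters, far too small for real use: safe prime
# P = 2*Q + 1, and G = 4 generates the subgroup of prime order Q.
P, Q, G = 2039, 1019, 4
NBYTES = (P.bit_length() + 7) // 8


def rand_exp():
    """Fresh ephemeral exponent in [1, Q-1]."""
    return secrets.randbelow(Q - 1) + 1


def check_elem(v):
    """Added hardening (not on the page): reject values outside the order-Q subgroup."""
    if not (1 < v < P) or pow(v, Q, P) != 1:
        raise ValueError("element outside the prime-order subgroup")
    return v


def kdf(cs, label):
    # Assumption: HMAC-SHA256 stands in for the unspecified Key Deriving Function.
    return hmac.new(cs.to_bytes(NBYTES, "big"), label, hashlib.sha256).digest()


def addf(vk):
    # Assumption: HMAC-SHA256 stands in for the unspecified AdDF.
    return hmac.new(vk, b"key-confirmation", hashlib.sha256).digest()


def kgc_setup():
    x = rand_exp()                          # parameter obtained from msk
    return x, pow(G, x, P)                  # mpk = g^x


def device_i_first(a):
    return pow(G, a, P)                     # k_i = g^a


def device_j_respond(k_i, b, mpk):
    u_j = pow(check_elem(k_i), b, P)        # u_j = g^(ab)
    k_j = (pow(G, u_j, P), pow(G, b, P))    # k_j = (U, g^b), U = g^(u_j)
    return k_j, pow(mpk, u_j, P)            # cs_j = g^(x*u_j)


def device_i_finish(k_j, a, mpk):
    U, g_b = check_elem(k_j[0]), check_elem(k_j[1])
    u_i = pow(g_b, a, P)                    # u_i = g^(ab)
    # Added consistency check (not on the page): the U the server will
    # use must be the one this device derives from g^b and a.
    if pow(G, u_i, P) != U:
        raise ValueError("U does not match g^(u_i)")
    return pow(mpk, u_i, P)                 # cs_i = g^(x*u_i)


def kgc_recover(k_j, x):
    return pow(check_elem(k_j[0]), x, P)    # cs_kgc = U^x


def confirm(cs):
    """Return (vd, SK): vd = AdDF(vk) with vk = KDF(cs), and SK = KDF(cs)."""
    vk = kdf(cs, b"vk")
    return addf(vk), kdf(cs, b"SK")


def accept(cs_j, vd_i):
    """Second device: release SK only if the received vd_i matches its own vd_j."""
    vd_j, sk = confirm(cs_j)
    if not hmac.compare_digest(vd_i, vd_j):
        raise ValueError("verification data mismatch")
    return sk


def run_session():
    x, mpk = kgc_setup()
    a, b = rand_exp(), rand_exp()
    k_i = device_i_first(a)                         # i -> j: k_i, id_i
    k_j, cs_j = device_j_respond(k_i, b, mpk)       # j -> i: k_j
    cs_i = device_i_finish(k_j, a, mpk)
    vd_i, sk_i = confirm(cs_i)                      # i -> j: vd_i
    sk_j = accept(cs_j, vd_i)
    sk_kgc = kdf(kgc_recover(k_j, x), b"SK")        # server, from the transcript
    return sk_i, sk_j, sk_kgc
```

The server recovers the session key from U and x alone, so confidentiality of every recorded session depends on the master secret key staying secret.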

According to a seventh aspect of the invention, a method for generating a common session key SK for encoding digital communications between a first device $i$ and a second device $j$, comprises the steps of generating, by a secure server, a master secret key msk and a master public key mpk, wherein the master secret key msk corresponds to the master public key mpk, a private key $sk_i$ based on an identity $id_i$ of the first device, a private key $sk_j$ based on an identity $id_j$ of the second device, and communicating the master public key mpk and the private key $sk_i$ to the first device, and the master public key mpk and the private key $sk_j$ to the second device; computing, by the first device, a first element $k_i$ based on a first random value $a$ generated by the first device, and the master public key mpk; communicating, by the first device, to the second device the first element $k_i$ and the identity $id_i$ of the first device such that upon receiving the communication, the second device is configured to: compute a second element $k_j$ based on a second random value $b$ generated by the second device, and the master public key mpk; compute signature $\sigma_j$ by signing the first element $k_i$ and the second element $k_j$ using a signing function of an Identity Based Signature Scheme and the private key $sk_j$; transmit to the first device the second element $k_j$ and the signature $\sigma_j$; verifying, by the first device, the signature using a verification function of the Identity Based Signature Scheme and the identity of the second device $id_j$, and compute signature $\sigma_i$ by signing the second element $k_j$ using the signing function of the Identity Based Signature Scheme and the private key $sk_j$, when the signature $\sigma_j$ is verified; computing, by the first device, a common-secret $cs_i$ based on the second element $k_j$, the master public key mpk, and the first random value $a$; and generating, by the first device, the common session key SK by providing the common-secret $cs_i$ to a Key Deriving Function.

With reference to the seventh aspect, in accordance with embodiments of the invention, the first device further communicates the signature $\sigma_i$ to the second device, and the method further comprises: verifying, by the second device, the signature $\sigma_i$ using the verification function of the Identity Based Signature Scheme and the identity of the first device $id_i$, and when the signature $\sigma_i$ is verified, computing a common-secret $cs_j$ based on the first element $k_i$, the master public key mpk, and the second random value $b$, and generating the common session key SK by providing the common-secret $cs_j$ to the Key Deriving Function.

With reference to the seventh aspect, in accordance with embodiments of the invention, the master public key mpk comprises $(P, s \cdot P)$ where $P$ is a generator of cyclic group $G_1$ with prime order $q$ defined over an elliptic curve and $s$ is a parameter obtained from the master secret key msk; the first element $k_i$ is defined as $k_i = a \cdot P$; the second element $k_j$ is defined as $k_j = b \cdot P$; and the common-secret $cs_i$ and the common secret $cs_j$ are computed using a symmetric bilinear map $e: G_1 \times G_1 \to G_2$ where $G_2$ is a cyclic group with prime order $q$ defined over the elliptic curve and $cs_i$ is defined as $cs_i = e(b \cdot P, s \cdot P)^a$ and $cs_j$ is defined as $cs_j = e(a \cdot P, s \cdot P)^b$.

With reference to the seventh aspect, in accordance with embodiments of the invention, the secure server further: receives all communications and transmissions exchanged between the first and second devices; and computes a common-secret $cs_{kgc}$ based on the first element $k_i$, the second element $k_j$ and a parameter $s$ obtained from the master secret key msk wherein the common-secret $cs_{kgc}$ is defined as $cs_{kgc} = e(a \cdot P, b \cdot P)^s$.

With reference to the seventh aspect, in accordance with embodiments of the invention, the master public key mpk comprises $(s \cdot Q, Q, P)$, where $P$ is a generator of cyclic group $G_1$ with prime order $q$ defined over an elliptic curve, $Q$ is a generator of cyclic group $G_2$ with prime order $q$ and $s$ is a parameter obtained from the master secret key msk; the first element $k_i$ is defined as $k_i = a \cdot P$; the second element $k_j$ is defined as $k_j = (b \cdot P, b \cdot Q)$; and the common-secret $cs_i$ and the common secret $cs_j$ are computed using an asymmetric bilinear map $e: G_1 \times G_2 \to G$ where $G$ is a cyclic group with prime order $q$ defined over the elliptic curve, and $cs_i$ is defined as $cs_i = e(b \cdot P, s \cdot Q)^a$ and $cs_j$ is defined as $cs_j = e(a \cdot P, s \cdot Q)^b$.

With reference to the seventh aspect, in accordance with embodiments of the invention, the secure server further receives all communications and transmissions exchanged between the first and second devices; and computes a common-secret $cs_{kgc}$ based on the first element $k_i$, a part of the second element $k_j$ and a parameter $s$ obtained from the master secret key msk and the common-secret $cs_{kgc}$ is defined as $cs_{kgc} = e(a \cdot P, b \cdot Q)^s$.

According to an eighth aspect of the invention, a method for generating a common session key SK for encoding digital communications between a first device $i$ and a second device $j$, comprises the steps of generating, by a secure server, a master secret key msk and a master public key mpk, wherein the master secret key msk corresponds to the master public key mpk, a private key $sk_i$ based on an identity $id_i$ of the first device, a private key $sk_j$ based on an identity $id_j$ of the second device, and communicating the master public key mpk and the private key $sk_i$ to the first device, and the master public key mpk and the private key $sk_j$ to the second device; computing, by the first device, a first element $k_i$ based on a first random value $a$ generated by the first device, and the private key $sk_i$; communicating to the second device the first element $k_i$ and the identity $id_i$ of the first device such that upon receiving the communication, the second device is configured to: compute a second element $k_j$ based on a second random value $b$ generated by the second device, and the first element $k_i$; compute a signature by signing a part of the first element $k_i$ and the second element $k_j$ using a signing function of a self-certified Identity Based Signature Scheme and the private key $sk_j$; transmit to the first device the second element $k_j$ and the signature $\sigma_j$; verifying, by the first device, the signature using a verification function of the self-certified Identity Based Signature Scheme and the identity of the second device $id_j$, and computing signature $\sigma_i$ by signing a part of the second element $k_j$ and a part of the private key $sk_j$ as combined with the random value $a$ using the signing function of the self-certified Identity Based Signature Scheme and the private key $sk_i$, when the signature $\sigma_j$ is verified; computing a common-secret $cs_i$ by providing the master public key mpk, the first random value $a$, the identity of the second device $id_j$, a part of the private key $sk_j$, the second element $k_j$ and a part of the private key $sk_i$ to a two input function f( ); and generating the common session key SK by providing the common-secret $cs_i$ to a Key Deriving Function.

With reference to the eighth aspect, in accordance with embodiments of the invention, the first device is further configured to communicate the part of the private key $sk_j$ as combined with the random value $a$ and the signature $\sigma_i$ to the second device, whereby the method further comprises: verifying, by the second device, the signature $\sigma_i$ using the verification function of the self-certified Identity Based Signature Scheme and the identity of the first device $id_i$, and when the signature $\sigma_i$ is verified, computing a common-secret $cs_j$ by providing the master public key mpk, the second random value $b$, the identity of the first device $id_i$, the first element $k_i$, a part of the private key $sk_j$ and the communicated part of the private key $sk_j$ as combined with the random value $a$ to a two input function f( ); and generating the common session key SK by providing the common-secret $cs_j$ to a Key Deriving Function.

With reference to the eighth aspect, in accordance with embodiments of the invention, the master public key mpk comprises $g^x$ where $g$ is a generator of a cyclic multiplicative group $G$ and $x$ is a parameter obtained from the master secret key msk; the private key $sk_i$ is defined as $sk_i = (R_i = g^{r_i}, s_i = r_i + xH(R_i, id_i))$ and the private key $sk_j$ is defined as $sk_j = (R_j = g^{r_j}, s_j = r_j + xH(R_j, id_j))$ where $r_i$ and $r_j$ are random numbers and $H()$ is a collision-resistant hash function; the first element $k_i$ is defined as $k_i = (R_i, g^a)$; the second element $k_j$ is defined as $k_j = (R_i^b, g^b)$; the two input function f( ) comprises a concatenation function or an exclusive-OR function where $cs_i$ is defined as cs t = f(y a H id j. R j) i ) 1 / ϋ ) and $cs_j$ is defined as

With reference to the eighth aspect, in accordance with embodiments of the invention, the secure server further: receives all communications and transmissions exchanged between the first and second devices; and computes a common-secret $cs_{kgc}$ by providing the master secret key msk, a part of the first element $k_i$, the identity of the second device $id_j$ with a part of the private key $sk_j$, a part of the second element $k_j$, the identity of the first device $id_i$ with a part of the private key $sk_i$, to a two input function f( ) wherein the common-secret $cs_{kgc}$ is defined as $cs_{kgc}$

According to a ninth aspect of the invention, a method for generating a common session key SK for encoding digital communications between a first device $i$ and a second device $j$, comprises: generating, by a secure server, a master secret key msk and a master public key mpk, wherein the master secret key msk corresponds to the master public key mpk, a private key $sk_i$ based on an identity $id_i$ of the first device and generate a private key $sk_j$ based on an identity $id_j$ of the second device, and communicating the master public key mpk and the private key $sk_i$ to the first device, and the master public key mpk and the private key $sk_j$ to the second device; computing, by the first device, a first element $k_i$ based on a first random value $a$ generated by the first device; communicating to the second device the first element $k_i$ and the identity $id_i$ of the first device such that upon receiving the communication, the second device is configured to: compute an element $u_j$ based on the first element $k_i$ and on a second random value $b$ generated by the second device; compute a second element $k_j$ based on the element $u_j$ and the second random value $b$; generate a signature by signing the first element $k_i$ and the second element $k_j$ using a signing function of a self-certified Identity Based Signature Scheme and the private key $sk_j$; transmit to the first device the second element $k_j$ and the signature $\sigma_j$; verifying, by the first device, the signature $\sigma_j$ using a verification function of the self-certified Identity Based Signature Scheme and the identity of the second device $id_j$, and compute a signature $\sigma_i$ by signing a part of the second element $k_j$ using the signing function of the self-certified Identity Based Signature Scheme and the private key $sk_i$, when the signature $\sigma_j$ is verified; computing an element $u_i$ based on the part of the second element $k_j$ and the first random value $a$; computing a common-secret $cs_i$ based on the element $u_i$ and the master public key mpk; and generating the common session key SK by providing the common-secret $cs_i$ to a Key Deriving Function.

With reference to the ninth aspect, in accordance with embodiments of the invention, the first device is further configured to communicate the signature $\sigma_i$ to the second device, the method further comprising: verifying, by the second device, the signature $\sigma_i$ using the verification function of the self-certified Identity Based Signature Scheme and the identity of the first device $id_i$, and when the signature $\sigma_i$ is verified, computing a common-secret $cs_j$ based on the element $u_j$ and the master public key mpk; and generating the common session key SK by providing the common-secret $cs_j$ to the Key Deriving Function.

With reference to the ninth aspect, in accordance with embodiments of the invention, the master public key mpk comprises $g^x$ where $g$ is a generator of a cyclic multiplicative group $G$ and $x$ is a parameter obtained from the master secret key msk; the first element $k_i$ is defined as $k_i = g^a$; the second element $k_j$ is defined as $k_j = (U, g^b)$ where $U$ is defined as $U = g^{u_j}$, and the element $u_j$ is defined as $u_j = g^{ab}$; the common-secret $cs_i$ is defined as $cs_i = g^{x u_i}$ and the common secret $cs_j$ is defined as $cs_j = g^{x u_j}$ where the element $u_i$ is defined as $u_i = g^{ab}$.

With reference to the ninth aspect, in accordance with embodiments of the invention, the secure server further: receives all communications and transmissions exchanged between the first and second devices; and computes a common-secret $cs_{kgc}$ based on the element $u_j$ or the element $u_i$ and a parameter $x$ obtained from the master secret key msk wherein $cs_{kgc}$ is defined as $cs_{kgc} = U^x$.

According to a tenth aspect of the invention, a method for generating a common session key SK for encoding digital communications between a first device $i$ and a second device $j$, comprises: generating, by a second server, a master secret key msk and a master public key mpk, wherein the master secret key msk corresponds to the master public key mpk, a private key $sk_i$ based on an identity $id_i$ of the first device and generate a private key $sk_j$ based on an identity $id_j$ of the second device, and communicating the master public key mpk and the private key $sk_i$ to the first device, and the master public key mpk and the private key $sk_j$ to the second device; computing, by the first device, a first element $k_i$ based on a first random value $a$ generated by the first device, and the master public key mpk; computing signature $\sigma_i$ by signing the first element $k_i$ using a signing function of an Identity Based Signature Scheme and the private key $sk_i$; communicating to the second device the signature $\sigma_i$, the first element $k_i$ and the identity $id_i$ of the first device such that upon receiving the communication, the second device is configured to: verify the signature $\sigma_i$ using a verification function of the Identity Based Signature Scheme and the identity of the first device $id_i$; compute a second element $k_j$ based on a second random value $b$ generated by the second device, and the master public key mpk, when the signed first element $k_i$ is verified; compute a signature by signing the first element $k_i$ and the second element $k_j$ using the signing function of the Identity Based Signature Scheme and the private key $sk_j$; transmit to the first device the second element $k_j$ and the signature $\sigma_j$; verifying, by the first device, the signature using the verification function of the Identity Based Signature Scheme and the identity of the second device $id_j$ and compute a common-secret $cs_i$ based on the second element $k_j$, the master public key mpk, and the first random value $a$, when the signature $\sigma_j$ is verified; generating a verification key $vk_i$ by providing the common-secret $cs_i$ to a Key Deriving Function; computing a verification data $vd_i$ by providing the verification key $vk_i$ to an Authentication Data Deriving function (AdDF); and generating the common session key SK by providing the common-secret $cs_i$ to a Key Deriving Function.

With reference to the tenth aspect, in accordance with embodiments of the invention, the first device is further configured to communicate the verification data $vd_i$ to the second device, the method comprising: computing, by the second device, a common-secret $cs_j$ based on the first element $k_i$, the master public key mpk, and the second random value $b$; generating a verification key $vk_j$ by providing the common-secret $cs_j$ to the Key Deriving Function; computing a verification data $vd_j$ by providing the verification key $vk_j$ to the Authentication Data Deriving function (AdDF); determining if the verification data $vd_i$ matches with the verification data $vd_j$; and generating the common session key SK by providing the common-secret $cs_j$ to a Key Deriving Function, when the verification data $vd_i$ matches with the verification data $vd_j$.

With reference to the tenth aspect, in accordance with embodiments of the invention, the master public key mpk comprises $(P, s \cdot P)$ where $P$ is a generator of cyclic group $G_1$ with prime order $q$ and $s$ is a parameter obtained from the master secret key msk; the first element $k_i$ is defined as $k_i = a \cdot P$; the second element $k_j$ is defined as $k_j = b \cdot P$; and the common-secret $cs_i$ and the common secret $cs_j$ are computed using a symmetric bilinear map $e: G_1 \times G_1 \to G_2$ where $G_2$ is a cyclic group with prime order $q$ and where $cs_i$ is defined as $cs_i = e(s \cdot P, b \cdot P)^a$ and $cs_j$ is defined as $cs_j = e(s \cdot P, a \cdot P)^b$.

With reference to the tenth aspect, in accordance with embodiments of the invention, the secure server further: receives all communications and transmissions exchanged between the first and second devices; and computes a common-secret $cs_{kgc}$ based on the first element $k_i$, the second element $k_j$ and a parameter $s$ obtained from the master secret key msk wherein the common-secret $cs_{kgc}$ is defined as $cs_{kgc} = e(a \cdot P, b \cdot P)^s$.

With reference to the tenth aspect, in accordance with embodiments of the invention, the master public key mpk comprises $(s \cdot Q, Q, P)$, where $P$ is a generator of cyclic group $G_1$ with prime order $q$, $Q$ is a generator of cyclic group $G_2$ with prime order $q$ and $s$ is a parameter obtained from the master secret key msk; the first element $k_i$ is defined as $k_i = a \cdot P$; the second element $k_j$ is defined as $k_j = (b \cdot P, b \cdot Q)$; and the common-secret $cs_i$ and the common secret $cs_j$ are computed using an asymmetric bilinear map $e: G_1 \times G_2 \to G$ where $cs_i$ is defined as $cs_i = e(b \cdot P, s \cdot Q)^a$ and $cs_j$ is defined as $cs_j = e(a \cdot P, s \cdot Q)^b$.

With reference to the tenth aspect, in accordance with embodiments of the invention, the secure server further receives all communications and transmissions exchanged between the first and second devices; and computes a common-secret $cs_{kgc}$ based on the first element $k_i$, a part of the second element $k_j$ and a parameter $s$ obtained from the master secret key msk wherein the common-secret $cs_{kgc}$ is defined as $cs_{kgc} = e(a \cdot P, b \cdot Q)^s$.

According to an eleventh aspect of the invention, a method for generating a common session key SK for encoding digital communications between a first device $i$ and a second device $j$, comprising: generating, by a secure server, a master secret key msk and a master public key mpk, wherein the master secret key msk corresponds to the master public key mpk, a private key $sk_i$ based on an identity $id_i$ of the first device and generate a private key $sk_j$ based on an identity $id_j$ of the second device, and communicating the master public key mpk and the private key $sk_i$ to the first device, and the master public key mpk and the private key $sk_j$ to the second device; computing, by the first device, a first element $k_i$ based on a first random value $a$ generated by the first device, and the private key $sk_i$; computing a signature $\sigma_i$ by signing the first element $k_i$ using a signing function of a self-certified Identity Based Signature Scheme and the private key $sk_i$; communicating to the second device the signature $\sigma_i$, the first element $k_i$ and the identity $id_i$ of the first device such that upon receiving the communication, the second device is configured to: verify the signature $\sigma_i$ using a verification function of the self-certified Identity Based Signature Scheme and the identity of the first device $id_i$, and compute a second element $k_j$ based on a second random value $b$ generated by the second device, and the first element $k_i$, when the signature $\sigma_i$ is verified; compute a signature by signing a part of the first element $k_i$ and the second element $k_j$ using the signing function of the self-certified Identity Based Signature Scheme and the private key $sk_j$; transmit to the first device the second element $k_j$ and the signature $\sigma_j$; verifying, by the first device, the signature using the verification function of the self-certified Identity Based Signature Scheme and the identity of the second device $id_j$; computing a common-secret $cs_i$ by providing the master public key mpk, the first random value $a$, the identity of the second device $id_j$, a part of the private key $sk_j$, the second element $k_j$ and a part of the private key $sk_i$ to a two input function f( ), when the signature is verified; generating a verification key $vk_i$ by providing the common-secret $cs_i$ to a Key Deriving Function; computing a verification data $vd_i$ by providing the verification key $vk_i$ to an Authentication Data Deriving function (AdDF); and generating the common session key SK by providing the common-secret $cs_i$ to a Key Deriving Function.

With reference to the eleventh aspect, in accordance with embodiments of the invention, the first device is further configured to communicate the verification data $vd_i$ and the part of the private key $sk_i$ as combined with the random value $a$ to the second device, whereby the method further comprises: computing, by the second device, a common-secret $cs_j$ by providing the master public key mpk, the second random value $b$, the identity of the first device $id_i$, the first element $k_i$, the private key sk and the communicated part of the private key $sk_j$ as combined with the random value $a$ to a two input function f( ); generating a verification key $vk_j$ by providing the common-secret $cs_j$ to the Key Deriving Function; computing a verification data $vd_j$ by providing the verification key $vk_j$ to the Authentication Data Deriving function (AdDF); determining if the verification data $vd_i$ matches with the verification data $vd_j$; and generating the common session key SK by providing the common-secret $cs_j$ to a Key Deriving Function, when the verification data $vd_i$ matches with the verification data $vd_j$.

With reference to the eleventh aspect, in accordance with embodiments of the invention, the master public key mpk comprises $g^x$ where $g$ is a generator of a cyclic multiplicative group $G$ and $x$ is a parameter obtained from the master secret key msk; the private key $sk_i$ is defined as $sk_i = (R_i = g^{r_i}, s_i = r_i + xH(R_i, id_i))$ and the private key $sk_j$ is defined as $sk_j = (R_j = g^{r_j}, s_j = r_j + xH(R_j, id_j))$ where $r_i$ and $r_j$ are random numbers and $H()$ is a collision-resistant hash function; the first element $k_i$ is defined as $k_i = (g^a)$; the second element $k_j$ is defined as $k_j = (R_i^b, g^b)$; the two input function f( ) comprises a concatenation function or an exclusive-OR function where $cs_i$ is defined as cs; = f y a H ld j' R j) i (9 ) 1 1 ^ and $cs_j$ is defined as

With reference to the eleventh aspect, in accordance with embodiments of the invention, the secure server further: receives all communications and transmissions exchanged between the first and second devices; and computes a common-secret $cs_{kgc}$ by providing the master secret key msk, the first element $k_i$, the identity of the second device $id_j$ with a part of the private key $sk_j$, a part of the second element $k_j$, the identity of the first device $id_i$ with a part of the private key $sk_i$, to a two input function f( ) wherein the common-secret $cs_{kgc}$ is defined as $cs_{kgc}$

According to a twelfth aspect of the invention, a method for generating a common session key SK for encoding digital communications between a first device $i$ and a second device $j$, comprising: generating, by a secure server, a master secret key msk and a master public key mpk, wherein the master secret key msk corresponds to the master public key mpk, generating a private key $sk_i$ based on an identity $id_i$ of the first device and generate a private key $sk_j$ based on an identity $id_j$ of the second device, and communicating the master public key mpk and the private key $sk_i$ to the first device, and the master public key mpk and the private key $sk_j$ to the second device; computing, by the first device, a first element $k_i$ based on a first random value $a$ generated by the first device; computing signature $\sigma_i$ by signing the first element $k_i$ using a signing function of a self-certified Identity Based Signature Scheme and the private key $sk_i$; communicating to the second device the signature $\sigma_i$, the first element $k_i$ and the identity $id_i$ of the first device such that upon receiving the communication, the second device is configured to: verify the signature $\sigma_i$ using a verification function of the self-certified Identity Based Signature Scheme and the identity of the first device $id_i$, and compute an element $u_j$ based on the first element $k_i$ and on a second random value $b$ generated by the second device, when the signature $\sigma_i$ is verified; compute a second element $k_j$ based on the element $u_j$ and the second random value $b$; compute signature $\sigma_j$ by signing the first element $k_i$ and the second element $k_j$ using the signing function of the self-certified Identity Based Signature Scheme and the private key $sk_j$; transmit to the first device the second element $k_j$ and the signature $\sigma_j$; verifying, by the first device, the signature $\sigma_j$ using the verification function of the self-certified Identity Based Signature Scheme and the identity of the second device $id_j$, and compute an element $u_i$ based on a part of the second element $k_j$ and the first random value $a$, when the signature $\sigma_j$ is verified; computing a common-secret $cs_i$ based on the element $u_i$ and the master public key mpk; generating a verification key $vk_i$ by providing the common-secret $cs_i$ to a Key Deriving Function; computing a verification data $vd_i$ by providing the verification key $vk_i$ to an Authentication Data Deriving function (AdDF); and generating the common session key SK by providing the common-secret $cs_i$ to a Key Deriving Function.

With reference to the twelfth aspect, in accordance with embodiments of the invention, the first device is further configured to communicate the verification data $vd_i$ to the second device, whereby the method further comprises: computing, by the second device, a common-secret $cs_j$ based on the element $u_j$ and the master public key mpk; generating a verification key $vk_j$ by providing the common-secret $cs_j$ to the Key Deriving Function; computing a verification data $vd_j$ by providing the verification key $vk_j$ to the Authentication Data Deriving function (AdDF); determining if the verification data $vd_i$ matches with the verification data $vd_j$; and generating the common session key SK by providing the common-secret $cs_j$ to a Key Deriving Function, when the verification data $vd_i$ matches with the verification data $vd_j$.

With reference to the twelfth aspect, in accordance with embodiments of the invention, the master public key mpk comprises $g^x$ where $g$ is a generator of a cyclic multiplicative group $G$ and $x$ is a parameter obtained from the master secret key msk; the first element $k_i$ is defined as $k_i = g^a$; the second element $k_j$ is defined as $k_j = (U_j, g^b)$ where $U_j$ is defined as $U_j = g^{u_j}$, and the element $u_j$ is defined as $u_j = g^{ab}$; the common-secret $cs_i$ is defined as $cs_i = g^{x u_i}$ and the common secret $cs_j$ is defined as $cs_j = g^{x u_j}$ where the element $u_i$ is defined as $u_i = g^{ab}$.

With reference to the twelfth aspect, in accordance with embodiments of the invention, the secure server further: receives all communications and transmissions exchanged between the first and second devices; computes a common-secret $cs_{kgc}$ based on the element $u_j$ or the element $u_i$ and a parameter $x$ obtained from the master secret key msk wherein the common-secret $cs_{kgc}$ is defined as $cs_{kgc} = U_j^x$.
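The twelfth-aspect exchange above, carried end to end as an added example (not code from the patent), including the check that the secure server recovers the same common secret from the transmitted element and msk. Assumptions: a toy group modulo the Mersenne prime 2^127 - 1 with g = 3, HMAC-SHA256 stand-ins for the Key Deriving Function and the AdDF, a Schnorr-style signing equation over keys of the form (R, s = r + x·H(R, id)), and every function name.

```python
import hashlib
import hmac
import secrets

# Toy group (assumption, NOT secure): subgroup of Z_p* generated by g.
P = 2**127 - 1            # Mersenne prime
G = 3
N = P - 1                 # g^N = 1 (mod P), so exponents are reduced mod N

def H(*parts):
    """Stand-in for the collision-resistant hash H(), mapped to an exponent."""
    data = b"|".join(str(p).encode() for p in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def rand_exp():
    return secrets.randbelow(N - 1) + 1

def setup():
    """Secure server: msk = x, mpk = y = g^x."""
    x = rand_exp()
    return x, pow(G, x, P)

def extract(x, ident):
    """Private key sk = (R = g^r, s = r + x*H(R, id))."""
    r = rand_exp()
    R = pow(G, r, P)
    return R, (r + x * H(R, ident)) % N

def sign(sk, ident, msg):
    """Schnorr-style signature under s (assumed form); R travels with it."""
    R, s = sk
    t = rand_exp()
    T = pow(G, t, P)
    return R, T, (t + H(T, R, ident, msg) * s) % N

def verify(y, ident, msg, sig):
    """Rebuild g^s = R * y^H(R, id) from the identity, check g^z = T * (g^s)^c."""
    R, T, z = sig
    pk = R * pow(y, H(R, ident), P) % P
    return pow(G, z, P) == T * pow(pk, H(T, R, ident, msg), P) % P

def kdf(cs, label):
    """Stand-in Key Deriving Function; the label separates vk from SK (assumption)."""
    return hmac.new(cs.to_bytes(16, "big"), label, hashlib.sha256).digest()

def addf(vk):
    """Stand-in Authentication Data Deriving Function (AdDF)."""
    return hmac.new(vk, b"verification-data", hashlib.sha256).digest()

def run_exchange():
    x, y = setup()
    sk_i, sk_j = extract(x, "id_i"), extract(x, "id_j")

    # Message 1, device i -> j: (sigma_i, k_i, id_i)
    a = rand_exp()
    k_i = pow(G, a, P)
    sigma_i = sign(sk_i, "id_i", (k_i,))

    # Device j: verify, then u_j = k_i^b, U_j = g^u_j, k_j = (U_j, g^b)
    if not verify(y, "id_i", (k_i,), sigma_i):
        raise ValueError("sigma_i rejected")
    b = rand_exp()
    u_j = pow(k_i, b, P)
    k_j = (pow(G, u_j, P), pow(G, b, P))
    sigma_j = sign(sk_j, "id_j", (k_i, k_j))

    # Device i: verify, then u_i = (g^b)^a and cs_i = mpk^u_i = g^(x*u_i)
    if not verify(y, "id_j", (k_i, k_j), sigma_j):
        raise ValueError("sigma_j rejected")
    u_i = pow(k_j[1], a, P)
    cs_i = pow(y, u_i, P)
    vd_i = addf(kdf(cs_i, b"vk"))          # message 3, device i -> j
    sk_sess_i = kdf(cs_i, b"SK")

    # Device j: cs_j = mpk^u_j; SK is derived only if vd_i matches vd_j
    cs_j = pow(y, u_j, P)
    vd_j = addf(kdf(cs_j, b"vk"))
    confirmed = hmac.compare_digest(vd_i, vd_j)
    sk_sess_j = kdf(cs_j, b"SK") if confirmed else None

    # Secure server: the transmitted U_j and msk suffice, cs_kgc = U_j^x
    cs_kgc = pow(k_j[0], x, P)
    return {"cs_i": cs_i, "cs_j": cs_j, "cs_kgc": cs_kgc, "confirmed": confirmed,
            "SK_i": sk_sess_i, "SK_j": sk_sess_j, "mpk": y,
            "k_i": k_i, "sigma_i": sigma_i}

if __name__ == "__main__":
    r = run_exchange()
    print("devices agree:", r["SK_i"] == r["SK_j"])
    print("server recovers cs:", r["cs_kgc"] == r["cs_i"])
```

The server's computation uses only the transmitted $U_j$ and msk, so a holder of msk who records the exchange can derive SK for that session.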

According to a thirteenth aspect of the invention, a first device $i$ for generating a common session key SK for encoding digital communications between the first device $i$ and a second device $j$, the first device comprising: a processor; and a non-transitory media readable by the processor, the non-transitory media storing instructions that when executed by the processor, cause the processor to: instruct a secure server to generate a master secret key msk and a master public key mpk, wherein the master secret key msk corresponds to the master public key mpk, a private key $sk_i$ based on an identity $id_i$ of the first device, a private key $sk_j$ based on an identity $id_j$ of the second device, and to communicate the master public key mpk and the private key $sk_i$ to the first device, and the master public key mpk and the private key $sk_j$ to the second device; compute a first element $k_i$ based on a first random value $a$ generated by the first device, and the master public key mpk; communicate to the second device the first element $k_i$ and the identity $id_i$ of the first device such that upon receiving the communication, the second device is configured to: compute a second element $k_j$ based on a second random value $b$ generated by the second device, and the master public key mpk; compute signature $\sigma_j$ by signing the first element $k_i$ and the second element $k_j$ using a signing function of an Identity Based Signature Scheme and the private key $sk_j$; transmit to the first device the second element $k_j$ and the signature $\sigma_j$; verify the signature $\sigma_j$ using a verification function of the Identity Based Signature Scheme and the identity of the second device $id_j$, and compute signature $\sigma_i$ by signing the second element $k_j$ using the signing function of the Identity Based Signature Scheme and the private key $sk_i$, when the signature $\sigma_j$ is verified; compute a common-secret $cs_i$ based on the second element $k_j$, the master public key mpk, and the first random value $a$; and generate the common session key SK by providing the common-secret $cs_i$ to a Key Deriving Function.

With reference to the thirteenth aspect, in accordance with embodiments of the invention, the instructions for directing the processor to communicate to the second device further comprises: instructions for directing the processor to: communicate the signature $\sigma_i$ to the second device, whereby upon receiving the communication, the second device is configured to: verify the signature $\sigma_i$ using the verification function of the Identity Based Signature Scheme and the identity of the first device $id_i$, and, when the signature $\sigma_i$ is verified, compute a common-secret $cs_j$ based on the first element $k_i$, the master public key mpk, and the second random value $b$, and generate the common session key SK by providing the common-secret $cs_j$ to the Key Deriving Function.

With reference to the thirteenth aspect, in accordance with embodiments of the invention, the master public key mpk comprises $(P, s \cdot P)$ where $P$ is a generator of cyclic group $G_1$ with prime order $q$ defined over an elliptic curve and $s$ is a parameter obtained from the master secret key msk; the first element $k_i$ is defined as $k_i = a \cdot P$; the second element $k_j$ is defined as $k_j = b \cdot P$; and the common-secret $cs_i$ and the common secret $cs_j$ are computed using a symmetric bilinear map $e: G_1 \times G_1 \to G_2$ where $G_2$ is a cyclic group with prime order $q$ defined over the elliptic curve and $cs_i$ is defined as $cs_i = e(b \cdot P, s \cdot P)^a$ and $cs_j$ is defined as $cs_j = e(a \cdot P, s \cdot P)^b$.

With reference to the thirteenth aspect, in accordance with embodiments of the invention, the instructing the secure server further comprises: instructions for directing the processor to: instruct the secure server to receive all communications and transmissions exchanged between the first and second devices; and compute a common-secret $cs_{kgc}$ based on the first element $k_i$, the second element $k_j$ and a parameter $s$ obtained from the master secret key msk wherein the common-secret $cs_{kgc}$ is defined as $cs_{kgc} = e(a \cdot P, b \cdot P)^s$.

With reference to the thirteenth aspect, in accordance with embodiments of the invention, the master public key mpk comprises $(s \cdot Q, Q, P)$, where $P$ is a generator of cyclic group $G_1$ with prime order $q$ defined over an elliptic curve, $Q$ is a generator of cyclic group $G_2$ with prime order $q$ and $s$ is a parameter obtained from the master secret key msk; the first element $k_i$ is defined as $k_i = a \cdot P$; the second element $k_j$ is defined as $k_j = (b \cdot P, b \cdot Q)$; and the common-secret $cs_i$ and the common secret $cs_j$ are computed using an asymmetric bilinear map $e: G_1 \times G_2 \to G$ where $G$ is a cyclic group with prime order $q$ defined over the elliptic curve, and $cs_i$ is defined as $cs_i = e(b \cdot P, s \cdot Q)^a$ and $cs_j$ is defined as $cs_j = e(a \cdot P, s \cdot Q)^b$.

With reference to the thirteenth aspect, in accordance with embodiments of the invention, the instructing the secure server further comprises: instructions for directing the processor to: instruct the secure server to receive all communications and transmissions exchanged between the first and second devices; and compute a common-secret $cs_{kgc}$ based on the first element $k_i$, a part of the second element $k_j$ and a parameter $s$ obtained from the master secret key msk and the common-secret $cs_{kgc}$ is defined as $cs_{kgc} = e(a \cdot P, b \cdot Q)^s$.

According to a fourteenth aspect of the invention, a first device $i$ for generating a common session key SK for encoding digital communications between the first device $i$ and a second device $j$, comprises a processor; and a non-transitory media readable by the processor, the non-transitory media storing instructions that when executed by the processor, cause the processor to: instruct a secure server to generate a master secret key msk and a master public key mpk, wherein the master secret key msk corresponds to the master public key mpk, a private key $sk_i$ based on an identity $id_i$ of the first device and generate a private key $sk_j$ based on an identity $id_j$ of the second device, and to communicate the master public key mpk and the private key $sk_i$ to the first device, and the master public key mpk and the private key $sk_j$ to the second device; compute a first element $k_i$ based on a first random value $a$ generated by the first device, and the private key $sk_i$; communicate to the second device the first element $k_i$ and the identity $id_i$ of the first device such that upon receiving the communication, the second device is configured to: compute a second element $k_j$ based on a second random value $b$ generated by the second device, and the first element $k_i$; compute a signature $\sigma_j$ by signing a part of the first element $k_i$ and the second element $k_j$ using a signing function of a self-certified Identity Based Signature Scheme and the private key $sk_j$; transmit to the first device the second element $k_j$ and the signature $\sigma_j$; verify the signature $\sigma_j$ using a verification function of the self-certified Identity Based Signature Scheme and the identity of the second device $id_j$, and compute signature $\sigma_i$ by signing a part of the second element $k_j$ and a part of the private key $sk_j$ as combined with the random value $a$ using the signing function of the self-certified Identity Based Signature Scheme and the private key $sk_i$, when the signature $\sigma_j$ is verified; compute a common-secret $cs_i$ by providing the master public key mpk, the first random value $a$, the identity of the second device $id_j$, a part of the private key $sk_j$, the second element $k_j$ and a part of the private key $sk_i$ to a two input function f( ); and generate the common session key SK by providing the common-secret $cs_i$ to a Key Deriving Function.

With reference to the fourteenth aspect, in accordance with embodiments of the invention, the instructions for directing the processor to communicate to the second device further comprises: instructions for directing the processor to: communicate the part of the private key $sk_j$ as combined with the random value $a$ and the signature $\sigma_i$ to the second device, whereby upon receiving the communication, the second device is configured to: verify the signature $\sigma_i$ using the verification function of the self-certified Identity Based Signature Scheme and the identity of the first device $id_i$, and when the signature $\sigma_i$ is verified, compute a common-secret $cs_j$ by providing the master public key mpk, the second random value $b$, the identity of the first device $id_i$, the first element $k_i$, a part of the private key $sk_j$ and the communicated part of the private key $sk_j$ as combined with the random value $a$ to a two input function f( ); and generate the common session key SK by providing the common-secret $cs_j$ to a Key Deriving Function.

With reference to the fourteenth aspect, in accordance with embodiments of the invention, the master public key mpk comprises g x where g is a generator of a cyclic multiplicative group G and x is a parameter obtained from the master secret key msk; the private key sk, is defined as sk, = (R, = , s, = r, + xH{R„ id)) and the private key sk j is define as sk j = (R j = cfi , s, = η + xH(R j , idj)) where r, and are random numbers and HQ is a collision-resistant hash function ; the first element k, is defined as k t = (¾ #") ; the second element k j is defined as kj = (Ri b , g b ); the two input function f( )comprises a concatenation function or an exclusive-OR function where cs, is defined as cs; = f(y a H ldj ' Rj ) i ) 1 1 ^

I Ri

With reference to the fourteenth aspect, in accordance with embodiments of the invention, the instructing the secure server further comprises: instructions for directing the processor to: instruct the secure server to receive all communications and transmissions exchanged between the first and second devices; and compute a common-secret $cs_{kgc}$ by providing the master secret key msk, a part of the first element $k_i$, the identity of the second device $id_j$ with a part of the private key $sk_j$, a part of the second element $k_j$, the identity of the first device $id_i$ with a part of the private key $sk_i$, to a two input function f( ) wherein the common-secret $cs_{kgc}$ is defined as cs kgc "ί).

According to a fifteenth aspect of the invention, a first device $i$ for generating a common session key SK for encoding digital communications between the first device $i$ and a second device $j$, comprising: a processor; and a non-transitory media readable by the processor, the non-transitory media storing instructions that when executed by the processor, cause the processor to: instruct a secure server to generate a master secret key msk and a master public key mpk, wherein the master secret key msk corresponds to the master public key mpk, a private key $sk_i$ based on an identity $id_i$ of the first device and generate a private key $sk_j$ based on an identity $id_j$ of the second device, and communicate the master public key mpk and the private key $sk_i$ to the first device, and the master public key mpk and the private key $sk_j$ to the second device; compute a first element $k_i$ based on a first random value $a$ generated by the first device; communicate to the second device the first element $k_i$ and the identity $id_i$ of the first device such that upon receiving the communication, the second device is configured to: compute an element $u_j$ based on the first element $k_i$ and on a second random value $b$ generated by the second device; compute a second element $k_j$ based on the element $u_j$ and the second random value $b$; generate a signature $\sigma_j$ by signing the first element $k_i$ and the second element $k_j$ using a signing function of a self-certified Identity Based Signature Scheme and the private key $sk_j$; transmit to the first device the second element $k_j$ and the signature $\sigma_j$; verify the signature $\sigma_j$ using a verification function of the self-certified Identity Based Signature Scheme and the identity of the second device $id_j$, and compute a signature $\sigma_i$ by signing a part of the second element $k_j$ using the signing function of the self-certified Identity Based Signature Scheme and the private key $sk_i$, when the signature $\sigma_j$ is verified; compute an element $u_i$ based on the part of the second element $k_j$ and the first random value $a$; compute a common-secret $cs_i$ based on the element $u_i$ and the master public key mpk; and generate the common session key SK by providing the common-secret $cs_i$ to a Key Deriving Function.

With reference to the fifteenth aspect, in accordance with embodiments of the invention, the instructions for directing the processor to communicate to the second device further comprises: instructions for directing the processor to: communicate the signature $\sigma_i$ to the second device, whereby upon receiving the communication, the second device is configured to: verify the signature $\sigma_i$ using the verification function of the self-certified Identity Based Signature Scheme and the identity of the first device $id_i$, and when the signature $\sigma_i$ is verified, compute a common-secret $cs_j$ based on the element $u_j$ and the master public key mpk; and generate the common session key SK by providing the common-secret $cs_j$ to the Key Deriving Function.

With reference to the fifteenth aspect, in accordance with embodiments of the invention, the master public key mpk comprises $g^x$ where $g$ is a generator of a cyclic multiplicative group $G$ and $x$ is a parameter obtained from the master secret key msk; the first element $k_i$ is defined as $k_i = g^a$; the second element $k_j$ is defined as $k_j = (U_j, g^b)$ where $U_j$ is defined as $U_j = g^{u_j}$, and the element $u_j$ is defined as $u_j = g^{ab}$; the common-secret $cs_i$ is defined as $cs_i = g^{x u_i}$ and the common secret $cs_j$ is defined as $cs_j = g^{x u_j}$ where the element $u_i$ is defined as $u_i = g^{ab}$.

With reference to the fifteenth aspect, in accordance with embodiments of the invention, the instructing the secure server further comprises: instructions for directing the processor to: instruct the secure server to receive all communications and transmissions exchanged between the first and second devices; and to compute a common-secret $cs_{kgc}$ based on the element $u_j$ or the element $u_i$ and a parameter $x$ obtained from the master secret key msk wherein $cs_{kgc}$ is defined as $cs_{kgc} = U_j^x$.

According to a sixteenth aspect of the invention, a first device $i$ for generating a common session key SK for encoding digital communications between the first device $i$ and a second device $j$, comprises: a processor; and a non-transitory media readable by the processor, the non-transitory media storing instructions that when executed by the processor, cause the processor to: instruct a secure server to generate a master secret key msk and a master public key mpk, wherein the master secret key msk corresponds to the master public key mpk, a private key $sk_i$ based on an identity $id_i$ of the first device, a private key $sk_j$ based on an identity $id_j$ of the second device and communicate the master public key mpk and the private key $sk_i$ to the first device, and the master public key mpk and the private key $sk_j$ to the second device; compute a first element $k_i$ based on a first random value $a$ generated by the first device, and the master public key mpk; compute signature $\sigma_i$ by signing the first element $k_i$ using a signing function of an Identity Based Signature Scheme and the private key $sk_i$; communicate to the second device the signature $\sigma_i$, the first element $k_i$ and the identity $id_i$ of the first device such that upon receiving the communication, the second device is configured to: verify the signature $\sigma_i$ using a verification function of the Identity Based Signature Scheme and the identity of the first device $id_i$; compute a second element $k_j$ based on a second random value $b$ generated by the second device, and the master public key mpk, when the signed first element $k_i$ is verified; compute a signature $\sigma_j$ by signing the first element $k_i$ and the second element $k_j$ using the signing function of the Identity Based Signature Scheme and the private key $sk_j$; transmit to the first device the second element $k_j$ and the signature $\sigma_j$; verify the signature $\sigma_j$ using the verification function of the Identity Based Signature Scheme and the identity of the second device $id_j$ and compute a common-secret $cs_i$ based on the second element $k_j$, the master public key mpk, and the first random value $a$, when the signature $\sigma_j$ is verified; generate a verification key $vk_i$ by providing the common-secret $cs_i$ to a Key Deriving Function; compute a verification data $vd_i$ by providing the verification key $vk_i$ to an Authentication Data Deriving function (AdDF); and generate the common session key SK by providing the common-secret $cs_i$ to a Key Deriving Function.

With reference to the sixteenth aspect, in accordance with embodiments of the invention, the instructions for directing the processor to communicate to the second device further comprises: instructions for directing the processor to: communicate the verification data $vd_i$ to the second device, whereby upon receiving the communication, the second device is configured to: compute a common-secret $cs_j$ based on the first element $k_i$, the master public key mpk, and the second random value $b$; generate a verification key $vk_j$ by providing the common-secret $cs_j$ to the Key Deriving Function; compute a verification data $vd_j$ by providing the verification key $vk_j$ to the Authentication Data Deriving function (AdDF); determine if the verification data $vd_i$ matches with the verification data $vd_j$; and generate the common session key SK by providing the common-secret $cs_j$ to a Key Deriving Function, when the verification data $vd_i$ matches with the verification data $vd_j$.

With reference to the sixteenth aspect, in accordance with embodiments of the invention, the master public key mpk comprises $(P, s \cdot P)$ where $P$ is a generator of cyclic group $G_1$ with prime order $q$ and $s$ is a parameter obtained from the master secret key msk; the first element $k_i$ is defined as $k_i = a \cdot P$; the second element $k_j$ is defined as $k_j = b \cdot P$; and the common-secret $cs_i$ and the common secret $cs_j$ are computed using a symmetric bilinear map $e: G_1 \times G_1 \to G_2$ where $G_2$ is a cyclic group with prime order $q$ and where $cs_i$ is defined as $cs_i = e(s \cdot P, b \cdot P)^a$ and $cs_j$ is defined as $cs_j = e(s \cdot P, a \cdot P)^b$.

With reference to the sixteenth aspect, in accordance with embodiments of the invention, the instructing the secure server further comprises: instructions for directing the processor to: instruct the secure server to receive all communications and transmissions exchanged between the first and second devices; and to compute a common-secret $cs_{kgc}$ based on the first element $k_i$, the second element $k_j$ and a parameter $s$ obtained from the master secret key msk wherein the common-secret $cs_{kgc}$ is defined as $cs_{kgc} = e(a \cdot P, b \cdot P)^s$.

With reference to the sixteenth aspect, in accordance with embodiments of the invention, the master public key mpk comprises $(s \cdot Q, Q, P)$, where $P$ is a generator of cyclic group $G_1$ with prime order $q$, $Q$ is a generator of cyclic group $G_2$ with prime order $q$ and $s$ is a parameter obtained from the master secret key msk; the first element $k_i$ is defined as $k_i = a \cdot P$; the second element $k_j$ is defined as $k_j = (b \cdot P, b \cdot Q)$; and the common-secret $cs_i$ and the common secret $cs_j$ are computed using an asymmetric bilinear map $e: G_1 \times G_2 \to G$ where $cs_i$ is defined as $cs_i = e(b \cdot P, s \cdot Q)^a$ and $cs_j$ is defined as $cs_j = e(a \cdot P, s \cdot Q)^b$.

With reference to the sixteenth aspect, in accordance with embodiments of the invention, the instructing the secure server further comprises: instructions for directing the processor to: instruct the secure server to receive all communications and transmissions exchanged between the first and second devices; and to compute a common-secret $cs_{kgc}$ based on the first element $k_i$, a part of the second element $k_j$ and a parameter $s$ obtained from the master secret key msk wherein the common-secret $cs_{kgc}$ is defined as $cs_{kgc} = e(a \cdot P, b \cdot Q)^s$.

According to a seventeenth aspect of the invention, a first device $i$ for generating a common session key SK for encoding digital communications between the first device $i$ and a second device $j$, comprises a processor; and a non-transitory media readable by the processor, the non-transitory media storing instructions that when executed by the processor, cause the processor to: instruct a secure server to generate a master secret key msk and a master public key mpk, wherein the master secret key msk corresponds to the master public key mpk, a private key $sk_i$ based on an identity $id_i$ of the first device, a private key $sk_j$ based on an identity $id_j$ of the second device, and communicate the master public key mpk and the private key $sk_i$ to the first device, and the master public key mpk and the private key $sk_j$ to the second device; compute a first element $k_i$ based on a first random value $a$ generated by the first device, and the private key $sk_i$; compute a signature $\sigma_i$ by signing the first element $k_i$ using a signing function of a self-certified Identity Based Signature Scheme and the private key $sk_i$; communicate to the second device the signature $\sigma_i$, the first element $k_i$ and the identity $id_i$ of the first device such that upon receiving the communication, the second device is configured to: verify the signature $\sigma_i$ using a verification function of the self-certified Identity Based Signature Scheme and the identity of the first device $id_i$, and compute a second element $k_j$ based on a second random value $b$ generated by the second device, and the first element $k_i$, when the signature $\sigma_i$ is verified; compute a signature $\sigma_j$ by signing a part of the first element $k_i$ and the second element $k_j$ using the signing function of the self-certified Identity Based Signature Scheme and the private key $sk_j$; transmit to the first device the second element $k_j$ and the signature $\sigma_j$; verify the signature $\sigma_j$ using the verification function of the self-certified Identity Based Signature Scheme and the identity of the second device $id_j$; compute a common-secret $cs_i$ by providing the master public key mpk, the first random value $a$, the identity of the second device $id_j$, a part of the private key $sk_j$, the second element $k_j$ and a part of the private key $sk_i$ to a two input function f( ), when the signature $\sigma_j$ is verified; generate a verification key $vk_i$ by providing the common-secret $cs_i$ to a Key Deriving Function; compute a verification data $vd_i$ by providing the verification key $vk_i$ to an Authentication Data Deriving function (AdDF); and generate the common session key SK by providing the common-secret $cs_i$ to a Key Deriving Function.

With reference to the seventeenth aspect, in accordance with embodiments of the invention, the instructions for directing the processor to communicate to the second device further comprises: instructions for directing the processor to: communicate the verification data $vd_i$ and the part of the private key $sk_j$ as combined with the random value $a$ to the second device, whereby upon receiving the communication, the second device is configured to: compute a common-secret $cs_j$ by providing the master public key mpk, the second random value $b$, the identity of the first device $id_i$, the first element $k_i$, the private key $sk_j$ and the communicated part of the private key $sk_j$ as combined with the random value $a$ to a two input function f( ); generate a verification key $vk_j$ by providing the common-secret $cs_j$ to the Key Deriving Function; compute a verification data $vd_j$ by providing the verification key $vk_j$ to the Authentication Data Deriving function (AdDF); determine if the verification data $vd_i$ matches with the verification data $vd_j$; and generate the common session key SK by providing the common-secret $cs_j$ to a Key Deriving Function, when the verification data $vd_i$ matches with the verification data $vd_j$.

With reference to the seventeenth aspect, in accordance with embodiments of the invention, the master public key mpk comprises g x where g is a generator of a cyclic multiplicative group G and x is a parameter obtained from the master secret key msk; the private key sk, is defined as sk, = (R, = , s, = r, + xH{R„ id ) and the private key sk j is define as sk j = (R j = cfi , s, = η + xH{R h idj)) where η and are random numbers and HQ is a collision-resistant hash function; the first element k, is defined as k t = (g a ) ; the second element k j is defined as k j = (Ri b , g b ); the two input function f( )comprises a concatenation function or an exclusive-OR function where cs, is defined as cs; = and cSj is defined as csj = f(y b.h(idi,Ri) (g a ) Sj

a)

,

With reference to the seventeenth aspect, in accordance with embodiments of the invention, the instructing the secure server further comprises: instructions for directing the processor to: instruct the secure server to receive all communications and transmissions exchanged between the first and second devices; and to compute a common-secret $cs_{kgc}$ by providing the master secret key msk, the first element $k_i$, the identity of the second device $id_j$ with a part of the private key $sk_j$, a part of the second element $k_j$, the identity of the first device $id_i$ with a part of the private key $sk_i$, to a two input function f( ) wherein the common-secret $cs_{kgc}$ is defined as cs kgc = f(y aMid r R i .

According to an eighteenth aspect of the invention, a first device $i$ for generating a common session key SK for encoding digital communications between the first device $i$ and a second device $j$, comprises: a processor; and a non-transitory media readable by the processor, the non-transitory media storing instructions that when executed by the processor, cause the processor to: instruct a secure server to generate a master secret key msk and a master public key mpk, wherein the master secret key msk corresponds to the master public key mpk, a private key $sk_i$ based on an identity $id_i$ of the first device, a private key $sk_j$ based on an identity $id_j$ of the second device, and to communicate the master public key mpk and the private key $sk_i$ to the first device, and the master public key mpk and the private key $sk_j$ to the second device; compute a first element $k_i$ based on a first random value $a$ generated by the first device; compute signature $\sigma_i$ by signing the first element $k_i$ using a signing function of a self-certified Identity Based Signature Scheme and the private key $sk_i$; communicate to the second device the signature $\sigma_i$, the first element $k_i$ and the identity $id_i$ of the first device such that upon receiving the communication, the second device is configured to: verify the signature $\sigma_i$ using a verification function of the self-certified Identity Based Signature Scheme and the identity of the first device $id_i$, and compute an element $u_j$ based on the first element $k_i$ and on a second random value $b$ generated by the second device, when the signature $\sigma_i$ is verified; compute a second element $k_j$ based on the element $u_j$ and the second random value $b$; compute signature $\sigma_j$ by signing the first element $k_i$ and the second element $k_j$ using the signing function of the self-certified Identity Based Signature Scheme and the private key $sk_j$; transmit to the first device the second element $k_j$ and the signature $\sigma_j$; verify the signature $\sigma_j$ using the verification function of the self-certified Identity Based Signature Scheme and the identity of the second device $id_j$, and compute an element $u_i$ based on a part of the second element $k_j$ and the first random value $a$, when the signature $\sigma_j$ is verified; compute a common-secret $cs_i$ based on the element $u_i$ and the master public key mpk; generate a verification key $vk_i$ by providing the common-secret $cs_i$ to a Key Deriving Function; compute a verification data $vd_i$ by providing the verification key $vk_i$ to an Authentication Data Deriving function (AdDF); and generate the common session key SK by providing the common-secret $cs_i$ to a Key Deriving Function.

With reference to the eighteenth aspect, in accordance with embodiments of the invention, the instructions for directing the processor to communicate to the second device further comprises: instructions for directing the processor to: communicate the verification data $vd_i$ to the second device, whereby upon receiving the communication, the second device is configured to: compute a common-secret $cs_j$ based on the element $u_j$ and the master public key mpk; generate a verification key $vk_j$ by providing the common-secret $cs_j$ to the Key Deriving Function; compute a verification data $vd_j$ by providing the verification key $vk_j$ to the Authentication Data Deriving function (AdDF); determine if the verification data $vd_i$ matches with the verification data $vd_j$; and generate the common session key SK by providing the common-secret $cs_j$ to a Key Deriving Function, when the verification data $vd_i$ matches with the verification data $vd_j$.

With reference to the eighteenth aspect, in accordance with embodiments of the invention, the master public key mpk comprises $g^x$ where $g$ is a generator of a cyclic multiplicative group $G$ and $x$ is a parameter obtained from the master secret key msk; the first element $k_i$ is defined as $k_i = g^a$; the second element $k_j$ is defined as $k_j = (U_j, g^b)$ where $U_j$ is defined as $U_j = g^{u_j}$, and the element $u_j$ is defined as $u_j = g^{ab}$; the common-secret $cs_i$ is defined as $cs_i = g^{x u_i}$ and the common secret $cs_j$ is defined as $cs_j = g^{x u_j}$ where the element $u_i$ is defined as $u_i = g^{ab}$.

With reference to the eighteenth aspect, in accordance with embodiments of the invention, the instructing the secure server further comprises: instructions for directing the processor to: instruct the secure server to receive all communications and transmissions exchanged between the first and second devices; and to compute a common-secret cs_kgc based on the element U_j or the element u_i and a parameter x obtained from the master secret key msk wherein the common-secret cs_kgc is defined as cs_kgc = U_j^x.

Brief Description of the Drawings

The above advantages and features in accordance with this invention are described in the following detailed description and are shown in the following drawings:

Figure 1 illustrating a block diagram representative of an entity-pair authentication and a common session key generation system for the authenticated entity-pair in accordance with embodiments of the invention;

Figure 2 illustrating a block diagram representative of components in an electronic device or server for implementing embodiments in accordance with embodiments of the invention;

Figure 3 illustrating a timing diagram for the authentication of an entity-pair and for the generation of a common session key for the authenticated entity-pair in accordance with embodiments of the invention;

Figure 4 illustrating a flow diagram of a process for verifying the authenticity of a second entity and for generating a common session key in accordance with embodiments of the invention.

Detailed Description

This invention relates to a system and method for generating common session keys that have strong forward security for encoding digital communications between devices. In particular, the system utilizes a forward secure identity-based authenticated key exchange scheme to allow two devices to verify the veracity of each device before these authenticated devices proceed to generate a common session key that is then utilized to encode digital communications between these two devices.

Further, the invention allows the generated common session keys to be escrowed to an authorized Key Generation Centre (KGC) whereby the escrow of the generated common session keys is not dependent on the escrow of users' private keys to the KGC. This means that the common session keys of the users may be computed by the KGC itself once the KGC has gathered all communications that took place between users of the scheme, without the KGC being able to compute or know the users' private keys.

Figure 1 illustrates a block diagram of an entity-pair authentication and a common session key generation system in accordance with embodiments of the invention. One skilled in the art will recognize that the term entity and device may be used interchangeably throughout the description without departing from the invention.

The system illustrated in Figure 1 comprises devices or entities 105, 110, that are connected to secure server 120. Entities 105 and 110 may each comprise, but are not limited to, any device that is able to carry out wireless communicative functions such as a smart phone, a tablet computer, a mobile computer, a netbook, a wearable electronic device such as a smart watch, smart plugs, or transceivers that may be found in smart devices or Internet of Things (IoT) enabled devices.

As for secure server 120, this server may comprise a secure cloud server or a remotely located secure server which is able to communicate wirelessly with entities 105 and 110 either through Internet 115 or directly with entities 105 and 110. If server 120 is configured to communicate with entities 105 and 110 through Internet 115, server 120 may do so via wired networks or wireless networks 125 such as, but not limited to, cellular networks, satellite networks, telecommunication networks, or Wide Area Networks (WAN). Alternatively, if server 120 is configured to communicate directly with entities 105 and 110, this may be accomplished through wireless networks 130 such as, but not limited to, Wireless-Fidelity (Wi-Fi), Bluetooth, or Near Field Communication (NFC). It should be noted that entities 105 and 110 may utilize either one of wireless network 125 (via the Internet) or wireless network 130 (direct communication) to exchange data messages with one another.

Figure 2 illustrates a block diagram representative of components of an electronic device 200 that is provided within entities 105, 110 and server 120 for implementing embodiments in accordance with embodiments of the invention. One skilled in the art will recognize that the exact configuration of each electronic device provided within the entities or the server may be different and the exact configuration of electronic device 200 may vary and Figure 2 is provided by way of example only.

In embodiments of the invention, device 200 comprises controller 201 and user interface 202. User interface 202 is arranged to enable manual interactions between a user and electronic device 200 and for this purpose includes the input/output components required for the user to enter instructions to control electronic device 200. A person skilled in the art will recognize that components of user interface 202 may vary from embodiment to embodiment but will typically include one or more of display 240, keyboard 235 and trackpad 236. Controller 201 is in data communication with user interface 202 via bus 215 and includes memory 220, Central Processing Unit (CPU) 205 mounted on a circuit board that processes instructions and data for performing the method of this embodiment, an operating system 206, an input/output (I/O) interface 230 for communicating with user interface 202 and a communications interface, in this embodiment in the form of a network card 250. Network card 250 may, for example, be utilized to send data from electronic device 200 via a wired or wireless network to other processing devices or to receive data via the wired or wireless network. Wireless networks that may be utilized by network card 250 include, but are not limited to, Wireless-Fidelity (Wi-Fi), Bluetooth, Near Field Communication (NFC), cellular networks, satellite networks, telecommunication networks and Wide Area Networks (WAN).

Memory 220 and operating system 206 are in data communication with CPU 205 via bus 210. The memory components include both volatile and non-volatile memory and more than one of each type of memory, including Random Access Memory (RAM) 220, Read Only Memory (ROM) 225 and a mass storage device 245, the last comprising one or more solid-state drives (SSDs). Memory 220 also includes secure storage 246 for securely storing secret keys, or private keys. It should be noted that the contents within secure storage 246 are only accessible by a super-user or administrator of device 200 and may not be accessed by any user of device 200. One skilled in the art will recognize that the memory components described above comprise non-transitory computer-readable media and shall be taken to comprise all computer-readable media except for a transitory, propagating signal. Typically, the instructions are stored as program code in the memory components but can also be hardwired. Memory 220 may include a kernel and/or programming modules such as a software application that may be stored in either volatile or non-volatile memory.

Herein the term "CPU" is used to refer generically to any device or component that can process such instructions and may include: a microprocessor, microcontroller, programmable logic device or other computational device. That is, CPU 205 may be provided by any suitable logic circuitry for receiving inputs, processing them in accordance with instructions stored in memory and generating outputs (for example to the memory components or on display 240). In this embodiment, CPU 205 may be a single core or multi-core processor with memory addressable space. In one example, CPU 205 may be multi-core, comprising, for example, an 8 core CPU.

Referring back to Figure 1, prior to adding devices 105 and 110 to the device-pair authentication and the common session key generation system in accordance with embodiments of the invention, server 120, which is configured as a Key Generation Centre, will first initiate a setup procedure based on identity based signature schemes to generate a master secret key msk and a master public key mpk.

Server 120 will then select a cryptographic collision-resistant hash function H: {0,1}* → {0,1}^l whereby l is an appropriate integer known to a person skilled in the art. Server 120 may also select an Authentication Data Deriving Function and a Key Deriving Function that is to be adopted for use in the system. In embodiments of the invention, the Authentication Data Deriving Function (AdDF) may include any algorithm or scheme for verifying the authenticity of a message such as a scheme for generating a message authentication code (MAC), a scheme for generating a message integrity code or a keyed hash function while the Key Deriving Function (KDF) may include any scheme for deriving a secret key from a secret value such as a collision-resistant hash function.

When device 105 or 110 joins the system, a private key unique to each of these devices will be issued by secure server 120. These unique private keys once generated will then be communicated to each of these devices whereby the respective private keys will then be stored in the secure memory within each of devices 105 and 110.

In particular, when device 105 registers itself with server 120, device 105 will communicate its identity to server 120. The identity of device 105 may comprise its user name, email address, telephone number, IP address, MAC address, or any alphanumeric combination that may be utilized to uniquely identify entity 105. Server 120 then provides the identity id_105 associated with device 105 to a selected identity based signature scheme to generate a secret private key sk_105 for entity 105.

Similarly, when device 110 registers itself with server 120, device 110 will also transmit its identity to server 120. Server 120 then provides identity id_110 associated with device 110 to the same selected identity based signature scheme to generate a secret private key sk_110 for device 110.

The private keys sk_105 and sk_110 are then communicated to their respective devices. Once the private keys have been stored in the secure memory of the respective devices, the device pair, i.e. device 105 and 110, may then commence authentication procedures. Upon successfully authenticating each other, the device-pair may then proceed to generate a common session key for encoding or signing digital communications sent between each other. In the following description, for ease of reading, device 105 may also be identified as device "i" while device 110 may also be identified as device "j".

Embodiments Based On Symmetric Bilinear Map

In a first embodiment of the invention, the selected identity based signature scheme may be based on a symmetric bilinear map e: G_1 × G_1 → G_2, where G_1 and G_2 are cyclic groups with prime order q defined over an elliptic curve. For such identity based signature schemes, the master public key mpk may be defined as mpk = (s·P, P), where P is a generator of G_1 and msk = s ∈ Z_q* where Z_q* is the set of non-zero residues modulo q. In this embodiment, device 105's private key is defined as sk_i while device 110's private key is defined as sk_j, as per the selected identity based signature scheme.

The generation of a common session key for devices 105 and 110 in accordance with this embodiment of the invention is illustrated in Figure 3. In particular, at step 305, device 105 will initiate the common session key generation process by first generating a random number a ∈ Z_q* where Z_q* is the set of non-zero residues modulo q. Device 105 will then compute an element k_i using the random value a and the master public key mpk. The element k_i may be defined as k_i = (a·P) where P is a parameter obtained from the master public key mpk.

Device 105 will then transmit the element k_i and the identity of device 105 id_i to device 110 at step 310. Upon receiving the element k_i from device 110, at step 315, device 110 will then generate a random number b ∈ Z_q* where Z_q* is the set of non-zero residues modulo q. Device 110 will then generate an element k_j based on the random value b, and the master public key mpk. The element k_j may be defined as k_j = (b·P) where P is a parameter obtained from the master public key mpk. The element k_i and the element k_j are then signed using a signing function associated with the selected Identity Based Signature Scheme, Sign( ), and the private key sk_j to generate signature σ_j which is defined as σ_j = Sign(sk_j, a·P || b·P), where || denotes concatenation.

At step 320, device 110 then transmits the signature σ_j, i.e. σ_j = Sign(sk_j, a·P || b·P), and the second element k_j, to device 105.

Upon receiving σ_j and k_j from device 110, device 105 then proceeds to verify the received signature σ_j using a verification function associated with the selected Identity Based Signature Scheme, Verify( ), and the identity of the device 110 id_j. This takes place at step 325 as Verify(id_j, σ_j). If the verification function returns a negative result, meaning if the signature σ_j may not be verified using the identity of the device 110 id_j, device 105 will abort the common session key generation process. Conversely, if the verification function is successful in verifying the signature σ_j, device 105 will then proceed to compute its own signature σ_i. In particular, device 105's signature σ_i may be computed as σ_i = Sign(sk_i, b·P). Device 105 then proceeds to calculate its common-secret cs_i as e(b·P, s·P)^a where s·P is a parameter obtained from the master public key mpk and e is the symmetric bilinear map e: G_1 × G_1 → G_2, where G_1 and G_2 are cyclic groups with prime order q. The calculated common-secret cs_i is then provided to a Key Deriving Function (KDF) to generate a common session key SK as SK = KDF(cs_i).

Once device 105 has completed the computation of the common session key SK, device 105 will then communicate its signature σ_i to device 110. Alternatively, device 105 may also communicate its signature σ_i to device 110 once it has computed its signature σ_i. This takes place at step 330.

Upon receiving σ_i from device 105, device 110 then proceeds to verify the received signature σ_i using the same verification function associated with the selected Identity Based Signature Scheme, Verify( ), and the identity of device 105 id_i. This takes place at step 335 as Verify(id_i, σ_i). If the verification function returns a negative result, meaning if the signature σ_i may not be verified using the identity of the device 105 id_i, device 110 will abort the common session key generation process. Conversely, if the verification function is successful in verifying the signature σ_i, device 110 will then proceed to calculate its common-secret cs_j as e(a·P, s·P)^b where s·P is the parameter obtained from the master public key mpk and e is the symmetric bilinear map e: G_1 × G_1 → G_2, where G_1 and G_2 are cyclic groups with prime order q. The calculated common-secret cs_j is then provided to a Key Deriving Function (KDF) to generate a common session key SK as SK = KDF(cs_j).

In this embodiment of the invention, if server 120 were to receive all communications that were exchanged between device 105 and device 110, server 120 would be able to utilize its own master secret key s to generate the common session key SK. In particular, server 120 may utilize the element k_i as shared by device 105 and the element k_j as shared by device 110 to generate a common secret cs_kgc as cs_kgc = e(a·P, b·P)^s and a common session key SK as SK = KDF(cs_kgc).
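
Why device 105, device 110 and server 120 arrive at the same value, as an added derivation (not part of the original text) that uses only the bilinearity of e, i.e. e(x·P, y·P) = e(P, P)^(xy):

\[
cs_i = e(b\cdot P,\ s\cdot P)^{a} = e(P,P)^{abs},\qquad
cs_j = e(a\cdot P,\ s\cdot P)^{b} = e(P,P)^{abs},\qquad
cs_{kgc} = e(a\cdot P,\ b\cdot P)^{s} = e(P,P)^{abs}.
\]

Each party supplies exactly one of the three exponents itself: device 105 holds a, device 110 holds b, and server 120 holds s, while the other two reach it only as the public points a·P, b·P and s·P.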

In another embodiment of the first embodiment of the invention, the generation of a common session key for devices 105 and 110 in accordance with this embodiment of the invention may be as follows.

In particular, at step 305, device 105 will initiate the common session key generation process by first generating a random number a ∈ Z_q* where Z_q* is the set of non-zero residues modulo q. Device 105 will then compute an element k_i using the random value "a" and the master public key mpk. The element k_i may be defined as k_i = (a·P) where P is a parameter obtained from the master public key mpk. Device 105 will also at this step proceed to compute its own signature σ_i. In particular, device 105's signature σ_i may be computed as σ_i

Device 105 will then transmit its signature σ_i, the element k_i and the identity of device 105 id_i to device 110 at step 310.

Upon receiving σ_i from device 105, device 110 then proceeds to verify the received signature σ_i using the same verification function associated with the Identity Based Signature Scheme, Verify( ), and the identity of device 105 id_i. This takes place at step 315 as Verify(id_i, σ_i). If the verification function returns a negative result, meaning if the signature σ_i may not be verified using the identity of the device 105 id_i, device 110 will abort the common session key generation process. Conversely, if the verification function is successful in verifying the signature σ_i, device 110 will then proceed to generate a random number b ∈ Z_q* where Z_q* is the set of non-zero residues modulo q. Device 110 will then generate an element k_j based on the random value b, and the master public key mpk. The element k_j may be defined as k_j = (b·P) where P is a parameter obtained from the master public key mpk. The element k_i and the element k_j are then signed using a signing function associated with the Identity Based Signature Scheme, Sign( ), and the private key sk_j to generate signature σ_j which is defined as σ_j = Sign(sk_j, a·P || b·P).

At step 320, device 110 then transmits the signature σ_j, i.e. σ_j = Sign(sk_j, a·P || b·P), and the second element k_j, to device 105.

Upon receiving σ_j and k_j from device 110, device 105 then proceeds to verify the received signature σ_j using a verification function associated with the Identity Based Signature Scheme, Verify( ), and the identity of the device 110 id_j. This takes place at step 325 as Verify(id_j, σ_j). If the verification function returns a negative result, meaning if the signature σ_j may not be verified using the identity of the device 110 id_j, device 105 will abort the common session key generation process. Conversely, if the verification function is successful in verifying the signature σ_j, device 105 then proceeds to calculate its common-secret cs_i as e(b·P, s·P)^a where s·P is a parameter obtained from the master public key mpk and e is the symmetric bilinear map e: G_1 × G_1 → G_2, where G_1 and G_2 are cyclic groups with prime order q. The common-secret cs_i is then provided to a Key Deriving Function (KDF) to obtain verification key vk_i as vk_i = KDF(cs_i). The obtained verification key vk_i is then used with an Authentication Data Deriving function (AdDF) to generate verification data vd_i as vd_i = AdDF(vk_i). The calculated common-secret cs_i is also simultaneously provided to a Key Deriving Function (KDF) to generate a common session key SK as SK = KDF(cs_i).

Once device 105 has completed the computation of the common session key SK, device 105 will then communicate verification data vd_i to device 110. Alternatively, device 105 may also communicate verification data vd_i to device 110 once it has computed verification data vd_i. This takes place at step 330.

Upon receiving verification data vd_i at step 335, device 110 will then compute its common-secret cs_j as e(a·P, s·P)^b where s·P is the parameter obtained from the master public key mpk and e is the symmetric bilinear map e: G_1 × G_1 → G_2, where G_1 and G_2 are cyclic groups with prime order q. The common-secret cs_j is then provided to a Key Deriving Function (KDF) to obtain verification key vk_j as vk_j = KDF(cs_j). The obtained verification key vk_j is then used with an Authentication Data Deriving function (AdDF) to generate verification data vd_j as vd_j = AdDF(vk_j). Verification data vd_j is then compared with verification data vd_i and if a match is not found, device 110 will cancel the process. If a match is found, the calculated common-secret cs_j is then provided to a Key Deriving Function (KDF) to generate a common session key SK as SK = KDF(cs_j).

Similarly, for this embodiment of the invention, if server 120 were to receive all communications that were exchanged between device 105 and device 110, server 120 would be able to utilize its own master secret key s to generate the common session key SK. In particular, server 120 may utilize the element k_i as shared by device 105 and the element k_j as shared by device 110 to generate a common secret cs_kgc as cs_kgc = e(a·P, b·P)^s and a common session key SK as SK = KDF(cs_kgc).

In yet another embodiment of the first embodiment of the invention, option fields op_f1, op_f2, op_f3, op_f4, op_f5, op_f6 or op_f7 may be added to the various functions such as the signing and verification functions, and the Key Deriving Function and may comprise identities of entities of the system where applicable or any application specific data as determined by the entities themselves. These option fields may be applied to both embodiments above.

If the option fields are adopted, the generation of a common session key for devices 105 and 110 in accordance with this embodiment of the invention may be as follows. In particular, at step 305, device 105 will initiate the common session key generation process by first generating a random number a ∈ Z_q* where Z_q* is the set of non-zero residues modulo q. Device 105 will then compute an element k_i using the random value a and the master public key mpk. The element k_i may be defined as k_i = (a·P) where P is a parameter obtained from the master public key mpk.

Device 105 will then transmit an option field op_f1, the element k_i and the identity of device 105 id_i to device 110 at step 310. Upon receiving the element k_i from device 110, at step 315, device 110 will then generate a random number b ∈ Z_q* where Z_q* is the set of non-zero residues modulo q. Device 110 will then generate an element k_j based on the random value b, and the master public key mpk. The element k_j may be defined as k_j = (b·P) where P is a parameter obtained from the master public key mpk. The element k_i and the element k_j are then signed with option field op_f2 using a signing function associated with an Identity Based Signature Scheme, Sign( ), and the private key sk_j to generate signature σ_j which is defined as σ_j = Sign(sk_j, a·P || b·P || op_f2).

At step 320, device 110 then transmits an option field op_f3, the signature σ_j, i.e. σ_j = Sign(sk_j, a·P || b·P || op_f2), and the second element k_j, to device 105.

Upon receiving σ_j and k_j from device 110, device 105 then proceeds to verify the received signature σ_j using a verification function associated with the Identity Based Signature Scheme, Verify( ), and the identity of the device 110 id_j. This takes place at step 325 as Verify(id_j, σ_j). If the verification function returns a negative result, meaning if the signature σ_j may not be verified using the identity of the device 110 id_j, device 105 will abort the common session key generation process. Conversely, if the verification function is successful in verifying the signature σ_j, device 105 will then proceed to compute its own signature σ_i. In particular, device 105's signature σ_i may be computed as σ_i = Sign(sk_i, b·P || op_f4). Device 105 then proceeds to calculate its common-secret cs_i as e(b·P, s·P)^a where s·P is a parameter obtained from the master public key mpk and e is the symmetric bilinear map e: G_1 × G_1 → G_2, where G_1 and G_2 are cyclic groups with prime order q. The calculated common-secret cs_i is then provided to a Key Deriving Function (KDF) to generate a common session key SK as SK = KDF(cs_i, opt_f6).

Once device 105 has completed the computation of the common session key SK, device 105 will then communicate an option field op_f5 and its signature σ_i to device 110. Alternatively, device 105 may also communicate its signature σ_i to device 110 once it has computed its signature σ_i. This takes place at step 330.

Upon receiving σ_i from device 105, device 110 then proceeds to verify the received signature σ_i using the same verification function associated with the Identity Based Signature Scheme, Verify( ), and the identity of device 105 id_i. This takes place at step 335 as Verify(id_i, σ_i). If the verification function returns a negative result, meaning if the signature σ_i may not be verified using the identity of the device 105 id_i, device 110 will abort the common session key generation process. Conversely, if the verification function is successful in verifying the signature σ_i, device 110 will then proceed to calculate its common-secret cs_j as e(a·P, s·P)^b where s·P is the parameter obtained from the master public key mpk and e is the symmetric bilinear map e: G_1 × G_1 → G_2, where G_1 and G_2 are cyclic groups with prime order q. The calculated common-secret cs_j is then provided to a Key Deriving Function (KDF) to generate a common session key SK as SK = KDF(cs_j, opt_f6).

In still yet another embodiment of the first embodiment of the invention, the generation of a common session key for devices 105 and 110 using option fields in accordance with this embodiment may be as follows.

In particular, at step 305, device 105 will initiate the common session key generation process by first generating a random number a ∈ Z_q* where Z_q* is the set of non-zero residues modulo q. Device 105 will then compute an element k_i using the random value "a" and the master public key mpk. The element k_i may be defined as k_i = (a·P) where P is a parameter obtained from the master public key mpk. Device 105 will also at this step proceed to compute its own signature σ_i. In particular, device 105's signature σ_i may be computed as σ_i = Sign(sk_i, a·P || opt_f1).

Device 105 will then transmit an option field opt_f2, its signature σ_i, the element k_i and the identity of device 105 id_i to device 110 at step 310.

Upon receiving σ_i from device 105, device 110 then proceeds to verify the received signature σ_i using the same verification function associated with the Identity Based Signature Scheme, Verify( ), and the identity of device 105 id_i. This takes place at step 315 as Verify(id_i, σ_i). If the verification function returns a negative result, meaning if the signature σ_i may not be verified using the identity of the device 105 id_i, device 110 will abort the common session key generation process. Conversely, if the verification function is successful in verifying the signature σ_i, device 110 will then proceed to generate a random number b ∈ Z_q* where Z_q* is the set of non-zero residues modulo q. Device 110 will then generate an element k_j based on the random value b, and the master public key mpk. The element k_j may be defined as k_j = (b·P) where P is a parameter obtained from the master public key mpk. The element k_i and the element k_j with option field opt_f3 are then signed using a signing function associated with the Identity Based Signature Scheme, Sign( ), and the private key sk_j to generate signature σ_j which is defined as σ_j = Sign(sk_j, a·P || b·P || opt_f3).

At step 320, device 110 then transmits an option field opt_f4, the signature σ_j, i.e. σ_j = Sign(sk_j, a·P || b·P || opt_f3), and the second element k_j, to device 105.

Upon receiving σ_j and k_j from device 110, device 105 then proceeds to verify the received signature σ_j using a verification function associated with the Identity Based Signature Scheme, Verify( ), and the identity of the device 110 id_j. This takes place at step 325 as Verify(id_j, σ_j). If the verification function returns a negative result, meaning if the signature σ_j may not be verified using the identity of the device 110 id_j, device 105 will abort the common session key generation process. Conversely, if the verification function is successful in verifying the signature σ_j, device 105 then proceeds to calculate its common-secret cs_i as e(b·P, s·P)^a where s·P is a parameter obtained from the master public key mpk and e is the symmetric bilinear map e: G_1 × G_1 → G_2, where G_1 and G_2 are cyclic groups with prime order q. The common-secret cs_i is then provided to a Key Deriving Function (KDF) to obtain verification key vk_i as vk_i = KDF(cs_i, opt_f5). The obtained verification key vk_i is then used with an Authentication Data Deriving function (AdDF) to generate verification data vd_i as vd_i = AdDF(vk_i, opt_f6). The calculated common-secret cs_i is also simultaneously provided to a Key Deriving Function (KDF) to generate a common session key SK as SK =

Once device 105 has completed the computation of the common session key SK, device 105 will then communicate the option field opt_f6 and verification data vd_i to device 110. Alternatively, device 105 may also communicate the option field opt_f6 and verification data vd_i to device 110 once it has computed verification data vd_i. This takes place at step 330.

Upon receiving verification data vd_i at step 335, device 110 will then compute its common-secret cs_j as e(a·P, s·P)^b where s·P is the parameter obtained from the master public key mpk and e is the symmetric bilinear map e: G_1 × G_1 → G_2, where G_1 and G_2 are cyclic groups with prime order q. The common-secret cs_j is then provided to a Key Deriving Function (KDF) to obtain verification key vk_j as vk_j = KDF(cs_j, opt_f5). The obtained verification key vk_j is then used with an Authentication Data Deriving function (AdDF) to generate verification data vd_j as vd_j = AdDF(vk_j, opt_f6). Verification data vd_j is then compared with verification data vd_i and if a match is not found, device 110 will cancel the process. If a match is found, the calculated common-secret cs_j is then provided to a Key Deriving Function (KDF) to generate a common session key SK as SK = KDF(cs_j, opt_f7). The application of the option fields to the signing function, the verifying function, the Key Deriving Function and/or the AdDF function may also be applied to the second, third and fourth embodiments as described in the following sections.

Embodiments Based On Asymmetric Bilinear Map

In a second embodiment of the invention, the selected identity based signature scheme may be based on an asymmetric bilinear map e: G_1 × G_2 → G_t, where G_1, G_2 and G_t are cyclic groups with prime order q; in addition, G_1 and G_2 are defined over an elliptic curve. For such identity based signature schemes, the master public key mpk may be defined as mpk = (s·Q, Q, P), where P is a generator of G_1, Q is a generator of G_2 and msk = s ∈ Z_q* where Z_q* is the set of non-zero residues modulo q. In this embodiment, device 105's private key is defined as sk_i while device 110's private key is defined as sk_j as per the selected identity based signature scheme.

The generation of a common session key for devices 105 and 110 in accordance with this embodiment of the invention is illustrated in Figure 3. In particular, at step 305, device 105 will initiate the common session key generation process by first generating a random number a ∈ Z_q* where Z_q* is the set of non-zero residues modulo q. Device 105 will then compute an element k_i using the random value a and the master public key mpk. The element k_i may be defined as k_i = (a·P) where P is a parameter obtained from the master public key mpk.

Device 105 will then transmit the element k_i and the identity of device 105 id_i to device 110 at step 310. Upon receiving the element k_i from device 110, at step 315, device 110 will then generate a random number b ∈ Z_q* where Z_q* is the set of non-zero residues modulo q. Device 110 will then generate an element k_j based on the random value b, and the master public key mpk. The element k_j may be defined as k_j = (b·P, b·Q) where P and Q are parameters obtained from the master public key mpk. The element k_i and the element k_j are then signed using a signing function associated with the Identity Based Signature Scheme, Sign( ), and the private key sk_j to generate signature σ_j which is defined as σ_j = Sign(sk_j, a·P || b·P || b·Q).

At step 320, device 110 then transmits the signature σ,, i.e. = Sign (sk j , a-P || b-P|| b-Q), and the second element k j , to device 105.

Upon receiving σ_j and k_j from device 110, device 105 then proceeds to verify the received signature σ_j using a verification function associated with the Identity Based Signature Scheme, Verify( ), and the identity of the device 110 id_j. This takes place at step 325 as Verify(id_j, σ_j). If the verification function returns a negative result, meaning if the signature σ_j may not be verified using the identity of the device 110 id_j, device 105 will abort the common session key generation process. Conversely, if the verification function is successful in verifying the signature σ_j, device 105 will then proceed to compute its own signature σ_i. In particular, device 105's signature σ_i may be computed as σ_i = Sign(sk_i, b·P). Device 105 then proceeds to calculate its common-secret cs_i as e(b·P, s·Q)^a where s·Q is a parameter obtained from the master public key mpk and e is the asymmetric bilinear map e: G_1 × G_2 → G_t, where G_1, G_2 and G_t are cyclic groups with prime order q. The calculated common-secret cs_i is then provided to a Key Deriving Function (KDF) to generate a common session key SK as SK = KDF(cs_i).

Once device 105 has completed the computation of the common session key SK, device 105 will then communicate its signature σ_i to device 110. Alternatively, device 105 may also communicate its signature σ_i to device 110 once it has computed its signature σ_i. This takes place at step 330.

Upon receiving σ_i from device 105, device 110 then proceeds to verify the received signature σ_i using the same verification function associated with the Identity Based Signature Scheme, Verify( ), and the identity of device 105 id_i. This takes place at step 335 as Verify(id_i, σ_i). If the verification function returns a negative result, meaning if the signature σ_i may not be verified using the identity of the device 105 id_i, device 110 will abort the common session key generation process. Conversely, if the verification function is successful in verifying the signature σ_i, device 110 will then proceed to calculate its common-secret cs_j as e(a·P, s·Q)^b where s·Q is the parameter obtained from the master public key mpk and e is the asymmetric bilinear map e: G_1 × G_2 → G_t, where G_1, G_2 and G_t are cyclic groups with prime order q. The calculated common-secret cs_j is then provided to a Key Deriving Function (KDF) to generate a common session key SK as SK = KDF(cs_j).

In this embodiment of the invention, if server 120 were to receive all communications that were exchanged between device 105 and device 110, server 120 would be able to utilize its own master secret key s to generate the common session key SK. In particular, server 120 may utilize the element k_i as shared by device 105 and a part of the element k_j as shared by device 110 to generate a common secret cs_kgc as cs_kgc = e(a·P, b·Q)^s and a common session key SK as SK = KDF(cs_kgc).

In another embodiment of the second embodiment of the invention, the generation of a common session key for devices 105 and 110 in accordance with this embodiment of the invention may be as follows.

In particular, at step 305, device 105 will initiate the common session key generation process by first generating a random number a ∈ Z_q* where Z_q* are non-zero residuals of modular q. Device 105 will then compute an element k_i using the random value "a" and the master public key mpk. The element k_i may be defined as k_i = (a·P) where P is a parameter obtained from the master public key mpk. Device 105 will also at this step proceed to compute its own signature σ_i. In particular, device 105's signature σ_i may be computed as σ_i

Device 105 will then transmit its signature σ_i, the element k_i and the identity of device 105 id_i to device 110 at step 310.

Upon receiving σ_i from device 105, device 110 then proceeds to verify the received signature σ_i using the same verification function associated with the Identity Based Signature Scheme, Verify( ), and the identity of device 105 id_i. This takes place at step 315 as Verify(id_i, σ_i). If the verification function returns a negative result, meaning if the signature σ_i may not be verified using the identity of the device 105 id_i, device 110 will abort the common session key generation process. Conversely, if the verification function is successful in verifying the signature σ_i, device 110 will then proceed to generate a random number b ∈ Z_q* where Z_q* are non-zero residuals of modular q. Device 110 will then generate an element k_j based on the random value b, and the master public key mpk. The element k_j may be defined as k_j = (b·P, b·Q) where P and Q are parameters obtained from the master public key mpk. The element k_i and the element k_j are then signed using a signing function associated with the Identity Based Signature Scheme, Sign( ), and the private key sk_j to generate signature σ_j which is defined as σ_j = Sign(sk_j, a·P || b·P || b·Q).

At step 320, device 110 then transmits the signature σ_j, i.e. σ_j = Sign(sk_j, a·P || b·P || b·Q), and the second element k_j, to device 105.

Upon receiving σ_j and k_j from device 110, device 105 then proceeds to verify the received signature σ_j using a verification function associated with the Identity Based Signature Scheme, Verify( ), and the identity of the device 110 id_j. This takes place at step 325 as Verify(id_j, σ_j). If the verification function returns a negative result, meaning if the signature σ_j may not be verified using the identity of the device 110 id_j, device 105 will abort the common session key generation process. Conversely, if the verification function is successful in verifying the signature σ_j, device 105 then proceeds to calculate its common-secret cs_i as e(b·P, s·Q)^a where s·Q is a parameter obtained from the master public key mpk and e is the asymmetric bilinear map e: G_1 × G_2 → G_t, where G_1, G_2 and G_t are cyclic groups with prime order q. The common-secret cs_i is then provided to a Key Deriving Function (KDF) to obtain verification key vk_i as vk_i = KDF(cs_i). The obtained verification key vk_i is then used with an Authentication Data Deriving function (AdDF) to generate verification data vd_i as vd_i = AdDF(vk_i). The calculated common-secret cs_i is also simultaneously provided to a Key Deriving Function (KDF) to generate a common session key SK as SK = KDF(cs_i).

Once device 105 has completed the computation of the common session key SK, device 105 will then communicate verification data vd_i to device 110. Alternatively, device 105 may also communicate verification data vd_i to device 110 once it has computed verification data vd_i. This takes place at step 330.

Upon receiving verification data vd_i at step 335, device 110 will then compute its common-secret cs_j as e(a·P, s·Q)^b where s·Q is the parameter obtained from the master public key mpk and e is the symmetric bilinear map e: G_1 × G_2 → G_t, where G_1, G_2 and G_t are cyclic groups with prime order q. The common-secret cs_j is then provided to a Key Deriving Function (KDF) to obtain verification key vk_j as vk_j = KDF(cs_j). The obtained verification key vk_j is then used with an Authentication Data Deriving function (AdDF) to generate verification data vd_j as vd_j = AdDF(vk_j). Verification data vd_j is then compared with verification data vd_i and if a match is not found, device 110 will cancel the process. If a match is found, the calculated common-secret cs_j is then provided to a Key Deriving Function (KDF) to generate a common session key SK as SK = KDF(cs_j).

Similarly, for this embodiment of the invention, if server 120 were to receive all communications that were exchanged between device 105 and device 110, server 120 would be able to utilize its own master secret key s to generate the common session key SK. In particular, server 120 may utilize the element k_i as shared by device 105 and a part of the element k_j as shared by device 110 to generate a common secret cs_kgc as cs_kgc = e(a·P, b·Q)^s and a common session key SK = KDF(cs_kgc).

In yet another embodiment of the second embodiment of the invention, option fields op_f1, op_f2, op_f3, op_f4, op_f5, op_f6 or op_f7 may be added to the various functions such as the signing and verification functions, and the Key Deriving Function and may comprise identities of entities of the system where applicable or any application specific data as determined by the entities themselves. These option fields may be applied to both embodiments above.

If the option fields are adopted, the generation of a common session key for devices 105 and 110 in accordance with this embodiment of the invention may be as follows. In particular, at step 305, device 105 will initiate the common session key generation process by first generating a random number a ∈ Z_q* where Z_q* are non-zero residuals of modular q. Device 105 will then compute an element k_i using the random value a and the master public key mpk. The element k_i may be defined as k_i = (a·P) where P is a parameter obtained from the master public key mpk.

Device 105 will then transmit an option field op_f1, the element k_i and the identity of device 105 id_i to device 110 at step 310. Upon receiving the element k_i from device 110, at step 315, device 110 will then generate a random number b ∈ Z_q* where Z_q* are non-zero residuals of modular q. Device 110 will then generate an element k_j based on the random value b, and the master public key mpk. The element k_j may be defined as k_j = (b·P, b·Q) where P and Q are parameters obtained from the master public key mpk. The element k_i and the element k_j with option field op_f2 are then signed using a signing function associated with the Identity Based Signature Scheme, Sign( ), and the private key sk_j to generate signature σ_j which is defined as σ_j = Sign(sk_j, a·P || b·P || b·Q || opt_f2).

At step 320, device 110 then transmits an option field op_f3, the signature σ_j, i.e. σ_j = Sign(sk_j, a·P || b·P || b·Q || op_f2), and the second element k_j, to device 105.

Upon receiving σ_j and k_j from device 110, device 105 then proceeds to verify the received signature σ_j using a verification function associated with the Identity Based Signature Scheme, Verify( ), and the identity of the device 110 id_j. This takes place at step 325 as Verify(id_j, σ_j). If the verification function returns a negative result, meaning if the signature σ_j may not be verified using the identity of the device 110 id_j, device 105 will abort the common session key generation process. Conversely, if the verification function is successful in verifying the signature σ_j, device 105 will then proceed to compute its own signature σ_i. In particular, device 105's signature σ_i may be computed as σ_i = Sign(sk_i, b·P || opt_f4). Device 105 then proceeds to calculate its common-secret cs_i as e(b·P, s·Q)^a where s·Q is a parameter obtained from the master public key mpk and e is the asymmetric bilinear map e: G_1 × G_2 → G_t, where G_1, G_2 and G_t are cyclic groups with prime order q. The calculated common-secret cs_i is then provided to a Key Deriving Function (KDF) to generate a common session key SK as SK = KDF(cs_i, opt_f6). Once device 105 has completed the computation of the common session key SK, device 105 will then communicate an option field op_f5 and its signature σ_i to device 110. Alternatively, device 105 may also communicate the option field op_f5 and its signature σ_i to device 110 once it has computed its signature σ_i. This takes place at step 330.

Upon receiving σ_i from device 105, device 110 then proceeds to verify the received signature σ_i using the same verification function associated with the Identity Based Signature Scheme, Verify( ), and the identity of device 105 id_i. This takes place at step 335 as Verify(id_i, σ_i). If the verification function returns a negative result, meaning if the signature σ_i may not be verified using the identity of the device 105 id_i, device 110 will abort the common session key generation process. Conversely, if the verification function is successful in verifying the signature σ_i, device 110 will then proceed to calculate its common-secret cs_j as e(a·P, s·Q)^b where s·Q is the parameter obtained from the master public key mpk and e is the asymmetric bilinear map e: G_1 × G_2 → G_t, where G_1, G_2 and G_t are cyclic groups with prime order q. The calculated common-secret cs_j is then provided to a Key Deriving Function (KDF) to generate a common session key SK as SK = KDF(cs_j, opt_f6).

Those skilled in the art may construct alternatives to the above embodiments based on asymmetric bilinear map by observing that k_i for device 105 may be defined as k_i = (a·P, a·Q) and k_j for device 110 may be defined as k_j = (b·P). In the alternatives, if server 120 were configured to receive all communications that were exchanged between device 105 and device 110, server 120 would be able to utilize its own master secret key s to generate a common secret cs_kgc as cs_kgc = e(b·P, a·Q)^s and in turn the common session key SK.

Embodiments Based on Self-Certified IBS With Weak Forward Security

In a third embodiment of the invention, the selected identity based signature (IBS) scheme may be based on self-certified identity based signature schemes, which are a special class of IBS schemes. These self-certified IBS schemes are based on DLP (Discrete Logarithm Problem) or ECDLP (Elliptic Curve Discrete Logarithm Problem), and the signatures generated by a particular private key always contain a fixed component specific to that private signing key (thus it is called key-specific data, KSD), where the KSD assists in the verification of the signatures and is often attached to the signatures as part thereof. Typical examples of self-certified IBS schemes include ISO/IEC 29192-4 and IETF RFC 6507. Self-certified IBS can be implemented over either conventional finite field, or elliptic curves (defined upon a finite field). In the subsequent description, although multiplicative notations are utilized for finite field arithmetic operations, it should be straightforward for a person skilled in the art to realize that the arithmetic operations should be described using additive notations when implemented over elliptic curves.

The structure of the private keys of the specific self-certified IBS scheme defined in ISO/IEC 19192-4 will be utilized in this embodiment for illustration purposes, but the idea contained in this embodiment is directly applicable to the scheme in IETF RFC 6507 and other self-certified IBS schemes as well. In the IBS scheme selected for this embodiment, the master key pair held by KGC is (mpk, msk) = (y = g^x, x), where g is a generator of a cyclic multiplicative group G with prime order q, and x ∈ Z_q* where Z_q* are non-zero residuals of modular q. The private key for device 105 is sk_i = (R_i = g^{r_i}, s_i = r_i + x·h(id_i, R_i)), and the private key for device 110 is sk_j = (R_j = g^{r_j}, s_j = r_j + x·h(id_j, R_j)), where r_i and r_j ∈_R Z_q* and h(.) is a cryptographic hash function.

The generation of a common session key for devices 105 and 110 in accordance with this embodiment of the invention is illustrated in Figure 3. In particular, at step 305, device 105 will initiate the common session key generation process by first generating a random number a ∈ Z_q* where Z_q* are non-zero residuals of modular q. Device 105 will then compute an element k_i using the random value "a" and the private key sk_i. The element k_i may be defined as k_i = (g^a, R_i) where R_i is a parameter obtained from the private key sk_i and g is a generator of a cyclic multiplicative group G with prime order q.

Device 105 will then transmit the element k_i and the identity of device 105 id_i to device 110 at step 310.

Upon receiving the element k_i from device 110, at step 315, device 110 will then generate a random number b ∈ Z_q* where Z_q* are non-zero residuals of modular q. Device 110 will then generate an element k_j based on the random value b, and the first element k_i. The element k_j may be defined as k_j = (g^b, R_i^b) where R_i is a parameter obtained from the element k_i and g is a generator of a cyclic multiplicative group G with prime order q. A part of the element k_i and the element k_j are then signed using a signing function or algorithm associated with the self-certified Identity Based Signature Scheme, Sign( ), and the private key sk_j to generate signature σ_j which is defined as σ_j = Sign(sk_j, g^a || g^b || R_i^b).

At step 320, device 110 then transmits the signature σ_j, i.e. σ_j = Sign(sk_j, g^a || g^b || R_i^b), and the second element k_j, to device 105.

Upon receiving σ_j and k_j from device 110, device 105 then proceeds to verify the received signature σ_j using a verification function associated with the self-certified Identity Based Signature Scheme, Verify( ), and the identity of the device 110 id_j. This takes place at step 325 as Verify(id_j, σ_j). If the verification function returns a negative result, meaning if the signature σ_j may not be verified using the identity of the device 110 id_j, device 105 will abort the common session key generation process. Conversely, if the verification function is successful in verifying the signature σ_j, device 105 will then proceed to compute its own signature σ_i. In particular, device 105's signature σ_i may be computed as σ_i = Sign(sk_i, g^b ||

proceeds to calculate its common-secret where f(.) is a two-input function such as a concatenation function || or an exclusive-OR function ⊕, and h(.) is a cryptographic hash function. The calculated common-secret cs_i is then provided to a Key Deriving Function (KDF) to generate a common session key SK as SK = KDF(cs_i).

Once device 105 has completed the computation of the common session key SK, device 105 will then communicate its signature σ_i and a part of the private key sk_j as combined with the random value a, i.e. R_j^a, to device 110. Alternatively, device 105 may also communicate its signature σ_i and a part of the private key sk_j as combined with the random value a, i.e. R_j^a, to device 110 once it has computed its signature σ_i. This takes place at step 330.

Upon receiving σ_i from device 105, device 110 then proceeds to verify the received signature σ_i using the same verification function associated with the self-certified Identity Based Signature Scheme, Verify( ), and the identity of device 105 id_i. This takes place at step 335 as Verify(id_i, σ_i). If the verification function returns a negative result, meaning if the signature σ_i may not be verified using the identity of the device 105 id_i, device 110 will abort the common session key generation process.

Conversely, if the verification function is successful in verifying the signature σ_i, device 110 will then proceed to calculate its common-secret cs_j as

cs_j = where f(.) is a two-input function such as a concatenation function || or an exclusive-OR function ⊕, and h(.) is a cryptographic hash function. The calculated common-secret cs_j is then provided to a Key Deriving Function (KDF) to generate a common session key SK as SK = KDF(cs_j).

In this embodiment of the invention, if server 120 were to receive all communications that were exchanged between device 105 and device 110, server 120 would be able to compute cs_kgc = f(y^{a·h(id_j, R_j)}, y^{b·h(id_i, R_i)}) and in turn SK = KDF(cs_kgc).

In another embodiment of the third embodiment of the invention, the generation of a common session key for devices 105 and 110 in accordance with this embodiment of the invention may be as follows.

In particular, at step 305, device 105 will initiate the common session key generation process by first generating a random number a ∈ Z_q* where Z_q* are non-zero residuals of modular q. Device 105 will then compute an element k_i using the random value "a". The element k_i may be defined as k_i = (g^a) where g is a generator of a cyclic group G with prime order q. Device 105 will also at this step proceed to compute its own signature σ_i. In particular, device 105's signature σ_i may be computed as σ_i = Sign(sk_i, g^a).

Device 105 will then transmit its signature σ_i, the element k_i and the identity of device 105 id_i to device 110 at step 310.

Upon receiving σ_i from device 105, device 110 then proceeds to verify the received signature σ_i using the same verification function associated with the self-certified Identity Based Signature Scheme, Verify( ), and the identity of device 105 id_i. This takes place at step 315 as Verify(id_i, σ_i). If the verification function returns a negative result, meaning if the signature σ_i may not be verified using the identity of the device 105 id_i, device 110 will abort the common session key generation process. Conversely, if the verification function is successful in verifying the signature σ_i, device 110 will then proceed to generate a random number b ∈ Z_q* where Z_q* are non-zero residuals of modular q.

Device 110 will then generate an element k_j based on the random value b, and the first element k_i. The element k_j may be defined as k_j = (g^b, R_i^b) where R_i is a parameter obtained from the signature σ_i and g is a generator of a cyclic multiplicative group G with prime order q. A part of the element k_i and the element k_j are then signed using a self-certified Identity Based Signature Scheme, Sign( ), and the private key sk_j to generate signature σ_j which is defined as σ_j = Sign(sk_j, g^a || g^b || R_i^b).

At step 320, device 110 then transmits the signature σ_j, i.e. σ_j = Sign(sk_j, g^a || g^b || R_i^b), and the second element k_j, to device 105.

Upon receiving σ_j and k_j from device 110, device 105 then proceeds to verify the received signature σ_j using a verification function associated with the self-certified Identity Based Signature Scheme, Verify( ), and the identity of the device 110 id_j. This takes place at step 325 as Verify(id_j, σ_j). If the verification function returns a negative result, meaning if the signature σ_j may not be verified using the identity of the device 110 id_j, device 105 will abort the common session key generation process.

Conversely, if the verification function is successful in verifying the signature σ_j, device 105 then proceeds to calculate its common-secret cs_i as cs; = f(y a - h . ld j' R j) > ) 1 1 ^ / Ri where f(.) is a two-input function such as a concatenation function || or an exclusive-OR function ⊕, and h(.) is a cryptographic hash function. The common-secret cs_i is then provided to a Key Deriving Function (KDF) to obtain verification key vk_i as vk_i = KDF(cs_i). The obtained verification key vk_i is then used with an Authentication Data Deriving function (AdDF) to generate verification data vd_i as vd_i = AdDF(vk_i, R_j^a). The calculated common-secret cs_i is also simultaneously provided to a Key Deriving Function (KDF) to generate a common session key SK as SK =

Once device 105 has completed the computation of the common session key SK, device 105 will then communicate verification data vd_i and R_j^a to device 110. Alternatively, device 105 may also communicate verification data vd_i and R_j^a to device 110 once it has computed verification data vd_i. This takes place at step 330.

Upon receiving verification data vd_i at step 335, device 110 will then proceed to calculate where f(.) is a two-input function such as a concatenation function || or an exclusive-OR function ⊕, and h(.) is a cryptographic hash function. The common-secret cs_j is then provided to a Key Deriving Function (KDF) to obtain verification key vk_j as vk_j = KDF(cs_j). The obtained verification key vk_j is then used with an Authentication Data Deriving function (AdDF) to generate verification data vd_j as vd_j = AdDF(vk_j, R_j^a). Verification data vd_j is then compared with verification data vd_i and if a match is not found, device 110 will cancel the process. If a match is found, the calculated common-secret cs_j is then provided to a Key Deriving Function (KDF) to generate a common session key SK as SK = KDF(cs_j).

Similarly, for this embodiment of the invention, if server 120 were to receive all communications that were exchanged between device 105 and device 110, server 120 would be able to compute cs_kgc = f(y^{a·h(id_j, R_j)}, y^{b·h(id_i, R_i)}).

Embodiments Based on Self-Certified IBS With Strong Forward Security

In a fourth embodiment of the invention, the selected identity based signature (IBS) scheme may be based on existing self-certified identity based signature schemes, which are a special class of IBS schemes. These self-certified IBS schemes are based on DLP (Discrete Logarithm Problem) or ECDLP (Elliptic Curve Discrete Logarithm Problem), and the signatures generated by a particular private key always contain a fixed component specific to that private signing key (thus it is called key-specific data, KSD), where the KSD assists in the verification of the signatures and is often attached to the signatures as part thereof. Typical examples of self-certified IBS schemes include ISO/IEC 29192-4 and IETF RFC 6507. Self-certified IBS can be implemented over either conventional finite field, or elliptic curves (defined upon a finite field). In the subsequent description of this embodiment, although multiplicative notations are utilized for finite field arithmetic operations, it should be straightforward for a person skilled in the art to realize that the arithmetic operations should be described using additive notations when implemented over elliptic curves.

The structure of the private keys of the specific self-certified IBS scheme defined in ISO/IEC 19192-4 will be utilized in this embodiment for illustration purposes, but the idea contained in this embodiment is directly applicable to the scheme in IETF RFC 6507 and other self-certified IBS schemes as well. In the IBS scheme selected for this embodiment, the master key pair held by KGC is (mpk, msk) = (y = g^x, x), where g is a generator of a cyclic multiplicative group G with prime order q, and x ∈ Z_q* where Z_q* are non-zero residuals of modular q. The private key for device 105 is sk_i and the private key for device 110 is sk_j.

The generation of a common session key for devices 105 and 110 in accordance with this embodiment of the invention is illustrated in Figure 3. In particular, at step 305, device 105 will initiate the common session key generation process by first generating a random number a ∈ Z_q* where Z_q* are non-zero residuals of modular q. Device 105 will then compute an element k_i using the random value "a" and the private key sk_i. The element k_i may be defined as k_i = g^a where g is a generator of a cyclic multiplicative group G with prime order q.

Device 105 will then transmit the element k_i and the identity of device 105 id_i to device 110 at step 310.

Upon receiving the element k_i from device 110, at step 315, device 110 will then generate a random number b ∈ Z_q* where Z_q* are non-zero residuals of modular q. Device 110 will then generate element u_j as u_j = g^{ab}. Element u_j is then used to compute a parameter U as U = g^{u_j}. Device 110 then computes an element k_j based on the parameter U and the random number b. In particular, the element k_j may be defined as k_j = (U, g^b) where g is a generator of a cyclic group G with prime order q. The element k_i and the element k_j are then signed using a signing function associated with a self-certified Identity Based Signature Scheme, Sign( ), and the private key sk_j to generate signature σ_j which is defined as σ_j = Sign(sk_j, g^a || g^b || U).

At step 320, device 110 then transmits the signature σ_j, i.e. σ_j = Sign(sk_j, g^a || g^b || U), and the second element k_j, to device 105.

Upon receiving σ_j and k_j from device 110, device 105 then proceeds to verify the received signature σ_j using a verification function associated with the self-certified Identity Based Signature Scheme, Verify( ), and the identity of the device 110 id_j. This takes place at step 325 as Verify(id_j, σ_j). If the verification function returns a negative result, meaning if the signature σ_j may not be verified using the identity of the device 110 id_j, device 105 will abort the common session key generation process. Conversely, if the verification function is successful in verifying the signature σ_j, device 105 will then proceed to compute its own signature σ_i. In particular, device 105's signature σ_i may be computed as σ_i = Sign(sk_i, g^b).

Device 105 will then generate element u_i as u_i = g^{ab} and device 105 then proceeds to calculate its common-secret cs_i as cs_i = y^{u_i} where y is the master public key mpk. The calculated common-secret cs_i is then provided to a Key Deriving Function (KDF) to generate a common session key SK as SK = KDF(cs_i).

Once device 105 has completed the computation of the common session key SK, device 105 will then communicate its signature σ_i to device 110. Alternatively, device 105 may also communicate its signature σ_i to device 110 once it has computed its signature σ_i. This takes place at step 330.

Upon receiving σ_i from device 105, device 110 then proceeds to verify the received signature σ_i using the same verification function associated with the self-certified Identity Based Signature Scheme, Verify( ), and the identity of device 105 id_i. This takes place at step 335 as Verify(id_i, σ_i). If the verification function returns a negative result, meaning if the signature σ_i may not be verified using the identity of the device 105 id_i, device 110 will abort the common session key generation process.

Conversely, if the verification function is successful in verifying the signature σ_i, device 110 will then proceed to calculate its common-secret cs_j as cs_j = y^{u_j} where y is the master public key mpk. The calculated common-secret cs_j is then provided to a Key Deriving Function (KDF) to generate a common session key SK as SK = KDF(cs_j).

In this embodiment of the invention, if server 120 were to receive all communications that were exchanged between device 105 and device 110, server 120 would be able to compute cs_kgc = U^x and in turn SK = KDF(cs_kgc).
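The exchange of this fourth embodiment (steps 305 to 335) can be run end to end in a few lines; the following is an added example, not code from the patent. It assumes a Schnorr-style self-certified signature built on the key structure sk = (R = g^r, s = r + x·h(id, R)) in place of ISO/IEC 29192-4 or RFC 6507, SHA-256 as h(.) and as the KDF, and a small constructed group; every function name is hypothetical.

```python
import hashlib
import secrets

def is_prime(n):
    """Deterministic Miller-Rabin; these bases are exact for n < 3.3e24."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2:
        return False
    for p in bases:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for base in bases:
        x = pow(base, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

# Constructed demo group: first safe prime P = 2Q + 1 with Q > 2^64; G = 4 has order Q.
# Large enough for a reliable demo, far too small for real use.
Q = next(q for q in range(2**64 + 1, 2**65, 2) if is_prime(q) and is_prime(2 * q + 1))
P, G = 2 * Q + 1, 4

def H(*parts):
    """Hash to an exponent mod q (assumed stand-in for h(.) and the signature challenge)."""
    data = "|".join(str(p) for p in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def rand_exp():
    """Random element of Z_q*."""
    return secrets.randbelow(Q - 1) + 1

def kdf(cs):
    """Assumed KDF: SHA-256 over the common secret."""
    return hashlib.sha256(b"SK|" + str(cs).encode()).hexdigest()

def extract(x, ident):
    """KGC key issuance: sk = (R = g^r, s = r + x*h(id, R))."""
    r = rand_exp()
    R = pow(G, r, P)
    return R, (r + x * H(ident, R)) % Q

def sign(sk, msg):
    """Assumed Schnorr-style Sign(); R travels in the signature as the KSD."""
    R, s = sk
    t = rand_exp()
    T = pow(G, t, P)
    return R, T, (t + H(R, T, *msg) * s) % Q

def verify(y, ident, sig, msg):
    """Verify() from the identity alone: g^s is recomputed as R * y^h(id, R)."""
    R, T, z = sig
    pk = R * pow(y, H(ident, R), P) % P
    return pow(G, z, P) == T * pow(pk, H(R, T, *msg), P) % P

def exchange(y, id_i, sk_i, id_j, sk_j, tamper=False):
    """Steps 305-335. Returns (SK at 105, SK at 110, U), or None on abort."""
    a = rand_exp()
    k_i = pow(G, a, P)                                # 305: k_i = g^a
    b = rand_exp()                                    # 315: device 110
    g_b = pow(G, b, P)
    u_j = pow(k_i, b, P)                              # u_j = g^(ab)
    U = pow(G, u_j, P)                                # U = g^(u_j)
    sigma_j = sign(sk_j, (k_i, g_b, U))               # signs g^a || g^b || U
    if tamper:                                        # constructed in-transit change
        g_b = g_b * G % P
    if not verify(y, id_j, sigma_j, (k_i, g_b, U)):   # 325: device 105
        return None
    sigma_i = sign(sk_i, (g_b,))
    u_i = pow(g_b, a, P)                              # u_i = g^(ab)
    key_i = kdf(pow(y, u_i, P))                       # cs_i = y^(u_i)
    if not verify(y, id_i, sigma_i, (g_b,)):          # 335: device 110
        return None
    key_j = kdf(pow(y, u_j, P))                       # cs_j = y^(u_j)
    return key_i, key_j, U

def kgc_session_key(x, U):
    """Server 120's computation from the transcript: cs_kgc = U^x."""
    return kdf(pow(U, x, P))

if __name__ == "__main__":
    x = rand_exp()
    y = pow(G, x, P)
    sk_i, sk_j = extract(x, "device-105"), extract(x, "device-110")
    key_i, key_j, U = exchange(y, "device-105", sk_i, "device-110", sk_j)
    print("devices agree:", key_i == key_j)
    print("KGC recovers SK:", kgc_session_key(x, U) == key_i)
    print("tampered g^b:", exchange(y, "device-105", sk_i, "device-110", sk_j, tamper=True))
```

Because U is sent in the clear and covered only by the signature, `kgc_session_key` needs nothing beyond the transcript and x, which is the server 120 computation described in the preceding paragraph.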

In another embodiment of the fourth embodiment of the invention, the generation of a common session key for devices 105 and 110 in accordance with this embodiment of the invention may be as follows.

In particular, at step 305, device 105 will initiate the common session key generation process by first generating a random number a ∈ Z_q* where Z_q* are non-zero residuals of modular q. Device 105 will then compute an element k_i using the random value "a" and the private key sk_i. The element k_i may be defined as k_i = g^a where g is a generator of a cyclic multiplicative group G with prime order q. Device 105 will also at this step proceed to compute its own signature σ_i. In particular, device 105's signature σ_i may be computed as σ_i

Device 105 will then transmit its signature σ_i, the element k_i and the identity of device 105 id_i to device 110 at step 310.

Upon receiving σ_i from device 105, device 110 then proceeds to verify the received signature σ_i using the same verification function associated with the self-certified Identity Based Signature Scheme, Verify( ), and the identity of device 105 id_i. This takes place at step 315 as Verify(id_i, σ_i). If the verification function returns a negative result, meaning if the signature σ_i may not be verified using the identity of the device 105 id_i, device 110 will abort the common session key generation process. Conversely, if the verification function is successful in verifying the signature σ_i, device 110 will then proceed to generate a random number b ∈ Z_q* where Z_q* are non-zero residuals of modular q.

Device 1 10 will then generate element Uj as Uj = g ab . Element Uj is then used to compute a parameter U as U = g" Device 1 10 then forms an element k based on the parameter U and the random number b. In particular, the element k j may be defined as k j = (U, g b ) where g is a generator of a cyclic multiplicative group G with prime order q. The element k, and the element k are then signed using a signing function associated with the self-certified Identity Based Signature Scheme, Sign ( ), and the private key sk to generate signature which is defined as = Sign (sk j , g a | | g b | | U). At step 320, device 1 10 then transmits the signature σ,, i.e. σ, = Sign (sk j , g a | | g b | | U), and the second element k,, to device 1 05.

Upon receiving σ_j and k_j from device 110, device 105 then proceeds to verify the received signature σ_j using a verification function associated with the self-certified Identity Based Signature Scheme, Verify( ), and the identity id_j of device 110. This takes place at step 325 as Verify(id_j, σ_j). If the verification function returns a negative result, meaning that the signature σ_j cannot be verified using the identity id_j of device 110, device 105 will abort the common session key generation process.

Conversely, if the verification function is successful in verifying the signature σ_j, device 105 proceeds to generate element u_i as u_i = g^{ab} and then proceeds to calculate its common-secret cs_i as cs_i = y^{u_i}, where y is the master public key mpk.

The common-secret cs_i is then provided to a Key Deriving Function (KDF) to obtain verification key vk_i as vk_i = KDF(cs_i). The obtained verification key vk_i is then used with an Authentication Data Deriving function (AdDF) to generate verification data vd_i as vd_i = AdDF(vk_i). The calculated common-secret cs_i is also simultaneously provided to a Key Deriving Function (KDF) to generate a common session key SK as SK = KDF(cs_i).

Once device 105 has completed the computation of the common session key SK, device 105 will then communicate verification data vd_i to device 110. Alternatively, device 105 may also communicate verification data vd_i to device 110 once it has computed verification data vd_i. This takes place at step 330.

Upon receiving verification data vd_i at step 335, device 110 will then proceed to calculate its common-secret cs_j as cs_j = y^{u_j}, where y is the master public key mpk. The common-secret cs_j is then provided to a Key Deriving Function (KDF) to obtain verification key vk_j as vk_j = KDF(cs_j). The obtained verification key vk_j is then used with an Authentication Data Deriving function (AdDF) to generate verification data vd_j as vd_j = AdDF(vk_j). Verification data vd_j is then compared with verification data vd_i, and if a match is not found, device 110 will cancel the process. If a match is found, the calculated common-secret cs_j is then provided to a Key Deriving Function (KDF) to generate a common session key SK as SK = KDF(cs_j).

Similarly, for this embodiment of the invention, if server 120 were to receive all communications that were exchanged between device 105 and device 110, server 120 would be able to compute cs_kgc = U^x. Those skilled in the art may construct alternatives to the above embodiments based on self-certified IBS with strong forward security by observing that device 105 may compute and transmit U = g^{u_i} and σ_i = Sign(sk_i, g^b || U) to device 110 at step 330, while k_j for device 110 may be defined as k_j = (g^b) and σ_j for device 110 as σ_j = Sign(sk_j, g^a || g^b).
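The arithmetic of steps 305 to 335 can be traced end to end in the following added example, which is not part of the patent text. It assumes a toy group (p = 2879, q = 1439, g = 4), an HMAC-SHA256 KDF with distinct labels for vk and SK, and an HMAC-based AdDF; the names run_exchange, kdf and addf are hypothetical, and the Sign/Verify steps are omitted because the signature scheme is not defined in this section.

```python
import hashlib
import hmac
import secrets

# Toy parameters (constructed): safe prime P = 2Q + 1; G generates the order-Q subgroup.
P, Q, G = 2879, 1439, 4

def rand_exp():
    """Random element of Z_q^* (a non-zero residue modulo q)."""
    return secrets.randbelow(Q - 1) + 1

def to_bytes(n):
    return n.to_bytes((P.bit_length() + 7) // 8, "big")

def kdf(cs, label):
    # Assumption: HMAC-SHA256 keyed by a label, so vk and SK are distinct keys.
    return hmac.new(label, to_bytes(cs), hashlib.sha256).digest()

def addf(vk):
    # Assumption: verification data is a MAC of a fixed string under vk.
    return hmac.new(vk, b"key-confirmation", hashlib.sha256).digest()

def run_exchange(x, a, b, tamper=False):
    """Return (SK_i, SK_j, SK_kgc), or None if device j cancels at step 335."""
    y = pow(G, x, P)                  # mpk = g^x, x held by the server
    k_i = pow(G, a, P)                # step 305: k_i = g^a, sent to j
    u_j = pow(k_i, b, P)              # device j: u_j = g^{ab}
    U, g_b = pow(G, u_j, P), pow(G, b, P)   # k_j = (U, g^b), sent to i
    u_i = pow(g_b, a, P)              # device i: u_i = g^{ab}
    cs_i = pow(y, u_i, P)             # cs_i = y^{u_i}
    vd_i = addf(kdf(cs_i, b"vk"))     # step 330: vd_i sent to j
    if tamper:                        # simulate vd_i altered in transit
        vd_i = bytes([vd_i[0] ^ 1]) + vd_i[1:]
    cs_j = pow(y, u_j, P)             # step 335: cs_j = y^{u_j}
    vd_j = addf(kdf(cs_j, b"vk"))
    if not hmac.compare_digest(vd_i, vd_j):
        return None                   # mismatch: device j cancels
    cs_kgc = pow(U, x, P)             # server's view: cs_kgc = U^x
    return kdf(cs_i, b"SK"), kdf(cs_j, b"SK"), kdf(cs_kgc, b"SK")
```

All three returned keys are equal because U^x = g^{x·u_j} = y^{u_j}, which is the server-side computation the text describes.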

In accordance with an embodiment of the invention, a method for a device "i" to generate a common session key SK for encoding digital communications between device "i" and a second device "j", comprises the following steps:

Step 1, receive a master public key mpk and the private key sk_i;

Step 2, compute a first element k_i based on a first random value a generated by the first device, and the master public key mpk;

Step 3, communicate to the second device the first element k_i and the identity id_i of the first device such that upon receiving the communication, the second device is configured to: compute a second element k_j based on a second random value b generated by the second device, and the master public key mpk; compute signature σ_j by signing the first element k_i and the second element k_j using a signing function associated with an Identity Based Signature Scheme and the private key sk_j; transmit to the first device the second element k_j and the signature σ_j;

Step 4, verify the signature σ_j using a verification function associated with the Identity Based Signature Scheme and the identity id_j of the second device, and compute signature σ_i by signing the second element k_j using the signing function associated with the Identity Based Signature Scheme and the private key sk_i, when the signature σ_j is verified; and

Step 5, compute a common-secret cs_i based on the second element k_j, the master public key mpk, and the first random value a; and generate the common session key SK by providing the common-secret cs_i to a Key Deriving Function.

In order to provide such a system or method, a process is needed for a device "i" to generate a common session key SK for encoding digital communications between the device "i" and a second device "j". The following description and Figure 4 describe embodiments of processes in accordance with this invention.

Figure 4 illustrates process 400 that is performed by a first device "i" to generate a common session key SK for encoding digital communications between the first device "i" and a second device "j". Process 400 begins at step 405 with process 400 receiving a master public key mpk and the private key sk_i from a secure server configured as a Key Generation Centre. At step 410, process 400 then computes a first element k_i based on a first random value a generated by the first device, and the master public key mpk. At step 415, process 400 communicates to the second device the first element k_i and the identity id_i of the first device. Upon receiving the communication, the second device is then configured to: compute a second element k_j based on a second random value b generated by the second device, and the master public key mpk, compute signature σ_j by signing the first element k_i and the second element k_j using a signing function associated with the Identity Based Signature Scheme and the private key sk_j, and then transmit to the first device the second element k_j and the signature σ_j. Process 400 then verifies the signature σ_j using a verification function associated with the Identity Based Signature Scheme and the identity id_j of the second device, and proceeds to compute signature σ_i by signing the second element k_j using the signing function associated with the Identity Based Signature Scheme and the private key sk_i, when the signature σ_j is verified. Process 400 then computes a common-secret cs_i based on the second element k_j, the master public key mpk, and the first random value a; and then generates the common session key SK by providing the common-secret cs_i to a Key Deriving Function at step 425. Process 400 then ends.

The above is a description of embodiments of a system and process in accordance with the present invention as set forth in the following claims. It is envisioned that others may and will design alternatives that fall within the scope of the following claims.