The Protocol. Based on Scheme 1 and the n-DHI assumption, we formulate a two-party key agreement protocol that is secure in the AM. The proof of the security is in fact very similar to the proof of Theorem 8 in [8]. The established session key is often required as a binary string. Since we have no requirements for the representations of the algebras, we assume that for any particular representation of an algebra A, there is an injective public function B that maps elements of the algebra to binary strings. This function can be used to derive a valid session key.

Protocol 1.

Common information: a member (Ak, Bk, Kk) from a family of algebras and homomorphisms An → B and an injective function B : Bk → {0, 1}*.

Step 1: The principal Pi on input (Pi, Pj, s, initiator)
• randomly samples a sequence (a1, a2, ..., an) of distinct elements of Ak such that Ak is generated by these elements,
• randomly samples a homomorphism α ∈ Kk,
• computes α(a1), α(a2), ..., α(an),
• transmits (Pi, Pj, s, (a1, α(a1)), (a2, α(a2)), ..., (an, α(an))) to Pj.

Step 2: After receiving (Pi, Pj, s, (a1, α(a1)), (a2, α(a2)), ..., (an, α(an))), the responder Pj
• randomly applies the finitary operations of Bk on α(a1), α(a2), ..., α(an) to obtain an element α(b),
• applies the corresponding sequence of operations of Ak on a1, a2, ..., an
• transmits (Pj, Pi, s, b) to Pi,
• computes B(α(b)),
• erases α(b),
• outputs the session key B(α(b)) under the session identifier s.

Step 3: After receiving (Pj, Pi, s, b), the principal Pi
• computes B(α(b)),
• outputs the session key B(α(b)) under the session identifier s.
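The three steps of Protocol 1 as an added example, not code from the source: it assumes one concrete algebra that the excerpt does not fix, namely Ak = Bk = the prime-order subgroup of Z_P^* with Kk the maps h -> h^x. The function names, the toy parameters and the element-validity checks are assumptions of this example and are not part of the protocol text.

```python
import secrets

# Toy parameters, constructed for illustration and far too small for real use:
# P = 2*Q + 1 with P, Q prime; A_k = B_k = the order-Q subgroup of Z_P^*.
P, Q = 2039, 1019
WIDTH = (P.bit_length() + 7) // 8

def encode(elem):
    """Injective map B: fixed-width big-endian encoding of a group element."""
    return elem.to_bytes(WIDTH, "big")

def valid_element(h):
    """True if h lies in the order-Q subgroup and is not the identity."""
    return isinstance(h, int) and 1 < h < P and pow(h, Q, P) == 1

def initiator_step1(n):
    """Sample n distinct generators a_i and a secret homomorphism alpha: h -> h^x."""
    gens = set()
    while len(gens) < n:
        # Squaring a value in [2, P-2] lands in the subgroup and never gives 1.
        gens.add(pow(secrets.randbelow(P - 3) + 2, 2, P))
    x = secrets.randbelow(Q - 1) + 1  # secret exponent in [1, Q-1]
    return x, [(a, pow(a, x, P)) for a in gens]

def responder_step2(pairs):
    """Apply the same random operations to the a_i and to the alpha(a_i)."""
    if not pairs or not all(valid_element(a) and valid_element(img) for a, img in pairs):
        raise ValueError("received pair outside the agreed algebra")
    b = 1
    while b == 1:  # retry if the random word collapses to the identity
        b, alpha_b = 1, 1
        for a, img in pairs:
            c = secrets.randbelow(Q)  # how many times this generator is used
            b = b * pow(a, c, P) % P
            alpha_b = alpha_b * pow(img, c, P) % P
    key = encode(alpha_b)
    del alpha_b  # stands in for "erases alpha(b)"; Python cannot guarantee wiping
    return b, key

def initiator_step3(x, b):
    """Recompute alpha(b) from the received b and the secret homomorphism."""
    if not valid_element(b):
        raise ValueError("b is outside the agreed algebra")
    return encode(pow(b, x, P))
```

With n = 1 this instantiation is the classic Diffie-Hellman exchange; the checks in `valid_element` reject the identity and elements outside the subgroup, which would otherwise force a predictable key.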