Enhanced Identity-based (authenticated) key agreement with Rust
With pairing-based cryptography we have two cyclic groups (\(G_1\) and \(G_2\)), each of prime order \(n\). A pairing on \((G_1,G_2,G_T)\) is a function \(e: G_1 \times G_2 \rightarrow G_T\), where \(g_1\) is a generator of \(G_1\) and \(g_2\) is a generator of \(G_2\). If \(U\) is a point in \(G_1\) and \(V\) is a point in \(G_2\), the bilinearity rule gives:
\(e(aU,bV) = e(U,V)^{ab} = e(abU, V) = e(U, abV) = e(bU,aV)\)
In this case we will use Bob's and Alice's IDs to generate a shared secret key, using the MIRACL library. It uses the method proposed by Chen and Kudla [2].
First we have two groups (\(G_1\) and \(G_2\)) and we define a large prime (\(q\)), the curve order. Initially the KGC (Key Generation Centre) creates a secret random value (\(s\)) and shares it with Bob and Alice. We then have a known ID for Alice (\(ID_A\)) and for Bob (\(ID_B\)). Their public keys are then the hashes of these IDs mapped onto the curves:
\(Q_A = H(ID_A)\)
\(Q_B = H(ID_B)\)
Alice generates a secret value for the secret sharing (\(a\)) and Bob generates his own secret (\(b\)).
The KGC generates a secret (\(s\)). Bob sends his public key \(bQ_B\) to Alice, and Alice sends her public key \(aQ_A\) to Bob.
The key for Alice is:
\(K_A = e(sQ_A, bQ_B + aQ_B)\)
Bob computes:
\(K_B = e(aQ_A + bQ_A, sQ_B)\)
This works because:
\(K_A = e(sQ_A, W_B + aQ_B) = e(sQ_A, W_B) \cdot e(sQ_A, aQ_B) = e(sQ_A, bQ_B) \cdot e(sQ_A, aQ_B) = e(bQ_A, sQ_B) \cdot e(aQ_A, sQ_B) = e(bQ_A + aQ_A, sQ_B) = e(W_A + bQ_A, sQ_B) = K_B\)
and where \(W_A=aQ_A\) is Alice's public key, and \(W_B=bQ_B\) is Bob's public key.
The outline code, using the MIRACL library [here], is:
```rust
use mcore::bn254::big;
use mcore::bn254::ecp;
use mcore::bn254::ecp2;
use mcore::bn254::pair;
use mcore::bn254::rom;
use mcore::rand::{RAND, RAND_impl};
use rand::Rng;
use sha2::{Digest, Sha256};
use std::env;

// Seed MIRACL's own RNG with 32 bytes from the OS RNG.
fn get_random() -> RAND_impl {
    let random_bytes = rand::thread_rng().gen::<[u8; 32]>();
    let mut rng = RAND_impl::new();
    rng.seed(32, &random_bytes);
    rng
}

fn main() {
    let mut rng = get_random();
    let mut BobID = "athome";
    let mut AliceID = "myaddress";
    let args: Vec<String> = env::args().collect();
    if args.len() > 1 {
        BobID = args[1].as_str();
    }
    if args.len() > 2 {
        AliceID = args[2].as_str();
    }

    // Curve order q, KGC secret s, ephemeral secrets a (Alice) and b (Bob)
    let q = big::BIG::new_ints(&rom::CURVE_ORDER);
    let s = big::BIG::randomnum(&q, &mut rng);
    let a = big::BIG::randomnum(&q, &mut rng);
    let b = big::BIG::randomnum(&q, &mut rng);

    // Q_A = H(ID_A) mapped to G1, Q_B = H(ID_B) mapped to G2
    let mut hasher = Sha256::new();
    hasher.update(BobID.as_bytes());
    let Q_B = hasher.finalize();
    let mut hasher = Sha256::new();
    hasher.update(AliceID.as_bytes());
    let Q_A = hasher.finalize();

    let QA = ecp::ECP::mapit(Q_A.as_slice());
    let mut Wa = pair::g1mul(&QA, &a); // W_A = aQ_A, Alice's public key
    let bQA = pair::g1mul(&QA, &b);
    let sA = pair::g1mul(&QA, &s); // sQ_A, Alice's long-term private value
    let QB = ecp2::ECP2::mapit(Q_B.as_slice());
    let mut Wb = pair::g2mul(&QB, &b); // W_B = bQ_B, Bob's public key
    let aQB = pair::g2mul(&QB, &a);
    let sB = pair::g2mul(&QB, &s); // sQ_B, Bob's long-term private value

    println!("Bob ID:\t\t{}\n", BobID);
    println!("Alice ID:\t{}\n", AliceID);
    println!("Alice secret (a):\t{}", a.to_string());
    println!("Bob secret (b):\t\t{}", b.to_string());
    println!("s:\t{}", s.to_string());
    println!("QB:\t{}", QB.to_string());
    println!("QA:\t{}", QA.to_string());

    // Alice: K_A = e(sQ_A, W_B + aQ_B); ate() takes the G2 point first
    Wb.add(&aQB);
    let mut key = pair::ate(&Wb, &sA);
    key = pair::fexp(&key);
    println!("Key = e(SA, WB+aQB):\t{}\n", key.to_string());

    // Bob: K_B = e(sQ_B, W_A + bQ_A)
    Wa.add(&bQA);
    let mut key = pair::ate(&sB, &Wa);
    key = pair::fexp(&key);
    println!("Key = e(WA+bQA, SB):\t{}\n", key.to_string());
}
```
A sample run is:
```text
Bob ID:		bob@home
Alice ID:	alice@home
Alice secret (a):	18344BEDE3CCD1D5033AB85EBCD4A9A5090F3A881799F64E5CECCC49E08CEF97
Bob secret (b):		151E84D2E69206B80E7808615F66E8DA1081BF9B9FF2BC21C77609C609D06CD8
s:	123C221E9A9796BA66C232B53A1FC2EE8E81B6878FF45EB8452C2182C2011049
QB:	([097D7042DFA70E4707BAD92D22EAA22891D6285236E4BBB4D9EA5239EEDA96B3,23A7B7AB5BD365840AAEC1721327B4F133621C39591BFF83E1EFFFA1DE41A390],[1953A0CE5D2C93C6E9E86F18DB76A9B9B74F49DBF46B50AF0276666E9437C678,207921F3793262B50396B01D8FA77A7E51EEF592E80A8102D7B2E32E77982A1D])
QA:	(15CBDD7378E1F6920877CB3608E4E8BFE19D1F2CC04AD03EB5A18957E10DBD3C,157DF7A008ADED46761BC1ECCC28DBEE18875983B40652E730BB1281B47DB140)
Key = e(SA, WB+aQB) - first 20 bytes:
[[[1EE7649EA526F4E52B3566252994E979D4DFC1EA6DCAAF7F00CD2C122874A1F0,10E55086CD743713B02FEDBE55FE96CCDDEAB02335DB2C45DAAAACADAD4F06D0],[03BBF8665A8B258104809882D74860614C16BDCD3B131C20316731DC73D2369B,0EA8CAB00D7932810F4038906C4C7DB7AFD4793755612D4BE00EAD0DDAEBB4C7]],[[175E43088B019E6CBA4F035A255315748E916D398688296322B29100D619B69E,006AFB7B2FADF27DA33B6F892E8B3DC803EEE517C741298B77A2E379B6291461],[03175B14D82DBE930BEEEB05EED699B741C5150B071B37405C5C204CA742C8AA,1349CDCE3D0E99B1E907281096D0FAB05805A8B70AA94404B831C50AB165569F]],[[00221BA73000AA24FF679C2180FEC4FB2DDD3AE2BCD605BE3868642B31407566,1465BA6EC59B1021BFAAFD483B213A2190F3216ACC2B1CC61BD8FBDA2263E820],[1FA08D1C710A5A580668E3C29AE9BE5D2D5D6551141C0487CD06CE779FE880FB,04DDE85363A73FFBC63BF8F72BF14FC2E050C4457FE959537810A2C5C1DDD599]]]
Key = e(WA+bQA, SB) - first 20 bytes:
[[[1EE7649EA526F4E52B3566252994E979D4DFC1EA6DCAAF7F00CD2C122874A1F0,10E55086CD743713B02FEDBE55FE96CCDDEAB02335DB2C45DAAAACADAD4F06D0],[03BBF8665A8B258104809882D74860614C16BDCD3B131C20316731DC73D2369B,0EA8CAB00D7932810F4038906C4C7DB7AFD4793755612D4BE00EAD0DDAEBB4C7]],[[175E43088B019E6CBA4F035A255315748E916D398688296322B29100D619B69E,006AFB7B2FADF27DA33B6F892E8B3DC803EEE517C741298B77A2E379B6291461],[03175B14D82DBE930BEEEB05EED699B741C5150B071B37405C5C204CA742C8AA,1349CDCE3D0E99B1E907281096D0FAB05805A8B70AA94404B831C50AB165569F]],[[00221BA73000AA24FF679C2180FEC4FB2DDD3AE2BCD605BE3868642B31407566,1465BA6EC59B1021BFAAFD483B213A2190F3216ACC2B1CC61BD8FBDA2263E820],[1FA08D1C710A5A580668E3C29AE9BE5D2D5D6551141C0487CD06CE779FE880FB,04DDE85363A73FFBC63BF8F72BF14FC2E050C4457FE959537810A2C5C1DDD599]]]
```
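As an added example (not the page's code and not MIRACL), here is the exchange and the \(K_A = K_B\) derivation above in a toy Rust model that needs no crates: points are scalars mod N and the pairing is \(G^{UV} \bmod P\), which is symmetric and bilinear but gives no security at this size. It assumes the KGC keeps \(s\) and hands Alice only \(sQ_A\) and Bob only \(sQ_B\), so each Party holds just what that party really has; the IDs, the FNV-1a hash standing in for SHA-256 plus mapit, and the fixed secrets in main are constructed.

```rust
// Added toy model of the exchange above (not MIRACL, not secure): points are scalars mod N, e(U,V) = G^(U*V) mod P.
const P: u128 = 2_305_843_009_213_693_951; // 2^61 - 1 (Mersenne prime), toy size
const N: u128 = P - 1;                     // order of the additive "curve" group
const G: u128 = 3;                         // target-group generator (assumed)

fn pow_mod(mut b: u128, mut e: u128, m: u128) -> u128 {
    let mut r = 1u128;
    while e > 0 {
        if e & 1 == 1 { r = r * b % m; }
        b = b * b % m;
        e >>= 1;
    }
    r
}

/// Toy symmetric pairing; the BN254 pairing on the page is asymmetric (G1 != G2).
fn pairing(u: u128, v: u128) -> u128 { pow_mod(G, (u % N) * (v % N) % N, P) }

/// Q = H(ID): FNV-1a here instead of the page's SHA-256 + mapit (assumption).
fn hash_to_point(id: &str) -> u128 {
    let mut h: u64 = 0xcbf2_9ce4_8422_2325;
    for byte in id.bytes() { h ^= byte as u64; h = h.wrapping_mul(0x100_0000_01b3); }
    h as u128 % N
}

/// One side of the exchange: Q = H(ID), the KGC-issued sQ, and the ephemeral a or b.
struct Party { q_self: u128, d_self: u128, eph: u128 }

impl Party {
    /// KGC step: derive sQ from the master secret s; the party never learns s itself.
    fn enrol(id: &str, s: u128, eph: u128) -> Party {
        let q_self = hash_to_point(id);
        Party { q_self, d_self: s % N * q_self % N, eph: eph % N }
    }
    fn public(&self) -> u128 { self.eph * self.q_self % N } // W = aQ or bQ, sent in the clear
    /// K = e(sQ_self, W_peer + eph*Q_peer): this is K_A for Alice and K_B for Bob.
    fn shared_key(&self, peer_id: &str, peer_w: u128) -> u128 {
        let q_peer = hash_to_point(peer_id);
        pairing(self.d_self, (peer_w + self.eph * q_peer) % N)
    }
}

/// Full run with caller-supplied secrets (draw them from a CSPRNG in practice).
fn run(s: u128, a: u128, b: u128) -> (u128, u128) {
    let (alice, bob) = (Party::enrol("alice@home", s, a), Party::enrol("athome", s, b));
    (alice.shared_key("athome", bob.public()), bob.shared_key("alice@home", alice.public()))
}
fn main() {
    let (ka, kb) = run(0x1234_5678_9abc, 0x0f1e_2d3c_4b5a, 0x1111_2222_3333); // constructed
    println!("K_A = {:x}\nK_B = {:x}\nkeys agree: {}", ka, kb, ka == kb);
}
```

Because each side only ever uses its own KGC-issued value, a party enrolled under a different master secret cannot reach the same key, which is what makes the agreement authenticated rather than just a Diffie-Hellman style exchange.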
[1] Smart, N. P. (2002). Identity-based authenticated key agreement protocol based on Weil pairing. Electronics Letters, 38(13), 630-632. [link]
[2] Chen, L., & Kudla, C. (2003, June). Identity based authenticated key agreement protocols from pairings. In 16th IEEE Computer Security Foundations Workshop, 2003. Proceedings (pp. 219-233). IEEE. [link]