Buchmann-Williams Authenticated Key Agreement Protocol With Pre-shared Password

Based on the Buchmann-Williams key exchange protocol, a Buchmann-Williams Authenticated Key Agreement (BWAKA) protocol with pre-shared password is proposed. Its security relies on the Discrete Logarithm Problem over class groups of number fields. It provides identity authentication, perfect forward secrecy and key validation.


INTRODUCTION
Two decades ago, Buchmann and Williams (1988) proposed a key exchange protocol based on imaginary quadratic fields (IQC). The security of this protocol rests on the discrete logarithm problem over the class groups of imaginary quadratic fields. The best known methods to solve this problem are exponential, or subexponential under the Riemann Hypotheses. Thus the strength per key bit is substantially greater in IQC than in conventional Discrete Logarithm (DL) systems, and smaller parameters can be used in IQC with equivalent levels of security. For example, IQC keys of about 687 bits are about equivalent in strength to RSA or DSA (Digital Signature Algorithm) keys of about 1024 bits, which is a significant saving. These advantages are especially important in environments where processing power, storage space, or power consumption is constrained.
Furthermore, Aydos et al. (1998) proposed an ECC-based authentication and key agreement protocol for wireless communication. It makes use of the Diffie-Hellman protocol and provides identity authentication and key validation. A trusted authority, named the certificate authority, is incorporated, and thus the user end is required to process certificates. Another method for achieving an authenticated key agreement protocol is to use a pre-shared secret password, as in the SAKA algorithm proposed by Seo and Sweeney (1999). Researchers have made many modifications to SAKA (Ku and Wang, 2000).
Combining the above two protocols with the elliptic curve authenticated key agreement with pre-shared password given by Aifen et al. (2005), a Buchmann-Williams Authenticated Key Agreement (BWAKA) protocol is proposed. The pre-shared password mechanism is used to lighten the computation and storage burden of the user equipment. The protocol is proved theoretically and its security features are analyzed.

BUCHMANN-WILLIAMS KEY EXCHANGE SYSTEM
This section briefly recalls the Buchmann-Williams protocol. Let D < 0 be a square-free integer and let K = Q(√D) be the imaginary quadratic field. It is well known that the ring of algebraic integers O_K of K is Z + Zω, where a, b, c ∈ Z, a > 0, c > 0, c | a, c | b and ac | N_{K/Q}(b + cω). We denote a by L(I). The ideal I is called primitive when c = 1. Further, it is said to be reduced if it is primitive and there does not exist a nonzero β ∈ I such that |β| < |a|.
It is well known that each equivalence class of ideals of O_K contains a reduced ideal. Indeed, there is an algorithm for finding such a reduced ideal.

Algorithm:
• For a given primitive ideal The value of r here is that defined above.
where by Ne(γ) we denote an This algorithm requires a polynomial running time. Indeed, one can find a reduced ideal at most after

Throughout the paper, for any ideal I of O_K, we denote by I_red the reduced ideal equivalent to I. Now we are able to describe the Buchmann-Williams protocol. Two users Alice and Bob select a value of D so that |D| is large and an ideal I in O_K. The value of D and the ideal I are public:
• Alice selects at random an integer x and computes a reduced ideal J such that J ~ I^x. She sends J to Bob.
• Bob selects at random an integer y and computes a reduced ideal L such that L ~ I^y. He sends L to Alice.
• Alice computes a reduced ideal L^x_red equivalent to L^x; Bob computes a reduced ideal J^y_red equivalent to J^y. Since L^x ~ J^y ~ I^xy, the reduced ideals computed by Alice and Bob are the same and so L^x_red = J^y_red. They can take as the common secret key L(L^x_red) = L(J^y_red).
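As an added illustration (not code from the paper), the exchange above worked through on binary quadratic forms: under the standard correspondence, a primitive ideal of O_K is represented by a form (a, b, c) with b² - 4ac = D, the ideal product is Gauss composition, and the reduced ideal is the reduced form. Composition and reduction follow the textbook algorithms (Cohen, Alg. 5.4.7 and form reduction), and D = -95 is a constructed toy discriminant, not a parameter the paper uses.

```python
D = -95    # constructed toy discriminant (not from the paper); class number 8
IDENTITY = (1, 1, (1 - D) // 4)     # principal class; valid because D ≡ 1 (mod 4)

def xgcd(a, b):
    """Extended Euclid: returns (g, u, v) with u*a + v*b = g = gcd(a, b)."""
    u0, v0, u1, v1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        u0, u1, v0, v1 = u1, u0 - q * u1, v1, v0 - q * v1
    return a, u0, v0

def reduce_form(f):
    """Reduce (a, b, c) to the unique reduced form of its class: |b| <= a <= c."""
    a, b, c = f
    while True:
        b = b % (2 * a)
        if b > a:
            b -= 2 * a                  # now -a < b <= a
        c = (b * b - D) // (4 * a)
        if a > c:
            a, b, c = c, -b, a          # swap outer coefficients and repeat
            continue
        return (a, abs(b) if a == c else b, c)

def compose(f1, f2):
    """Gauss composition (Cohen, Alg. 5.4.7) = ideal product, returned reduced."""
    (a1, b1, _), (a2, b2, c2) = (f1, f2) if f1[0] <= f2[0] else (f2, f1)
    s = (b1 + b2) // 2
    n = b2 - s
    d, y1, _ = xgcd(a2, a1)
    d1, x2, y2 = (d, 0, 1) if s % d == 0 else xgcd(s, d)
    y2 = -y2
    v1, v2 = a1 // d1, a2 // d1
    r = (y1 * y2 * n - x2 * c2) % v1
    b3 = b2 + 2 * v2 * r
    return reduce_form((v1 * v2, b3, (c2 * d1 + r * (b2 + v2 * r)) // v1))

def power(f, e):
    """Reduced form equivalent to f^e, by square-and-multiply."""
    acc = IDENTITY
    while e:
        if e & 1:
            acc = compose(acc, f)
        f = compose(f, f)
        e >>= 1
    return acc

def buchmann_williams(I, x, y):
    """One run of the exchange: (Alice's key, Bob's key), each L(.) = a."""
    J, L = power(I, x), power(I, y)     # J goes Alice -> Bob, L goes Bob -> Alice
    return power(L, x)[0], power(J, y)[0]
```

With real parameters |D| would be hundreds of bits and x, y random in a range exceeding the (unknown) class number; the toy group here has only eight classes.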

AUTHENTICATED KEY AGREEMENT ALGORITHM
We recall the Simple Authenticated Key Agreement (SAKA); our presentation is largely inspired by Aifen et al. (2005). The main problem of the Diffie-Hellman key exchange method is that it is vulnerable to man-in-the-middle attacks. To solve this problem, user authentication is required, by adopting certificates into the key exchange. Thus Eve cannot impersonate Alice or Bob and cannot substitute the original public keys with her own, because they are signed. One example of this scheme is the authenticated Diffie-Hellman key agreement protocol, or Station-to-Station (STS) protocol (Diffie et al., 1992). But the extension to a larger system may be difficult (Seo and Sweeney, 1999). Such systems need larger storage for certificates and more bandwidth for verification of the signatures as the number of users increases. Furthermore, if the authority is compromised then the whole system is in danger.
Another kind of authenticated key exchange protocol assumes a pre-shared secret password between two users. Encrypted Key Exchange (Bellovin and Merritt, 1992) is a famous example, but it is complicated. SAKA, which is also based on the Diffie-Hellman protocol, requires only two packets to agree on the secret session key. The steps in SAKA are described as follows. The system possesses two public values n and g as in the original Diffie-Hellman scheme.
Assume Alice and Bob share a secret password P before the protocol begins. Each computes two integers Q and Q^{-1} mod (n-1) from the password P. Q is computed in a predetermined way from P and is prime to (n-1), with low probability that two different passwords will give the same value of Q:
• Alice chooses a random large integer a and sends X_1 = g^{aQ} mod n to Bob
• Bob chooses a random large integer b and sends
Key validation follows:
B mod n = g^{abQ} mod n to Alice
• Both Alice and Bob compute the other's key by applying Q^{-1} and compare it with his/her own session key
The weakness of SAKA is due to the same values of the two validation messages.
In the validation phase, Eve receives K_A^Q in step 1 from Alice. Then Eve impersonates Bob and re-sends K_A^Q to Alice. Now the validation in step 3 is always correct. Though Eve cannot establish a session key with Alice, Alice is convinced that she has obtained a correct session key. Thus the protocol does not provide identity authentication.
Moreover, the validation messages K_A^Q and K_B^Q are transmitted over the channel. When a password Q is compromised, the old session key K_B can be recovered using (K_B^Q)^{Q^{-1}} mod n. Thus SAKA does not provide perfect forward secrecy. Despite the above disadvantages, SAKA is simple to implement. Based on SAKA, a Buchmann-Williams Authenticated Key Agreement (BWAKA) protocol is proposed to suit wireless environments. The pre-shared password mechanism is adopted to lighten the computation and storage burden of the user's equipment.
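As an added example (not part of the paper), the SAKA exchange as described above, with a constructed toy prime n and a hypothetical password-to-Q derivation; the last two functions show the two shortcomings just discussed: the validation check accepts a reflected message, and a recorded validation message yields the old session key once Q is known.

```python
import hashlib
import math
import secrets

# Constructed toy parameters (not from the paper): n is the Mersenne prime 2^127 - 1,
# so exponents reduce mod (n - 1) as SAKA requires; g is an arbitrary base.
N = (1 << 127) - 1
G = 5

def derive_q(password, n=N):
    """Hypothetical 'predetermined way' to get Q from P: hash the password,
    then step forward until gcd(Q, n-1) == 1. Returns (Q, Q^-1 mod (n-1))."""
    q = int.from_bytes(hashlib.sha256(password.encode()).digest(), "big") % (n - 1)
    while q < 2 or math.gcd(q, n - 1) != 1:
        q = (q + 1) % (n - 1)
    return q, pow(q, -1, n - 1)

def establish(q, q_inv, n=N, g=G):
    """Key establishment: the two SAKA packets X1, X2 and the resulting keys.
    Returns (K_A, K_B); they agree because (g^(bQ))^(Q^-1) = g^b mod n."""
    a = secrets.randbelow(n - 2) + 1
    b = secrets.randbelow(n - 2) + 1
    x1 = pow(g, a * q, n)                      # Alice -> Bob
    x2 = pow(g, b * q, n)                      # Bob -> Alice
    k_a = pow(pow(x2, q_inv, n), a, n)         # Alice: (g^b)^a
    k_b = pow(pow(x1, q_inv, n), b, n)         # Bob:   (g^a)^b
    return k_a, k_b

def validation_message(k, q, n=N):
    """Each side sends its session key raised to Q."""
    return pow(k, q, n)

def validate(received, own_key, q_inv, n=N):
    """Apply Q^-1 to the peer's message and compare with own session key."""
    return pow(received, q_inv, n) == own_key

def reflected_message_validates(q, q_inv, n=N, g=G):
    """The flaw the paper points out: Alice's own validation message, sent back
    to her unchanged, passes her check, since the check never involves anything
    only Bob knows. A sound validation must bind the peer's secret."""
    k_a, _ = establish(q, q_inv, n, g)
    v_a = validation_message(k_a, q, n)
    return validate(v_a, k_a, q_inv, n)

def key_from_validation_message(v, q_inv, n=N):
    """Why forward secrecy fails: with Q (hence Q^-1) later compromised, a
    recorded validation message K^Q gives back the old session key K."""
    return pow(v, q_inv, n)
```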

BUCHMANN-WILLIAMS AUTHENTICATED KEY AGREEMENT PROTOCOL
Choose a square-free integer D < 0 and the imaginary quadratic field K = Q(√D). Take any ideal I of O_K with large order n in the class group of K. Now Alice and Bob share a secret password S. Individually, they compute two integers t and -t; t is derived from S in a predetermined way and yields a unique value. The whole protocol is divided into two phases: the key establishment phase and the validation phase.

Key establishment phase:
• Alice chooses a random integer computes the reduced ideal Q_{A,red} equivalent to computes the reduced ideal Q_{B,red} equivalent to

I
. Even if t (or the password S) is compromised, the random numbers d_A and d_B are still kept secret. Due to the difficulty of computing discrete logarithms over imaginary quadratic fields, no old session key can be recovered. Thus the protocol has the property of perfect forward secrecy.
Bred to Alice • Alice computes the reduced ideals X_red, K_{A,red} equivalent to impossible for Eve to know. Thus Eve cannot share a session key with Bob or Alice. Key validation: Through the key validation phase, Alice and Bob are convinced that they have obtained the same session key

•
Alice computes the reduced ideal Bob believes that he and Alice have obtained the same session key K_{A,red} = K_{B,red}. Since Bob knows d_B, he believes he has obtained the correct Q_{A,red}. Since Alice knows d_A, Bob believes Alice has obtained the correct Q_{B,red}, i.e., Bob is convinced that K_{B,red} is validated and sends the reduced ideal Alice believes that Bob has obtained the correct Q_{A,red}. Since only Bob knows t besides Alice, Alice believes that she has obtained the correct Q_{B,red} and that they have obtained the same session key K_{A,red} = K_{B,red}. Alice is convinced that K_{A,red} is validated. After the verification procedure has been completed by both sides, Alice and Bob are ready to use the session key. On the one hand, assume Eve can impersonate Bob. When Eve receives Q_A, she sends the reduced ideal Q_{E,red} equivalent to In the original Diffie-Hellman protocol, Eve can alter the public values such as g^a mod n or g^b mod n with her own values. Thus Eve can share session keys with Alice or Bob. In our protocol, when Eve receives