
Secure Certificateless-Based Authenticated Key Agreement Protocol in the Client-Server Setting

HOU Meng-bo, XU Qiu-liang
School of Computer Science and Technology, Shandong University, Jinan, 250101, China
houmb@sdu.edu.cn; xuqiuliang@sdu.edu.cn

Abstract

E-learning communication security should be considered to ensure sensitive message transmission. An authenticated key agreement protocol in the client-server setting is the fundamental building block for ensuring client-server entity authentication, data confidentiality and integrity. So far, a great many two-party authenticated key agreement protocols have been proposed based on traditional public key cryptography and identity-based cryptography, but certificateless-based authenticated key agreement protocols are seldom discussed. In this paper, we propose such a secure protocol from the certificateless public key encryption scheme due to Park et al. Compared with other comparable protocols, it achieves more security attributes, such as no key escrow, perfect forward secrecy, known session-specific temporary information security and no key control. Meanwhile, it keeps good efficiency.

1. Introduction

E-learning applications should provide a security mechanism to ensure secure communications between two parties (such as clients and servers) over an open network. A two-party authenticated key agreement (AK) protocol is a fundamental cryptographic building block for such a setting. It not only allows the parties to compute a session key known only to them, used for subsequent session data confidentiality and integrity, but also ensures the authenticity of the parties. An AK protocol provides key confirmation if one entity is assured that the partner entity possesses the secret key. A key agreement protocol that provides mutual key authentication as well as mutual key confirmation is called an authenticated key agreement protocol with key confirmation (AKC). Each AK protocol can be transformed into an AKC protocol.

978-1-4244-3930-0/09/$25.00 2009 IEEE

AK or AKC protocols may employ either private or public key cryptography. Commonly, AK or AKC protocols are designed based on various public key cryptographic primitives, such as traditional public key cryptography (PKC) [11], identity-based cryptography (ID-PKC) [12], certificateless public key cryptography (CL-PKC) [1] and certificate-based public key cryptography (CB-PKC) [13].
So far, a great many two-party AK or AKC protocols have been proposed based on PKC and ID-PKC, but CL-PKC-based authenticated key agreement protocols are seldom discussed. Most CL-PKC schemes are constructed by composing standard PKC schemes and ID-PKC schemes. Such a method eliminates the need for certificates and the management overhead that traditional PKC schemes have, as well as the key-escrow problem of a user's private key that is inherent in ID-PKC schemes. CL-PKC schemes therefore provide another way to construct secure authenticated key agreement protocols. Al-Riyami and Paterson [1] first proposed a two-party certificateless AK protocol, which requires each party to compute four bilinear pairings; such operations are computationally expensive. Later, Mandt and Tan [9] proposed a protocol of this type that relies on the difficulty of the bilinear Diffie-Hellman problem (BDH). That protocol actually admits both the key compromise impersonation attack and the known session-specific temporary information security attack [10]. Wang et al. [6] also proposed a two-party certificateless AK protocol, which cannot withstand key compromise impersonation either [10]. Shi and Li [5] proposed a certificateless two-party AK protocol based on the new key construction for the certificateless public key encryption scheme due to Libert and Quisquater [7]. It provides neither perfect forward secrecy nor known session-specific temporary information security. It was found that this protocol fails to provide implicit key authentication, by demonstrating a man-in-the-middle attack by an outside attacker [10]. Actually, this protocol is vulnerable to the key replicating attack (another form of the man-in-the-middle attack) as well. In a recent work, Wang et al. [4] presented the first certificateless AK protocol for grid computing, based on the Diffie-Hellman key agreement protocol and certificateless public key cryptography. We found that the scheme cannot withstand the key compromise impersonation attack or the key replicating attack, so it lacks some desirable security attributes. In 2007, Park et al. [2] proposed a CL-PKC encryption scheme (the PCHL-CL-PKE scheme) that is IND-sID-CPA secure without random oracles under the q-BDHI and 1-BDHI assumptions. We construct a secure certificateless two-party AK protocol based on this certificateless public key encryption scheme. It achieves almost all the known security attributes of authenticated key agreement protocols. Wang et al. [15] proposed provably secure identity-based authenticated key agreement protocols based on the ID-PKC scheme of Gentry [3]; their construction is somewhat similar to ours, but it achieves neither perfect forward secrecy nor known session-specific temporary information security. Compared with other comparable certificateless schemes, our scheme achieves more security attributes while keeping good performance.

The remainder of this paper is organized as follows. Section 2 gives the technical background. We present the new construction of the secure and efficient two-party certificateless AK protocol in Section 3. Then we analyze its security attributes and performance in Section 4. Finally, we present the conclusion.

2. Preliminaries

2.1. Desirable security attributes of AK (or AKC) protocols

It is desirable for AK and AKC protocols to possess the following security attributes [8].

1) Known-key secrecy. Each run of the protocol should result in a unique secret session key. The disclosure of one session key should not compromise other session keys.

2) Forward secrecy. If the long-term private keys of one or more of the entities are compromised, the secrecy of previously established session keys should not be affected. We say that a system has perfect forward secrecy if the long-term keys of all the entities involved may be corrupted without compromising any session key previously established by these entities.

3) PKG forward secrecy. In identity-based systems, the PKG's master key may be corrupted without compromising the security of session keys previously established by any users. It certainly implies perfect forward secrecy.

4) Key-compromise impersonation. The compromise of an entity A's long-term private key will allow an adversary to impersonate A, but it should not enable the adversary to impersonate other entities to A.

5) Unknown key-share resilience. An entity A should not be able to be coerced into sharing a key with any entity C when in fact A thinks that she is sharing the key with another entity B.

6) No key control. None of the parties involved should be able to force the final session key to be some predefined value.

7) Known session-specific temporary information security. Some random private information is used as an input of the session key generation function. The exposure of this private temporary information should not compromise the secrecy of the (other) generated session keys.

8) Message independence. The flows of a protocol run should be unrelated. Of course, this property makes the most sense in the context of an AK protocol; it is not suitable for AKC protocols.

2.2. Bilinear groups

Let $G_1$ be a cyclic additive group of prime order $q$ and $G_2$ be a cyclic multiplicative group also of prime order $q$, let $P$ be a generator of $G_1$, and assume that the discrete logarithm problem (DLP) is hard in both $G_1$ and $G_2$. An admissible pairing $e$ is a bilinear map $e : G_1 \times G_1 \to G_2$ which satisfies the following three properties:

Bilinear: for $P, Q \in G_1$ and $a, b \in Z_q^*$, we have $e(aP, bQ) = e(P, Q)^{ab}$;

Non-degenerate: $e(P, P) \neq 1$;

Computable: if $P, Q \in G_1$, one can compute $e(P, Q) \in G_2$ efficiently in polynomial time.

The Weil and the modified Tate pairings on elliptic curves can be used to construct such bilinear maps.

2.3. Computational complexity assumptions

The security of this scheme is based on some computational complexity assumptions, which are defined as follows:

Computational Diffie-Hellman assumption (CDH): for $g \in G_2$ a generator of $G_2$ and $a, b \in Z_q^*$, given $g^a$ and $g^b$, computing $g^{ab}$ is hard.

q-Bilinear Diffie-Hellman Inversion assumption (q-BDHI): given a tuple $(g, g^{\alpha}, g^{(\alpha^2)}, \ldots, g^{(\alpha^q)}) \in G_1^{q+1}$ for a random $\alpha \in Z_p^*$ as input, computing $e(g, g)^{1/\alpha} \in G_2$ is hard.

Informally, we can also say that the decision q-BDHI problem in $G_1$ refers to the problem where, given a tuple $(g, g^{\alpha}, g^{(\alpha^2)}, \ldots, g^{(\alpha^q)}, T) \in G_1^{q+1} \times G_2$ for a random $\alpha \in Z_p^*$, a polynomial-time attacker $E$ is to decide whether $T = e(g, g)^{1/\alpha}$ or $T = e(g, g)^{\gamma}$ for a random $\gamma \in Z_p^*$.

We say that the decision $(t, q, \epsilon)$-BDHI assumption holds in $G_1$ if no $t$-time algorithm has advantage at least $\epsilon$ in solving the decision $(t, q, \epsilon)$-BDHI problem in $G_1$.

2.4. Revisiting the PCHL-CL-PKE encryption scheme

In 2007, Park et al. [2] proposed a certificateless public key encryption scheme (the PCHL-CL-PKE scheme) based on the Gentry [3] ID-PKC encryption scheme in the selective-ID security model, which is provably secure against chosen plaintext attacks without random oracles under the q-BDHI and 1-BDHI assumptions. The scheme works as follows.

Let $G_1$ and $G_2$ be bilinear groups of prime order $p$, and let $e : G_1 \times G_1 \to G_2$ be the bilinear pairing.

Setup: To provide a private key generation service, the private key generator (PKG) selects a random generator $g \in G_1$ and random elements $h, u \in G_1$. It selects a random $\alpha \in Z_p^*$ and defines $g_1 = g^{\alpha} \in G_1$. The system public parameters are $\langle g, g_1, h, u \rangle$ and the master private key of the PKG is $\alpha$.

Extract-Partial-Private-Key: To generate a partial private key for the identity $ID \in Z_p$, the PKG generates a random $s_{ID} \in Z_p$ and outputs the partial private key as $d_{ID} = \langle s_{ID}, h_{ID} \rangle$, where $h_{ID} = (h g^{-s_{ID}})^{1/(\alpha - ID)}$. The PKG ensures that $ID \neq \alpha$, and it always assigns the identical $s_{ID}$ for a given identity $ID$.

Set-User-Key: The user picks a random $x_{ID} \in Z_p^*$ as a secret value; the full private key of user $ID$ is $SK_{ID} = \langle x_{ID}, s_{ID}, h_{ID} \rangle$ and the full public key is $PK_{ID} = \langle X_{ID}, Y_{ID} \rangle$, where $X_{ID} = g_{ID}^{x_{ID}} = (g_1 g^{-ID})^{x_{ID}}$ and $Y_{ID} = u^{x_{ID}}$.

Encryption: The sender picks $r \in Z_p^*$ randomly and, using the receiver's identity $ID$, sets the ciphertext to be ($m \in G_2$ is the plaintext):
$$C = (C_1, C_2, C_3) = \big(X_{ID}^{\,r},\; e(g, g)^r,\; m \cdot e(g, h)^{-r}\big).$$

Decryption: To decrypt the ciphertext $C = (C_1, C_2, C_3)$, the identity $ID$ computes $m = e(C_1^{1/x_{ID}}, h_{ID}) \cdot C_2^{s_{ID}} \cdot C_3$.

Consistency: The recipient can correctly decrypt $C$ to acquire the plaintext $m$, because
$$e(C_1^{1/x_{ID}}, h_{ID}) \cdot C_2^{s_{ID}} = e\big(g^{r(\alpha - ID)},\; h^{1/(\alpha - ID)} g^{-s_{ID}/(\alpha - ID)}\big) \cdot e(g, g)^{r s_{ID}} = e(g, h)^r.$$

3. The proposed AK scheme

We construct a new certificateless two-party AK protocol based on the PCHL-CL-PKE encryption scheme due to Park et al. [2].

Suppose two entities, called the client and the server, wish to establish a shared secret session key, and a PKG is responsible for the creation and distribution of the entities' private keys using its master private key. The protocol consists of three phases, i.e. Setup, Key Generation and Key Agreement. The Setup and Key Generation stages are identical to those of the PCHL-CL-PKE encryption scheme.

Setup. The PKG first generates the system parameters $\langle g, g_1, h, u \rangle$, its master private key $\alpha$ and its master public key $g_1 = g^{\alpha} \in G_1$. In addition, it defines a hash function $H : \{0,1\}^* \to \{0,1\}^k$ as the session key derivation function, with $k \ge 1$ and $k = |sk|$, where $sk$ is the session key of the client and the server derived from the protocol.

Key Generation. For the client with identity $ID_c$, we define its full private key as $SK_c = \langle x_c, s_c, h_c \rangle$ and its full public key as $PK_c = \langle X_c, Y_c \rangle$, where $X_c = g_c^{x_c} = (g_1 g^{-ID_c})^{x_c}$ and $Y_c = u^{x_c}$. For the server with identity $ID_s$, we define its full private key as $SK_s = \langle x_s, s_s, h_s \rangle$ and its full public key as $PK_s = \langle X_s, Y_s \rangle$. We define $g_c = g_1 g^{-ID_c}$, $g_s = g_1 g^{-ID_s}$ and $g_T = e(g, g)$.

Key Agreement. The client and the server run the following protocol to establish a shared session key $sk$ with implicit key authentication. The protocol is a 2-pass procedure; the details are as follows.

1) The client picks $r_c \in_R Z_p^*$ and computes $T_{c1} = T_{c11} \| T_{c12}$, where $T_{c11} = g_s^{r_c}$ and $T_{c12} = g_T^{r_c}$, then sends $T_{c1}$ to the server.

2) The server picks $r_s \in_R Z_p^*$ and computes $T_{s1} = T_{s11} \| T_{s12}$, where $T_{s11} = g_c^{r_s}$ and $T_{s12} = g_T^{r_s}$, then sends $T_{s1}$ to the client.

3) The client computes
$$T_{c2} = e(T_{s11}, h_c) \cdot (T_{s12})^{s_c} \cdot e(g, h)^{r_c},\quad T_{c3} = T_{s12}^{\,r_c} = e(g, g)^{r_c r_s},\quad T_{c4} = Y_s^{x_c} = u^{x_c x_s},$$
$$sk_c = H(ID_c \| ID_s \| T_{c1} \| T_{s1} \| T_{c2} \| T_{c3} \| T_{c4}).$$

4) The server computes
$$T_{s2} = e(T_{c11}, h_s) \cdot (T_{c12})^{s_s} \cdot e(g, h)^{r_s},\quad T_{s3} = T_{c12}^{\,r_s} = e(g, g)^{r_s r_c},\quad T_{s4} = Y_c^{x_s} = u^{x_s x_c},$$
$$sk_s = H(ID_c \| ID_s \| T_{c1} \| T_{s1} \| T_{s2} \| T_{s3} \| T_{s4}).$$

Correctness verification. At the end of the protocol execution, the client and the server will agree on the same session key, for
$$\begin{aligned}
T_{c2} &= e(T_{s11}, h_c) \cdot (T_{s12})^{s_c} \cdot e(g, h)^{r_c} \\
&= e\big(g_c^{r_s}, (h g^{-s_c})^{1/(\alpha - ID_c)}\big) \cdot (g_T^{r_s})^{s_c} \cdot e(g, h)^{r_c} \\
&= e\big(g^{r_s(\alpha - ID_c)}, (h g^{-s_c})^{1/(\alpha - ID_c)}\big) \cdot g_T^{r_s s_c} \cdot e(g, h)^{r_c} \\
&= e(g^{r_s}, h g^{-s_c}) \cdot g_T^{r_s s_c} \cdot e(g, h)^{r_c} \\
&= e(g^{r_s}, g^{-s_c}) \cdot e(g^{r_s}, h) \cdot e(g, g)^{r_s s_c} \cdot e(g, h)^{r_c} \\
&= e(g, h)^{r_s + r_c} \qquad (1)
\end{aligned}$$
$$\begin{aligned}
T_{s2} &= e(T_{c11}, h_s) \cdot (T_{c12})^{s_s} \cdot e(g, h)^{r_s} \\
&= e\big(g_s^{r_c}, (h g^{-s_s})^{1/(\alpha - ID_s)}\big) \cdot (g_T^{r_c})^{s_s} \cdot e(g, h)^{r_s} \\
&= e\big(g^{r_c(\alpha - ID_s)}, (h g^{-s_s})^{1/(\alpha - ID_s)}\big) \cdot g_T^{r_c s_s} \cdot e(g, h)^{r_s} \\
&= e(g^{r_c}, h g^{-s_s}) \cdot g_T^{r_c s_s} \cdot e(g, h)^{r_s} \\
&= e(g^{r_c}, g^{-s_s}) \cdot e(g^{r_c}, h) \cdot e(g, g)^{r_c s_s} \cdot e(g, h)^{r_s} \\
&= e(g, h)^{r_c + r_s} \qquad (2)
\end{aligned}$$

It is obvious that $T_{c2} = T_{s2}$ from (1) and (2). With $T_{c3} = T_{s3} = e(g, g)^{r_c r_s}$ and $T_{c4} = T_{s4} = u^{x_s x_c}$, we know $sk = sk_c = sk_s$.

No-Key Escrow. The PKG knows the long-term keys of the server and the client, so it can calculate $e(g, h)^{r_c} = e(T_{c11}, h_s) \cdot (T_{c12})^{s_s}$ as well as $e(g, h)^{r_s} = e(T_{s11}, h_c) \cdot (T_{s12})^{s_c}$, and hence the PKG can calculate $T_{c2}$ or $T_{s2}$. Since the PKG also knows the parameters $\langle \alpha, ID_c, ID_s \rangle$, it can calculate $(\alpha - ID_c)^{-1}$ from $(\alpha - ID_c)(\alpha - ID_c)^{-1} = 1 \bmod p$ and $(\alpha - ID_s)^{-1}$ from $(\alpha - ID_s)(\alpha - ID_s)^{-1} = 1 \bmod p$; then it can calculate $g^{r_s} = (T_{s11})^{(\alpha - ID_c)^{-1}}$ and $g^{r_c} = (T_{c11})^{(\alpha - ID_s)^{-1}}$, so $T_{c3} = T_{s3} = e(g, g)^{r_c r_s} = e(g^{r_c}, g^{r_s})$ can be calculated. But $T_{c4}$ and $T_{s4}$ are calculated with the private keys of the client and the server, which were generated by themselves separately, so the PKG cannot obtain them. This means that the PKG cannot calculate the final session key $sk_c$ or $sk_s$, i.e., the PKG is unable to recover the session keys established by its users.

4. Security and efficiency

4.1. Security attributes

We analyze the proposed protocol according to the desirable security attributes for an authenticated key agreement protocol. The analysis shows that the scheme achieves almost all of the known desirable security attributes. Moreover, it can withstand some known attacks such as the key replicating attack and the public key replacement attack.
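As an added example (not code from this paper or from Park et al.), the following Python simulation checks the algebra behind the correctness verification of Section 3 and the no-key escrow argument: it stores every $G_1$ element as its discrete log base $g$ and every $G_2$ element as its log base $g_T$, so the pairing becomes exponent multiplication and the whole derivation can be executed numerically. The sign convention $h_{ID} = (h g^{-s_{ID}})^{1/(\alpha - ID)}$ is taken from Gentry's scheme and is an assumption; the group order, the identities and SHA-256 as $H$ are constructed choices, and this is a check of the derivation, not a pairing implementation.

```python
import hashlib
import secrets

# Toy prime group order, constructed for this simulation (not from the paper).
P = 2**127 - 1

def inv(a):
    return pow(a % P, -1, P)

def pair(a, b):
    # e(g^a, g^b) = g_T^{ab}: in the log representation the pairing multiplies exponents.
    return a * b % P

class PKG:
    """Setup and Extract-Partial-Private-Key of PCHL-CL-PKE, elements kept as logs base g."""
    def __init__(self):
        self.h = secrets.randbelow(P - 1) + 1      # log_g(h)
        self.u = secrets.randbelow(P - 1) + 1      # log_g(u)
        self.alpha = secrets.randbelow(P - 1) + 1  # master private key alpha
        self._s = {}                               # s_ID must be identical per identity

    def params(self):
        return {"g1": self.alpha, "h": self.h, "u": self.u}   # g1 = g^alpha

    def extract(self, ID):
        assert ID % P != self.alpha
        s = self._s.setdefault(ID, secrets.randbelow(P))
        # h_ID = (h * g^{-s_ID})^{1/(alpha - ID)}  (Gentry's sign convention, assumed here)
        return s, (self.h - s) * inv(self.alpha - ID) % P

def g_id(params, ID):
    return (params["g1"] - ID) % P   # g_ID = g1 * g^{-ID} = g^{alpha - ID}

def set_user_key(params, ID, s, h_ID):
    x = secrets.randbelow(P - 1) + 1                  # the user's own secret value x_ID
    return {"ID": ID, "x": x, "s": s, "h": h_ID,
            "X": g_id(params, ID) * x % P,            # X_ID = g_ID^{x_ID}
            "Y": params["u"] * x % P}                 # Y_ID = u^{x_ID}

def first_flow(params, r, peer_ID):
    # T_11 = g_peer^{r} (an element of G1) and T_12 = g_T^{r} (an element of G2)
    return (g_id(params, peer_ID) * r % P, r % P)

def derive(params, me, peer_ID, peer_Y, r, T_mine, T_peer, initiator):
    T11, T12 = T_peer
    T2 = (pair(T11, me["h"]) + me["s"] * T12 + params["h"] * r) % P  # e(T11,h_me)*T12^s*e(g,h)^r
    T3 = T12 * r % P               # T12^{r} = e(g,g)^{r_c r_s}
    T4 = peer_Y * me["x"] % P      # Y_peer^{x_me} = u^{x_c x_s}
    Tc1, Ts1 = (T_mine, T_peer) if initiator else (T_peer, T_mine)
    ids = (me["ID"], peer_ID) if initiator else (peer_ID, me["ID"])
    material = b"".join(v.to_bytes(16, "big") for v in (*ids, *Tc1, *Ts1, T2, T3, T4))
    return hashlib.sha256(material).digest(), T2, T3, T4   # sk = H(ID_c||ID_s||T_c1||T_s1||T2||T3||T4)

def run_protocol():
    pkg = PKG()
    params = pkg.params()
    client = set_user_key(params, 1001, *pkg.extract(1001))   # identities are constructed values
    server = set_user_key(params, 2002, *pkg.extract(2002))
    rc, rs = secrets.randbelow(P - 1) + 1, secrets.randbelow(P - 1) + 1
    Tc1 = first_flow(params, rc, server["ID"])   # pass 1: client -> server
    Ts1 = first_flow(params, rs, client["ID"])   # pass 2: server -> client
    skc, Tc2, Tc3, Tc4 = derive(params, client, server["ID"], server["Y"], rc, Tc1, Ts1, True)
    sks, Ts2, Ts3, Ts4 = derive(params, server, client["ID"], client["Y"], rs, Ts1, Tc1, False)
    # No-key escrow argument: from the transcript, alpha and both partial keys the PKG gets T2 ...
    pkg_T2 = (pair(Tc1[0], server["h"]) + server["s"] * Tc1[1]          # = e(g,h)^{r_c}
              + pair(Ts1[0], client["h"]) + client["s"] * Ts1[1]) % P   # + e(g,h)^{r_s}
    g_rs = Ts1[0] * inv(pkg.alpha - client["ID"]) % P   # (T_s11)^{(alpha - ID_c)^{-1}} = g^{r_s}
    g_rc = Tc1[0] * inv(pkg.alpha - server["ID"]) % P   # (T_c11)^{(alpha - ID_s)^{-1}} = g^{r_c}
    pkg_T3 = pair(g_rc, g_rs)                           # ... and T3 = e(g^{r_c}, g^{r_s}),
    # but T4 = u^{x_c x_s} needs a user-chosen x, which never reaches the PKG.
    return {"skc": skc, "sks": sks, "Tc2": Tc2, "Ts2": Ts2, "Tc3": Tc3, "Ts3": Ts3,
            "Tc4": Tc4, "Ts4": Ts4, "pkg_T2": pkg_T2, "pkg_T3": pkg_T3}
```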
1) Known-key secrecy. In this scheme, $r_c \in Z_q^*$ and $r_s \in Z_q^*$ are ephemeral private keys randomly chosen by the client and the server respectively. Even when its participants remain the same, all protocol runs will produce different session keys. The key replicating attack can be viewed as a violation of known-key secrecy; we discuss it under no key control below.

2) Forward secrecy. This scheme achieves perfect forward secrecy. Although an adversary armed with both entities' full long-term private keys can compute $T_{c2}$, $T_{s2}$, $T_{c4}$ and $T_{s4}$, it cannot compute $T_{c3}$ or $T_{s3}$, since calculating $T_{c3}$ or $T_{s3}$ is a CDH problem.

3) PKG forward secrecy. No key escrow is an inherent attribute of CL-PKC-based schemes. Compromise of the PKG's master private key does not enable an adversary (including the PKG) to reveal previously established session keys. In this scheme, although the adversary may generate partial private keys, in order to compute an established session key both the short-term private key and the long-term private key of a party involved in the session must be obtained.

4) Key-compromise impersonation. The proposed protocol is resistant to key-compromise impersonation. If an adversary armed with the private key of the client wants to impersonate the server to the client, then although the adversary can replace the public key of the server to force $T_{c3} = T_{s3}$ and $T_{c4} = T_{s4}$, it cannot compute $T_{c2}$ or $T_{s2}$ without knowing the server's private key.

5) Unknown key-share resilience. Suppose an adversary $E$ attempts to make the client believe a session key is shared with the server, while the server instead believes the key is shared with $E$. For $E$ to launch this attack successfully, it should force the client and the server to share the same secret. However, the client and the server can never share the same key, because both parties use the identifier of the intended peer in computing the session key.

6) No key control. Since randomly selected short-term keys are used in generating session keys by the two parties separately, neither party can decide the final session key. In practice, it is difficult to achieve perfect no key control, since it is necessary for one party to initiate the protocol run and choose its ephemeral key first, so the responding party has the ability to estimate some of the bits of the session key through different choices of ephemeral keys. This deficiency exists in all interactive key agreement protocols [14].

The key replicating attack is one form of man-in-the-middle attack which affects the no key control security attribute [8]. In this scheme, any modification to the exchanged messages will lead to different session keys on the two sides. An outside adversary may mount a key replicating attack by replacing $T_{c1}$ and $T_{s1}$ with $T'_{c1} = T_{c1}^{\,k}$ and $T'_{s1} = T_{s1}^{\,k}$ for some $k$ to force $T_{c3} = T_{s3}$, but this will lead to $T_{c2} \neq T_{s2}$.

7) Known session-specific temporary information security. Compromising the short-term private keys of a session does not reveal the established key. In this scheme, obtaining the keys $r_c$ and $r_s$ of any session between the client and the server allows the adversary to compute $T_{c2}$ (or $T_{s2}$) and $T_{c3}$ (or $T_{s3}$), but not $T_{c4}$ (or $T_{s4}$), so the scheme achieves this security attribute.

8) Message independence. As an AK protocol, the flows of this scheme are unrelated, because $r_c$ and $r_s$ are selected by the client and the server independently.

Another problem that should be considered is the public key replacement attack. With the security assurance of the underlying certificateless public key encryption scheme, the public key replacement attack cannot work.
The comparisons of security attributes with other certificateless AK protocols [1,4,5,6,9] and the identity-based AK protocol [15] are listed in Table 1 (Note. PFS: perfect forward secrecy; KCI-R: key-compromise impersonation; UKS-R: unknown key-share resilience; KSSTIS: known session-specific temporary information security; KRA-R: key replicating attack resilience).

4.2. Efficiency

The efficiency of key agreement protocols is essentially measured by the computational and communication overhead. Communication overhead refers to the number of bits transmitted by each entity in a protocol run, while computational overhead refers to the cost of all arithmetic computations each entity must perform in order to carry out the key agreement. There are some schemes [1, 4, 5, 6, 9] which are based on certificateless public key encryption schemes; we give the performance comparisons in Table 2 (only the on-line operations are considered).

Table 1. Security attributes comparisons
Protocols compared: Scheme [1], Scheme [4], Scheme [5]*, Scheme [6], Scheme [9], Scheme [15], New scheme
Security attributes compared: PFS, KCI-R, UKS-R, KSSTIS, KRA-R
[The per-scheme marks of this table are not recoverable from the source text.]

Table 2. Efficiency comparisons (computational operations)
Protocol        Pairing   Scalable multiplication   Exponentiation
Scheme [1]         4                 2                    1
Scheme [4]         1                 3                    0
Scheme [5]         1                 2                    1
Scheme [6]         2                 2                    1
Scheme [9]         2                 3                    1
Scheme [15]        1                 0                    4
New scheme         1                 0                    6
Note. Pairing and scalable multiplication operation costs are much higher than exponentiation operations.

5. Conclusion

In this paper, we presented a secure and efficient two-party authenticated key agreement protocol based on a secure certificateless encryption scheme, which can be properly used in the client-server e-learning setting to ensure secure communication. Security analysis shows that it achieves perfect forward secrecy, PKG forward secrecy and almost all the other known security attributes, such as known-key secrecy, key-compromise impersonation resilience, unknown key-share resilience, known session-specific temporary information security, message independence and no key control. Compared with other comparable schemes, it is more secure and has good efficiency.

Acknowledgment

This work was supported by the National Natural Science Foundation of China (No. 60873232) and by the Natural Science Foundation of Shandong Province, China (No. Y2007G37).

References

[1] S.S. Al-Riyami and K.G. Paterson, Certificateless Public Key Cryptography, in C.S. Laih (ed.), Advances in Cryptology - ASIACRYPT 2003, Lecture Notes in Computer Science, Vol. 2894, Springer, Berlin/Heidelberg, 2003, pp. 452-473.
[2] J.H. Park, K.Y. Choi, J.Y. Hwang, and D.H. Lee, Certificateless Public Key Encryption in the Selective-ID Security Model (without random oracles), in T. Takagi et al. (eds.), Pairing 2007, Lecture Notes in Computer Science, Vol. 4575, Springer, Berlin/Heidelberg, 2007, pp. 60-82.
[3] C. Gentry, Practical Identity-based Encryption without Random Oracles, Proc. of EUROCRYPT 2006, Lecture Notes in Computer Science, Vol. 4004, Springer-Verlag, Berlin, 2006, pp. 445-464.
[4] S.B. Wang, Z.F. Cao and H.Y. Bao, Efficient Certificateless Authentication and Key Agreement (CL-AK) for Grid Computing, International Journal of Network Security, Vol. 7(3), 2008, pp. 342-347.
[5] Y.J. Shi and J.H. Li, Two-party Authenticated Key Agreement in Certificateless Public Key Cryptography, Wuhan University Journal of Natural Sciences, Vol. 12(1), 2007, pp. 71-74.
[6] S.B. Wang, Z.F. Cao and L.C. Wang, Efficient Certificateless Authenticated Key Agreement Protocol from Pairings, Wuhan University Journal of Natural Sciences, Vol. 11(5), 2006, pp. 1278-1282.
[7] B. Libert and J.-J. Quisquater, On Constructing Certificateless Cryptosystems from Identity Based Encryption, Lecture Notes in Computer Science, Vol. 3958, Springer, Berlin/Heidelberg, 2006, pp. 474-490.
[8] S. Blake-Wilson, D. Johnson and A. Menezes, Key Agreement Protocols and Their Security Analysis, in 6th IMA International Conference on Cryptography and Coding, Lecture Notes in Computer Science, Vol. 1355, Springer-Verlag, 1997, pp. 30-45.
[9] T.K. Mandt and C.H. Tan, Certificateless Authenticated Two-party Key Agreement Protocols, in Advances in Computer Science - ASIAN 2006, Secure Software and Related Issues, Lecture Notes in Computer Science, Vol. 4435, Springer, Berlin/Heidelberg, 2008, pp. 37-44.
[10] C.M. Swanson, Security in Key Agreement: Two-party Certificateless Schemes, Master's thesis, University of Waterloo, Canada, 2008.
[11] C. Adams and S. Farrell, Internet X.509 Public Key Infrastructure: Certificate Management Protocols, work in progress, 2004.
[12] A. Shamir, Identity-based Cryptosystems and Signature Schemes, in CRYPTO 84, Lecture Notes in Computer Science, Vol. 196, Springer-Verlag, Berlin, 1984, pp. 47-53.
[13] C. Gentry, Certificate-based Encryption and the Certificate Revocation Problem, in EUROCRYPT 2003, Lecture Notes in Computer Science, Vol. 2656, Springer-Verlag, Berlin, 2003, pp. 272-293.
[14] C.J. Mitchell, M. Ward and P. Wilson, Key Control in Key Agreement Protocols, Electronics Letters 34, 1998, pp. 980-981.
[15] S.B. Wang, Z.F. Cao and X.L. Dong, Provably Secure Identity-based Authenticated Key Agreement Protocols in the Standard Model, Chinese Journal of Computers, Vol. 30(10), 2007, pp. 1842-1854.


