On the Relations Between Diffie-Hellman and ID-Based Key Agreement from Pairings
This paper studies the relationships between the traditional Diffie-Hellman key agreement protocol and the identity-based (ID-based) key agreement protocol from pairings. For the Sakai-Ohgishi-Kasahara (SOK) ID-based key construction, we show that, just like the Diffie-Hellman protocol, the SOK key agreement protocol has three variants, namely ephemeral, semi-static and static versions. Upon this, we build solid relations between authenticated Diffie-Hellman (Auth-DH) protocols and ID-based authenticated key agreement (IB-AK) protocols, whereby we present two substitution rules for these two types of protocols. The rules enable a conversion between the two types of protocols. In particular, we obtain the real ID-based version of the well-known MQV (and HMQV) protocol. Similarly, for the Sakai-Kasahara (SK) key construction, we show that the key transport protocol underlying the SK ID-based encryption scheme (which we call the “SK protocol”) has its non-ID counterpart, namely the Hughes protocol. Based on this observation, we establish relations between corresponding ID-based and non-ID-based protocols. In particular, we propose a highly enhanced version of the McCullagh-Barreto protocol.
💡 Research Summary
The paper investigates the deep structural connections between the classic Diffie‑Hellman (DH) key‑agreement protocols and identity‑based (ID‑based) key‑agreement protocols that are built on bilinear pairings. The authors begin by classifying the traditional DH protocol into three variants—ephemeral, semi‑static, and static—according to the lifetime of the private exponents used by the participants. They then turn to the Sakai‑Ohgishi‑Kasahara (SOK) ID‑based construction, which derives a user’s private key as $d_{ID} = s \cdot Q_{ID}$ from a master secret $s$ and a hash of the user’s identifier $Q_{ID} = H(ID)$. By replacing the group exponentiation in DH with pairing‑based exponentiation, they show that the SOK construction also admits three analogous variants: SOK‑ephemeral, SOK‑semi‑static, and SOK‑static. Each of these mirrors the corresponding DH variant in both the mathematical form of the shared secret and the security properties (forward secrecy, resistance to key‑compromise impersonation, etc.).
The core contribution of the work is the formulation of two “substitution rules” that systematically translate a non‑ID‑based DH protocol into an ID‑based counterpart. Rule 1 maps every DH public value $g^{a}$ (or $g^{b}$) to the pairing expression $e(P,Q)^{a}$ (or $e(P,Q)^{b}$), and the DH shared secret $g^{ab}$ to $e(P,Q)^{ab}$. Rule 2 replaces the authentication mechanisms of DH (such as the public‑key signatures used in MQV) with ID‑based signature and verification primitives that operate on the same pairing groups. By applying these rules, the authors derive a genuine ID‑based version of the well‑known MQV and its streamlined variant HMQV. In the resulting protocols, the master secret and the participants’ identifiers are sufficient to achieve both mutual authentication and key agreement, eliminating the need for separate public‑key certificates.
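The SOK key extraction and the exponentiation-to-pairing correspondence described above, as an added example that is not code from the paper: the "pairing" is a toy bilinear map over integers modulo a small prime (a scalar $x$ stands for the point $xP$ and $e(x,y) = G^{xy}$), which has the bilinearity the derivation needs but none of the security of a real elliptic-curve pairing, and all parameters, identities and the master secret are constructed values.

```python
import hashlib

# Constructed toy parameters (far too small to be secure): p is a safe prime,
# r = (p-1)/2 its prime factor, G generates the order-r subgroup of Z_p^*.
# A "point" is modelled as a scalar x in Z_r standing for x*P, and the toy
# pairing is e(x, y) = G^(x*y) mod p, which is bilinear: e(a*x, y) =
# e(x, a*y) = e(x, y)^a.  That property alone drives the SOK key agreement.
p, r, G = 2039, 1019, 4
assert pow(G, r, p) == 1  # sanity check: G really has order r


def pairing(x: int, y: int) -> int:
    """Toy bilinear map e(xP, yQ) = e(P, Q)^(xy), with e(P, Q) = G."""
    return pow(G, (x * y) % r, p)


def hash_to_point(identity: str) -> int:
    """Q_ID = H(ID): hash the identifier to a non-zero scalar in Z_r."""
    h = int.from_bytes(hashlib.sha256(identity.encode()).digest(), "big")
    return h % (r - 1) + 1


def dh_static_key(a: int, b: int) -> int:
    """Static DH for comparison: long-term exponents a, b give K = g^(ab)."""
    return pow(G, (a * b) % r, p)


def sok_extract(s: int, identity: str) -> int:
    """KGC issues the private key d_ID = s * Q_ID from the master secret s."""
    return (s * hash_to_point(identity)) % r


def sok_static_key(d_own: int, peer_identity: str) -> int:
    """Static SOK: K = e(d_own, Q_peer); bilinearity makes both sides agree."""
    return pairing(d_own, hash_to_point(peer_identity))


def demo(s: int = 777):
    """Alice and Bob derive the SOK key; the third value is the same key
    written as an exponentiation of a pairing value, e(Q_A, Q_B)^s."""
    alice, bob = "alice@example.org", "bob@example.org"
    k_alice = sok_static_key(sok_extract(s, alice), bob)
    k_bob = sok_static_key(sok_extract(s, bob), alice)
    k_as_exponent = pow(pairing(hash_to_point(alice), hash_to_point(bob)), s, p)
    return k_alice, k_bob, k_as_exponent


if __name__ == "__main__":
    print(demo())
```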
The paper then examines the Sakai‑Kasahara (SK) key construction, which underlies the SK‑based ID‑based encryption scheme. The authors observe that the key‑transport protocol inherent to SK is structurally identical to the Hughes protocol, a classic DH‑based key‑transport scheme. This observation allows them to map the security arguments and efficiency optimizations from Hughes directly onto the SK setting. Leveraging this equivalence, they propose an enhanced version of the McCullagh‑Barreto protocol. The new protocol improves authentication strength (providing stronger protection against man‑in‑the‑middle attacks), reduces the number of communication rounds required for key confirmation, and incorporates recent pairing‑computation optimizations to lower overall computational cost.
Overall, the paper establishes a rigorous bridge between authenticated DH protocols and their ID‑based analogues. By formalizing the substitution rules, it enables designers to reuse existing DH security proofs and performance analyses when constructing ID‑based key‑agreement schemes. The derived ID‑based MQV/HMQV protocols and the strengthened McCullagh‑Barreto variant demonstrate the practical impact of this methodology, offering concrete, efficiently implementable solutions for environments where certificate‑based PKI is undesirable or infeasible. The work thus contributes both theoretical insight—clarifying the algebraic correspondence between exponentiation‑based and pairing‑based constructions—and practical tools for building robust, certificate‑free key‑agreement protocols.