An Efficient Bilinear Pairing-Free Certificateless Two-Party Authenticated Key Agreement Protocol in the eCK Model

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the [Original Paper Viewer] below or the Original ArXiv Source.

Recent work on certificateless authenticated key agreement has focused on protocols that avoid bilinear pairings. These protocols, however, still carry a substantial computational cost, so reducing the number of scalar multiplications over the elliptic-curve group in pairing-free protocols matters. This paper proposes a new bilinear pairing-free certificateless two-party authenticated key agreement protocol that is more efficient than related work and comes with a security proof in the random oracle model.


💡 Research Summary

The paper presents a new certificateless two‑party authenticated key agreement (CTAKA) protocol that eliminates bilinear pairings and dramatically reduces the number of elliptic‑curve scalar multiplications required for each session. The authors begin by reviewing the state of the art: most certificateless key agreement schemes rely on bilinear pairings, which are roughly twenty times more expensive than a scalar multiplication on an elliptic curve. Even the recent pairing‑free protocols (e.g., those by Yang et al. and He et al.) still need five to nine scalar multiplications per session, which is too heavy for resource‑constrained devices such as smartphones or IoT nodes.

The paper’s contribution is threefold. First, it defines a concrete system setup: a master secret s and public key P_pub = s·P are generated by a Key Generation Center (KGC); two cryptographic hash functions H1 and H2 are modeled as random oracles. Each user obtains a partial private key from the KGC (derived from the user’s identity) and independently chooses a secret value x_ID. The full private key is the pair (partial key, x_ID) and the public key is x_ID·P. This construction preserves the certificateless property: the KGC never learns the user’s secret value, which eliminates key escrow.

In the key‑agreement phase, each participant selects an ephemeral secret r (r_A or r_B), computes the corresponding point R = r·P, and exchanges (ID, R) with the peer. Both parties then compute two shared intermediate values using their own private key, the peer’s public key, and the received R value. The final session key is derived by hashing the identities, the two R points, and the two intermediate values with H2. The protocol requires only four scalar multiplications (two for generating the R points, two for the intermediate values) and a handful of hash evaluations, making it substantially lighter than prior work.
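As an added illustration (not code from the paper or its authors), the setup and key-agreement structure described in the two paragraphs above, run over secp256k1 in pure Python. The summary gives no concrete formulas for the partial private key or the two intermediate values, so the Schnorr-style extraction, the two combination terms K1 and K2, the hash encodings and the identities "alice"/"bob" are assumptions chosen so that both sides derive the same key; they are not the paper's scheme and carry no eCK security claim.

```python
import hashlib, secrets

P = 2**256 - 2**32 - 977  # secp256k1 (a real curve); the protocol formulas below are assumed
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(A, B):  # affine addition on y^2 = x^3 + 7 mod P; None is the point at infinity
    if A is None: return B
    if B is None: return A
    if A[0] == B[0] and (A[1] + B[1]) % P == 0: return None
    lam = (3 * A[0] * A[0] * pow(2 * A[1], -1, P) if A == B
           else (B[1] - A[1]) * pow(B[0] - A[0], -1, P)) % P
    x = (lam * lam - A[0] - B[0]) % P
    return (x, (lam * (A[0] - x) - A[1]) % P)

def mul(k, Q):  # double-and-add scalar multiplication: the operation the paper counts
    R = None
    for bit in bin(k % N)[2:]:
        R = add(R, R)
        if bit == "1": R = add(R, Q)
    return R

def H(tag, *items):  # random-oracle stand-in for H1 (tag "h1") and H2 (tag "h2")
    data = tag.encode() + b"|".join(repr(i).encode() for i in items)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N
rnd = lambda: secrets.randbelow(N - 1) + 1

def user_keys(s, ident):
    """Assumed Schnorr-style partial key (d, T) with d*G == T + H1(ID,T)*P_pub, plus a
    self-chosen x the KGC never sees (no escrow). Returns (private, public)."""
    t, x = rnd(), rnd()
    T = mul(t, G)
    d = (t + s * H("h1", ident, T)) % N
    return {"d": d, "x": x}, {"id": ident, "T": T, "X": mul(x, G)}

def session_key(priv, peer, ppub, r, R_peer, transcript):
    """Two intermediate values (one scalar multiplication each), then H2 over the transcript."""
    Q_peer = add(peer["T"], mul(H("h1", peer["id"], peer["T"]), ppub))  # equals d_peer*G
    K1 = mul((priv["x"] + r) % N, add(peer["X"], R_peer))  # (x_A+r_A)(x_B+r_B)*G
    K2 = mul((priv["d"] + r) % N, add(Q_peer, R_peer))     # (d_A+r_A)(d_B+r_B)*G
    return H("h2", *transcript, K1, K2)

def run_session():  # KGC setup, registration of A and B, one (ID, R) exchange each way
    s = rnd(); ppub = mul(s, G)                            # master secret s and P_pub = s*P
    privA, pubA = user_keys(s, "alice"); privB, pubB = user_keys(s, "bob")
    rA, rB = rnd(), rnd()                                  # ephemeral secrets r_A, r_B
    RA, RB = mul(rA, G), mul(rB, G)                        # sent as (ID_A, R_A) and (ID_B, R_B)
    tr = (pubA["id"], pubB["id"], RA, RB)                  # identities and both R points
    return (session_key(privA, pubB, ppub, rA, RB, tr), session_key(privB, pubA, ppub, rB, RA, tr))
```

Each party performs one scalar multiplication for its R point and one for each intermediate value; the multiplication that reconstructs Q_peer from the peer's (T, P_pub) is the extra cost of certificateless public-key validation and could be cached per peer.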

Security is proved in the extended Canetti‑Krawczyk (eCK) model, which captures strong properties such as key‑compromise impersonation (KCI) resistance, weak perfect forward secrecy (wPFS), resilience to disclosure of ephemeral secrets, and KGC forward secrecy. The authors adopt the random‑oracle model and base the reduction on the Gap Diffie‑Hellman (GDH) problem. They construct simulators for both type‑1 (outside) and type‑2 (inside) adversaries. If an adversary could distinguish the real session key from random with non‑negligible advantage, the simulator would solve GDH, contradicting the hardness assumption. The proof explicitly handles all eCK queries, including reveal of partial keys, replacement of public keys (type‑1 only), and session‑key reveal, while maintaining freshness conditions.

Performance evaluation compares the new protocol against pairing‑based CTAKA schemes and the existing pairing‑free schemes. The pairing‑based protocols incur the high cost of pairings; the prior pairing‑free schemes need 5–9 scalar multiplications. The proposed protocol’s 4 scalar multiplications represent a 30–45 % reduction in computational effort, while preserving the same two‑round communication pattern. Message sizes are also smaller because no pairing‑related parameters are transmitted.

In conclusion, the authors deliver a pairing‑free certificateless key agreement protocol that is provably secure in the strongest eCK model and is markedly more efficient than existing alternatives. The work is particularly relevant for environments where computational resources and bandwidth are limited. Future directions suggested include extending the design to multi‑party settings, investigating post‑quantum adaptations, and implementing the scheme on real embedded platforms to validate the theoretical gains.

