
WO2000052876A1 - A novel key-agreement system and method - Google Patents

Fri Sep 08 2000

A NOVEL KEY-AGREEMENT SYSTEM AND METHOD

Field of The Invention

The present invention relates to systems and methods for efficiently generating a secret key joint to two communicating parties, based on operations over a finite group of points in which the discrete logarithm applies, and to its use.

Background of the Invention

A 'key agreement system' refers to a situation in which two users exchange public (non-secret) values, over an unprotected communication channel, for the purpose of eventually possessing a joint key, termed 'session key', such that both users have a session key of the same value, without any other party who listens to the exchanged information being able to generate the same session key.

The generation of joint session keys is important in a variety of applications, particularly for protecting information transmitted over communication channels.

A fundamental key-agreement system was proposed in [W. Diffie and M. E. Hellman, "New directions in cryptography", IEEE Transactions on Information Theory, IT-22, pp. 644-654, 1976]. This system, hereinafter referred to as the DH key-agreement system and which is well known to persons skilled in the art, concerns the generation of a session key by operating over a finite group of points in which the discrete logarithm applies. The notation x*G means a general exponentiation operation over said finite group of points, where the group-point G is exponentiated to the power x. Also, it is computationally infeasible to recover said x from the given group-points G and Y = x*G.

In said DH key-agreement system, two users, Userk and Userj, respectively have as private keys the scalars sk and sj and their public keys are the group-points Yk = sk*G and Yj = sj*G, where G is an agreed generating element of said group. A session key K joint to said two users is then generated by exchanging said public keys. Said Userk generates said K by applying a generation method which involves calculating sk*Yj. Said Userj generates the said same K by calculating sj*Yk.

In a system hereinafter referred to as "fixed-key-agreement system", two specific users always generate the same session key whenever they wish to carry out such a process involving the generation of a key. Said DH key-agreement system is a fixed-key-agreement system.

No authentication is provided in said DH key agreement system. That is, a communicating party is not assured of the identity of his counterpart. Authenticity proof is provided by the existence of a CA (Certifying Authority) that issues a signature which witnesses the association between a user's public key and said user's identification details representatives. Said signature is termed 'certificate' and is owned and submitted by said user whenever he submits his public key.

When operating over a finite group of points in which the discrete logarithm problem applies, all signature generation and verification processes involve a DSS process or the like [National Institute of Standards and Technology, Digital Signature Standard (DSS), Federal Register, pp. 42919-43546, August 30, 1991]. This process needs one exponentiation operation for signature generation and two exponentiation operations for signature verification. This means that such fixed-key-agreement system involves two exponentiation operations for certificate verification, and one exponentiation for generating the key K. Altogether, said fixed-key-agreement system involves three exponentiations. This is in addition to the need to store and submit an explicit certificate.

In a system hereinafter referred to as "ephemeral-key-agreement system", two users generate a different session key whenever they wish to carry out such a process involving the generation of a key, based on a random scalar value generated by each user. An ephemeral-key-agreement system can be based on extending said DH key-agreement system, where said Userk and Userj respectively generate random scalar values rk and rj, and ephemeral non-secret keys EVk = rk*G and EVj = rj*G. Each of said users then signs his ephemeral key using a digital signature procedure. The public key of each party is the public key needed for verifying that party's signature, where said public key is further certified by a certificate.

This means that said ephemeral-key-agreement system involves the following exponentiation operations (based on DSS-like certification):

1. Generation of an ephemeral group-point (a single exponentiation);

2. Generation of a signature on said ephemeral group-point (a single exponentiation); (The above two values are sent to the other user, together with the sender's public key, his identification details representatives and a certificate.)

3. DSS verification of the certificate (two exponentiations);

4. DSS verification of said signature on the ephemeral group-point (two exponentiations);

(Operations 3-4 are performed on data received from the sender.)

5. Generation of the session key (a single exponentiation).

The execution of said ephemeral-key-agreement system therefore involves seven exponentiations and the storage and submission of an explicit certificate.

An ephemeral-key-agreement system can further be based on the MQV system [L. Law, A. Menezes, M. Qu, J. Solinas and S. Vanstone, "An Efficient Protocol for Authenticated Key-agreement", Technical Report CORR 98-05, Dept. of C&O, University of Waterloo, Canada, March 1998]. As with said DH key-agreement system, the MQV system also requires that the public key of each party be sent to the other party together with a certificate. If the signature generation and verification operations relevant to this system are based on the DSS, an MQV-based ephemeral-key-agreement system involves the following exponentiation operations:

1. Generation of an ephemeral group-point (a single exponentiation);

2. DSS verification of the certificate (two exponentiations);

3. The generation of the ephemeral key (two exponentiations).

The execution of said ephemeral-key-agreement system therefore involves five exponentiations.

Thus, the art has so far failed to provide means by which key-agreements can be effectively implemented by saving the exponentiations associated with the explicit certificate verification of users' public keys. Saving exponentiations has an important result: it permits the use of simpler and less expensive hardware for carrying out the desired process.

It is therefore an object of the present invention to provide a method by which key agreements can be carried out with high efficiency, with a reduced number of exponentiations.

It is another object of the invention to provide an improved method for carrying out the key issuing process needed in order to be able to effect the key-agreement process.

Other objects of the invention will become apparent as the description proceeds.

SUMMARY OF THE INVENTION

In accordance with one preferred embodiment of the invention there is provided a method for effecting a key issuing process over a finite group of points in which the discrete logarithm problem applies, wherein a first member (Userj) and a second member (Userk) of a plurality of users who use the services of a Certifying Authority (CA) are provided with personal keys in collaboration with said Certifying Authority, wherein said Certifying Authority provides said first member (Userj) with a first member's public key (PUj), which is a group-point, and a first member's private key (sj), which is a scalar, and a generating group-point (G) and the Certifying authority public key (PS), which is a group-point, and wherein said Certifying Authority provides said second member (Userk) with a second member's public key (PUk), which is a group-point, and a second member's private key (sk), which is a scalar, and said generating group-point (G) and said Certifying authority public key (PS), comprising the steps of:

(1) permitting said first member to generate a first member's private group-point (PRj) by multiplying said first member's private key by said Certifying authority public key (PRj = sj*PS);

(2) permitting said second member to generate a second member's private group-point (PRk) by multiplying said second member's private key by said Certifying authority public key (PRk = sk*PS).

In another preferred embodiment of the invention there is provided a method for carrying out a fixed-key-agreement process over a finite group of points in which the discrete logarithm problem applies wherein a first member (Userj) and a second member (Userk) of a plurality of users, as hereinbefore defined, generate a joint session key, comprising:

(1) providing means for sending the first member's identification details representatives (IDj) and the first member's public key (PUj) from said first member to said second member;

(2) providing means for sending the second member's identification details representatives (IDk) and the second member's public key (PUk) from said second member to said first member;

(3) providing means for permitting said first member to calculate a first secret key (Kj) wherein:

- a first scalar value (sj*H(IDk,PUk)) is calculated by operating with the hash transformation (H) on said second member's identification details representatives (IDk) and said second member's public key (PUk) and multiplying the result by the first member's private key (sj) and reducing the obtained result modulo the order of said generating group-point;

- a first group-point value ([sj*H(IDk,PUk)]*PUk) is calculated by multiplying said first scalar value by said second member's public key (PUk);

- said first secret key (Kj) is obtained by adding said first group-point value and the first member's private group-point (Kj = [sj*H(IDk,PUk)]*PUk + PRj);

- said operations being defined based on the characteristics of said finite group of points;

(4) providing means for permitting said second member to calculate a second secret key (Kk) wherein:

- a second scalar value (sk*H(IDj,PUj)) is calculated by operating with said hash transformation (H) on said first member's identification details representatives (IDj) and said first member's public key (PUj) and multiplying the result by the second member's private key (sk) and reducing the obtained result modulo the order of said generating group-point;

- a second group-point value ([sk*H(IDj,PUj)]*PUj) is calculated by multiplying said second scalar value by said first member's public key (PUj);

- said second secret key (Kk) is obtained by adding said second group-point value and the second member's private group-point (Kk = [sk*H(IDj,PUj)]*PUj + PRk);

- said operations being defined based on the characteristics of said finite group of points;

whereby said first and second members use said first and second secret keys respectively as the secret key joint to the two of them.

According to yet another preferred embodiment of the invention there is provided a method for carrying out an ephemeral-key-agreement process over a finite group of points in which the discrete logarithm problem applies wherein a first member (Userj) and a second member (Userk) of a plurality of users, as hereinbefore defined, generate a joint ephemeral session key, the system comprising:

(1) providing means for permitting said first member (Userj) to generate a first member's random parameter (rj) and calculate a first member's ephemeral group-point (EVj) by multiplying said first member's random parameter by the generating group-point (EVj = rj*G);

(2) providing means for permitting said second member (Userk) to generate a second member's random parameter (rk) and calculate a second member's ephemeral group-point (EVk) by multiplying said second member's random parameter by said generating group-point (EVk = rk*G);

(3) providing means for sending the first member's identification details representatives (IDj) and the first member's public key (PUj) and said first member's ephemeral group-point (EVj) from said first member to said second member;

(4) providing means for sending the second member's identification details representatives (IDk) and the second member's public key (PUk) and said second member's ephemeral group-point (EVk) from said second member to said first member;

(5) providing means for permitting said first member to calculate a first secret key (Kj) wherein:

- a first scalar value (rj*H(IDk,PUk)) is calculated by operating with the hash transformation (H) on said second member's identification details representatives (IDk) and said second member's public key (PUk) and multiplying the result by said first member's random parameter (rj) and reducing the obtained result modulo the order of said generating group-point;

- a first group-point value ([rj*H(IDk,PUk)]*PUk) is calculated by multiplying said first scalar value by said second member's public key (PUk);

- a second scalar value (rj+sj) is calculated by adding said first member's random parameter (rj) and the first member's private key (sj) and reducing the obtained result modulo the order of said generating group-point;

- a second group-point value (EVk + PS) is calculated by adding said second member's ephemeral group-point (EVk) and the Certifying authority public key (PS);

- a third group-point value ((rj+sj)*(EVk+PS)) is calculated by multiplying said second scalar value by said second group-point value;

- said first secret key (Kj) is obtained by adding said first and said third group-point values and subtracting the first member's private group-point (PRj) from the obtained result (Kj = [rj*H(IDk,PUk)]*PUk + (rj+sj)*(EVk + PS) - PRj);

- said operations being defined based on the characteristics of said finite group of points;

(6) providing means for permitting said second member to calculate a second secret key (Kk) wherein:

- a third scalar value (rk*H(IDj,PUj)) is calculated by operating with said hash transformation (H) on said first member's identification details representatives (IDj) and said first member's public key (PUj) and multiplying the result by said second member's random parameter (rk) and reducing the obtained result modulo the order of said generating group-point;

- a fourth group-point value ([rk*H(IDj,PUj)]*PUj) is calculated by multiplying said third scalar value by said first member's public key (PUj);

- a fifth scalar value (rk+sk) is calculated by adding said second member's random parameter (rk) and the second member's private key (sk) and reducing the obtained result modulo the order of said generating group-point;

- a fifth group-point value (EVj + PS) is calculated by adding said first member's ephemeral group-point (EVj) and said Certifying authority public key (PS);

- a sixth group-point value ((rk+sk)* (EVj + PS)) is calculated by multiplying said fifth scalar value by said fifth group-point value;

- said second secret key (Kk) is obtained by adding said fourth and said sixth group-point values and subtracting the second member's private group-point (PRk) from the obtained result (Kk = [rk*H(IDj,PUj)]*PUj + (rk+sk)*(EVj + PS) - PRk);

- said operations being defined based on the characteristics of said finite group of points;

whereby said first and second members use said first and second secret keys respectively as the secret key joint to the two of them, and the value of said secret key joint to the two said members is different each time said first and second members generate a joint secret key.

The calculation of the second group-point value (EVk + PS) is done, according to a preferred embodiment of the invention, by the second member (Userk) and wherein said second member submits said calculated second group-point value to the first member (Userj) instead of submitting the second member's ephemeral group-point (EVk).

The calculation of the fifth group-point value (EVj + PS) is done, according to another preferred embodiment of the invention, by the first member (Userj) and wherein said first member submits said calculated fifth group-point value to the second member (Userk) instead of submitting the first member's ephemeral group-point (EVj).

In another aspect, the invention is directed to a fixed-key-agreement system over a finite group of points in which the discrete logarithm problem applies wherein a first member (Userj) and a second member (Userk) of a plurality of users, as hereinbefore defined, generate a joint session key, the system comprising:

(1) means for sending the first member's identification details representatives (IDj) and the first member's public key (PUj) from said first member to said second member;

(2) means for sending the second member's identification details representatives (IDk) and the second member's public key (PUk) from said second member to said first member;

(3) means for permitting said first member to calculate a first secret key (Kj) wherein:

- a first scalar value (sj*H(IDk,PUk)) is calculated by operating with the hash transformation (H) on said second member's identification details representatives (IDk) and said second member's public key (PUk) and multiplying the result by the first member's private key (sj) and reducing the obtained result modulo the order of said generating group-point;

- a first group-point value ([sj*H(IDk,PUk)]*PUk) is calculated by multiplying said first scalar value by said second member's public key (PUk);

- said first secret key (Kj) is obtained by adding said first group-point value and the first member's private group-point (Kj = [sj*H(IDk,PUk)]*PUk + PRj);

- said operations being defined based on the characteristics of said finite group of points;

(4) means for permitting said second member to calculate a second secret key (Kk) wherein:

- a second scalar value (sk*H(IDj,PUj)) is calculated by operating with said hash transformation (H) on said first member's identification details representatives (IDj) and said first member's public key (PUj) and multiplying the result by the second member's private key (sk) and reducing the obtained result modulo the order of said generating group-point;

- a second group-point value ([sk*H(IDj,PUj)]*PUj) is calculated by multiplying said second scalar value by said first member's public key (PUj);

- said second secret key (Kk) is obtained by adding said second group-point value and the second member's private group-point (Kk = [sk*H(IDj,PUj)]*PUj + PRk);

- said operations being defined based on the characteristics of said finite group of points;

whereby said first and second members use said first and second secret keys respectively as the secret key joint to the two of them.

In yet another aspect the invention provides an ephemeral-key-agreement system over a finite group of points in which the discrete logarithm problem applies wherein a first member (Userj) and a second member (Userk) of a plurality of users, as hereinbefore defined, generate a joint ephemeral session key, the system comprising:

(1) means for permitting said first member (Userj) to generate a first member's random parameter (rj) and calculate a first member's ephemeral group-point (EVj) by multiplying said first member's random parameter by the generating group-point (EVj = rj*G);

(2) means for permitting said second member (Userk) to generate a second member's random parameter (rk) and calculate a second member's ephemeral group-point (EVk) by multiplying said second member's random parameter by said generating group-point (EVk = rk*G);

(3) means for sending the first member's identification details representatives (IDj) and the first member's public key (PUj) and said first member's ephemeral group-point (EVj) from said first member to said second member;

(4) means for sending the second member's identification details representatives (IDk) and the second member's public key (PUk) and said second member's ephemeral group-point (EVk) from said second member to said first member;

(5) means for permitting said first member to calculate a first secret key (Kj) wherein:

- a first scalar value (rj*H(IDk,PUk)) is calculated by operating with the hash transformation (H) on said second member's identification details representatives (IDk) and said second member's public key (PUk) and multiplying the result by said first member's random parameter (rj) and reducing the obtained result modulo the order of said generating group-point;

- a first group-point value ([rj*H(IDk,PUk)]*PUk) is calculated by multiplying said first scalar value by said second member's public key (PUk);

- a second scalar value (rj+sj) is calculated by adding said first member's random parameter (rj) and the first member's private key (sj) and reducing the obtained result modulo the order of said generating group-point;

- a second group-point value (EVk + PS) is calculated by adding said second member's ephemeral group-point (EVk) and the Certifying authority public key (PS);

- a third group-point value ((rj+sj)*(EVk+PS)) is calculated by multiplying said second scalar value by said second group-point value;

- said first secret key (Kj) is obtained by adding said first and said third group-point values and subtracting the first member's private group-point (PRj) from the obtained result (Kj = [rj*H(IDk,PUk)]*PUk + (rj+sj)*(EVk + PS) - PRj);

- said operations being defined based on the characteristics of said finite group of points;

(6) means for permitting said second member to calculate a second secret key (Kk) wherein:

- a third scalar value (rk*H(IDj,PUj)) is calculated by operating with said hash transformation (H) on said first member's identification details representatives (IDj) and said first member's public key (PUj) and multiplying the result by said second member's random parameter (rk) and reducing the obtained result modulo the order of said generating group-point;

- a fourth group-point value ([rk*H(IDj,PUj)]*PUj) is calculated by multiplying said third scalar value by said first member's public key (PUj);

- a fifth scalar value (rk+sk) is calculated by adding said second member's random parameter (rk) and the second member's private key (sk) and reducing the obtained result modulo the order of said generating group-point;

- a fifth group-point value (EVj + PS) is calculated by adding said first member's ephemeral group-point (EVj) and said Certifying authority public key (PS);

- a sixth group-point value ((rk+sk)* (EVj + PS)) is calculated by multiplying said fifth scalar value by said fifth group-point value;

- said second secret key (Kk) is obtained by adding said fourth and said sixth group-point values and subtracting the second member's private group-point (PRk) from the obtained result (Kk = [rk*H(IDj,PUj)]*PUj + (rk+sk)*(EVj + PS) - PRk);

- said operations being defined based on the characteristics of said finite group of points;

whereby said first and second members use said first and second secret keys respectively as the secret key joint to the two of them, and the value of said secret key joint to the two said members is different each time said first and second members generate a joint secret key.

Preferably, but non limitatively, the calculation of the second group-point value (EVk + PS) is done by the second member (Userk) and wherein said second member submits said calculated second group-point value to the first member (Userj) instead of submitting the second member's ephemeral group-point (EVk).

Still preferably and non-limitatively, the calculation of the fifth group-point value (EVj + PS) is done by the first member (Userj) and wherein said first member submits said calculated fifth group-point value to the second member (Userk) instead of submitting the first member's ephemeral group-point (EVj).

In still another aspect the invention is directed to a method wherein a member (Userj) of a plurality of users that use the services of a Certifying Authority generates a joint session key with a party, comprising the steps of:

(1) permitting said Certifying Authority to provide said member with user personal keys;

(2) permitting said Certifying Authority to provide said party with user personal keys;

(3) permitting said member to effect a key-agreement process with said party by only referring to said personal keys provided to said member and to values submitted from said party to said member;

(4) permitting said member to verify that said member and said party generated a session key of the same value; whereby assuring said member, without said member referring to any public key associated with said Certifying Authority when effecting said key-agreement process, that the personal keys used by said party in said key-agreement process were provided to said party by said Certifying Authority.

All the above and other characteristics and advantages of the invention will be better understood through the following illustrative and non-limitative description of preferred embodiments thereof.

DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS

The following notations are used throughout the description of the various embodiments of this invention:

Useri denotes a member of a plurality of users who use the services of a Certifying Authority CA.

IDi denotes the identification details representatives of said Useri.

The term "group-point" refers to an element of a finite group in which the discrete logarithm problem applies.

Group-points are denoted in bold letters.

The operation of calculating k*B out of the scalar k and the group-point B is referred to as "multiplying the scalar k by the group-point B".

G is a generating group point. That is, for any point B of the group, except for the 0 point, there is some k such that B = k*G.

Scalars are calculated modulo the order of the generating group-point G.

d denotes a private key of the said CA.

PS denotes the public key of the CA, where PS = d*G.

si denotes the private key of said Useri.

PUi denotes the public key of said Useri.

IDi denotes the identification details representatives or, generally, claimed attributes, of said Useri.

H(q,w) denotes a hash transformation which converts a scalar q and a group-point w into a scalar.

According to a first preferred embodiment of the invention the various operations are effected using a method by which a Certifying Authority CA provides personal keys to a general user termed Useri. Said personal keys, which are distinct for each user, are provided for the purpose of effecting public key cryptographic applications. The calculations are effected over a finite group of points. A preferred method for this purpose is the subject of copending Israeli Patent Application No. 125222, filed July 6, 1998 by the same applicants hereof, the entire specification of which is incorporated herein by reference. Other methods can also be employed, as will be apparent to the skilled person. IL 125222 describes and claims a key issuing method comprising the steps of:

(1) permitting a Certifying Authority to select a generating group-point (G) whose multiplication by various scalars generate various group-points;

(2) permitting said Certifying Authority to generate a random Certifying Authority private key (d);

(3) permitting said Certifying Authority to generate a Certifying Authority public key (PS) by multiplying said Certifying Authority private key by said generating group-point (PS = d*G);

(4) permitting said member (Useri) to generate a first member's random value (xi) and calculate a first intermediate member's public key (xi*G) by multiplying said first member's random value by said generating group-point;

(5) permitting said member (Useri) to submit said first intermediate member's public key (xi*G) and the member's identification details (IDi) of said member to said Certifying Authority;

(6) permitting said Certifying Authority to calculate said member's public key (PUi) and member's intermediate private key (pi), wherein:

- a second member's random value (yi) is generated and a second intermediate member's public key (yi*G) is calculated by multiplying said second member's random value by said generating group-point;

- said member's public key (PUi) is calculated by adding said first intermediate member's public key and said second intermediate member's public key (PUi = xi*G + yi*G) ;

- a member's temporary value (H(IDi,PUi)) is calculated by operating with a hash transformation (H) which converts a scalar and a group-point into a scalar on said member's identification details (IDi) and said member's public key (PUi);

- said member's intermediate private key (pi) is calculated by multiplying said member's temporary value by said Certifying Authority private key (d) and adding said second member's random value (yi) to the product obtained by said multiplication (pi = H(IDi,PUi)*d + yi).

(7) permitting said Certifying Authority to submit said member's public key (PUi) and said member's intermediate private key (pi) to said member; and

(8) permitting said member to generate said member's private key (si) by adding said first member's random value (xi) to said member's intermediate private key (si = pi + xi).

As said, the private key of said CA according to the first embodiment of the invention is a scalar d. The public key of said CA is a group-point PS where PS = d*G, for a generating group-point G.

Said Useri generates a random xi and submits xi*G and IDi to said CA, where G is said generating group-point and IDi denotes the identification details representatives or, generally, claimed attributes, of said Useri. Said CA generates a random yi, calculates PUi = xi*G + yi*G and submits said PUi to said Useri, together with pi = H(IDi,PUi)*yi + d, where H denotes a hash transformation which converts a scalar and a group-point into a scalar.

Said Useri generates his private key si = pi + H(IDi,PUi)*xi = H(IDi,PUi)*(xi+yi) + d.

The public key of said Useri is said PUi.

It is noted that H(IDi,PUi)*PUi + PS = si*G.

After generating said private key si, said Useri generates a group-point PRi = si*PS which is to be kept secret by said Useri. The calculation of said group-point PRi is done once, for all public key cryptographic procedures in which said Useri participates. Therefore, when considering next the computations effected by a user during the generation of an ephemeral key, the computational efforts involved in the calculation of said group-point PRi are not taken into consideration.

According to another preferred embodiment of the invention there is provided a fixed-key-agreement system, wherein Userj and Userk, each being provided with personal keys sj, PUj, PRj and sk, PUk, PRk according to said preferred first embodiment of this invention (said index i is general and is replaced by j or k to denote specific users), generate a joint session key.

Said Userj and Userk exchange their identification details representatives, or claimed attributes IDj and IDk and their public keys PUj and PUk.

Userk and Userj respectively generate the group-point values

Kk = [sk*H(IDj,PUj)]*PUj + PRk and Kj = [sj*H(IDk,PUk)]*PUk + PRj.

Said group-point values Kk and Kj are the generated session key, joint to said Userk and Userj.

A key confirmation now follows. Here, said users Userj and Userk use the said generated session keys Kj and Kk in order to encrypt and decrypt a selected random value, thereby establishing that they share the same session key. That is, they verify that Kj = Kk.
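The key confirmation step described above (and the one that follows the ephemeral agreement later in the description), as an added example that is not from the patent: each side derives a symmetric key from its own group-point K and authenticates a fresh random value to the other side, so both tags verify only if Kj = Kk. The text speaks of encrypting and decrypting a random value; this example uses an HMAC over the random value instead, binds each tag to the sender's identity so a tag cannot simply be reflected back, derives the key with SHA-256 and compares in constant time. Those choices, the function names and the representation of a group-point as a pair of field elements are assumptions of the example.

```python
import hashlib
import hmac
import secrets


def derive_key(K):
    """Map the agreed group-point K (a pair of field elements here) to a
    symmetric confirmation key; SHA-256 is an assumption of this example."""
    return hashlib.sha256(f"{K[0]},{K[1]}".encode()).digest()


def confirm_tag(K, nonce, sender_id):
    """Sender side: tag a fresh random value under the key derived from K.
    The sender's identity is part of the MAC input, so a tag produced by
    Userj cannot be echoed back to Userj as if it came from Userk."""
    return hmac.new(derive_key(K), sender_id.encode() + nonce, "sha256").digest()


def confirm_check(K, nonce, sender_id, tag):
    """Receiver side: recompute under its own K and compare in constant time."""
    return hmac.compare_digest(confirm_tag(K, nonce, sender_id), tag)


def key_confirmation(Kj, Kk):
    """Both directions, as Userj and Userk would run them over the channel;
    returns True only if both sides accept, i.e. only if Kj == Kk."""
    nonce_j, nonce_k = secrets.token_bytes(16), secrets.token_bytes(16)
    tag_j = confirm_tag(Kj, nonce_j, "user-j")      # Userj -> Userk: nonce_j, tag_j
    tag_k = confirm_tag(Kk, nonce_k, "user-k")      # Userk -> Userj: nonce_k, tag_k
    accepted_by_k = confirm_check(Kk, nonce_j, "user-j", tag_j)
    accepted_by_j = confirm_check(Kj, nonce_k, "user-k", tag_k)
    return accepted_by_k and accepted_by_j
```

Because each party only ever evaluates the MAC under the key it derived itself, a mismatch between Kj and Kk shows up as a failed check rather than as a leaked key; the group-points themselves never cross the channel.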

The validity of the system according to the aforesaid second preferred embodiment of this invention can be easily appreciated by the skilled person by noting that

Kk = [sk*H(IDj,PUj)]*PUj + PRk = [sk*H(IDj,PUj)]*PUj + sk*PS = sk*(H(IDj,PUj)*PUj + PS) = sk*sj*G which is symmetric in j and k.

The fixed-key-agreement system according to the aforesaid second preferred embodiment of the invention is effected by one exponentiation, as opposed to three exponentiation operations executed when implementing the prior art DH key-agreement system.

According to a third preferred embodiment of the invention there is provided an ephemeral-key-agreement system, wherein Userj and Userk, each being provided with personal keys sj, PUj, PRj and sk, PUk, PRk according to said first preferred embodiment of the invention, generate a joint ephemeral session key.

Userj generates a random rj, calculates an ephemeral group-point EVj = rj*G and sends to said Userk: IDj, PUj, EVj.

Userk generates a random rk, calculates an ephemeral group-point EVk = rk*G and sends to said Userj: IDk, PUk, EVk.

Userj calculates Kj = [rj*H(IDk,PUk)]*PUk + (rj+sj)*(EVk + PS) - PRj.

Userk calculates Kk = [rk*H(IDj,PUj)]*PUj + (rk+sk)*(EVj + PS) - PRk.

Said group-point values Kj and Kk are the generated session key, joint to said Userj and Userk.

A key confirmation now follows.

The validity of the system according to the aforesaid third preferred embodiment of this invention can be easily appreciated by the skilled person by noting that

Kk = [rk*H(IDj,PUj)]*PUj + (rk+sk)*(EVj + PS) - PRk = [rk*H(IDj,PUj)]*PUj + (rk+sk)*EVj + rk*PS = rk*(H(IDj,PUj)*PUj + PS) + (sk+rk)*EVj = rk*sj*G + sk*rj*G + rk*rj*G, using again H(IDj,PUj)*PUj + PS = sj*G and EVj = rj*G; the result is symmetric in j and k.

The ephemeral-key-agreement system according to the aforesaid third preferred embodiment of the invention is effected by three exponentiation operations, as opposed to seven exponentiations associated with the ephemeral DH key-agreement system and five exponentiations associated with the MQV system.

According to a fourth preferred embodiment of the invention there is provided an ephemeral-key-agreement system which is a modification of the ephemeral-key-agreement system according to said third preferred embodiment of the invention. Let ETj = EVj + PS and ETk = EVk + PS. In the system according to the fourth preferred embodiment of this invention, any of said Userj or Userk submits, respectively, ETj or ETk instead of submitting, respectively, EVj or EVk.

Proof of the validity of the ephemeral-key-agreement system according to said fourth preferred embodiment of the invention follows the lines of the proof of the validity of the ephemeral-key-agreement system according to said third preferred embodiment of the invention.

The session key generated by said Userj according to said fourth preferred embodiment of the invention is Kj = [rj*H(IDk,PUk)]*PUk + (rj+sj)*ETk - PRj. Said Userj does not refer, during the generation of the session key Kj, to any public key of the Certifying Authority CA. This same principle applies to the fixed-key-agreement system according to said second embodiment of this invention. The only reference to such a public key of CA was made during the stage when the personal keys sj, PUj and PRj were provided to Userj.

This reference to the public key of CA was effected prior to the communication of Userj with said Userk. However, after a successful key confirmation, Userj, who knows that his own personal keys are valid, is assured that Userk has also used valid personal keys during the key agreement process, where valid keys are defined as keys provided to a user by the said Certifying Authority CA.

This clarifies the existence of a principle termed 'you are OK if I am OK' certification, where Userj, whose own personal keys are valid, can effect a key agreement process with another party by referring only to the personal keys of Userj and to ephemeral values submitted by the other party, and without referring during the key agreement process to any public key of the Certifying Authority. This ephemeral-key-agreement system without on-line reference to a Certifying Authority public key forms a fifth preferred embodiment of the present invention.

The last step in the fixed-key-agreement system according to the aforesaid second preferred embodiment of the invention, and the last step in the ephemeral-key-agreement system according to the aforesaid third preferred embodiment of this invention, concerns a key confirmation, wherein said users Userj and Userk use the said generated session keys Kj and Kk in order to encrypt and decrypt a selected random value, thereby establishing that they share the same session key. Let rn denote the said selected random value, where said rn is transmitted from said Userj to said Userk and where said Userk encrypts rn, using said key Kk, into a value denoted as Kk(rn). Said value Kk(rn) is then transmitted back from said Userk to said Userj, where said Userj decrypts said Kk(rn), using said key Kj. The decrypted value is then compared by said Userj to the value of said rn.

In a key-agreement method according to a sixth preferred embodiment of the invention, said value rn is transmitted from said Userj to said Userk together with said values IDj and PUj. Said Userk then generates said key Kk, according to the aforesaid second preferred embodiment of the invention or according to the aforesaid third preferred embodiment of the invention. Said Userk then generates said encrypted value Kk(rn), which is transmitted from said Userk to said Userj together with said values IDk and PUk. Said Userj then generates said key Kj and decrypts said Kk(rn), using said key Kj. The decrypted value is then compared by said Userj to the value of said rn. The key confirmation in the key-agreement method according to said sixth preferred embodiment of the present invention does not involve a dedicated communication session established between said Userk and said Userj for the purpose of exchanging the values rn and Kk(rn).

In a key-agreement method according to a seventh preferred embodiment of the present invention, the value Kk(rn) is calculated by operating on said rn and said Kk by a hash transformation H1. Said Userj also operates with the said hash transformation H1 on said rn and said Kj, and compares the result to the received Kk(rn). In the case in which said two compared values are equal, said Userj decides that said Kk and said Kj are equal, where Userj was able to arrive at this decision without him or Userk using any transformation that involves encryption and decryption operations.

Key-agreement methods can be used in user identification or attribute verification, where Userk proves to Userj that said Userk legally possesses claimed identification details or attributes IDk. (Said attributes can be, for example, access rights or the rights to receive services.) User identification or attribute verification is established by generating a session key, joint to said Userk and Userj, where a key confirmation, which assures said Userj that he and said Userk share the same session key, implicitly assures said Userj of the validity of the value IDk.
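As an added worked example (not the patent's own code), the following Python carries the fixed-key agreement of the second embodiment, the ephemeral-key agreement of the third embodiment and the hash-based key confirmation of the seventh embodiment over a toy prime-order group. The CA provisioning step is an assumption, since the first embodiment is not reproduced on this page; it is chosen so that H(IDi,PUi)*PUi + PS = si*G, the identity both validity proofs above rely on, and the hash H, the group parameters and the user names are constructed for the example.

```python
import hashlib
import secrets
# Toy group parameters constructed for this example: p = 2q + 1, both prime; the
# group is the order-q subgroup of Z_p^*, written additively as on the page:
# "A + B" is A*B mod p, "-A" is the inverse mod p, "x*A" is A^x mod p.
P, Q, G = 2039, 1019, 4
def add(a, b): return a * b % P
def neg(a): return pow(a, P - 2, P)          # the group-point -A
def mul(x, a): return pow(a, x, P)           # x*A, one exponentiation
def H(id_, pu):                              # H(ID, PU) as a scalar mod q
    return int.from_bytes(hashlib.sha256(f"{id_}|{pu}".encode()).digest(), "big") % Q

class CA:
    """Assumed provisioning (the page's first embodiment is not shown here): CA
    secret s, PS = s*G; per user the CA picks k, sets PU = k*G and
    s_i = H(ID,PU)*k + s mod q, so that H(ID,PU)*PU + PS = s_i*G holds."""
    def __init__(self):
        self.s = secrets.randbelow(Q - 1) + 1
        self.PS = mul(self.s, G)
    def provision(self, id_):
        k = secrets.randbelow(Q - 1) + 1
        PU = mul(k, G)
        si = (H(id_, PU) * k + self.s) % Q
        return si, PU, mul(si, self.PS)      # PR_i = s_i*PS: computed once, kept secret

def fixed_key(si, PRi, IDo, PUo):
    """Second embodiment: K = [si*H(IDo,PUo)]*PUo + PRi, a single exponentiation."""
    return add(mul(si * H(IDo, PUo) % Q, PUo), PRi)

def ephemeral_key(si, PRi, ri, IDo, PUo, EVo, PS):
    """Third embodiment: K = [ri*H(IDo,PUo)]*PUo + (ri+si)*(EVo+PS) - PRi; two
    exponentiations here plus one for EV = ri*G give the page's count of three."""
    t1 = mul(ri * H(IDo, PUo) % Q, PUo)
    t2 = mul((ri + si) % Q, add(EVo, PS))
    return add(add(t1, t2), neg(PRi))

def confirm_tag(K, rn):                      # seventh embodiment: Kk(rn) = H1(rn, K)
    return hashlib.sha256(f"{rn}|{K}".encode()).hexdigest()

def run_demo():
    ca = CA()
    sj, PUj, PRj = ca.provision("userj")
    sk, PUk, PRk = ca.provision("userk")
    Kj, Kk = fixed_key(sj, PRj, "userk", PUk), fixed_key(sk, PRk, "userj", PUj)
    rj, rk = secrets.randbelow(Q - 1) + 1, secrets.randbelow(Q - 1) + 1
    EVj, EVk = mul(rj, G), mul(rk, G)        # exchanged along with IDj, PUj / IDk, PUk
    Ej = ephemeral_key(sj, PRj, rj, "userk", PUk, EVk, ca.PS)
    Ek = ephemeral_key(sk, PRk, rk, "userj", PUj, EVj, ca.PS)
    rn = secrets.randbelow(Q)                # Userj's challenge; Userk answers with the tag
    return Kj == Kk, Ej == Ek, confirm_tag(Kj, rn) == confirm_tag(Kk, rn)
```

With the toy 11-bit modulus the discrete logarithm is trivial, so the parameters only illustrate the algebra; the key counts in the docstrings are what make the page's one-versus-three and three-versus-seven comparisons concrete.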

All the aforesaid description of preferred embodiments has been provided for the purpose of illustration, and is not intended to limit the invention in any way, except as defined in the claims to follow.