Multi-party session key agreement method

12034839 · 2024-07-09

Abstract

A multi-party session key agreement method includes: a test session for exchanging a short-term key between parties of 3 to n peers; and an original session for exchanging a long-term key between the parties who have exchanged the short-term key. Peer (n) that has conducted the test session and the original session has cluster (n) that manages the keys as a result of conducting the sessions, and cluster (n) agrees with a result of the session conducted in peer (n) by communicating with cluster (n+1) of another peer (n+1).

Claims

1. A multi-party session key agreement method comprising: a test session for exchanging a short-term key between parties of 3 to n peers; and an original session for exchanging a long-term key between the parties who have exchanged the short-term key, wherein Â possesses a long-term key pair (a, A), B̂ possesses a long-term key pair (b, B), and Ĉ possesses a long-term key pair (c, C), and the test session includes the sub-steps of: (a) activating session s = (Â, i), selecting a short-term private key, calculating X = g^{f_I(r_Â, a, ?)}, and sending X to B̂ and Ĉ by Â; (b) activating session s = (B̂, i), selecting a short-term private key, and calculating Y = g^{f_R(r_B̂, b, ?)} and K_B̂ = F_R(f_R(r_B̂, b, ?), b, X, ?) by B̂; (c) activating session s = (Ĉ, i), selecting a short-term private key, and calculating Z = g^{f_R(r_Ĉ, c, ?)} and K_Ĉ = F_R(f_R(r_Ĉ, c, ?), c, Y, ?) by Ĉ; (d) sending Y to ? by B̂, and sending X and Y to ? by ?; (e) sending X and Z to B̂ by Ĉ, and sending Y and Z to Â by B̂; (f) completing the session using session key K_B̂ by B̂ after confirming X; (g) completing the session using session key K_Ĉ by Ĉ after confirming Y; (h) calculating K_Â = F_I(f_I(r_Â, a, ?), a, Y, ?) by Â after confirming Y; (i) completing the session using session key K_Â by Â after confirming Z; and (j) confirming whether H(session key value + transaction session key tree root value) < TV (Target Value), and conducting the original session step if satisfied, and terminating the session if not satisfied, by Â, B̂, and Ĉ, respectively, where Â, B̂, and Ĉ are party A, B, C respectively, where X, Y, and Z are short-term public keys of party A, B, and C respectively, where r_Â, r_B̂, and r_Ĉ are short-term private keys of party A, B, and C respectively, where K_Â, K_B̂, and K_Ĉ are session keys of party A, B, and C respectively, where A, B, and C are long-term public keys of party A, B, and C (A = g^a, B = g^b, C = g^c) respectively, where a, b, and c are long-term private keys of party Â, B̂, and Ĉ (a ∈ Z_p) respectively, where pK_Â, pK_B̂, and pK_Ĉ are agreement public keys of party Â, B̂, and Ĉ respectively, where sK_Â, sK_B̂, and sK_Ĉ are agreement private keys of party Â, B̂, and Ĉ respectively, and where g is a generator.

2. The method according to claim 1, wherein Â possesses an agreement key pair (pk_Â, sk_Â), B̂ possesses an agreement key pair (pk_B̂, sk_B̂), and Ĉ possesses an agreement key pair (pk_Ĉ, sk_Ĉ), and the original session includes the sub-steps of: (a) sending X to B̂ and Ĉ by Â after agreeing with X using sk_Â; (b) sending Y to Â and Ĉ by B̂ after agreeing with Y using sk_B̂; and (c) sending Z to Â and B̂ by Ĉ after agreeing with Z using sk_Ĉ.

3. The method according to claim 1, wherein peer (n) that has conducted the test session and the original session has cluster (n) that manages the keys as a result of conducting the sessions, and cluster (n) agrees with a result of the session conducted in peer (n) by communicating with cluster (n+1) of another peer (n+1).

4. The method according to claim 3, wherein the agreement is performed based on the Federation Byzantine Agreement (FBA).

5. A security method of a cryptocurrency wallet when a cryptocurrency is traded using the multi-party session key agreement method of claim 1.

6. A cryptocurrency wallet security method in a blockchain game using the multi-party session key agreement method of claim 1.

Description

BRIEF DESCRIPTION OF THE DRAWINGS

(1) FIG. 1A is a view showing an exemplary procedure of a test session in an agreement method according to the present invention.

(2) FIG. 1B is a view showing an exemplary procedure of an original session in an agreement method according to the present invention.

(3) FIG. 1C is a view showing an exemplary procedure of a process of agreeing (exchanging) a session result generated by a peer with another peer in the present invention.

(4) FIG. 2 is a graph showing a result of evaluating an F-measure model of an agreement method according to the present invention.

DETAILED DESCRIPTION

(5) Hereinafter, the present invention will be described in more detail with reference to the accompanying drawings. However, the accompanying drawings are only examples for easily describing the content and scope of the technical spirit of the present invention, and the technical scope of the present invention is not limited or changed thereby. It will be natural for those skilled in the art that various modifications and changes are possible within the scope of the technical spirit of the present invention based on these examples.

(6) The present invention is characterized in that the conventional key storage scheme is replaced with a session key agreement that follows a multilateral protocol, and the key exchange agreement among users is activated by the Federated Byzantine Agreement (FBA) protocol. Accordingly, the agreement method according to the present invention is a hybrid of the FBA and the forward secrecy.

(7) The present invention having these characteristics relates to a multi-party session key agreement method composed of a test session for exchanging a short-term key between parties of 3 to n peers, and an original session for exchanging a long-term key between the parties who have exchanged the short-term key. In the present invention, a session is divided into a test session and an original session to enhance security. The test session is performed using a short-term key for simple security, and is a process of confirming low-level security. The original session is a process of confirming high-level security using a long-term key and an agreement key, and is the session in which the agreement mechanism of the nodes participating in the network is conducted.

(8) In a communication protocol, communication among three persons is interpreted as multi-party communication. Therefore, although the present invention describes a session between three or more parties, this will be simplified hereinafter to involve three parties in one peer since it will be very complicated when the present invention is explained for more than three parties. However, it will be natural that the multi-party session key agreement method of the present invention is possible even among four or more parties according to the concept and principles described in the present invention.

(9) In the present invention, the test session may include following sub-steps. FIG. 1A shows an exemplary procedure of a test session in an agreement method according to the present invention.

(10) That is, Â possesses a long-term key pair (a, A), B̂ possesses a long-term key pair (b, B), and Ĉ possesses a long-term key pair (c, C), and the test session may include the sub-steps of: (a) activating session s = (Â, i), selecting a short-term private key, calculating X = g^{f_I(r_Â, a, ?)}, and sending X to B̂ and Ĉ by Â; (b) activating session s = (B̂, i), selecting a short-term private key, and calculating Y = g^{f_R(r_B̂, b, ?)} and K_B̂ = F_R(f_R(r_B̂, b, ?), b, X, ?) by B̂; (c) activating session s = (Ĉ, i), selecting a short-term private key, and calculating Z = g^{f_R(r_Ĉ, c, ?)} and K_Ĉ = F_R(f_R(r_Ĉ, c, ?), c, Y, ?) by Ĉ; (d) sending Y to ? by B̂, and sending X and Y to ? by ?; (e) sending X and Z to B̂ by Ĉ, and sending Y and Z to Â by B̂; (f) completing the session using session key K_B̂ by B̂ after confirming X; (g) completing the session using session key K_Ĉ by Ĉ after confirming Y; (h) calculating K_Â = F_I(f_I(r_Â, a, ?), a, Y, ?) by Â after confirming Y; (i) completing the session using session key K_Â by Â after confirming Z; and (j) confirming whether H(session key value + transaction session key tree root value) < TV (Target Value), and conducting the original session step if satisfied, and terminating the session if not satisfied, by Â, B̂, and Ĉ, respectively.

(11) Here, the meaning of each abbreviation is summarized in Table 1, and i=1 . . . q is a query phase.

(12) In the test session, session activation of each party may be conducted simultaneously in two or more among Â, B̂, and Ĉ, or the sessions may be activated sequentially in the order of Â, B̂, and Ĉ.

(13) TABLE 1

Abbreviations        Descriptions
Â, B̂, Ĉ             Party A, B, C
X, Y, Z              Short-term public keys of party A, B, C
r_Â, r_B̂, r_Ĉ       Short-term private keys of party A, B, C
K_Â, K_B̂, K_Ĉ       Session keys of party A, B, C
A, B, C              Long-term public keys of party A, B, C (A = g^a, B = g^b, C = g^c)
a, b, c              Long-term private keys of party Â, B̂, Ĉ (a ∈ Z_p)
pK_Â, pK_B̂, pK_Ĉ    Agreement public keys of party Â, B̂, Ĉ
sK_Â, sK_B̂, sK_Ĉ    Agreement private keys of party Â, B̂, Ĉ
g                    Generator

(14) At sub-step (j) of the test session, when Â, B̂, and Ĉ respectively satisfy H(session key value + transaction session key tree root) < TV (Target Value), the original session is conducted.
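Sub-step (j) above, worked through as an added illustration that is not part of the patent: the hash H, the Merkle-tree construction of the transaction session key tree root, the integer comparison against TV, and every key value are assumptions or constructed samples, since the patent fixes none of them.

```python
import hashlib
from typing import Dict, List, Tuple

# Assumptions (the patent does not fix these): H is SHA-256, the "transaction
# session key tree root" is a binary Merkle root over the session keys recorded
# in the block body, and H(...) < TV compares the digest as a big-endian integer
# against a proof-of-work style target value.


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def merkle_root(leaves: List[bytes]) -> bytes:
    """Binary Merkle root of the recorded session keys.

    An odd node at any level is paired with itself; this is an assumption,
    the patent does not specify the tree construction.
    """
    if not leaves:
        raise ValueError("tree needs at least one leaf")
    level = [sha256(leaf) for leaf in leaves]
    while len(level) > 1:
        if len(level) % 2 == 1:
            level.append(level[-1])
        level = [sha256(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]


def target_value(leading_zero_bits: int) -> int:
    """TV expressed as a difficulty: a digest passes if it is below 2^(256 - bits)."""
    return 1 << (256 - leading_zero_bits)


def passes_gate(session_key: bytes, tree_root: bytes, tv: int) -> bool:
    """Sub-step (j) for one party: H(session key || tree root) < TV."""
    digest = sha256(session_key + tree_root)
    return int.from_bytes(digest, "big") < tv


def evaluate_test_session(session_keys: Dict[str, bytes],
                          recorded_keys: List[bytes],
                          tv: int) -> Tuple[Dict[str, bool], bool]:
    """Each party evaluates the gate on its own session key against the shared
    root; the original session is entered only if every party is satisfied,
    otherwise the session terminates."""
    root = merkle_root(recorded_keys)
    per_party = {p: passes_gate(k, root, tv) for p, k in session_keys.items()}
    return per_party, all(per_party.values())


if __name__ == "__main__":
    # Constructed sample values standing in for K_A, K_B, K_C and for the
    # session keys already recorded in the block body.
    keys = {"A": b"K_A-constructed", "B": b"K_B-constructed", "C": b"K_C-constructed"}
    recorded = [b"tx-key-1", b"tx-key-2", b"tx-key-3"]
    verdicts, proceed = evaluate_test_session(keys, recorded, target_value(4))
    print(verdicts, "-> original session" if proceed else "-> terminate")
```

Raising the difficulty passed to target_value makes the gate reject more session keys; a party that fails terminates rather than entering the original session.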

(15) In the present invention, the original session may include following sub-steps. FIG. 1B shows an exemplary procedure of an original session in an agreement method according to the present invention.

(16) That is, in the present invention, Â possesses an agreement key pair (pk_Â, sk_Â), B̂ possesses an agreement key pair (pk_B̂, sk_B̂), and Ĉ possesses an agreement key pair (pk_Ĉ, sk_Ĉ), and the original session may include the sub-steps of: (a) sending X to B̂ and Ĉ by Â after agreeing with X using sk_Â; (b) sending Y to Â and Ĉ by B̂ after agreeing with Y using sk_B̂; and (c) sending Z to Â and B̂ by Ĉ after agreeing with Z using sk_Ĉ. (The meaning of each abbreviation is as shown in Table 1.)

(17) In the test session, when A arbitrarily sends X to potential parties in the peer, parties responding thereto are B and C, and at this point, a person responding first is B, and a person responding next is C. When the two persons respond at the same time, a person is selected based on a predetermined criterion. Of course, when three or more persons respond, it will be natural that the process may be performed in a method corresponding to the above steps.

(18) In the present invention, in order to further enhance security of the multi-party session key agreement method described above, it is preferable to encode the derived session keys in a blockchain data structure. For example, security information of a key protocol is added to the block body of the blockchain as a transaction session key tree root, and in one transaction, secret key information of a session is attached to the block body of the blockchain in correspondence to the Proof of Stake (PoS).

(19) In the present invention, peer (n) that has conducted the test session and the original session has cluster (n) that manages the keys resulting from those sessions, and it is preferable for cluster (n) to go through a process of agreeing (exchanging, transmitting) the result of the session conducted in peer (n) by communicating with cluster (n+1) of another peer (n+1). At this point, the agreement may be performed based on the Federation Byzantine Agreement (FBA). FIG. 1C shows an exemplary procedure of a process of agreeing (exchanging) a session result generated by a peer with another peer. As shown in FIG. 1C, after the key cluster in a peer has processed the session keys for all users in that peer, it transmits the secret key information of its peer to the key cluster in another peer. This transfer process is repeated for all peers.

(20) According to the present invention as described above, since the session result of cluster (n), whose session key agreement comes first, affects the session key agreement process of the cluster whose agreement follows, and no effect occurs in the inverse direction, forward secrecy is guaranteed.

(21) When the multi-party session key agreement method according to the present invention is used, a method of enhancing security of a cryptocurrency wallet in a cryptocurrency transaction, a method of enhancing security of a cryptocurrency wallet in a blockchain game, or the like will be possible. For example, Play to Earn (P2E) is a concept that makes money while playing games, which is one of blockchain game methods that allows a user to exchange items acquired while playing games for cryptocurrencies, NFTs, or the like, and convert the items into cash through a virtual asset exchange. When the multi-party session key agreement method according to the present invention is introduced in a P2E game, legitimate ownership on the items, cryptocurrencies, NFTs, coins, and the like acquired by the user may be acknowledged, and although game developers disappear, the user may prove his or her ownership.

(22) The security and efficiency of the multi-party session key agreement method according to the present invention as described above has been analyzed.

1. Analysis of Security

(23) Security analysis assumes botnet attacks on peer-to-peer users. A botnet may be defined as a network of compromised computers that can be remotely controlled by an attacker. System simulation assumes that a system state is represented through the messages transmitted between processes, and only the interacting processes that generate global de-synchronization may use these messages.

(24) In the present invention, OverSim, which is an open-source overlay and P2P network simulation framework for the OMNeT++ simulation environment, is used to make understanding of the P2P protocol source code easy. In order to analyze the botnet behavior, a simulation obtained from OverSim according to the method disclosed in Reference 1 is used, and it is applied to the F-measure model. A graph showing a result of evaluating the F-measure model for the multi-party session key agreement method according to the present invention is attached in FIG. 2.

(25) In the ROC curve of FIG. 2, the values for Key Cluster Mode (KCM), Test Session Key Mode (TSM), and Original Session Key Mode (OSM) have a True Positive Ratio (TPR) of 0.5 or more and a False Positive Ratio (FPR) of 0.5 or less. Therefore, it is proved that the multi-party session key agreement method model according to the present invention achieves optimal security.

2. Analysis of Computation Efficiency

(26) For comparison of computation cost, the experimental environment presented in Reference 1 is followed. 32 bits are used for the timestamp, arbitrary value, and sequence number, and 1024 bits are used for the session key.

(27) Table 2 shows a result of comparison with four prior technologies studied in relation to enhancement of computation efficiency.

(28) In the table, T_h is a one-way hash function, T_ecm is ECC point multiplication, T_eca is ECC point addition, T_senc is symmetric encryption, T_sdec is symmetric decryption, and T_me is modular exponentiation.

(29) TABLE 2

Comparison group        Computation cost
Embodiment              9 T_me + 4 T_ecm + T_eca + 9 T_h +
Comparative example 1   11 T_me + 3 T_ecm + 2 T_eca + 5 T_senc/T_sdec
Comparative example 2   12 T_me + 4 T_senc/T_sdec
Comparative example 3   13 T_me + 6 T_ecm + 2 T_eca + 6 T_senc/T_sdec
Comparative example 4   13 T_h + 10 T_me + 8 T_senc/T_sdec

(30) In Comparative Example 1, a digital signature key computation is required to verify only the participating users. Since the key can be confirmed by the Diffie-Hellman calculation, it takes longer than the mutual authentication using the Diffie-Hellman group key verification of Comparative Example 2.

(31) In Comparative Example 2, although the group key authentication cost is efficient, it is not suitable for a blockchain that stores transaction history and needs to prove works.

(32) Comparative Example 3 requires polynomial reduction of key size according to the number of mutual authentications of signers, and it is inefficient from the aspect of computation cost, as well as security, due to the combination of polynomial time and key size for a blind signature.

(33) In Comparative Example 4, although a key based on pairing is formed for efficiency of the public key, there is a limitation in practical application as it is theoretical. In addition, a secret key algorithm cannot be arbitrarily generated, and a public key cannot be processed. In addition, since an arbitrary private key generation algorithm is generally included in Comparative Example 4, there is a problem in that the backward operation is difficult.

(34) Although a specific computation cost is not compared in Table 2, the technique proposed in Comparative Example 5, another piece of prior literature, handles a small set and many parties for a given runtime, so that the computation and communication complexity is linear in the number of elements of the largest set for a fixed number of colluding parties. Although that protocol is a fast tool for personal computing, it does not deal with a security proof in an extended distributed network, as its safety is proved only in the semi-honest model by setting an intersection protocol at both regular and critical intersections. By contrast, the protocol according to the present invention is a safe multilateral protocol and is effective for distributed networks that utilize a blockchain.

(35) According to the present invention as described above, primarily, low-level security is secured with a short-term key pair by the test session, and security unfiltered in the test session is conducted in the original session with an agreement key pair at a higher-level security of a long-term key pair. A key result processed in this way guarantees correct transaction records of participating parties through an agreement mechanism using the Federated Byzantine Agreement.

(36) Therefore, according to the present invention, a session key protocol with excellent economic efficiency, as well as complete forward secrecy of the session key for enhanced security, is possible; security in normal communication can be secured, and since the key of a cryptocurrency wallet is protected and the authenticity of cryptocurrency transaction records is guaranteed at the same time, it may greatly contribute to the prevention of cryptocurrency hacking.

(37) In addition, the present invention can be widely used in other areas since it guarantees a safe distributed network, as well as cryptocurrency protection. For example, as the agreement method according to the present invention is applied to blockchain games and P2E (play to earn), security in the process of trading cryptocurrencies, NFTs, items, or the like among game users is enhanced, and thus reliability and safety can be guaranteed.

(Reference 1) www.oversim.org/.

(Comparative example 1) M. Just, S. Vaudenay, Authenticated multi-party key agreement, in: Proc. of Asiacrypt'96, LNCS 1163, Springer, 1997, pp. 36-49.

(Comparative example 2) E. Bresson, O. Chevassut, D. Pointcheval, Provably authenticated group Diffie-Hellman key exchange: the dynamic case, in: Proc. of Asiacrypt'01, LNCS 2248, Springer, 2001, pp. 255-264.

(Comparative example 3) D. Pointcheval, J. Stern, Security arguments for digital signatures and blind signatures, J. Cryptol. 13 (3) (2000) 361-396.

(Comparative example 4) H. Chen, L. Xie, Improved One-way Hash Chain and Revocation Polynomial-Based Self-Healing Group Key Distribution Schemes in Resource-Constrained Wireless Networks, Sensors 14 (12) (2014) 24358-24380.

(Comparative example 5) Asli Bay et al., Practical Multi-Party Private Set Intersection Protocols, IEEE Transactions on Information Forensics and Security, Vol. 17, 2022.