2009 Fifth International Conference on Networking and Services

SKIP: A Secure Key Issuing Scheme for Peer-to-Peer Networks

Cong Tang, Ruichuan Chen, Zhuhua Cai, Anming Xie, Jianbin Hu∗ , Liyong Tang, Zhong Chen
Institute of Software, School of EECS, Peking University, China
Key Lab of High Confidence Software Technologies, Ministry of Education, China
{tangcong, chenrc, caizh, xieam, hjbin, tly, chen}@infosec.pku.edu.cn

Abstract Compared with the PKI technique, identity based cryp-

tography (IBC) can simplify the key management process
Identity based cryptography (IBC) was introduced into in P2P networks significantly. The identity of a peer (e.g.,
peer-to-peer (P2P) networks recently for identity verification peer identifier or peer geometric coordinate) in P2P overlay
and authentication purposes. However, current IBC-based networks is used to create its public key, thus avoiding
solutions could not address the problem of secure private key the use of any certificates. These IBC-based systems are
issuing. In this paper we propose SKIP: a novel secure key scalable, simple to administer, and each user can carry
issuing scheme for P2P networks using IBC. We present an out anytime/anywhere encryption, establish secure commu-
IBC infrastructure setup phase, a peer registration solution nication channels, prove its identity to other nodes, verify
using Shamir’s (k, n) secret sharing scheme, and a secure protected messages and produce a form of signature with
key issuing scheme, which adopts key generate center (KGC) non-repudiation property.
and key privacy authorities (KPAs) to issue private keys to
peers securely in order to enable the IBC systems to be 2. Introduction
more acceptable and applicable in real-world P2P networks.
Furthermore, to maintain the security of KPAs, we develop a
scheme to authenticate KPAs using Byzantine fault tolerance 2.1. Related Work
protocol. The theoretical analysis and experimental results
show that SKIP performs effectively and efficiently, and is IBC uses the user’s identity as his public key. The private
able to support large scale networks. keys of the users are issued by a key generate center (KGC)
after verifying the user’s credentials. IBC was introduced in
1. Background 1984 by Shamir [2]; however, the first practical encryption
scheme (IBE) was not available until 2001 which was
developed by Boneh and Franklin [3].
With its distributed, self-organization and self-
maintenance nature, P2P networks are extremely vulnerable Though IBC overcomes the problems of the traditional
to a large spectrum of attacks [1], mainly due to the lack PKI, it suffers from some inherent problems, one of which
of a certification service responsible for peers identity is the secure channel requirement: key issuing requires
verification and for authentication purposes. secure channel to avoid eavesdropping. In 2001, Boneh
Traditional certificate-based public key infrastructure and Franklin [3] addressed secure key issuing problem
(PKI) can be used here to solve some of the problems by using multiple key issuing authorities. After that, many key
verifying the authenticity of nodes’ identities and issuing issuing protocols [4], [5], [6] without secure channels were
public key certificate to each node. However, as the node proposed.
churn is highly frequent in the P2P network, many nodes So far, several studies have been focused on introduc-
that stored certificates may quickly become invalid, hence ing IBC into P2P security applications. Lu et al. in [7]
PKI based security protocol is difficult to be deployed. combined distributed hash tables (DHTs [8]) and identity
Besides, each node requires large amounts of space to store based encryption (IBE) to defend against man-in-the-middle
public key certificates, which can be difficult to implement in attacks, however, the scheme assumed that each node has
practice. Furthermore, secured P2P overlay communication had a pre-assigned unique identifier, and has obtained the
is efficient if the overlay nodes have a common, shared key corresponding private key through a secure offline channel.
for securing the communication. This is difficult to achieve This is expensive and difficult to achieve in a large scale
in dynamic P2P overlay networks, as a new key must be P2P overlay network.
generated every time a overlay node membership change In [9], Lua proposed a hybrid security protocol using IBE
occurs in order to preserve forward secrecy. to resist the Sybil attacks, Ryu et al. in [10] proposed ID
assignment protocols based on IBC to permit the acquisition
* Corresponding author. of node IDs to be tightly regulated in order to mitigate the

978-0-7695-3586-9/09 $25.00 © 2009 IEEE 301

296
DOI 10.1109/ICNS.2009.64

Authorized licensed use limited to: Green Hills Engineering College. Downloaded on August 4, 2009 at 03:28 from IEEE Xplore. Restrictions apply.
Sybil attacks, but these two schemes still suffered from the Table 1. Notation
attack against key issuing phase. IDA : Peer A’s identity (ID)
Likir [11] presented by Aiello et al. signs messages with KA : Peer A’s private key
IBS in Kademlia-based P2P networks, however the authors P roofA : Peer A’s proof of the registration
supposed every system user had already obtained a private · Concatenation
key and did not consider the key issuing problem. SS(x, k) Secret share of secret x in Shamir’s (k, n)
In real-world P2P networks, it is important to have a key threshold secret sharing scheme
issuing scheme in order to keep in secret whether the private M AC(x, K) Keyed message authentication code of data
key corresponding to a certain identity has been requested. x and key K
In our paper, we present SKIP, a secure key issuing scheme {X}KA A string X signed by peer A
for P2P networks, which addresses the shortcomings of [7], T hresKP A Minimum number of KPAs system pos-
[9], [10], [11], and makes IBC more applicable in the real sesses
world.
P KA (ID) Partial key of peer ID issued by A
P zl(x) A puzzle generated using Seed x
2.2. Contribution Sln(x) Solution of Puzzle x

In this paper we propose SKIP, a novel secure key

issuing scheme for P2P networks. We present the setup 3.1. Terminology and assumptions
scheme of IBC infrastructure (Section 3.2). We introduce a
peer registration protocol which can register peers adopting 3.1.1. Entities and assumptions. We present the entities
Shamir’s secret sharing scheme [12] (Section 3.3). We then involved and the security assumptions for the proposed
propose a secure key issuing protocol which can issue private scheme in this section.
keys securely without the requirement of secure channels. KGC: There is a trusted core node which acts as KGC
The protocol enables IBC more acceptable and applicable in at the center of the system, which provides peer registration
real-world P2P networks (Section 3.4). Further, we propose and key issuing service. We assume that it has been highly
an algorithm to authenticate key privacy authorities (KPAs) fault tolerant and always available.
using BFT protocol, which can remove the malicious KPAs KPA: n nodes are selected as Key Privacy Authorities
and find out newly substitutional KPAs (Section 3.5). After- (KPAs) in order to provide the key privacy service in the
wards, we analyze how to adjust the threshold of Shamir’s key issuing phase, which are not required to be as reliable
secret sharing scheme in our proposed peer registration as KGC. In addition, malicious attackers can potentially
protocol to prevent the system from collusion attacks and compromise some of these nodes to perform insider attacks.
denial-of-service (DoS) attacks (Section 4.3.1). Finally, we Peer: A peer is an ordinary node in P2P networks, which
theoretically compute the number of users our scheme can is vulnerable to all kinds of attacks.
support within a specified response time (Section 4.3.2) and
explain that the resilience of our KPA maintenance algorithm 3.1.2. Requirements. There are three requirements for
is optimal (Section 4.3.3). SKIP:
Secure peer registration: It must provide a method to
mitigate attacks such as man-in-the-middle attacks, collusion
3. Design of SKIP attacks and DoS attacks during the peer registration phase.
Secure key issuing: It must provide a method to issue
We state the assumptions and requirements firstly, then keys securely without secure channels during the key issuing
we propose SKIP in the following four sections: system phase, and defend against replay attacks, man-in-the-middle
setup, peer registration, secure key issuing and system attacks and insider attacks.
maintenance. System setup section describes how KGC and Robust system maintenance: It must provide an online
KPAs work at the beginning of the system. Peer registration method to identify malicious KPAs, remove them and add
section and secure key issuing section describe how a peer new substitutional ones.
joins in the system. We adopt the threshold cryptography to
register users, and use secure key issuing scheme to issue 3.1.3. Attack models. There are three kind of attacks we
private keys. System maintenance section describes the main- design the security scheme to defend against:
tenance mechanisms of KPAs, we utilize the BFT protocol Insider attack: In real-world P2P networks, KPAs may
to remove malicious KPAs and add new substitutional KPAs. also be malicious with relatively low probability. The frame-
The remainder of this section adopts the notation de- work must be able to withstand insider attacks, in which a
scribed in Table 1. minority of KPAs have been compromised by attackers.

297
302

Authorized licensed use limited to: Green Hills Engineering College. Downloaded on August 4, 2009 at 03:28 from IEEE Xplore. Restrictions apply.
 Collusion attack: An adversary can launch a collusion Distribution: After KGC receives the request, it generates
attack by compromising many paths between KPAs and the IDA and P roofA for A. In particular, P roofA can be a
requesting peer, then compute peer’s ID and the proof of keyed message authentication code of IDA , i.e., P roofA =
registration. M AC(IDA , KKGC ).
DoS attack: Malicious peers in P2P network can simply After that, KGC divides IDA and P roofA into n se-
drop the messages between KPAs and the requesting peer, cret shares using Shamir’s (k, n) threshold secret sharing
which makes the requesting peer difficult to collect sufficient scheme, and then KGC distributes those n secret shares to
secret shares. n KPAs respectively. KGC can divide IDA and P roofA into
n pieces, IDA and P roofA are easily reconstructable from
3.2. System setup any k pieces, but even complete knowledge of k − 1 pieces
reveals absolutely no information about IDA and P roofA .
There are one KGC node and n bootstrap KPA nodes at Thus, it is very difficult for the adversary to obtain sufficient
the setup phase. First, KGC selects a master key, publishes secret shares in a P2P network if we divide the registration
its identity (ID) and specifies the system parameters; Sec- data and set an appropriate threshold k.
ondly, KGC assigns to each bootstrap KPA node an ID and a Reconstruction: After receiving the secret share from
corresponding private key based on IBC scheme via a secure KGC, KPAs send them to A. Upon receiving the messages
offline channel. from a KPA, A first checks the nonce N , if N is different
Note that, the secure offline channel is only required in the from the one in its original request, it just ignores the
system bootstrap phase, since with its ID and private key, message. Then A waits for collecting k secret shares from
a KPA can communicate with the KGC through a secure different KPAs within a predefined time window. After the
channel established based on IBC. peer A gets at least k different secret shares, IDA and
P roofA can be reconstructed. A detailed description of
3.3. Peer registration reconstruction process can be found in [12]. If the peer
does not get sufficient secret shares, it may run the peer
Before joining the network, a peer A should get registered registration protocol again later.
to the KGC at first. Since in real-world P2P networks, it is difficult to have
A simple protocol is as following. The peer A generates all those paths node-disjoint, here KPAs can use approaches
a request with a random nonce and sends it to KGC. After (such as [13]) to avoid paths between KPAs and A from
KGC receives the request, KGC issues (IDA ,P roofA ) for node-joint, in order to mitigate eavesdropping and DoS
A. The proof of registration P roofA is a message that can attacks. In practice, many ISPs have a single connection to
prove whether a peer has been registered. Assigning ID by the Internet and if an eavesdropper is listening at that point,
KGC can prevent a peer from choosing its own ID, and it will hear all of the n shares being transmitted. We assume
mitigate the Sybil attack in the system. this kind of attack is a rare situation.
However, the communication between KGC and A may
be intercepted or modified by malicious peers in real-world 3.4. Secure key issuing
P2P networks. We adopt Shamir’s (k, n) threshold secret
sharing scheme [12] to secure this process. To protect the
registration data (IDA ,P roofA ), we divide it into many After registration phase, a peer obtains its ID. We now
secret shares, so that if some of the secret shares have been describe how KGC issues a private key to a peer securely
intercepted, A can eventually recover the registration data if without the requirement of secure channels, and how a peer
at least k secret shares are collected. On the other side, if the constructs its private key securely from the KGC and KPAs.
adversary also want to recover the registration data, it has Shamir’s secret sharing scheme we used in Section 3.3 can
to get sufficient secret shares, which is difficult to achieve also be utilized here, however, with KGC and KPAs in the
if the threshold k is appropriately configured. system, we can make the key issuing phase more secure.
The protocol is described as follows: We present a protocol which utilizes IBC secure key
Step1: A → KGC: N issuing schemes [4], [5], [6] below. Those schemes use one
Step2: KGC → KP A : SS(IDA · P roofA , k), N KGC and multiple KPAs for issuing the private keys to the
Step3: KP A → A : SS(IDA · P roofA , k), N users. KPAs participate in the key generation phrase, they
Request: When the peer A wishes to join the network, it assign the joining peer partial private keys. A registered
must first get registered from KGC. Finding the KGC can peer can obtain its private key securely by collecting partial
be accomplished by consulting a bootstrap node or using private key from KGC and KPAs. Those schemes avoid the
an automatic service discovery mechanism. Then A sends need for secure channels, and the adversary who wants to
a request to KGC. In order to avoid the replay attacks, A obtain the private key must compromise not only KGC but
couples the request with a nonce N . also many KPAs. In our scheme, we utilize Saxena’s scheme

298
303

Authorized licensed use limited to: Green Hills Engineering College. Downloaded on August 4, 2009 at 03:28 from IEEE Xplore. Restrictions apply.
[6] and our scheme can easily be extended to other schemes authentication queries should be anonymous. To achieve this
[4], [5]. Our scheme is described as follows: goal, we adopt the relay scheme [15] in our design.
Step1: A → KGC: Request, IDA , P roofA , N Before initiating an authentication query, KGC chooses
Step2: KGC → A : Partial key from KGC, N some relay peers randomly from the system and sends the
Step3: A → KP A : Request, IDA , P roofA , N authentication query to them. Upon receiving such query,
Step4: KP A → A : Partial key from KPA, N a relay peer R forwards the query to B according to the
System setup: KGC selects its private key and specifies routing mechanism of the overlay. Once receiving the answer
the system parameters. KPAs collaboratively run a key from B, R forwards it to KGC directly. Nevertheless, in
generation and distribution protocol [6], and share a secret s real-world P2P networks, faulty relay peers may perform
such that any k KPAs can construct it with their own secret man-in-the-middle attacks.
shares. KGC dynamically maintains a relay group (RG) to
Peer registration: As the system setup process is updated, perform distributed challenge-response authentication. RG
in the peer registration process, IDA and P roofA are members are randomly selected in the setup phase. Since
generated in a new way, but we can still utilize the protocol RG consists of sufficient randomly selected peers, only a
described in Section 3.3 to secure this process. limited number of RG members can, with high probability,
Request: A sends a request with its proof of registration be compromised by man-in-the-middle attacks.
as well as a nonce to KGC to obtain the partial private key; Our KPA authentication scheme, as described
KGC response: On receiving A’s request, KGC checks formally below, can be executed in three
the proof to verify whether A has been registered or not, if stages. For the sake of clarity, we omit the
the result is positive, KGC responses with a partial private timestamp information contained in the messages.
key; Stage1: KGC → Pi : {IDi , P KKGC (IDi )}KKGC
Blind KPA request: After receiving the partial private key Stage2.1: Pi → KP A : IDi , P KKGC (IDi )
from KGC, A randomly selects some KPAs and requests Stage2.2: KP A → Pi : {P KKP A (IDi )}KKP A
them in parallel to provide key privacy service by sending Stage3: Pi → KGC : {P KKP A (IDi )}KPi
a request; 1) Claim announcement: When the authentication pro-
KPA response: Each KPA authenticates A and issues a cess begins, KGC announces the claim to all its RG
partial private key to it; members and asks them to verify if KP Ai indeed
Key retrieval: On receiving at least k partial private keys possesses the secret si , which is generated in the
from different KPAs, A combines them and then unblinds system setup phase as described in section 3.4. KGC
the resulting value to produce the private key; sends to RG member Pi a randomly selected peer’s
The scheme above is secure against replay attacks, man- ID IDi and its partial key from KGC.
in-the-middle attacks and insider attacks, and more details 2) Distributed authentication: According to the re-
can be found in [6]. Our scheme can easily incorporate with ceived peer’s ID IDi , each RG member Pi indepen-
other secure key issuing schemes such as [4], [5] that use dently challenges KP Ai by sending a request that
KPAs to protect the private key. simulates the peer registration phase as described in
Section 3.3. KP Ai has the capacity of generating the
corresponding partial key if and only if it holds the
3.5. System Maintenance corresponding secret si . Afterwards, KP Ai returns
the partial key to Pi . At the end of this stage, each
In previous sections, we just assume that KPAs are always RG member Pi obtains a partial key from KP Ai .
trusted, but in real-world P2P networks, KPAs may also 3) Result generation: Each RG member Pi responds to
be malicious with relatively low probability and may be KGCs authentication request (issued in the stage of
potentially compromised to perform insider attacks. There- claim announcement) with its partial key from KP Ai .
fore, it is very important to authenticate KPAs, remove Afterwards, KGC can verify these received partial
malicious ones and find out new substitutional KPAs to join keys by checking the equation described in [6]. If at
in the system. We adopt a scalable Byzantine fault tolerant least  N 3−1  + 1 partial keys can be successfully veri-
authentication scheme [14] to address this problem. fied, KP Ai indeed possesses the secret si ; otherwise,
However, we face a challenge in designing the authen- KP Ai is not the genuine owner of si , and should be
tication protocol. Suppose KGC wants to monitor a peer removed from the set of KPAs. Here, N denotes the
B, it sends an authentication query to B. For guaranteeing total number of peers contained in KGC’s RG.
the effect of authentication, B must not be able to identify After these authentication and removing operations, the
the query initiator is the KGC. Otherwise, B can tailor number of KPAs may fall below a threshold T hresKP A ,
its response based on the originator, e.g. B temporarily thus we should utilize KGC’s RG to find new authenticated
behaves well to conceal its malicious behavior. Thus, the KPAs until the threshold T hresKP A is satisfied.

299
304

Authorized licensed use limited to: Green Hills Engineering College. Downloaded on August 4, 2009 at 03:28 from IEEE Xplore. Restrictions apply.
 We utilize client puzzle [16] to verify KPA candidates via scheme. Our prototype of IBC benchmark is written in C
client puzzles. A peer wishing to be a KPA is challenged by based on the Boneh-Franklin IBE (BF-IBE) library, and is
the RG members. KPA candidates completing the puzzles evaluated in a local testbed which is an Intel Core Duo 2
of all RG members are accepted as a new KPA. 1.66GHz PC equipped with 1GB RAM.
The KPA addition scheme can also be executed in three
stages: 4.2. Performance Metrics
Stage1: KGC → Pi : {IDA , Seedi }KKGC
Stage2.1: Pi → KP A : {P zl(Seedi )}KPi In the following experiments, we characterize the system
Stage2.2: KP A → Pi : {Sln(P zl(Seedi ))}KKP A security and performance by using two primary performance
Stage3: Pi → KGC : {Sln(P zl(Seedi ))}KPi metrics:
1) Claim announcement: KGC randomly chooses a Threshold of the peer registration scheme is defined as the
normal peer A as a KPA candidate, announces the minimum number of secret shares a peer needs to collect
claim to all its RG members and asks them to verify from KPAs. This metric reflects the system’s effectiveness
the authenticity of A. KGC sends to each RG member under collusion attacks and DoS attacks.
Pi a seed Seedi which can used to generate a puzzle Maximum number of peers that system can support is
[16]. the number of peers a KGC or KPA can support within
2) Distributed authentication: According to the re- 1 second response time period. This metric indicates the
ceived Seedi , each RG member Pi independently systems efficiency and scalability.
challenge A by sending a puzzle generated using
Seedi . A must solve this puzzle to prove its work, 4.3. Experiments and Analysis
and return the solution to Pi .
3) Result generation: Each RG member Pi responds to 4.3.1. Peer Registration. We now evaluate the performance
KGCs authentication request with the solution of the of our system in registering peers. We will consider several
puzzle from A. Afterwards, KGC can verify these strategies of malicious peers to cause unauthentic registra-
solution. If at least  N 3−1  + 1 solutions can be tions or DoS even when our scheme is activated.
successfully verified, the KPA candidate A has proved We propose our scheme to address the inside attacks in
its work and should be accepted as a new KPA; Section 3.5, in this section, we show how to adjust the
otherwise, A should not be accepted as a new KPA. threshold of the peer registration scheme to prevent the
Here, N denotes the total number of peers contained system from collusion attacks and DoS attacks.
in KGC’s RG. We first give a theoretical discussion of how to resist those
Further, to guarantee the authentication correctness, we attacks, then we describe the details of our experiments,
integrate a complementary relay group maintenance scheme, afterwards, we discuss the results of experiments.
more details can be found in [14]. We have Theorem 4.1 to show how to adjust the threshold
of the peer registration scheme to prevent the system from
4. Experimental Evaluation collusion attacks and DoS attacks.
Theorem 4.1. In a P2P network with n KPAs and average
In this section, we first describe the simulation setup
lookup path length L, let p denotes the fraction of malicious
of our experiments, and then we present the performance
peers, k denotes the threshold of the peer registration
metrics, finally we discuss the parameters in the peer reg-
scheme, to protect SKIP against the collusion attacks and
istration phase, evaluate the performance of KGC and KPA
DoS attacks, the value of k should satisfy the inequation
in key issuing phase and analyze the performance of KPA
n(1 − (1 − p)L ) < k < n(1 − p)L .
authentication protocols.
Proof:
4.1. Simulation Setup Let α denotes the probability of bad paths, where a bad
path is a path contains at least one malicious peer. As the
The peer registration simulation is conducted to evaluate probability of not all the peers in a path are malicious is
effectiveness of our scheme in the peer registration phase. (1 − p)L , we have α = 1 − (1 − p)L .
Our simulation is based upon a 10000-peer system organized To protect the scheme against the collusion attacks, we
by the Kademlia [17] overlay, and our scheme can easily be should ensure that not all the paths between KPAs and the
extended to other DHTs. We randomly choose peers that registering peer are compromised, i.e., k should be greater
need to get registered, and change the fraction of malicious than the number of possible bad paths in all of the paths, so
peers in the system. we have k > nα.
The key issuing simulation is an experiment that evaluates To defend against the DoS attack, we should ensure a peer
the performance of KGC and KPAs in the secure key issuing can receive enough secret shares to compute the secret sent

300
305

Authorized licensed use limited to: Green Hills Engineering College. Downloaded on August 4, 2009 at 03:28 from IEEE Xplore. Restrictions apply.
 50
Threshold of the peer registration scheme (k)
90
Theorical result
Experimental result 40 Upper bound of k
80
Lower bound of k

30
70
50
Probability of bad paths(%)

60
20 40
50
30
10
40 20

30
0 10

20
0

10

0
5 10 15 20 25 30 35 40 45 50 10 0.5
15 20 0.4
Fraction of malicious peers(%) 25 30 0.3
Number of KPAs (n) 35 0.2
Fraction of malicious peers(p)
40 45 0.1
50 0

Figure 1. Probability of a path being bad between Figure 2. Threshold of the peer registration scheme.
KPAs and the registering peer.

from KGC, thus k must be less than the number of normal Table 2. Computation cost of BF-IBE operations on
paths in the system, i.e., k < n − nα. Intel core duo 2 1.66GHz
Combining two inequalities above, we obtain nα < k < BF-IBE Ops Pairing H1 H2 Multi Exp
n(1 − α), then we have Theorem 4.1 proved. Time(ms) 15 0.007 0.006 1.2 0.012
We simulate a network consisting of 10000 peers. In the
experiment, we add a number of malicious peers to the
network such that malicious peers make up between 0%
by CKGC and CKP A , we obtain CKGC ≈ 19ms,CKP A ≈
and 50% of all peers in the network. Considering the worst
21ms.
case, we assume each malicious peer can compromise all the
We have Theorem 4.2 to figure out maximum number of
paths between the registering peer and the KPA it is evolved
peers that our scheme can support.
into. For each fraction of malicious peers in steps of 1%,
we run experiments and depict the results in Figure 1 and Theorem 4.2. Let q denote the maximum CPU utilization
2. of a node in a P2P network that it is considered as busy, f
From Theorem 4.1 and [17], we have a path being bad denotes the frequency of a peer request for its private key,
log n
with a probability of α = 1 − (1 − p) b , where b = 5 in and p denotes the probability of a KPA was chosen by a peer,
the current implementation of Kademlia protocol [17]. The SKGC is the maximum number of peers that a busy KGC
experimental result shows that Theorem 4.1 is quite fairly in can respond in a time period t, and SKP A is the number of
agreement with the experimental data, as shown in Figure peers that a KPA can respond in a time period t.
1. tq
The threshold of the peer registration scheme k increases SKGC = (1)
f CKGC
with the growth of the fraction of malicious peers p, as tq
shown in Figure 2. Figure 2 also provides the system SKP A = (2)
pf CKP A
administrators with a good reference for configuring system
parameters. Proof: As the maximum CPU time of a busy KGC in
a time period t is tq, and the computation cost of KGC in
4.3.2. Secure Key Issuing. Now we evaluate the perfor- 1 unit time is f CKGC , we have Equation 1; Similarly, we
mance of KGC and KPAs in the secure key issuing scheme. can prove Equation 2.
We present some results from a prototype implementation As we can see from Table 3, the number of peers that a
of our scheme first, afterwards, we discuss the number of KGC or a KPA can maintain decreases with the growth of
peers that system can support in a given time period. the frequency of register requests of a peer. From the table
We evaluate the computation cost of IBE operations. Table we found that the user scale of our scheme can be very large.
2 shows the computational cost for each IBE operation. A KGC can provide services that respond to each request
From Section 3.4 and the study in [6] we learn that there in 1 second to about 106 peers if each peer request for its
are 1 pairing operation, 3 multiply operations and 1 exponent private key once per hour under a uniform distribution. In
operation for KGC response phase, and 1 pairing operation, practice, the frequency of a peer request for its private key
5 multiply operations and 1 exponent operation for KPA is much lower, so the KGC is able to support larger scale
response phase, thus we can compute the computation cost peers.
of the KGC and the KPA for a key issue request, denoted Since the computation time that KGC and KPAs cost is

301
306

Authorized licensed use limited to: Green Hills Engineering College. Downloaded on August 4, 2009 at 03:28 from IEEE Xplore. Restrictions apply.
 Table 3. The number of peers a KGC or a KPA can show that SKIP performs effectively and efficiently, and is
support within 1 second response time period. able to support large scale networks.
1/f number of peers for a number of peers for a
References
KGC (q=50%) KPA (q=50%, p=0.8)
1 min 1579 1785 [1] E. Sit and R. Morris, “Security considerations for peer-to-peer
15 min 23684 26785 distributed hash tables,” in IPTPS, 2002, pp. 261–269.
0.5 hour 47368 53571
[2] A. Shamir, “Identity-based cryptosystems and signature
1 hour 94736 107142 schemes,” in CRYPTO, 1984, pp. 47–53.
0.5 day 1.13 × 106 1.29 × 106
1 day 2.27 × 106 2.57 × 106 [3] D. Boneh and M. K. Franklin, “Identity-based encryption
from the weil pairing,” in CRYPTO, 2001, pp. 213–229.

[4] B. Lee, C. Boyd, E. Dawson, K. Kim, J. Yang, and S. Yoo,

short in a key issuing process, and a peer can communicate “Secure key issuing in id-based cryptography,” in ACSW
with KPAs in parallel, our key issuing scheme is effective Frontiers, 2004, pp. 69–74.
and efficient. Furthermore, the study in [10] supports our [5] R. Gangishetti, M. C. Gorantla, M. L. Das, A. Saxena, and
conclusion. V. P. Gulati, “An efficient secure key issuing protocol in id-
based cryptosystems,” in ITCC (1), 2005, pp. 674–678.
4.3.3. Discussion of KPA Authentication. We evaluate
[6] A. Saxena, “Threshold ski protocol for id-based cryptosys-
the KPA authentication scheme by examine its resilience, tems,” in IAS, 2007, pp. 65–70.
i.e., the scheme should work properly while the RG is
partly compromised. We have Theorem 4.3 to show that [7] Z.-L. Lu, G.-H.; Zhang, “Wheel of trust: A secure framework
the authentication is eventually correct if at least  N 3−1  + 1 for overlay-based services,” ICC, pp. 1148–1153, 2007.
partial keys responded from total N RG members indicate [8] I. Stoica, R. Morris, D. R. Karger, M. F. Kaashoek, and
the same result, which means the resilience of our KPA H. Balakrishnan, “Chord: A scalable peer-to-peer lookup
authentication scheme is optimal. service for internet applications,” in SIGCOMM, 2001, pp.
149–160.
Theorem 4.3. KPA authentication is eventually correct if at
least  N 3−1  + 1 partial keys indicate the same result. [9] E. K. Lua, “Securing peer-to-peer overlay networks from sybil
attack,” in ISCIT’07, Sydney, Australia, 2007.
Proof: Without loss of generality, we assume that there
are f faulty members existing in the RG. Besides, due to [10] S. Ryu, K. R. B. Butler, P. Traynor, and P. D. McDaniel,
“Leveraging identity-based cryptography for node id assign-
various attacks, t honest RG members may be compromised ment in structured p2p systems,” in AINA Workshops (1),
by faulty members. That is, f + t members are actually 2007, pp. 519–524.
faulty and exhibit Byzantine behaviors. Naturally, these f +
t members may not respond. However, it is possible that [11] L. M. Aiello, M. Milanesio, G. Ruffo, and R. Schifanella,
“Tempering kademlia with a robust identity based system,”
the f + t members that do not respond are not faulty and, in Peer-to-Peer Computing, 2008, pp. 30–39.
therefore, f + t of those that respond may be faulty. Even
so, the honest responses must still be sufficient to outnumber [12] A. Shamir, “How to share a secret,” Commun. ACM, vol. 22,
those faulty ones, i.e., N − 2(f + t) > f + t. Hence, N > no. 11, pp. 612–613, 1979.
3(f + t) and the authentication is eventually correct if at [13] I. Baumgart and S. Mies, “S/kademlia: A practicable approach
least  N 3−1  + 1(> f + t) partial keys indicate the same towards secure key-based routing,” in ICPADS, 2007, pp. 1–8.
result, we have Theorem 4.3 proved.
[14] R. Chen, W. Guo, L. Tang, J. Hu, and Z. Chen, “Scalable
byzantine fault tolerant public key authentication for peer-to-
5. Conclusion peer networks,” in Euro-Par, 2008.

In this paper we have proposed a secure key issuing [15] M. J. Freedman and R. Morris, “Tarzan: a peer-to-peer
anonymizing network layer,” in CCS, 2002, pp. 193–206.
scheme for P2P networks using IBC, SKIP. SKIP provides
a peer registration service using Shamir’s (k, n) secret [16] B. Parno, D. Wendlandt, E. Shi, A. Perrig, B. M. Maggs,
sharing scheme. We develop a secure key issuing protocol, and Y.-C. Hu, “Portcullis: protecting connection setup from
which adopts KGC and KPAs to issue private keys to peers denial-of-capability attacks,” in SIGCOMM, 2007, pp. 289–
300.
securely. To maintain the security of KPAs, we develop a
scheme to authenticate KPAs, remove malicious ones and [17] P. Maymounkov and D. Mazières, “Kademlia: A peer-to-peer
find out alternate ones to join in the system using the BFT information system based on the xor metric,” in IPTPS, 2002,
protocol. The theoretical analysis and experimental results pp. 53–65.

302
307

Authorized licensed use limited to: Green Hills Engineering College. Downloaded on August 4, 2009 at 03:28 from IEEE Xplore. Restrictions apply.