An efficient certificateless authenticated key agreement scheme

(1)

An efficient certificateless two-party

authenticated key agreement protocol

Debiao He 1 Sahadeo Padhye 2, Jianhua Chen 1, * 1

School of Mathematics and Statistics, Wuhan University, Wuhan, China 2

Motilal Nehru NAtional Institute of Technology, Allahabad, India *Email: [email protected]

Abstract: Due to avoiding the key escrow problem in the identity-based cryptosystem, certificateless public key cryptosystem (CLPKC) has received a significant attention. As an important part of the CLPKC, the certificateless authenticated key agreement (CLAKA) protocol also received considerable attention. Most CLAKA protocols are built from bilinear mappings on elliptic curves which need costly operations. To improve the performance, several pairing-free CLAKA protocols have been proposed. In this paper we propose a new pairing-free CLAKA protocol. Compared with the related protocols our protocol has better performance. We also show our protocol is provably secure in a very strong security model, i.e. the extended Canetti-Krawczyk (eCK) model.

Key words: Certificateless cryptography; Authenticated key agreement; Provable

security; Bilinear pairings; Elliptic curve

Classification Codes: 11T71, 94A60

1. Introduction

(2)

After Al-Riyami et al.’s work [3], numerous certificateless authenticated key agreement (CLAKA) protocols, using bilinear mappings on elliptic curves, have been proposed, e.g., [4–10]. However, the relative computation cost of a pairing is approximately twenty times higher than that of the scalar multiplication over elliptic curve group [11]. Therefore, CLAKA protocols without bilinear pairings would be more appealing in terms of efficiency. Recently, several CLAKA protocols without pairing have been proposed in [12-15]. Yang et al. [14] pointed out that neither Geng et al.’s protocol [14], nor Hou et al.’s protocol [13] is secure. He et al. [15] also proposed a CLAKA protocol without pairing. However, He et al.’s protocol is vulnerable to the type 1 adversary [16]. Although the latest CLAKA protocol [16] is more efficient than other protocols [12-15], it is provably secure under the mBR model [17], which is a very weak model. Yang et al. have shown that their scheme is provably secure in a very strong model-the extended Canetti-Krawczyk (eCK) model [18]. However, the user in Yang et al.’ protocol needs nine elliptic curve scalar multiplications to finish the key agreement. Moreover, the user has to verify the validity of public keys. This not only increases the burden of the user, but also reverses the thought of CLPKC. In this paper, we will propose a new pairing-free CLAKA protocol, which is provably secure in the eCK model. Besides, our protocol has better performance than the related protocols.

The remainder of this paper is organized as follows. Section 2 describes some preliminaries. In Section 3, we propose our CLAKA protocol. The security analysis of the proposed protocol is presented in Section 4. In Section 5, performance analysis is presented. Finally, in Section 6 we conclude the paper.

2. Preliminaries

2.2. Notations

In this subsection, we first introduce some notations as follows, which are used in this paper.

z p n, : two large prime numbers;

z Fp: a finite field;

z E F/ _p: an elliptic curve defined on F_p;

(3)

z P: a generator of G;

z H₁( )⋅ : a secure one-way hash function, where H₁: {0,1}*× →G Z_n*;

z H2( )⋅ : a secure one-way hash function, where

* * *

2:{0,1} {0,1} p

H × × × × × × →G G G G G Z ;

z ID_i: the identity of user i;

z ( ,x P_pub): the KGC’s private/public key pair, where P_pub=xP;

z ( ,x P_i _i): the user i’s secret value/public key pair, where P_i = ⋅x P_i ;

z ( ,r Ri i): a random point generated by KGC, where Ri = ⋅r Pi ;

z ( ,s R_i _i): the user i ’s partial private key, where s_i = +r_i h x_i modn, 1( , )

i i i

h =H ID R ;

z ( ,t T_i _i): the user i’s ephemeral private/public key pair, where T_i = ⋅t P_i ;

2.1. Background of elliptic curve group

Let the symbol E F/ p denote an elliptic curve E over a prime finite field p

F , defined by an equation

b ax x

y2 = 3+ + ，a,b∈Fp (1) and with the discriminant

3 2 4a 27b 0

Δ = + ≠ . (2) The points on E F/ _p together with an extra point O called the point at infinity form a group

{( , ) : , _p, ( , ) 0} { }

G= x y x y∈F E x y = ∪ O . (3)

G is a cyclic additive group in the point addition “+” defined as follows: Let ,

P Q∈G, l be the line containing P and Q (tangent line to E F/ _p if P =

Q), and R, the third point of intersection of l with E F/ p. Let l′ be the line connecting R and O. Then P “+” Q is the point such that l′ intersects

/ _p

E F at R and O. Scalar multiplication over E F/ _p can be computed as follows:

( )

(4)

Computational Diffie-Hellman (CDH) problem: Given a generator P of G and (aP bP, ) for unknown *

, _R _n

a b∈ Z , the task of CDH problem is to compute abP.

For convenience, we define the function cdh as cdh(aP,bP)=abP

Decisional Diffie-Hellman (DDH) problem: Given a generator P of G and (aP bP cP, , ) for unknown a b c, , ∈_R Z_n*, the task of DDH problem is to decide whether the equation abP=cP holds.

Gap Diffie-Hellman (GDH) problem: Given a generator P of G , (aP bP, ) for unknown a b, ∈_R Z_n* and an oracle O_ddhp , the task of GDH problem is to compute abP, where O_ddhp is a decision oracle that on input (aP,bP,

cP), answers 1 if cdh aP bP( , )=cP; answers 0, otherwise.

The GDH assumption states that the probability of any polynomial-time algorithm to solve the GDH problem is negligible.

2.2. CLAKA protocol

A CLAKA protocol consists of six polynomial-time algorithms [2, 8]:Setup,

Partial - Private - Key - Extract , Set−Secret Value− , Set - Private - Key ,

Set−Public−Key and Key−Agreement . These algorithms are defined as

follows.

Setup: This algorithm takes security parameter k as input and returns the

system parameters paramsand master key.

Partial - Private - Key - Extract: This algorithm takes params, master key,

a user's identity ID_i as inputs and returns a partial private key.

Set−Secret Value− : This algorithm takes params and a user's identity i

ID as inputs, and generates a secret value.

Set - Private - Key: This algorithm takes params, a user's partial private

key and his secret value as inputs, and outputs the full private key.

Set−Public−Key: This algorithm takes paramsand a user's secret value as

inputs, and generates a public key for the user.

Key−Agreement : This is a probabilistic polynomial-time interactive

algorithm which involves two entities A and B, if the protocol does not fail,

(5)

2.3. Security model for CLAKA protocols

In CLAKA scheme, there are two types of adversaries with different capabilities [9, 14]. The type 1 adversary _A1 acts as a dishonest user while the type 2 adversary A2 acts as a malicious key generation center (KGC). A1

does not know the master key, but A1 can replace the public keys of any entity with a value of his choice. A2 knows the master key, but he cannot replace any user's public key.

Let , s i j

∏ represents the sth session which runs at party i with intended partner party j. A session ∏_{i j}s_, enters an accepted state when it computes a session key s_,

i j

SK . Two sessions s_, i j

∏ and t_, j i

∏ are called matching if they have the same session identity.

Lippold et al. [9] transformed original eCK model [18] from the traditional PKI-based setting to the CLPKC setting. The eCK model in the CLPKC setting is defined by the following game between a challenger C and an adversary

{ 1, 2} ∈

A A A . The game runs in two phases. During the first phase, the adversary A is allowed to issue the following queries in any order:

( )

Create i : On receiving such a query, _C generates the public/private key

pair for participant i with identity ID_i.

RevealMasterKey: _C gives the master secret key to _A .

,

( i js )

RevealSessionKey ∏ : If the session has not been accepted, C returns

⊥ to A . Otherwise C reveals the accepted session key to A . ( )

RevealPartialPrivateKey i : _C returns participant i’s partial private key

to A .

( )

RevealSecretValue i : C returns participant i’s secret value to A .

( , )

ReplacePublicKey i pk : C replaces participant i’s public key with the

value chose by A .

,

( s_{i j})

RevealEphemeralKey ∏ : C returns participant i’s ephemeral private key to A .

,

( _{i j}s , )

(6)

Once the adversary A decides that the first phase is over, it starts the second phase by choosing a fresh session ∏s_{i j}_, and issuing a Test(∏_{i j}s_, ) query, where the fresh session and test query are defined later.

The type 1 adversary A1 could get any user’s secret value, since he can replace the public key of any entity with a value of his choice. The type 2 adversary _A2 could get any user’s partial private key since he has access to the master key. Then several cases do not exist in Lippold et al.’s model [9]. To get better performance, we define the definition of freshness for CLAKA scheme against two type of adversary as follows.

Definition 1 (Freshness for CLAKA Scheme against Type 1 Adversary). Let instance ∏_{i j}s_, be a completed session, which is executed by an honest party i

with another honest party j. We define ∏s_{i j}_, to be fresh if none of the following three conditions hold:

z The adversary A1 reveals the session key of , s i j

∏ or of its matching session (if the latter exists).

z j is engaged in ∏t_{j i}_, the session matching to ∏_{i j}s_, and A1 either reveals both of i’s partial private key and s_,

i j

∏ ’s ephemeral private key or both of j’s partial private key and ∏t_{j i}_, ’s ephemeral private key.

z No sessions matching to ∏_{i j}s_, exist and A1 either reveals both of i’s partial private key and s_,

i j

∏ ’s ephemeral private key or j’s partial private key.

Definition 2 (Freshness for CLAKA Scheme against Type 2 Adversary). Let instance ∏_{i j}s_, be a completed session, which is executed by an honest party i

with another honest party j. We define ∏s_{i j}_, to be fresh if none of the following three conditions hold:

z The adversary _A2 reveals the session key of s_, i j

∏ or of its matching session (if the latter exists).

z j is engaged in ∏t_{j i}_, the session matching to ∏s_{i j}_, and A2 either reveals both of i’s secret value and ∏s_{i j}_, ’s ephemeral private key or both of j’s secret value and t_,

j i

(7)

z No sessions matching to , s i j

∏ exist and A2 either reveals both of i’s secret value and ∏s_{i j}_, ’s ephemeral private key or j’s partial private key.

,

( s )

i j

Test ∏ : At some point, A may choose one of the oracles, say s_, i j

∏ , to ask a single Test query. This oracle must be fresh. To answer the query, the oracle flips a fair coin b∈{0,1}, and returns the session key held by ∏s_{i j}_, if b=0, or a random sample from the distribution of the session key if b=1.

At the end of the game, A must output a guess bit b′. A wins if and only if b′ =b. A ’s advantage to win the above game, denoted by Adv_A( )k , is defined as: ( ) Pr[ ] 1

2

Adv_A k = b′= −b , where k is a security parameter. Definition 3. A CLAKA scheme is said to be secure if:

(1) In the presence of a benign adversary on ∏s_{i j}_, and ∏t_{j i}_, , both oracles always agree on the same session key, and this key is distributed uniformly at random.

(2) For any adversary A∈{ 1,A A2}, ( )Adv_A k is negligible.

3. Our protocol

In this section, we will propose a new CLAKA protocol based on previous works [9, 14, 16]. Our protocol consists of six polynomial-time algorithms. They are described as follows.

Setup : This algorithm takes a security parameter k as an input, returns

system parameters and a master key. Given k, KGC does the following steps. 1) KGC chooses a k -bit prime p and determines the tuple {F E F G P_p, / _p, , } as defined in Section 2.1.

2) KGC chooses the master private key x∈Z*n and computes the master public key P_pub=xP.

3) KGC chooses two cryptographic secure hash functions

* *

1:{0,1} n

H × →G Z and H₂:{0,1}*×{0,1}*× × × × × × →G G G G G G Z*_n.

(8)

Partial - Private - Key - Extract: This algorithm takes master key, a user’s identifier, system parameters as inputs, and returns the user’s ID-based private key. KGC works as follows.

1) KGC chooses a random number r_i∈Z_n* , computes R_i = ⋅r P_i and 1( , )

i i i

h =H ID R .

2) KGC computes s_i = +r_i h x_i modn and issues ( ,s R_i _i) to the users through secret channel.

Set−Secret Value− : The user picks randomly x_i∈Z_n*, computes P_i = ⋅x P_i

and sets x_i as his secret value.

Set - Private - Key: The user with identity ID_i takes the pair sk_i =( , )x s_i _i

as its private key.

Set−Public−Key : The user with identity ID_i takes pk_i =( )P_i as its

public key.

Key−Agreement: Assume that an entity A with identity ID_A has private

key (sk_A = x s_A, _A) and public key pk_A =(P_A) and an entity B with identity B

ID has private key sk_B =(x s_B, _B) and public key pk_B =(P_B) want to establish a session key, they can do, as shown in Fig.1, as follows.

1) A chooses a random number tA∈Zn* and computes TA = ⋅tA P, then A sends M₁ ={ID R T_A, _A, _A} to B.

2) After receiving M₁ , B chooses a random number t_B∈Z_n* and computes T_B = ⋅t_B P, then B sends M₂ ={ID R T_B, _B, _B} to A.

Then both A and B can compute the shared secrets as follows:

A computes 1

1

( )( ( , ) )

AB A A B B B B pub

K = t +s T +R +H ID R P (5) 2

( )( )

AB A A B B

K = t +x T +P (6) and

3

AB A B

K = ⋅t T (7)

B computes 1

1

( )( ( , ) )

BA B B A A A A pub

K = t +s T +R +H ID R P (8) 2

( )( )

BA B B A A

(9)

and

3

BA B A

K = ⋅t T (10) Thus the agreed session key for A and B can be computed as:

1 2 3 2

( || || || || || || ) ( || || || || || || )

A B A B AB AB AB

A B A B BA BA BA

sk H ID ID T T K K K

H ID ID T T K K K

=

= (11)

Fig. 1. Key agreement of our protocol

Since T_A = ⋅t_A P, P_A =x_A⋅P, s P_A =R_A+H ID R P₁( _A, _A) _pub, T_B = ⋅t_B P, B B

P =x ⋅P and s P_B =R_B +H ID R P₁( _B, _B) _pub, then we have 1

1

1 1

( )( ( , ) )

( )( ) ( )( )

( )( ( , ) )

AB A A B B B B pub

A A B B B B A A

B B A A A A pub BA

K t s T R H ID R P

t s t s P t s t s P

t s T R H ID R P K

= + + +

= + + = + +

= + + + =

(12)

2

( )( )

( )( ) ( )( )

( )( )

AB A A B B

A A B B B B A A

B B A A BA

K t x T P

t x t x P t x t x P

t x T P K

= + +

= + + = + +

= + + =

(13)

and

3 3

AB A B B A BA

K =t t P=t t P=K (14) Thus, the correctness of the protocol is proved.

4. Security Analysis

In this section, we will show our scheme is provably secure in eCK model. We treat H₁ and H₂ as two random oracles [19]. For the security, the following lemmas and theorems are provided.

(10)

Proof. From the correction analysis of our protocol in Section 3, we know if two oracles are matching, then both of them are accepted and have the same session key. The session keys are distributed uniformly since t_A and t_B are selected uniformly during the execution.

Lemma 2. Assuming that the GDH problem is intractable, the advantage of a type 1 adversary against our protocol is negligible.

Proof. Suppose that there is a type 1 adversary _A1 who can win the game

defined in subsection 2.3 with a non-negligible advantage Adv_A₁( )k in polynomial-time t. Then, we will show how to use the ability of A1 to construct an algorithm C to solve the GDH problem.

Let n₀ be the maximum number of sessions that any one party may have. Assume that the adversary _A1 activates at most n₁ distinctive honest parties. Assume that the adversary A1 activates at most n₂ distinctive hash queries. Assume also that Adv_A₁( )k is non-negligible. Before the game starts, C tries to guess the test session and the strategy that the adversary A1 will adopt. C randomly selects two indexes I J, ∈{1,…, }n₁：I ≠J, which represent the I th and the Jth distinct honest party that the adversary initially chooses. Also, C chooses S∈{1,…,n0} and determines the Test session ,

S I J

∏ , which is correct

with probability larger than ₂ 0 1 1

n n . Let ,

T J I

∏ be the matching session of ∏S_{I J}_, .

Since H₁ and H₂ are modeled as random oracles, after the adversary issues the test query, it has only three possible ways to distinguish the tested session key from a random string:

CASE 1: Forging attack: Assume that , S I J

∏ is the test session. At some point in its run, the adversary _A1 queries H₂ on the value (ID ID T T K_I, _J, _I, _J, _IJ1 ,K_IJ2,K_IJ3 ) in the test session owned by I

communicating with J . Clearly, in this case A1 computes the values K1_IJ, 2

IJ

K and K3_IJ itself.

CASE 2: Guessing attack: A1 correctly guesses the session key.

(11)

the adversary A1 can simply learn the session key by querying the non-matching session.

Since H2 is a random oracle, the probability of guessing the output of H2 is (1 / 2 )k

O , which is negligible. The input to the key derivation function H₂

includes all information that can uniquely identify the matching sessions. Since two non-matching sessions can not have the same identities and the same ephemeral public keys and H₂ is modeled as a random oracle, the success probability of Key-replication attack is also negligible. Thus Guessing attack and Key-replication attack can be ruled out, and the rest of the proof is mainly devoted to the analysis of Forging attack. As the attack that the adversary A1

mounts is Forging attack, A1 can not get an advantage in winning the game against the protocol unless it queries the H₂ oracle on the session key.

The rest of this section is mainly devoted to the analysis of the Forging attack. To relate the advantage of the adversary A1 against our protocol to the GDH assumption, we use a classical reduction approach. In the following, a challenger _C is interested to use the adversary _A1 to turn _A1’s advantage in distinguishing the tested session key from a random string into an advantage in solving the GDH problem. The following two sub-cases should be considered.

CASE 1.1: No honest party owns a matching session to the Test session. CASE 1.2: The Test session has a matching session owned by another honest party.

¾ The analysis of CASE 1.1:

Since _A1 is strong type 1 adversary, then he can get any users’ secret key i

x value through ReplacePublicKey query. According to Definition 1, C has the following two choices for _A1’s strategy:

CASE 1.1.1: At some point, the partial private key of party I has been revealed by the adversary A1. According to Definition 1, A1 is not permitted to reveal the ephemeral private key of the Test session.

CASE 1.1.2: The partial private key of party I has never been revealed by the adversary A1. According to Definition 1, A1 may reveal the ephemeral private key of the Test session.

(12)

Let Adv_CGDH( )k be the advantage that the challenger _C gets in solving the GDH problem given the security parameter k . Given a GDH problem instance(U =uP,V =vP,O_ddhp) and _C’s task is to compute cdh U V( , )=uvP, where O_ddhp is a decision oracle that on input (aP bP cP, , ), answers 1 if

( , )

cdh aP bP =cP; answers 0, otherwise. C first chooses P₀∈G at random,

sets P₀ as the system public key P_pub , selects the system parameter 1 2

{ _p, / _p, , , _pub, , }

params= F E F G P P H H , and sends params to _A1. Then, C

simulates the game outlined in Section 2.3 as follows. ( )

Create i : C maintains an initially empty list L_C consisting of tuples of

the form ( ID s R x Pi, ,i i, ,i i ). If i=J , C chooses two random numbers *

, i i n

h x ∈Z , computes R_i = −U h P_i ₀, P_i =x P_i , sets H ID R₁( _i, _i)←h_i and stores (ID_i, ,⊥ R x P_i, ,_i _i) and (ID R h_i, _i, )_i in L_C and

1 H

L separately. Otherwise, C chooses three random numberss h x_i, ,_i _i∈Z_n*, computesR_i =s P_i −h P_i _pub, P_i =x P_i , sets H ID R₁( _i, _i)←h_i and stores (ID s R x P_i, ,_i _i, ,_i _i) and (ID R h_i, _i, )_i in L_C and

1 H

L separately. 1( i, i)

H ID R : C maintains an initially empty list

1 H

L which contains tuples of the form (ID R h_i, _i, _i). If (ID R_i, _i) is on the list

1 H

L , C returns h_i. Otherwise,

C chooses a random number h_i, stores (ID R h_i, _i, _i) in 1 H

L and returns h_i. 2( i, j, ,i j, 1, 2, 3, )

H ID ID T T Z Z Z sk : C maintains an initially empty list

2 H

L

with entries of the form (ID ID T T Z Z Z sk_i, _j, ,_i _j, ₁, ₂, ₃, ). If the tuple is in the list

2 H

L , C responds with sk. Otherwise, C responds to these queries in the following way:

z If ID_i =ID_J,

_C looks the list L_S for entry (ID ID T Ti, j, ,i j,*). If C finds the

entry, he computes 1 ₁ _i( _j _j ₁( _j, _j)) _j( _i ₁( _i, _i))

Z =Z −t T +R +H ID R −s R +H ID R .

(13)

inputted.C also checks whether Z₂ and Z₃ are equal by checking if the equations Z₂ =(t_i+x T_i)( _j+P_j) and Z₃ =t T_i _j hold separately. If Z₁ , Z₂ and Z₃ are correct, C stores the tuple (ID ID T T Z Z Z sk_i, _j, ,_i _j, ₁, ₂, ₃, ) into

2 H

L , where the value sk comes from L_S. Otherwise, C chooses a random number sk∈{0,1}k and stores the tuple (ID ID T T Z Z Z sk_i, _j, ,_i _j, ₁, ₂, ₃, ) into

2 H

L .

z Otherwise,

_C looks up the list L_S for entry (ID ID T T_i, _j, ,_i _j,*). If C finds the entry, he stores the tuple (ID ID T T Z Z Z sk_i, _j, ,_i _j, ₁, ₂, ₃, ) into

2 H

L ,

where the value sk comes from L_S.

Otherwise, C chooses a random number sk∈{0,1}k and stores the tuple (ID ID T T Z Z Z sk_i, _j, ,_i _j, ₁, ₂, ₃, ) into

2 H

L .

( )

RevealPartialPrivateKey i : C answers A1’s queries as follows.

z If ID_i =ID_J then C stops the simulation.

z Otherwise, C looks up the list L_E and returns the corresponding partial private key si to the adversary A1.

( )

RevealSecretValue i : C looks up the table L_C for entry (ID_i,*,*,*,*). If

C finds the entry, he returns x_i . Otherwise, C carries out the query ( )

Create i and returns the corresponding xi.

( , )

ReplacePublicKey i pk : Upon receiving the query, C looks up the table

C

L for entry (IDi,*,*,*,*). If C finds the entry, he replaces xi and Pi with i

x′ and P_i′ separately, where pk=( )P_i′ and P_i′=x P_i′ . Otherwise, C carries out Create i( ) and replaces x_i and P_i with x_i′ and P_i′ separately.

,

( _{i j}s )

RevealEphemeralKey ∏ : C answers A1’s queries as follows.

z If s_, S_, i j I J

∏ = ∏ , then _C stops the simulation.

z Otherwise, C returns the stored ephemeral private key to A1.

RevealMasterKey: C stops the simulation.

,

( _{i j}s )

(14)

z If s_, S_, i j I J

∏ = ∏ or s_, T_,

i j J I

z Otherwise, if C returns the session key sk to A1. ,

( t , )

i j

Send ∏ m :_C maintains an initially empty list L_S with entries of the form (ID ID T T sk_i, _j, ,_i _j, ) and answers _A1’s queries as follows.

z If , ,

t S

i j I J

∏ = ∏ , then C returns T_i =V to A1.

z Otherwise, if ID_i =ID_J , he generates a random t_i∈Z_n , computes 1 ₁ _i( _j _j ₁( _j, _j)) _j( _i ₁( _i, _i))

Z =Z −t T +R +H ID R −s R +H ID R . Then C checks

whether Z1 is correct by checking whether the oracle Oddhp outputs 1 when the tuple (R_i+H ID R P₁( _i, _i) _pub,T Z_j, 2) is inputted.C also checks whether Z₂ and Z₃ are equal by checking whether the equations

2 (i i)( j j)

Z = t +x T +P and Z₃=t T_i _j hold separately. If Z₁, Z₂ and Z₃

are correct, _C stores the tuple (ID ID T T ski, j, ,i j, ) into LS, where the value sk comes from

2 H

L . Otherwise, _C chooses a random number {0,1}k

sk∈ and stores the tuple (ID ID T T sk_i, _j, ,_i _j, ) into L_S.

z Otherwise, C replies according to the specification of the protocol. ,

( t_{i j})

Test ∏ :C answers A1’s queries as follows.

z If s_, S_, i j I J

∏ ≠ ∏ , then _C stops the simulation.

z Otherwise, C generates a random number ξ∈{0,1}k and returns it to

1

A .

As the adversary A1 mounts the forging attack, if A1 succeeds, it must

have queried oracle H₂ on the form

1 ( I I)( J J 1( J, J) pub) ( I I)( J )

Z = t +s T +R +H ID R P = t +s T +U ,

2 ( I I)( J J)

Z = t +x T +P and Z₃=t T_I _J, where T_I =V is the outgoing message of Test session by the simulator and T_J is the incoming message from the adversary A1. To solve cdh U V( , ), for all entries in

2 H

L , C randomly chooses one entry with the probability

2 1

n and computes

1 ₁ ₁ ₁

1

( ( , )) ( ( , )) ( ( , )) ( , )

J I I I I I J J J

I J J J

Z Z t T R H ID R s R H ID R

t R H ID R cdh U V

= − + + − +

(15)

The advantage of C solving GDH problem with the advantage 1

2 0 1 2

1

( ) ( )

GDH

Adv k Adv k

n n n

≥

C A . (17)

Then ( )Adv_CGDH k is non-negligible since we assume that Adv_A₁( )k is non-negligible. This contradicts the GDH assumption.

CASE 1.1.2:

Let ( )Adv_CGDH k be the advantage that the challenger C gets in solving the GDH problem given the security parameter k . Given a GDH problem instance(U =uP,V =vP,O_ddhp) and C’s task is to compute cdh U V( , )=uvP, where O_ddhp is a decision oracle that on input (aP bP cP, , ), answers 1 if

( , )

cdh aP bP =cP; answers 0, otherwise. _C first chooses P₀∈G at random,

sets P₀ as the system public key P_pub , selects the system parameter 1 2

{ p, / p, , , pub, , }

params= F E F G P P H H , and sends params to A1. Then, C

simulates the game outlined in Section 2.3 as follows. Then, C simulates the game outlined in Section 2.3. During the game, C simulates A1 ’s

1( i, i)

H ID R , RevealMasterKey , ( )RevealSecretValue i ,

( , )

ReplacePublicKey i pk , ( , )

s i j

RevealSessionKey ∏ and ( , ) s i j

Test ∏ queries as that of CASE 1.1.1. C simulates other oracles as follows.

( )

Create i : C simulates the oracle in the same way as that of CASE 1.1

except for i=I . If i=I , C chooses two random numbers h xi, i∈Zn* , computes R_i = −V h P_i ₀ , P_i =x P_i , sets H ID R₁( _i, _i)←h_i and stores (ID_i, ,⊥ R x P_i, ,_i _i) and (ID R h_i, _i, )_i in L_C and

1 H

L separately. 2( i, j, ,i j, 1, 2, 3, )

H ID ID T T Z Z Z h : C simulates the oracle in the same way as

that of CASE 1.1.1 except for the form ( ID ID T T Z Z Z_I, _J, _I, _J, ₁, ₂, ₃ ) and (ID ID T T Z Z Z_J, _I, _J, _I, ₁, ₂, ₃).C responds to these queries in the following way:

z If (ID ID T T Z Z Z hI, J, I, J, 1, 2, 3, ) or (ID ID T T Z Z Z hJ, I, J, I, 1, 2, 3, ) is in

2 H

L , C responds with the stored value h.

(16)

stores the new entry (ID ID T T Z Z Z h_i, _j, ,_i _j, ₁, ₂, ₃, ) in 2 H

L . Otherwise, C compute Z1 =Z₁−t T_i( _j +R_j +H ID R₁( _j, _j))−t R_j( _i +H ID R₁( _i, _i)). Then

C checks whether Z₁ is correct by checking whether the oracle O_ddhp outputs 1 when the tuple (R_i +H ID R P₁( _i, _i) _pub,R_j +H ID R P₁( _j, _j) _pub,Z1) is inputted._C also checks whether Z₂ and Z₃ are equal by checking if the equations Z₂ =(t_i+x T_i)( _j +P_j) and Z₃=t T_i _j hold separately. If

1

Z , Z₂ and Z₃ are correct, _C stores the tuple (ID ID T T Z Z Z sk_i, _j, ,_i _j, ₁, ₂, ₃, ) into

2 H

L , where the value sk comes from S

L . Otherwise, C chooses a random number sk∈{0,1}k and stores the tuple (ID ID T T Z Z Z sk_i, _j, ,_i _j, ₁, ₂, ₃, ) into

2 H

L .

( )

RevealPartialPrivateKey i : C answers A1’s queries as follows.

z If i=I or i= J, C stops the simulation.

z Otherwise, C looks up the list L_C and returns the corresponding partial private key D_i to the adversary A1.

,

( _{i j}s )

RevealEphemeralKey ∏ : Creturns the stored ephemeral private key to

1

A .

,

( s_{i j}, )

Send ∏ m : C simulates the oracle in the same way as that of CASE 1.1 except for the following queries:

z If ∏ = ∏s_{i j}_, S_{I J}_, , C chooses t_i∈Z_n and returns T_i =t P_i to A1.

z If i=I and j= J(the case that i= J and j=I could be deal with similarly).

_C chooses t_i∈Z_n and returns T_i =t P_i to A1.

C looks up the list 2 H

L for entry (ID ID T T_i, _j, ,_i _j,*,*,*,*) (If ∏s_{i j}_, is responder session, C will look up for (ID ID T T_j, _i, _j, ,*,*,*,*_i )). If there is no such entry, C choose a random number sk∈{0,1}k and stores the new entry ( ID ID T T sk_i, _j, ,_i _j, ) in L_S . Otherwise, C computes

1 ₁ _i( _j _j ₁( _j, _j)) _j( _i ₁( _i, _i))

Z =Z −t T +R +H ID R −t R +H ID R . Then C

(17)

outputs 1 when the tuple (R_i +H ID R P₁( _i, _i) _pub,R_j +H ID R P₁( _j, _j) _pub,Z1) is inputted.C also checks whether Z₂ and Z₃ are equal by checking if the equations Z₂ =(t_i+x T_i)( _j+P_j) and Z₃ =t T_i _j hold separately. If all of the equations are equal, C stores (ID ID T T h_i, _j, ,_i _j, ) into L_S, where

h comes from 2 H

L . Otherwise, C chooses a random number sk and stores (ID ID T T sk_i, _j, ,_i _j, ) into L_S.

As the adversary _A1 mounts the forging attack, if _A1 succeeds, it must

have queried oracle H₂ on the form

1 ( I I)( J J 1( J, J) pub) ( I I)( J )

Z = t +s T +R +H ID R P = t +s T +U Z₂ =(t_I +x_I)(T_J +P_J)

and Z₃ =t T_I _J where T_I =t P_I is the outgoing message of Test session by the simulator A1. To solve cdh U V( , ), for all entries in

2 H

2 1

n and computes

1 ₁ ₁ ₁

1

( ( , )) ( ( , )) ( ( , )) ( , )

I J J J J J I I I

I J J J I

Z Z t T R H ID R t R H ID R

s R H ID R s U cdh U V

= − + + − +

= + = = . (18)

We can conclude that

1 2

0 1 2 1

( ) ( )

GBCDH

Adv k Adv k

n n n

≥

C A . (19)

Then ( )Adv_CGBCDH k is non-negligible since we assume that Adv_A₁( )k is non-negligible. This contradicts the GCDH assumption.

In this case, the Test session ∏S_{I J}_, has a matching session owned by another honest party J. According to Definition 1, the adversary A1 has four ways to mount the attacks.

CASE 1.2.1. The adversary _A1 makes ephemeral key query to both the Test session and the matching session of the Test session (The adversary does not reveal their corresponding partial private key). In this case, the proof is identical to that of CASE 1.1.2. To save space, we omit the details.

(18)

CASE 1.2.3. The adversary A1 makes queries to the ephemeral private key of the owner of Test session and its peer's partial private key. In this case, the proof is identical to that of CASE 1.1.1. To save space, we omit the details.

CASE 1.2.4. The adversary A1 learns the partial private key of both the owner of Test session and its peer. (The adversary does not reveal their corresponding ephemeral private key).

C answers H ID R1( i, i), ReplacePublicKey i pk( , ) ,RevealSecretValue i( ),

RevealMasterKey ( t_, )

i j

RevealSessionKey ∏ and ( t_, )

i j

Test ∏ as he does in the above case. He also answers other queries as follows.

( )

the form ( ID s R x P_i, ,_i _i, ,_i _i ).C chooses three random numbers s h x_i, ,_i _i∈Z*_n, computes R_i =s P_i −h P_i _pub , P_i =x P_i , sets H ID R₁( _i, _i)←h_i and stores (ID s R x P_i, ,_i _i, ,_i _i) and (ID R h_i, _i, )_i in L_C and

1 H

L separately. 2( i, j, ,i j, 1, 2, 3, )

2 H

L

with entries of the form (ID ID T T Z Z Z sk_i, _j, ,_i _j, ₁, ₂, ₃, ). If the tuple is in the list 2

H

z _C looks the list L_S for entry (ID ID T T_i, _j, ,_i _j,*). If C finds the entry, he computes

1 ₁ _i( _j _j ₁( _j, _j)) _{j i}

Z =Z −s T +R +H ID R −s T (20)

2 ₂

Z =Z (21) and

2 ₂ _i( _j _j) _{j i}

Z =Z −x T +P −x T (21)

Then C checks whether Zi is correct by checking whether the oracle

ddhp

O outputs 1 when the tuple ( ,T T Z_i _j, i) is inputted, where i=1, 2, 3. If

1

Z , Z₂ and Z₃ are correct, C stores the tuple (ID ID T T Z Z Z sk_i, _j, ,_i _j, ₁, ₂, ₃, ) into

2 H

L , where the value sk comes from S

L . Otherwise, _C chooses a random number {0,1}k

sk∈ and stores the tuple (ID ID T T Z Z Z sk_i, _j, ,_i _j, ₁, ₂, ₃, ) into

2 H

(19)

z Otherwise, _C chooses a random number {0,1}k

sk∈ and stores the tuple (ID ID T T Z Z Z sk_i, _j, ,_i _j, ₁, ₂, ₃, ) into

2 H

L .

( )

RevealPartialPrivateKey i : C looks up the list L_C and returns the

corresponding partial private key s_i to the adversary _A1. ,

( s )

i j

RevealEphemeralKey ∏ : _C answers _A1’s queries as follows.

z If ∏ = ∏s_{i j}_, S_{I J}_, or ∏ = ∏_{i j}s_, T_{J I}_, , then C stops the simulation.

z Otherwise, C returns the stored ephemeral private key to _A1. ,

( s_{i j}, )

Send ∏ m :C maintains an initially empty list L_S with entries of the form (ID ID T T sk_i, _j, ,_i _j, ) and answers _A1’s queries as follows.

z If ∏ = ∏s_{i j}_, T_{I J}_, , C returns T_i =U to A1.

z Otherwise, if ∏ = ∏s_{i j}_, T_{I J}_, , C returns T_i =V to A1.

z Otherwise, C replies according to the specification of the protocol. As the attack that adversary A1 mounts the forging attack, if A1

succeeds, it must have queried oracle H₂ on the form 1 ( I I)( J J 1( J, J) pub)

Z = t +s T +R +H ID R P , Z₂ =(t_I +x_I)(T_J +P_J) and

3 I J

Z =t T , where T_I =U is the outgoing message of Test session by the simulator and T_J =V is the incoming message from the adversary A1. To solve ( , )cdh U V , for all entries in

2 H

2 1

n and returns Z3 as the solution to cdh U V( , ).

The advantage of _C solving GDH problem with the advantage 1

2 0 1 2

1

( ) ( )

GDH

Adv k Adv k

n n n

≥

C A . (22)

Then ( )Adv_CGDH k is non-negligible since we assume that Adv_A1( )k is non-negligible. This contradicts the GDH assumption.

We could conclude that the advantage of a type 1 adversary against our protocol is negligible if the GCDH problem is intractable.

(20)

Proof. Suppose that there is a type 2 adversary A2 who can win the game defined in subsection 2.3 with a non-negligible advantage Adv_A2( )k in

polynomial-time t. Then, we will show how to use the ability of A2 to construct an algorithm C to solve the GDH problem.

Let n0 be the maximum number of sessions that any one party may have. Assume that the adversary A2 activates at most n₁ distinctive honest parties. Assume that the adversary _A2 activates at most n₂ distinctive hash queries. Assume also that Adv_A2( )k is non-negligible. Before the game starts, C tries to guess the test session and the strategy that the adversary A2 will adopt. C randomly selects two indexes I J, ∈{1,…, }n1：I ≠J, which represent the I th and the Jth distinct honest party that the adversary initially chooses. Also, C chooses S∈{1,…,n₀} and determines the Test session ∏S_{I J}_, , which is correct with probability larger than ₂

0 1 1

n n . Let ,

T J I

∏ be the matching session of S_, I J

∏ .

Since H₁ and H₂ are modeled as random oracles, after the adversary issues the test query, it has only three possible ways to distinguish the tested session key from a random string:

CASE 1: Forging attack: Assume that ∏S_{I J}_, is the test session. At some point in its run, the adversary A1 queriesH₂ on the

value(ID ID T T K_I, _J, _I, _J, 1_IJ,K_IJ2,K_IJ3 ) in the test session owned by I

communicating with J. Clearly, in this case A2 computes the values K1_IJ, 2

IJ

K and 3 IJ

K itself.

CASE 2: Guessing attack: A2 correctly guesses the session key. CASE 3: Key-replication attack: The adversary _A2 forces a non-matching session to have the same session key with the test session. In this case, the adversary A2 can simply learn the session key by querying the non-matching session.

Through the same analysis, we know the success probability of

(21)

2

A mounts is Forging attack, A2 can not get an advantage in winning the game against the protocol unless it queries the H2 oracle on the session key.

In the following, a challenger C is interested to use the adversary A2 to turn A2’s advantage in distinguishing the tested session key from a random string into an advantage in solving the GDH problem. The following two sub-cases should be considered.

CASE 1.1: No honest party owns a matching session to the Test session. CASE 1.2: The Test session has a matching session owned by another honest party.

Since _A2 is strong type 2 adversary, then he can get any users’ partial private key since he is a malicious KGC. According to Definition 2, C has the following two choices for A2’s strategy:

CASE 1.1.1: At some point, the secret value of party I has been revealed by the adversary A2. According to Definition 2, A2 is not permitted to reveal the ephemeral private key of the Test session.

CASE 1.1.2: The secret value of party I has never been revealed by the adversary _A2. According to Definition 2, _A2 may reveal the ephemeral private key of the Test session.

CASE 1.1.1:

Let Adv_CGDH( )k be the advantage that the challenger C gets in solving the GDH problem given the security parameter k. Given a GDH problem instance (U =uP,V =vP,O_ddhp) and C’s task is to compute cdh U V( , )=uvP, where

ddhp

O is a decision oracle that on input (aP bP cP, , ), answers 1 if ( , )

cdh aP bP =cP; answers 0, otherwise. C first chooses a random number

* n

x∈Z , sets xP as the system public key Ppub, selects the system parameter 1 2

{ _p, / _p, , , _pub, , }

params= F E F G P P H H , and sends params to _A2. Then, _C

simulates the game outlined in Section 2.3 as follows. ( )

the form (ID s R x P_i, ,_i _i, ,_i _i). If i=J, C chooses two random numbers r_i∈Z_n*, computes R_i =r P_i , h_i =H ID R₁( _i, _i), s_i = +r_i h x_i , P_i =U and stores

(22)

computes R_i =r P_i , h_i =H ID R₁( _i, _i), s_i = +r_i h x_i , P_i =x P_i and stores (ID s R x P_i, ,_i _i, ,_i _i) in L_C.

1( i, i)

H ID R : C maintains an initially empty list

1 H

L which contains tuples of the form (ID R h_i, _i, _i). If (ID R_i, _i) is on the list

1 H

L , _C returns h_i. Otherwise,

C chooses a random number h_i, stores (ID R h_i, _i, _i) in 1 H

L and returns h_i. 2( i, j, ,i j, 1, 2, 3, )

2 H

L

with entries of the form (ID ID T T Z Z Z sk_i, _j, ,_i _j, ₁, ₂, ₃, ). If the tuple is in the list 2

H

z If ID_i =ID_J,

_C looks the list L_S for entry (ID ID T T_i, _j, ,_i _j,*). If C finds the entry, he computes Z2 =Z₂−t T_i( _j+P_j)−x P_j _i.

Then C checks whether Z₂ is correct by checking whether the oracle O_ddhp outputs 1 when the tuple (P T Z_i, _j, 2) is inputted.C also checks whether Z₁ and Z₃ are equal by checking whether the equations Z₁=(t_i+s T_i)( _j+R_j+H ID R₁( _j, _j)) and Z₃=t T_i _j hold separately. If Z₁, Z₂ and Z₃ are correct, C stores the tuple (ID ID T T Z Z Z sk_i, _j, ,_i _j, ₁, ₂, ₃, ) into

2 H

L , where the value sk comes from L_S. Otherwise, C chooses a random number sk∈{0,1}k and stores the tuple (ID ID T T Z Z Z sk_i, _j, ,_i _j, ₁, ₂, ₃, ) into

2 H

L .

z Otherwise,

_C looks the list L_S for entry (ID ID T T_i, _j, ,_i _j,*). If C finds the entry, he stores the tuple (ID ID T T Z Z Z sk_i, _j, ,_i _j, ₁, ₂, ₃, ) into

2 H

L ,

where the value sk comes from L_S.

Otherwise, C chooses a random number sk∈{0,1}k and stores the tuple (ID ID T T Z Z Z sk_i, _j, ,_i _j, ₁, ₂, ₃, ) into

2 H

L .

( )

RevealPartialPrivateKey i : C looks up the list L_E and returns the

(23)

( )

RevealSecretValue i : C answers A2’s queries as follows.

z If IDi =IDJ, then C stops the simulation.

z Otherwise, C looks up the table L_C for entry (ID_i,*,*,*,*) and returns x_i.

,

( t_{i j})

RevealEphemeralKey ∏ : C answers A2’s queries as follows.

z If s_, S_, i j I J

z Otherwise, C returns the stored ephemeral private key to A2.

RevealMasterKey: C returns the master key x to A2.

,

( t_{i j})

RevealSessionKey ∏ : C answers A2’s queries as follows.

z If s_, S_, i j I J

∏ = ∏ or s_, T_,

i j I J

z Otherwise, if C returns the session key sk to A2. ,

( s , )

i j

Send ∏ m :_C maintains an initially empty list L_S with entries of the form (ID ID T T sk_i, _j, ,_i _j, ) and answers A2’s queries as follows.

z If , ,

s S

i j I J

∏ = ∏ , then C returns Ti =V to A2.

z Otherwise, if ID_i =ID_J , he generates a random t_i∈Z_n , computes 2 ₂ _i( _j _j) _j _i

Z =Z −t T +P −x P. Then C checks whether Z₂ is correct by checking whether the oracle O_ddhp outputs 1 when the tuple (P T Z_i, _j, 2) is inputted._C also checks whether Z₁ and Z₃ are equal by checking whether the equations Z₁=(t_i+s T_i)( _j+R_j+H ID R₁( _j, _j)) and Z₃ =t T_i _j

hold separately. If Z1, Z2 and Z3 are correct, C stores the tuple (ID ID T T sk_i, _j, ,_i _j, ) into L_S , where the value sk comes from

2 H

L .

Otherwise, _C chooses a random number sk∈{0,1}k and stores the tuple (ID ID T T sk_i, _j, ,_i _j, ) into L_S.

z Otherwise, C replies according to the specification of the protocol. ,

( ti j)

Test ∏ :C answers A2’s queries as follows.

z If ∏ ≠ ∏t_{i j}_, S_{I J}_, , then C stops the simulation.

z Otherwise, C generates a random number ξ∈{0,1}k and returns it to 2

(24)

As the adversary A2 mounts the forging attack, if A2 succeeds, it must have queried oracle H₂ on the form Z₁=(t_I +s_I)(T_J +R_J+H ID R P₁( _J, _J) _pub) ,

2 ( I I)( J )

Z = t +x T +U and Z₃ =t TI J, where TI =V is the outgoing message of Test session by the simulator and T_J is the incoming message from the adversary 2_A . To solve GDH U V( , ), for all entries in

2 H

L , _C randomly chooses one entry with the probability

2 1

n and computes

2 ₂ _I( _J )) ₃

Z =Z −x T +U −Z (23) It is easy to verify that the equation Z2 =cdh U V( , ) holds. The advantage of

C solving GDH problem with the advantage

2 2

0 1 2 1

( ) ( )

GDH

Adv k Adv k

n n n

≥

C A . (24)

Then Adv_CGDH( )k is non-negligible since we assume that Adv_A2( )k is non-negligible. This contradicts the GDH assumption.

CASE 1.1.2:

C answers H ID R₁( _i, _i), ( )RevealPartialPrivateKey i , ,

( t_{i j})

RevealEphemeralKey ∏ , RevealMasterKey, RevealSessionKey(∏t_{i j}_, ) and ,

( t_{i j})

Test ∏ as he does in CASE 3.1.3 of Lemma 3. He also answers other queries as follows.

( )

Create i : C simulates the oracle in the same way as that of CASE 1.1.1

except for i=I . If i=I, C chooses two random numbers r_i∈Z*_n, computes i i

R =r P, h_i =H ID R₁( _i, _i), s_i = +r_i h x_i , P_i =V and stores (ID s R_i, ,_i _i, ,⊥ P_i)in C

L . Otherwise, C chooses two random numbers r x_i, _i∈Z_n*, computes i i

R =r P, hi =H ID R₁( i, i), si = +ri h xi , Pi =x Pi and stores (ID s R x Pi, ,i i, ,i i) in C

L .

2( i, j, ,i j, 1, 2, 3, )

H ID ID T T Z Z Z h : _C simulates the oracle in the same way as

that of CASE 1.1.1 except for the form (ID ID T T Z Z Z_I, _J, _I, _J, ₁, ₂, ₃) and