# Authenticated Key Exchange Protocol in the Standard Model under Weaker Assumptions

^{1}

^{2}

## Abstract

**:**

## 1. Introduction

**Implicit Key Authentication:**If a key exchange protocol provides a guarantee that no party apart from the protocol participants can compute the session key, the key exchange protocol is said to provide implicit key authentication. If a key exchange protocol provides implicit key authentication, it is said to be an authenticated key exchange (AKE) protocol.**Key Confirmation:**If a key exchange protocol provides a guarantee that each party is assured that all other participants possess the same session key, the key exchange protocol is said to provide key confirmation.**Known Key Security:**The knowledge of a session key should not allow the adversary to learn the session keys in other sessions; all session keys should not depend on the session keys of the other sessions.**Security against Unknown Key Share (UKS) Attacks:**Party A should not share a session key with party B, believing that it is sharing the session key with party C. The public keys and identities of the parties should be certified and confirmed or incorporated into protocol execution.**Security against Key Compromise Impersonation (KCI) Attacks:**Knowledge of the long-term secret key of party A should not enable the adversary to impersonate the other honest parties to the party A.**(weak) Forward Secrecy:**A (passive) adversary who knows the long-term secret keys of any two parties should not be able to compute the past session keys of the two parties.

#### Our Contribution

## 2. Preliminaries

#### 2.1. Pseudorandom Functions

**Definition**

**1**

**.**Let $F:{\{0,1\}}^{*}\times {\{0,1\}}^{*}\to {\{0,1\}}^{*}$ be an efficient, length-preserving, keyed function. We say F is a pseudorandom function if for all probabilistic polynomial-time adversaries $\mathcal{A}$, there exists a negligible function ${\u03f5}_{\mathrm{PRF}}$ in the security parameter k such that

#### 2.2. Existential Unforgeablity against Adaptive Chosen Message Attacks ($\mathrm{EUF}-\mathrm{CMA}$)

**Definition**

**2**

**.**Let $k\in N$ be the security parameter. For a signature scheme $\mathrm{Sig}=(\mathrm{KeyGen},\mathrm{Sign},\mathrm{Vfy})$, we define ${\mathrm{Adv}}^{\mathrm{EUF}-\mathrm{CMA}}\left(\mathcal{B}\right)$ as the advantage of a probabilistic polynomial-time adversary $\mathcal{B}$, winning the following game:

- 1.
- $(sk,vk)\leftarrow \mathrm{KeyGen}\left({1}^{k}\right)$
- 2.
- $({m}^{*},{\sigma}^{*})\leftarrow {\mathcal{B}}^{\mathcal{O}(\xb7)}\left(vk\right)$
- 3.
- If $\mathrm{Vfy}(vk,{m}^{*},{\sigma}^{*})=$ “true” and ${m}^{*}$ is not been previously signed, then $\mathcal{B}$ wins.

- 1.
- $\sigma \leftarrow (sk,m)$
- 2.
- Return σ

#### 2.3. Decisional Bilinear Diffie–Hellman (DBDH) Assumption

**Definition**

**3**

**.**Let k be the security parameter and $\mathcal{G}$ be a group generation algorithm. Let $(\mathbb{G},{\mathbb{G}}_{T},q,e)\leftarrow \mathcal{G}\left({1}^{k}\right)$, where q is a prime number, the description of two groups $\mathbb{G},{\mathbb{G}}_{T}$ of order q, and the description of an admissible bilinear map $e:\mathbb{G}\times \mathbb{G}\to {\mathbb{G}}_{T}$. Let $g,{g}_{1}$ be two arbitrary generators of $\mathbb{G}$.

## 3. Extended Canetti-Krawczyk Model

#### 3.1. Parties and Long-Term Keys

#### 3.2. Sessions

#### 3.3. Partnering

- Both ${\mathrm{\Pi}}_{U,V}^{s}$ and ${\mathrm{\Pi}}_{{U}^{\prime},{V}^{\prime}}^{{s}^{\prime}}$ have computed session keys;
- The messages sent from ${\mathrm{\Pi}}_{U,V}^{s}$ and the messages received by ${\mathrm{\Pi}}_{{U}^{\prime},{V}^{\prime}}^{{s}^{\prime}}$ are identical;
- The messages sent from ${\mathrm{\Pi}}_{{U}^{\prime},{V}^{\prime}}^{{s}^{\prime}}$ and the messages received by ${\mathrm{\Pi}}_{U,V}^{s}$ are identical;
- ${U}^{\prime}=V$ and ${V}^{\prime}=U$;
- Exactly one of U and V is the initiator, and the other is the responder.

#### 3.4. Adversarial Powers

`Send $(U,V,s,m)$`query: This query allows $\mathcal{A}$ to run the protocol. It sends the message m to the session ${\prod}_{U,V}^{s}$ as coming from the session ${\prod}_{V,U}^{{s}^{\prime}}$. ${\prod}_{U,V}^{s}$ will return the next message to $\mathcal{A}$ according to the protocol conversation so far or make a decision on whether to accept or reject the session. $\mathcal{A}$ can also use this query to initiate a new protocol instance with blank m. This query captures the capabilities of an active adversary, who can initiate sessions and modify or delay protocol messages.`SessionKeyReveal $(U,V,s)$`query: If a session ${\prod}_{U,V}^{s}$ has accepted and holds a session key, $\mathcal{A}$ obtains the session key of ${\prod}_{U,V}^{s}$. A session can only accept a session key once. This query captures the known key attacks.`EphemeralKeyReveal $(U,V,s)$`query: This gives all the ephemeral keys (per session randomness) of the session ${\prod}_{U,V}^{s}$ to $\mathcal{A}$.`Corrupt $\left(U\right)$`query: $\mathcal{A}$ obtains all the long-term secrets of the principal U. Then, $\mathcal{A}$ may set up long-term secrets at principal U at will. However, this query does not reveal any session keys to $\mathcal{A}$. This query captures the KCI attacks, UKS attacks and (weak) forward secrecy.`Test $(U,s)$`query: Once a session ${\prod}_{U,V}^{s}$ has accepted and holds a session key, $\mathcal{A}$ can attempt to distinguish it from a random key. When $\mathcal{A}$ asks the`Test`query, the session ${\prod}_{U,V}^{s}$ first chooses a random bit $b\in \{0,1\}$, and if $b=1$, the actual session key is returned to $\mathcal{A}$; otherwise, a random session key is chosen uniformly at random from the same session key distribution and is returned to $\mathcal{A}$. This query is only allowed to be asked once.

#### 3.5. Freshness

- The session ${\prod}_{U,V}^{s}$ and its partner (if it exists), ${\prod}_{V,U}^{{s}^{\prime}}$, have not been asked the
`Session- Key reveal`query. - If the partner ${\prod}_{V,U}^{{s}^{\prime}}$ exists, none of the following combinations have been asked:
- (a)
`Corrupt$\left(U\right)$`and`EphemeralKeyReveal$(U,V,s)$`;- (b)
`Corrupt$\left(V\right)$`and`EphemeralKeyReveal$(V,U,{s}^{\prime})$`.

- If partner ${\prod}_{V,U}^{{s}^{\prime}}$ does not exist, none of the following combinations have been asked:
- (a)
`Corrupt$\left(V\right)$`;- (b)
`Corrupt$\left(U\right)$`and`EphemeralKeyReveal$(U,V,s)$`.

#### 3.6. $\mathrm{eCK}$ Security Game

- Stage 0: The challenger generates the keys by using the security parameter k.
- Stage 1: $\mathcal{A}$ is executed and may ask any of the
`Send`,`SessionKeyReveal`,`EphemeralKeyReveal`,`Corrupt`queries to any session at will. - Stage 2: At some point, $\mathcal{A}$ chooses a fresh session and asks the
`Test`query. - Stage 3: $\mathcal{A}$ continues asking
`Send`,`SessionKeyReveal`,`EphemeralKeyReveal`,`Corrupt`queries. The only condition is that $\mathcal{A}$ cannot violate the freshness of the test session. - Stage 4: At some point, $\mathcal{A}$ outputs the bit ${b}^{\prime}\in \{0,1\}$, which is its guess of the value b in the test session. $\mathcal{A}$ wins if ${b}^{\prime}=b$.

#### 3.7. Definition of Security

**Definition**

**4**

**.**A protocol π is said to be secure in the $\mathrm{eCK}$ model if there is no probabilistic polynomial-time adversary $\mathcal{A}$ who can win the $\mathrm{eCK}$ game with a non-negligible advantage in the security parameter k. The advantage of an adversary $\mathcal{A}$ is defined as:

## 4. Construction of the Pairing-Based AKE Protocol

#### 4.1. Protocol Design

#### 4.1.1. Parameters and Underlying Building blocks

#### 4.1.2. Initial Setup

#### 4.1.3. Protocol Execution

#### 4.2. Security Analysis of the Protocol EC-P1

**Theorem**

**1.**

**Proof.**

- A partner to the test session exists.
- (a)
- The adversary corrupts both the owner and the partner principals to the test session—Case $\mathbf{1}\mathbf{a}$;
- (b)
- The adversary corrupts neither the owner nor the partner principal to the test session—Case $\mathbf{1}\mathbf{b}$;
- (c)
- The adversary corrupts the owner to the test session but does not corrupt the partner to the test session—Case $\mathbf{1}\mathbf{c}$;
- (d)
- The adversary corrupts the partner to the test session but does not corrupt the owner to the test session—Case $\mathbf{1}\mathbf{d}$;

- A partner to the test session does not exist: the adversary is not allowed to corrupt the peer to the target session—Case $\mathbf{2}$.

`Test`query is asked, the game 1 challenger will choose a random bit $b\leftarrow \{0,1\}$. If $b=1$, the real session key is given to $\mathcal{A}$; otherwise, a random value chosen from the same session-key space is given. Hence,

#### 4.3. Computational Costs

## 5. Conclusions and Future Works

## Funding

## Data Availability Statement

## Conflicts of Interest

## References

- Diffie, W.; Hellman, M. New directions in cryptography. IEEE Trans. Inf. Theory
**1976**, 22, 644–654. [Google Scholar] [CrossRef][Green Version] - Bellare, M.; Rogaway, P. Random Oracles are Practical: A Paradigm for Designing Efficient Protocols. In Proceedings of the CCS’93, 1st ACM Conference on Computer and Communications Security, Fairfax, VA, USA, 3–5 November 1993; pp. 62–73. [Google Scholar]
- Bellare, M.; Rogaway, P. Provably secure session key distribution: The three party case. In Proceedings of the Twenty-Seventh Annual ACM Symposium on Theory of Computing, Las Vegas, NV, USA, 29 May–1 June 1995; pp. 57–66. [Google Scholar]
- Canetti, R. Universally Composable Security: A New Paradigm for Cryptographic Protocols. In Proceedings of the FOCS, Las Vegas, NV, USA, 14–17 October 2001; pp. 136–145. [Google Scholar]
- LaMacchia, B.; Lauter, K.; Mityagin, A. Stronger Security of Authenticated Key Exchange. In Proceedings of the ProvSec, Wollongong, Australia, 1–2 November 2007; pp. 1–16. [Google Scholar]
- Kim, M.; Fujioka, A.; Ustaoglu, B. Strongly Secure Authenticated Key Exchange without NAXOS’ Approach. In Proceedings of the Advances in Information and Computer Security, 4th International Workshop on Security, IWSEC 2009, Toyama, Japan, 28–30 October 2009; pp. 174–191. [Google Scholar] [CrossRef][Green Version]
- Moriyama, D.; Okamoto, T. An eCK-Secure Authenticated Key Exchange Protocol without Random Oracles. In Proceedings of the Provable Security, Third International Conference, ProvSec 2009, Guangzhou, China, 11–13 November 2009; pp. 154–167. [Google Scholar] [CrossRef]
- Ustaoglu, B. Obtaining a secure and efficient key agreement protocol from (H)MQV and NAXOS. Des. Codes Cryptogr.
**2008**, 46, 329–342. [Google Scholar] [CrossRef][Green Version] - Yang, Z. Efficient eCK-Secure Authenticated Key Exchange Protocols in the Standard Model. In Proceedings of the Information and Communications Security—15th International Conference, ICICS 2013, Beijing, China, 20–22 November 2013; pp. 185–193. [Google Scholar] [CrossRef][Green Version]
- Alawatugoda, J.; Stebila, D.; Boyd, C. Continuous After-the-Fact Leakage-Resilient eCK-Secure Key Exchange. In Proceedings of the Cryptography and Coding—15th IMA International Conference, IMACC 2015, Oxford, UK, 15–17 December 2015; pp. 277–294. [Google Scholar] [CrossRef][Green Version]
- Alawatugoda, J. Generic construction of an eCK -secure key exchange protocol in the standard model. Int. J. Inf. Sec.
**2017**, 16, 541–557. [Google Scholar] [CrossRef] - Tomida, J.; Fujioka, A.; Nagai, A.; Suzuki, K. Strongly Secure Identity-Based Key Exchange with Single Pairing Operation. In Proceedings of the Computer Security—ESORICS 2019—24th European Symposium on Research in Computer Security, Luxembourg, 23–27 September 2019, Proceedings, Part II; Sako, K., Schneider, S.A., Ryan, P.Y.A., Eds.; Lecture Notes in Computer Science; Springer: Berlin/Heidelberg, Germany, 2019; Volume 11736, pp. 484–503. [Google Scholar] [CrossRef]
- Daniel, R.M.; Rajsingh, E.B.; Silas, S. An efficient eCK secure certificateless authenticated key agreement scheme with security against public key replacement attacks. J. Inf. Secur. Appl.
**2019**, 47, 156–172. [Google Scholar] [CrossRef] - Xie, Y.; Wu, L.; Shen, J.; Li, L. Efficient two-party certificateless authenticated key agreement protocol under GDH assumption. Int. J. Ad Hoc Ubiquitous Comput.
**2019**, 30, 11–25. [Google Scholar] [CrossRef] - Lian, H.; Pan, T.; Wang, H.; Zhao, Y. Identity-Based Identity-Concealed Authenticated Key Exchange. In Proceedings of the Computer Security—ESORICS 2021—26th European Symposium on Research in Computer Security, Darmstadt, Germany, 4–8 October 2021, Proceedings, Part II; Bertino, E., Shulman, H., Waidner, M., Eds.; Lecture Notes in Computer Science; Springer: Berlin/Heidelberg, Germany, 2021; Volume 12973, pp. 651–675. [Google Scholar] [CrossRef]
- Katz, J.; Lindell, Y. Introduction to Modern Cryptography; Chapman and Hall/CRC Press: Boca Raton, FL, USA, 2007. [Google Scholar]
- Boneh, D.; Franklin, M.K. Identity-Based Encryption from the Weil Pairing. SIAM J. Comput.
**2003**, 32, 586–615. [Google Scholar] [CrossRef][Green Version] - Rouselakis, Y.; Waters, B. Efficient Statically-Secure Large-Universe Multi-Authority Attribute-Based Encryption. In Proceedings of the Financial Cryptography and Data Security—19th International Conference, FC 2015, San Juan, Puerto Rico, 26–30 January 2015, Revised Selected Papers; Böhme, R., Okamoto, T., Eds.; Lecture Notes in Computer Science; Springer: Berlin/Heidelberg, Germany, 2015; Volume 8975, pp. 315–332. [Google Scholar] [CrossRef][Green Version]
- Boneh, D.; Boyen, X. Efficient Selective-ID Secure Identity-Based Encryption Without Random Oracles. In Proceedings of the Advances in Cryptology—EUROCRYPT 2004, International Conference on the Theory and Applications of Cryptographic Techniques, Interlaken, Switzerland, 2–6 May 2004, Proceedings; Cachin, C., Camenisch, J., Eds.; Lecture Notes in Computer Science; Springer: Berlin/Heidelberg, Germany, 2004; Volume 3027, pp. 223–238. [Google Scholar] [CrossRef][Green Version]
- Bergsma, F.; Jager, T.; Schwenk, J. One-Round Key Exchange with Strong Security: An Efficient and Generic Construction in the Standard Model. In Proceedings of the Public-Key Cryptography—PKC 2015—18th IACR International Conference on Practice and Theory in Public-Key Cryptography, Gaithersburg, MD, USA, 30 March–1 April 2015, Proceedings; Lecture Notes in Computer Science; Springer: Berlin/Heidelberg, Germany, 2015; Volume 9020, pp. 477–494. [Google Scholar] [CrossRef][Green Version]
- Dutta, R.; Barua, R.; Sarkar, P. Pairing-Based Cryptographic Protocols: A Survey. IACR Cryptol. ePrint Arch.
**2004**, 64. Available online: https://eprint.iacr.org/2004/064 (accessed on 16 December 2022). - Boneh, D.; Boyen, X. Short Signatures Without Random Oracles and the SDH Assumption in Bilinear Groups. J. Cryptol.
**2008**, 21, 149–177. [Google Scholar] [CrossRef]

$\mathit{A}\mathit{l}\mathit{i}\mathit{c}\mathit{e}$ (Initiator) | $\mathbb{G},{\mathbb{G}}_{\mathit{T}},\mathit{q},\mathit{e},\mathit{g},{\mathit{g}}_{1}\leftarrow \mathcal{G}\left({1}^{\mathit{k}}\right)$ | $\mathit{B}\mathit{o}\mathit{b}$ (Responder) |

$\mathrm{Sig}=(\mathrm{KeyGen},\mathrm{Sign},\mathrm{Vfy})$ | ||

Initial Setup | ||

$a\leftarrow {\mathbb{Z}}_{q},A\leftarrow {g}^{a}$ | $b\leftarrow {\mathbb{Z}}_{q},B\leftarrow {g}^{b}$ | |

$(s{k}_{A},v{k}_{A})\leftarrow \mathrm{KeyGen}\left({1}^{k}\right)$ | $(s{k}_{B},v{k}_{B})\leftarrow \mathrm{KeyGen}\left({1}^{k}\right)$ | |

Protocol Execution | ||

$x\leftarrow {\mathbb{Z}}_{q}$, ${W}_{1}\leftarrow e(A,{g}_{1}^{x})$ | $y\leftarrow {\mathbb{Z}}_{q}$, ${W}_{2}\leftarrow e(B,{g}_{1}^{y})$ | |

${\sigma}_{A}\leftarrow \mathrm{Sig}\left(s{k}_{A},(\mathrm{Alice},\mathrm{Bob},{W}_{1})\right)$ | ${\sigma}_{B}\leftarrow \mathrm{Sig}\left(s{k}_{B},(\mathrm{Bob},\mathrm{Alice},{W}_{2})\right)$ | |

$\stackrel{\mathrm{Alice},\mathrm{Bob},{W}_{1},{\sigma}_{A}}{\to}$ | ||

$\stackrel{\mathrm{Bob},\mathrm{Alice},{W}_{2},{\sigma}_{B}}{\leftarrow}$ | ||

If$\mathrm{Vfy}\left(v{k}_{B},(\mathrm{Bob},\mathrm{Alice},{W}_{2}),{\sigma}_{B}\right)=\u201c\mathrm{true}\u201d\{$ | If$\mathrm{Vfy}\left(v{k}_{A},(\mathrm{Alice},\mathrm{Bob},{W}_{1}),{\sigma}_{A}\right)=\u201c\mathrm{true}\u201d\{$ | |

${Z}_{1}\leftarrow {\left({W}_{2}\right)}^{xa}$ | ${Z}_{2}\leftarrow {\left({W}_{1}\right)}^{yb}$ | |

$K\leftarrow \mathrm{PRF}({Z}_{1},\mathrm{Alice}|\left|{W}_{1}\right|\left|{\sigma}_{A}\right|\left|\mathrm{Bob}\right|\left|{W}_{2}\right|\left|{\sigma}_{B}\right)$ | $K\leftarrow \mathrm{PRF}({Z}_{2},\mathrm{Alice}|\left|{W}_{1}\right|\left|{\sigma}_{A}\right|\left|\mathrm{Bob}\right|\left|{W}_{2}\right|\left|{\sigma}_{B}\right)$ | |

} | } | |

else abort | else abort | |

K is the session key |

Operation | Computational Cost | |
---|---|---|

At the Initiator or the Responder | ||

Initial setup | Computation of A or B | 1E |

Signature key generation | $\mathrm{KeyGen}$ | |

Protocol execution | Computation of the protocol message | 1Pair, 1E, $\mathrm{Sign}$ |

Computation of ${Z}_{1}$ or ${Z}_{2}$ | $\mathrm{Vfy}$, 1E, 1Pair | |

Computation of K | 1$\mathrm{PRF}$ |

Protocol | Proof Model | Hardness Assumptions | Overall Computational Cost |
---|---|---|---|

At a Protocol Principal | |||

NAXOS [5] | ROM | GDH | 4E |

CMQV [8] | ROM | GDH | 3E |

KFU P1 [6] | ROM | GDH | 3E |

KFU P2 [6] | ROM | CDH | 5E |

ASB [10] | ROM | GDH | 6E |

TFNS19 [12] | ROM | XDH, q-gap | 5H, 1Pair, 6E |

Daniel et al. [13] | ROM | GDH | 5PM |

Xie et al. [14] | ROM | GDH | 4PM |

Lian et al. Type-II [15] | ROM | Gap-BDH | 4CR, 1Pair, 4E, $1\mathrm{KeyGen}$, 1Enc, 1Dec, 1KDF |

Lian et al. Type-III [15] | ROM | Gap-BDH | 5CR, 1Pair, 5E, $1\mathrm{KeyGen}$, 1Enc, 1Dec, 1KDF |

MO [7] | Standard | DDH, CR, $\pi $PRF | 3E, 2CR, 1ME, 1$\pi $PRF |

Yang P1 [9] | Standard | DBDH, PRF, TCR | 2E, 4ME, 4Pair, 2TCR, 1PRF |

Yang GC-KKN [9] | Standard | DDH, TCR, PRF, FAC, EXT | 7E, 2ME, 2TCR, 3PRF |

Bergsma et al. Protocol II [20] | Standard | PRF | 16E, 12Pair, 4PRF, $1\mathrm{KeyGen}$, $1\mathrm{Sign}$, $1\mathrm{Vfy}$, 1NIKEgen, 4NIKEkey |

EC-P1 (this paper) | Standard | DBDH, PRF | 3E, 2Pair, 1PRF, $1\mathrm{KeyGen}$, $1\mathrm{Sign}$, $1\mathrm{Vfy}$ |

Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content. |

© 2023 by the author. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).

## Share and Cite

**MDPI and ACS Style**

Alawatugoda, J.
Authenticated Key Exchange Protocol in the Standard Model under Weaker Assumptions. *Cryptography* **2023**, *7*, 1.
https://doi.org/10.3390/cryptography7010001

**AMA Style**

Alawatugoda J.
Authenticated Key Exchange Protocol in the Standard Model under Weaker Assumptions. *Cryptography*. 2023; 7(1):1.
https://doi.org/10.3390/cryptography7010001

**Chicago/Turabian Style**

Alawatugoda, Janaka.
2023. "Authenticated Key Exchange Protocol in the Standard Model under Weaker Assumptions" *Cryptography* 7, no. 1: 1.
https://doi.org/10.3390/cryptography7010001