Pairing-free Single Round Certificateless and Identity Based
Authenticated Key Exchange Protocols
Saikrishna Badrinarayanan and C. Pandu Rangan
Department of Computer Science and Engineering, Indian Institute of Technology Madras, Chennai, India
Keywords:
Certificateless Cryptography, Identity-based Cryptography, Key Exchange, Random Oracle.
Abstract:
Designing efficient key agreement protocols is a fundamental cryptographic problem. In this paper, we first
define a security model for key agreement in certificateless cryptography that is an extension of earlier models.
We note that the existing pairing free protocols are not secure in our model. We design an efficient pairing-free,
single round protocol that is secure in our model based on the hardness assumption of the Computational Diffie
Hellman (CDH) problem. We also observe that previously existing pairing-free protocols were secure based
on much stronger assumptions such as the hardness of the Gap Diffie Hellman problem. We use a restriction
of our scheme to design an efficient pairing-free single round identity based key agreement protocol that is
secure in the id-CK+ model based on the hardness assumption of the CDH problem. Additionally, both our
schemes satisfy several other security properties such as forward secrecy, resistance to reflection attacks etc.
1 INTRODUCTION
Symmetric key cryptography is a paradigm in which
both encryption and decryption is done using the
same key unlike asymmetric system in which each
user maintains a public key and a private key. Sym-
metric key cryptography is in general more efficient
than an asymmetric system. However, the main dis-
advantage of symmetric key cryptography is the es-
tablishment of the shared secret key between the en-
tities that want to communicate. A secure way of
setting up the shared secret key is mandatory. In
this work, we focus on key exchange protocols in
the identity based and certificateless paradigm. Sev-
eral key exchange protocols have been designed in
these paradigms(Lippold and Nieto, 2010)(Swanson
and Jao, 2009)(Viveket al., 2013)(Fiore and Gennaro,
2010).
2 PREVIOUS WORK AND OUR
CONTRIBUTION
2.1 Certificateless Cryptography
Several protocols and security models have been
proposed for certificateless authenticated key ex-
change(CLAKE). The strongest security model is the
one proposed by Lippold et.al(Lippold et al., 2009),
which is based on the Canetti Krawczyk model for
key agreement. In this paper, we propose a security
model that is an extension of the one proposed by Lip-
pold et.al. Our model considers an active adversary-
one who can tamper with any message that is being
exchanged within the network. In a real world sce-
nario, active adversaries are very much present and so
this is an important consideration towards the secu-
rity of protocols. Since pairing is an extremely costly
mathematical operation, it hampers the efficiency of
the system. Therefore, we focus only on schemes
which are pairing-free. Several pairing-free proto-
cols(Sun et al., 2013)(Yang and Tan, 2011)(Geng and
Zhang, 2009)(He et al., 2012) were proposed but most
of them are either based on a weaker security model
or have subsequently been broken. Two pairing-
free protocols proposed by Yang et.al(Yang and Tan,
2011) and Sun et.al(Sun et al., 2013) are based on
the Lippold et.al model. However, we observe that
both these protocols are not secure in our definition.
In particular, an active adversary can easily modify
the ephemeral components and prevent the users from
being able to compute the same shared secret with-
out them realising that they are indeed not computing
the same secret. The main advantage of our proposed
scheme is that we prove the security of our protocol
based on the hardness assumption of the Computa-
tional Diffie Hellman problem. We observe that all
67
Badrinarayanan S. and Pandu Rangan C..
Pairing-free Single Round Certificateless and Identity Based Authenticated Key Exchange Protocols.
DOI: 10.5220/0005043400670078
In Proceedings of the 11th International Conference on Security and Cryptography (SECRYPT-2014), pages 67-78
ISBN: 978-989-758-045-1
Copyright
c
2014 SCITEPRESS (Science and Technology Publications, Lda.)
previously existing pairing-free key agreement pro-
tocols are proven secure based on much stronger as-
sumptions like the Gap Diffie Hellman assumption.
Another important property is the number of rounds
in the protocol. Lesser the number of rounds, greater
the efficiency of the protocol. Our proposed scheme
is single round and hence can be implemented asyn-
chronously while multiple round protocols need to
be implemented synchronously and require both the
parties to be online throughout the run of the proto-
col. Several other security properties which are of
paramount importance are forward secrecy, resistance
to collusion attacks, resistance to key impersonation
attacks, etc. Our proposed scheme satisfies all these
properties. A comparison of our protocol and other
protocols is listed in the table below and this clearly
highlights the salient features of the proposed scheme.
Note that the Lippold et.al scheme was actually re-
duced to the Bilinear Computational Diffie Hellman
problem, which is probably the equivalent of the CDH
problem in the bilinear world.
Table 1: Comparison of certificateless key exchange proto-
cols.
Protocol Pairing-
Free
Reduced
to CDH
Active
Adver-
sary
Single
Round
Yang et.al ✓ ✗ ✗ ✓
Sun et.al ✓ ✗ ✗ ✓
Lippold
et.al
✗ ✓ ✗ ✓
Our
Scheme
✓ ✓ ✓ ✓
2.2 Identity based Cryptography
One of the strongest security models for identity
based key agreement (IBKE) is the id-CK+ model
proposed by Fujioka et.al(Fujioka et al., 2012) which
is based on the CK model(Krawczyk, 2005)(Canetti
and Krawczyk, 2001). Since pairing is an extremely
costly mathematical operation, we focus on schemes
that do not involve the use of pairing. There are four
schemes in the literature by Fiore et.al(Fiore and Gen-
naro, 2010), Gunther et.al(G¨unther, 1990), Saeed-
nia et.al(Saeednia, 2000) and Sree Vivek et.al(Vivek
et al., 2013) which are pairing free and secure in this
model. However, three of them are not secure in
the presence of an active adversary as demonstrated
in the paper by Sree Vivek et.al. Other proposed
schemes(Cao et al., 2010)(Islam and Biswas, 2012)
were either broken subsequently or involve an initial
agreement on who initiates the key agreement pro-
tocol. Therefore, we do not consider those schemes
for our comparison. We propose an efficient pairing
free scheme that is secure in this model and also in
the presence of active adversaries. Additionally, our
scheme is proven secure based on the hardness as-
sumption of the Computational Diffie Hellman prob-
lem. Once again, several other security properties
which our scheme satisfies are forward secrecy, resis-
tance to collusion attacks, resistance to key imperson-
ation attacks, etc. A comparison of our protocol and
other protocols is listed in the table below and this
clearly highlights the salient features of the proposed
scheme. Our scheme can also be proven secure ac-
cording to the CK and eCK models(LaMacchia et al.,
2007) which will be described in the full version of
the paper. We observe that while the id-CK+ model
is stronger than the CK model(Fujioka et al., 2012),
the eCK and CK models are incomparable(Cremers,
2011).
Table 2: Comparison of identity based key exchange proto-
cols.
Protocol Pairing-
Free
Reduced
to CDH
Active
Adver-
sary
Single
Round
Fiore
et.al
✓ ✓ ✗ ✓
Gunther
et.al
✓ ✗ ✗ ✗
Saeednia.
et.al
✓ ✗ ✗ ✓
Sree
Vivek
et.al
✓ ✗ ✓ ✓
Our
Scheme
✓ ✓ ✓ ✓
3 A CERTIFICATELESS
AUTHENTICATED KEY
EXCHANGE
PROTOCOL(CLAKE)
A certificateless key exchange protocol contains the
following six probabilistic polynomial time algo-
rithms - Setup, Partial Extract, Set Secret Value, Pub-
lic Key Generation, Private Key Generation, Key
Agreement.
Here, a particular user is denoted as U
A
and his
identity as ID
A
. Additionally, we use the following
naming scheme: UPK - User Public Key, FPK - Full
Public Key, PPK - Partial Public Key, USK - User Se-
cret Key, FSK - Full Secret Key, PSK - Partial Secret
Key.
SECRYPT2014-InternationalConferenceonSecurityandCryptography
68
• Setup(K): This algorithm is run by the KGC. It
generates the master secret key(MSK) first and
then the public parameters(params), given a secu-
rity parameter K as the input. The KGC publishes
params and keeps the MSK secret.
• Partial Extract(params, ID
A
): This algorithm is
run by the KGC. Given params and user identity
ID
A
, this algorithm generates the Partial Secret
Key(PSK) and the Partial Public Key(PPK) of a
user U
A
and sends them to the user. This can be
sent over a public or private channel.
• Set Secret Value(params, K, ID
A
, PSK): This
algorithm is run by each user to generate his user
secret key. The input to this algorithm is params,
the security parameter K, the user’s identity ID
A
and the user’s partial secret key PSK
The user secret key is not revealed to anyone.
• Public Key Generation(params, ID
A
, USK,
PPK): This algorithm is performed by the user.
The input to this algorithm is params, the user
identity ID
A
correspondingto the userU
A
, his user
secret key and his partial public key. The output
of this algorithm is the user generated public key.
The full public key has two components - the par-
tial public key together with the user public key.
• Private Key Generation(params, ID
A
, PSK,
USK): This algorithm is run by each user to gen-
erate his full private key. The input to this algo-
rithm is params, the user identity ID
A
correspond-
ing to user U
A
, his partial secret key and his user
secret key. The output is his full secret key which
is a tuple consisting of both the partial secret key
and the user secret key. This is kept secret by the
user and even KGC does not have full knowledge
about it.
• Key Agreement(params, ID
A
, ID
B
): This algo-
rithm is run by two users A and B who wish to
compute a shared secret key. In order to do so,
they take part in a session by exchanging compo-
nents and eventually compute their shared secret
which is unknown to other parties. The protocol
could be initiated by either of the two users.
Key Sanity Check:
Key sanity check is done at two different places
• User Verification: Whenever the KGC gives the
user a PPK and PSK, he runs a key sanity check
to verify if the keys given by the KGC are valid.
• Public Verification: A different user(6= U
A
), who
intends to use the public key of user U
A
to take
part in a key exchange protocol with A must first
ensure that the public key he receives is valid.
This consists of two checks - one for the partial
public key and one for the user generated public
key.
4 SECURITY MODELS FOR
CLAKE
There have been several security models proposed for
certificateless key exchange protocols. The strongest
model is the one introduced by Lippold et.al which
is based on the Canetti-Krawczyk(CK) model for key
agreement. In this paper, we define a new security
model that is an improvisation of the Lippold et.al se-
curity model. The model considers an active adver-
sary who can tamper with and replace messages going
across the network. We propose a scheme that is pair-
ing free, highly efficient and is secure in this model.
Additionally, there are several other security features
like forward secrecy, resistance to reflection attacks,
security against collusion attack etc. Our scheme also
satisfies these properties and this is discussed in more
detail later on.
Let there be n parties in the network. The protocol
may be run between any of these parties. Each run of
the protocol is called as a session and the secret key
computed in that run is called as the session key of
the two parties involved. Each session can be initi-
ated by either of the two parties involved and the user
who initiates a session is called the initiator and the
other user is called as the peer. π
t
i, j
represents the t
th
session between parties i and j which is initiated by
party i with intended partner party j. The session state
of a user with identity ID
i
taking part in a session is
the set comprising of all the components he sends to
the other user in that session.
For any certificateless crypto system, there are two
types of adversaries A
I
and A
II
. A
I
denotes a dishonest
user who can replace other users’ public keys but has
no knowledge about the master secret key. A
II
repre-
sents the malicious KGC who has knowledge of MSK
but is trusted not to replace the public keys. However,
in this model we also allow A
II
to replace public keys.
The security game runs in two stages. During
the first stage, the adversary is allowed to make the
following queries in any order:
• Hash Queries: The adversary has access to all
the hash oracles.
• Reveal Partial Secret Key (ID
i
): The challenger
responds with the partial secret key of user with
identity ID
i
.
• Reveal User Secret Key (ID
i
): The challenger
responds with the user generated secret key of the
Pairing-freeSingleRoundCertificatelessandIdentityBasedAuthenticatedKeyExchangeProtocols
69
user with identity ID
i
• Replace Partial Public Key(ID
i
, pk): The chal-
lenger first checks that the giveninput pk is a valid
partial public key for user with identity ID
i
by
running the user verification test. If it is indeed
valid, party i’s partial public key is replaced with
pk chosen by the adversary. Party i will use the
new partial public key for all communication and
computation.
• Replace User Generated Public Key(ID
i
, pk):
The challenger first checks that the given input pk
is a valid user generated public key for user with
identity ID
i
by running the public verification test.
If it is indeed valid, party i’s user generated public
key is replaced with pk chosen by the adversary.
Party i will use the new public key for all commu-
nication and computation.
• Reveal Ephemeral Key(π
t
i, j
,i ): The challenger
responds with the ephemeral secret key used by
party with identity ID
i
in session π
t
i, j
.
• Session Simulation: The adversary is allowed
to ask shared secret key queries. The adversary
queries for a shared secret belonging to a session
established between two users i and j. The adver-
sary can also emulate as one of the users, either
i or j and present the challenger with the session
state corresponding to that user. The challenger
has to generate the session state for the other user
of the session and obtain the shared secret key cor-
responding to that session. The adversary can also
query for the session secret key between the two
parties i and j from the challenger, where the ad-
versary does not impersonate any of the users. In
this case, the challenger has to generate the ses-
sion state for both the users and obtain the shared
secret key corresponding to that session and pro-
vide it to the adversary.
The key reveal queries can be classified into three
categories :
• Reveal Partial Secret Key: Which compromises
the secret generated by the KGC and given to the
user.
• Reveal User Generated Secret Key: Which com-
promises the secret generated by the user as part
of the full secret key.
• Reveal Ephemeral Secret Key: Which compro-
mises the transient secret generated by the user
for that session alone.
A user is said to be fully corrupt with respect to a
session if the adversary knows all the three secrets as-
sociated with that user for that session. At the end of
the first stage, the adversary issues a test query as fol-
lows:
Test Session:
The adversary randomly chooses a session π
t
A,B
be-
tween two users A and B for which it has not already
queried the shared secret key and for which neither
party is fully corrupted.
The challenger will toss a random bit b ∈
R
{0,1}.
If b = 0, the challenger will give the adversary the ses-
sion key K
0
of the test session. If b= 1, the challenger
will take a random shared secret key K
1
and give it to
the adversary.
The adversary can continue to make queries as in
the first phase, subject to certain restrictions which
will be described later.
Guess:
The adversary makes a guess b
′
as to which key K
0
or
K
1
was given by the challenger. The adversary wins if
b
′
= b.. The certificateless key agreement protocol is
said to be secure if no polynomial- time adversary has
non-negligible advantage in winning the above game,
i.e., distinguishing K
0
from K
1
.
Note: There is no ’send’ query present in this
model as our protocol is single round and it is a 2-
party protocol, thereby invalidating the need for it.
Also, the adversary has access to the components ex-
changed and can modify them as per its wish as it is
an active adversary.
4.1 Strong Type I Secure Certificateless
Key Agreement Scheme
A certificateless key agreement scheme is Strong
Type I secure if every probabilistic, polynomial-time
adversary E has negligible advantage in winning the
game described above subject to the following con-
straints:
• E may corrupt at most two out of three types of
secrets per party involved in the test session.
• E is allowed to replace public keys of any party.
However, this counts as the corruption of one se-
cret. Replacing the partial public key and the user
generated public key each correspond to the cor-
ruption of one secret.
• E may not ask to reveal the secret value of any
identity for which it has replaced the correspond-
ing public key. That is, E cannot ask to reveal the
partial private key if it has already replaced the
partial public key, and similarly cannot ask to re-
veal the user generated secret keyif it has replaced
the user generated public key.
• E is allowed to ask session key reveal queries even
for session keys computed by identities where E
SECRYPT2014-InternationalConferenceonSecurityandCryptography
70
has replaced either of the identities’ public keys,
but not both. Also, E is not allowed to ask for ses-
sion keys where E has replaced the public keys of
one party, and impersonates the other party gener-
ating its own ephemeral components.
• E may not replace the public keys of either of the
identities that take part in the test query’s session
before the test query has been issued. However, it
can replace their public keys after the test query
subject to the fact that the test query’s computa-
tion is done with respect to the unchanged public
keys.
• E can tamper with any message that is exchanged
between any two users in the system, i.e the
ephemeral components. However, E cannot ask
for the ephemeral key of a user in a session where
it has tampered with the components that the user
sent. In other words, replacing the ephemeral
components is also counted as corruption of one
secret.
4.2 Strong Type II Secure Certificateless
Key Agreement Scheme
A certificateless key agreement scheme is Strong
Type II secure if every probabilistic, polynomial-time
adversary E has negligible advantage in winning the
game described above subject to the following con-
straints:
• E is given the master secret key at the start of the
game. Therefore, E has knowledge of the partial
secret keys of all the users in the network.
• The rest of the properties are same as a strong type
I adversary (from the second point onwards)
4.3 Why is This Model an Extension?
This has been discussed in Appendix A.0
5 CLAKE SCHEME
• Setup(K): Given K as security parameter, the key
generating center(KGC) chooses a group G of or-
der p and generator of this group P. Then, x is
chosen randomly from Z
∗
q
. KGC sets the master
secret key(MSK) as x and sets the master public
key as xP. The KGC chooses 5 hash functions
defined below:
– H
1
: {0,1}
∗
× G× → Z
∗
q
– H
2
: {0,1}
∗
× {0,1}
∗
× G
5
→ G
– H
3
: {0,1}
∗
× G × G → Z
∗
q
– H
4
: {0,1}
∗
× G × G → Z
∗
q
– H
5
: {0,1}
∗
× G × G → Z
∗
q
KGC keeps MSK secret and makes params public,
where params = (K,xP,H
1
,H
2
,H
3
, ,H
4
,H
5
).
Note: We use the following naming scheme:
UPK - User Public Key, FPK - Full Public Key,
PPK - Partial Public Key,
USK - User Secret Key, FSK - Full Secret Key,
PSK - Partial Secret Key.
• Partial Extract(params, ID
i
): Given an iden-
tity ID
i
, the KGC does the following to generate
the partial public key(PPK) and the partial secret
key(PSK).
– Choose randomly r
i
∈
R
Z
∗
q
. Compute R
i
= rP
– Compute h
i
= H
1
(ID
i
,R
i
) and s
i
= r
i
+ xh
i
Return PSK = < s
i
> and PPK = < R
i
,s
i
P >.
Key Sanity Check by User
Now, the user can verify whether the partial keys
received from the KGC were valid using the fol-
lowing check:
– s
i
P = R
i
+ H
1
(ID
i
,R
i
)xP
If the equality is satisfied, the keys given by the
KGC are valid.
• User Secret Key(params, ID
i
, PSK): After re-
ceiving the partial keys from the KGC, a user with
identity ID
i
does the following to generate the
user secret key(USK) and user public key (UPK).
– Choose randomly y
i
∈
R
Z
∗
q
– Compute x
i
= y
i
+ s
i
H
1
(ID
i
,y
i
P)
Set USK = < x
i
> and UPK = < x
i
P,y
i
P >.
• Full Private Key(params, ID
i
, PSK, USK): The
user with identity ID
i
runs this algorithm and sets
his full private key FSK as < x
i
,s
i
>
• Full Public Key(params, ID
i
, PSK, PPK, USK
, UPK): The user with identity ID
i
runs this al-
gorithm and sets his full public key FPK as <
x
i
P,y
i
P,s
i
P,R
i
>
Key Sanity Check For Public Verification
Anyone who intends to use the public key of a
user with identity ID
i
must first ensure that the
available public key is valid. This can be done by
the following two checks:
– s
i
P = R
i
+ H
1
(ID
i
,R
i
)xP
– x
i
P = y
i
P+ H
1
(ID
i
,y
i
P)s
i
P
If both the equalities are satified, the available
public key is valid.
Pairing-freeSingleRoundCertificatelessandIdentityBasedAuthenticatedKeyExchangeProtocols
71
• Key Agreement
Two users A and B with identities ID
A
and ID
B
who wish to agree upon a shared secret key
choose ephemeral secrets respectively and engage
in a session as described below. As it is a single
round protocol, without loss of generality, let’s as-
sume that the session is initiated by A.
User A: Chooses his ephemeral components as
follows:
– Choose z
A
∈
R
Z
∗
q
and compute t
A
= z
A
+
x
A
H
1
(ID
A
,z
A
P)
A sets his ephemeral key as t
A
.
Then, A sends the following to B: <
ID
A
,t
A
P,z
A
P >.
User B: First verifies that the components he re-
ceived from A were valid using the following
check:
t
A
P = z
A
P+ H
1
(ID
A
,z
A
P)x
A
P
If the equality is satisfied, the components sent by
A are valid. This helps to detect whether an active
adversary tampered with the message. Now, user
B chooses his ephemeral components as follows:
– Choose z
B
∈
R
Z
∗
q
and compute t
B
= z
B
+
x
B
H
1
(ID
B
,z
B
P)
B sets his ephemeral key as t
B
.
Then, B sends the following to A: <
ID
B
,t
B
P,z
B
P >.
Shared Secret Computation
– User A: First verifies that the components he
received from B were valid using the following
check:
t
B
P = z
B
P+ H
1
(ID
B
,z
B
P)x
B
P
If the equality is satisfied, the components sent
by B are valid. Then, A does the following to
compute the shared secret :
∗ K
1
= {s
A
+ t
A
H
3
(ID
A
,s
A
P,t
A
P)}
{s
B
P+ H
3
(ID
B
,s
B
P,t
B
P)t
B
P}
K
2
= {x
A
+ t
A
H
4
(ID
A
,x
A
P,t
A
P)}
{x
B
P+ H
4
(ID
B
,x
B
P,t
B
P)t
B
P}
K
3
= {s
A
+ x
A
H
5
(ID
A
,s
A
P,x
A
P)}
{s
B
P+ H
5
(ID
B
,s
B
P,x
B
P)x
B
P}
SK = H
2
(ID
A
,ID
B
,t
A
P,t
B
P,K
1
,K
2
,K
3
)
The shared secret is SK.
– User B: Does the following to compute the
shared secret :
∗ K
1
= {s
A
P + H
3
(ID
A
,s
A
P,t
A
P)t
A
P} {s
B
+
H
3
(ID
B
,s
B
P,t
B
P)t
B
}
K
2
= {x
A
P + H
4
(ID
A
,x
A
P,t
A
P)t
A
P} {x
B
+
H
4
(ID
B
,x
B
P,t
B
P)t
B
}
K
3
= {s
A
P + H
5
(ID
A
,s
A
P,x
A
P)x
A
P} {s
B
+
H
5
(ID
B
,s
B
P,x
B
P)x
B
}
SK = H
2
(ID
A
,ID
B
,t
A
P,t
B
P,K
1
,K
2
,K
3
)
The shared secret is SK.
It can be observed that the shared secret com-
puted by both of them is the same.
6 SECURITY PROOF
In the following proof, all the hash functions are mod-
eled as random oracles. A brief intuition is described
in appendix A.1
6.1 Proof for Type I Adversary
Theorem 1: If there exists an adversary A
I
that can
break the abovescheme with probability ε in time t
adv
,
then there exists a challenger C who can solve the
CDH problem with probability atleast ε
′
in time t
ch
, such that
ε
′
≥ ε{(1/9t∗ q
2
h
1
)(1−
1
q
)(1−
4
q
pkr
)(1−
2
q
ekq
)}
and ε
′
is a non-negligible quantity if ε is non-
negligible.
t
ch
= S + t
adv
+ (q
1
+ q
2
+ q
3
+ q
4
+ q
5
+ q
ekq
+
q
psq
+ q
usq
+ q
f pq
+ q
sq
+ q
pkr
)O(1) which is polyno-
mial if the time taken by the adversary is polynomial.
q
id
= number of distinct identities queried by the ad-
versary, q = order of the group G in which the hard
problem can be solved by adversary to break the sys-
tem. q
i
= number of queries to the H
i
hash ora-
cle(where i = 1,2..5). q
ekq
= number of ephemeral
key queries , q
psq
= number of partial extract queries,
q
usq
= number of user secret keyqueries, q
f pq
= num-
ber of full public key queries , q
sq
= number of sim-
ulation queries, q
pkr
= number of public key replace-
ments made and S represents the time taken for the
calculations performed by the challenger after the ad-
versary returns his guess.
Proof: Let C be given an instance of the CDH
problem (P,aP,bP). Suppose there exists a type
I adversary, who is capable of breaking the key
agreement scheme above, then C’s aim is to find the
value of abP.
Setup: The challenger C must set up the system
exactly as given in the scheme. C chooses a random
number x ∈ Z
∗
q
and sets the MSK as x and the master
public key as xP. The master public key is given
to the adversary while the master secret key is not
revealed. C then chooses five hash functions, H
i
,
where i = 1, 2..5 and models them as random oracles.
Also C maintains a list l
i
for each hash function to
maintain consistency. C also maintains a list l
id
for
storing all the keys. Each entry of l
id
is of the form
SECRYPT2014-InternationalConferenceonSecurityandCryptography
72
< ID, FPK, PSK,USK,FSK,PPK,UPK, X
i
,Y
i
>,
where the bits X
i
and Y
i
are used to determine whether
the partial and user generated public keys have been
replaced or not.
Training Phase: The adversary A
1
makes use of all
the oracles provided by C. The system is simulated
in such a way that A
1
cannot differentiate between a
real and a simulated system that is provided by C.
Choosing the Target Identities:
In the oracle O
H
1
(ID
i
,(R
j
))
, the adversary asks q
h
1
queries and expects a response from the challenger
for each of them. Since the adversary can query on
the same ID and different R
j
’s, the number of distinct
identities queried is different from q
h
1
. Let that num-
ber be q
id
. 1 ≤ q
id
≤ q
h
1
. The challenger randomly
chooses two queries with different identities ID
A
and ID
B
sets the target identities to be those. Also,
the challenger chooses a random number t such that
1 ≤ t ≤ q
h
1
and sets the test session to be π
t
A,B
. There
are six secrets corresponding to the identities taking
part in the test session. They are :
s
A
,x
A
,t
A
which are the partial secret key, user secret
key and ephemeral secret key of A respectively and
s
B
,x
B
,t
B
which are the partial secret key, user secret
key and ephemeral secret key of B respectively.
6.1.1 Case 1
The adversary doesn’t know the ephemeral keys t
A
and t
B
of the test session.
• Oracle O
H
1
(ID
i
,R
i
):
A list l
h
1
is maintained of the form < ID
i
,R
i
,h
i
>.
C responds as follows:
– If < ID
i
,R
i
,h
i
> already exists in the list then
respond with value h
i
from the list.
– Else, choose a h
i
∈
R
Z
∗
q
. Return h
i
and add the
tuple, < ID
i
,R
i
,h
i
> to the list.
The response to the other hash oracles is similar
to the first one and is not described here.
• Oracle Partial Extract: C responds as follows:
– If values corresponding to ID
i
already exists on
the list l
id
, then return s
i
as PSK and (R
i
,s
i
P) as
PPK from the list
– Else,
Choose r
i
∈
R
Z
∗
q
. Compute R
i
= r
i
P
Compute h
i
= H
1
(ID
i
,R
i
) and s
i
= r
i
+ xh
i
.
Output < s
i
> as the PSK and < s
i
P,R
i
> as
PPK. Add these values to the list l
id
in the entry
corresponding to ID
i
.
Lemma 1: The above oracle outputs valid PSK
and PPK
Proof: It can be seen that the outputs given by the
oracle satisfy the condition for a valid PPK, PSK.
• Oracle User Private Key: Challenger responds
as follows:
– If values corresponding to ID
i
already exists on
the list, then return < s
i
,x
i
> from the list.
– Else, if s
i
is already in the list l
id
, in the entry
corresponding to ID
i
, retrieve them.
Else run the partial key extract oracle and re-
trieve that value.
Choose y
i
∈
R
Z
∗
q
Compute h
i
= H
1
(ID
i
,y
i
P) and x
i
= y
i
+ s
i
h
i
.
Output < x
i
> as the user generated private key
and add it to the list l
id
. The corresponding user
public key is < x
i
P,y
i
P >
• Oracle Public Key Generation: Challenger re-
sponds as follows:
– If values corresponding to ID
i
already exists on
the list, then return < x
i
P,y
i
P,R
i
,s
i
P > from it.
– Else, if (R
i
,s
i
P) are already in the list l
id
, in the
entry corresponding to ID
i
, retrieve them. Else
run the partial key extract oracle and retrieve
those values.
If (y
i
P,x
i
P) are already in the list l
id
, in the en-
try corresponding to ID
i
, retrieve them. Else
run the user private key extract oracle and re-
trieve those values.
Output (R
i
,s
i
P,y
i
P,x
i
P) as the full public key.
Add these values to the list l
id
in the entry cor-
responding to ID
i
and set X
i
= 0,Y
i
= 0.
Lemma 2: The above oracle for public key gen-
eration outputs a valid full public key.
Proof: It can be observed that the output gener-
ated by the oracle passes the key sanity check for
public verification mentioned in the scheme.
• Oracle Partial Public Key Replace: If the ad-
versary tries to replace the partial public key for
the identities taking part in the key exchange be-
fore the test query has been issued, the challenger
will abort. Else, the adversary sends the values
< ID,R
i
,s
i
P> to the challenger C. The challenger
runs the key sanity check for verifying the partial
public key. If the test succeds it adds these values
to the list in the entry corresponding to ID and
sets X
i
= 1 to indicate that the partial public key
has been replaced. Further key exchanges for this
identity use this value of the partial public key.
• Oracle User Generated Public Key Replace:
If the adversary tries to replace the user gener-
ated public key for the identities taking part in
the key exchange before the test query has been
issued, the challenger will abort. Else, the adver-
sary sends the values < ID,y
i
P,x
i
P > to the chal-
lenger C. The challenger runs the public key veri-
Pairing-freeSingleRoundCertificatelessandIdentityBasedAuthenticatedKeyExchangeProtocols
73
fication test. If the test succeds it adds these values
to the list in the entry correspondingto ID and sets
Y
i
= 1 to indicate that the user public key has been
replaced. Further key exchanges for this identity
use this value of the user public key.
• Oracle Reveal Ephemeral Key: Challenger re-
sponds as follows:
– If the adversary asks to reveal the ephemeral
key for the identities taking part in the key ex-
change for the session corresponding to the test
session, the challenger will abort.
– If values corresponding to ID
i
for the session
π
t
ij
already exists, then return < t
i
>.
– Else, if x
i
is already in the list l
id
, in the entry
corresponding to ID
i
, retrieve them.
Else run the user private key oracle and retrieve
that value.
Choose z
i
∈
R
Z
∗
q
Compute h
i
= H
1
(ID
i
,z
i
P) and t
i
= z
i
+ x
i
h
i
.
Output < t
i
> as the ephemeral key and store
that value.
• Session Simulation:
The adversary asks for the shared secret between
two users i and j for a session t. The adversary
can also act as one of the users and present the
session state of that user and ask the challenger
to generate the session state of the other user and
compute the shared secret key.
Case1: The adversary does not act as either of the
users.
The challenger generates the ephemeral com-
ponents of both the parties and gives the fol-
lowing to the adversary: The session state of
i as (ID
i
,T
i
,z
i
P) and the session state of j as
(ID
j
,T
j
,z
j
P). Now, the adversary could have cor-
rupted two out of the three secrets of both the par-
ties i and j. Also, the adversary could have re-
placed the public keys of either user. Suppose
it was for user j. The challenger computes the
shared secret sk the same way user i would since
he knows the secret keys of i. The challenger
returns sk to the adversary as the shared secret.
Similarly, if the adversary had replaced i’s public
keys, the challenger would have computed sk the
same way j would have. The other cases where
the adversary didn’t replace the public keys of ei-
ther party but corrupted the parties by just learn-
ing the secrets are easily covered as the challenger
can compute the secret key the same way as either
party would. Also, cases where the adversary re-
placed only one of the two possible public keys of
one user are weaker cases than the above and can
be easily handled.
Case 2: The adversary acts as user j and sends
the session state to the challenger. The challenger
generates the ephemeral components of user i and
gives the following to the adversary: The session
state of i as (ID
i
,T
i
,z
i
P). Here, the challenger
may or may not know the ephemeral secret key of
j. The adversary could have corrupted two out of
the three secrets of both the parties i and j. Also,
the adversary could have replaced the public keys
of either user. Suppose it was for user j. Then, the
challenger computes the shared secret sk the same
way user i would as he knows the secret keys of i.
The challenger returns sk to the adversary as the
shared secret. If the adversary had replaced the
public keys of user i, then the challenger aborts as
this is not allowed as per the security model de-
scribed earlier.
• Test Session:
The adversary gives the following session id π
t
i, j
to the challenger. Since the adversary knows 4 of
the secrets s
A
,x
A
,s
B
,x
B
, the challenger injects the
hard problem instance in the ephemeral compo-
nents in the following way :
– Compute t
A
P = aP , t
B
P = bP, implicitly set-
ting t
A
= a,t
B
= b
– Choose two random values c,d
– Compute z
A
P = t
A
P− cx
A
P,z
B
P = t
B
P− dx
B
P
– Set H
1
(ID
A
,z
A
P) = c and H
1
(ID
B
,z
B
P) = d
The challenger sends the adversary the session
state of A as (ID
A
,t
A
P,z
A
P) and the session state
of B as (ID
B
,t
B
P,z
B
P).
Next, the challenger chooses a random group
element Z and sends that to the adversary as
the shared secret. This won’t be a valid shared
secret key. So, if the adversary breaks the
scheme, he would guess that this isn’t a valid
shared secret key and return the bit 1. But
in order to find that this is invalid the adver-
sary should have queried the H
2
oracle with
a valid tuple (ID
A
,ID
B
,t
A
P,t
B
P,k
1
AB
,k
2
AB
,k
3
AB
).
Using this query, the challenger can solve
the CDH problem by computing S =
k
1
AB
− (s
A
)(S
B
P) − s
A
(t
B
P)H
3
(ID
B
,s
B
P,t
B
P) −
(s
B
)(t
A
P)H
3
(ID
A
,s
A
P,t
A
P)
The challenger returns S as the solution to the
hard problem.
• Correctness:
– We know that k
1
AB
= (s
A
+t
A
H
3
(ID
A
,s
A
P,t
A
P))
(s
B
P+ t
B
PH
3
(ID
B
,s
B
P,t
B
P))
– This shows that S = t
A
t
B
P
– Since t
A
= a , t
B
= b implicitly, S is the solution
to the CDH problem.
SECRYPT2014-InternationalConferenceonSecurityandCryptography
74
Probability Analysis:
The challenger fails only if any of the following
events occur:
– E
1
: The test session chosen by the adversary
is not the same as the one chosen by the chal-
lenger.
– E
2
: An invalid public key replacement by the
adversary was not detected.
– E
3
: The adversary tried to replace the partial
public key or the user generated public key for
one of the identities in the test session.
– E
4
: The adversary asked to reveal the
ephemeral key for one of the identities in the
test session for the session corresponding to the
test session.
Let t be the maximum number of sessions be-
tween any two parties.
Pr[E
1
] = (1− 1/(t ∗ q
2
h
1
)) ; Pr[E
2
] =
1
q
Pr[E
3
] =
4
q
pkr
; Pr[E
4
] =
2
q
ekq
Therefore, the probability of the challenger being
successful is atleast Pr[¬(E
1
∨E
2
∨E
3
∨E
4
)]. And
the advantage of the adversary is ε. Also,there
are 9 possible cases that could happen with equal
probability. Thus,
ε
′
≥ ε{(1/9t ∗ q
2
h
1
)(1−
1
q
)(1−
4
q
pkr
)(1−
2
q
ekq
)}
and ε
′
is non-negligible whenever ε is non-
negligible.
Also, it can be easily seen that t
ch
= S + t
adv
+
(q
1
+ q
2
+ q
3
+ q
4
+ q
5
+ q
ekq
+ q
psq
+ q
usq
+
q
f pq
+ q
sq
+ q
pkr
)O(1).
The other 8 cases are described in the below table:
Table 3: Security Proof for Type 1 adversary.
Case Unknown
to Adver-
sary
Hard problem
2 t
A
,s
B
t
A
P = aP, s
B
P = bP
3 t
A
,x
B
t
A
P = aP, x
B
P = bP
4 s
A
,s
B
s
A
P = aP, s
B
P = bP
5 s
A
,x
B
s
A
P = aP, x
B
P = bP
6 s
A
,t
B
s
A
P = aP, t
B
P = bP
7 x
A
,s
B
x
A
P = aP, s
B
P = bP
8 x
A
,x
B
x
A
P = aP, x
B
P = bP
9 x
A
,t
B
x
A
P = aP, t
B
P = bP
6.2 Proof for Type II Adversary
The proof is very similar to the proof in the case of
the type I adversary and will be described in the full
version of the paper.
7 ADDITIONAL SECURITY
PROPERTIES
Our proposed CLAKE scheme satisfies several addi-
tional security properties which are described in ap-
pendix A.2.
8 AN IDENTITY BASED KEY
EXCHANGE PROTOCOL(IBKE)
In IBKE protocols, the KGC maintains the master
public key and master secret key and generates the
private key s
i
for each user. An identity based key
exchange protocol contains the following three proba-
bilistic polynomial time algorithms - Setup, Key Gen-
eration, Key Agreement.
Here, a particular user is denoted as U
A
and his iden-
tity as ID
A
. Additionally, we use the following nam-
ing scheme: UPK - User Public Key. USK - User
Private Key.
• Setup(K): This algorithm is run by the KGC. It
generates the master secret key(MSK) first and
then the public parameters(params), given a secu-
rity parameter K as the input. Along with the other
information, params additionally contains α. The
KGC publishes params and keeps the MSK secret.
• Key Generation(params, ID
A
): This algorithm
is run by the KGC. Given params and user iden-
tity ID
A
, this algorithm generates the private key
of the user (USK) and the corresponding public
Key(UPK) and sends them to the user. This can
be sent over a public or private channel.
• Key Agreement(params,ID
A
, ID
B
): This algo-
rithm is run by two users A and B who wish to
compute a shared secret key. In order to do so,
they take part in a session by exchanging compo-
nents and eventually compute their shared secret
which is unknown to other parties. The protocol
could be initiated by either of the two users.
We follow the id-CK+ model used by Fujioka et.al
which is based on the Canetti-Krawczyk(CK) model
for key agreement. We describe it in more detail in
Appendix A.3
9 IDENTITY BASED SCHEME
• Setup(K): Given K as security parameter, the key
generating center(KGC) chooses a group G of or-
der p and generator of this group P. Then x is cho-
sen randomly from Z
∗
q
. The KGC sets the master
Pairing-freeSingleRoundCertificatelessandIdentityBasedAuthenticatedKeyExchangeProtocols
75
secret key(MSK) as x and sets the master public
key as xP. The KGC chooses 3 hash functions
defined below:
– H
1
: {0,1}
∗
× G× → Z
∗
q
– H
2
: {0,1}
∗
× { 0,1}
∗
× G
5
→ G
– H
3
: {0,1}
∗
× G × G → Z
∗
q
The KGC keeps the MSK secret and makes
params public, where params = (K,xP,H
1
,H
2
,H
3
,
,H
4
,H
5
).
Note: We use the following naming scheme:
UPK - User Public KeyUSK - User Private Key
• Key Generation(params, ID
i
): Given an identity
ID
i
, the KGC does the following to generate the
public key(UPK) and the private key(USK) of the
user.
– Choose randomly r
i
∈
R
Z
∗
q
. Compute R
i
= rP
– Compute h
i
= H
1
(ID
i
,R
i
), s
i
= r
i
+ xh
i
– Return USK = < s
i
> and UPK = R
i
,s
i
P.
Key Sanity Check by User
Same as in the CLAKE scheme where the user
verifies the partial keys received from the KGC.
• Key Agreement
The two users A and B with identities ID
A
and
ID
B
who wish to agree upon a shared secret key
choose ephemeral secret components respectively
and then engage in a session as described below.
Without loss of generality, let’s assume that the
session is initiated by A.
User A: Chooses his ephemeral components as
follows:
– Choose z
A
∈
R
Z
∗
q
and compute t
A
= z
A
+
s
A
H
1
(ID
A
,z
A
P)
A sets his ephemeral key as t
A
. Then, A sends the
following to B: < ID
A
,t
A
P,z
A
P >
User B: First verifies that the components he re-
ceived from A were valid using the following
check:
t
A
P = z
A
P+ H
1
(ID
A
,z
A
P)s
A
P
If the equality is satisfied, the components sent by
A are valid. Now, user B chooses his ephemeral
components as follows:
– Choose z
B
∈
R
Z
∗
q
and compute t
B
= z
B
+
s
B
H
1
(ID
B
,z
B
P)
B sets his ephemeral key as t
B
. Then, B sends the
following to A: < ID
B
,t
B
P,z
B
P >
Shared Secret Computation
– User A: First verifies that the components he
received from B were valid using the following
check:
t
B
P = z
B
P+ H
1
(ID
B
,z
B
P)s
B
P
If the equality is satisfied, the components sent
by B are valid. User A does the following to
compute the shared secret :
∗ K
1
= {s
A
+ t
A
H
3
(ID
A
,s
A
P,t
A
P)}
{s
B
P+ H
3
(ID
B
,s
B
P,t
B
P)t
B
P}
SK = H
2
(ID
A
,ID
B
,t
A
P,t
B
P,K
1
)
The shared secret is SK
– User B: Does the following to compute the
shared secret :
∗ K
1
= {s
A
P + H
3
(ID
A
,s
A
P,t
A
P)t
A
P} {s
B
+
H
3
(ID
B
,s
B
P,t
B
P)t
B
}
SK = H
2
(ID
A
,ID
B
,t
A
P,t
B
P,K
1
)
The shared secret is SK.
The shared secret computed by both of them is
the same.
The proof will be given in the full version of the
paper. Our proposed identity based key agreement
scheme satisfies all the additional security properties
described in section 7. A detailed proof of security
for all of them will be given in the full version of the
paper.
10 CONCLUSION
In this paper, we propose a security model for certifi-
cateless key exchange protocols that is an extension
of previously existing models. We note that previ-
ously existing pairing-free protocols are not secure in
this model and we design a highly efficient pairing-
free certificateless authenticated key exchange pro-
tocol that is secure in this model. Our scheme also
has the advantages of having a single round of com-
munication between the pair of users and there is no
predefined order in which messages are exchanged
between the users. Also, our scheme is the first
pairing-free certificateless key exchange protocol se-
cure based on the CDH assumption. The previously
existing schemes were secure based on much stronger
assumptions like the Gap-Diffie Hellman assumption.
Finally, we use a restriction of our scheme to design
an efficient pairing-free identity based key agreement
protocol that is secure in the id-CK+ security model
and we prove its security based on the hardness as-
sumption of the CDH problem. Our identity based
scheme is also a single round protocol. Addition-
ally, both our schemes satisfy several other security
properties such as resistance to collusion attacks, for-
ward secrecy etc. We prove the security of both our
schemes in the random oracle model. An open prob-
lem is to design schemes satisfying all these proper-
ties that is proven secure in the standard model.
SECRYPT2014-InternationalConferenceonSecurityandCryptography
76
REFERENCES
Canetti, R. and Krawczyk, H. (2001). Analysis of key-
exchange protocols and their use for building secure
channels. In Advances in CryptologyEUROCRYPT
2001, pages 453–474. Springer.
Cao, X., Kou, W., and Du, X. (2010). A pairing-
free identity-based authenticated key agreement pro-
tocol with minimal message exchanges. Inf. Sci.,
180(15):2895–2903.
Cremers, C. (2011). Examining indistinguishability-based
security models for key exchange protocols: the case
of ck, ck-hmqv, and eck. In Proceedings of the
6th ACM Symposium on Information, Computer and
Communications Security, pages 80–91. ACM.
Fiore, D. and Gennaro, R. (2010). Making the diffie-
hellman protocol identity-based. In Topics in
Cryptology-CT-RSA 2010, pages 165–178. Springer.
Fujioka, A., Suzuki, K., Xagawa, K., and Yoneyama, K.
(2012). Strongly secure authenticated key exchange
from factoring, codes, and lattices. In Public Key
Cryptography–PKC 2012, pages 467–484. Springer.
Geng, M. and Zhang, F. (2009). Provably secure certificate-
less two-party authenticated key agreement protocol
without pairing. In Computational Intelligence and
Security, 2009. CIS’09. International Conference on,
volume 2, pages 208–212. IEEE.
G¨unther, C. G. (1990). An identity-based key-exchange
protocol. In Advances in CryptologyEurocrypt89,
pages 29–37. Springer.
He, D., Padhye, S., and Chen, J. (2012). An efficient certifi-
cateless two-party authenticated key agreement pro-
tocol. Computers & Mathematics with Applications,
64(6):1914–1926.
Islam, S. and Biswas, G. (2012). An improved pairing-free
identity-based authenticated key agreement protocol
based on ecc. Procedia Engineering, 30:499–507.
Krawczyk, H. (2005). Hmqv: A high-performance secure
diffie-hellman protocol. In Advances in Cryptology–
CRYPTO 2005, pages 546–566. Springer.
LaMacchia, B., Lauter, K., and Mityagin, A. (2007).
Stronger security of authenticated key exchange. In
Provable Security, pages 1–16. Springer.
Lippold, G., Boyd, C., and Nieto, J. G. (2009). Strongly
secure certificateless key agreement. In Pairing-
Based Cryptography–Pairing 2009, pages 206–230.
Springer.
Lippold, G. and Nieto, J. G. (2010). Certificateless key
agreement in the standard model. In Proceedings of
the Eighth Australasian Conference on Information
Security-Volume 105, pages 75–85. Australian Com-
puter Society, Inc.
Saeednia, S. (2000). Improvement of gunther’s identity-
based key exchange protocol. Electronics Letters,
36(18):1535–1536.
Sun, H., Wen, Q., Zhang, H., and Jin, Z. (2013). A novel
pairing-free certificateless authenticated key agree-
ment protocol with provable security. Frontiers of
Computer Science, 7(4):544–557.
Swanson, C. and Jao, D. (2009). A study of two-party
certificateless authenticated key-agreement protocols.
In Progress in Cryptology-INDOCRYPT 2009, pages
57–71. Springer.
Vivek, S. S., Selvi, S. S. D., Venkatesan, L. R., and Ran-
gan, C. P. (2013). Efficient, pairing-free, authenticated
identity based key agreement in a single round. In
Provable Security, pages 38–58. Springer.
Yang, G. and Tan, C.-H. (2011). Strongly secure certificate-
less key exchange without pairing. In Proceedings of
the 6th ACM Symposium on Information, Computer
and Communications Security, pages 71–79. ACM.
APPENDIX A.0 - EXTENSION
The model we have defined in this paper is an ex-
tension of the Lippold et.al model because we allow
the adversary to replace both the partial public keys
and user generated public keys. Furthermore, we give
the adversary the freedom to replace either of the two
alone and not necessarily both, and possibly have a
chance to get the other secret. For example, the ad-
versary could replace the partial public key and ask
for the user generated secret key of a user. In the
Lippold et.al model, the adversary was only given the
power to replace the user generated public key and
not the partial public key generated by the KGC (such
a notion was not present in the model). Also, in our
scheme, we provide a sanity check which helps a user
to determine whether the ephemeral messages he re-
ceived were infact sent by the intended party or were
modified by an active adversary. Note that in a single
round protocol only sanity checks and error detection
are possible and not error correction if the adversary
tampered with the message.
APPENDIX A.1 - INTUITION
Here is a brief intuition behind the security proof of
the scheme. Observe that there are totally six secret
components for the parties A and B taking part in the
test session. They are s
A
,x
A
,t
A
corresponding to the
secrets of party A and s
B
,x
B
,t
B
corresponding to the
secrets of party B. The adversary can access at most
four of the above six components and not more than
two out of the three secrets per party. As a result,
we will inject the hard problem instance in the other
two components which are not revealed to the adver-
sary. This explains the necessity for the three equa-
tions K
1
,K
2
and K
3
in the key agreement as each of
them contain a few components that would help to
compute the solution to the hard problem depending
on which of the secrets the adversary has queried. In
Pairing-freeSingleRoundCertificatelessandIdentityBasedAuthenticatedKeyExchangeProtocols
77
other words, in some situations we would use K
1
to
compute the solution to the hard problem and in other
cases K
2
or K
3
depending on the queries made by the
adversary.
APPENDIX A.2 - ADDITIONAL
SECURITY PROPERTIES
• Strong Forward Secrecy: Learning the private
keys of parties should not affect the security of
the shared secret key.
• Resistance to Reflection Attacks: Both parties
in the session have the same identity.
• Resistance to Collusion Attack: Several users
should not be able to collude and compute the se-
cret keys of some other user.
• Resistance to Key Compromise Impersonation
Attacks: The knowledge of a user’s full private
key should not allow the adversary to impersonate
another party to that user.
• Resistance to Ephemeral Key Compromise Im-
personation Attacks: The knowledge of a user’s
ephemeral key in one session should not allow
an adversary to impersonate another party to that
user.
• Known Session Key Security: A compromised
session key does not compromise past or future
sessions.
• Unknown Key Share: A user A cannot be co-
erced into sharing a key with C when infact A
thinks he is sharing a key with B.
A more detailed definition and the proof of security
for all these properties will be described in the full
version of the paper.
APPENDIX A.3 - SECURITY
MODEL FOR IBKE
There have been several security models proposed for
identity based key exchange protocols. We follow the
id-CK+ model used by Fujioko et.al which is based on
the Canetti-Krawczyk(CK) model for key agreement.
We propose a scheme that is pairing free, highly effi-
cient and is secure in this model. Additionally, there
are several security features that are still not covered
in the model like forward secrecy, resistance to reflec-
tion attacks, security against collusion attack etc. Our
scheme also satisfies these properties and this is dis-
cussed in more detail later on.
We consider an adversary who is given access to
the private keys of polynomial number of users. It
can also impersonate as any other user. This is the
strongest adversary and we prove our scheme secure
against this type of adversary.
Let there be n parties in the network. The protocol
may be run between any of these parties. Each run of
the protocol is called as a session and the secret key
computed in that run is called as the session key of the
two parties involved. Each session can be initiated by
either of the two parties involved and the user who
initiates a session is called the initiator and the other
user is called as the peer. π
t
i, j
represents the t
th
session
between parties i and j which is initiated by party i
with intended partner party j. The session state of a
user with identity ID
i
taking part in a session is the
set comprising all the components he sends the other
user in that session.
The security game runs in two stages. During the
first stage, the adversary is allowed to make the fol-
lowing queries in any order:
• Hash Queries: The adversary has access to all the
hash oracles.
• Party Corruption(ID
i
): The challenger responds
with the private key of the user with identity ID
i
• Reveal Ephemeral Key(π
t
i, j
,i ): The challenger
responds with the ephemeral secret key used by
party with identity ID
i
in session π
t
i, j
.
• Session Simulation: The adversary is allowed
to ask shared secret key queries. The adversary
queries for a shared secret belonging to a session
established between two users i and j. The adver-
sary can also emulate as one of the users, either
i or j and present the challenger with the session
state corresponding to that user. The challenger
has to generate the session state for the other user
of the session and obtain the shared secret key cor-
responding to that session. The adversary can also
query for the session secret key between the two
parties i and j from the challenger, where the ad-
versary does not impersonate any of the user. In
this case the challenger has to generate the session
state for both the users and obtain the shared se-
cret key corresponding to that session and provide
it to the adversary.
A party is said to be fully corrupted with respect
to a session if the adversary knows both the private
key and the ephemeral secret key. At the end of the
first stage, the adversary issues a test query as follows:
Test Session:
This is same as in the test session in the security
model for CLAKE.
SECRYPT2014-InternationalConferenceonSecurityandCryptography
78
