Practical and Exposure-resilient Hierarchical ID-based Authenticated
Key Exchange without Random Oracles
Kazuki Yoneyama
NTT Secure Platform Laboratories, 3-9-11 Midori-cho Musashino-shi Tokyo 180-8585, Japan
Keywords:
Authenticated Key Exchange, Hierarchical ID-based Authenticated Key Exchange, Exposure-resilience.
Abstract:
ID-based authenticated key exchange (ID-AKE) is a cryptographic tool to establish a common session key between parties with authentication based on their IDs. If IDs contain some hierarchical structure, such as an e-mail address, hierarchical ID-AKE (HID-AKE) is especially suitable because of its scalability. However, most existing HID-AKE schemes do not satisfy advanced security properties such as forward secrecy, and the only known strongly secure HID-AKE scheme is inefficient. In this paper, we propose a new HID-AKE scheme which achieves both strong security and efficiency. We prove that our scheme is eCK-secure (which ensures maximal-exposure-resilience including forward secrecy) without random oracles, while existing schemes are proved secure in the random oracle model. Moreover, the number of messages and pairing operations is independent of the hierarchy depth; that is, the scheme is really scalable and practical for a large system.
1 INTRODUCTION
Authenticated Key Exchange (AKE) is a cryptographic primitive to share a common session key among multiple parties through unauthenticated networks such as the Internet. In the ordinary PKI-based setting, each party locally keeps his own static secret key (SSK) and publishes a static public key (SPK) corresponding to the SSK. The validity of SPKs is guaranteed by a certificate authority. In a key exchange session, each party generates an ephemeral secret key (ESK) and sends an ephemeral public key (EPK) corresponding to the ESK. A session key is derived from these keys with a key derivation function.
ID-based AKE (ID-AKE) is a variant of AKE whose purpose is to remove the management of certificates. Similar to the basic scenario of ID-based encryption (IBE) such as (Boneh and Franklin, 2001; Boneh and Boyen, 2004; Waters, 2005), a trusted key generation center (KGC) generates a master key (MSK), and generates the SSKs of all parties from the MSK according to their IDs. Various ID-AKE schemes have been studied (Chen et al., 2007; Huang and Cao, 2009; Fiore and Gennaro, 2010). ID-AKE enjoys the same merit as IBE: no need for a PKI, and IDs are used instead of SPKs. However, at the same time, a scalability problem is inherited: the workload for a KGC becomes burdensome when running on a large system.
To resolve the scalability problem, hierarchical ID-AKE (HID-AKE) is useful. In HID-AKE, key generation can be decentralized through a hierarchy where intermediate nodes in the hierarchy can derive the SSKs for each of their children. For example, the ID of a party $U$ at level $t$ is represented as $(ID_1, ID_2, \ldots, ID_t)$, and the party can generate the SSK of any party whose ID is $(ID_1, ID_2, \ldots, ID_t, \ast)$, where $\ast$ denotes a wild-card. Thus, it is enough that the KGC just generates the MSK and the SSKs of the first-level parties. The situation is very close to the motivation of hierarchical IBE (HIBE) such as (Horwitz and Lynn, 2002; Gentry and Silverberg, 2002; Boneh and Boyen, 2004; Boneh et al., 2005; Gentry and Halevi, 2009). Various typical IDs contain hierarchical structures, such as an e-mail address.
There are existing non-interactive HID-AKE schemes (Blundo et al., 1998; Eschenauer and Gligor, 2002; Ramkumar et al., 2005; Gennaro et al., 2008). Since these schemes can establish a session key without any interaction, their communication efficiency is optimal. However, the non-interactive setting cannot avoid abandoning several important security properties such as forward secrecy. Forward secrecy means that an adversary cannot recover a session key even if the SSKs are compromised after the completion of the session. Also, in contrast with the ID-AKE setting, we have to consider collusion resistance in the HID-AKE setting. Collusion resistance means that disclosure of a party's SSK does not compromise the SSKs of higher-level parties. Unfortunately, the above schemes only partially satisfy collusion resistance; that is, if more SSKs in a level than a threshold are compromised, the SSK of a higher-level party is also compromised.

Yoneyama, K. Practical and Exposure-resilient Hierarchical ID-based Authenticated Key Exchange without Random Oracles. DOI: 10.5220/0004525705180523. In Proceedings of the 10th International Conference on Security and Cryptography (SECRYPT-2013), pages 518-523. ISBN: 978-989-8565-73-0. Copyright (c) 2013 SCITEPRESS (Science and Technology Publications, Lda.)
There is only one existing HID-AKE scheme (Fujioka et al., 2010) which satisfies both forward secrecy and collusion resistance. Its authors formulate a security model by extending the extended Canetti-Krawczyk (eCK) security model (LaMacchia et al., 2007). We refer to their model as the HID-eCK model. The HID-eCK model captures maximal-exposure-resilience, which means that an adversary is allowed to obtain any non-trivial¹ combination of the MSK, SSKs, and ESKs individually. Thus, maximal-exposure-resilience implies forward secrecy and collusion resistance. Exposure of such secret keys can occur in real-world applications. The MSK is exposed when the KGC is corrupted. An SSK is revealed if an implementer chooses to generate SSKs on an insecure host machine in order to avoid the randomness generation mechanism of a tamper-proof module such as a smart card. Also, if the pseudo-random number generator implemented in a system is poor, ESKs will be known to the adversary. Therefore, considering such fail-safe security is very important when applying a cryptographic scheme to practical systems.
Though the scheme of (Fujioka et al., 2010) satisfies strong security, it has two drawbacks. One is the assumption: the security proof is given in the random oracle (RO) model, and a strong negative result (Canetti et al., 1998; Canetti et al., 2004) is known for the realizability of ROs. The other is efficiency: the number of messages and pairing operations grows with the hierarchy depth. If we want to apply this scheme in a large system, it will be impractical.
1.1 Our Contribution
In this paper, we propose the first HID-AKE scheme
resolving all problems of existing schemes. Our
scheme has several advantages compared with exist-
ing schemes. We show a comparison in Table 1.
Constant-size Overhead in Communication and Computation. We construct our HID-AKE scheme using HIBE as the main building block. Though the previous scheme (Fujioka et al., 2010) is also constructed from an HIBE scheme (Gentry and Silverberg, 2002), it inherits the inefficiency of that HIBE scheme; that is, the number of messages and pairing operations depends on the hierarchy depth. On the other hand, we use another HIBE scheme (Boneh et al., 2005; Park and Lee, 2007) in which the number of messages and pairing operations is constant. Specifically, the total messages sent by a party in a session are only two group elements, and a signature and a verification key of a one-time signature. The total number of pairing operations is only four. Remarkably, our scheme is more efficient in computation than (Fujioka et al., 2010) when the hierarchy depth is higher than 2, even though (Fujioka et al., 2010) is proved in the RO model while our scheme is proved without ROs. Moreover, our scheme also becomes more efficient in communication than (Fujioka et al., 2010) when the hierarchy depth is higher than 7.

¹ If both the SSK and the ESK of a party in the target session are revealed, the adversary trivially obtains the session key for any scheme. Similarly, if both the MSK and an ESK in the target session are revealed, the adversary also trivially wins. This condition is defined as freshness.
Maximal-Exposure-Resilience. We prove the security of our scheme in the HID-eCK model (Fujioka et al., 2010). Since the HID-eCK model ensures maximal-exposure-resilience, our scheme satisfies this strong notion of security. A key technique to achieve HID-eCK security is the twisted pseudo-random function (PRF) trick (Fujioka et al., 2012). This trick neutralizes the effect of exposure of ESKs as long as the SSKs are not revealed: with it, we can prevent an adversary from obtaining any information about a session key from revealed ESKs. Moreover, we devise the session key derivation procedure to include a shared secret computed only from the ESKs in the session, as a countermeasure to exposure of the MSK or SSKs. If the MSK or all SSKs are exposed, the adversary cannot learn this shared secret because she does not know the ESKs. For a detailed discussion, please see Section 3.1.
Security Proof without Random Oracles. All (provably secure) existing schemes (Blundo et al., 1998; Eschenauer and Gligor, 2002; Ramkumar et al., 2005; Gennaro et al., 2008; Fujioka et al., 2010) use ROs for deriving a session key. This makes security proofs easy to understand, because a simulator can arbitrarily manage the value of session keys thanks to the programmability of ROs in security reductions. Conversely, without ROs, we must simulate session keys exactly according to the protocol. Our solution is to apply the technique for simulating decryption queries from the HIBE scheme (Park and Lee, 2007) under the decisional bilinear Diffie-Hellman exponent (q-DBDHE) assumption. With this technique we can manage session keys correctly.
PracticalandExposure-resilientHierarchicalID-basedAuthenticatedKeyExchangewithoutRandomOracles
519
Table 1: Comparison of existing HID-AKE schemes and our scheme.

| Scheme | Exposure Resilient? | Model | Assumption | Computation [#pairings, #regular-exp] | Communication complexity | Communication (128-bit instantiation, bits) |
|---|---|---|---|---|---|---|
| (Gennaro et al., 2008) | no | ROM | DBDH | [1, ℓ] | none | 0 |
| (Fujioka et al., 2010) | yes | ROM | GBDH | [3ℓ − 1, ℓ + 2] | 2ℓκ | 256ℓ |
| Ours | yes | StdM | (q + 1)-DBDHE | [4, ℓ + 14] | 13κ | 1664 |

DBDH means the Decisional Bilinear Diffie-Hellman assumption. GBDH means the gap Bilinear Diffie-Hellman assumption. We show an instantiation with the Mohassel signature (Mohassel, 2010) as the strongly unforgeable one-time signature in our scheme. For concreteness, the expected ciphertext overhead for a 128-bit implementation is also given. Note that computational costs are estimated without any pre-computation technique or multi-exponentiation technique.
2 PRELIMINARIES
In this section, we recall the definitions of the building blocks. The HID-eCK security model is given in (Fujioka et al., 2010).

Throughout this paper we use the following notation. If $M$ is a set, then by $m \leftarrow_R M$ we denote that $m$ is sampled uniformly from $M$. If $R$ is an algorithm, then by $y \leftarrow R(x; r)$ we denote that $y$ is output by $R$ on input $x$ and randomness $r$ (if $R$ is deterministic, $r$ is empty).
2.1 Bilinear Group
Let $G$ and $G_T$ be cyclic groups of prime order $p$ where $g$ is a generator of $G$. We say that $e : G \times G \to G_T$ is a bilinear map if for all $X, Y \in G$ and $a, b \in \mathbb{Z}_p$, $e(X^a, Y^b) = e(X, Y)^{ab}$, and $e(g, g) = g_T \neq 1$. We say that $G$ is a bilinear group if the map $e$ and the group operations in $G$ and $G_T$ can be computed efficiently.
2.2 Decisional Bilinear Diffie-Hellman Exponent Assumption
The $q$-DBDHE problem is as follows. A distinguisher $D$ is given a $(2q+2)$-tuple $(g, h, g^{x}, \ldots, g^{x^{q}}, g^{x^{q+2}}, \ldots, g^{x^{2q}}, T)$, where $h \leftarrow_R G$ and $x \leftarrow_R \mathbb{Z}_p$. Let $\vec{g}_{x,q} = (g^{x}, \ldots, g^{x^{q}}, g^{x^{q+2}}, \ldots, g^{x^{2q}})$. For distinguisher $D$, we define the advantage

$$\mathrm{Adv}^{\mathrm{DBDHE}}(D) = \left| \Pr[D(g, h, \vec{g}_{x,q}, T = e(g,h)^{x^{q+1}}) = 1] - \Pr[D(g, h, \vec{g}_{x,q}, T = R) = 1] \right|,$$

where $R \leftarrow_R G_T$, and the probability is taken over the choices of $(x, h, R)$ and the random tape of $D$.

Definition 2.1 (Decisional Bilinear Diffie-Hellman Exponent Assumption). We say that the $q$-DBDHE assumption in $G$ and $G_T$ holds if for every PPT distinguisher $D$, the advantage $\mathrm{Adv}^{\mathrm{DBDHE}}(D)$ is negligible in the security parameter $\kappa$.

The validity of the DBDHE assumption is proved in the generic group model in (Boneh et al., 2005).
3 EXPOSURE-RESILIENT HIERARCHICAL ID-BASED AKE WITHOUT ROs
We construct an HID-AKE scheme based on the HIBE schemes of (Boneh et al., 2005; Park and Lee, 2007). By applying the twisted PRF trick (Fujioka et al., 2012), the proposed scheme satisfies HID-eCK security.
3.1 Design Principle
The problems to be solved are roughly classified into two: one is to resist exposure of ESKs, and the other is to resist exposure of the MSK and SSKs. We must solve both without the help of ROs.

For the first problem, we use the twisted PRF trick described in Section 1.1. The twisted PRF means that two PRFs $(F, F')$ with reversed key positions are used; that is, we choose two ESKs $(esk, esk')$ and compute $F(esk, ssk) \oplus F'(ssk, esk')$, where $ssk$ is a part of the SSK. It is especially effective in the following two scenarios: exposure of both ESKs of the parties in a session, and exposure of the SSK of the session owner together with the ESK of the session peer. If $(esk, esk')$ are revealed, $F(esk, ssk)$ cannot be computed without knowing $ssk$. Similarly, if $ssk$ is revealed, $F'(ssk, esk')$ cannot be computed without knowing $esk'$. In the construction, the outputs of the twisted PRF are used as the randomness to generate EPKs. Therefore, we can prevent the adversary from obtaining any information about this randomness, because both the SSK and the ESK of a party cannot be revealed according to the freshness definition.
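The following added example (not the paper's code) implements step 1 of the EPK computation from Section 3.2 with this trick: the three values s_A, rand_gen and rand_sig are each F(w_odd, esk) XOR F(esk', w_even). HMAC-SHA256 stands in for the abstract PRFs F_ke, F_gen and F_sig (a label separates the three), the key is taken to be the second argument as in the types F : {0,1}^* × FS → ... on the page, and the group order P is a constructed stand-in for the κ-bit prime p.

```python
"""Step 1 of the EPK computation in Section 3.2: the three twisted-PRF
outputs (s_A, rand_{A,gen}, rand_{A,sig}). Each value is
    F(w_odd, esk) XOR F(esk', w_even),
so one half is keyed by an ephemeral secret and the other by a static one.
Added example, not the paper's code: HMAC-SHA256 stands in for F_ke, F_gen
and F_sig (a label separates the three PRFs), and the key is taken to be
the second argument, following the types F : {0,1}^* x FS -> ... on the page.
"""
import hashlib
import hmac
import secrets

P = (1 << 127) - 1  # constructed stand-in for the kappa-bit group order p
KEYLEN = 32         # |FS| in bytes; the page only requires it to exceed kappa


def F(label: bytes, x: bytes, key: bytes) -> bytes:
    """F_label(x, key): a PRF keyed by `key` on input `x` (HMAC-SHA256)."""
    return hmac.new(key, label + x, hashlib.sha256).digest()


def twisted_prf(label: bytes, w_odd: bytes, esk: bytes,
                esk_prime: bytes, w_even: bytes) -> bytes:
    """F(w_odd, esk) XOR F(esk', w_even).
    If the ESK (esk, esk') leaks, the second half is still keyed by the
    static w_even; if the SSK part (w_odd, w_even) leaks, the first half is
    still keyed by the ephemeral esk. Freshness forbids leaking both."""
    half1 = F(label, w_odd, esk)          # keyed by ephemeral esk
    half2 = F(label, esk_prime, w_even)   # keyed by static w_even
    return bytes(a ^ b for a, b in zip(half1, half2))


def new_static_prf_keys() -> list:
    """w_1, ..., w_6 <-R FS, the PRF-key part of an SSK."""
    return [secrets.token_bytes(KEYLEN) for _ in range(6)]


def new_esk() -> dict:
    """ESK_A = (esk_ke, esk'_ke, esk_gen, esk'_gen, esk_sig, esk'_sig) <-R FS^6."""
    return {tag: (secrets.token_bytes(KEYLEN), secrets.token_bytes(KEYLEN))
            for tag in ("ke", "gen", "sig")}


def epk_step1(w: list, esk: dict):
    """Return (s_A, rand_gen, rand_sig) paired exactly as step 1 pairs them:
    (w_1, w_2) with esk_ke, (w_3, w_4) with esk_gen, (w_5, w_6) with esk_sig."""
    s_bytes = twisted_prf(b"ke", w[0], esk["ke"][0], esk["ke"][1], w[1])
    # F_ke maps into Z_p; reducing the PRF output mod p is a simplification.
    s_a = int.from_bytes(s_bytes, "big") % P
    rand_gen = twisted_prf(b"gen", w[2], esk["gen"][0], esk["gen"][1], w[3])
    rand_sig = twisted_prf(b"sig", w[4], esk["sig"][0], esk["sig"][1], w[5])
    return s_a, rand_gen, rand_sig
```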
For the second problem, we add a shared secret to the derivation of the session key. The shared secret has the form $e(g, h)^{s_A s_B}$, where $g$ and $h$ are a part of the public parameter, and $s_A$ and $s_B$ are a part of the outputs of the twisted PRF generated by $U_A$ and $U_B$ respectively. Since the EPKs include $g^{s_A}$ and $g^{s_B}$, $e(g, h)^{s_A s_B}$ can be computed if $s_A$ or $s_B$ is known. On the other hand, an adversary who knows neither $s_A$ nor $s_B$ cannot compute $e(g, h)^{s_A s_B}$ even if she obtains the MSK and all SSKs. Note that the adversary cannot reveal both the SSK (or the MSK) and the ESK of a party.
3.2 Construction
Parameters. Let $\kappa$ be the security parameter. Let $G, G_T$ be bilinear groups with pairing $e : G \times G \to G_T$ of order a $\kappa$-bit prime $p$, with generators $g$ and $g_T = e(g, g)$ respectively. Let $\ell$ be the maximum depth of the hierarchy in the system. Let $(Gen, Sign, Ver)$ be a one-time signature scheme such that a verification key is an element of $\mathbb{Z}_p$. Let $F_{ke} : \{0,1\}^* \times FS \to \mathbb{Z}_p$, $F_{gen} : \{0,1\}^* \times FS \to RS_{gen}$, $F_{sig} : \{0,1\}^* \times FS \to RS_{sig}$, and $F_{kdf} : \{0,1\}^* \times FS \to \{0,1\}^{\kappa}$ be pseudo-random functions, where $FS$ is the key space of the PRFs (the length of keys is larger than $\kappa$), $RS_{gen}$ is the randomness space of $Gen$, and $RS_{sig}$ is the randomness space of $Sign$. The public parameter $Params$ is $(F_{ke}, F_{gen}, F_{sig}, F_{kdf}, G, G_T, g, g_T, g_1, g_2, g_3, g_4, h_1, \ldots, h_\ell)$, where $g_1 = g^{z}$ for $z \leftarrow_R \mathbb{Z}_p$, and $g_2, g_3, g_4, h_1, \ldots, h_\ell \leftarrow_R G$. The master secret key $MSK$ is $g_2^{z}$.
Key Generation. There are two ways to generate a static secret key: from the MSK, and from a higher-level SSK. The static secret key $SSK_{ID}$ for $ID = (ID_1, \ldots, ID_i)$ ($i \le \ell$) is generated from $MSK$ as

$$SSK_{ID} = \bigl( MSK \cdot (h_1^{ID_1} \cdots h_i^{ID_i} \cdot g_3)^{r},\ g^{r},\ g_4^{r},\ h_{i+1}^{r}, \ldots, h_\ell^{r},\ w_1, w_2, w_3, w_4, w_5, w_6 \bigr),$$

where $r \leftarrow_R \mathbb{Z}_p$ and $w_1, w_2, w_3, w_4, w_5, w_6 \leftarrow_R FS$. Also, the static secret key $SSK_{ID}$ for $ID = (ID_1, \ldots, ID_i)$ ($i \le \ell$) can be generated from $SSK_{ID'} = (u_0, u_1, u_2, v_i, \ldots, v_\ell, w_1, w_2, w_3, w_4, w_5, w_6)$ for $ID' = (ID_1, \ldots, ID_{i-1})$ as

$$SSK_{ID} = \bigl( u_0 \cdot v_i^{ID_i} \cdot (h_1^{ID_1} \cdots h_i^{ID_i} \cdot g_3)^{r'},\ u_1 \cdot g^{r'},\ u_2 \cdot g_4^{r'},\ v_{i+1} \cdot h_{i+1}^{r'}, \ldots, v_\ell \cdot h_\ell^{r'},\ w_1 \oplus w'_1, w_2 \oplus w'_2, w_3 \oplus w'_3, w_4 \oplus w'_4, w_5 \oplus w'_5, w_6 \oplus w'_6 \bigr),$$

where $r' \leftarrow_R \mathbb{Z}_p$ and $w'_1, w'_2, w'_3, w'_4, w'_5, w'_6 \leftarrow_R FS$.
Key Exchange. In the following description, user $U_A$ has static secret key $SSK_{ID_A} = (u_{A,0}, u_{A,1}, u_{A,2}, v_{A,\alpha+1}, \ldots, v_{A,\ell}, w_{A,1}, w_{A,2}, w_{A,3}, w_{A,4}, w_{A,5}, w_{A,6})$ corresponding to $ID_A = (ID_{A,1}, \ldots, ID_{A,\alpha})$, and user $U_B$ has static secret key $SSK_{ID_B} = (u_{B,0}, u_{B,1}, u_{B,2}, v_{B,\beta+1}, \ldots, v_{B,\ell}, w_{B,1}, w_{B,2}, w_{B,3}, w_{B,4}, w_{B,5}, w_{B,6})$ corresponding to $ID_B = (ID_{B,1}, \ldots, ID_{B,\beta})$.

$U_A$ chooses ephemeral secret key $ESK_A = (esk_{A,ke}, esk'_{A,ke}, esk_{A,gen}, esk'_{A,gen}, esk_{A,sig}, esk'_{A,sig}) \leftarrow_R FS^6$, and computes ephemeral public key $EPK_A$ as follows:

1. compute $s_A = F_{ke}(w_{A,1}, esk_{A,ke}) \oplus F_{ke}(esk'_{A,ke}, w_{A,2})$, $rand_{A,gen} = F_{gen}(w_{A,3}, esk_{A,gen}) \oplus F_{gen}(esk'_{A,gen}, w_{A,4})$, and $rand_{A,sig} = F_{sig}(w_{A,5}, esk_{A,sig}) \oplus F_{sig}(esk'_{A,sig}, w_{A,6})$.
2. run $Gen(1^{\kappa}; rand_{A,gen})$, and obtain signing key $sk_A$ and verification key $vk_A$.
3. compute $C_{A,1} = g^{s_A}$ and $C_{A,2} = (h_1^{ID_{B,1}} \cdots h_\beta^{ID_{B,\beta}} \cdot g_4^{vk_A} \cdot g_3)^{s_A}$.
4. run $Sign_{sk_A}((C_{A,1}, C_{A,2}); rand_{A,sig})$, and obtain signature $\sigma_A$.
5. send ephemeral public key $EPK_A = (C_{A,1}, C_{A,2}, \sigma_A, vk_A)$, $ID_A$ and $ID_B$ to user $U_B$.

$U_B$ chooses ephemeral secret key $ESK_B = (esk_{B,ke}, esk'_{B,ke}, esk_{B,gen}, esk'_{B,gen}, esk_{B,sig}, esk'_{B,sig}) \leftarrow_R FS^6$, and computes ephemeral public key $EPK_B$ as follows:

1. compute $s_B = F_{ke}(w_{B,1}, esk_{B,ke}) \oplus F_{ke}(esk'_{B,ke}, w_{B,2})$, $rand_{B,gen} = F_{gen}(w_{B,3}, esk_{B,gen}) \oplus F_{gen}(esk'_{B,gen}, w_{B,4})$, and $rand_{B,sig} = F_{sig}(w_{B,5}, esk_{B,sig}) \oplus F_{sig}(esk'_{B,sig}, w_{B,6})$.
2. run $Gen(1^{\kappa}; rand_{B,gen})$, and obtain signing key $sk_B$ and verification key $vk_B$.
3. compute $C_{B,1} = g^{s_B}$, and $C_{B,2} = (h_1^{ID_{A,1}} \cdots h_\alpha^{ID_{A,\alpha}} \cdot g_4^{vk_B} \cdot g_3)^{s_B}$.
4. run $Sign_{sk_B}((C_{B,1}, C_{B,2}); rand_{B,sig})$, and obtain signature $\sigma_B$.
5. send ephemeral public key $EPK_B = (C_{B,1}, C_{B,2}, \sigma_B, vk_B)$, $ID_B$ and $ID_A$ to user $U_A$.

Upon receiving $EPK_B$, $U_A$ checks whether $1 = Ver_{vk_B}((C_{B,1}, C_{B,2}), \sigma_B)$, and aborts if not. Otherwise, $U_A$ derives the session key $SK$ as follows:

1. compute $s_A = F_{ke}(w_{A,1}, esk_{A,ke}) \oplus F_{ke}(esk'_{A,ke}, w_{A,2})$, and the shared secrets $\sigma_1 = e(g_1, g_2)^{s_A}$, $\sigma_2 = e(C_{B,1}, u_{A,0} \cdot u_{A,2}^{vk_B}) / e(C_{B,2}, u_{A,1})$, and $\sigma_3 = e(C_{B,1}, g_3)^{s_A}$.
2. set the session transcript $ST = (ID_A, ID_B, EPK_A, EPK_B)$, and compute the session key $SK = F_{kdf}(ST, \sigma_1) \oplus F_{kdf}(ST, \sigma_2) \oplus F_{kdf}(ST, \sigma_3)$.
PracticalandExposure-resilientHierarchicalID-basedAuthenticatedKeyExchangewithoutRandomOracles
521
Upon receiving $EPK_A$, $U_B$ checks whether $1 = Ver_{vk_A}((C_{A,1}, C_{A,2}), \sigma_A)$, and aborts if not. Otherwise, $U_B$ derives the session key $SK$ as follows:

1. compute $s_B = F_{ke}(w_{B,1}, esk_{B,ke}) \oplus F_{ke}(esk'_{B,ke}, w_{B,2})$, and the shared secrets $\sigma_1 = e(C_{A,1}, u_{B,0} \cdot u_{B,2}^{vk_A}) / e(C_{A,2}, u_{B,1})$, $\sigma_2 = e(g_1, g_2)^{s_B}$, and $\sigma_3 = e(C_{A,1}, g_3)^{s_B}$.
2. set the session transcript $ST = (ID_A, ID_B, EPK_A, EPK_B)$, and compute the session key $SK = F_{kdf}(ST, \sigma_1) \oplus F_{kdf}(ST, \sigma_2) \oplus F_{kdf}(ST, \sigma_3)$.
Correctness. The shared secrets that both parties compute are

$$\sigma_1 = e\bigl(g^{s_A},\ g_2^{z} \cdot (h_1^{ID_{B,1}} \cdots h_\beta^{ID_{B,\beta}} \cdot g_3)^{r_B} \cdot g_4^{r_B vk_A}\bigr) \big/ e\bigl((h_1^{ID_{B,1}} \cdots h_\beta^{ID_{B,\beta}} \cdot g_4^{vk_A} \cdot g_3)^{s_A},\ g^{r_B}\bigr) = e(g^{s_A}, g_2^{z}) = e(g_1, g_2)^{s_A},$$

$$\sigma_2 = e\bigl(g^{s_B},\ g_2^{z} \cdot (h_1^{ID_{A,1}} \cdots h_\alpha^{ID_{A,\alpha}} \cdot g_3)^{r_A} \cdot g_4^{r_A vk_B}\bigr) \big/ e\bigl((h_1^{ID_{A,1}} \cdots h_\alpha^{ID_{A,\alpha}} \cdot g_4^{vk_B} \cdot g_3)^{s_B},\ g^{r_A}\bigr) = e(g^{s_B}, g_2^{z}) = e(g_1, g_2)^{s_B},$$

$$\sigma_3 = e(g^{s_B}, g_3)^{s_A} = e(g, g_3)^{s_A s_B} = e(g^{s_A}, g_3)^{s_B}.$$

Therefore, they can compute the same session key $SK$.
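The following added example (not the paper's code) exercises these three equations, including an SSK obtained by delegation from a parent. It replaces the real bilinear groups with a toy symmetric "pairing" over the additive group Z_p (g^a is a mod p, X·Y is X+Y, X^a is a·X, e(X,Y) is X·Y mod p), which is bilinear and so checks the exponent bookkeeping but has no security whatsoever; the IDs, the prime P, the random vk stand-ins for the one-time signature keys, and the direct sampling of s_A and s_B (instead of the twisted PRF) are all constructed assumptions, and the PRF keys w_1..w_6 are omitted.

```python
"""Checks the Correctness equations of Section 3.2: U_A and U_B end up with
the same (sigma_1, sigma_2, sigma_3) whether an SSK came from the MSK or was
delegated by a parent. Added example, not the paper's code. A toy symmetric
"pairing" over the additive group Z_p plays the role of (G, G_T, e):
g^a is a mod p, X*Y is X+Y, X^a is a*X, e(X, Y) is X*Y mod p. It is bilinear,
so it exercises the exponent bookkeeping, but it has no security at all
(discrete logs are trivial). Signature keys vk are random stand-ins, the
PRF keys w_1..w_6 are omitted, and s_A, s_B are drawn directly at random."""
import secrets

P = (1 << 61) - 1   # constructed prime order of the toy groups


def rnd() -> int:
    return secrets.randbelow(P - 1) + 1


def e(x: int, y: int) -> int:
    """Toy pairing: e(X^a, Y^b) = ab*XY = e(X, Y)^{ab} holds in Z_p."""
    return x * y % P


class Params:
    """Params = (g, g_1 = g^z, g_2, g_3, g_4, h_1..h_ell); MSK = g_2^z."""
    def __init__(self, ell: int):
        self.ell, self.z = ell, rnd()
        self.g1 = self.z                 # g = 1 in the toy group, so g^z = z
        self.g2, self.g3, self.g4 = rnd(), rnd(), rnd()
        self.h = [None] + [rnd() for _ in range(ell)]   # h[1..ell]
        self.msk = self.g2 * self.z % P

    def hprod(self, ids: list) -> int:
        """h_1^{ID_1} ... h_i^{ID_i} * g_3, written additively."""
        return (sum(i * hj for i, hj in zip(ids, self.h[1:])) + self.g3) % P


def keygen_from_msk(pp: Params, ids: list) -> dict:
    """SSK_ID = (MSK*(h...g_3)^r, g^r, g_4^r, h_{i+1}^r..h_ell^r)."""
    r = rnd()
    return {"u0": (pp.msk + r * pp.hprod(ids)) % P, "u1": r,
            "u2": r * pp.g4 % P,
            "v": {j: r * pp.h[j] % P for j in range(len(ids) + 1, pp.ell + 1)}}


def delegate(pp: Params, parent: dict, ids: list) -> dict:
    """SSK_ID from SSK_ID' with ID' = ids[:-1], re-randomised by r'."""
    i, rp = len(ids), rnd()
    return {"u0": (parent["u0"] + ids[-1] * parent["v"][i] + rp * pp.hprod(ids)) % P,
            "u1": (parent["u1"] + rp) % P,
            "u2": (parent["u2"] + rp * pp.g4) % P,
            "v": {j: (parent["v"][j] + rp * pp.h[j]) % P for j in range(i + 1, pp.ell + 1)}}


def epk(pp: Params, s: int, peer_ids: list, vk: int):
    """C_1 = g^s and C_2 = (h_1^{ID_1}...h_beta^{ID_beta} * g_4^vk * g_3)^s."""
    return s % P, s * (pp.hprod(peer_ids) + vk * pp.g4) % P


def derive(pp: Params, ssk: dict, s_own: int, c1: int, c2: int, vk_peer: int):
    """Own-side e(g_1,g_2)^s, peer-side e(C_1, u0*u2^vk)/e(C_2, u1), and e(C_1,g_3)^s."""
    own = e(pp.g1, pp.g2) * s_own % P
    peer = (e(c1, (ssk["u0"] + vk_peer * ssk["u2"]) % P) - e(c2, ssk["u1"])) % P
    third = e(c1, pp.g3) * s_own % P
    return own, peer, third


def run_session(ell: int = 4) -> bool:
    """One exchange between ID_A = (11, 22) and ID_B = (33, 44, 55) (constructed)."""
    pp = Params(ell)
    id_a, id_b = [11, 22], [33, 44, 55]
    ssk_a = delegate(pp, keygen_from_msk(pp, id_a[:1]), id_a)   # via parent (11)
    ssk_b = keygen_from_msk(pp, id_b)                           # straight from MSK
    s_a, s_b, vk_a, vk_b = rnd(), rnd(), rnd(), rnd()
    ca1, ca2 = epk(pp, s_a, id_b, vk_a)
    cb1, cb2 = epk(pp, s_b, id_a, vk_b)
    sig1_a, sig2_a, sig3_a = derive(pp, ssk_a, s_a, cb1, cb2, vk_b)   # U_A's view
    sig2_b, sig1_b, sig3_b = derive(pp, ssk_b, s_b, ca1, ca2, vk_a)   # U_B's view
    return (sig1_a, sig2_a, sig3_a) == (sig1_b, sig2_b, sig3_b)
```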
4 SECURITY
The proposed HID-AKE scheme is selective-ID secure in the HID-eCK security model under the $(q+1)$-DBDHE assumption.

Theorem 4.1. If the $(q+1)$-DBDHE assumption in $G$ and $G_T$ holds, and $(Gen, Sign, Ver)$ is strongly unforgeable, then the proposed HID-AKE scheme is selective-ID secure in the HID-eCK model.

The proof of Theorem 4.1 will be given in the full version. Here, we provide an intuitive sketch of the proof.
Proof (Sketch). We have to consider the following four maximal exposure patterns in the HID-eCK model (matching cases):

(a) the SSK of $U_A$ and the ESK of $U_B$
(b) the SSK of $U_B$ and the ESK of $U_A$
(c) both ESKs
(d) both SSKs

In case (a), $\sigma_1$ is protected by the security of $C_{A,1}$ and $C_{A,2}$ because $esk'_{A,ke}$, $esk'_{A,gen}$ and $esk'_{A,sig}$ are not exposed; thus, $F_{ke}(esk'_{A,ke}, w_{A,2})$, $F_{gen}(esk'_{A,gen}, w_{A,4})$ and $F_{sig}(esk'_{A,sig}, w_{A,6})$ are hidden by the PRF property, and $SSK_{ID_B}$ is not exposed either. In case (b), $\sigma_2$ is protected by the security of $C_{B,1}$ and $C_{B,2}$ because $esk'_{B,ke}$, $esk'_{B,gen}$ and $esk'_{B,sig}$ are not exposed; thus, $F_{ke}(esk'_{B,ke}, w_{B,2})$, $F_{gen}(esk'_{B,gen}, w_{B,4})$ and $F_{sig}(esk'_{B,sig}, w_{B,6})$ are hidden by the PRF property, and $SSK_{ID_A}$ is not exposed either. In case (c), $\sigma_3$ is protected because $w_{A,1}$, $w_{A,3}$, $w_{A,5}$, $w_{B,1}$, $w_{B,3}$ and $w_{B,5}$ are not exposed; thus, $F_{ke}(w_{A,1}, esk_{A,ke})$, $F_{gen}(w_{A,3}, esk_{A,gen})$, $F_{sig}(w_{A,5}, esk_{A,sig})$, $F_{ke}(w_{B,1}, esk_{B,ke})$, $F_{gen}(w_{B,3}, esk_{B,gen})$ and $F_{sig}(w_{B,5}, esk_{B,sig})$ are hidden by the PRF property. In case (d), $\sigma_3$ is protected because $esk'_{A,ke}$, $esk'_{A,gen}$, $esk'_{A,sig}$, $esk'_{B,ke}$, $esk'_{B,gen}$ and $esk'_{B,sig}$ are not exposed; thus, $F_{ke}(esk'_{A,ke}, w_{A,2})$, $F_{gen}(esk'_{A,gen}, w_{A,4})$, $F_{sig}(esk'_{A,sig}, w_{A,6})$, $F_{ke}(esk'_{B,ke}, w_{B,2})$, $F_{gen}(esk'_{B,gen}, w_{B,4})$ and $F_{sig}(esk'_{B,sig}, w_{B,6})$ are hidden by the PRF property.
Then, we transform the HID-eCK security game so that the session key in the test session is randomly distributed. First, we change part of the twisted PRF in the test session into a random function, because the key of that part of the twisted PRF is hidden from the adversary; therefore, the randomness for generating the ciphertexts, the signature key pair and the signature is randomly distributed. Next, we change the shared secret $\sigma$ into a random value for each pattern; therefore, the input to the PRF is randomly distributed and has sufficient min-entropy. Finally, we change one of the PRFs (the one corresponding to the replaced $\sigma$) into a random function. Therefore, the session key in the test session is randomly distributed; thus, the adversary has no advantage. A similar proof can be given for the non-matching cases.
REFERENCES

Blundo, C., Santis, A. D., Herzberg, A., Kutten, S., Vaccaro, U., and Yung, M. (1998). Perfectly Secure Key Distribution for Dynamic Conferences. In Inf. Comput. 146(1), pages 1–23.

Boneh, D. and Boyen, X. (2004). Efficient Selective-ID Secure Identity-Based Encryption Without Random Oracles. In EUROCRYPT 2004, pages 223–238.

Boneh, D., Boyen, X., and Goh, E.-J. (2005). Hierarchical Identity Based Encryption with Constant Size Ciphertext. In EUROCRYPT 2005, pages 440–456.

Boneh, D. and Franklin, M. K. (2001). Identity-Based Encryption from the Weil Pairing. In CRYPTO 2001, pages 213–229.

Canetti, R., Goldreich, O., and Halevi, S. (1998). The Random Oracle Methodology, Revisited (Preliminary Version). In STOC 1998, pages 209–218.

Canetti, R., Goldreich, O., and Halevi, S. (2004). The Random Oracle Methodology, Revisited. In J. ACM 51(4), pages 557–594.

Chen, L., Cheng, Z., and Smart, N. P. (2007). Identity-based Key Agreement Protocols From Pairings. In Int. J. Inf. Sec. 6(4), pages 213–241.

Eschenauer, L. and Gligor, V. D. (2002). A key-management scheme for distributed sensor networks. In ACM Conference on Computer and Communications Security 2002, pages 41–47.

Fiore, D. and Gennaro, R. (2010). Making the Diffie-Hellman Protocol Identity-Based. In CT-RSA 2010, pages 165–178.

Fujioka, A., Suzuki, K., Xagawa, K., and Yoneyama, K. (2012). Strongly Secure Authenticated Key Exchange from Factoring, Codes, and Lattices. In Public Key Cryptography 2012, pages 467–484.

Fujioka, A., Suzuki, K., and Yoneyama, K. (2010). Hierarchical ID-Based Authenticated Key Exchange Resilient to Ephemeral Key Leakage. In IWSEC 2010, pages 164–180.

Gennaro, R., Halevi, S., Krawczyk, H., Rabin, T., Reidt, S., and Wolthusen, S. D. (2008). Strongly-Resilient and Non-interactive Hierarchical Key-Agreement in MANETs. In ESORICS 2008, pages 49–65.

Gentry, C. and Halevi, S. (2009). Hierarchical Identity Based Encryption with Polynomially Many Levels. In TCC 2009, pages 437–456.

Gentry, C. and Silverberg, A. (2002). Hierarchical ID-Based Cryptography. In ASIACRYPT 2002, pages 548–566.

Horwitz, J. and Lynn, B. (2002). Toward Hierarchical Identity-Based Encryption. In EUROCRYPT 2002, pages 466–481.

Huang, H. and Cao, Z. (2009). An ID-based Authenticated Key Exchange Protocol Based on Bilinear Diffie-Hellman Problem. In ASIACCS 2009, pages 333–342.

LaMacchia, B., Lauter, K., and Mityagin, A. (2007). Stronger Security of Authenticated Key Exchange. In ProvSec 2007, pages 1–16.

Mohassel, P. (2010). One-Time Signatures and Chameleon Hash Functions. In Selected Areas in Cryptography 2010, pages 302–319.

Park, J. H. and Lee, D. H. (2007). Direct Chosen-Ciphertext Secure Hierarchical ID-Based Encryption Schemes. In EuroPKI 2007, pages 94–109.

Ramkumar, M., Memon, N. D., and Simha, R. (2005). A hierarchical key pre-distribution scheme. In IEEE EIT 2005.

Waters, B. (2005). Efficient Identity-Based Encryption Without Random Oracles. In EUROCRYPT 2005, pages 114–127.
PracticalandExposure-resilientHierarchicalID-basedAuthenticatedKeyExchangewithoutRandomOracles
523