Two-Pass Authenticated Key Exchange with Explicit Authentication and Tight Security

Liu, Xiangyu; Liu, Shengli; Gu, Dawu; Weng, Jian

doi:10.1007/978-3-030-64834-3_27

Two-Pass Authenticated Key Exchange with Explicit Authentication and Tight Security

Xiangyu Liu^10,11,
Shengli Liu^10,11,12,
Dawu Gu¹⁰ &
…
Jian Weng¹³

Conference paper
First Online: 05 December 2020

1971 Accesses
15 Citations

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 12492))

Abstract

We propose a generic construction of 2-pass authenticated key exchange (AKE) scheme with explicit authentication from key encapsulation mechanism (KEM) and signature (SIG) schemes. We improve the security model due to Gjøsteen and Jager [Crypto2018] to a stronger one. In the strong model, if a replayed message is accepted by some user, the authentication of AKE is broken. We define a new security notion named “IND-mCPA with adaptive reveals” for KEM. When the underlying KEM has such a security and SIG has unforgeability with adaptive corruptions, our construction of AKE equipped with counters as states is secure in the strong model, and stateless AKE without counter is secure in the traditional model. We also present a KEM possessing tight “IND-mCPA security with adaptive reveals” from the Computation Diffie-Hellman assumption in the random oracle model. When the generic construction of AKE is instantiated with the KEM and the available SIG by Gjøsteen and Jager [Crypto2018], we obtain the first practical 2-pass AKE with tight security and explicit authentication. In addition, the integration of the tightly IND-mCCA secure KEM (derived from PKE by Han et al. [Crypto2019]) and the tightly secure SIG by Bader et al. [TCC2015] results in the first tightly secure 2-pass AKE with explicit authentication in the standard model.

You have full access to this open access chapter, Download conference paper PDF

1 Introduction

Among the primitives, algorithms and protocols in public key cryptography, authenticated key exchange (AKE) [1, 4, 6,7,8, 11, 15, 20, 22] is by far the most widely deployed one in the real world. For example, TLS [21] implements AKE to compute shared session keys for peer communication parties. There are several billions of active users in Facebook, Instagram, Wechat, etc., which lead to more than $2^{30}$ TLS handshakes daily [11]. AKE allows two communication parties to share a session key, which is then used to provide security for the later communications of the two parties. The wide deployment of AKE pushes its security to paramount importance. The security of AKE consists of two aspects. One aspect considers passive adversaries, and it requires the pseudorandomness of the shared session key. The other considers authentication to detect active adversaries. The authentication functionality of AKE guarantees the identification of the parties and the integrity of the messages transmitted during AKE, by detecting message modification, discard, insertion, etc., from adversaries. There are two types of authentication, explicit authentication [1, 4, 7, 11, 20] and implicit authentication [6, 8, 15, 16, 22]. Implicit authentication detects active attacks in the later communication (after the completion of key exchange), while explicit authentication detects active attacks during the execution of AKE. Explicit authentication enjoys its own advantages. Once the authentication fails, the protocol execution stops and no subsequent messages follow any more, avoiding unnecessary computation and communication.

The security of AKE (also other cryptographic primitives) is achieved by a security reduction under proper security model. Security reduction transforms the ability of a successful adversary $\mathcal {A}$ to an algorithm $\mathcal {B}$ solving a well-known hard problem. If $\mathcal {A}$ wins with probability $\epsilon $, then $\mathcal {B}$ solves the problem with probability $\epsilon /L$. The parameter L is called the security loss factor. If L is a constant (or $O(\lambda )$ with $\lambda $ security parameter), the security reduction is tight (almost tight). The loose factor L is generally a polynomial of $\mu $, the number of users, and $\ell $, the number of executions per user. Given a loose security reduction, the deployment of AKE has to choose a larger security parameter to compensate the loss factor L, resulting in larger elements and slower computations in the execution of AKE. Taking $\mu \approx 2^{30}$ into account, this will lead to a great efficiency loss of AKE. Therefore, pursuing tight security of AKE is not only of theoretical value but also of practical significance.

1.1 Tightly Secure Authenticated Key Exchange

AKE is generally implemented in the multi-user setting, and it is quite possible for an adversary $\mathcal {A}$ to adaptively obtain session keys of some protocol instances and/or long-term secret keys of corrupted users. This is formalized by the reveal and corruption queries of $\mathcal {A}$ in the security model. The security of AKE asks authentication and indistinguishability. Roughly speaking, authentication requires that if a party $P_i$ uses received messages to compute a session key and accepts it, then the messages must be sent from another (unique) party $P_j$, instead of $\mathcal {A}$. Indistinguishability characterizes the pseudorandomness of the session key, which is successfully generated and accepted by two parties.

A good choice for AKE is the 2-pass signed Diffie-Hellman protocol [7]. It uses a signature (SIG) scheme to provide authentication and a DH-like key encapsulation mechanism (KEM) to provide indistinguishability, where $P_i$ contributes $pk=g^a$, $P_j$ contributes $C=g^b$ and the session key is $K=g^{ab}$. However, as shown by Gjøsteen and Jager [11], it is hard to achieve tight security due to the following “commitment problem”: in the reduction, if the DDH challenge $(g^x,g^y,g^z)$ is embedded in the challenge session, then it can not be revealed, and vice verse. Hence, the reduction algorithm has to guess the challenge session (from $\mu \ell $ sessions) and embed the DDH problem into it. That is reason why many protocols [7, 16, 18] have a loose factor $L=\mu \ell $ (or quadratic factor $L=\mu ^2 \ell ^2$).

To deal with the “commitment problem”, Gjøsteen and Jager [11] suggested to add an extra hash commitment $G(g^a)$ as the first message, resulting in a 3-pass signed DH protocol with tight security.

Up to now, there are only two constructions of AKE [1, 11] with tight security and explicit authentication, and both need three passes. One is the 3-pass signed DH protocol in the random oracle model [11], as mentioned above. The other is a 3-pass AKE in the standard model by Bader et al. [1]. This AKE is constructed from a SIG scheme secure against adaptive corruptions (MU-EUF-CMA$^\textsf {corr}$ security), a strongly secure one-time SIG and a KEM scheme secure against adaptive corruptions (MU-IND-CPA$^\textsf {corr}$ security). The KEM is constructed from two public key encryption schemes, where the ciphertext is two encryptions of the same random encapsulated key. Note that such a KEM is not a good choice for AKE, since the session key is completely determined by the responder.

Over these years, reducing the round complexity and pursuing low-latency key exchange have become a major design criteria [10, 13, 17, 21] by both researchers and practitioners. Compared with 3-pass protocols, 2-pass protocols are clearly more efficient, especially when the transmission time is high. Furthermore, in a 2-pass AKE, any modification of the last (2nd) message can be detected immediately, and no payloads from the initiator follow, which saves computation and communication resources. Hence, a natural question is:

Is it possible to construct 2-pass AKE with explicit authentication and tight security?

1.2 Our Approach

We answer the above question in the affirmative.

Achieving Tight Security. Our generic construction of AKE consists of two building blocks, KEM and SIG. KEM is used to generate the session key, where initiator $P_i$ contributes pk and responder $P_j$ contributes ciphertext C under pk. We rely on KEM’s security to guarantee the pseudorandomness of the session key. Meanwhile, every party has a signing key as its long-term secret key, and every transmitted message is signed by SIG, which provides authentication to resist active attacks. See Fig. 1 (a) for the construction.

We solve the “commitment problem” with a tightly IND-mCPA$^\textsf {reveal}$ secure KEM. The IND-mCPA$^\textsf {reveal}$ security is a new notion, which allows the adversary to reveal the encapsulated keys from the challenge ciphertexts. With such a KEM, the reduction algorithm $\mathcal {B}$ can embed challenge ciphertexts to every session of AKE, while keeping the ability of answering reveal queries from $\mathcal {A}$. We also ask KEM to have diverse property (Subsect. 2.3) to make sure that both initiator and responder contribute to the session key. Meanwhile, SIG is required to have tight MU-EUF-CMA$^\textsf {corr}$ security, where the adversary can corrupt some users to get their signing keys.

Currently, tight MU-EUF-CMA$^\textsf {corr}$ secure SIGs are available [1, 11]. To achieve tight security for AKE, the difficulty is constructing KEM with tight IND-mCPA$^\textsf {reveal}$ security. As discussed above, it is hard for the traditional DH-like KEM to achieve tight IND-mCPA$^\textsf {reveal}$ security, due to the “commitment problem” in the security reduction.

In this paper, we present two KEM schemes that achieve tight IND-mCPA$^\textsf {reveal}$ security. Our first proposal is $pk=(g^{x_1},g^{x_2}), C=g^y, K=H(g^{x_1 y},g^{x_2 y})$ in the random oracle model^{Footnote 1}, which is derived from twin ElGamal PKE [5], and based on the strong twin Diffie-Hellman (st2DH) assumption (which in turn on CDH). Here we explain why tight IND-mCPA$^\textsf {reveal}$ security can be achieved in the single user setting. It can be easily extended to the multi-user setting, since $\mathcal {B}$ can embed the 2DH problem into multiple (pk, C) pairs with the help of the random self-reducibility of DDH [9]. In the reduction, given a 2DH challenge tuple $(g^{x_1},g^{x_2},g^y)$, $\mathcal {B}$ sets $pk=(g^{x_1},g^{x_2})$, generates a randomization b and computes the challenge ciphertext as $C=g^{y+b}$. The “commitment problem” is circumvented by $\mathcal {B}$’s simulation of random oracle $H(\cdot )$ and the decision oracle 2DH, which checks whether the inputs are two DDH tuples. If $\mathcal {A}$ has not asked $H(C^{x_1},C^{x_2})$ before, then the encapsulated key is random to $\mathcal {A}$, and $\mathcal {B}$ just samples a random key k and implicitly set $H(C^{x_1},C^{x_2})=k$. If $\mathcal {A}$ has asked $H(C^{x_1},C^{x_2})$, then $\mathcal {B}$ must have stored item $(C^{x_1},C^{x_2}, k=H(C^{x_1},C^{x_2}))$ in the hash list. Hence $\mathcal {B}$ can always resort to the decision oracle $\textsc {2DH}(g^{x_1},g^{x_2},C,C^{x_1},C^{x_2}) =1$ to locate this item, and return the corresponding k to $\mathcal {A}$. In this way, $\mathcal {B}$ can answer reveal queries from $\mathcal {A}$ correctly, and tight IND-mCPA$^\textsf {reveal}$ security follows.

Our second proposal of KEM is derived from the tightly IND-mCCA secure PKE scheme in [14], which has tight IND-mCCA security in the standard model. We prove that IND-mCCA security implies IND-mCPA$^\textsf {reveal}$ security with a tight reduction. Note that the two notions are defined in different styles, e.g., the decapsulation oracle in IND-mCCA security cannot decapsulate the challenge ciphertext, while IND-mCPA$^\textsf {reveal}$ security allows the challenge encapsulated key to be revealed. Hence, the tight security proof of implication is non-trivial (see Subsect. 2.2 for details).

Perfect Forward Security and KCI Resistance. Our generic construction provides perfect forward security (PFS, a.k.a. perfect forward secrecy [12, 16]) and KCI resistance (security against key-compromise impersonation attacks [16]). PFS means that once a party has been corrupted at some moment, then the exchanged session keys completed before the corruption remain hidden from $\mathcal {A}$. KCI resistance assures that sessions, which are established by honest $P_i$ but not controlled by $\mathcal {A}$, remain secure after corruption. In our construction, the long-term secret key is used to sign messages and provide authentication. Hence, the exposure of long-term secret key does not give $\mathcal {A}$ any advantages to break the pseudorandomness of the session key. The same analysis applies to KCI resistance.

Dealing with Replay Attacks. Compared with multi-pass AKE, 2-pass AKE inherently open to replay attacks [13]. In a 2-pass AKE protocol, when $P_i$ sends a message $\mathsf {msg}$ to $P_j$, there are only two choices for $P_j$: compute a session key & accept or reject. If $P_j$ accepts, the message $\mathsf {msg}$ can always be replayed to $P_j$ by an adversary (see Fig. 1 (b)). This replay attack contradicts neither the explicit authentication defined by [11], nor the implicit authentication, since $\mathsf {msg}$ does originate from $P_i$ and the session key keeps pseudorandom to the adversary. However, it does exhaust the computing & memory resources of $P_j$ and waste bandwidth of the network.

The essence of explicit authentication is to detect active attacks in real time. In this paper, we formalize a stronger security of AKE, by including replay attacks in the active attacks. Meanwhile, we choose an efficient and practical way to prevent replay attacks, by adding counters to identify the freshness of messages, as advised in [13]. Roughly speaking, each party maintains a local counter $\textsf {ctr}$. Initiator $P_i$ increases its counter $\textsf {ctr}_i$ before it sends $(\mathsf {msg},\textsf {ctr}_i)$ to $P_j$. Responder $P_j$ recognizes the freshness of $(\mathsf {msg},\textsf {ctr}_i)$ by checking whether $\textsf {ctr}_i > \textsf {ctr}_j$. To respond fresh $\mathsf {msg}$, $P_j$ will synchronize its counter $\textsf {ctr}_j:=\textsf {ctr}_i$ and send $(\mathsf {msg}', \textsf {ctr}_j)$ to $P_i$. The freshness of $(\mathsf {msg}', \textsf {ctr}_j)$ is recognized by $P_i$’s checking of the synchronization $\textsf {ctr}_i = \textsf {ctr}_j$. In this way, any replayed message contradicts either $\textsf {ctr}_i > \textsf {ctr}_j$ or $\textsf {ctr}_i = \textsf {ctr}_j$, and replay attacks can be detected immediately in our 2-pass AKE (see Fig. 1 (c)).

1.3 Our Contribution

We present a security model which is stronger than that in [11]. In our strong model, the adversary breaks authentication as long as a party accepts a replayed message. To detect replay attacks, we introduce counters for each party as its state. The counter will increase after execution of AKE, thus a replayed message will be rejected due to its old counter.

We propose a generic construction of 2-pass AKE from KEM and SIG schemes. We formalize a new security notion, named IND-mCPA$^\textsf {reveal}$, for KEM and show that IND-mCCA security of KEM implies IND-mCPA$^\textsf {reveal}$ security. The strong security of our 2-pass AKE (equipped with counter) can be tightly reduced to the IND-mCPA$^\textsf {reveal}$ security of KEM and the MU-EUF-CMA$^\textsf {corr}$ security of SIG. Taking off counters from AKE results in a stateless AKE, which is tightly secure in the original model of [11].

We give two instantiations of tightly secure 2-pass AKE.

We present an instantiation of KEM and proved its tight IND-mCPA$^\textsf {reveal}$ security based on the CDH assumption in the random oracle model. Together with the signature scheme in [11], we obtain the first practical 2-pass AKE scheme with strong and tight security (and a 2-pass stateless AKE scheme with tight security) from the DDH assumption in the random oracle model.
When instantiating KEM with the tightly IND-mCCA secure KEM derived from [14] and SIG with the signature scheme in [1], we obtain the first 2-pass AKE scheme with strong and tight security (also a 2-pass stateless AKE scheme with tight security) based on the Matrix-DDH assumption in the standard model.

The comparison of our AKE schemes with other tightly secure AKE schemes with explicit authentication^{Footnote 2} is shown in Table 1.

Table 1. Comparison among tightly secure AKE schemes with explicit authentication. Here “Comp.” denotes computation complexity in terms of exponentiations or pairing operations, “Comm.” denotes communication complexity in terms of the number of group elements/exponents (identities of users excluded). “I” denotes the initiator, “R” the responder, “Sec. Loss” the security loss factor, “$\sharp $Pass.” the number of passes in AKE, “RO” the random oracle model, and “Std” the standard model. Note: in [BHJ+15]’s AKE, the session key is determined only by the responder.

Full size table

2 Preliminaries

Let $\lambda \in \mathbb {N}$ denote the security parameter. For $\mu \in \mathbb {N}$, define $[\mu ]:=\{1,2,...,\mu \}$. Denote by $x:=y$ the operation of assigning y to x. Denote by $x \xleftarrow {\$} \mathcal {X}$ the operation of sampling x uniformly at random from a set $\mathcal {X}$. For a distribution $\mathcal {D}$, denote by $x\leftarrow \mathcal {D}$ the operation of sampling x according to $\mathcal {D}$. For an algorithm $\mathcal {A}$, denote by $y \leftarrow \mathcal {A}(x; r)$, or simply $y \leftarrow \mathcal {A}(x)$, the operation of running $\mathcal {A}$ with input x and randomness r and assigning the output to y. “PPT” is short for probabilistic polynomial-time, and $\emptyset $ an empty string.

2.1 Digital Signature with Adaptive Corruptions

Definition 1 (SIG)

A signature (SIG) scheme SIG = (Setup,Gen,Sign,Ver) consists of four algorithms.

$\textsf {Setup}(1^\lambda )$: The setup algorithm takes as input the security parameter $1^\lambda $ and outputs the public parameter $\textsf {pp}_\textsf {SIG}$, which determines the message space $\mathcal {M}$, the signature space $\varSigma $, and the key space $\mathcal {VK}\times \mathcal {SK}$.
$\textsf {Gen}(\textsf {pp}_\textsf {SIG})$: The key generation algorithm takes as input $\textsf {pp}_\textsf {SIG}$ and outputs a pair of keys $(vk,sk)\in \mathcal {VK}\times \mathcal {SK}$.
$\textsf {Sign}(sk,m)$: The signing algorithm takes as input a signing key sk and a message $m\in \mathcal {M}$, and outputs a signature $\sigma \in \varSigma $.
$\textsf {Ver}(vk,m,\sigma )$: The verification algorithm takes as input a verification key vk, a message m and a signature $\sigma $, and outputs a binary bit 0/1, indicating whether $(m,\sigma )$ is valid or not.

Correctness of SIG. For all $\textsf {pp}_\textsf {SIG}\leftarrow \textsf {Setup}(1^\lambda )$, $(vk,sk)\leftarrow \textsf {Gen}(\textsf {pp}_\textsf {SIG})$, $\sigma \leftarrow \textsf {Sign}(sk,m)$, it holds that $\textsf {Ver}(vk,m,\sigma )=1$.

We recall the security notion existential unforgeability with adaptive corruptions (MU-EUF-CMA$^\textsf {corr}$) by Bader et al. in [1].

Definition 2

A signature scheme SIG is MU-EUF-CMA$^{\mathsf {corr}}$ secure if for all PPT adversary $\mathcal {A}$, is negligible (Fig. 2).

2.2 KEM and Its Security in the Multi-user Setting

We review the syntax of KEM and its multi-challenge CCA (IND-mCCA) security. We also define a new security notion, namely IND-mCPA$^\textsf {reveal}$, which will serve our generic construction of AKE. Then we show that IND-mCCA security of KEM implies IND-mCPA$^\textsf {reveal}$ security.

Definition 3 (KEM)

A key encapsulation mechanism (KEM) scheme KEM = (Setup, Gen, Encap, Decap) consists of four algorithms:

$\textsf {Setup}(1^\lambda )$: The set up algorithm takes as input $1^\lambda $ and outputs the public parameter $\textsf {pp}_\textsf {KEM}$, which determines the encapsulation key space $\mathcal {K}$, the key space $\mathcal {PK}\times \mathcal {SK}$, and the ciphertext space $\mathcal {CT}$.
$\textsf {Gen}(\textsf {pp}_\textsf {KEM})$: The key generation algorithm takes as input $\textsf {pp}_\textsf {KEM}$ and outputs a pair of keys $(pk,sk)\in \mathcal {PK}\times \mathcal {SK}$.
$\textsf {Encap}(pk)$: The encapsulation algorithm takes as input pk and outputs an encapsulated key $K\in \mathcal {K}$ along with a ciphertext $C\in \mathcal {CT}$.
$\textsf {Decap}(sk,C)$: The decapsulation algorithm takes as input sk and a ciphertext C, and outputs $K'$ with $K'\in \mathcal {K}\cup \{\perp \}$.

Correctness of KEM. For all ${\textsf {pp}_\textsf {KEM}\leftarrow \textsf {Setup}(1^\lambda )}$, (pk, sk) ${\leftarrow \textsf {Gen}(\textsf {pp}_\textsf {KEM})}$, ${(K,C) \leftarrow \textsf {Encap}(pk)}$, it holds that ${\textsf {Decap}(sk,C)=K}$.

Definition 4 (IND-mCCA security)

A KEM scheme KEM is IND-mCCA secure if for all PPT adversary $\mathcal {A}$, is negligible (Fig. 3).

The IND-mCPA security of KEM considers the pseudorandomness of multiple encapsulated keys $\{K~|~(K,C)\leftarrow \textsf {Encap}(pk_i)\}$, where $\{(pk_i, C)\}$ are the corresponding public keys and challenge ciphertexts. Now consider a stronger attack which allows the adversary to choose any $(pk_i, C)$, even if $(pk_i, C)$ is one of the challenges, and see the (revealed) key K decapsulated from C and $sk_i$. This defines a stronger security notion IND-mCPA$^\textsf {reveal}$, which asks the pseudorandomness of unrevealed keys. KEM with this security notion fits our AKE protocol.

Definition 5

A KEM scheme KEM is IND-mCPA$^{\mathsf {reveal}}$ secure if for all PPT adversary $\mathcal {A}$, is negligible (Fig. 4).

Note that in $\textsf {Exp}_{\textsf {KEM},\theta ,\mathcal {A}}^{\textsf {r-m-cpa}}(\lambda )$, the encapsulation oracle generates tuples $\{(pk_i, C)\}$ as challenges. However, keys decapsulated from $\{(pk_i, C)\}$ can also be revealed. Upon revealed, $\{(pk_i, C)\}$ cannot serve as challenges any more. Meanwhile, each challenge $(pk_i, C)$ will be associated with an independently chosen random bit $\beta $. Therefore, IND-mCPA$^\textsf {reveal}$ is different from IND-mCCA.

We prove that IND-mCCA security implies IND-mCPA$^\textsf {reveal}$ security with a tight reduction.

Theorem 1

If a KEM KEM is IND-mCCA secure, it is also IND-mCPA$^{\mathsf {reveal}}$ secure. More precisely, for any PPT adversary $\mathcal {A}$ of advantage $\mathsf {Adv}_{\textsf {KEM},\theta ,\mathcal {A}}^{\textsf {r-m-cpa}}(\lambda )$ in $\textsf {Exp}_{\textsf {KEM},\theta ,\mathcal {A}}^{\textsf {r-m-cpa}}(\lambda )$, there exists a PPT algorithm $\mathcal {B}$ which has advantage $\mathsf {Adv}_{\textsf {KEM},\theta ,\mathcal {B}}^\textsf {m-cca}(\lambda )$ in $\textsf {Exp}_{\textsf {KEM},\theta ,\mathcal {B}}^\textsf {m-cca}(\lambda )$ such that $\mathsf {Adv}_{\textsf {KEM},\theta ,\mathcal {A}}^{\textsf {r-m-cpa}}(\lambda )\le 2\mathsf {Adv}_{\textsf {KEM},\theta ,\mathcal {B}}^{\textsf {m-cca}}(\lambda )$.

Proof

Given a PPT $\mathcal {A}$ in $\textsf {Exp}_{\textsf {KEM},\theta ,\mathcal {A}}^{\textsf {r-m-cpa}}(\lambda )$, we construct a PPT algorithm $\mathcal {B}$ in $\textsf {Exp}_{\textsf {KEM},\theta ,\mathcal {B}}^\textsf {m-cca}(\lambda )$. Let $\mathcal {C}$ be $\mathcal {B}$’s challenger. Then $\mathcal {C}$ provides two oracles, $\mathcal {O}_\textsc {Enc}^\beta (\cdot )$ and $\mathcal {O}_\textsc {Dec}(\cdot ,\cdot )$ to $\mathcal {B}$. $\mathcal {B}$ simulates $\textsf {Exp}_{\textsf {KEM},\theta ,\mathcal {A}}^{\textsf {r-m-cpa}}(\lambda )$ for $\mathcal {A}$ as follows.

1.
First $\mathcal {B}$ gets $\textsf {pp}_\textsf {KEM}$ and a set of public keys $\{pk_i\}_{i\in [\theta ]}$ from its own challenger $\mathcal {C}$. Then it sends $\textsf {pp}_\textsf {KEM}$ and $\textsf {PKList}:=\{pk_i\}_{i\in [\theta ]}$ to $\mathcal {A}$. $\mathcal {B}$ also prepares two lists $\textsf {CList}:=\varnothing $ and $\textsf {RList}:=\varnothing $.
2.
There are two kinds of oracle queries from $\mathcal {A}$, and $\mathcal {B}$ answers them as follows.
- $\mathcal {O}_\textsc {Encap}(i)$: $\mathcal {B}$ asks its own oracle $\mathcal {O}_\textsc {Enc}^\beta (i)$ and obtains $(K,C) \leftarrow \mathcal {O}_\textsc {Enc}^\beta (i)$. Then it sets $k_0:=K$, samples $k_1\leftarrow \mathcal {K}$, throws a coin $b \xleftarrow {\$} \{0,1\}$, appends $(pk_i, C, K, b)$ into $\textsf {CList}$ and returns $(k_b,C)$ to $\mathcal {A}$.
- $\mathcal {O}_\textsc {Reveal}(i, C')$: $\mathcal {B}$ checks whether $(pk_i, C', \cdot , \cdot )\in \textsf {CList}$. If yes, $\mathcal {B}$ parses the tuple as $(pk_i, C', K, b)$ and returns K to $\mathcal {A}$. Otherwise, $\mathcal {B}$ asks its own oracle $\mathcal {O}_\textsc {Dec}(i,C')$. Let $K' \leftarrow \mathcal {O}_\textsc {Dec}(i,C')$, then $\mathcal {B}$ updates $\textsf {RList}:=\textsf {RList} ~ \cup ~ \{(pk_i,C')\}$ and returns $K'$ to $\mathcal {A}$.
3.
If $\mathcal {A}$ aborts, $\mathcal {B}$ outputs a random bit. Otherwise, $\mathcal {A}$ outputs $(pk_{i^*},C^*,b')$. If $\exists (pk_{i^*},C^*,\cdot ,b)\in \textsf {CList}$ s.t. $(pk_{i^*},C^*)\notin \textsf {RList}$ $\wedge $ $b'=b$, $\mathcal {B}$ outputs $\beta '=0$. Otherwise, it outputs 1.

Let $\beta $ be the random bit generated by $\mathcal {B}$’s challenger $\mathcal {C}$, then $\mathcal {B}$ wins in $\textsf {Exp}_{\textsf {KEM},\theta ,\mathcal {B}}^\textsf {m-cca}(\lambda )$ if $\beta '=\beta $. Recall that $\mathcal {O}_\textsc {Enc}^\beta (\cdot )$ will always return real keys if $\beta =0$ and random keys if $\beta =1$.

Case 1: $\beta =0$. In this case, the output (K, C) of $\mathcal {O}_\textsc {Enc}^0(i)$ is a real encapsulation pair. $\mathcal {B}$ simulates $\mathcal {O}_\textsc {Encap}(i)$ by outputting $(k_b,C)$, where $k_b$ is either a real or a random key with 1/2 probability. Furthermore, for each $(pk_i,C',K,b)\in \textsf {CList}$, it holds that $\textsf {Decap}(sk_i,C')=K$. For simulation of $\mathcal {O}_\textsc {Reveal}(i,C')$, if there exists $(pk_i,C',K,b)\in \textsf {CList}$, $\mathcal {B}$ returns K; otherwise $\mathcal {B}$ asks its own oracle $\mathcal {O}_\textsc {Dec}(i,C')$ and returns the output of $\mathcal {O}_\textsc {Dec}(i,C')$ to $\mathcal {A}$. Thus, $\mathcal {B}$ perfectly simulates $\textsf {Exp}_{\textsf {KEM},\theta ,\mathcal {A}}^{\textsf {r-m-cpa}}(\lambda )$ for $\mathcal {A}$.
Case 2: $\beta =1$. In this case, the output (K, C) of $\mathcal {O}_\textsc {Enc}^1(i)$ contains a random key K, which is independent of C. In $\mathcal {B}$’s answer $(k_b,C)$ to $\mathcal {O}_\textsc {Encap}(i)$, $k_b$ is a random key, independent from b. Moreover, $\mathcal {B}$ ’s answer to $\mathcal {O}_\textsc {Reveal}(i,C')$ does not use b at all. Hence $\mathcal {A}$ learns nothing about b from $\mathcal {O}_\textsc {Encap}(i)$ and $\mathcal {O}_\textsc {Reveal}(i,C')$. Thus, $\Pr [b'=b]=1/2$ and $\Pr [\beta '=\beta ]=1/2$.

$$\begin{aligned} \begin{aligned} \mathsf {Adv}_{\textsf {KEM},\theta ,\mathcal {B}}^{\textsf {m-cca}}(\lambda )&=|\Pr [\beta '=\beta ]-1/2|\\&=|\Pr [\beta '=\beta |\beta =0]\Pr [\beta =0] + \Pr [\beta '=\beta |\beta =1]\Pr [\beta =1]-1/2|\\&= |\frac{1}{2} (\frac{1}{2}+\mathsf {Adv}_{\textsf {KEM},\theta ,\mathcal {A}}^{\textsf {r-m-cpa}}(\lambda )) + \frac{1}{2} \cdot \frac{1}{2} - \frac{1}{2}|=\frac{1}{2} \mathsf {Adv}_{\textsf {KEM},\theta ,\mathcal {A}}^{\textsf {r-m-cpa}}(\lambda ).~~~~~~~~\square \end{aligned} \end{aligned}$$

2.3 Diverse Property of KEM

We define a property called diverse property for KEM, which is useful in the security proof of our AKE.

Definition 6 (Diverse Property)

A KEM scheme $\textsf {KEM}=(\textsf {Setup},\textsf {Gen},\textsf {Encap},$ $\textsf {Decap})$ has diverse property if for all $\textsf {pp}_\textsf {KEM}\leftarrow \textsf {Setup}(1^\lambda )$, it holds that:

where $\tilde{\mathcal {R}}$, $\mathcal {R}$ are the randomness spaces in Gen and Encap respectively.

2.4 The Strong Twin Diffie-Hellman Assumption

Let $\textsf {GGen}$ be a group generation algorithm such that $\mathcal {G}:=(\mathbb {G},q,g)\leftarrow \textsf {GGen}(1^\lambda )$, where $\mathbb {G}$ is a cyclic group of prime order q with generator g.

Definition 7

For any adversary $\mathcal {A}$, the advantage of $\mathcal {A}$ in solving the Computational Diffie-Hellman (CDH) problem is defined as

$$\mathsf {Adv}_{\mathbb {G},\mathcal {A}}^{\textsf {CDH}}(\lambda ):=\Pr [(\mathbb {G},q,g)\leftarrow \textsf {GGen}(1^\lambda ); x,y\xleftarrow {\$} \mathbb {Z}_q : \mathcal {A}(\mathbb {G},q,g,g^x,g^y)=g^{xy}].$$

Definition 8

For any adversary $\mathcal {A}$, the advantage of $\mathcal {A}$ in solving the Decisional Diffie-Hellman (DDH) problem is defined as

In [5], Cash et al. proposed the Strong Twin Diffie-Hellman (strong 2DH or st2DH) problem, and proved that it is as hard as the CDH problem.

Definition 9

[5] For any adversary $\mathcal {A}$, its advantage in solving the strong twin Diffie-Hellman problem is defined as $\mathsf {Adv}_{\mathbb {G},\mathcal {A}}^{\textsf {st2DH}}(\lambda ):=$

where the decision oracle $\textsc {2DH}(g^{x_1},g^{x_2},\cdot ,\cdot ,\cdot )$ takes as input $(g^y,g^{z_1},g^{z_2})$ and outputs 1 if $(x_1 y=z_1)\wedge (x_2 y=z_2)$ and 0 otherwise.

Theorem 2

[5] For any PPT adversary $\mathcal {A}$ against the strong 2DH problem, there exists a PPT algorithm $\mathcal {B}$ against the CDH problem such that $\mathsf {Adv}_{\mathbb {G},\mathcal {A}}^{\textsf {st2DH}}(\lambda ) \le \mathsf {Adv}_{\mathbb {G},\mathcal {B}}^{\textsf {CDH}}(\lambda )+Q/q,$ where Q is the maximum number of decision oracle queries.

3 Authenticated Key Exchange Scheme

3.1 Definition of Authenticated Key Exchange

We consider a generic AKE scheme, in which each party maintains a state $\textsf {st}_{i}$. If $\textsf {st}_{i}=\perp $, the AKE scheme is stateless.

Definition 10 (AKE)

An authenticated key exchange (AKE) scheme $\textsf {AKE}=(\textsf {AKE.Setup},$ $\textsf {AKE.Gen}, \textsf {AKE.Protocol})$ consists of two probabilistic algorithms and an interactive protocol.

$\textsf {AKE.Setup}(1^\lambda )$: The setup algorithm takes as input the security parameter $1^\lambda $, and outputs the public parameter $\textsf {pp}_\textsf {AKE}$.
$\textsf {AKE.Gen}(\textsf {pp}_\textsf {AKE},P_i)$: The generation algorithm takes as input $\textsf {pp}_\textsf {AKE}$ and a party $P_i$, and outputs a key pair $(pk_i,sk_i)$ and an initial state $\textsf {st}_i$.
$\textsf {AKE.Protocol}(P_i (\textsf {res}_i) \rightleftharpoons P_j(\textsf {res}_j))$: The protocol involves two parties $P_i$ and $P_j$, who have access to their own resources, ${\textsf {res}_i:=}$ ${ (sk_i,\textsf {st}_i,\textsf {pp}_\textsf {AKE}, \{pk_u\}_{u\in [\mu ]})}$ and ${\textsf {res}_j:=(sk_j,\textsf {st}_j,\textsf {pp}_\textsf {AKE}, \{pk_u\}_{u\in [\mu ]})}$, respectively. Here $\mu $ is the total number of users. After execution, $P_i$ outputs a flag $\varPsi _i\in \{\emptyset ,\mathbf{accept} ,\mathbf{reject} \}$, and a session key $k_i$ ($k_i$ might be empty string $\emptyset $), and $P_j$ outputs $(\varPsi _j,k_j)$ similarly. Note that every execution of protocol may lead to update of $\textsf {st}_i, \textsf {st}_j$.

Correctness of AKE. For any distinct and honest parties $P_i$ and $P_j$, they share the same session key after the execution $\textsf {AKE.Protocol}(P_i (\textsf {res}_i) \rightleftharpoons P_j(\textsf {res}_j))$, i.e., $\varPsi _i=\varPsi _j=\mathbf{accept} , k_i=k_j\ne \emptyset $.

Definition 11 (Stateless AKE)

In Definition 10, if $\textsf {st}_i$ is set to $\perp $ (i.e., no state involved) for each party $P_i$, then the AKE becomes a stateless AKE.

3.2 Security Model of AKE

We will adapt the security model formalized by [1, 11, 19], which in turn followed the model proposed by Bellare and Rogaway [2]. We also include replay attacks in the security model, leading to a stronger model than those in [1, 2, 11].

First we will define oracles and their static variables in the model. Then we describe the security experiment and the corresponding security notions.

Oracles. Suppose there are at most $\mu $ users $P_1,P_2,...,P_\mu $, and each user will involve at most $\ell $ instances. $P_i$ is formalized by a series of oracles, $\pi _i^1,\pi _i^2,...,\pi _i^\ell $. Oracle $\pi _i^s$ formalizes $P_i$’s execution of the s-th protocol instance. Since we consider stateful $P_i$, we have two requirements.

(1) The very first queries to oracles $\pi _i^1,\pi _i^2,...,\pi _i^\ell $ by the adversary $\mathcal {A}$ must be in chronological order $1,2,...,\ell $. That is, for $1 \le s < \ell $, $\pi _i^{s+1}$ is inaccessible to $\mathcal {A}$ before $\pi _i^s$ is invoked. However, we stress that it does not eliminate the possibility that $\mathcal {A}$ queries $\pi _i^s$, then $\pi _i^{s+1}$, and back to $\pi _i^{s}, \pi _i^{s-1},... $ again.
(2) There is a state $\textsf {st}_i$ shared and maintained by $\pi _i^1, \pi _i^2,..., \pi _i^\ell $.

Each oracle $\pi _i^s$ has access to $P_i$’s resource $\textsf {res}_i:= (sk_i,\textsf {st}_i,\textsf {pp}_\textsf {AKE},\textsf {PKList}:=\{pk_u\}_{u \in [\mu ]})$, where $\textsf {st}_i$ is the state of the time being. $\pi _i^s$ also has its own variables $\textsf {var}_i^s:=(\mathsf {Pid}_i^s, k_i^s, \varPsi _i^s)$.

$\mathsf {Pid}_i^s$: The intended communication peer’s identity.
$k_i^s\in \mathcal {K}$: The session key computed by $\pi _i^s$. Here $\mathcal {K}$ is the session key space. We assume that $\emptyset \in \mathcal {K}$.
$\varPsi _i^s\in \{\emptyset ,\mathbf{accept} ,\mathbf{reject} \}$: $\varPsi _i^s$ indicates whether $\pi _i^s$ has completed the protocol execution and accepted $k_i^s$.

At the beginning, $(\mathsf {Pid}_i^s,k_i^s,\varPsi _i^s)$ are initialized to $(\emptyset ,\emptyset ,\emptyset )$. We declare that $k_i^s\ne \emptyset $ if and only if $\varPsi _i^s=\mathbf{accept} $.

Security Experiment. To define the security notion of AKE, we first formalize the security experiment $\textsf {Exp}_{\mu ,\ell , \mathcal {A}}^{\textsf {AKE}}(\lambda )$ with the help of the oracles defined above. $\textsf {Exp}_{\mu ,\ell , \mathcal {A}}^{\textsf {AKE}}(\lambda )$ is a game played between an AKE challenger $\mathcal {C}$ and an adversary $\mathcal {A}$. $\mathcal {C}$ will simulate the executions of the $\ell $ protocol instances for each of the $\mu $ users with oracles $\pi _i^s$. See Fig. 5 for the formal description of $\textsf {Exp}_{\mu ,\ell , \mathcal {A}}^{\textsf {AKE}}(\lambda )$.

Adversary $\mathcal {A}$ may copy, delay, erase, replay, and interpolate the messages transmitted in the network. This is formalized by the query $\textsf {Send}$ to oracle $\pi _i^s$. With Send, $\mathcal {A}$ could send arbitrary message to any oracle $\pi _i^s$. Then $\pi _i^s$ will execute the AKE protocol according to the protocol specification for $P_i$.

We also allow the adversary to observe session keys of its choices. This can be reflected by the Reveal query to oracle $\pi _i^s$.

$\textsf {Corrupt}$ query allows $\mathcal {A}$ to corrupt a party $P_i$ and get its long-term secret key $sk_i$. With RegisterCorrupt query, $\mathcal {A}$ can register a new party without public key certification. The public key is then known to all other users.

We introduce $\textsf {Test}$ query to formalize the pseudorandomness of $k_i^s$. For a $\textsf {Test}$ query to $\pi _i^s$, the oracle will return $\bot $ if the session key $k_i^s$ is not generated yet. Otherwise, $\pi _i^s$ will return $k_i^s$ or a truly random key with half probability. The task of $\mathcal {A}$ is to tell whether the key is the true session key or a random key.

Formally, the queries by $\mathcal {A}$ are described as follows.

$\textsf {Send}(i,s,j, \mathsf {msg})$: If $\mathsf {msg}=\top $, it means that $\mathcal {A}$ asks oracle $\pi _i^s$ to send the first protocol message to $P_j$. Otherwise, $\mathcal {A}$ impersonates $P_j$ to send message $\mathsf {msg}$ to $\pi _i^s$. Then $\pi _i^s$ executes the AKE protocol with $\mathsf {msg}$ as $P_i$ does, outputs a message $\mathsf {msg}'$, and updates the state $\textsf {st}_i$ and its own variables $\textsf {var}_i^s$. In formula, $(\mathsf {msg}',\textsf {st}_i', \mathsf {Pid}_i^s, k_i^s, \varPsi _i^s) \leftarrow \pi _i^s(\mathsf {msg}, \textsf {res}_i, \textsf {var}_i^s)$. Only the output message $\mathsf {msg}'$ is returned to $\mathcal {A}$.

If $\textsf {Send}(i,s,j,\mathsf {msg})$ is the $\tau $-th query asked by $\mathcal {A}$ and $\pi _i^s$ changes $\varPsi _i^s$ to $\mathbf{accept} $ after that, then we say that $\pi _i^s$ is $\tau $-accepted.
$\textsf {Corrupt}(i)$: $\mathcal {C}$ reveals to $\mathcal {A}$ party $P_i$’s long-term secret key $sk_i$. After corruption, $\pi _i^1,...,\pi _i^\ell $ will stop answering any query from $\mathcal {A}$.

If $\textsf {Corrupt}(i)$ is the $\tau $-th query asked by $\mathcal {A}$, we say that $P_i$ is $\tau $-corrupted.

If $\mathcal {A}$ has never asked $\textsf {Corrupt}(i)$, we say that $P_i$ is $\infty $-corrupted.
$\textsf {RegisterCorrupt}(i,pk_i)$: It means that $\mathcal {A}$ registers a new party $P_i$ $(i>\mu )$. $\mathcal {C}$ distributes $(P_i, pk_i)$ to all users. In this case, we say that $P_i$ is 0-corrupted.
$\textsf {Reveal}(i,s)$: The query means that $\mathcal {A}$ asks $\mathcal {C}$ to reveal $\pi _i^s$’s session key. If $\varPsi _i^s\ne \mathbf{accept} $, $\mathcal {C}$ returns $\perp $. Otherwise, $\mathcal {C}$ returns the session key $k_i^s$ of $\pi _i^s$.

If $\textsf {Reveal}(i,s)$ is the $\tau $-th query asked by $\mathcal {A}$, we say that $\pi _i^s$ is $\tau $-revealed.

If $\mathcal {A}$ has never asked $\textsf {Reveal}(i,s)$, we say that $\pi _i^s$ is $\infty $-revealed.
$\textsf {Test}(i,s)$: If $\varPsi _i^s\ne \mathbf{accept} $, $\mathcal {C}$ returns $\perp $. Otherwise, $\mathcal {C}$ throws a coin $b_i^s\xleftarrow {\$} \{0,1\}$, sets $k_0=k_i^s$, samples , and returns $k_{b_i^s}$ to $\mathcal {A}$. We require that $\mathcal {A}$ could ask $\textsf {Test}(i,s)$ to each oracle $\pi _i^s$ only once.

If $\textsf {Test}(i,s)$ is the $\tau $-th query asked by $\mathcal {A}$ and $\varPsi _i^s= \mathbf{accept} $, we say that $\pi _i^s$ is $\tau $-tested.

If $\mathcal {A}$ has never asked $\textsf {Test}(i,s)$, we say that $\pi _i^s$ is $\infty $-tested.

Informally, the pseudorandomness of $k_i^s$ asks that any PPT adversary $\mathcal {A}$, access to $\textsf {Test}(i,s)$, could guess $b_i^s$ with probability no better than $1/2+\textsf {negl}$. Yet, we have to exclude some trivial attacks: (1) $\mathcal {A}$ asks $\textsf {Reveal}(i,s)$; (2) $\mathcal {A}$ asked $\textsf {Corrupt}(j)$ before $\varPsi _i^s=\mathbf{accept} $; (3) $\mathcal {A}$ asks $\textsf {Reveal}(j,t)$; (4) $\mathcal {A}$ asks $\textsf {Test}(j,t)$, given that $\pi _i^s$ and $\pi _j^t$ have a successful protocol execution with each other.

Definition 12

(Original Key [19]). For two oracles $\pi _i^s$ and $\pi _j^t$, the original key, denoted as $\textsf {K}(\pi _i^s,\pi _j^t)$, is the session key computed by the two peers of the protocol under a passive adversary only, where $\pi _i^s$ is the initiator.

Remark 1

We note that $\textsf {K}(\pi _i^s,\pi _j^t)$ is determined by the identities of $P_i$ and $P_j$, the internal randomness and the states $\textsf {st}_i^s$ and $\textsf {st}_j^t$, where $\textsf {st}_i^s$ and $\textsf {st}_j^t$ denote the states when $\pi _i^s$ and $\pi _j^t$ are invoked respectively.

Definition 13

(Partner [19]). Let $\textsf {K}(\cdot ,\cdot )$ denote the original key function. We say that an oracle $\pi _i^s$ is partnered to $\pi _j^t$, denoted as $\textsf {Partner}(\pi _i^s \leftarrow \pi _j^t)$^{Footnote 3}, if one of the following requirements holds:

$\pi _i^s$ is the initiator and $k_i^s=\textsf {K}(\pi _i^s,\pi _j^t) \ne \emptyset $, or
$\pi _i^s$ is the responder and $k_i^s=\textsf {K}(\pi _j^t,\pi _i^s) \ne \emptyset $.

For 2-pass AKE, the security model of [11] cannot cover replay attacks. Given $\textsf {Partner}(\pi _{i'}^{s'} \leftarrow \pi _j^t)$, a successful replay attack means that $\mathcal {A}$ resends to $\pi _i^s$ the messages, which were sent from $\pi _j^t$ to $\pi _{i'}^{s'}$, and $\pi _i^s$ is fooled to compute a session key, i.e., $\textsf {Partner}(\pi _i^s \leftarrow \pi _j^t)$. Now, we add the formalization of replay attacks (see (3.3) in Fig. 5) in the security model of [11] and define a stronger security notion.

Definition 14 (Strong Security of AKE)

Let $\mu $ be the number of users and $\ell $ the maximum number of protocol executions per user. The strong security experiment $\textsf {Exp}_{\textsf {AKE},\mu ,\ell ,\mathcal {A}}^{\textsf {strong}}(\lambda )$ (see Fig. 5) is played between the challenger $\mathcal {C}$ and the adversary $\mathcal {A}$.

1.
$\mathcal {C}$ runs $\textsf {AKE.Setup}(1^\lambda )$ to get AKE public parameter $\textsf {pp}_\textsf {AKE}$.
2.
For each party $P_i$, $\mathcal {C}$ runs $\textsf {AKE.Gen}(\textsf {pp}_\textsf {AKE},P_i)$ to get the long-term key pair $(pk_i,sk_i)$ and $P_i$’s initial state $\textsf {st}_i$. Then it provides $\mathcal {A}$ with the public parameter $\textsf {pp}_\textsf {AKE}$ and public key list $\textsf {PKList}:=\{pk_i\}_{i \in [\mu ]}$.
3.
$\mathcal {A}$ asks $\mathcal {C}$ Send, Corrupt, RegisterCorrupt, Reveal, and Test queries adaptively.
4.
At the end of the experiment, $\mathcal {A}$ terminates with an output $(i^*,s^*,b^*)$, where $b^*$ is a guess for $b_{i^*}^{s^*}$ of oracle $\pi _{i^*}^{s^*}$.

Strong Authentication. Let $\textsf {Win}_\textsf {Auth}$ denote the event that $\mathcal {A}$ breaks authentication in the security experiment. $\textsf {Win}_\textsf {Auth}$ happens iff $\exists (i,s)\in [\mu ] \times [\ell ]$ s.t.

(1) $\pi _i^s$ is $\tau $-accepted.
(2) $P_j$ is $\hat{\tau }$-corrupted with $j:=\mathsf {Pid}_i^s$ and $\hat{\tau } > \tau $.
(3) Either (3.1) or (3.2) or (3.3) happens. Let $j:=\mathsf {Pid}_i^s$.
- (3.1) There is no oracle $\pi _j^t$ that $\pi _i^s$ is partnered to.
- (3.2) There exist two distinct oracles $\pi _j^t$ and $\pi _{j'}^{t'}$, to which $\pi _i^s$ is partnered.
- (3.3) There exist two oracles $\pi _{i'}^{s'}$ and $\pi _j^t$ with $(i',s')\ne (i,s)$, such that both $\pi _i^s$ and $\pi _{i'}^{s'}$ are partnered to $\pi _j^t$.

Remark 2

Given $(1) \wedge (2)$, (3.1) indicates a successful impersonation of $P_j$, (3.2) suggests one instance of $P_i$ has multiple partners, and (3.3) corresponds to a successful replay attack.

Indistinguishability. Let $\textsf {Win}_\textsf {Ind}$ denote the event that $\mathcal {A}$ breaks indistinguishability in $\textsf {Exp}_{\textsf {AKE},\mu ,\ell ,\mathcal {A}}^{\textsf {strong}}(\lambda )$ above. For simplicity, let $(i,s,b^*):=(i^*,s^*,b^*)$ be $\mathcal {A}$’s output. $\textsf {Win}_\textsf {Ind}$ happens iff $b^*=b_i^s$, and the following conditions are satisfied.

$\mathbf {(1')}$ $\pi _i^s$ is $\tau $-tested and $\mathsf {Pid}_i^s$ is $\tilde{\tau }$-corrupt with $\tilde{\tau } > \tau $.
$\mathbf {(2')}$ $\pi _i^s$ is $\infty $-revealed.
$\mathbf {(3')}$ If $\pi _i^s$ is partnered to $\pi _j^t$ ($j=\mathsf {Pid}_i^s$), then $\pi _j^t$ is $\infty $-revealed and $\infty $-tested.

Note that iff $\textsf {Win}_\textsf {Ind}$ happens. Hence, the advantage of $\mathcal {A}$ is defined as

An AKE scheme AKE has strong security if for any PPT adversary $\mathcal {A}$, it holds that $\textsf {Adv}_{\textsf {AKE},\mu ,\ell ,\mathcal {A}}^{\textsf {strong}}(\lambda )$ is negligible.

Remark 3

Indisitinguishability asks the pseudorandomness of the session key shared between $P_i$ and $P_j$, excluding trivial attacks such like $P_j$ is corrupted, or the session key is tested in $P_j$, or it is revealed.

Definition 15 (Security of AKE)

The security experiment $\textsf {Exp}_{\textsf {AKE},\mu ,\ell ,\mathcal {A}}(\lambda )$ (see Fig. 5) is defined like $\textsf {Exp}_{\textsf {AKE},\mu ,\ell ,\mathcal {A}}^{\textsf {strong}}(\lambda )$ except that (3.3) is eliminated from $\textsf {Win}_\textsf {Auth}$. Similarly, an AKE scheme AKE has security if for any PPT adversary $\mathcal {A}$, the following advantage is negligible:

Remark 4 (Perfect Forward Security and KCI Resistance)

The security model of AKE supports (perfect) forward security (a.k.a. forward secrecy [12]) (characterized by “$\pi _i^s$ is $\tau $-tested and $\mathsf {Pid}_i^s$ is $\tilde{\tau }$-corrupt with $\tilde{\tau } > \tau $” in $\textsf {Win}_\textsf {Ind}$). That is, if $P_i$ or its partner $P_j$ has been corrupted at some moment, then the exchanged session keys completed before the corruption remain hidden from the adversary. Meanwhile, $\pi _i^s$ may be corrupted before $\textsf {Test}(i,s)$, which provides resistance to key-compromise impersonation (KCI) attacks [16].

4 Generic Construction of AKE and Its Security Proof

4.1 Construction

There are two building blocks in our AKE scheme, namely a MU-EUF-CMA$^\textsf {corr}$ secure signature scheme $\textsf {SIG}=(\textsf {SIG.Setup}, \textsf {SIG.Gen}, \textsf {SIG.Sign}, \textsf {SIG.Ver})$ and an IND-mCPA$^\textsf {reveal}$ secure KEM scheme $\textsf {KEM}=(\textsf {KEM.Setup}, \textsf {KEM.Gen}, \textsf {KEM.}\textsf {Encap}, $ $\textsf {KEM.Decap})$ with diverse property. Our AKE scheme is shown in Fig. 6.

In our AKE scheme $\textsf {AKE}$, every party $P_i$ will keep two arrays of static counters as its state, i.e., $\textsf {st}_i=\{\textsf {sctr}_{i,0}[j],\textsf {sctr}_{i,1}[j]\}_{j\in [\mu ]}$. Static counters $\textsf {sctr}_{i,b}[j]$ are initialized to 0s and will record the serial number of protocol instances. Counter $\textsf {sctr}_{i,0}[j]$ implies that $P_i$ is the initiator and $P_j$ is the responder, while $\textsf {sctr}_{i,1}[j]$ implies $P_j$ the initiator and $P_i$ the responder. For example, $\textsf {sctr}_{i,0}[j]=3$ denotes that $P_i$ has initialized 3 protocol instances with $P_j$, while $\textsf {sctr}_{j,1}[i]=5$ denotes that $P_j$, as a responder, has 5 protocol instances with $P_i$.

. $\textsf {pp}_\textsf {SIG}\leftarrow \textsf {SIG.Setup}(1^\lambda )$, $\textsf {pp}_\textsf {KEM}\leftarrow \textsf {KEM.Setup}(1^\lambda )$. Return $\textsf {pp}_\textsf {AKE}$ $:=(\textsf {pp}_\textsf {SIG},\textsf {pp}_\textsf {KEM})$.
. $(vk_i,sk_i)\leftarrow \textsf {SIG.Gen}(\textsf {pp}_\textsf {SIG})$, $\textsf {sctr}_{i,0}[u]:=0$; $\textsf {sctr}_{i,1}[u]:=0$ for $u\in [\mu ]$, $\textsf {st}_i:=\{\textsf {sctr}_{i,0}[u],\textsf {sctr}_{i,1}[u]\}_{u\in [\mu ]}$. Return $((vk_i,sk_i),\textsf {st}_i)$.
. $P_i$ has access to $\textsf {res}_i=(sk_i,\textsf {st}_i,\textsf {pp}_\textsf {AKE},\textsf {PKList}=\{vk_u\}_{u\in [\mu ]})$ and $P_j$ has access to $\textsf {res}_j=(sk_j,\textsf {st}_j,\textsf {pp}_\textsf {AKE},\textsf {PKList}=\{vk_u\}_{u\in [\mu ]})$. As an initiator, $P_i$ invokes $(pk_\textsf {KEM},sk_\textsf {KEM})\leftarrow \textsf {KEM.Gen}(\textsf {pp}_\textsf {KEM})$, increases its counter with $\textsf {sctr}_{i,0}[j]:= \textsf {sctr}_{i,0}[j]+1$, and uses $sk_i$ to sign a signature $\sigma _1$ of message $m_1:=(P_i,P_j,\textsf {sctr}_{i,0}[j],pk_\textsf {KEM})$. Then $P_i$ sends $(m_1, \sigma _1)$ to $P_j$.

After $P_j$ obtains $(m_1, \sigma _1)$, it will verify $\sigma _1$ with $vk_i$ and check whether its own counter $\textsf {sctr}_{j,1}[i]$ is less than $\textsf {ctr}$ contained in $m_1=(P_i,P_j, $ $\textsf {ctr}, pk_\textsf {KEM})$. If everything goes well, then $P_j$ takes $m_1$ as a valid message; otherwise $P_j$ returns $(\mathbf{reject} ,\emptyset )$. If $m_1$ is valid, $P_j$ stores $(m_1, \sigma _1)$, encapsulates a key K via $(K,C)\leftarrow \textsf {KEM.Encap}(pk_\textsf {KEM})$ and synchronizes $\textsf {sctr}_{j,1}[i]:=\textsf {ctr}$. Then $P_j$ signs $m_1||m_2$ with $m_2:=(P_i,P_j,\textsf {sctr}_{j,1}[i],C)$ via $\sigma _2 \leftarrow \textsf {SIG.Sign}(sk_j,m_1||m_2)$ and sends $(m_2, \sigma _2)$ to $P_i$. $P_j$ will accept K as the session key with $P_i$ by returning $(\mathbf{accept}, K)$.

After $P_i$ obtains $(m_2, \sigma _2)$, it will verify whether $(m_1||m_2,\sigma _2)$ is a valid message-signature pair w.r.t. $vk_j$. It also checks synchronization of its own counter $\textsf {sctr}_{i,0}[j]$ and the counter $\textsf {ctr}'$ in $m_2=(P_i, P_j, \textsf {ctr}', C)$, i.e., whether $\textsf {sctr}_{i,0}[j]=\textsf {ctr}'$. If everything goes well, $P_i$ will take $m_2$ as a valid message and decapsulate the ciphertext C in $m_2$ to obtain $K'\leftarrow \textsf {KEM.Decap}(sk_\textsf {KEM},C)$. $P_i$ will accept $K'$ as the session key with $P_j$ by returning $(\mathbf{accept}, K')$. If $m_2$ is invalid, $P_i$ returns $(\mathbf{reject} ,\emptyset )$.

Correctness. The correctness of AKE follows from the correctness of $\textsf {SIG}$ & $\textsf {KEM}$ and the fact of $\textsf {sctr}_{i,0}[j] \ge \textsf {sctr}_{j,1}[i]$. The increasing mode of counters in our AKE is as follows: the initiator $P_i$ always increases the counter $\textsf {sctr}_{i,0}[j]$, while the responder $P_j$ synchronizes its counter $\textsf {sctr}_{j,1}[i]:=\textsf {sctr}_{i,0}[j]$ only if the received message $m_1$ is valid. If $m_1$ is invalid, $\textsf {sctr}_{j,1}[i]$ stays the same, so $\textsf {sctr}_{i,0}[j] > \textsf {sctr}_{j,1}[i]$. Consequently, $\textsf {sctr}_{i,0}[j] \ge \textsf {sctr}_{j,1}[i]$ holds in either case.

We can also construct a stateless AKE scheme $\textsf {AKE}^{\textsf {stateless}}$, where all states are removed from the $\textsf {AKE}$ scheme. See Fig. 6.

Remark 5 (Synchronization)

A failed execution of AKE does not lead to desynchronization. If $m_1$ or $m_2$ is lost (due to the network) or modified by active attacks, then the underlying session fails (i.e., $P_i$ does not accept). In this scenario, it keeps that $\textsf {sctr}_{i,0}[j] \ge \textsf {sctr}_{j,1}[i]$, and $P_i$ can launch a new session as the initiator latter and correctness (synchronization) still holds.

Remark 6 (PKI Setting)

Our security model simply assumes that each party has access to the public key list. In practice, the users’ public keys are registered via certificates from PKI. In some real-world protocols (like TLS [21]), public keys and certificates are also exchanged through the protocol (by sending $(m_1,vk_i,cert_i,\sigma _1)$ and $(m_2,vk_j,cert_j,\sigma _2)$). In this case, $\sigma _1$ is a signature of $(m_1,vk_i,cert_i)$, and so is $\sigma _2$. (Identities are suggested to be included in the signature to prevent unknown key-share (UKS) attacks [3].)

4.2 Security Proof

Before the proof, we define two sets $\textsf {Sent}_i^s$ and $\textsf {Recv}_i^s$ for $\pi _i^s$ and event (4) for each $(i,s)\in [\mu ]\times [\ell ]$ in $\textsf {Exp}_{\textsf {AKE},\mu ,\ell ,\mathcal {A}}^{\textsf {strong}}(\lambda )$.

$\textsf {Sent}_i^s$: The set collecting messages sent by $\pi _i^s$.
$\textsf {Recv}_i^s$: The set collecting valid messages received and stored by $\pi _i^s$. We stress that invalid messages will be discarded and do not appear in $\textsf {Recv}_i^s$.

Message Consistency. $\pi _i^s$ is message-consistent with $\pi _j^t$ as a responder, if $\pi _i^s$ is a responder with $\textsf {Recv}_i^s=\{(m_1, \cdot )\}\ne \varnothing $ and $\pi _j^t$ is an initiator with $\textsf {Sent}_j^t=\{(m_1,\cdot )\}\ne \varnothing $. $\pi _i^s$ is message-consistent with $\pi _j^t$ as an initiator, if $\pi _i^s$ is an initiator with $\textsf {Sent}_i^s=\{(m_1, \cdot )\}\ne \varnothing $, $\textsf {Recv}_i^s=\{(m_2, \cdot )\}\ne \varnothing $ and $\pi _j^t$ is a responder with $\textsf {Recv}_j^t=\{(m_1, \cdot )\}\ne \varnothing $, $\textsf {Sent}_j^t=\{(m_2, \cdot )\}\ne \varnothing $.

Define Event (4) for (i, s): Let $j:=\mathsf {Pid}_i^s$. If $\pi _i^s$ is responder, then $\not \exists t\in [\ell ]$ such that $\pi _i^s$ is message-consistent with $\pi _j^t$ as a responder; if $\pi _i^s$ is an initiator, then $\not \exists t\in [\ell ]$ such that $\pi _i^s$ is message-consistent with $\pi _j^t$ as an initiator.

Claim 1

For a specific pair (i, s) with $j:=\mathsf {Pid}_i^s$, if $\lnot (4)$ happens, there exists $t\in [\ell ]$ such that $\pi _i^s$ is not only message-consistent with $\pi _j^t$ either as a responder or as an initiator, but also $\textsf {Partner}(\pi _i^s \leftarrow \pi _j^t)$.

Proof of Claim 1. If $\lnot (4)$ happens, then $\pi _i^s$ must be message-consistent with some $\pi _j^t$. Hence $\pi _i^s$ and $\pi _j^t$ are executing the protocol following the specification of AKE, and $\pi _i^s$ must be accepted with $k_i^s$ ($\ne \emptyset $). According to the correctness of $\textsf {AKE}$, $k_i^s$ must be the original key, so $\textsf {Partner}(\pi _i^s \leftarrow \pi _j^t)$.

Claim 2

For a specific pair (i, s), if (1) $\pi _i^s$ is accepted; (2) $P_j$ with $j=\mathsf {Pid}_i^s$ is uncorrupted; and (4) happens, then $\pi _i^s$ can always collect a valid message-signature pair $(m,\sigma )$ from $\textsf {Sent}_i^s$ and $\textsf {Recv}_i^s$, such that $\textsf {SIG.Ver}(vk_j,m,\sigma )=1$ with $j:=\mathsf {Pid}_i^s$. Meanwhile, m must be different from any message $m'$ signed by $\pi _j^t$ for all $t\in [\ell ]$.

Proof of Claim 2. (1) means $\pi _i^s$ is accepted, so $\textsf {Recv}_i^s \ne \varnothing $ and $\textsf {Sent}_i^s \ne \varnothing $. (2) says $P_j$ is not corrupted yet, so $\pi _j^t$ is accessible.

Case 1: Responder $\pi _i^s$. Let $\textsf {Recv}_i^s=\{(m_1,\sigma _1)\}$, we have $\textsf {SIG.Ver}(vk_j,m_1,\sigma _1)=1$ since $m_1$ is valid. And for any $\pi _j^t$ with $\textsf {Sent}_j^t = \{(m_1', \sigma _1')\} \ne \varnothing $, we know that $\sigma _1'$ is a signature of $m_1'$ signed with $sk_j$. Meanwhile, (4) implies $m_1\ne m_1'$.
Case 2: Initiator $\pi _i^s$. Let $\textsf {Sent}_i^s=\{(m_1,\sigma _1)\}$ and $\textsf {Recv}_i^s=\{(m_2,\sigma _2)\}$, we have $\textsf {SIG.Ver}(vk_j,m_1||m_2,\sigma _2)=1$ since $m_2$ is valid. And for any $\pi _j^t$ with $\textsf {Recv}_j^t\ne \varnothing $ and $\textsf {Sent}_j^t\ne \varnothing $, let $\textsf {Recv}_j^t=\{(m_1', \sigma _1')\}$ and $\textsf {Sent}_j^t=\{(m_2', \sigma _2')\}$, then $\sigma _2'$ is a signature of $m_1'||m_2'$ signed with $sk_j$. Similarly, $m_1||m_2 \ne m_1'||m_2'$ by (4).

We analyse $\textsf {Win}_\textsf {Auth}$ first in the proof of $\textsf {AKE}$’s strong security.

Theorem 3

Suppose that SIG is MU-EUF-CMA$^{\mathsf {corr}}$ secure, KEM is IND-mCPA$^{\mathsf {reveal}}$ secure and has diverse property, then AKE has strong authentication. More precisely, for any PPT adversary $\mathcal {A}$ against AKE, there exists a PPT adversary $\mathcal {B}_\textsf {SIG}$ such that .

Proof. In $\textsf {Exp}_{\textsf {AKE},\mu ,\ell ,\mathcal {A}}^{\textsf {strong}}(\lambda )$, $\mathcal {A}$ is allowed to ask Send, Corrupt, RegisterCorrupt, Reveal, and Test queries adaptively. According to the definition, $\textsf {Win}_{\textsf {Auth}}$ happens iff $\exists (i,s)$ such that $(1)\wedge (2) \wedge ((3.1)\vee (3.2)\vee (3.3))$ holds, where

(1) $\pi _i^s$ is $\tau $-accepted;
(2) $P_j$ is $\hat{\tau }$-corrupted with $j:=\mathsf {Pid}_i^s$ and $\hat{\tau }>\tau $;
(3.1) $\not \exists t\in [\ell ]$ s.t. $\textsf {Partner}(\pi _i^s \leftarrow \pi _j^t)$, where $j:=\mathsf {Pid}_i^s$;
(3.2) $\exists ~t\in [\ell ], (j',t')\in [\mu ]\times [\ell ]$ with $(j,t)\ne (j',t')$ s.t. $\textsf {Partner}(\pi _i^s \leftarrow \pi _j^t) \wedge \textsf {Partner}(\pi _{i}^{s} \leftarrow \pi _{j'}^{t'})$, where $j:=\mathsf {Pid}_i^s$;
(3.3) $\exists ~t\in [\ell ], (i',s')\in [\mu ]\times [\ell ]$ with $(i,s)\ne (i',s')$ s.t. $\textsf {Partner}(\pi _i^s \leftarrow \pi _j^t) \wedge \textsf {Partner}(\pi _{i'}^{s'} \leftarrow \pi _j^t)$, where $j:=\mathsf {Pid}_i^s$;
(1)

Lemma 1

There exists a PPT algorithm $\mathcal {B}_\textsf {SIG}$ such that

Proof of Lemma 1. First we prove $\Pr _{\exists (i,s)}[(1)\wedge (2)\wedge (3.1)] \le \Pr _{\exists (i,s)}[(1)\wedge (2)\wedge (4)]$. This can be done by a proof of $\Pr _{\exists (i,s)}[(1)\wedge (2)\wedge \lnot (3.1)] \ge \Pr _{\exists (i,s)}[(1)\wedge (2)\wedge \lnot (4)]$. For a specific pair (i, s), if $(1)\wedge (2)\wedge \lnot (4)$ happens, according to Claim 1, there exists $t\in [\ell ]$ such that $\textsf {Partner}(\pi _i^s \leftarrow \pi _j^t)$, hence $(1)\wedge (2)\wedge \lnot (3.1)$ must happen.

Next we prove that $\Pr _{\exists (i,s)}[(1)\wedge (2)\wedge (4)] \le \textsf {Adv}_{\textsf {SIG},\mu ,\mathcal {B}_\textsf {SIG}}^{\textsf {m-corr}}(\lambda )$.

To this end, we construct a PPT algorithm $\mathcal {B}_\textsf {SIG}$ against the MU-EUF-CMA$^{\textsf {corr}}$ security of SIG. Let $\mathcal {C}_\textsf {SIG}$ be the challenger of $\mathcal {B}_\textsf {SIG}$ in $\textsf {Exp}_{\textsf {SIG},\mu ,\mathcal {B}_\textsf {SIG}}^{\textsf {m-corr}}(\lambda )$. $\mathcal {B}_\textsf {SIG}$ gets a list of verification keys $\{vk_i\}_{i\in [\mu ]}$ from $\mathcal {C}_\textsf {SIG}$. $\mathcal {C}_\textsf {SIG}$ also provides $\mathcal {B}_\textsf {SIG}$ with $\textsf {pp}_\textsf {SIG}$, oracles $\mathcal {O}_\textsc {Sign}(\cdot ,\cdot )$ and $\mathcal {O}_\textsc {Corr}(\cdot )$, where $\mathcal {O}_\textsc {Sign}(i,m)$ returns a signature with ${\sigma \leftarrow \textsf {SIG.Sign}(sk_i, m)}$, and $\mathcal {O}_\textsc {Corr}(i)$ returns the signing key $sk_i$.

$\mathcal {B}_\textsf {SIG}$ simulates the strong security experiment of AKE for $\mathcal {A}$. First $\mathcal {B}_\textsf {SIG}$ invokes $\textsf {pp}_\textsf {KEM}\leftarrow \textsf {KEM.Setup}(1^\lambda )$, sets $\textsf {pp}_\textsf {AKE}:=(\textsf {pp}_\textsf {SIG},\textsf {pp}_\textsf {KEM})$, and sends $\textsf {pp}_\textsf {AKE}$ and $\textsf {PKList}:=\{vk_i\}_{i\in [\mu ]}$ to $\mathcal {A}$. Then $\mathcal {B}_\textsf {SIG}$ answers the queries of $\mathcal {A}$ as follows.

$\textsf {Send}(i,s,j,\mathsf {msg})$: $\mathcal {B}_\textsf {SIG}$ answers just like the challenger in $\textsf {Exp}_{\textsf {AKE},\mu ,\ell ,\mathcal {A}}^{\textsf {strong}}(\lambda )$. Whenever there is a message m to be signed with $sk_i$, $\mathcal {B}_\textsf {SIG}$ asks its own oracle $\mathcal {O}_{\textsc {Sign}}(i,m)$ to get the corresponding signature. In this way, $\mathcal {B}_\textsf {SIG}$ answers the Send query perfectly.
$\textsf {Corrupt}(i)$: Given i, $\mathcal {B}_\textsf {SIG}$ asks its own oracle $\mathcal {O}_\textsc {Corr}(i)$ to get $sk_i$. Then it returns $sk_i$ to $\mathcal {A}$.
$\textsf {RegisterCorrupt}(u,vk_u)$: $\mathcal {B}_\textsf {SIG}$ registers a new party $P_u$ (0-corrupted) and adds $vk_u$ to $\textsf {PKList}$. Then $\mathcal {B}_\textsf {SIG}$ returns PKList.
$\textsf {Reveal}(i,s)$: $\mathcal {B}_\textsf {SIG}$ answers just like the challenger in the experiment.
$\textsf {Test}(i,s)$: $\mathcal {B}_\textsf {SIG}$ answers just like the challenger in the experiment.

In the simulation, $\mathcal {B}_\textsf {SIG}$ checks whether $\exists (i,s)$ such that $(1)\wedge (2) \wedge (4)$ happens. If yes, there exists a $\tau $-accepted oracle $\pi _i^s$ with $j:=\mathsf {Pid}_i^s$. Claim 2 tells us that a valid message-signature pair $(m,\sigma )$ can be derived from $\textsf {Sent}_i^s\cup \textsf {Recv}_i^s=\{(m_1, \sigma _1), (m_2, \sigma _2)\}$, such that $\textsf {SIG.Ver}(vk_j,m,\sigma )=1$. $\mathcal {B}_\textsf {SIG}$ then outputs $(j,m,\sigma )$ as its forgery.

Now $\mathcal {B}_\textsf {SIG}$ simulates the experiment perfectly. Event (2) implies that $P_j$ is not corrupted yet, so $\mathcal {B}_{\textsf {SIG}}$ never queries $\mathcal {O}_{\textsc {Corr}}(j)$. And by Claim 2, m must be different from any message signed by $\pi _j^t$ for all $t\in [\ell ]$. Therefore, $\mathcal {B}_{\textsf {SIG}}$ never queries $\mathcal {O}_{\textsc {Sign}}(j,m)$ and m is a fresh message. So if $(1)\wedge (2)\wedge (4)$ happens, $\mathcal {B}_{\textsf {SIG}}$ wins in $\textsf {Exp}_{\textsf {SIG},\mu ,\mathcal {B}_\textsf {SIG}}^{\textsf {m-corr}}(\lambda )$, thus $\Pr [(1)\wedge (2)\wedge (4)] \le \textsf {Adv}_{\textsf {SIG},\mu ,\mathcal {B}_\textsf {SIG}}^{\textsf {m-corr}}(\lambda )$.

Lemma 2

$ \Pr _{\exists (i,s)}[(1)\wedge (2)\wedge (3.2)] =2^{-\varOmega (\lambda )}.$

Proof of Lemma 2. For a specific pair (i, s), if event $(1)\wedge (2)\wedge (3.2)$ happens, then there exist at least two oracles to which $\pi _i^s$ is partnered. Suppose $\pi _i^s$ is partnered to two distinct oracles $\pi _j^t$ and $\pi _{j'}^{t'}$.

Case 1: Responder $\pi _i^s$. Let $pk_{\textsf {KEM}}$, $pk_{\textsf {KEM}}'$ be the public keys of KEM determined by the internal randomness of $\pi _j^t$ and $\pi _{j'}^{t'}$. On the one hand, $\textsf {Partner}(\pi _i^s \leftarrow \pi _j^t)$ means $k_i^s=K$, and the original key K is derived from $(K,C) \leftarrow \textsf {KEM.Encap}(pk_{\textsf {KEM}}; r)$; on the other hand, $\textsf {Partner}(\pi _i^s \leftarrow \pi _{j'}^{t'})$ means $k_i^s=K'$ and $K'$ is derived from $(K',C') \leftarrow \textsf {KEM.Encap}(pk_{\textsf {KEM}}'; r)$. Here r is the internal randomness chosen by $\pi _i^s$. This suggests $K=K'$. According to the diverse property of $\textsf {KEM}$, this occurs with probability $2^{-\varOmega (\lambda )}$.
Case 2: Initiator $\pi _i^s$. Let $pk_{\textsf {KEM}}$ be the public key of KEM determined by the internal randomness of $\pi _i^s$, and r, $r'$ be the randomness chosen by $\pi _j^t$ and $\pi _{j'}^{t'}$, respectively. Let $(K,C) \leftarrow \textsf {KEM.Encap}(pk_{\textsf {KEM}}; r)$ and $(K',C') \leftarrow \textsf {KEM.Encap}(pk_{\textsf {KEM}}; r')$. Since $\textsf {Partner}(\pi _i^s \leftarrow \pi _j^t)$ and $\pi _i^s$ is the initiator, we have $k_i^s = \textsf {KEM.Decap}(sk_\textsf {KEM},C)$. Similarly $\textsf {Partner}(\pi _i^s \leftarrow \pi _{j'}^{t'})$ implies $k_i^s=\textsf {KEM.Decap}(sk_\textsf {KEM},C')$. By the correctness of KEM, we have $K = k_i^s = K'$, which occurs with probability $2^{-\varOmega (\lambda )}$ by the diverse property of $\textsf {KEM}$.

There are $\mu \ell $ choices for (i, s) and $C_{\mu \ell }^2$ choices for (j, t) and $(j',t')$. By a union bound, $ \Pr _{\exists (i,s)}[(1)\wedge (2)\wedge (3.2)] =\mu \ell \cdot C_{\mu \ell }^2\cdot 2^{-\varOmega (\lambda )}=2^{-\varOmega (\lambda )}.$

Lemma 3

If there exists an accepted $\pi _i^s$ with $j:=\mathsf {Pid}_i^s$, and $P_j$ is uncorrupted when $\pi _i^s$ accepts, then there exists a unique $\pi _j^t$, which $\pi _i^s$ is partnered to and message-consistent with, except with probability $\textsf {Adv}_{\textsf {SIG},\mu ,\mathcal {B}_\textsf {SIG}}^{\textsf {m-corr}}(\lambda )+2^{-\varOmega (\lambda )}$, i.e., $\Pr _{\exists (i,s)}[(1)\wedge (2)] - \Pr _{\exists (i,s)}[(1)\wedge (2)\wedge \lnot (4)\wedge \lnot (3.2)] \le \textsf {Adv}_{\textsf {SIG},\mu ,\mathcal {B}_\textsf {SIG}}^{\textsf {m-corr}}(\lambda )+2^{-\varOmega (\lambda )}$.

Proof of Lemma 3. This is done by the total probability rule, Lemmas 1 and 2.

Lemma 4

$\Pr _{\exists (i,s)}[(1)\wedge (2)\wedge (3.3)] \le \textsf {Adv}_{\textsf {SIG}, \mu ,\mathcal {B}_\textsf {SIG}}^{\textsf {m-corr}}(\lambda ) +2^{-\varOmega (\lambda )}.$

Proof of Lemma 4. Suppose that there exists (i, s) such that $(1)\wedge (2)\wedge (3.3)$ holds. That is to say, $\exists ~(i,s), (i',s'), t$ with $(i,s) \ne (i',s')$ and $j:=\mathsf {Pid}_i^s$, such that $P_j$ is uncorrupted, $\textsf {Partner}(\pi _i^s \leftarrow \pi _j^t)$ and $\textsf {Partner}(\pi _{i'}^{s'} \leftarrow \pi _j^t)$.

According to Lemma 3, except with probability $\textsf {Adv}_{\textsf {SIG},\mu ,\mathcal {B}_\textsf {SIG}}^{\textsf {m-corr}}(\lambda )+2^{-\varOmega (\lambda )}$, both $\pi _i^s$ and $\pi _{i'}^{s'}$ must be uniquely partnered to and message-consistent with $\pi _j^t$. In this case, $\mathsf {Pid}_i^s=\mathsf {Pid}_{i'}^{s'}=j$. Meanwhile, the message sent by $\pi _j^t$ contains a unique identity indicating its peer, so $i=i'$.

Given $i=i'$, we have the following fact. Suppose $s'<s$.

Fact 1

Let $\textsf {st}_i^s=\{\textsf {sctr}_{i,0}^s[u],\textsf {sctr}_{i,1}^s[u]\}_{u\in [\mu ]}$ and $\textsf {st}_{i}^{s'}=\{\textsf {sctr}_{i,0}^{s'}[u],\textsf {sctr}_{i,1}^{s'}[u]\}_{u\in [\mu ]}$ be the current states when $\pi _i^s$ and $\pi _{i'}^{s'}$ are invoked. If $\varPsi _i^{s'}=\mathbf{accept} $ and $\mathsf {Pid}_i^{s'}=j$, then $\textsf {sctr}_{i,0}^{s'}[j] < \textsf {sctr}_{i,0}^{s}[j]$ and $\textsf {sctr}_{i,1}^{s'}[j] \le \textsf {sctr}_{i,1}^{s}[j]$.

We then show that the counters in states will make $(1)\wedge (2)\wedge (3.3)$ impossible.

Case 1: Responder $\pi _i^s$. Suppose that $((m_2,\sigma _2), \overline{\textsf {st}}_i^{s'},...) \leftarrow \pi _{i}^{s'}((m_1,\sigma _1),...)$, where $\overline{\textsf {st}}_{i}^{s'}=\{\overline{\textsf {sctr}}_{i,0}^{s'}[u],\overline{\textsf {sctr}}_{i,1}^{s'}[u]\}_{u\in [\mu ]}$. Let $\textsf {ctr}$ be the counter contained in $m_1$, then ${\textsf {sctr}_{i,1}^{s'}[j]<\textsf {ctr}= \overline{\textsf {sctr}}_{i,1}^{s'}[j]}$. By Fact 1 we have ${\overline{\textsf {sctr}}_{i,1}^{s'}[j]\le \textsf {sctr}_{i,1}^{s}[j]}$. Consequently ${\textsf {ctr}\le \textsf {sctr}_{i,1}^{s}[j]}$, which means ${\varPsi _{i}^{s}=\mathbf{reject} }$. This contradicts to ${\varPsi _i^s=\mathbf{accept} }$.
Case 2: Initiator $\pi _i^s$. Let $(m_2,\sigma _2)$ be the message sent by $\pi _j^t$. Message $m_2$ contains a counter $\textsf {ctr}$ and defines a unique partner. $\varPsi _i^{s'}=\varPsi _{i}^{s}=\mathbf{accept} $ means $\textsf {sctr}_{i,0}^{s'}[j]+1=\textsf {sctr}_{i,0}^{s}[j]+1=\textsf {ctr}$. By Fact 1 we have $\textsf {sctr}_{i,0}^{s'}[j]<\textsf {sctr}_{i,0}^{s}[j]$, and this leads to a contradiction.

Theorem 3 follows from Eq. (1), Lemmas 1, 2 and 4. $\square $

Theorem 4

Suppose that $\textsf {SIG}$ is MU-EUF-CMA$^{\mathsf {corr}}$ secure, $\textsf {KEM}$ is IND-mCPA$^{\mathsf {reveal}}$ secure and has diverse property, then AKE is strongly secure. More precisely, for any PPT adversary $\mathcal {A}$ against AKE, there exist PPT adversaries $\mathcal {B}_\textsf {SIG}$ and $\mathcal {B}_\textsf {KEM}$ such that .

Proof. We prove it by three games, Game 0, Game 1 and Game 2.

Game 0. Game 0 is the original game. Thus

(2)

Game 1. Game 1 is the same as Game 0 except that the experiment will abort if bad happens, where $\textsf {bad}:=\exists (i,s)$ $((1)\wedge (2)\wedge (4))$. In words, $\textsf {bad}$ means there exists an accepted $\pi _i^s$ such that $\pi _i^s$ is not message-consistent with any oracle $\pi _j^t$. If bad does not happen, Game 0 is identical to Game 1. By the difference lemma and Lemma 1, we have

$$\begin{aligned} |\Pr [\mathbf{Game} 1 \Rightarrow 1]-\Pr [\mathbf{Game} 0 \Rightarrow 1]|\le \Pr [\textsf {bad}]\le \mathsf {Adv}_{\textsf {SIG},\mu ,\mathcal {B}_\textsf {SIG}}^{\textsf {m-corr}}(\lambda ). \end{aligned}$$

(3)

Game 2. Game 2 is the same as Game 1 except that $\textsf {D-Partner}(\pi _i^s,\pi _j^t)$ in the experiment is changed to a new one, where $\textsf {D-Partner}(\pi _i^s,\pi _j^t)$ is the algorithm to check whether $\pi _i^s$ is partnered to $\pi _j^t$.

In Game 2, deciding $\textsf {Partner}(\pi _i^s \leftarrow \pi _j^t)$ is implemented by simply checking the message consistency between $\pi _i^s$ and $\pi _j^t$. It gets rid of computation of original keys as in Game 1, and this is a preparation for the proof of Lemma 5.

We then prove that the new algorithm $\textsf {D-Partner}(\pi _i^s, \pi _j^t)$ has the same functionality as the old one except with probability $2^{-\varOmega (\lambda )}$.

Note that $\textsf {D-Partner}(\pi _i^s, \pi _j^t)$ is only invoked in testing $(1')\wedge (2')\wedge (3')$. $(1')$ implies the existence of an accepted $\pi _i^s$ with $j:=\mathsf {Pid}_i^s$ and $P_j$ uncorrupted. If bad does not happens, according to Claim 1, there exists $t\in [\ell ]$ s.t. $\textsf {Partner}(\pi _i^s \leftarrow \pi _j^t)$ and $\pi _i^s$ is message-consistent with $\pi _j^t$. So, if $\pi _i^s$ is uniquely partnered, then $\textsf {Partner}(\pi _i^s \leftarrow \pi _j^t)$ if and only if $\pi _i^s$ is message-consistent with $\pi _j^t$. Hence, Game 1 and Game 2 are the same unless $\pi _i^s$ is partnered to multiple oracles, which happens with probability no more than $2^{-\varOmega (\lambda )}$ by Lemma 2. Thus,

$$\begin{aligned} |\Pr [\mathbf{Game} \,\mathbf{2} \Rightarrow 1]-\Pr [\mathbf{Game} \, \mathbf{1} \Rightarrow 1]| \le 2^{-\varOmega (\lambda )}. \end{aligned}$$

(4)

Lemma 5

There exists a PPT algorithm $\mathcal {B}_\textsf {KEM}$ such that

(5)

Proof of Lemma 5. Let $(i^*,s^*,b^*)$ be the output of $\mathcal {A}$. For simplicity, define $(i,s,b^*):=(i^*,s^*,b^*)$ and $j:=\mathsf {Pid}_i^s$. Recall that $\textsf {Exp}_{\textsf {AKE},\mu ,\ell ,\mathcal {A}}^{\textsf {strong}}(\lambda )$ outputs 1 iff $b^*=b_i^s$ under the following conditions.

$(1')$ $\pi _i^s$ is $\tau $-tested and $\mathsf {Pid}_i^s$ is $\tilde{\tau }$-corrupt with $\tilde{\tau } > \tau $.
$(2')$ $\pi _i^s$ is $\infty $-revealed.
$(3')$ If $\exists t\in [\ell ]$ s.t. $\pi _i^s$ is partnered to $\pi _j^t$, then $\pi _j^t$ is $\infty $-revealed and $\infty $-tested.

Now we construct a PPT algorithm $\mathcal {B}_\textsf {KEM}$ to break $\textsf {KEM}$’s IND-mCPA$^\textsf {reveal}$ security (Definition 5) by simulating Game 2 for $\mathcal {A}$. $\mathcal {B}_\textsf {KEM}$ first obtains from its challenger $\mathcal {C}_\textsf {KEM}$ the public parameter $\textsf {pp}_\textsf {KEM}$ of $ \textsf {KEM}$ and a list of $\mu \ell $ public keys $\textsf {PKList}_{\textsf {KEM}}:=\{pk_1,pk_2,...,pk_{\mu \ell }\}$. Meanwhile, $\mathcal {B}_\textsf {KEM}$ has access to two oracles $\mathcal {O}_{\textsc {Encap}}(\cdot )$ and $\mathcal {O}_{\textsc {Reveal}}(\cdot ,\cdot )$. See Fig. 7 for $\mathcal {B}_\textsf {KEM}$’s simulation of Game 2.

In the simulation, to send the first message $(m_1, \sigma _1)$ for $\pi _i^s$, $\mathcal {B}_\textsf {KEM}$ can always use public key $pk_{(i-1)\mu +s}\in \textsf {PKList}_{\textsf {KEM}}$ as $pk_{\textsf {KEM}}$ in $m_1$ and sign $m_1$ with $sk_i$. Hence $\mathcal {B}_\textsf {KEM}$’s simulation of $(m_1, \sigma _1)$ is perfect. After receiving a message $(m_1, \sigma _1)$, to generate $(m_2, \sigma _2)$ for $\pi _j^t$, $\mathcal {B}_\textsf {KEM}$ invokes its oracle $\mathcal {O}_{\textsc {Encap}}(\cdot )$ to generate (K, C) if $pk_{\textsf {KEM}}\in \textsf {PKList}_{\textsf {KEM}}$ ($pk_\textsf {KEM}$ is in $m_1$). In this case, $\mathcal {B}_\textsf {KEM}$ stores $(pk_\textsf {KEM},K,C)$ into $\overline{\textsf {CList}}$, but $\mathcal {B}_\textsf {KEM}$ cannot determine the session key $k_j^t$, since K might be random with half probability. So $\mathcal {B}_\textsf {KEM}$ sets $k_j^t:=*$. If $pk_{\textsf {KEM}}\notin \textsf {PKList}_{\textsf {KEM}}$, then $m_1$ must be forged by $\mathcal {A}$. In this case, $\mathcal {B}_\textsf {KEM}$ can invoke $(K,C)\leftarrow \textsf {KEM.Encap}(pk_\textsf {KEM})$ and set $k_j^t:=K$. Thus in either case, $\mathcal {B}_{\textsf {KEM}}$’s simulation of $(m_2,\sigma _2)$ for $\pi _j^t$ is perfect, just like Game 2 does.

After receiving the last message $(m_2, \sigma _2)$ for $\pi _i^s$, $\mathcal {B}_\textsf {KEM}$ retrieves $pk_{\textsf {KEM}}$ from $m_1$ and C from $m_2$ ($pk_\textsf {KEM}\in \textsf {PKList}_{\textsf {KEM}}$ since $m_1$ is generated by $\mathcal {B}_{\textsf {KEM}}$). If $(pk_{\textsf {KEM}}, C, K)\in \overline{\textsf {CList}}$ for some K, then $\mathcal {B}_\textsf {KEM}$ has asked $\mathcal {O}_{\textsc {Encap}}(\cdot )$ to generate (K, C) w.r.t $pk_{\textsf {KEM}}$, so $\mathcal {B}_\textsf {KEM}$ sets $k_i^s:=*$. Otherwise, C is forged by $\mathcal {A}$. In this case, $\mathcal {B}_\textsf {KEM}$ uses its oracle $\mathcal {O}_{\textsc {Reveal}}(\cdot ,\cdot )$ to reveal the real key $K'$, and sets $k_i^s:=K'$. At last, $\mathcal {B}_\textsf {KEM}$ returns $\emptyset $ to $\mathcal {A}$ as Game 2 does.

$\mathcal {B}_\textsf {KEM}$’s simulation makes sure that if $\varPsi _i^s=\mathbf{accept} $ and $k_i^s\ne *$, then $k_i^s$ must be the real session key. Hence, upon a $\textsf {Reveal}(i,s)$ query, $\mathcal {B}_\textsf {KEM}$ will return $k_i^s$ if $k_i^s\ne *$. Otherwise, it will ask $\mathcal {O}_\textsc {Reveal}(\cdot ,\cdot )$ to get the real key and return it to $\mathcal {A}$. Therefore, $\mathcal {B}_\textsf {KEM}$’s answers to $\textsf {Reveal}$ queries are perfect.

Upon a $\textsf {Test}(i,s)$ query, if $k_i^s\ne *$, then $k_i^s$ is the real session key. If $k_i^s =*$ and $\mathcal {A}$ has asked $\textsf {Test}(j,t)$, where $\textsf {Partner}(\pi _i^s \leftarrow \pi _j^t)$, then $\mathcal {B}_\textsf {KEM}$ asks $\mathcal {O}_\textsc {Reveal}(\cdot ,\cdot )$ to get the real session key. In either case, $\mathcal {B}_{\textsf {KEM}}$ can answer $\textsf {Test}$ queries with the help of the real session key, exactly like Game 2 does. We stress that $\mathcal {B}_\textsf {KEM}$ checks partnership with message consistency, instead of computing the original key. If $k_i^s =*$ and there is no such a partner which has been tested, $\mathcal {B}_\textsf {KEM}$ retrieves $\overline{\textsf {CList}}[i,s]=(pk_{\textsf {KEM}}, C, K)$ associated with $\pi _i^s$, and returns K to $\mathcal {A}$. This simulation is also perfect, since K is either a real key or a random key with half probability.

Given $\mathcal {A}$’s outputs $(i^*,s^*,b^*)$, let $(i,s,b^*):=(i^*,s^*,b^*)$ and $j:=\mathsf {Pid}_i^s$. Condition $(1')$ implies that $P_j$ is uncorrupted when $\pi _i^s$ is tested (hence accepted). Thus there exists a unique $\pi _j^t$ to which $\pi _i^s$ is partnered, and this implies the existence of $\overline{\textsf {CList}}[i,s]=(pk_{\textsf {KEM}}, C, K)$. Conditions $(2') \wedge (3')$ said that $\pi _i^s$, $\pi _j^t$ are $\infty $-revealed, and $\pi _j^t$ is $\infty $-tested. Hence $\mathcal {B}_{\textsf {KEM}}$ has never asked $\mathcal {O}_\textsc {Reveal}(\cdot , \cdot )$ for $(pk_\textsf {KEM},C)$. Consequently, $\mathcal {B}_\textsf {KEM}$ implicitly sets $b_i^s=\beta $ where $\beta $ is the random coin chosen by $\mathcal {C}_{\textsf {KEM}}$. Thus $\mathcal {B}_\textsf {KEM}$ wins as long as $b^*=b_i^s$, and Lemma 5 follows.

By Eqs. (2), (3), (4), (5), we have

Note that in the strong security of $\textsf {AKE}$, only the proof of $\Pr [(1)\wedge (2)\wedge (3.3)] \le \textsf {Adv}_{\textsf {SIG}, \mu ,\mathcal {B}_\textsf {SIG}}^{\textsf {m-corr}}(\lambda )+2^{-\varOmega (\lambda )}$ in Lemma 4 makes use of the non-decreasing property of counters in states. For our stateless AKE scheme $\textsf {AKE}^{\textsf {stateless}}$, the normal (not strong) security requirement (see Fig. 5) does not need $(1)\wedge (2)\wedge (3.3)$. Therefore, $\textsf {AKE}^{\textsf {stateless}}$ can be proved to be secure, and the security proof almost verbatim follows that of Theorems 3 and 4. Hence we have the following corollary.

Corollary 1

Suppose that $\textsf {SIG}$ is MU-EUF-CMA$^{\mathsf {corr}}$ secure, $\textsf {KEM}$ is IND-mCPA$^{\mathsf {reveal}}$ secure and has diverse property, then our stateless AKE scheme $\textsf {AKE}^{\textsf {stateless}}$ is secure. More precisely, for any PPT adversary $\mathcal {A}$ against $\textsf {AKE}^{\textsf {stateless}}$, there exist PPT adversaries $\mathcal {B}_\textsf {SIG}$ and $\mathcal {B}_\textsf {KEM}$ such that

5 Instantiations of AKE with Tight Security

In this section, we present specific constructions of AKE by instantiating the two building blocks KEM and SIG, where KEM has tight IND-mCPA$^{\textsf {reveal}}$ security and diverse property, and SIG has tight MU-EUF-CMA$^\textsf {corr}$ security.

5.1 Instantiations of KEM with Tight IND-mCPA$^{\textsf {reveal}}$ Security

We present two KEM schemes. The first one is derived from the twin ElGamal encryption [5] based on the CDH assumption in the RO model. The other is derived from [14] and based on the MDDH assumption in the standard model.

Now we present $\textsf {KEM}_{\textsf {st2DH}}$, and prove that its IND-mCPA$^{\textsf {reveal}}$ security can be tightly reduced to the st2DH assumption [5], which is in turn to the CDH assumption by Theorem 2, in the random oracle model. See Fig. 8

Correctness. Correctness is due to $((g^{x_1})^y,(g^{x_2})^y)=((g^y)^{x_1},(g^y)^{x_2})$.

Theorem 5

The KEM scheme $\textsf {KEM}_{\textsf {st2DH}}$ is IND-mCPA$^{\mathsf {reveal}}$ secure in the random oracle model. More precisely, for any PPT adversary $\mathcal {A}$ against the IND-mCPA$^{\mathsf {reveal}}$ security, there exists a PPT adversary $\mathcal {B}$ solving the st2DH problem such that $\mathsf {Adv}_{\textsf {KEM}_\textsf {st2DH},\theta ,\mathcal {A}}^{\textsf {r-m-cpa}}(\lambda ) \le \mathsf {Adv}_{\mathbb {G},\mathcal {B}}^{\textsf {st2DH}}(\lambda )\le \mathsf {Adv}_{\mathbb {G}}^{\textsf {CDH}}(\lambda )+2^{-\varOmega {(\lambda )}}.$

Proof Sketch. We construct a PPT algorithm $\mathcal {B}$ that simulates $\textsf {Exp}_{\textsf {KEM}_\textsf {st2DH},\theta ,\mathcal {A}}^{\textsf {r-m-cpa}}(\lambda )$ to the KEM adversary $\mathcal {A}$, and uses $\mathcal {A}$’s ability to solve the st2DH problem. Due to the space limitation, we sketch the high-level idea of the proof in the single user setting. The formal proof can be found in our full version in ePrint.

Let $(g^{x_1},g^{x_2},g^y)$ be the tuple needed to be solved. Intuitively $\mathcal {B}$ will embed $(g^{x_1},g^{x_2})$ to the public key, and embed $g^y$ to the challenge ciphertext $C=g^{y+b}$. If $\mathcal {A}$ never asked $H(g^{x_1}, g^{x_2}, C, C^{x_1},C^{x_2})$, then $k=H(g^{x_1}, g^{x_2}, C, C^{x_1},C^{x_2})$ is truly random and $\mathcal {A}$ has no advantage at all. If $\mathcal {A}$ ever asked $H(g^{x_1}, g^{x_2}, C, C^{x_1},C^{x_2})$, then $\mathcal {B}$ can find the answer $(C^{x_1}/g^b,C^{x_2}/g^b)$ to the st2DH problem. The difficult part of $\mathcal {B}$’s simulation is the reveal of encapsulated key $k=H(g^{x_1}, g^{x_2}, C, C^{x_1},C^{x_2})$ to $\mathcal {A}$, when the secret key $(x_1,x_2)$ and $\log _g C$ are unknown. This difficulty is circumvented by $\mathcal {B}$’s simulation of random oracle $H(\cdot )$ and the decision oracle 2DH. If $\mathcal {A}$ has not asked $H(g^{x_1}, g^{x_2}, C, C^{x_1},C^{x_2})$ before, $\mathcal {B}$ samples a random key k and implicitly set $H(g^{x_1}, g^{x_2}, C, C^{x_1},C^{x_2})=k$. If $\mathcal {A}$ has asked $H(g^{x_1}, g^{x_2}, C, C^{x_1},C^{x_2})$, $\mathcal {B}$ must have stored item $((g^{x_1}, g^{x_2}, C, C^{x_1},C^{x_2}), k)$ in the hash list. Then $\mathcal {B}$ can resort to the decision oracle $\textsc {2DH}(g^{x_1},g^{x_2},C,C^{x_1},C^{x_2})$ $=1$ to locate this item, and return k to $\mathcal {A}$. In this way, $\mathcal {B}$ successfully simulates the reveal oracle to $\mathcal {A}$.

The diverse property of $\textsf {KEM}_\textsf {st2DH}$ is proved in our full version.

In [14], Han et al. proposed a public key encryption (PKE) scheme based on the MDDH assumption over bilinear groups. The PKE scheme has almost tight IND-mCCA security. In the encryption, the plaintext is masked by K, which can be regarded as an encapsulated key. As a result, from the PKE we can derive an IND-mCCA secure KEM $\textsf {KEM}_\textsf {MDDH}$. The definition of the MDDH assumption and the scheme $\textsf {KEM}_\textsf {MDDH}$ appear in the full version (see ePrint).

Theorem 6

(IND-mCCA Security of $\mathsf {KEM}_\mathsf {MDDH}$). Let $\ell ' \ge 2k+1$. If (i) the $\mathcal {D}_{\ell ', k}$-MDDH assumption holds over both $\mathbb {G}_1$ and $\mathbb {G}_2$, (ii) $\mathcal {H}$ is a collision-resistant function family, then $\textsf {KEM}_\textsf {MDDH}$ is IND-mCCA secure. More precisely, for any PPT adversary $\mathcal {A}$ who makes at most $Q_e$ times of $\textsc {Enc}$ queries and $Q_d$ times of $\textsc {Dec}$ queries, there exist PPT adversaries $\mathcal {B}_1$, $\mathcal {B}_2$ and $\mathcal {B}_3$, such that

The diverse property of $\textsf {KEM}_\textsf {MDDH}$ can also be easily tested.

5.2 Instantiations of SIG with Tight MU-EUF-CMA$^\textsf {corr}$ Security

We review two signature schemes. The first one $\textsf {SIG}_\textsf {DDH}$ was proposed by Gjøsteen and Jager [11] and its MU-EUF-CMA$^\textsf {corr}$ security was based on the DDH assumption in the random oracle model. The other one $\textsf {SIG}_\textsf {MDDH}$ was proposed by Bader et al. [1] and its MU-EUF-CMA$^\textsf {corr}$ security was based one the MDDH assumption over bilinear group but in the standard model.

The DDH-based signature scheme $\textsf {SIG}_\textsf {DDH}$ in [11] is shown in our full version, and its MU-EUF-CMA$^\textsf {corr}$ security can be tightly reduced to the DDH & CDH assumptions in the random oracle model. See Theorem 7.

Theorem 7

[11] For any PPT adversary $\mathcal {A}$ against $\textsf {SIG}_{\textsf {\textsf {DDH}}}$, there exist PPT adversaries $\mathcal {B}_\textsf {DDH}$ and $\mathcal {B}_\textsf {CDH}$ against the DDH and CDH problems such that

The MDDH-based signature scheme $\textsf {SIG}_\textsf {MDDH}$ in [1] is shown in our full version, and its MU-EUF-CMA$^\textsf {corr}$ security can be tightly reduced to the MDDH assumption. See Theorem 8.

Theorem 8

[1] For any PPT adversary $\mathcal {A}$ against $\textsf {SIG}_\textsf {MDDH}$, there exist PPT adversaries $\mathcal {B}_1$ and $\mathcal {B}_2$ against $\mathcal {D}_k$-MDDH in $\mathbb {G}_1$ and $\mathbb {G}_2$ such that

5.3 Instantiations of AKE

Following the generic construction of AKE in Fig. 6, if we instantiate the KEM and SIG schemes with $\textsf {KEM}_\textsf {st2DH}$ and $\textsf {SIG}_\textsf {DDH}$, then we obtain a practical 2-pass AKE scheme $\textsf {AKE}_\textsf {DDH}$ ($\textsf {AKE}_\textsf {DDH}^\textsf {stateless}$) with tight security in the random oracle model.

By Theorems 2, 4, 5, 7, we have the following corollary.

Corollary 2

$\textsf {AKE}_\textsf {DDH}$ is strongly secure ($\textsf {AKE}_\textsf {DDH}^\textsf {stateless}$ is secure) in the random oracle model. More precisely, for any PPT adversary $\mathcal {A}$ against $\textsf {AKE}_\textsf {DDH}$ ($\textsf {AKE}_\textsf {DDH}^\textsf {stateless}$), there exist PPT adversaries $\mathcal {B}_\textsf {DDH}$ and $\mathcal {B}_\textsf {CDH}$ against the DDH and CDH problems such that

Similarly, if we instantiate the KEM and SIG schemes with $\textsf {KEM}_\textsf {MDDH}$ and $\textsf {SIG}_\textsf {MDDH}$, then we obtain another 2-pass AKE scheme $\textsf {AKE}_\textsf {MDDH}$ ($\textsf {AKE}_\textsf {MDDH}^\textsf {stateless}$) with tight security in the standard model.

We refer the reader to our full version for the $\textsf {AKE}_\textsf {DDH}$ and $\textsf {AKE}_\textsf {MDDH}$ schemes.

By Theorems 1, 4, 6, 8, we have the following corollary.

Corollary 3

$\textsf {AKE}_\textsf {MDDH}$ is strongly secure ($\textsf {AKE}_\textsf {MDDH}^\textsf {stateless}$ is secure) in the standard model. More precisely, for any PPT adversary $\mathcal {A}$ against $\textsf {AKE}_\textsf {MDDH}$ ($\textsf {AKE}_\textsf {MDDH}^\textsf {stateless}$), there exist PPT adversaries $\mathcal {B}_1$, $\mathcal {B}_2$, $\mathcal {B}_1'$, $\mathcal {B}_2'$ and $\mathcal {B}_3$ such that

Notes

1.
To simplify the description, the hash input does not include pk and C.
2.
Some AKE protocols, like [6] and [22], consider tight security and implicit authentication. In the security model of implicit authentication, $\mathcal {A}$’s advantage is defined by the ability of breaking indistinguishability (with no authentication requirement). Most AKE protocols with implicit authentication are 2-pass. They can be extended to provide explicit authentication via the key confirmation method [16], but with the price of an extra pass and the addition computation of MAC.
3.
The arrow notion $\pi _i^s \leftarrow \pi _j^t$ means $\pi _i^s$ (not necessarily $\pi _j^t$) has computed and accepted the original key.

References

Bader, C., Hofheinz, D., Jager, T., Kiltz, E., Li, Y.: Tightly-secure authenticated key exchange. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015, Part I. LNCS, vol. 9014, pp. 629–658. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46494-6_26
Chapter Google Scholar
Bellare, M., Rogaway, P.: Entity authentication and key distribution. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 232–249. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48329-2_21
Chapter Google Scholar
Blake-Wilson, S., Menezes, A.: Unknown key-share attacks on the station-to-station (STS) protocol. In: Imai, H., Zheng, Y. (eds.) PKC 1999. LNCS, vol. 1560, pp. 154–170. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-49162-7_12
Chapter MATH Google Scholar
Canetti, R., Krawczyk, H.: Security analysis of IKE’s signature-based key-exchange protocol. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 143–161. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45708-9_10
Chapter Google Scholar
Cash, D., Kiltz, E., Shoup, V.: The twin Diffie-Hellman problem and applications. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 127–145. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78967-3_8
Chapter Google Scholar
Cohn-Gordon, K., Cremers, C., Gjøsteen, K., Jacobsen, H., Jager, T.: Highly efficient key exchange protocols with optimal tightness. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019, Part III. LNCS, vol. 11694, pp. 767–797. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26954-8_25
Chapter Google Scholar
Cremers, C., Feltz, M.: Beyond eCK: perfect forward secrecy under actor compromise and ephemeral-key reveal. In: Foresti, S., Yung, M., Martinelli, F. (eds.) ESORICS 2012. LNCS, vol. 7459, pp. 734–751. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-33167-1_42
Chapter Google Scholar
Ding, J., Branco, P., Schmitt, K.: Key exchange and authenticated key exchange with reusable keys based on RLWE assumption. IACR Cryptology ePrint Archive 2019, 665 (2019)
Google Scholar
Escala, A., Herold, G., Kiltz, E., Ràfols, C., Villar, J.: An algebraic framework for Diffie-Hellman assumptions. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part II. LNCS, vol. 8043, pp. 129–147. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40084-1_8
Chapter Google Scholar
Fischlin, M., Günther, F.: Replay attacks on zero round-trip time: the case of the TLS 1.3 handshake candidates. In: 2017 IEEE European Symposium on Security and Privacy, EuroS&P 2017, Paris, France, 26–28 April 2017, pp. 60–75 (2017)
Google Scholar
Gjøsteen, K., Jager, T.: Practical and tightly-secure digital signatures and authenticated key exchange. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018, Part II. LNCS, vol. 10992, pp. 95–125. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96881-0_4
Chapter Google Scholar
Günther, C.G.: An identity-based key-exchange protocol. In: Quisquater, J.-J., Vandewalle, J. (eds.) EUROCRYPT 1989. LNCS, vol. 434, pp. 29–37. Springer, Heidelberg (1990). https://doi.org/10.1007/3-540-46885-4_5
Chapter Google Scholar
Halevi, S., Krawczyk, H.: One-pass HMQV and asymmetric key-wrapping. In: Catalano, D., Fazio, N., Gennaro, R., Nicolosi, A. (eds.) PKC 2011. LNCS, vol. 6571, pp. 317–334. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19379-8_20
Chapter MATH Google Scholar
Han, S., Liu, S., Lyu, L., Gu, D.: Tight leakage-resilient CCA-security from quasi-adaptive hash proof system. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019, Part II. LNCS, vol. 11693, pp. 417–447. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26951-7_15
Chapter Google Scholar
Jin, Z., Zhao, Y.: Generic and practical key establishment from lattice. In: Deng, R.H., Gauthier-Umaña, V., Ochoa, M., Yung, M. (eds.) ACNS 2019. LNCS, vol. 11464, pp. 302–322. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-21568-2_15
Chapter Google Scholar
Krawczyk, H.: HMQV: a high-performance secure Diffie-Hellman protocol. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 546–566. Springer, Heidelberg (2005). https://doi.org/10.1007/11535218_33
Chapter Google Scholar
Krawczyk, H., Wee, H.: The OPTLS protocol and TLS 1.3. In: IEEE European Symposium on Security and Privacy, EuroS&P 2016, Saarbrücken, Germany, 21–24 March 2016, pp. 81–96 (2016)
Google Scholar
LaMacchia, B., Lauter, K., Mityagin, A.: Stronger security of authenticated key exchange. In: Susilo, W., Liu, J.K., Mu, Y. (eds.) ProvSec 2007. LNCS, vol. 4784, pp. 1–16. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-75670-5_1
Chapter MATH Google Scholar
Li, Y., Schäge, S.: No-match attacks and robust partnering definitions: defining trivial attacks for security protocols is not trivial. In: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, CCS 2017, Dallas, TX, USA, 30 October–03 November 2017, pp. 1343–1360 (2017)
Google Scholar
Peikert, C.: Lattice cryptography for the internet. In: Mosca, M. (ed.) PQCrypto 2014. LNCS, vol. 8772, pp. 197–219. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-11659-4_12
Chapter MATH Google Scholar
Rescorla, E.: The transport layer security (TLS) protocol version 1.3. RFC 8446, pp. 1–160 (2018)
Google Scholar
Xiao, Y., Zhang, R., Ma, H.: Tightly secure two-pass authenticated key exchange protocol in the CK model. In: Jarecki, S. (ed.) CT-RSA 2020. LNCS, vol. 12006, pp. 171–198. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-40186-3_9
Chapter Google Scholar

Download references

Acknowledgments

This work is supported by National Natural Science Foundation of China (61925207, 61672346, 61932014, 61825203, U1736203, 61732021), Guangdong Major Project of Basic and Applied Basic Research (2019B030302008), and the Guangdong Provincal Science and Technology Project (2017B010111005).

Author information

Authors and Affiliations

Department of Computer Science and Engineering, Shanghai Jiao Tong University, Shanghai, 200240, China
Xiangyu Liu, Shengli Liu & Dawu Gu
State Key Laboratory of Cryptology, P.O. Box 5159, Beijing, 100878, China
Xiangyu Liu & Shengli Liu
Westone Cryptologic Research Center, Beijing, 100070, China
Shengli Liu
College of Cyber Security, Jinan University, Guangzhou, 510632, China
Jian Weng

Authors

Xiangyu Liu
View author publications
You can also search for this author in PubMed Google Scholar
Shengli Liu
View author publications
You can also search for this author in PubMed Google Scholar
Dawu Gu
View author publications
You can also search for this author in PubMed Google Scholar
Jian Weng
View author publications
You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Shengli Liu .

Editor information

Editors and Affiliations

Network Security Research Institute (NICT), Tokyo, Japan
Shiho Moriai
Nanyang Technological University, Singapore, Singapore
Huaxiong Wang

Rights and permissions

Reprints and permissions

Copyright information

About this paper

Cite this paper

Liu, X., Liu, S., Gu, D., Weng, J. (2020). Two-Pass Authenticated Key Exchange with Explicit Authentication and Tight Security. In: Moriai, S., Wang, H. (eds) Advances in Cryptology – ASIACRYPT 2020. ASIACRYPT 2020. Lecture Notes in Computer Science(), vol 12492. Springer, Cham. https://doi.org/10.1007/978-3-030-64834-3_27

Download citation

DOI: https://doi.org/10.1007/978-3-030-64834-3_27
Published: 05 December 2020
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-64833-6
Online ISBN: 978-3-030-64834-3
eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Societies and partnerships

the International Association for Cryptologic Research (opens in a new tab)