
Modelling Simultaneous Mutual Authentication for Authenticated Key Exchange

Conference paper. Foundations and Practice of Security (FPS 2013).

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 8352)

Abstract

Most recent security models for authenticated key exchange (AKE) do not explicitly model entity authentication, which enables a party to identify its communication peer in a specific session. However, entity authentication is necessary in many real-world applications and is a general way to enhance the security of AKE protocols. Despite much work on AKE, we notice that there is no good definition of entity authentication security that covers simultaneous protocol execution, which would improve bandwidth efficiency in practice. Based on the eCK model, we define a security model called eCK-A that deals with simultaneous mutual authentication. Moreover, the eCK-A model formulates, in a single model, the security properties of resilience to the leakage of various combinations of long-term key and ephemeral session state, and of perfect forward secrecy. We present a generic protocol compiler that achieves eCK-A security from any eCK-secure protocol.


Notes

  1. For simplicity, we consider the security of one selected public key pair of each honest party. Of course, one may apply the much more complicated certificate authority setting of [4], in which each party may possess multiple public keys. But in that case, in the security proof, the adversary still has to choose one uncompromised public key of an honest party to attack. On the other hand, we have to consider a model that is compatible with the previous model for our upcoming generic protocol transformation.

  2. An oracle in this paper might alternatively be written as \(\pi _{\mathsf {ID}_i}^s\), which is conceptually equivalent to \(\pi _{i}^s\).

  3. For example, the variable \(\varPsi ^s_i\) might be set to the identity \(\mathsf {ID}_j\) and public key \(pk_{\mathsf {ID}_j}\) at the point when the oracle receives a message containing identity-related information about its partner; the messages \(m\) and \(m^*\) are appended to the transcripts \(rT^s_i\) and \(sT^s_i\) respectively. A protocol here might run in either the pre- or the post-specified peer setting [8, 17]. For a protocol running in the post-specified peer setting, we always have \(\widetilde{\mathsf {ID}_j} = \emptyset \).

References

  1. Bellare, M., Pointcheval, D., Rogaway, P.: Authenticated key exchange secure against dictionary attacks. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, p. 139. Springer, Heidelberg (2000)

  2. Bellare, M., Rogaway, P.: Entity authentication and key distribution. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 232–249. Springer, Heidelberg (1994)

  3. Blake-Wilson, S., Johnson, D., Menezes, A.: Key agreement protocols and their security analysis. In: Darnell, M. (ed.) 6th IMA International Conference on Cryptography and Coding. LNCS, vol. 1355, pp. 30–45. Springer, Berlin (1997)

  4. Boyd, C., Cremers, C., Feltz, M., Paterson, K.G., Poettering, B., Stebila, D.: ASICS: authenticated key exchange security incorporating certification systems. IACR Cryptol. ePrint Arch. 2013, 398 (2013)

  5. Boyd, C., González Nieto, J.: On forward secrecy in one-round key exchange. In: Chen, L. (ed.) IMACC 2011. LNCS, vol. 7089, pp. 451–468. Springer, Heidelberg (2011)

  6. Canetti, R.: Universally composable security: a new paradigm for cryptographic protocols. In: 42nd Annual Symposium on Foundations of Computer Science, pp. 136–145. IEEE Computer Society Press, October 2001

  7. Canetti, R., Krawczyk, H.: Analysis of key-exchange protocols and their use for building secure channels. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 453–474. Springer, Heidelberg (2001)

  8. Canetti, R., Krawczyk, H.: Security analysis of IKE’s signature-based key-exchange protocol. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 143–161. Springer, Heidelberg (2002). http://eprint.iacr.org/2002/120/

  9. Cremers, C., Feltz, M.: Beyond eCK: perfect forward secrecy under actor compromise and ephemeral-key reveal. In: Foresti, S., Yung, M., Martinelli, F. (eds.) ESORICS 2012. LNCS, vol. 7459, pp. 734–751. Springer, Heidelberg (2012)

  10. Fujioka, A., Suzuki, K.: Designing efficient authenticated key exchange resilient to leakage of ephemeral secret keys. In: Kiayias, A. (ed.) CT-RSA 2011. LNCS, vol. 6558, pp. 121–141. Springer, Heidelberg (2011)

  11. Fujioka, A., Suzuki, K., Xagawa, K., Yoneyama, K.: Strongly secure authenticated key exchange from factoring, codes, and lattices. In: Fischlin, M., Buchmann, J., Manulis, M. (eds.) PKC 2012. LNCS, vol. 7293, pp. 467–484. Springer, Heidelberg (2012)

  12. Jager, T., Kohlar, F., Schäge, S., Schwenk, J.: Generic compilers for authenticated key exchange. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 232–249. Springer, Heidelberg (2010)

  13. Jager, T., Kohlar, F., Schäge, S., Schwenk, J.: On the security of TLS-DHE in the standard model. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 273–293. Springer, Heidelberg (2012)

  14. Kim, M., Fujioka, A., Ustaoğlu, B.: Strongly secure authenticated key exchange without NAXOS’ approach. In: Takagi, T., Mambo, M. (eds.) IWSEC 2009. LNCS, vol. 5824, pp. 174–191. Springer, Heidelberg (2009)

  15. Krawczyk, H.: HMQV: a high-performance secure Diffie-Hellman protocol. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 546–566. Springer, Heidelberg (2005)

  16. LaMacchia, B.A., Lauter, K., Mityagin, A.: Stronger security of authenticated key exchange. In: Susilo, W., Liu, J.K., Mu, Y. (eds.) ProvSec 2007. LNCS, vol. 4784, pp. 1–16. Springer, Heidelberg (2007)

  17. Menezes, A., Ustaoglu, B.: Comparing the pre- and post-specified peer models for key agreement. In: Mu, Y., Susilo, W., Seberry, J. (eds.) ACISP 2008. LNCS, vol. 5107, pp. 53–68. Springer, Heidelberg (2008)

  18. Sarr, A.P., Elbaz-Vincent, P., Bajard, J.-C.: A new security model for authenticated key agreement. In: Garay, J.A., De Prisco, R. (eds.) SCN 2010. LNCS, vol. 6280, pp. 219–234. Springer, Heidelberg (2010)

  19. Sarr, A.P., Elbaz-Vincent, P., Bajard, J.-C.: A secure and efficient authenticated Diffie-Hellman protocol. In: Proceedings of the 6th European Conference on Public Key Infrastructures, Services and Applications, EuroPKI’09, pp. 83–98. Springer, Heidelberg (2010)

  20. Ustaoglu, B.: Obtaining a secure and efficient key agreement protocol from (H)MQV and NAXOS. Des. Codes Crypt. 46(3), 329–342 (2008)

  21. Ustaoglu, B.: Comparing SessionStateReveal and EphemeralKeyReveal for Diffie-Hellman protocols. In: Pieprzyk, J., Zhang, F. (eds.) ProvSec 2009. LNCS, vol. 5848, pp. 183–197. Springer, Heidelberg (2009)

  22. Yang, Z.: Efficient eCK-secure authenticated key exchange protocols in the standard model. In: Qing, S., Zhou, J., Liu, D. (eds.) ICICS 2013. LNCS, vol. 8233, pp. 185–193. Springer, Heidelberg (2013)


Author information

Corresponding author: Zheng Yang.

Proof of Theorem 1

We prove Theorem 1 in two stages. First, we show that the AKE protocol is a secure authentication protocol except with probability \(\epsilon _{auth}\), that is, the protocol fulfils security Property 1.) of the AKE definition. In the second step, we show that the session key of the AKE protocol is secure except with probability \(\epsilon _{ind}\), in the sense of Property 2.) of the AKE definition. The overall probability \(\epsilon \) that the adversary breaks the protocol is then at most \(\epsilon \le \epsilon _{auth} +\epsilon _{ind}\).

Lemma 1

If the protocol \(\varPi \) is \((t,\epsilon _{\mathsf {eCK}})\)-eCK-secure, the pseudo-random function family \(\mathsf {PRF}\) is \((q_{prf},t,\epsilon _{\mathsf {PRF}})\)-secure and the MAC scheme is \((q_{mac},t,\epsilon _{\mathsf {MAC}})\)-secure, then the above protocol meets security Property 1.) of the eCK-A security definition except with probability

$$\begin{aligned} \epsilon _{auth} \le \epsilon _{\mathsf {eCK}} + d\ell \cdot (\epsilon _{\mathsf {eCK}}+ \epsilon _{\mathsf {MAC}}), \end{aligned}$$

where all quantities are as stated in Theorem 1.

Proof

Let \(\mathsf {S}^{1}_\delta \) be the event that, in Game \(\delta \), (i) there exists an oracle \(\pi ^{s^*}_i\) that reaches internal state \(\varPhi ^{s^*}_i= \mathtt {accept} \) with intended communication partner \(\mathsf {ID}_j\), but (ii) there is no oracle \(\pi ^t_j\) such that \(\pi ^{s^*}_i\) has a matching session to \(\pi ^t_j\).

Game 0. This is the original security game. We have that

$$\begin{aligned} \Pr [\mathsf {S}^{1}_0]= \epsilon _{auth}. \end{aligned}$$

Game 1. In this game, the challenger proceeds exactly like the previous game, except that we add an abort rule. The challenger raises the event \(\mathsf {abort}_\mathsf {trans} \) and aborts if, during the simulation, a message \(m_{\mathsf {ID}}\) replied by an oracle \(\pi ^s_i\) has already been sampled by another oracle \(\pi ^w_u\) or sent by the adversary before. There are \(d\ell \) such values, each sampled at random. We claim that the event \(\mathsf {abort}_\mathsf {trans} \) occurs with probability \(\Pr [\mathsf {abort}_\mathsf {trans} ] \le \epsilon _{\mathsf {eCK}}\), for the following reason. Recall first that if the attacked oracle \(\pi ^{s^*}_i\) (generating message \(m^{s^*}_{\mathsf {ID}_i}\)) is fresh, then the adversary is not allowed to issue both \(\mathsf {Corrupt}(\mathsf {ID}_i)\) and \(\mathsf {RevealState}(\pi ^{s^*}_i)\), as otherwise security is trivially broken. However, if another oracle \(\pi ^v_w\) generates the same message as \(\pi ^{s^*}_i\), then the adversary can issue \(\mathsf {RevealState}(\pi ^v_w)\) to learn the state of \(\pi ^{s^*}_i\) and, at the same time, ask \(\mathsf {Corrupt}(\mathsf {ID}_i)\) to learn \(sk_{\mathsf {ID}_i}\). The adversary can then compute the session key of \(\pi ^{s^*}_i\) from both the ephemeral and the long-term secrets of the test session. Furthermore, the probability of collisions among the messages generated by \(\mathsf {TMAKE.MF}\) is the same in protocol \(\varPi \) and in \(\mathsf {MAC} (\varPi )\). Since the security of \(\varPi \) in the eCK model implies that the collision probability among outgoing messages is negligible, we have that

$$ \mathsf {Adv}_{0} \le \mathsf {Adv}_{1} + \epsilon _{\mathsf {eCK}}. $$

Game 2. This game proceeds exactly as the previous game, but the challenger aborts if it fails to guess the attacked oracle \(\pi ^{s^*}_i\). Since there are \(\ell \) honest parties and \(d\) oracles for each party, the probability that the guess is correct is at least \(1/(d\ell )\). Thus we have that

$$\begin{aligned} \mathsf {Adv}_{1} \le d\ell \cdot \mathsf {Adv}_{2}. \end{aligned}$$

Game 3. In this game, the challenger proceeds exactly like the previous game, except that we replace the intermediate key \(K^*\) of oracle \(\pi ^{s^*}_i\) with a random value \(\widetilde{K^*}\). If the adversary can distinguish this game from the previous game, then it must be able to break the eCK security of protocol \(\varPi \). We therefore have that

$$ \mathsf {Adv}_{2} \le \mathsf {Adv}_{3} + \epsilon _{\mathsf {eCK}}. $$

Game 4. In this game, we replace the function \(\mathsf {PRF}(K^*,\)“SKeys”\()\) of the test oracle and its partner oracle with a truly random function. We use the fact that the secret seed of the \(\mathsf {PRF}\) of the test oracle is a truly random value due to the modification in the previous game. If there exists a polynomial-time adversary \(\mathcal {A} \) that can distinguish Game \(4\) from Game \(3\), then we can construct an algorithm \(\mathcal {B}\) that uses \(\mathcal {A} \) to break the security of \(\mathsf {PRF}\). Exploiting the security of \(\mathsf {PRF}\), we have that

$$\begin{aligned} \mathsf {Adv}_{3} \le \mathsf {Adv}_{4} + \epsilon _{\mathsf {PRF}}. \end{aligned}$$

Game 5. This game proceeds exactly like the previous game, except that the challenger aborts if the eCK-A-fresh oracle \(\pi ^{s^*}_i\) accepts a confirmation message \(KC^{s^*}_j\) that has not been sent by any oracle of its intended partner \(\mathsf {ID}_j\). In this game, the eCK-A-fresh oracle \(\pi ^{s^*}_i\) accepts if and only if it has a unique partner oracle. Thus no adversary can break the authentication property, and we have \(\Pr [\mathsf {S}^{1}_{5}] = 0\). Applying the security of \(\mathsf {MAC} \), we have that

$$ \Pr [\mathsf {S}^{1}_{4}]\le \Pr [\mathsf {S}^{1}_{5}] + \epsilon _{\mathsf {MAC}}. $$

Putting together the advantages of the adversary in each game proves the lemma.
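The games above rely on a fixed structure of the compiled protocol: the base protocol \(\varPi \) yields an intermediate key \(K^*\), \(\mathsf {PRF}(K^*,\)“SKeys”\()\) is expanded into session-key and MAC-key material, and each oracle accepts only after checking a key-confirmation message \(KC\) that binds the partner identity \(\varPsi \) and the transcripts \(sT, rT\) (the abort rule of Game 5). The following is an added example, not code from the paper: it assumes HMAC-SHA256 as both the PRF and the MAC, stands in for \(\varPi \) with a constructed fixed \(K^*\) and two constructed messages, and the exact message layout (identity and transcript encoding, the 32/32-byte key split, the label bytes appended to “SKeys”) is this example's own choice, since the page does not give the compiler's message format. The confirmation messages are computed before either side verifies, matching the simultaneous setting of the paper.

```python
import hmac
import hashlib
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Assumption for this example: HMAC-SHA256 plays both the PRF and the MAC of the compiler.
def prf(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

def mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def derive_keys(k_star: bytes) -> Tuple[bytes, bytes]:
    """PRF(K*, "SKeys") split into (session key, MAC key).
    Two labelled PRF calls give 64 bytes; the 32/32 split is this example's choice."""
    block = prf(k_star, b"SKeys" + bytes([0])) + prf(k_star, b"SKeys" + bytes([1]))
    return block[:32], block[32:]

def _enc(items: List[bytes]) -> bytes:
    # item count followed by length-prefixed items, so the encoding is unambiguous
    return bytes([len(items)]) + b"".join(len(x).to_bytes(2, "big") + x for x in items)

def binding(sender: bytes, receiver: bytes, sent: List[bytes], received: List[bytes]) -> bytes:
    """What a key-confirmation MAC covers: both identities and both transcripts."""
    return _enc([sender, receiver]) + _enc(sent) + _enc(received)

@dataclass
class Oracle:
    own_id: bytes
    peer_id: bytes                                     # Psi: intended partner identity
    sent: List[bytes] = field(default_factory=list)    # sT: messages this oracle sent in Pi
    received: List[bytes] = field(default_factory=list)  # rT: messages it received in Pi
    state: str = "running"                             # Phi: running / accept / reject
    session_key: bytes = b""
    mac_key: bytes = b""

    def finish_base_protocol(self, k_star: bytes) -> None:
        self.session_key, self.mac_key = derive_keys(k_star)

    def confirmation(self) -> bytes:
        # KC = MAC(k_mac, own identity || intended partner || sT || rT)
        return mac(self.mac_key, binding(self.own_id, self.peer_id, self.sent, self.received))

    def receive_confirmation(self, kc: bytes) -> bool:
        # Recompute from the partner's viewpoint: its sT is my rT and vice versa.
        expected = mac(self.mac_key, binding(self.peer_id, self.own_id, self.received, self.sent))
        ok = hmac.compare_digest(expected, kc)
        self.state = "accept" if ok else "reject"
        return ok

# Constructed stand-in for the output of the eCK-secure base protocol Pi. A real Pi derives
# K* from its own messages; it is fixed here so that the run is deterministic.
K_STAR = hashlib.sha256(b"constructed intermediate key K*").digest()

def run_session(a_intends: bytes = b"B", deliver_m_a: Optional[bytes] = None,
                flip_kc_a: bool = False) -> dict:
    """One run of MAC(Pi): base exchange, then simultaneous key confirmation.
    deliver_m_a lets an in-transit modification of A's Pi message be simulated;
    flip_kc_a corrupts one bit of A's confirmation message."""
    a = Oracle(own_id=b"A", peer_id=a_intends)
    b = Oracle(own_id=b"B", peer_id=b"A")
    m_a, m_b = b"pi-msg-from-A", b"pi-msg-from-B"       # constructed Pi messages
    a.sent.append(m_a)
    b.received.append(m_a if deliver_m_a is None else deliver_m_a)
    b.sent.append(m_b)
    a.received.append(m_b)
    a.finish_base_protocol(K_STAR)
    b.finish_base_protocol(K_STAR)
    kc_a, kc_b = a.confirmation(), b.confirmation()      # both sent in the same round
    if flip_kc_a:
        kc_a = bytes([kc_a[0] ^ 0x01]) + kc_a[1:]
    b.receive_confirmation(kc_a)
    a.receive_confirmation(kc_b)
    return {"a": a.state, "b": b.state,
            "same_key": a.session_key == b.session_key,
            "key_separation": a.session_key != a.mac_key}

if __name__ == "__main__":
    print("honest run:        ", run_session())
    print("altered transcript:", run_session(deliver_m_a=b"pi-msg-altered"))
    print("wrong intended peer:", run_session(a_intends=b"C"))
    print("corrupted KC_A:    ", run_session(flip_kc_a=True))
```

Three failure modes are exercised. An altered \(\varPi \) message makes both transcripts disagree, so both sides reject even though they hold the same \(K^*\) here (in a real \(\varPi \) they would normally not). A mismatch in the intended partner (A believes it talks to C) is caught because \(\varPsi \) is inside the MAC, which is what lets the eCK-A-fresh oracle accept only with a unique partner. A corrupted confirmation is rejected by its recipient only, while the other side, whose partner oracle did send a valid \(KC\), accepts.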

Lemma 2

If the protocol \(\varPi \) is \((t,\epsilon _{\mathsf {eCK}})\)-eCK-secure, the pseudo-random function family \(\mathsf {PRF}\) is \((q_{prf},t,\epsilon _{\mathsf {PRF}})\)-secure and the MAC scheme is \((q_{mac},t,\epsilon _{\mathsf {MAC}})\)-secure, then the above protocol meets security Property 2.) of the eCK-A security definition except with probability

$$\begin{aligned} \epsilon _{ke} \le 2 \cdot \epsilon _{\mathsf {eCK}} + d\ell \cdot (\epsilon _{\mathsf {eCK}}+ \epsilon _{\mathsf {PRF}} + \epsilon _{\mathsf {MAC}}), \end{aligned}$$

where all quantities are as stated in Theorem 1.

Proof

It is straightforward to verify that two accepted oracles (of the considered protocol) having matching sessions generate the same session key, since a correct eCK protocol must also be a correct eCK-A protocol. In the sequel, we show that the adversary is unable to distinguish a random value from the session key of any \(\mathsf {eCK\text {-}A\text {-}fresh}\) oracle. In the following, we use the superscript ‘*’ to highlight the corresponding values processed in the test oracle \(\pi ^{s^*}_{i}\), whose intended communication partner is \(\mathsf {ID}_j\).

Let \(\pi ^s_i\) be an accepted oracle with intended partner \(\mathsf {ID}_j\). Let \(\pi ^t_j\) be an oracle (if it exists) with intended partner \(\mathsf {ID}_i\), such that \(\pi ^s_i\) has a matching session to \(\pi ^t_j\). Let \(\pi ^t_j\) be an oracle (if it exists) such that \(\pi ^t_j\) has an origin session to \(\pi ^s_i\). Besides the freshness restrictions on the test oracle concerning \(\mathsf {RevealKey}\) and \(\mathsf {RegisterDishonest}\) queries, if the adversary breaks the indistinguishability property of the considered protocol, then at least one of the following freshness cases concerning the \(\mathsf {RevealState}\) and \(\mathsf {Corrupt}\) queries must occur, in terms of Definition 3: (i) if \(\pi ^t_j\) exists, \(\mathcal {A} \) did not query \(\mathsf {RevealState}(\pi ^{s}_{i})\) nor \(\mathsf {RevealState}(\pi ^t_j)\); (ii) if \(\pi ^t_j\) exists, \(\mathcal {A} \) did not query \(\mathsf {Corrupt}(\mathsf {ID}_i)\) nor \(\mathsf {RevealState}(\pi ^t_j)\); (iii) if \(\pi ^t_j\) exists, \(\mathcal {A} \) did not query \(\mathsf {Corrupt}(\mathsf {ID}_i)\) nor \(\mathsf {Corrupt}(\mathsf {ID}_j)\); (iv) if \(\pi ^t_j\) exists, \(\mathcal {A} \) did not query \(\mathsf {RevealState}(\pi ^{s}_{i})\) nor \(\mathsf {Corrupt}(\mathsf {ID}_j)\); (v) if \(\pi ^t_j\) does not exist, \(\mathcal {A} \) did not query \(\mathsf {Corrupt}(\mathsf {ID}_i)\) nor \(\mathsf {Corrupt}(\mathsf {ID}_j)\) prior to \(\varPhi ^s_i = \mathtt {accept} \); (vi) if \(\pi ^t_j\) does not exist, \(\mathcal {A} \) did not query \(\mathsf {RevealState}(\pi ^{s}_{i})\) nor \(\mathsf {Corrupt}(\mathsf {ID}_j)\) prior to \(\varPhi ^s_i = \mathtt {accept} \).

Let \(\mathsf {S}^{}_{\delta }\) be the event that the adversary wins the security experiment in Game \(\delta \) under one of the above freshness cases. Let \(\mathsf {Adv}_\delta := \Pr [\mathsf {S}^{}_{\delta }] - 1/2\) denote the advantage of \(\mathcal {A} \) in Game \({\delta }\). We consider the following sequence of games.

Game 0. This is the original eCK-A security game with adversary \(\mathcal {A} \). Thus we have that

$$ \Pr [S_0] = 1/2+\epsilon _{ke} =1/2 + \mathsf {Adv}_0. $$

Game 1. The challenger in this game proceeds as before, but aborts if the test oracle accepts without a unique partner oracle. Thus we have

$$ \mathsf {Adv}_0 \le \mathsf {Adv}_1+ \epsilon _\mathsf {auth} \le \epsilon _{\mathsf {eCK}} + d\ell \cdot (\epsilon _{\mathsf {eCK}}+ \epsilon _{\mathsf {PRF}} + \epsilon _{\mathsf {MAC}}), $$

where \(\epsilon _\mathsf {auth}\) is an upper bound on the probability that there exists an oracle that accepts without a unique partner oracle in the sense of Definition 4 (cf. Lemma 1). We have now excluded active adversaries between the test oracle and its partner oracle.

Game 2. This game is similar to the previous game, but the challenger \(\mathcal {C}\) now guesses the test oracle \(\pi ^{s^*}_i\) and aborts if its guess is not correct. Thus we have that

$$\begin{aligned} \mathsf {Adv}_1 \le d\ell \cdot \mathsf {Adv}_2. \end{aligned}$$

We are now in a game where both oracles accept and the adversary cannot make active attacks.

Game 3. This game proceeds as the previous game, but the challenger \({\mathcal {C}}\) replaces the session key of the test oracle and its partner oracle with a uniformly random value. If there exists an adversary \(\mathcal {A} \) that can distinguish Game \({3}\) from Game \({2}\), then we can use it to construct an adversary \({\mathcal {B}}\) that breaks the eCK security of \(\varPi \).

Intuitively, the security reduction from eCK-A to eCK is possible in this game because both \(\mathsf {eCK\text {-}A\text {-}fresh}\) and \(\mathsf {eCK\text {-}fresh}\) encompass the freshness cases in which the test oracle has a matching session. Let \({\mathcal {B}}\) be an adversary that interacts with an eCK challenger \({\mathcal {C}}\) and tries to break the eCK security of \(\varPi \) in the eCK security game. \({\mathcal {B}}\) runs \({\mathcal {A}}\) (a successful eCK-A attacker) as a subroutine and simulates the challenger for \({\mathcal {A}}\) as in the previous game. For every oracle \(\{\pi ^s_i: i\in [\ell ],s \in [d]\}\) simulated by \({\mathcal {C}}\), \({\mathcal {B}}\) keeps a corresponding dummy oracle \(\pi ^{s'}_i\), and the adversary \(\mathcal {A} \) interacts with those dummy oracles simulated by \({\mathcal {B}}\). Specifically, a dummy oracle proceeds as follows:

  • For any \(\mathsf {Send}(\pi ^{s'}_i,m)\) query from \(\mathcal {A} \), if \(m\) belongs to the original protocol \(\varPi \), then \({\mathcal {B}}\) issues \(m^* \leftarrow \mathsf {Send}(\pi ^s_i,m)\) and returns \(m^*\) to \(\mathcal {A} \). Meanwhile, if \(\pi ^s_i\) terminates with acceptance and \(\pi ^s_i\) is not the guessed attacked oracle or its partner oracle, then \({\mathcal {B}}\) asks \(\mathsf {RevealKey}(\pi ^s_i)\) to learn the corresponding key material and generates the MAC key and the corresponding key confirmation message. If \(\pi ^s_i\) is the guessed attacked oracle or its partner oracle, then \(\mathcal {B}\) uses random key material to compute the MAC key and the corresponding key confirmation message. All generated key confirmation messages are returned to the adversary.

  • For any \(\mathsf {Corrupt}(\mathsf {ID}_i)\) (\(i \in [\ell ]\)) query, \({\mathcal {B}}\) asks \(\mathsf {Corrupt}(\mathsf {ID}_i)\) of \({\mathcal {C}}\) to obtain \(sk_{\mathsf {ID}_i}\) and returns it to \(\mathcal {A} \).

  • For any other oracle query on \(\pi ^{s'}_i\) (including the \(\mathsf {Test}\) query), \({\mathcal {B}}\) asks the corresponding oracle query on \(\pi ^s_i\) of \({\mathcal {C}}\) and returns the result to \({\mathcal {A}}\).

So \({\mathcal {B}}\) is able to perfectly simulate the environment for \(\mathcal {A} \). If the session key returned by the \(\mathsf {Test}\) query is the true key, then the simulation is exactly the previous game; otherwise it is equivalent to this game. Finally, \({\mathcal {B}}\) returns to \(\mathcal {C}\) whatever \(\mathcal {A} \) returns. If \(\mathcal {A} \) wins the game with non-negligible probability, so does \({\mathcal {B}}\). Thus we have that

$$ \Pr [\mathsf {S}^{1}_2] \le \Pr [\mathsf {S}^{1}_3] + \epsilon _{\mathsf {eCK}}. $$

Game 4. In this game, we replace the function \(\mathsf {PRF}(K^*,\)“SKeys”\()\) of the test oracle and its partner oracle with a truly random function. We use the fact that the secret seed of the \(\mathsf {PRF}\) of the test oracle is a truly random value due to the modification in the previous game. So the security of \(\mathsf {PRF}\) ensures that

$$\begin{aligned} \mathsf {Adv}_{3} \le \mathsf {Adv}_{4} + \epsilon _{\mathsf {PRF}}. \end{aligned}$$

Note that in this game the session key returned by the \(\mathsf {Test}\) query is a truly random value, independent of the bit \(b\) and of any messages. Thus the advantage of the adversary in this game is \(\mathsf {Adv}_4 = 0\), and since the session key given to the adversary is independent of the bit \(b\) of the \(\mathsf {Test}\) query, \(\Pr [\mathsf {S}^{1}_4] =0\). Summing up the probabilities from Game 0 to Game 4 proves the lemma.

Copyright information

© 2014 Springer International Publishing Switzerland

Cite this paper

Yang, Z. (2014). Modelling Simultaneous Mutual Authentication for Authenticated Key Exchange. In: Danger, J., Debbabi, M., Marion, JY., Garcia-Alfaro, J., Zincir Heywood, N. (eds) Foundations and Practice of Security. FPS 2013. Lecture Notes in Computer Science, vol 8352. Springer, Cham. https://doi.org/10.1007/978-3-319-05302-8_4

  • DOI: https://doi.org/10.1007/978-3-319-05302-8_4

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-05301-1

  • Online ISBN: 978-3-319-05302-8