
Deniability and forward secrecy of one-round authenticated key exchange

Published in The Journal of Supercomputing

Abstract

Deniability and forward secrecy are two properties of authenticated key exchange (AKE) protocols. Considering one-round AKE, Cremers and Feltz at ESORICS 2012 defined a security model with perfect forward secrecy. Based on their model, we consider different levels of deniability, and reveal some relationships of the session-key security and the deniability properties. The observations result in a simple method to give a deniable protocol with forward secrecy.


References

  1. Bellare M, Neven G (2006) Multi-signatures in the plain public-key model and a general forking lemma. In: CCS 2006. ACM, Alexandria, pp 390–399

  2. Boneh D, Lynn B, Shacham H (2001) Short signatures from the Weil pairing. In: Proceedings of Asiacrypt 2001. LNCS, vol 2248. Springer, Berlin, pp 514–532

  3. Borisov N, Goldberg I, Brewer E (2004) Off the record communication or why not to use PGP. In: Proceedings of the ACM workshop on privacy in the electronic society. ACM, New York, pp 77–84

  4. Boyd C, Nieto J (2011) On forward secrecy in one-round key exchange. In: Chen L (ed) Cryptography and coding 2011. LNCS, vol 7089, pp 451–468

  5. Cremers C (2009) Formally and practically relating the CK, CK-HMQV, and eCK security models for authenticated key exchange. Cryptology ePrint archive, Report 2009/253

  6. Cremers C, Feltz M (2011) One-round strongly secure key exchange with perfect forward secrecy and deniability. Cryptology ePrint archive, Report 2011/300

  7. Cremers C, Feltz M (2012) Beyond eCK: perfect forward secrecy under actor compromise and ephemeral-key reveal. In: ESORICS 2012, pp 734–751

  8. Damgård I (1992) Toward practical public key systems secure against chosen ciphertext attacks. In: LNCS, vol 576. Springer, Berlin, pp 445–456

  9. Dent A, Galbraith S (2006) Hidden pairings and trapdoor DDH groups. In: Proc of the 7th algorithmic number theory symposium, Berlin, July 2006, pp 436–451

  10. Dodis Y, Katz J, Smith A, Walfish S (2009) Composability and on-line deniability of authentication. In: Reingold O (ed) TCC 2009. LNCS, vol 5444, pp 146–162

  11. Dwork C, Naor M, Sahai A (1998) Concurrent zero knowledge. In: Proceedings of STOC 1998. ACM Press, New York, pp 409–418

  12. Gennaro R, Krawczyk H, Rabin T (2010) Okamoto–Tanaka revisited: fully authenticated Diffie–Hellman with minimal overhead. In: ACNS 2010. LNCS, vol 6123, pp 309–328

  13. Hao F (2010) On robust key agreement based on public key authentication. In: Financial cryptography. LNCS, vol 6052, pp 383–390

  14. Huang H (2012) An eCK-secure one round authenticated key exchange protocol with perfect forward security. J Internet Serv Inf Secur 1(2/3):32–43

  15. Jeong I, Katz J, Lee D (2004) One-round protocols for two-party authenticated key exchange. In: Jakobsson M, Yung M, Zhou J (eds) ACNS 2004. LNCS, vol 3089, pp 220–232

  16. Jiang S, Safavi-Naini R (2008) An efficient deniable key exchange protocol (extended abstract). In: Tsudik G (ed) FC 2008. LNCS, vol 5143, pp 47–52

  17. Krawczyk H (2005) HMQV: a high-performance secure Diffie–Hellman protocol. In: CRYPTO 2005. LNCS, vol 3621, pp 546–566

  18. LaMacchia B, Lauter K, Mityagin A (2007) Stronger security of authenticated key exchange. In: ProvSec. LNCS, vol 4784, pp 1–16

  19. Raimondo M, Gennaro R, Krawczyk H (2006) Deniable authentication and key exchange. In: CCS 2006, Alexandria, VA, USA, pp 400–409

  20. Tian H, Zhang F, Chen X, Wei B (2013) Selectively unforgeable but existentially forgeable signature schemes and applications. Sci China Inf Sci 56(1):012107(14). doi:10.1007/s11432-012-4718-0


Corresponding author

Correspondence to Haibo Tian.

Appendices

Appendix A: SUEF signature

Definition 3

A selectively unforgeable but existentially forgeable (SUEF) signature scheme consists of five efficient algorithms (PG,KG,SG,SV,EF):

  • System Parameters Generation PG: A probabilistic polynomial time algorithm, on inputting a security parameter k, outputs the system parameters SP.

  • Key Generation KG: A probabilistic polynomial time algorithm, on inputting the system parameters, SP, outputs a key pair (pk,sk).

  • Signature Generation SG: A probabilistic polynomial time algorithm, on inputting the private key sk, and a message m from a message space \(\mathbb{M}\), outputs a signature δ.

  • Signature Verification SV: A deterministic polynomial time algorithm, on inputting the public key pk, a message m, and a signature δ, outputs a verification decision b∈{True,False}.

  • Existential Forgery EF: A probabilistic polynomial time algorithm, on inputting the public key pk and a possibly formatted message \(m_{nr}\), outputs a message-signature pair \((m_{F},\delta_{F})\) s.t. \(\mathit{SV}_{pk}(m_{F},\delta_{F}) = \mathit{True}\), \(m_{F} \in\mathbb{M}\), and \(m_{nr}\) is part of \(m_{F}\) when both are encoded as binary strings.

By comparison, a common signature scheme consists of four algorithms (PG, KG, SG, SV) where the symbols have the same meaning. A designated verifier signature includes a simulation procedure which needs the verifier’s private key as an input. An SUEF secure scheme includes an existential forgery procedure which can be executed publicly, without any private key. Note that the \(m_{nr}\) in the definition may be empty.

An SUEF attack game is as follows:

Setup:

The challenger runs PG to generate system parameters SP, runs KG with input SP to obtain a key pair (pk,sk), and gives the public key pk to the forger.

Queries:

The forger \(\mathcal{F}\) adaptively requests signatures on at most \(q_{s}\) messages \(\{m_{1},\ldots, m_{q_{s}}\}\) in \(\mathbb{M}\). The challenger responds to the ith query with a valid signature \(\delta_{i}\), where \(i \in \{1,\ldots,q_{s}\}\).

Test:

After the jth query, \(j \in_{R} \{1,\ldots,q_{s}\}\), the forger \(\mathcal{F}\) queries a test. The challenger replies with a new random message \(m^{*} \in\mathbb{M}\) which has not been signed before. After the test event, the challenger checks that \(m_{i} \neq m^{*}\) whenever it produces a new response.

Output:

Finally, the forger \(\mathcal{F}\) outputs a signature \(\delta^{*}\) for \(m^{*}\) and wins the game if \(\mathit{SV}_{pk}(m^{*},\delta^{*}) = \mathit{True}\).

The advantage of the forger \(\mathcal{F}\) is defined as

$$\mathop{\mathrm{Adv}}\nolimits_\mathcal{F}^\mathrm{suef\mbox{-}cma} = \mathop{\mathrm{Pr}}\left[ \begin{array}{c} \mathit{SP} \leftarrow \mathit{PG} ({1^k});\\(pk,sk) \leftarrow \mathit{KG}(\mathit{SP}); \\(\delta^* ) \leftarrow{\mathcal{F}^{S{G_\mathit{sk}}( \cdot)}} (pk,m^*): \\S{V_\mathit{pk}}(m^*,\delta^* ) = \mathit{True} \\\end{array} \right] $$

where the probability is taken over the coin tosses of PG, KG, SG and of \(\mathcal{F}\).

The notion of SUEF-CMA can be defined as follows:

Definition 4

(SUEF-CMA)

A forger \(\mathcal{F}\) \((t,q_{s},q_{h},\epsilon)\)-breaks a signature scheme if \(\mathcal{F}\) runs in time at most t, makes at most \(q_{s}\) signature queries and at most \(q_{h}\) hash queries, and \(\mathop{\mathrm{Adv}}_{\mathcal{F}}^{\mathit{suef}\mbox{-}\mathit{cma}} \geq \epsilon\). A signature scheme is \((t,q_{s},q_{h},\epsilon)\) SUEF-CMA secure if no forger \((t,q_{s},q_{h},\epsilon)\)-breaks it.

Tian et al. showed that an SUEF-CMA signature can be generically constructed from a class of EUF-CMA secure schemes, namely those obtained from a three-round (a,c,z) zero-knowledge protocol by the Fiat–Shamir heuristic. Given such a scheme \((\mathit{PG}^{\mathit{euf}}, \mathit{KG}^{\mathit{euf}}, \mathit{SG}^{\mathit{euf}}, \mathit{SV}^{\mathit{euf}})\), the general construction is as follows:

  • System Parameters Generation PG: It is the same as \(\mathit{PG}^{\mathit{euf}}\) and generates SP. The message space \(\mathbb{M}\) is \(\{0,1\}^{*} \times \{0,1\}^{k}\).

  • Key Generation KG: It is the same as \(\mathit{KG}^{\mathit{euf}}\) and generates key pairs (pk,sk) with input SP.

  • Signature Generation SG: On inputting the private key sk and a message \(m=(m_{nr},m_{r})\), the signer computes (a,z) using the algorithm \(\mathit{SG}^{\mathit{euf}}\) but sets \(c = H(m_{nr}||a) \oplus m_{r}\), where the symbol “||” denotes bit concatenation. The signature is (c,z).

  • Signature Verification SV: On inputting the public key pk, a message \(m=(m_{nr},m_{r})\), and a signature (c,z), the verifier recomputes a using the \(\mathit{SV}^{\mathit{euf}}\) algorithm and checks whether \(c = H(m_{nr}||a) \oplus m_{r}\). If the check holds, the verifier outputs b=True.

  • Existential Forgery EF: On inputting the public key pk and a formatted message \(m_{nr}\), the forger outputs a triple (a,c,z) using the simulation algorithm of the zero-knowledge protocol underlying the signature scheme. Then the forger computes \(m_{r} = H(m_{nr}||a) \oplus c\). Finally, the forged message-signature pair is \(((m_{nr},m_{r}),(c,z))\).
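As an added illustration (not code from the paper), the generic SUEF construction above instantiated with a Schnorr signature, the Fiat–Shamir transform of a three-round (a,c,z) protocol, so that the public EF algorithm and SV can be run side by side. The group parameters p=1019, q=509, g=4 are constructed toy values with no security, SHA-256 stands in for the random oracle H, and the encoding of a inside H is an assumption.

```python
"""Generic SUEF construction (Appendix A) over a toy Schnorr instance."""
import hashlib
import secrets

# Constructed toy parameters (NOT secure): p = 2q + 1 with p = 1019 and q = 509
# both prime; g = 4 is a quadratic residue, so it generates the order-q subgroup.
P, Q, G = 1019, 509, 4
K = 256  # output length of H in bits; m_r and c live in {0,1}^K


def H(m_nr: bytes, a: int) -> int:
    """Random-oracle stand-in: H(m_nr || a) as a K-bit integer (SHA-256)."""
    digest = hashlib.sha256(m_nr + b"||" + str(a).encode()).digest()
    return int.from_bytes(digest, "big")


def keygen() -> tuple[int, int]:
    """KG: returns (pk, sk) with pk = g^sk."""
    sk = secrets.randbelow(Q - 1) + 1
    return pow(G, sk, P), sk


def sign(sk: int, m_nr: bytes, m_r: int) -> tuple[int, int]:
    """SG: run the Schnorr prover for (a, z) but derive c = H(m_nr||a) XOR m_r."""
    r = secrets.randbelow(Q - 1) + 1
    a = pow(G, r, P)            # first-round commitment a
    c = H(m_nr, a) ^ m_r        # challenge bound to the random message part m_r
    z = (r + c * sk) % Q        # third-round response; c acts modulo q here
    return c, z


def verify(pk: int, m_nr: bytes, m_r: int, sig: tuple[int, int]) -> bool:
    """SV: recover a = g^z * pk^(-c) as Schnorr verification does, then check
    the XOR relation c = H(m_nr||a) XOR m_r."""
    c, z = sig
    a = (pow(G, z, P) * pow(pk, -c, P)) % P
    return c == (H(m_nr, a) ^ m_r)


def forge(pk: int, m_nr: bytes) -> tuple[tuple[bytes, int], tuple[int, int]]:
    """EF: needs only pk. Run the honest-verifier simulator of the Schnorr
    protocol (pick c, z first, set a = g^z * pk^(-c)), then choose m_r so that
    c = H(m_nr||a) XOR m_r holds. m_nr is kept verbatim; only m_r is random."""
    c = secrets.randbits(K)
    z = secrets.randbelow(Q)
    a = (pow(G, z, P) * pow(pk, -c, P)) % P
    m_r = H(m_nr, a) ^ c
    return (m_nr, m_r), (c, z)


def demo() -> dict:
    """Honest signature and public forgery both verify; tampering does not."""
    pk, sk = keygen()
    m_nr, m_r = b"session-id:42", secrets.randbits(K)   # constructed sample
    sig = sign(sk, m_nr, m_r)
    (f_nr, f_r), f_sig = forge(pk, m_nr)               # forger holds no sk
    return {
        "honest_ok": verify(pk, m_nr, m_r, sig),
        "forgery_ok": verify(pk, f_nr, f_r, f_sig),
        "m_nr_preserved": f_nr == m_nr,
        "tamper_fails": verify(pk, m_nr, m_r ^ 1, sig),
        "wrong_m_nr_fails": verify(pk, b"session-id:43", f_r, f_sig),
    }


if __name__ == "__main__":
    print(demo())
```

The forgery verifies although the forger never saw sk, which is exactly what makes a transcript signed this way deniable; selective unforgeability only holds for the challenger-chosen \(m_{r}\).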

Lemma 5

Assume that the hash function is a random oracle. Then the SUEF-CMA signature scheme is \((t,q_{s},q_{h},\epsilon)\) secure if the EUF-CMA signature scheme is \((t, q'_{s}, q'_{h}, \epsilon^{\mathit{euf}})\) secure, where \(\epsilon^{\mathit{euf}} \geq \epsilon/q_{h}\) and \(q'_{h} - 1 = q'_{s} \leq q_{s}+q_{h}\).

Appendix B: Proof of Proposition 1

Proof

We consider a sequence of security games: Game 0 to Game 4. Denote by \(S_{i}\) the event that an attacker \(\mathcal{A}\) against Game \(i\) succeeds.

  • Game 0: This is the KE game. The advantage of \(\mathcal{A}\) is

    $$\mathop{\mathrm{Adv}}\nolimits_\mathcal{A}^{\varPi}(k) = \biggl \vert \mathop{\mathrm{Pr}}(S_0)-\frac{1}{2}\biggr \vert . $$
  • Game 1: This game is the same as Game 0 except that the game aborts if the event \(\mathit{Neg} = \mathit{Neg}_{1} \vee \mathit{Neg}_{2} \vee \mathit{Neg}_{3}\) happens. \(\mathit{Neg}_{i}\), \(i \in \{1,2,3\}\), is as follows:

    1. \(\mathit{Neg}_{1}\): The KDF function produces collisions;

    2. \(\mathit{Neg}_{2}\): Two distinct sessions produce the same ephemeral value;

    3. \(\mathit{Neg}_{3}\): A session produces an ephemeral value that happens to be a private key of an entity.

    Then

    $$\bigl \vert \mathop{\mathrm{Pr}}(S_1) - \mathop{\mathrm{Pr}}(S_0)\bigr \vert \leq \mathop{\mathrm{Pr}}(\mathit{Neg}). $$

    According to a probability analysis by Cremers and Feltz in [6],

    $$\mathop{\mathrm{Pr}}(\mathit{Neg}) \leq\frac{(q_\mathit{se}+q_{k})^2}{2^{k+1}} + \frac {q_\mathit{se}^2}{2q}+\frac{nq_\mathit{se}}{q}. $$
  • Game 2: This game is the same as Game 1 except that the game stops if an event Trap does not happen. The Trap event is that a challenger \(\mathcal{B}\) chooses at random a session \(s^{*}\) from the \(q_{\mathit{se}}\) sessions, and the attacker \(\mathcal{A}\) issues test(\(s^{*}\)).

    Then

    $$\mathop{\mathrm{Pr}}(S_2) = 1/q_\mathit{se}\mathop{\mathrm{Pr}}(S_1)+(1-1/q_\mathit{se})1/2. $$
  • Game 3: This game is the same as Game 2 except that the game stops if an event Catch happens. The Catch event is that the attacker \(\mathcal{A}\) issues a query \((s^{*}_{a}||s^{*}_{p}||Z||X)\) to the random oracle for KDF. When \(s^{*}_{o} = \underline{i}\), \(Z = ({x+\mathit{sk}_{s^{*}_{a}}})(Y+\mathit{pk}_{s^{*}_{p}})\) for X=xP, where \(X \subset s^{*}_{s}\) and \(Y \subset s^{*}_{r}\). The case \(s^{*}_{o} = \underline{r}\) is similar.

    If the Catch event does not happen, Game3 is identical to Game 2. Then

    $$\bigl \vert \mathop{\mathrm{Pr}}(S_3) - \mathop{\mathrm{Pr}}(S_2)\bigr \vert \leq \mathop{\mathrm{Pr}}(\mathit{Catch}). $$

    The probability of the Catch event should be negligible. It is analyzed as follows.

    Suppose an origin-session for \(s^{*}\) is s′. We only consider the case \(s^{*}_{o} = \underline{i}\). There are four scenarios in the eCK-PFS model:

    1. The attacker \(\mathcal{A}\) issued the queries \(\mathit{corrupt}(s^{*}_{a})\) and \(\mathit{corrupt}(s^{*}_{p})\) and has not issued eph-key(s′) for any origin-session s′ such that \(s'_{a} = s^{*}_{p}\).

    2. The attacker \(\mathcal{A}\) issued the queries \(\mathit{corrupt}(s^{*}_{a})\) and eph-key(s′) if possible.

    3. The attacker \(\mathcal{A}\) issued the queries \(\mathit{corrupt}(s^{*}_{p})\) and eph-key(\(s^{*}\)).

    4. The attacker \(\mathcal{A}\) issued the queries eph-key(\(s^{*}\)) and eph-key(s′) if possible.

Analysis of scenario 1: There are two cases according to the existence of a potential origin-session s′.

  1. If there is an origin-session s′ for \(s^{*}\), Cremers and Feltz have analyzed the probability of the event Catch. It is

     $$\mathop{\mathrm{Pr}}(\mathit{Catch}) \leq q_\mathit{se}q_k\epsilon', $$

     where \(q_{k}\) is the number of random oracle queries to the KDF function.

  2. If there is no origin-session for \(s^{*}\), the proof idea is to construct an algorithm \(\mathcal{M}\). It takes as input a value xP and is expected to output (yP,xyP). Then, according to KEAv1, we can construct another algorithm \(\mathcal{M}^{*}\) that produces an output (y,yP,xyP). However, \(\mathcal{A}\)’s knowledge of y leads to an ECDLP problem solver, which is a contradiction.

The algorithm \(\mathcal{M}\) runs as follows.

  1. \(\mathcal{M}\) distributes keys for all entities and stores the associated secret keys. It selects a random tape for \(\mathcal{A}\), and gives all public data to \(\mathcal{A}\). It also chooses a session as \(s^{*}\) in the same way as in Game 2.

  2. When the test session \(s^{*}\) is initiated, \(\mathcal{M}\) sets the ephemeral Diffie–Hellman value of session \(s^{*}\) to xP, and answers the query with the message \((s^{*}_{a}||xP, \mathit{SG}_{\mathit{sk}_{s^{*}_{a}}}(s^{*}_{a}||xP))\). Note that \(\mathcal{M}\) knows the private key of each entity.

  3. When \(\mathcal{A}\) issues a query \(q_{i}\) to the random oracle KDF, \(\mathcal{M}\) uses a table \(H_{k}\) to answer it.

     • Initially, \(H_{k}\) is empty.

     • If the query is not in \(H_{k}\), \(\mathcal{M}\) selects at random \(h_{i} \in \{0,1\}^{k}\) that is not in \(H_{k}\), stores \((q_{i};h_{i})\) in the table \(H_{k}\), and returns \(h_{i}\).

     • If the query is in \(H_{k}\), \(\mathcal{M}\) returns the value \(h_{i}\) in the matching entry directly.

  4. When \(\mathcal{A}\) issues a test(\(s^{*}\)) query, \(\mathcal{M}\) returns a random value.

  5. Queries about corrupt, session-key, eph-key, and send can be answered correctly since \(\mathcal{M}\) knows all private keys and ephemeral keys of all entities except the ephemeral key in the test session.

  6. After \(\mathcal{A}\) produces an output, \(\mathcal{M}\) finds all KDF queries of the form \((s^{*}_{a}||s^{*}_{p}||Z||xP)\). It chooses at random one of the queries, sets Y as the second element in \(s^{*}_{r}\), and computes

     $$R = Z-({\mathit{sk}_{s^*_a}})Y-({\mathit{sk}_{s^*_p}})X-({\mathit{sk}_{s^*_a}})\mathit{pk}_{s^*_p}. $$

  7. Finally, \(\mathcal{M}\) produces an output (Y,R).

When R=xY, according to the KEAv1, there is an algorithm \(\mathcal{M}^{*}\) that takes as input xP, uses the same coins as \(\mathcal{M}\), and produces an output (y,Y,R), where Y=yP. It is clear that \(\mathcal{M}\) does not contribute to the value y except that it chooses a random tape for \(\mathcal{A}\). Then it must be \(\mathcal{A}\) that produces y.

Since \(\mathcal{A}\) does not know the private key of \(s^{*}_{p}\) before the completion of session \(s^{*}\), its knowledge of y leads to the following observation about the EC-based SUEF signature:

Although an attacker \(\mathcal{A}\) knows no private keys of a signer, it may produce a valid message-signature pair (m,δ), where \(m=(m_{nr},m_{r})\) and \(m_{r} \in\mathbb{G}\), and it can print the exponent of the value \(m_{r}\) with a non-negligible probability \(\epsilon_{f}\) in polynomial time \(t_{f}\).

However, for the EC-based SUEF signature with the special kind of random message, we have the following claim:

Claim

For the EC-based instance, if the ECDLP assumption (ϵ,t)-holds and the hash function is modeled as a random oracle, then an attacker that knows no private key of a signer and produces a valid message–signature pair (m,δ), where \(m=(m_{nr},m_{r})\) and \(m_{r} \in\mathbb{G}\), can print the exponent of the value \(m_{r}\) with probability \(\epsilon_{f}\) in time \(t_{f}\) only where \(\epsilon\geq\frac {\epsilon_{f}}{2}(\frac{\epsilon_{f}}{q_{h}}-\frac{1}{q})\) and \(t \leq 2t_{f}\). The symbol \(q_{h}\) denotes the number of hashing queries.

The claim is proven as follows.

Proof

As we face a KE attacker \(\mathcal{A}\), we should provide an attack environment for the attacker. Suppose a simulator \(\mathcal{S}\) tries to solve an ECDLP problem. It is given a challenge αP. The simulator provides a hashing random oracle for \(\mathcal{A}\).

  1. \(\mathcal{S}\) distributes keys for all entities and stores the associated secret keys. It gives all public data to \(\mathcal{A}\).

  2. \(\mathcal{S}\) selects at random a session \(s^{*}\) as the test session. When \(\mathcal{A}\) issues a query \((X_{i}||T)\) to the hashing random oracle, \(\mathcal{S}\) uses a table \(H_{t}\) to answer it.

     • Initially, \(H_{t}\) is empty.

     • If the query is not in \(H_{t}\), \(\mathcal{S}\) selects at random \(C_{0} \in\mathbb{G}\) that is not in \(H_{t}\), stores \((X_{i},T;C_{0})\) in the table \(H_{t}\), and returns \(C_{0}\).

     • If the query is in \(H_{t}\), \(\mathcal{S}\) returns the value \(C_{0}\) in the matching entry directly.

  3. Queries about test, corrupt, session-key, eph-key, and send can be answered correctly since \(\mathcal{S}\) knows all private keys and ephemeral keys of all entities.

  4. After \(\mathcal{A}\) produces the exponent of Y in \(s^{*}_{r}\), \(\mathcal{S}\) rewinds the attacker to the point when it issued the query \((s^{*}_{p}||T)\) for \(T = {z}P+{c_{x}}\mathit{pk}_{s^{*}_{p}}\). Note that \(c_{x}\) is the x-coordinate of a point C, and (C,z) is part of \(s^{*}_{r}\). \(\mathcal{S}\) then runs \(\mathcal{A}\) again with a different response for the query: it returns \(C - \alpha P\) or \(-C - \alpha P\), each with probability 1/2. After the attacker gives the exponent of Y′ in \(s^{*}_{r}\), \(\mathcal{S}\) finds (C′,z′) in \(s^{*}_{r}\). If it is a valid signature with respect to \(\mathit{pk}_{s^{*}_{p}}\), there are two cases.

     (a) If \((c'_{x}, z') \neq(c_{x}, z)\), the attacker knows the private key of \(s^{*}_{p}\): it can compute \(\frac {z-z'}{c_{x}-c'_{x}}\) as the private key of \(s^{*}_{p}\). This contradicts the premise about the attacker’s knowledge.

     (b) If \((c'_{x}, z') = (c_{x}, z)\), either C′=C or C′=−C. Since \(Y' = C' - H(s^{*}_{p}, T)\), the event Y′=αP happens with probability 1/2. When the attacker produces the exponent of the value Y′, the simulator solves an ECDLP problem.

     According to the general forking lemma in [1], the attacker \(\mathcal{A}\) gives another signature (C′,z′) after a rewinding with probability at least \(\epsilon_{f}(\epsilon_{f}/q_{h} - 1/q)\). Then with probability 1/2 the simulator solves an ECDLP problem. So the success probability of the simulator is \(\epsilon \geq \frac{\epsilon_{f}}{2}(\frac{\epsilon_{f}}{q_{h}} - \frac{1}{q})\). We omit the negligible probability of the event that \(\mathcal{A}\) produces a hashing output by itself, since we are in the random oracle model.

     The runtime of the simulator is less than two times the runtime of the attacker, accounting for the rewinding. That is, \(t \leq 2t_{f}\).

The above claim falsifies the observation about the EC-based SUEF signature. Then the algorithm \(\mathcal{M}\) exists only with a negligible probability. This leads to a negligible probability with which the event Catch may happen when an origin-session s′ does not exist. Next we bound the probability of the event Catch when no origin-session exists.

The event R=xY happens when \(\mathcal{M}\) selects the right session \(s^{*}\) and the right entry in \(H_{k}\), and the Catch event happens. So its probability is at least \(\frac{\mathop{\mathrm{Pr}}(\mathit{Catch})}{q_{k}q_{\mathit{se}}}\). \(\mathcal{A}\) prints the exponent of Y according to the KEAv1. So the probability is \(\epsilon_{f} \geq(1-\epsilon'')\frac {\mathop{\mathrm{Pr}}(\mathit{Catch})}{q_{k}q_{\mathit{se}}}\). Considering the probability analysis of the above Claim, we have

$$\epsilon\geq\frac{(1-\epsilon'')\mathop{\mathrm{Pr}}(\mathit{Catch})}{2q_kq_\mathit{se}}\biggl(\frac {(1-\epsilon'')\mathop{\mathrm{Pr}}(\mathit{Catch})}{q_kq_\mathit{se}q_h} - 1/q\biggr). $$

Then we have

$$\mathop{\mathrm{Pr}}(\mathit{Catch}) \leq\frac{q_kq_\mathit{se}q_h}{2q(1-\epsilon'')}\sqrt{1+\frac {8\epsilon{q}^2}{q_h}} $$

where \(q \geq\frac{q_{k}q_{\mathit{se}}q_{h}}{2(1-\epsilon'')}\sqrt{\frac{1}{1-\frac {2{\epsilon}q_{k}q_{h}q_{\mathit{se}}}{(1-\epsilon'')^{2}}}}\) and \(\epsilon< \frac {(1-\epsilon'')^{2}}{2q_{k}q_{h}q_{\mathit{se}}}\).

Finally, suppose an event happens with probability ξ∈[0,1] that \(s^{*}\) has an origin-session. Then

Analysis of scenario 2:

If an origin-session s′ exists, the analysis is the same as that of Cremers and Feltz. Otherwise, the analysis is similar to that of scenario 1.

Analysis of scenario 3:

The above strategy for \(\mathcal{M}\)’s simulation does not work since the ephemeral key of the test session is to be revealed. That is, the value x for X=xP must be revealed. However, suppose \(\mathcal{M}\) takes a value αP. It can set a public key \(\mathit{pk}_{s^{*}_{a}} = \alpha{P}\). Then a signing oracle with public verification key αP is given to \(\mathcal{M}\). \(\mathcal{M}\) tries to compute

$$R = Z-\bigl(x^*\bigr)Y-(\mathit{sk}_{s^*_p})X-(\mathit{sk}_{s^*_p})\mathit{pk}_{s^*_a}, $$

where \(x^{*}\) is the value revealed by eph-key(\(s^{*}\)). When R=αY, the deduction in scenario 1 is reused.

Analysis of scenario 4:

If an origin-session s′ exists, the analysis is the same as that of Cremers and Feltz. Otherwise, the analysis is similar to that of scenario 3.

  • Game 4: This game is the same as Game 3 except that the challenger \(\mathcal{B}\) responds to a test query simply with a random value. Let Luck be the event that \(\mathcal{A}\) guesses a KDF output correctly. If the Luck event does not happen, Game 4 is identical to Game 3. Then

    $$\bigl \vert \mathop{\mathrm{Pr}}(S_4) - \mathop{\mathrm{Pr}}(S_3)\bigr \vert \leq \mathop{\mathrm{Pr}}(\mathit{Luck}). $$

    As the KDF is modeled as a random oracle, \(\mathop{\mathrm{Pr}}(\mathit{Luck}) = 1/2^{k}\). As the test query always returns a random value, the success probability of \(\mathcal{A}\) is simply \(\mathop{\mathrm{Pr}}(S_{4}) = 1/2\).

In summary,

The runtime of each game is obviously in polynomial time. □

Appendix C: Proof of Proposition 2

Proof

As an entity produces a message in the same way as its peer in an SUEF-CF protocol, it is enough to prove a simulated message and a real one have the same distribution. Suppose an entity \(\hat{A}\) produces messages. According to the SUEF-CF protocol, a valid message consists of \((\hat{A}||X, (C, z))\). The private key of \(\hat{A}\) is a, and the public key is A.

If the message is really produced by \(\hat{A}\), the random part is

$$\left ( \begin{array}{c} {X} \\{C} \\{z} \\\end{array} \right ) = \left ( \begin{array}{c} xP \\H(\hat{A}||lP) + xP \\l + c_xa\\\end{array} \right ) $$

for randomly selected values \(x, l \in\mathbb{Z}_{q}\). So the message is produced by \(\hat{A}\) with probability \(1/q^{2}\).

If the message is simulated by an entity, the random part is

$$\left ( \begin{array}{c} {X} \\{C} \\{z} \\\end{array} \right ) = \left ( \begin{array}{c} C - H(\hat{A}||(zP+c_xA)) \\C \\z\\\end{array} \right ) $$

for randomly selected values \(z \in\mathbb{Z}_{q}\) and \(C \in\mathbb {G}\). So the message may be simulated with the same probability \(1/q^{2}\).

Note that the first element of the forged signature is a group element since the hash function is to map arbitrary bit strings to a group element. □


Cite this article

Tian, H., Chen, X. & Susilo, W. Deniability and forward secrecy of one-round authenticated key exchange. J Supercomput 67, 671–690 (2014). https://doi.org/10.1007/s11227-013-0968-x
