Abstract
We show that it is possible to achieve perfect forward secrecy (PFS) in two-message or one-round key exchange (KE) protocols even in the presence of very strong active adversaries that can reveal random values of sessions and compromise long-term secret keys of parties. We provide two new game-based security models for KE protocols with increasing security guarantees, namely, eCK\(^{w}\) and eCK-PFS. The eCK\(^{w}\) model is a slightly stronger variant of the extended Canetti–Krawczyk (eCK) security model. The eCK-PFS model captures PFS in the presence of eCK\(^{w}\) adversaries. We propose a security-strengthening transformation (i. e., a compiler) from eCK\(^{w}\) to eCK-PFS that can be applied to protocols that only achieve security in a weaker model than eCK\(^{w}\), which we call eCK\(^{\text {passive}}\). We show that, given a two-message Diffie–Hellman type protocol secure in eCK\(^{\text {passive}}\), our transformation yields a two-message protocol that is secure in eCK-PFS. We demonstrate how our transformation can be applied to concrete KE protocols. In particular, our methodology allows us to prove the security of the first known one-round protocol that achieves PFS under actor compromise and ephemeral-key reveal.
Similar content being viewed by others
Notes
No collision in the ephemeral secret keys occurs for \({\mathrm{SIG}} (\pi )\) (where \(\pi \in \,\mathcal{DH \text {-2}} \)) since otherwise Game 1 would have caused the game to abort.
We do not need to keep consistency with \(H_{1}\) queries via lookup in table \(J\) since the probability that the adversary guesses the random data of a session is negligible.
Note that, if the group check fails, the session is aborted.
References
Basin D., Cremers C.: Degrees of security: protocol guarantees in the face of compromising adversaries. In: Computer Science Logic, 24th International Workshop, CSL 2010, 19th Annual Conference of the EACSL. Lecture Notes in Computer Science, vol. 6247, pp. 1–18. Springer, Berlin (2010).
Bellare M., Rogaway P.: Entity authentication and key distribution. In: 13th Annual International Cryptology Conference on Advances in Cryptology, CRYPTO ’93, pp. 232–249. Springer, New York (1994).
Bellare M., Rogaway P.: Provably secure session key distribution: the three party case. In: 27th Annual ACM Symposium on Theory of Computing, STOC ’95, pp. 57–66. ACM, New York (1995).
Bellare M., Pointcheval D., Rogaway P.: Authenticated key exchange secure against dictionary attacks. In: 19th International Conference on Theory and Application of Cryptographic Techniques, EUROCRYPT’00, pp. 139–155. Springer, New York (2000).
Blake-Wilson S., Menezes A.: Unknown key-share attacks on the station-to-station (STS) protocol. In: Imai H., Zheng Y. (eds.) PKC ’99 Proceedings of the Second International Workshop on Practice and Theory in Public Key Cryptography. Lecture Notes in Computer Science, vol. 1560, pp. 154–170. Springer, Berlin (1999).
Boneh D., Lynn B., Shacham H.: Short signatures from the Weil pairing. In: ASIACRYPT’01, pp. 514–532. Springer, Berlin (2001).
Boneh D., Shen E., Waters B.: Strongly unforgeable signatures based on computational Diffie–Hellman. In: Yung M., Dodis Y., Kiayias A., Malkin T. (eds.) PKC’06. Lecture Notes in Computer Science, vol. 3958, pp. 229–240. Springer, Berlin (2006).
Boyd C., González Nieto J.: On forward secrecy in one-round key exchange. In: 13th IMA International Conference, IMACC 2011. Lecture Notes in Computer Science, vol. 7089, pp. 451–468. Springer, Berlin (2011).
Boyd C., Cliff Y., González Nieto J.M., Paterson K.G.: One-round key exchange in the standard model. Int. J. Appl. Cryptogr. 1, 181–199 (2009).
Bresson E., Manulis M., Schwenk J.: On security models and compilers for group key exchange protocols. Cryptology ePrint Archive, Report 2006/385. http://eprint.iacr.org/ (2006).
Canetti R., Krawczyk H.: Analysis of key-exchange protocols and their use for building secure channels. In: Pfitzmann B. (ed.) EUROCRYPT’01. Lecture Notes in Computer Science, vol. 2045, pp. 453–474. Springer, London (2001). Full version on eprint.
Cheng Q., Ma C., Hu X.: A new strongly secure authenticated key exchange protocol. In: Park J.H., Chen H-H., Atiquzzaman M., Lee C., Kim T-H., Yeo S.-S. (eds.) ISA ’09. Lecture Notes in Computer Science, vol. 5576, pp. 135–144. Springer, Berlin (2009).
Choo K-K.R., Boyd C., Hitchcock Y.: Examining indistinguishability-based proof models for key establishment protocols. In: Proceedings of the 11th International Conference on Theory and Application of Cryptology and Information Security, ASIACRYPT’05, pp. 585–604. Springer, Berlin (2005).
Chow S.S.M., Choo K-K.R.: Strongly-secure identity-based key agreement and anonymous extension. In: Garay J.A., Lenstra A.K., Mambo M., Peralta R. (eds.) Information Security, ISC’07. Lecture Notes in Computer Science, vol. 4779, pp. 203–220. Springer, Berlin (2007).
Cremers C.: Examining indistinguishability-based security models for key exchange protocols: the case of CK, CK-HMQV, and eCK. In: Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security, ASIACCS ’11, pp. 80–91. ACM, New York (2011).
Cremers C., Feltz M.: One-round strongly secure key exchange with perfect forward secrecy and deniability. Cryptology ePrint Archive, Report 2011/300. http://eprint.iacr.org/ (2011).
Cremers C., Feltz M.: Beyond eCK: perfect forward secrecy under actor compromise and ephemeral-key reveal. In: Proceedings of the 17th European Conference on Research in Computer Security, ESORICS. Springer, Berlin (2012).
Dagdelen O., Fischlin M.: Security analysis of the extended access control protocol for machine readable travel documents. In: Proceedings of the 13th International Conference on Information security, ISC’10, pp. 54–68. Springer, Berlin (2011).
Dent A.W.: A note on game-hopping proofs. Cryptology ePrint Archive, Report 2006/260. http://eprint.iacr.org/2006/260 (2006).
Gennaro R., Krawczyk H., Rabin T.: Okamoto–Tanaka revisited: fully authenticated Diffie–Hellman with minimal overhead. In: Zhou J., Yung M. (eds.) ACNS’10, pp. 309–328. Springer, Berlin (2010).
Jeong I.R., Katz J., Lee D.H.: One-round protocols for two-party authenticated key exchange. http://www.cs.umd.edu/~jkatz/papers/1round_AKE.pdf (2008).
Katz J., Lindell Y.: Introduction to Modern Cryptography. Chapman Hall/CRC, Boca Raton (2008).
Katz J., Yung M.: Scalable protocols for authenticated group key exchange. In: Boneh D. (ed.) Advances in Cryptology—CRYPTO 2003, vol. 2729, pp. 110–125. Springer, Berlin (2003).
Kim M., Fujioka A., Ustaoglu B.: Strongly secure authenticated key exchange without naxos’ approach. In: IWSEC’09, Toyama, pp. 174–191 (2009).
Krawczyk H.: HMQV: a high-performance secure Diffie–Hellman protocol. Cryptology ePrint Archive, Report 2005/176. http://eprint.iacr.org/ (2005).
Krawczyk H.: HMQV: a high-performance secure Diffie–Hellman protocol. In: Shoup V. (ed.) Advances in Cryptology—CRYPTO 2005. Lecture Notes in Computer Science, vol. 3621, pp. 546–566. Springer, Berlin (2005).
LaMacchia B.A., Lauter K., Mityagin A.: Stronger security of authenticated key exchange. Cryptology ePrint Archive, Report 2006/073. http://eprint.iacr.org/ (2006).
LaMacchia B.A., Lauter K., Mityagin A.: Stronger security of authenticated key exchange. In: Susilo W., Liu J.K., Mu Y. (eds.) ProvSec’07. Lecture Notes in Computer Science, vol. 4784, pp. 1–16. Springer, Berlin (2007).
Lauter K., Mityagin A.: Security analysis of KEA authenticated key exchange protocol. In: Public Key Cryptography—Proceedings of the 9th International Conference on Theory and Practice in Public-Key Cryptography (PKC 2006), New York, April 24–26, 2006. Lecture Notes in Computer Science, vol. 3958, pp. 378–394. Springer, Berlin (2006).
Lee J., Park C.S.: An efficient authenticated key exchange protocol with a tight security reduction. Cryptology ePrint Archive, Report 2008/345. http://eprint.iacr.org/ (2008).
Lee J., Park J.H.: Authenticated key exchange secure under the computational Diffie–Hellman assumption. Cryptology ePrint Archive, Report 2008/344. http://eprint.iacr.org/ (2008).
Maurer U.: Abstract models of computation in cryptography. In: Smart N. (ed.) Cryptography and Coding 2005. Lecture Notes in Computer Science, vol. 3796, pp. 1–12. Springer, Berlin (2005).
Menezes A.: Another look at HMQV. J. Math. Cryptol. 1, 47–64 (2008).
Menezes A., van Oorschot P., Vanstone S.: Handbook of Applied Cryptography. CRC Press, Boca Raton (1996).
Okamoto T., Pointcheval D.: The gap-problems: a new class of problems for the security of cryptographic schemes. In: Kim K. (ed.) PKC’2001. Lecture Notes in Computer Science, vol. 1992, pp. 104–118. Springer, Berlin (2001).
Shoup V.: Sequences of games: a tool for taming complexity in security proofs. Cryptology ePrint Archive, Report 2004/332. http://eprint.iacr.org/ (2006).
Ustaoglu B.: Obtaining a secure and efficient key agreement protocol from (H)MQV and NAXOS. Cryptology ePrint Archive, Report 2007/123 (2007). Version June 22 (2009).
Acknowledgments
This work was supported by ETH Research Grant ETH-30 09-3. We thank Colin Boyd and the anonymous reviewers for constructive comments on earlier versions of this work.
Author information
Authors and Affiliations
Corresponding author
Additional information
Communicated by C. Boyd.
Appendix
Appendix
1.1 1. On the eCK model [28]
There are two main aspects in which the eCK model is underspecified.
First, the eCK model specifies that in the setup phase of the security experiment, the adversary may register arbitrary public keys [28, p. 8]. This can be interpreted in at least two ways: (a) the adversary may register arbitrary valid public keys (e. g., elements of a given group \(G\)), or (b) the adversary may register arbitrary bit strings (e. g., elements that do not belong to a given group \(G\)). As the security proof of NAXOS in the eCK model [28, pp. 12-16] is incomplete, it is unclear whether the result of LaMacchia et al. [28, Theorem 1] holds under the second interpretation. In addition, LaMacchia et al. [28, Fig. 1] state that the HMQV protocol achieves CK-security under arbitrary key registration, (the same key registration as in the eCK model). This statement is only correct under interpretation (a), because HMQV is vulnerable to small-subgroup attacks as described in [33, p. 53], a reference cited in [28]. We therefore assume the literal interpretation (a), i. e., the adversary may register arbitrary valid public keys from the key space. This is also in line with the descriptions in [18, 24, 37].
Second, the eCK model puts no explicit restrictions on the \(\mathsf{corrupt } \) query. For honest parties the intent of the query is clear. However, it is unclear in [28] whether the query is allowed on adversary-controlled parties on behalf of those the adversary registered a public key. Consider the following two cases for adversary-controlled parties. On the one hand, if the adversary already knows the secret key corresponding to the valid public key he registered, then the \(\mathsf{corrupt } \) query is redundant. On the other hand, if the adversary were allowed to perform this query when he does not know the secret key of the corresponding valid public key, then no protocol would be secure in the eCK model: the adversary would be able to obtain the secret key of any honest party by simply re-registering the public key for an adversary-controlled party, and then corrupting the latter party. In particular, this gives the adversary access to the secret keys of honest parties without performing a \(\mathsf{corrupt } \) on these honest parties, which can then be combined with an ephemeral-key query to compute the session key of the test session. The previous observations lead us to the conclusion that the query \(\mathsf{corrupt } ({\hat{P}})\) should be defined in such a way that it returns the secret keys of party \({\hat{P}}\) if \({\hat{P}}\) is honest, and \(\bot \) otherwise.
We show in Proposition 8 that our eCK\(^{w}\) model is stronger than the eCK model with respect to \(\varPi \).
Proposition 8
Let \(\varPi \) be the class of two-message KE protocols. The eCK\(^{w}\) model is stronger than the eCK model with respect to \(\varPi \).
Proof
The first condition of Definition 6 is satisfied since matching is defined in the same way for both models eCK\(^{w}\) and eCK. Let \(\pi \in \varPi \). To show that the second condition of Definition 6 holds, we construct an adversary \(E^{\prime }\) attacking protocol \(\pi \) in model eCK\(^{w}\) using an adversary \(E\) attacking \(\pi \) in eCK. In the setup phase of the eCK experiment, the adversary selects \(N\) distinct binary strings \({\hat{P_{1}}},{\hat{P_{2}}},\ldots ,{\hat{P}_{N}}\) for \(N\) honest parties. Define \(\mathcal{P }=\{{\hat{P_{1}}},{\hat{P_{2}}},\ldots ,{\hat{P}_{N}}\}\) for the eCK\(^{w}\) experiment. During the registration phase at the onset of the experiment, in case \(E\) registers valid public keys on behalf of adversary-controlled parties \({\hat{L}}\notin \mathcal{P }\), \(E^{\prime }\) proceeds with the same registration of keys. Whenever \(E\) issues a query send, corrupt, ephemeral-key, session-key or test-session, adversary \(E^{\prime }\) issues the same query and forwards the answer received to \(E\). At the end of \(E\)’s execution, i. e. after it has output its guess bit \(b\), \(E^{\prime }\) outputs \(b\) as well. Note that if \({\text {eCK}}_{\text {fresh}}\) holds for the test session, then by definition \({\text {eCK}^{\mathrm{w}}}_{\mathrm{fresh}}\) also holds. In particular, if there is no matching session, then the last condition in the freshness definition of the eCK model [28, p. 9] requires that there is no corrupt of the peer, which implies the sixth condition of \({\text {eCK}^{\mathrm{w}}}_{\mathrm{fresh}}\). Hence, it holds that \(Adv_{E}^{\pi }(k)\le Adv_{E^{\prime }}^{\pi }(k)\), where \(k\) denotes the security parameter. Since by assumption protocol \(\pi \) is secure in eCK\(^{w}\), there is a negligible function \(g\) such that \(Adv_{E^{\prime }}^{\pi }(k)\le g(k)\). It follows that protocol \(\pi \) is secure in eCK. \(\square \)
1.2 2. Proof of Proposition 6
Proposition 6 Under the GAP-CDH assumption in the cyclic group \(G\) of prime order \(p\), the NAXOS protocol is satisfies eCK\(^{w}\) security, when \(H_{1},H_{2}\) are modeled as independent random oracles.
Proof
Here we show that NAXOS is secure in eCK\(^{w}\). We use the structure of the security proof of the CMQV protocol in [37] as it is more detailed than the proof of NAXOS in [28].
Let the test session \(s^{*}\) be given by \({T} _{s^{*}}=({\hat{A}},{\hat{B}},\mathcal I ,X,Y)\). We first consider event \(K^{c}\) where the adversary \(M\) wins the security experiment against NAXOS (with non-negligible advantage) and does not query \(H_{2}\) with \((\sigma _{1},\sigma _{2},\sigma _{3},{\hat{A}},{\hat{B}})\), where \(\sigma _{1}=\text {CDH}(Y,A),\sigma _{2}=\text {CDH}(B,X)\) and \(\sigma _{3}=\text {CDH}(X,Y)\).
Event \(K^{c}\)
If event \(K^{c}\) occurs, then the adversary \(M\) must have issued a session-key query to some session \(s\) such that \(K_{s}=K_{s^{*}}\) (where \(K_{s}\) and \(K_{s^{*}}\) denote the session-keys computed in sessions \(s\) and \(s^{*}\), respectively) and \(s\) does not match \(s^{*}\). We consider the following four events:
-
1.
\(A_{1}:\) there exist two sessions \(s_{1},s_{2}\) such that \(r_{s_{1}}=r_{s_{2}}\) (where \(r_{s_{1}}\) and \(r_{s_{2}}\) denote the random coins drawn in sessions \(s_{1}\) and \(s_{2}\), respectively).
-
2.
\(A_{2}:\) there exists a session \(s\) such that \(H_{1}(r_{s},sk_{{ actor},s})=H_{1}(r_{s^{*}},sk_{{ actor},s^{*}})\) and \(r_{s}\ne r_{s^{*}}\).
-
3.
\(A_{3}:\) there exists a session \(s^{\prime }\) such that \(H_{2}(\mathrm input _{s^{\prime }})=H_{2}(\mathrm input _{s^{*}})\) with \(\mathrm input _{s^{\prime }}\ne \mathrm input _{s^{*}}\).
-
4.
\(A_{4}:\) there exists an adversarial query \(\mathrm input _{M}\) to the oracle \(H_{2}\) such that \(H_{2}(\mathrm input _{M})=H_{2}(\mathrm input _{s^{*}})\) with \(\mathrm input _{M}\ne \mathrm input _{s^{*}}\).
Analysis of event \(K^{c}\)
We denote by \(q_{s}\) an upper bound on the number of activated sessions by the adversary and by \(q_\mathrm{ro 2}\) an upper bound on the number of queries to the random oracle \(H_{2}\). We have that
which is a negligible function of the security parameter \(k\).
In the subsequent events (and their analyses) we assume that no collisions in the queries to the oracle \(H_{1}\) occur and that none of the events \(A_{1},\ldots ,A_{4}\) occurs. Similar to [28, 37], we next consider the following three events:
-
1.
\(DL \wedge K\),
-
2.
\(T_{O}\wedge DL^{c} \wedge K\), and
-
3.
\((T_{O})^{c} \wedge DL^{c} \wedge K\), where
\(T_{O}\) denotes the event that there exists an origin-session for the test session, \(DL\) denotes the event where there exists a party \({\hat{C}}\in \mathcal{P }\) such that the adversary \(M\), during its execution, queries \(H_{1}\) with \((*,{c})\) before issuing a \(\mathsf{corrupt } ({\hat{C}})\) query and \(K\) denotes the event that \(M\) wins the security experiment against NAXOS by querying \(H_{2}\) with \((\sigma _{1},\sigma _{2},\sigma _{3},{\hat{A}},{\hat{B}})\), where \(\sigma _{1}=\text {CDH}(Y,A),\sigma _{2}=\text {CDH}(B,X)\) and \(\sigma _{3}=\text {CDH}(X,Y)\).
Note that we analyze the security of the NAXOS protocol in case the messages only contain the Diffie–Hellman exponentials.
Event \(DL\wedge K\)
This event is independent of the event that there exists an origin-session for the test session.
Let the input to the \({\mathrm{GAP\text {-}DLog}} \) challenge be \(C\). Suppose that event \(DL\wedge K\) occurs with non-negligible probability. In this case, the simulator \(S\) chooses one party \({\hat{C}}\in \mathcal{P }\) at random and sets its long-term public key to \(C\). \(S\) chooses long-term secret/public key pairs for the remaining honest parties and stores the associated long-term secret keys. Additionally \(S\) chooses a random value \(m\in _{R} \left\{ 1,2,\ldots ,q_{s}\right\} \). We denote the \(m\)’th activated session by adversary \(M\) by \(s^{*}\). Suppose further that \(s^{*}_{ actor}={\hat{A}}, s^{*}_{ peer}={\hat{B}}\) and \(s^{*}_{ role}=\mathcal I \), w. l. o. g.. The simulation of \(M^{\prime }\)s environment proceeds as follows:
-
1.
send queries are answered in the usual way. In case a session \(s\) is activated via a send query, \(S\) stores an entry of the form \(\left( s,r_{s},sk_{s_{{ actor}}},\kappa \right) \in (\mathcal{P }\times \mathbb N )\times \left\{ 0,1\right\} ^{k}\times (\mathbb Z _{p}\cup \left\{ *\right\} )\times \mathbb Z _{p}\) in a table \(Q\), initially empty, (unless ephemeral public key validation on the received element fails in which case the session is aborted). When computing the (outgoing) Diffie–Hellman exponential of session \(s\), \(S\) does the following:
-
\(S\) chooses \(r_{s}\in _{R} \left\{ 0,1\right\} ^{k}\) (i. e. the randomness of session \(s\)),
-
\(S\) chooses \(\kappa \in _{R}\mathbb Z _{p}\),
-
if \(s_{ actor}\ne {\hat{C}}\), then \(S\) stores the entry \(\left( s,r_{s},sk_{s_{ actor}},\kappa \right) \) in \(Q\), else \(S\) stores the entry \(\left( s,r_{s},*,\kappa \right) \) in \(Q\),Footnote 2 and
-
\(S\) returns the Diffie–Hellman exponential \(g^{\kappa }\) to \(M\).
-
-
2.
\(S\) stores entries of the form \(\left( {\hat{Q}_{i}},{\hat{Q}_{j}},r,U,V,\lambda \right) \in \mathcal{P }\times \{0,1\}^{*} \times \left\{ \mathcal I ,\mathcal R \right\} \times G\times G \times \left\{ 0,1\right\} ^{k}\) in a table \(T\), initially empty. Upon completion of session \(s\) with \(T_{s}=\left( {\hat{Q}_{i}},{\hat{Q}_{j}},\mathcal I ,U,V\right) \), \(S\) does the following:
-
If there exists an entry \(\left( {\hat{Q}_{j}},{\hat{Q}_{i}},\mathcal R ,V,U,\lambda \right) \) in table \(T\), then \(S\) stores \(\big ({\hat{Q}_{i}},{\hat{Q}_{j}},\mathcal I ,U,V,\lambda \big )\) in table \(T\).
-
Else if there exists an entry \(\left( \sigma _{1},\sigma _{2},\sigma _{3},{\hat{Q}_{i}},{\hat{Q}_{j}},\lambda \right) \) in table \(L\), for some \(\lambda \in \left\{ 0,1\right\} ^{k}\), such that \(\text {DDH}(V,U,\sigma _{3})=1\), \(\text {DDH}(U,Q_{j},\sigma _{2})=1\) and
-
\(V^{sk_{{\hat{Q}_{i}}}}=\sigma _{1}\) (in case \({\hat{Q}_{i}}\ne {\hat{C}}\)) or \(\text {DDH}(V,Q_{i},\sigma _{1})=1\) (in case \({\hat{Q}_{i}}={\hat{C}}\)),
then \(S\) stores \(\left( {\hat{Q}_{i}},{\hat{Q}_{j}},\mathcal I ,U,V,\lambda \right) \) in table \(T\).
-
-
Else, \(S\) chooses \(\mu \in _{R} \left\{ 0,1\right\} ^{k}\) and stores the entry \(\left( {\hat{Q}_{i}},{\hat{Q}_{j}},\mathcal I ,U,V,\mu \right) \) in \(T\).
The session-key of a completed session \(s\) with \(T_{s}=\left( {\hat{Q}_{j}},{\hat{Q}_{i}},\mathcal R ,V,U\right) \) is determined and stored similarly.
-
-
3.
\(\mathsf{ephemeral\text{- }key } (s)\): \(S\) answers this query in the appropriate way.
-
4.
\(\mathsf{session\text{- }key } (s)\): \(S\) answers this query by look-up in table \(T\).
-
5.
\(\mathsf{test\text{- }session } (s)\): If \(s\ne s^{*}\), then \(S\) aborts; otherwise \(S\) answers the query in the appropriate way.
-
6.
\(\mathsf{corrupt } ({\hat{P}})\): \(S\) answers this query in the appropriate way, except if \({\hat{P}}={\hat{C}}\) in which case \(S\) aborts with failure.
-
7.
\(S\) stores entries of the form \(\left( r,h,\kappa \right) \in \left\{ 0,1\right\} ^{k}\times \mathbb Z _{p}\times \mathbb Z _{p}\) in a table \(J\), initially empty. When \(M\) makes a query of the form \(\left( r,h\right) \) to the random oracle for \(H_{1}\), answer it as follows:
-
If \(C=g^{h}\), then \(S\) aborts \(M\) and is successful by outputting \({ DLog}(C)=h\).
-
Else if \(\left( r,h,\kappa \right) \in J\) for some \(\kappa \in \mathbb Z _{p}\), then \(S\) returns \(\kappa \) to \(M\).
-
Else if there exists an entry \(\left( s,r_{s},sk_{s_{ actor}},\kappa \right) \) in \(Q\), for some \(s\in \mathcal{P }\times \mathbb N ,r_{s}\in \left\{ 0,1\right\} ^{k},sk_{s_{ actor}}\in \mathbb Z _{p}\) and \(\kappa \in \mathbb Z _{p}\), such that \(r_{s}=r\) and \(sk_{s_{ actor}}=h\), then \(S\) returns \(\kappa \) to \(M\) and stores the entry \(\left( r,h,\kappa \right) \) in table \(J\).
-
Else, \(S\) chooses \(\kappa \in _{R} \mathbb Z _{p}\), returns it to \(M\) and stores the entry \(\left( r,h,\kappa \right) \) in \(J\).
-
-
8.
\(S\) stores entries of the form \(\left( \sigma _{1},\sigma _{2},\sigma _{3},{\hat{Q}_{i}},{\hat{Q}_{j}},\lambda \right) \in G\times G\times G\times \{0,1\}^{*}\times \{0,1\}^{*} \times \left\{ 0,1\right\} ^{k}\) in a table \(L\), initially empty. When \(M\) makes a query of the form \(\left( \sigma _{1},\sigma _{2},\sigma _{3},{\hat{Q}_{i}},{\hat{Q}_{j}}\right) \) to the random oracle for \(H_{2}\), answer it as follows:
-
If \(\left( \sigma _{1},\sigma _{2},\sigma _{3},{\hat{Q}_{i}},{\hat{Q}_{j}},\lambda \right) \in L\) for some \(\lambda \in \left\{ 0,1\right\} ^{k}\), then \(S\) returns \(\lambda \) to \(M\).
-
Else if there exist entries \(\left( {\hat{Q}_{i}},{\hat{Q}_{j}},\mathcal I ,U,V,\lambda \right) \) or \(\left( {\hat{Q}_{j}},{\hat{Q}_{i}},\mathcal R ,V,U,\lambda \right) \) in table \(T\), for some \(\lambda \in \left\{ 0,1\right\} ^{k}\) and \(U,V\in G\), such that \(\text {DDH}(V,U,\sigma _{3})=1\), \(\text {DDH}(V,Q_{i},\sigma _{1})=1\) and \(\text {DDH}(U,Q_{j},\sigma _{2})=1\), then \(S\) returns \(\lambda \) to \(M\) and stores the entry \(\left( \sigma _{1},\sigma _{2},\sigma _{3},{\hat{Q}_{i}},{\hat{Q}_{j}},\lambda \right) \) in table \(L\).
-
Else, \(S\) chooses \(\mu \in _{R} \left\{ 0,1\right\} ^{k}\), returns it to \(M\) and stores the entry \(\Big (\sigma _{1},\sigma _{2},\sigma _{3},{\hat{Q}_{i}},{\hat{Q}_{j}},\mu \Big )\) in \(L\).
-
-
9.
\(M\) outputs a guess: \(S\) aborts with failure.
Analysis of event \(DL\wedge K\)
\(S\)’s simulation of \(M\)’s environment is perfect except with negligible probability. The probability that \(M\) selects \(s^{*}\) as the test session is at least \(\frac{1}{q_{s}}\). Assuming that this is indeed the case, \(S\) does not abort in Step 5. With probability at least \(\frac{1}{N}\), \(S\) assigns the public key \(C\) to a party \({\hat{C}}\) for whom \(M\) queries \(H_{1}\) with \((*,h)\) such that \(C=g^{h}\) before issuing a \(\mathsf{corrupt } ({\hat{C}})\) query. In this case, \(S\) is successful as described in Step 7 and does not abort in Steps 6 and 9. Hence, if event \(DL\wedge K\) occurs, then the success probability of \(S\) is given by \(P(S)\ge \frac{1}{Nq_{s}} P(DL\wedge K)\).
Event \(T_{O}\wedge DL^{c}\wedge K\)
Let \(s^{*}\) and \(s^{\prime }\) denote the test session and the origin-session for the test session, respectively. We split event \({\mathrm{Ev}}:=T_{O}\wedge DL^{c}\wedge K\) into the following events \(B_{1},\ldots ,B_{3}\) so that \({\mathrm{Ev}} =B_{1}\vee B_{2}\vee B_{3}\):
-
1.
\(B_{1}:\) Ev occurs and \(s^{*}_{ peer}=s^{\prime }_{ actor}\).
-
2.
\(B_{2}:\) Ev occurs and \(s^{*}_{ peer}\ne s^{\prime }_{ actor}\) and \(M\) does not issue an \(\mathsf{ephemeral\text{- }key } (s^{\prime })\) query to the origin-session \(s^{\prime }\) of \(s^{*}\), but may issue a \(\mathsf{corrupt } (s^{*}_{ peer})\) query.
-
3.
\(B_{3}:\) Ev occurs and \(s^{*}_{ peer}\ne s^{\prime }_{ actor}\) and \(M\) does not issue a \(\mathsf{corrupt } (s^{*}_{ peer})\) query, but may issue an \(\mathsf{ephemeral\text{- }key } (s^{\prime })\) query to the origin-session \(s^{\prime }\) of \(s^{*}\).
Event \(B_{1}\)
Let the input to the \(GDH\) challenge be \((X_{0},Y_{0})\). Suppose that event \(B_{1}\) occurs with non-negligible probability. In this case \(S\) chooses long-term secret/public key pairs for all the honest parties and stores the associated long-term secret keys. Additionally \(S\) chooses two random values \(m,n\in _{R} \left\{ 1,2,\ldots ,q_{s}\right\} \). The \(m\)’th activated session by adversary \(M\) will be called \(s^{*}\) and the \(n\)’th activated session will be called \(s^{\prime }\). The ephemeral secret key of session \(s^{*}\) is denoted by \(\tilde{x}_{0}\) and the ephemeral secret key of session \(s^{\prime }\) is denoted by \(\tilde{y}_{0}\). Suppose further that \(s^{*}_{ actor}={\hat{A}}, s^{*}_{ peer}={\hat{B}}\) and \(s^{*}_{ role}=\mathcal I \), w. l. o. g.. The simulation of \(M^{\prime }\)s environment proceeds as follows:
-
1.
\(\mathsf{send } (s^{*},{\hat{B}})\): \(S\) sets the ephemeral public key \(X\) to \(X_{0}\) and answers the query with message \(X_{0}\).
-
2.
\(\mathsf{send } (s^{*},Y_{0})\): \(S\) proceeds with Step 7.
-
3.
\(\mathsf{send } (s^{\prime },{\hat{P}})\): \(S\) sets the ephemeral public key \(Y\) to \(Y_{0}\) and answers the query with message \(Y_{0}\).
-
4.
\(\mathsf{send } (s^{\prime },{\hat{P}},Z)\): \(S\) checks whether \(Z\in G\), sets the ephemeral public key \(Y\) to \(Y_{0}\), answers the query with message \(Y_{0}\) and proceeds with Step 7. If the check fails, session \(s^{\prime }\) is aborted.
-
5.
\(\mathsf{send } (s^{\prime },Z)\): \(S\) proceeds with Step 7.
-
6.
Other send queries are answered in the usual way.Footnote 3
-
7.
\(S\) stores entries of the form \(\left( {\hat{Q}_{i}},{\hat{Q}_{j}},r,U,V,\lambda \right) \in \mathcal{P }\times \{0,1\}^{*}\times \left\{ \mathcal I ,\mathcal R \right\} \times G\times G \times \left\{ 0,1\right\} ^{k}\) in a table \(T\), initially empty. Upon completion of session \(s\) with \(T_{s}=\left( {\hat{Q}_{i}},{\hat{Q}_{j}},\mathcal I ,U,V\right) \), \(S\) does the following:
-
If there exists an entry \(\left( {\hat{Q}_{j}},{\hat{Q}_{i}},\mathcal R ,V,U,\lambda \right) \) in table \(T\), then \(S\) stores \(\big ({\hat{Q}_{i}},{\hat{Q}_{j}},\mathcal I ,U,V,\lambda \big )\) in table \(T\).
-
Else if there exists an entry \(\left( \sigma _{1},\sigma _{2},\sigma _{3},{\hat{Q}_{i}},{\hat{Q}_{j}},\lambda \right) \) in table \(L\), for some \(\lambda \in \left\{ 0,1\right\} ^{k}\), such that \(V^{sk_{{\hat{Q}_{i}}}}=\sigma _{1}\), \(\text {DDH}(U,Q_{j},\sigma _{2})=1\) and \(\text {DDH}(V,U,\sigma _{3})=1\), then \(S\) stores \(\left( {\hat{Q}_{i}},{\hat{Q}_{j}},\mathcal I ,U,V,\lambda \right) \) in table \(T\).
-
Else, \(S\) chooses \(\mu \in _{R} \left\{ 0,1\right\} ^{k}\), and stores the entry \(\left( {\hat{Q}_{i}},{\hat{Q}_{j}},\mathcal I ,U,V,\mu \right) \) in \(T\).
The session-key of a completed session \(s\) with \(T_{s}=\left( {\hat{Q}_{j}},{\hat{Q}_{i}},\mathcal R ,V,U\right) \) is determined and stored similarly.
-
-
8.
\(\mathsf{ephemeral\text{- }key } (s)\): \(S\) answers this query in the appropriate way.
-
9.
\(\mathsf{session\text{- }key } (s)\): \(S\) answers this query by look-up in table \(T\).
-
10.
\(\mathsf{test\text{- }session } (s)\): If \(s\ne s^{*}\) or if \(s^{\prime }\) is not the origin-session for session \(s^{*}\), then \(S\) aborts; otherwise \(S\) answers the query in the appropriate way.
-
11.
\(H_{1}(r_{\!{\hat{C}}},{c})\): \(S\) simulates a random oracle in the usual way except if \({\hat{C}}={\hat{A}}\) (i.e. \({c}={a}\)) and \(r_{\!{\hat{C}}}=\tilde{x}_{0}\) or if \({\hat{C}}={\hat{B}}\) (i.e. \({c}={b}\)) and \(r_{\!{\hat{C}}}=\tilde{y}_{0}\), in which case \(S\) aborts with failure.
-
12.
\(\mathsf{corrupt } ({\hat{P}})\): \(S\) answers this query in the appropriate way.
-
13.
\(S\) stores entries of the form \(\left( \sigma _{1},\sigma _{2},\sigma _{3},{\hat{Q}_{i}},{\hat{Q}_{j}},\lambda \right) \in G\times G\times G \times \{0,1\}^{*}\times \{0,1\}^{*} \times \left\{ 0,1\right\} ^{k}\) in a table \(L\), initially empty. When \(M\) makes a query of the form \(\left( \sigma _{1},\sigma _{2},\sigma _{3},{\hat{Q}_{i}},{\hat{Q}_{j}}\right) \) to the random oracle for \(H_{2}\), answer it as follows:
-
If \(\left\{ {\hat{Q}_{i}},{\hat{Q}_{j}}\right\} =\left\{ {\hat{A}},{\hat{B}}\right\} \), \(\sigma _{1}=Y_{0}^{a}\), \(\sigma _{2}=X_{0}^{b}\) and \(\text {DDH}(X_{0},Y_{0},\sigma _{3})=1\), then \(S\) aborts \(M\) and is successful by outputting \(\text {CDH}(X_{0},Y_{0})=\sigma _{3}\).
-
Else if \(\left( \sigma _{1},\sigma _{2},\sigma _{3},{\hat{Q}_{i}},{\hat{Q}_{j}},\lambda \right) \in L\) for some \(\lambda \in \left\{ 0,1\right\} ^{k}\), then \(S\) returns \(\lambda \) to \(M\).
-
Else if there exist entries \(\left( {\hat{Q}_{i}},{\hat{Q}_{j}},\mathcal I ,U,V,\lambda \right) \) or \(\left( {\hat{Q}_{j}},{\hat{Q}_{i}},\mathcal R ,V,U,\lambda \right) \), for some \(\lambda \in \left\{ 0,1\right\} ^{k}\) and \(U,V\in G\), such that \(\text {DDH}(V,Q_{i},\sigma _{1})=1\), \(\text {DDH}(U,Q_{j},\sigma _{2})=1\) and \(\text {DDH}(V,U,\sigma _{3})=1\) in table \(T\), then \(S\) returns \(\lambda \) to \(M\) and stores the entry \(\left( \sigma _{1},\sigma _{2},\sigma _{3}, {\hat{Q}_{i}},{\hat{Q}_{j}},\lambda \right) \) in table \(L\).
-
Else, \(S\) chooses \(\mu \in _{R} \left\{ 0,1\right\} ^{k}\), returns it to \(M\) and stores the entry \(\big (\sigma _{1},\sigma _{2},\sigma _{3},{\hat{Q}_{i}},{\hat{Q}_{j}},\mu \big )\) in \(L\).
-
-
14.
\(M\) outputs a guess: \(S\) aborts with failure.
Analysis of event \(B_{1}\)
\(S\)’s simulation of \(M\)’s environment is perfect except with negligible probability. The probability that \(M\) selects \(s^{*}\) as the test session and \(s^{\prime }\) as the origin-session for the test session is at least \(\frac{1}{q^{2}_{s}}\). Assuming that this is indeed the case, \(S\) does not abort in Step 10. Recall that \({T} _{s^{*}}=({\hat{A}},{\hat{B}},\mathcal I ,X_{0},Y_{0})\). Since \(\tilde{x}_{0}\) is used only in the test session, \(M\) can only obtain it via an \(\mathsf{ephemeral\text{- }key } (s^{*})\) query before making an \(H_{1}\) query that includes \(\tilde{x}_{0}\). Similarly, \(M\) can only obtain \(\tilde{y}_{0}\) via an \(\mathsf{ephemeral\text{- }key } (s^{\prime })\) query on the origin-session \(s^{\prime }\) before making an \(H_{1}\) query that includes \(\tilde{y}_{0}\). Under event \(DL^{c}\), the adversary first issues a \(\mathsf{corrupt } ({\hat{P}})\) query to party \({\hat{P}}\) before making an \(H_{1}\) query that involves the long-term secret key of party \({\hat{P}}\). Freshness of the test session guarantees that the adversary can reveal at most one value in each of the pairs \((\tilde{x}_{0},a)\) and \((\tilde{y}_{0},b)\); hence \(S\) does not abort in Step 11. Under event \(K\), except with negligible probability of guessing \(\text {CDH}(X_{0},Y_{0})\), \(S\) is successful as described in the first case of Step 13 and does not abort as in Step 14. Hence, if event \(B_{1}\) occurs, then the success probability of \(S\) is given by \(P(S)\ge \frac{1}{q^{2}_{s}} P(B_{1})\).
Event \(B_{2}\)
Let the input to the \(GDH\) challenge be \((X_{0},Y_{0})\). Suppose that event \(B_{2}\) occurs with non-negligible probability. The simulation of \(S\) proceeds in a similar way as for event \(B_{1}\). Steps 8 and 11 need to be replaced by the following:
-
\(\mathsf{ephemeral\text{- }key } (s)\): \(S\) answers this query in the appropriate way, except if \(s=s^{\prime }\) in which case \(S\) aborts with failure.
-
\(H_{1}(r_{\!{\hat{C}}},{c})\): \(S\) simulates a random oracle in the usual way except if \({\hat{C}}={\hat{A}}\) (i.e. \({c}={a}\)) and \(r_{\!{\hat{C}}}=\tilde{x}_{0}\), in which case \(S\) aborts with failure.
Analysis of event \(B_{2}\)
\(S\)’s simulation of \(M\)’s environment is perfect except with negligible probability. The probability that \(M\) selects \(s^{*}\) as the test session and \(s^{\prime }\) as the origin-session for the test session is \(\frac{1}{q^{2}_{s}}\). Recall that \({T} _{s^{*}}=({\hat{A}},{\hat{B}},\mathcal I ,X_{0},Y_{0})\). Since \(\tilde{x}_{0}\) is used only in the test session, \(M\) can only obtain it via an \(\mathsf{ephemeral\text{- }key } (s^{*})\) query before making an \(H_{1}\) query that includes \(\tilde{x}_{0}\). Under event \(DL^{c}\), the adversary first issues a \(\mathsf{corrupt } ({\hat{P}})\) query to party \({\hat{P}}\) before making an \(H_{1}\) query that involves the long-term secret key of party \({\hat{P}}\). Freshness of the test session guarantees that the adversary can reveal at most one value of the pair \((\tilde{x}_{0},a)\). Under event \(B_{2}\) the simulation does not fail as in Step 8. Under event \(K\), except with negligible probability of guessing \(\text {CDH}(X_{0},Y_{0})\), \(S\) is successful as described in the first case of Step 13 and does not abort as in Step 14. Hence, if event \(B_{2}\) occurs, then the success probability of \(S\) is given by \(P(S)\ge \frac{1}{q^{2}_{s}} P(B_{2})\).
Event \(B_{3}\)
Let the input to the \(GDH\) challenge be \((X_{0},B)\). Suppose that event \(B_{3}\) occurs with non-negligible probability. In this case, \(S\) chooses one party \({\hat{B}}\in \mathcal{P }\) at random and sets its long-term public key to \(B\). \(S\) chooses long-term secret/public key pairs for the remaining parties in \(\mathcal{P }\) and stores the associated long-term secret keys. Additionally \(S\) chooses two random values \(m,n\in _{R} \left\{ 1,2,\ldots ,q_{s}\right\} \). We denote the \(m\)’th activated session by adversary \(M\) by \(s^{*}\) and the \(n\)’th activated session by \(s^{\prime }\). The ephemeral secret key of session \(s^{*}\) is denoted by \(\tilde{x}_{0}\). Suppose further that \(s^{*}_{ actor}={\hat{A}}, s^{*}_{ peer}={\hat{B}}\) and \(s^{*}_{ role}=\mathcal I \), w. l. o. g.. The simulation of \(M^{\prime }\)s environment proceeds as follows:
-
1.
\(\mathsf{send } (s^{*},{\hat{B}})\): \(S\) sets the ephemeral public key \(X\) to \(X_{0}\) and answers the query with message \(X_{0}\).
-
2.
\(\mathsf{send } (s^{*}, Z)\): \(S\) proceeds with Step 4.
-
3.
Other send queries are answered as for event \(DL\wedge K\).
-
4.
\(S\) stores entries of the form \(\left( {\hat{Q}_{i}},{\hat{Q}_{j}},r,U,V,\lambda \right) \in \mathcal{P }\times \{0,1\}^{*} \times \left\{ \mathcal I ,\mathcal R \right\} \times G\times G\times \left\{ 0,1\right\} ^{k}\) in a table \(T\), initially empty. Upon completion of session \(s\) with \(T_{s}=\left( {\hat{Q}_{i}},{\hat{Q}_{j}},\mathcal I ,U,V\right) \), \(S\) proceeds as for event \(DL\wedge K\) (see above).
-
5.
\(\mathsf{ephemeral\text{- }key } (s)\): \(S\) answers this query in the appropriate way.
-
6.
\(\mathsf{session\text{- }key } (s)\): \(S\) answers this query by look-up in table \(T\).
-
7.
\(\mathsf{test\text{- }session } (s)\): If \(s\ne s^{*}\) or if \(s^{\prime }\) is not the origin-session for session \(s^{*}\), then \(S\) aborts; otherwise \(S\) answers the query in the appropriate way.
-
8.
\(H_{1}(r_{\!{\hat{C}}},{c})\): \(S\) simulates a random oracle in the usual way except if \({\hat{C}}={\hat{A}}\) (i.e. \({c}={a}\)) and \(r_{\!{\hat{C}}}=\tilde{x}_{0}\), in which case \(S\) aborts with failure.
-
9.
\(\mathsf{corrupt } ({\hat{P}})\): \(S\) answers this query in the appropriate way, except if \({\hat{P}}={\hat{B}}\) in which case \(S\) aborts with failure.
-
10.
\(S\) stores entries of the form \(\left( \sigma _{1},\sigma _{2},\sigma _{3},{\hat{Q}_{i}},{\hat{Q}_{j}},\lambda \right) \in G\times G\times G \times \mathcal{P }\times \mathcal{P }\times \left\{ 0,1\right\} ^{k}\) in a table \(L\), initially empty. When \(M\) makes a query of the form \(\left( \sigma _{1},\sigma _{2},\sigma _{3},{\hat{Q}_{i}},{\hat{Q}_{j}}\right) \) to the random oracle for \(H_{2}\), answer it as follows:
-
If \(\left\{ {\hat{Q}_{i}},{\hat{Q}_{j}}\right\} =\left\{ {\hat{A}},{\hat{B}}\right\} \), \(\sigma _{1}=A^{H_{1}(r_{s^{\prime }},sk_{s^{\prime }_{ actor}})}\), \(\text {DDH}(X_{0},B,\sigma _{2})=1\), and \(\sigma _{3}=X_{0}^{H_{1}(r_{s^{\prime }},sk_{s^{\prime }_{ actor}})}\), then \(S\) aborts \(M\) and is successful by outputting \(\text {CDH}(X_{0},B)=\sigma _{2}\).
-
Else if \(\left( \sigma _{1},\sigma _{2},\sigma _{3},{\hat{Q}_{i}},{\hat{Q}_{j}},\lambda \right) \in L\) for some \(\lambda \in \left\{ 0,1\right\} ^{k}\), then \(S\) returns \(\lambda \) to \(M\).
-
Else if there exist entries \(\left( {\hat{Q}_{i}},{\hat{Q}_{j}},\mathcal I ,U,V,\lambda \right) \) or \(\left( {\hat{Q}_{j}},{\hat{Q}_{i}},\mathcal R ,V,U,\lambda \right) \) in table \(T\), for some \(\lambda \in \left\{ 0,1\right\} ^{k}\) and \(U,V\in G\), such that \(\text {DDH}(V,U,\sigma _{3})=1\), \(\text {DDH}(V,Q_{i},\sigma _{1})=1\) and \(\text {DDH}(U,Q_{j},\sigma _{2})=1\), then \(S\) returns \(\lambda \) to \(M\) and stores the entry \(\left( \sigma _{1},\sigma _{2},\sigma _{3},{\hat{Q}_{i}},{\hat{Q}_{j}},\lambda \right) \) in table \(L\).
-
Else, \(S\) chooses \(\mu \in _{R} \left\{ 0,1\right\} ^{k}\), returns it to \(M\) and stores the entry \(\big (\sigma _{1},\sigma _{2},\sigma _{3},{\hat{Q}_{i}},{\hat{Q}_{j}},\mu \big )\) in \(L\).
-
-
11.
\(M\) outputs a guess: \(S\) aborts with failure.
Analysis of event \(B_{3}\)
\(S\)’s simulation of \(M\)’s environment is perfect except with negligible probability. The probability that \(M\) selects \(s^{*}\) as the test session and \(s^{\prime }\) as its origin-session is at least \(\frac{1}{q^{2}_{s}}\). Assuming that this is indeed the case, \(S\) does not abort in Step 7. With probability \(\frac{1}{N}\), \(S\) assigns the public key \(B\) to the peer of the test session \({\hat{B}}\). Under event \(B_{3}\), \(M\) does not issue a \(\mathsf{corrupt } ({\hat{B}})\) query, and so \(S\) does not abort in Step 9. Similarly, \(S\) does not abort in Step 11 and is successful as described in Step 10. Hence, if event \(B_{3}\) occurs, then the success probability of \(S\) is given by \(P(S)\ge \frac{1}{Nq^{2}_{s}} P(B_{3})\).
Event \((T_{O})^{c}\wedge DL^{c}\wedge K\)
If there is no origin-session for the test session, then there is also no matching session for the test session. Hence \(((T_{O})^{c}\wedge DL^{c}\wedge K)\subseteq ((T_{M})^{c}\wedge DL^{c} \wedge K)\) (where \(T_{M}\) denotes the event that there exists a matching session for the test session) which implies that event \((T_{O})^{c}\wedge DL^{c}\wedge K\) is covered in the analysis of event \((T_{M})^{c}\wedge DL^{c}\wedge K\) for which we refer the reader to [27, 28]. Note that, similar to the simulation related to Event \(B_{3}\),
-
\(S\) checks whether there is a query \((\sigma _{1},\sigma _{2},\sigma _{3},{\hat{Q}_{i}},{\hat{Q}_{j}})\) by \(M\) to \(H_{2}\) such that \(\left\{ {\hat{Q}_{i}},{\hat{Q}_{j}}\right\} =\left\{ {\hat{A}},{\hat{B}}\right\} \), \(\text {DDH}(A,Y,\sigma _{1})=1, \text {DDH}(X_{0},B,\sigma _{2})=1\) and \(\text {DDH}(X_{0},Y,\sigma _{3})=1\) (assuming that the test session \(s^{*}\) is given by \(T_{s^{*}}=({\hat{A}},{\hat{B}},\mathcal I ,X_{0},Y)\) to solve the \(GDH\) instance \((X_{0},B)\), and
-
\(S\) keeps consistency between session-key and \(H_{2}\) queries as well as between send and \(H_{1}\) queries. \(\square \)
1.3 3. Proof of Proposition 7
Proposition 7 Under the GAP-CDH assumption in the cyclic group \(G\) of prime order \(p\), the protocol \(\pi _{1}\)-\({core}\) satisfies eCK\(^{\text {passive}}\) security, when \({ KDF}\) is modeled as a random oracle.
Proof
Let the test session \(s^{*}\) be given by \({T} _{s^{*}}=({\hat{A}},{\hat{B}},\mathcal I ,X,Y)\). We first consider event \(K^{c}\) where the adversary \(M\) wins the security experiment against \(\pi _{1}\text {-core}\) (with non-negligible advantage) and does not query \({ KDF}\) with \(({\hat{A}},{\hat{B}},\sigma ,X)\), where \(\sigma =\text {CDH}(YB,XA)\).
Event \(K^{c}\)
If event \(K^{c}\) occurs, then the adversary \(M\) must have issued a session-key query to some session \(s\) such that \(K_{s}=K_{s^{*}}\) (where \(K_{s}\) and \(K_{s^{*}}\) denote the session-keys computed in sessions \(s\) and \(s^{*}\), respectively) and \(s\) does not match \(s^{*}\). We consider the following three events:
-
1.
\(A_{1}:\) there exist two sessions \(s_{1},s_{2}\) such that \(r_{s_{1}}=r_{s_{2}}\) (where \(r_{s_{1}}\) and \(r_{s_{2}}\) denote the random coins drawn in sessions \(s_{1}\) and \(s_{2}\), respectively). Note that \(A_{1}\) includes the event where there exists a session \(s\) with \({T} _{s}={T} _{s^{*}}\) as well as the event where two sessions use the same random coins (possibly leading to ephemeral-key queries).
-
2.
\(A_{2}:\) there exists a session \(s\) such that \({ KDF}(\mathrm input _{s})={ KDF}(\mathrm input _{s^{*}})\) with \(\mathrm input _{s}\ne \mathrm input _{s^{*}}\).
-
3.
\(A_{3}:\) there exists an adversarial query \(\mathrm input _{M}\) to the oracle \({ KDF}\) such that \({ KDF}(\mathrm input _{M})={ KDF}(\mathrm input _{s^{*}})\) with \(\mathrm input _{M}\ne \mathrm input _{s^{*}}\).
Analysis of event \(K^{c}\)
We denote by \(q_{s}\) an upper bound on the number of activated sessions by the adversary and by \(q_\mathrm{ro }\) an upper bound on the number of queries to the random oracle \({ KDF}\). We have that
which is a negligible function of the security parameter \(k\).
In the subsequent events (and their analyses) we assume that none of the events \(A_{1},\ldots ,A_{3}\) occurs. We consider the following event:
\(T_{O}\) denotes the event that there exists an origin-session for the test session, and \(K\) denotes the event that \(M\) wins the security experiment against \(\pi _{1}\text {-core}\) by querying \({ KDF}\) with \(({\hat{A}},{\hat{B}},\sigma ,X)\), where \(\sigma =\text {CDH}(YB,XA)\). Recall that in case there is no origin-session for the test session, the test session is not \({\text {eCK}^{\mathrm{passive}}}_{\mathrm{fresh}}\).
Event \(T_{O}\wedge K\)
Let \(s^{*}\) and \(s^{\prime }\) denote the test session and the origin-session for the test session, respectively. We split event \({\mathrm{Ev}}:=T_{O}\wedge K\) into the following events \(B_{1},\ldots ,B_{4}\) so that \({\mathrm{Ev}} =B_{1}\vee B_{2}\vee B_{3}\vee B_{4}\):
-
1.
\(B_{1}:\) Ev occurs and the adversary does issue neither \(\mathsf{ephemeral\text{- }key } (s^{\prime })\) nor \(\mathsf{ephemeral\text{- }key } (s^{*})\), but may issue the queries \(\mathsf{corrupt } (s^{*}_{ actor})\) and \(\mathsf{corrupt } (s^{*}_{ peer})\).
-
2.
\(B_{2}:\) Ev occurs and the adversary does issue neither \(\mathsf{ephemeral\text{- }key } (s^{*})\) nor \(\mathsf{corrupt } (s^{*}_{ peer})\), but may issue the queries \(\mathsf{corrupt } (s^{*}_{ actor})\) and \(\mathsf{ephemeral\text{- }key } (s^{\prime })\).
-
3.
\(B_{3}:\) Ev occurs and the adversary does issue neither \(\mathsf{ephemeral\text{- }key } (s^{\prime })\) nor \(\mathsf{corrupt } (s^{*}_{ actor})\), but may issue the queries \(\mathsf{corrupt } (s^{*}_{ peer})\) and \(\mathsf{ephemeral\text{- }key } (s^{*})\).
-
4.
\(B_{4}:\) Ev occurs and the adversary does issue neither \(\mathsf{corrupt } (s^{*}_{ actor})\) nor \(\mathsf{corrupt } (s^{*}_{ peer})\), but may issue the queries \(\mathsf{ephemeral\text{- }key } (s^{\prime })\) and \(\mathsf{ephemeral\text{- }key } (s^{*})\).
Event \(B_{1}\)
We denote by \(X,Y\) the ephemeral public keys sent, received during the test session \(s^{*}\). Revealing the long-term secret keys of both \(s^{*}_{ actor}\) and \(s^{*}_{ peer}\), the adversary \(E\) could distinguish the session-key of the test session from a random key by computing \(\text {CDH}(X,Y)=g^{xy}\) (where \(X=g^{x}\) and \(Y=g^{y}\)) since
We solve the GAP-CDH problem with probability \(\frac{1}{(q_{s})^{2}}P(Q)\) where \(P(Q)\) must be negligible since the GAP-CDH problem is hard in \(G\).
Consider the following algorithm \(C\) which uses adversary \(E\) as a subroutine.
ALGORITHM \(C\): The algorithm is given a pair \((X,Y)\) of elements from \(G\) as an instance of the GAP-CDH problem. The algorithm randomly selects a session number \(n\) from \(\left\{ 1,\ldots ,q_{s}\right\} \) which reflects the guess that the \(n\)-th activated session, say session \(s^{\prime }\), is the origin-session for session \(s^{*}\). \(C\) chooses long-term public keys for all parties and stores the associated secret keys.
-
1.
Run \(E\) on input \(1^{k}\) and the public keys for all of the \(N\) parties.
-
2.
\(\mathsf{send } (s^{*},{\hat{B}})\): \(C\) sets the ephemeral public key to \(X\) and answers the query with the message \(X\).
-
3.
\(\mathsf{send } (s^{\prime },{\hat{P}})\) or \(\mathsf{send } (s^{\prime },{\hat{P}},Z)\): \(C\) sets the ephemeral public key to \(Y\) and answers the query with the message \(Y\).
-
4.
Other \(\mathsf{send } \) queries are answered in the usual way (note that, if the group check fails, the session is aborted).
-
5.
\(\mathsf{ephemeral\text{- }key } (s)\): \(C\) answers in the appropriate way, except if \(s=s^{\prime }\) or \(s=s^{*}\) in which cases \(C\) aborts with failure.
-
6.
\(\mathsf{corrupt } ({\hat{P}})\): \(C\) answers in the appropriate way.
-
7.
\(\mathsf{test\text{- }session } (s)\): If \(s\ne s^{*}\) or if \(s^{\prime }\) is not the origin-session for session \(s^{*}\), then \(C\) aborts; otherwise \(C\) answers the query in the appropriate way.
-
8.
Store entries of the form \(\left( {\hat{Q}_{i}},{\hat{Q}_{j}},Z,U,\lambda \right) \in \{0,1\}^{*}\times \{0,1\}^{*}\times G\times G\times \left\{ 0,1\right\} ^{k}\) in a table \(L\), initially empty. When \(E\) makes a query of the form \(\left( {\hat{Q}_{i}},{\hat{Q}_{j}},Z,U\right) \) to the random oracle for \({ KDF}\), answer it as follows:
-
If \(\left\{ {\hat{Q}_{i}},{\hat{Q}_{j}}\right\} =\left\{ {\hat{A}},{\hat{B}}\right\} \), \(U=X\) and \(\text {DDH}(XA,YB,Z)=1\), then \(C\) aborts \(E\) and is successful by outputting \(\text {CDH}(X,Y)=ZY^{-a}X^{-b}B^{-a}\).
-
Else if \(\left( {\hat{Q}_{i}},{\hat{Q}_{j}},Z,U,\lambda \right) \in L\) for some \(\lambda \in \left\{ 0,1\right\} ^{k}\), then \(C\) returns \(\lambda \) to \(E\).
-
Else if there exist entries \(\left( {\hat{Q}_{i}},{\hat{Q}_{j}},\mathcal I ,U,V,\lambda \right) \) or \(\left( {\hat{Q}_{j}},{\hat{Q}_{i}},\mathcal R ,V,U,\lambda \right) \), for some \(\lambda \in \left\{ 0,1\right\} ^{k}\) and \(V\in G\), such that \(\text {DDH}(VP_{j},UP_{i},Z)=1\) in table \(T\), then \(C\) returns \(\lambda \) to \(E\) and stores the entry \(\left( {\hat{Q}_{i}},{\hat{Q}_{j}},Z,U,\lambda \right) \) in table \(L\).
-
Else, \(C\) chooses \(\mu \in _{R} \left\{ 0,1\right\} ^{k}\), returns it to \(E\) and stores the entry \(\left( {\hat{Q}_{i}},{\hat{Q}_{j}},Z,U,\mu \right) \) in \(L\).
-
-
9.
Store entries of the form \(\left( {\hat{Q}_{i}},{\hat{Q}_{j}},r,U,V,\lambda \right) \in \mathcal{P }\times \{0,1\}^{*}\times \left\{ \mathcal I ,\mathcal R \right\} \times G\times G\times \left\{ 0,1\right\} ^{k}\) in a table \(T\), initially empty. Upon completion of session \(s\) with \(T_{s}=\left( {\hat{Q}_{i}},{\hat{Q}_{j}},\mathcal I ,U,V\right) \), \(C\) proceeds as follows:
-
If there exists an entry \(\left( {\hat{Q}_{j}},{\hat{Q}_{i}},\mathcal R ,V,U,\lambda \right) \) in table \(T\), then \(C\) stores \(\big ({\hat{Q}_{i}},{\hat{Q}_{j}},\mathcal I ,U,V,\lambda \big )\) in table \(T\).
-
Else if there exists an entry \(\left( {\hat{Q}_{i}},{\hat{Q}_{j}},Z,U,\lambda \right) \) in table \(L\), for some \(\lambda \in \left\{ 0,1\right\} ^{k}\), such that \(\text {DDH}(UP_{i},VP_{j},Z)=1\), then \(C\) stores \(\left( {\hat{Q}_{i}},{\hat{Q}_{j}},\mathcal I ,U,V,\lambda \right) \) in table \(T\).
-
Else, \(C\) chooses \(\mu \in _{R} \left\{ 0,1\right\} ^{k}\) and stores the entry \(\left( {\hat{Q}_{i}},{\hat{Q}_{j}},\mathcal I ,U,V,\mu \right) \) in \(T\).
The session-key of a completed session \(s\) with \(T_{s}=\left( {\hat{Q}_{j}},{\hat{Q}_{i}},\mathcal R ,V,U\right) \) is determined and stored similarly.
-
-
10.
\(\mathsf{session\text{- }key } (s)\): \(C\) answers this query by look-up in table \(T\).
-
11.
\(E\) outputs a guess: \(C\) aborts with failure.
Analysis of event \(B_{1}\)
The probability that \(E\) selects \(s^{*}\) as the test session and \(s^{\prime }\) as the origin-session for the test session is at least \(\frac{1}{(q_{s})^{2}}\). Assume that this is indeed the case. Then \(C\) does not abort as in Step 7. Under event \(B_{1}\) the simulation does not fail as in Step 5. Under event \(Q\), \(C\) is successful as described in the first case of Step 8 and does not abort as in Step 11. \(C\) correctly computes the GAP-CDH instance with probability at least \(\frac{1}{(q_{s})^{2}}P(Q)\) which implies that \(P(Q)\le (q_{s})^{2} Adv_{C}^{\text {GAP-CDH}}(k)\).
Event \(B_{2}\)
We denote by \(X=g^{x},Y=g^{y}\) the ephemeral public keys sent, received during the test session \(s^{*}\). Revealing the long-term secret key of the actor \({\hat{A}}\) of the test session and the ephemeral key of the origin-session \(s^{\prime }\) for session \(s^{*}\), the adversary \(E\) could distinguish the session-key of the test session from a random key by computing \(DH_{g}(X,B)=g^{xb}\) where \(B=g^{b}\) denotes the public key of \(s^{*}_{ peer}={\hat{B}}\), since
We solve the GAP-CDH problem with probability \(\frac{1}{q_{s}N}P(Q)\) where \(P(Q)\) must be negligible since GAP-CDH problem is hard in \(G\).
Consider the following algorithm \(C^{\prime }\) which uses adversary \(E\) as a subroutine.
ALGORITHM \(C^{\prime }\): The algorithm is given a pair \((X,B)\) of elements from \(G\) as an instance of the GAP-CDH problem. \(C^{\prime }\) selects one party \({\hat{B}}\) (uniformly at random from the set \(\mathcal{P }\)) and sets its long-term public key to \(B\). \(C^{\prime }\) chooses long-term public keys for the remaining parties and stores the associated secret keys. Let us denote the ephemeral public key sent by the origin-session (and received by the test session) by \(Y\).
-
1.
Run \(E\) on input \(1^{k}\) and the public keys for all of the \(N\) parties.
-
2.
\(\mathsf{send } (s^{*},{\hat{P}})\): If \({\hat{P}}\ne {\hat{B}}\), then \(C^{\prime }\) aborts; otherwise \(C^{\prime }\) sets the ephemeral public key to \(X\) and answers the query with the message \(X\).
-
3.
Other \(\mathsf{send } \) queries are answered in the usual way, e. g. if \(E\) issues a \(\mathsf{send } (s,{\hat{P}}, V)\) query to session \(s\), then check whether \(V\in G\). If yes, choose \(w\in _{R} \mathbb Z _{p}\), compute \(W=g^{w}\,(\in G)\) and return \(W\) to E. If no, then abort session \(s\).
-
4.
\(\mathsf{ephemeral\text{- }key } (s)\): \(C^{\prime }\) answers in the appropriate way, except if \(s=s^{*}\) in which case \(C^{\prime }\) aborts with failure.
-
5.
\(\mathsf{corrupt } ({\hat{P}})\): \(C^{\prime }\) answers in the appropriate way, except if \({\hat{P}}={\hat{B}}\) in which case \(C^{\prime }\) aborts with failure.
-
6.
\(\mathsf{test\text{- }session } (s)\): If \(s\ne s^{*}\), then \(C^{\prime }\) aborts; otherwise \(C^{\prime }\) answers the query appropriately.
-
7.
Store entries of the form \(\left( {\hat{Q}_{i}},{\hat{Q}_{j}},Z,U,\lambda \right) \in \{0,1\}^{*}\times \{0,1\}^{*}\times G\times G\times \left\{ 0,1\right\} ^{k}\) in a table \(L\), initially empty. When \(E\) makes a query of the form \(\left( {\hat{Q}_{i}},{\hat{Q}_{j}},Z,U\right) \) to the random oracle for \({ KDF}\), answer it as follows:
-
If \(\left\{ {\hat{Q}_{i}},{\hat{Q}_{j}}\right\} =\left\{ {\hat{A}},{\hat{B}}\right\} \), \(U=X\) and \(\text {DDH}(XA,YB,Z)=1\), then \(C^{\prime }\) aborts \(E\) and is successful by outputting \(\text {CDH}(X,B)=ZY^{-a}X^{-y}B^{-a}\) (this computation requires the knowledge of \(a\), therefore we must require that \({\hat{A}}\ne {\hat{B}}\)).
-
Else, proceed as in Step 8 of the simulation related to event \(B_{1}\).
-
-
8.
Store entries of the form \(\left( {\hat{Q}_{i}},{\hat{Q}_{j}},r,U,V,\lambda \right) \in \mathcal{P }\times \{0,1\}^{*}\times \left\{ \mathcal I ,\mathcal R \right\} \times G\times G\times \left\{ 0,1\right\} ^{k}\) in a table \(T\), initially empty, as in the previous simulation related to event \(B_{1}\).
-
9.
\(\mathsf{session\text{- }key } (s)\): \(C^{\prime }\) answers this query by look-up in table \(T\).
-
10.
\(E\) outputs a guess: \(C^{\prime }\) aborts with failure.
Analysis of event \(B_{2}\)
The probability that \(E\) selects \(s^{*}\) as the test session and \({\hat{B}}\) as the peer for the test session is at least \(\frac{1}{q_{s}N}\). Assume that this is indeed the case. Then \(C^{\prime }\) does not abort as in Step 2 or Step 6. Under event \(B_{2}\) the simulation does not fail as in steps 4, 5. Under event \(Q\), \(C^{\prime }\) is successful as described in the first case of Step 7 and does not abort as in Step 10. \(C^{\prime }\) correctly computes the GAP-CDH instance with probability at least \(\frac{1}{q_{s}N}P(Q)\) which implies that \(P(Q)\le q_{s}N Adv_{C^{\prime }}^{\text {GAP-CDH}}(k)\).
The analyses of events \(B_{3}\) and \(B_{4}\) are similar to the previous analyses. \(\square \)
Rights and permissions
About this article
Cite this article
Cremers, C., Feltz, M. Beyond eCK: perfect forward secrecy under actor compromise and ephemeral-key reveal. Des. Codes Cryptogr. 74, 183–218 (2015). https://doi.org/10.1007/s10623-013-9852-1
Received:
Revised:
Accepted:
Published:
Issue Date:
DOI: https://doi.org/10.1007/s10623-013-9852-1
Keywords
- Key exchange
- Security models
- Protocol transformations
- Perfect forward secrecy
- Ephemeral-key reveal
- Actor compromise