Designing a secure Authenticated Key Exchange (AKE) protocol without the NAXOS approach remains an open problem. The NAXOS approach [4] is used to hide the ephemeral secret key from an adversary even if the adversary somehow obtains the ephemeral secret key. Using the NAXOS approach has two main drawbacks: (i) risk of leaking the static secret key, which is used in computing the exponent of the ephemeral public key; (ii) heavier reliance on the random oracle, which is applied both to the exponent of the ephemeral public key and to the session key derivation. In this paper, we present another AKE-secure protocol without the NAXOS approach, based on the decision linear assumption in the random oracle model. We establish its security using the sequence-of-games tool, which gives a tight security bound for our protocol.
An Authenticated Key Exchange (AKE) protocol allows two parties to establish a shared secret key in a secure and authenticated manner. The authentication problem deals with restraining an adversary that actively controls the communication links used by legitimate parties: it may modify and delete messages in transit, inject false ones, or control the delays of messages.
In 1993, Bellare and Rogaway [
To achieve eCK security, NAXOS requires that the ephemeral public key X be computed from an exponent obtained by hashing an ephemeral private key x together with the static private key a, more precisely
Motivating Problem. (1) Design an AKE-secure protocol without the NAXOS trick in order to achieve two goals: (i) reduce the risk of leaking the static private key, since the derivation of the ephemeral public key is independent of the static private key, in contrast to protocols that use the NAXOS approach; (ii) minimize the use of the random oracle, by applying it only to the session key derivation. Kim, Minkyu, Atsushi Fujioka, and Berkant Ustaoğlu [
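As an added illustration (not the paper's protocol, whose messages are not reproduced on this page), the following Python sketch implements the NAXOS ephemeral-key derivation X = g^{H(x, a)} described above in a constructed toy group and runs one NAXOS session, with the plain X = g^x derivation beside it for contrast. The group parameters, key values and party names are constructed assumptions.

```python
import hashlib

# Constructed toy group for illustration only (far too small for real use):
# P = 2*Q + 1 is a safe prime and g = 4 generates the subgroup of prime order Q.
P, Q, g = 2039, 1019, 4


def H(*parts):
    """Random-oracle stand-in (SHA-256) mapping its inputs into Z_Q."""
    data = b"|".join(str(v).encode() for v in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def naxos_ephemeral(x, a):
    """NAXOS trick: the exponent of X is H(x, a), so the static private key a
    must be available when forming the ephemeral public key (first random-oracle
    use). Returns (exponent, X)."""
    e = H(x, a)
    return e, pow(g, e, P)


def plain_ephemeral(x):
    """Non-NAXOS derivation: X = g^x, independent of the static key."""
    return pow(g, x, P)


def naxos_key_initiator(x, a, B_pub, Y, A_id, B_id):
    """Initiator's NAXOS session key H(Y^a, B^e, Y^e, A, B) with e = H(x, a);
    this derivation is the second random-oracle use."""
    e, _ = naxos_ephemeral(x, a)
    return H(pow(Y, a, P), pow(B_pub, e, P), pow(Y, e, P), A_id, B_id)


def naxos_key_responder(y, b, A_pub, X, A_id, B_id):
    """Responder's view H(A^f, X^b, X^f, A, B) with f = H(y, b); the three shared
    values match the initiator's since g^(fa) = Y^a, g^(eb) = B^e, g^(ef) = Y^e."""
    f, _ = naxos_ephemeral(y, b)
    return H(pow(A_pub, f, P), pow(X, b, P), pow(X, f, P), A_id, B_id)


def run_naxos(a, x, b, y, A_id="Alice", B_id="Bob"):
    """Run one toy NAXOS session and return both parties' session keys."""
    A_pub, B_pub = pow(g, a, P), pow(g, b, P)
    _, X = naxos_ephemeral(x, a)   # A needs its static key a here
    _, Y = naxos_ephemeral(y, b)   # B needs its static key b here
    return (naxos_key_initiator(x, a, B_pub, Y, A_id, B_id),
            naxos_key_responder(y, b, A_pub, X, A_id, B_id))


if __name__ == "__main__":
    kA, kB = run_naxos(a=123, x=456, b=789, y=321)
    print("NAXOS session keys agree:", kA == kB)
    print("plain ephemeral key for x=456:", plain_ephemeral(456))
```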
Contributions. We present a concrete and practical AKE protocol that is eCK secure under the Decisional Linear assumption in the random oracle model. Our protocol does not rely on the NAXOS trick, which yields a more efficient solution when it is implemented with a secure device. We give a tight proof reducing the eCK security of our protocol to breaking the underlying cryptographic primitives in the random oracle model. In our protocol, the ephemeral public key contains each peer's generator, which results in two different discrete logarithm problems with two different generators and increases the hardness for a DL solver.
In the derivation of the session key, each party computes the shared secret from the ephemeral keys and the static keys. We establish the security of this protocol using the sequence-of-games tool, which gives tight security.
Organization. Section 2 reviews security definitions and states the hard problem. Section 3 gives a brief overview of the eCK model. Section 4 proposes the AKE-secure protocol with its security results. Section 5 compares our protocol with other related AKE protocols and shows its efficiency. Finally, we draw conclusions in Section 6.
In this section, we review the security definitions we will use to construct our protocol.
Let G be a cyclic group of prime order p, along with arbitrary generators
consider the following problem:
Decision Linear Problem in G [
One can easily show that an algorithm for solving Decision Linear in G gives an algorithm for solving DDH in G. The converse is believed to be false. That is, it is believed that Decision Linear is a hard problem even in bilinear groups where DDH is easy. More precisely, we define the advantage of an algorithm
The probability is over the uniform random choice of the parameters to
Definition 2.1. We say that the
Let
or in input
In this section, the eCK model is outlined [
Sessions: A party is activated by an outside call or an incoming message to execute the protocol
Adversaries: The adversary
Establish Party (
Send (
Ephemeral Key Reveal (sid):
Static Key Reveal (
Session Key Reveal (sid):
Experiment
Definition 3.1 (Fresh session). Let sid be a complete session, owned by honest
1.
2. If
(a) Both Static Key Reveal (
(b) Both Static Key Reveal (
3. If
(a) Both Static Key Reveal (
(b) Static Key Reveal (
The eCK security notion can now be described.
Definition 3.2 (eCK security). The advantage of the adversary
The protocol
1) If two honest parties complete matching sessions, then they both compute the same session key, except with negligible probability.
2) The advantage
Parameters. Let k be the security parameter and G be a cyclic group with generator g whose order is a k-bit prime p. Each user's public key is a triple of generators
In the following description,
1)
2) Upon receiving
3) Upon receiving
Both parties compute the shared secret
Theorem 4.1. If the DLIN assumption holds in G and H is a random oracle, then the Protocol
Let
is the peer. Let
this proof. Let
-case 1: A matching session exists
-case 2: No matching session exists for the target session
Case 1. To analyze this event, Adversary
-
Claim. let
Proof. It is easy to derive the proof from Definition 3.2
-
Claim. let
Proof. This game is clearly similar to game
On the other hand, the adversary should succeed in guessing the target session and its matching session. Let
thus
From these two probabilities, we can derive the overall probability that the adversary succeeds in guessing the parties
-
where
Claim. let
Proof. We transform game
where
-
Claim. let
which
Proof. We use the same idea as in the previous game. In this game we transform from
Moreover, as h acts as a one-time pad in game
Combining (8), (9), (10), (11) and (12), we obtain
Case 2. To analyze this event, Adversary
-
Claim. let
Proof. The proof can be derived from
-
Claim. let
Proof. This game is clearly similar to game
On the other hand, the adversary should succeed in guessing the target session and its matching session. Let Pr[sidA;B] denote the probability that the adversary successfully guesses the target session from
From these two probabilities, we can derive the overall probability that the adversary succeeds in guessing the parties together with the target session and its matching session, in the form:
-
Claim. let
Proof. We transform game
Therefore, we obtain:
-
Claim. let
which
Proof. We use the same idea as in the previous game. In this game we transform from
The difference between
Moreover, as h acts as a one-time pad in game
Combining (14), (15), (16), (17) and (18), we obtain
From the sequence of preceding claims, we can conclude that since the
In this section, we compare our protocol with other related AKE protocols in terms of the underlying assumption, computational efficiency and security model. In
It is clear that our protocol has the same security model as NETS, CMQV, and KFU-P1, but it differs from them in the underlying assumption and computation.
Protocol | Computation | Security Model | Assumption | NAXOS Approach | SPK/EPK |
---|---|---|---|---|---|
Okamoto [ | 8E | eCK | Standard | Yes | 2/3 |
HMQV [ | 2.5E | CK, wPFS, KCI, LEP | KEA1, GDH, RO | No | 1/1 |
CMQV [ | 3E | eCK | GDH, RO | Yes | 1/1 |
NAXOS [ | 4E | eCK | GDH, RO | Yes | 1/1 |
NETS [ | 3E | eCK | GDH, RO | Yes | 1/1 |
SMEN [ | 6E | eCK | GDH, RO | No | 2/2 |
KFU [ | 3E | eCK | GDH, RO | No | 2/1 |
Our | 3E | eCK | GDH, RO | No | 2/2 |
We showed that it is possible to construct eCK-secure AKE protocols without using the NAXOS approach, so our protocol is secure even when the discrete logarithm of the ephemeral public key is revealed, and it decreases the risk of leaking the static private key, which makes our protocol more practical.
Moreover, one of the advantages of our protocol is the use of a single random oracle, as opposed to two for HMQV and CMQV. The random oracle is needed only for the session key derivation, which is the typical way to attain indistinguishability in the random oracle model.
Also, our protocol relies on the decision linear assumption with a tight security proof.
In this paper, we presented an AKE protocol secure in the eCK model under the Decision Linear assumption (DLIN) without using the NAXOS trick, with a tight reduction. This reduces the risk of leaking the static private key, because the derivation of the ephemeral public key is independent of the static private key, in contrast to protocols that use the NAXOS approach, and it minimizes the use of the random oracle by applying it only to the session key derivation. We gave a tight security proof for our protocol based on a sequence of games. How to preserve the security of this protocol without using a random oracle remains an open problem.
Mohamed, M., Wang, X.F. and Zhang, X.S. (2016) Tightly-Secure Authenticated Key Exchange without NAXOS' Approach Based on Decision Linear Problem. Open Access Library Journal, 3: e3033. http://dx.doi.org/10.4236/oalib.1103033