Abstract
Hierarchical ID-based authenticated key exchange (HID-AKE) is a cryptographic protocol to establish a common session key between parties with authentication based on their IDs with the hierarchical delegation of key generation functionality. All existing HID-AKE schemes are selective ID secure, and the only known standard model scheme relies on a non-standard assumption such as the q-type assumption. In this paper, we propose a generic construction of HID-AKE that is adaptive ID secure in the HID-eCK model (maximal-exposure-resilient security model) without random oracles. One of the concrete instantiations of our generic construction achieves the first adaptive ID secure HID-AKE scheme under the (standard) k-lin assumption in the standard model. Furthermore, it has the advantage that the computational complexity of pairing and exponentiation operations and the communication complexity do not depend on the depth of the hierarchy. Also, the other concrete instantiation achieves the first HID-AKE scheme based on lattices (i.e., post-quantum).
Notes
1. If both SSK and ESK of a party are compromised in the target session, the adversary can obtain the session key trivially. Similarly, if both MSK and ESK are compromised in the target session, the adversary can also compute the session key trivially. We define freshness to consider all combinations except these conditions.
2. However, the number of multiplications depends on \(\ell \).
A Proof of Other Events
A.1 Event \(E_2 \wedge Suc\)
The proof in this case is essentially the same as that of the event \(E_1 \wedge Suc\). The difference lies in the experiment \(H_3\). For the computation of \(s^*\) in the \(i^*\)-th session, in the event \(E_1 \wedge Suc\), instead of \(s^* = \mathsf {F}(esk^*, r^*) \oplus \mathsf {F}^{'}(r^{'*}, esk^{'*})\), it is changed to \(s^* = \mathsf {F}(esk^*, r^*) \oplus \mathsf {RF}(r^{'*})\). In the event \(E_2 \wedge Suc\), it is changed to \(s^* = \mathsf {RF}(esk^*) \oplus \mathsf {F}^{'}(r^{'*}, esk^{'*})\). Since \(\mathcal {A}\) cannot obtain \(r^{*}\) of the initiator by the freshness definition in this event, we can construct a distinguisher \(\mathcal {D}\) from \(\mathcal {A}\) in the same manner as in the proof of the event \(E_1 \wedge Suc\).
A.2 Event \(E_3 \wedge Suc\)
The proof in this case is essentially the same as that of the event \(E_1 \wedge Suc\). The differences lie in the experiments \(H_3\) and \(H_4\). For the computation of the initiator’s \(s^*\) in the \(i^*\)-th session, in \(H_3\) of the event \(E_1 \wedge Suc\), instead of \(s^* = \mathsf {F}(esk^*, r^*) \oplus \mathsf {F}^{'}(r^{'*}, esk^{'*})\), it is changed to \(s^* = \mathsf {F}(esk^*, r^*) \oplus \mathsf {RF}(r^{'*})\). In \(H_3\) of the event \(E_3 \wedge Suc\), it is changed to \(s^* = \mathsf {F}(esk^*, r^*) \oplus \mathsf {RF}(r^{'*})\) for the computation of the responder’s \(s^*\) in the \(i^*\)-th session. For the computation of the initiator’s \(K^{*}\) in the \(i^*\)-th session, in \(H_4\) of the event \(E_1 \wedge Suc\), \((C^{*}, K^{*}) \leftarrow \mathsf {EnCap}(ID^*; s^{*})\), where \(s^* = \mathsf {F}(esk^*, r^*) \oplus \mathsf {RF}(r^{'*})\), is changed to choosing \(K^{*} \leftarrow \mathcal {KS}\) randomly. In \(H_4\) of the event \(E_3 \wedge Suc\), it is changed to choosing \(K^{*} \leftarrow \mathcal {KS}\) randomly for the computation of the responder’s \(K^{*}\) in the \(i^*\)-th session. Since \(\mathcal {A}\) cannot obtain \(esk^{'*}\) of the responder by the freshness definition in this event, we can construct a distinguisher \(\mathcal {D}\) from \(\mathcal {A}\) in the same manner as in the proof of the event \(E_1 \wedge Suc\).
A.3 Event \(E_4\wedge Suc\)
The proof in this case is essentially the same as that of the event \(E_2 \wedge Suc\). The differences lie in the experiments \(H_3\) and \(H_4\). For the computation of the initiator’s \(s^*\) in the \(i^*\)-th session, in \(H_3\) of the event \(E_2 \wedge Suc\), instead of \(s^* = \mathsf {F}(esk^*, r^*) \oplus \mathsf {F}^{'}(r^{'*}, esk^{'*})\), it is changed to \(s^* = \mathsf {RF}(esk^*) \oplus \mathsf {F}^{'}(r^{'*}, esk^{'*})\). In \(H_3\) of the event \(E_4 \wedge Suc\), it is changed to \(s^* = \mathsf {RF}(esk^*) \oplus \mathsf {F}^{'}(r^{'*}, esk^{'*})\) for the computation of the responder’s \(s^*\) in the \(i^*\)-th session. For the computation of the initiator’s \(K^{*}\) in the \(i^*\)-th session, in \(H_4\) of the event \(E_2 \wedge Suc\), \((C^{*}, K^{*}) \leftarrow \mathsf {EnCap}(ID^*; s^{*})\), where \(s^* = \mathsf {RF}(esk^*) \oplus \mathsf {F}^{'}(r^{'*}, esk^{'*})\), is changed to choosing \(K^{*} \leftarrow \mathcal {KS}\) randomly. In \(H_4\) of the event \(E_4 \wedge Suc\), it is changed to choosing \(K^{*} \leftarrow \mathcal {KS}\) randomly for the computation of the responder’s \(K^{*}\) in the \(i^*\)-th session. Since \(\mathcal {A}\) cannot obtain \(r^{*}\) of the responder by the freshness definition in this event, we can construct a distinguisher \(\mathcal {D}\) from \(\mathcal {A}\) in the same manner as in the proof of the event \(E_2 \wedge Suc\).
A.4 Event \(E_5 \wedge Suc\)
We change the interface of oracle queries and the computation of the session key. These instances are gradually changed over six hybrid experiments, depending on specific subcases. In the last hybrid experiment, the session key in the test session does not contain information of the bit b. Thus, the adversary clearly only outputs a random guess. We denote these hybrid experiments by \(H_0,\dots ,H_5\) and the advantage of the adversary \(\mathcal {A}\) when participating in experiment \(H_i\) by Adv(\(\mathcal {A}, H_i\)).
Hybrid Experiment \(H_0\): This experiment denotes the real experiment for HID-eCK security and in this experiment the environment for \(\mathcal {A}\) is as defined in the protocol. Thus, Adv(\(\mathcal {A}, H_0\)) is the same as the advantage of the real experiment.
Hybrid Experiment \(H_1\): This experiment aborts when sid is matched with multiple sessions.
By the decryption correctness of KEM, the probability of outputting the same ciphertext from different randomness in each session is negligible. Thus, \(|Adv(\mathcal {A}, H_1) - Adv(\mathcal {A}, H_0)| \le negl\).
Hybrid Experiment \(H_2\): This experiment chooses an integer \(i^* \in [1, \ell ]\) in advance and fixes the session to be the target of the \(\mathsf {Test}\) query as the \(i^{*}\)-th session. If \(\mathcal {A}\) queries a session other than the \(i^{*}\)-th in the \(\mathsf {Test}\) query, abort the experiment.
The probability that the guess of the test session is correct is \(1/\ell \), hence \(Adv(\mathcal {A}, H_2)\) \(\ge 1 / \ell \cdot Adv(\mathcal {A}, H_1)\).
Hybrid Experiment \(H_3\): This experiment changes the way \(K^{*}_{T}\) is computed in the \(i^{*}\)-th session. Instead of computing \((C^{*}_{T}, K^{*}_{T}) \leftarrow \mathsf {wEnCap}(ek^{*}_{T}, esk^{*}_{T})\), \(K^{*}_{T} \leftarrow \mathcal {KS}\) is chosen randomly.
We construct an IND-CPA adversary \(\mathcal {S}\) in \(H_2\) or \(H_3\) from \(\mathcal {A}\). \(\mathcal {S}\) performs the following steps.
[init]
\(\mathcal {S}\) receives \(ek^{*}_{T}\) as a challenge.
[setup]
\(\mathcal {S}\) chooses \(\mathsf {F}, \mathsf {F}^{'} : \{ 0,1 \}^* \times \mathcal {FS} \rightarrow \mathcal {RS_E}\), \(\mathsf {PRF} : \{ 0,1 \}^* \times \mathcal {KS} \rightarrow \{ 0,1 \}^{\kappa }\), and a KDF \(\mathsf {KDF} : Salt \times \mathcal {KS} \rightarrow \mathcal {FS}\) with a non-secret random salt \(s \in Salt\). These are provided as the public parameters.
\(\mathcal {S}\) sets params as \((params, \mathsf {F}, \mathsf {F^{'}}, \mathsf {PRF}, \mathsf {KDF})\), MPK and MSK.
[simulation]
\(\mathcal {S}\) maintains the list \(L_{SK}\) that contains queries and answers to \(\mathsf {SessionKeyReveal}\). \(\mathcal {S}\) simulates oracle queries by \(\mathcal {A}\) as follows.
1. \(\mathsf {Send}\)(\(\varPi , \mathcal {I}, U_P, U_{\bar{P}}\)) : If the SSK of \(U_P\) is not set, \(\mathcal {S}\) generates and sets the SSK according to the protocol. If the session is the \(i^*\)-th session, \(\mathcal {S}\) receives \((C^{*}_{T}, K^{*}_{Tb})\) as a challenge from the challenger and computes \(C_{\bar{P}}\) according to the protocol. Also, \(\mathcal {S}\) sets \(EPK^{*}=(C_{\bar{P}}, ek^{*}_{T})\) and returns \(EPK^{*}\). Otherwise, \(\mathcal {S}\) computes and returns \(EPK=(C_{\bar{P}}, ek_T)\) according to the protocol and records \((\varPi , U_P, U_{\bar{P}}, (C_{\bar{P}}, ek_T))\) in \(L_{SK}\).
2. \(\mathsf {Send}\)(\(\varPi , \mathcal {R}, U_{\bar{P}}, U_P, (C_{\bar{P}}, ek_T)\)) : If the SSK of \(U_{\bar{P}}\) is not set, \(\mathcal {S}\) generates and sets the SSK according to the protocol. If the session is the \(i^*\)-th session, \(\mathcal {S}\) sets \(K_T=K^{*}_{Tb}\), computes \(C_P\) and SK according to the protocol, and returns \(EPK=(C_P, C^{*}_{T})\). Also, \(\mathcal {S}\) records \((\varPi , U_P,U_{\bar{P}}, (C_{\bar{P}}, ek_T), (C_P, C^{*}_T))\) as the completed session and SK in \(L_{SK}\). Otherwise, \(\mathcal {S}\) computes \(EPK=(C_P, C_T)\) and SK according to the protocol and returns EPK. Also, \(\mathcal {S}\) records \((\varPi , U_P,U_{\bar{P}}, (C_{\bar{P}}, ek_T), (C_P, C_T))\) as the completed session and SK in \(L_{SK}\).
3. \(\mathsf {Send}\)(\(\varPi , \mathcal {I}, U_P, U_{\bar{P}}, (C_{\bar{P}}, ek_T), (C_P, C_T)\)) : If the SSK of \(U_P\) is not set, \(\mathcal {S}\) generates and sets the SSK according to the protocol. If \((\varPi , U_P, U_{\bar{P}}, (C_{\bar{P}}, ek_T))\) is not recorded in \(L_{SK}\), then \(\mathcal {S}\) records this sid as not completed. Also, if the session is the \(i^*\)-th session, \(\mathcal {S}\) computes SK according to the protocol, except \(K_{T} = K^{*}_{T}\), and records \((\varPi , U_P, U_{\bar{P}}, (C_{\bar{P}}, ek_T), (C_P, C_T))\) as the completed session and SK in \(L_{SK}\). Otherwise, \(\mathcal {S}\) computes SK and records \((\varPi , U_P, U_{\bar{P}}, (C_{\bar{P}}, ek_T), (C_P, C_T))\) as the completed session and SK in \(L_{SK}\).
4. \(\mathsf {SessionKeyReveal}\)(sid) :
   (a) If sid is not completed, then \(\mathcal {S}\) returns error.
   (b) Otherwise, \(\mathcal {S}\) returns SK as recorded in \(L_{SK}\).
5. \(\mathsf {EphemeralKeyReveal}\)(sid): \(\mathcal {S}\) returns ESK for sid as defined.
6. \(\mathsf {StaticKeyReveal}\)(\(ID_i\)) : If the SSK for \(ID_i\) is not set, \(\mathcal {S}\) generates and sets the SSK according to the protocol. \(\mathcal {S}\) returns the SSK of \(ID_i\) as defined.
7. \(\mathsf {MasterKeyReveal}\)(): \(\mathcal {S}\) returns MSK as defined.
8. \(\mathsf {EstablishParty}\)(\(U_i, ID_i\)): \(\mathcal {S}\) generates and returns SSK for \(ID_i\) according to the protocol and marks \(U_i\) as dishonest.
9. \(\mathsf {Test}\)(\(sid^{*}\)) : \(\mathcal {S}\) responds to the query as defined and gives the \(SSK^{*}\) of the owner and responder of \(sid^{*}\) to \(\mathcal {A}\).
10. If \(\mathcal {A}\) outputs \(b^{'}\), then \(\mathcal {S}\) outputs \(b^{'}\).
[Analysis]
For \(\mathcal {A}\), the simulation by \(\mathcal {S}\) is the same as the experiment \(H_2\) if the challenge is \((C^{*}_{T}, K^{*}_{T0})\). Otherwise, the simulation by \(\mathcal {S}\) is the same as the experiment \(H_3\). Thus, since the advantage of \(\mathcal {S}\) is negligible due to the security of the IND-CPA secure KEM, \(|Adv(\mathcal {A}, H_3) - Adv(\mathcal {A}, H_2)| \le \) negl.
Hybrid Experiment \(H_4\): This experiment changes the way \(\sigma ^{*}_{3}\) is computed in the \(i^{*}\)-th session. Instead of computing \(\sigma ^{*}_{3} \leftarrow \mathsf {KDF}(s,K^{*}_{T})\), \(\sigma ^{*}_{3} \in \mathcal {FS}\) is chosen randomly.
Since \(K^{*}_{T}\) is randomly chosen in \(H_3\), it has sufficient min-entropy because the KEM is a \(\delta \)-min-entropy KEM. Thus, by the definition of the KDF, \(|Adv(\mathcal {A}, H_4) - Adv(\mathcal {A}, H_3)| \le \) negl.
Hybrid Experiment \(H_5\): This experiment changes the way SK is computed in the \(i^{*}\)-th session. Instead of computing \(SK = \mathsf {PRF}(sid, \sigma _1) \oplus \mathsf {PRF}(sid, \sigma _2) \oplus \mathsf {PRF}(sid, \sigma _3)\), it is changed to \(SK = \mathsf {PRF}(sid, \sigma _1) \oplus \mathsf {PRF}(sid, \sigma _2) \oplus x\), where \(x \in _{R} \{ 0,1 \}^{\kappa }\).
We construct a distinguisher \(\mathcal {D}\) from \(\mathcal {A}\) in \(H_4\) or \(H_5\) that distinguishes whether \(\mathsf {F}^*\) is a pseudo-random function \(\mathsf {PRF}\) or a random function \(\mathsf {RF}\). \(\mathcal {D}\) performs the following steps.
[setup]
\(\mathcal {D}\) chooses \(\mathsf {F},\mathsf {F}^{'} : \{ 0,1 \}^* \times \mathcal {FS} \rightarrow \mathcal {RS_E}\), \(\mathsf {PRF} : \{ 0,1 \}^* \times \mathcal {KS} \rightarrow \{ 0,1 \}^{\kappa }\), and a KDF \(\mathsf {KDF} : Salt \times \mathcal {KS} \rightarrow \mathcal {FS}\) with a non-secret random salt \(s \in Salt\). These are provided as the public parameters. Also, \(\mathcal {D}\) embeds \(\mathsf {F}^{*}\) into \(\mathsf {PRF}\) of the \(i^*\)-th session.
\(\mathcal {D}\) sets MPK and MSK according to the protocol.
[simulation]
\(\mathcal {D}\) maintains the list \(L_{SK}\) that contains queries and answers to \(\mathsf {SessionKeyReveal}\). \(\mathcal {D}\) simulates oracle queries by \(\mathcal {A}\) as follows.
1. \(\mathsf {Send}\)(\(\varPi , \mathcal {I}, U_P, U_{\bar{P}}\)) : If the SSK of \(U_P\) is not set, \(\mathcal {D}\) generates and sets the SSK according to the protocol. \(\mathcal {D}\) computes and returns \(EPK=(C_{\bar{P}}, ek_T)\) according to the protocol, and records \((\varPi , U_P, U_{\bar{P}}, (C_{\bar{P}}, ek_T))\) in \(L_{SK}\).
2. \(\mathsf {Send}\)(\(\varPi , \mathcal {R}, U_{\bar{P}}, U_P, (C_{\bar{P}}, ek_T)\)) : If the SSK of \(U_{\bar{P}}\) is not set, \(\mathcal {D}\) generates and sets the SSK according to the protocol. \(\mathcal {D}\) computes \(EPK=(C_P, C_T)\) and SK according to the protocol, returns EPK, and records \((\varPi , U_P, U_{\bar{P}}, (C_{\bar{P}}, ek_T), (C_P, C_T))\) as the completed session and SK in \(L_{SK}\).
3. \(\mathsf {Send}\)(\(\varPi , \mathcal {I}, U_P, U_{\bar{P}}, (C_{\bar{P}}, ek_T), (C_P, C_T)\)) : If the SSK of \(U_P\) is not set, \(\mathcal {D}\) generates and sets the SSK according to the protocol. If \((\varPi , U_P, U_{\bar{P}}, (C_{\bar{P}}, ek_T))\) is not recorded in \(L_{SK}\), then \(\mathcal {D}\) records this sid as not completed. Also, if the session is the \(i^*\)-th session, \(\mathcal {D}\) poses sid to the oracle \(\mathsf {F^{*}}\) (\(\mathsf {PRF^{'}}\) or \(\mathsf {RF}\)), obtains \(x \in \{ 0,1 \}^{\kappa }\), and computes \(SK^{*}=\mathsf {PRF}(sid, \sigma _1) \oplus \mathsf {PRF}(sid, \sigma _2) \oplus x\). Also, \(\mathcal {D}\) records \((\varPi , U_P, U_{\bar{P}}, (C_{\bar{P}}, ek^{*}_{T}), (C_P, C_T))\) as the completed session and \(SK^{*}\) in \(L_{SK}\). Otherwise, \(\mathcal {D}\) computes SK, and records \((\varPi , U_P, U_{\bar{P}}, (C_{\bar{P}}, ek_T), (C_P, C_T))\) as the completed session and SK in \(L_{SK}\).
4. \(\mathsf {SessionKeyReveal}\)(sid) :
   (a) If sid is not completed, then \(\mathcal {D}\) returns error.
   (b) Otherwise, \(\mathcal {D}\) returns SK as recorded in \(L_{SK}\).
5. \(\mathsf {EphemeralKeyReveal}\)(sid) : \(\mathcal {D}\) returns ESK for sid as defined.
6. \(\mathsf {StaticKeyReveal}\)(\(ID_i\)) : If the SSK for \(ID_i\) is not set, \(\mathcal {D}\) generates and sets the SSK according to the protocol. \(\mathcal {D}\) returns the SSK as defined.
7. \(\mathsf {MasterKeyReveal}\)(): \(\mathcal {D}\) returns MSK as defined.
8. \(\mathsf {EstablishParty}\)(\(U_i, ID_i\)) : \(\mathcal {D}\) generates and returns SSK for \(ID_i\) according to the protocol and marks \(U_i\) as dishonest.
9. \(\mathsf {Test}\)(\(sid^{*}\)) : \(\mathcal {D}\) responds to the query as defined and gives the \(SSK^{*}\) of the owner of \(sid^{*}\) to \(\mathcal {A}\).
10. \(\mathcal {A}\) outputs a guess \(b^{'} \in \{ 0,1 \}\). If \(\mathcal {A}\) outputs \(b^{'} = 0\), then \(\mathcal {D}\) outputs that \(\mathsf {F}^{*}=\mathsf {PRF}\). Otherwise, \(\mathcal {D}\) outputs that \(\mathsf {F}^{*}=\mathsf {RF}\).
[Analysis]
For \(\mathcal {A}\), the simulation by \(\mathcal {D}\) is the same as the experiment \(H_4\) if \(\mathsf {F}^{*}=\mathsf {PRF}\). Otherwise, the simulation by \(\mathcal {D}\) is the same as the experiment \(H_5\). Thus, since the advantage of \(\mathcal {D}\) is negligible due to the security of the PRF, \(|Adv(\mathcal {A}, H_5) - Adv(\mathcal {A}, H_4)| \le negl\).
In \(H_5\), the session key in the test session is perfectly randomized. This gives \(\mathcal {A}\) no information from the \(\mathsf {Test}\) query; therefore \(Adv(\mathcal {A}, H_5) = 0\) and \(\Pr [E_5 \wedge Suc] = negl\).
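The following Python program is an added illustration and not code from the paper: it instantiates, concretely, the pieces that the hybrids \(H_3\) to \(H_5\) above and the \(H_3\) steps of A.1 to A.3 reason about, namely the twisted PRF \(s = \mathsf {F}(esk, r) \oplus \mathsf {F}^{'}(r', esk')\) used as KEM randomness, \(\sigma _3 = \mathsf {KDF}(s, K_T)\), the session key \(SK = \mathsf {PRF}(sid, \sigma _1) \oplus \mathsf {PRF}(sid, \sigma _2) \oplus \mathsf {PRF}(sid, \sigma _3)\), the simulator's list \(L_{SK}\), and the freshness rule of footnote 1. The following are assumptions made here for the example only: HMAC-SHA256 stands in for \(\mathsf {F}\), \(\mathsf {F}^{'}\), \(\mathsf {PRF}\) and \(\mathsf {KDF}\); \(\kappa = 256\); the three KEM keys are passed in as constructed byte strings; and \(\sigma _1\), \(\sigma _2\) are taken to be the two ID-based KEM keys directly. The function names (`encap_randomness`, `session_key`, `session_key_h5`, `is_fresh`, `SessionList`, `both_sides_agree`) are this example's own.

```python
"""Added example, not code from the paper: a concrete stand-in for the key
schedule that Appendix A.4 reasons about, plus the simulator's list L_SK and
the freshness rule of footnote 1.  Assumptions: HMAC-SHA256 plays F, F', PRF
and KDF; kappa = 256 bits; the KEM keys are plain (constructed) byte strings,
so the KEMs themselves are out of scope."""
import hashlib
import hmac
import os
from typing import Dict, Hashable, Optional, Set

KAPPA = 32  # PRF output length in bytes (kappa = 256, assumed)


def _xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


def F(esk: bytes, r: bytes) -> bytes:
    """F : {0,1}^* x FS -> RS_E, keyed by the static component r."""
    return hmac.new(r, b"F|" + esk, hashlib.sha256).digest()


def F_prime(r_prime: bytes, esk_prime: bytes) -> bytes:
    """F' : {0,1}^* x FS -> RS_E, keyed by the ephemeral component esk'."""
    return hmac.new(esk_prime, b"F'|" + r_prime, hashlib.sha256).digest()


def encap_randomness(esk: bytes, r: bytes, r_prime: bytes, esk_prime: bytes) -> bytes:
    """Twisted PRF s = F(esk, r) xor F'(r', esk').  If the ephemeral part
    (esk, esk') leaks, F(esk, r) still hides s; if the static part (r, r')
    leaks, F'(r', esk') does.  Each H_3 in A.1-A.3 replaces exactly the term
    whose key the adversary cannot obtain by a random function."""
    return _xor(F(esk, r), F_prime(r_prime, esk_prime))


def PRF(sid: bytes, sigma: bytes) -> bytes:
    """PRF : {0,1}^* x KS -> {0,1}^kappa, keyed by sigma."""
    return hmac.new(sigma, sid, hashlib.sha256).digest()[:KAPPA]


def KDF(salt: bytes, k: bytes) -> bytes:
    """KDF : Salt x KS -> FS with a public (non-secret) salt."""
    return hmac.new(salt, b"KDF|" + k, hashlib.sha256).digest()


def session_key(sid: bytes, sigma1: bytes, sigma2: bytes, sigma3: bytes) -> bytes:
    """SK = PRF(sid, sigma1) xor PRF(sid, sigma2) xor PRF(sid, sigma3)."""
    return _xor(_xor(PRF(sid, sigma1), PRF(sid, sigma2)), PRF(sid, sigma3))


def session_key_h5(sid: bytes, sigma1: bytes, sigma2: bytes) -> bytes:
    """Hybrid H_5: the third PRF term is replaced by a uniform x, so SK no
    longer depends on sigma3 at all."""
    x = os.urandom(KAPPA)
    return _xor(_xor(PRF(sid, sigma1), PRF(sid, sigma2)), x)


def is_fresh(initiator_leaked: Set[str], responder_leaked: Set[str],
             msk_leaked: bool) -> bool:
    """Footnote 1: the target session is not fresh when, for either party,
    both SSK and ESK are revealed, or MSK and that party's ESK are revealed."""
    for leaked in (initiator_leaked, responder_leaked):
        if "esk" in leaked and ("ssk" in leaked or msk_leaked):
            return False
    return True


class SessionList:
    """The simulator's list L_SK: started sessions and completed sessions
    with their SK.  A second completion under the same sid is the situation
    in which hybrid H_1 aborts."""

    def __init__(self) -> None:
        self.started: Set[Hashable] = set()
        self.completed: Dict[Hashable, bytes] = {}

    def record_started(self, sid: Hashable) -> None:
        self.started.add(sid)

    def record_completed(self, sid: Hashable, sk: bytes) -> None:
        if sid in self.completed:
            raise RuntimeError("sid matches multiple sessions: H_1 aborts")
        self.completed[sid] = sk

    def session_key_reveal(self, sid: Hashable) -> Optional[bytes]:
        """None plays the role of the proof's 'error' for an incomplete sid."""
        return self.completed.get(sid)


def both_sides_agree(k_p: bytes, k_pbar: bytes, k_t: bytes, salt: bytes) -> bool:
    """Derive SK as initiator and as responder from the same (constructed)
    KEM keys and check that both reach the same session key."""
    sid = b"U_P|U_Pbar|C_Pbar|ek_T|C_P|C_T"  # constructed session identifier
    sigma3 = KDF(salt, k_t)
    sk_initiator = session_key(sid, k_p, k_pbar, sigma3)
    sk_responder = session_key(sid, k_pbar, k_p, sigma3)  # same keys, other order
    return sk_initiator == sk_responder
```

Because the three PRF outputs are combined by XOR, the session key is uniform as soon as any one of \(\sigma _1, \sigma _2, \sigma _3\) is a fresh PRF key unknown to the adversary; that is exactly the structure the hybrids exploit when they swap the term keyed by \(K^{*}_{T}\) for a random value. The same XOR structure in `encap_randomness` is why leaking only the ephemeral keys, or only the static keys, leaves the KEM randomness unpredictable.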
A.5 Event \(E_6 \wedge Suc\)
The proof in this case is essentially the same as that of the event \(E_2 \wedge Suc\). The situation in which the ephemeral secret key of \(\overline{sid^*}\) is given to \(\mathcal {A}\) is the same as the case in which \(sid^{*}\) has no matching session, because \(\mathcal {A}\) can choose the ephemeral key arbitrarily. Thus, the proof in this event follows that of the event \(E_2 \wedge Suc\).
A.6 Event \(E_7 \wedge Suc\)
The proof in this case is essentially the same as that of the event \(E_1 \wedge Suc\). The situation in which the ephemeral secret key of \(\overline{sid^*}\) is given to \(\mathcal {A}\) is the same as the case in which \(sid^{*}\) has no matching session, because \(\mathcal {A}\) can choose the ephemeral key arbitrarily. Thus, the proof in this event follows that of the event \(E_1 \wedge Suc\).
A.7 Event \(E_8 \wedge Suc\)
The proof in this case is essentially the same as that of the event \(E_3 \wedge Suc\). The situation in which the ephemeral secret key of \(sid^*\) is given to \(\mathcal {A}\) is the same as the case in which \(sid^{*}\) has no matching session, because \(\mathcal {A}\) can choose the ephemeral key arbitrarily. Thus, the proof in this event follows that of the event \(E_3 \wedge Suc\).
© 2021 Springer Nature Switzerland AG
Ishibashi, R., Yoneyama, K. (2021). Adaptive-ID Secure Hierarchical ID-Based Authenticated Key Exchange Under Standard Assumptions Without Random Oracles. In: Sako, K., Tippenhauer, N.O. (eds) Applied Cryptography and Network Security. ACNS 2021. Lecture Notes in Computer Science(), vol 12726. Springer, Cham. https://doi.org/10.1007/978-3-030-78372-3_1
DOI: https://doi.org/10.1007/978-3-030-78372-3_1
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-78371-6
Online ISBN: 978-3-030-78372-3