Strongly secure authenticated key exchange from factoring, codes, and lattices

Abstract

An unresolved problem in research on authenticated key exchange (AKE) in the public-key setting is to construct a secure protocol against advanced attacks such as key compromise impersonation and maximal exposure attacks without relying on random oracles. HMQV, a state of the art AKE protocol, achieves both efficiency and the strong security proposed by Krawczyk (we call it the \({\mathrm {CK}}^+\) model), which includes resistance to advanced attacks. However, the security proof is given under the random oracle model. We propose a generic construction of AKE from a key encapsulation mechanism (KEM). The construction is based on a chosen-ciphertext secure KEM, and the resultant AKE protocol is \({\mathrm {CK}}^+\) secure in the standard model. The construction gives the first \({\mathrm {CK}}^+\) secure AKE protocols based on the hardness of integer factorization problem, code-based problems, or learning problems with errors. In addition, instantiations under the Diffie–Hellman assumption or its variant can be proved to have strong security without non-standard assumptions such as \(\pi \)PRF and KEA1. Furthermore, we extend the \({\mathrm {CK}}^+\) model to identity-based (called the \({\hbox {id-CK}^+}\) model), and propose a generic construction of identity-based AKE (ID-AKE) based on identity-based KEM, which satisfies \({\hbox {id-CK}^+}\) security. The construction leads first strongly secure ID-AKE protocols under the hardness of integer factorization problem, or learning problems with errors.

This is a preview of subscription content, access via your institution.

Fig. 1
Fig. 2

Notes

  1. 1.

    HMQV does not provide full perfect forward secrecy (fPFS), which is the same as wPFS except that the adversary can modify messages of the target session. Some schemes [14, 25, 26, 32, 40, 63] have achieved fPFS. However, the schemes [32, 40] are clearly vulnerable to MEX; that is, the session key is computable if an adversary obtains an ephemeral secret key of parties in the target session. The schemes [14, 25, 26] is resilient to MEX, but security is proved in the random oracle model. The other scheme [63] limits instantiations to DH-based. Upgrading wPFS to fPFS is not that difficult; it can be done by simply adding MAC or a signature of ephemeral public keys. Thus, we do not discuss fPFS in this paper.

  2. 2.

    Static public keys must be known to both parties in advance. They can be obtained by exchanging them before starting the protocol or by receiving them from a certificate authority. This situation is common for all PKI-based AKE schemes.

  3. 3.

    A similar trick is used in the Okamoto AKE scheme [56].

  4. 4.

    Actually, \(F_{{\sigma _A}}(r_{A}) \oplus F_{r'_{A}}'(\sigma _A')\) can be replaced with \(F_{{\sigma _A}}(r_{A}) \oplus F_{r'_{A}}'(1^\kappa )\). This modification has no influence to the security proof.

  5. 5.

    The BCGNP construction with an additional exchange of a DH value (called Protocol 2 in [12, 13]) can be proved in the CK model, and it satisfies wPFS and resistance to KCI. We can extend the security of Protocol 2 to the \({\mathrm {CK}}^+\) security with the twisted PRF trick. If IND-CPA KEM in \({\mathsf {GC}}\) is instantiated with the ElGamal KEM, our scheme is the same as Protocol 2 with the twisted PRF trick. Thus, our scheme can also be seen as a generalization of the BCGNP construction.

  6. 6.

    The hardness of the (ring-)LWE problems are reduced to the worst-case hardness of the (ideal) lattice problems.

References

  1. 1.

    Agrawal S., Boneh D., Boyen, X.: Efficient lattice (H)IBE in the standard model. In: EUROCRYPT 2010, pp. 553–572 (2010).

  2. 2.

    Agrawal S., Boneh D., Boyen X.: Lattice basis delegation in fixed dimension and shorter-ciphertext hierarchical IBE. In: CRYPTO 2010, pp. 98–115 (2010).

  3. 3.

    Ajtai M.: Generating hard instances of lattice problems (extended abstract). In: STOC 1996, pp. 99–108 (1996).

  4. 4.

    Banerjee A., Peikert C., Rosen A.: Pseudorandom functions and lattices. In: EUROCRYPT 2012, pp. 719–737 (2012).

  5. 5.

    Bellare M., Rogaway P.: Entity authentication and key distribution. In: CRYPTO 1993, pp. 232–249 (1993).

  6. 6.

    Bernstein D.J., Lange T., Peters C.: Wild McEliece. In: SAC 2010, pp. 143–158 (2010).

  7. 7.

    Bernstein D.J., Lange T., Peters C.: Smaller decoding exponents: ball-collision decoding. In: CRYPTO 2011, pp. 743–760 (2011).

  8. 8.

    Boneh D., Boyen X.: Efficient selective-ID secure identity-based encryption without random oracles. In: EUROCRYPT 2004, pp. 223–238 (2004). See also Cryptology ePrint Archive-2004/172.

  9. 9.

    Boneh D., Boyen X., Shacham H.: Short group signatures. In: CRYPTO 2004, pp. 41–55 (2004).

  10. 10.

    Boneh D., Canetti R., Halevi S., Katz J.: Chosen-ciphertext security from identity-based encryption. SIAM J. Comput. 36(5), 1301–1328 (2007).

    Google Scholar 

  11. 11.

    Boneh D., Franklin M.K.: Identity-based encryption from the weil pairing. In: CRYPTO 2001, pp. 213–229 (2001).

  12. 12.

    Boyd C., Cliff Y., González Nieto J.M., Paterson K.G.: Efficient one-round key exchange in the standard model. In: ACISP 2008, pp. 69–83 (2008).

  13. 13.

    Boyd C., Cliff Y., González Nieto J.M., Paterson K.G.: One-round key exchange in the standard model. In: IJACT 1(3), pp. 181–199 (2009).

  14. 14.

    Boyd C., González Nieto J.M.: On forward secrecy in one-round key exchange. In: IMA Int. Conf. 2011, pp. 451–468 (2011).

  15. 15.

    Boyen X., Mei Q., Waters B.: Direct chosen ciphertext security from identity-based techniques. In: ACM Conference on Computer and Communications Security 2005, pp. 320–329 (2005).

  16. 16.

    Canetti R., Goldreich O., Halevi S.: The random oracle methodology, revisited (preliminary version). In: STOC 1998, pp. 131–140 (1998).

  17. 17.

    Canetti R., Krawczyk H.: Analysis of key-exchange protocols and their use for building secure channels. In: EUROCRYPT 2001, pp. 453–474 (2001).

  18. 18.

    Cash D., Hofheinz D., Kiltz E., Peikert C.: Bonsai trees, or how to delegate a lattice basis. In: EUROCRYPT 2010, pp. 523–552 (2010).

  19. 19.

    Chen L., Cheng Z., Smart N.P.: Identity-based key agreement protocols from pairings. Int. J. Inf. Secur. 6(4), 213–241 (2007).

    Google Scholar 

  20. 20.

    Chevallier-Mames B., Joye M.: Chosen-ciphertext secure RSA-type cryptosystems. In: ProvSec 2009, pp. 32–46 (2009).

  21. 21.

    Cramer R., Shoup V.: A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack. In: CRYPTO 1998, pp. 13–25 (1998).

  22. 22.

    Cramer R., Shoup V.: Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack. SIAM J. Comput. 33, 167–226 (2004).

    Google Scholar 

  23. 23.

    Cremers C.J.F.: Session-state reveal is stronger than ephemeral key reveal: attacking the NAXOS authenticated key exchange protocol. In: ACNS 2009, pp. 20–33 (2009).

  24. 24.

    Cremers C.J.F.: Examining indistinguishability-based security models for key exchange protocols: the case of CK, CK-HMQV, and eCK. In: ASIACCS 2011, pp. 80–91 (2011).

  25. 25.

    Cremers C.J.F., Feltz M.: One-round strongly secure key exchange with perfect forward secrecy and deniability. In: Cryptology ePrint Archive: 2011/300 (2011).

  26. 26.

    Cremers C.J.F., Feltz M.: Beyond eCK: perfect forward secrecy under actor compromise and ephemeral-key reveal. In: ESORICS 2012, pp. 734–751 (2012).

  27. 27.

    Dachman-Soled D., Gennaro R., Krawczyk H., Malkin T.: Computational extractors and pseudorandomness. In: TCC 2012, pp. 383–403 (2012).

  28. 28.

    Damgård I.: Towards practical public key systems secure against chosen ciphertext attacks. In: CRYPTO 1991, pp. 445–456 (1991).

  29. 29.

    Dowsley R., Müller-Quade J., Nascimento A.C.A.: A CCA2 secure public key encryption scheme based on the McEliece assumptions in the standard model. In: CT-RSA 2009, pp. 240–251 (2009).

  30. 30.

    Fiore D., Gennaro R.: Making the Diffie–Hellman protocol identity-based. In: CT-RSA 2010, pp. 165–178 (2010).

  31. 31.

    Fujioka A., Suzuki K., Ustaoglu B.: Ephemeral key leakage resilient and efficient ID-AKEs that can share identities, private and master keys. In: Pairing 2010, pp. 187–205 (2010).

  32. 32.

    Gennaro R., Krawczyk H., Rabin T.: Okamoto-Tanaka revisited: fully authenticated Diffie–Hellman with minimal overhead. In: ACNS 2010, pp. 309–328 (2010).

  33. 33.

    Gennaro R., Shoup V.: A note on an encryption scheme of Kurosawa and Desmedt. In: Cryptology ePrint Archive: 2004/194 (2004).

  34. 34.

    Gorantla M.C., Boyd C., González Nieto J.M., Manulis M.: Generic one round group key exchange in the standard model. In: ICISC 2009, pp. 1–15 (2009).

  35. 35.

    Hanaoka G., Kurosawa K.: Efficient chosen ciphertext secure public key encryption under the computational Diffie–Hellman assumption. In: ASIACRYPT 2008, pp. 308–325 (2008).

  36. 36.

    Haralambiev K., Jager T., Kiltz E., Shoup V.: Simple and efficient public-key encryption from computational Diffie–Hellman in the standard model. In: Public Key Cryptography 2010, pp. 1–18 (2010).

  37. 37.

    Hofheinz D., Kiltz E.: Practical chosen ciphertext secure encryption from factoring. In: EUROCRYPT 2009, pp. 313–332 (2009).

  38. 38.

    Hofheinz D., Kiltz E.: The group of signed quadratic residues and applications. In: CRYPTO 2009, pp. 637–653 (2009).

  39. 39.

    Huang H., Cao Z.: An ID-based authenticated key exchange protocol based on bilinear Diffie–Hellman problem. In: ASIACCS 2009, pp. 333–342 (2009).

  40. 40.

    Jeong I.R., Katz J., Lee D.H.: One-round protocols for two-party authenticated key exchange. In: ACNS 2004, pp. 220–232 (2004).

  41. 41.

    Kiltz E.: Chosen-ciphertext secure key-encapsulation based on gap hashed Diffie–Hellman. In: Public Key Cryptography 2007, pp. 282–297 (2007).

  42. 42.

    Kiltz E., Mohassel P., O’Neill A.: Adaptive trapdoor functions and chosen-ciphertext security. In: EUROCRYPT 2010, pp. 673–692 (2010).

  43. 43.

    Krawczyk H.: HMQV: A high-performance secure Diffie–Hellman protocol. In: CRYPTO 2005, pp. 546–566 (2005).

  44. 44.

    Krawczyk H.: Cryptographic extraction and key derivation: The HKDF Scheme. In: CRYPTO 2010, pp. 631–648 (2010).

  45. 45.

    Kurosawa K., Desmedt Y.: A new paradigm of hybrid encryption scheme. In: CRYPTO 2004, pp. 426–442 (2004).

  46. 46.

    LaMacchia B.A., Lauter K., Mityagin A.: Stronger security of authenticated key exchange. In: ProvSec 2007, pp. 1–16 (2007).

  47. 47.

    Langlois A., Stehle D.: Hardness of decision (R)LWE for any modulus. In: Cryptology ePrint Archive: 2012/091 (2012).

  48. 48.

    Lyubashevsky V., Micciancio D.: Generalized compact knapsacks are collision resistant. In: ICALP (2) 2006, pp. 144–155 (2006).

  49. 49.

    Lyubashevsky V., Peikert C., Regev O.: On Ideal lattices and learning with errors over rings. In: EUROCRYPT 2010, pp. 1–23 (2010).

  50. 50.

    McEliece R.J.: A public-key cryptosystem based on algebraic coding theory. In: Deep Space Network progress Report (1978).

  51. 51.

    Mei Q., Li B., Lu X., Jia D.: Chosen ciphertext secure encryption under factoring assumption revisited. In: Public Key Cryptography 2011, pp. 210–227 (2011).

  52. 52.

    Micciancio D., Peikert C.: Trapdoors for lattices: simpler, tighter, faster, smaller. In: EUROCRYPT 2012, pp. 700–718 (2012).

  53. 53.

    Micciancio D., Regev O.: Worst-case to average-case reductions based on Gaussian measures. SIAM J. Comput. 37(1), 267–302 (2007).

    Google Scholar 

  54. 54.

    Naor M.: On cryptographic assumptions and challenges. In: CRYPTO 2003, pp. 96–109 (2003).

  55. 55.

    Nojima R., Imai H., Kobara K., Morozov K.: Semantic security for the McEliece cryptosystem without random oracles. Des. Codes Cryptogr. 49(1–3), 289–305 (2008).

    Google Scholar 

  56. 56.

    Okamoto T.: Authenticated key exchange and key encapsulation in the standard model. In: ASIACRYPT 2007, pp. 474–484 (2007).

  57. 57.

    Peikert C.: Public-key cryptosystems from the worst-case shortest vector problem: extended abstract. In: STOC 2009, pp. 333–342 (2009).

  58. 58.

    Peikert C., Rosen A.: Efficient collision-resistant hashing from worst-case assumptions on cyclic lattices. In: TCC 2006, pp. 145–166 (2006).

  59. 59.

    Peikert C., Waters B.: Lossy trapdoor functions and their applications. In: STOC 2008, pp. 187–196 (2008).

  60. 60.

    Regev O.: On lattices, learning with errors, random linear codes, and cryptography. J. ACM 56(6), 139–160 (2009).

    Google Scholar 

  61. 61.

    Sarr A.P., Elbaz-Vincent P., Bajard J.C.: A new security model for authenticated key agreement. In: SCN 2010, pp. 219–234 (2010).

  62. 62.

    Stehlé D., Steinfeld R., Tanaka K., Xagawa K.: Efficient public key encryption based on ideal lattices. In: ASIACRYPT 2009, pp. 617–635 (2009).

  63. 63.

    Yoneyama K.: One-round authenticated key exchange with strong forward secrecy in the standard model against constrained adversary. In: IWSEC 2012, pp. 69–86 (2012).

  64. 64.

    Yoneyama K.: Generic construction of two-party round-optimal attribute-based authenticated key exchange without random oracles. IEICE Trans. 96A(6), 1112–1123 (2013).

    Google Scholar 

  65. 65.

    Yoneyama K.: One-round authenticated key exchange with strong forward secrecy in the standard model against constrained adversary. IEICE Trans. 96A(6), 1124–1138 (2013).

    Google Scholar 

Download references

Author information

Affiliations

Authors

Corresponding author

Correspondence to Kazuki Yoneyama.

Additional information

Communicated by K. Matsuura.

Appendices

Appendix 1: Proof of Theorem 1

In the experiment of \({\mathrm {CK}}^+\) security, we suppose that \(\mathsf {sid}^*\) is the session identity for the test session, and that there are \(N\) users and at most \(\ell \) sessions are activated. Let \(\kappa \) be the security parameter, and let \(\mathcal {A}\) be a PPT (in \(\kappa \)) bounded adversary. \(Suc\) denotes the event that \(\mathcal {A}\) wins. We consider the following events that cover all cases of the behavior of \(\mathcal {A}\).

  • Let \(E_1\) be the event that the test session \(\mathsf {sid}^*\) has no matching session \(\overline{\mathsf {sid}}^*\), the owner of \(\mathsf {sid}^*\) is the initiator and the static secret key of the initiator is given to \(\mathcal {A}\).

  • Let \(E_2\) be the event that the test session \(\mathsf {sid}^*\) has no matching session \(\overline{\mathsf {sid}}^*\), the owner of \(\mathsf {sid}^*\) is the initiator and the ephemeral secret key of \(\mathsf {sid}^*\) is given to \(\mathcal {A}\).

  • Let \(E_3\) be the event that the test session \(\mathsf {sid}^*\) has no matching session \(\overline{\mathsf {sid}}^*\), the owner of \(\mathsf {sid}^*\) is the responder and the static secret key of the responder is given to \(\mathcal {A}\).

  • Let \(E_4\) be the event that the test session \(\mathsf {sid}^*\) has no matching session \(\overline{\mathsf {sid}}^*\), the owner of \(\mathsf {sid}^*\) is the responder and the ephemeral secret key of \(\mathsf {sid}^*\) is given to \(\mathcal {A}\).

  • Let \(E_5\) be the event that the test session \(\mathsf {sid}^*\) has matching session \(\overline{\mathsf {sid}}^*\), and both static secret keys of the initiator and the responder are given to \(\mathcal {A}\).

  • Let \(E_6\) be the event that the test session \(\mathsf {sid}^*\) has matching session \(\overline{\mathsf {sid}}^*\), and both ephemeral secret keys of \(\mathsf {sid}^*\hbox { and }\overline{\mathsf {sid}^*}\) are given to \(\mathcal {A}\).

  • Let \(E_7\) be the event that the test session \(\mathsf {sid}^*\) has matching session \(\overline{\mathsf {sid}}^*\), and the static secret key of the owner of \(\mathsf {sid}^*\) and the ephemeral secret key of \(\overline{\mathsf {sid}^*}\) are given to \(\mathcal {A}\).

  • Let \(E_8\) be the event that the test session \(\mathsf {sid}^*\) has matching session \(\overline{\mathsf {sid}}^*\), and the ephemeral secret key of \(\mathsf {sid}^*\) and the static secret key of the owner of \(\overline{\mathsf {sid}^*}\) are given to \(\mathcal {A}\).

To finish the proof, we investigate events \(E_{i} \wedge Suc\,(i=1,\dots ,8)\) that cover all cases of event \(Suc\).

Appendix 1.1: Event \(E_{1} \wedge Suc\)

We change the interface of oracle queries and the computation of the session key. These instances are gradually changed over seven hybrid experiments, depending on specific sub-cases. In the last hybrid experiment, the session key in the test session does not contain information of the bit \(b\). Thus, the adversary clearly only output a random guess. We denote these hybrid experiments by \(\mathbf{H}_0, \dots , \mathbf{H}_6\) and the advantage of the adversary \(\mathcal {A}\) when participating in experiment \(\mathbf{H}_i\) by \({\mathbf {Adv}}(\mathcal {A},\mathbf{H}_i)\).

Hybrid experiment \(\mathbf{H}_0\): This experiment denotes the real experiment for \({\mathrm {CK}}^+\) security and in this experiment the environment for \(\mathcal {A}\) is as defined in the protocol. Thus, \({\mathbf {Adv}}(\mathcal {A},\mathbf{H}_0)\) is the same as the advantage of the real experiment.

Hybrid experiment \(\mathbf{H}_1\): In this experiment, if session identities in two sessions are identical, the experiment halts.

When two ciphertexts from different randomness are identical and two public keys from different randomness are identical, session identities in two sessions are also identical. In the IND-CCA secure KEM, such an event occurs with negligible probability. Thus, \(|{\mathbf {Adv}}(\mathcal {A},\mathbf{H}_1) - {\mathbf {Adv}}(\mathcal {A},\mathbf{H}_0)| \le negl\).

Hybrid experiment \(\mathbf{H}_2\): In this experiment, the experiment selects a party \(U_A\) and integer \(i \in [1,\ell ]\) randomly in advance. If \(\mathcal {A}\) poses \(\mathsf {Test}\) query to a session except \(i\)-th session of \(U_A\), the experiment halts.

Since guess of the test session matches with \(\mathcal {A}\)’s choice with probability \(1/N^2\ell ,\,{\mathbf {Adv}}(\mathcal {A},\mathbf{H}_2)\,\ge 1/N^2\ell \cdot {\mathbf {Adv}}(\mathcal {A},\mathbf{H}_1) \).

Hybrid experiment \(\mathbf{H}_3\): In this experiment, the computation of \((CT^*_{A},K^*_{A})\) in the test session is changed. Instead of computing \((CT^*_{A},K^*_{A}) \leftarrow \mathsf {EnCap}_{ek_{B}}(F_{{\sigma _A}}(r_{A}) \oplus F'_{{r'_{A}}}(\sigma _A'))\), it is changed as \((CT^*_{A},K^*_{A}) \leftarrow \mathsf {EnCap}_{ek_{B}}(F_{{\sigma _A}}(r_{A}) \oplus RF(\sigma _A'))\), where we suppose that \(U_B\) is the intended partner of \(U_A\) in the test session.

We construct a distinguisher \(\mathcal {D}\) between PRF \(F^* : \{0,1\}^* \times \mathcal {FS}\rightarrow \mathcal {RS}_E\) and a random function \(RF\) from \(\mathcal {A}\) in \(\mathbf{H}_2\) or \(\mathbf{H}_3\). \(\mathcal {D}\) performs the following steps.

Setup \(\mathcal {D}\) chooses PRF \(F : \{0,1\}^* \times \mathcal {FS}\rightarrow \mathcal {RS}_E\hbox { and }G : \{0,1\}^* \times \mathcal {FS}\rightarrow \{0,1\}^\kappa \), where \(\mathcal {FS}\) is the key space of PRFs, and a KDF \(KDF : Salt \times \mathcal {KS}\rightarrow \mathcal {FS}\) with a non-secret random salt \(s \in Salt\). Also, \(\mathcal {D}\) embeds \(F^*\) into \(F'\). These are provided as a part of the public parameters. Also, \(\mathcal {D}\) sets all \(N\) users’ static secret and public keys. \(\mathcal {D}\) selects \(\sigma _P \in _R \mathcal {FS},\,\sigma _P' \in _R \{0,1\}^\kappa \hbox { and }r \in _R \mathcal {RS}_G\), and runs \((ek_{P}, dk_{P}) \leftarrow \mathsf {KeyGen}(1^\kappa , r)\). Party \(U_P\)’s SSK and SPK are \(((dk_{P}, \sigma _P, \sigma _P'),ek_{P})\). \(U_A\)’s static key \((dk_{A}, \sigma _A, \sigma _A')\) is given to \(\mathcal {A}\).

Next, \({\mathcal {D}}\) sets the ephemeral public key of \(i\)-th session of \(U_A\) (i.e., the test session) as follows: \(\mathcal {D}\) selects ephemeral secret keys \(r^*_{A} \in \{0,1\}^\kappa ,\,r_{A}'^* \in \mathcal {FS}\hbox { and }r^*_{TA} \in \mathcal {RS}_G\) randomly. Then, \(\mathcal {D}\) poses \(\sigma _A'\) to his oracle (i.e., \(F^*\) or a random function \(RF\)) and obtains \(x \in \mathcal {RS}_E\). \(\mathcal {D}\) computes \((CT^*_{A},K^*_{A}) \leftarrow \mathsf {EnCap}_{ek_{B}}(F_{{\sigma _A}}(r^*_{A}) \oplus x)\) and \((dk^*_{T},ek^*_{T}) \leftarrow \mathsf {KeyGen}(r^*_{TA})\), and sets the ephemeral public key \((CT^*_{A},ek^*_{T})\) of \(i\)-th session of \(U_A\).

Simulation \(\mathcal {D}\) maintains the list \(\mathcal {L}_{SK}\) that contains queries and answers of \(\mathsf {SessionKeyReveal}\). \(\mathcal {D}\) simulates oracle queries by \(\mathcal {A}\) as follows.

  1. 1.

    \(\mathsf {Send}(\Pi , \mathcal {I}, U_P, U_{\bar{P}})\): If \(P = A\) and the session is \(i\)-th session of \(U_A,\,\mathcal {D}\) returns the ephemeral public key \((CT^*_{A},ek^*_{T})\) computed in the setup. Otherwise, \(\mathcal {D}\) computes the ephemeral public key \((CT_{P},ek_{T})\) obeying the protocol, returns it and records \((\Pi , U_P, U_{\bar{P}}, (CT_{P},ek_{T}))\).

  2. 2.

    \(\mathsf {Send}(\Pi , \mathcal {R}, U_{\bar{P}}, U_P, (CT_{P},ek_{T}))\): \(\mathcal {D}\) computes the ephemeral public key \((CT_{\bar{P}},CT_{T})\) and the session key \(SK\) obeying the protocol, returns the ephemeral public key, and records \((\Pi , U_P, U_{\bar{P}}, (CT_{P},ek_{T}),\,(CT_{\bar{P}},CT_{T}))\) as the completed session and \(SK\) in the list \(\mathcal {L}_{SK}\).

  3. 3.

    \(\mathsf {Send}(\Pi , \mathcal {I}, U_P, U_{\bar{P}}, (CT_{P},ek_{T}), (CT_{\bar{P}},CT_{T}))\): If \((\Pi , U_P, U_{\bar{P}}, (CT_{P},ek_{T}),\,(CT_{\bar{P}}, CT_{T}))\) is not recorded, \(\mathcal {D}\) records the session \((\Pi , U_P, U_{\bar{P}}, (CT_{P},ek_{T}),\,(CT_{\bar{P}},CT_{T}))\) is not completed. Otherwise, \(\mathcal {D}\) computes the session key \(SK\) obeying the protocol, and records \((\Pi , U_P, U_{\bar{P}}, (CT_{P},ek_{T}),\,(CT_{\bar{P}},CT_{T}))\) as the completed session and \(SK\) in the list \(\mathcal {L}_{SK}\).

  4. 4.

    \(\mathsf {SessionKeyReveal}(\mathsf {sid})\):

    1. (a)

      If the session \(\mathsf {sid}\) is not completed, \(\mathcal {D}\) returns an error message.

    2. (b)

      Otherwise, \(\mathcal {D}\) returns the recorded value \(SK\).

  5. 5.

    \(\mathsf {SessionStateReveal}(\mathsf {sid})\): \(\mathcal {D}\) responds the ephemeral secret key and intermediate computation results of \(\mathsf {sid}\) as the definition. Note that the \(\mathsf {SessionStateReveal}\) query is not posed to the test session from the freshness definition.

  6. 6.

    \(\mathsf {Corrupt}(U_P)\): \(\mathcal {D}\) responds the static secret key and all unerased session states of \(U_P\) as the definition.

  7. 7.

    \(\mathsf {Test}(\mathsf {sid})\): \(\mathcal {D}\) responds to the query as the definition.

  8. 8.

    If \(\mathcal {A}\) outputs a guess \(b' = 0,\,\mathcal {D}\) outputs that the oracle is the PRF \(F^*\). Otherwise, \(\mathcal {D}\) outputs that the oracle is a random function \(RF\).

Analysis For \(\mathcal {A}\), the simulation by \(\mathcal {D}\) is same as the experiment \(\mathbf{H}_2\) if the oracle is the PRF \(F^*\). Otherwise, the simulation by \(\mathcal {D}\) is same as the experiment \(\mathbf{H}_3\). Thus, if the advantage of \(\mathcal {D}\) is negligible, then \(|{\mathbf {Adv}}(\mathcal {A},\mathbf{H}_3) - {\mathbf {Adv}}(\mathcal {A},\mathbf{H}_2)| \le negl\).

Hybrid experiment \(\mathbf{H}_4\): In this experiment, the computation of \(K^*_{A}\) in the test session is changed again. Instead of computing \((CT^*_{A},K^*_{A}) \leftarrow \mathsf {EnCap}_{ek_{B}}(F_{{\sigma _A}}(r_{A}) \oplus RF(\sigma _A'))\), it is changed as choosing \(K^*_{A} \leftarrow \mathcal {KS}\) randomly, where we suppose that \(U_B\) is the intended partner of \(U_A\) in the test session.

We construct an IND-CCA adversary \(\mathcal {S}\) from \(\mathcal {A}\) in \(\mathbf{H}_3\) or \(\mathbf{H}_4\). \(\mathcal {S}\) performs the following steps.

Init \(\mathcal {S}\) receives the public key \(ek^*\) as a challenge.

Setup \(\mathcal {S}\) chooses PRF \(F, F': \{0,1\}^* \times \mathcal {FS}\rightarrow \mathcal {RS}_E\), and \(G : \{0,1\}^* \times \mathcal {FS}\rightarrow \{0,1\}^\kappa \), where \(\mathcal {FS}\) is the key space of PRFs, and a KDF \(KDF : Salt \times \mathcal {KS}\rightarrow \mathcal {FS}\) with a non-secret random salt \(s \in Salt\). These are provided as a part of the public parameters. Also, \(\mathcal {S}\) sets all \(N\) users’ static secret and public keys except \(U_B\). \(\mathcal {S}\) selects \(\sigma _P \in _R \mathcal {FS},\,\sigma _P' \in _R \{0,1\}^\kappa \hbox { and }r \in _R \mathcal {RS}_G\), and runs \((ek_{P}, dk_{P}) \leftarrow \mathsf {KeyGen}(1^\kappa , r)\). Party \(U_P\)’s SSK and SPK are \(((dk_{P}, \sigma _P, \sigma _P'),ek_{P})\). \(U_A\)’s static key \((dk_{A}, \sigma _A, \sigma _A')\) is given to \(\mathcal {A}\).

Next, \(\mathcal {S}\) sets \(ek^*\) as the static public key of \(U_B\). Also, \(\mathcal {S}\) receives the challenge \((K^*, CT^*)\) from the challenger.

Simulation \(\mathcal {S}\) maintains the list \(\mathcal {L}_{SK}\) that contains queries and answers of \(\mathsf {SessionKeyReveal}\). \(\mathcal {S}\) simulates oracle queries by \(\mathcal {A}\) as follows.

  1. 1.

    \(\mathsf {Send}(\Pi , \mathcal {I}, U_P, U_{\bar{P}})\): If \(P = A\) and the session is \(i\)-th session of \(U_A,\,\mathcal {S}\) computes \(ek_{T}\) obeying the protocol and returns the ephemeral public key \((CT^*, ek_{T})\). Otherwise, \(\mathcal {S}\) computes the ephemeral public key \((CT_{P},ek_{T})\) obeying the protocol, returns it and records \((\Pi , U_P, U_{\bar{P}}, (CT_{P},ek_{T}))\).

  2. 2.

    \(\mathsf {Send}(\Pi , \mathcal {R}, U_{\bar{P}}, U_P, (CT_{P},ek_{T}))\): If \(\bar{P} = B\hbox { and }CT_{P} \not = CT^*,\,\mathcal {S}\) poses \(CT_{P}\) to the decryption oracle, obtains \(K_{P}\), computes the ephemeral public key \((CT_{\bar{P}},CT_{T})\) and the session key \(SK\) obeying the protocol, returns the ephemeral public key, and records \((\Pi , U_P, U_{\bar{P}}, (CT_{P},ek_{T}),\,(CT_{\bar{P}},CT_{T}))\) as the completed session and \(SK\) in the list \(\mathcal {L}_{SK}\). Else if \(\bar{P} = B\hbox { and }CT_{P} = CT^*,\,\mathcal {S}\) sets \(K_{P} = K^*\), computes the ephemeral public key \((CT_{\bar{P}},CT_{T})\) and the session key \(SK\) obeying the protocol, returns the ephemeral public key, and records \((\Pi , U_P, U_{\bar{P}}, (CT_{P},ek_{T}),\,(CT_{\bar{P}},CT_{T}))\) as the completed session and \(SK\) in the list \(\mathcal {L}_{SK}\). Otherwise, \(\mathcal {S}\) computes the ephemeral public key \((CT_{\bar{P}},CT_{T})\) and the session key \(SK\) obeying the protocol, returns the ephemeral public key, and records \((\Pi ,\,U_P,\,U_{\bar{P}},\,(CT_{P},\,ek_{T}),\,(CT_{\bar{P}},\,CT_{T}))\) as the completed session and \(SK\) in the list \(\mathcal {L}_{SK}\).

  3. 3.

    \(\mathsf {Send}(\Pi , \mathcal {I}, U_P, U_{\bar{P}}, (CT_{P},ek_{T}), (CT_{\bar{P}},CT_{T}))\): If \((\Pi , U_P, U_{\bar{P}}, (CT_{P},ek_{T}),\,(CT_{\bar{P}},CT_{T}))\) is not recorded, \(\mathcal {S}\) records the session \((\Pi , U_P, U_{\bar{P}}, (CT_{P},ek_{T}),\,(CT_{\bar{P}},CT_{T}))\) is not completed. Else if \(P = A\) and the session is \(i\)-th session of \(U_A,\,\mathcal {S}\) computes the session key \(SK\) obeying the protocol except that \(K^*_{A} = K^*\), and records \((\Pi , U_P, U_{\bar{P}}, (CT_{P},ek_{T}),\,(CT_{\bar{P}},CT_{T}))\) as the completed session and \(SK\) in the list \(\mathcal {L}_{SK}\). Otherwise, \(\mathcal {S}\) computes the session key \(SK\) obeying the protocol, and records \((\Pi , U_P, U_{\bar{P}}, (CT_{P},ek_{T}),\,(CT_{\bar{P}},CT_{T}))\) as the completed session and \(SK\) in the list \(\mathcal {L}_{SK}\).

  4. 4.

    \(\mathsf {SessionKeyReveal}(\mathsf {sid})\):

    1. (a)

      If the session \(\mathsf {sid}\) is not completed, \(\mathcal {S}\) returns an error message.

    2. (b)

      Otherwise, \(\mathcal {S}\) returns the recorded value \(SK\).

  5. 5.

    \(\mathsf {SessionStateReveal}(\mathsf {sid})\): \(\mathcal {S}\) responds the ephemeral secret key and intermediate computation results of \(\mathsf {sid}\) as the definition. If the owner of \(\mathsf {sid}\) is \(U_B,\,\mathcal {S}\) poses ciphertexts received by \(U_B\) to the decryption oracle and can simulate all intermediate computation results. Note that the \(\mathsf {SessionStateReveal}\) query is not posed to the test session from the freshness definition.

  6. 6.

    \(\mathsf {Corrupt}(U_P)\): \(\mathcal {S}\) responds the static secret key and all unerased session states of \(U_P\) as the definition.

  7. 7.

    \(\mathsf {Test}(\mathsf {sid})\): \(\mathcal {S}\) responds to the query as the definition.

  8. 8.

    If \(\mathcal {A}\) outputs a guess \(b',\,\mathcal {S}\) outputs \(b'\).

Analysis For \(\mathcal {A}\), the simulation by \(\mathcal {S}\) is same as the experiment \(\mathbf{H}_3\) if the challenge is \((K^*_1, CT^*_0)\). Otherwise, the simulation by \(\mathcal {S}\) is same as the experiment \(\mathbf{H}_4\). Also, both \(K^*_{A}\) in two experiments have \(\kappa \)-min-entropy because \((\mathsf {KeyGen}, \mathsf {EnCap}, \mathsf {DeCap})\) is \(\kappa \)-min-entropy KEM. Thus, if the advantage of \(\mathcal {S}\) is negligible, then \(|{\mathbf {Adv}}(\mathcal {A},\mathbf{H}_4) - {\mathbf {Adv}}(\mathcal {A},\mathbf{H}_3)| \le negl\).

Hybrid experiment \(\mathbf{H}_5\): In this experiment, the computation of \(K'^*_{1}\) in the test session is changed. Instead of computing \(K'^*_{1} \leftarrow KDF(s, K^*_{A})\), it is changed as choosing \(K'^*_{1} \in \mathcal {FS}\) randomly.

Since \(K^*_{A}\) is randomly chosen in \(\mathbf{H}_4\), it has sufficient min-entropy. Thus, by the definition of the KDF, \(|{\mathbf {Adv}}(\mathcal {A},\mathbf{H}_5) - {\mathbf {Adv}}(\mathcal {A},\mathbf{H}_4)| \le negl\).

Hybrid experiment \(\mathbf{H}_6\): In this experiment, the computation of \(SK\) in the test session is changed. Instead of computing \(SK = G_{{K'_{1}}}(\mathsf {ST})\,\oplus \,G_{{K'_{2}}}(\mathsf {ST})\,\oplus \,G_{{K'_{3}}}(\mathsf {ST})\), it is changed as \(SK = x\,\oplus \,G_{{K'_{2}}}(\mathsf {ST})\,\oplus \,G_{{K'_{3}}}(\mathsf {ST})\) where \(x \in \{0,1\}^\kappa \) is chosen randomly and we suppose that \(U_B\) is the intended partner of \(U_A\) in the test session.

We construct a distinguisher \(\mathcal {D'}\) between PRF \(F^* : \{0,1\}^* \times \mathcal {FS}\rightarrow \{0,1\}^\kappa \) and a random function \(RF\) from \(\mathcal {A}\) in \(\mathbf{H}_5\) or \(\mathbf{H}_6\). \(\mathcal {D'}\) performs the following steps.

Setup \(\mathcal {D'}\) chooses PRF \(F: \{0,1\}^* \times \mathcal {FS}\rightarrow \mathcal {RS}_E,\,F' : \{0,1\}^* \times \mathcal {FS}\rightarrow \mathcal {RS}_E\), sets \(G = F^*\), where \(\mathcal {FS}\) is the key space of PRFs, and a KDF \(KDF : Salt \times \mathcal {KS}\rightarrow \mathcal {FS}\) with a non-secret random salt \(s \in Salt\). These are provided as a part of the public parameters. Also, \(\mathcal {D'}\) sets all \(N\) users’ static secret and public keys. \(\mathcal {D'}\) selects \(\sigma _P \in _R \mathcal {FS},\,\sigma _P' \in _R \{0,1\}^\kappa \hbox { and }r \in _R \mathcal {RS}_G\), and runs \((ek_{P}, dk_{P}) \leftarrow \mathsf {KeyGen}(1^\kappa , r)\). Party \(U_P\)’s SSK and SPK are \(((dk_{P}, \sigma _P, \sigma _P'),ek_{P})\). \(U_A\)’s static key \((dk_{A}, \sigma _A, \sigma _A')\) is given to \(\mathcal {A}\).

Simulation \(\mathcal {D'}\) maintains the list \(\mathcal {L}_{SK}\) that contains queries and answers of \(\mathsf {SessionKeyReveal}\). \(\mathcal {D'}\) simulates oracle queries by \(\mathcal {A}\) as follows.

  1. 1.

    \(\mathsf {Send}(\Pi , \mathcal {I}, U_P, U_{\bar{P}})\): \(\mathcal {D'}\) computes the ephemeral public key \((CT_{P},ek_{T})\) obeying the protocol, returns it and records \((\Pi , U_P, U_{\bar{P}}, (CT_{P},ek_{T}))\).

  2. 2.

    \(\mathsf {Send}(\Pi , \mathcal {R}, U_{\bar{P}}, U_P, (CT_{P},ek_{T}))\): \(\mathcal {D'}\) computes the ephemeral public key \((CT_{\bar{P}},CT_{T})\) and the session key \(SK\) obeying the protocol, returns the ephemeral public key, and records \((\Pi ,\,U_P,\,U_{\bar{P}},\,(CT_{P},\,ek_{T}),\,(CT_{\bar{P}},\,CT_{T}))\) as the completed session and \(SK\) in the list \(\mathcal {L}_{SK}\).

  3. 3.

    \(\mathsf {Send}(\Pi , \mathcal {I}, U_P, U_{\bar{P}}, (CT_{P},ek_{T}), (CT_{\bar{P}},CT_{T}))\): If \((\Pi , U_P, U_{\bar{P}}, (CT_{P},ek_{T}),\,(CT_{\bar{P}},CT_{T}))\) is not recorded, \(\mathcal {D'}\) records the session \((\Pi , U_P, U_{\bar{P}}, (CT_{P},ek_{T}),\,(CT_{\bar{P}},CT_{T}))\) is not completed. Else if \(P = A\) and the session is \(i\)-th session of \(U_A,\,\mathcal {D'}\) poses \(\mathsf {ST}\) to his oracle (i.e., \(F^*\) or a random function \(RF\)), obtains \(x \in \{0,1\}^\kappa \), computes the session key \(SK = x\,\oplus \,G_{{K'_{2}}}(\mathsf {ST})\,\oplus \,G_{{K'_{3}}}(\mathsf {ST})\), and records \((\Pi , U_P, U_{\bar{P}}, (CT_{P},ek_{T}),\,(CT_{\bar{P}},CT_{T}))\) as the completed session and \(SK\) in the list \(\mathcal {L}_{SK}\). Otherwise, \(\mathcal {D'}\) computes the session key \(SK\) obeying the protocol, and records \((\Pi , U_P, U_{\bar{P}}, (CT_{P},ek_{T}),\,(CT_{\bar{P}},CT_{T}))\) as the completed session and \(SK\) in the list \(\mathcal {L}_{SK}\).

  4. 4.

    \(\mathsf {SessionKeyReveal}(\mathsf {sid})\):

    1. (a)

      If the session \(\mathsf {sid}\) is not completed, \(\mathcal {D'}\) returns an error message.

    2. (b)

      Otherwise, \(\mathcal {D'}\) returns the recorded value \(SK\).

  5. 5.

    \(\mathsf {SessionStateReveal}(\mathsf {sid})\): \(\mathcal {D'}\) responds the ephemeral secret key and intermediate computation results of \(\mathsf {sid}\) as the definition. Note that the \(\mathsf {SessionStateReveal}\) query is not posed to the test session from the freshness definition.

  6. 6.

    \(\mathsf {Corrupt}(U_P)\): \(\mathcal {D'}\) responds the static secret key and all unerased session states of \(U_P\) as the definition.

  7. 7.

    \(\mathsf {Test}(\mathsf {sid})\): \(\mathcal {D'}\) responds to the query as the definition.

  8. 8.

    If \(\mathcal {A}\) outputs a guess \(b' = 0,\,\mathcal {D'}\) outputs that the oracle is the PRF \(F^*\). Otherwise, \(\mathcal {D'}\) outputs that the oracle is a random function \(RF\).

Analysis For \(\mathcal {A}\), the simulation by \(\mathcal {D'}\) is same as the experiment \(\mathbf{H}_5\) if the oracle is the PRF \(F^*\). Otherwise, the simulation by \(\mathcal {D'}\) is same as the experiment \(\mathbf{H}_6\). Thus, if the advantage of \(\mathcal {D'}\) is negligible, then \(|{\mathbf {Adv}}(\mathcal {A},\mathbf{H}_6) - {\mathbf {Adv}}(\mathcal {A},\mathbf{H}_5)| \le negl\).

In \(\mathbf{H}_6\), the session key in the test session is perfectly randomized. Thus, \(\mathcal {A}\) cannot obtain any advantage from \(\mathsf {Test}\) query.

Therefore, \({\mathbf {Adv}}(\mathcal {A},\mathbf{H}_6) = 0\hbox { and }\Pr [E_{1} \wedge Suc]\) is negligible.

Appendix 1.2: Event \(E_{2} \wedge Suc\)

The proof in this case is essentially same as the event \(E_{1} \wedge Suc\). There is a difference in the experiment \(\mathbf{H}_3\). In the event \(E_{1} \wedge Suc\), instead of computing \((CT^*_{A},K^*_{A}) \leftarrow \mathsf {EnCap}_{ek_{B}}(F_{{\sigma _A}}(r_{A}) \oplus F'_{{r'_{A}}}(\sigma _A'))\), it is changed as \((CT^*_{A},K^*_{A}) \leftarrow \mathsf {EnCap}_{ek_{B}}(F_{{\sigma _A}}(r_{A}) \oplus RF(\sigma _A'))\), where we suppose that \(U_B\) is the intended partner of \(U_A\) in the test session. In the event \(E_{2} \wedge Suc\), it is changed as \((CT^*_{A},K^*_{A}) \leftarrow \mathsf {EnCap}_{ek_{B}}(RF(r_{A}) \oplus F'_{{r'_{A}}}(\sigma _A'))\). Since \(\mathcal {A}\) cannot obtain \(\sigma _A\) by the freshness definition in this event, we can construct a distinguisher \(\mathcal {D}\) from \(\mathcal {A}\) in the similar manner in the proof of the event \(E_{1} \wedge Suc\).

Appendix 1.3: Event \(E_{3} \wedge Suc\)

The proof in this case is essentially same as the event \(E_{1} \wedge Suc\). There is differences in experiments \(\mathbf{H}_3\hbox { and }\mathbf{H}_4\). In \(\mathbf{H}_3\) of the event \(E_{1} \wedge Suc\), instead of computing \((CT^*_{A},K^*_{A}) \leftarrow \mathsf {EnCap}_{ek_{B}}(F_{{\sigma _A}}(r_{A}) \oplus F'_{{r'_{A}}}(\sigma _A'))\), it is changed as \((CT^*_{A},K^*_{A}) \leftarrow \mathsf {EnCap}_{ek_{B}}(F_{{\sigma _A}}(r_{A}) \oplus RF(\sigma _A'))\), where we suppose that \(U_B\) is the intended partner of \(U_A\) in the test session. In \(\mathbf{H}_3\) of the event \(E_{3} \wedge Suc\), instead of computing \((CT^*_{B},K^*_{B}) \leftarrow \mathsf {EnCap}_{ek_{A}}(F_{{\sigma _B}}(r_{B}) \oplus F'_{{r'_{B}}}(\sigma _B'))\), it is changed as \((CT^*_{B},K^*_{B}) \leftarrow \mathsf {EnCap}_{ek_{A}}(F_{{\sigma _B}}(r_{B}) \oplus RF(\sigma _B'))\). In \(\mathbf{H}_4\) of the event \(E_{1} \wedge Suc\), instead of computing \((CT^*_{A},K^*_{A}) \leftarrow \mathsf {EnCap}_{ek_{B}}(F_{{\sigma _A}}(r_{A}) \oplus RF(\sigma _A'))\), it is changed as choosing \(K^*_{A} \leftarrow \mathcal {KS}\) randomly. In \(\mathbf{H}_4\) of the event \(E_{3} \wedge Suc\), instead of computing \((CT^*_{B},K^*_{B}) \leftarrow \mathsf {EnCap}_{ek_{A}}(F_{{\sigma _B}}(r_{B}) \oplus RF(\sigma _B'))\), it is changed as choosing \(K^*_{B} \leftarrow \mathcal {KS}\) randomly. Since \(\mathcal {A}\) cannot obtain \(\sigma _B\) by the freshness definition in this event, we can construct a distinguisher \(\mathcal {D}\) from \(\mathcal {A}\) in the similar manner in the proof of the event \(E_{1} \wedge Suc\).

Appendix 1.4: Event \(E_{4} \wedge Suc\)

The proof in this case is essentially same as the event \(E_{2} \wedge Suc\). There is differences in experiments \(\mathbf{H}_3\hbox { and }\mathbf{H}_4\). In \(\mathbf{H}_3\) of the event \(E_{2} \wedge Suc\), instead of computing \((CT^*_{A},K^*_{A}) \leftarrow \mathsf {EnCap}_{ek_{B}}(F_{{\sigma _A}}(r_{A}) \oplus F'_{{r'_{A}}}(\sigma _A'))\), it is changed as \((CT^*_{A},K^*_{A}) \leftarrow \mathsf {EnCap}_{ek_{B}}(RF(r_{A}) \oplus F'_{{r'_{A}}}(\sigma _A'))\), where we suppose that \(U_B\) is the intended partner of \(U_A\) in the test session. In \(\mathbf{H}_3\) of the event \(E_{3} \wedge Suc\), instead of computing \((CT^*_{B},K^*_{B}) \leftarrow \mathsf {EnCap}_{ek_{A}}(F_{{\sigma _B}}(r_{B}) \oplus F'_{{r'_{B}}}(\sigma _B'))\), it is changed as \((CT^*_{B},K^*_{B}) \leftarrow \mathsf {EnCap}_{ek_{A}}(RF(r_{B}) \oplus F'_{{r'_{B}}}(\sigma _B'))\). In \(\mathbf{H}_4\) of the event \(E_{2} \wedge Suc\), instead of computing \((CT^*_{A},K^*_{A}) \leftarrow \mathsf {EnCap}_{ek_{B}}(RF(r_{A}) \oplus F'_{{r'_{A}}}(\sigma _A'))\), it is changed as choosing \(K^*_{A} \leftarrow \mathcal {KS}\) randomly. In \(\mathbf{H}_4\) of the event \(E_{3} \wedge Suc\), instead of computing \((CT^*_{B},K^*_{B}) \leftarrow \mathsf {EnCap}_{ek_{A}}(RF(r_{B}) \oplus F'_{{r'_{B}}}(\sigma _B'))\), it is changed as choosing \(K^*_{B} \leftarrow \mathcal {KS}\) randomly. Since \(\mathcal {A}\) cannot obtain \(\sigma _B\) by the freshness definition in this event, we can construct a distinguisher \(\mathcal {D}\) from \(\mathcal {A}\) in the similar manner in the proof of the event \(E_{1} \wedge Suc\).

Appendix 1.5: Event \(E_{5} \wedge Suc\)

We change the interface of oracle queries and the computation of the session key. These instances are gradually changed over six hybrid experiments, depending on specific sub-cases. In the last hybrid experiment, the session key in the test session does not contain information of the bit \(b\). Thus, the adversary clearly only output a random guess. We denote these hybrid experiments by \(\mathbf{H}_0, \dots , \mathbf{H}_5\) and the advantage of the adversary \(\mathcal {A}\) when participating in experiment \(\mathbf{H}_i\) by \({\mathbf {Adv}}(\mathcal {A},\mathbf{H}_i)\).

Hybrid experiment \(\mathbf{H}_0\): This experiment denotes the real experiment for \({\mathrm {CK}}^+\) security and in this experiment the environment for \(\mathcal {A}\) is as defined in the protocol. Thus, \({\mathbf {Adv}}(\mathcal {A},\mathbf{H}_0)\) is the same as the advantage of the real experiment.

Hybrid experiment \(\mathbf{H}_1\): In this experiment, if session identities in two sessions are identical, the experiment halts.

By the same as the event \(E_{1} \wedge Suc,\,|{\mathbf {Adv}}(\mathcal {A},\mathbf{H}_1) - {\mathbf {Adv}}(\mathcal {A},\mathbf{H}_0)| \le negl\).

Hybrid experiment \(\mathbf{H}_2\): In this experiment, the experiment selects a party \(U_A\) and integer \(i \in [1,\ell ]\) randomly in advance. If \(\mathcal {A}\) poses \(\mathsf {Test}\) query to a session except \(i\)-th session of \(U_A\), the experiment halts.

By the same as the event \(E_{1} \wedge Suc,\,{\mathbf {Adv}}(\mathcal {A},\mathbf{H}_2) \ge 1/N^2\ell \cdot {\mathbf {Adv}}(\mathcal {A},\mathbf{H}_1) \).

Hybrid experiment \(\mathbf{H}_3\): In this experiment, the computation of \(K^*_{T}\) in the test session is changed. Instead of computing \((CT^*_{T},K^*_{T}) \leftarrow \mathsf {wEnCap}_{ek_{T}}(r_{TB})\), it is changed as choosing \(K^*_{T} \leftarrow \mathcal {KS}\) randomly, where we suppose that \(U_B\) is the intended partner of \(U_A\) in the test session.

We construct an IND-CPA adversary \(\mathcal {S}\) from \(\mathcal {A}\) in \(\mathbf{H}_2\) or \(\mathbf{H}_3\). \(\mathcal {S}\) performs the following steps.

Init \(\mathcal {S}\) receives the public key \(ek^*\) as a challenge.

Setup \(\mathcal {S}\) chooses PRF \(F, F': \{0,1\}^* \times \mathcal {FS}\rightarrow \mathcal {RS}_E\), and \(G : \{0,1\}^* \times \mathcal {FS}\rightarrow \{0,1\}^\kappa \), where \(\mathcal {FS}\) is the key space of PRFs, and a KDF \(KDF : Salt \times \mathcal {KS}\rightarrow \mathcal {FS}\) with a non-secret random salt \(s \in Salt\). These are provided as a part of the public parameters. Also, \(\mathcal {S}\) sets all \(N\) users’ static secret and public keys. \(\mathcal {S}\) selects \(\sigma _P \in _R \mathcal {FS},\,\sigma _P' \in _R \{0,1\}^\kappa \hbox { and }r \in _R \mathcal {RS}_G\), and runs \((ek_{P}, dk_{P}) \leftarrow \mathsf {KeyGen}(1^\kappa , r)\). Party \(U_P\)’s SSK and SPK are \(((dk_{P}, \sigma _P, \sigma _P'),ek_{P})\). \(U_A\)’s static key \((dk_{A}, \sigma _A, \sigma _A')\hbox { and }U_B\)’s static key \((dk_{B}, \sigma _B, \sigma _B')\) are given to \(\mathcal {A}\).

Next, \(\mathcal {S}\) receives the challenge \((K^*, CT^*)\) from the challenger.

Simulation \(\mathcal {S}\) maintains the list \(\mathcal {L}_{SK}\) that contains queries and answers of \(\mathsf {SessionKeyReveal}\). \(\mathcal {S}\) simulates oracle queries by \(\mathcal {A}\) as follows.

  1. 1.

    \(\mathsf {Send}(\Pi , \mathcal {I}, U_P, U_{\bar{P}})\): If \(P = A\) and the session is \(i\)-th session of \(U_A,\,\mathcal {S}\) computes \(CT_{A}\) obeying the protocol and returns the ephemeral public key \((CT_{A}, ek^*)\). Otherwise, \(\mathcal {S}\) computes the ephemeral public key \((CT_{P},ek_{T})\) obeying the protocol, returns it and records \((\Pi , U_P, U_{\bar{P}}, (CT_{P},ek_{T}))\).

  2. 2.

    \(\mathsf {Send}(\Pi , \mathcal {R}, U_{\bar{P}}, U_P, (CT_{P},ek_{T}))\): If \(\bar{P} = B,\,\mathcal {S}\) computes \(CT_{\bar{P}}\) and the session key \(SK\) obeying the protocol except that \(K_{T} = K^*\), returns the ephemeral public key \((CT_{\bar{P}},CT^*)\), and records \((\Pi , U_P, U_{\bar{P}}, (CT_{P},ek_{T}),\,(CT_{\bar{P}},CT_{T}))\) as the completed session and \(SK\) in the list \(\mathcal {L}_{SK}\). Otherwise, \(\mathcal {S}\) computes the ephemeral public key \((CT_{\bar{P}},CT_{T})\) and the session key \(SK\) obeying the protocol, returns the ephemeral public key, and records \((\Pi , U_P, U_{\bar{P}}, (CT_{P},ek_{T}),\,(CT_{\bar{P}},CT_{T}))\) as the completed session and \(SK\) in the list \(\mathcal {L}_{SK}\).

  3. 3.

    \(\mathsf {Send}(\Pi , \mathcal {I}, U_P, U_{\bar{P}}, (CT_{P},ek_{T}), (CT_{\bar{P}},CT_{T}))\): If \((\Pi , U_P, U_{\bar{P}}, (CT_{P},ek_{T}),\,(CT_{\bar{P}},CT_{T}))\) is not recorded, \(\mathcal {S}\) records the session \((\Pi , U_P, U_{\bar{P}}, (CT_{P},ek_{T}),\,(CT_{\bar{P}},CT_{T}))\) is not completed. Else if \(P = A\) and the session is \(i\)-th session of \(U_A,\,\mathcal {S}\) computes the session key \(SK\) obeying the protocol except that \(K^*_{T} = K^*\), and records \((\Pi , U_P, U_{\bar{P}}, (CT_{P},ek_{T}),\,(CT_{\bar{P}},CT_{T}))\) as the completed session and \(SK\) in the list \(\mathcal {L}_{SK}\). Otherwise, \(\mathcal {S}\) computes the session key \(SK\) obeying the protocol, and records \((\Pi , U_P, U_{\bar{P}}, (CT_{P},ek_{T}),\,(CT_{\bar{P}},CT_{T}))\) as the completed session and \(SK\) in the list \(\mathcal {L}_{SK}\).

  4. 4.

    \(\mathsf {SessionKeyReveal}(\mathsf {sid})\):

    1. (a)

      If the session \(\mathsf {sid}\) is not completed, \(\mathcal {S}\) returns an error message.

    2. (b)

      Otherwise, \(\mathcal {S}\) returns the recorded value \(SK\).

  5. 5.

    \(\mathsf {SessionStateReveal}(\mathsf {sid})\): \(\mathcal {S}\) responds the ephemeral secret key and intermediate computation results of \(\mathsf {sid}\) as the definition. Note that the \(\mathsf {SessionStateReveal}\) query is not posed to the test session from the freshness definition.

  6. 6.

    \(\mathsf {Corrupt}(U_P)\): \(\mathcal {S}\) responds the static secret key and all unerased session states of \(U_P\) as the definition.

  7. 7.

    \(\mathsf {Test}(\mathsf {sid})\): \(\mathcal {S}\) responds to the query as the definition.

  8. 8.

    If \(\mathcal {A}\) outputs a guess \(b',\,\mathcal {S}\) outputs \(b'\).

Analysis For \(\mathcal {A}\), the simulation by \(\mathcal {S}\) is same as the experiment \(\mathbf{H}_2\) if the challenge is \((K^*_1, CT^*_0)\). Otherwise, the simulation by \(\mathcal {S}\) is same as the experiment \(\mathbf{H}_3\). Also, both \(K^*_{T}\) in two experiments have \(\kappa \)-min-entropy because \((\mathsf {wKeyGen}, \mathsf {wEnCap}, \mathsf {wDeCap})\) is \(\kappa \)-min-entropy KEM. Thus, if the advantage of \(\mathcal {S}\) is negligible, then \(|{\mathbf {Adv}}(\mathcal {A},\mathbf{H}_3) - {\mathbf {Adv}}(\mathcal {A},\mathbf{H}_2)| \le negl\).

Hybrid experiment \(\mathbf{H}_4\): In this experiment, the computation of \(K'^*_{3}\) in the test session is changed. Instead of computing \(K'^*_{3} \leftarrow KDF(s, K^*_{T})\), it is changed as choosing \(K'^*_{3} \in \mathcal {FS}\) randomly.

Since \(K^*_{T}\) is randomly chosen in \(\mathbf{H}_3\), it has sufficient min-entropy. Thus, by the definition of the KDF, \(|{\mathbf {Adv}}(\mathcal {A},\mathbf{H}_4) - {\mathbf {Adv}}(\mathcal {A},\mathbf{H}_3)| \le negl\).

Hybrid experiment \(\mathbf{H}_5\): In this experiment, the computation of \(SK\) in the test session is changed. Instead of computing \(SK = G_{{K'_{1}}}(\mathsf {ST})\,\oplus \,G_{{K'_{2}}}(\mathsf {ST})\,\oplus \,G_{{K'_{3}}}(\mathsf {ST})\), it is changed as \(SK = G_{{K'_{1}}}(\mathsf {ST})\,\oplus \,G_{{K'_{2}}}(\mathsf {ST})\,\oplus \,x\) where \(x \in \{0,1\}^\kappa \) is chosen randomly and we suppose that \(U_B\) is the intended partner of \(U_A\) in the test session.

We construct a distinguisher \(\mathcal {D'}\) between PRF \(F^* : \{0,1\}^* \times \mathcal {FS}\rightarrow \{0,1\}^\kappa \) and a random function \(RF\) from \(\mathcal {A}\) in \(\mathbf{H}_4\) or \(\mathbf{H}_5\). \(\mathcal {D'}\) performs the following steps.

Setup \(\mathcal {D'}\) chooses PRF \(F,F': \{0,1\}^* \times \mathcal {FS}\rightarrow \mathcal {RS}_E\), and sets \(G = F^*\), where \(\mathcal {FS}\) is the key space of PRFs, and a KDF \(KDF : Salt \times \mathcal {KS}\rightarrow \mathcal {FS}\) with a non-secret random salt \(s \in Salt\). These are provided as a part of the public parameters. Also, \(\mathcal {D'}\) sets all \(N\) users’ static secret and public keys. \(\mathcal {D'}\) selects \(\sigma _P \in _R \mathcal {FS},\,\sigma _P' \in _R \{0,1\}^\kappa \hbox { and }r \in _R \mathcal {RS}_G\), and runs \((ek_{P}, dk_{P}) \leftarrow \mathsf {KeyGen}(1^\kappa , r)\). Party \(U_P\)’s SSK and SPK are \(((dk_{P}, \sigma _P, \sigma _P'),ek_{P})\). \(U_A\)’s static key \((dk_{A}, \sigma _A, \sigma _A')\hbox { and }U_B\)’s static key \((dk_{B}, \sigma _B, \sigma _B')\) are given to \(\mathcal {A}\).

Simulation \(\mathcal {D'}\) maintains the list \(\mathcal {L}_{SK}\) that contains queries and answers of \(\mathsf {SessionKeyReveal}\). \(\mathcal {D'}\) simulates oracle queries by \(\mathcal {A}\) as follows.

  1. 1.

    \(\mathsf {Send}(\Pi , \mathcal {I}, U_P, U_{\bar{P}})\): \(\mathcal {D'}\) computes the ephemeral public key \((CT_{P},ek_{T})\) obeying the protocol, returns it and records \((\Pi , U_P, U_{\bar{P}}, (CT_{P},ek_{T}))\).

  2. 2.

    \(\mathsf {Send}(\Pi , \mathcal {R}, U_{\bar{P}}, U_P, (CT_{P},ek_{T}))\): If \(P = A\) and the session is partnered with \(i\)-th session of \(U_A,\,\mathcal {D'}\) poses \(\mathsf {ST}\) to his oracle (i.e., \(F^*\) or a random function \(RF\)), obtains \(x \in \{0,1\}^\kappa \), computes the session key \(SK = G_{{K'_{1}}}(\mathsf {ST})\,\oplus \,G_{{K'_{2}}}(\mathsf {ST})\,\oplus \,x\), and records \((\Pi , U_P, U_{\bar{P}}, (CT_{P},ek_{T}),\,(CT_{\bar{P}},CT_{T}))\) as the completed session and \(SK\) in the list \(\mathcal {L}_{SK}\). Otherwise, \(\mathcal {D'}\) computes the ephemeral public key \((CT_{\bar{P}},CT_{T})\) and the session key \(SK\) obeying the protocol, returns the ephemeral public key, and records \((\Pi , U_P, U_{\bar{P}}, (CT_{P},ek_{T}),\,(CT_{\bar{P}},CT_{T}))\) as the completed session and \(SK\) in the list \(\mathcal {L}_{SK}\).

  3. 3.

    \(\mathsf {Send}(\Pi , \mathcal {I}, U_P, U_{\bar{P}}, (CT_{P},ek_{T}), (CT_{\bar{P}},CT_{T}))\): If \((\Pi , U_P, U_{\bar{P}}, (CT_{P},ek_{T}),\,(CT_{\bar{P}},CT_{T}))\) is not recorded, \(\mathcal {D'}\) records the session \((\Pi , U_P, U_{\bar{P}}, (CT_{P},ek_{T}),\,(CT_{\bar{P}},CT_{T}))\) is not completed. Else if \(P = A\) and the session is \(i\)-th session of \(U_A,\,\mathcal {D'}\) poses \(\mathsf {ST}\) to his oracle (i.e., \(F^*\) or a random function \(RF\)), obtains \(x \in \{0,1\}^\kappa \), computes the session key \(SK = G_{{K'_{1}}}(\mathsf {ST})\,\oplus \,G_{{K'_{2}}}(\mathsf {ST})\,\oplus \,x\), and records \((\Pi , U_P, U_{\bar{P}}, (CT_{P},ek_{T}),\,(CT_{\bar{P}},CT_{T}))\) as the completed session and \(SK\) in the list \(\mathcal {L}_{SK}\). Otherwise, \(\mathcal {D'}\) computes the session key \(SK\) obeying the protocol, and records \((\Pi , U_P, U_{\bar{P}}, (CT_{P},ek_{T}),\,(CT_{\bar{P}},CT_{T}))\) as the completed session and \(SK\) in the list \(\mathcal {L}_{SK}\).

  4. 4.

    \(\mathsf {SessionKeyReveal}(\mathsf {sid})\):

    1. (a)

      If the session \(\mathsf {sid}\) is not completed, \(\mathcal {D'}\) returns an error message.

    2. (b)

      Otherwise, \(\mathcal {D'}\) returns the recorded value \(SK\).

  5. 5.

    \(\mathsf {SessionStateReveal}(\mathsf {sid})\): \(\mathcal {D'}\) responds the ephemeral secret key and intermediate computation results of \(\mathsf {sid}\) as the definition. Note that the \(\mathsf {SessionStateReveal}\) query is not posed to the test session from the freshness definition.

  6. 6.

    \(\mathsf {Corrupt}(U_P)\): \(\mathcal {D'}\) responds the static secret key and all unerased session states of \(U_P\) as the definition.

  7. 7.

    \(\mathsf {Test}(\mathsf {sid})\): \(\mathcal {D'}\) responds to the query as the definition.

  8. 8.

    If \(\mathcal {A}\) outputs a guess \(b' = 0,\,\mathcal {D'}\) outputs that the oracle is the PRF \(F^*\). Otherwise, \(\mathcal {D'}\) outputs that the oracle is a random function \(RF\).

Analysis For \(\mathcal {A}\), the simulation by \(\mathcal {D'}\) is same as the experiment \(\mathbf{H}_4\) if the oracle is the PRF \(F^*\). Otherwise, the simulation by \(\mathcal {D'}\) is same as the experiment \(\mathbf{H}_5\). Thus, if the advantage of \(\mathcal {D'}\) is negligible, then \(|{\mathbf {Adv}}(\mathcal {A},\mathbf{H}_5) - {\mathbf {Adv}}(\mathcal {A},\mathbf{H}_4)| \le negl\).

In \(\mathbf{H}_5\), the session key in the test session is perfectly randomized. Thus, \(\mathcal {A}\) cannot obtain any advantage from \(\mathsf {Test}\) query.

Therefore, \({\mathbf {Adv}}(\mathcal {A},\mathbf{H}_5) = 0\hbox { and }\Pr [E_{5} \wedge Suc]\) is negligible.

Appendix 1.6: Event \(E_{6} \wedge Suc\)

The proof in this case is essentially same as the event \(E_{2} \wedge Suc\). The situation that the ephemeral secret key of \(\overline{\mathsf {sid}}^*\) is given to \(\mathcal {A}\) is the same as \(\mathsf {sid}\) has no matching session because \(\mathcal {A}\) can decide arbitrary ephemeral key. Thus, the proof in this event follows that in the event \(E_{2} \wedge Suc\).

Appendix 1.7: Event \(E_{7} \wedge Suc\)

The proof in this case is essentially same as the event \(E_{1} \wedge Suc\). The situation that the ephemeral secret key of \(\overline{\mathsf {sid}}^*\) is given to \(\mathcal {A}\) is the same as \(\mathsf {sid}\) has no matching session because \(\mathcal {A}\) can decide arbitrary ephemeral key. Thus, the proof in this event follows that in the event \(E_{1} \wedge Suc\).

Appendix 1.8: Event \(E_{8} \wedge Suc\)

The proof in this case is essentially same as the event \(E_{4} \wedge Suc\). The situation that the ephemeral secret key of \(\overline{\mathsf {sid}}^*\) is given to \(\mathcal {A}\) is the same as \(\overline{\mathsf {sid}}^*\) has no matching session because \(\mathcal {A}\) can decide arbitrary ephemeral key. Thus, the proof in this event follows that in the event \(E_{4} \wedge Suc\).

Appendix 2: Proof of Theorem 2

In the experiment of \({\hbox {id-CK}^+}\) security, we suppose that \(\mathsf {sid}^*\) is the session identity for the test session, and that there are \(N\) users and at most \(\ell \) sessions are activated. Let \(\kappa \) be the security parameter, and let \(\mathcal {A}\) be a PPT (in \(\kappa \)) bounded adversary. \(Suc\) denotes the event that \(\mathcal {A}\) wins. We consider the following events that cover all cases of the behavior of \(\mathcal {A}\).

  • Let \(E_1\) be the event that the test session \(\mathsf {sid}^*\) has no matching session \(\overline{\mathsf {sid}}^*\), the owner of \(\mathsf {sid}^*\) is the initiator and the static secret key of the initiator is given to \(\mathcal {A}\).

  • Let \(E_2\) be the event that the test session \(\mathsf {sid}^*\) has no matching session \(\overline{\mathsf {sid}}^*\), the owner of \(\mathsf {sid}^*\) is the initiator and the ephemeral secret key of \(\mathsf {sid}^*\) is given to \(\mathcal {A}\).

  • Let \(E_3\) be the event that the test session \(\mathsf {sid}^*\) has no matching session \(\overline{\mathsf {sid}}^*\), the owner of \(\mathsf {sid}^*\) is the responder and the static secret key of the responder is given to \(\mathcal {A}\).

  • Let \(E_4\) be the event that the test session \(\mathsf {sid}^*\) has no matching session \(\overline{\mathsf {sid}}^*\), the owner of \(\mathsf {sid}^*\) is the responder and the ephemeral secret key of \(\mathsf {sid}^*\) is given to \(\mathcal {A}\).

  • Let \(E_5\) be the event that the test session \(\mathsf {sid}^*\) has matching session \(\overline{\mathsf {sid}}^*\), and both static secret keys of the initiator and the responder are given to \(\mathcal {A}\).

  • Let \(E_6\) be the event that the test session \(\mathsf {sid}^*\) has matching session \(\overline{\mathsf {sid}}^*\), and both ephemeral secret keys of \(\mathsf {sid}^*\hbox { and }\overline{\mathsf {sid}^*}\) are given to \(\mathcal {A}\).

  • Let \(E_7\) be the event that the test session \(\mathsf {sid}^*\) has matching session \(\overline{\mathsf {sid}}^*\), and the static secret key of the owner of \(\mathsf {sid}^*\) and the ephemeral secret key of \(\overline{\mathsf {sid}^*}\) are given to \(\mathcal {A}\).

  • Let \(E_8\) be the event that the test session \(\mathsf {sid}^*\) has matching session \(\overline{\mathsf {sid}}^*\), and the ephemeral secret key of \(\mathsf {sid}^*\) and the static secret key of the owner of \(\overline{\mathsf {sid}^*}\) are given to \(\mathcal {A}\).

  • Let \(E_9\) be the event that the test session \(\mathsf {sid}^*\) has matching session \(\overline{\mathsf {sid}}^*\), and master secret key is given to \(\mathcal {A}\).

To finish the proof, we investigate events \(E_{i} \wedge Suc\,(i=1,\dots ,9)\) that cover all cases of event \(Suc\). Though proofs of events are essentially same as the case of Theorem 1, \(E_{9} \wedge Suc\) is the characteristic event for Theorem 2. Thus, we only show the proof of event \(E_{9} \wedge Suc\).

Appendix 2.1: Event \(E_{9} \wedge Suc\)

We change the interface of oracle queries and the computation of the session key. These instances are gradually changed over six hybrid experiments, depending on specific sub-cases. In the last hybrid experiment, the session key in the test session does not contain information of the bit \(b\). Thus, the adversary clearly only output a random guess. We denote these hybrid experiments by \(\mathbf{H}_0, \dots , \mathbf{H}_5\) and the advantage of the adversary \(\mathcal {A}\) when participating in experiment \(\mathbf{H}_i\) by \({\mathbf {Adv}}(\mathcal {A},\mathbf{H}_i)\).

Hybrid experiment \(\mathbf{H}_0\): This experiment denotes the real experiment for \({\hbox {id-CK}^+}\) security and in this experiment the environment for \(\mathcal {A}\) is as defined in the protocol. Thus, \({\mathbf {Adv}}(\mathcal {A},\mathbf{H}_0)\) is the same as the advantage of the real experiment.

Hybrid experiment \(\mathbf{H}_1\): In this experiment, if session identities in two sessions are identical, the experiment halts.

When two ciphertexts from different randomness are identical, session identities in two sessions are also identical. In the IND-sID-CCA secure IB-KEM, such an event occurs with negligible probability. Thus, \(|{\mathbf {Adv}}(\mathcal {A},\mathbf{H}_1) - {\mathbf {Adv}}(\mathcal {A},\mathbf{H}_0)| \le negl\).

Hybrid experiment \(\mathbf{H}_2\): In this experiment, the experiment selects a party \(U_A\) and integer \(i \in [1,\ell ]\) randomly in advance. If \(\mathcal {A}\) poses \(\mathsf {Test}\) query to a session except \(i\)-th session of \(U_A\), the experiment halts.

Since guess of the test session matches with \(\mathcal {A}\)’s choice with probability \(1/N^2\ell ,\,{\mathbf {Adv}}(\mathcal {A},\mathbf{H}_2)\,\ge 1/N^2\ell \cdot {\mathbf {Adv}}(\mathcal {A},\mathbf{H}_1) \).

Hybrid experiment \(\mathbf{H}_3\): In this experiment, the computation of \(K^*_{T}\) in the test session is changed. Instead of computing \((CT^*_{T},K^*_{T}) \leftarrow \mathsf {wEnCap}_{ek_{T}}(r_{TB})\), it is changed as choosing \(K^*_{T} \leftarrow \mathcal {KS}\) randomly, where we suppose that \(U_B\) is the intended partner of \(U_A\) in the test session.

We construct an IND-CPA adversary \(\mathcal {S}\) from \(\mathcal {A}\) in \(\mathbf{H}_2\) or \(\mathbf{H}_3\). \(\mathcal {S}\) performs the following steps.

Init \(\mathcal {S}\) receives the public key \(ek^*\) as a challenge.

Setup \(\mathcal {S}\) chooses PRF \(F, F': \{0,1\}^* \times \mathcal {FS}\rightarrow \mathcal {RS}_E\), and \(G : \{0,1\}^* \times \mathcal {FS}\rightarrow \{0,1\}^\kappa \), where \(\mathcal {FS}\) is the key space of PRFs, and a KDF \(KDF : Salt \times \mathcal {KS}\rightarrow \mathcal {FS}\) with a non-secret random salt \(s \in Salt\). These are provided as a part of the public parameters. Also, \(\mathcal {S}\) sets the master public and secret key, and all \(N\) users’ static secret keys. \(\mathcal {S}\) selects \(r \in \mathcal {RS}_G\), and generates master public and secret keys \((mpk,msk) \leftarrow \mathsf{MKeyGen}(1^\kappa , r)\), where \(\mathcal {RS}_G\) is the randomness space of \(\mathsf{MKeyGen}\). Then, \(\mathcal {S}\) selects \(\sigma _P \in _R \mathcal {FS},\,\sigma _P' \in _R \{0,1\}^\kappa \hbox { and }r' \in \mathcal {RS}_G\), and runs the key derivation algorithm \(dk_{P} \leftarrow \mathsf {KeyDer}(mpk,msk,U_P,r')\), where \(\mathcal {RS}_G\) is the randomness space of \(\mathsf {KeyDer}\). Party \(U_P\)’s static secret key is \((dk_{P},\sigma _P, \sigma _P')\). The master key \(msk\) is given to \(\mathcal {A}\).

Next, \(\mathcal {S}\) receives the challenge \((K^*, CT^*)\) from the challenger.

Simulation \(\mathcal {S}\) maintains the list \(\mathcal {L}_{SK}\) that contains queries and answers of \(\mathsf {SessionKeyReveal}\). \(\mathcal {S}\) simulates oracle queries by \(\mathcal {A}\) as follows.

  1. 1.

    \(\mathsf {Send}(\Pi , \mathcal {I}, U_P, U_{\bar{P}})\): If \(P = A\) and the session is \(i\)-th session of \(U_A,\,\mathcal {S}\) computes \(CT_{A}\) obeying the protocol and returns the ephemeral public key \((CT_{A}, ek^*)\). Otherwise, \(\mathcal {S}\) computes the ephemeral public key \((CT_{P},ek_{T})\) obeying the protocol, returns it and records \((\Pi , U_P, U_{\bar{P}}, (CT_{P},ek_{T}))\).

  2. 2.

    \(\mathsf {Send}(\Pi , \mathcal {R}, U_{\bar{P}}, U_P, (CT_{P},ek_{T}))\): If \(\bar{P} = B,\,\mathcal {S}\) computes \(CT_{\bar{P}}\) and the session key \(SK\) obeying the protocol except that \(K_{T} = K^*\), returns the ephemeral public key \((CT_{\bar{P}},CT^*)\), and records \((\Pi , U_P, U_{\bar{P}}, (CT_{P},ek_{T}),\,(CT_{\bar{P}},CT_{T}))\) as the completed session and \(SK\) in the list \(\mathcal {L}_{SK}\). Otherwise, \(\mathcal {S}\) computes the ephemeral public key \((CT_{\bar{P}},CT_{T})\) and the session key \(SK\) obeying the protocol, returns the ephemeral public key, and records \((\Pi , U_P, U_{\bar{P}}, (CT_{P},ek_{T}),\,(CT_{\bar{P}},CT_{T}))\) as the completed session and \(SK\) in the list \(\mathcal {L}_{SK}\).

  3. 3.

    \(\mathsf {Send}(\Pi , \mathcal {I}, U_P, U_{\bar{P}}, (CT_{P},ek_{T}), (CT_{\bar{P}},CT_{T}))\): If \((\Pi , U_P, U_{\bar{P}}, (CT_{P},ek_{T}),\,(CT_{\bar{P}},CT_{T}))\) is not recorded, \(\mathcal {S}\) records the session \((\Pi , U_P, U_{\bar{P}}, (CT_{P},ek_{T}),\,(CT_{\bar{P}},CT_{T}))\) is not completed. Else if \(P = A\) and the session is \(i\)-th session of \(U_A,\,\mathcal {S}\) computes the session key \(SK\) obeying the protocol except that \(K^*_{T} = K^*\), and records \((\Pi , U_P, U_{\bar{P}}, (CT_{P},ek_{T}),\,(CT_{\bar{P}},CT_{T}))\) as the completed session and \(SK\) in the list \(\mathcal {L}_{SK}\). Otherwise, \(\mathcal {S}\) computes the session key \(SK\) obeying the protocol, and records \((\Pi , U_P, U_{\bar{P}}, (CT_{P},ek_{T}),\,(CT_{\bar{P}},CT_{T}))\) as the completed session and \(SK\) in the list \(\mathcal {L}_{SK}\).

  4. 4.

    \(\mathsf {SessionKeyReveal}(\mathsf {sid})\):

    1. (a)

      If the session \(\mathsf {sid}\) is not completed, \(\mathcal {S}\) returns an error message.

    2. (b)

      Otherwise, \(\mathcal {S}\) returns the recorded value \(SK\).

  5. 5.

    \(\mathsf {SessionStateReveal}(\mathsf {sid})\): \(\mathcal {S}\) responds the ephemeral secret key and intermediate computation results of \(\mathsf {sid}\) as the definition. Note that the \(\mathsf {SessionStateReveal}\) query is not posed to the test session from the freshness definition.

  6. 6.

    \(\mathsf {Corrupt}(U_P)\): \(\mathcal {S}\) responds the static secret key and all unerased session states of \(U_P\) as the definition.

  7. 7.

    \(\mathsf {Test}(\mathsf {sid})\): \(\mathcal {S}\) responds to the query as the definition.

  8. 8.

    If \(\mathcal {A}\) outputs a guess \(b',\,\mathcal {S}\) outputs \(b'\).

Analysis For \(\mathcal {A}\), the simulation by \(\mathcal {S}\) is same as the experiment \(\mathbf{H}_2\) if the challenge is \((K^*_1, CT^*_0)\). Otherwise, the simulation by \(\mathcal {S}\) is same as the experiment \(\mathbf{H}_3\). Also, both \(K^*_{T}\) in two experiments have \(\kappa \)-min-entropy because \((\mathsf {wKeyGen}, \mathsf {wEnCap}, \mathsf {wDeCap})\) is \(\kappa \)-min-entropy KEM. Thus, if the advantage of \(\mathcal {S}\) is negligible, then \(|{\mathbf {Adv}}(\mathcal {A},\mathbf{H}_3) - {\mathbf {Adv}}(\mathcal {A},\mathbf{H}_2)| \le negl\).

Hybrid experiment \(\mathbf{H}_4\): In this experiment, the computation of \(K'^*_{3}\) in the test session is changed. Instead of computing \(K'^*_{3} \leftarrow KDF(s, K^*_{T})\), it is changed as choosing \(K'^*_{3} \in \mathcal {FS}\) randomly.

Since \(K^*_{T}\) is randomly chosen in \(\mathbf{H}_3\), it has sufficient min-entropy. Thus, by the definition of the KDF, \(|{\mathbf {Adv}}(\mathcal {A},\mathbf{H}_4) - {\mathbf {Adv}}(\mathcal {A},\mathbf{H}_3)| \le negl\).

Hybrid experiment \(\mathbf{H}_5\): In this experiment, the computation of \(SK\) in the test session is changed. Instead of computing \(SK = G_{{K'_{1}}}(\mathsf {ST})\,\oplus \,G_{{K'_{2}}}(\mathsf {ST})\,\oplus \,G_{{K'_{3}}}(\mathsf {ST})\), it is changed as \(SK = G_{{K'_{1}}}(\mathsf {ST})\,\oplus \,G_{{K'_{2}}}(\mathsf {ST})\,\oplus \,x\) where \(x \in \{0,1\}^\kappa \) is chosen randomly and we suppose that \(U_B\) is the intended partner of \(U_A\) in the test session.

We construct a distinguisher \(\mathcal {D'}\) between PRF \(F^* : \{0,1\}^* \times \mathcal {FS}\rightarrow \{0,1\}^\kappa \) and a random function \(RF\) from \(\mathcal {A}\) in \(\mathbf{H}_4\) or \(\mathbf{H}_5\). \(\mathcal {D'}\) performs the following steps.

Setup \(\mathcal {D'}\) chooses PRF \(F,F': \{0,1\}^* \times \mathcal {FS}\rightarrow \mathcal {RS}_E\), and sets \(G = F^*\), where \(\mathcal {FS}\) is the key space of PRFs, and a KDF \(KDF : Salt \times \mathcal {KS}\rightarrow \mathcal {FS}\) with a non-secret random salt \(s \in Salt\). These are provided as a part of the public parameters. Also, \(\mathcal {S}\) sets the master public and secret key, and all \(N\) users’ static secret keys. \(\mathcal {S}\) selects \(r \in \mathcal {RS}_G\), and generates master public and secret keys \((mpk,msk) \leftarrow \mathsf{MKeyGen}(1^\kappa , r)\), where \(\mathcal {RS}_G\) is the randomness space of \(\mathsf{MKeyGen}\). Then, \(\mathcal {S}\) selects \(\sigma _P \in _R \mathcal {FS},\,\sigma _P' \in _R \{0,1\}^\kappa \hbox { and }r' \in \mathcal {RS}_G\), and runs the key derivation algorithm \(dk_{P} \leftarrow \mathsf {KeyDer}(mpk,msk,U_P,r')\), where \(\mathcal {RS}_G\) is the randomness space of \(\mathsf {KeyDer}\). Party \(U_P\)’s static secret key is \((dk_{P},\sigma _P, \sigma _P')\). The master key \(msk\) is given to \(\mathcal {A}\).

Simulation \(\mathcal {D'}\) maintains the list \(\mathcal {L}_{SK}\) that contains queries and answers of \(\mathsf {SessionKeyReveal}\). \(\mathcal {D'}\) simulates oracle queries by \(\mathcal {A}\) as follows.

  1. 1.

    \(\mathsf {Send}(\Pi , \mathcal {I}, U_P, U_{\bar{P}})\): \(\mathcal {D'}\) computes the ephemeral public key \((CT_{P},ek_{T})\) obeying the protocol, returns it and records \((\Pi , U_P, U_{\bar{P}}, (CT_{P},ek_{T}))\).

  2. 2.

    \(\mathsf {Send}(\Pi , \mathcal {R}, U_{\bar{P}}, U_P, (CT_{P},ek_{T}))\): If \(P = A\) and the session is partnered with \(i\)-th session of \(U_A,\,\mathcal {D'}\) poses \(\mathsf {ST}\) to his oracle (i.e., \(F^*\) or a random function \(RF\)), obtains \(x \in \{0,1\}^\kappa \), computes the session key \(SK = G_{{K'_{1}}}(\mathsf {ST})\,\oplus \,G_{{K'_{2}}}(\mathsf {ST})\,\oplus \,x\), and records \((\Pi , U_P, U_{\bar{P}}, (CT_{P},ek_{T}),\,(CT_{\bar{P}},CT_{T}))\) as the completed session and \(SK\) in the list \(\mathcal {L}_{SK}\). Otherwise, \(\mathcal {D'}\) computes the ephemeral public key \((CT_{\bar{P}},CT_{T})\) and the session key \(SK\) obeying the protocol, returns the ephemeral public key, and records \((\Pi , U_P, U_{\bar{P}}, (CT_{P},ek_{T}),\,(CT_{\bar{P}},CT_{T}))\) as the completed session and \(SK\) in the list \(\mathcal {L}_{SK}\).

  3. 3.

    \(\mathsf {Send}(\Pi , \mathcal {I}, U_P, U_{\bar{P}}, (CT_{P},ek_{T}), (CT_{\bar{P}},CT_{T}))\): If \((\Pi , U_P, U_{\bar{P}}, (CT_{P},ek_{T}),\,(CT_{\bar{P}},CT_{T}))\) is not recorded, \(\mathcal {D'}\) records the session \((\Pi , U_P, U_{\bar{P}}, (CT_{P},ek_{T}),\,(CT_{\bar{P}},CT_{T}))\) is not completed. Else if \(P = A\) and the session is \(i\)-th session of \(U_A,\,\mathcal {D'}\) poses \(\mathsf {ST}\) to his oracle (i.e., \(F^*\) or a random function \(RF\)), obtains \(x \in \{0,1\}^\kappa \), computes the session key \(SK = G_{{K'_{1}}}(\mathsf {ST})\,\oplus \,G_{{K'_{2}}}(\mathsf {ST})\,\oplus \,x\), and records \((\Pi , U_P, U_{\bar{P}}, (CT_{P},ek_{T}),\,(CT_{\bar{P}},CT_{T}))\) as the completed session and \(SK\) in the list \(\mathcal {L}_{SK}\). Otherwise, \(\mathcal {D'}\) computes the session key \(SK\) obeying the protocol, and records \((\Pi , U_P, U_{\bar{P}}, (CT_{P},ek_{T}),\,(CT_{\bar{P}},CT_{T}))\) as the completed session and \(SK\) in the list \(\mathcal {L}_{SK}\).

  4. 4.

    \(\mathsf {SessionKeyReveal}(\mathsf {sid})\):

    1. (a)

      If the session \(\mathsf {sid}\) is not completed, \(\mathcal {D'}\) returns an error message.

    2. (b)

      Otherwise, \(\mathcal {D'}\) returns the recorded value \(SK\).

  5. 5.

    \(\mathsf {SessionStateReveal}(\mathsf {sid})\): \(\mathcal {D'}\) responds the ephemeral secret key and intermediate computation results of \(\mathsf {sid}\) as the definition. Note that the \(\mathsf {SessionStateReveal}\) query is not posed to the test session from the freshness definition.

  6. 6.

    \(\mathsf {Corrupt}(U_P)\): \(\mathcal {D'}\) responds the static secret key and all unerased session states of \(U_P\) as the definition.

  7. 7.

    \(\mathsf {Test}(\mathsf {sid})\): \(\mathcal {D'}\) responds to the query as the definition.

  8. 8.

    If \(\mathcal {A}\) outputs a guess \(b' = 0,\,\mathcal {D'}\) outputs that the oracle is the PRF \(F^*\). Otherwise, \(\mathcal {D'}\) outputs that the oracle is a random function \(RF\).

Analysis For \(\mathcal {A}\), the simulation by \(\mathcal {D'}\) is same as the experiment \(\mathbf{H}_4\) if the oracle is the PRF \(F^*\). Otherwise, the simulation by \(\mathcal {D'}\) is same as the experiment \(\mathbf{H}_5\). Thus, if the advantage of \(\mathcal {D'}\) is negligible, then \(|{\mathbf {Adv}}(\mathcal {A},\mathbf{H}_5) - {\mathbf {Adv}}(\mathcal {A},\mathbf{H}_4)| \le negl\).

In \(\mathbf{H}_5\), the session key in the test session is perfectly randomized. Thus, \(\mathcal {A}\) cannot obtain any advantage from \(\mathsf {Test}\) query.

Therefore, \({\mathbf {Adv}}(\mathcal {A},\mathbf{H}_5) = 0\hbox { and }\Pr [E_{5} \wedge Suc]\) is negligible.

Rights and permissions

Reprints and Permissions

About this article

Verify currency and authenticity via CrossMark

Cite this article

Fujioka, A., Suzuki, K., Xagawa, K. et al. Strongly secure authenticated key exchange from factoring, codes, and lattices. Des. Codes Cryptogr. 76, 469–504 (2015). https://doi.org/10.1007/s10623-014-9972-2

Download citation

Keywords

  • Authenticated key exchange
  • \({\mathrm {CK}}^+\) model
  • Key encapsulation mechanism
  • Identity-based authenticated key exchange

Mathematics Subject Classification

  • 94A60 Cryptography