Ephemeral Key Leakage Resilient and Efficient ID-AKEs That Can Share Identities, Private and Master Keys

  • Atsushi Fujioka
  • Koutarou Suzuki
  • Berkant Ustaoğlu
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6487)


One advantage of identity-based (ID-based) primitives is the reduced overhead of maintaining multiple static key pairs and the corresponding certificates. However, should a party wish to participate in more than one protocol with the same identity (ID), say email address, the party has to share a state between distinct primitives which is contrary to the conventional key separation principle. Thus it is desirable to consider security of protocols when a public identity and a corresponding private key are utilized in different protocols.

We focus on authenticated key exchange (AKE) and propose a pair of two-party ID-based authenticated key exchange protocols (ID-AKE) that remain secure even if parties use the same IDs, private keys and master keys to engage in either protocol. To our knowledge the only ID-AKE protocol formally resilient to ephemeral key leakage is due to Huang and Cao (the HC protocol), where a party's static key consists of two group elements. Our proposed protocols provide similar assurances and require a single group element for both the static and the ephemeral key, and in that sense are optimal. From an efficiency perspective, they have the same number of pairing computations as the HC protocol. The security of all these protocols is established in the random oracle model.


Keywords: ID-based AKE, shared keys, combined keys, pairings




References

  1. Bellare, M., Rogaway, P.: Entity authentication and key distribution. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 232–249. Springer, Heidelberg (1994); Full version available at
  2. Blake-Wilson, S., Johnson, D., Menezes, A.: Key agreement protocols and their security analysis. In: Darnell, M. (ed.) Cryptography and Coding 1997. LNCS, vol. 1355, pp. 30–45. Springer, Heidelberg (1997)
  3. Boneh, D., Franklin, M.: Identity-based encryption from the Weil pairing. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 213–229. Springer, Heidelberg (2001)
  4. Boyd, C., Choo, K.-K.R.: Security of two-party identity-based key agreement. In: Dawson, E., Vaudenay, S. (eds.) MYCRYPT 2005. LNCS, vol. 3715, pp. 229–243. Springer, Heidelberg (2005)
  5. Boyd, C., Cliff, Y., González Nieto, J.M., Paterson, K.: Efficient one-round key exchange in the standard model. In: Mu, Y., Susilo, W., Seberry, J. (eds.) ACISP 2008. LNCS, vol. 5107, pp. 69–83. Springer, Heidelberg (2008); Full version available at
  6. Canetti, R., Krawczyk, H.: Analysis of key-exchange protocols and their use for building secure channels. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 453–474. Springer, Heidelberg (2001); Full version available at
  7. Canetti, R., Krawczyk, H.: Universally composable notions of key exchange and secure channels. In: Knudsen, L. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 337–351. Springer, Heidelberg (2002)
  8. Chatterjee, S., Hankerson, D., Knapp, E., Menezes, A.: Comparing two pairing-based aggregate signature schemes. Designs, Codes and Cryptography 55(2), 141–167 (2010)
  9. Chatterjee, S., Menezes, A., Ustaoğlu, B.: Reusing static keys in key agreement protocols. In: Roy, B., Sendrier, N. (eds.) INDOCRYPT 2009. LNCS, vol. 5922, pp. 39–56. Springer, Heidelberg (2009)
  10. Chen, L., Cheng, Z., Smart, N.P.: Identity-based key agreement protocols from pairings. International Journal of Information Security 6(4), 213–241 (2007)
  11. Diffie, W., Hellman, M.E.: New directions in cryptography. IEEE Transactions on Information Theory IT-22(6), 644–654 (1976)
  12. González Vasco, M.I., Hess, F., Steinwandt, R.: Combined (identity-based) public key schemes. Cryptology ePrint Archive, Report 2008/466 (2008)
  13. Hankerson, D., Menezes, A., Scott, M.: Software implementation of pairings. In: Joye, M., Neven, G. (eds.) Identity-Based Cryptography. Cryptology and Information Security, vol. 2, ch. XII, pp. 188–206. IOS Press, Amsterdam (2008)
  14. Huang, H., Cao, Z.: An ID-based authenticated key exchange protocol based on bilinear Diffie-Hellman problem. In: Safavi-Naini, R., Varadharajan, V. (eds.) ASIACCS 2009: Proceedings of the 2009 ACM Symposium on Information, Computer and Communications Security, New York, NY, USA, pp. 333–342 (2009)
  15. Kelsey, J., Schneier, B., Wagner, D.: Protocol interactions and the chosen protocol attack. In: Christianson, B., Crispo, B., Lomas, M., Roe, M. (eds.) SP 1997. LNCS, vol. 1361, pp. 91–104. Springer, Heidelberg (1998)
  16. Krawczyk, H.: HMQV: A high-performance secure Diffie-Hellman protocol. In: Cramer, R. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 546–566. Springer, Heidelberg (2005)
  17. LaMacchia, B., Lauter, K., Mityagin, A.: Stronger security of authenticated key exchange. In: Susilo, W., Liu, J.K., Mu, Y. (eds.) ProvSec 2007. LNCS, vol. 4784, pp. 1–16. Springer, Heidelberg (2007)
  18. Menezes, A., Ustaoğlu, B.: Comparing the pre- and post-specified peer models for key agreement. International Journal of Applied Cryptography (IJACT) 1(3), 236–250 (2009)
  19. Menezes, A.J., Okamoto, T., Vanstone, S.A.: Reducing elliptic curve logarithms to logarithms in a finite field. IEEE Transactions on Information Theory 39(5), 1639–1646 (1993)
  20. NIST National Institute of Standards and Technology: Special Publication 800-56A, Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography (March 2007)
  21. Okamoto, E., Tanaka, K.: Key distribution system based on identification information. IEEE Journal on Selected Areas in Communications 7(4), 481–485 (1989)
  22. Sakai, R., Ohgishi, K., Kasahara, M.: Cryptosystems based on pairings. In: The 2000 Symposium on Cryptography and Information Security (2000)
  23. Shamir, A.: Identity-based cryptosystems and signature schemes. In: Blakley, G.R., Chaum, D. (eds.) CRYPTO 1984. LNCS, vol. 196, pp. 47–53. Springer, Heidelberg (1984)
  24. Smart, N.P.: Identity-based authenticated key agreement protocol based on Weil pairing. Electronics Letters 38(13), 630–632 (2002)
  25. Ustaoğlu, B.: Comparing SessionStateReveal and EphemeralKeyReveal for Diffie-Hellman protocols. In: Pieprzyk, J., Zhang, F. (eds.) ProvSec 2009. LNCS, vol. 5848, pp. 183–197. Springer, Heidelberg (2009)

Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Atsushi Fujioka (1)
  • Koutarou Suzuki (1)
  • Berkant Ustaoğlu (1)
  1. NTT Information Sharing Platform Laboratories, Musashino-shi, Japan
