Authenticated Key Exchange and Key Encapsulation Without Random Oracles

Tatsuaki Okamoto

NTT, 3-9-11 Midori-cho, Musashino-shi, Tokyo, 180-8585 Japan December 26, 2007

Abstract. This paper1 presents a new paradigm to realize cryptographic primitives such as authenticated key exchange and key encapsulation without random oracles under three assumptions: the decisional Diffie-Hellman (DDH) assumption, target collision resistant (TCR) hash functions and a class of pseudo-random functions (PRFs), πPRFs, PRFs with pairwise-independent random sources. We propose a (PKI-based) two-pass authenticated key exchange (AKE) protocol that is comparably as efficient as the existing most efficient protocols like MQV and that is secure without random oracles (under these assumptions). Our protocol is shown to be secure in the (currently) strongest security definition, the extended Canetti-Krawczyk (eCK) security definition introduced by LaMacchia, Lauter and Mityagin. We also show that a variant of the Kurosawa-Desmedt key encapsulation mechanism (KEM) using a πPRF is CCA-secure under the three assumptions. This scheme is secure in a stronger security notion, the chosen public-key and ciphertext attack (CPCA) security, with using a generalized TCR (GTCR) hash function in place of a TCR hash function. The proposed schemes in this paper are validity-check-free and the implication is that combining them with validity-check-free symmetric encryption (DEM) will yield validity-check-free (e.g., MAC-free) CCA-secure hybrid encryption.

1 Introduction

The most common paradigm to design practical public-key cryptosystems secure in the standard model is to combine a trapdoor function (e.g., Difﬁe-Hellman) and target collision resistance (TCR) hash functions, where the security is proven under a trapdoor function assumption (e.g., DDH) and the TCR hash function assumption [1, 3, 9]. This paper introduces a new paradigm to design practical public-key cryptosystems, where a class of pseudo-random functions (PRFs), πPRFs, PRFs with pairwise- independent random sources, is employed in addition to a trapdoor function (DH) and target collision resistant (TCR) hash function. The concept of a PRF was introduced by Goldreich, Goldwasser and Micali [5], and has been shown to exist if and only if a one-way function exists [5, 6]. Therefore, the existence of a pseudo-random function is one of the weakest assumptions, and it is one of the most fundamental primitives in cryptography.

1 This is a revised version of the extended abstract appeared in the proceedings of Asiacrypt 2007 [15]. Since a target collision resistant (TCR) hash function (and the slightly more general concept, a universal one-way hash function) have also been shown to exist if and only if a one-way function exists [14, 16], TCR hash function and PRF are the same level of (the most) fundamental primitives in cryptography. In practice, a well-designed efficient hash function can be assumed to be a TCR hash function, and such a hash function with a random seed as a part of the input (or a keyed hash function) can be assumed to be a PRF. Although the existence of a πPRF is a stronger assumption than that of a PRF, a well-designed efficient hash function with a random seed as a part of the input (or a keyed hash function) is also expected to be a πPRF (with an index). Authenticated key exchange (AKE) protocols have been extensively studied to en- hance the security of the Diffie-Hellman (DH) key exchange protocol, which was proposed in 1976, because the DH protocol is not secure against the man-in-the-middle attack [2, 8, 10–13, 17]. This paper presents a (PKI-based) two-pass AKE protocol that offers the following properties:

1. its efficiency is comparable to those of MQV [11], HMQV [8] and CMQV [17] (our scheme’s message size for one party is that of MQV plus the size of three group el- ements, and the computational complexity for a session of our scheme is around 4.3 group exponentiations, while that of MQV is around 2.2 group exponentiations), 2. the model for its security proof is not the random oracle model under the three assumptions (DDH, TCR hash function and πPRF), while the existing efficient two-pass AKE protocols such as HMQV, NAXOS and CMQV are secure in the random oracle model, 3. its underlying security definition is (currently) the strongest one, the extended Canetti- Krawczyk (eCK) security definition introduced by LaMacchia, Lauter and Mitya- gin [10], 4. its security proof reduction efficiency is better than those of previous protocols in the random oracle model.

This paper also proposes a CCA-secure key encapsulation mechanism (KEM) under these assumptions (DDH, TCR hash function and πPRF), which is a variant of the Kurosawa-Desmedt KEM [9]. This scheme is secure in a stronger security notion, the chosen public-key and ciphertext attack (CPCA) security, with using a generalized TCR (GTCR) hash function in place of a TCR hash functions, where an adversary for the CPCA security, given a target public key pk∗ and ciphertext c∗, is allowed to query a pair of public key pk and ciphertext c to the decryption oracle, which answers the adversary with the decrypted result of c by the secret key of pk. The CPCA security seems closely related to the security notion, complete non-malleability, introduced by Fischlin [4]. The schemes presented in this paper are validity-check-free, which implies validity- check-free (e.g., MAC-free) CCA-secure hybrid encryption if they are combined with validity-check-free CCA-secure symmetric encryption (DEM).

2 2 Preliminaries

2.1 Notations N is the set of natural numbers and R is the set of real numbers. ⊥ denotes a null string. A function f : N → R is negligible in k, if for every constant c > 0, there exists integer n such that f(k) < k−c for all k > n. Hereafter, we often use f(k) < ǫ(k) to mean that f is negligible in k. When A is a probabilistic machine or algorithm, A(x) denotes the random variable R of A’s output on input x. Then, y ← A(x) denotes that y is randomly selected from A(x) according to its distribution. When a is a value, A(x) → a denotes the event that U A outputs a on input x. When A is a set, y ← A denotes that y is uniformly selected from A. When A is a value, y ← A denotes that y is set as A. In this paper, we consider that the underlying machines are uniform Turing machines. But it is easy to extend our results to non-uniform Turing machines.

2.2 The DDH Assumption Let k be a security parameter and G be a group with security parameter k, where the order of G is prime p and |p| = k. Let {G}k be the set of group G with security parameter k. For all k ∈ N we deﬁne the sets D and R as follows:

D G x x G U G U G2 U Z (k) ← {( , g1, g2, g1 , g2 ) | ← { }k, (g1, g2) ← ,x ← p} U U 4 R(k) ← {(G, g1, g2,y1,y2) | G ← {G}k, (g1, g2,y1,y2) ← G }.

Let A be a probabilistic polynomial-time machine. For all k ∈ N, we deﬁne the DDH advantage of A as

k U k U AdvDDHA(k) ← | Pr[A(1 , ρ) → 1 | ρ ← D(k)] − Pr[A(1 , ρ) → 1 | ρ ← R(k)] |.

The DDH assumption for {G}k∈N is: For any probabilistic polynomial-time adversary A, AdvDDHA(k) is negligible in k.

2.3 Pseudo-Random Function (PRF) The concept of a pseudo-random function (PRF) is deﬁned in [5] by Goldreich, Gold- wasser and Micali. Let k ∈ N be a security parameter. A pseudo-random function (PRF) family F associated with {Seedk}k∈N, {Domk}k∈N and {Rngk}k∈N speciﬁes two items:

– A family of random seeds {Seedk}k∈N. R U R – A family of pseudo-random functions indexed by k, Σ ← Seedk, σ ← Σ, D ← R k,Σ,D,R Domk, and R ← Rngk, where each such function Fσ maps an element of D to an element of R. There must exist a deterministic polynomial-time algorithm k k,Σ,D,R that on input 1 , σ ∈ Σ and ρ ∈D, outputs Fσ (ρ).

3 Let AO be a probabilistic polynomial-time machine with oracle access to O. For all k, we deﬁne

F k RF k AdvPRFF,A(k) ← | Pr[A (1 , D, R) → 1] − Pr[A (1 , D, R) → 1]|,

R U R R k,Σ,D,R where Σ ← Seedk, σ ← Σ, D ← Domk, R ← Rngk, F ← Fσ , and RF : D → U R is a truly random function (∀ρ ∈D RF (ρ) ← R). F is a pseudo-random function (PRF) family if for any probabilistic polynomial- time adversary A, AdvPRFF,A(k) is negligible in k.

2.4 Pseudo-Random Function with Pairwise-Independent Random Sources (πPRF)

Here, we introduce a speciﬁc class of PRFs, πPRFs.

Let k ∈ N be a security parameter and F be a PRF family associated with {Seedk}k∈N, {Domk}k∈N and {Rngk}k∈N. We then deﬁne a πPRF family for F. R R R Let Σ ← Seedk, D ← Domk, R ← Rngk, and RF : D → R is a truly random U function (∀ρ ∈D RF (ρ) ← R).

Let XΣ be a set of random variables (distributions) over Σ, and IΣ be a set of indices regarding Σ such that there exists a deterministic polynomial-time algorithm, fΣ : IΣ → XΣ, that on input i ∈ IΣ, outputs σi ∈ XΣ.

Let (σi0 ,σi1 ,...,σit(k) ) be random variables indexed by (IΣ, fΣ), where ij ∈ IΣ

(j = 0, 1,...,t(k)) and t(k) is a polynomial of k. Let σi0 be pairwisely independent from other variables, σi1 ,...,σit(k) , and each variable be uniformly distributed over Σ. 2 That is, for any pair of (σi0 ,σij ) (j = 1,...,t(k)), for any (x,y) ∈ Σ , Pr[σi0 → 2 x ∧ σij → y] = Pr[σi0 → x] · Pr[σij → y] = 1/|Σ| . F,IΣ Let A be a probabilistic polynomial-time machine A that queries qj ∈ D along with to oracle and is replied with Fk,Σ,D,R for each ij ∈ IΣ (F,IΣ) σj (qj ) j = R 0, 1,...,t(k), where (σ0,..., σt(k)) ← (σi0 ,...,σit(k) ) in oracle (F,IΣ). k,Σ, , Let ARF,IΣ be the same as AF,IΣ except F D R(q ) is replaced by RF (q ). σ0 0 0 For all k, we deﬁne

F,IΣ k RF,IΣ k AdvπPRFF,IΣ ,A(k) ← | Pr[A (1 , D, R) → 1] − Pr[A (1 , D, R) → 1]|.

F is a πPRF family with index {(IΣ, fΣ)}Σ∈Seedk,k∈N if for any probabilistic polynomial- time adversary A, AdvπPRFF,IΣ ,A(k) is negligible in k.

Remark: Here, we introduce an example of index (IΣ, fΣ) for pairwisely independent random variables, which is used in the proposed schemes.

4 Let k be a security parameter and G be a group with security parameter k, where the order of G is prime p and |p| = k. Let Σ ← G. Then (IG, fG) is speciﬁed by

2 IG ← {(V, W, d) | (V, W, d) ∈ G × Zp}, U r1+dr2 G2 Z Z2 XG ← {σ(V,W,d) | σ(V,W,d) ← V W ∧ (V, W, d) ∈ × p ∧ (r1, r2) ← p},

fG : IG → XG and fG : (V, W, d) 7→ σ(V,W,d).

′ ′ If d 6= d , V 6= 1 and V 6= 1, then two random variables, σ(V,W,d) ∈ XG and σ(V ′,W ′,d′) ∈ XG, are pairwisely independent, and each one is uniformly distributed over G, whereas three random variables, σ(V,W,d) ∈ XG, σ(V ′,W ′,d′) ∈ XG and σ(V ′′,W ′′,d′′) ∈ XG, are not independent. F,IG In the experiment of deﬁning AdvπPRFF,IG,A(k), A queries qj ∈ D along k,Σ,D,R with G to oracle G and is replied with F for each (Vj, Wj , dj ) ∈ I (F,I ) σj (qj ) R j = 0, 1,...,t(k), where (σ0,..., σt(k)) ← (σ(V0,W0,d0),...,σ(Vt(k),Wt(k),dt(k))) and U Z2 the random selection of (σ0,..., σt(k)) is due to the uniform selection of (r1, r2) ← p in oracle (F,IG). Hereafter, this index, (IG, fG), is shortly expressed by IG ← {(V, W, d) | (V, W, d) ∈ U G2 Z r1+dr2 Z2 × p} and fG : (V, W, d) 7→ V W with (r1, r2) ← p.

2.5 Target Collision Resistant (TCR) Hash Function

Let k ∈ N be a security parameter. A target collision resistant (TCR) hash function family H associated with {Domk}k∈N and {Rngk}k∈N speciﬁes two items: – A family of key spaces indexed by k. Each such key space is a probability space on bit strings denoted by KHk. There must exist a probabilistic polynomial-time k algorithm whose output distribution on input 1 is equal to KHk. R R – A family of hash functions indexed by k, h ← KHk, (D1, D2) ← D ← Domk, R k,D,R and R ← Rngk, where each such function Hh maps an element of D1 to an R element of R, where D1 ← {ρ | ρ ← D1}. There must exist a deterministic k k,D,R polynomial-time algorithm that on input 1 , h and ρ ∈ D1, outputs Hh (ρ). Let A be a probabilistic polynomial-time machine. For all k, we deﬁne

AdvTCRH,A(k) ← ∗ k,D,R k,D,R ∗ R k ∗ ∗ Pr[ρ ∈ D1 ∧ ρ 6= ρ ∧ Hh (ρ) = Hh (ρ ) | ρ ←A(1 , ρ , δ , h, D, R)],

R R R R ∗ ∗ where (D1, D2) ← D ← Domk, R ← Rngk, (ρ , δ ) ← (D1, D2) and h ← KHk. H is a target collision resistance (TCR) hash function family if for any probabilistic polynomial-time adversary A, AdvTCRH,A(k) is negligible in k. Note that this definition is a variant of the standard definition of TCR hash functions, where an extra input, δ∗, is given to adversary A in addition to the target input, ρ∗. A special case of this definition, when δ∗ is the null string, is the standard one.

5 k,DH ,RH Remark: An example of a TCR hash function, Hh , to be employed in Section R U G4 Z4 Z 4.1 is: h ← KHk, DH ← (D1, D2), D1 ← , D2 ← p, RH ← p, (z,w,C1, C2) ← R U R x1 x2 y1 y2 D1(←D1), (x1,x2,y1,y2) ← D2 (←D2) with z ← g1 g2 and w ← g1 g2 .

2.6 PKI-Based Authenticated Key Exchange (AKE) and the Extended Canetti-Krawczyk (eCK) Security Deﬁnition

This section outlines the extended Canetti-Krawczyk (eCK) security definition for two pass PKI-based authenticated key exchange (AKE) protocols that was introduced by LaMacchia, Lauter and Mityagin [10], and follows the description in [17]. In the eCK definition, we suppose there are n parties which are modeled as probabilistic polynomial-time Turing machines. We assume that some agreement on the common parameters in the AKE protocol has been made among the parties before starting the protocol. The mechanism by which these parameters are selected is out of scope of the AKE protocol and the (eCK) security model. Each party has a static public-private key pair together with a certificate that binds the public key to that party. Aˆ (Bˆ) denotes the static public key A (B) of party A (B) together with a certificate. We do not assume that the certifying authority (CA) requires parties to prove possession of their static private keys, but we require that the CA verifies that the static public key of a party belongs to the domain of public keys. Here, two parties exchange static public keys A, B and ephemeral public keys X,Y ; the session key is obtained by combining A,B,X,Y and possibly session identities. A party A can be activated to execute an instance of the protocol called a session. Activation is made via an incoming message that has one of the following forms: (A,ˆ Bˆ) or (B,ˆ A,ˆ X). If A was activated with (A,ˆ Bˆ), then A is called the session initiator, otherwise the session responder. Session initiator A creates ephemeral public-private key pair, (X,x) and sends (B,ˆ A,ˆ X) to session responder B. B then creates ephemeral public-private key pair, (Y,y) and sends (A,ˆ B,X,Yˆ ) to A. The session of initiator A with responder B is identified via session identifier (A,ˆ B,X,Yˆ ), where A is said the owner of the session, and B the peer of the session. The session of responder B with initiator A is identified as (B,ˆ A,Y,Xˆ ), where B is the owner, and A is the peer. Session (B,ˆ A,Y,Xˆ ) is said a matching session of (A,ˆ B,X,Yˆ ). We say that a session is completed if its owner computes a session key. The adversary M is modeled as a probabilistic polynomial-time Turing machine and controls all communications. Parties submit outgoing messages to the adversary, who makes decisions about their delivery. The adversary presents parties with incoming messages via Send(message), thereby controlling the activation of sessions. In order to capture possible leakage of private information, adversary M is allowed the following queries:

– EphemeralKeyReveal(sid) The adversary obtains the ephemeral private key associated with session sid. – SessionKeyReveal(sid) The adversary obtains the session key for session sid, provided that the session holds a session key. – StaticKeyReveal(pid) The adversary learns the static private key of party pid.

6 – EstablishParty(pid) This query allows the adversary to register a static public key on behalf of a party. In this way the adversary totally controls that party.

If a party pid is established by EstablishParty(pid) query issued by adversary M, then we call the party dishonest. If a party is not dishonest, we call the party honest. The aim of adversary M is to distinguish a session key from a random key. For- mally, the adversary is allowed to make a special query Test(sid∗), where sid∗ is called the target session. The adversary is then given with equal probability either the session U ∗ key, K∗, held by sid∗ or a random key, R∗ ← {0, 1}|K |. The adversary wins the game if he guesses correctly whether the key is random or not. To deﬁne the game, we need the notion of fresh session as follows:

Definition 1. (fresh session) Let sid be the session identifier of a completed session, owned by an honest party A with peer B, who is also honest. Let sid be the session identifier of the matching session of sid, if it exists. Define session sid to be “fresh” if none of the following conditions hold:

– M issues a SessionKeyReveal(sid) query or a SessionKeyReveal(sid) query (if sid exists), – sid exists and M makes either of the following queries: both StaticKeyReveal(A) and EphemeralKeyReveal(sid), or both StaticKeyReveal(B) and EphemeralKeyReveal(sid), – sid does not exist and M makes either of the following queries: both StaticKeyReveal(A) and EphemeralKeyReveal(sid), or StaticKeyReveal(B).

We are now ready to present the eCK security notion.

Deﬁnition 2. (eCK security) Let K∗ be a session key of the target session sid∗ that U ∗ U should be “fresh”, R∗ ← {0, 1}|K |, and b∗ ← {0, 1}. As a reply to Test(sid∗) query by M, K∗ is given to M if b∗ = 0; R∗ is given otherwise. Finally M outputs b ∈ {0, 1}. We deﬁne

∗ AdvAKEM(k) ← | Pr[b = b ] − 1/2|.

A key exchange protocol is secure if the following conditions hold:

– If two honest parties complete matching sessions, then they both compute the same session key (or both output indication of protocol failure). – For any probabilistic polynomial-time adversary M, AdvAKEM(k) is negligible in k.

This security deﬁnition is stronger than CK-security [2] and it simultaneously cap- tures all the known desirable security properties for authenticated key exchange including resistance to key-compromise impersonation attacks, weak perfect forward secrecy, and resilience to the leakage of ephemeral private keys.

7 2.7 Key-Encapsulation Mechanism (KEM) A key encapsulation mechanism (KEM) scheme is the triple of algorithms, Σ = (K, E, D), where 1. K, the key generation algorithm, is a probabilistic polynomial time (PPT) algorithm that takes a security parameter k ∈ N (provided in unary) and returns a pair (pk,sk) of matching public and secret keys. 2. E, the key encryption algorithm, is a PPT algorithm that takes as input public key pk and outputs a key/ciphertext pair (K∗, C∗). 3. D, the decryption algorithm, is a deterministic polynomial time algorithm that takes as input secret key sk and ciphertext C∗, and outputs key K∗ or ⊥ (⊥ means that the ciphertext is invalid). We require that for all (pk,sk) output by key generation algorithm K and for all (K∗, C∗) output by key encryption algorithm E(pk), D(sk,C∗) = K∗ holds. Here, the length of the key, |K∗|, is specified by l(k), where k is the security parameter. Let A be an adversary. The attack game is defined in terms of an interactive computation between adversary A and its challenger, C. The challenger C responds to the oracle queries made by A. We now describe the attack game (IND-CCA2 game) used to define security against adaptive chosen ciphertext attacks (IND-CCA2). R 1. The challenger C generates a pair of keys, (pk,sk) ← K(1k) and gives pk to adversary A. 2. Repeat the following procedure q1(k) times, for i = 1,...,q1(k), where q1(·) is a polynomial. A submits string Ci to a decryption oracle, DO (in C), and DO returns Dsk(Ci) to A. U 3. A submits the encryption query to C. The encryption oracle, EO, in C selects b∗ ← {0, 1} and computes (C∗, K∗) ← E(pk) and returns (C∗, K∗) to A if b∗ = 0 and U ∗ (C∗,R∗) if b∗ = 1, where R∗ ← {0, 1}|K | (C∗ is called “target ciphertext”). 4. Repeat the following procedure q2(k) times, for j = q1(k) + 1,...,q1(k) + q2(k), where q2(·) is a polynomial. A submits string Cj to a decryption oracle, DO (in C), ∗ subject only to the restriction that a submitted text Cj is not identical to C . DO returns Dsk(Cj ) to A. 5. A outputs b ∈ {0, 1}. IND-CCA2 ∗ We define the IND-CCA2 advantage of A, AdvKEMA (k) ← | Pr[b = b ] − 1/2| in the above attack game. We say that a KEM scheme is IND-CCA2-secure (secure against adaptive chosen ciphertext attacks) if for any probabilistic polynomial-time (PPT) adversary A, IND-CCA2 AdvKEMA (k) is negligible in k.

3 The Proposed AKE Protocol

3.1 Protocol U Let k ∈ N be a security parameter, G ← {G}k be a group with security parameter U 2 k, and (g1, g2) ← G , where the order of G is prime p and |p| = k. Let H be a

8 TCR hash function family, Fˆ and F˜ be PRF families, and F be a πPRF family with G2 Z index {(IG, fG)}G∈{G}k,k∈N, where IG ← {(V, W, d) | (V, W, d) ∈ × p} and U r1+dr2 Z2 fG : (V, W, d) 7→ V W with (r1, r2) ← p. (G, g1, g2), H, F, F˜ and Fˆ are the system parameters common among all users of the proposed AKE protocol (although F˜ and Fˆ can be set privately by each party). We assume that the system parameters are selected by a trusted third party. U 5 Party A’s static private key is (a0, a1, a2, a3, a4) ← (Zp) and A’s static public key R a1 a2 a3 a4 is A1 ← g1 g2 , A2 ← g1 g2 , and hA ← KHk that indexes a TCR hash function H ← Hk,DH ,RH , A hA U 5 Similarly, Party B’s static private key is (b0, b1, b2, b3, b4) ← (Zp) and B’s static R b1 b2 b3 b4 public key is B1 ← g1 g2 , B2 ← g1 g2 , and hB ← KHk that indexes a TCR hash function H ← Hk,DH ,RH . B hB As for Hk,DH ,RH , D ← (D , D ), D ← (Π )2 × G7, D ← Z9, R ← Z hB H 1 2 1 k 2 p H p R and (certA, A1, A2, certB,B1,B2,Y1,Y2,Y3) ← D1, where Πk denotes the space of possible certiﬁcates, certA (resp., certB) are certiﬁcates of (A1, A2) (resp., (B1,B2)), U U G7 Z9 and (A1, A2,B1,B2,Y1,Y2,Y3) ← . And, (a1, a2, a3, a4, b1, b2, b3, b4,y3) ← p R a1 a2 a3 a4 b1 b2 b3 b4 (← D2), where A1 ← g1 g2 , A2 ← g1 g2 , B1 ← g1 g2 ,B2 ← g1 g2 and Y3 ← y3 g1 . A and B set πPRF and PRFs F ← Fk,ΣF,DF,RF , F˜ ← F˜k,Σ˜F,D˜F,R˜F and Fˆ ← k,Σˆ,Dˆ,Rˆ 2 10 k Fˆ F F F , where ΣF ← G, DF ← (Πk) × G , RF ← {0, 1} , ΣF˜ ← Zp, DF˜ ← k 2 k k 2 {0, 1} , RF˜ ← (Zp) , ΣFˆ ← {0, 1} , DFˆ ← {0, 1} , and RFˆ ← (Zp) . To establish a session key with party B, party A performs the following procedure.

U k k 1. Select an ephemeral private key (˜x1, x˜2) ← {0, 1} × {0, 1} . 4 ˆ k ˜ 2. Compute a˜ ← i=0 ai mod p, (x,x3) ← Fx˜1 (1 ) + Fa˜(˜x2) mod p (as two- P x x dimensional vectors) and the ephemeral public key (X1 ← g1 , X2 ← g2 , X3 ← x3 g1 ). Note that the value of (x,x3) (and a˜) is only computed in a computation process of the ephemeral public key from ephemeral and static private keys. 3. Erase (x,x3) and the whole computation history of the ephemeral public key. 4. Send (B,ˆ A,ˆ X1, X2, X3) to B.

3 Upon receiving (B,ˆ A,ˆ X1, X2, X3), party B veriﬁes that (X1, X2, X3) ∈ G . If so, perform the following procedure.

U k k 1. Select an ephemeral private key (˜y1, y˜2) ← {0, 1} × {0, 1} . ˜ 4 ˆ k ˜ 2. Compute b ← i=0 bi mod p, (y,y3) ← Fy˜1 (1 ) + F˜b(˜y2) mod p (as two- P y y dimensional vectors) and the ephemeral public key (Y1 ← g1 ,Y2 ← g2 ,Y3 ← y3 g1 ). 3. Erase (y,y3) and the whole computation history of the ephemeral public key. 4. Send (A,ˆ B,ˆ X1, X2, X3,Y1,Y2,Y3) to A.

Upon receiving (A,ˆ B,ˆ X1, X2, X3,Y1,Y2,Y3), party A checks if he sent (B,ˆ A,ˆ X1, X2, X3) 3 to B. If so, A veriﬁes that (Y1,Y2,Y3) ∈ G .

9 a1+ca3 a2+ca4 x3 x dx To compute the session key, A computes σA ← Y1 Y2 Y3 B1 B2 , and b1+db3 b2+db4 y3 y cy ˆ ˆ B computes σB ← X1 X2 X3 A1A2 , where c ← HA(A, B,Y1,Y2,Y3) and d ← HB(B,ˆ A,ˆ X1, X2, X3).

If they are correctly computed, σ ← σA(= σB). The session key is K ← Fσ(sid), where sid ← (A,ˆ B,ˆ X1, X2, X3,Y1,Y2,Y3).

A B U U 5 5 (a0, a1, a2, a3, a4) ← (Zp) (b0, b1, b2, b3, b4) ← (Zp) a1 a2 a3 a4 b1 b2 b3 b4 A1 ← g1 g2 , A2 ← g1 g2 , B1 ← g1 g2 ,B2 ← g1 g2 , hA hB

U k k (˜x1, x˜2) ← {0, 1} × {0, 1} ˆ k (x,x3) ← Fx˜1 (1 ) +F˜a˜(˜x2) mod p 4 (˜a ← i=0 ai mod p) Px x X1 ← g1 , X2 ← g2 , x3 X3 ← g1 ˆ ˆ (B,A,X1,X2,X3) 3 −−−−−−−−−→ (X1, X2, X3) ∈ G ? U k k (˜y1, y˜2) ← {0, 1} × {0, 1} ˆ k (y,y3) ← Fy˜1 (1 ) ˜ +F˜b(˜y2) mod p ˜ 4 (b ← i=0 bi mod p) Py y Y1 ← g1 ,Y2 ← g2 , y3 ˆ ˆ Y3 ← g1 3 (A,B,X1,X2,X3,Y1,Y2,Y3) (Y1,Y2,Y3) ∈ G ? ←−−−−−−−−−−−−−−− c ← HA(A,ˆ B,Yˆ 1,Y2,Y3) c ← HA(A,ˆ B,Yˆ 1,Y2,Y3) d ← HB(B,ˆ A,ˆ X1, X2, X3) d ← HB(B,ˆ A,ˆ X1, X2, X3) a1+ca3 a2+ca4 b1+db3 b2+db4 σ ← Y1 Y2 · σ ← X1 X2 · x3 x dx y3 y cy Y3 B1 B2 X3 A1A2 K ← Fσ(sid) K ← Fσ(sid)

4 Here, sid ← (A,ˆ B,ˆ X1, X2, X3,Y1,Y2,Y3), and (A1, A2,B1,B2) ∈ G is conﬁrmed indirectly through the certiﬁcates.

Fig. 1. The Proposed AKE

10 3.2 Security

Theorem 1. The proposed AKE protocol is secure (in the sense of Deﬁnition 2) if the DDH assumption holds for {G}k∈N, H is a TCR hash function family, F˜ and Fˆ are

PRF families, and F is a πPRF family with index {(IG, fG)}G∈{G}k,k∈N, where IG ← U 2 r1+dr2 {(V, W, d) | (V, W, d) ∈ G × Zp} and fG : (V, W, d) 7→ V W with (r1, r2) ← Z2 p.

Proof. It is obvious that the first condition of Definition 2 holds. We will prove that the second condition of Definition 2 holds under the assumptions. Let sid∗ be the target session chosen by adversary M, A be the owner of the session sid∗ and B be the peer. Let sid∗ be (A,ˆ B,ˆ X∗, X∗, X∗,Y ∗,Y ∗,Y ∗), where Aˆ includes ∗ 1 ∗ 2 3 1 ∗ 2∗ 3 ∗ ∗ a a a a b b ˆ 1 2 3 4 1 2 (A1,A2), B includes (B1,,B2), A1 ← g1 g2 , A2 ← g1 g2 , B1 ← g1 g2 , B2 ← ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ b3 b4 ∗ x ∗ x ∗ x3 ∗ y ∗ y ∗ y3 g1 g2 , X1 ← g1 , X2 ← g2 , X3 ← g1 Y1 ← g1 ,Y2 ← g2 ,Y3 ← g1 . We will evaluate the advantage, AdvAKEM(k), in the following two disjoint cases (which cover the whole):

– Case 1: there exists a matching session, sid∗, of target session sid∗, – Case 2: there exists no matching session of target session sid∗.

Case 1: [1] To evaluate AdvAKE [1] (k) in Case 1, where M0 is an adversary in Case 1, we M0 G[1] G[1] G[1] G[1] G[1] consider ﬁve games, 0 , 1 , 2 , 3 , 4 as follows:

G[1] [1] Game 0 . This is the original eCK game with adversary M0 in Case 1 to deﬁne AdvAKE [1] (k). M0 G[1] [1] Game 1 . This is a local eCK game with an adversary M1 that is is reduced from G[1] [1] [1] game 0 with adversary M0 . In the local eCK game in Case 1, M1 activates only two parties (say A and B) (except dishonest parties) and only two sessions, ˆ ˆ ∗ ∗ ∗ ∗ ∗ ∗ the target session and the matching session (say (A, B, X1 , X2 , X3 ,Y1 ,Y2 ,Y3 ) ˆ ˆ ∗ ∗ ∗ ∗ ∗ ∗ and (B, A,Y1 ,Y2 ,Y3 , X1 , X2 , X3 ) ) (except sessions with dishonest parties). [1] [1] [1] Game G . We modify game G to game G by changing PRFs ˜ ∗ , ˜ ∗ , ˆ ∗ and 2 1 2 Fa˜ F˜b Fx˜1 ˆ ∗ of the target and matching sessions to random functions. Fy˜1 [1] [1] [1] ∗ G G G ∗ x3 Game 3 . We modify game 2 to game 3 by changing the value of (Y3 ) = ∗ U ∗ y3 G (X3 ) to a random element δ ← . [1] [1] [1] G G G ∗ Game 4 . We modify game 3 to game 4 by changing PRF Fσ to a random function. Note that the requirement of PRF for Fσ∗ is sufﬁcient here (πPRF is not necessary).

[1] [1] G[1] Let Adv0 be the eCK advantage of M0 in game 0 (i.e., AdvAKEM(k) in Case [1] [1] G[1] 1). Let Advi (i = 1, 2, 3, 4) be the eCK advantage of M1 in game i . We will then evaluate the relations between pairs of the advantages.

11 [1] G[1] Claim 1. For any adversary M0 in game 0 and any (correctly set-up) local eCK G[1] [1] game 1 , there exists an adversary, M1 , for the local eCK game, and a machine [1] [1] M2 whose running times are at most that of M0 , such that

[1] 2 [1] Adv0 < 4n(k) s(k) · Adv1 + s(k) · AdvPRFF˜ [1] (k) ,M2

[1] where M0 activates at most s(k) sessions.

[1] Proof. Let’s suppose that M0 activates at most n(k) honest parties. Given an adver- [1] G[1] sary M0 in game 0 and a (correctly set-up) local eCK game with two parties, (A [1] [1] and B), we construct M1 as follows: First, M1 randomly establishes (n(k)−2) hon- [1] est parties correctly in addition to A and B. M1 then simulates the eCK game for the [1] [1] n(k) honest parties (including A and B) with M0 . M1 randomly guesses the target session whose owner and peer are A and B. [1] M1 ’s simulation is executed as follows: U [1] 2 [1] 1. M1 selects α ← (α1, α2) ← {0, 1} . Intuitively, α1 = ‘0’ means M1 ’s guess [1] that M0 issues no ephemeral key reveal query on A for the guessed target session, [1] [1] and α1 = ‘1’ means the opposite. α2 = ‘0’ means M1 ’s guess that M0 issues no ephemeral key reveal query on B for the matching session of the guessed target session, and α2 = ‘1’ means the opposite. Due to the conditions of a target ses- [1] sion (or a fresh session), if M0 issues an ephemeral key reveal query for a target [1] session, M0 cannot issue the static key reveal query on the owner of the target session. [1] 2. If α is ‘00’, M1 issues static key reveal queries on A and B in the beginning of [1] the game, and then starts the simulation of the eCK game with M0 . In the simulation, [1] (a) M1 simulates the sessions of the established (n(k) − 2) honest parties correctly. (b) Ifasessionof A or B is not the guessed target session nor the matching session, [1] M1 correctly simulates the session (i.e. selects an ephemeral private key and computes ephemeral public key correctly by using the static and ephemeral private keys). (c) If a session of A or B is the guessed target session or the matching session, execute the local eCK game. [1] [1] If M1 ’s guess is incorrect (i.e., M0 does not select the guessed target session [1] as the target session or M0 issues an ephemeral key reveal query for the guessed [1] G[1] target or the matching session), M1 aborts this game (game 1 ). [1] 3. If α is ‘01’, M1 issues a static key reveal query on A in the beginning of the game, [1] and then starts the simulation of the eCK game with M0 . In the simulation, [1] (a) M1 simulates the sessions of the established (n(k) − 2) honest parties correctly.

12 [1] (b) If a session of A is not the guessed target session, M1 correctly simulates the session (i.e. selects an ephemeral private key and computes ephemeral public key correctly by using the static and ephemeral private keys). [1] (c) If a session of B is not the matching session of the guessed target session, M1 U Z2 y y y3 selects (y,y3) ← p and computes Y1 ← g1 , Y2 ← g2 and Y3 ← g1 . (d) If a session of A or B is the guessed target session or the matching session, execute the local eCK game. [1] [1] If M1 ’s guess is incorrect (i.e., M0 does not select the guessed target session [1] or M0 does not issue an ephemeral key reveal query for the matching session or [1] issues an ephemeral key reveal query for the guessed target session), M1 aborts this game. [1] 4. If α is ‘10’, M1 issues a static key reveal query on B in the beginning of the game, [1] and then starts the simulation of the eCK game with M0 . In the simulation, [1] (a) M1 simulates the sessions of the established (n(k) − 2) honest parties correctly. (b) If a session of B is not the matching session of the guessed target session, [1] M1 correctly simulates the session (i.e. selects an ephemeral private key and computes ephemeral public key correctly by using the static and ephemeral private keys). U [1] Z2 (c) If a session of A is not the guessed target session, M1 selects (x,x3) ← p x x x3 and computes X1 ← g1 , X2 ← g2 and X3 ← g1 . (d) If a session of A or B is the guessed target session or the matching session, execute the local eCK game. [1] [1] If M1 ’s guess is incorrect (i.e., M0 does not select the guessed target session or [1] M0 does not issue an ephemeral key reveal query for the guessed target session [1] or issues an ephemeral key reveal query for the matching session), M1 aborts this game. [1] [1] 5. If α is ‘11’, M1 starts the simulation of the eCK game with M0 . In the simulation, [1] (a) M1 simulates the sessions of the established (n(k) − 2) honest parties correctly. (b) Ifasessionof A or B is not the guessed target session nor the matching session, U [1] Z2 x x x3 M1 selects (x,x3) ← p and computes X1 ← g1 , X2 ← g2 and X3 ← g1 U Z2 y y y3 (or selects (y,y3) ← p and computes Y1 ← g1 , Y2 ← g2 and Y3 ← g1 ). (c) If a session of A or B is the guessed target session or the matching session, execute the local eCK game. [1] [1] [1] 6. M1 ﬁnally outputs the output of M0 , unless M1 aborts the game. [1] [1] If M1 ’s guess (on the target session and α) is correct and α = 00, M1 ’s advan- [1] G[1] tage in this simulation is exactly equivalent to M0 ’s advantage in game 0 . [1] If M1 ’s guess (on the target session and α) is correct and α ∈ {01, 10, 11}, the [1] [1] difference between M1 ’s advantage in this simulation and M0 ’s advantage in game G[1] 0 can be evaluated as follows:

13 ˜ [1] We now assume a PRF security test environment for F, where adversary M2 is U ˜ ˜ Z2 allowed to access to two oracles, which are (Fδ1 , Fδ2 ) ((δ1, δ2) ← p) or two random functions (RF1,RF2). [1] [1] We then construct M2 as follows: M2 simulates the sessions of A and B cor- ˜ ˜ [1] rectly except the computation of Fa˜ and F˜b of A and B, where in place of M1 ’s U U Z2 Z2 [1] selecting (x,x3) ← p and/or (y,y3) ← p (in cases of α ∈ {01, 10, 11}), M2 sends [1] [1] ∗ the related queries to the oracles. Finally M2 outputs 1 iff M1 correctly guesses b [1] ∗ G[1] (i.e., M1 ’s output b is equivalent to b in (Deﬁnition 2 of) game 0 ). ˜ ˜ If the oracles are (Fδ1 , Fδ2 ), then the simulation with the oracle queries is equivalent G[1] ∗ ˜∗ Z to game 0 , since the distribution of a˜ and b are independent and uniform over p. [1] Otherwise, it is equivalent to M1 ’s simulation described above under the condition [1] that M1 ’s guess is correct. The number of calls to the oracles is bounded by s(k) in [1] all cases of α ∈ {01, 10, 11}, So, applying the hybrid argument, (where M2 sets up the i-th step of the hybrid argument for i = 1,...,s(k)), we obtain

[1] [1] |Adv0 − Adv1 [CorrGuess]|

[1] [1] [1] where Adv1 [CorrGuess] is the advantage Adv1 under the condition that M1 ’s guess is correct. [1] Since the probability that M1 ’s guess on the target session is correct is at least 2 [1] 1/(n(k) s(k)) and the probability that M1 ’s guess is correct on α is 1/4,

2 [1] [1] 1/(4n(k) s(k)) · (Adv0 − s(k) · AdvPRFF˜ [1] (k)) < Adv1 . ,M2

[1] Claim 2. There exists a probabilistic machine M3 , whose running time is at most [1] that of M0 , such that

[1] [1] |Adv1 − Adv2 | ≤ 2 · max{AdvPRFF˜ [1] (k), AdvPRFFˆ [1] (k)}. ,M3 ,M3

Proof. We now assume PRF security test environments for F˜ and Fˆ, where adversary U [1] ˜ ˜ ˆ ˆ Z2 M3 is allowed to access to four oracles, which are (Fδ1 , Fδ2 , Fξ1 , Fξ2 ) ((δ1, δ2) ← p, U 2k (ξ1, ξ2) ← {0, 1} ) or four random functions (RF1,RF2,RF3,RF4). [1] [1] G[1] We construct M3 as follows: M3 sets up the parameters of game 1 for two parties, A and B, and the target and matching sessions correctly and simulates the game [1] ∗ ∗ k k with adversary except the computation of F˜ ∗ , F˜ ∗ , Fˆ ∗ and Fˆ ∗ , M1 a˜ (˜x2) ˜b (˜y2 ) x˜1 (1 ) y˜1 (1 ) [1] where M3 accesses to the oracles and sets the returned values as the function values. [1] [1] ∗ [1] Finally M3 outputs 1 iff M1 correctly guesses b (i.e., M1 ’s output b is equivalent ∗ G[1] to b in (Deﬁnition 2 of) game 1 ).

14 ˜ ˆ G[1] If the oracle is F and F, the simulation is equivalent to game 1 . Otherwise, the G[1] simulation is equivalent to game 2 . Since both the static and ephemeral keys of the target (matching) session are not revealed at the same time, we obtain

[1] [1] |Adv1 − Adv2 | ≤ 2 · max{AdvPRFF˜ [1] (k), AdvPRFFˆ [1] (k)}. ,M3 ,M3

[1] Claim 3. There exists a probabilistic machine M4 , whose running time is at most [1] that of M0 , such that

[1] [1] |Adv2 − Adv3 | = AdvDDH [1] (k). M4

U U Proof. Given a DDH problem ρ ← (G,U,V,W,Z), where ρ ← D(k) or ρ ← R(k), [1] [1] G[1] we construct its adversary M4 using M1 in game 2 as follows: [1] G[1] M4 sets up the parameters of game 2 for two parties, A and B, correctly and simulates the game with adversary M[1] except the computation of g , X∗,Y ∗ and ∗ ∗ 1 1 3 3 ∗ x3 ∗ y3 (Y3 ) (= (X3 ) ). For the computation, M[1] sets g ← U, X∗ ← V , Y ∗ ← W , and sets Z as the ∗ 4 ∗ 1 3 3 x y speciﬁed value of (Y ∗) 3 (= (X∗) 3 ). (Note that the simulation of the other values can 3 3 ∗ ∗ ∗ ∗ ∗ x3 ∗ y3 be perfectly executed with using g1, X3 ,Y3 and (Y3 ) (= (X3 ) ).) [1] [1] ∗ [1] Finally M4 outputs 1 iff M1 correctly guesses b (i.e., M1 ’s output b is equiv- ∗ G[1] alent to b in (Deﬁnition 2 of) game 2 ). U D [1] If ρ ← (k), the advantage of M1 in this simulation is equivalent to that in game G[1] [1] [1] 2 , Adv2 . Otherwise, the advantage of M1 in this simulation is equivalent to that G[1] [1] in game 3 , Adv3 . [1] [1] Therefore, |Adv2 − Adv3 | = AdvDDH [1] (k). M4

[1] Claim 4. There exists a probabilistic machine M5 , whose running time is at most [1] that of M0 , such that

[1] [1] |Adv3 − Adv4 | ≤ AdvPRFF [1] (k). ,M5

Proof. Given a PRF security test environment for F , where an adversary is allowed to U access an oracle, Fγ (γ ← G) or a random function RF , and tries to distinguish them, [1] [1] G[1] we construct its adversary M5 using M1 in game 3 as follows: [1] G[1] M5 sets up the parameters of game 3 for two parties, A and B, correctly and [1] ∗ ∗ simulates the game with adversary M1 except the computation of K ← Fσ (sid ),

15 [1] ∗ where M5 sends sid to the oracle and sets the value returned from the oracle as K. [1] [1] ∗ [1] Finally M5 outputs 1 iff M1 correctly guesses b (i.e., M1 ’s output b is equivalent ∗ G[1] to b in (Deﬁnition 2 of) game 3 ). If the oracle is Fγ , the returned value from the oracle is perfectly indistinguishable [1] ∗ ∗ G from that of Fσ (sid), since the value of σ in game 3 is uniform and independent. [1] G[1] [1] Then, the advantage of M1 in this simulation is equivalent to that in game 3 , Adv3 . [1] G[1] Otherwise, the advantage of M1 in this simulation is equivalent to that in game 4 , [1] Adv4 . [1] [1] Therefore, |Adv3 − Adv4 | ≤ AdvPRFF [1] (k). ,M5 [1] Summing up Claims 1 to 4 and from the fact that Adv4 = 0, we obtain the following claim, [1] Claim 5. Let’s suppose Case 1 occurs. For any adversary M0 in the eCK game [1] [1] [1] [1] (Deﬁnition 2), there exist probabilistic machines, M2 , M3 , M4 and M5 , whose [1] running times are at most that of M0 , such that

2 AdvAKE [1] (k) < 4n(k) s(k) · (2 · max{AdvPRFF˜ [1] (k), AdvPRFFˆ [1] (k)} M0 ,M3 ,M3

+AdvDDH [1] (k) + AdvPRFF [1] (k)) + s(k) · AdvPRFF˜ [1] (k). M4 ,M5 ,M2

Case 2: [2] Next, we will evaluate AdvAKE [2] (k) in Case 2, where M0 is an adversary in M0 ∗ [2] Case 2. Recall that sid is the target session chosen by adversary M0 , A is the owner ∗ ∗ ˆ ˆ ∗ ∗ ∗ ∗ ∗ ∗ of the session sid and B is the peer. Let sid be (A, B, X1 , X2 , X3 ,Y1 ,Y2 ,Y3 ). In Case 2, B is a honest party, but does not own a session that is matching to session ∗ ∗ [2] sid . Due to the conditions of a fresh session (i.e., restrictions on sid ), M0 cannot [2] issue a static key reveal query on B, but M0 (or a dishonest party) can establish a ses- ˆ(i) ˆ (i) (i) (i) (i) (i) (i) sion, sidi ← (C , B, X1 , X2 , X3 ,Y1 ,Y2 ,Y3 ), with B that is not equivalent ∗ ˆ ˆ ∗ ∗ ∗ ∗ ∗ ∗ ˆ(i) ˆ (i) (i) (i) (i) to session sid (i.e., (A, B, X1 , X2 , X3 ,Y1 ,Y2 ,Y3 ) 6= (C , B, X1 , X2 , X3 ,Y1 , (i) (i) Y2 ,Y3 )) and can issue a session key reveal query on session sidi, for i = 1,...,t(k). Here we have the following two disjoint cases: ˆ ˆ ∗ ∗ ∗ ˆ(i) ˆ (i) (i) (i) (a) (A, B, X1 , X2 , X3 ) 6= (C , B, X1 , X2 , X3 ), ˆ ˆ ∗ ∗ ∗ ˆ(i) ˆ (i) (i) (i) ∗ ∗ ∗ (i) (i) (i) (b) (A, B, X1 , X2 , X3 ) = (C , B, X1 , X2 , X3 ) and (Y1 ,Y2 ,Y3 ) 6= (Y1 ,Y2 ,Y3 ). We will then give the proof (of Case 2) in case (a), but omit that in case (b), since if case (b) occurs, we can apply the same argument (to prove the pairwise-independence ∗ (i) (i) [2] of σ and σi) in case (b) for (A1, A2), (honestly generated) (Y1 ,Y2 ),(M0 ’s out- ∗ ∗ ˆ ˆ (i) (i) (i) ˆ ˆ ∗ ∗ ∗ put) (Y1 ,Y2 ) and HA(A, B,Y1 ,Y2 ,Y3 ) 6= HA(A, B,Y1 ,Y2 ,Y3 ) as that in ∗ ∗ [2] (i) (i) case (a) for (B1,B2), (honestly generated) (X1 , X2 ),(M0 ’s output) (X1 , X2 ) and ˆ ˆ ∗ ∗ ∗ ˆ ˆ(i) (i) (i) (i) HB(B, A, X1 , X2 , X3 ) 6= HB(B, C , X1 , X2 , X3 ), that will be described be- low.

16 G[2] G[2] G[2] G[2] G[2] G[2] G[2] We consider seven games, 0 , 1 , 2 , 3 , 4 , 5 and 6 , as follows: G[2] [2] Game 0 . This is the original eCK game with adversary M0 to deﬁne AdvAKE [2] (k) M0 in Case 2. G[2] [2] Game 1 . This is a local eCK game with adversary M1 that is reduced from the [2] [2] original eCK game with adversary M0 . In the local eCK game in Case 2, M1 activates only two parties (e.g., A and B) (except dishonest parties) and the tar- ˆ ˆ ∗ ∗ ∗ ∗ ∗ ∗ get session (e.g., (A, B, X1 , X2 , X3 ,Y1 ,Y2 ,Y3 )) (except the other sessions with dishonest parties). [2] [2] [2] Game G . We modify game G to game G by changing PRFs ˜ ∗ , ˜ ∗ , ˆ ∗ and 2 1 2 Fa˜ F˜b Fx˜1 Fˆ (i) (i = 1,...,t(k)) to random functions. y˜1 ∗ ∗ ∗ Game G[2]. We modify game G[2] to game G[2] by changing the value of Bx Bd x 3 2 3∗ ∗ ∗ ∗ ∗ ∗ ∗ 1∗ 2∗ ∗ a c a a c a x x d x (in the computation process of σ∗ ← (Y ∗) 1 + 3 (Y ∗) 2 + 4 (Y ∗) 3 B B ) ∗ ∗ ∗ ∗ ∗ ∗ 1 2 3 1 2 ∗ b1 +d b3 ∗ b2 +d b4 to (X1 ) (X2 ) . This change is purely conceptual. G[2] G[2] G[2] G Game 4 . We modify game 3 to game 4 by changing DH tuple ( , g1, g2, U U ∗ ∗ D G ∗ ∗ R X1 , X2 ) ← (k) to a random tuple ( , g1, g2, X1 , X2 ) ← (k). G[2] G[2] G[2] Game 5 . We modify game 4 to game 5 by adding a special rejection rule G[2] G[2] [2] in game 5 , such that game 5 aborts if M1 (dishonest party C) establishes ˆ(i) ˆ (i) (i) (i) (i) (i) (i) a session with B, sidi ← (C , B, X1 , X2 , X3 ,Y1 ,Y2 ,Y3 ), issues a ˆ ˆ ∗ ∗ ∗ ˆ ˆ(i) (i) session key query on the session, HB(B, A, X1 , X2 , X3 ) = HB(B, C , X1 , (i) (i) ˆ ˆ ∗ ∗ ∗ ˆ ˆ(i) (i) (i) (i) X2 , X3 ) and (B, A, X1 , X2 , X3 ) 6= (B, C , X1 , X2 , X3 ) occur. As men- ˆ ˆ ∗ ∗ ∗ ˆ ˆ(i) (i) (i) (i) tioned above, we assume that (B, A, X1 , X2 , X3 ) 6= (B, C , X1 , X2 , X3 ) occurs (case (a)). G[2] G[2] G[2] Game 6 . We modify game 5 to game 6 by changing a πPRF of the target session, Fσ∗ , to a random function. [2] [2] G[2] Let Adv0 be the eCK advantage of M0 in game 0 (i.e., AdvAKEM[2] (k) in [2] [2] G[2] Case 2). Let Advi (i = 1, 2, 3, 4, 5, 6) be the eCK advantage of M1 in game i . We now proceed to evaluate the differences between pairs of the advantages. [2] G[2] Claim 6. For an adversary M0 in game 0 and a (correctly set-up) local eCK [2] [2] game, there exists an adversary, M1 , for the local eCK game, and a machine M2 [2] whose running times are at most that of M0 , such that

[2] 2 [2] Adv0 < 2n(k) s(k) · Adv1 + s(k) · AdvPRFF˜ [2] (k) ,M2

[2] where M0 activates at most s(k) sessions. Proof. The proof of this claim is similar to that of Claim 1. The only difference is for [2] [1] M1 ’s (and M1 ’s) guess on α. In Case 1, B owns the matching session of the target session, while B owns no matching session in Case 2, but has a restriction on key reveals [2] such that B’s static key cannot be revealed. Therefore, M1 only needs to make a one- bit guess on A’s key reveal (static or ephemeral key reveal) to complete the simulation.

17 We then obtain

2 [2] [2] 1/(2n(k) s(k)) · (Adv0 − s(k) · AdvPRFF˜ [2] (k)) < Adv1 . ,M2

The proof of the following claim is also similar to that of Claim 2.

[2] Claim 7. There exists a probabilistic machine M3 , whose running time is at most [2] that of M0 , such that

[2] [2] |Adv1 − Adv2 | ≤ 2s(k) · max{AdvPRFF˜ [2] (k), AdvPRFFˆ [2] (k)}. ,M3 ,M3

Claim 8. [2] [2] Adv2 = Adv3

This is clear since the change is purely conceptual.

[2] Claim 9. There exists a probabilistic machine M4 , whose running time is at most [2] that of M0 , such that

[2] [2] |Adv3 − Adv4 | = AdvDDH [2] (k). M4

U U Proof. Given a DDH problem ρ ← (G,U,V,W,Z), where ρ ← D(k) or ρ ← R(k), [2] [2] G[2] we construct its adversary M4 using M1 in game 3 as follows: [2] G[2] M4 sets up the parameters of game 3 for two parties, A and B, correctly and [2] ∗ ∗ simulates the game with adversary M1 except the computation of g1, g2, X1 , X2 . [2] ∗ ∗ For the computation, M4 sets g1 ← U, g2 ← V , X1 ← W , and X2 ← Z. (Note that the simulation of the other values can be perfectly executed with using ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ a1 +c a3 ∗ a2 +c a4 ∗ x3 ∗ b1 +d b3 ∗ b2 +d b4 g1, g2, X1 , X2 . Especially, σ ← (Y1 ) (Y2 ) (Y3 ) (X1 ) (X2 ) [2] ∗ ∗ ∗ ∗ ∗ can be computed from the private keys that M4 sets up, (a1, a2, a3, a4), x3 and ∗ ∗ ∗ ∗ [2] ∗ ∗ ∗ (b1, b2, b3, b4), as well as adversary M1 ’s ephemeral public key, (Y1 ,Y2 ,Y3 ), and ∗ ∗ (X1 , X2 ).) [2] [2] ∗ [2] Finally M4 outputs 1 iff M1 correctly guesses b (i.e., M1 ’s output b is equiv- ∗ G[2] alent to b in (Deﬁnition 2 of) game 3 ). U D [2] If ρ ← (k), the advantage of M1 in this simulation is equivalent to that in game G[2] [2] [2] 3 , Adv3 . Otherwise, the advantage of M1 in this simulation is equivalent to that G[2] [2] in game 4 , Adv4 . [2] [2] Therefore, |Adv3 − Adv4 | = AdvDDH [2] (k). M4

18 [2] Claim 10. There exists a probabilistic machine M5 , whose running time is at most [2] that of M0 , such that

[2] [2] |Adv4 − Adv5 | ≤ AdvTCR [2] (k). M5

R 2 G7 Z9 Z Proof. Let hB ← KHk, DH ← (D1, D2), D1 ← (Πk) × , D2 ← p, RH ← p, R ∗ ∗ ∗ ˆ ˆ ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ (ρ , δ ) ← DH , ρ ← (B, A, X1 , X2 , X3 ), δ ← (b1, b2, b3, b4, a1, a2, a3, a4,x3). ∗ ∗ Given a TCR hash function problem (ρ , δ ,hB, DH , RH ), we construct its adversary [2] [2] G[2] M5 using M1 in game 4 as follows: [2] G[2] [2] M5 simulates game 4 with adversary M1 with setting (B1,B2, A1, A2) as ∗ ∗ ∗ the static public key of B and A of the target session and setting (X1 , X2 , X3 ) as the ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ ephemeral public key of A, where the related private keys, (b1, b2, b3, b4, a1, a2, a3, a4,x3) [2] are employed by M5 in the simulation. ∗ ∗ G[2] Since the distribution of (X1 , X2 ) is equivalent to those of game 4 (e.g., the ∗ ∗ G2 ephemeral public key of the target session, (X1 , X2 ), is uniformly distributed on in G[2] G[2] [2] game 4 ). Therefore simulation of game 4 by M5 is perfect. [2] ˆ(i) ˆ (i) (i) (i) (i) If M1 issues a session key query on session sidi ← (C , B, X1 , X2 , X3 ,Y1 , (i) (i) ˆ ˆ ∗ ∗ ∗ ˆ ˆ(i) (i) (i) (i) Y2 ,Y3 ) with HB(B, A, X1 , X2 , X3 ) = HB(B, C , X1 , X2 , X3 ) in this sim- [2] ˆ ˆ(i) (i) (i) (i) [2] ulation, M5 outputs (B, C , X1 , X2 , X3 ). Thus, M5 breaks the TCR hash G[2] function associated with {DH }k∈N and {RH }k∈N, if game 5 applies the special rejection rule and aborts. We then obtain [2] [2] |Adv4 − Adv5 | ≤ AdvTCR [2] (k). M5

[2] Claim 11. There exists a probabilistic machine M6 , whose running time is at most [2] that of M0 , such that

[2] [2] | Adv6 − Adv5 | < AdvπPRFF [2] (k) + 4/p. ,IG,M6

ˆ(i) ˆ (i) (i) (i) (i) (i) (i) Proof. Let sidi ← (C , B, X1 , X2 , X3 ,Y1 ,Y2 ,Y3 ) (i = 1,...,t(k)) be [2] (i) sessions with B on which M1 issues session key queries, where C is a dishonest [2] (i) ∗ ∗ (i) ∗ ∗ b1 +dib3 b2 +dib4 party established by M1 . Let Ki ← Fσi (sidi), where σi ← (X1 ) (X2 ) (i) (i) (i) (i) (i) (i) (i) y3 y ciy (X3 ) (C1 ) (C2 ) , ci ← HC (sidi) and di ← HB(sidi). Let the target session of game G[2] be sid∗ ← (A,ˆ B,ˆ X∗, X∗, X∗,Y ∗,Y ∗,Y ∗) and 5 1 2 ∗3 ∗1 ∗ 2 3∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ b +d b ∗ b +d b the session key of sid be K ← F ∗ (sid ), where σ ← (X ) 1 3 (X ) 2 4 ∗ ∗ ∗ ∗ ∗ ∗ ∗ σ 1 2 ∗ x3 ∗ a1 +c a3 ∗ a2 +c a4 ∗ ∗ ∗ ∗ (Y3 ) (Y1 ) (Y2 ) , c ← HA(sid ) and d ← HB(sid ). We now consider two cases for each session sidi (i = 1, 2,...,t(k)), Case (i) and Case (ii).

19 G (i) (i) D Z (i) Case (i): ( , g1, g2, X1 , X2 ) ∈ (k). That is, there exists x ∈ p such that X1 = x (i) x g1 , X2 = g2 . G (i) (i) D Case (ii): ( , g1, g2, X1 , X2 ) 6∈ (k).

G ∗ ∗ G ∗ ∗ D We say ( , g1, g2, X1 , X2 ) ∈ GoodKey, if ( , g1, g2, X1 , X2 ) 6∈ (k) and g1 6= R G[2] 1, g2 6= 1, g1 6= g2. Since the parameter is uniformly selected from (k) in game 5 , G ∗ ∗ it occurs with probability at least (1−4/p). Hereafter, we assume that ( , g1, g2, X1 , X2 ) ∈ G[2] GoodKey occurs in game 5 . Note that all games to be investigated here are modiﬁed G[2] G ∗ ∗ from game 5 with preserving the distribution of ( , g1, g2, X1 , X2 ). ∗ (B1,B2,σ ,σi) are expressed by the following equations:

∗ ∗ logg1 B1 ≡ b1 + ηb2 (mod p) ∗ ∗ logg1 B2 ≡ b3 + ηb4 (mod p) ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ logg1 σ ≡ x1(b1 + d b3) + ηx2(b2 + d b4) + δ (mod p) ∗ ∗ ∗ ∗ logg1 σi ≡ x(b1 + dib3) + ηx(b2 + dib4) + γ (mod p).

∗ ∗ η x x ∗ ∗ ∗ ∗ ∗ ∗ ∗ (i) ∗ 1 ∗ 2 ∗ x3 ∗ a1 +c a3 ∗ a2 +c a4 δ where g2 = g1 , X1 = g1 , X2 = g1 , (Y3 ) (Y1 ) (Y2 ) = g1 X1 = (i) (i) (i) (i) (i) (i) (i) γ x x y3 y ciy g1 , X2 = g1 and (X3 ) (C1 ) (C2 ) = g1 . If Case (i) occurs, the value of σi is (information theoretically) independent from σ∗ for any i = 1,...,t(k), since

∗ ∗ ∗ ∗ logg1 σi − γ ≡ x(b1 + ηb2) + xdi(b3 + ηb4) (mod p) is linearly dependent to and , while ∗ is linearly independent logg1 B1 logg1 B2 logg1 σ from and . (Actually, given sid , the value of is uniquely deter- logg1 B1 logg1 B2 i σi U ∗ ∗ G ∗ ∗ mined, but, given sid , the value of σ is still uniformly distributed in if (b2, b4) ← Z2 p.) Hence, hereafter we consider the case that Case (ii) occurs for all i = 1,...,t(k). Then, we will show the following proposition: G ∗ ∗ ∗ Proposition 1. Let assume that ( , g1, g2, X1 , X2 ) ∈ GoodKey. Then, given (sid , sid1, ∗ ..., sidt(k)), σ and σi are pairwisely independent for any i = 1,...,t(k), and each U G ∗ ∗ Z2 one is uniformly distributed over , when (b2, b4) ← p.

∗ Proof. First, we consider the relation between sid and sidi (i = 1,...,t(k)). So we investigate the following matrix:

1 η 0 0  0 0 1 η  , (1)  x∗ ηx∗ d∗x∗ ηd∗x∗   1 2 1 2   x1 ηx2 dix1 ηdix2 

(i) x1 (i) x2 where X1 = g1 and X2 = g1 .

20 This matrix (1) is regular if and only if

2 ∗ ∗ ∗ η (x2 − x1)(x2 − x1)(d − di) 6≡ 0 (mod p). (2)

∗ ∗ G ∗ ∗ η 6= 0 and x2 − x1 6= 0, since we assume that ( , g1, g2, X1 , X2 ) ∈ GoodKey, i.e., G ∗ ∗ D G[2] ∗ ( , g1, g2, X1 , X2 ) 6∈ (k) and g1 6= 1, g2 6= 1, g1 6= g2. In game 5 , d − di 6= 0 by the special rejection rule, and x2 − x1 6= 0 in Case (ii).

∗ ∗ Therefore, this matrix (1) is regular. Then, given (sid ,sidi), the value of (σi,σ ) is U G2 ∗ ∗ Z2 uniformly distributed over when (b2, b4) ← p.

[2] G G We can then construct an adversary M6 for πPRF F with index {(I , f )}G∈{G}k,k∈N, [2] G[2] G2 Z by using M1 in game 5 as follows, where IG ← {(V, W, d) | (V, W, d) ∈ × p} U r1+dr2 Z2 and fG : (V, W, d) 7→ V W with (r1, r2) ← p:

[2] Given the πPRF security experiment for F , M6 sets up the parameters of game G[2] 5 such that

G U G U G U Z η ← { }k, g1 ← , η ← p, g2 ← g1 , ∗ ∗ ∗ ∗ U a a a a ∗ ∗ ∗ ∗ Z 4 1 2 3 4 (a1, a2, a3, a4) ← ( p) , A1 ← g1 g2 , A2 ← g1 g2 , U Z 2 β1 β2 (β1, β2) ← ( p) , B1 ← g1 , B2 ← g1 , ∗ ∗ ∗ U x x x ∗ ∗ ∗ Z 2 ∗ ∗ ∗ 1 ∗ 2 ∗ 3 (x1,x2,x3) ← ( p) (x1 6= x2), X1 ← g1 , X2 ← g2 , X3 ← g2 i i U i (i) i (i) i y( ) (i) ( ) Z ( ) y ( ) y ( ) 3 (y ,y3 ) ← ( p), Y1 = g1 , Y2 = g2 ,Y3 = g1 ∗ ˆ ∗ ∗ ∗ ˆ ∗ ∗ c ← HA(A,Y1 ,Y2 ), d ← HB(B, X1 , X2 ) ˆ(i) (i) (i) ˆ (i) (i) ci ← HC (C ,Y1 ,Y2 ), di ← HB(B, X1 , X2 ), ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ η ∗ ∗ β1+d β2 ∗ x3 ∗ a1 +c a3 ∗ a2 +c a4 V ← X2 /(X1 ) , W ← (X1 ) (Y3 ) (Y1 ) (Y2 ) , (i) (i) (i) (i) (i) (i) (i) (i) (i) η β1+diβ2 y3 y ciy Vi ← X2 /(X1 ) , Wi ← (X1 ) (X3 ) (C1 ) (C2 ) (i = 1,...,t(k)).

[2] ∗ Under this setting of the parameters, M6 can perfectly simulate the sessions, sid [2] ∗ and sidi, with M1 except the computation of σ and σi, for i = 1,...,t(k).

∗ ∗ We now set (r1, r2) ← (b2, b4), and apply the index, IG ← {(V, W, d) | (V, W, d) ∈ G2 Z r1+dr2 ∗ ∗ ∗ ∗ × p} and fG : (V, W, d) 7→ V W . Then, σ(V ,W ,d ) = σ and σ(Vi,Wi,di) =

21 σi for i = 1,...,t(k), because

∗ ∗ r1+d r2 ∗ σ(V ∗,W ∗,d∗) = (V ) W ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ b2 ∗ ηb2 ∗ d b4 ∗ ηd b4 ∗ β1+d β2 ∗ x3 ∗ a1 +c a3 ∗ a2 +c a4 = (X2 ) /(X1 ) · (X2 ) /(X1 ) · (X1 ) · (Y3 ) (Y1 ) (Y2 ) ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ b1 +d b3 ∗ b2 +d b4 ∗ x3 ∗ a1 +c a3 ∗ a2 +c a4 = (X1 ) (X2 ) · (Y3 ) (Y1 ) (Y2 ) = σ∗,

r1+dir2 σ(Vi,Wi,di) = Vi Wi (i) ∗ (i) ∗ (i) ∗ (i) ∗ (i) (i) (i) (i) (i) (i) (i) b2 ηb2 dib4 ηdib4 β1+diβ2 y3 y ciy = (X2 ) /(X1 ) · (X2 ) /(X1 ) · (X1 ) (X3 ) (C1 ) (C2 ) (i) ∗ ∗ (i) ∗ ∗ (i) (i) (i) (i) (i) (i) b1 +dib3 b2 +dib4 y3 y ciy = (X1 ) (X2 ) · (X3 ) (C1 ) (C2 ) , = σi,

∗ ∗ ∗ ∗ where b1 ≡ β1−ηb2 (mod p), and b3 ≡ β2−ηb4 (mod p). Here note that σ(V ∗,W ∗,d∗) = ∗ σ and σ(Vi,Wi,di) = σi for i = 1,...,t(k) hold simultaneously for any selected value ∗ ∗ Z2 of (b2, b4)in p. [2] G[2] [2] ∗ M6 simulates game 5 with adversary M1 except the computation of K ← [2] ∗ ∗ ∗ ∗ ∗ Fσ (sid ) and Ki ← Fσi (sidi) (i = 1,...,t(k)), where M6 gives index (V , W , d ) and (Vi, Wi, di) (i = 1,...,t(k)) to the oracle (F,IG) in the experiment of the πPRF security deﬁnition (in Section 2.4) and sets the values returned from the oracle as K∗ [2] [2] ∗ and Ki (i = 1,...,t(k)). Finally M6 outputs 1 iff M1 correctly guesses b (i.e., [2] ∗ G[2] M1 ’s output b is equivalent to b in (Deﬁnition 2 of) game 5 ). F,IG G[2] If the oracle is for A , the above-mentioned simulation is the same as game 5 [2] G[2] [2] and the advantage of M1 in this simulation is equivalent to that in game 5 , Adv5 . [2] RF,IΣ G If the oracle is for A , the simulation is the same as game 6 , and the advantage [2] G[2] [2] of M1 in this simulation is equivalent to that in game 6 , Adv6 . ∗ From Proposition 1, if GoodCoin occurs, (σ ,σi) are pairwisely independent for i = 1,...,t(k). Since Pr[¬GoodCoin] < 4/p, we then obtain

[2] [2] | Adv6 − Adv5 | < AdvπPRFF [2] (k) + 4/p. (3) ,IG,M6

[2] Since Adv6 = 0, by summing up Claims 6 to 11, we obtain the following claim, [2] Claim 12. Let’s suppose Case 2 occurs. For any adversary M0 in the eCK game [2] [2] [2] [2] [2] (Deﬁnition 2), there exist probabilistic machines, M2 , M3 , M4 , M5 and M6 , [2] whose running times are at most that of M0 , such that

2 AdvAKE [2] (k) < 2n(k) s(k) · (2s(k) · max{AdvPRFF˜ [2] (k), AdvPRFFˆ [2] (k)} + M0 ,M3 ,M3

AdvDDH [2] (k) + AdvTCR [2] (k) + AdvπPRFF [2] (k) + 4/p) + M4 M5 ,IG,M6

s(k) · AdvPRFF˜ [2] (k). ,M2

4 The Proposed KEM Scheme

4.1 Scheme In this section, we present a CCA secure KEM scheme. U Let k ∈ N be a security parameter, and let G ← {G}k be a group with security parameter k, where the order of G is prime p and |p| = k.

Let H be a TCR hash function family, and F be a πPRF family with index {(IG, fG)}G∈{G}k,k∈N, 2 r +dr where IG ← {(V, W, d) | (V, W, d) ∈ G × Zp} and fG : (V, W, d) 7→ V 1 2 W U Z2 with (r1, r2) ← p.

U Z4 Secret Key: The secret key is sk ← (x1,x2,y1,y2) ← p. U U G G x1 x2 y1 y2 k,DH ,RH Public Key: g1 ← , g2 ← , z ← g1 g2 , w ← g1 g2 , H ← Hh and F ← Fk,ΣF,DF,RF . R U G4 Z4 Z Here, h ← KHk, DH ← (D1, D2), D1 ← , D2 ← p, RH ← p, (z,w,C1, C2) ← R U R x1 x2 y1 y2 D1(← D1), (x1,x2,y1,y2) ← D2 (← D2) with z ← g1 g2 and w ← g1 g2 , 2 k ΣF ← G, DF ← {pk} × G (pk is a possible public-key value) and RF ← {0, 1} . The public key is pk ← (G, g1, g2,z,w,H,F ). U Encryption: Choose r ← Zp and compute

r C1 ← g1, r C2 ← g2,

d ← H(z,w,C1, C2) σ ← zrwrd

K ← Fσ(pk,C1, C2).

(C1, C2) is a ciphertext, and K is the secret key to be shared. Decryption: Given (z,w,C1, C2), check whether

4 (z,w,C1, C2) ∈ G .

If it holds, compute

d ← H(z,w,C1, C2)

x1+dy1 x2+dy2 σ ← C1 C2 K ← Fσ(pk,C1, C2).

Remark: Even if d ← H(z,w,C1, C2) is replaced by d ← H(C1, C2), the CCA security of the proposed KEM is preserved, and then the underlying TCR hash function R k,DH ,RH Hh can be the standard one (with no extra input, (x1,x2,y1,y2) ← D2, to an adversary). However, to guarantee its CPCA security, d should be H(z,w,C1, C2).

23 4.2 CCA Security

Theorem 2. The proposed KEM scheme is IND-CCA2 secure, if the DDH assumption holds for {G}k∈N, H is a TCR hash function family, and F is a πPRF family with G2 Z index {(IG, fG)}G∈{G}k,k∈N, where IG ← {(V, W, d) | (V, W, d) ∈ × p} and U r1+dr2 Z2 fG : (V, W, d) 7→ V W with (r1, r2) ← p.

Proof. The proof is similar to the proof of the security of the proposed AKE in Case 2. ∗ ∗ First let us review some notation of the IND-CCA2 game of our scheme. Let (C1 , C2 ), ∗ G ∗ ∗ ∗ ∗ ∗ ∗ pk ← ( , g1, g2,z , w ,H,F ) and (x1,x2,y1 ,y2 ) be the target ciphertext, public ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ key and secret key, and K ← Fσ (pk , C1 , C2 ), where d ← H(z , w , C1 , C2 ) ∗ ∗ ∗ ∗ ∗ r ∗r d (i) (i) and σ ← (z ) w . When adversary A sends (C1 , C2 ) to the decryption ∗ (i) (i) oracle DO (i = 1,...,t(k)), the oracle returns K ← Fσ(pk , C1 , C2 ), where (i) (i) (i) ∗ ∗ (i) ∗ ∗ ∗ ∗ x1 +dy1 x2 +dy2 d ← H(z , w , C1 , C2 ) and σ ← (C1 ) (C2 ) . In this proof, we consider ﬁve games, G0, G1, G2, G3 and G4 as follows:

G IND-CCA2 Game 0. This is the original IND-CCA2 game with adversary A to deﬁne AdvKEMA (k). ∗ ∗ ∗ ∗ ∗ r ∗r d Game G1. We modify game G0 to game G1 by changing σ ← (z ) w (in ∗ the computation∗ ∗ ∗ process of the target ciphertext K in the encryption oracle) to x d y ∗ ∗ ∗ ∗ ∗ 1 + 1 ∗ x2 +d y2 σ ← C1 (C2 ) . This change is purely conceptual. U G G G G ∗ ∗ Game 2. We modify game 1 to game 2 by changing DH tuple ( , g1, g2, C1 , C2 ) ← U D G ∗ ∗ R (k) to a random tuple ( , g1, g2, C1 , C2 ) ← (k). Game G3. We modify game G2 to game G3 by adding a special rejection rule to G G (i) (i) game 2, such that, game 3 aborts if A sends (C1 , C2 ) to the decryption ∗ ∗ ∗ ∗ ∗ ∗ (i) (i) ∗ ∗ ∗ ∗ oracle and H(z , w , C1 , C2 ) = H(z , w , C1 , C2 ) and (z , w , C1 , C2 ) 6= ∗ ∗ (i) (i) (z , w , C1 , C2 ) occur. Game G4. We modify game G3 to game G4 by changing πPRF Fσ∗ in the the encryption oracle to a random function.

G IND-CCA2 Let Adv0 be the IND-CCA2 advantage of A in game 0 (i.e., AdvKEMA (k)). Let Advi (i = 1, 2, 3, 4) be the IND-CCA2 advantage of A in game Gi. We can obtain the following claims, whose proofs are essentially the same as those of Claims 8, 9, 10 and 11. So we omit them here.

Claim 13. Adv0 = Adv1

Claim 14. There exists a probabilistic machine A1, whose running time is at most that of A, such that |Adv1 − Adv2| = AdvDDHA1 (k).

Claim 15. There exists a probabilistic machine A2, whose running time is at most that of A, such that |Adv2 − Adv3| ≤ AdvTCRA2 (k).

Claim 16. There exists a probabilistic machine A3, whose running time is at most that of A, such that |Adv3 − Adv4| < AdvπPRFF,IG,A3 (k) + 4/p. Since Adv4 = 0, by summing up Claims 13 to 16, we obtain the following claim,

24 Claim 17. For any adversary A in the IND-CCA2 game there exist probabilistic machines, A1, A2 and A3 whose running times are at most that of A, such that

IND-CCA2 AdvKEMA (k) ≤

AdvDDHA1 (k) + AdvTCRA2 (k) + AdvπPRFF,IG,A3 (k) + 4/p.

4.3 CPCA Security In this paper, we define a stronger security notion than the CCA security on KEM and PKE. Here, we consider a trapdoor commitment, where committer (sender) S commits to x by sending C ← Epk(x) to receiver R, then S opens x by sending sk to R, where (pk,sk) is a pair of public key and secret key, and x = Dsk(C). Using a trapdoor commitment, several committers, S1, . . ., Sn, commits to x1,...,xn respectively by sending C1 ← Epk(x1), . . ., Cn ← Epk(xn) to receiver R. Another party can open them simultaneously by sending sk to receiver R. A possible malleable attack is as follows: after looking at pk and C ← Epk(x) sent to receiver R, adversary A computes pk′, C′, algorithm Conv and non-trivial relation Rel. A registers pk′ and sends C′ to R as a commitment to x′ such that Rel(x,x′). When sk is opened, A computes sk′ ← ′ ′ ′ Conv(sk) and sends sk to R such that x = Dsk′ (C ). To capture the security against such malleable attacks, we now define the CPCA (Chosen Public-key and Ciphertext Attacks) security for KEM schemes. Definition 3. (CPCA security) Let Σ = (K, E, D) be a KEM scheme. Let C∗, pk∗ and sk∗ be the target ciphertext, public key and secret key of KEM scheme Σ. In the CPCA security, an adversary A, given pk∗ and C∗, is allowed to submit a ciphertext C along with polynomial-time algorithm, Conv ← (Conv1, Conv2), to the decryption oracle ∗ ∗ ∗ ∗ DO (with sk ) under the condition that (Conv1(pk ), C) 6= (pk , C ), where Conv1 ∗ and Conv2 uniquely compute the public-key pk ← Conv1(pk ) and the corresponding ∗ ∗ secret key sk ← Conv2(sk , pk ), respectively. Here there exists a polynomial-time ∗ k algorithm of verifying the validity of Conv such that for all (c, k) ← EConv1(pk )(1 ) ∗ ∗ ∗ ∗ k = DConv2(sk ,pk )(c). If Conv is valid, DO computes sk ← Conv2(sk , pk ) and returns Dsk(C) to A. IND-CPCA We can define the advantage of A for the IND-CPCA game, AdvKEMA (k). We say that a KEM scheme is IND-CPCA-secure if for any probabilistic polynomial- IND-CPCA time (PPT) adversary A, AdvKEMA (k) is negligible in k. This notion is considered to be closely related to the notion, complete non-malleability, introduced by Fischlin [4]. We now show that the proposed KEM scheme is CPCA secure. To prove the security, we need a new requirement for a hash function family, the generalized TCR (GTCR) hash function family. Definition 4. (GTCR hash function family) Let k ∈ N be a security parameter. Let H be a hash function family associated with Domk, Rngk and KHk, which are the same as those shown in Section 2.5.

25 Let Conv and Rel be function and relation families with parameter space Paramk. Let τ ∈ Paramk, then function Convτ : Xk → Xk maps e1 ∈ Xk to e2 ∈ Xk. Given R R ← Rngk of hash function family H, Relτ ⊂R×R is an associated relation of H, where, for any d1 ∈ R, d2 ∈ R is uniquely determined with Relτ (d1, d2). Let A be a probabilistic polynomial-time machine. For all k, we deﬁne

Conv,Rel k,D,R ∗ ∗ k,D,R ∗ AdvGTCRH,A (k) ← Pr[ Relτ (Hh (ρ ,φ ), Hh (Convτ (ρ ),φ)) ∧ ∗ ∗ ∗ R k ∗ ∗ ∗ (ρ ,φ ) 6= (Convτ (ρ ),φ) | (τ,φ) ←A(1 , ρ ,φ , δ , h, D, R)],

R R R R ∗ ∗ ∗ where (D1, D2) ← D ← Domk, R ← Rngk, ((ρ ,φ ), δ ) ← (D1, D2) and h ← KHk. Hash function family H is a generalized target collision resistant (GTCR) hash function family associated with (Conv, Rel) if for any probabilistic polynomial-time adver- Conv,Rel sary A, AdvGTCRH,A (k) is negligible in k. If Convτ is a constant function to τ and Relτ (d1, d1) ⇔ d1 = d2, then the GTCR hash function family associated with (Conv, Rel) is a TCR hash function family. Theorem 3. The proposed KEM scheme is IND-CPCA secure, if the DDH assumption holds for {G}k∈N, H is a GTCR hash function family associated with (Conv, Rel), and

F is a πPRF family with index {(IG, fG)}G∈{G}k,k∈N, where ∗ ∗ G2 ∗ u1 ∗ u2 – (z, w) ← Conv(u1,u2,v1,v2)(z , w ) ∈ is defined by z ← (z ) (w ) and ∗ v1 ∗ v2 w ← (z ) (w ) , and Rel(u1,u2,v1,v2)(d1, d2) ⇔ d2(d1v1 −v2)+(d1u1 −u2) ≡ Z4 0 (mod p), where (u1,u2,v1,v2) ∈ p, and 2 r +dr – IG ← {(V, W, d) | (V, W, d) ∈ G × Zp} and fG : (V, W, d) 7→ V 1 2 W with U Z2 (r1, r2) ← p. G G G G′ G′ Proof. We define five games, 0, 1, 2, 3 and 4, that are equivalent to the games G′ G′ defined in the proof of Theorem 2 except game 3 and game 4. G′ G G′ Game 3. We modify game 2 to game 3 by adding a special rejection rule to G G′ (i) (i) (i) (i) (i) (i) game 2, such that, game 3 aborts if A sends ((u1 ,u2 ,v1 ,v2 ), (C1 , C2 )) ∈ Z4 G2 ∗ (i) (i) ∗ (i) (i) p × to the decryption oracle, the relation, di(d v1 − v2 ) + (d u1 − u2 ) ≡ 0 ∗ ∗ ∗ ∗ ∗ (i) (i) (mod p), holds for d ← H(z , w , C1 , C2 ) and di ← H(zi, wi, C1 , C2 ), and (i) (i) (i) (i) (i) (i) ∗ ∗ ∗ ∗ ∗ u1 ∗ u2 ∗ v1 ∗ v2 (z , w , C1 , C2 ) 6= (zi, wi, C1 , C2 ), where zi ← (z ) (w ) and wi ← (z ) (w ) , for i = 1,...,t(k). G′ G′ G The difference of game 3 and game 4 is the same as that of game 3 and game G4. ′ G IND-CPCA Let Adv0 be the IND-CPCA advantage of A in game 0 (i.e., AdvKEMA (k)). ′ G Let Advi (i = 1, 2, 3, 4) be the IND-CPCA advantage of A in game i (i = 1, 2) and G′ i (i = 3, 4). Claims 13 and 14 hold for this proof, and the following claim can be proven in a manner similar to Claim 15 (Claim 10). ′ ′ Conv,Rel Claim 18. |Adv2 − Adv3| ≤ AdvGTCRH ′ (k). ,A2 In a manner similar to Claim 16 (Claim 11), we can show the following claim: ′ Claim 19. There exists a probabilistic machine A3, whose running time is at most that

26 ′ ′ of A, such that |Adv3 − Adv4| < AdvπPRFF,IG,A3 (k) + 4/p. (i) (i) (i) (i) (i) (i) Proof. For any ((u1 ,u2 ,v1 ,v2 ), (C1 , C2 )) queried to the decryption oracle, if (i) (i) (i.e, G D ), then it is the same logg1 C1 ≡ logg2 C2 (mod p) ( , g1, g2, C1, C2) ∈ (k) as Case (i) in Claim 11. So, we now only consider Case (ii) in Claim 11, (i) (i) . logg1 C1 6≡ logg2 C2 (mod p) ∗ ∗ ∗ ∗ Since the values of (x1,x2) and (y1 ,y2 ) are information theoretically undeter- mined, only way for A to specify Conv to generate the secret key, (x1,x2,y1,y2), of from ∗ ∗ ∗ ∗ is to use a linear relation over of G. That is, the most (z, w) (x1,x2,y1 ,y2 ) logg1 ∗ ∗ ∗ u1 ∗ u2 s1 s2 general form of the conversion of (z, w) from (z , w ) is z ← (z ) (w ) g1 g2 and ∗ v1 ∗ v2 t1 t2 ∗ ∗ ∗ ∗ w ← (z ) (w ) g1 g2 , and (x1,x2) ← (u1x1 + u2y1 + s1,u1x2 + u2y2 + s2) and ∗ ∗ ∗ ∗ (y1,y2) ← (v1x1 +v2y1 +t1,v1x2 +v2y2 +t2), where (u1,u2,v1,v2,s1,s2,t1,t2) ∈ Z8 p. In our security analysis, the part of the conversion regarding (s1,s2,t1,t2) is independent. So, for simplicity of description, we ignore the part in the following security ∗ u(i) ∗ u(i) ∗ v(i) ∗ v(i) proof. That is, zi ← (z ) 1 (w ) 2 and wi ← (z ) 1 (w ) 2 . ∗ ∗ ∗ Then (z , w ,σ ,σi) are expressed by the following equations:

∗ ∗ ∗ logg1 z ≡ x1 + ηx2 (mod p) ∗ ∗ ∗ logg1 w ≡ y1 + ηy2 (mod p) ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ ∗ logg1 σ ≡ r1(x1 + d y1 ) + ηr2(x2 + d y2 ) (mod p) (i) (i) (i) ∗ (i) (i) ∗ logg1 σi ≡ r1 ((u1 + v1 di)x1 + (u2 + v2 di)y1 ) + (i) (i) (i) ∗ (i) (i) ∗ ηr2 ((u1 + v1 di)x2 + (u2 + v2 di)y2 ) (mod p).

∗ ∗ (i) (i) η ∗ r1 ∗ r2 (i) r1 (i) r2 where g2 = g1 , C1 = g1 , C2 = g1 , C1 = g1 , C2 = g1 .

1 η 0 0  0 0 1 η  ∗ ∗ ∗ ∗ ∗ ∗ .(4)  r1 ηr2 d r1 ηd r2   (i) (i) (i) (i) (i) (i) (i) (i) (i) (i) (i) (i)   r1 (u1 + v1 di) ηr2 (u1 + v1 di) r1 (u2 + v2 di) ηr2 (u2 + v2 di)  This matrix (4) is regular if and only if

2 ∗ ∗ (i) (i) ∗ (i) (i) ∗ (i) (i) η (r2 − r1)(r2 − r1 )(di(d v1 − v2 ) + (d u1 − u2 )) 6≡ 0 (mod p). (5) ∗ ∗ G ∗ ∗ D η 6= 0 and r2 − r1 6= 0, since we assume that ( , g1, g2, X1 , X2 ) 6∈ (k) and (i) (i) g1 6= 1, g2 6= 1, g1 6= g2. Since we are now considering Case (ii), r2 − r1 6= 0, and ∗ (i) (i) ∗ (i) (i) di(d v1 − v2 ) + (d u1 − u2 ) 6≡ 0 (mod p) by the special rejection rule in game G′ 3. Hence, this matrix (4) is regular. So, the remaining part of the proof is exactly the same as that of Claim 16 (Claim 11). Summing up Claims 13, 14, 18 and 19, we obtain the following claim,

27 Claim 20. For any adversary A in the IND-CPCA game there exist probabilistic ′ ′ ′ machines, A1, A2 and A3 whose running times are at most that of A, such that

IND-CPCA AdvKEMA (k) ≤ Conv,Rel ′ ′ AdvDDHA (k) + AdvGTCRH ′ (k) + AdvπPRFF,IG,A (k) + 4/p. 1 ,A2 3

5 Conclusion and Open Problems

This paper presented a paradigm to design cryptographic primitives without random oracles under three assumptions: the decisional Difﬁe-Hellman (DDH) assumption, target collision resistant (TCR) hash function family (or GTCR hash function family) and a class of pseudo-random function (PRF) family, πPRF family. An important open problem in this paradigm is how to construct a πPRF family from a fundamental cryptographic primitive like a one-way function or (trapdoor) one- way permutation. Another important open problem is to clarify the relationship (or equivalence) between the CPCA-security and complete non-malleability [4].

Acknowledgments

The author would like to thank Dennis Hofheinz and Eike Kiltz for giving me insightful comments on PRFs and πPRFs, especially a result that proves the impossibility of our solution with using a plain PRF in a blackbox manner [7]. I would like to thank Masayuki Abe for his invaluable discussions and suggestions on the proposed paradigm, KEM and validity-check-free hybrid encryption. I also thank Alfred Menezes for his lectures on the AKE protocols and security models as well as insightful discussions and comments. I am also grateful to Michel Abdalla, Goichiro Hanaoka, Ran Canetti and David Pointcheval for their valuable comments and suggestions on a preliminary version of this manuscript. I would like to express my appreciation of Kaoru Kurosawa, the PC chair of Asiacrypt 2007, for giving me an opportunity to present this (preliminary) result at Asiacrypt 2007 as an invited talk.

References

1. Abe, M., Gennaro, R., Kurosawa, K. and Shoup, V., Tag-KEM/DEM: A New Framework for Hybrid Encryption and New Analysis of Kurosawa-Desmedt KEM, Adv. in Cryptology – Eurocrypt 2005, LNCS 3494, pp. 128-146 (2005). 2. Canetti, R. and Krawczyk, H., Analysis of key-exchange protocols and their use for build- ing secure channels, Advances in Cryptology, EUROCRYPT 2001, LNCS 2045 (2001), http://eprint.iacr.org/2001/040. 3. Cramer, R. and Shoup, V., Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack. SIAM Journal on Computing, 33(1), 167- 226, (2003).

28 4. Fischlin, M., Completely Non-Malleable Schemes, Proceedings of ICALP 2005, LNCS 3580, Springer-Verlag, pp. 779-790 (2005). 5. Goldreich, O. , Goldwasser, S. and Micali, S.. How to Construct Random Functions. In Journal of the ACM, vol.33, no.4, pp.792-807 (1986). 6. Hastad, J. , Impagliazzo, R., Levin, L. and Luby, M., A Pseudorandom Generator from any One-way Function. SIAM Journal on Computing, v28 n4, pp.-1364-1396 (1999). 7. Hofheinz, D., private communication (2007). 8. Krawczyk, H., HMQV: A high-performance secure Diffie-Hellman protocol, Advances in Cryptology, CRYPTO 2005, LNCS 3621 (2005), http://eprint.iacr.org/2005/176. 9. Kurosawa, K. and Desmedt, Y., A New Paradigm of Hybrid Encryption Scheme, Advances in Cryptology- CRYPTO 2004, LNCS 3152, Springer-Verlag, pp. 426-442 (2004). 10. LaMacchia, B., Lauter, K. and Mityagin, A., Stronger security of authenticated key exchange, Cryptology ePrint Archive, Report 2006/073, 2006, http://eprint.iacr.org/2006/073. 11. Law, L., Menezes, A., Qu, M., Solinas, J. and Vanstone, S., An efficient protocol for authenticated key agreement, Designs, Codes and Cryptography 28, pp.119–134 (2003), 12. Menezes, A., Another look at HMQV, Journal of Mathematical Cryptology 1, pp.148–175 (2007), 13. Matsumoto, T., Takashima, Y. and Imai, H., On Seeking Smart Public-key Distribution Sys- tems. Transactions of the IECE of Japan, E69:99-106 (1986). 14. Naor, M. and Yung, M., Universal one-way hash functions and their cryptographic applica- tions. In Proceedings of the 21st Annual ACM Symposium on Theory of Computing, pp.33- 43 (1989.) 15. Okamoto, T., Authenticated Key Exchange and Key Encapsulation in the Standard Model, Advances in Cryptology- Asiacrypt 2007, LNCS, Springer-Verlag (2007). 16. Rompel, J., One-way functions are necessary and sufficient for secure signatures. In Proceed- ings of the 22nd Annual ACM Symposium on Theory of Computing, pp.387-394 (1990) 17. Ustaoglu, B., Obtaining a secure and efficient key agreement protocol from (H)MQV and NAXOS, Cryptology ePrint Archive, Report 2006/073, 2006, http://eprint.iacr.org/2007/123.