Cryptanalysis and Improvement of Several Identity-Based Authenticated and Pairing-Free Key Agreement Protocols for IoT Applications

Abstract

Internet of Things (IoT) applications have been increasingly developed. Authenticated key agreement (AKA) plays an essential role in secure communication in IoT applications. Without the PKI certificate and high time-complexity bilinear pairing operations, identity-based AKA (ID-AKA) protocols without pairings are more suitable for protecting the keys in IoT applications. In recent years, many pairing-free ID-AKA protocols have been proposed. Moreover, these protocols have some security flaws or relatively extensive computation and communication efficiency. Focusing on these problems, the security analyses of some recently proposed protocols have been provided first. We then proposed a family of eCK secure ID-AKA protocols without pairings to solve these security problems, which can be applied in IoT applications to guarantee communication security. Meanwhile, the security proofs of these proposed ID-AKA protocols are provided, which show they can hold provable eCK security. Some more efficient instantiations have been provided, which show the efficient performance of these proposed ID-AKA protocols. Moreover, comparisons with similar schemes have shown that these protocols have the least computation and communication efficiency at the same time.

1. Introduction

Internet of Things (IoT) applications have been increasingly exploited as information technology, operational technology, communication technology, and electronic technology develop. Examples include Smart Grid, Internet of Vehicles, Industrial IoT, and Agriculture IoT, which have enhanced living conditions greatly. With the development of 5G, secure and efficient communication demands have become huge as massive IoT devices are participating in these IoT applications. In general, IoT end devices and IoT servers play important roles in IoT applications. IoT end devices, mounted with sensors, collect useful information and transmit data to the IoT servers over the open network. When these IoT data are transmitted among different IoT devices, the sensitive information inserted in these IoT data needs more secure cryptographic algorithms to protect IoT user privacy and data security.

To protect the security of data transmission, cryptographic means that require secret keys are presented. For IoT user identity authentication, the shared key, public key certificate, and zero-knowledge proof are some common cryptographic methods [1]. For secure IoT data transmission, the digital signature can help confirm data ownership [2], the key agreement can help establish a secure session key [3], and the public key encryption can guarantee IoT data security with ciphertext in the public Internet environment [4]. For IoT data with fine-grained access control, attribute-based encryption can help establish a secure access control strategy with the attributes of IoT users and data [5], and security policy protocol can solve Internet control message protocol (ICMP) attacks [6]. Many cryptographic algorithms guarantee secure and efficient communication among different IoT applications—there are too many to mention one by one. However, these cryptographic algorithms are public; therefore, the keys are essential for secure data transmission. Moreover, blockchain technology has been applied to IoT applications to solve the centralized management problem [7].

Key agreement (KA) is an important method to protect keys, which supports building a common session key between no less than two different users for subsequent communications. Authenticated key agreement (AKA) not only generates a common session key, but also prevents active attacks and implicitly authenticates the participants simultaneously. In the public-key infrastructure (PKI) setting, the user’s long-term public key is matched with the corresponding identity in a certificate, which is derived by a trusted certificate authority. However, managing and transmitting these certificates results in heavy computation and storage costs. Considering IoT end-devices are usually resource-constrained and have limited memory, computation power, storage, and battery life, PKI-based AKA protocols (e.g., [3,8]) are not suitable for IoT applications. Therefore, to avoid the PKI certificate problem, AKA (ID-AKA) protocols with identity are proposed [9]. In ID-AKA protocols, every user owns a unique identity, the long-term public key is constructed by the user’s personal identity, and the private key is composed of the identity and a master key, which is created by the trusted key generation center (KGC). Since the introduction of the first ID-AKA protocol in [10], many ID-AKA protocols have been introduced based on bilinear pairings [11,12,13,14,15,16,17,18], which is a high time-complexity operation. Because of the resource restriction of IoT end devices, ID-AKA protocols without pairings are more suitable for IoT applications.

Currently, the modified Bellare and Rogaway (mBR) model [12], the Canetti–Krawczyk (CK) model [19], and the extended Canetti–Krawczyk (eCK) model [20] are some famous security models for AKA protocols. In particular, the eCK model can achieve the most security properties [13]. Meanwhile, to satisfy the communication demands of the high speed, low latency, and large connections in IoT applications, a more secure and efficient AKA protocol is needed. Thus, designing efficient ID-AKA protocols without pairings while maintaining eCK security would be more suitable for IoT applications.

Motivation and Our Contribution

Aiming at considering the aforementioned problems, this paper presents some efficient ID-AKA protocols while holding the eCK security for IoT applications.

• We provide the preliminaries of some Diffie–Hellman assumptions and the forking lemma, provide a detailed description of the eCK-security model for two-party ID-AKA protocols, and draw a figure to show the network model for these protocols.
• We analyze three recently proposed ID-AKA protocols without pairings [21,22,23], and point out the security flaws against some known attacks.
• We propose a family of pairing-free ID-AKA protocols in the eCK security model. The security proof also considers the case where the public key materials related to the long-term private key can be altered by an active adversary. Furthermore, events in our security proof are complementary.
• We provide some more efficient protocols that need four elliptic curve point multiplication operations. Protocol comparison shows that our efficient protocols have the advantage over similar protocols with the items of security, computation, and communication efficiency.

The paper is organized as follows: Section 2 provides some related work, Section 3 presents the cryptanalysis of several ID-AKA protocols, Section 4 proposes a family of pairing-free ID-AKA protocols, Section 5 shows some more efficient instantiations, Section 6 presents the performance and comparison, and Section 7 gives the conclusion.

2. Related Work

Some related works about the cryptographic methods for IoT applications and developments of KA protocols are provided in the following two subsections.

2.1. Cryptographic Methods for IoT Applications

In IoT applications, the IoT data generally contain plenty of sensitive information about the system users, such as their personal identity, location, and production data. When these IoT data are transmitted among different IoT devices and applications, cryptographic technologies play an essential role in the processes of user identity authentication, IoT data transmission, IoT data fine-grained access control, and so on. Jayabalasamy et al. [2] proposed an aggregate signature scheme to solve the nonrepudiation problem in blockchain ecosystems, which could also confirm the data ownership in the untrusted IoT environment. Li et al. [3] designed a KA protocol based on the SM2 algorithm, which could help establish a secure session key between different system users in smart grid communications. Pu et al. [4] introduced a public key authentication encryption scheme, and added the function of keyword search into this scheme to guarantee IoT data security in industrial IoT applications. Rasori et al. [5] provided a survey of the attributed-based encryption protocols in recent years, and figured out the problems and challenges of IoT data fine-grained access control in most current IoT applications. Onyema et al. [6] presented a security policy protocol for the detection and prevention of Internet control message protocol (ICMP) attacks in software-defined networks. For these different cryptographic algorithms, the key is an essential part of secure IoT communication. Therefore, establishing a secure session key is the first issue that should be taken into consideration for secure communication in IoT applications.

2.2. Developments of KA Protocols

Numerous interesting pairing-free ID-AKA protocols have been introduced in recent years. In 2010, Cao et al. [24] provided a one-round ID-AKA protocol without pairing and presented the security proof in the mBR model. Then, two pairing-free ID-AKA protocols were proposed in [25,26], which utilized the CK model to prove its security. In 2016, Ni et al. [27] showed that the security proof of Sun et al.’s protocol neglected the case where the public key materials related to the long-term private key could be altered by an active adversary, and proposed two eCK-secure ID-AKA protocols without pairings. However, events in the security proof of their protocols were not complementary, which resulted in a mismatch in the freshness definition. Moreover, KGC needed to generate one extra long-term private key, which increased the storage, computation, and communication costs with the increase in the number of users. Bala et al. [21] presented an ID-AKA scheme without pairing for wireless sensor networks and claimed it was secure in the eCK security model. But Dang et al. [28] showed that its security proof had the same problem. Furthermore, the eCK security model was not secure as it suffered from an ephemeral key reveal attack.

In 2018, Dang et al. [28] provided a pairing-free ID-AKA protocol that could achieve eCK security in vehicular ad hoc networks. However, in 2021, Deng et al. [29] showed that it was not eCK-secure and put forward a new scheme that required only four scale multiplication operations. However, we found that the security proof had some flaws, for example, it was inappropriate that the challenger grasped the private key of KGC in the proof Cases CA2, CA3, CA4, and CA6. Mohammadali et al. [22] proposed the NIKE protocol, an ID-AKA protocol without pairing. However, there were still some drawbacks to it. Firstly, we found this scheme had a design flaw, i.e., if an individual was to learn about the long-term private keys of two parties (say $A\left(Meter\right)$ and $B\left(AHE\right)$), they could easily obtain KGC’s master key. Secondly, it could not resist a KCI attack. Thirdly, although the NIKE protocol only needed, at most, three elliptic curve point multiplication operations, it needed three hash-to-point operations, which was a more time-consuming operation than the point multiplication operation. In 2019, Zhang et al. [23] gave two pairing-free and unbalanced ID-AKA protocols for disaster scenarios. Their protocols were actually unbalanced versions of the protocol in [24]. Their protocols reduced one elliptic curve point multiplication operation for the limited party. However, Zhang et al.’s protocols did not have ephemeral key reveal resistance. In 2020, Daniel et al. [30] pointed out that Bala et al.’s protocol [21] could not resist an ephemeral key reveal attack. They also provided an ID-AKA protocol and presented its security proof in the eCK model [27]. However, its computational cost was still higher, which needed five-point multiplication operations in the elliptic curve. Furthermore, they pointed out that protocol [27] suffered from key offset attacks; however, key offset attacks could be simply avoided by adding a message authentication code using the same method in [30].

In 2021, Kumar and Chand [31] presented an ID-AKA protocol with cloud for the wireless body area network for anonymous health data authentication. However, Rakeei and Moazami [32] pointed out that this protocol could not resist a man-in-the-middle attack and achieve perfect forward secrecy. In 2022, Pu et al. [33] provided a mutual authentication and KA protocol for data privacy preserving in unmanned aerial vehicles (UAVs). Zhang et al. [34] designed a group key agreement (GKA) protocol for user privacy protection and data resource secure sharing in an intelligent IoT system. In 2023, Zhou et al. [35] presented an AGKA protocol for an AI-based automation system, which utilized a semi-trusted authority to perform precomputation operations. Pan et al. [36] focused on the communication security of UAVs to introduce a heterogeneous AKA protocol. Zhang et al. [37] provided a symmetric-key AKA protocol for edge-cloud IIoT, which could achieve perfect forward secrecy based on both authentication and derivation master keys. Abdussami et al. [38] proposed an AKA protocol for secure patient health-related data sharing in IoMT.

The security comparisons of these ID-AKA protocols are shown in

Table 1. Security comparisons.

Protocols	Security Model	wPFS	KCIR	ESRR	MSS	AS
CKD [24]	mBR*	Yes	Yes	No	Yes	GDH
FG-I [25]	CK	Yes	Yes	No	Yes	GDH
XW [26]	CK	Yes	Yes	No	Yes	GDH
PF-ID-2PAKA [21]	eCK* (flawed)	Yes	Yes	No	Yes	GDH
DXCLCZF-18 [28]	eCK (flawed)	Yes	No	No	Yes	GDH
ZHWY-19 [23]	mBR* (flawed)	No	No	No	Yes	GDH
NIKE [22]	– (flawed)	Yes	No	Yes	No	–
NCL-16-II [27]	eCK@	Yes	Yes	Yes	Yes	GDH
DRS-20 [30]	eCK	Yes	Yes	Yes	Yes	GDH
DSH-21 [29]	eCK*	Yes	Yes	Yes	Yes	GDH
PWCAS-22 [33]	eCK*	Yes	Yes	Yes	Yes	PUF
ZHVLH-23 [37]	eCK*	Yes	Yes	Yes	Yes	PRF

eCK* and mBR* are without the case where an active adversary may alter all public key materials not only the temporary public key. “–” denotes that there is no formal security proof for the protocol. eCK@ denotes that events in the proof are not complementary.

, and the security items of the KGC’s master key (MSS), weak perfect forward secrecy (wPFS), key compromise impersonation resilience (KCIR), ephemeral secrets reveal resistance (ESRR), and assumption (AS) were compared. Facing these problems and secure IoT communication demands, a secure ID-AKA protocol is needed to strengthen the security of session keys between different IoT users. The next sections will present the cryptanalysis of several ID-AKA protocols [21,22,23] first, and then provide the proposed ID-AKA protocols.

3. Preliminaries

Some basic concepts including complexity assumptions and the eCK security model for two-party ID-AKA protocols are reviewed in this section.

3.1. Complexity Assumptions

Let $\mathbb{G}$ be an elliptic curve additive group with a large prime order q, and P is a generator of $\mathbb{G}$. Some Diffie–Hellman assumptions over $\mathbb{G}$ are recalled as follows.

• Computational Diffie–Hellman (CDH) Assumption: Given three points, $P,aP,$ and $bP$, where $a,b\in {\mathbb{Z}}_q^{*}$, the advantage $Ad{v}_{\mathcal{M}}^{CDH}$ to compute $abP$ is negligible for any probabilistic polynomial time (PPT) adversary $\mathcal{M}$.
• Decision Diffie–Hellman (DDH) Assumption: Given four points $P,aP,bP,$ and $cP$, where $a,b,c\in {\mathbb{Z}}_q^{*}$, the advantage $Ad{v}_{\mathcal{M}}^{DDH}$ to decide whether $c\equiv ab$ mod q is negligible for any PPT adversary $\mathcal{M}$.
• Gap Diffie–Hellman (GDH) Assumption: Given four points $P,aP,bP,$ and $cP$, where $a,b,c\in {\mathbb{Z}}_q^{*}$, the advantage $Ad{v}_{\mathcal{M}}^{GDH}$ to compute $abP$ by accessing a DDH oracle is negligible for any PPT adversary $\mathcal{M}$.

3.2. The Forking Lemma

The forking lemma is applied in the security proof of our proposed protocols. Here, we recall it described in [27].

Let ${\Theta }_S$ be a generic digital signature scheme. Given an input message m, ${\Theta }_S$ produces a triple $(K,h,v)$, where K is a randomly selected value in a large set, h is the hash value of $(m,K)$, and v is only dependent on K, m, and h. Assume that a PPT algorithm $\mathcal{M}$ can produce a valid signature $(K,h,v)$ on the message m with non-negligible probability. Then, with non-negligible probability, a replay of this algorithm can output two valid signatures $(K,h,v)$ and $(K,\overline{h},\overline{v})$ on the same message m, such that $h\ne \overline{h}$.

3.3. eCK-Security Model for Two-Party ID-AKA Protocols

We now recall the eCK-security model for two-party ID-AKA protocols in [13,27].

• Participants. Let $\mathcal{U}=\{I{D}_1,\cdots ,I{D}_L\}$ be a finite set of L honest parties. Each participant $I{D}_i\in \mathcal{U}$ is modeled as a PPT Turing machine. Any two parties can be involved in a protocol execution. Each party may execute multiple instances (sessions) in parallel. Let ${\prod }_{i,j}^m$ denote the mth protocol session, which runs at party $I{D}_i$ (the owner) with intended partner party $I{D}_j$. Every session ${\prod }_{i,j}^m$ has internal state variables $Stat{e}_{i,j}^m$ and $tra{n}_{i,j}^m$ to record the state of ${\prod }_{i,j}^m$, and the transcript of messages sent and received by ${\prod }_{i,j}^m$, respectively. If ${\prod }_{i,j}^m$ can compute a session key $S{K}_{i,j}^m$, $Stat{e}_{i,j}^m=completed$. The messages in $tra{n}_{i,j}^m$ are ordered according to the protocol specification.
• Adversary Model. The adversary $\mathcal{M}$ is modeled as a PPT Turing machine and has full control of the communication network. Active attacks are formulated by allowing the adversary $\mathcal{M}$ to perform the following queries:

  –

  EphemeralKeyReveal (${\prod }_{i,j}^m$). The adversary $\mathcal{M}$ is provided the ephemeral private key of ${\prod }_{i,j}^m$.

  –

  SessionKeyReveal (${\prod }_{i,j}^m$). The session key held by a completed session ${\prod }_{i,j}^m$ is returned to $\mathcal{M}$.

  –

  Corrupt ($I{D}_i$). The long-term private key of $I{D}_i$ is returned to the adversary $\mathcal{M}$.

  –

  KGCStaticKeyReveal. The adversary $\mathcal{M}$ obtains the master key of KGC. This query is used to model master key forward secrecy.

  –

  RegCT ($I{D}_i$). Via this query, the adversary $\mathcal{M}$ is able to register a dishonest party with identity $I{D}_i$. Meanwhile, $\mathcal{M}$ obtains $I{D}_i$’s long-term private key and totally controls $I{D}_i$.

  –

  Send (${\prod }_{i,j}^m,M$). Via this query, the adversary $\mathcal{M}$ can send any message M to party $I{D}_i$ in session ${\prod }_{i,j}^m$ on behalf of party $I{D}_j$. The adversary $\mathcal{M}$ is responded to according to the protocol specification. ${\prod }_{i,j}^m$ can be initiated by $I{D}_i$ when $M=\lambda$. In general, for simplicity $I{D}_i\ne I{D}_j$ is required, i.e., two identical participants will not run a session. Internal states of ${\prod }_{i,j}^m$ should be maintained accordingly.

  –

  Test (${\prod }_{i,j}^m$). The input session ${\prod }_{i,j}^m$ must be fresh. In response to this query, ${\prod }_{i,j}^m$ flips a fair coin $b\in \{0,1\}$, and returns the real session key if $b=0$, or a random sample from the distribution of the session key if $b=1$.

• Security Experiment. The security experiment between the adversary $\mathcal{M}$ and the challenger $\mathcal{CH}$ consists of the following phases.

  –

  Setup. The challenger $\mathcal{CH}$ generates the system parameters along with the master private key and valid long-term secret keys for each party. The adversary $\mathcal{M}$ is then provided all public data, including the identities of all the honest parties.

  –

  The first phase of the game. Adversary $\mathcal{M}$ is allowed to issue a polynomial number of EphemeralKeyReveal, SessionKeyReveal, Corrupt, KGCStaticKeyReveal, RegCT, and Send queries in any order.

  –

  The second phase of the game. At some point, adversary $\mathcal{M}$ chooses a fresh session ${\prod }_{i,j}^m$ (see Definition 2) and issues a Test(${\prod }_{i,j}^m$) query at most once. After this, adversary $\mathcal{M}$ can keep asking other queries under the condition that the test session must remain fresh.

  –

  The end of the game.$\mathcal{M}$ makes a guess $b^{\prime }$ for b.

• Advantage.$\mathcal{M}$ wins the above security experiment if the test session ${\prod }_{i,j}^m$ is still fresh and $b^{\prime }=b$. The advantage of $\mathcal{M}$ in winning the above security experiment is defined as $Ad{v}^{AKE}\left(\mathcal{M}\right)=|2Pr\left[\mathcal{M}wins\right]-1|$, where $\mathcal{M}$ wins refers to $\mathcal{M}$ can distinguish the tested session key from a random string.

In the following, we introduce definitions for Matching Session, Freshness, and eCK Security.

Definition 1

(Matching Session). If two completed sessions ${\prod }_{i,j}^m$ and ${\prod }_{j,i}^n$ have the same message transcript, they are said to be matching.

Definition 2

(Freshness). Let ${\prod }_{i,j}^m$ be a completed session between honest party $I{D}_i$ and $I{D}_j$, ${\prod }_{i,j}^m$ is said to be fresh if none of the following three conditions hold:

(1) 

The adversary $\mathcal{M}$ knows the session key of ${\prod }_{i,j}^m$ or its matching session ${\prod }_{j,i}^n$ (if ${\prod }_{j,i}^n$ exists);

(2) 

${\prod }_{i,j}^m$ has a matching session ${\prod }_{j,i}^n$, and the adversary $\mathcal{M}$ knows both the long-term private key of participant $I{D}_i$ and the ephemeral private key of ${\prod }_{i,j}^m$, or both the long-term private key of participant $I{D}_j$ and the ephemeral private key of ${\prod }_{j,i}^n$.

(3) 

${\prod }_{i,j}^m$ has no matching session, and the adversary $\mathcal{M}$ knows both the long-term private key of participant $I{D}_i$ and the ephemeral private key of ${\prod }_{i,j}^m$, or the long-term private key of participant $I{D}_j$.

Remark 1.

The first condition in Definition 2 is to exclude the trivial attack that $\mathcal{M}$ obtains the session key directly. The second and third conditions in Definition 2 are to exclude the trivial attack that $\mathcal{M}$ obtains the long-term private key and the ephemeral private key of one party simultaneously. If ${\prod }_{i,j}^m$ has no matching session, it means that $\mathcal{M}$ has obtained the ephemeral private key of participant $I{D}_j$; therefore, $\mathcal{M}$ cannot obtain the long-term private key of $I{D}_j$.

Definition 3

(eCK Security). We say that an ID-AKA protocol is secure in the eCK model if the following conditions hold:

(1) 

If two honest parties successfully complete matching sessions, they both compute the same session key.

(2) 

For any PPT adversary,$\mathcal{M}$,$Ad{v}^{AKE}\left(\mathcal{M}\right)$is negligible in security parameter k.

Remark 2.

If a protocol is secure under Definition 3, then it achieves implicit mutual key authentication and the basic security properties, including weak perfect forward secrecy (wPFS), key compromise impersonation resilience (KCIR), ephemeral secrets reveal resistance (ESRR), known key security, no key control, resistance to basic impersonation attack, replay attack resilience, resistance to man-in-the-middle attack, and unknown key share resilience.

4. Cryptanalysis of Several ID-AKA Protocols

Figure 1 shows the network model for ID-AKA protocols considered in our paper. Here, user A, user B, and trusted authority (acts as KGC) are the three main parties of an ID-AKA protocol. A and B obtain their long-term private keys in the extract phase and use them to reach AKA each other. Next, this section provides the cryptanalysis of several ID-AKA protocols.

4.1. The PF-ID-2PAKA Protocol

PF-ID-2PAKA [21] is also composed of three stages, i.e., setup, extract, and key agreement. The former two stages are the same as those of the DXCLCZF-18 protocol [28]. Here, we only describe the key agreement stage in Figure 2.

4.1.1. Ephemeral Key Reveal Attack

Suppose that A’s ephemeral key $e_A$ is compromised by an adversary. Next, we show that the PF-ID-2PAKA protocol suffers from an ephemeral key reveal attack.

(1)

The adversary $\mathcal{M}$ initializes a session ${\prod }_{A,B}^{\ell }$ through the query Send(${\prod }_{A,B}^{\ell },\perp$), and then obtains the message $M_1=\{I{D}_A,R_A,T_A\}$, where $T_A=e_{A}P$ with a random element $e_A\in {\mathbb{Z}}_q^{*}$.

(2)

Upon receiving the message, $M_1$, $\mathcal{M}$ randomly picks an ephemeral private key $e_B^{\mathcal{M}}\in {\mathbb{Z}}_q^{*}$, calculates $T_B^{\mathcal{M}}=e_B^{\mathcal{M}}P-R_B-H_1(I{D}_B,R_B)P_{pub}$, and returns $M_2=\{I{D}_B,R_B,T_B^{\mathcal{M}}\}$ to ${\prod }_{A,B}^{\ell }$ impersonating B via the query Send(${\prod }_{A,B}^{\ell },M_2$). Note that B’s identity $I{D}_B$ and correct public key material $R_B$ can be obtained from the response of the query Send(${\prod }_{B,U}^t,\perp$).

(3)

Upon the receipt of $M_2$, A calculates the shared session key and completes this session. Specifically, A calculates $sk=H_2(I{D}_A\left|\right|$$I{D}_B\left|\right|T_A\left|\right|T_B^{\mathcal{M}}\left|\right|K_{AB}^1\left|\right|K_{AB}^2)$, where $K_{AB}^1=(s_A+e_A)(R_B+H_1(I{D}_B,R_B)P_{pub}+T_B^{\mathcal{M}})$ and $K_{AB}^2=e_A{T}_B^{\mathcal{M}}.$

(4)

Now, $\mathcal{M}$ performs the query EphemeralKeyReveal(${\prod }_{A,B}^{\ell }$) to reveal an ephemeral private key $e_A$. With the knowledge of $e_B^{\mathcal{M}}$ and $e_A$, $\mathcal{M}$ computes $K_{BA}^{1\mathcal{M}}=e_B^{\mathcal{M}}(R_A+H_1(I{D}_A,R_A)P_{pub}+T_A)$, $K_{BA}^{2\mathcal{M}}=e_A{T}_B^{\mathcal{M}}$, and $sk=H_2(I{D}_A\left|\right|$$I{D}_B\left|\right|T_A\left|\right|T_B^{\mathcal{M}}\left|\right|K_{BA}^{1\mathcal{M}}\left|\right|K_{BA}^{2\mathcal{M}})$.

Correctness. The following provides the correctness of the attack process.

As a result of $T_B^{\mathcal{M}}=e_B^{\mathcal{M}}P-R_B-H_1(I{D}_B,R_B)P_{pub}$, we can obtain

$$\begin{array}{cc}\hfill K_{AB}^1& =(s_A+e_A)(R_B+H_1(I{D}_B,R_B)P_{pub}+T_B^{\mathcal{M}})\hfill \\ \hfill & =(s_A+e_A)e_B^{\mathcal{M}}P\hfill \\ \hfill & =e_B^{\mathcal{M}}(s_{A}P+e_{A}P)\hfill \\ \hfill & =e_B^{\mathcal{M}}(R_A+H_1(I{D}_A,R_A)P_{pub}+T_A)\hfill \\ \hfill & =K_{BA}^{1\mathcal{M}}.\hfill \end{array}$$

Thus, A and $\mathcal{M}$ receive the same session key, which means that the PF-ID-2PAKA protocol suffers from an ephemeral key reveal attack. Note that our construction cannot suffer from the above attack as both of the two shared secrets not only depend on the ephemeral private key, but also depend on the long-term private key, and they are linearly independent. Therefore, it is impossible to remove the long-term private key from the two shared secrets simultaneously.

4.1.2. Flaws in the Security Proof

The PF-ID-2PAKA protocol can not be proved secure under the hardness of the GDH problem in Case 3 (i.e., $\mathcal{M}$ can neither obtain the long-term private key of $I{D}_A$ nor that of $I{D}_B$). Meanwhile, the ephemeral key $t_B$ of $I{D}_B$ may be created by $\mathcal{M}$, then $\mathcal{CH}$ cannot know $t_B$. In ignorance of $t_B$, $\mathcal{CH}$ does not calculate CDH$(U,V)=K_1-t_A(T_B+V)-t_{B}U$. Therefore, the challenger $\mathcal{CH}$ cannot solve the GDH instance.

4.2. The ZHWY-19 Protocol

Here, we only describe the key agreement stage of the ZHWY-19-I protocol [23] in Figure 3. For more details, one can refer to [23]. Note that Cheng et al. [39] pointed out that the ZHWY-19-I protocol [23] cannot achieve forward security and resist the key compromise impersonation attack. Here, we point out that this protocol is weak against the ephemeral key reveal attack and flaws in the security proof.

4.2.1. Ephemeral Key Reveal Attack

If $e_A$ and $e_B$ in a past session have been compromised by the adversary $\mathcal{M}$, $\mathcal{M}$ can compute the session key $sk$.

(1)

$\mathcal{M}$ accesses to $M_1=\{R_A,V_A,u_A\}$ and $M_2=\{R_B,V_B,T_B,T_A,ma{c}_B\}$ of the session.

(2)

Given {$I{D}_A,e_A,R_A$} and {$I{D}_B,e_B,R_B$}, $\mathcal{M}$ calculates the keys of $P{K}_A=R_A+H_1(I{D}_A\left|\right|$$R_A)P_{pub},P{K}_B=R_B+H_1(I{D}_B\left|\right|R_B)P_{pub}$, $K_1=e_{A}P{K}_B+e_{B}P{K}_A$, $K_2=e_A{e}_{B}P$, and $sk=H_2(I{D}_A\left|\right|I{D}_B\left|\right|T_A\left|\right|T_B\left|\right|K_1\left|\right|K_2)$ as the shared session key.

Thus, the ZHWY-19-I protocol is weak against the ephemeral secret key leakage. Note that they did not claim their protocol holds ephemeral key reveal resistance.

4.2.2. Flaws in the Security Proof

In the ZHWY-19-I protocol, the answer to oracle Corrupt($I{D}_i$) is improper. Actually, Corrupt($I{D}_i$) should return the long-term private key $(s_i,R_i,v_i,V_i)$ rather than $s_i$ to the adversary.

4.3. Mohammadali et al.’s Protocols

Mohammadali et al. [22] proposed two protocols, the NIKE protocol and the NIKE${}^{+}$ protocol. These two protocols contain three stages, namely setup, extract, and key agreement. The NIKE protocol is briefly shown in Figure 4. Note that, here, we did not analyze the flaws in the security proof as there was no security proof in [22].

4.3.1. The Insecurity of the KGC’s Master Key

If the user $A\left(Meter\right)$ and the user $B\left(AHE\right)$ launch collusion attacks, they can know the KGC’s master key s. As $y_A=H_2(I{D}_B,Y_B)s$, they can obtain $s=H_2{(I{D}_B,Y_B)}^{-1}{y}_A$ with the knowledge of $y_A$ and $Y_B$.

4.3.2. Key Compromise Impersonation (KCI) Attack

The NIKE protocol suffers from a key compromise impersonation (KCI) attack, i.e., if the user $B\left(AHE\right)$’s long-term private key $Y_B$ is compromised by $\mathcal{M}$, $\mathcal{M}$ can impersonate any user (say $A\left(Meter\right)$ ) with $B\left(AHE\right)$’s long-term private key $Y_B$ to communicate with $B\left(AHE\right)$. The details are as follows. Note that they did not claim their protocol held KCI resistance.

(1)

$\mathcal{M}$ obtains $I{D}_A,R_A$ by eavesdropping on a connection between $A\left(Meter\right)$ and any user. Then, $\mathcal{M}$ picks $e_A^{\mathcal{M}}\in {\mathbb{Z}}_q^{*}$ at random, calculates $T_A^{\mathcal{M}}=e_A^{\mathcal{M}}P-H_2(I{D}_B,Y_B)P_{pub}-R_A$, and sends $\{I{D}_A,T_A^{\mathcal{M}},R_A\}$ to $B\left(AHE\right)$.

(2)

Upon the receipt of $\{I{D}_A,T_A^{\mathcal{M}},R_A\}$, $B\left(AHE\right)$ generates $t_B,T_B,K_{BA},m_B$ according to the protocol.

(3)

Upon receiving $\{I{D}_B,T_B,m_B\}$, $\mathcal{M}$ calculates $K_{AB}^{\mathcal{M}}=e_A^{\mathcal{M}}{T}_B$, $m_A^{\mathcal{M}}=H_1(1,K_{AB}^{\mathcal{M}})$ and $SK=H_1(I{D}_A\left|\right|$$I{D}_B\left|\right|,K_{AB}^{\mathcal{M}})$, and finally sends $m_A^{\mathcal{M}}$ to $B\left(AHE\right)$.

(4)

Upon receiving $m_A^{\mathcal{M}}$, $B\left(AHE\right)$ verifies $m_A^{\mathcal{M}}$ is correct and computes the session key according to the protocol.

Correctness. The following provides the correctness of the attack process.

As $T_A^{\mathcal{M}}=e_A^{\mathcal{M}}P-H_2(I{D}_B,y_B)P_{pub}-R_A$ and $T_B=t_{B}P$, we can obtain

$$\begin{array}{cc}\hfill K_{BA}& =t_B(R_A+H_2(I{D}_A,Y_B)P_{pub}+T_A^{\mathcal{M}})\hfill \\ \hfill & =t_B(R_A+H_2(I{D}_A,Y_B)P_{pub}+e_A^{\mathcal{M}}P\hfill \\ \hfill & -H_2(I{D}_B,Y_B)P_{pub}-R_A)\hfill \\ \hfill & =t_B{e}_A^{\mathcal{M}}P\hfill \\ \hfill & =e_A^{\mathcal{M}}{T}_B\hfill \\ \hfill & =K_{AB}^{\mathcal{M}}.\hfill \end{array}$$

Thus, A and $\mathcal{M}$ obtain the same session key, which means that the NIKE protocol suffers from a KCI attack. The KCI attack on the NIKE${}^{+}$ protocol is the same as above.

5. Our General Construction

This section firstly provides the construction ${\sum }_{C_1,C_2,C_3,C_4}$, secondly show the construction ${\sum }_{C_1,C_2,C_3,C_4}$ is correct, and thirdly provides the security proof.

5.1. Construction Description

The ${\sum }_{C_1,C_2,C_3,C_4}$ is composed of three stages, i.e., setup, extract, and key agreement.

• Setup: Select security parameter k, KGC performs as follows:

  (1)

  Pick an elliptic curve $E/{\mathbb{F}}_p$, where ${\mathbb{F}}_p$ is a finite filed, and p is a prime number with k bits.

  (2)

  Create a cyclic additive group $\mathbb{G}$ with the order q, which is generated by a base point P over $E/{\mathbb{F}}_p$.

  (3)

  Choose $s\in {\mathbb{Z}}_q^{*}$ randomly, and then set the master private key s and the system public key $P_{pub}=sP$.

  (4)

  Pick $H_1:{\{0,1\}}^{*}\to {\mathbb{Z}}_q^{*}$ and $H_2:{\{0,1\}}^{*}\to {\{0,1\}}^k$.

  (5)

  Expose $\langle E/{\mathbb{F}}_p,\mathbb{G},q,P,P_{pub},H_1,$$H_2\rangle$, and meanwhile retain s unrevealed.

• Extract: KGC derives the long-term private key for user $I{D}_i\in {\{0,1\}}^{*}$ as below.

  (1)

  KGC randomly selects $r_i\in {\mathbb{Z}}_q^{*}$, and calculates $R_i=r_{i}P$ and $h_i=H_1(I{D}_i\left|\right|R_i)$.

  (2)

  KGC computes $s_i=r_i+h_{i}s$ mod q and derives $(s_i,R_i)$ as the user’s long-term private key.

  (3)

  KGC sends $(s_i,R_i)$ to the user securely.

  Upon receiving $(s_i,R_i)$, the user can verify $s_{i}P\stackrel{?}{=}{R}_i+H_1(I{D}_i\left|\right|R_i)P_{pub}$. If this verification succeeds, the key pair $(s_i,R_i)$ is correct and valid. $s_{i}P$ serves as the real public key in relation to $I{D}_i$.
• Key Agreement: Assume that user A with identity $I{D}_A$ hopes to compute a key with user B with identity $I{D}_B$.

  (1)

  A randomly picks an ephemeral secret key $e_A\in {\mathbb{Z}}_q^{*}$, calculates $T_A=e_{A}P$, and returns $M_1=\{I{D}_A,R_A,T_A\}$ to B. The agreement process in Figure 5.

  (2)

  When $\{I{D}_A,R_A,T_A\}$ is received, B picks an ephemeral secret key $e_B\in {\mathbb{Z}}_q^{*}$, calculates $T_B=e_{B}P$, and returns $\{I{D}_B,R_B,T_B\}$ to A. Next, B calculates $s{k}_{BA}=H_2(I{D}_A\left|\right|I{D}_B\left|\right|R_A\left|\right|R_B\left|\right|T_A\left|\right|T_B\left|\right|K_{BA}^1\left|\right|K_{BA}^2)$ as the shared session key, where $K_{BA}^1=(s_B+C_2{e}_B)(P{K}_A+C_1{T}_A)$, $K_{BA}^2=(s_B+C_4{e}_B)(P{K}_A+C_3{T}_A)$, $P{K}_A=R_A+H_1(I{D}_A\left|\right|R_A)P_{pub}$, $C_i(i=1,2,3,4)\in {\mathbb{Z}}_q^{*}$ and $C_1\ne C_3,C_2\ne C_4$. Finally, B sends $M_2=\{I{D}_B,R_B,T_B\}$ to A.

  (3)

  When $M_2=\{I{D}_B,R_B,T_B\}$ is received, A calculates $P{K}_B=R_B+H_1(I{D}_B\left|\right|R_B)P_{pub}$, and two shared secrets $K_{AB}^1=(s_A+C_1{e}_A)(P{K}_B+C_2{T}_B)$ and $K_{AB}^2=(s_A+C_3{e}_A)(P{K}_B+C_4{T}_B),$ where $C_i(i=1,2,3,4)\in {\mathbb{Z}}_q^{*}$ and $C_1\ne C_3,C_2\ne C_4$. Finally, A calculates the shared session key $s{k}_{AB}=H_2(I{D}_A\left|\right|I{D}_B\left|\right|R_A\left|\right|R_B\left|\right|T_A\left|\right|T_B\left|\right|$$K_{AB}^1\left|\right|K_{AB}^2)$.

Note that our construction provides a method to construct eCK secure ID-AKA protocols; however, parameters $C_1,C_2,C_3$, and $C_4$ should be fixed in the real execution environment. One can choose a concrete and efficient protocol derived from our construction to execute in the real environment, e.g., protocol ${\sum }_{1,1,-1,-1}$, protocol ${\sum }_{1,-1,-1,1}$ and protocol ${\sum }_{1,1,2,2}$ described in Section 6.

5.2. Construction Correctness

The following provides the correctness of our construction. As $P{K}_B=R_B+H_1(I{D}_B\left|\right|R_B)$$P_{pub}=s_{B}P$, $P{K}_A=R_A+H_1(I{D}_A\left|\right|R_A)P_{pub}=s_{A}P$, $T_A=e_{A}P$ and $T_B=e_{B}P$, we can obtain:

$$\begin{array}{cc}\hfill K_{AB}^1& =(s_A+C_1{e}_A)(P{K}_B+C_2{T}_B)\hfill \\ \hfill & =(s_A+C_1{e}_A)(s_{B}P+C_2{e}_{B}P)\hfill \\ \hfill & =(s_A+C_1{e}_A)(s_B+C_2{e}_B)P\hfill \\ \hfill & =(s_B+C_2{e}_B)(s_A+C_1{e}_A)P\hfill \\ \hfill & =(s_B+C_2{e}_B)(P{K}_A+C_1{T}_A)=K_{BA}^1=K_1;\hfill \end{array}$$

$$\begin{array}{cc}\hfill K_{AB}^2& =(s_A+C_3{e}_A)(P{K}_B+C_4{T}_B)\hfill \\ \hfill & =(s_A+C_3{e}_A)(s_{B}P+C_4{e}_{B}P)\hfill \\ \hfill & =(s_A+C_3{e}_A)(s_B+C_4{e}_B)P\hfill \\ \hfill & =(s_B+C_4{e}_B)(s_A+C_3{e}_A)P\hfill \\ \hfill & =(s_B+C_4{e}_B)(P{K}_A+C_3{T}_A)=K_{BA}^2=K_2.\hfill \end{array}$$

Thus both A and B compute $s{k}_{AB}=s{k}_{BA}=sk=H_2(I{D}_A\left|\right|I{D}_B\left|\right|R_A\left|\right|R_B\left|\right|T_A\left|\right|T_B\left|\right|K_1\left|\right|$$K_2)$ as their session key. Hence the correctness holds.

5.3. Security Proof

Here, the events in our security proof are complementary, while they are not complementary in [27], and the security proof can be reduced to the following theorems.

Theorem 1.

Provide two random oracles, $H_1$ and $H_2$, the proposed ID-AKA protocol is secure in the eCK model based on the GDH assumption over the elliptic curve group.

Proof. 

This theorem is under the condition that the two conditions shown in Definition 3 hold. The correctness analysis shows that the first condition stands. The second condition would be proven by contradiction, i.e., there is an adversary who can execute a PPT algorithm to win the game with non-negligible probability, we can use $\mathcal{M}$ to create a GDH solver $\mathcal{CH}$ who can find a solution for the GDH instance. □

Assume $\mathcal{M}$ is a polynomially (in security parameter k) bounded adversary whose advantage is $Ad{v}_{\mathcal{M}}\left(k\right)$. Suppose that $\mathcal{M}$ activates no more than $n_p\left(k\right)$ different honest parties, and each party can take part in no more than $n_s\left(k\right)$ sessions. Suppose that $\mathcal{M}$ chooses ${\prod }_{a,b}^n$, the nth protocol session which executes between party $I{D}_a$ (the owner) and the target party $I{D}_b$ (the peer) as the test session. Assume that $\mathcal{M}$ performs, at most, $n_h\left(k\right)$$H_2$ queries.

According to $Ad{v}^{AKE}\left(\mathcal{M}\right)=|2Pr\left[\mathcal{M}wins\right]-1|$, we can derive that $Pr\left[\mathcal{M}wins\right]$ is non-negligible as $Ad{v}^{AKE}\left(\mathcal{M}\right)$ is non-negligible. As $H_2$ is modeled as a random oracle, $\mathcal{M}$ can make a clear distinction between a random string and the tested session key in the following three ways:

A1.

Guessing attack: $\mathcal{M}$ directly guesses the correct session key.

A2.

Key replication attack: $\mathcal{M}$ successfully creates a session that cannot match the test session while holding the same session key. Here, $\mathcal{M}$ can obtain the test session key by querying the non-matching session key.

A3.

Forging attack: Sometimes, $\mathcal{M}$ makes $H_2$ queries on $(I{D}_a,I{D}_b,R_a,R_b,$$T_a,T_b,K_1,K_2)$ in the test session. Here, $\mathcal{M}$ calculates $K_1$ and $K_2$ itself.

The guessing of $H_2$’s output is with the negligible probability $\mathcal{O}(1/2^k)$. If two sessions are different, $H_2$ has the same input by probability $\mathcal{O}(n_s{\left(k\right)}^2/2^k)$, which is also negligible. Then, $\mathcal{M}$ can provide the difference between a random string and the tested session key only by forging attack.

Next, a reduction approach is applied to analyze the forging attack. This approach reduces the protocol security to the hardness of mathematical problems in the GDH assumption. By making assumptions about the adversary, a challenger can solve a GDH instance with the queried data and forged session key derived by a query-respond game between them. As the GDH instance cannot be solved with the current computation ability in polynomial time, the assumptions about the adversary are invalid, and the proposed ID-AKA protocols are secure.

Now, the detailed descriptions of the reduction proofs are as follows.

If $\mathcal{M}$ can successfully execute forging attack with non-negligible probability $Ad{v}_{\mathcal{M}}^F\left(k\right)$, we will use $\mathcal{M}$ to create a GDH solver $\mathcal{CH}$ to find a solution for the GDH instance with $Ad{v}_{\mathcal{S}}^{GDH}\left(k\right)$. Here, GDH instance is $(U=uP,V=vP)$, and $u,v\in {\mathbb{Z}}_q^{*},P\in \mathbb{G}$, $\mathcal{CH}$ plans to calculate GDH$(U,V)=uvP$ performing the DDH oracle. $\mathcal{CH}$ acts as a challenger that performs the eCK game with $\mathcal{M}$ and makes response for $\mathcal{M}$’s queries.

Before the game starts, $\mathcal{CH}$ guesses the test session that $\mathcal{M}$’s choices is ${\prod }_{a,b}^n$ with a correct probability at least $1/n_p{\left(k\right)}^2{n}_s\left(k\right)$. Next, $\mathcal{CH}$ needs to guess the strategy that $\mathcal{M}$ adopts. Then, according to Definition 2, test session ${\prod }_{a,b}^n$ has the matching session ${\prod }_{b,a}^l$, then $\mathcal{M}$ can only passively forward messages between participant $I{D}_a$ and participant $I{D}_b$, i.e., messages including public key materials and ephemeral keys of ${\prod }_{a,b}^n$ and ${\prod }_{b,a}^l$ are selected by $\mathcal{CH}$. Test session ${\prod }_{a,b}^n$ has no matching session, then $\mathcal{M}$ alters some messages at its own will, i.e., messages including the public key material and the ephemeral key of ${\prod }_{a,b}^n$ are chosen by $\mathcal{CH}$, and another one of $I{D}_b$ is chosen by $\mathcal{M}$, and, thus, for $I{D}_b$, $\mathcal{CH}$ can only consider the long-term private key of $I{D}_b$. With the former analysis and the freeness definition, $\mathcal{CH}$ guesses the operation that $\mathcal{M}$ selects one of the following six complementary choices. Note that, strictly speaking, the ephemeral private key of $I{D}_a$ refers to ${\prod }_{a,b}^n$’s ephemeral private key, and the ephemeral private key of $I{D}_b$ refers to the matching session ${\prod }_{b,a}^l$’s ephemeral private key.

S1:

${\prod }_{a,b}^n$ has ${\prod }_{b,a}^l$, and $\mathcal{M}$ obtains neither the long-term private key of $I{D}_a$ nor the ephemeral private key of $I{D}_b$.

S2:

${\prod }_{a,b}^n$ has ${\prod }_{b,a}^l$, and $\mathcal{M}$ cannot obtain any information about the ephemeral private keys of $I{D}_a$ and $I{D}_b$.

S3:

${\prod }_{a,b}^n$ has ${\prod }_{b,a}^l$, and $\mathcal{M}$ knows neither the ephemeral private key of $I{D}_a$ nor the long-term private key of $I{D}_b$.

S4:

${\prod }_{a,b}^n$ has ${\prod }_{b,a}^l$, and $\mathcal{M}$ cannot obtain any information about the long-term private keys of $I{D}_a$ and $I{D}_b$.

S5:

${\prod }_{a,b}^n$ does not have a matching session, and $\mathcal{M}$ knows neither the ephemeral private key of $I{D}_a$ nor the long-term private key of $I{D}_b$.

S6:

${\prod }_{a,b}^n$ does not have a matching session, and $\mathcal{M}$ does not know any information about the long-term private keys of $I{D}_a$ and $I{D}_b$.

One of the former operation successes is if $\mathcal{M}$ succeeds in a forging attack with non-negligible probability. Therefore, the assumption about adversary $\mathcal{M}$ is invalid, and the proposed ID-AKA protocol is secure in the eCK model.

5.3.1. The Analysis of Strategy S1

In this subsection, we analyze strategy S1.

• Setup: $\mathcal{CH}$ initializes a list ${Setup}^{list}$ with entries of $(I{D}_i,(d_i,R_i),P{K}_i)$. $\mathcal{CH}$ creates the system parameters and long-term private keys of all parties as follows.

  –

  $\mathcal{CH}$ picks $P_{pub}\in \mathbb{G}$ at random, and exposes $\langle E/{\mathbb{F}}_p,\mathbb{G},q,P,P_{pub},H_1,$$H_2\rangle$. Thus, $\mathcal{CH}$ cannot obtain any information about KGC’s master key.

  –

  For $I{D}_a$, $\mathcal{CH}$ sets the long-term private key $(\perp ,R_a)$, where $h_a{\in }_R{\mathbb{Z}}_q^{*}$, $R_a=U-h_a{P}_{pub}$. Thus, $P{K}_a=R_a+h_a{P}_{pub}=U$.

  –

  For $I{D}_i(i\ne a)$, $\mathcal{CH}$ sets the long-term private key $(s_i,R_i)$, where $h_i,s_i{\in }_R{\mathbb{Z}}_q^{*}$, $R_i=s_{i}P-h_i{P}_{pub}$. Thus, $P{K}_i=R_i+h_i{P}_{pub}=s_{i}P$.

  –

  For every participant, $\mathcal{CH}$ transfers $(I{D}_i,R_i)$ to $\mathcal{M}$, and stores the tuple $(I{D}_i,(d_i,R_i),$$P{K}_i)$ and $(I{D}_i,R_i,h_i)$ in ${Setup}^{list}$ and ${H_1}^{list}$ (described later), respectively.

• Queries: $\mathcal{CH}$ maintains four lists, ${H_1}^{list}$, ${H_2}^{list}$, ${Send}^{list}$, and $R^{list}$, which are initially empty and used to record $H_1$, $H_2$, Send, and SessionKeyReveal oracles, respectively. $\mathcal{CH}$ starts $\mathcal{M}$ by answering $\mathcal{M}$’s queries, as follows.

  –

  $H_1(I{D}_i,R_i)$: If an entry $(I{D}_i,R_i,h_i)$ is recorded in ${H_1}^{list}$, $\mathcal{CH}$ responds with $h_i$. Then, $\mathcal{CH}$ randomly selects $h_i\in {\mathbb{Z}}_q^{*}$, appends $(I{D}_i,R_i,h_i)$ to ${H_1}^{list}$, and sends $h_i$ back to $\mathcal{M}$.

  –

  $H_2(I{D}_i,I{D}_j,R_i,R_j,T_i,T_j,K_1,K_2)$: List ${H_2}^{list}$ is with $(I{D}_i,I{D}_j,$$R_i,R_j,T_i,T_j,K_1,K_2,h_2)$.

  *

  If a matching entry $(I{D}_i,I{D}_j,R_i,R_j,$$T_i,T_j,K_1,K_2,h_2)$ is stored in ${H_2}^{list}$, $\mathcal{CH}$ replies with $h_2$.

  *

  Else, $\mathcal{CH}$ seeks $(*,I{D}_i,I{D}_j,$$R_i,R_j,T_i,T_j,*)$ in $R^{list}$. Then, if such an entry exists, $\mathcal{CH}$ sees if $K_1$ and $K_2$ are produced correctly by validating DDH($P{K}_i+C_1{T}_i,P{K}_j+C_2{T}_j,K_1)\stackrel{?}{=}1$ and DDH($P{K}_i+C_3{T}_i,P{K}_j+C_4{T}_j,K_2)\stackrel{?}{=}1$, respectively, where $P{K}_i=R_i+H_1(I{D}_i,R_i)P_{pub}$ and $P{K}_j=R_j+H_1(I{D}_j,R_j)P_{pub}$. If both verifications pass, $\mathcal{CH}$ receives the corresponding $S{K}_{i,j}^m$ and sets $h_2\leftarrow S{K}_{i,j}^m$. Otherwise (at least one verification fails or none), $\mathcal{CH}$ picks $h_2\in {\{0,1\}}^k$ at random. Finally, $\mathcal{CH}$ inserts the tuple $(I{D}_i,I{D}_j,T_i,T_j,K_1,K_2,h_2)$ into ${H_2}^{list}$ and provides $h_2$ as the answer.

  –

  Corrupt($I{D}_i$): If $I{D}_i=I{D}_a$, $\mathcal{CH}$ discontinues. Otherwise, $\mathcal{CH}$ responds with $s_i$.

  –

  KGCStaticKeyReveal: $\mathcal{CH}$ discontinues.

  –

  EphemeralKeyReveal(${\prod }_{i,j}^m$): If ${\prod }_{i,j}^m={\prod }_{b,a}^l$, $\mathcal{CH}$ discontinues. Otherwise, $\mathcal{CH}$ provides the stored ephemeral key $r_{i,j}^m$ as the answer.

  –

  Send(${\prod }_{i,j}^m$,M): List ${Send}^{list}$ is with $({\prod }_{i,j}^m,tra{n}_{i,j}^m,r_{i,j}^m,Stat{e}_{i,j}^m)$, where $tra{n}_{i,j}^m$, $r_{i,j}^m$ and $Stat{e}_{i,j}^m$ are the transcript by now, the ephemeral secret key, and the state by now, respectively.

  *

  If M is the second message on the transcript, $\mathcal{CH}$ sets $Stat{e}_{i,j}^m=completed$ and updates ${Send}^{list}$.

  *

  Else $\mathcal{CH}$ executes as follows.

  ·

  If ${\prod }_{i,j}^m={\prod }_{b,a}^l$, $\mathcal{CH}$ sets $r_{i,j}^m=\perp$, gets $R_b$ from ${Setup}^{list}$ and replies with $\{I{D}_b,R_b,V\}$.

  ·

  Else $\mathcal{CH}$ randomly chooses $r_{i,j}^m\in {\mathbb{Z}}_q^{*}$, obtains $R_i$ from ${Setup}^{list}$ and replies with $\{I{D}_i,R_i,r_{i,j}^{m}P\}$.

  ·

  Finally, $\mathcal{CH}$ updates ${Send}^{list}$, and updates $Stat{e}_{i,j}^m$ to $completed$ if the newly generated message is the second message on the transcript.

  –

  SessionKeyReveal(${\prod }_{i,j}^m$): List $R^{list}$ is of the form $({\prod }_{i,j}^m,I{D}_{ini},I{D}_{resp},R_{ini},R_{resp},T_{ini},$$T_{resp},S{K}_{i,j}^m)$, where $ini\in \{i,j\}$ and $resp\in \{i,j\}$ denote the initiator and the responder of ${\prod }_{i,j}^m$, respectively.

  *

  $\mathcal{CH}$ receives $Stat{e}_{i,j}^m$ from ${Send}^{list}$. If $Stat{e}_{i,j}^m\ne completed$, $\mathcal{CH}$ returns ⊥.

  *

  Else if ${\prod }_{i,j}^m={\prod }_{a,b}^n$ or ${\prod }_{i,j}^m={\prod }_{b,a}^l$, $\mathcal{CH}$ aborts.

  *

  Else if the session key $S{K}_{i,j}^m$ already exists, $\mathcal{CH}$ responds with $S{K}_{i,j}^m$.

  *

  Else $\mathcal{CH}$ obtains $\{I{D}_{ini},R_{ini},T_{ini}\}$ and $\{I{D}_{resp},R_{resp},T_{resp}\}$ from ${Send}^{list}$, and looks up ${H_2}^{list}$ to see if there is a tuple $(*,I{D}_{ini},I{D}_{resp},$$R_{ini},R_{resp},T_{ini},T_{resp},*)$. Then, if it exists, $\mathcal{CH}$ sees if $K_1$ and $K_2$ are produced correctly by validating DDH($P{K}_{ini}+C_1{T}_{ini},P{K}_{resp}+C_3{T}_{resp},K_1)\stackrel{?}{=}1$ and DDH($P{K}_{ini}+C_3{T}_{ini},P{K}_{resp}$$+C_4{T}_{resp},K_2)\stackrel{?}{=}1$, respectively, where $P{K}_{ini}=R_{ini}+H_1(I{D}_{ini},R_{ini})P_{pub}$ and $P{K}_{resp}=R_{resp}+H_1(I{D}_{resp},R_{resp})P_{pub}$. If both verifications pass, $\mathcal{CH}$ receives the corresponding $h_2$ and sets $S{K}_{i,j}^m\leftarrow h_2$. Otherwise (at least one verification fails or no such a tuple exists), $\mathcal{CH}$ picks $S{K}_{i,j}^m\in {\{0,1\}}^k$ at random. Finally, $\mathcal{CH}$ inserts the tuple $({\prod }_{i,j}^m,I{D}_{ini},I{D}_{resp},R_{ini},R_{resp},T_{ini},T_{resp},$$S{K}_{i,j}^m)$ into $R^{list}$ and returns $S{K}_{i,j}^m$.

  –

  Test(${\prod }_{i,j}^m$): If ${\prod }_{i,j}^m={\prod }_{a,b}^n$, $\mathcal{CH}$ picks $\xi \in {\{0,1\}}^k$ at random and sends $\xi$ back to $\mathcal{M}$. Otherwise, $\mathcal{CH}$ aborts.

• Analysis: If $\mathcal{M}$ can successfully execute a forging attack in Strategy S1 with non-negligible probability, the following conditions should be met.

  (1)

  $\mathcal{CH}$ continues following the above simulation. If $\mathcal{M}$ chooses Strategy S1, with ${\prod }_{a,b}^n$ and ${\prod }_{b,a}^l$ as the test session and its corresponding matching session, respectively, this condition can be met.

  (2)

  For the test session ${\prod }_{a,b}^n$, adversary $\mathcal{M}$ must have conducted $H_2$ queries on the values $\{I{D}_a,I{D}_b,R_a,R_b,T_a,$$V,K_1,K_2\}$, where $R_a$ and $R_b$ are the public key materials of $I{D}_a$ and $I{D}_b$ picked by the challenger $\mathcal{CH}$, respectively, $T_a$ and V are the outgoing messages of $I{D}_a$ and $I{D}_b$ picked by the challenger $\mathcal{CH}$, respectively, and $K_1$ and $K_2$ are correctly formed.

  *

  If ${\prod }_{a,b}^n$ is an initiator, the correct input of $H_2$ should be $(I{D}_a,I{D}_b,R_a,R_b,T_a,V,$$K_1,K_2)$, where $K_1=(DLOG\left(U\right)+C_1{r}_{a,b}^n)(R_b+h_b{P}_{pub}+C_{2}V)$, $K_2=(DLOG$$\left(U\right)+C_3{r}_{a,b}^n)(R_b+h_b{P}_{pub}+C_{4}V)$, and $h_b=H_1(I{D}_b,R_b)$.

  *

  If ${\prod }_{a,b}^n$ is a responder, the correct input of $H_2$ should be $(I{D}_b,I{D}_a,R_b,R_a,V,T_a,$$K_1,K_2)$, where $K_1=(DLOG\left(U\right)+C_2{r}_{a,b}^n)(R_b+h_b{P}_{pub}+C_{1}V)$, $K_2=(DLOG$$\left(U\right)+C_4{r}_{a,b}^n)(R_b+h_b{P}_{pub}+C_{3}V)$, and $h_b=H_1(I{D}_b,R_b)$.

  Finally, $\mathcal{CH}$ receives the item in ${H_2}^{list}$ and outputs GDH$(U,V)={(C_2-C_4)}^{-1}(K_1-K_2+r_{a,b}^n(C_3-C_1)(R_b+h_b{P}_{pub})$$+r_{a,b}^n(C_3{C}_4-C_1{C}_2)V)$ if ${\prod }_{a,b}^n$ is an initiator or GDH$(U,V)={(C_1-C_3)}^{-1}(K_1-K_2+r_{a,b}^n(C_4-C_2)(R_b+h_b{P}_{pub})$$+r_{a,b}^n(C_3{C}_4-C_1{C}_2)V)$ if ${\prod }_{a,b}^n$ is a responder by the knowledge of $r_{a,b}^n$. Note that since $C_i(i=1,2,3,4)\in {\mathbb{Z}}_q^{*}$ and $C_1\ne C_3,C_2\ne C_4$, the solution of GDH$(U,V)$ is correct. The $\mathcal{CH}$ success rate is at least

  $$Ad{v}_{\mathcal{S}}^{GDH}\left(k\right)>=\frac{Ad{v}_{\mathcal{M}}^F\left(k\right)}{6n_h\left(k\right)n_p{\left(k\right)}^2{n}_s{\left(k\right)}^2}.$$
  As $Ad{v}_{\mathcal{M}}^F\left(k\right)$ is non-negligible, $Ad{v}_{\mathcal{S}}^{GDH}\left(k\right)$ can also be seen as non-negligible. Now, it derives the contradiction of the GDH assumption.

5.3.2. The Analysis of Strategy S2

In this subsection, we analyze strategy S2.

• Setup: ${Setup}^{list}$ is an initially empty list with $(I{D}_i,(d_i,R_i),$$P{K}_i)$. $\mathcal{CH}$ creates the system parameters and all parties’ long-term private keys as follows.

  –

  $\mathcal{CH}$ picks $s\in {\mathbb{Z}}_q^{*}$ at random, computes $P_{pub}=sP$, and exposes system parameters $\langle E/{\mathbb{F}}_p,\mathbb{G},q,P,P_{pub},$$H_1,H_2\rangle$. Thus, $\mathcal{CH}$ cannot obtain any information about KGC’s master key.

  –

  For $I{D}_i$, $\mathcal{CH}$ sets the long-term private key $(s_i,R_i)$, where $h_i,s_i{\in }_R{\mathbb{Z}}_q^{*}$, $R_i=s_{i}P-h_i{P}_{pub}$. Thus, $P{K}_i=R_i+h_i{P}_{pub}=s_{i}P$.

  –

  For every participant, $\mathcal{CH}$ transfers $(I{D}_i,R_i)$ to $\mathcal{M}$, and stores the tuple $(I{D}_i,(d_i,R_i),$$P{K}_i)$ and $(I{D}_i,R_i,h_i)$ in ${Setup}^{list}$ and ${H_1}^{list}$ (described later), respectively.

• Queries: $\mathcal{CH}$ maintains four lists ${H_1}^{list}$, ${H_2}^{list}$, ${Send}^{list}$, and $R^{list}$ to store $H_1$, $H_2$, Send, and SessionKeyReveal oracles, respectively. $\mathcal{CH}$ performs the queries game with $\mathcal{M}$ as follows:

  –

  $H_1(I{D}_i,R_i)$, SessionKeyReveal(${\prod }_{i,j}^m$), Test(${\prod }_{i,j}^m$), and $H_2(I{D}_i,I{D}_j,R_i,R_j,T_i,T_j,K_1,$$K_2)$: These four queries are described in the same as those in Strategy S1.

  –

  Corrupt($I{D}_i$): $\mathcal{CH}$ responds with $(s_i,R_i)$.

  –

  KGCStaticKeyReveal: $\mathcal{CH}$ responds with s to $\mathcal{M}$.

  –

  EphemeralKeyReveal(${\prod }_{i,j}^m$): If ${\prod }_{i,j}^m={\prod }_{a,b}^n$ or ${\prod }_{i,j}^m={\prod }_{b,a}^l$, $\mathcal{CH}$ discontinues. Otherwise, $\mathcal{CH}$ provides the stored ephemeral key $r_{i,j}^m$ as the answer.

  –

  Send(${\prod }_{i,j}^m$,M): List ${Send}^{list}$ has $({\prod }_{i,j}^m,tra{n}_{i,j}^m,r_{i,j}^m,Stat{e}_{i,j}^m)$, where $tra{n}_{i,j}^m$, $r_{i,j}^m$ and $Stat{e}_{i,j}^m$ are the transcript by now, the ephemeral secret key, and the state by now, respectively.

  *

  If M is the second message on the transcript, $\mathcal{CH}$ sets $Stat{e}_{i,j}^m=completed$ and updates ${Send}^{list}$.

  *

  Else $\mathcal{CH}$ performs the following steps.

  ·

  If ${\prod }_{i,j}^m={\prod }_{a,b}^n$, $\mathcal{CH}$ sets $r_{i,j}^m=\perp$, receives $R_a$ from ${Setup}^{list}$, and replies with $\{I{D}_a,R_a,U\}$.

  ·

  Else If ${\prod }_{i,j}^m={\prod }_{b,a}^l$, $\mathcal{CH}$ sets $r_{i,j}^m=\perp$, receives $R_b$ from ${Setup}^{list}$, and replies with $\{I{D}_b,R_b,V\}$.

  ·

  Else $\mathcal{CH}$ randomly chooses $r_{i,j}^m\in {\mathbb{Z}}_q^{*}$, obtains $R_i$ from ${Setup}^{list}$, and replies with $\{I{D}_i,R_i,r_{i,j}^{m}P\}$.

  ·

  Finally, $\mathcal{CH}$ updates ${Send}^{list}$, and updates $Stat{e}_{i,j}^m$ to $completed$ if the newly generated message is the second message on the transcript.

• Analysis: Here, we assume that ${\prod }_{a,b}^n$ is an initiator here. If $\mathcal{M}$ indeed chooses Strategy S2, ${\prod }_{a,b}^n$ and ${\prod }_{b,a}^l$ as the test session and its matching session, respectively, then $\mathcal{CH}$ continues this simulation. If $\mathcal{M}$ successfully executes the forging attack, it must have queried oracle $H_2(I{D}_a,I{D}_b,R_a,R_b,U,$$V,K_1,K_2)$, where $R_a,R_b,U$, and V are all picked by the challenger $\mathcal{CH}$, $K_1=(s_a+C_{1}DLOG\left(U\right))(R_b+h_b{P}_{pub}+C_{2}V)$, $K_2=(s_a+C_{3}DLOG\left(U\right))(R_b+h_b{P}_{pub}+C_{4}V)$, and $h_b=H_1(I{D}_b,R_b)$.
  Finally, $\mathcal{CH}$ receives the item in ${H_2}^{list}$, and outputs GDH$(U,V)={\left(C_1{C}_3(C_2-C_4)\right)}^{-1}(C_3{K}_1$$-C_1{K}_2+s_a(C_1-C_3)(R_b+h_b{P}_{pub})+s_a(C_1{C}_4-C_2{C}_3)V)$ by the knowledge of $s_a$. Note that as $C_i(i=1,2,3,4)\in {\mathbb{Z}}_q^{*}$ and $C_1\ne C_3,C_2\ne C_4$, the solution of GDH$(U,V)$ is correct. $\mathcal{CH}$’s success probability is at least

  $$Ad{v}_{\mathcal{S}}^{GDH}\left(k\right)>=\frac{Ad{v}_{\mathcal{M}}^F\left(k\right)}{6n_h\left(k\right)n_p{\left(k\right)}^2{n}_s{\left(k\right)}^2}.$$
  As $Ad{v}_{\mathcal{M}}^F\left(k\right)$ is non-negligible, $Ad{v}_{\mathcal{S}}^{GDH}\left(k\right)$ can also be seen as also non-negligible. Now, it derives the contradiction of the GDH assumption.

5.3.3. The Analysis of Strategy S3

Here, we omit the detailed analysis of Strategy S3 as the analysis is almost the same as that for Strategy S1.

5.3.4. The Analysis of Strategy S4

In this subsection, we analyze strategy S4.

• Setup: $\mathcal{CH}$ initializes a list ${Setup}^{list}$ with $(I{D}_i,(d_i,R_i),$$P{K}_i)$. $\mathcal{CH}$ creates the system parameters and all parties’ long-term private keys.

  –

  $\mathcal{CH}$ picks $P_{pub}\in \mathbb{G}$ at random, and exposes $\langle E/{\mathbb{F}}_p,\mathbb{G},$$q,P,P_{pub},H_1,$$H_2\rangle$. Thus, $\mathcal{CH}$ does not obtain any information about KGC’s master key.

  –

  For $I{D}_a$, $\mathcal{CH}$ sets the long-term private key $(\perp ,R_a)$, where $h_a{\in }_R{\mathbb{Z}}_q^{*}$, $R_a=U-h_a{P}_{pub}$. Thus, $P{K}_a=R_a+h_a{P}_{pub}=U$.

  –

  For $I{D}_b$, $\mathcal{CH}$ sets the long-term private key $(\perp ,R_b)$, where $h_b{\in }_R{\mathbb{Z}}_q^{*}$, $R_b=V-h_b{P}_{pub}$. Thus, $P{K}_b=R_b+h_b{P}_{pub}=V$.

  –

  For $I{D}_i(i\ne a,i\ne b)$, $\mathcal{CH}$ sets the long-term private key $(s_i,R_i)$, where $h_i,s_i{\in }_R{\mathbb{Z}}_q^{*}$, $R_i=s_{i}P-h_i{P}_{pub}$. Thus, $P{K}_i=R_i+h_i{P}_{pub}=s_{i}P$.

  –

  For every participant, $\mathcal{CH}$ transfers $(I{D}_i,R_i)$ to $\mathcal{M}$, and stores $(I{D}_i,(d_i,R_i),P{K}_i)$ and $(I{D}_i,R_i,h_i)$ in ${Setup}^{list}$ and ${H_1}^{list}$ (described later), respectively.

• Queries: $\mathcal{CH}$ maintains four lists ${H_1}^{list}$, ${H_2}^{list}$, ${Send}^{list}$, and $R^{list}$, which are initially empty and used for recording $H_1$, $H_2$, Send, and SessionKeyReveal oracles, respectively. $\mathcal{CH}$ performs the queries game with $\mathcal{M}$ as follows:

  –

  $H_1(I{D}_i,R_i)$, SessionKeyReveal(${\prod }_{i,j}^m$), Test(${\prod }_{i,j}^m$), $H_2(I{D}_i,I{D}_j,R_i,R_j,$$T_i,T_j,K_1,K_2)$, and KGCStaticKeyReveal: These five queries are described in the same way as those in Strategy S1.

  –

  Corrupt($I{D}_i$): If $I{D}_i=I{D}_a$ or $I{D}_i=I{D}_b$, $\mathcal{CH}$ discontinues. Otherwise, $\mathcal{CH}$ responds with $(s_i,R_i)$.

  –

  EphemeralKeyReveal(${\prod }_{i,j}^m$): $\mathcal{CH}$ responses with $r_{i,j}^m$.

  –

  Send(${\prod }_{i,j}^m$,M): List ${Send}^{list}$ is of the form $({\prod }_{i,j}^m,tra{n}_{i,j}^m,r_{i,j}^m,Stat{e}_{i,j}^m)$, where $tra{n}_{i,j}^m$, $r_{i,j}^m$, and $Stat{e}_{i,j}^m$ are the transcript by now, the ephemeral secret key, and the state by now, respectively.

  *

  If M is the second message on the transcript, $\mathcal{CH}$ sets $Stat{e}_{i,j}^m=completed$ and updates ${Send}^{list}$.

  *

  Else $\mathcal{CH}$ randomly chooses $r_{i,j}^m\in {\mathbb{Z}}_q^{*}$, obtains $R_i$ from ${Setup}^{list}$, and replies with $\{I{D}_i,R_i,r_{i,j}^{m}P\}$. Then, $\mathcal{CH}$ updates ${Send}^{list}$, and updates $Stat{e}_{i,j}^m$ to $completed$ if the newly generated message is the second message on the transcript.

• Analysis: Here, we assume that ${\prod }_{a,b}^n$ is an initiator. If $\mathcal{M}$ selects Strategy S4, ${\prod }_{a,b}^n$ and ${\prod }_{b,a}^l$ as the test session and its matching session, then $\mathcal{CH}$ does not abort in the simulation. If $\mathcal{M}$ successfully performs the forging attack, it must have queried oracle $H_2(I{D}_a,I{D}_b,U-h_a{P}_{pub},V-h_b{P}_{pub},T_a,T_b,K_1,K_2)$, where $T_a,T_b,U$, and V are all picked by the challenger $\mathcal{CH}$, $K_1=(DLOG\left(U\right)+C_1{r}_{a,b}^n)(V+C_2{T}_b)$, $K_2=(DLOG\left(U\right)+C_3{r}_{a,b}^n)(V+C_4{T}_b)$, $h_a=H_1(I{D}_a,R_a)$, and $h_b=H_1(I{D}_b,R_b)$.
  Finally, $\mathcal{CH}$ receives the item in ${H_2}^{list}$, and outputs GDH$(U,V)={(C_4-C_2)}^{-1}(C_4{K}_1-C_2{K}_2+r_{a,b}^n(C_2{C}_3-C_{1}C4)V$$+r_{a,b}^n{C}_2{C}_4(C_3-C_1)T_b)$ by the knowledge of $r_{a,b}^n$. Note that as $C_i(i=1,2,3,4)\in {\mathbb{Z}}_q^{*}$ and $C_1\ne C_3,C_2\ne C_4$, the solution of GDH$(U,V)$ is correct. $\mathcal{CH}$’s success probability is at least

  $$Ad{v}_{\mathcal{S}}^{GDH}\left(k\right)>=\frac{Ad{v}_{\mathcal{M}}^F\left(k\right)}{6n_h\left(k\right)n_p{\left(k\right)}^2{n}_s{\left(k\right)}^2}.$$
  As $Ad{v}_{\mathcal{M}}^F\left(k\right)$ is non-negligible, $Ad{v}_{\mathcal{S}}^{GDH}\left(k\right)$ can also be seen as non-negligible. Now, it derives the contradiction of the GDH assumption.

5.3.5. The Analysis of Strategy S5

${\prod }_{a,b}^n$ has no matching session in strategy S5, thus at least one of $I{D}_b$’s public key material $R_b$ and $I{D}_b$’s ephemeral private key is chosen by $\mathcal{M}$. If the adversary selects $R_b$ themselves, then the change in $R_b$ means the change in the $I{D}_b$’s long-term private key $s_b$. Hence, a GDH instance cannot be embedded in the long-term private key in strategy S5.

• Setup: ${Setup}^{list}$ is an initially empty list and $(I{D}_i,(d_i,R_i),$$P{K}_i)$ is needed in this phase. $\mathcal{CH}$ creates the system parameters and all parties’ long-term private keys.

  –

  $\mathcal{CH}$ sets V as the system public key $P_{pub}$ and exposes the system parameters $\langle E/{\mathbb{F}}_p,\mathbb{G},$$q,P,P_{pub},H_1,H_2\rangle$. Thus $\mathcal{CH}$ cannot know KGC’s master key.

  –

  For $I{D}_i$, $\mathcal{CH}$ sets the long-term private key $(s_i,R_i)$, where $h_i,s_i{\in }_R{\mathbb{Z}}_q^{*}$, $R_i=s_{i}P-h_i{P}_{pub}$. Thus, $P{K}_i=R_i+h_i{P}_{pub}=s_{i}P$.

  –

  For every participant, $\mathcal{CH}$ transfers $(I{D}_i,R_i)$ to $\mathcal{M}$, and stores $(I{D}_i,$$(d_i,R_i),P{K}_i)$ and $(I{D}_i,R_i,h_i)$ in ${Setup}^{list}$ and ${H_1}^{list}$ (described later), respectively.

• Queries: $\mathcal{CH}$ maintains four lists, ${H_1}^{list}$, ${H_2}^{list}$, ${Send}^{list}$, and $R^{list}$ to store $H_1$, $H_2$, Send, and SessionKeyReveal oracles, respectively. $\mathcal{CH}$ performs the queries game with $\mathcal{M}$ as follows:

  –

  $H_1(I{D}_i,R_i)$, KGCStaticKeyReveal, Test(${\prod }_{i,j}^m$), and $H_2(I{D}_i,I{D}_j,R_i,$$R_j,T_i,T_j,K_1,K_2)$ are described the same as those in Strategy S1.

  –

  Corrupt($I{D}_i$): If $I{D}_i=I{D}_b$, $\mathcal{CH}$ discontinues. Otherwise, $\mathcal{CH}$ responds with $(s_i,R_i)$.

  –

  EphemeralKeyReveal(${\prod }_{i,j}^m$): If ${\prod }_{i,j}^m={\prod }_{a,b}^n$, $\mathcal{CH}$ discontinues. Otherwise, $\mathcal{CH}$ provides the stored ephemeral key $r_{i,j}^m$ as the answer.

  –

  Send(${\prod }_{i,j}^m$,M): List ${Send}^{list}$ is with $({\prod }_{i,j}^m,tra{n}_{i,j}^m,r_{i,j}^m,Stat{e}_{i,j}^m)$, where $tra{n}_{i,j}^m$, $r_{i,j}^m$, and $Stat{e}_{i,j}^m$ are the transcript by now, the ephemeral secret key, and the state by now, respectively.

  *

  If M is the second message on the transcript, $\mathcal{CH}$ sets $Stat{e}_{i,j}^m=completed$ and updates ${Send}^{list}$.

  *

  Else $\mathcal{CH}$ performs the following steps.

  ·

  If ${\prod }_{i,j}^m={\prod }_{a,b}^n$, $\mathcal{CH}$ sets $r_{i,j}^m=\perp$, receives $R_a$ from ${Setup}^{list}$, and replies with $\{I{D}_a,R_a,U\}$.

  ·

  Else $\mathcal{CH}$ randomly chooses $r_{i,j}^m\in {\mathbb{Z}}_q^{*}$, obtains $R_i$ from ${Setup}^{list}$, and replies with $\{I{D}_i,R_i,r_{i,j}^{m}P\}$.

  ·

  Finally, $\mathcal{CH}$ updates ${Send}^{list}$, and updates $Stat{e}_{i,j}^m$ to $completed$ if the newly generated message is the second message on the transcript.

  –

  SessionKeyReveal(${\prod }_{i,j}^m$): This query is the same as that in Strategy S1, except that “Else if ${\prod }_{i,j}^m={\prod }_{a,b}^n$ or ${\prod }_{i,j}^m={\prod }_{b,a}^l$” is modified to “Else if ${\prod }_{i,j}^m={\prod }_{a,b}^n$”. This is because the matching session ${\prod }_{b,a}^l$ certainly exists in Strategy S1, while ${\prod }_{b,a}^l$ does not exist in Strategy S5.

• Analysis: Here, we assume that ${\prod }_{a,b}^n$ is an initiator. If $\mathcal{M}$ selects Strategy S5 and ${\prod }_{a,b}^n$ as the test session, then $\mathcal{CH}$ continues using the above simulation. If $\mathcal{M}$ successfully performs the forging attack with non-negligible probability, it should execute the $H_2$ query on $(I{D}_a,I{D}_b,R_a,R_b,U,T_b,K_1,K_2)$, where $K_1=(s_a+C_{1}DLOG\left(U\right))(R_b+h_{b}V+C_2{T}_b)$, $K_2=(s_a+C_{3}DLOG\left(U\right))(R_b+h_{b}V+C_4{T}_b)$, and $h_b=H_1(I{D}_b,R_b)$. Note that $I{D}_a$’s public key material $R_a$ and outgoing message U are both picked by the challenger $\mathcal{CH}$, and at least one of $I{D}_b$’s public key material $R_b$ and outgoing message $T_b$ is chosen by $\mathcal{M}$.
  By the forking lemma [27], $\mathcal{CH}$ replays $\mathcal{M}$ with the same input and tossing coins. Here, $\mathcal{CH}$ only changes the query results of $H_1(I{D}_b,R_b)$, i.e., $\mathcal{CH}$ sets $H_1(I{D}_b,R_b)$ to $\overline{h_b}$, where $\overline{h_b}\in {\mathbb{Z}}_q^{*}$ and $\overline{h_b}\ne h_b$. Then, if $\mathcal{M}$ succeeds, it should perform a query on $H_2$ with $(I{D}_a,I{D}_b,R_a,R_b,U,T_b,\overline{K_1},\overline{K_2})$, where $\overline{K_1}=(s_a+C_{1}DLOG\left(U\right))(R_b+\overline{h_b}V+C_2{T}_b)$, $\overline{K_2}=(s_a+C_{3}DLOG\left(U\right))$$(R_b+\overline{h_b}V+C_4{T}_b)$.
  Finally, $\mathcal{CH}$ receives the item in ${H_2}^{list}$, and outputs GDH$(U,V)=C_1^{-1}\left({(h_b-\overline{h_b})}^{-1}(K_1-\overline{K_1})-s_{a}V\right)$ using the knowledge of $s_a$. Note that as $C_1\in {\mathbb{Z}}_q^{*}$, the solution of GDH$(U,V)$ is correct. Let $\lambda$ be a factor from the forking lemma for Strategy S5. $\mathcal{CH}$’s success probability is at least

  $$Ad{v}_{\mathcal{S}}^{GDH}\left(k\right)>=\frac{\lambda Ad{v}_{\mathcal{M}}^F\left(k\right)}{6n_h{\left(k\right)}^2{n}_p{\left(k\right)}^2{n}_s\left(k\right)}.$$
  As $Ad{v}_{\mathcal{M}}^F\left(k\right)$ is non-negligible, $Ad{v}_{\mathcal{S}}^{GDH}\left(k\right)$ can also be seen as non-negligible. Now, it derives the contradiction of the GDH assumption.

5.3.6. The Analysis of Strategy S6

In this subsection, we will analyze strategy S6. A GDH instance cannot be embedded in the long-term private key in Strategy S6.

• Setup: ${Setup}^{list}$ is an initially empty list, and $(I{D}_i,(d_i,R_i),$$P{K}_i)$ is needed in this phase. $\mathcal{CH}$ creates the system parameters and all parties’ long-term private keys.

  –

  $\mathcal{CH}$ sets V as the system public key $P_{pub}$ and exposes $\langle E/{\mathbb{F}}_p,\mathbb{G},q,P,P_{pub},$$H_1,H_2\rangle$. Thus, $\mathcal{CH}$ does not obtain any information about KGC’s master key.

  –

  For $I{D}_a$, $\mathcal{CH}$ sets the long-term private key $(\perp ,R_a)$, where $h_a{\in }_R{\mathbb{Z}}_q^{*}$, $R_a=U-h_a{P}_{pub}$. Thus, $P{K}_a=R_a+h_a{P}_{pub}=U$.

  –

  For $I{D}_i(i\ne a)$, $\mathcal{CH}$ sets $(s_i,R_i)$ as the long-term private key, where $h_i,s_i{\in }_R{\mathbb{Z}}_q^{*}$, $R_i=s_{i}P-h_i{P}_{pub}$. Thus, $P{K}_i=R_i+h_i{P}_{pub}=s_{i}P$.

  –

  For every participant, $\mathcal{CH}$ transfers $(I{D}_i,R_i)$ to $\mathcal{M}$, and stores $(I{D}_i,$$(d_i,R_i),P{K}_i)$ and $(I{D}_i,R_i,h_i)$ in ${Setup}^{list}$ and ${H_1}^{list}$ (described later), respectively.

• Queries: $\mathcal{CH}$ maintains four lists, ${H_1}^{list}$, ${H_2}^{list}$, ${Send}^{list}$, and $R^{list}$, which are initially empty and used for recording $H_1$, $H_2$, Send, and SessionKeyReveal oracles, respectively. $\mathcal{CH}$ starts $\mathcal{M}$ by answering $\mathcal{M}$’s queries as follows:

  –

  The five queries $H_1(I{D}_i,R_i)$, SessionKeyReveal(${\prod }_{i,j}^m$), Test(${\prod }_{i,j}^m$), KGCStaticKeyRevea, and $H_2(I{D}_i,I{D}_j,R_i,R_j,T_i,T_j,K_1,K_2)$ are described in the same way as those in Strategy S5.

  –

  Corrupt($I{D}_i$), EphemeralKeyReveal(${\prod }_{i,j}^m$) and Send(${\prod }_{i,j}^m$,M): These three queries are described to be the same as those in Strategy S4.

• Analysis: Here, we assume that ${\prod }_{a,b}^n$ is an initiator. If $\mathcal{M}$ selects Strategy S6 and ${\prod }_{a,b}^n$ as the test session, then $\mathcal{CH}$ continues this simulation. If $\mathcal{M}$ successfully performs the forging attack, it should execute $H_2$ query on $(I{D}_a,I{D}_b,R_a,R_b,T_a,T_b,K_1,K_2)$, where $K_1=(DLOG\left(U\right)+C_1{r}_{a,b}^n)(R_b+h_{b}V+C_2{T}_b)$,$K_2=(DLOG\left(U\right)+C_3{r}_{a,b}^n)(R_b+h_{b}V+C_4{T}_b)$, and $h_b=H_1(I{D}_b,R_b)$. Note that $I{D}_a$’s public key material $R_a$ and outgoing message $T_a$ are both picked by the challenger $\mathcal{CH}$, and at least one of $I{D}_b$’s public key material $R_b$ and outgoing message $T_b$ is chosen by $\mathcal{M}$.
  By the forking lemma [27], $\mathcal{CH}$ replays $\mathcal{M}$ with the same input and tossing coins. Here, $\mathcal{CH}$ only changes the query results of $H_1(I{D}_b,R_b)$, i.e., $\mathcal{CH}$ sets $H_1(I{D}_b,R_b)$ to $\overline{h_b}$, where $\overline{h_b}\in {\mathbb{Z}}_q^{*}$ and $\overline{h_b}\ne h_b$. Then, if $\mathcal{M}$ succeeds, it should perform a query on $H_2$ with $(I{D}_a,I{D}_b,R_a,R_b,T_a,T_b,\overline{K_1},\overline{K_2})$, where $\overline{K_1}=(DLOG\left(U\right)+C_1{r}_{a,b}^n)(R_b+\overline{h_b}V+C_2{T}_b)$, $\overline{K_2}=(DLOG\left(U\right)+C_3{r}_{a,b}^n)$$(R_b+\overline{h_b}V+C_4{T}_b)$.
  Here, $\mathcal{CH}$ receives the item in ${H_2}^{list}$, and outputs GDH$(U,V)={(h_b-\overline{h_b})}^{-1}(K_1-\overline{K_1})-C_1{r}_{a,b}^{n}V$ using the knowledge of $r_{a,b}^n$. Note that as $\overline{h_b}\ne h_b$, the solution of GDH$(U,V)$ is correct. Let $\lambda$ be a factor from the forking lemma in Strategy S6. $\mathcal{CH}$’s success probability is at least

  $$Ad{v}_{\mathcal{S}}^{GDH}\left(k\right)>=\frac{\lambda Ad{v}_{\mathcal{M}}^F\left(k\right)}{6n_h{\left(k\right)}^2{n}_p{\left(k\right)}^2{n}_s\left(k\right)}.$$
  As $Ad{v}_{\mathcal{M}}^F\left(k\right)$ is non-negligible, $Ad{v}_{\mathcal{S}}^{GDH}\left(k\right)$ can also be seen as non-negligible. Now, it derives the contradiction of the GDH assumption.

The former formal security proof has proven that the proposed ID-AKA protocol ${\sum }_{C_1,C_2,C_3,C_4}$ is secure against some comment attacks of guessing attacks, key replication attacks, and forging attacks. Its security can be reduced to the hardness of GDH assumption over the elliptic curve group in the eCK model.

6. More Efficient Instantiations

As $C_i(i=1,2,3,4)\in {\mathbb{Z}}_q^{*}$, our construction needs six scalar multiplications (here, we ignore less time-consuming point additions and general hash function outputs), which is a bit higher than the NCL-16-II protocol [27] at the same security level. However, the NCL-16-II protocol is only a special protocol, while our construction will result in different special protocols with different $C_i$ values, for example, protocol ${\sum }_{1,1,-1,-1}$ and protocol ${\sum }_{1,1,H_1(R_A\left|\right|R_B\left|\right|T_A\left|\right|T_B),H_1(R_B\left|\right|R_A\left|\right|T_B\left|\right|T_A)}$. How should the values of $C_1,C_2,C_3$, and $C_4$ be chosen in the real execution environment? It would be better to select values that result in more efficient instantiation as different protocols have different computation costs. The following provides some efficient instantiations of our construction.

Protocol 1

(${\sum }_{1,1,-1,-1}$). In this protocol, $C_1=C_2=1,C_3=C_4=-1$. A computes the shared secrets $K_{AB}^1=(s_A+e_A)(P{K}_B+T_B)$ and $K_{AB}^2=(s_A-e_A)(P{K}_B-T_B)$. B compute the shared secrets $K_{BA}^1=(s_B+e_B)(P{K}_A+T_A)$ and $K_{BA}^2=(s_B-e_B)(P{K}_A-T_A)$. This protocol reduces two scalar multiplications compared with the general construction.

Protocol 2

(${\sum }_{1,-1,-1,1}$). In this protocol, $C_1=C_4=1,C_2=C_3=-1$. A computes the shared secrets $K_{AB}^1=(s_A+e_A)(P{K}_B-T_B)$ and $K_{AB}^2=(s_A-e_A)(P{K}_B+T_B)$. B computes the shared secrets $K_{BA}^1=(s_B-e_B)(P{K}_A+T_A)$ and $K_{BA}^2=(s_B+e_B)(P{K}_A-T_A)$. This protocol has the same efficiency as ${\sum }_{1,1,-1,-1}$.

Protocol 3

(${\sum }_{1,1,2,2}$). In this protocol, $C_1=C_2=1,C_3=C_4=2$. A computes the shared secrets $K_{AB}^1=(s_A+e_A)(P{K}_B+T_B)$ and $K_{AB}^2=(s_A+2e_A)(P{K}_B+2T_B)$. B computes the shared secrets $K_{BA}^1=(s_B+e_B)(P{K}_A+T_A)$ and $K_{BA}^2=(s_B+2e_B)(P{K}_A+2T_A)$. This protocol only adds a point addition operation compared with the protocol of ${\sum }_{1,1,-1,-1}$.

7. Performance and Comparison

This section presents the efficiency and security comparison between our Protocols 1 and 2 with other competitive ID-AKA protocols. Note that only the HC protocols [13] were pairings-based ID-AKA protocols, the other ID-AKA protocols [21,22,23,24,25,26,27,28] and ours were all pairing-free.

7.1. Comparison of Computation Overheads

To evaluate the computational overhead,

Table 2. Execution time on a Samsung Galaxy S5.

Notation	Explanation (The Execution Time of)	Time (ms)
$T_p$	A bilinear pairing e: ${\mathbb{G}}_1\times {\mathbb{G}}_1\to {\mathbb{G}}_2$	32.713
$T_{psm}$	A pairing-based scalar multiplication in ${\mathbb{G}}_1$	13.405
$T_{ppa}$	A pairing-based point addition in ${\mathbb{G}}_1$	0.056
$T_{pexp}$	An exponentiation operation in ${\mathbb{G}}_2$	2.249
$T_{mtph}$	A hash-to-point in ${\mathbb{G}}_1$	33.582
$T_{esm}$	An ECC-based scalar multiplication in $\mathbb{G}$	3.350
$T_{epa}$	An ECC-based point addition in $\mathbb{G}$	0.014
$T_{emtph}$	A hash-to-point in $\mathbb{G}$	8.250
$T_h$	A general hash function	0.006

lists the same execution time of different cryptographic operations, reported in [40]. The execution time was calculated using the MIRACL library on a Samsung Galaxy S5 smartphone, equipped with a 2.5 GHz ARM Krait processor with 2GB RAM memory running the Android 4.4.2 operating system.

Next, the total execution times of these two protocols and the competitive ID-AKA protocols [13,21,22,23,24,25,26,27,28] were computed, which are shown in

Table 3. Comparative computation overheads.

Protocols	Computations	Computation Cost (ms)	Energy Consumption (mj)
PF-ID-2PAKA [21]	$4T_{esm}+2T_{epa}+2T_h$	13.44	322.56
DXCLCZF-18 [28]	$4T_{esm}+2T_{epa}+2T_h$	13.44	322.56
NIKE [22]	$2T_{esm}+3T_{emtph}$	31.45	754.8
ZHWY-19 [23]	$4T_{esm}+3T_{epa}+3T_h$	13.46	323.04
NCL-16-II [27]	$5T_{esm}+4T_{epa}+3T_h$	16.824	403.776
DRS-20 [30]	$5T_{esm}+3T_{epa}+5T_h$	16.822	403.728
DSH-21 [29]	$4T_{esm}+3T_{epa}+3T_h$	13.460	323.04
PWCAS-22 [33]	$4T_{esm}+6T_{epa}+5T_h$	13.514	324.336
ZHVLH-23 [37]	$5T_{esm}+T_{epa}+16T_h$	16.860	404.64
Our protocols	$4T_{esm}+3T_{epa}+2T_h$	13.454	322.896

. In our Protocols 1 and 2, to agree on a session key, each party needed to compute four ECC-based scalar multiplications, three ECC-based point additions, and two general hash function outputs. Therefore, the total computation time at each party was about $4T_{esm}+3T_{epa}+2T_h\approx 13.454$ ms. Similarly, the communication costs of protocols in [13,21,24,25,26,27,28] were computed. In protocols ZHWY-19 [23] and NIKE [22], two parties had unbalanced computation costs, i.e., one party had a lower computation cost than the other party. Here, we adopted the lower computation cost of one party. According to Table 2, our Protocols 1 and 2 were nearly 80% of protocols NCL-16-II [27] and CKD [24], 100% of protocols [25] and [21,23,28], 72% of protocol XW [26], and 8% of the HC protocol [13] with relation to the computation cost. That is to say, our Protocols 1 and 2 almost had the lowest computation cost. The comparison results are shown in Figure 6.

Energy consumption is one essential item for IoT communication, and the energy consumption of ID-AKA protocol decides the energy efficiency of IoT communication as it is executed by the IoT device. As shown in the former comparative computation overheads in Table 3, the computation costs were calculated. To compute the energy consumption of these key agreement algorithms, the IoT devices equipped with 3.0 V and 8.0 mA were selected. This parameter was set according to the power level of MICA 2 [41]. For the proposed ID-AKA protocol, the energy consumption was 3.0 ∗ 8.0 ∗ 13.454 = 322.896 mj, and the comparison results with similar protocols are shown in Figure 7. Therefore, the low computation overheads led to low energy consumption, and the proposed ID-AKA protocol had more advantages than similar protocols in relation to the costs of computation and energy.

7.2. Comparison of Communication Overheads

Let $|{\mathbb{G}}_1|$, $|{\mathbb{G}}_2|$, $\left|\mathbb{G}\right|$, and $|{\mathbb{Z}}_q^{*}|$ represent elements sizes of ${\mathbb{G}}_1$, ${\mathbb{G}}_2$, $\mathbb{G}$, and ${\mathbb{Z}}_q^{*}$, respectively. Furthermore, assume $\left|ID\right|$ and $\left|H\right|$ represent the length of an identifier and a general hash output, respectively. Considering the Ate pairing and elliptic curves, $|{\mathbb{G}}_1|$, $|{\mathbb{G}}_2|$, $\left|\mathbb{G}\right|$, $|{\mathbb{Z}}_q^{*}|$, and $\left|H\right|$ are 1024, 1024, 320, 160, and 160 bits, respectively. We assumed $\left|ID\right|$ is 32 bits in length.

Table 4. Comparative communication overheads.

Protocols	Messages No.	Communication Cost	Cost (bits)
PF-ID-2PAKA [21]	2	$2\left|ID\right|+4\left|\mathbb{G}\right|$	1344
DXCLCZF-18 [28]	2	$2\left|ID\right|+6\left|\mathbb{G}\right|$	1984
ZHWY-19 [23]	3	$6\left|\mathbb{G}\right|+|{\mathbb{Z}}_q^{*}|+2|H|$	2400
NIKE [22]	3	$2\left|ID\right|+5\left|\mathbb{G}\right|$	1664
NCL-16-II [27]	2	$2\left|ID\right|+6\left|\mathbb{G}\right|$	1984
DRS-20 [30]	2	$2\left|ID\right|+4\left|\mathbb{G}\right|+\left|H\right|$	1504
DSH-21 [29]	2	$2\left|ID\right|+4\left|\mathbb{G}\right|$	1344
PWCAS-22 [33]	2	$2\left|ID\right|+4\left|\mathbb{G}\right|+2\left|H\right|$	1664
ZHVLH-23 [37]	2	$3\ast \left(2\right|ID|+|\mathbb{G}|+|H\left|\right)$	1632
Our protocols	2	$2\left|ID\right|+4\left|\mathbb{G}\right|$	1344

demonstrates the communication cost comparison of the key agreement phase. Note that in our Protocol 1 (Protocol 2), party A sends $\{I{D}_A,R_A,T_A\}$ to party B, where $R_A,T_A\in \mathbb{G}$ and $I{D}_A$ is the identity of A. Party B symmetrically sends $\{I{D}_B,R_B,T_B\}$ to party A, where $R_B,T_B\in \mathbb{G}$ and $I{D}_B$ is the identity of B. Therefore, the communication cost of our protocol 1 (protocol 2) is $2\ast \left(\right|ID|$+2$\left|\mathbb{G}\right|)=2\ast (32+2\ast 320)=1344$ bits. The results show that Protocols 1 and 2 have the lowest communication cost.

7.3. Security Comparisons

As shown in Table 1, some related ID-AKA protocols can capture other security attributes, including known key security, no key control, resistance to basic impersonation attacks, replay attack resilience, resistance to man-in-the-middle attacks, and unknown key share resilience. But, for the proposed IA-AKA protocols, we did not consider explicit mutual authentication, as it can be easily achieved for all one-round protocols [13,21,24,25,26,27,28] by adding a key confirmation. Here, the protocol PWCAS-22 [33] is based on physical unclonable function (PUF), and ZHVLH-23 [37] is based on pseudo-random permutation (PRF). The HC protocol [13], the NCL-16-II protocol [27], the DRS-20 protocol [30], and our protocols are provably secure in the eCK security model. But events in the security proof of NCL-16-II [27] are not complementary, which mismatches the freshness definition. Table 3 shows that our Protocols 1 and 2 can reach the best computation efficiency.

Compared with similar ID-AKA protocols, the proposed Protocols 1 and 2 presented the lowest computation and communication overheads, which could improve IoT communication efficiency in IoT applications. Meanwhile, with the increase in the number of devices, these ID-AKA protocols could also maintain high efficiency, as the key agreement process was executed between two different IoT users. The key agreement between the two parties was less affected by the number of devices in IoT applications and only affected by the hardware, software, and communication protocol in the public internet environment. Although the key agreement times will increase more, this can be ignored with the increasing IoT computation ability.

8. Conclusions

This paper first reviews several ID-AKA protocols without pairings in terms of security and efficiency. We carefully studied them and pointed out the security weaknesses against the ephemeral key reveal attack, key compromise impersonation attack, and launch collusion attack. We also proposed a family of ID-AKA protocols without pairings and proven the security in the eCK security model, a widely accepted security model for AKA protocols. Six strategy analyses were provided, and these ID-AKA protocols were proven to be secure in the eCK model based on the GDH assumption over the elliptic curve group. Then, the instantiations, performance and comparison were presented, and the results show that the proposed ID-AKA protocols were more efficient than other protocols in similar literature. In addition, these ID-AKA protocols no only improved communication security and efficiency in IoT applications, but also saved energy consumption for the communication process.

In the future, with the increasing amount of IoT devices, some security issues of identity authentication, data fine-grained access control, and user privacy protection should still be taken into consideration. Especially with the development of quantum computers and quantum computation, the anti-quantum attack security ID-AKA protocol will be a hot research direction. Meanwhile, many customized ID-AKA schemes should be designed to meet the special requirements of future IoT applications.