Private and Mutual Authentication Protocols for Internet of Things

Abstract

The Internet of Things (IoT) consists of a range of devices that communicate with other devices that are surrounding them. Secure communications between IoT devices have been an essential requirement. However, most existing authentication protocols fail to provide privacy protection for devices such that sensitive information including device owner’s identity and device type can be leaked. In this paper, based on attribute-based encryption (ABE), we propose two private and mutual authentication protocols to protect the privacy of IoT devices. The first protocol is a three-message key exchange protocol, following the public-key encryption mode of the Internet Key Exchange (IKE). The second protocol is a one-round key exchange protocol, thereby providing simplicity and efficiency of messages communicated between the participants. Both of our protocols can be proved secure in the defined model. Finally, we implement the two protocols in an open source framework.

1. Introduction

In recent years, the application of the Internet of Things (IoT) [1,2] has become increasingly widespread, enabling objects (e.g., physical devices, vehicles, buildings, etc.) to be embedded with software, sensors and actuators to exchange data via the network connectivity. Take the smart house in Figure 1 as an instance, which is a house equipped with an alarm system, lighting and heating controller, health caring monitor, air conditioning manager, and other IoT devices. Since these devices might be operated by multiple individuals such as house owners, room renters, doctors, and repairmen, they should be easily authenticated by others who are entitled with access to them to provide good experiences. To support such a function, existing mechanisms (e.g., Apple Bonjour [3], Bluetooth Low Energy (BLE) [4]) require a broadcast communication channel between the IoT devices, where a device activates a communication request by broadcasting information about themselves in the cleartexts, and those who want to communicate with this device can easily do it by sending a responding message [5,6]. This, however, raises threats to user privacy, since the broadcasting information may contain sensitive information such as the device owner’s identity or host name. For example, adversaries may make use of the identity information obtained from a personal smart watch for user profiling, tracking, and launching other attacks. Therefore, it is important to build mutual authentication protocols that are privacy preserving. Wu et al. [5] elaborately discussed how to build private authentication protocols for the IoT devices, but their protocols have security limitations [5].

In this paper, we focus on designing mutual authentication protocols while protecting the privacy of the participants. Our goal is to make sure that the participant of the protocol can only learn that its peer satisfied some specified access policy but nothing else. Typically, the identification information of a participant can only be learned by a set of authorized parties.

1.1. Challenges and Contributions

The key challenge in designing private and mutual authentication protocols is how to achieve mutual authentication with privacy protection. Most existing mutual authentication protocols (e.g., SIGMA [7], JFK [8]) require that at least one party should disclose his/her identity to their peers before the other party, and thus, the identity of the participant is made public to any party in its communication. It becomes undesirable when both participants are IoT devices and unwilling to disclose his/her identity to his/her peers before starting a conversation. It would be desirable to hide the identity of the participant in an authentication protocol or make the identity of the participant only be known by the authorized entities.

Wu et al. [5] suggested the use of prefix encryption, derived from identity-based encryption (IBE), to protect the privacy of the participants in the private and mutual authentication protocol. Their protocol requires a certificate chain associated with each participant’s public key, and thus, it loses the advantages of IBE and causes certificate management issues such as certificate revocation, storage and distribution, and expensive costs in certificate validation, which is significantly unpleasant for applications with limited resources. Please refer to Section 4 for the detailed analysis.

In this paper, we consider the private and mutual authentication protocol one step further in terms of both performance and security. Different from that in [5], which is a signature-based protocol such that each participant is given a pair of signing (private) and verifying (public) keys and a readable name (in a hierarchical structure) tied to its public key through a certificate chain, our private and mutual authentication protocols are based on an encryption scheme in which each participant is assigned with a decryption key derived from their credentials to eliminate the need for certificates. To achieve the desired private authentication, we think of Attribute-Based Encryption (ABE) [9] as a building block. In an ABE scheme, users are identified by a set of attributes, and each ciphertext is generated over a message and an access policy. The original message can only be uncovered by those users whose attributes meet the access policy. Thanks to ABE, the proposed private and mutual authentication protocols protect the privacy of the participants, since the same attributes may be shared by multiple participants. For example, if a laptop with a decryption key over attributes “Brand: Apple”, “Type: Laptop”, would like to communicate with a device with attributes “Brand: Apple”, “Type: Phone”, it can send the ephemeral key encrypted under an access policy “Brand: Apple AND Type: Phone”. Thus, only phones produced by Apple can respond to its request and build a connection with this laptop successfully.

Our contributions in this paper are twofold. Firstly, on the basis of ABE, we present a private and mutual authentication protocol named ABEDH, following the public-key based key exchange protocol SKEME [10] which is the building block of the Internet Key Exchange (IKE)’s public key encryption mode [11]. Secondly, to simplify and improve the efficiency of messages exchanged between parties, we modify the ABEDH protocol to make it composed two messages, and call it one-round ABEDH (OR-ABEDH), using the technique introduced in [12].

1.2. Related Work

Authentication protocols can be divided into two categories: directory-free protocols and directory-based protocols [5]. For directory-based protocols (e.g., [13]), there is a central directory to maintain service information and control participants’ access rights. Parties query directories to discover other participants and participants register with the directory to announce their presence. Though directory-based protocols are computationally efficient, their security depend on an external service. If the directory service is compromised, the privacy of both the participants is in danger. Directory-free protocols (e.g., [14]) depend on shared keys created between devices in separate protocols. Those shared keys are used to encrypt private service advertisements to prevent unpaired devices from decrypting. Other protocols rely on public-key encryption (e.g., [15]) where each device keeps a public-key set for peers it intends to build communications with, and identity-based encryption (e.g., [5,16]), where key-management is simplified without maintaining long lists of symmetric or public keys.

Private authentication was introduced by Abadi [17], where the identity of each protocol participant will not be revealed to its peers unless authorized by the participant. There are several techniques that can be applied to achieve private authentication, e.g., secret handshakes [18], that allow members of a group to identify each other privately; hidden credentials [19] that enable the sender to send encrypted messages; mechanisms that ensure that only recipients who meet certain access policies can decrypt the message; and attribute-based encryption schemes [20] that support fine-grained access control over decryption capabilities.

However, it is not always straightforward to obtain secure key exchange protocols by combining these protocols with existing key exchange protocols [5] such as SIGMA [7], JFK [8]. Wu et al. [5] showed how private and authenticated key exchange can be very naturally completed by integrating prefix encryption with existing secure signature-based key exchange protocols to obtain private authentication between two entities. In this paper, we describe how to achieve private authentication from key exchange protocols based on attribute-based encryption.

1.3. Road-Map

The rest of this paper is structured as follows. In Section 2, we briefly revisit definitions relevant to this paper. In Section 3, we describe the security model for the private and mutual authentication protocol. In Section 4, we present two private and mutual authentication protocols and analyze their security. In Section 5, we show the experimental results of the proposed private and mutual authentication protocols. Finally, this paper is concluded in Section 6.

2. Preliminaries

In this section, we recall basic notions to be used in this paper.

2.1. Complexity Assumption

Decisional Diffie–Hellman Assumption [21]. For any probabilistic polynomial-time (PPT) algorithm, the Decisional Diffie–Hellman (DDH) problem means that it is difficult to distinguish between $(g$, $g^a$, $g^b$, $g^{ab})$ and $(g$, $g^a$, $g^b$, $Z)$, where g, $Z\in G$, a, $b\in Z_p$ are chosen independently and uniformly at random.

2.2. Attribute-Based Encryption

An attribute-based encryption (ABE) scheme $\mathcal{ABE}$ [9] is composed of four algorithms: a setup algorithm $\mathcal{ABE}$.Set$\left(1^{\lambda }\right)$ outputting the public parameter $par$ and the master private key $msk$ on input a security parameter $\lambda$; a key generation algorithm $\mathcal{ABE}$.KG$(par$, $msk$, $\mathbf{A})$ outputting a private attribute-key $s{k}_{\mathbf{A}}$ on input the public parameter $par$, the master private key $msk$, and an attribute set $\mathbf{A}$; an encryption algorithm $\mathcal{ABE}$.Enc$(par$, $\mathbb{A}$$m)$ outputting a ciphertext CT on input the public parameter $par$, an access policy $\mathbb{A}$, and a message m; and a decryption algorithm $\mathcal{ABE}$.Dec$(par$, $s{k}_{\mathbf{A}}$, CT) outputting a message m or a failure symbol ⊥ on input the public parameter $par$, a private key $s{k}_{\mathbf{A}}$ and a ciphertext CT.

An ABE scheme $\mathcal{ABE}$ is secure against chosen ciphertext attacks (IND-CCA secure) if for any PPT adversary $\mathcal{A}$ = $({\mathcal{A}}_1$, ${\mathcal{A}}_2)$, the advantage function

$$\begin{array}{cc}\hfill & {\mathbf{Adv}}_{\mathcal{ABE},\mathcal{A}}^{\mathrm{IND}-\mathrm{CCA}}\left(\lambda \right)\hfill \\ \hfill & =\mathrm{Pr}\left[b^{\prime }=b\left|\begin{array}{c}(par,msk)\hfill \\ \leftarrow \mathcal{ABE}.\mathrm{Set}\left(1^{\lambda }\right),b\leftarrow \{0,1\}\hfill \\ (m_0,m_1,{\mathbb{A}}^{*},state)\hfill \\ \leftarrow {\mathcal{A}}_1^{\mathcal{ABE}.\mathrm{KG}(msk,·),\mathcal{ABE}.\mathrm{Dec}(·,·)}\left(par\right)\hfill \\ {\mathrm{CT}}^{*}\leftarrow \mathcal{ABE}.\mathrm{Enc}(par,{\mathbb{A}}^{*},m_b)\hfill \\ b^{\prime }\leftarrow {\mathcal{A}}_2^{\mathcal{ABE}.\mathrm{KG}(msk,·),\mathcal{ABE}.\mathrm{Dec}(·,·)}(par,m_0,m_1,{\mathbb{A}}^{*},state,{\mathrm{CT}}^{*})\hfill \end{array}\right.\right]-1/2\hfill \end{array}$$

is negligible in the security parameter $\lambda$, where $|m_0|=|m_1|$, and adversary $\mathcal{A}$ is not allowed to make a decryption query on input CT${}^{*}$. In addition, adversary $\mathcal{A}$ is disallowed to make key generation queries on attributes satisfying the challenge access policy ${\mathbb{A}}^{*}$.

2.3. Message Authentication Code

Let $\mathcal{K}$ be the key space. A message authentication code scheme $\mathcal{MAC}$ is composed of two algorithms [22]: a message authentication algorithm $\mathcal{MAC}$.MAC$(K$, $m)$, which outputs an authentication tag $\tau$ by taking a key $K\in \mathcal{K}$ and a message m as the input, and a verification algorithm $\mathcal{MAC}$.MAV$(K$, m, $\tau )$, which outputs 1 or 0 by taking a key $K\in \mathcal{K}$, a message m and an authentication tag $\tau$ as the input.

A message authentication code scheme $\mathcal{MAC}$ is secure against chosen message attacks (CMA secure) if for any PPT adversary $\mathcal{A}$, the advantage function

$$\begin{array}{c}{\mathbf{Adv}}_{\mathcal{MAC},\mathcal{A}}^{\mathrm{CMA}}\left(\lambda \right)\hfill \\ =\mathrm{Pr}\left[\begin{array}{c}\mathcal{MAC}.\mathrm{MAV}(K,m^{*},{\tau }^{*})=1\wedge \hfill \\ \mathcal{A}\mathrm{has}\mathrm{never}\mathrm{queried}\mathcal{MAC}.\mathrm{MAC}(K,m^{*})\hfill \end{array}\left|\begin{array}{c}K\leftarrow \mathcal{K}\hfill \\ (m^{*},{\tau }^{*})\leftarrow {\mathcal{A}}^{\mathcal{MAC}.{\mathrm{MAC}}_K(·)}\left(1^{\lambda }\right)\hfill \end{array}\right.\right]\hfill \end{array}$$

is negligible in the security parameter $\lambda$.

2.4. Pseudo-Random Functions

Let $\mathbb{H}:$ K${}_{\lambda }$× D${}_{\lambda }$→ R${}_{\lambda }$ be a pseudo-random function (PRF) [23] indexed by a security parameter $\lambda$, where K${}_{\lambda }$, D${}_{\lambda }$, and R${}_{\lambda }$ can be arbitrary finite sets. The advantage of a PRF adversary $\mathcal{A}$ against $\mathcal{F}$ is

$$\begin{array}{c}\hfill {\mathbf{Adv}}_{\mathbb{H},\mathcal{A}}^{\mathrm{PRF}}\left(\lambda \right)=\mathrm{Pr}[{\mathrm{REAL}}_{\mathbb{H}}^{\mathcal{A}}\Rightarrow 1]-\mathrm{Pr}[{\mathrm{RAND}}_{\mathbb{H}}^{\mathcal{A}}\Rightarrow 1],\end{array}$$

where the security games are shown in Figure 2.

We say $\mathbb{H}$ is a secure PRF if the advantage of any PPT adversary is negligible in the security parameter $\lambda$.

2.5. Strong Randomness Extractor

A efficiently computable function $H:$ K${}_{\lambda }$× D${}_{\lambda }$→ R${}_{\lambda }$ indexed by a security parameter $\lambda$ is called a strong $(m$, $ϵ)$-extractor (SRE) [24] if, for any random variable X over D${}_{\lambda }$ that has min-entropy m, if k is chosen uniformly at random from K${}_{\lambda }$ and R is chosen uniformly at random from R${}_{\lambda }$, then the statistical distance between the two distributions $<k$, $H_k\left(X\right)>$ and $<k$, $R>$ is at most $ϵ$. A strong extractor has a special property that the output is close to uniform distribution even when the key k is revealed. The advantage of an SRE adversary $\mathcal{A}$ against H is

$$\begin{array}{c}\hfill {\mathbf{Adv}}_{H,\mathcal{A}}^{\mathrm{sre}}\left(\lambda \right)=\mathrm{Pr}[{\mathrm{REAL}}_H^{\mathcal{A}}\Rightarrow 1]-\mathrm{Pr}[{\mathrm{RAND}}_H^{\mathcal{A}}\Rightarrow 1],\end{array}$$

where the security games are shown in Figure 3.

We say H is a secure SRE if the advantage of any PPT adversary is negligible in the security parameter $\lambda$.

3. Protocol Description and Security Model

In this section, after presenting the framework of the private authentication and key exchange protocols, we describe its security model in detail.

3.1. Protocol Description

The private and mutual authentication protocol is run in a network of interconnected participants, and each participant can be invoked to run a session (a.k.a. an instance of the protocol). A partipant within a session can be invoked to start the session (initiator) or respond to an incoming message (responder). Based the specification of the protocol and as a result of these invocations, the participant will create and store a session state, yield outgoing messages, and lastly, finish the session by producing a session key and removing the session state. It is possible that a session is aborted without outputting any session key.

The private and mutual authentication protocol should meet the basic security requirements (e.g., secure against guessing attacks and impersonation attacks) for a mutual authentication protocol. In addition, it should provide forward secrecy to guarantee that the session-key cannot be learned by the adversary when a session key is wiped from its initiator’s memory, even if involving parties are subsequently corrupted; it should resist the following attacks that can be conducted by an adversary.

• Known-key attacks such that if one session key is learned by the adversary, nothing can be implied about the values of other session keys.
• Key escrow freeness in the identity-based or attribute-based setting to protect against the compromised Key Generation Centre (KGC), who may (passively) eavesdrop in the communications of any two entities as KGC knows all long-term keys of all the entities.
• Key compromise impersonation (KCI) attacks to prevent an honest party from accepting a session key in the belief that it is shared with another party as claimed, while in fact, the session key is shared with the adversary.

In addition, it should provide mutual privacy such that any identification information of the protocol participant (either the initiator or the responder) is only revealed to the authorized recipients.

3.2. Security Model

The security model for the private and mutual authentication protocol is similar to that for authenticated key exchange (KE) protocols defined by Canetti and Krawczyk [25] in the “post-specified” peer setting [26], which captures all adversarial capabilities in the real world, including accessing some secret information used or generated in the protocol and controlling communication links. Specifically, an active adversary is able to delay or prevent the delivery, inject messages, interleave messages from different sessions, intercept and modify messages sent over links, schedule all session invocations and session-message delivery, have access to secret information, and so on.

An entity in the post-specified model can be invoked to begin a session by a tuple $(P$, $sid$, $d)$, where P is the entity at which the session is invoked, $sid$ is a unique session identity, and d is a “destination address” only used for the messages delivery for the session identity $sid$; the session identity is only used as delivery information of messages related to this session and has no implications related to the peer’s identity behind this address. An entity can be invoked either as an initiator or a responder (to respond to an initializing message from another entity). The output of a completed session at an entity P can be described as a public tuple $(P$, $sid$, $Q)$, with $sid$ being the session identity and Q being the peer of the session and a secret session key $ssk$. Additionally, sessions could be aborted (or uncompleted) without outputting any session key, where the output can be denoted by a special symbol ⊥. When a session generates an output (as a result of aborting or completing), its local state will be wiped. At the conclusion of the session, only the tuple $(P$, $sid$, $Q)$ and the session key $ssk$ are maintained. Additional long-term state such as a private key may also be kept by each entity. However, these long-term secrets are shared across multiple sessions and are not considered as a part of an entity’s local session state. Sessions will be uniquely identified by a pair $(P$, $sid)$ (with P being the local party and $sid$ being the session identity) in the protocol analysis.

Definition 1.

Denote $(P$, $sid)$ as a completed session with the public output $(P$, $sid$, $Q)$. We say the session $(Q$, $sid)$ is the matching session of $(P$, $sid)$ if $(Q$, $sid)$ is completed and its public output is $(Q$, $sid$, $P)$.

Adversarial model. The adversary is modeled to capture realistic attack capabilities (e.g., key escrow, key compromise) in the real world, which is allowed access to some secrets used or generated by the private and mutual authentication protocol and has full control over the communication. The adversary can invoke participants (as an initiator or a responder) to initiate an execution of the private and mutual authentication protocol. In addition, the adversary is able to learn ephemeral and long-term secrets held by participants via issuing the following session queries.

• Corrupt $\left(P\right)$. The adversary learns the long-term private key of P with this query.
• Session-Key $(P$, $sid$, $Q)$. The session key (if any) accepted by P during a given session $sid$ with Q is returned by this query.
• Session-State $(P$, $sid$, $Q)$: All the internal state information of the participant P associated to a particular session $sid$ with Q, excluding the long-term private key of P, is returned by this query. This query is used for defining the strong corruption model. If the adversary is forbidden to issue the Session-State queries, then it is called the weak corruption model.
• Session-Expiration $(P$, $sid$, $Q)$. Forward secrecy and memory erasure of the session key on a completed (or expired) session are defined by this query.
• Test-Session $(P$, $sid$, $Q)$. A random bit b is chosen for replying to this query. If b = 1, the output is the session key. Otherwise, the output is a random key chosen from keys generated by the protocol. This query cannot be issued to an exposed session which is a session when the adversary performs any of the following actions: a Session-State or Session-Key query to this session or to the matching session OR a Corrupt query to either participant before the session expires at that participant.

The session-key (SK) security for a private and mutual authentication protocol is defined based on a game played by the adversary. In the game’s first stage, the adversary can invoke sessions and perform Session-State, Corrupt, Session-Key, and Session-Expiration queries as above. The adversary then selects a participant and a session to perform a Test-Session query. The adversary cannot expose the Test-Session. The adversary may then continue with its regular executions, with the exception that no more Test-Session queries can be issued. Finally, the adversary halts after outputting a bit $b^{\prime }$ as its guess on whether the Test-Session query’s returned value is a random value or the session key. If $b=b^{\prime }$, the adversary is the winner of the game.

Definition 2.

A private and mutual authentication protocol is session-key secure with perfect forward secrecy (PFS) in the strong (or weak) corruption model if for any PPT adversary, the following properties hold: (1) Assuming that a session $(P$, $sid)$ ends at an uncorrupted participant P with the output $(P$, $sid$, $Q)$ and the session key $ssk$, and then, with overwhelming probability, if Q ends the session $(Q$, $sid)$ with non-corrupted P and Q, the session key is $ssk$ and the output of $(Q$, $sid)$ is $(Q$, $sid$, $P)$; (2) The probability of the adversary guessing the correct bit b is negligibly close to $1/2$ in the security parameter. In addition, a private and mutual authentication protocol is session-key secure with weak forward secrecy (WFS) in the strong (or weak) corruption model if the adversary is disallowed to actively perform in the Test-Session.

4. Proposed Private Authentication Protocols

In this section, we present two private and mutual authentication protocols and analyze the security of them.

4.1. Analysis on an Existing Private Authentication Protocol

Wu et al. [5] proposed a private and mutual authentication protocol over a group G of a prime order p and a generator g, which is shown in Figure 4. Let $\mathcal{PE}$ be the prefix encryption scheme with $\mathcal{PE}$.Setup, $\mathcal{PE}$.KG, $\mathcal{PE}$.Enc and $\mathcal{PE}$.Dec being the corresponding setup, key generation, encryption, and decryption algorithms; $i{d}_P$ be a certificate chain to tie P’s public key to one of its identities of a participant P; and KDF$(·)$ be a key derivation function [5]. ${\mathrm{Sig}}_P\left(m\right)$ denotes P’s signature on a message m and ${\left\{m\right\}}_k$ an authentication encryption [5] of a message m under a key k.

However, the private and mutual authentication protocol in Figure 4 has several limitations.

• Firstly, in their protocol, certificates must be associated with the signatures generated by the parties. Otherwise, even though the party C does not satisfy the access policy defined by the party S, it can still build a session key with the party S. This is because there is no authentication process for the party S to check whether the party C satisfies the required access policy. The signature ${\sigma }_C$ can be generated by any party C, regardless of whether it can decrypt $C{T}_S$ or not, so the certificate of a party C must be associated with the signature.
• Secondly, a malicious party C can always know the identity of the party S it communicates with. Using anonymous prefix encryption can hide the access policy designated by the party S, but it cannot hide the identity of the party S. The identity information about the party S could be leaked to a malicious party C (a malicious C can simply activate a session; when any party S replies, it learns the identity of the party S) via the signature generated by the party S.
• Thirdly, in their protocol, the party S can specify what kind of party C it wants to communicate with, but the party C does not have such a capability to choose the party S it wants to communication with, as the party C is not required to generate an encryption on the policy that the party S should satisfy. We think that this is undesirable and unfair. It is better to allow the party C to specify some kind of access policy that the responding party S should have. Thus, the party C can filter some responding parties S as well.

4.2. Protocol Environment

In the proposed private and mutual authentication protocols, each participant is identified by a set of attributes (e.g., Owner: Alice, Type: Notebook, Brand: Apple, and so on). A trusted Key Generation Center (KGC) that keeps the master private key $msk$ and creates the common parameter $par$, issues a private attribute-key to each party in terms of the attributes possessed by this party. When a party intends to initiate a session, it sends an ephemeral key encrypted under some access policy over attributes which it would like the responder to satisfy.

In an ABE scheme, the access policy is sent along with the ciphertext in a cleartext form. Thus, it may leak the sensitive information of the participants if the access structure contains an attribute such as “Owner: Alice” or “Host Name: PC-JSH”. To prevent such information disclosure, we suggest to use an ABE scheme with partially hidden access policies [27], where each attribute has an attribute name and an attribute value but attribute values will not be given in the access policies. For example, if an access policy is “Owner: Alice AND Brand: Apple AND (Type: Phone OR Type: Laptop”, the attribute name “Owner”, “Brand”, and “Type” will be included in the access policy as a component of the ciphertext, but the attribute values “Alice”, “Apple”, “Phone”, and “Laptop” will be hidden from the ciphertext. Thereby, the access policy is Owner: ** AND Brand: ** AND Type: ** OR Type: **” appended to the ciphertext. Nevertheless, since “Apple”, “Phone”, and “Laptop” are not as sensitive as “Alice”, they can be shown in the access policy, but “Alice” must be hidden.

4.3. A Private and Mutual Authentication Protocol Based on Attribute-Based Encryption

Denote $\mathcal{K}$ by the key space. Let $\mathcal{ABE}$ = $(\mathcal{ABE}$.Set, $\mathcal{ABE}$.KG, $\mathcal{ABE}$.Enc, $\mathcal{ABE}$.Dec) be a ciphertext-policy attribute-based encryption (CP-ABE) scheme. Let $\mathcal{MAC}$ = $(\mathcal{MAC}$.MAC, $\mathcal{MAC}$.MAV) be a message authentication code (MAC) scheme. Let G be a group of a prime order p with a generator g. We present the private and mutual authentication protocol in Figure 5.

• To initiate a session with a session identity $sid$, a device C randomly chooses $x\in Z_p$ and computes X=$g^x$. Then, it randomly chooses a key $K_C\in \mathcal{K}$, and computes the ciphertext CT${}_C$ by running the $\mathcal{ABE}$.Enc algorithm under an access policy ${\mathbb{A}}_S$ that it wants the responding device S to satisfy. It sends $(sid$, X, CT${}_C)$ to a device S.
• Upon receiving an outgoing message $(sid$, X, CT${}_C)$ from a device C, the device S decrypts the ciphertext CT${}_C$ to obtain the underlying key $K_C$. If the decryption fails, it aborts the session. Otherwise, it runs as follows.
  • It randomly chooses a key $K_S\in \mathcal{K}$ and computes the ciphertext CT${}_S$ by running the $\mathcal{ABE}$.Enc algorithm under an access policy ${\mathbb{A}}_C$ that it wants the device C to satisfy.
  • It randomly chooses $y\in Z_p$ and computes Y = $g^y$. Then, it generates a tag ${\tau }_S$ by running the $\mathcal{MAC}$.MAC algorithm on a message $m_S$ = $(1$, $sid$, X, Y, C, $S)$ under $K_C$.
  • It sends $(sid$, Y, CT${}_S$, ${\sigma }_S)$ to the device C.
• When the device C receives an incoming message $(sid$, Y, CT${}_S$, ${\tau }_S)$, it decrypts the ciphertext CT${}_S$ to obtain the underlying key $K_S$. If the decryption succeeds, it checks the correctness of ${\tau }_S$. If the verification fails, it aborts the session. Otherwise, it generates a tag ${\tau }_C$ on a message $m_C$ = $(0$, $sid$, X, Y, C, $S)$ using the key $K_S$. It sends back $(sid$, ${\tau }_C)$ to the device S.
• After receiving the response $(sid$, ${\tau }_C)$ from the device C, the device S checks the validity of ${\tau }_C$. If ${\tau }_C$ is valid, it has a shared session key $ssk$ = $g^{xy}$. Otherwise, it aborts.

Theorem 1.

Assuming that DDH holds in the underlying group, $\mathcal{ABE}$ is IND-CCA secure, and $\mathcal{MAC}$ is CMA secure, the proposed private and mutual authentication protocol is session-key secure with PFS under the weak corruption model.

Proof. 

When an adversary outputs a session $(P^{*}$, $si{d}^{*})$ in the Test-Session query, there must be a partner instance $(Q^{*}$, $si{d}^{*})$. Otherwise, we can make use of the adversary to break the security of the attribute-based encryption scheme $\mathcal{ABE}$ or the message authentication code scheme $\mathcal{MAC}$.

We define a restricted adversary ${\mathcal{A}}_1$ such that in the Test-Session query ${\mathcal{A}}_1$ outputs a session $(P^{*}$, $si{d}^{*})$ which has a matching session $(Q^{*}$, $si{d}^{*})$. Given an adversary $\mathcal{A}$ against the ABEDH protocol in the SK security game, we build an adversary ${\mathcal{A}}_1$ as follows. Adversary ${\mathcal{A}}_1$ use its own oracles to answer all queries made by $\mathcal{A}$. If adversary $\mathcal{A}$ outputs an instance $(P^{*}$, $si{d}^{*})$ without any matching session, adversary ${\mathcal{A}}_1$ aborts without any output. Otherwise, adversary ${\mathcal{A}}_1$ outputs $(P^{*}$, $si{d}^{*})$ in the Test-Session query and returns the response it receives to adversary $\mathcal{A}$. When adversary $\mathcal{A}$ outputs a bit $b^{\prime }$ and aborts, adversary ${\mathcal{A}}_1$ also outputs $b^{\prime }$ and aborts.

Denote by E the event that the instance $(P^{*}$, $si{d}^{*})$ in the Test-Session query outputted by adversary $\mathcal{A}$ does not have a matching session. In the SK security game, if event E happens, we can construct a forger $\mathcal{B}$. On the other hand, if event E does not happen, then adversary ${\mathcal{A}}_1$ and adversary $\mathcal{A}$ are the same. Thus, we have

$$\begin{array}{c}\hfill {\mathbf{Adv}}_{\mathrm{ABEDH},\mathcal{A}}^{\mathrm{SK}}\left(\lambda \right)-{\mathbf{Adv}}_{\mathrm{ABEDH},{\mathcal{A}}_1}^{\mathrm{SK}}\left(\lambda \right)\le \mathrm{Pr}\left[\mathrm{E}\right].\end{array}$$

Following the proof in [28], we define a forger $\mathcal{B}$. Let $(par$, $msk)$←$\mathcal{ABE}$.Set$\left(1^{\lambda }\right)$, $s{k}^{\mathbf{A}}$←$\mathcal{ABE}$.KG$(par$, $msk$, $\mathbf{A})$, and CT${}^{*}$←$\mathcal{ABE}$.Enc$(par$, ${\mathbb{A}}^{*}$, $(P^{*}$, $K^{*})$ with ${\mathbb{A}}^{*}$ being an access structure and $P^{*}$ being a party chosen by forger $\mathcal{B}$, and $K^{*}$ being a key randomly chosen from the key space of $\mathcal{MAC}$ and unknown to forger $\mathcal{B}$. Forger $\mathcal{B}$ is given $par$, CT${}^{*}$, and access to an oracle ${\mathcal{O}}_{msk}(·)$ which creates private attribute-keys on unauthorized sets $\mathbf{A}$ of ${\mathbb{A}}^{*}$, an oracle ${\mathcal{O}}_{s{k}^{\mathbf{A}}}(·)$ which decrypts ciphertexts which are not equal to CT${}^{*}$, and an oracle ${\mathcal{O}}_{K^{*}}(·)$ which returns $\mathcal{MAC}$.MAC$(K^{*}$, $m)$ on input m. Forger $\mathcal{B}$’s goal is to output $m^{*}$, $\mathcal{MAC}$.MAC$(K^{*}$, $m^{*})$, where $m^{*}$ has never been queried to oracle ${\mathcal{O}}_{K^{*}}(·)$ by forger $\mathcal{B}$.

Forger $\mathcal{B}$ randomly chooses two parties $P^{*}$, $Q^{*}$, and generates the private attribute-keys for them except for $Q^{*}$. Assume that adversary $\mathcal{A}$ performs at most $q_I$ activations of parties with an incoming message. Forger $\mathcal{B}$ randomly chooses l←$[1$, $q_I]$ and asks its challenger to return CT${}^{*}$ = $\mathcal{AKE}$.Enc$(par$, ${\mathbb{A}}^{*}$, $(P^{*}$, $K^{*}\left)\right)$ on input $P^{*}$ under ${\mathbb{A}}^{*}$. Forger $\mathcal{B}$ sets that ${\mathbb{A}}^{*}$ can be satisfied by the attributes of $Q^{*}$ and simulates the SK security game for adversary $\mathcal{A}$ except in the following cases.

• If adversary $\mathcal{A}$ does not make a Test-Session query with an activation of $P^{*}$, forger $\mathcal{B}$ aborts.
• If $Q^{*}$ is not the matching session of $P^{*}$, forger $\mathcal{B}$ aborts.
• If $(P^{*}$, $si{d}^{*})$ is not the l-th activation, forger $\mathcal{B}$ aborts.
• If adversary $\mathcal{A}$ issues a Corrupt query on input $Q^{*}$, forger $\mathcal{B}$ aborts.
• Forger $\mathcal{B}$, in the l-th activation, sets CT${}_{P^{*}}$= CT${}^{*}$, generates the ephemeral DH key for $(P^{*}$, $si{d}^{*})$, uses $s{k}_{P^{*}}^{\mathbf{A}}$ to obtain K←$\mathcal{AKE}$.Dec$(par$, $s{k}_{P^{*}}^{\mathbf{A}}$, CT${}_{Q^{*}})$, and creates the tag ${\tau }_{P^{*}}$ using K.
• If adversary $\mathcal{A}$ sends (CT, $\dots$) to $Q^{*}$ where CT ≠ CT${}^{*}$, forger $\mathcal{B}$ queries to its decryption oracle ${\mathcal{O}}_{s{k}^{\mathbf{A}}}(·)$ on the input CT. After getting the response from ${\mathcal{O}}_{s{k}^{\mathbf{A}}}(·)$, it proceeds as usual.
• Forger $\mathcal{B}$ queries to its oracle ${\mathcal{O}}_{K^{*}}$ to generate the tag ${\tau }^{*}$ if adversary $\mathcal{A}$ sends (CT${}^{*}$, $\dots$) to $Q^{*}$.
• Forger $\mathcal{B}$ outputs the tag ${\tau }^{*}$ and the corresponding message as its forgery and aborts if adversary $\mathcal{A}$ sends the tag ${\tau }^{*}$ to the l-th activation.

Therefore, we have

$$\begin{array}{c}\hfill ϵ=\mathrm{Pr}\left[\mathcal{B}\mathrm{succeeds}\right]\ge \frac{1}{q_I}\mathrm{Pr}\left[\mathrm{E}\right].\end{array}$$

Considering an encryption forger $\mathcal{B}$, we can construct another adversary $\mathcal{D}$ against the attribute-based encryption scheme $\mathcal{ABE}$ in the IND-CCA security game. Adversary $\mathcal{D}$ is given the public parameter $par$ and has access to both key generation and decryption oracles. When asked for a challenge with input U by forger $\mathcal{B}$, adversary $\mathcal{D}$ randomly chooses two keys $K_0$ and $K_1$ and asks its challenger with inputs U, $K_0$ and U, $K_1$. After obtaining the challenge CT${}^{*}$, adversary $\mathcal{D}$ sets CT${}^{*}$ as forger $\mathcal{B}$’s challenge. When forger $\mathcal{B}$ makes an encryption query with a ciphertext CT ≠ CT${}^{*}$, adversary $\mathcal{D}$ makes a decryption query with input CT to its challenger. Adversary $\mathcal{D}$ returns $\mathcal{MAC}$.MAC$(K_0$, $m)$ to forger $\mathcal{B}$ when forger $\mathcal{B}$ makes an MAC query on a message m. Lastly, if forger $\mathcal{B}$ successfully makes a forgery $\mathcal{MAC}$.MAC$(K_0$, $m^{*})$, adversary $\mathcal{D}$ outputs 0, meaning that CT${}^{*}$ is an encryption of U, $K_0$. Otherwise, if forger $\mathcal{B}$ fails to make a forgery, adversary $\mathcal{D}$ outputs 1, meaning that CT${}^{*}$ is an encryption of U, $K_1$. Hence, we have

$$\begin{array}{cc}\hfill {\mathbf{Adv}}_{\mathcal{ABE},\mathcal{D}}^{\mathrm{IND}-\mathrm{CCA}}\left(\lambda \right)& =\mathrm{Pr}\left[\mathcal{D}\mathrm{outputs}0\right|b=0]\mathrm{Pr}[b=0]+\mathrm{Pr}\left[\mathcal{D}\mathrm{outputs}1\right|b=1]\mathrm{Pr}[b=1]-\frac{1}{2}\hfill \\ \hfill & =\frac{1}{2}\mathrm{Pr}\left[\mathcal{B}\mathrm{succeeds}\right|b=0]+\frac{1}{2}(1-\mathrm{Pr}\left[\mathcal{B}\mathrm{succeeds}\right|b=1])-\frac{1}{2}\hfill \\ \hfill & =\frac{1}{2}(\mathrm{Pr}\left[\mathcal{B}\mathrm{succeeds}\right|b=0]-\mathrm{Pr}\left[\mathcal{B}\mathrm{succeeds}\right|b=1])\hfill \\ \hfill & =\frac{1}{2}(ϵ-{\mathbf{Adv}}_{\mathcal{MAC},\mathcal{B}}^{\mathrm{CMA}}\left(\lambda \right)).\hfill \end{array}$$

The last line of the above equation is concluded from forger $\mathcal{B}$ is in the encryption forger game when $b=0$, and $c^{*}$ is independent of $N_0$ when $b=1$ and forger $\mathcal{B}$ is in the chosen message attack game.

Combining all the results, we have

$$\begin{array}{c}\hfill \mathrm{Pr}\left[\mathrm{E}\right]\le q_I(2·{\mathbf{Adv}}_{\mathcal{ABE},\mathcal{D}}^{\mathrm{IND}-\mathrm{CCA}}\left(\lambda \right)+{\mathbf{Adv}}_{\mathcal{MAC},\mathcal{B}}^{\mathrm{CMA}}\left(\lambda \right)).\end{array}$$

Game${}_1$. We modify the SK security game to a game Game${}_1$ such that the simulator picks a random key from a underlying group and sets it as the session key of the l-th activation. Adversary ${\mathcal{A}}_1$ has similar advantages in the SK security game and the game Game${}_1$; we can also build an adversary $\mathcal{B}$ to break the security of the DDH assumption.

Adversary $\mathcal{B}$ is given a tuple $\{g$, $g^a$, $g^b$, $Z\}$, and its goal is to guess whether $Z=g^{ab}$ or Z is a random group element. Adversary $\mathcal{B}$ follows the procedure of the SK security game to simulate the game Game${}_1$ for adversary ${\mathcal{A}}_1$, except that adversary $\mathcal{B}$ sets X, Y in the l-th session as $X=g^a$ and $Y=g^b$ and sets the session key of the l-th session as Z. Then, we have

$$\begin{array}{cc}\hfill {\mathbf{Adv}}_{\mathcal{B}}^{\mathrm{DDH}}\left(\lambda \right)& =\mathrm{Pr}\left[{\mathcal{A}}_1\mathrm{wins}\mathrm{the}\mathrm{game}\right|Z=g^{ab}]-\mathrm{Pr}\left[{\mathcal{A}}_1\mathrm{wins}\mathrm{the}\mathrm{game}\right|Z=g^r]\hfill \\ \hfill & =\mathrm{Pr}[{\mathrm{AKE}}^{\mathrm{PKEDH},{\mathcal{A}}_1}\left(\lambda \right)\Rightarrow \mathrm{true}]-\mathrm{Pr}[{\mathrm{Game}}_1^{\mathrm{PKEDH},{\mathcal{A}}_1}\left(\lambda \right)\Rightarrow \mathrm{true}]\hfill \\ \hfill & ={\mathbf{Adv}}_{\mathrm{ABEDH},{\mathcal{A}}_1}^{\mathrm{AKE}}\left(\lambda \right)-{\mathbf{Adv}}_{\mathrm{ABEDH},{\mathcal{A}}_1}^{{\mathrm{Game}}_1}\left(\lambda \right).\hfill \end{array}$$

Finally, in the game Game${}_1$, the adversary ${\mathcal{A}}_1$ has no advantage in winning the game, and we have

$$\begin{array}{cc}\hfill {\mathbf{Adv}}_{\mathrm{ABEDH},\mathcal{A}}^{\mathrm{KE}}\left(\lambda \right)& \le q_I(2·{\mathbf{Adv}}_{\mathcal{ABE},\mathcal{D}}^{\mathrm{IND}-\mathrm{CCA}}\left(k\right)+{\mathbf{Adv}}_{\mathcal{MAC},\mathcal{B}}^{\mathrm{CMA}}\left(\lambda \right))+{\mathbf{Adv}}_{\mathcal{B}}^{\mathrm{DDH}}\left(\lambda \right).\hfill \end{array}$$

This completes the proof of Theorem 1.  □

4.4. A One-Round Private and Mutual Authentication Protocol Based on Attribute-Based Encryption

Denote $\mathcal{K}$ by the key space. Denote G as a group of a generator g with a prime order p. Let $\mathcal{ABE}$ = $(\mathcal{ABE}$.Set, $\mathcal{ABE}$.KG, $\mathcal{ABE}$.Enc, $\mathcal{ABE}$.Dec) be a ciphertext-policy attribute-based encryption (CP-ABE) scheme. Let $\mathcal{MAC}$ = $(\mathcal{MAC}$.MAC, $\mathcal{MAC}$.MAV) be a message authentication code (MAC) scheme. Let $H_k$ be a strong randomness extractor (SRE) and $\mathbb{H}$ be a pseudo-random function (PRF). We describe the one-round private and mutual authentication protocol in Figure 6.

• To begin a session $sid$, a device C randomly chooses $x\in Z_p$ and computes X = $g^x$. Then, it randomly chooses a key $K_C\in \mathcal{K}$ and computes the ciphertext CT${}_C$ by running the $\mathcal{ABE}$.Enc algorithm on $K_C$ under an access policy ${\mathbb{A}}_S$ that it wants the responding device S to satisfy. In addition, it generates a tag ${\tau }_C$ on a message $m_C$ = $(0$, $sid$, X, $C)$ using the key $K_S$. It sends $(sid$, X, CT${}_C$, ${\tau }_C)$ to a device S.
• Upon receiving an outgoing message $(sid$, X, CT${}_C$, ${\tau }_C)$ from a device C, the device S decrypts the ciphertext CT${}_C$ to obtain the underlying key $K_C$. If the decryption fails, it aborts the session. Otherwise, it checks the validity of ${\tau }_C$. If ${\tau }_C$ is valid, it runs as follows.
  • It randomly chooses a key $K_S\in \mathcal{K}$, and computes the ciphertext CT${}_S$ by running the $\mathcal{ABE}$.Enc algorithm on $K_S$ under an access policy ${\mathbb{A}}_C$ that it wants the device C to satisfy.
  • It randomly chooses $y\in Z_p$ and computes Y=$g^y$. Then, it generates a tag ${\tau }_S$ by running the $\mathcal{MAC}$.MAC algorithm on a message $m_S$ = $(1$, $sid$, Y, $S)$ under $K_S$.
  • It sends $(sid$, Y, CT${}_S$, ${\tau }_S)$ to the device C.
  The device S computes $K_{S,C}$ = $H_k\left(X^y\right)$ and outputs the session key $ssk$ = ${\mathbb{H}}_{K_{S,C}}(K_C$, $K_S$, $sid$, C, $S)$.
• When the device C receives an incoming message $(sid$, Y, CT${}_S$, ${\sigma }_S)$, it decrypts the ciphertext CT${}_S$ to obtain the underlying key $K_S$. If the decryption succeeds, it checks the correctness of ${\tau }_S$. If the verification fails, it aborts the session. Otherwise, it computes $K_{C,S}$ = $H_k\left(Y^x\right)$ and outputs the session key $ssk$ = ${\mathbb{H}}_{K_{C,S}}(K_C$, $K_S$, $sid$, C, $S)$.

Theorem 2.

Assuming that DDH holds in the underlying group, $\mathcal{ABE}$ is IND-CCA secure, $\mathcal{MAC}$ is CMA secure, $\mathbb{H}$ is a secure PRF, and $H_k$ is an SRE, the proposed OR-ABEDH protocol is session-key secure with WFS under the strong corruption model.

Proof. 

The proof is divided into two parts: one part proves the security of the OR-ABEDH protocol under the assumption that the partner of the Test-Session is not corrupted, and the other part proves the security of the OR-ABEDH protocol under the assumption the partner of the Test-Session is corrupted (in this case, the Test-Session has a matching session at the time the adversary $\mathcal{A}$ completes). Assume that $1/p$ is the maximum probability that the input and output messages from two different sessions are the same, $q_I$ is the number of all sessions activated by algorithm $\mathcal{A}$, and adversary $\mathcal{B}$ is against the IND-CCA security of $\mathcal{ABE}$, adversary $\mathcal{C}$ is against the MAC security of $\mathcal{MAC}$, adversary $\mathcal{D}$ is against the security of DDH problem, and adversaries ${\mathcal{F}}_0$, ${\mathcal{F}}_1$ are against the security of $H_k$, $\mathbb{H}$, respectively.

• Case 1. In this case, the Test-Session’s responder is not corrupted, but the initiator of the Test-Session may be.

  –

  Game${}_0$. This game is the same as a real interaction with the OR-ABEDH protocol. A random bit b is selected, and the real session key is returned in answer to the Test-Session query when $b=0$. Otherwise, a random key from the key space is returned as the session key.

  –

  Game${}_1$. This game is the same as Game${}_0$, except that if two different sessions generate exactly the same message and have the same partner, the protocol aborts. Hence, we have

  $$\begin{array}{c}\hfill {\mathbf{Adv}}_{{\mathrm{Game}}_0,\mathcal{A}}^{\mathrm{SK}}\left(\lambda \right)-{\mathbf{Adv}}_{{\mathrm{Game}}_1,\mathcal{A}}^{\mathrm{SK}}\left(\lambda \right)\le {q_I}^2/p.\end{array}$$

  –

  Game${}_2$. This game is the same as Game${}_1$, except a random value l∈$[1,q_I]$ is chosen before adversary $\mathcal{A}$ starts. The protocol aborts, and adversary $\mathcal{A}$ fails and outputs a random bit if the l-th session is not the Test-Session. Denote $P^{*}$ by the initiator of the l-th session, $Q^{*}$ by the responder of the l-th session, CT${}_{P^{*}}$ by the input message of the l-th session, and CT${}_{Q^{*}}$ by the corresponding output message. Note that a matching Test-Session activated at $Q^{*}$ may not exist. Thus, we have

  $$\begin{array}{c}\hfill {\mathbf{Adv}}_{{\mathrm{Game}}_1,\mathcal{A}}^{\mathrm{SK}}\left(\lambda \right)=q_I·{\mathbf{Adv}}_{{\mathrm{Game}}_2,\mathcal{A}}^{\mathrm{SK}}\left(\lambda \right).\end{array}$$

  –

  Game${}_3$. This game is the same as Game${}_2$, except a random value $K_{Q^{*}}$ is selected. Whenever CT${}_{Q^{*}}$ is used as the input message of $Q^{*}$, the computation of the key is modified so that $K_{Q^{*}}$ is used in place of the decryption result. The message generated by this session is computed as usual. Likewise, $K_{Q^{*}}$ is used to compute the session key by $P^{*}$. Therefore, we have

  $$\begin{array}{c}\hfill {\mathbf{Adv}}_{{\mathrm{Game}}_2,\mathcal{A}}^{\mathrm{SK}}\left(\lambda \right)-{\mathbf{Adv}}_{{\mathrm{Game}}_3,\mathcal{A}}^{\mathrm{SK}}\left(\lambda \right)\le 2·{\mathbf{Adv}}_{\mathcal{ABE},\mathcal{B}}^{\mathrm{IND}-\mathrm{CCA}}\left(\lambda \right).\end{array}$$

  –

  Game${}_4$. This game is the same as Game${}_3$, except the values X and Y will be replaced by $g^a$ and $g^b$, and the calculation of $Y^x$ will be replaced by Z. As a result, we have

  $$\begin{array}{c}\hfill {\mathbf{Adv}}_{{\mathrm{Game}}_3,\mathcal{A}}^{\mathrm{SK}}\left(\lambda \right)-{\mathbf{Adv}}_{{\mathrm{Game}}_4,\mathcal{A}}^{\mathrm{SK}}\left(\lambda \right)\le 2·{\mathbf{Adv}}_{\mathcal{D}}^{\mathrm{DDH}}\left(\lambda \right).\end{array}$$

  –

  Game${}_5$. This game is the same as Game${}_3$, except the calculation of the tag is replaced by a randomly chosen ${\tau }^{*}$, and we have

  $$\begin{array}{c}\hfill {\mathbf{Adv}}_{{\mathrm{Game}}_4,\mathcal{A}}^{\mathrm{SK}}\left(\lambda \right)-{\mathbf{Adv}}_{{\mathrm{Game}}_5,\mathcal{A}}^{\mathrm{SK}}\left(\lambda \right)\le 2·{\mathbf{Adv}}_{\mathcal{MAC},\mathcal{C}}^{\mathrm{MAC}}\left(\lambda \right).\end{array}$$

  –

  Game${}_6$. This game is the same as Game${}_5$, except the calculation of the $K_{P^{*},Q*}$ is replaced by a randomly chosen $K^{*}$, and we have

  $$\begin{array}{c}\hfill {\mathbf{Adv}}_{{\mathrm{Game}}_5,\mathcal{A}}^{\mathrm{SK}}\left(\lambda \right)-{\mathbf{Adv}}_{{\mathrm{Game}}_6,\mathcal{A}}^{\mathrm{SK}}\left(\lambda \right)\le 2·{\mathbf{Adv}}_{H_k,{\mathcal{F}}_0}^{\mathrm{SRE}}\left(\lambda \right).\end{array}$$

  –

  Game${}_7$. This game is the same as Game${}_6$, except the calculation of the session key is replaced by a randomly chosen $ss{k}^{*}$, and we have

  $$\begin{array}{c}\hfill {\mathbf{Adv}}_{{\mathrm{Game}}_6,\mathcal{A}}^{\mathrm{SK}}\left(\lambda \right)-{\mathbf{Adv}}_{{\mathrm{Game}}_7,\mathcal{A}}^{\mathrm{SK}}\left(\lambda \right)\le 2·{\mathbf{Adv}}_{\mathbb{H},{\mathcal{F}}_1}^{\mathrm{PRF}}\left(\lambda \right).\end{array}$$

  Combining the above results, we have

  $$\begin{array}{cc}\hfill {\mathbf{Adv}}_{\mathrm{OR}-\mathrm{ABEDH},\mathcal{A}}^{\mathrm{SK}}\left(\lambda \right)& ={\mathbf{Adv}}_{{\mathrm{Game}}_0,\mathcal{A}}^{\mathrm{SK}}\left(\lambda \right)\le {q_I}^2/p+2·q_I·({\mathbf{Adv}}_{\mathcal{ABE},\mathcal{B}}^{\mathrm{IND}-\mathrm{CCA}}\left(\lambda \right)\hfill \\ \hfill & +{\mathbf{Adv}}_{\mathcal{D}}^{\mathrm{DDH}}\left(\lambda \right)+{\mathbf{Adv}}_{\mathcal{MAC},\mathcal{C}}^{\mathrm{MAC}}\left(\lambda \right)+{\mathbf{Adv}}_{H_k,{\mathcal{F}}_0}^{\mathrm{SRE}}\left(\lambda \right)+{\mathbf{Adv}}_{\mathbb{H},{\mathcal{F}}_1}^{\mathrm{PRF}}\left(\lambda \right)).\hfill \end{array}$$
• Case 2. In this case, both the initiator and the responder of the Test-Session are corrupted.

  –

  Game${}_0$. This game is the same as a real interaction with the OR-ABEDH protocol. When a random bit b is chosen and set as b = 0, the real session key is returned in answer to the Test-Session query. Otherwise, a random key from the key space is selected as the session key.

  –

  Game${}_1$. This game is the same as Game${}_0$, except that random values l, $l^{\prime }\in [1,q_I]$ are selected before adversary $\mathcal{A}$ initiates. Let $P^{*}$ and $Q^{*}$ be the participants of the l-th and $l^{\prime }$-th sessions, respectively. The protocol aborts, and algorithm $\mathcal{A}$ fails and outputs a random bit when the l-th session of $P^{*}$ is not the Test-Session or the output of the $l^{\prime }$-th session of $Q^{*}$ is not used as input to the Test-Session. In addition, the Test-Session’s session key is computed as usual, except a randomly chosen key K replaces $K_C$ or $K_S$. The Test-Session’s matching session has its key set to the same value (i.e., it always returns a random test session key without considering b’s value). Hence, we have

  $$\begin{array}{c}\hfill {\mathbf{Adv}}_{{\mathrm{Game}}_0,\mathcal{A}}^{\mathrm{SK}}\left(\lambda \right)=2{q_I}^2·{\mathbf{Adv}}_{{\mathrm{Game}}_1,\mathcal{A}}^{\mathrm{SK}}\left(\lambda \right).\end{array}$$

  –

  Game${}_2$. This game is the same as Game${}_3$, except the values X and Y will be replaced by $g^a$ and $g^b$ and the calculation of $Y^x$ and $X^y$ will be replaced by Z. As a result, we have

  $$\begin{array}{c}\hfill {\mathbf{Adv}}_{{\mathrm{Game}}_1,\mathcal{A}}^{\mathrm{SK}}\left(\lambda \right)-{\mathbf{Adv}}_{{\mathrm{Game}}_2,\mathcal{A}}^{\mathrm{SK}}\left(\lambda \right)\le 2·{\mathbf{Adv}}_{\mathcal{D}}^{\mathrm{DDH}}\left(\lambda \right).\end{array}$$

  –

  Game${}_3$. This game is the same as Game${}_5$, except that the calculation of the $K_{P^{*},Q*}$ is replaced by a randomly chosen $K^{*}$, and we have

  $$\begin{array}{c}\hfill {\mathbf{Adv}}_{{\mathrm{Game}}_2,\mathcal{A}}^{\mathrm{SK}}\left(\lambda \right)-{\mathbf{Adv}}_{{\mathrm{Game}}_3,\mathcal{A}}^{\mathrm{SK}}\left(\lambda \right)\le 2·{\mathbf{Adv}}_{H_k,{\mathcal{F}}_0}^{\mathrm{SRE}}\left(\lambda \right).\end{array}$$

  –

  Game${}_4$. This game is the same as Game${}_6$, except the calculation of the session key is replaced by a randomly chosen $ss{k}^{*}$, and we have

  $$\begin{array}{c}\hfill {\mathbf{Adv}}_{{\mathrm{Game}}_3,\mathcal{A}}^{\mathrm{SK}}\left(\lambda \right)-{\mathbf{Adv}}_{{\mathrm{Game}}_4,\mathcal{A}}^{\mathrm{SK}}\left(\lambda \right)\le 2·{\mathbf{Adv}}_{\mathbb{H},{\mathcal{F}}_1}^{\mathrm{PRF}}\left(\lambda \right).\end{array}$$

  Combining the above results, we have

  $$\begin{array}{cc}\hfill {\mathbf{Adv}}_{\mathrm{OR}-\mathrm{ABEDH},\mathcal{A}}^{\mathrm{SK}}\left(\lambda \right)& ={\mathbf{Adv}}_{{\mathrm{Game}}_0,\mathcal{A}}^{\mathrm{SK}}\left(\lambda \right)\le 2({q_I}^2·{\mathbf{Adv}}_{\mathcal{D}}^{\mathrm{DDH}}\left(\lambda \right)+{\mathbf{Adv}}_{H_k,{\mathcal{F}}_0}^{\mathrm{SRE}}\left(\lambda \right)+{\mathbf{Adv}}_{\mathbb{H},{\mathcal{F}}_1}^{\mathrm{PRF}}\left(\lambda \right)).\hfill \end{array}$$

Finally, we have

$$\begin{array}{cc}\hfill {\mathbf{Adv}}_{\mathrm{OR}-\mathrm{ABEDH},\mathcal{A}}^{\mathrm{SK}}\left(\lambda \right)& \le {q_I}^2/p+2·q_I·({\mathbf{Adv}}_{\mathcal{ABE},\mathcal{B}}^{\mathrm{IND}-\mathrm{CCA}}\left(\lambda \right)+{\mathbf{Adv}}_{\mathcal{D}}^{\mathrm{DDH}}\left(\lambda \right)+{\mathbf{Adv}}_{\mathcal{MAC},\mathcal{C}}^{\mathrm{MAC}}\left(\lambda \right)\hfill \\ \hfill & +{\mathbf{Adv}}_{H_k,{\mathcal{F}}_0}^{\mathrm{SRE}}\left(\lambda \right)+{\mathbf{Adv}}_{\mathbb{H},{\mathcal{F}}_1}^{\mathrm{PRF}}\left(\lambda \right)+2({q_I}^2·{\mathbf{Adv}}_{\mathcal{D}}^{\mathrm{DDH}}\left(\lambda \right)+{\mathbf{Adv}}_{H_k,{\mathcal{F}}_0}^{\mathrm{SRE}}\left(\lambda \right)\hfill \\ \hfill & +{\mathbf{Adv}}_{\mathbb{H},{\mathcal{F}}_1}^{\mathrm{PRF}}\left(\lambda \right)).\hfill \end{array}$$

This completes the proof of Theorem 2.  □

5. Discussion

In this section, we analyze the limitations and performance of the proposed private and mutual authentication protocols.

5.1. Protocol Analysis

Below, we analyze the limitations of the proposed private and mutual authentication protocols.

• Lightweight authentication protocols. An ABE scheme involves a number of exponentiation and pairing calculations which is not suitable for IoT devices with limited resources. It would be desirable to design private and mutual authentication protocols with lightweight computation. There exist several ABE schemes (e.g., [29]) which utilize a third party to reduce the computational overhead. Due to this observation, one possible solution to mitigate of computational cost is to use a third party to help with the calculation.
• Strong corruption model. The proposed private and mutual authentication protocol is only session-key secure in the weak corruption model. To our knowledge, there is no authentication protocol built from public-key encryption and message authentication code that is secure under the strong corruption model. One solution to this problem is to design private and mutual authentication protocols based on signature. To achieve the goal of privacy protection, attribute-based signature (ABS) [30] might be a promising building block.
• Perfect forward secrecy. The proposed one-round private and authentication protocol only achieves weak forward secrecy. It has been noted in [31] that PFS cannot be achieved by any one-round key exchange protocols as long as they are authenticated via public keys and do not have secure shared state previously built between participants.

5.2. Performance Analysis and Implementation

We implement the proposed private and mutual authentication protocols ABEDH and OR-ABEDH in Charm [32] (please refer to [32] for the more information about Charm). The Charm of version Charm-0.43, the PBC library (for the underlying cryptographic operations), and Python 3.4 are used in the implementation.

We choose the CP-ABE scheme (the most efficient one among all the CP-ABE schemes proposed in [33]) proposed by Waters [33] in the implementation and apply the Fujisaki–Okamoto transformation [34] to it to obtain the CCA-security. All the experiments are conducted over two elliptic curves SS512 and MNT159 to achieve the 80-bit security level. SS512 is a supersingular elliptic curve with the symmetric Type 1 pairing on it while the pairings on the MNT159 curve are asymmetric Type 3 pairings. The experiments are conducted via the 64-bit Ubuntu VM on a laptop with Intel Core i5-4210U CPU @ 1.70 GHz and 8.00 GB RAM. The computation time for the exponentiation and pairing calculation over the two curves are listed in

Table 1. Computation time (in ms) for the operation on the group and pairing over different elliptic curves on a laptop with the Intel Core i7-4785T CPU @ 1.70 GHz.

ECs	Exp. G	Exp. $\widehat{\mathit{G}}$	Exp. ${\mathit{G}}_1$	Pairing
SS512	0.231	0.229	0.032	1.178
MNT159	0.062	0.669	0.182	3.595

.

In our experiments, the access policy is composed of seven attributes in the form as “(** OR **) AND (** OR **) AND (** OR (** AND **))”, where each “**” represents a concrete attribute. In

Table 2. Computation time tested for the proposed authentication protocols and the underlying CP-ABE scheme.

Time (Seconds)	CP-ABE Encrypt	CP-ABE Decrypt	ABEDH	OR-ABEDH
SS512	0.078	0.021	0.102	0.101
MNT159	0.062	0.034	0.098	0.098

, we test the running time of the encryption and decryption algorithms in the underlying CP-ABE scheme [33] and the time of a party as a responder (or an initiator) in running the ABEDH and OR-ABEDH protocols. In addition, we test the computation time of the encryption and decryption algorithms in the CP-ABE scheme with partially hidden access structures (we modify the CP-ABE scheme in [33] to make it a CP-ABE scheme with partially hidden access structures using the technique in [35]) and the computation time of a party as a responder (or an initiator) in running the ABEDH and OR-ABEDH protocols, as shown in

Table 3. Computation time tested for the proposed authentication protocols and the underlying CP-ABE scheme with partially hidden access structures.

Time (Seconds)	CP-ABE Encrypt	CP-ABE Decrypt	ABEDH	OR-ABEDH
SS512	0.118	0.246			0.378	0.379
MNT159	0.165	0.066	0.234	0.232

.

6. Conclusions

In order to provide privacy for the devices located in the IoT, Wu et al. [5] proposed a private and authentication protocol for IoT. However, their protocol has several limitations in terms of security. Motivated by this, in this paper, we proposed two key exchange protocols with private authentication between the participants: one is composed of two messages and the other is composed of three messages. Both of our protocols are public-key based, and they use attribute-based encryption (ABE) as the building block to preserve privacy of parties. We proved that both of the private and mutual authentication protocols are secure in the standard model. We also implemented the proposed protocols using an open source framework.