ˆ

= H (A||B||TA ||e(QA , QB )s(a+b) ),

ˆ

SKBA = H (KBA ) = H (A||B||TB ||e(WA + bQA , SB )

ˆ

= H (A||B||TB ||e(QA , QB )s(a+b) ) = SKAB

ˆ

instead. The attack outlined in Attack 9.1 will no longer work since a non-matching

conversation (i.e., TA = TB ) will also mean that the session key is different, as

shown below:

SKAB = H (KAB ) = H (A||B||aQA ||(b + c)QB ||e(SA ,WB + aQB )),

ˆ

SKBA = H (KBA ) = H (A||B||(a + c)QA ||bQB ||e(WA + bQA , SB )) = SKAB .

ˆ

Similarly, a re¬‚ection attack or an unknown key share attack would not work against

the protocol since the construction of the session key introduces role asymmetry and

the identities of the participants. Session keys will be different when the roles of the

same principal switch. A , therefore, appears to be unable to gain information about

such fresh session key(s).

9.1 Chen“Kudla ID-Based Protocol 151

9.1.4 Security Proof for Improved Chen“Kudla Protocol

At ¬rst glance, it would seem that by ¬xing the attack outlined in Chapter 9.1.2,

we have addressed the reasons why no Reveal query was allowed that was outlined

in the existing proofs. We would, therefore, be able to prove the improved protocol

secure in the unrestricted BR93 model. We demonstrate, however, that this is not

possible unless we restrict the adversary from asking any Reveal queries to the part-

ner of the Test session, as explained in Figure 9.1. By allowing the adversary to ask

Reveal queries directed at the owner of the Test session (in our proof), however, we

effectively prove the improved protocol secure against re¬‚ection attacks.

Recall that the general notion of the proof is to assume that there exists an ad-

versary, A , who can gain a non-negligible advantage in distinguishing the test key

in the game described in Figure 2.1, and use A to break the underlying BDH prob-

lem described in De¬nition 2.1.7. We build an adversary, ABDH , against the BDH

problem using A . The objective of ABDH is to compute and output the value

e(P, P)xyz ∈ G2 when given a bilinear map e, a generator of P of G1 , and a triple of

elements xP, yP, zP ∈ G1 with x, y, z ∈ Z— , where q is the prime order of the distinct

q

groups G1 and G2 .

u

Let oracle ΠA,B be the initiator associated with the target Test session, and oracle

v u

ΠB,A be the responder partner to ΠA,B . ABDH needs to simulate all responses to

queries from A , including the random oracle, H . The proof speci¬es that ABDH

can create all public/private key pairs for all players, except a randomly chosen

player J. Let (QU , SU ) denote the public/private keys of players U other than J

where SU = xQU . ABDH is unable to compute the private key of J because ABDH

is trying to solve the BDH problem, which is embedded in the public key of J.

Figure 9.1 shows a possible sequence of adversary actions and the responses gener-

ated by ABDH . It can be seen that A will be able to distinguish between the sim-

ulation provided by ABDH and the actual protocol if it carries out this sequence of

actions, since with overwhelming probability, v = SKBC (recall that v is randomly

chosen). Hence, ABDH cannot answer any Reveal directed at the partner of the

target Test session.

Theorem 9.1.1 The improved Chen“Kudla protocol 2 is a secure authenticated key

establishment protocol in the sense of De¬nition 2.3.3 if the Bilinear Dif¬e-Hellman

(BDH) problem is hard, the hash function, H , is a random oracle, and the adver-

sary A does not ask any Reveal queries to any sessions owned by the partner player

associated with the Test session.

The proof for Theorem 9.1.1 generally follows that of Chen and Kudla [4, Proof of

Theorem 1], except that we allow A to ask Reveal queries (but not to the partner

player of the Test session). The details of the game simulation remain unchanged to

that presented by Chen and Kudla [4, Proof of Theorem 1], except that we allow A

152 9 On Session Key Construction

ABDH A

Send(B,C, j, cQC )

b ∈R Z— c ∈R Z—

←’ ’ ’

’ ’ ’’

r r

bQB

’’ ’ ’

’ ’ ’’

Reveal(B,C, j)

←’ ’ ’

’ ’ ’’

ABDH is supposed to respond with H (B||C|| j||e(cQ C + bQC , SB )), but ABDH does not know SB ,

and thus cannot know the input for its simulation of H .

v

v ∈R {0, 1}k ’’ ’ ’

’ ’ ’’

Corrupt(C)

←’ ’ ’

’ ’ ’’

ABDH returns all internal states of C, including SC = sQC .

S

’ ’C’ ’

’’ ’ ’

Compute SKBC = H (C||B||i||e(SC , bQB + cQB ))

?

Verify whether v = SKBC

Fig. 9.1 An example simulation of Protocol 9.1

to ask Reveal queries (but not to the partner player of the Test session), as given in

Table 9.1.

Queries Actions

Send(U1 ,U2 , i) ABDH answers all Send queries in the same fashion as the proof simulation

presented by Chen and Kudla.

ABDH answers all Corrupt queries in the same fashion as the proof simu-

Corrupt(U, K)

lation presented by Chen and Kudla.

Test(U1 ,U2 , i) ABDH answers the Test query in the same fashion as the proof simulation

presented by Chen and Kudla.

H (U1 ||U2 ||i||te(m)) ABDH returns a random value, v ∈R {0, 1}k where k is the security parame-

ter, and stores m in a list of tuples.

i

If oracle ΠU1 ,U2 is not an oracle associated with the test session (or partner

Reveal(U1 ,U2 , i)

of such an oracle), and U1 is not player J where ABDH did not generate the

i

contents of the Send query to ΠU1 ,U2 , then ABDH returns the associated ses-

sion key. Otherwise ABDH terminates and halts the simulation. We observe

that if ABDH halts because U1 = J, the Test session chosen by A must be

different to that desired by ABDH , so even if the simulation had not halted

here, it would have halted later.

Table 9.1 ABDH simulating the view of A

ABDH is able to simulate the view of A perfectly by answering all oracle queries

of A . Upon the conclusion of the game (i.e., A is done), ABDH chooses a random

element in the list of tuples and outputs it. The probability that ABDH did not

abort at some stage and produces the correct output remains non-negligible. This

concludes the proof of the theorem.

9.2 McCullagh“Barreto 2P-IDAKA Protocol 153

9.2 McCullagh“Barreto 2P-IDAKA Protocol

In this section, we revisit the McCullagh“Barreto protocol 2P-IDAKA [13]. Sim-

ilarly to Chapter 9.1, we present the arguments of the existing proof on why the

Reveal query is not allowed. We also identify some errors in the existing proof of