Authenticated Key Exchange under Bad Randomness, Revisited

Abstract

A bad randomness may cause catastrophic results in security; thus, it is of importance to make cryptographic systems secure against bad randomness. In this paper, we focus on a practical situation where an adversary is able to force participants in an authenticated key exchange (AKE) system to reuse the random values and the functions of these values, called related randomness attack (RRA). Following the existing randomness resetting security model of AKE and the RRA security model of public-key encryption, we present a model of RRA security for authenticated key exchange, as well as the necessary restrictions on the related randomness functions used to obtain the security definition. Then we show how a related randomness attack adversary breaks the security of some existing AKE protocols, and propose some constructions of RRA-secure authenticated key exchange in the random oracle model and standard model, respectively.

1. Introduction

Cryptographic primitives are heavy users of randomness, but due to problems including insufficient estimation of system entropy, poor design of algorithms, bugs in software, and virtual machine randomness resetting, random number generators may fail to generate required randomness in practice [1]. This failure of randomness can cause catastrophic results: private signing keys of digital signatures could be exposed [2], low-entropy plaintexts in public-key encryption schemes might be recovered [3], the procedure of key generation would be severely weakened [4,5], ephemeral Diffie–Hellman keys may become predictable, resulting in the exposure of session keys [3], and electronic wallet security might be compromised [3]. Obviously, standard security notions of indistinguishability under chosen plaintext attacks or chosen ciphertext attacks [6] (IND-CPA or IND-CCA security) are not sufficient when these attacks on randomness are possible. This observation leads the research community to target effort into addressing this problem (e.g., [3,7,8,9]). However, it is unlikely that the failures of randomness can be completely eliminated [3]. A commonly adopted approach is to try to hedge against randomness failures, which can make cryptographic primitives offer some degree of security when encountering randomness failures.

1.1. Motivation and Contributions

An authenticated key exchange (AKE) protocol allows the communication of two parties to generate a common session key over an insecure network, which has been widely applied in real-world applications (e.g., online banking, virtual private networks (VPNs), wireless communication protocols such as Wi-Fi Protected Access (WPA), etc.) to secure network communications. An AKE protocol is composed of a tuple of randomized algorithms which take random coins produced by pseudorandom number generators (PRNGs) as the input and yield bit-strings computationally indistinguishable from truly random strings given the truly fresh and random seeds [10]. However, in practice, these seeds are constructed via data collection from an entropy pool which could be controlled by an adversary who might modify the random data, making the randomness become bad. In this context, Yang et al. [11] raised a natural question: would existing well-known AKE protocols still be secure under bad randomness? They defined two security models for reset attacks (RAs) as Reset-1 (where the random coins used by the algorithms are controlled the adversary) and Reset-2 (where a device can be reset by the adversary to force algorithms to reuse certain random coins) to capture such a security, and showed that some widely used AKE protocols become insecure when the randomness becomes bad.

Motivated by the challenge of protecting security in the case of randomness failures, we consider the security for AKE under the setting of related randomness attacks (RRAs) [3], where the adversary not only can force to reuse existing random values as in the RA setting, but also can force to use those random values’ functions, i.e., the random bits become predictable in such a way that the adversary is aware of the relations among the randomness in one session and its subsequent sessions. This capability is similar to the ability granted to the adversary in the setting of related-key attacks (RKAs) [6], under which an adversary is capable of tampering with the secret (or private) keys used in cryptographic computations. In actuality, the RA setting can be regarded as a special case of the RRA setting to allow the modelling of RAs such that the adversary cannot reset randomness, but the randomness used is in some way related to that used on previous sessions. These behaviours were discussed in the experimental work in [7], where the bad randomness was divided into reused randomness (the Reset-2 model), exposed randomness, predictable randomness (the RRA model), and chosen randomness (the Reset-1 model). Our RRA setting on authenticated key exchange builds on the bad randomness setting on AKE [11], and it also has interesting connections with related-key attacks for pseudorandom function (PRF) [12], and deterministic digital signature [11].

Contributions. We build an RRA security model for AKE in the RRA setting in this paper, under which the protocol is secure even after the adversary is able to reset a participant to use related random coins in multiple AKE sessions. Based on the security models Bellare–Rogaway (BR) [13] and Canetti–Krawczyk (CK) [14], we define the RRA security by providing additional capabilities to the adversaries in the Reset-2 model in [11]. In our RRA model, the adversary can reset to make the random coins used in multiple AKE sessions related to each other by satisfying some function defined by the adversary, which is called related-randomness deriving (RRD) function. Since the RRD functions can set the random coins in one AKE session identical to the random values in other AKE sessions, it is straightforward that the RRA model is stronger than the Reset-2 model. Different from that in the Reset-1 model [11], the adversary under related randomness attacks does not know the exact values of the used randomness, so our model allows the adversary to corrupt either participant’s long-lived key, thereby capturing the weak forward secrecy (FS) [15], which requires that compromising the long-lived secret keys of the participants will not compromise any already established session key. This reflects that, similar to the relations between the Reset-1 and Reset-2 models analysed in [11], the Reset-1 and RRA models are incomparable and we need to preclude an RRA adversary from making queries such that the RRD functions are set to be constants, i.e., the adversary controls the random coins used in the AKE protocol.

Then we show that the AKE protocols in [11] become insecure against RRAs if the adversary can manipulate randomness in a way defined in related randomness attacks. In addition, we present techniques to build RRA-secure AKE protocols from the random oracle model and the standard model, respectively.

• Random oracle construction. This can be simply realised by hashing the output session key.
• Standard model construction. We achieve this by slightly changing the way of applying pseudorandom function (PRF) in Yang et al.’s ISO-R protocol.

The above two constructions mess up the relations of different session keys, thereby building RRA-secure authenticated key exchange protocols with restrictions on the related-randomness deriving functions and additional requirements on the PRFs.

In addition, given the power of the adversary in the RRA setting, a certain set of adversarial queries must be excluded to prevent the adversary from trivially breaking security. For example, constant functions must be disallowed for security in our RRA setting, which could be regarded as the Reset-1 model for the chosen randomness in [11], where the random coins are controlled by the adversary. When the related randomness functions $\varphi$ are restricted to be from some set $\Phi$, we name the functions $\Phi$-restricted RRD functions, and call the corresponding adversary a $\Phi$-restricted adversary.

Other Results. In [11], Yang et al. also presented a generic transformation on a Reset-2 secure AKE protocol to obtain a Reset-1 and Reset-2 secure ABE protocol. Their technique is to make a PRF be a strong randomness extractor (SRE) [11] such that the output of the PRF is close to uniform distribution even when the secret key used in the function is revealed. In our construction in the standard model, we ask the PRF to be RKA-secure to build the RRA-secure AKE protocols. Can our constructions for RRA-secure ABE be extended to cover the Reset-1 model? To our best knowledge, we cannot give an affirmative answer in this paper (this will be explained later with regard to the concrete constructions), and we leave this as an open problem.

1.2. Related Work

Authenticated Key Exchange. In 1993, Bellare and Rogaway [13] gave the first theoretical treatment of the security notion of AKE, which, referred to as the BR model, became the standard for analysing AKE protocols. Later, in 2001, Canetti and Krawczyk [14] gave another security model, known as the CK model, where they showed that AKE protocols composed with symmetric key encryption and authentication functions can be secure in their model to provide secure communication channels. Several popular AKE protocols (e.g., ISO [14], SIGMA [16,17], and HMQV [18]) have been proved to be secure under the CK model. LaMacchia, Lauter, and Mityagin [19] extended the CK model to the eCK model in 2007, where either the long-lived keys or the ephemeral keys of the participants of a protocol session can be comprised by the adversary. Even though there are many comparisons between the CK model and the eCK model [19,20,21], it is suggested by Boyd et al. [20] that these two models are incomparable.

Bad Randomness. For signatures, there exists a method that can avoid security issues arising from bad randomness while keeping the verification procedure as normal, which simply strengthens the private key in the signature scheme with a key for a PRF, and derives any needed randomness during the signing by applying this PRF to the “to be signed” message.

Regarding the randomness used in symmetric encryption setting, Rogaway [22] proposed nonce-based encryption, Rogaway and Shrimpton [23] proposed the notion of misuse-resistant authenticated-encryption concerning residual security when then nonce is repeated, and Kamara and Katz [24] introduced the security model of such attacks that the random coins are poorly generated, and showed generic transformations for achieving security in this context.

In the public-key setting, Bellare et al. [25] provided the best possible security guarantees for public-key encryption using bad randomness, and gave several public-key encryption schemes achieving this notion. Ristenpart and Yilek [7] studied the use of “hedge” to protect broad classes of randomness failures in already-deployed systems in the random oracle model, and performed this technique in OpenSSL. Yilek [8] focused on the public-key encryption security in a setting where resetting and reusing random numbers are possible, and presented a simple and efficient way to make any existing public-key encryption scheme secure under this model. Paterson, Schuldt, and Sibborn [3], to preserve security under randomness failures, initiated the study of security for public-key encryption in the setting of related randomness attack (RRA).

In terms of authenticated key exchange, Aiello et al. [26] discussed the reuse of Diffie–Hellman (DH) exponents in multiple AKE sessions, excluding reusing the same randomness to sign different messages in the authentication and key exchange phase. Yang et al. [11] presented its formal security model under bad randomness where the adversary is given the power of controlling or resetting the random coins used by the stateless AKE algorithms, but their approaches of building AKE protocols cannot be extended to achieve RRA security. Feltz and Cremers also [1] systematically analysed the security of both stateless and stateful AKE protocols under bad randomness, but the maliciously registered public keys are disallowed in their systems.

1.3. Organization

The rest in this paper is structured as follows. In Section 2, we briefly review the notions and definition related to this work. In Section 3, we elaborate the security model of RRA-secure AKE protocol. In Section 4, we point out some simple related randomness attacks on the AKE under bad randomness protocols. In Section 5, we present constructions of AKE with RRA security based on signature. In Section 6, we propose a construction of AKE with RRA security based on encryption. Finally, this paper is summarised in Section 7.

2. Preliminaries

In this section, we recall some basic notions to be used in this paper.

2.1. Pseudorandom Functions

Let $\mathcal{F}:$ K${}_{\lambda }$× D${}_{\lambda }$→ R${}_{\lambda }$ be a set of PRFs [10] with $\lambda$ being a security parameter, and K${}_{\lambda }$, D${}_{\lambda }$, and R${}_{\lambda }$ being arbitrary finite sets. Following the security games in Figure 1, the advantage of a PRF adversary $\mathcal{A}$ against $\mathcal{F}$ is

$$\begin{array}{c}\hfill {\mathbf{Adv}}_{\mathcal{F},\mathcal{A}}^{\mathrm{prf}}\left(\lambda \right)=\mathrm{Pr}[{\mathrm{REAL}}_{\mathcal{F}}^{\mathcal{A}}\Rightarrow 1]-\mathrm{Pr}[{\mathrm{RAND}}_{\mathcal{F}}^{\mathcal{A}}\Rightarrow 1].\end{array}$$

We say that $\mathcal{F}$ is a secure PRF family if the advantage of any probabilistic polynomial time adversary is negligible in the security parameter $\lambda$.

RKA-secure pseudorandom functions. Let $\Phi$ be a class of related-key deriving functions $\varphi :$K→K mapping a key to a related key, which is a finite set of functions with the same domain and range [2]. Let $\mathcal{F}:$ K${}_{\lambda }$× D${}_{\lambda }$→ R${}_{\lambda }$ be a set of PRFs indexed by a security parameter $\lambda$ with K${}_{\lambda }$, D${}_{\lambda }$, and R${}_{\lambda }$ being arbitrary finite sets. The advantage of a $\Phi$-restricted related-key attack secure pseudorandom function ($\Phi$-RKA-PRF) adversary $\mathcal{A}$ against $\mathcal{F}$ is

$$\begin{array}{c}\hfill {\mathbf{Adv}}_{\mathcal{F},\mathcal{A}}^{\Phi -\mathrm{rka}-\mathrm{prf}}\left(\lambda \right)=\mathrm{Pr}[{\mathrm{RKA}-\mathrm{REAL}}_{\mathcal{F}}^{\mathcal{A}}\Rightarrow 1]-\mathrm{Pr}[{\mathrm{RKA}-\mathrm{RAND}}_{\mathcal{F}}^{\mathcal{A}}\Rightarrow 1],\end{array}$$

where the security games (following the definitions in [12]) are shown in Figure 1.

We say that $\mathcal{F}$ is a related-key attack secure PRF family if the advantage of any $\Phi$ polynomial-time adversary (PPT) is negligible in the security parameter $\lambda$.

2.2. Deterministic Digital Signatures

If the signing algorithm $\mathcal{DS}$.Sign of a digital signature scheme $\mathcal{DS}$ = $(\mathcal{DS}$.SKG, $\mathcal{DS}$.Sign, $\mathcal{DS}$.Vf) is deterministic, then $\mathcal{DS}$ is deterministic. A randomised digital signature scheme can be transformed into a deterministic one as follows [11].

• Firstly, the signing key is expanded to include a uniformly random key $K^{\prime }$ from the key space of a PRF family.
• To sign a message m, it computes random coin $r=F_{K^{\prime }}^{\prime }\left(m\right)$, where $F^{\prime }$ is a pseudorandom function, and then invokes the randomised signing algorithm $\mathcal{DS}$.Sign with random coin r.

We say that $\mathcal{DS}$ is existentially unforgeable under adaptive chosen message attacks (uf-cma), if for any PPT algorithm $\mathcal{A}$, the advantage function

$$\begin{array}{c}\hfill {\mathbf{Adv}}_{\mathcal{DS},\mathcal{A}}^{\mathrm{uf}-\mathrm{cma}}\left(\lambda \right)=\mathrm{Pr}\end{array}\left[\begin{array}{c}\mathcal{DS}.\mathrm{Vf}(\mathrm{VK},m^{\prime },{\sigma }^{\prime })\hfill \\ =\mathrm{true}\wedge \hfill \\ \mathcal{A}\mathrm{never}\mathrm{queried}\hfill \\ \mathcal{DS}.\mathrm{Sign}(\mathrm{SK},m^{\prime })\hfill \end{array}\left|\begin{array}{c}(\mathrm{VK},\mathrm{SK})\leftarrow \mathcal{DS}.\mathrm{SKG}\left(1^{\lambda }\right).\hfill \\ (m^{\prime },{\sigma }^{\prime })\leftarrow {\mathcal{A}}^{\mathcal{DS}.\mathrm{Sign}(\mathrm{SK},·)}\left(VK\right).\hfill \end{array}\right.\right]$$

is negligible in the security parameter $\lambda$.

2.3. Complexity Assumption

Decisional Diffie–Hellman (DDH). The DDH problem is that for any PPT algorithm, it is difficult to distinguish $(g$, $g^a$, $g^b$, $Z)$ from $(g$, $g^a$, $g^b$, $g^{ab})$, where g, $Z\in G$, a, $b\in Z_p^{*}$ are randomly and independently selected.

3. Modeling RRA Security

In this section, after reviewing the related notions about AKE, we describe its security model in detail.

3.1. Restricted Related-Randomness Deriving Functions

Let $\Phi$ be a set of functions that maps from randomness R to randomness R. Let $\alpha$ and $\beta$ be positive integers. Based on the properties of the $\Phi$-related-key deriving functions described in [12], we exhibit some necessary conditions that the $\Phi$-restricted related-randomness deriving functions must satisfy with the difference that the latter is concerned with the functions executing on the randomness used in the AKE schemes rather than the PRF keys.

• $(\alpha$, $\beta )$-output-unpredictability for $\Phi$. We say that a set $\Phi$ is output-unpredictable if, for all sets $P\subseteq \Phi$, $X\subseteq$ R over the randomness r, the probability that there exist $\varphi \in P$ and $r^{\prime }\in X$ such that $\varphi \left(r\right)$ = $r^{\prime }$, is negligible. This can be formally defined as

  $$\begin{array}{c}\hfill {\mathrm{InSec}}_{\Phi }^{\mathrm{up}}(\alpha ,\beta )=\max \left\{\mathrm{Pr}[(\{\varphi \left(r\right):\varphi \in P\}\cap X)\ne \varnothing |r\leftarrow \mathrm{R}]\right\},\end{array}$$

  where $P\subseteq \Phi$, $X\subseteq$ R, $\left|P\right|\le \alpha$, $\left|X\right|\le \beta$. This restriction guarantees that under related randomness attacks, the adversary has negligible probability of learning the randomness used in the queried session.
• $\alpha$-collision-resistance for $\Phi$. We say that a set $\Phi$ is collision-resistant if, for all sets $P\subseteq \Phi$ over the randomness r, the probability that there exist two distinct ${\varphi }_1,{\varphi }_2\in P$ such that ${\varphi }_1\left(r\right)$ = ${\varphi }_2\left(r\right)$, is negligible. This can be formally defined as

  $$\begin{array}{c}\hfill {\mathrm{InSec}}_{\Phi }^{\mathrm{cr}}\left(\alpha \right)=\max \left\{\mathrm{Pr}\right[\left|\{\varphi \left(r\right):\varphi \in P\}\right|\le \left|P\right||r\leftarrow \mathrm{R}\left]\right\},\end{array}$$

  where $P\subseteq \Phi$, $\left|P\right|\le \alpha$. This restriction makes sure that the adversary, given the access to the related randomness in the AKE system, has negligible probability of yielding the same session key within two different sessions.

3.2. Protocol Descriptions

An AKE protocol is composed of two PPT algorithms [11]: the long-lived key generation algorithm SKG (we consider the public-key setting in this paper where algorithm SKG returns a private and public key pair for each invocation) and the protocol execution algorithm P.

• Protocol participants. Let $\mathcal{U}$ be a set of parties which is not empty. Each party $U\in \mathcal{U}$ is named by a unique string with some fixed length. Let $\mathcal{MU}$ be a set of malicious parties added by adversary $\mathcal{A}$ to the system after the initialisation stage. Every malicious participant $MU\in \mathcal{MU}$ is also assigned with a distinctive fixed-length string without being used by another party inside the system.
• Long-lived keys. Each participant $U\in \mathcal{U}$ has a public key $p{k}_U$ and private key $s{k}_U$ created by the SKG algorithm, but each participant $MU\in \mathcal{MU}$’s public key $p{k}_{MU}$ can be any value as long as $p{k}_{MU}$ has never been claimed as the public key by another participant inside the system (this is to ensure that $p{k}_{MU}$ is uniquely possessed by each party).
• Instances. One participant may run many instances at the same time. We denote instance i of party U by ${\Pi }_U^i$. When a new instance is built, a unique instance number within the party is selected, a sequence of random coins are created and added to that instance, and the instance is set to the “ready” state.
• Protocol execution. A protocol execution algorithm decides how instances of participants behave to respond to messages from their environment. Upon receiving an incoming message $M_{in}$, an instance runs the protocol P and creates

  $$\begin{array}{c}\hfill (M_{out},\mathrm{acc},{\mathrm{term}}_U^i,{\mathrm{sid}}_U^i,{\mathrm{pid}}_U^i,ssk,S{t}_U^i)\leftarrow \\ \hfill \mathrm{P}(1^k,U,p{k}_U,s{k}_U,S{t}_U^i,M_{in}),\end{array}$$

  where $M_{out}$ is the responding message, acc is the decision made by the instance, term${}_U^i$ is whether the protocol execution has been terminated, sid${}_U^i$ is the session identity and pid${}_u^i$ is the partner identity that may be generated during the protocol run, $ssk$ is the session key hold by the instance when the decision is accepted, and $S{t}_U^i$ is the internal state information which is deleted from U’s memory once term${}_U^i$ is true.
  In this paper, unless otherwise stated explicitly, the session identity will be defined as the concatenation of the messages exchanged between the two participants in the form of (initiator-message$\left|\right|$responder-message), and two matching instances will generate the same session identity.
• Partnership. The partnership between two instances is defined via the partner identity (named as) pid with which the instance believes it has an exchanged key, and the session identity sid uniquely labelling the AKE session as an identifier. If pid${}_U^i$=V, pid${}_V^j$=U and sid${}_U^i$= sid${}_V^j$, we say that two instances ${\Pi }_U^i$ and ${\Pi }_V^j$ are partners.

3.3. Security Model

We define the security model RRA-AKE to capture the scenario where the related randomness will be used in an authenticated key exchange protocol, on the basis of the strong corruption Reset-2 security model, under the assumption that the all honest participants’ long-lived keys in the set $\mathcal{U}$ are securely yielded with fresh random coins, defined in [11].

RRA Security Model. In this case, we consider that the adversary can launch related randomness attacks but cannot directly set random coins’ values. The game RRA-AKE, defined in Figure 2, is used to define the security of AKE protocols in the related randomness setting, of which the queries are explained as follows.

• AddUser$(U$, $p{k}_U)$: With this query, adversary $\mathcal{A}$ can add a new user U with public key $p{k}_U$. The adversary does not need to prove the knowledge on the secret key corresponding to $p{k}_U$. In other words, either the public key $p{k}_U$ or the user identity U exists in the system.
• NewInstance$(U$, i, j, $\varphi )$: This query allows adversary $\mathcal{A}$ to initialise a new instance ${\Pi }_U^i$ within party U. Adversary $\mathcal{A}$ can specify an existing instance ${\Pi }_U^j$, and Adversary $\mathcal{A}$ can set $j=\perp$ to make ${\Pi }_U^i$ use fresh random coins.
• Send$(U$, i, $M_{in})$: This query invokes the instance i of U with a message $M_{in}$. The instance runs P$(1^k$, U, $p{k}_U$, $s{k}_U$, $S{t}_U^i$, $M_{in})$, and sends the response to adversary $\mathcal{A}$ which includes whether ${\Pi }_U^i$ terminates or accepts the session identity sid${}_U^i$ and partner identity pid${}_U^i$ when they are available.
• Reveal$(U$, $i)$: The key $ss{k}_U^i$ is returned to adversary $\mathcal{A}$ if instance ${\Pi }_U^i$ has been accepted and a session key $ss{k}_U^i$ is generated.
• RevealState$(U$, $i)$: Adversary $\mathcal{A}$ obtains the state information $S{t}_U^i$ from making this query. This is similar to the Canetti–Krawczyk approach [14] where adversary $\mathcal{A}$ is allowed to obtain the secret information stored in the parties memories. Note that adversary $\mathcal{A}$ is prohibited from issuing this query to the target instance ${\Pi }_{U^{*}}^{i^{*}}$ or its partner instance ${\Pi }_{V^{*}}^{j^{*}}$ (if exists).
• Corrupt$\left(U\right)$: Adversary $\mathcal{A}$ can access to the party U’s long-lived secret key $s{k}_U$ from this query.
• Test$(U^{*}$, $i^{*})$: This query is only issued one time in the whole game. Adversary $\mathcal{A}$ in this query chooses a challenge instance ${\Pi }_{U^{*}}^{i^{*}}$. If ${\Pi }_{U^{*}}^{i^{*}}$ is accepted and a session key $ss{k}_{U^{*}}^{i^{*}}$ is created, then $ss{k}_U^{*}$ is returned to adversary $\mathcal{A}$ if the coin b flipped in the Initialise phase or a session key randomly selected from the session key space is returned to adversary $\mathcal{A}$ if the coin b is 0.

An adversary’s success is determined by its capability to distinguish a random key in the session key space from a real session key. However, some queries could expose the session keys; thus, adversary $\mathcal{A}$ can trivially win the game by asking these queries.

• Adversary $\mathcal{A}$ can obtain a session key if adversary $\mathcal{A}$ itself is one of the parties involved in that session.
• Adversary $\mathcal{A}$ can know the value of a session key from a Reveal query. Under related randomness attacks, adversary $\mathcal{A}$ can also learn a session key through reset-and-reply attacks [11] where adversary $\mathcal{A}$ first invokes a protocol execution between instance ${\Pi }_U^i$ with random value $R_U^i$ and instance ${\Pi }_V^j$ with random value $R_V^j$, and then it activates another instance ${\Pi }_U^{i^{\prime }}$ with random value $\varphi \left(R_U^i\right)=R_U^i$. Thus, adversary $\mathcal{A}$ can make $ss{k}_U^i$ = $ss{k}_U^{i^{\prime }}$ by replaying the same message from ${\Pi }_V^i$. In this case, revealing $ss{k}_U^i$ (or $ss{k}_U^{i^{\prime }}$) will simultaneously disclose $ss{k}_U^{i^{\prime }}$ (or $ss{k}_U^i$). Such attacks tell that if the randomness of instance ${\Pi }_U^i$ is used by instance ${\Pi }_U^{i^{\prime }}$ in a way that $R_U^{i^{\prime }}$ = $\varphi \left(R_U^i\right)$ = $R_U^i$ and their partner instances ${\Pi }_V^{j^{\prime }}$ and ${\Pi }_V^j$ share the same randomness (i.e., the random tapes at the sides of the initiator and the responder are reset to the identical ones for a previous session), it is impossible to guarantee the security on the session keys generated during these two instances. Therefore, when defining the freshness of an instance, it is necessary to require that either its randomness or its partner’s randomness will never be used by another instance in the same format. In this paper, our goal is to design AKE protocols secure against related-randomness attacks such that the security of session keys generated by those one-side reset and un-reset instances will not be affected.

We do not consider these trivial attacks, and adversary $\mathcal{A}$ is said to be successful only if it can specify a fresh one in the Test query [11].

This model can be used to achieve forward secrecy (fs), which requires that the adversary does not have an advantage in revealing any (already) created session key by compromising the long-lived secret keys of two users. If an instance ${\Pi }_U^i$$(U\in \mathcal{U})$ is true in any of the conditions below, we say that it is fs-unfresh in the RRA model.

• pid${}_U^i$ is generated by adversary $\mathcal{A}$ from an AddUser query.
• Adversary $\mathcal{A}$ exposes the session key of either ${\Pi }_U^i$ or its partner instance ${\Pi }_V^j$ (if it exists).
• There exists another instance of U whose session key equals that of either ${\Pi }_U^i$ ($ss{k}_U^i$) or ${\Pi }_U^i$’s partner instance ${\Pi }_V^j$ ($ss{k}_V^j$, if it exists), i.e., related randomness attacks $\varphi \left(R_U^i\right)$ = $R_U^i$ against ${\Pi }_U^i$ and $\varphi \left(R_V^j\right)$ = $R_V^j$ against ${\Pi }_U^i$’s partner instance ${\Pi }_V^j$ (if it exists) have happened.
• Adversary $\mathcal{A}$ corrupts pid${}_U^i$ if ${\Pi }_U^i$ does not have a partner instance.

Otherwise, ${\Pi }_U^i$ is said to be fs-fresh.

Definition 1. 

We denote $\mathcal{AKE}$ as an AKE protocol, $\mathcal{A}$ as a Φ-restricted RRA adversary against $\mathcal{AKE}$, and λ as a security parameter. Adversary $\mathcal{A}$’s advantage is defined to be

$$\begin{array}{c}\hfill {\mathit{Adv}}_{\mathcal{AKE},\mathcal{A}}^{\mathrm{rra}-\mathrm{ake}}\left(\lambda \right)=\mathit{Pr}[{\mathit{RRA}-\mathit{AKE}}_{\mathcal{AKE},\mathcal{A}}\left(\lambda \right)\Rightarrow \mathit{true}]-1/2.\end{array}$$

The protocol $\mathcal{AKE}$ is said to be RRA-secure if

• Two partnering instances generate the same session key when a benign adversary honestly transmits messages;
• For any PPT adversary $\mathcal{A}$, ${\mathit{Adv}}_{\mathcal{AKE},\mathcal{A}}^{\mathrm{rra}-\mathrm{ake}}\left(\lambda \right)$ is negligible in the security parameter λ.

4. Security Analysis on Yang’s Authenticated Key Exchange Protocols

In this section, we point out that Yang’s authenticated key exchange protocols under bad randomness are vulnerable in our security model.

4.1. A Related Randomness Attack on Yang’s ISO-R2 Protocol

We define G as a prime-order (which is p) group with a generator g and we let $\mathcal{DS}$ = $(\mathcal{DS}$.SKG, $\mathcal{DS}$.Sign, $\mathcal{DS}$.Vf) be a deterministic digital signature scheme. We revisit the AKE protocol under bad randomness ISO-R2 of Yang et al. [11] between two entities A and B in Figure 3.

The attack. We show that under the related randomness attacks, the security of this scheme can be broken. Let the related-randomness deriving functions $\varphi :$$Z_p^{*}$→$Z_p^{*}$ be indexed by $▵\in Z_p^{*}$ such that $\varphi \left(r\right)$ = $r*▵$≠r, where * could be addition (+) or multiplication (·).

• The adversary activates a new session of A. After receiving $(A$, $X)$ for $X=g^x$ from A, the adversary sends $(A$, $X)$ to B.
• * The adversary activates A another session of using the related randomness $x^{\prime }$ = $\varphi \left(x\right)$ = $x*▵$. After receiving $(A$, $X^{\prime })$ for $X^{\prime }=g^{x^{\prime }}$ from A, the adversary sends $(A$, $X^{\prime })$ to B.
• After receiving $(B$, Y, ${\sigma }_B)$ for $Y=g^y$ from B, the adversary sends back $(B$, Y, ${\sigma }_B)$ to A.
• * The adversary activates B to use the related randomness $y^{\prime }$ = $\varphi \left(y\right)$=y. After receiving $(B$, $Y^{\prime }$, ${\sigma }_B^{\prime })$ for $Y^{\prime }=g^y$, ${\sigma }_B^{\prime }$←$\mathcal{DS}$.Sign$(s{k}_B$, X, $Y^{\prime }$, A, $0)$ from B, the adversary sends back $(B$, $Y^{\prime }$, ${\sigma }_B^{\prime })$ to A.
• After receiving ${\sigma }_A$ from A, the adversary sends back ${\sigma }_A$ to B.
• * The adversary receives ${\sigma }_A^{\prime }$ for ${\sigma }_A^{\prime }$←$\mathcal{DS}$.Sign$(s{k}_A$, $Y^{\prime }$, X, B, $1)$ from A, and sends back ${\sigma }_A^{\prime }$ to B.

In the above process, the adversary builds two sessions between A and B with sid = $X\left|\right|Y$ and sid${}^{\prime }$ = $X^{\prime }\left|\right|Y$, respectively. In this case, once the adversary knows the session key sid${}^{\prime }$, it obtains the session key sid from

$$\begin{array}{c}\hfill g^{x^{\prime }y}=g^{xy}{Y}^{▵}\mathrm{or}{g}^{x^{\prime }y}={\left(g^{xy}\right)}^{▵}.\end{array}$$

Notice that since the reset attack has happened to B, the result of $\varphi \left(x\right)$ cannot be x. Otherwise, the session sid = $X\left|\right|Y$ between A and B will not regarded as a fresh session.

4.2. A Related Randomness Attack on Yang’s ISO-R Protocol

Let G be a group of prime order p with a generator g. Let $\mathbb{F}$ = $\{F_K:$${\{0,1\}}^{\rho \left(\lambda \right)}$→$Z_p^{*}$|$K\in Z_p^{*}\}$ be a pseudorandom function family and a strong randomness extractor (SRE) [27], where $\rho \left(\lambda \right)$ is the polynomial of $\lambda$. Let $\mathcal{DS}$ = $(\mathcal{DS}$.SKG, $\mathcal{DS}$.Sign, $\mathcal{DS}$.Vf) be a deterministic digital signature scheme. We revisit the AKE protocol under bad randomness ISO-R between two entities A and B of Yang et al. [11] in Figure 4.

The attack. We show that under the related randomness attacks, the security of this scheme can be broken. Let the related-randomness deriving functions $\varphi :$$Z_p^{*}$→$Z_p^{*}$ be indexed by $▵\in Z_p^{*}$ such that $\varphi \left(r\right)$≠r. The attack mostly follows that ofISO-R2 protocol. After the attack, the adversary builds two sessions between A and B with sid = $X\left|\right|Y$ and sid${}^{\prime }$ = $X^{\prime }\left|\right|Y$, respectively. As the adversary is given A’s long-lived secret key a, it is highly possible that it controls the pseudorandom function $F_a$ and thereby inferring the relationship between $x^{\prime }$ = $F_a\left(\varphi \left(\tilde{x}\right)\right)$ and x = $F_a\left(\tilde{x}\right)$ (if $F_a$ is poorly built in the form such as $g^{a\tilde{x}}$). Denote the relation between x and $x^{\prime }$ as $x^{\prime }$ = $x*▵$. If * is addition (+) or multiplication (·), then once the adversary knows the session key of sid${}^{\prime }$, it obtains the session key of sid from

$$\begin{array}{c}\hfill g^{x^{\prime }y}=g^{xy}{Y}^{▵}\mathrm{or}{g}^{x^{\prime }y}={\left(g^{xy}\right)}^{▵}.\end{array}$$

Likewise, $\varphi \left(\tilde{x}\right)$ cannot be equal $\tilde{x}$. Otherwise, the session between A and B for sid = $X\left|\right|Y$ is not a fresh session.

5. Authenticated Key Exchange under Related Randomness Attacks Based on Signature

In the previous section, we show that Yang’s authenticated key exchange protocols are insecure under the related randomness attack model. Here, we modify Yang’s authenticated key exchange protocols based on signature to make it resistant against related randomness attacks. For brevity, we omit all the related verification algorithms in the protocols.

5.1. Construction in the Random Oracle Model

In Figure 5, we present a slightly modified protocol to Yang’s ISO-R2 protocol [8], and call it ISO-RR2. We denote G as a group of prime order p with a generator g, and H as a collision resistant hash function. We let $\mathcal{DS}$ = $(\mathcal{DS}$.SKG, $\mathcal{DS}$.Sign, $\mathcal{DS}$.Vf) be a deterministic digital signature scheme.

Related Randomness Attack. The ISO-RR2 protocol is similar to Yang’s ISO-R2 protocol with the difference that a hash function is used to generate the session key. The modification can prevent the related randomness attack described in Section 4, because the relation between two session keys is messed up by the hash function, thereby disabling the adversary to learn one session key from the other session key.

Interleaving attacks [11]. An interleaving attack occurs when the session identity is denoted as the concatenation of the initiator’s and the responder’s random group elements. To resist such an attack, a role indicator (’1’ for initiator and ’0’ for responder) can be added into the signed message of each party. In addition to adding a role indicator, there are other ways to resolve the problem [11]: (1) denoting “(self-message$\left|\right|$peer-message)” as the session identity to make different session identities for two matching instances; (2) using an explicit session identity rather than the concatenation of exchanged messages between two entities.

Theorem 1. 

The ISO-RR2 protocol is RRA-secure for a Φ-restricted adversary in the random oracle model if DDH assumption holds in the underlying group and the deterministic digital signature $\mathcal{DS}$ is a uf-cma secure.

Proof. 

The proof of this part is very similar to that in [11] except that in the last game, the session key outputted by the simulator is from a random oracle controlled by the simulator itself. It is not difficult to see that the random oracle plays a very important role here, which prevents the adversary, given the relation between the random coins in different instances, from learning one session key from another session key. We omit the details of the proof. □

Reset-1 Security. In the Reset-1 model, the adversary controls the randomness and is not allowed to corrupt the long-lived key of either participant in the protocol. Thus, in the ISO-RR2 protocol, x is chosen by the adversary. Similar to the analysis about the ISO-R2 protocol in [11], it is not difficult to see that the ISO-RR2 protocol cannot achieve the Reset-1 security.

5.2. Construction from RKA-PRFs

In Figure 6, we present a slightly modified protocol to Yang’s ISO-R protocol [11] (denoted by ISO-RR), and prove its RRA security. We denote G as a group of prime order p wiht a generator of g. We denote $\mathbb{F}$ = $\{F_K:$${\{0,1\}}^{\rho \left(\lambda \right)}$→$Z_p^{*}$|$K\in Z_p^{*}\}$ as a related-key attack secure PRF family, where $\rho \left(\lambda \right)$ is the polynomial of $\lambda$. We assume that $\mathcal{DS}$ = $(\mathcal{DS}$.SKG, $\mathcal{DS}$.Sign, $\mathcal{DS}$.Vf) is a deterministic digital signature scheme.

The ISO-RR protocol is similar to Yang’s ISO-R protocol with the difference that the pseudorandom function F is related-key attack secure, and it takes the randomness, rather than the long-lived key, as the key. The reason that Yang’s ISO-R protocol fails to prevent related randomness attacks is that when the long-lived key and the underlying relationship of the random coins are known to the adversary, it is hard to assume that the outputs of the strong randomness extractor SRE function [27] under different random coins are still independent of each other. Our modification is to prevent the related randomness attack described in Section 4, as now, due to the RKA security, the outputs of the pseudorandom function become unknown to the adversary.

Theorem 2. 

The ISO-RR protocol is secure in the RRA-AKE model for a Φ-restricted adversary if the deterministic digital signature $\mathcal{DS}$ is a uf-cma secure, $\mathbb{F}$ is a Φ-restricted related-key attack secure pseudorandom function family, and DDH assumption holds in the underlying group.

Proof. 

If an adversary in the Test query outputs an instance $(U^{*}$, $i^{*})$, then there should be a partner instance $(V^{*}$, $j^{*})$ for $(U^{*}$, $i^{*})$. Otherwise, the security of the signature scheme $\mathcal{DS}$ is broken. We prove it as follows.

Let ${\mathcal{A}}_1$ be a restricted RRA adversary that adversary ${\mathcal{A}}_1$ creates an instance $(U^{*}$, $i^{*})$ with a partner instance $(V^{*}$, $j^{*})$ in the Test query. Given an adversary $\mathcal{A}$ against the RRA security model in the ISO-RR protocol, we construct adversary ${\mathcal{A}}_1$ to answer all adversary $\mathcal{A}$’s queries using its own oracle. If adversary $\mathcal{A}$ generates an instance $(U^{*}$, $i^{*})$ without a partner instance, adversary ${\mathcal{A}}_1$ halts. Otherwise, adversary ${\mathcal{A}}_1$ generates $(U^{*}$, $i^{*})$ in the Test query, and returns the received response to adversary $\mathcal{A}$. When adversary $\mathcal{A}$ outputs a bit $b^{\prime }$ and halts, adversary ${\mathcal{A}}_1$ outputs $b^{\prime }$ and halts.

We denote Forge by the event that adversary $\mathcal{A}$ in the game generates a pair $(m^{*}$, ${\sigma }^{*})$ such that a party $I\in \mathcal{U}$, which is not corrupted when adversary $\mathcal{A}$ outputs $(m^{*}$, ${\sigma }^{*})$, exists such that true ←$\mathcal{DS}$.Vf$(p{k}_I$, $m^{*}$, ${\sigma }^{*})$, and the party I has never created a signature on message $m^{*}$.

We denote E as the event that adversary $\mathcal{A}$ outputs an instance $(U^{*}$, $i^{*})$ (without a partner instance) in the Test query. A Forge event occurs if the event E occurs. Adversary ${\mathcal{A}}_1$ and adversary $\mathcal{A}$ will be the same if the event E does not occur. Therefore, we conclude that

$$\begin{array}{c}\hfill {\mathbf{Adv}}_{\mathrm{ISO}-\mathrm{RR},\mathcal{A}}^{\mathrm{rra}-\mathrm{ake}}\left(\lambda \right)-{\mathbf{Adv}}_{\mathrm{ISO}-\mathrm{RR},{\mathcal{A}}_1}^{\mathrm{rra}-\mathrm{ake}}\left(\lambda \right)\le \mathrm{Pr}\left[\mathrm{E}\right]\le \mathrm{Pr}\left[\mathrm{Forge}\right].\end{array}$$

Below, we prove that there is a negligible probability for the event Forge to occur, or the signature $\mathcal{DS}$’s uf-cma security is broken. Given adversary $\mathcal{A}$ in the original RRA-AKE game, we can build a signature forger $\mathcal{S}$ which is given a public key $pk$ created by $(pk$, $sk)$←$\mathcal{DS}$.SKG$\left(1^k\right)$, and the access to the signing oracle $\mathcal{DS}$.Sign$(sk$, $·)$. Forger $\mathcal{S}$ randomly chooses an entity $U\in \mathcal{U}$, sets $p{k}_U$ = $pk$, and then creates the long-lived keys for all entities in the set $\mathcal{U}\setminus \left\{U\right\}$ for $\left|\mathcal{U}\right|=n$.

Forger $\mathcal{S}$ simulates the original RRA-AKE game for adversary $\mathcal{A}$. If a Forge event occurs in the simulation and $I=U$, then Forger $\mathcal{S}$ outputs the forgery by adversary $\mathcal{A}$ and halts. Thus, we conclude that

$$\begin{array}{c}\hfill {\mathbf{Adv}}_{\mathcal{DS},\mathcal{S}}^{\mathrm{uf}-\mathrm{cma}}\left(\lambda \right)\ge \frac{1}{n}\mathrm{Pr}\left[\mathrm{Forge}\right].\end{array}$$

Therefore, we have

$$\begin{array}{c}\hfill {\mathbf{Adv}}_{\mathrm{ISO}-\mathrm{RR},{\mathcal{A}}_1}^{\mathrm{rra}-\mathrm{ake}}\left(\lambda \right)\ge {\mathbf{Adv}}_{\mathrm{ISO}-\mathrm{RR},\mathcal{A}}^{\mathrm{rra}-\mathrm{ake}}\left(\lambda \right)-n·{\mathbf{Adv}}_{\mathcal{DS},\mathcal{S}}^{\mathrm{uf}-\mathrm{cma}}\left(\lambda \right).\end{array}$$

Given adversary ${\mathcal{A}}_1$ with advantage ${\mathbf{Adv}}_{\mathrm{ISO}-\mathrm{RR},{\mathcal{A}}_1}^{\mathrm{rr}-\mathrm{ake}}\left(k\right)$, we define another restricted adversary, ${\mathcal{A}}_2$, which outputs two integers l and $l^{\prime }$ after the Initialise phase. Adversary ${\mathcal{A}}_2$ assumes that the Test session outputted by adversary ${\mathcal{A}}_1$ is between the l-th and $l^{\prime }$-th instances. Given adversary ${\mathcal{A}}_1$ making at most $q_I$ NewInstance queries, adversary ${\mathcal{A}}_2$ can be constructed as

$$\begin{array}{c}\hfill {\mathbf{Adv}}_{\mathrm{ISO}-\mathrm{RR},{\mathcal{A}}_2}^{\mathrm{rra}-\mathrm{ake}}\left(\lambda \right)\ge \frac{1}{q_I(q_I-1)}{\mathbf{Adv}}_{\mathrm{ISO}-\mathrm{RR},{\mathcal{A}}_1}^{\mathrm{rr}-\mathrm{ake}}\left(\lambda \right).\end{array}$$

Game${}_1$. Let $F_{K_{U^{*}}}(·)$ be the PRF with the key $K_{U^{*}}$ used by the party $U^{*}$ in the RRA-AKE game, and $F_{K_{V^{*}}}(·)$ be the PRF with the key $K_{V^{*}}$ used by the party $V^{*}$ in the RRA-AKE game. We modify the RRA-AKE game for adversary ${\mathcal{A}}_2$ to a game Game${}_1$ such that the output of the function $F_{K_{U^{*}}}(·)$ in the l-th instance (or $(U^{*}$, $i^{*})$) is a random string, and the output of the function $F_{K_{V^{*}}}(·)$ in $l^{\prime }$-th instance (or $(V^{*}$, $j^{*})$) is another random string. Adversary ${\mathcal{A}}_2$ has similar advantages in the original RRA-AKE game and game Game${}_1$, or we can construct an adversary $\mathcal{D}$ against the RKA security of the PRF.

Adversary $\mathcal{D}$ has access to an oracle $\mathcal{O}$ which returns either a true result of $F_{\varphi \left(K\right)}(·)$ or a random output of $G_{\varphi \left(K\right)}(·)$, where $G\in \mathbb{F}$. Adversary $\mathcal{D}$ simulates the RRA-AKE game by honestly running all operations except that adversary $\mathcal{D}$ simulates the PRFs $F_{K_{U^{*}}}(·)$ of party $U^{*}$ and $F_{K_{V^{*}}}(·)$ of party $V^{*}$ by asking its own oracle. Finally, when adversary ${\mathcal{A}}_2$ outputs a bit $b^{\prime }$ and halts, adversary $\mathcal{D}$ outputs the same $b^{\prime }$ and halts. We can then conclude that

$$\begin{array}{cc}\hfill 2·{\mathbf{Adv}}_{\mathbb{F},\mathcal{D}}^{\mathrm{rka}-\mathrm{prf}}\left(\lambda \right)& =\mathrm{Pr}[{\mathcal{D}}^{F_{\varphi \left(K\right)}(·)}\left(1^{\lambda }\right)=1]-\mathrm{Pr}[{\mathcal{D}}^{G_{\varphi \left(K\right)}(·)}\left(1^{\lambda }\right)=1]\hfill \\ \hfill & =\mathrm{Pr}\left[{\mathcal{A}}_2\mathrm{wins}\mathrm{the}\mathrm{game}\right|\mathcal{O}=F_{\varphi \left(K\right)}(·)]-\hfill \\ \hfill & \mathrm{Pr}\left[{\mathcal{A}}_2\mathrm{wins}\mathrm{the}\mathrm{game}\right|\mathcal{O}=G_{\varphi \left(K\right)}(·)]\hfill \\ \hfill & =\mathrm{Pr}[{\mathrm{RRA}-\mathrm{AKE}}^{\mathrm{ISO}-\mathrm{RR},{\mathcal{A}}_2}\left(\lambda \right)\Rightarrow \mathrm{true}]-\hfill \\ \hfill & \mathrm{Pr}[{\mathrm{Game}}_1^{\mathrm{ISO}-\mathrm{RR},{\mathcal{A}}_2}\left(\lambda \right)\Rightarrow \mathrm{true}]\hfill \\ \hfill & ={\mathbf{Adv}}_{\mathrm{ISO}-\mathrm{RR},{\mathcal{A}}_2}^{\mathrm{rra}-\mathrm{ake}}\left(\lambda \right)-{\mathbf{Adv}}_{\mathrm{ISO}-\mathrm{RR},{\mathcal{A}}_2}^{{\mathrm{G}}_1}\left(\lambda \right).\hfill \end{array}$$

Game${}_2$. We modify the game Game${}_1$ to a game Game${}_2$ such that the simulator randomly chooses a key and sets it as the session key of the l-th and the $l^{\prime }$-th instances. Adversary ${\mathcal{A}}_2$ has similar advantages in game Game${}_1$ and game Game${}_2$, or we can construct an adversary $\mathcal{B}$ breaking the DDH assumption.

Given a tuple $\{g$, $g^a$, $g^b$, $Z\}$, adversary $\mathcal{B}$’s goal is to guess whether Z is a random group element or $Z=g^{ab}$. Following the procedure of the game Game${}_1$, adversary $\mathcal{B}$ simulates the game Game${}_2$ for adversary ${\mathcal{A}}_2$ except that the ephemeral public key in the l-th instance is set to be X by adversary $\mathcal{B}$, the ephemeral public key in the $l^{\prime }$-th instance is set to be Y by adversary $\mathcal{B}$, and the session key of the l-th and the $l^{\prime }$-th instances is set to be Z by adversary $\mathcal{B}$. We then conclude that

$$\begin{array}{cc}\hfill {\mathbf{Adv}}_{\mathcal{B}}^{\mathrm{DDH}}\left(\lambda \right)& =\mathrm{Pr}\left[{\mathcal{A}}_2\mathrm{wins}\mathrm{the}\mathrm{game}\right|Z=g^{ab}]-\mathrm{Pr}\left[{\mathcal{A}}_2\mathrm{wins}\mathrm{the}\mathrm{game}\right|Z=g^r]\hfill \\ \hfill & =\mathrm{Pr}[{\mathrm{Game}}_1^{\mathrm{ISO}-\mathrm{RR},{\mathcal{A}}_2}\left(\lambda \right)\Rightarrow \mathrm{true}]-\mathrm{Pr}[{\mathrm{Game}}_2^{\mathrm{ISO}-\mathrm{RR},{\mathcal{A}}_2}\left(\lambda \right)\Rightarrow \mathrm{true}]\hfill \\ \hfill & ={\mathbf{Adv}}_{\mathrm{ISO}-\mathrm{RR},{\mathcal{A}}_2}^{{\mathrm{G}}_1}\left(\lambda \right)-{\mathbf{Adv}}_{\mathrm{ISO}-\mathrm{RR},{\mathcal{A}}_2}^{{\mathrm{G}}_2}\left(\lambda \right).\hfill \end{array}$$

Since in Game${}_2$, adversary ${\mathcal{A}}_2$ has no advantage in winning the game, i.e., ${\mathbf{Adv}}_{\mathrm{ISO}-\mathrm{RR},{\mathcal{A}}_2}^{{\mathrm{G}}_2}\left(k\right)$= 0. Combining all the above results, we have

$$\begin{array}{cc}\hfill {\mathbf{Adv}}_{\mathrm{ISO}-\mathrm{RR},\mathcal{A}}^{\mathrm{rra}-\mathrm{ake}}\left(\lambda \right)& \le n·{\mathbf{Adv}}_{\mathcal{DS},\mathcal{S}}^{\mathrm{uf}-\mathrm{cma}}\left(\lambda \right)+q_I(q_I-1)({\mathbf{Adv}}_{\mathcal{B}}^{\mathrm{DDH}}\left(\lambda \right)\hfill \\ \hfill & +2·{\mathbf{Adv}}_{\mathbb{F},\mathcal{D}}^{\mathrm{rka}-\mathrm{prf}}\left(\lambda \right)).\hfill \end{array}$$

□

Reset-1 Security. In the Reset-1 model, the adversary controls the randomness and is not allowed to corrupt the long-lived key of either participant in the protocol. Thus, in the ISO-RR protocol, $\tilde{x}$ is known to the adversary. Therefore, according to the approach used to obtain the Reset-1 and Reset-2 security from a Reset-2 secure AKE protocol in [11], the pseudorandom function should be a strong extractor. However, the PRF in the ISO-RR protocol is already set to be RKA-secure. Do such kind of pseudorandom functions, which are RKA-secure and can be strong extractors as well, exist? To the best of our knowledge, we cannot affirmatively answer this.

6. RRA-Secure Authenticated Key Exchange Based on Encryption

In the full version of [11], there are also authenticated key exchange constructions on the basis of public-key encryption with message authentication code. If we modify the PKEDH-R2 and PKEDH-R protocols in [11] following the modifications to the ISO-R2 and ISO-R protocols, and require the underlying public-key encryption scheme to be secure against related randomness attacks [3], we can achieve weak corruption RRA security in both of them. To show this, below, we will take the modified PKEDH-R protocol (which is named as PKEDH-RR) as an instance.

Public-Key Encryption (PKE). A PKE scheme $\mathcal{PKE}$ is composed of three algorithms [11]: a key generation algorithm $\mathcal{PKE}$.SKG$\left(1^{\lambda }\right)$ outputting a public key $pk$ and private key $sk$ on inputting a security parameter, an encryption algorithm $\mathcal{PKE}$.Enc$(pk$, $m)$ outputting a ciphertext c on inputting a message m and the public key $pk$, and a decryption algorithm $\mathcal{PKE}$.Dec$(sk$, $c)$ outputting a failure symbol ⊥ or a message m on inputting the private key $sk$ and a ciphertext c. The encryption algorithm can also be denoted as $\mathcal{PKE}$.Enc$(pk$, m; $r)$, meaning that message m is encrypted under public key $pk$ using randomness r.

If for any PPT adversary $\mathcal{A}$ = $({\mathcal{A}}_1$, ${\mathcal{A}}_2)$, the advantage function for the scheme $\mathcal{PKE}$

$$\begin{array}{cc}\hfill & {\mathbf{Adv}}_{\mathcal{PKE},\mathcal{A}}^{\mathrm{ind}-\mathrm{cca}}\left(\lambda \right)=\hfill \\ \hfill & \mathrm{Pr}\left[b^{\prime }=b\left|\begin{array}{c}(pk,sk)\leftarrow \mathcal{PKE}.\mathrm{SKG},b\leftarrow \{0,1\}\hfill \\ (m_0,m_1,state)\leftarrow {\mathcal{A}}_1^{\mathcal{PKE}.\mathrm{Dec}(sk,·)},|m_0|\ne |m_1|\hfill \\ C^{*}\leftarrow \mathcal{PKE}.\mathrm{Enc}(pk,m_b)\hfill \\ b^{\prime }\leftarrow {\mathcal{A}}_2^{\mathcal{PKE}.\mathrm{Dec}(sk,·)}(pk,m_0,m_1,state,C^{*})\hfill \end{array}\right.\right]-1/2\hfill \end{array}$$

is negligible in the security parameter $\lambda$ and adversary ${\mathcal{A}}_2$ is excluded from making a decryption query on the ciphertext $C^{*}$, then the PKE scheme $\mathcal{PKE}$ is IND-CCA secure.

Message Authentication Code (MAC). An MAC scheme $\mathcal{MAC}$ with key space $\mathcal{K}$ [11] consists of a message authentication algorithm MAC${}_K\left(m\right)$ outputting an authentication tag $\tau$ on inputting a message m and a key $K\in \mathcal{K}$, and a verification algorithm MAV${}_K(m$, $\tau )$ outputting 0 or 1 on inputting a message and tag pair $(m$, $\tau )$ and a key $K\in \mathcal{K}$.

If for any PPT adversary $\mathcal{A}$, the advantage function for the scheme $\mathcal{MAC}$

$$\begin{array}{cc}\hfill & {\mathbf{Adv}}_{\mathcal{MAC},\mathcal{A}}^{\mathrm{ind}-\mathrm{cca}}\left(\lambda \right)=\hfill \\ \hfill & \hfill \mathrm{Pr}\left[\begin{array}{c}{\mathrm{MAV}}_K(m^{*},{\tau }^{*})=1\wedge \hfill \\ \mathcal{A}\mathrm{has}\mathrm{never}\mathrm{queried}{\mathrm{MAC}}_K\left(m^{*}\right)\hfill \end{array}\left|\begin{array}{c}K\leftarrow \mathcal{K}\hfill \\ (m^{*},{\tau }^{*})\leftarrow {\mathcal{A}}^{{\mathrm{MAC}}_K(·)\left(1^{\lambda }\right)}\hfill \end{array}\right.\right]\end{array}$$

is negligible in the security parameter $\lambda$, then the MAC scheme $\mathcal{MAC}$ is secure under chosen message attacks.

6.1. A PKEDH-RR Protocol

Let $\mathbb{F}$ = $\{F_K:$${\{0,1\}}^{\rho \left(\lambda \right)}$→$Z_p^{*}$|$K\in Z_p^{*}\}$ be a related-key attack secure PRF family where $\rho \left(\lambda \right)$ is the polynomial of $\lambda$. Let $\mathcal{PKE}$ = $(\mathcal{PKE}$.SKG, $\mathcal{PKE}$.Enc, $\mathcal{PKE}$.Dec) be a PKE scheme. Let $\mathcal{MAC}$=(MAC, MAV) be an MAC scheme. We present the PKEDH-RR protocol in Figure 7, where G is a group of prime order p, and g is a generator of G.

Similarly, the PKEDH-RR protocol is similar to Yang’s PKEDH-R protocol with the difference that the pseudorandom function F is related-key attack secure, and it takes the randomness rather than the long-lived key as the key. The reason that Yang’s PKEDH-R protocol fails to prevent related randomness attacks is that when the long-lived key and the underlying relationship of the random coins are known to the adversary, it is hard to assume that the outputs of the strong randomness extractor SRE function [27] under different random coins are still independent of each other. Our modification is to prevent the related randomness attack described in Section 4, as now, due to the RKA security, the outputs of the pseudorandom function become unknown to the adversary.

6.2. Security Proof

Theorem 3. 

The PKEDH-RR protocol is secure in the weak corruption RRA-AKE model for a Φ-restricted adversary if $\mathcal{PKE}$ is an IND-CCA secure PKE scheme, $\mathcal{MAC}$ is an MAC scheme secure under adaptive chosen message attacks, $\mathbb{F}$ is a Φ-restricted related-key attack secure pseudorandom function family, and DDH assumption holds in the underlying group.

Proof. 

Similar to the proof of Theorem 2, there must be a partner instance $(V^{*}$, $j^{*})$ corresponding to an instance $(U^{*}$, $i^{*})$ output by an adversary in the Test query, or the security of the public-key encryption scheme $\mathcal{PKE}$ or the message authentication code $\mathcal{MAC}$ could be broken. □

Following the proof in [11], we define an encryption forger $\mathcal{B}$. Let $(pk$, $sk)$←$\mathcal{PKE}$.SKG$\left(1^{\lambda }\right)$, and $c^{*}$←$\mathcal{PKE}$.Enc$(pk$, S, $N^{*})$, where S is a randomly selected string by forger $\mathcal{B}$, and $N^{*}$ is a randomly selected key from $\mathcal{MAC}$’s key space (unknown to forger $\mathcal{B}$). Given $pk$, $c^{*}$, and access to an oracle ${\mathcal{O}}_{sk}(·)$ decrypting ciphertexts unequal to $c^{*}$, and an oracle ${\mathcal{O}}_{N^{*}}(·)$ returning MAC${}_{N^{*}}\left(m\right)$ on an input m, the goal of forger $\mathcal{B}$ is to output $m^{*}$, MAC${}_{N^{*}}\left(m^{*}\right)$ with forger $\mathcal{B}$ never querying to the oracle ${\mathcal{O}}_{N^{*}}(·)$ on $m^{*}$.

We denote E by the event that the instance $(U^{*}$, $i^{*})$ in the Test query created by adversary $\mathcal{A}$ has no partner instance. We can build an encryption forger $\mathcal{B}$ in the RRA-AKE game if the event E occurs.

We denote $q_I$ as the maximum number of NewInstance queries sent by adversary $\mathcal{A}$. Forger $\mathcal{B}$ randomly chooses two entities $U^{*}$, $V^{*}$ from $\mathcal{U}$ ($\left|\mathcal{U}\right|$=n), and creates all long-lived keys for other entities in $\mathcal{U}\setminus \left\{V^{*}\right\}$. Forger $\mathcal{B}$ then chooses an integer l←$[1$, $q_I]$, and requests the challenger to return the challenge $c^{*}$ = $\mathcal{PKE}$.Enc$(pk$, $U^{*}$, $N^{*})$ on input $U^{*}$ under $pk$, and then it sets $p{k}_{V^{*}}$ = $pk$, and simulates the RRA-AKE game with adversary $\mathcal{A}$ with an exception in cases below.

• Forger $\mathcal{B}$ halts if adversary $\mathcal{A}$ does not make a Test query with an instance of $U^{*}$.
• Forger $\mathcal{B}$ halts if pid${}_{U^{*}}^{i^{*}}$≠$V^{*}$.
• Forger $\mathcal{B}$ halts if $(U^{*}$, $i^{*})$ is not the l-th instance.
• Forger $\mathcal{B}$ halts if adversary $\mathcal{A}$ makes a corrupt query with input $V^{*}$.
• Forger $\mathcal{B}$ sets $c_{U^{*}}$ = $c^{*}$ in the l-th instance, generates the ephemeral DH public and private key pair for $(U^{*}$, $i^{*})$, utilises $s{k}_{U^{*}}$ to obtain N←$\mathcal{PKE}$.Dec$(s{k}_{U^{*}}$, $c_{V^{*}})$, and honestly yields the tag ${\tau }_{U^{*}}$ with N.
• If adversary $\mathcal{A}$ forwards a message $(c$, $\dots )$ to $V^{*}$ with $c=c^{*}$, forger $\mathcal{B}$ queries c to its decryption oracle ${\mathcal{O}}_{sk}(·)$, and proceeds as usual after receiving from ${\mathcal{O}}_{N^{*}}(·)$.
• If adversary $\mathcal{A}$ forwards a message $(c^{*}$, $\dots )$ to $V^{*}$, forger $\mathcal{B}$ queries to its oracle ${\mathcal{O}}_{N^{*}}$ to obtain the response tag.
• If adversary $\mathcal{A}$ forwards the MAC tag to the l-th instance, forger $\mathcal{B}$ outputs its forgery with the message and MAC tag pair and halts.

Therefore, we can conclude that

$$\begin{array}{c}\hfill ϵ=\mathrm{Pr}\left[\mathcal{B}\mathrm{succeeds}\right]\ge \frac{1}{n(n-1)q_I}\mathrm{Pr}\left[\mathrm{E}\right].\end{array}$$

Given an encryption forger $\mathcal{B}$, we can build another adversary $\mathcal{D}$ against the PKE scheme in the IND-CCA security game. Adversary $\mathcal{D}$ is given a public key $pk$ and can access both encryption and decryption oracles. When forger $\mathcal{B}$ requests a challenge on the input S, adversary $\mathcal{D}$ randomly chooses numbers $N_0$ and $N_1$, and requests its challenger with inputs $S\left|\right|N_0$ and $S\left|\right|N_1$. Adversary $\mathcal{D}$ sets $pk$, $c^{*}$ as forger $\mathcal{B}$’s challenge after obtaining the challenge $c^{*}$. When forger $\mathcal{B}$ queries to the encryption oracle on a ciphertext $c\ne c^{*}$, adversary $\mathcal{D}$ queries to the decryption oracle on the input c to its challenger. When forger $\mathcal{B}$ queries to the MAC oracle on a message m, adversary $\mathcal{D}$ responds to forger $\mathcal{B}$ MAC${}_{N_0}\left(m\right)$. Lastly, adversary $\mathcal{D}$ outputs 0 if forger $\mathcal{B}$ makes a successful forgery MAC${}_{N_0}\left(m^{*}\right)$, meaning that $c^{*}$ is a ciphertext for $S\left|\right|N_0$. Otherwise, adversary $\mathcal{D}$ outputs 0 if forger $\mathcal{B}$’s forgery fails, meaning that $c^{*}$ is a ciphertext for $S\left|\right|N_1$. Hence, we can conclude that

$$\begin{array}{cc}\hfill {\mathbf{Adv}}_{\mathcal{PKE},\mathcal{D}}^{\mathrm{ind}-\mathrm{cca}}\left(\lambda \right)& =\mathrm{Pr}\left[\mathcal{D}\mathrm{outputs}0\right|b=0\left]\mathrm{Pr}\right[b=0]+\hfill \\ \hfill & \mathrm{Pr}\left[\mathcal{D}\mathrm{outputs}1\right|b=1]\mathrm{Pr}[b=1]-\frac{1}{2}\hfill \\ \hfill & =\frac{1}{2}\mathrm{Pr}\left[\mathcal{B}\mathrm{succeeds}\right|b=0]+\frac{1}{2}(1-\mathrm{Pr}\left[\mathcal{B}\mathrm{succeeds}\right|b=1])-\frac{1}{2}\hfill \\ \hfill & =\frac{1}{2}(\mathrm{Pr}\left[\mathcal{B}\mathrm{succeeds}\right|b=0]-\mathrm{Pr}\left[\mathcal{B}\mathrm{succeeds}\right|b=1])\hfill \\ \hfill & =\frac{1}{2}(ϵ-{\mathbf{Adv}}_{\mathcal{MAC},\mathcal{B}}^{\mathrm{cma}}\left(\lambda \right)),\hfill \end{array}$$

where the last line is summarised from the fact that forger $\mathcal{B}$ is in the encryption forger game when $b=0$, and forger $\mathcal{B}$ is in the chosen message attack game when $b=1$, $c^{*}$ is independent of $N_0$.

Integrating all previous results, we can conclude that

$$\begin{array}{c}\hfill \mathrm{Pr}\left[\mathrm{E}\right]\le n(n-1)q_I(2·{\mathbf{Adv}}_{\mathcal{PKE},\mathcal{D}}^{\mathrm{ind}-\mathrm{cca}}\left(k\right)+{\mathbf{Adv}}_{\mathcal{MAC},\mathcal{B}}^{\mathrm{cma}}\left(\lambda \right)).\end{array}$$

The rest of the proof is similar to that in Theorem 2, so we omit the details.

Reset-1 Security. The method used to construct a PKEDH-RR protocol that is RRA-secure is similar to that used in the ISO-RR protocol. Therefore, for the same reason, we are not sure whether the PKEDH-RR protocol can be extended to cover the Reset-1 model defined in [11].

7. Conclusions

Several recent incidents caused by the various kinds of randomness failures make the research community begin to find methods hedging cryptographic primitives against such failures. In this paper, we focus on a special attack, called related randomness attack (RRA), executed on the randomness used in authenticated key exchange, where an adversary is able to force the participants of an authenticated key exchange scheme to reuse the random values and the functions of these values. We start from formalising the RRA security model for an authenticated key exchange protocol. Following the RRA security model of public-key encryption and the randomness resetting security model of authenticated key exchange, we present our model of RRA security for authenticated key exchange. After pointing out the related randomness attacks on the authenticated key exchange protocols in [11], we propose several constructions of authenticated key exchange under related randomness attacks.