Practical Certificate-Less Infrastructure with Application in TLS

Abstract

We propose highly efficient certificate-less (CL) protocols for the infrastructure used by authenticated key exchange (AKE). The construction is based on elliptic curves (EC) without pairing, which means it can be easily supported by most industrial cryptography libraries on constrained devices. Compared with other pairing-free CL solutions, the new CL-AKE protocol enjoys the least number of scalar multiplications over EC groups. We use a unified game-based model to formalize the security of each protocol, while most previous works only assess the security against a list of attacks, provide informal theorems without proper modeling, or use separate models for protocols in different stages. We also present an efficient integration of the core protocols into the TLS cipher suites and a stand-alone implementation for constrained devices. The performance is evaluated on constrained devices in real-world settings, which further confirms the efficiency of our proposal.

1. Introduction

The authenticated key exchange protocols (AKE) based on conventional certificates are still widely deployed. Even in relatively new standards, such as TLS 1.3 [1], certificate-based cipher suites remains significant. Theoretical frameworks for evaluating protocol security, such as extensions of the Bellare–Rogaway model (BR) [2], eCK model [3] and universal composability (UC) [4], are usually used while assuming the existence of certificate-based public key infrastructure (PKI) [5,6].

However, the drawbacks of certificate-based infrastructure are also obvious. Ever-growing certificate revocation lists (CRL), floods of Online-Certificate States Protocol (OCSP) requests and the complicated logic of certificate chain verification may not fit into constrained devices [7] in the Internet of Things (IoT), where 50 KB RAM is already a luxury. Turning to pure symmetric key cryptography is not optimal in practice, either, as that introduces heterogeneity in the infrastructure, and scales poorly.

Therefore, exploring practical certificate-less AKE protocols (CL-AKE) is extremely meaningful.

CL-AKE solutions can use certificate-less public key encryption (CL-PKE) or signature (CL-SIG) to replace certificate chains. The syntax of the scheme and the types of adversaries have been defined for the first CL-PKE and CL-SIG by Al-Riyami and Paterson [8]. Unlike the key generation center (KGC) in identity-based or attribute-based cryptography (IBC, ABC), the KGC in CL-PKE can only compute partial private keys of users, so solutions based on CL-PKC do not suffer from the key escrow problem. The initial construction of CL-PKC in [8] is bilinear pairing based. Later, in 2007, Crampton et al. proposed a password-enabled and certificate-free grid security infrastructure (PECF-GSI) [9]. The protocols in PECF-GSI use bilinear pairing as heavily as the original Al-Ruyami–Paterson schemes. Other pairing-based certificate-less solutions in the last two decades [10,11,12,13,14,15] have experienced various improvement and trade-offs.

One of the major challenges for building certificate-less infrastructure is to optimize the efficiency of every protocol in its cryptographic core. As pointed out in [16], a bilinear pairing operation is about ten-times slower than a point multiplication on elliptic curves (EC), so it is necessary to avoid pairing and also to trim the redundant components, such as signature generation or decryption, off the CL-AKE main protocol.

Another critical challenge is establishing a unified security model for the two stages: user key registration and AKE. An adversary $\mathcal{A}$ against CL-PKE/SIG with key registration [8] has the power to corrupt users, corrupt KGC and register new public keys. However, whether $\mathcal{A}$ can see any message exchanged between an honest user and the KGC is undefined. In contrast, adversaries against AKE protocols have different powers in BR [2], eCK [3] and other game-based models [5]. These adversaries can tamper with messages and corrupt parties but may not be allowed to register new public keys. Although it has not been theoretically ruled out that messages in the key registration phase can threaten the AKE phase, most previous works on CL-AKE [15,17,18,19] used separate game-based models for the generation/registration of user key pairs (in a secure channel or out of band channel) and AKE protocol (in the public channel), or ignore the messages exchanged during the registration.

1.1. Our Contribution and Paper Outline

To meet the challenges mentioned above, we make the following contribution in this paper.

• We propose a practical cryptographic core of a certificate-less (CL) infrastructure, including user key registration and CL-AKE. The protocols are constructed from elliptic curves (EC) without pairing or any signature so that they can be easily supported by most industrial public key cryptography libraries for constrained devices. To the best of our knowledge, our AKE protocol also enjoys the optimal number of point multiplication over EC compared to other pairing-free solutions (see

  Table 1. Comparison with other provably secure pairing-free (EC)DH-based CL-AKE. Proposals without security models, such as [18,20], are not included. BPM: base-point multiplication on each side; PM: non-base-point multiplication on each side.

  	# BPM	# PM	Security Model
  Yang and Tan [17]	1	10	dedicated, game-based, stage-separated
  Song et al. [16]	1	7	dedicated, game-based, stage-separated
  He et al. [19]	1	4	eCK for CL-AKA only
  This work	1	3	extended eCK for AKE and key reg.

  ).
• We integrate CL-AKE into TLS ciphersuites [1]. The performance is compared with TLS-DHE with certificates in data volume and computation. We also deploy and test the slim implementation of CL-AKE without the TLS stack on constrained IoT devices. Subsequently, the evaluation confirms the real-world efficiency of our proposal.
• Our new provably secure CL signature scheme ${\Pi }_{\mathsf{CL}-\mathsf{SIG}}$ with two-way public key reconstruction can be of independent interest.

After the introduction, we present the necessary notation and preliminaries in Section 2. As a starting point for building CL-AKE and proving its security in the game-based framework, we introduce a new certificate-less and paring-free signature scheme with two-way public key reconstruction in Section 3. The game-based AKE security model is presented in Section 4. The new certificate-less key registration, CL-AKE protocols and the security analysis can be found in Section 5. We present the integration to TLS and the evaluation in Section 6.

1.2. Technical Road Map

The cost of verifying a conventional certificate chain is proportional to the number of certificates on the chain. More specifically, to verify the end-level signature, a user has to verify the first-level signature with the public key in the root certificate and then the second-level signature with the public key of the first-level certificate. The verification continues until the signature on the end-level certificate is verified. For EC-based signatures, the verification usually involves a significant amount of point multiplication in an EC group.

A CL-SIG is designed to identify and utilize shortcuts during the verification process. Ideally, a user only has to verify the end-level public key with the root public key, usually the public key of the KGC. This verification can also be enforced implicitly through computation. If an end-level public key ${\mathsf{pk}}_j$ can be reconstructed by any honest user using the KGC’s public key ${\mathsf{pk}}_{\mathsf{KGC}}$ and the identifier ${\mathsf{PID}}_j$, then intuitively, the verification of ${\mathsf{pk}}_j$ is almost finished.

The shortcut we implement in CL-SIG is to replace the signature verification with a hash function, which is considerably more efficient. The hash function ${\mathsf{H}}_1\left(\right)$ maps binary strings to elements in an integer group. If a public key is an EC point that can be encoded as a binary string, and the corresponding private key is an integer in a group, ${\mathsf{H}}_1\left(\right)$ provides an efficient way to bind the public keys ${\mathsf{pk}}_j$, ${\mathsf{pk}}_{\mathsf{KGC}}$ and the identifier ${\mathsf{PID}}_j$ with the private key. Moreover, to make CL-SIG fully functional, there must be two alternatives to how ${\mathsf{pk}}_j$ can be reconstructed. One is through ${\mathsf{sk}}_j$, i.e., the way that only the key owner can take, and another one is through the use of ${\mathsf{H}}_1\left(\right)$, ${\mathsf{pk}}_{\mathsf{KGC}}$ and some additional information $B_j$, i.e., any user can do it. For details, we refer the reader to Figure 1 in Section 3.

We implement another shortcut to construct CL-AKE from CL-SIG. Instead of using the signing and verification algorithms in our CL-SIG, we keep only the public key reconstruction algorithms in the AKE. An AKE participant can reliably reconstruct its peer’s public key ${\mathsf{pk}}_j$ and then use ${\mathsf{pk}}_j$ with its own ephemeral key materials to derive the session keys. A message authenticate code is used to confirm the knowledge of all related secrets, replacing the expensive signature verification. For details, we refer the reader to Figure 2 in Section 5.

In summary, we replace as many public key operations (e.g., signature and point multiplication) with efficient symmetric essential operations (e.g., hash, message authentication code and pseudo-random function) as possible, while keeping the CL solution provably secure. The resulting CL-AKE enjoys forward secrecy due to the Gap Diffie–Hellman problem’s hardness and the new CL-SIG’s security.

1.3. Related Work

We review existing approaches to construct certificate-less AKE and authentication infrastructure, including identity-based cryptography, attribute-based cryptography, and CL-AKE with and without pairing.

1.3.1. IBC and ABC-Based CL Solutions

An important line of research is replacing certificate-based PKI with identity-based cryptography (IBC) [21]. In principle, the IBC public key is a user identity $\mathsf{pid}$ itself, and $\mathsf{pid}$ is embedded algebraically into the user’s secret key by KGC with its master secret key $\mathsf{msk}$. IBC eliminates certificates and simplifies the management of public keys greatly, but it suffers from the key escrow problem. More specifically, in the standard syntax of IBC, such as in [21,22], every user secret key is derived from its $\mathsf{pid}$ and a system-wide static $\mathsf{msk}$ of KGC. Once $\mathsf{msk}$ is compromised, the adversary can use $\mathsf{msk}$ to recover all previous user secret keys, destroying forward secrecy (FS). Attribute-based cryptography (ABC) [23] can be seen as a generalization of IBC. Instead of using one single identity, ABC uses a combination of multiple attributes to encrypt a message. However, the key escrow problem remains if any user secret key is derivable from $\mathsf{msk}$ and the attribute combinations alone. This KGC setting is preserved in various IBC-/ABC-based solutions [24,25], and some are flawed or without FS later [15,26].

1.3.2. CL-PKC and Pairing-Based Attempts

The notion of certificate-less public key cryptography (CL-PKC) was first formalized in 2003 by Al-Riyami and Paterson [8]. As the KGC in CL-PKC can only compute partial private keys for users, solutions based on CL-PKC do not inherently suffer from the key escrow problem. Later, Crampton et al. proposed a password-enabled and certificate-free grid security infrastructure (PECF-GSI) [9] in 2007. The protocols in PECF-GSI use bilinear pairing heavily as the original Al-Ruyami–Paterson schemes.

Various pairing-based attempts have been made for different trade-offs between security and efficiency. In 2012, Sanaa Taha et al. proposed certificate-less authentication key agreement (CL-AKA), a link-layer authentication and key agreement protocol based on CL-PKC, which does not consider ephemeral key leakage attacks [10]. Maity et al. proposed a novel certificate-less on-demand public key management (CL-PKM) protocol for self-organized MANETs [27]. Memon et al. proposed two authentication protocols based on Al-Ruyami–Paterson CL-PKC and IBE [11,12] in 2015. The security is analyzed with BAN-logic. Balakrishnan et al. proposed a practical email system based on CL-PKC with user authentication and key exchange in 2016, but the encryption of messages actually bears no forward secrecy when the receiver’s long-term keys are exposed [13]. Bala et al. proposed a secure key management and authentication protocol in 2017, making use of hybrid cryptography that involves both symmetric and CL-PKC but without formal security models [14]. Saeed et al. proposed a lightweight online/offline certificate-less signature (L-OOCLS) and a heterogeneous remote anonymous authentication protocol (HRAAP) for IoT applications in 2018 [15]. The L-OOCLS scheme is pairing-based and provably secure in random oracle model. The proposed HRAAP, however, cannot be proved secure in the BR or eCK model as the session key is directly used in handshake.

1.3.3. Pairing-Free CL-AKE

Pairin-free CL solutions have also been proposed. Song et al. [16] proposed a secure lightweight certificate-less authenticated key agreement (CL-AKA) for securing vehicle-to-vehicle (V2V) communication without using pairings. Unfortunately, the protocols need a large number of exponentiations in an integer group. Yang and Tan [17] proposed a CL-AKA that is provably secure in a dedicated model. He et al. [19] proposed efficient CL-AKA with security proofs in an extended eCK model dedicated to the key agreement part alone. Farouk et al. also introduced an efficient pairing-free CL-AKA protocol for grid computing environments [18] by extending the work of He et al. [19]. In 2018, KhanSafi et al. proposed an authentication framework for the message dissemination of toll payment information with a pairing-free CL-PKC system [20]. Unfortunately, there is no security proof provided in [19,20].

Defining a unified security model for each stage of CL-AKE is not a trivial task. On the one hand, the adversary for CL-PKE or CL-SIG in [8] has the power to corrupt users, corrupt the KGC or register new public keys, but cannot see any messages exchanged between the user and KGC. On the other hand, adversaries against authenticated key exchange (AKE) protocols, however, have different powers in BR [2], eCK [3] and other game-based models [5]. These adversaries can tamper with messages and corrupt parties (users) but cannot register new public keys. However, it has not been confirmed or denied whether messages in the key pair generation phase can threaten the AKE phase. Most previous works on CL-AKE [10,15,16,18,19] used separate models for the generation of user key pairs (in a secure channel or out-of-band channel) and AKE protocol (in public channels), or even ignore the messages exchanged during the key pair generation.

From 2021 till now, lattice-based (LBC) and isogeny-based cryptography have been introduced for post-quantum security, and new constructions have been proposed [28,29,30,31,32]. However, deploying LBC on constrained devices remains challenging now and in the near future, especially when facing the conflict between the large key/ciphertext size required by LBC and the limited RAM/storage on constrained devices [33].

2. Notation and Preliminaries

In this section, we introduce the necessary cryptographic building blocks of our solution.

2.1. Notations

We use $\kappa \in \mathbb{N}$ and $1^{\kappa }$ to denote the security parameter. Let $\left[n\right]=\{1,\dots ,n\}\subset \mathbb{N}$ be the set of integers from 1 to n. If S is a set, $a\stackrel{\$}{\leftarrow }S$ means sampling a uniformly random element a from S. If $\mathcal{A}\left(\right)$ is an algorithm, $m\leftarrow {\mathcal{A}}^{\mathcal{O}(·)}\left(x\right)$ and ${\mathcal{A}}^{\mathcal{O}(·)}\left(x\right)\stackrel{\$}{\to }m$ denote that $\mathcal{A}$ outputs m on input x with the help of another oracle $\mathcal{O}(·)$. $X\left|\right|Y$ means concatenating two binary strings X and Y. We use $Pr[E:A]$ to denote the probability that event E happens if action A is taken. Other notations will be introduced as needed.

2.2. Cryptographic Primitives and Hardness Assumptions

Message authentication code (MAC) is frequently used in AKE protocols for message integrity and can also work as a proof of the knowledge of the secret key.

Definition 1 

(Message Authentication Code, MAC). A MAC scheme $\mathsf{MAC}=(\mathsf{MAC}.\mathsf{Gen},$$\mathsf{MAC}.\mathsf{Tag},$$\mathsf{MAC}.\mathsf{Vfy})$ consists of three algorithms: $\mathsf{MAC}.\mathsf{Gen}$,$\mathsf{MAC}.\mathsf{Tag}$ and $\mathsf{MAC}.\mathsf{Vfy}$ described below.

• $\mathsf{MAC}.\mathsf{Gen}\left(1^{\kappa }\right)\stackrel{\$}{\to }\mathsf{k}$. The non-deterministic key generation algorithm $\mathsf{MAC}.\mathsf{Gen}\left(\right)$ takes the security parameter $1^{\kappa }$ as the input and outputs the secret key $\mathsf{k}$.
• $\mathsf{MAC}.\mathsf{Tag}(\mathsf{k},m)\stackrel{\$}{\to }\mathsf{mTag}$. The (non-deterministic) message tagging algorithm $\mathsf{MAC}.\mathsf{Tag}\left(\right)$ takes the secret key $\mathsf{mTag}$ and a message m as the input and outputs the authentication tag $\mathsf{mTag}$.
• $\mathsf{MAC}.\mathsf{Vfy}(\mathsf{k},m,\mathsf{mTag})=b$. The deterministic tag verification algorithm $\mathsf{MAC}.\mathsf{Vfy}\left(\right)$ takes the MAC secret key $\mathsf{k}$, a message m and a tag $\mathsf{mTag}$ as input and outputs a boolean value b. b is $\mathsf{TRUE}$ if $\mathsf{mTag}$ is a valid MAC tag on m.

Hash functions are used for obtaining a digest of the input. The digest can be of fixed length or in a finite domain.

Definition 2 

(Collision-resistant Hash Function). A hash function $H:\mathcal{M}\to \mathcal{D}$ is collision-resistant if there exists a negligible function ${ϵ}_{\mathsf{coll}}\left(\right)$ such that for any algorithm $\mathcal{A}$ with running time bounded by $\mathsf{poly}\left(\kappa \right)$, it holds that

$$\begin{array}{c}\hfill Pr\left[\begin{array}{c}(m_0,m_1)\leftarrow \mathcal{A}(1^{\kappa },H):\\ m_0\ne m_1\bigwedge H\left(m_0\right)=H\left(m_1\right)\end{array}\right]\le {ϵ}_{\mathsf{coll}}\left(\kappa \right),\end{array}$$

where $\mathcal{M}$ is the message space, and $\mathcal{D}$ is the hash image space.

Pseudo-random function (PRF) can be used for key derivation as in TLS 1.3 [1]. PRF ensures that the output looks random if the secret key is not leaked.

Definition 3 

(Pseudo-random function, PRF). A pseudo-random function $\mathbb{F}=(\mathsf{FKGen},\mathsf{PRF})$ consists of two algorithms, $\mathsf{FKGen}$ and $\mathsf{PRF}$, described below.

• $\mathsf{FKGen}\left(1^{\kappa }\right)\stackrel{\$}{\to }\mathsf{k}$. The non-deterministic key generation algorithm $\mathsf{FKGen}\left(\right)$ takes the security parameter $1^{\kappa }$ as the input and outputs the secret key $\mathsf{k}$.
• $\mathsf{PRF}(\mathsf{k},x)=y$. The PRF evaluation algorithm $\mathsf{PRF}\left(\right)$ takes as the input the secret key $\mathsf{k}$ and a value x in the domain and outputs an image y.

The Schnorr signature scheme can be seen as a general template for (EC-)group-based signature. The most critical operation is the scalar-point multiplication. Note that the verification algorithm $\mathsf{SIG}.\mathsf{Vfy}$ of Schnorr needs two point multiplication, one on the base point G and one on the non-base point $\mathsf{pk}$. In contrast, the signing only needs one base point multiplication. In practice, base point multiplication has been optimized for each EC group, so it is usually much quicker than non-base point multiplication.

Definition 4 

(Schnorr signature scheme). Let ${\mathsf{H}}_2\left(\right):{\{0,1\}}^{\kappa }\to {\mathbb{Z}}_q$ be a collision-resistant cryptographic hash function. The Schnorr signature scheme $\mathsf{SIG}$ consists of three algorithms $(\mathsf{SIG}.\mathsf{Gen}$, $\mathsf{SIG}.\mathsf{Sign}$, $\mathsf{SIG}.\mathsf{Vfy})$ described below.

• $\mathsf{SIG}.\mathsf{Gen}\left(1^{\kappa }\right)\stackrel{\$}{\to }(\mathsf{params},\mathsf{pk},\mathsf{sk})$. The non-deterministic key generation algorithm $\mathsf{SIG}.\mathsf{Gen}\left(\right)$ takes the security parameter $1^{\kappa }$ as the input and outputs the public parameters $\mathsf{params}$, the public key $\mathsf{pk}$ and the corresponding private key $\mathsf{sk}$, where $\mathsf{params}=(\mathbb{G},G,{\mathsf{H}}_2\left(\right))$, G is the generator of group $\mathbb{G}$ of large prime order q, $\mathsf{pk}=x·G$, $\mathsf{sk}=x$ with $x\stackrel{\$}{\leftarrow }{\mathbb{Z}}_{\left|\mathbb{G}\right|}$, and $\mathsf{H}\left(\right)$ maps any bit string to an integer in ${\mathbb{Z}}_q$.
• $\mathsf{SIG}.\mathsf{Sign}(\mathsf{sk},m)\stackrel{\$}{\to }\sigma$. This signing algorithm $\mathsf{SIG}.\mathsf{Sign}\left(\right)$ takes the private key $\mathsf{sk}$ and the message m as the input. It chooses $r\stackrel{\$}{\leftarrow }{\mathbb{Z}}_q$, computes $R=r·G$, $e={\mathsf{H}}_2\left(R\right|\left|m\right)$, and $\beta =r+e·\mathsf{sk}$. It outputs the signature $\sigma =(R,\beta )$.
• $\mathsf{SIG}.\mathsf{Vfy}(\mathsf{pk},m,\sigma )=b$. This verification algorithm $\mathsf{RingVrfy}\left(\right)$ takes a public key $\mathsf{pk}$, a message m and a signature $\sigma =(R,\beta )$ as input. It first computes $e^{\prime }=$${\mathsf{H}}_2\left(R\right|\left|m\right)$, then outputs $\mathsf{TRUE}$ if $\beta ·G=R+e^{\prime }·\mathsf{pk}$, and $\mathsf{FALSE}$ otherwise.

We refer the reader to standard cryptography literature, such as [34], for the security definition of all the cryptographic primitives above and Diffie–Hellman key exchange (DH).

Definition 5 

(Discrete logarithm, DL). Let $\mathsf{GGen}\left(1^{\kappa }\right)$ be a group generation algorithm which outputs $\mathsf{params}=(\mathbb{G},G,q)$, where $\mathbb{G}$ is the description of a cyclic group, with G as its generator and q as its order. The discrete logarithm (DL) assumption with respect to $\mathbb{G}$ states that the following quantity is negligible for any probabilistic polynomial time (PPT) adversary $\mathcal{A}$.

$$\begin{array}{c}\hfill {\mathsf{Adv}}_{\mathcal{A},\mathsf{DL}}:=Pr\left[Y=x·G:Y\stackrel{\$}{\leftarrow }\mathbb{G};x\leftarrow \mathcal{A}(\mathsf{params},Y)\right]\end{array}$$

The proof of Schnorr’s security or schemes that use group elements with hash usually relies on the hardness of the Discrete logarithm problem above. For proving security of AKE, we need the gap computational Diffie–Hellman Problem ($\mathsf{GCDH}$), which is defined as: given public parameter $\mathsf{params}$ and $(a·G,b·G)$ for $a,b\in {\mathbb{Z}}_q$, compute the element Z = $\left(ab\right)·G$ with the help of a Decisional Diffie–Hellman Oracle ${\mathcal{O}}_{\mathsf{ddh}}(·)$, i.e., ${\mathcal{O}}_{\mathsf{ddh}}(·)$ answers whether a given quadruple $(G,a·G,b·G,c·G)$ has $ab\equiv cmodq$.

Definition 6 

(Hardness of $\mathsf{GCDH}$). $\mathsf{GCDH}$ is hard with respect to $\mathbb{G}$, if for any PPT adversary $\mathcal{A}$, the following quantity is negligible.

$$\begin{array}{c}\hfill {\mathsf{Adv}}_{\mathcal{A},\mathsf{GCDH}}:=Pr\left[Z=\left(ab\right)·G:a,b\stackrel{\$}{\leftarrow }{\mathbb{Z}}_q;Z\leftarrow {\mathcal{A}}^{{\mathcal{O}}_{\mathsf{ddh}}(·)}(\mathsf{params},a·G,b·G)\right]\end{array}$$

In this section, we have reviewed the most relevant cryptographic primitives and hard problems. In the next section, we show how to construct an efficient CL-SIG from them.

3. New Certificate-Less Signature with Two-Way Reconstructable Public Key

We construct an extended certificate-less signature (CL-SIG) as the starting point. Although signing and verification are not used in our CL-AKE protocol, the security of ${\Pi }_{\mathsf{CL}-\mathsf{SIG}}$ simplifies the argument in the game-based framework.

Definition 7 

(CL-SIG with Two-way Reconstructable PK). A certificate-less signature scheme with a two-way reconstructable public key (CL-SIG-TRK) is a tuple of seven algorithms $(\mathsf{Setup},$$\mathsf{PPKey}-\mathsf{Extract},$$\mathsf{Set}-\mathsf{Private}-\mathsf{Key},$$\mathsf{Set}-\mathsf{Secret}-\mathsf{Value},$$\mathsf{Set}-\mathsf{Public}-\mathsf{Key},$ $\mathsf{Sign},$$\mathsf{Verify}$, $\mathsf{Reconst}-\mathsf{Pk})$ defined as follows.

• $\mathsf{Setup}\left(1^{\kappa }\right)\stackrel{\$}{\to }\left(\mathsf{params},\mathsf{msk}\right)$. The (non-deterministic) algorithm $\mathsf{Setup}\left(\right)$ takes in the security parameter $1^{\kappa }$ and outputs the system parameters $\mathsf{params}$ and the master key $\mathsf{msk}$.
• $\mathsf{Set}-\mathsf{Secret}-\mathsf{Value}(\mathsf{params},{\mathsf{PID}}_i)\stackrel{\$}{\to }(a_i,A_i)$. This algorithm outputs party i’s secret value $a_i$ and auxiliary information $A_i$ on input $\mathsf{params}$ and the identifier ${\mathsf{PID}}_i$.
• $\mathsf{PPKey}-\mathsf{Extract}(\mathsf{params},\mathsf{msk},{\mathsf{PID}}_i,A_i)\stackrel{\$}{\to }(s_i,$$B_i)$. This partial key extraction algorithm outputs party i’s partial private key $s_i$ and the partial public key $B_i$ on input $\mathsf{params}$, $\mathsf{msk}$, ${\mathsf{PID}}_i$ and $A_i$.
• $\mathsf{Set}-\mathsf{Public}-\mathsf{Key}(\mathsf{params},s_i,B_i,a_i)\to {\mathsf{pk}}_i$. This algorithm takes as input $\mathsf{params}$, $s_i$, $a_i$ and $B_i$, and outputs i’s public key ${\mathsf{pk}}_i$.
• $\mathsf{Reconst}-\mathsf{Pk}(\mathsf{params},{\mathsf{PID}}_i,B_i)\to {\mathsf{pk}}_i$. This public key reconstruction algorithm takes as input $\mathsf{params}$, identity ${\mathsf{PID}}_i$ and the partial public key $B_i$, and it outputs the complete public key ${\mathsf{pk}}_i$ of party i.
• $\mathsf{Sign}(\mathsf{params},{\mathsf{sk}}_i,m)\stackrel{\$}{\to }\sigma$. This algorithm takes $\mathsf{params}$, the private signing key ${\mathsf{sk}}_i$ and a valid message m as input and outputs a signature σ.
• $\mathsf{Verify}(\mathsf{params},{\mathsf{pk}}_i,{\mathsf{PID}}_i,m,\sigma )\to b$. This algorithm outputs a bit value $b\in \{\mathsf{TRUE},$$\mathsf{FALSE}\}$ on input ${\mathsf{pk}}_i$, ${\mathsf{PID}}_i$, m and a signature σ. The value b is $\mathsf{TRUE}$ if σ is a valid signature on m with respect to ${\mathsf{pk}}_i$ and ${\mathsf{PID}}_i$.

Algorithms and outputs in dashed boxes are the extensions to the syntax in [8]. In the original syntax, ${\mathsf{pk}}_i$ can only be computed by its owner with $\mathsf{Set}-\mathsf{Public}-\mathsf{Key}\left(\right)$. The extension $\mathsf{Reconst}-\mathsf{Pk}(\mathsf{params},{\mathsf{PID}}_i,B_i)$, allows anyone who knows $B_i$ and the KGC’s pubic key to reconstruct ${\mathsf{pk}}_i$. Thus, there are two ways to reconstruct the public key, giving space for more efficiency improvement in the CL-AKE construction.

The security game for $\mathsf{CL}-\mathsf{SIG}$ in [8] is an EUF-CMA game extended with queries in

Table 2. Queries (adversary’s ability) in the $\mathsf{CL}-\mathsf{SIG}$ security game [8]. Notations are adapted to ours.

Query	Description
$\mathsf{PPKey}-\mathsf{Extract}\left({\mathsf{PID}}_i\right)$	return partial private/public keys
$\mathsf{ReplacePK}({\mathsf{PID}}_i,{\mathsf{pk}}_i^{\prime })$	replace the public key of ${\mathsf{PID}}_i$ with ${\mathsf{pk}}_i^{\prime }$
$\mathsf{getPrivateKey}\left({\mathsf{PID}}_i\right)$	get the private key of ${\mathsf{PID}}_i$
$\mathsf{getKeyKGC}\left(\right)$	return $\mathsf{msk}$
$\mathsf{SIG}.\mathsf{Sign}({\mathsf{PID}}_i,m)$	get ${\mathsf{PID}}_i$’s signature on m

. In principle, Type I adversaries can replace public keys but cannot get KGC’s private key, while Type II adversaries can have the KGC’s private key but cannot replace public keys.

More specifically, let ${\mathsf{PID}}_j$ be the challenged party and $(m^{*},{\sigma }^{*})$ the forgery. Besides being forbidden to ask $\mathsf{getKeyKGC}\left(\right)$, the restrictions on a Type I adversary $\mathcal{A}$ are:

• $\mathcal{A}$ cannot query $\mathsf{PPKey}-\mathsf{Extract}\left({\mathsf{PID}}_j\right)$.
• For any ${\mathsf{PID}}_i$, $\mathcal{A}$ cannot query $\mathsf{getPrivateKey}\left({\mathsf{PID}}_i\right)$, if it has previously queried $\mathsf{ReplacePK}($${\mathsf{PID}}_i,{\mathsf{pk}}_i^{\prime })$.
• $\mathcal{A}$ cannot query $\mathsf{ReplacePK}({\mathsf{PID}}_j,{\mathsf{pk}}_j^{\prime })$ before submitting forgery, if it has previously asked $\mathsf{PPKey}-\mathsf{Extract}\left({\mathsf{PID}}_j\right)$.
• $\mathcal{A}$ has not queried $\mathsf{SIG}.\mathsf{Sign}({\mathsf{PID}}_j,m^{*})$ before submitting $(m^{*},{\sigma }^{*})$.

Besides being forbidden to ask $\mathsf{ReplacePK}{({\mathsf{PID}}_i,{\mathsf{pk}}_i)}^{\prime }$ for any i, the restrictions on a Type II adversary $\mathcal{A}$ are:

• $\mathcal{A}$ cannot ask $\mathsf{getPrivateKey}\left({\mathsf{PID}}_j\right)$.
• $\mathcal{A}$ has not queried $\mathsf{SIG}.\mathsf{Sign}({\mathsf{PID}}_j,m^{*})$ before submitting $(m^{*},{\sigma }^{*})$.

Our new CL-SIG-TRK ${\Pi }_{\mathsf{CL}-\mathsf{SIG}}$ is in Figure 1, where $\mathsf{SIG}$ is the Schnorr signature scheme in Definition 4. The security of ${\Pi }_{\mathsf{CL}-\mathsf{SIG}}$ is summarized in Theorem 1. We still stick to the original syntax of $\mathsf{Verify}\left(\right)$. On the other hand, the extension, $\mathsf{Reconst}-\mathsf{Pk}\left(\right)$, also provides more flexibility in the verification, as a signature $({\sigma }^{\prime },B_i)$ can now be verified with itself and the KGC public key ${\mathsf{pk}}_{\mathsf{KGC}}$. We will show how a receiver of the partial public key $B_i$ can check and use it efficiently in AKE in Section 5.

Theorem 1 

(Security of ${\Pi }_{\mathsf{CL}-\mathsf{SIG}}$). If the discrete logarithm problem is hard with respect to group $\mathbb{G}$, then the CL-SIG-TRK scheme ${\Pi }_{\mathsf{CL}-\mathsf{SIG}}$ is existentially unforgeable against chosen message attack (EUF-CMA) in the presence of Type I and Type II adversaries in the random oracle model, where Type I and Type II adversaries have access to queries defined in [8].

More specifically, if there exists $\mathcal{S}$ against ${\Pi }_{\mathsf{CL}-\mathsf{SIG}}$, then there exist DL problem solvers $\mathcal{D}$ and $\mathcal{U}$, such that

$$\begin{array}{cc}\hfill {\mathsf{Adv}}_{\mathcal{S},\mathsf{CL}-\mathsf{SIG}}\le & 2d·{\mathsf{Adv}}_{\mathsf{SIG}}+\sqrt[4]{{(q_{{\mathsf{H}}_1}+q_{{\mathsf{H}}_2})}^6·{\mathsf{Adv}}_{\mathcal{D},\mathbb{G}}^{\mathsf{DLP}}}\hfill \\ \hfill & +\sqrt[4]{\frac{3·(q_{{\mathsf{H}}_1}+q_{{\mathsf{H}}_2})}{\left|\mathbb{G}\right|}}+\frac{d^2+q_{{\mathsf{H}}_1}^2+2·q_{{\mathsf{H}}_2}^2+2}{\left|\mathbb{G}\right|}\hfill \\ \hfill \mathit{with}{\mathsf{Adv}}_{\mathsf{SIG}}\le & \sqrt[2]{(q_{{\mathsf{H}}_2}+q_{\mathsf{SIG}}+1)·{\mathsf{Adv}}_{\mathcal{U},\mathbb{G}}^{\mathsf{DLP}}}\hfill \\ \hfill & +\sqrt[2]{\frac{(q_{{\mathsf{H}}_2}+q_{\mathsf{SIG}}+1)·(q_{\mathsf{SIG}}+1)}{\left|\mathbb{G}\right|}},\hfill \end{array}$$

(1)

where ${\mathsf{Adv}}_{\mathcal{S},\mathsf{CL}-\mathsf{SIG}}$ is the advantage of any PPT adversary $\mathcal{S}$ against ${\Pi }_{\mathsf{CL}-\mathsf{SIG}}$, ${\mathsf{Adv}}_{\mathcal{D},\mathbb{G}}^{\mathsf{DLP}}$ and ${\mathsf{Adv}}_{\mathcal{U},\mathbb{G}}^{\mathsf{DLP}}$ the advantage of $\mathcal{D}$ and $\mathcal{U}$ against $\mathsf{DLP}$, respectively, ${\mathsf{Adv}}_{\mathsf{SIG}}$ the advantage of any PPT adversary against Schnorr Signature $\mathsf{SIG}$, d the maximal number of clients with distinct identifiers, $q_{{\mathsf{H}}_1}$ the number of queries to random oracle ${\mathsf{H}}_1$ used in ${\Pi }_{\mathsf{CL}-\mathsf{SIG}}$, $q_{{\mathsf{H}}_2}$ the number of queries to random oracle ${\mathsf{H}}_2$ used in Schnorr $\mathsf{SIG}$, and $q_{\mathsf{SIG}}$ the number of signing queries.

We defer the proof of Theorem 1 to Appendix A, as it relies on the multiple forking lemmma in [35] and is rather technical. Intuitively, the multiple-forking lemma helps us connect the CL-SIG security to the hardness of $\mathsf{DLP}$ (Definition 5).

From Theorem 1, we can have Corollary 1, which is necessary for proving the security of the user key registration protocol (see Figure 3 in Section 5). The proof of Corollary 1 is quite straight forward, as unforgeable CL-SIG implies unforgeable and non-replaceable key pairs.

Corollary 1. 

If the advantages of Type I and Type II adversaries against ${\Pi }_{\mathsf{CL}-\mathsf{SIG}}$ are upper-bounded by ${\mathsf{Adv}}_{\mathsf{CL}-\mathsf{SIG}}$, the probability that any public-private key pair $({\mathsf{pk}}_i,{\mathsf{sk}}_i)$ is forgeable or replaceable by Type I and Type II adversaries is also upper-bounded by ${\mathsf{Adv}}_{\mathsf{CL}-\mathsf{SIG}}$.

Now, we have all the necessary tools to construct a CL-AKE with forward secrecy [1].

4. Game-Based Security Model for CL-AKE

In this section, we define a security model for certificate-less AKE protocols. We assume each participant communicates through a public network, and the adversary controls all the data traffic. This setting is formalized in the execution environment.

4.1. Protocol Execution Environment

Let $\mathcal{SK}\in {\{0,1\}}^{\kappa }$ denote the session key space, and $\mathcal{K}$ is the pre-shared key space. Let $\{P_1,\dots ,P_{\ell }\}$ be the set of all parties for ℓ$\in \mathbb{N}$, where a potential participant $P_i$ has a long-term pre-shared key $\mathsf{K}\in \mathcal{K}$ that corresponds to its identity i.

Each $P_i$ can have a polynomial number of process oracles $\left\{{\pi }_i^s\right\}$, where $s\in \left[d\right]$ is an index with $d\in \mathbb{N}$. A unique session identifier $\mathsf{sid}$ labels a protocol session between a client and a server instance. Moreover, we assume that besides the access to long-term secrets, such as private keys, each oracle ${\pi }_i^s$ maintains a list of independent internal state variables as described in the following list (

Table 3. Internal states of oracles.

Variable	Description
${\mathsf{PID}}_i^s$	records the identities $\left\{j\right\}\subset \{1,\dots ,\ell \}$ of intended communication partners $\left\{P_j\right\}$
${\Phi }_i^s$	denotes ${\Phi }_i^s\in \{\mathtt{accept},\mathtt{reject}\}$
${\mathsf{sid}}_i^s$	denotes the session identifiers
${\mathsf{K}}_i^s$	records the session key ${\mathsf{K}}_i^s\in \mathcal{K}$
${\mathsf{Eph}}_i^s$	records the ephemeral secret used to compute the session key ${\mathsf{K}}_i^s$

).

The internal state of each oracle ${\pi }_i^s$ is initialized as (${\mathsf{PID}}_i^s$, ${\Phi }_i^s$, ${\mathsf{sid}}_i^s$, ${\mathsf{K}}_i^s$, ${\mathsf{Eph}}_i^s$) = (∅, ∅, ∅, ∅, ∅), where ∅ denotes the empty string. We assume that the session key is assigned to the variable ${\mathsf{K}}_i^s$ such that ${\mathsf{K}}_i^s\ne \varnothing$ if each oracle completes the execution with an internal state ${\Phi }_i^s=\mathtt{accept}$.

4.2. Adversary Model

An active adversary $\mathcal{A}$ can interact with the execution environment by issuing the queries below. Queries in the dashed boxes are our extensions to the eCK model [3].

• $\mathsf{Send}({\pi }_i^s,m)$: $\mathcal{A}$ can use this query to send any message m of its choice to oracle ${\pi }_i^s$. The oracle will respond according to the protocol specification and its internal state. If m consists of a special symbol ⊤ ($m=\top$), then ${\pi }_i^s$ will respond with the first protocol message.
• $\mathsf{RegCorruptParty}(i,{\mathsf{sk}}_i,{\mathsf{pk}}_i)$ This query allows $\mathcal{A}$ to register a new party with ${\mathsf{sk}}_i,{\mathsf{pk}}_i$ given by $\mathcal{A}$. If party i already exists, then upon this query, all long-term key pairs will be replaced with ${\mathsf{sk}}_i,{\mathsf{pk}}_i$, and existing randomness and session keys holding by any ${\pi }_i^s$ will be erased. In any case, party i has ${\tau }_i=0$ once this query has been issued.
• $\mathsf{Corrupt}\left(i\right)$: The oracle ${\pi }_i^s$ responds with the long-term private keys of party $P_i$. If $\mathsf{Corrupt}\left(i\right)$ is the $\tau$-th query issued by $\mathcal{A}$, then we say that $P_i$ is $\tau$-corrupted. For parties that have never been corrupted, we define $\tau :=\infty$.
• $\mathsf{RevealKey}\left({\pi }_i^s\right)$: Oracle ${\pi }_i^s$ responds to this query with the contents of variable ${\mathsf{K}}_i^s$ to $\mathcal{A}$. This query models the attacks that the exposure of a session key should not be damaging to other sessions. (Note that we have ${\mathsf{K}}^s\ne \varnothing$ if and only if ${\Phi }_i^s=\mathtt{accept}$.)
• $\mathsf{RevealEph}\left({\pi }_i^s\right)$: Oracle ${\pi }_i^s$ responds with the contents of the ephemeral secret stored in variable ${\mathsf{Eph}}_i^s$.
• $\mathsf{Test}\left({\pi }_i^s\right)$: This query can be made at most once. It does not model attacks but functions as a judgment for whether $\mathcal{A}$’s attacks are successful. Oracle ${\pi }_i^s$ handles this query as follows. If the oracle has state ${\Phi }_i^s\ne \mathtt{accept}$, then it returns a failure symbol ⊥. If the oracle does not have access to the corresponding type of keys, it returns some failure symbol ⊥.
  Otherwise, it flips a fair coin b, and it returns ${\mathsf{K}}_b$, where ${\mathsf{K}}_0$ is the real ${\mathsf{K}}_i^s$ and ${\mathsf{K}}_1\stackrel{\$}{\leftarrow }\mathcal{K}$.
• $\mathsf{TestForge}(i,{\mathsf{sk}}_i^{\prime },{\mathsf{pk}}_i^{\prime })$ This query judges the result of an attack, the goal of which is to forge a valid key pair. The output is 1 if $\mathsf{checkKey}({\mathsf{sk}}_i^{\prime },$${\mathsf{pk}}_i^{\prime })=\mathsf{TRUE}$ and 0 otherwise, where $\mathsf{checkKey}\left(\right)$ is parameterized by concrete protocols.

4.3. Security Definitions

Let ${\mathsf{sid}}_i^s$∈$\mathcal{SID}$ denote the session identifier received by oracle ${\pi }_i^s$, where $\mathcal{SID}\subseteq {\{0,1\}}^{\mathsf{poly}\left(\kappa \right)}$, i.e., a set of binary strings of length $\mathsf{poly}\left(\kappa \right)$.

Definition 8 

(Partnering Using $\mathsf{sid}$). In the protocol execution described above, we say that ${\pi }_i^s$ (with (${\mathsf{PID}}_i^s$, ${\Phi }_i^s$, ${\mathsf{sid}}_i^s$)) and ${\pi }_j^t$ (with (${\mathsf{PID}}_t^j$, ${\Phi }_j^t$, ${\mathsf{sid}}_j^t$)) are partnered if the following hold for both oracles: (1) ${\mathsf{PID}}_i^s$ = j and ${\mathsf{PID}}_j^t$ = i; (2) ${\Phi }_i^s$ = accept and ${\Phi }_j^t$ = accept; (3) ${\mathsf{sid}}_i^s$ = ${\mathsf{sid}}_j^t$;

Definition 9 

(Registration Freshness). Let $\mathsf{TestForge}({\mathsf{PID}}_i,{\mathsf{pk}}_i^{\prime },{\mathsf{sk}}_i^{\prime })$ be the ${\tau }_1$-th query. We call an oracle ${\pi }_i^s$${\tau }_1$-reg-fresh if all the following conditions hold for the adversary $\mathcal{A}$.

• (No direct corruption) i is τ-corrupt with $\tau >{\tau }_1$.
• (No corrupt-and-replace) If ${\mathsf{pk}}_i^{\prime }={\mathsf{pk}}_j$ and ${\mathsf{pk}}_j$ is an honest generated public key, then j is ${\tau }^{\prime }$-corrupt with ${\tau }^{\prime }>{\tau }_1$.
• (Type 1) If the first $\mathsf{RegCorruptParty}\left(i\right)$ is the τ-th query with $\tau <\infty$, then $\mathsf{Server}$ is ${\tau }_S$-corrupt, ${\tau }_S>{\tau }_1$, where $\mathsf{Server}$ is the KGC,
• (Type 2) If $\mathsf{Corrupt}\left(\mathsf{Server}\right)$ is the ${\tau }_S$-th query of $\mathcal{A}$ with ${\tau }_S<{\tau }_1$, then $\mathcal{A}$ has not made any $\mathsf{RegCorruptParty}\left(i\right)$ before ${\tau }_S$.

Here, we define the security of the key pair registration protocol.

Definition 10 

(Secure Key Pair Registration). Let the KGC be party $\mathsf{S}$. We say that a key pair registration protocol Π is $(t,ϵ)$-secure, if for all adversaries $\mathcal{A}$ with running time bounded by t, for some function $ϵ=ϵ\left(\kappa \right)$, it holds that if $\mathcal{A}$ has issued a $\mathsf{TestForge}({\mathsf{PID}}_i,·,·)$-query as the ${\tau }_1$-th query to oracle ${\pi }_i^s$, every client oracle ${\pi }_i^s$ is ${\tau }_1$-reg-fresh, then the advantage ${\mathsf{Adv}}_{reg}$ is bounded by a function ϵ. More specifically,

$${\mathsf{Adv}}_{reg}=Pr[\mathsf{TestForge}(i,{\mathsf{pk}}_i^{\prime },{\mathsf{sk}}_i^{\prime })=1:(i,{\mathsf{pk}}_i^{\prime },{\mathsf{sk}}_i^{\prime })\stackrel{\$}{\leftarrow }{\mathcal{A}}^{\mathcal{O}(·)}\left(1^{\kappa }\right)]\le ϵ,$$

where $\mathcal{O}=\left\{\mathsf{Send}\right(),\mathsf{RegCorruptParty}(),\mathsf{Corrupt}(\left)\right\}$.

Definition 11 

(Session Oracle Freshness). Let ${\pi }_i^s$ be an accepting oracle held by a party $P_i$ with intended partner $P_j$. Meanwhile, let ${\pi }_j^t$ be an oracle (if it exists), such that ${\pi }_i^s$ and ${\pi }_j^t$ are partnered. Then the oracle ${\pi }_i^s$ is said to be ${\tau }_0$-fresh, if it is ${\tau }_0$-reg-fresh, and when the adversary $\mathcal{A}$ issues its ${\tau }_0$-th query to ${\pi }_i^s$ and NONE of the following conditions holds:

• $\mathcal{A}$ has either made a $\mathsf{RevealKey}\left({\pi }_i^s\right)$ query or a $\mathsf{RevealKey}\left({\pi }_j^t\right)$ query, (if ${\pi }_j^t$ exists);
• $P_i$ is ${\tau }_i$-corrupted with ${\tau }_i\le {\tau }_0$;
• $P_j$ is ${\tau }_i$-corrupted with ${\tau }_j\le {\tau }_0$, (if ${\pi }_j^t$ exists);
• if ${\pi }_j^t$ exists, it is NOT ${\tau }_0$-reg-fresh;
• $\mathcal{A}$ has either made both $\mathsf{RevealEph}\left({\pi }_i^s\right)$ and $\mathsf{Corrupt}\left(i\right)$ queries, or both $\mathsf{RevealEph}\left({\pi }_j^t\right)$ and $\mathsf{Corrupt}\left(j\right)$ (if ${\pi }_j^t$ exists).

Definition 12 

(Secure Authenticated Key Exchange). We say that an AKE protocol Π is $(t,ϵ)$-secure, if for all adversaries $\mathcal{A}$ with running time t, for some probability $ϵ=ϵ\left(\kappa \right)$, it holds that: when $\mathcal{A}$ returns $b^{\prime }$ such that $\mathcal{A}$ has issued a $\mathsf{Test}\left(\right)$-query as the ${\tau }_0$-th query to oracle ${\pi }_i^s$, and the client oracle ${\pi }_i^s$ is ${\tau }_0$-fresh and has a synchronized partner throughout the security game, then the advantage ${\mathsf{Adv}}_{ake}$ is bounded by a function ϵ. More specifically,

$${\mathsf{Adv}}_{ake}=\left|Pr[b=b^{\prime }:b^{\prime }\leftarrow {\mathsf{Adv}}^{\mathcal{O}(·)}\left(1^{\kappa }\right)]-1/2\right|\le ϵ,$$

where $\mathcal{O}=\left\{\mathsf{Send}\right(),\mathsf{RegCorruptParty}(),\mathsf{Corrupt}(),\mathsf{RevealKey}(),$$\mathsf{RevealEph}\left(\right),\mathsf{Test}\left(\right)\}$.

The model that we have discussed so far provides a unified framework to evaluate the new CL-AKE protocols. The freshness ensures that we are focusing on real threats, and the queries can be combined to emulate attacks such as replay and man-in-the-middle.

5. New Protocols for Certificate-Less Infrastructure

The canonical way to transform a certificate-based AKE to CL-AKE is to replace the signature with a CL-SIG. However, the efficiency of the result is sub-optimal due to redundant computation and the extra demand for randomness. For example, to sign a message with our CL-SIG, an extra randomness is needed for the Schnorr component (line 4 in $\mathsf{Sign}(\mathsf{params},{\mathsf{sk}}_i,m)$ in Figure 1), and point multiplications are needed for verification.

Our new CL-AKE protocols save the participants from any signature verification. $\mathsf{Reconst}-\mathsf{Pk}(\mathsf{params},{\mathsf{PID}}_i,B_i)$ in ${\Pi }_{\mathsf{CL}-\mathsf{SIG}}$ (Figure 1) ensures that once Alice has a reliable ${\mathsf{pk}}_{\mathsf{KGC}}$$\in \mathsf{params}$, its peer Bob has to use a correct secret key with respect to $B_i$ and ${\mathsf{pk}}_{\mathsf{KGC}}$ in AKE (Figure 2), leading to optimal performance.

5.1. Client Key Registration

Initially, a client is provisioned with the KGC’s public keys ${\mathsf{ek}}_{\mathsf{KGC}},{\mathsf{pk}}_{\mathsf{KGC}}$ and its own encryption/decryption key pairs. A client can then register its key pair to a KGC, which also knows the client’s encryption key. Details of our new client key pair generation protocol (Protocol 2) can be found in Figure 3. The security is summarized in the following theorem, where $\mathsf{checkKey}$ for $\mathsf{TestForge}$ is defined as checking the discrete log relation ${\mathsf{sk}}_i^{\prime }·G={\mathsf{pk}}_i^{\prime }$.

Theorem 2 

(Security of Protocol 2). Assuming an authenticated channel, if the public encryption scheme ${\Pi }_{pke}$ is $\mathrm{IND}-\mathrm{CCA}$ secure and discrete logarithm problem is hard with respect to group $\mathbb{G}$, then Protocol 2 is secure in the sense of Definition 10 in the random oracle model. More specifically, for any PPT adversary ${\mathcal{A}}_{reg}$,

$$\begin{array}{c}\hfill {\mathsf{Adv}}_{reg}\le \frac{{(d·\ell )}^2}{\left|\mathbb{G}\right|}+{ϵ}_{{\mathsf{H}}_1}+{ϵ}_{\mathsf{PKE}}+{ϵ}_{\mathsf{CL}-\mathsf{SIG}},\end{array}$$

(2)

where d is the maximal number of parties, ℓ is the maximal number of oracles owned by each party, $\mathbb{G}$ is the group and the range of the hash function $\mathsf{H}\left(\right)$, ${ϵ}_{\mathsf{H}}$ is the advantage against the hash function $\mathsf{H}\left(\right)$, ${ϵ}_{\mathsf{PKE}}$ is the advantage against ${\Pi }_{\mathsf{PKE}}$ in the $\mathrm{IND}-\mathrm{CCA}$ game, and ${ϵ}_{\mathsf{CL}-\mathsf{SIG}}$ is the advantage against ${\Pi }_{\mathsf{CL}-\mathsf{SIG}}$.

Proof. 

We use a sequence of games [36] to argue $\mathcal{A}$’s advantage against Protocol 2. The term ${\mathsf{Adv}}_i$ means $\mathcal{A}$’s advantage in ${\mathsf{Game}}_{\mathsf{i}}$.

${\mathsf{Game}}_{\mathsf{0}}$. This is the original game, so we have

$$\begin{array}{c}\hfill {\mathsf{Adv}}_{reg}={\mathsf{Adv}}_0\end{array}$$

(3)

${\mathsf{Game}}_{\mathsf{1}}$. We add an abort rule in this game. We abort the game if any collision of honestly generated randomness or any hash collision happens. The abort probability can be bounded by the term $\frac{{(d·\ell )}^2}{\left|\mathbb{G}\right|}+{ϵ}_{{\mathsf{H}}_1}$. Therefore, we have

$$\begin{array}{c}\hfill {\mathsf{Adv}}_0\le {\mathsf{Adv}}_1+\frac{{(d·\ell )}^2}{\left|\mathbb{G}\right|}+{ϵ}_{{\mathsf{H}}_1}.\end{array}$$

(4)

Once the collisions have all been eliminated, from Corollary 1 we can have

$$\begin{array}{cc}\hfill {\mathsf{Adv}}_1& \le {ϵ}_{\mathsf{CL}-\mathsf{SIG}}\hfill \end{array}$$

(5)

By combining the (in)equalities (3)–(5), we have (2) in Theorem 2.    □

5.2. Certificate-Less Authenticated Key Exchange

The certificate-less authenticated key exchange protocol (CL-AKE) with explicit authentication is presented in Figure 2. The correctness is trivial, and the three non-base point multiplications are for computing ${\mathsf{pk}}_i$ (or ${\mathsf{pk}}_j$) and $\mathsf{ms}$. Let $\mathsf{H}:{\{0,1\}}^{*}\to {\mathbb{Z}}_{\left|\mathbb{G}\right|}$ be a hash function modeled as a random oracle that maps any binary string to an integer in group ${\mathbb{Z}}_{\left|\mathbb{G}\right|}$.

Theorem 3 

(Security of Protocol 3). If the key pair registration scheme is secure, the $\mathsf{GCDH}$ problem is hard, and $\mathsf{PRF}$ and $\mathsf{MAC}$ are secure, then Protocol 3 is secure in the sense of Definition 12 in the random oracle model. More specifically, for any PPT adversary ${\mathcal{A}}_{ake}$,

$$\begin{array}{cc}\hfill {\mathsf{Adv}}_{ake}\le & {\mathsf{Adv}}_{reg}+\frac{{(d·\ell )}^2}{\left|\mathbb{G}\right|}+{ϵ}_{{\mathsf{H}}_1}+{ϵ}_{\mathsf{H}}\hfill \\ \hfill & +{(d·\ell )}^2·({ϵ}_{\mathsf{PRF}}+{ϵ}_{\mathsf{MAC}}+4·{ϵ}_{\mathsf{GCDH}}),\hfill \end{array}$$

(6)

where d is the maximal number of parties, ℓ the maximal number of oracles owned by each party, $\mathbb{G}$ is the group for $\mathsf{CL}-\mathsf{SIG}$, ${ϵ}_{{\mathsf{H}}_1},{ϵ}_{\mathsf{H}}$ the advantages against hash functions ${\mathsf{H}}_1\left(\right)$ and $\mathsf{H}\left(\right)$, ${ϵ}_{\mathsf{PRF}}$ the advantage against the pseudo-random function $\mathsf{PRF}$, ${ϵ}_{\mathsf{MAC}}$ the advantage against $\mathsf{MAC}$, and ${ϵ}_{\mathsf{GCDH}}$ the advantage against the $\mathsf{GCDH}$ problem.

Proof. 

We use another sequence of games to bound $\mathcal{A}$’s advantage against Protocol 3. The term ${\mathsf{Adv}}_i$ denotes $\mathcal{A}$’s advantage in ${\mathsf{Game}}_{\mathsf{i}}$.

${\mathsf{Game}}_{\mathsf{0}}$. This is the original game, so we have

$$\begin{array}{c}\hfill {\mathsf{Adv}}_{ake}={\mathsf{Adv}}_0\end{array}$$

(7)

${\mathsf{Game}}_{\mathsf{1}}$. We add an abort rule in this game. If any collision of honestly generated randomness happens, or any hash collision happens, we abort the game. The abort probability can be bounded by the term $\frac{{(d·\ell )}^2}{\left|\mathcal{N}\right|}+{ϵ}_{{\mathsf{H}}_1}+{ϵ}_{\mathsf{H}}$, Therefore we have

$$\begin{array}{c}\hfill {\mathsf{Adv}}_0\le {\mathsf{Adv}}_1+\frac{{(d·\ell )}^2}{\left|\mathcal{N}\right|}+{ϵ}_{{\mathsf{H}}_1}+{ϵ}_{\mathsf{H}}.\end{array}$$

(8)

${\mathsf{Game}}_{\mathsf{2}}$. We add an abort rule here. If $\mathcal{A}$ successfully forges a key pair and uses in the first message in the transportation phase, prior to the corruption of any party, abort the game. This probability is bounded by ${\mathsf{Adv}}_{reg}$. Thus, we have

$$\begin{array}{c}\hfill {\mathsf{Adv}}_1\le {\mathsf{Adv}}_2+{\mathsf{Adv}}_{reg}\end{array}$$

(9)

${\mathsf{Game}}_{\mathsf{3}}$. We add an abort rule here. Let the challenger first guess $\mathcal{A}$’s target $(i,s)$ and its peer $(j,t)$. If the guess is wrong, abort the game. Thus, we have

$$\begin{array}{c}\hfill {\mathsf{Adv}}_2\le {(d·\ell )}^2·{\mathsf{Adv}}_3\end{array}$$

(10)

${\mathsf{Game}}_{\mathsf{4}}$. We replace $\mathsf{PRF}\left(\right)$ with a random oracle $\mathsf{RF}\left(\right)$. Distinguishing ${\mathsf{Game}}_{\mathsf{4}}$ from ${\mathsf{Game}}_{\mathsf{3}}$ implies the existence of another adversary against the security of $\mathsf{PRF}\left(\right)$. We now have

$$\begin{array}{c}\hfill {\mathsf{Adv}}_3\le {\mathsf{Adv}}_4+{ϵ}_{\mathsf{PRF}}\end{array}$$

(11)

${\mathsf{Game}}_{\mathsf{5}}$. We add an abort rule here. If $\mathcal{A}$ successfully forges an $\mathsf{MAC}.{\mathsf{Tag}}_1$ or $\mathsf{MAC}.{\mathsf{Tag}}_2$ in the second or the last message in the transportation phase, prior to the corruption of the target party or its peer, abort the game. This probability is again bounded by ${ϵ}_{\mathsf{MAC}}$. Thus, we have

$$\begin{array}{c}\hfill {\mathsf{Adv}}_4\le {\mathsf{Adv}}_5+{ϵ}_{\mathsf{MAC}}\end{array}$$

(12)

We use ${\mathsf{fresh}}_{··}\left({\pi }_i^s\right)$ to mark four (sub-)cases when the freshness of ${\pi }_i^s$ still holds, i.e., $\mathcal{A}$’s attack is non-trivial.

• ${\mathsf{fresh}}_{LL}\left({\pi }_i^s\right)$: $\mathcal{A}$ has never queried both $\mathsf{Corrupt}\left(i\right)$ and $\mathsf{Corrupt}\left(j\right)$.
• ${\mathsf{fresh}}_{EE}\left({\pi }_i^s\right)$: $\mathcal{A}$ has never queried both $\mathsf{RevealEph}\left({\pi }_i^s\right)$ and $\mathsf{RevealEph}\left({\pi }_j^t\right)$.
• ${\mathsf{fresh}}_{EL}\left({\pi }_i^s\right)$: $\mathcal{A}$ has never queried both $\mathsf{RevealEph}\left({\pi }_i^s\right)$ and $\mathsf{Corrupt}\left(j\right)$.
• ${\mathsf{fresh}}_{LE}\left({\pi }_i^s\right)$: $\mathcal{A}$ has never queried both $\mathsf{Corrupt}\left(i\right)$ and $\mathsf{RevealEph}\left({\pi }_j^t\right)$.

It is straightforward to see that if none of the cases exist in ${\mathsf{Game}}_{\mathsf{5}}$, then $\mathcal{A}$’s attack is trivial. Let ${\mathsf{Adv}}_5^{\mathsf{fresh}..}$ denote $\mathcal{A}$’s advantage in ${\mathsf{Game}}_{\mathsf{5}}$ when ${\mathsf{fresh}}_{··}\left({\pi }_i^s\right)$ holds. We have from the union bound

$$\begin{array}{c}\hfill {\mathsf{Adv}}_5\le {\mathsf{Adv}}_5^{{\mathsf{fresh}}_{LL}\left({\pi }_i^s\right)}+{\mathsf{Adv}}_5^{{\mathsf{fresh}}_{EL}\left({\pi }_i^s\right)}+{\mathsf{Adv}}_5^{{\mathsf{fresh}}_{LE}\left({\pi }_i^s\right)}+{\mathsf{Adv}}_5^{{\mathsf{fresh}}_{EE}\left({\pi }_i^s\right)}\end{array}$$

(13)

We rewrite the computation of $\mathsf{ms}$ as

(14)

Observe that each of the four products on the right-hand side of (14) corresponds to one of the four fresh cases, and each fresh case allows a different strategy of embedding the $\mathsf{GCDH}$. Let ${\mathsf{Game}}_{\mathsf{5}}^{{\mathsf{fresh}}_{LL}\left({\pi }_i^s\right)}$ ${\mathsf{Game}}_{\mathsf{5}}^{{\mathsf{fresh}}_{EE}\left({\pi }_i^s\right)}$ ${\mathsf{Game}}_{\mathsf{5}}^{{\mathsf{fresh}}_{EL}\left({\pi }_i^s\right)}$ and ${\mathsf{Game}}_{\mathsf{5}}^{{\mathsf{fresh}}_{LE}\left({\pi }_i^s\right)}$ be the game ${\mathsf{Game}}_{\mathsf{5}}$ when one of the four cases exist.

${\mathsf{Game}}_{\mathsf{5}}^{{\mathsf{fresh}}_{LL}\left({\pi }_i^s\right)}$. We claim that

$$\begin{array}{cc}\hfill & {\mathsf{Adv}}_5^{{\mathsf{fresh}}_{LL}\left({\pi }_i^s\right)}\le {ϵ}_{\mathsf{GCDH}}\hfill \end{array}$$

(15)

We show how to construct a $\mathsf{GCDH}$ solver $\mathcal{S}$ to prove (15). $\mathcal{S}$ chooses a random value ${\mathsf{K}}^{*}$ in the key space and program the random oracle $\mathsf{PRF}(·,W||"\mathsf{MAC}")$ with ${\mathsf{K}}^{*}$, where $W=B_i\left|\right|B_j\left|\right|{\mathsf{PID}}_i\left|\right|{\mathsf{PID}}_j\left|\right|X\left|\right|Y\left|\right|{\mathsf{params}}_i$ and all the variables are from the target session. Let $(\mathbb{G},A,B)$ be $\mathcal{S}$’s $\mathsf{GCDH}$ challenge. $\mathcal{S}$ sets $\underline{({\mathsf{pk}}_i,{\mathsf{pk}}_j)}$ to $(A,B)$, aborts the game when

• $\mathcal{A}$ queries the random oracle with a $\mathsf{ms}$ at the place of any PRF queries,
• and ${\mathcal{O}}_{DDH}(g,A,B,Z)=\mathsf{TRUE}$ where $Z=\mathsf{ms}-\mathsf{H}{\left(W\right)}^{2}x·Y-\mathsf{H}\left(W\right)x·{\mathsf{pk}}_j-\mathsf{H}\left(W\right)y·{\mathsf{pk}}_i$.

In other words, if the game aborts, $\mathcal{S}$ finds a solution to the $\mathsf{GCDH}$ instance.

As ${\mathsf{fresh}}_{LL}\left({\pi }_i^s\right)$ guarantees that neither ${\mathsf{sk}}_i$ nor ${\mathsf{sk}}_j$ would be asked by $\mathcal{A}$, $\mathcal{S}$ can generate all other randomness including $(x,y)$ freely and simulate all the other $\mathsf{Corrupt}\left(\right)$, $\mathsf{RevealEph}\left(\right)$ and $\mathsf{RevealKey}\left(\right)$ queries perfectly for $\mathcal{A}$. The probability of aborting the game is thus upper bounded by ${ϵ}_{\mathsf{GCDH}}$.

On the other hand, if ${\mathsf{Game}}_{\mathsf{5}}^{{\mathsf{fresh}}_{LL}\left({\pi }_i^s\right)}$ simulated by $\mathcal{S}$ does not abort, then $\mathcal{A}$ has never queried the random oracle with the correct value to compute the target session key. Due to the property of random oracle, $\mathcal{A}$ has zero advantage in distinguishing the random key ${\mathsf{K}}^{*}$.

${\mathsf{Game}}_{\mathsf{5}}^{{\mathsf{fresh}}_{EE}\left({\pi }_i^s\right)}$. $\mathcal{S}$ embeds $(A,B)$ into $(X,Y)$, and aborts when ${\mathcal{O}}_{DDH}(g,A,$$B,Z)=\mathsf{TRUE}$ where $Z=\mathsf{H}{\left(W\right)}^{-2}·(\mathsf{ms}-{\mathsf{sk}}_j·{\mathsf{pk}}_i-{\mathsf{sk}}_j\mathsf{H}\left(W\right)·X-{\mathsf{sk}}_i\mathsf{H}\left(W\right)·Y)$. This abort means a $\mathsf{GCDH}$ solution of $(A,B)$ has been found.

$$\begin{array}{c}\hfill {\mathsf{Adv}}_5^{{\mathsf{fresh}}_{EE}\left({\pi }_i^s\right)}\le {ϵ}_{\mathsf{GCDH}}\end{array}$$

(16)

${\mathsf{Game}}_{\mathsf{5}}^{{\mathsf{fresh}}_{EL}\left({\pi }_i^s\right)}$. $\mathcal{S}$ embeds $(A,B)$ into $({\mathsf{pk}}_j,X)$, and aborts when ${\mathcal{O}}_{DDH}(g,A,$$B,Z)=\mathsf{TRUE}$ where $Z=\mathsf{H}{\left(W\right)}^{-1}·(\mathsf{ms}-{\mathsf{sk}}_i·{\mathsf{pk}}_j-\mathsf{H}{\left(W\right)}^{2}y·X-{\mathsf{sk}}_i\mathsf{H}\left(W\right)·Y)$. This abort means a $\mathsf{GCDH}$ solution of $(A,B)$ has been found.

$$\begin{array}{c}\hfill {\mathsf{Adv}}_5^{{\mathsf{fresh}}_{EL}\left({\pi }_i^s\right)}\le {ϵ}_{\mathsf{GCDH}}\end{array}$$

(17)

${\mathsf{Game}}_{\mathsf{5}}^{{\mathsf{fresh}}_{LE}\left({\pi }_i^s\right)}$. Similar to the previous case, if $\mathcal{S}$ embeds $(A,B)$ into $(Y,{\mathsf{pk}}_i)$, it can also find a $\mathsf{GCDH}$ solution when the game aborts.

$$\begin{array}{c}\hfill {\mathsf{Adv}}_5^{{\mathsf{fresh}}_{LE}\left({\pi }_i^s\right)}\le {ϵ}_{\mathsf{GCDH}}\end{array}$$

(18)

Now, we can conclude from the arguments above and (13) that

$$\begin{array}{c}\hfill {\mathsf{Adv}}_5\le 4·{ϵ}_{\mathsf{GCDH}}.\end{array}$$

(19)

By combining the (in)equalities (7)–(19), we have proved (6).    □

6. Integration into TLS and Performance Evaluation

Since our solution is already asymptotically better than other provably secure ones (see Table 1), we only demonstrate its performance in real-world scenarios and compare with the original certificate-based TLS (TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, henceforth TLS-DHE).

The two standard ways to integrate the Protocol 3 in Figure 2 are via the certificate type RawPublicKey [37] and via the PSK identities [38] (We merged mTag1 and mTag2 with the finish-messages in the TLS handshake.). When RawPublicKey is chosen, the TLS server sends ${\mathbf{M}}_{\mathbf{1}}$ in the (Server) Certificate message, and the TLS client sends ${\mathbf{M}}_{\mathbf{2}}$ in the (Client) Certificate message. When PSK identities is used, the TLS server sends ${\mathbf{M}}_{\mathbf{1}}$ in the ServerkeyExchange.psk_identity_hint field, and the TLS client sends ${\mathbf{M}}_{\mathbf{2}}$ in the ClientKeyExchange.psk_identity field.

6.1. Set Up

Opting for the PSK identifiers, we insert the encoded $\mathsf{PID}$, the EC group ID and auxiliary information into it. We implement Protocol 3 with the BouncyCastle library and OpenSSL (https://www.bouncycastle.org/ and https://www.openssl.org/, accessed on 8 September 2022) on the server, which runs Ubuntu 18.04.6 on 11th Gen Intel(R) Core(TM) i7-1165G7 @ 2.80 GHz CPU with 16.0 GB RAM. Each client node is emulated with mbedTLS (https://github.com/Mbed-TLS/mbedtls) (accessed on 9 September 2022) on a STM32F107VCT6 (https://www.st.com/resource/en/datasheet/stm32f107vc.pdf) (accessed on 4 December 2023) board with 32-bit MCU and 64/256 KB Flash, which corresponds to a Class 2 constrained device [7]. For a fair comparison, we use the widely deployed EC curve NIST P-256 and a two-level certificate chain, i.e., the direct issuer of TLS certificates is trusted by both TLS peers.

6.2. Results

6.2.1. Computational Cost

Besides using absolute time, we measured the time consumption for the elementary functions with the base-point multiplication as a unit. We consider only the point multiplication, signature signing and verification to be elementary operations. Here, the cost of point addition, arithmetic operations and hash functions are ignored, as they are relatively negligible compared to the above operations.

We use ${\mathsf{t}}_{\mathsf{BPM}}$ to denote the time for computing one base point multiplication (BPM) and use ${\mathsf{t}}_{\mathsf{BPM}}$ as a unit.

• A non-base point multiplication (PM) costs 6 ${\mathsf{t}}_{\mathsf{BPM}}$. This difference comes from the optimization of base-point multiplication [39].
• A signing costs 2.5 ${\mathsf{t}}_{\mathsf{BPM}}$ and verification 8.5 ${\mathsf{t}}_{\mathsf{BPM}}$. This 6 ${\mathsf{t}}_{\mathsf{BPM}}$ difference comes exactly from the extra non-base point multiplication in the verification. Signing with ECDSA also needs extra operations in the integer group, so it is slower (2.5 ${\mathsf{t}}_{\mathsf{BPM}}$) than a simple base-point multiplication (1 ${\mathsf{t}}_{\mathsf{BPM}}$).

While the TLS with certificates needs $26.5 {\mathsf{t}}_{\mathsf{BPM}}$, this work needs only $19 {\mathsf{t}}_{\mathsf{BPM}}$, saving at least 28% local computation time for the cryptographic core. Details are provided in

Table 4. Computation cost. BPM: base-point scalar multiplication, PM: point scalar multiplication. Columns 2 to 4: number of operations on each side.

	BPM (1 ${\mathsf{t}}_{\mathsf{BPM}}$)	PM (6 ${\mathsf{t}}_{\mathsf{BPM}}$)	Sign (2.5 ${\mathsf{t}}_{\mathsf{BPM}}$)	Vrfy (8.5 ${\mathsf{t}}_{\mathsf{BPM}}$)	Total
TLS-DHE.	1	1	1	2	26.5 ${\mathsf{t}}_{\mathsf{BPM}}$
Protocol 3 TLS	1	3	0	0	19 ${\mathsf{t}}_{\mathsf{BPM}}$

.

6.2.2. Communication Cost

In this part, we compare the communication cost between this work and TLS-DHE. We measure the communicated messages using the tool Wireshark (https://www.wireshark.org/) (accessed on 8 September 2022), and count the size of all TLS handshake messages (see

Table 5. Communication cost comparison in bytes. ${}^{*}:$ Server Response includes Server Hello, Server Certificate, Server Key Exchange, Certificate Request and Server Hello Done.

Operation	Data${}_{\mathsf{TLS}-\mathsf{DHE}}$	Data${}_{\mathsf{Protocol}\mathsf{3}}$
Client Hello	309	106
Server Response ${}^{*}$	1092	421
Client Certificate	733	0
Client Key Exchange	119	266
Certificate Verify	128	0
Change Cipher Spec	50	50
Total	≈2430	≈840 ($35\%$)

). For one full handshake, TLS-DHE consumes about 2430 bytes, while this work consumes only about 840 bytes. That means our work reduces 65% of the payload.

6.2.3. Resource Consumption on the Constrained Client

The execution time is 2.09 s for Protocol 3 in the LAN setting (1 Gbps with 0.1 ms latency), saving 70% of the time compared to TLS-DHE with certificates.

Meanwhile, it is 13.8 KB for TLS-DHE, the maximal RAM consumption during key registration and Protocol 3 is 4.09 KB, making a considerable 70% reduction in RAM consumption. Whereas TLS-DHE consumes more than 150 KB, the binary of Protocol 3 consumes 48.32 KB in maximum in flash, i.e., a good reduction of 67% in storage can also be seen.

7. Conclusions and Future Work

Without using bilinear pairings, we construct practical certificate-less signature, key registration, and authenticated key exchange protocols with integration to TLS. To the best of our knowledge, our AKE protocols have the lowest number of point-multiplication among DH-based CL-AKE, while enjoying strong security in the eCK model.

We believe that the construction of practical post-quantum-secure CL-AKE can be pursued as meaningful future work, to design general compilers that can transform CL-SIG with two-way-reconstructable PK to CL-AKE, and to analyze the possible equivalence of game-based and universally composable security formalization [4].