Tup: a New Eck-secure Ake Protocol under the Cdh Assumption

The design and analysis of authenticated key exchange protocol is an important problem in information security area. At present, extended Canetti-Krawczyk (eCK) model provides the strongest definition of security for two party key agreement protocol, however most of the current secure protocols can not be prove to secure without Gap assumption. To avoid this phenomenon, by using twinning key technology we propose a new two party key agreement protocol TUP which is obtained by modifying the UP protocol, then in conjunction with the trapdoor test, we prove strictly that the new protocol is secure in eCK model. Compared with previous protocols, the security assumption of new proposal is more standard and weaker, and it also solves an open problem in ProvSec'09.


Introduction
Authenticated key Exchange (AKE) protocol allows two parties to negotiate a session key through the exchange of some information in order to ensure the security of communications.Unlike key distribution protocol, the communicating parties do not need to have a pre-shared secret information and do not require a trusted third-party participation.In addition, the two sides can have the same contribution to generation of new session key.Therefore, the analysis and design of the AKE protocol become one of the important topics in the field of information security.
For the formal analysis of the AKE protocol, Canetti and Krawzcyk proposed a well-known security model denoted by CK model [1] in 2001.Recently, LaMacchia, Lauter and Mityagin Extend the former CK model (eCK [2]) that captures almost all the security properties.As it can reduce the dependence of the certificate authority (CA), relax the assumption on the ability of the attacker, maximize the information the protocol leak, the eCK model provides the strongest definition for two parties key agreement protocol and been widely recognized.
At present most of the key agreement protocols are based on the Diffie-Hellmn protocol which is more efficient and simpler than protocols that are based on digital signature or public key encryption to achieve authentication, such as MQV [3], HMQV [4] and so on.But these protocols are insecure in eCK model.In 2007, with a new ephemeral public key derivation ( , LaMacchia, Lauter and Mityagin proposed a new protocol (NAXOS [2]) which is secure in the eCK model under the GDH assumption [5].In 2008, According to slightly modify the NAXOS+ protocol, Lee and Park proposed NAXOS+ protocol [6] which is secure under the CDH assumption.Besides, in 2009, Ustaoglu proposed CMQV protocol [7] which is obtained from (H) MQV and NAXOS, and proof its eCK security.Then, in 2010, Lijiang Zhang modified the CMQV protocol and introduced CMQV+ [8] which has a tight security reduction.
However, according to recent studies, the NAXOS technique is vulnerable to side channel attacks and disclosure the discrete logarithm of ephemeral public keys.To avoid this attack, Ustaoglu proposed UP protocol [9] with postponed ephemeral key derivation, in which XA is seen as ephemeral public key, XA is seen as pseudo static key.At present, almost all the protocol use these two technologies to achieve eCK security.Like (H,C)MQV protocol which used the forking technology [10] to construct its security, In 2011, Jiaxin P and Libin W proposed TMQV [11] protocol which is secure under the CDH assumption, they also propose UP+ protocol [12] which admits higher security level with the same efficiency.
In order to remove the GDH assumption with the help of trapdoor test and postponed ephemeral key derivation (this is also an open problem proposed by Ustaoglu in ProvSec'09), we use the twin key technology [13]  .We say tha

Trapdoor Test
Since we need to use trapdoor test [9] to analysis the new protocol TUP, we state it briefly without proof.
Trapdoor test: Let G be a cyclic group or prime order q, generated by g G  , suppose U 1 , r, s, Y, Z 1 , Z 2 are independent random variables, where U 1 , Y, Z 1 , Z 2 takes values in G, and r, s, are uniformly distributed over Z q , compute 2 , then we have 1) U 2 is uniformly distributed over G, 2) U 1 and U 2 are independent, 3) The probability that the truth value of Z Z Y  does not agree with the truth value of

eCK Model
In this section,we recall the eCK model [2] which will be used to analysis the new proposed protocol TUP.In this article, we use denote the long term public and private keys, X, x denote ephmeral public and private keys for some party A.
Parties.Each participant (denoted as A, B), which is modeled as probabilistic polynomial time (PPT) Turing Maching, can simultaneously execute multiple sessions, the session identifier (sid) involved in the identity of both sides and the information they exchanged.Every honest party has a secure channel to connect with certificate authority (CA) to register their public keys without any checks such as proof of possess corresponding private keys.
Adversary.An adversary M, which is also modeled as PPT turning maching, has full control over communication network between honest parties.In eCK model, we allow M to execute the following oracle queries disorderly and adaptive 1) Send (A, B, comm): Get a response from A on behalf of B, when comm is null, M can active A to execute a session with B.
4) SessionKeyReveal (sid): Reveal the session key of sid which is completed., as long as M dose not execute the above query to get 1 2 or , and M does not execute SessionKeyReveal query on behalf of sid or its matching session sid , then we said sid is fresh.eCK security.After execute a test query to a fresh session, M guess a number j, we say an AKE protocol is secure if the value of the following formula is negligible.

Proposed AKE Protocol: TUP
In this section, According to modify the UP protocol with twin key technology, we propose a new protocol TUP, and it is secure under the CDH assumption which is more stander than the GDH assumption.Figure 1 depicts the new protocol.System initialization: Let   be the security parameter and G be a cyclic group of prime order q, H 1 , H 2 are hash functions modeled as random oracles where 1 H outputs integers that are half the bit-size of q.For each part A, we pick 1 2 q * , a a Z  randomly as its long term private key, compute its public key 1 2

( , )
A A * and then register to CA, the party B is simulated in the same way.
Running steps: As to avoid the attack of NAXOS protocol, In the information transfer phase, when A receives the activation message, he pick q x Z  randomly, compute its ephemeral public key x g and then send it to B. After receive the message from A, B do it in the same way.
Session key derivation: to avoid the Cremers attack, we bind session key with the session state.At the end of session, both A and B can compute d, e, σ 1 , σ 2 , σ 3 and than the session key as described in Figure 1.

IJCNS
Brief analysis: As we can see from the derivation, compare to the UP protocol, the TUP protocol is of the same structure execept extening long-term private key to double the privious bit-size, even ignoring the σ 3 , it achieves stronger security under the same environment.
In the following section, we will give its strick proof in the eCK model under the CDH assumption.Restricted by space, we simplify some parts which are same as UP protocol.

Security Analysis
Theorem 1.If H 1 and H 2 is modeled as random oracle, and G is a group where the CDP assumption holds, then the TUP is eCK secure AKE protocol.
Actually, let λ denote the denote the security parameter, M be a polynomially bound adversary, if M could attack TUP protocol in time at most t, involves at most n honest parties and activates at most k sessions, then we can construct a solver S which can solve the GDH problem with non-negligible probability.More precisely Proof: Since the session key of the test session is computed as K = H (σ) = H (σ 1 , σ 2 , σ 3 , A, B, X, Y) for some 7-tuple σ, the adversary M has only two ways to distinct K from random value.
1) Forging attack.At some point M queries random oracle on the same 7-tuple σ.
2) Key-replication attack.M succeeds in forcing the establishment of another session that has the same session key as the test session.
As the ephemeral public key is randomly generated, idel hash function H 2 produce no collisions (collisions happen with probability   2 2 O k  ), M must perform a forging attack to win the test game.Next we show if M can mount a successful forging attack, then we can construct a CDH solver S which uses M as a subroutine through providing M a indistinguishable simulation en- vironment and then solve the CDH problem with nonnegligible probability.

 
Given a CDH challenge , U V * , S randomly picked long-term and ephemeral private key from q Z for the n paries which was involved by M and then compute the corresponding public key.Now S can answer all kinds of oracle query from M because he knows all the secret information.Then S randomly select two honest parties A, B and randomly select two sessions (denote as sid * and sid ) executed by them from all the k sessions, S will guess them with probability at least Actually, event E 1a consider the case when M does not obtain (a 1 , a 2 , y), E 1b consider the case when M does not obtain (x, y), E 2a consider the case when M does not obtain (a 1 , a 2 , b 1 , b 2 ), E 2b consider the case when M does not obtain (x, b 1 , b 2 ).In any other scenario M will break freshness of the test session.For each of the complementary cases, S randomly chooses and modifies environment as follows: Event.
cording to the definition of E 1a , M can not distinguish with non-negligilbe probability.For each 7-tuple (σ 1 , σ 2 , , , CDH , According to the trapdoor test, the probability S will fail is In the case that the maching session may not exists, as M has the ability to alter or insert messages between honest parties, S may not known DLOG ( ).This is the reason that TUP need one more exponentiation (σ 3 ) than UP in the computation of shared secrets.For each 7-tuple σ, M queries to H 2 , S computes

Protocols Comparison
In Table 1, we compare the new proposed protocol TUP with other previous typical protocols in some aspects.The comparison mainly focuses on the numbers of exponentiations, security assumption, tightness of security reduction and so on.For every protocol the adversary can obtain either x  as in NAXOS or x as in HMQV.
By contrast, we can see the TUP protocol has the following advantages: 1) In message exchange satage, TUP derives ephemeral key x as in MQV, so it can avoids the side channel attacks.
2) With the use of twin key technology, It can achieves security under the CDH assumption which is more stander and weaker than GDH assumption.
3) Unlike (H,C,T)MQV protocol, we did not use forking technology in security analysis, so the security reduction is more tight.Unfortunately, compared with previous protocol, the new proposed protocol has no advantages in efficiency.

Conclusion
In this paper, we proposed a new authenticated key exchange protocol TUP which is obtained by using twin key technology in UP protocol and added one more exponentiation in shared secrets computation.The proposed protocol also can solve an open problem in ProvSec'09.However, there is no obvious advantage regarding efficiency.So in improving the security level, to make the AKE protocol more efficient is an important goal for future work.