Efficient identity-based authenticated key agreement protocol with provable security for vehicular ad hoc networks

Abstract

In vehicular ad hoc networks, establishing a secure channel between any two vehicles is fundamental. Authenticated key agreement is a useful mechanism, which can be used to negotiate a shared key for secure data transmission between authentic vehicles in vehicular ad hoc networks. Among the existing identity-based two-party authenticated key agreement protocols without pairings, there are only a few protocols that provide provable security in strong security models such as the extended Canetti–Krawczyk model. This article presents an efficient pairing-free identity-based one-round two-party authenticated key agreement protocol with provable security, which is more suitable for real-time application environments with highly dynamic topology such as vehicular ad hoc networks than the existing identity-based two-party authenticated key agreement protocols. The proposed protocol is proven secure under the passive and active adversaries in the extended Canetti–Krawczyk model based on the Gap Diffie–Hellman assumption. The proposed protocol can capture all essential security attributes including known-session key security, perfect forward secrecy, basic impersonation resistance, key compromise impersonation resistance, unknown key share resistance, no key control, and ephemeral secrets reveal resistance. Compared with the existing identity-based two-party authenticated key agreement protocols, the proposed protocol is superior in terms of computational cost and running time while providing higher security.

Keywords

Authenticated key agreement pairing-free identity-based connected and autonomous vehicles eCK model

Introduction

The significant advances in the embedded technology and wireless communication drive the evolution of vehicular ad hoc networks (VANETs). Vehicular networks comprise three types of components: a trusted authority, road-side units (RSUs) distributed on the roadside, and Connected and Autonomous Vehicles (CAVs) with on-board units (OBUs). Drivers can make some decisions based on the sensed road and traffic information transmitted from other CAVs and RSUs nearby. In many VANET applications such as pothole collection,¹ file sharing among familiar entities,² and infotainment applications, the messages exchanged between two vehicles are sensitive and need to be kept secret. Due to the open nature of wireless links, it is crucial for VANETs to establish secure communications between any two vehicles. Compared with traditional public key encryption, symmetric key encryption with a shared key is more efficient in providing confidential communication. Authenticated key agreement (AKA) is an appealing mechanism in which authentic parties can agree on a shared session key over an open network to ensure the confidentiality, authentication, or integrity of subsequent session messages. For instance, in the literatures,^3–5 a key agreement protocol is used for a vehicle to update its pseudonym-private key pairs. In the literature,⁶ a key agreement protocol is used to establish a vehicular cloud. In addition, AKA protocols achieve implicit authentication, that is, each party is assured that no party but the intended peers can possibly generate the shared session key, which is important in key agreement. The shared session key, which is generated from two or more parties as a function of their long-term keys and ephemeral materials, cannot be predetermined.

In 1993, Bellare and Rogaway⁷ first presented a security model to formalize symmetric key-based AKA protocols. Based on the Bellare-Rogaway (BR) model, some security models for other types of AKA protocols were formalized, for example, AKA protocols with a trusted server,⁸ AKA with key confirmation (AKC) protocols,⁹ asymmetric key-based AKA protocols,¹⁰ and AKA protocols against dictionary attack.¹¹ However, these models do not capture ephemeral secrets reveal attack. The Canetti–Krawczyk (CK) model¹² proposed in 2001 also does not completely cover ephemeral secrets reveal resistance (ESRR) because it cannot support the adversary’s Session-State Reveal queries against the test session. In addition, the CK model also does not catch forward security (FS) and key compromise impersonation resistance (KCIR). In 2005, Choo et al.¹³ examined and compared the differences among these security models. Subsequently, LaMacchia et al.¹⁴ made the extended CK (eCK) model to prove the security of AKA protocols in 2007. The eCK model can capture all essential security attributes including known-session key security (K-SKS), perfect forward security (PFS), basic impersonation resistance (BIR), KCIR, unknown key share resistance (UKSR), no key control (NKC), ESRR, and so on. Therefore, AKA protocols should be given formal proofs in the eCK model.

According to the number of involving parties, the existing AKA protocols are divided into three categories: (1) authenticated group KA protocols, (2) three-party AKA protocols, and (3) two-party AKA (2PAKA) protocols. According to the public key setting employed, previously proposed asymmetric key-based AKA protocols are roughly classified into three groups: (1) traditional public key infrastructure (PKI)-based AKA protocols, (2) identity (ID)-based AKA protocols, and (3) certificateless AKA protocols. In the traditional PKI-based 2PAKA protocols, the management of public key certificates is a heavy burden, which contains the maintenance, transmission, and authentication of certificates. To eliminate the certificate management problem, many research works^15–33 employed ID-based cryptography (IBC) first introduced by Shamir,³⁴ in which a user’s public key is the user’s identities (e.g. telephone number, e-mail address, etc.) and the user’s private key is extracted based on his or her ID and a key generation center (KGC) master key. Therefore, these ID-based 2PAKA protocols^15–33 have improved the efficiency by removing the use of public key certificates. However, these ID-based 2PAKA protocols^15–33 were built using bilinear pairings, which is seen to be one of the most time-consuming operations. The operation cost of a pairing is about 3 to 20 times that of an elliptic curve point multiplication.^25,35,36 Consequently, in order to accomplish a better performance, some ID-based 2PAKA protocols without pairings^35,37–49 have been proposed. Unfortunately, among these pairing-free ID-based 2PAKA protocols,^35,37–49 only a few protocols^46–48 provide provable security in the eCK model. Moreover, the running times of these protocols^46–48 need to be further reduced if they are deployed in real-time application environments with highly dynamic topology such as VANETs. The reason is that the time for key agreement between any two vehicles should be minimized considering the fast moving and topology dynamic natures of VANETs. In addition, ID-based 2PAKA protocol with two message exchanges may be more attractive in reality. Therefore, it is a challenge to design a provably secure and efficient pairing-free ID-based one-round 2PAKA protocol that is more suitable for VANETs.

Related works

Since Boneh and Franklin⁵⁰ first presented an ID-based encryption scheme from pairings in 2001, a great deal of ID-based 2PAKA protocols^15–33 have been designed using pairings, and some of them have been pointed out having security flaws later. These protocols were continuously devoted to seek a secure ID-based 2PAKA protocol with minimal pairing operations.

In order to remove the expensive pairing operation, Zhu et al.³⁷ started the research of pairing-free ID-based 2PAKA protocol in 2007. However, Zhu et al.’s protocol realizes explicit authentication by introducing an ID-based signature scheme, which leads to larger computational cost and bandwidth. In addition, Zhu et al.’s protocol requires three message exchanges. After 1 year, Cao et al.³⁸ put forward an ID-based 2PAKA protocol without pairings, which achieves implicit authentication but requires the same message exchanges as Zhu et al.’s protocol. In 2010, Fiore and Gennaro³⁹ presented an ID-based 2PAKA protocol using exponentiation operation, which is proven secure in the CK model. However, the CK model cannot cover FS, KCIR, and ESRR. In order to reduce the message exchange, Cao et al.³⁵ proposed another ID-based two-message 2PAKA protocol without pairings in 2010. Unfortunately, Hou and Xu^40,41 and Islam and Biswas⁴² independently demonstrated that two protocols proposed by Cao et al. are vulnerable to ephemeral secrets reveal attack, in 2011 and 2012. However, Hou et al. and Islam et al.’s informal security analysis cannot guarantee that their protocols satisfy all essential security properties. Moreover, Islam et al.’s⁴² protocol requires three message exchanges and the last message exchange may be intercepted by adversaries, which enable the two involved parties to have different session keys. In 2012, Xie and Wang⁴³ used a signature scheme to realize mutual authentication in their protocol, which causes computation cost to be increased. In 2013, Vivek et al.⁴⁴ put forward an ID-based 2PAKA protocol using exponentiation, which is provable secure in the CK model. Nevertheless, the CK model cannot ensure Vivek et al.’s protocol catches FS, KCIR, and ESRR. In addition, Vivek et al.’s protocol involves more exponentiation operations than Fiore et al.’s protocol. In 2015, Ghoreishi et al.⁴⁵ and Sun et al.,⁴⁶ respectively, presented two pairing-free ID-based 2PAKA protocols. Ghoreishi et al. only analyzed the security of their protocol informally and roughly. It is clear that Ghoreishi et al.’s protocol cannot resist key compromise impersonation attack. Sun et al.’s protocol needs six elliptic curve point multiplication operations. Moreover, the formal proof in the eCK model does not take active adversaries into account. In 2016, Bala et al.⁴⁷ put forward an ID-based 2PAKA protocols without pairings, which only needs four elliptic curve point multiplication operations. However, the security proof in the eCK model also does not consider active adversaries. In the same year, two other ID-based 2PAKA protocols were proposed by Ni et al.,⁴⁸ which require seven and five elliptic curve point multiplication operations, respectively. Ni et al.’s protocols are given the formal proofs under the passive and active adversaries in the eCK model. In 2017, Islam and Biswas⁴⁹ put forward a pairing-free ID-based 2PAKA protocol. Unfortunately, the security analysis using Burrows-Abadi-Needham (BAN) logic model cannot guarantee that Islam et al.’s protocol is secure.⁵¹

Our contributions

Our contributions are as below:

Our ID-based 2PAKA protocol is proven to be secure under the passive and active adversaries in the eCK model. Therefore, it can capture all essential security attributes including K-SKS, PFS, BIR, KCIR, UKSR, NKC,ESRR, and so on, which is also analyzed later.

Performance analysis demonstrates that our protocol has less computational cost and running time than previous ID-based 2PAKA protocols while providing stronger or the same level of security. For example, considering pre-computation, the running time of our protocol is 77.1% of Bala’s protocol, 36.8% of Ni-I protocol, and 53.8% of Ni-II protocol. In conclusion, our protocol is more applicable for VANETs than other existing protocols.

Outline of the article

The remainder of the article is arranged as below. In section “Preliminaries,” we review several computational problems and essential security attributes required by ID-based AKA protocols. The section “Proposed pairing-free ID-based 2PAKA protocol” describes the eCK model and then presents a pairing-free ID-based 2PAKA protocol. The section “Security analyses” gives a formal proof of the proposed protocol in the eCK model, analyzes essential security attributes that the proposed protocol catches, and compares the security of our protocol with the existing ID-based 2PAKA protocols. The section “Performance analyses” provides the performance analyses and comparisons between the proposed protocol and previous ID-based 2PAKA protocols. Finally, the article concludes in section “Conclusions and future works.”

Preliminaries

This section introduces the preliminaries including several computational problems and essential security attributes required in ID-based AKA protocols.

Computational problems

Let $G$ be a q-order cyclic additive group of $E / F_{p}$ , and $P$ be a generator of $G$ . We recall elliptic curve discrete logarithm (ECDL), computational Diffie–Hellman (CDH), Decisional Diffie–Hellman (DDH), and Gap Diffie–Hellman (GDH) problems over the additive group as follows.

Definition 1 (ECDL problem)

Given $(P, xP)$ where unknown $x \in_{R} Z_{p}^{*}$ , for any probabilistic polynomial time (PPT) algorithm, computing $x$ is intractable.

Definition 2 (CDH problem)

For unknown $x, y \in_{R} Z_{p}^{*}$ , given $(P, xP, yP)$ , it is infeasible to compute $xyP$ by any PPT algorithm.

Definition 3 (DDH problem)

For unknown $x, y, z \in_{R} Z_{p}^{*}$ , given $(P, xP, yP, zP)$ , it is impossible to determine whether or not $z = xy mod q$ in PPT.

Definition 4 (GDH problem)

Given a DDH oracle and $(P, xP, yP)$ where $x, y \in_{R} Z_{p}^{*}$ , for any PPT algorithm, the probability of computing $xyP$ is negligible.

Essential security attributes

It is essential for ID-based 2PAKA protocols to satisfy the following security requirements. Suppose that two legal parties A and B run the protocol exactly.

K-SKS. Any session key should not be disclosed when an adversary has known the keys generated in some other sessions.

Forward secrecy (FS). If the long-term secrets of parties are leaked, past session keys should not be compromised. The security property falls into four types:

Partial forward secrecy: Learning some parties’ long-term secrets should not have any influence on the security of the keys in past sessions.

Perfect forward secrecy (PFS). The loss of all the parties’ long-term secrets should not make past session keys known.

Master key forward secrecy (MFS). The past session keys should not be endangered by the leakage of the KGC master private key.

Weak perfect forward secrecy (wPFS). In 2005, Krawczyk⁵² showed that none of one-round AKA protocols can keep full PFS if the adversary can modify communications between the parties. Thus, one-round AKA protocols can achieve PFS under a passive adversary, which is defined as wPFS.

BIR. An adversary who does not acquire a party A’s long-term secret cannot disguise himself as A.

KCIR. The leakage of party A’s long-term secret cannot enable an adversary to masquerade as any other party to A.

UKSR. It will be prevented that two parties A and B compute the same session key but B deem that the key is negotiated with the adversary E.

NKC. No party can enforce the key in a session to a predetermined value.

ESRR. The compromise of one session’s ephemeral private keys cannot affect the security of the session key.

Proposed pairing-free ID-based 2PAKA protocol

This section first describes the eCK model and then presents a secure pairing-free ID-based one-round 2PAKA protocol $Σ$ for VANETs, which satisfies all the essential security attributes.

Security model

The original eCK model¹⁴ was originally proposed for the conventional PKI-based AKA protocols. In order to formalize ID-based AKA protocols, the modified eCK model was presented by Huang and Cao²⁸ and Ni et al.,²⁹ respectively.

Participants

The protocol participants are modeled as a group of parties, in which each party $I D_{a}$ is regarded as a PPT Turing machine. Any two parties can be involved in a run of the protocol. Each party may participate in a polynomial number of sessions at the same time. $Π_{a, b}^{s}$ denotes the sth session of party $I D_{a}$ communicating with intended peer $I D_{b}$ . A session $Π_{a, b}^{s}$ is completed by party $I D_{a}$ when $I D_{a}$ computes a session key.

Adversary model

The adversary $M$ is regarded as a PPT Turing machine. The communication link is fully controlled by $M$ . That is to say, $M$ can possibly eavesdrop, suspend, intercept, replay, modify, and inject messages randomly. The power of the adversary is modeled by allowing it to issue the first six queries in any sequence:

$EphemeralKeyReveal (Π_{a, b}^{s})$ : The adversary $M$ has access to the ephemeral private key of party $I D_{a}$ in session $Π_{a, b}^{s}$ .

$SessionKeyReveal (Π_{a, b}^{s})$ : The adversary $M$ can get the key of a completed session $Π_{a, b}^{s}$ . The session $Π_{a, b}^{s}$ enters an opened state when the adversary $M$ makes the query against it.

$StaticKeyReveal (I D_{a})$ : The query returns party $I D_{a}$ ’s long-term secret to the adversary $M$ .

MasterPrivateKeyReveal: The KGC master private key is revealed to the adversary $M$ . MFS can be modeled by the query.

$EstablishParty ({ID}_{a})$ : The adversary $M$ may register a lawful user in the name of party $I D_{a}$ and obtains ${ID}_{a}$ ’s long-term secret by the query. Then party $I D_{a}$ is said to be not honest.

$Send (Π_{a, b}^{s}, m)$ : The query enables the adversary $M$ to send the message m to party $I D_{a}$ in the name of party $I D_{b}$ and control $I D_{a}$ to start the session $Π_{a, b}^{s}$ with party $I D_{b}$ . If $m = λ$ , party $I D_{a}$ launches the session $Π_{a, b}^{s}$ . Otherwise, if party $I D_{a}$ is an initiator, it only outputs a decision to the session (i.e. accept or reject it); if party $I D_{a}$ is a responder, party $I D_{a}$ selects an ephemeral secret and returns a message and a decision to the session.

$Test (Π_{a, b}^{s})$ : The query can be made to a fresh session $Π_{a, b}^{s}$ only once. A fair coin $b \in {0, 1}$ is flipped. If $b = 0$ , the session key is returned to the adversary, otherwise the adversary obtains a selected random value from the distribution of session key.

Definition 5 (matching session)

The session $Π_{a, b}^{s}$ has a matching session $Π_{b, a}^{t}$ when the session $Π_{b, a}^{t}$ is executed by the other party $I D_{b}$ with the same message exchanged, although in different sequence.

Definition 6 (fresh session)

Supposing $Π_{a, b}^{s}$ is a completed session and executed by honest party $I D_{a}$ with honest party $I D_{b}$ , $Π_{a, b}^{s}$ is a fresh session if none of the three cases occur:

Both the session key of $Π_{a, b}^{s}$ and its matching session $Π_{b, a}^{t}$ (if $Π_{b, a}^{t}$ exists) are leaked to the adversary.

$Π_{a, b}^{s}$ has a matching session $Π_{b, a}^{t}$ , and the adversary $M$ obtains the long-term and ephemeral secret of party $I D_{a}$ in $Π_{a, b}^{s}$ or the long-term and ephemeral secret of party $I D_{b}$ in $Π_{b, a}^{t}$ .

The matching session of $Π_{a, b}^{s}$ does not exist, and the adversary $M$ obtains the long-term and ephemeral secret of party $I D_{a}$ in $Π_{a, b}^{s}$ or the long-term secret of $I D_{b}$ .

In the first stage of the game, the adversary queries the first six oracles in any order. During the second stage, the adversary selects a fresh session $Π_{a, b}^{s}$ (see Definition 6) and makes a $Test (Π_{a, b}^{s})$ query. The game terminates as soon as the adversary outputs a guess $b'$ for b.

The adversary $M$ wins the game when $b' = b$ and the test session is still fresh. Assuming k is the security parameter, the advantage of $M$ in the game is denoted as

Ad v_{M} (k) = | \Pr [M wins] - \frac{1}{2} |

Definition 7 (secure 2PAKA protocols)

A 2PAKA protocol is deemed secure in the eCK model when the protocol satisfies the following two conditions:

Matching sessions executed by two parties, respectively, generate the same session key.

No any PPT adversary has a non-negligible advantage to win the above game.

Remark 1

In ID-based 2PAKA protocols, the shared session key can be computed by using four pieces of secret information: the long-term and ephemeral secrets of two involved parties. The eCK model allows the adversary to query the long-term secrets of two parties, the ephemeral secrets of two parties, or the long-term secret of one party and the ephemeral secret of the other party, but cannot know the long-term and ephemeral secrets of one party.

Protocol description

In our protocol, the trusted authority acts as KGC. Our protocol $Σ$ is composed of the following three parts:

Setup

With the security parameter $k$ , the trusted authority (acts as KGC) gets system parameters and its master public/private key pair as below:

Selects a $k$ -bit prime number $p$ and produces the parameters $〈 E / F_{p}, G, q, P 〉$ , where $G$ is a cyclic additive group over $E / F_{p}$ with the order $q$ and $P$ is a generator of $G$ .

Picks the master private key $s \in_{R} Z_{p}^{*}$ , and sets $P_{pub} = sP$ as the master public key.

Chooses two cryptographic hash functions $H_{1} : {0, 1}^{*} \times G \to Z_{p}^{*}$ and $H_{2} : {0, 1}^{*} \times {0, 1}^{*} \times G \times G \times G \times G \times G \to {0, 1}^{k}$ .

Publishes the parameters $〈 E / F_{p}, G, q, P, P_{pub}, H_{1}, H_{2} 〉$ and keeps s secret.

Extract

Suppose the ID of a vehicle is $I D_{i} \in {0, 1}^{*}$ , the trusted authority computes the long-term private key of the vehicle as below:

Picks randomly $r_{i} \in_{R} Z_{p}^{*}$ , and computes $R_{i} = r_{i} P$ and $h_{i} = H_{1} (I D_{i} | | R_{i})$ .

Computes $s_{i} = r_{i} + h_{i} s mod q$ and sets the key pair $(s_{i}, R_{i})$ as the long-term private key of the vehicle.

Return the key pair $(s_{i}, R_{i})$ to the vehicle in a safe manner.

Upon receiving the key pair, the vehicle can validate its correctness by checking if the equation $s_{i} P = R_{i} + H_{1} (I D_{i} | | R_{i}) P_{pub}$ holds. The long-term public key of the vehicle is $P K_{i} = s_{i} P$ .

Key agreement

Suppose that vehicle A with ID $I D_{A}$ wishes to agree a key with vehicle B with ID $I D_{B}$ . Figure 1 shows the proposed ID-based two-message 2PAKA protocol that proceeds as follows:

A randomly selects $a \in_{R} Z_{p}^{*}$ as its ephemeral private key, computes its ephemeral public keys $T_{A}^{1} = a R_{A}$ , $T_{A}^{2} = a P_{pub}$ , and then sends $(I D_{A}, R_{A}, T_{A}^{1}, T_{A}^{2})$ to B

A \to B : I D_{A}, R_{A}, T_{A}^{1}, T_{A}^{2}

Upon receiving A’s message, B selects $b \in_{R} Z_{p}^{*}$ at random as its ephemeral private key, calculates its ephemeral public keys $T_{B}^{1} = b R_{B}$ , $T_{B}^{2} = b P_{pub}$ , and then sends $(I D_{B}, R_{B}, T_{B}^{1}, T_{B}^{2})$ to A

B \to A : I D_{B}, R_{B}, T_{B}^{1}, T_{B}^{2}

A computes $K_{AB} = a s_{A} (T_{B}^{1} + H_{1} (I D_{B} | | R_{B}) T_{B}^{2})$ and the shared session key $sk = H_{2} (I D_{A} | | I D_{B} | | T_{A}^{1} | | T_{A}^{2} | | T_{B}^{1} | | T_{B}^{2} | | K_{AB})$ .

B computes $K_{BA} = b s_{B} (T_{A}^{1} + H_{1} (I D_{A} | | R_{A}) T_{A}^{2})$ and the shared session key $sk = H_{2} (I D_{A} | | I D_{B} | | T_{A}^{1} | | T_{A}^{2} | | T_{B}^{1} | | T_{B}^{2} | | K_{BA})$ .

Figure 1.

Proposed ID-based two-message 2PAKA protocol for VANETs.

Consistency

The correctness of the protocol is proved as follows

\begin{matrix} K_{AB} & = a s_{A} (T_{B}^{1} + H_{1} (I D_{B} | | R_{B}) T_{B}^{2}) \\ = a s_{A} (b R_{B} + H_{1} (I D_{B} | | R_{B}) b P_{pub}) \\ = a s_{A} b s_{B} P \\ K_{BA} & = b s_{B} (T_{A}^{1} + H_{1} (I D_{A} | | R_{A}) T_{A}^{2}) \\ = b s_{B} (a R_{A} + H_{1} (I D_{A} | | R_{A}) a P_{pub}) \\ = b s_{B} a s_{A} P = K_{AB} \end{matrix}

Thus, A and B can get the same session key

\begin{matrix} sk = H_{2} (I D_{A} | | I D_{B} | | T_{A}^{1} | | T_{A}^{2} | | T_{B}^{1} | | T_{B}^{2} | | K_{AB}) \\ = H_{2} (I D_{A} | | I D_{B} | | T_{A}^{1} | | T_{A}^{2} | | T_{B}^{1} | | T_{B}^{2} | | K_{BA}) \end{matrix}

Security analyses

This section first proves that the proposed ID-based 2PAKA protocol is secure in the eCK model, and then analyzes the security attributes that the proposed protocol captures.

Security proof

Theorem 1

Assume that GDH problem is intractable and $H_{1}$ and $H_{2}$ are random oracles, the protocol $Σ$ proposed in section “Proposed pairing-free ID-based 2PAKA protocol” is said to be secure in the eCK model.

Proof 1

If the two conditions shown in Definition 7 hold, the proposed ID-based 2PAKA protocol $Σ$ is deemed secure in the eCK model. The correctness proof of the protocol $Σ$ guarantees that matching sessions executed by two involved parties, respectively, generate the same session key. Therefore, the first condition holds. Next, we will demonstrate that the second condition also holds. Namely, no any PPT adversary against the protocol $Σ$ can win the game described in section “Security model” with non-negligible probability.

Assume that $k$ is the security parameter and the adversary $M$ against the protocol $Σ$ succeeds in the game outlined above with non-negligible probability ${Adv}_{M}^{Σ} (k)$ . Suppose that no more than $p (k)$ honest parties are activated by the adversary $M$ and each party is engaged in at most $s (k)$ sessions. Assume that the adversary $M$ chooses the Sth protocol session $Π_{A, B}^{S}$ initiated by party $I D_{A}$ communicating with party $I D_{B}$ as the test session in the game. The adversary $M$ differentiates between the test session key and a random value only through the following three ways:

Guessing attack: The adversary $M$ conjectures the test session key rightly.

Key replication attack: The adversary $M$ succeeds in establishing a session, which does not match the test session but possesses the same session key with it. Therefore, $M$ can know the test session key by querying the key of the non-matching session.

Forging attack: At some point, $M$ queries $H_{2}$ on $(I D_{A}, I D_{B}, T_{A}^{1}, T_{A}^{2}, T_{B}^{1}, T_{B}^{2}, K_{AB})$ in the test session. It is obvious that the adversary $M$ computes the value $K_{AB}$ itself.

Since the session key’s size is k bit, the success probability of guessing attack is $O (1 / 2^{k})$ . If two sessions are not matched, the key derivation function $H_{2}$ has the same input with probability $O (s (k)^{2} / 2^{k})$ . Consequently, the first two attacks succeed with negligible probability.

In the following, forging attack is analyzed by employing a reduction approach. A challenger $S$ executes the eCK game described in section “Security model” with $M$ against the protocol $Σ$ . In the course of the game, the challenger $S$ makes a response to all queries of $M$ . If the adversary $M$ is successful in forging attack with non-negligible probability ${Adv}_{M}^{Σ} (k)$ , the challenger $S$ can utilize $M$ to solve the GDH problem with non-negligible probability ${Adv}_{S}^{GDH} (k)$ . Given a GDH problem instance $(X = xP, Y = yP)$ where $x, y \in_{R} Z_{p}^{*}$ , the challenger $S$ ’s task is to compute $GDH (X, Y) = xyP$ with the help of a DDH oracle. When the game begins, the challenger $S$ ascertains the test session that the adversary $M$ selects is $Π_{A, B}^{S}$ with probability greater than $1 / p (k)^{2} s (k)$ . According to the fresh definition in the eCK model, there are two cases that require attention: (1) the matching session of $Π_{A, B}^{S}$ (i.e. $Π_{B, A}^{T}$ ) exists; (2) the test session $Π_{A, B}^{S}$ has no matching session. In the first case, the adversary is passive and faithfully transmits the messages between party $I D_{A}$ and party $I D_{B}$ . In the second case, the challenger $S$ also needs to face an active adversary that may alter $I D_{B}$ ’s public key material $R_{B}$ . Based on the above analysis and the fresh definition, the challenger $S$ has to guess the strategy that the adversary $M$ adopts from the following six choices:

S1. $M$ does not know $I D_{A}$ ’s ephemeral private key and $I D_{B}$ ’s long-term private key, and $M$ correctly transmits $I D_{B}$ ’s public key material $R_{B}$ .

S2. $M$ does not know the long-term private keys of $I D_{A}$ and $I D_{B}$ , and $M$ correctly transmits $I D_{B}$ ’s public key material $R_{B}$ .

S3. $M$ does not know the ephemeral private keys of $I D_{A}$ and $I D_{B}$ .

S4. $M$ does not know $I D_{A}$ ’s long-term private key and $I D_{B}$ ’s ephemeral private key.

S5. $M$ does not know $I D_{A}$ ’s ephemeral private key and $I D_{B}$ ’s long-term private key, and the adversary $M$ may alter $I D_{B}$ ’s public key material $R_{B}$ .

S6. $M$ does not know the long-term private keys of $I D_{A}$ and $I D_{B}$ , and the adversary $M$ may alter $I D_{B}$ ’s public key material $R_{B}$ .

The success probability that $S$ chooses both the test session and the strategy is larger than $1 / 6 p (k)^{2} s (k)$ . Next, we will analyze the six strategies.

S1

$M$ does not know $I D_{A}$ ’s ephemeral private key and $I D_{B}$ ’s long-term private key, and $M$ correctly transmits $I D_{B}$ ’s public key material $R_{B}$ .

Setup

The challenger $S$ sets the KGC’s master public key and all parties’ long-term keys as follows:

$S$ randomly selects a value $P_{pub} \in G$ as the KGC’s master public key.

$S$ selects $h_{B} \in_{R} Z_{p}^{*}$ as $H_{1} (I D_{B} | | R_{B})$ , computes $R_{B} = Y - h_{B} P_{pub}$ , and sets $(⊥, R_{B})$ as party $I D_{B}$ ’s long-term private key. Therefore, party $I D_{B}$ ’s long-term public key $P K_{B} = R_{B} + h_{B} P_{pub} = Y$ .

$S$ picks $h_{i}, s_{i} \in_{R} Z_{p}^{*}$ , computes $R_{i} = s_{i} P - h_{i} P_{pub}$ , sets $H_{1} (I D_{i} | | R_{i}) = h_{i}$ , and sets $(s_{i}, R_{i})$ as long-term private key of party $I D_{i} (i \neq B)$ . Therefore, $I D_{i}$ ’s long-term public key $P K_{i} = R_{i} + h_{i} P_{pub} = s_{i} P$ .

For each party $I D_{i}$ , $S$ passes $(I D_{i}, R_{i})$ to $M$ , and inserts the entry $(I D_{i}, R_{i}, h_{i})$ to $H_{1}^{list}$ .

Queries

$H_{1} (I D_{i}, R_{i})$ . After the challenger $S$ sets long-term private keys to party $I D_{i}$ , $S$ adds the entry $(I D_{i}, R_{i}, h_{i})$ to $H_{1}^{list}$ . If an $H_{1}$ query issued by the adversary $M$ matches one entry in the list $H_{1}^{list}$ , $S$ returns $h_{i}$ of the entry to $M$ . Otherwise, $S$ selects $h_{i} \in_{R} Z_{p}^{*}$ , inserts the entry $(I D_{i}, R_{i}, h_{i})$ to $H_{1}^{list}$ , and responds with the randomly chosen value.

$H_{2} (I D_{i}, I D_{j}, T_{i}^{1}, T_{i}^{2}, T_{j}^{1}, T_{j}^{2}, K_{ij})$ . At first, $S$ maintains an empty list $H_{2}^{list}$ in which each entry is the form of $(I D_{i}, I D_{j}, T_{i}^{1}, T_{i}^{2}, T_{j}^{1}, T_{j}^{2}, K_{ij}, h_{2})$ .

If $(I D_{i}, I D_{j}, T_{i}^{1}, T_{i}^{2}, T_{j}^{1}, T_{j}^{2}, K_{ij}, h_{2})$ is already in the list $H_{2}^{list}$ , the challenger $S$ returns $h_{2}$ to $M$ .

Otherwise, $S$ looks up the matching entry in the list $R^{list}$ . If the entry exists and $i = B$ , $S$ checks if $K_{ij}$ is correctly generated by verifying whether $DDH ((T_{i}^{1} + h_{i} T_{i}^{2}), (T_{j}^{1} + h_{j} T_{j}^{2}), K_{ij}) = 1$ . If $K_{ij}$ is correct, the challenger $S$ sets $h_{2} = sk$ , and stores the new entry $(I D_{i}, I D_{j}, T_{i}^{1}, T_{i}^{2}, T_{j}^{1}, T_{j}^{2}, K_{ij}, h_{2})$ to the list $R^{list}$ . If the entry exists and $i \neq B$ , the challenger $S$ sets $h_{2} = sk$ , and stores the new entry $(I D_{i}, I D_{j}, T_{i}^{1}, T_{i}^{2}, T_{j}^{1}, T_{j}^{2}, K_{ij}, h_{2})$ to the list $H_{2}^{list}$ . Otherwise (no such an entry exists in the list $R^{list}$ or $K_{ij}$ is not correctly generated), the challenger $S$ selects $h_{2} \in {0, 1}^{k}$ at random and adds the entry $(I D_{i}, I D_{j}, T_{i}^{1}, T_{i}^{2}, T_{j}^{1}, T_{j}^{2}, K_{ij}, h_{2})$ to the list $H_{2}^{list}$ .

$EstablishParty (I D_{i})$ . $S$ selects $h_{i}, s_{i} \in_{R} Z_{p}^{*}$ , computes $R_{i} = s_{i} P - h_{i} P_{pub}$ , sets $H_{1} (I D_{i} | | R_{i}) = h_{i}$ , and reveals $I D_{i}$ ’s long-term private key $(s_{i}, R_{i})$ to the adversary $M$ . $M$ totally controls the party $I D_{i}$ .

$StaticKeyReveal (I D_{i})$ . If $i \neq B$ , $S$ returns $(s_{i}, R_{i})$ to $M$ . Otherwise, $S$ aborts.

MasterPrivateKeyReveal. $S$ aborts.

$EphemeralSecretReveal (Π_{i, j}^{s})$ . If $Π_{i, j}^{s} = Π_{A, B}^{S}$ , $S$ aborts. Otherwise, $S$ reveals the ephemeral private key to $M$ .

$Send (Π_{i, j}^{s}, m)$ . At first, the challenger $S$ maintains an empty list $R^{list}$ in which each entry is the form of $(I D_{i}, I D_{j}, T_{i}^{1}, T_{i}^{2}, T_{j}^{1}, T_{j}^{2}, sk)$ .

If $Π_{i, j}^{s} = Π_{A, B}^{S}$ and $m = λ$ , $S$ picks $U \in G$ , and then returns $s_{A} X - h_{A} U$ and U to $M$ .

If $i = B$ and $m = (s_{j} Z - h_{j} W, W)$ , $S$ randomly chooses $V \in G$ , chooses $b \in_{R} Z_{p}^{*}$ as its ephemeral private key, and returns $bY - h_{B} V$ and $V$ to the adversary $M$ . Then, $S$ looks for the matching entry in the list $H_{2}^{list}$ . If the entry exists, $S$ checks if $K_{ij}$ is correctly generated by verifying whether $DDH ((T_{i}^{1} + h_{i} T_{i}^{2}), (T_{j}^{1} + h_{j} T_{j}^{2}), K_{ij}) = 1$ . If $K_{ij}$ is correct, the challenger $S$ sets $sk = h_{2}$ , and adds the new entry $(I D_{i}, I D_{j}, T_{i}^{1}, T_{i}^{2}, T_{j}^{1}, T_{j}^{2}, sk)$ to the list $R^{list}$ . Otherwise (no such an entry exists in the list $H_{2}^{list}$ or $K_{ij}$ is not correctly generated), the challenger $S$ chooses $sk \in {0, 1}^{k}$ at random and adds the entry $(I D_{i}, I D_{j}, T_{i}^{1}, T_{i}^{2}, T_{j}^{1}, T_{j}^{2}, sk)$ to the list $R^{list}$ .

If $i \neq B$ , $S$ responds in accordance with the protocol specification.

$SessionKeyReveal (Π_{i, j}^{s})$ . If $Π_{i, j}^{s} = Π_{A, B}^{S}$ or $Π_{i, j}^{s} = Π_{B, A}^{T}$ , $S$ aborts. Otherwise, $S$ returns the stored value $sk$ in the list $R^{list}$ to $M$ .

$Test (Π_{i, j}^{s})$ . If $Π_{i, j}^{s} = Π_{A, B}^{S}$ , $S$ selects $ξ \in {0, 1}^{k}$ and returns it to the adversary $M$ . Otherwise, $S$ aborts.

Analysis

If the adversary $M$ succeeds in forging attack with non-negligible probability, $M$ should have made a query to $H_{2}$ with the input $K_{AB} = s_{A} DLOG (X) (bY - h_{B} V + h_{B} V) = s_{A} DLOG (X) bY$ . To settle the $GDH (X, Y)$ problem, $S$ verifies whether there is an $H_{2}$ query issued by $M$ on the value $(I D_{A}, I D_{B}, T_{A}^{1}, T_{A}^{2}, T_{B}^{1}, T_{B}^{2}, K_{AB})$ , such that $DDH ((T_{A}^{1} + h_{A} T_{A}^{2}), (T_{B}^{1} + h_{B} T_{B}^{2}), K_{AB}) = 1$ . If there is such an $H_{2}$ query, the challenger solves $GDH (X, Y) = DLOG (X) Y = (b s_{A})^{- 1} K_{AB}$ . $S$ correctly computes the GDH problem with the following advantage

{Adv}_{S}^{GDH} (k) \geq \frac{{Adv}_{M}^{Σ} (k)}{6 p {(k)}^{2} s (k)}

S2

$M$ does not know the long-term private keys of $I D_{A}$ and $I D_{B}$ , and $M$ correctly transmits $I D_{B}$ ’s public key material $R_{B}$ .

Setup

The challenger $S$ sets the KGC’s master public key and all parties’ long-term keys as below:

The challenger $S$ selects a value $P_{pub} \in G$ as the KGC’s master public key.

For the party $I D_{A}$ , $S$ selects $h_{A} \in_{R} Z_{p}^{*}$ as $H_{1} (I D_{A} | | R_{A})$ , computes $R_{A} = X - h_{A} P_{pub}$ , and sets $(⊥, R_{A})$ as party $I D_{A}$ ’s long-term private key. Therefore, party $I D_{A}$ ’s long-term public key $P K_{A} = R_{A} + h_{A} P_{pub} = X$ .

For the party $I D_{B}$ , $S$ selects $h_{B} \in_{R} Z_{p}^{*}$ as $H_{1} (I D_{B} | | R_{B})$ , computes $R_{B} = Y - h_{B} P_{pub}$ , and sets $(⊥, R_{B})$ as party $I D_{B}$ ’s long-term private key. Therefore, party $I D_{B}$ ’s long-term public key $P K_{B} = R_{B} + h_{B} P_{pub} = Y$ .

For any party $I D_{i}$ ( $i \neq A$ and $i \neq B$ ), $S$ selects $h_{i}, s_{i} \in_{R} Z_{p}^{*}$ , computes $R_{i} = s_{i} P - h_{i} P_{pub}$ , sets $H_{1} (I D_{i} | | R_{i}) = h_{i}$ , and sets $(s_{i}, R_{i})$ as long-term private key of party $I D_{i}$ . Therefore, party $I D_{i}$ ’s long-term public key $P K_{i} = R_{i} + h_{i} P_{pub} = s_{i} P$ .

For each party $I D_{i}$ , $S$ passes $(I D_{i}, R_{i})$ to $M$ , and inserts the entry $(I D_{i}, R_{i}, h_{i})$ to $H_{1}^{list}$ .

Queries

$S$ maintains three initially empty lists $H_{1}^{list}$ , $H_{2}^{list}$ , and $R^{list}$ to handle the $H_{1}$ , $H_{2}$ , and SessionKeyReveal queries. $S$ responds to the queries issued by $M$ as follows. Note that $S$ answers $H_{1} (I D_{i}, R_{i})$ , $EstablishParty (I D_{i})$ , MasterPrivateKeyReveal, $SessionKeyReveal (Π_{i, j}^{s})$ , and $Test (Π_{i, j}^{s})$ as it does in S1.

$H_{2} (I D_{i}, I D_{j}, T_{i}^{1}, T_{i}^{2}, T_{j}^{1}, T_{j}^{2}, K_{ij})$ . At first, $S$ maintains an empty list $H_{2}^{list}$ in which each entry consists of $(I D_{i}, I D_{j}, T_{i}^{1}, T_{i}^{2}, T_{j}^{1}, T_{j}^{2}, K_{ij}, h_{2})$ .

If $(I D_{i}, I D_{j}, T_{i}^{1}, T_{i}^{2}, T_{j}^{1}, T_{j}^{2}, K_{ij}, h_{2})$ already exists in $H_{2}^{list}$ , $S$ responds to $M$ with $h_{2}$ .

Otherwise, $S$ looks for the matching entry in the list $R^{list}$ . If the entry exists and $i = A$ or $i = B$ , $S$ checks if $K_{ij}$ is correctly generated by verifying whether $DDH ((T_{i}^{1} + h_{i} T_{i}^{2}), (T_{j}^{1} + h_{j} T_{j}^{2}), K_{ij}) = 1$ . If $K_{ij}$ is correct, the challenger $S$ sets $h_{2} = sk$ , and stores the new entry $(I D_{i}, I D_{j}, T_{i}^{1}, T_{i}^{2}, T_{j}^{1}, T_{j}^{2}, K_{ij}, h_{2})$ to the list $H_{2}^{list}$ . If the entry exists and $i \neq A$ and $i \neq B$ , the challenger $S$ sets $h_{2} = sk$ , and stores the new entry $(I D_{i}, I D_{j}, T_{i}^{1}, T_{i}^{2}, T_{j}^{1}, T_{j}^{2}, K_{ij}, h_{2})$ to the list $H_{2}^{list}$ . Otherwise (no such an entry exists in the list $R^{list}$ or $K_{ij}$ is not correctly generated), the challenger $S$ randomly chooses $h_{2} \in {0, 1}^{k}$ and adds the entry $(I D_{i}, I D_{j}, T_{i}^{1}, T_{i}^{2}, T_{j}^{1}, T_{j}^{2}, K_{ij}, h_{2})$ to the list $H_{2}^{list}$ .

$StaticKeyReveal (I D_{i})$ . If $i \neq A$ and $i \neq B$ , $S$ returns $(s_{i}, R_{i})$ to $M$ . Otherwise, $S$ aborts.

$EphemeralSecretReveal (Π_{i, j}^{s})$ . $S$ responds to $M$ with the ephemeral private key.

$Send (Π_{i, j}^{s}, m)$ . At first, $S$ maintains an empty list $R^{list}$ whose each entry is $(I D_{i}, I D_{j}, T_{i}^{1}, T_{i}^{2}, T_{j}^{1}, T_{j}^{2}, sk)$ .

If $Π_{i, j}^{s} = Π_{A, B}^{S}$ , the challenger $S$ randomly chooses $U \in G$ , chooses $a \in_{R} Z_{p}^{*}$ as its ephemeral private key, and then returns $aX - h_{A} U$ and U to the adversary $M$ .

If $i = B$ , the challenger $S$ randomly chooses $V \in G$ , chooses $b \in_{R} Z_{p}^{*}$ as its ephemeral private key, and returns $bY - h_{B} V$ and V to the adversary $M$ . Then $S$ simulates the oracle in the same way as does in S1.

If $i = A$ , the simulation of $S$ is similar to that when $i = B$ .

Otherwise, the challenger $S$ responds according to the protocol specification.

Analysis

If the adversary $M$ is successful in forging attack with non-negligible probability, $M$ should have made a query to $H_{2}$ with the input $K_{AB} = aDLOG (X) (bY - h_{B} V + h_{B} V) = abDLOG (X) Y$ . To settle the $GDH (X, Y)$ problem, $S$ verifies whether there is an $H_{2}$ query issued by $M$ on the value $(I D_{A}, I D_{B}, T_{A}^{1}, T_{A}^{2}, T_{B}^{1}, T_{B}^{2}, K_{AB})$ , such that $DDH ((T_{A}^{1} + h_{A} T_{A}^{2}), (T_{B}^{1} + h_{B} T_{B}^{2}), K_{AB}) = 1$ . If there is such an $H_{2}$ query, $S$ calculates $GDH (X, Y) = DLOG (X) Y = (ab)^{- 1} K_{AB}$ . $S$ correctly computes the GDH problem with the following advantage

{Adv}_{S}^{GDH} (k) \geq \frac{{Adv}_{M}^{Σ} (k)}{6 p {(k)}^{2} s (k)}

S3

$M$ does not know the ephemeral private keys of $I D_{A}$ and $I D_{B}$ .

Setup

The challenger $S$ sets the master keys of KGC and all parties’ long-term keys as below:

$S$ selects $s \in_{R} Z_{p}^{*}$ as the master private key of KGC and computes $P_{pub} = sP$ as the master public key of KGC. Therefore, S3 simulates MFS.

$S$ picks $h_{i}, s_{i} \in_{R} Z_{p}^{*}$ , computes $R_{i} = s_{i} P - h_{i} P_{pub}$ , sets $H_{1} (I D_{i} | | R_{i}) = h_{i}$ , and sets $(s_{i}, R_{i})$ as long-term private key of party $I D_{i}$ . Therefore, party $I D_{i}$ ’s long-term public key $P K_{i} = R_{i} + h_{i} P_{pub} = s_{i} P$ .

For each party $I D_{i}$ , $S$ passes $(I D_{i}, R_{i})$ to $M$ , and inserts the entry $(I D_{i}, R_{i}, h_{i})$ to $H_{1}^{list}$ .

Queries

$S$ maintains three initially empty lists $H_{1}^{list}$ , $H_{2}^{list}$ , and $R^{list}$ to handle the $H_{1}$ , $H_{2}$ , and SessionKeyReveal queries. $S$ responds to the queries issued by $M$ as follows. Note that $S$ answers $H_{1} (I D_{i}, R_{i})$ , $EstablishParty (I D_{i})$ , $SessionKeyReveal (Π_{i, j}^{s})$ , and $Test (Π_{i, j}^{s})$ as it does in S1.

$H_{2} (I D_{i}, I D_{j}, T_{i}^{1}, T_{i}^{2}, T_{j}^{1}, T_{j}^{2}, K_{ij})$ . Originally, $S$ maintains an empty list $H_{2}^{list}$ in which each entry is $(I D_{i}, I D_{j}, T_{i}^{1}, T_{i}^{2}, T_{j}^{1}, T_{j}^{2}, K_{ij}, h_{2})$ .

If $(I D_{i}, I D_{j}, T_{i}^{1}, T_{i}^{2}, T_{j}^{1}, T_{j}^{2}, K_{ij}, h_{2})$ is already in the list $H_{2}^{list}$ , the challenger $S$ returns $h_{2}$ to $M$ .

Otherwise, $S$ looks up the matching entry in $R^{list}$ . If the entry exists, the challenger $S$ sets $h_{2} = sk$ , and stores the new entry $(I D_{i}, I D_{j}, T_{i}^{1}, T_{i}^{2}, T_{j}^{1}, T_{j}^{2}, K_{ij}, h_{2})$ to the list $H_{2}^{list}$ . Otherwise, the challenger $S$ chooses $h_{2} \in {0, 1}^{k}$ at random and adds the entry $(I D_{i}, I D_{j}, T_{i}^{1}, T_{i}^{2}, T_{j}^{1}, T_{j}^{2}, K_{ij}, h_{2})$ to the list $H_{2}^{list}$ .

$StaticKeyReveal (I D_{i})$ . $S$ returns $(s_{i}, R_{i})$ to $M$ .

MasterPrivateKeyReveal. $S$ returns s to $M$ .

$EphemeralSecretReveal (Π_{i, j}^{s})$ . If $Π_{i, j}^{s} = Π_{A, B}^{S}$ or $Π_{i, j}^{s} = Π_{B, A}^{T}$ , $S$ aborts. Otherwise, $S$ reveals the ephemeral private key to $M$ .

$Send (Π_{i, j}^{s}, m)$ . At first, $S$ maintains an empty list $R^{list}$ whose each entry is $(I D_{i}, I D_{j}, T_{i}^{1}, T_{i}^{2}, T_{j}^{1}, T_{j}^{2}, sk)$ .

If $Π_{i, j}^{s} = Π_{A, B}^{S}$ , the challenger $S$ randomly chooses $U \in G$ , and then returns $s_{A} X - h_{A} U$ and U to the adversary $M$ .

If $Π_{i, j}^{s} = Π_{B, A}^{T}$ , $S$ randomly chooses $V \in G$ , and returns $s_{B} Y - h_{B} V$ and V to $M$ . Then $S$ looks up the matching entry in $H_{2}^{list}$ . If the entry exists, the challenger $S$ sets $sk = h_{2}$ , and adds the new entry $(I D_{i}, I D_{j}, T_{i}^{1}, T_{i}^{2}, T_{j}^{1}, T_{j}^{2}, sk)$ to the list $R^{list}$ . Otherwise, the challenger $S$ chooses $sk \in {0, 1}^{k}$ at random and adds the entry $(I D_{i}, I D_{j}, T_{i}^{1}, T_{i}^{2}, T_{j}^{1}, T_{j}^{2}, sk)$ to the list $H_{2}^{list}$ .

Otherwise, the challenger $S$ responds according to the protocol specification.

Analysis

If the adversary $M$ successfully mounts the forging attack with non-negligible probability, $M$ should issue a query to $H_{2}$ with the input $K_{AB} = DLOG (X) s_{A} (s_{B} Y - h_{B} V + h_{B} V) = DLOG (X) s_{A} s_{B} Y$ . To solve the $GDH (X, Y)$ problem, $S$ verifies whether there is an $H_{2}$ query issued by $M$ on the value $(I D_{A}, I D_{B}, T_{A}^{1}, T_{A}^{2}, T_{B}^{1}, T_{B}^{2}, K_{AB})$ , such that $DDH ((T_{A}^{1} + h_{A} T_{A}^{2}), (T_{B}^{1} + h_{B} T_{B}^{2}), K_{AB}) = 1$ . If there is such an $H_{2}$ query, $S$ calculates $GDH (X, Y) = DLOG (X) Y = (s_{A} s_{B})^{- 1} K_{AB}$ . $S$ successfully solves the GDH problem with the following advantage

{Adv}_{S}^{GDH} (k) \geq \frac{{Adv}_{M}^{Σ} (k)}{6 p {(k)}^{2} s (k)}

S4

$M$ does not know $I D_{A}$ ’s long-term private key and $I D_{B}$ ’s ephemeral private key.

For S4, the simulation of $S$ is similar to that in S1 (only $I D_{A}$ and $I D_{B}$ are exchanged). The details are omitted. $S$ successfully solves the GDH problem with the advantage

{Adv}_{S}^{GDH} (k) \geq \frac{{Adv}_{M}^{Σ} (k)}{6 p {(k)}^{2} s (k)}

S5

$M$ does not know $I D_{A}$ ’s ephemeral private key and $I D_{B}$ ’s long-term private key, and the adversary $M$ may alter $I D_{B}$ ’s public key material $R_{B}$ .

Initially, the challenger $S$ randomly selects $X \in G$ as the KGC’s master public key. Then, $S$ sets all parties’ long-term keys as follows. $S$ selects $h_{i}, s_{i} \in_{R} Z_{p}^{*}$ , computes $R_{i} = s_{i} P - h_{i} P_{pub}$ , sets $H_{1} (I D_{i} | | R_{i}) = h_{i}$ , and sets $(s_{i}, R_{i})$ as long-term private key of party $I D_{i}$ . Therefore, party $I D_{i}$ ’s long-term public key $P K_{i} = R_{i} + h_{i} P_{pub} = s_{i} P$ . For each party $I D_{i}$ , $S$ passes $(I D_{i}, R_{i})$ to $M$ , and inserts the entry $(I D_{i}, R_{i}, h_{i})$ to $H_{1}^{list}$ . Specifically, $S$ randomly chooses $Y, U \in G$ , and sets the ephemeral public keys of $I D_{A}$ to $s_{A} Y - h_{A} U$ and $U$ . Since $S$ is aware of all parties’ long-term private keys, the answers to all queries are easy.

Assume that $M$ neither queries $EphemeralSecret Reveal (Π_{A, B}^{S})$ nor $StaticKeyReveal (I D_{B})$ , and the simulation does not abort. Assume that the session $Π_{A, B}^{S}$ has the incoming message $(I D_{B}, R_{(B, M)}, bP K_{B} - b h_{B} X, bX)$ which can possibly be generated by $M$ . Here the adversary $M$ selects $b \in_{R} Z_{p}^{*}$ , and may alter $I D_{B}$ ’s public key material $R_{B}$ . Suppose that $S$ selects ${\bar{h}}_{B} \in_{R} Z_{p}^{*}$ , and sets $H_{1} (I D_{B} | | R_{(B, M)}) = {\bar{h}}_{B}$ . If the adversary $M$ is successful in forging attack with non-negligible probability, $M$ should make a query to $H_{2}$ with the input $K_{AB} = DLOG (Y) s_{A} (bP K_{B} - b h_{B} X + H_{1} (I D_{B} | | R_{(B, M))} bX) = DLOG (Y) s_{A} (bP K_{B} - b h_{B} X + {\bar{h}}_{B} bX)$ . $S$ verifies whether there is an $H_{2}$ query issued by $M$ on the value $(I D_{A}, I D_{B}, T_{A}^{1}, T_{A}^{2}, T_{B}^{1}, T_{B}^{2}, K_{AB})$ , such that $DDH ((T_{A}^{1} + h_{A} T_{A}^{2}), (T_{B}^{1} + h_{B} T_{B}^{2}), K_{AB}) = 1$ .

According to the forking lemma,⁵³ $S$ replays $M$ with the same input and tossing coins. During this run, $S$ selects ${\bar{h}}_{B}^{'} \in_{R} Z_{p}^{*}$ , and sets $H_{1} (I D_{B} | | R_{(B, M)}) = {\bar{h}}_{B}^{'}$ , where ${\bar{h}}_{B}^{'} \neq {\bar{h}}_{B}$ . If the adversary $M$ succeeds in forging attack with non-negligible probability, $M$ should make a query to $H_{2}$ with the input ${\tilde{K}}_{AB} = DLOG (Y) s_{A} (bP K_{B} - b h_{B} X + H_{1} (I D_{B} | | R_{(B, M)}) bX) = DLOG (Y) s_{A} (bP K_{B} - b h_{B} X + {\bar{h}}_{B}^{'} bX)$ . $S$ verifies whether there is an $H_{2}$ query issued by $M$ on the value $(I D_{A}, I D_{B}, T_{A}^{1}, T_{A}^{2}, T_{B}^{1}, T_{B}^{2}, {\tilde{K}}_{AB})$ , such that $DDH ((T_{A}^{1} + h_{A} T_{A}^{2}), (T_{B}^{1} + h_{B} T_{B}^{2}), {\tilde{K}}_{AB}) = 1$ .

To solve the $GDH (X, Y)$ problem, $S$ computes $K_{A B} - {\tilde{K}}_{A B} = D L O G (Y) s_{A} (b P K_{B} - b h_{B} X + {\bar{h}}_{B} b X) - D L O G (Y) s_{A} (b P K_{B} - b h_{B} X + {\bar{h}}_{B}^{'} b X) = D L O G (Y) s_{A} ({\bar{h}}_{B} - {\bar{h}}_{B}^{'}) b X$ , and then $S$ computes $GDH (X, Y) = DLOG (Y) X = (b s_{A} ({\bar{h}}_{B} - {\bar{h}}_{B}^{'}))^{- 1} (K_{AB} - {\tilde{K}}_{AB})$ . Suppose that $λ$ is the utilization factor of the forking lemma in S5. Consequently, $S$ successfully solves the GDH problem with the following advantage

{Adv}_{S}^{GDH} (k) \geq \frac{λ {Adv}_{M}^{Σ} (k)}{6 p {(k)}^{2} s (k)}

S6

$M$ does not know the long-term private keys of $I D_{A}$ and $I D_{B}$ , and the adversary $M$ may alter $I D_{B}$ ’s public key material $R_{B}$ .

Initially, the challenger $S$ randomly selects $X \in G$ as the KGC’s master public key. Then $S$ sets all parties’ long-term keys as follows. For any party $I D_{i} (i \neq A)$ , $S$ selects $h_{i}, s_{i} \in_{R} Z_{p}^{*}$ , computes $R_{i} = s_{i} P - h_{i} P_{pub}$ , sets $H_{1} (I D_{i} | | R_{i}) = h_{i}$ , and sets $(s_{i}, R_{i})$ as long-term private key of party $I D_{i}$ . Therefore, party $I D_{i}$ ’s long-term public key $P K_{i} = R_{i} + h_{i} P_{pub} = s_{i} P$ . For the party $I D_{A}$ , $S$ selects $h_{A} \in_{R} Z_{p}^{*}$ as $H_{1} (I D_{A} | | R_{A})$ , computes $R_{A} = Y - h_{A} P_{pub}$ , and sets $(⊥, R_{A})$ as party $I D_{A}$ ’s long-term private key. Therefore, party $I D_{A}$ ’s long-term public key $P K_{A} = R_{A} + h_{A} P_{pub} = Y$ . For each party $I D_{i}$ , $S$ passes $(I D_{i}, R_{i})$ to $M$ , and inserts the entry $(I D_{i}, R_{i}, h_{i})$ to $H_{1}^{list}$ . Specifically, $S$ randomly chooses $U \in G$ , chooses $a \in_{R} Z_{p}^{*}$ , and sets the ephemeral public keys of $I D_{A}$ to $aY - h_{A} U$ and $U$ .

Assume that $M$ neither queries $StaticKey Reveal (I D_{A})$ nor $StaticKeyReveal (I D_{B})$ , and the simulation does not abort. Assume that the session $Π_{A, B}^{S}$ has the incoming message $(I D_{B}, R_{(B, M)}, bP K_{B} - b h_{B} X, bX)$ which can possibly be generated by $M$ . Here the adversary $M$ selects $b \in_{R} Z_{p}^{*}$ , and may alter $I D_{B}$ ’s public key material $R_{B}$ . Suppose that $S$ selects ${\bar{h}}_{B} \in_{R} Z_{p}^{*}$ and sets $H_{1} (I D_{B} | | R_{(B, M)}) = {\bar{h}}_{B}$ . If the success probability of the adversary in forging attack is non-negligible, it must have queried $H_{2}$ with inputs of the form $K_{AB} = aDLOG (Y) (bP K_{B} - b h_{B} X + H_{1} (I D_{B} | | R_{(B, M))} bX)) = aDLOG (Y) (bP K_{B} - b h_{B} X + {\bar{h}}_{B} bX)$ . $S$ verifies whether there is an $H_{2}$ query issued by $M$ on the value $(I D_{A}, I D_{B}, T_{A}^{1}, T_{A}^{2}, T_{B}^{1}, T_{B}^{2}, K_{AB})$ , such that $DDH ((T_{A}^{1} + h_{A} T_{A}^{2}), (T_{B}^{1} + h_{B} T_{B}^{2}), K_{AB}) = 1$ .

According to the forking lemma, $S$ replays $M$ with the same input and tossing coins. In the course of this run, $S$ selects ${\bar{h}}_{B}^{'} \in_{R} Z_{p}^{*}$ and sets $H_{1} (I D_{B} | | R_{(B, M)})$ to ${\bar{h}}_{B}^{'}$ , where ${\bar{h}}_{B}^{'} \neq {\bar{h}}_{B}$ . If the success probability of the adversary in forging attack is non-negligible, it should make a query to $H_{2}$ with the input ${\tilde{K}}_{AB} = aDLOG (Y) (bP K_{B} - b h_{B} X + H_{1} (I D_{B} | | R_{(B, M)}) bX) = aDLOG (Y) (bP K_{B} - b h_{B} X + {\bar{h}}_{B}^{'} bX)$ . $S$ checks if there is an $H_{2}$ query issued by $M$ on the value $(I D_{A}, I D_{B}, T_{A}^{1}, T_{A}^{2}, T_{B}^{1}, T_{B}^{2}, {\tilde{K}}_{AB})$ , such that $DDH ((T_{A}^{1} + h_{A} T_{A}^{2}), (T_{B}^{1} + h_{B} T_{B}^{2}), {\tilde{K}}_{AB}) = 1$ .

To solve the $GDH (X, Y)$ problem, $S$ computes $K_{AB} - {\tilde{K}}_{AB} = aDLOG (Y) (bP K_{B} - b h_{B} X + {\bar{h}}_{B} bX) - aDLOG (Y) (bP K_{B} - b h_{B} X + {\bar{h}}_{B}^{'} bX) = aDLOG (Y) ({\bar{h}}_{B} - {\bar{h}}_{B}^{'}) bX$ , and then $S$ computes $GDH (X, Y) = DLOG (Y) X = (ab ({\bar{h}}_{B} - {\bar{h}}_{B}^{'}))^{- 1} (K_{AB} - {\tilde{K}}_{AB})$ . Suppose that $θ$ is the utilization factor of the forking lemma in S6. Therefore, $S$ successfully solves the GDH problem with the following advantage

{Adv}_{S}^{GDH} (k) \geq \frac{θ {Adv}_{M}^{Σ} (k)}{6 p {(k)}^{2} s (k)}

For the six strategies, since ${Adv}_{M}^{Σ} (k)$ is assumed to be non-negligible, ${Adv}_{S}^{GDH} (k)$ is also non-negligible. This is in contradiction to the GDH assumption.

The proof of Theorem 1 is complete.□

Security attributes

Our protocol $Σ$ catches all essential security attributes.

K-SKS. The eCK model can cover the K-SKS property because it supports the SessionKeyReveal query. According to the fresh definition, the adversary $M$ may reveal the session keys of other sessions than the test session and its matching session (if its matching session exists). The probability that $M$ differentiates between the test session key and a random value is negligible. Therefore, the test session key is not disclosed even if $M$ has known any other session keys.

FS. Our protocol captures the wPFS and MFS properties. In section “Security proof,” our protocol is proven to be secure in the eCK model. Therefore, the adversary cannot know the long-term and ephemeral secrets of one party, which implies wPFS. Moreover, the proof of S3 guarantees MFS.

BIR. When the long-term secret of party A is not revealed to an adversary $M$ , $M$ does not know the key of the session of party A with any other party because it cannot calculate the correct input to $H_{2}$ . Therefore, the adversary cannot impersonate party A.

KCIR. The property is guaranteed by the proofs of S1, S3, S4, and S5. Even when $M$ learns the long-term secret of party A and modifies the message sent to party A, it cannot calculate the key of the session of party A with any other party with no knowledge of party A’s ephemeral secret. Therefore, $M$ cannot masquerade as any other party to party A. That is to say, the proposed protocol can catch KCIR.

UKSR. Unknown key share (UKS) attack should not be launched successfully in ID-based AKA protocols because the involved parties’ identities are the input of the key derivation function. In addition, a party’s public key is derived from its ID, which also resists UKS attack.

NKC. Because two sessions that are not matched do not have the same input of the key derivation function $H_{2}$ , the session key cannot be forced to a predetermined value by one involved party or an outside adversary. Moreover, from the security proof, we can know that the adversary $M$ cannot differentiate between the test session key and a random value. Thus, our protocol can prevent key control attack.

ESRR. The property is guaranteed by the proofs of all strategies except for S3. The proofs for S1, S4, and S5 guarantee the proposed protocol is secure when ephemeral secrets are revealed partially. The proofs for S2 and S6 guarantee the proposed protocol is secure when ephemeral secrets are disclosed entirely.

Comparisons with the existing protocols

We compare our protocol with other existing ID-based 2PAKA protocols: the most efficient ID-based 2PAKA protocol using pairings (McCullagh-Barreto (MB)-I protocol²⁰), a provably secure ID-based one-round 2PAKA protocol with pairings in the eCK model that catches all essential security attributes (Huang et al.’s²⁸ protocol), and four latest provably secure pairing-free ID-based one-round 2PAKA protocols that catch all essential security attributes (Sun et al.’s⁴⁶ protocol, Bala et al.’s⁴⁷ protocol, Ni et al.’s⁴⁸ protocols; and Islam and Biswas’s⁴⁹ protocol).

Table 1 shows the comparison results in term of security, in which we only list security model, assumption, and the properties of KCIR and ESRR because these compared protocols catch other basic desirable security properties including K-SKS, wPFS, BIR, UKSR, and NKC. “√” and “×” mean that the security property is captured and is not captured by the protocol, respectively. “ ${eCK}^{*}$ ” is used to denote the eCK model that does not take active adversaries into account. From Table 1, it is clear that Huang and Cao’s²⁸ protocol, Sun et al.’s⁴⁶ protocol, and Bala et al.’s⁴⁷ protocol do not consider active adversaries although they are given the security proofs in strong model such as eCK model. In addition, the security analysis based on BAN logic model does not make certain that Islam and Biswas’s⁴⁹ protocol is secure.⁵¹ Therefore, among these compared ID-based 2PAKA protocols, only Ni-I,⁴⁸ Ni-II,⁴⁸ and our protocol are proven secure under the passive and active adversaries in the eCK model. It can be concluded that Ni et al.’s⁴⁸ protocols and our protocol achieve higher security than the five protocols.^{20,28,46,47,49}

Table 1.

Security comparison of ID-based 2PAKA protocols.

Protocol	Security model	Assumption	KCIR	ESRR
MB-I²⁰	mBR	BIDH	×	×
Huang and Cao²⁸	${eCK}^{*}$	CBDH	√	√
Sun et al.⁴⁶	${eCK}^{*}$	GDH	√	√
Bala et al.⁴⁷	${eCK}^{*}$	GDH	√	√
Ni-I⁴⁸	eCK	CDH	√	√
Ni-II⁴⁸	eCK	GDH	√	√
Islam and Biswas⁴⁹	BAN	GDH	√	√
Our protocol	eCK	GDH	√	√

ID: identity; 2PAKA: two-party authenticated key agreement; KCIR: key compromise impersonation resistance; ESRR: ephemeral secrets reveal resistance; MB: McCullagh-Barreto; mBR: modified Bellare-Rogaway; BIDH: bilinear inverse Diffie-Hellman; eCK: extended Canetti-Krawczyk; CBDH: computational bilinear Diffie-Hellman; GDH: Gap Diffie-Hellman; CDH: computational Diffie–Hellman; BAN: Burrows-Abadi-Needham.

Performance analyses

In this section, the efficiency of our protocol is compared with the existing protocols in terms of message size, computational cost, and running time. We omit the communication round because these compared protocols all have one-round communication. We implement the cryptographic operations by using MIRACL,⁵⁴ a standard cryptographic library. Since a vehicle has unlimited computation ability and power in VANETs,⁵⁵ the hardware platform that we select is an Intel Core 2 E8400 processor with 2 GB memory and a Windows XP operation system. For the two protocols using pairings,^20,28 to provide the 80-bit security level, we choose the Tate pairing on the elliptic curve $y^{2} = x^{3} + x$ over $F$ _p with embedding degree 2, where q is a 160-bit prime $q = 2^{159} + 2^{17} + 1$ and p is a 512-bit prime meeting the condition of $p + 1 = 12 qr$ . As for the pairing-free protocols,^46–49 to reach the same level of security, we employ the group on elliptic curve cryptography (ECC) secp160r1. The cryptographic operating times are shown in Table 2 where Exponent. in mult.group and poi.mult. stands for exponentiation in a multiplicative group and point multiplication, respectively.

Table 2.

Cryptographic Operating Time (in milliseconds).

Pairing	Exponent. in mult.group	Pairing-based poi.mult.	ECC-based poi.mult.
18.32	5.30	5.54	2.01

Table 3 lists the comparison results in terms of message size, computational cost, and running time. Assume that one user ID is 2 bytes long. Our protocol’s exchanged message is one ID and three points, and thus the message size is $(2 \times 8 + 160 \times 3) / 8 = 62 bytes$ . In Bala et al.’s⁴⁷ protocol, the exchanged message comprises one ID and two points, and thus the message size is $(2 \times 8 + 160 \times 2) / 8 = 42 bytes$ . Similarly, the message sizes of other compared protocols can be given.

Table 3.

Performance comparison of ID-based 2PAKA protocols (using pre-computation).

Protocol	Message size	Computational cost	Running time
MB-I²⁰	64 bytes	$1 P + 1 E + 1 PM$	$24.276 ms$
Huang and Cao²⁸	66 bytes	$2 P + 3 PM$	$42.852 ms$
Sun et al.⁴⁶	42 bytes	$6 EM (5 EM)$	$10.594 ms$
Bala et al.⁴⁷	42 bytes	$4 EM (3 EM)$	$6.574 ms$
Ni-I⁴⁸	62 bytes	$7 EM (6 EM)$	$12.716 ms$
Ni-II⁴⁸	62 bytes	$5 EM (4 EM)$	$8.696 ms$
Islam and Biswas⁴⁹	62 bytes	$5 EM (4 EM)$	$8.696 ms$
Our protocol	62 bytes	$4 EM (2 EM)$	$4.676 ms$

ID: identity; 2PAKA: two-party authenticated key agreement; MB: McCullagh and Barreto.

In the comparison of the computational cost, for simplicity, we only consider the expensive operations including pairing operation, exponentiation in a multiplicative group, pairing-based point multiplication, and ECC-based point multiplication, which are denoted as P, E, PM, and EM, respectively. The values in parentheses are the computational costs of these protocols when pre-computation is considered.

The running time of an AKA protocol is approximately equal to the computation time of one party and the transmission times of two exchanged messages in wireless links. In vehicular environments, the time spent on one message transmission is the sum of transmission times of the physical layer convergence procedure (PLCP) preamble (i.e. $0.032 ms$ ), the SIGNAL field (i.e. $0.008 ms$ ), and DATA field. The DATA field consists of the 16-bit SERVICE field, the physical service data unit (PSDU) (i.e. the medium-access control (MAC) frame), the 6-bit TAIL field, and the PAD field. The length of PAD field satisfies the condition that the number of bits in the DATA field should be a multiple of the number of data bits per orthogonal frequency division multiplexing (OFDM) symbol. According to 802.11⁵⁶ and dedicated short-range communications (DSRC) standards,⁵⁷ the data rate varies from 3 to 27 Mbps. In addition, the network and transport layers, Wave Short Message (WSM) header is at least 5 bytes in length, and subnetwork access protocol (SNAP) header and the logical link control (LLC) sublayer header are 5 and 3 bytes in length, respectively. The MAC sublayer header is 28 bytes in length. In order to better reflect the performation advantages of our protocol, the minimum data rate (i.e. 3 Mbps) and the corresponding number of data bits per OFDM symbol (i.e. 24 data bits) are chosen to compute the running time of compared protocols. Accordingly, the running time of our protocol can be computed as follows: 2EM + 2 (the transmission time of PLCP preamble + the transmission time of SIGNAL + (PSDU + TAIL + PAD) / (data rate)) = 4.676 ms. Similiarly, the running times of other compared protocols are listed in Table 3.

As listed in Table 3, it is clear that the ID-based pairing-free 2PAKA protocols achieve much better performance than the ID-based 2PAKA protocols using pairings. In addition, it is found that our protocol is superior to Ni-I⁴⁸ protocol and Ni-II⁴⁸ protocol in terms of computational cost and running time while having the same message size as them. Specifically, the running time of our protocol is 36.8% of Ni-I protocol, 53.8% of Ni-II protocol when pre-computation is considered. From Table 3, we can observe that our protocol is computationally more efficient than Bala et al.’s⁴⁷ protocol considering pre-computation with the disadvantage of slightly increased message size. The reason is that, (1) the intended partner vehicles communicating with vehicle A are not the same in different sessions of vehicle A; (2) in our protocol, $a R_{A}$ and $a P_{pub}$ are suitable for pre-computation as these two values have nothing to do with other parties and party A only needs to store two points; (3) in Bala’s protocol, vehicle A is not suitable to pre-compute and store $h_{B} P_{pub}$ for large numbers of unpredictable vehicles due to the rapid topology changes nature of vehicular networks. Therefore, Bala et al.’s⁴⁷ protocol and our protocol require three and two ECC-based point multiplication operations, respectively, when pre-computation is carried out. Moreover, the security proof of Bala et al.’s⁴⁷ protocol does not take active adversaries into account. Although the message size of our protocol is one point more than that of Bala’s protocol, our protocol has less running time than Bala’s protocol. Namely, the running time of our protocol is 77.1% of that of Bala’s protocol. Figure 2 illustrates the comparison result of Bala et al.’s⁴⁷ protocol, Ni-I,⁴⁸ Ni-II,⁴⁸ and our protocol in terms of running time when pre-computation is carried out.

Figure 2.

Comparison result of the running time (with pre-computation).

To summarize, our protocol has better performance than previous ID-based protocols while achieving higher or the same security level. It is concluded that our protocol is more suitable to real-time application environments with highly dynamic topology such as VANETs than the existing ID-based 2PAKA protocols.

Discussion

The proposed 2PAKA protocol enables two authentic vehicles to agree on a shared session key, which can be used for secure communication. For example, the secure communication protocol for VANETs⁵⁸ achieves the multi-level conditional privacy preservation authentication and integrity of transmitted messages based on ring signature. However, the signature is generated by using the private key of sender and L collected public keys, and the transmitted message consists of payload, timestamp, signature, and L public keys. Therefore, the message size is a little long and the signature verification requires 2 × L + 3 time-consuming pairing operations. The secure communication protocol for VANETs² offers the confidentiality, conditional privacy preservation authentication, and integrity of transmitted messages based on group signcryption. The session key used for signcryption is derived from the group secret key, which is generated by the group secret key agreement. However, the group secret key and group public key need to be updated on all unrevoked vehicles each time a member is revoked or quits the group. In addition, the group-based communication protocols for VANETs^2,58 are only suitable for the application scenarios with low mobility and little topology changing, such as traffic jam, urban road, and parking lot. Therefore, the article focuses on 2PAKA for VANETs.

Conclusions and future works

This article presents a provably secure and efficient one-round ID-based 2PAKA protocol without pairings for VANETs. The proposed protocol is given the formal proof under the passive and active adversaries in the eCK model. We also analyze that the proposed protocol can capture all essential security properties including K-SKS, wPFS, MFS, BIR, KCIR, UKSR, NKC, ESRR, and so on. The proposed protocol outperforms the existing ID-based 2PAKA protocols in terms of computational cost and running time while providing higher or the same level of security. In particular, if pre-computation is considered, our protocol reduces the running time to 77.1% of Bala’s protocol, 36.8% of Ni-I protocol, and 53.8% of Ni-II protocol while providing stronger or the same security level. As a result, our protocol is more applicable than other existing ID-based 2PAKA protocols for real-time application environments with quickly changing topology such as VANETs. Our future work is to present a provably secure and efficient certificateless 2PAKA protocol without pairings.

Footnotes

Handling Editor: Daniel Gutierrez-Reina

Declaration of conflicting interests

The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.

Funding

The author(s) disclosed receipt of the following financial support for the research, authorship, and/or publication of this article: This work was supported by the National Natural Science Foundation of China (NSFC) (grant number 61402351), the Fundamental Research Funds for the Central Universities (grant number JB140116), and the Programme of Introducing Talents of Discipline to Universities (111 Project) (grant numbers B16037, B08038).

References

Büttner

Bartels

Huss

. Real-world evaluation of an anonymous authenticated key agreement protocol for vehicular ad-hoc networks. In: 2015 IEEE 11th international conference on wireless and mobile computing, networking and communications (WiMob), Abu Dhabi, United Arab Emirates, 19–21 October 2015, pp.651–658. New York: IEEE.

Xiong

Zhu

Chen

et al . Efficient communication scheme with confidentiality and privacy for vehicular networks. Comput Electr Eng 2013; 39(6): 1717–1725.

Zhang

. OTIBAAGKA: a new security tool for cryptographic mix-zone establishment in vehicular ad hoc networks. IEEE T Inf Foren Sec 2017; 12(12): 2998–3010.

Zhang

Domingo-Ferrer

et al . Distributed aggregate privacy-preserving authentication in VANETs. IEEE T Intell Transp 2017; 18(3): 516–526.

Zhang

et al . Privacy-preserving vehicular communication authentication with hierarchical aggregation and fast response. IEEE T Comput 2016; 65(8): 2562–2574.

Zhang

Meng

Raymond Choo

K-K

et al . Privacy-preserving cloud establishment and data dissemination scheme for vehicular cloud. IEEE T Depend Secure 2018; 99: 1–1.

Bellare

Rogaway

. Entity authentication and key distribution. In: Stinson

(ed.) Advances in cryptology—CRYPTO’93, LNCS 773. Berlin: Springer-Verlag, pp.232–249.

Bellare

Rogaway

. Provably secure session key distribution: the three party case. In: Proceedings of the 27th annual ACM STOC, Las Vegas, NV, 29 May–1 June 1995, pp.57–66. New York: ACM.

Blake-Wilson

Johnson

Menezes

. Key agreement protocols and their security analysis. In: Darnell

(ed.) International conference on cryptography and coding, LNCS 1355. Berlin: Springer-Verlag, pp.30–45.

10.

Blake-Wilson

Menezes

. Entity authentication and authenticated key transport protocols employing asymmetric techniques. In: Christianson

Crispo

Lomas

et al . (eds) International workshop on security protocols, LNCS 1361. Berlin: Springer-Verlag, pp.137–158.

11.

Bellare

Pointcheval

Rogaway

. Authenticated key exchange secure against dictionary attacks. In: Preneel

(ed.) Advances in cryptology—EUROCRYPT 2000, LNCS 1807. Berlin: Springer-Verlag, pp.139–155.

12.

Canetti

Krawczyk

. Analysis of key-exchange protocols and their use for building secure channels. In: Pfitzmann

(ed.) Advances in cryptology—EUROCRYPT 2001, LNCS 2045. Berlin: Springer-Verlag, pp.453–474.

13.

Choo

KKR

Boyd

Hitchcock

. Examining indistinguishability-based proof models for key establishment protocols. In: Roy

(ed.) Advances in cryptology—ASIACRYPT 2005, LNCS 3788. Berlin: Springer-Verlag, pp.585–604.

14.

LaMacchia

Lauter

Mityagin

. Stronger security of authenticated key exchange. In: Susilo

Liu

(eds) International conference on provable security, LNCS 4784. Berlin: Springer-Verlag, pp.1–16.

15.

Smart

. Identity based authenticated key agreement protocol based on the Weil pairing. Electron Lett 2002; 38(13): 630–632.

16.

Chen

Kudla

. Identity based authenticated key agreement protocols from pairings. In: Proceedings of the 16th IEEE computer security foundations workshop, Pacific Grove, CA, 30 June–2 July 2003, pp.219–233. New York: IEEE.

17.

Shim

. Efficient ID-based authenticated key agreement protocol based on Weil pairing. Electron Lett 2003; 39(8): 653–654.

18.

Sun

Hsieh

. Security analysis of Shim’s authenticated key agreement protocols from pairings. Cryptology ePrint Archive, Report 2003/113, 2003, http://eprint.iacr.org/2003/113/

19.

Ryu

Yoon

Yoo

. An efficient ID-based authenticated key agreement protocol from pairings. In: Mitrou

Kontovasilis

Rouskas

et al . (eds) Proceedings of the networking ’04, LNCS 3042. Berlin: Springer-Verlag, pp.1458–1463.

20.

McCullagh

Barreto

. A new two-party identity-based authenticated key agreement. In: Menezes

(ed.) Topics in cryptology—CT-RSA 2005, LNCS 3376. Berlin: Springer-Verlag, pp.262–274.

21.

Xie

. Cryptanalysis of Noel McCullagh and Paulo S.L.M. Barreto’s two-party identity-based key agreement. Cryptology ePrint Archive, Report 2004/308, 2004, http://eprint.iacr.org/2004/308/

22.

Yuan

. Towards security two-party authenticated key agreement protocols. Cryptology ePrint Archive, Report 2005/300, 2005, http://eprint.iacr.org/2005/300/

23.

Choie

Jeong

Lee

. Efficient identity-based authenticated key agreement protocol from pairings. Appl Math Comput 2005; 162(1): 179–188.

24.

Yuan

. A new efficient ID-based authenticated key agreement protocol. Cryptology ePrint Archive, Report 2005/309, 2005, http://eprint.iacr.org/2005/309/

25.

Chen

Cheng

Smart

. Identity-based key agreement protocols from pairings. Int J Inf Secur 2007; 6(4): 213–241.

26.

Wang

Cao

. Efficient identity-based authenticated key agreement protocol with PKG Forward Secrecy. Int J Netw Sec 2008; 7(2): 181–186.

27.

Wang

Cao

Choo

et al . An improved identity-based key agreement protocol and its security proof. Inform Sciences 2009; 179(3): 307–318.

28.

Huang

Cao

. An ID-based authenticated key exchange protocol based on bilinear Diffie-Hellman problem. In: Proceeding of the ACM ASIACCS 2009, Sydney, NSW, Australia, 10–12 May 2009, pp.333–342. New York: ACM.

29.

Chen

et al . Strongly secure identity-based authenticated key agreement protocols. Comput Electr Eng 2011; 37(2): 205–217.

30.

Zhang

. An improved identity-based authenticated key agreement protocol using pairings. In: International conference on computer science and network technology, Harbin, China, 24–26 December 2011, pp.45–49. New York: IEEE.

31.

Hölbl

Welzer

Brumen

. An improved two-party identity-based authenticated key agreement protocol using pairings. J Comput Syst Sci 2012; 78(1): 142–150.

32.

Chen

. Escrowable identity-based authenticated key agreement protocol with strong security. Comput Math Appl 2013; 65(9): 1339–1349.

33.

Chen

et al . Strongly secure identity-based authenticated key agreement protocols in the escrow mode. Sci China Inform Sci 2013; 56(8): 1–14.

34.

Shamir

. Identity-based cryptosystems and signature schemes. In: Blakley

Chaum

(eds) Advances in cryptology—EUROCRYPT 1984, LNCS 196. Berlin: Springer-Verlag, pp.47–53.

35.

Cao

Kou

. A pairing-free identity-based authenticated key agreement protocol with minimal message exchanges. Inform Sciences 2010; 180(15): 2895–2903.

36.

Aranha

Faz-Hernández

López

et al . Faster implementation of scalar multiplication on Koblitz curves. In: Hevia

Neven

(eds) International conference on cryptology and information security in Latin America, LNCS 7533. Berlin: Springer-Verlag, pp.177–193.

37.

Zhu

Yang

Wong

. An efficient identity-based key exchange protocol with KGS forward secrecy for low-power devices. Theor Comput Sci 2007; 378(2): 198–207.

38.

Cao

Kou

et al . Identity-based authentication key agreement protocols without bilinear pairings. IEICE T Fund Electr 2008; 91(12): 3833–3836.

39.

Fiore

Gennaro

. Making the Diffie-Hellman protocol identity-based. In: Pieprzyk

(ed.) Topics in cryptology—CT-RSA 2010, LNCS 5985. Berlin: Springer-Verlag, pp.165–178.

40.

Hou

. An efficient and secure one-round authenticated key agreement protocol without pairings. In: 2011 international conference on multimedia technology, Taipei, Taiwan, 28–30 March 2005, pp.160–163. New York: IEEE.

41.

Hou

. A one-round ID-based authenticated key agreement protocol with enhanced security. In: 2011 2nd international conference on intelligent control and information processing, Harbin, China, 25–28 July 2011, pp.194–197. New York: IEEE.

42.

Islam

Biswas

. An improved pairing-free identity-based authenticated key agreement protocol based on ECC. Procedia Engineer 2012; 30: 499–507.

43.

Xie

Wang

. One-round identity-based key exchange with Perfect Forward Security. Theor Comput Sci 2012; 112(14): 587–591.

44.

Vivek

Selvi

Venkatesan

et al . Efficient, pairing-free, authenticated identity based key agreement in a single round. In: Susilo

Reyhanitabar

(eds) International conference on provable security, LNCS 8209. Berlin: Springer-Verlag, pp.38–58.

45.

Ghoreishi

Isnin

Razak

et al . A novel secure two-party identity-based authenticated key agreement protocol without bilinear pairings. In: Abraham

Muda

Choo

(eds) Pattern analysis, intelligent security and the Internet of Things, AISC 355. Cham: Springer-Verlag, pp.287–294.

46.

Sun

Wen

Zhang

et al . A strongly secure identity based authenticated key agreement protocol without pairings under the GDH assumption. Secur Commun Netw 2015; 8(17): 3167–3179.

47.

Bala

Sharma

Verma

. PF-ID-2PAKA: pairing free identity-based two-party authenticated key agreement protocol for wireless sensor networks. Wireless Pers Commun 2016; 87(3): 995–1012.

48.

Chen

et al . Strongly secure identity-based authenticated key agreement protocols without bilinear pairings. Inform Sciences 2016; 367: 176–193.

49.

Islam

Biswas

. A pairing-free identity-based two-party authenticated key agreement protocol for secure and efficient communication. J King Saud Univ: Comput Inform Sci 2017; 29(1): 63–73.

50.

Boneh

Franklin

. Identity-based encryption from the Weil pairing. In: Kilian

(ed.) Advances in cryptology—CRYPTO 2001, LNCS 2139. Berlin: Springer-Verlag, pp.213–229.

51.

Cheng

Nistazakis

Comley

et al . On the indistinguishability-based security model of key agreement protocols in simple cases. Cryptology ePrint Archive, Report 2005/300, 2005, http://eprint.iacr.org/2005/300/

52.

Krawczyk

. HMQV: a high-performance secure Diffie-Hellman protocol. In: Shoup

(ed.) Advances in cryptology—CRYPTO 2005, LNCS 3621. Berlin: Springer-Verlag, pp.546–566.

53.

Pointcheval

Stern

. Security arguments for digital signatures and blind signatures. J Cryptol 2000; 13(3): 361–396.

54.

Shamus Software Ltd. MIRACL library, http://www.shamus.ie/index.php?page=home

55.

Hwang

Chu

. A secure and efficient communication scheme with authenticated key establishment and privacy preserving for vehicular ad hoc networks. Comput Commun 2008; 31(12): 2803–2814.

56.

IEEE 802.11-2016:2016. IEEE Standard for Information Technology —telecommunications and information exchange between systems local and metropolitan area networks—specific requirements—part 11: wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) specifications.

57.

Kenney

. Dedicated Short-Range Communications (DSRC) Standards in the United States. Proc IEEE 2011; 99(7): 1162–1182.

58.

Xiong

Chen

. Efficient and multi-level privacy-preserving communication protocol for VANET. Comput Electr Eng 2012; 38(3): 573–581.