Strongly secure authenticated key exchange from factoring, codes, and lattices

Abstract

An unresolved problem in research on authenticated key exchange (AKE) in the public-key setting is to construct a secure protocol against advanced attacks such as key compromise impersonation and maximal exposure attacks without relying on random oracles. HMQV, a state of the art AKE protocol, achieves both efficiency and the strong security proposed by Krawczyk (we call it the $${\mathrm {CK}}^+$$CK+ model), which includes resistance to advanced attacks. However, the security proof is given under the random oracle model. We propose a generic construction of AKE from a key encapsulation mechanism (KEM). The construction is based on a chosen-ciphertext secure KEM, and the resultant AKE protocol is $${\mathrm {CK}}^+$$CK+ secure in the standard model. The construction gives the first $${\mathrm {CK}}^+$$CK+ secure AKE protocols based on the hardness of integer factorization problem, code-based problems, or learning problems with errors. In addition, instantiations under the Diffie---Hellman assumption or its variant can be proved to have strong security without non-standard assumptions such as $$\pi $$?PRF and KEA1. Furthermore, we extend the $${\mathrm {CK}}^+$$CK+ model to identity-based (called the $${\hbox {id-CK}^+}$$id-CK+ model), and propose a generic construction of identity-based AKE (ID-AKE) based on identity-based KEM, which satisfies $${\hbox {id-CK}^+}$$id-CK+ security. The construction leads first strongly secure ID-AKE protocols under the hardness of integer factorization problem, or learning problems with errors.