Paper 2016/862

Flaw in the Security Analysis of Leakage-resilient Authenticated Key Exchange Protocol from CT-RSA 2016 and Restoring the Security Proof

Suvradip Chakraborty, Goutam Paul, and C. Pandu Rangan

Abstract

In this paper, we revisit the security result of an authenticated key exchange (AKE) protocol recently proposed in CT-RSA 2016 by Chen, Mu, Yang, Susilo and Guo (we refer to this scheme as the CMYSG scheme). The security of the CMYSG scheme is shown in a new (stronger) challenge-dependent leakage-resilient eCK (CLR-eCK) model that captures (bounded) leakage from both the long term secret key of the parties as well the (per-session) randomness of the parties involved in an AKE protocol even after the challenge/test session. In this model, they proposed a generic framework for constructing one-round AKE protocols. The main tool employed in their construction is a (extended) 2-smooth projective hash proof system. The security of their protocol is reduced to the security of the underling hash-proof system, the existence of pseudo-random functions (PRF) and $$-PRFs, collision-resistant hash functions and the Decisional Diffie-Hellman (DDH) hardness assumption. However, we disprove their security result and show that the security of the CMYSG protocol is incorrectly reduced to that of the DDH assumption. We then re-prove the security of the CMYSG scheme in the CLR-eCK model under the Gap Diffie-Hellman (GDH) hardness assumption in the random oracle model. Our security analysis continues the troubled past of the make-and-break efforts of constructing leakage-resilient AKE protocols and also leaves open the construction of CLR-eCK secure AKE protocol in the standard model.