Cryptanalysis and Improvement of Several Identity-Based Authenticated and Pairing-Free Key Agreement Protocols for IoT Applications

Internet of Things (IoT) applications have been increasingly developed. Authenticated key agreement (AKA) plays an essential role in secure communication in IoT applications. Without the PKI certificate and high time-complexity bilinear pairing operations, identity-based AKA (ID-AKA) protocols without pairings are more suitable for protecting the keys in IoT applications. In recent years, many pairing-free ID-AKA protocols have been proposed. Moreover, these protocols have some security flaws or relatively extensive computation and communication efficiency. Focusing on these problems, the security analyses of some recently proposed protocols have been provided first. We then proposed a family of eCK secure ID-AKA protocols without pairings to solve these security problems, which can be applied in IoT applications to guarantee communication security. Meanwhile, the security proofs of these proposed ID-AKA protocols are provided, which show they can hold provable eCK security. Some more efficient instantiations have been provided, which show the efficient performance of these proposed ID-AKA protocols. Moreover, comparisons with similar schemes have shown that these protocols have the least computation and communication efficiency at the same time.


Introduction
Internet of Things (IoT) applications have been increasingly exploited as information technology, operational technology, communication technology, and electronic technology develop.Examples include Smart Grid, Internet of Vehicles, Industrial IoT, and Agriculture IoT, which have enhanced living conditions greatly.With the development of 5G, secure and efficient communication demands have become huge as massive IoT devices are participating in these IoT applications.In general, IoT end devices and IoT servers play important roles in IoT applications.IoT end devices, mounted with sensors, collect useful information and transmit data to the IoT servers over the open network.When these IoT data are transmitted among different IoT devices, the sensitive information inserted in these IoT data needs more secure cryptographic algorithms to protect IoT user privacy and data security.
To protect the security of data transmission, cryptographic means that require secret keys are presented.For IoT user identity authentication, the shared key, public key certificate, and zero-knowledge proof are some common cryptographic methods [1].For secure IoT data transmission, the digital signature can help confirm data ownership [2], the key agreement can help establish a secure session key [3], and the public key encryption can guarantee IoT data security with ciphertext in the public Internet environment [4].For IoT data with fine-grained access control, attribute-based encryption can help establish a secure access control strategy with the attributes of IoT users and data [5], and security policy protocol can solve Internet control message protocol (ICMP) attacks [6].Many cryptographic algorithms guarantee secure and efficient communication among different IoT applications-there are too many to mention one by one.However, these cryptographic algorithms are public; therefore, the keys are essential for secure data transmission.Moreover, blockchain technology has been applied to IoT applications to solve the centralized management problem [7].
Key agreement (KA) is an important method to protect keys, which supports building a common session key between no less than two different users for subsequent communications.Authenticated key agreement (AKA) not only generates a common session key, but also prevents active attacks and implicitly authenticates the participants simultaneously.In the public-key infrastructure (PKI) setting, the user's long-term public key is matched with the corresponding identity in a certificate, which is derived by a trusted certificate authority.However, managing and transmitting these certificates results in heavy computation and storage costs.Considering IoT end-devices are usually resource-constrained and have limited memory, computation power, storage, and battery life, PKI-based AKA protocols (e.g., [3,8]) are not suitable for IoT applications.Therefore, to avoid the PKI certificate problem, AKA (ID-AKA) protocols with identity are proposed [9].In ID-AKA protocols, every user owns a unique identity, the long-term public key is constructed by the user's personal identity, and the private key is composed of the identity and a master key, which is created by the trusted key generation center (KGC).Since the introduction of the first ID-AKA protocol in [10], many ID-AKA protocols have been introduced based on bilinear pairings [11][12][13][14][15][16][17][18], which is a high time-complexity operation.Because of the resource restriction of IoT end devices, ID-AKA protocols without pairings are more suitable for IoT applications.
Currently, the modified Bellare and Rogaway (mBR) model [12], the Canetti-Krawczyk (CK) model [19], and the extended Canetti-Krawczyk (eCK) model [20] are some famous security models for AKA protocols.In particular, the eCK model can achieve the most security properties [13].Meanwhile, to satisfy the communication demands of the high speed, low latency, and large connections in IoT applications, a more secure and efficient AKA protocol is needed.Thus, designing efficient ID-AKA protocols without pairings while maintaining eCK security would be more suitable for IoT applications.

Motivation and Our Contribution
Aiming at considering the aforementioned problems, this paper presents some efficient ID-AKA protocols while holding the eCK security for IoT applications.

•
We provide the preliminaries of some Diffie-Hellman assumptions and the forking lemma, provide a detailed description of the eCK-security model for two-party ID-AKA protocols, and draw a figure to show the network model for these protocols.

•
We analyze three recently proposed ID-AKA protocols without pairings [21][22][23], and point out the security flaws against some known attacks.

•
We propose a family of pairing-free ID-AKA protocols in the eCK security model.The security proof also considers the case where the public key materials related to the long-term private key can be altered by an active adversary.Furthermore, events in our security proof are complementary.

•
We provide some more efficient protocols that need four elliptic curve point multiplication operations.Protocol comparison shows that our efficient protocols have the advantage over similar protocols with the items of security, computation, and communication efficiency.
The paper is organized as follows: Section 2 provides some related work, Section 3 presents the cryptanalysis of several ID-AKA protocols, Section 4 proposes a family of pairing-free ID-AKA protocols, Section 5 shows some more efficient instantiations, Section 6 presents the performance and comparison, and Section 7 gives the conclusion.

Related Work
Some related works about the cryptographic methods for IoT applications and developments of KA protocols are provided in the following two subsections.

Cryptographic Methods for IoT Applications
In IoT applications, the IoT data generally contain plenty of sensitive information about the system users, such as their personal identity, location, and production data.When these IoT data are transmitted among different IoT devices and applications, cryptographic technologies play an essential role in the processes of user identity authentication, IoT data transmission, IoT data fine-grained access control, and so on.Jayabalasamy et al. [2] proposed an aggregate signature scheme to solve the nonrepudiation problem in blockchain ecosystems, which could also confirm the data ownership in the untrusted IoT environment.Li et al. [3] designed a KA protocol based on the SM2 algorithm, which could help establish a secure session key between different system users in smart grid communications.Pu et al. [4] introduced a public key authentication encryption scheme, and added the function of keyword search into this scheme to guarantee IoT data security in industrial IoT applications.Rasori et al. [5] provided a survey of the attributed-based encryption protocols in recent years, and figured out the problems and challenges of IoT data fine-grained access control in most current IoT applications.Onyema et al. [6] presented a security policy protocol for the detection and prevention of Internet control message protocol (ICMP) attacks in software-defined networks.For these different cryptographic algorithms, the key is an essential part of secure IoT communication.Therefore, establishing a secure session key is the first issue that should be taken into consideration for secure communication in IoT applications.

Developments of KA Protocols
Numerous interesting pairing-free ID-AKA protocols have been introduced in recent years.In 2010, Cao et al. [24] provided a one-round ID-AKA protocol without pairing and presented the security proof in the mBR model.Then, two pairing-free ID-AKA protocols were proposed in [25,26], which utilized the CK model to prove its security.In 2016, Ni et al. [27] showed that the security proof of Sun et al.'s protocol neglected the case where the public key materials related to the long-term private key could be altered by an active adversary, and proposed two eCK-secure ID-AKA protocols without pairings.However, events in the security proof of their protocols were not complementary, which resulted in a mismatch in the freshness definition.Moreover, KGC needed to generate one extra longterm private key, which increased the storage, computation, and communication costs with the increase in the number of users.Bala et al. [21] presented an ID-AKA scheme without pairing for wireless sensor networks and claimed it was secure in the eCK security model.But Dang et al. [28] showed that its security proof had the same problem.Furthermore, the eCK security model was not secure as it suffered from an ephemeral key reveal attack.
In 2018, Dang et al. [28] provided a pairing-free ID-AKA protocol that could achieve eCK security in vehicular ad hoc networks.However, in 2021, Deng et al. [29] showed that it was not eCK-secure and put forward a new scheme that required only four scale multiplication operations.However, we found that the security proof had some flaws, for example, it was inappropriate that the challenger grasped the private key of KGC in the proof Cases CA2, CA3, CA4, and CA6.Mohammadali et al. [22] proposed the NIKE protocol, an ID-AKA protocol without pairing.However, there were still some drawbacks to it.Firstly, we found this scheme had a design flaw, i.e., if an individual was to learn about the long-term private keys of two parties (say A(Meter) and B(AHE)), they could easily obtain KGC's master key.Secondly, it could not resist a KCI attack.Thirdly, although the NIKE protocol only needed, at most, three elliptic curve point multiplication operations, it needed three hash-to-point operations, which was a more time-consuming operation than the point multiplication operation.In 2019, Zhang et al. [23] gave two pairing-free and unbalanced ID-AKA protocols for disaster scenarios.Their protocols were actually unbalanced versions of the protocol in [24].Their protocols reduced one elliptic curve point multiplication operation for the limited party.However, Zhang et al.'s protocols did not have ephemeral key reveal resistance.In 2020, Daniel et al. [30] pointed out that Bala et al.'s protocol [21] could not resist an ephemeral key reveal attack.They also provided an ID-AKA protocol and presented its security proof in the eCK model [27].However, its computational cost was still higher, which needed five-point multiplication operations in the elliptic curve.Furthermore, they pointed out that protocol [27] suffered from key offset attacks; however, key offset attacks could be simply avoided by adding a message authentication code using the same method in [30].
In 2021, Kumar and Chand [31] presented an ID-AKA protocol with cloud for the wireless body area network for anonymous health data authentication.However, Rakeei and Moazami [32] pointed out that this protocol could not resist a man-in-the-middle attack and achieve perfect forward secrecy.In 2022, Pu et al. [33] provided a mutual authentication and KA protocol for data privacy preserving in unmanned aerial vehicles (UAVs).Zhang et al. [34] designed a group key agreement (GKA) protocol for user privacy protection and data resource secure sharing in an intelligent IoT system.In 2023, Zhou et al. [35] presented an AGKA protocol for an AI-based automation system, which utilized a semi-trusted authority to perform precomputation operations.Pan et al. [36] focused on the communication security of UAVs to introduce a heterogeneous AKA protocol.Zhang et al. [37] provided a symmetric-key AKA protocol for edge-cloud IIoT, which could achieve perfect forward secrecy based on both authentication and derivation master keys.Abdussami et al. [38] proposed an AKA protocol for secure patient health-related data sharing in IoMT.
The security comparisons of these ID-AKA protocols are shown in Table 1, and the security items of the KGC's master key (MSS), weak perfect forward secrecy (wPFS), key compromise impersonation resilience (KCIR), ephemeral secrets reveal resistance (ESRR), and assumption (AS) were compared.Facing these problems and secure IoT communication demands, a secure ID-AKA protocol is needed to strengthen the security of session keys between different IoT users.The next sections will present the cryptanalysis of several ID-AKA protocols [21][22][23] first, and then provide the proposed ID-AKA protocols.eCK@ Yes Yes Yes Yes GDH DRS-20 [30] eCK Yes Yes Yes Yes GDH DSH-21 [29] eCK* Yes Yes Yes Yes GDH PWCAS-22 [33] eCK* Yes Yes Yes Yes PUF ZHVLH-23 [37] eCK* Yes Yes Yes Yes PRF eCK* and mBR* are without the case where an active adversary may alter all public key materials not only the temporary public key."-" denotes that there is no formal security proof for the protocol.eCK@ denotes that events in the proof are not complementary.

Preliminaries
Some basic concepts including complexity assumptions and the eCK security model for two-party ID-AKA protocols are reviewed in this section.

Complexity Assumptions
Let G be an elliptic curve additive group with a large prime order q, and P is a generator of G. Some Diffie-Hellman assumptions over G are recalled as follows.

•
Computational Diffie-Hellman (CDH) Assumption: Given three points, P, aP, and bP, where a, b ∈ Z * q , the advantage Adv CDH M to compute abP is negligible for any probabilistic polynomial time (PPT) adversary M.
• Decision Diffie-Hellman (DDH) Assumption: Given four points P, aP, bP, and cP, where a, b, c ∈ Z * q , the advantage Adv DDH M to decide whether c ≡ ab mod q is negligible for any PPT adversary M.
• Gap Diffie-Hellman (GDH) Assumption: Given four points P, aP, bP, and cP, where a, b, c ∈ Z * q , the advantage Adv GDH M to compute abP by accessing a DDH oracle is negligible for any PPT adversary M.

The Forking Lemma
The forking lemma is applied in the security proof of our proposed protocols.Here, we recall it described in [27].
Let Θ S be a generic digital signature scheme.Given an input message m, Θ S produces a triple (K, h, v), where K is a randomly selected value in a large set, h is the hash value of (m, K), and v is only dependent on K, m, and h.Assume that a PPT algorithm M can produce a valid signature (K, h, v) on the message m with non-negligible probability.Then, with non-negligible probability, a replay of this algorithm can output two valid signatures (K, h, v) and (K, h, v) on the same message m, such that h ̸ = h.

eCK-Security Model for Two-Party ID-AKA Protocols
We now recall the eCK-security model for two-party ID-AKA protocols in [13,27].

•
Participants.Send (∏ m i,j , M). Via this query, the adversary M can send any message M to party ID i in session ∏ m i,j on behalf of party ID j .The adversary M is responded to according to the protocol specification.∏ m i,j can be initiated by ID i when M = λ.In general, for simplicity ID i ̸ = ID j is required, i.e., two identical participants will not run a session.Internal states of ∏ m i,j should be maintained accordingly.
-Test (∏ m i,j ).The input session ∏ m i,j must be fresh.In response to this query, ∏ m i,j flips a fair coin b ∈ {0, 1}, and returns the real session key if b = 0, or a random sample from the distribution of the session key if b = 1.• Security Experiment.The security experiment between the adversary M and the challenger CH consists of the following phases.
-Setup.The challenger CH generates the system parameters along with the master private key and valid long-term secret keys for each party.The adversary M is then provided all public data, including the identities of all the honest parties.

-
The first phase of the game.Adversary M is allowed to issue a polynomial number of EphemeralKeyReveal, SessionKeyReveal, Corrupt, KGCStaticKeyReveal, RegCT, and Send queries in any order.

-
The second phase of the game.At some point, adversary M chooses a fresh session ∏ m i,j (see Definition 2) and issues a Test(∏ m i,j ) query at most once.After this, adversary M can keep asking other queries under the condition that the test session must remain fresh.

-
The end of the game.M makes a guess b ′ for b.

•
Advantage.M wins the above security experiment if the test session ∏ m i,j is still fresh and b ′ = b.The advantage of M in winning the above security experiment is defined as Adv AKE (M) = |2Pr[M wins] − 1|, where M wins refers to M can distinguish the tested session key from a random string.
In the following, we introduce definitions for Matching Session, Freshness, and eCK Security.

Definition 1 (Matching Session). If two completed sessions ∏ m
i,j and ∏ n j,i have the same message transcript, they are said to be matching.Definition 2 (Freshness).Let ∏ m i,j be a completed session between honest party ID i and ID j , ∏ m i,j is said to be fresh if none of the following three conditions hold: (1) The adversary M knows the session key of ∏ m i,j or its matching session ∏ n j,i (if ∏ n j,i exists); (2) ∏ m i,j has a matching session ∏ n j,i , and the adversary M knows both the long-term private key of participant ID i and the ephemeral private key of ∏ m i,j , or both the long-term private key of participant ID j and the ephemeral private key of ∏ n j,i .(3) ∏ m i,j has no matching session, and the adversary M knows both the long-term private key of participant ID i and the ephemeral private key of ∏ m i,j , or the long-term private key of participant ID j .
Remark 1.The first condition in Definition 2 is to exclude the trivial attack that M obtains the session key directly.The second and third conditions in Definition 2 are to exclude the trivial attack that M obtains the long-term private key and the ephemeral private key of one party simultaneously.If ∏ m i,j has no matching session, it means that M has obtained the ephemeral private key of participant ID j ; therefore, M cannot obtain the long-term private key of ID j .Definition 3 (eCK Security).We say that an ID-AKA protocol is secure in the eCK model if the following conditions hold: (1) If two honest parties successfully complete matching sessions, they both compute the same session key.(2) For any PPT adversary, M, Adv AKE (M) is negligible in security parameter k.
Remark 2. If a protocol is secure under Definition 3, then it achieves implicit mutual key authentication and the basic security properties, including weak perfect forward secrecy (wPFS), key compromise impersonation resilience (KCIR), ephemeral secrets reveal resistance (ESRR), known key security, no key control, resistance to basic impersonation attack, replay attack resilience, resistance to man-in-the-middle attack, and unknown key share resilience.

Cryptanalysis of Several ID-AKA Protocols
Figure 1 shows the network model for ID-AKA protocols considered in our paper.Here, user A, user B, and trusted authority (acts as KGC) are the three main parties of an ID-AKA protocol.A and B obtain their long-term private keys in the extract phase and use them to reach AKA each other.Next, this section provides the cryptanalysis of several ID-AKA protocols.

The PF-ID-2PAKA Protocol
PF-ID-2PAKA [21] is also composed of three stages, i.e., setup, extract, and key agreement.The former two stages are the same as those of the DXCLCZF-18 protocol [28].Here, we only describe the key agreement stage in Figure 2.
e T e P

Ephemeral Key Reveal Attack
Suppose that A's ephemeral key e A is compromised by an adversary.Next, we show that the PF-ID-2PAKA protocol suffers from an ephemeral key reveal attack.
(1) The adversary M initializes a session ∏ ℓ A,B through the query Send(∏ ℓ A,B , ⊥), and then obtains the message M 1 = {ID A , R A , T A }, where T A = e A P with a random element e A ∈ Z * q .(2) Upon receiving the message, M 1 , M randomly picks an ephemeral private key e and correct public key material R B can be obtained from the response of the query Send(∏ t B,U , ⊥).
(3) Upon the receipt of M 2 , A calculates the shared session key and completes this session.Specifically, B and e A , M computes The following provides the correctness of the attack process.As a result of Thus, A and M receive the same session key, which means that the PF-ID-2PAKA protocol suffers from an ephemeral key reveal attack.Note that our construction cannot suffer from the above attack as both of the two shared secrets not only depend on the ephemeral private key, but also depend on the long-term private key, and they are linearly independent.Therefore, it is impossible to remove the long-term private key from the two shared secrets simultaneously.

Flaws in the Security Proof
The PF-ID-2PAKA protocol can not be proved secure under the hardness of the GDH problem in Case 3 (i.e., M can neither obtain the long-term private key of ID A nor that of ID B ).Meanwhile, the ephemeral key t B of ID B may be created by M, then CH cannot know t B .In ignorance of t B , CH does not calculate CDH(U, Therefore, the challenger CH cannot solve the GDH instance.

The ZHWY-19 Protocol
Here, we only describe the key agreement stage of the ZHWY-19-I protocol [23] in Figure 3.For more details, one can refer to [23].Note that Cheng et al. [39] pointed out that the ZHWY-19-I protocol [23] cannot achieve forward security and resist the key compromise impersonation attack.Here, we point out that this protocol is weak against the ephemeral key reveal attack and flaws in the security proof.

Ephemeral Key Reveal Attack
If e A and e B in a past session have been compromised by the adversary M, M can compute the session key sk.
(1) M accesses to as the shared session key.
Thus, the ZHWY-19-I protocol is weak against the ephemeral secret key leakage.Note that they did not claim their protocol holds ephemeral key reveal resistance.

Flaws in the Security Proof
In the ZHWY-19-I protocol, the answer to oracle Corrupt(ID i ) is improper.Actually, Corrupt(ID i ) should return the long-term private key (s i , R i , v i , V i ) rather than s i to the adversary. ) The key agreement phrase of the ZHWY-19-I protocol [23].

Mohammadali et al.'s Protocols
Mohammadali et al. [22] proposed two protocols, the NIKE protocol and the NIKE + protocol.These two protocols contain three stages, namely setup, extract, and key agreement.The NIKE protocol is briefly shown in Figure 4.Note that, here, we did not analyze the flaws in the security proof as there was no security proof in [22].

The Insecurity of the KGC's Master Key
If the user A(Meter) and the user B(AHE) launch collusion attacks, they can know the KGC's master key s.As

Key Compromise Impersonation (KCI) Attack
The NIKE protocol suffers from a key compromise impersonation (KCI) attack, i.e., if the user B(AHE)'s long-term private key Y B is compromised by M, M can impersonate any user (say A(Meter) ) with B(AHE)'s long-term private key Y B to communicate with B(AHE).The details are as follows.Note that they did not claim their protocol held KCI resistance.
(1) M obtains ID A , R A by eavesdropping on a connection between A(Meter) and any user.
Then, M picks e M A ∈ Z * q at random, calculates , and finally sends m M A to B(AHE).
(4) Upon receiving m M A , B(AHE) verifies m M A is correct and computes the session key according to the protocol. )

Correctness.
The following provides the correctness of the attack process.As T M A = e M A P − H 2 (ID B , y B )P pub − R A and T B = t B P, we can obtain Thus, A and M obtain the same session key, which means that the NIKE protocol suffers from a KCI attack.The KCI attack on the NIKE + protocol is the same as above.

Our General Construction
This section firstly provides the construction ∑ C 1 ,C 2 ,C 3 ,C 4 , secondly show the construction ∑ C 1 ,C 2 ,C 3 ,C 4 is correct, and thirdly provides the security proof.

Construction Description
The ∑ C 1 ,C 2 ,C 3 ,C 4 is composed of three stages, i.e., setup, extract, and key agreement.

•
Setup: Select security parameter k, KGC performs as follows: (1) Pick an elliptic curve E/F p , where F p is a finite filed, and p is a prime number with k bits.(2) Create a cyclic additive group G with the order q, which is generated by a base point P over E/F p .(3) Choose s ∈ Z * q randomly, and then set the master private key s and the system public key P pub = sP.(4) Pick H 1 : {0, 1} * → Z * q and H 2 : {0, 1} * → {0, 1} k .(5) Expose ⟨E/F p , G, q, P, P pub , H 1 , H 2 ⟩, and meanwhile retain s unrevealed.

•
Extract: KGC derives the long-term private key for user ID i ∈ {0, 1} * as below.
(1) KGC randomly selects r i ∈ Z * q , and calculates R i = r i P and (2) KGC computes s i = r i + h i s mod q and derives (s i , R i ) as the user's long-term private key.(3) KGC sends (s i , R i ) to the user securely.Upon receiving (s i , R i ), the user can verify s i P If this verification succeeds, the key pair (s i , R i ) is correct and valid.s i P serves as the real public key in relation to ID i .
• Key Agreement: Assume that user A with identity ID A hopes to compute a key with user B with identity ID B .
(1) A randomly picks an ephemeral secret key e A ∈ Z * q , calculates T A = e A P, and returns M 1 = {ID A , R A , T A } to B. The agreement process in Figure 5.
(2) When {ID A , R A , T A } is received, B picks an ephemeral secret key e B ∈ Z * q , calculates T B = e B P, and returns {ID B , R B , as the shared session key, where and two shared secrets The key agreement phrase of our proposed construction Note that our construction provides a method to construct eCK secure ID-AKA protocols; however, parameters C 1 , C 2 , C 3 , and C 4 should be fixed in the real execution environment.One can choose a concrete and efficient protocol derived from our construction to execute in the real environment, e.g., protocol ∑ 1,1,−1,−1 , protocol ∑ 1,−1,−1,1 and protocol ∑ 1,1,2,2 described in Section 6.

Construction Correctness
The following provides the correctness of our construction.As PK B = R B + H 1 (ID B ||R B ) P pub = s B P, PK A = R A + H 1 (ID A ||R A )P pub = s A P, T A = e A P and T B = e B P, we can obtain: as their session key.Hence the correctness holds.

Security Proof
Here, the events in our security proof are complementary, while they are not complementary in [27], and the security proof can be reduced to the following theorems.Theorem 1. Provide two random oracles, H 1 and H 2 , the proposed ID-AKA protocol is secure in the eCK model based on the GDH assumption over the elliptic curve group.
Proof.This theorem is under the condition that the two conditions shown in Definition 3 hold.The correctness analysis shows that the first condition stands.The second condition would be proven by contradiction, i.e., there is an adversary who can execute a PPT algorithm to win the game with non-negligible probability, we can use M to create a GDH solver CH who can find a solution for the GDH instance.
Assume M is a polynomially (in security parameter k) bounded adversary whose advantage is Adv M (k).Suppose that M activates no more than n p (k) different honest parties, and each party can take part in no more than n s (k) sessions.Suppose that M chooses ∏ n a,b , the nth protocol session which executes between party ID a (the owner) and the target party ID b (the peer) as the test session.Assume that M performs, at most, n h (k) H 2 queries.
According to Adv AKE (M) = |2Pr[M wins] − 1|, we can derive that Pr[M wins] is non-negligible as Adv AKE (M) is non-negligible.As H 2 is modeled as a random oracle, M can make a clear distinction between a random string and the tested session key in the following three ways: A1.Guessing attack: M directly guesses the correct session key.A2.Key replication attack: M successfully creates a session that cannot match the test session while holding the same session key.Here, M can obtain the test session key by querying the non-matching session key.A3.Forging attack: Sometimes, M makes H 2 queries on (ID a , ID b , R a , R b , T a , T b , K 1 , K 2 ) in the test session.Here, M calculates K 1 and K 2 itself.
The guessing of H 2 's output is with the negligible probability O(1/2 k ).If two sessions are different, H 2 has the same input by probability O(n s (k) 2 /2 k ), which is also negligible.Then, M can provide the difference between a random string and the tested session key only by forging attack.
Next, a reduction approach is applied to analyze the forging attack.This approach reduces the protocol security to the hardness of mathematical problems in the GDH assumption.By making assumptions about the adversary, a challenger can solve a GDH instance with the queried data and forged session key derived by a query-respond game between them.As the GDH instance cannot be solved with the current computation ability in polynomial time, the assumptions about the adversary are invalid, and the proposed ID-AKA protocols are secure.Now, the detailed descriptions of the reduction proofs are as follows.
If M can successfully execute forging attack with non-negligible probability Adv F M (k), we will use M to create a GDH solver CH to find a solution for the GDH instance with Adv GDH S (k).Here, GDH instance is (U = uP, V = vP), and u, v ∈ Z * q , P ∈ G, CH plans to calculate GDH(U, V) = uvP performing the DDH oracle.CH acts as a challenger that performs the eCK game with M and makes response for M's queries.
Before the game starts, CH guesses the test session that M's choices is ∏ n a,b with a correct probability at least 1/n p (k) 2 n s (k).Next, CH needs to guess the strategy that M adopts.Then, according to Definition 2, test session ∏ n a,b has the matching session ∏ l b,a , then M can only passively forward messages between participant ID a and participant ID b , i.e., messages including public key materials and ephemeral keys of ∏ n a,b and ∏ l b,a are selected by CH.Test session ∏ n a,b has no matching session, then M alters some messages at its own will, i.e., messages including the public key material and the ephemeral key of One of the former operation successes is if M succeeds in a forging attack with nonnegligible probability.Therefore, the assumption about adversary M is invalid, and the proposed ID-AKA protocol is secure in the eCK model.

The Analysis of Strategy S1
In this subsection, we analyze strategy S1.

•
Setup: CH initializes a list Setup list with entries of (ID i , (d i , R i ), PK i ).CH creates the system parameters and long-term private keys of all parties as follows.
-CH picks P pub ∈ G at random, and exposes ⟨E/F p , G, q, P, P pub , H 1 , H 2 ⟩.Thus, CH cannot obtain any information about KGC's master key.
-For ID a , CH sets the long-term private key (⊥, R a ), where h a ∈ R Z * q , R a = U − h a P pub .Thus, PK a = R a + h a P pub = U.

-
For ID i (i ̸ = a), CH sets the long-term private key (s i , R i ), where h i , s i ∈ R Z * q , R i = s i P − h i P pub .Thus, PK i = R i + h i P pub = s i P.

-
For every participant, CH transfers (ID i , R i ) to M, and stores the tuple (ID i , (d i , R i ), PK i ) and (ID i , R i , h i ) in Setup list and H 1 list (described later), respectively.CH starts M by answering M's queries, as follows. - Then, CH randomly selects h i ∈ Z * q , appends (ID i , R i , h i ) to H 1 list , and sends and ∏ l b,a as the test session and its corresponding matching session, respectively, this condition can be met.
(2) For the test session ∏ n a,b , adversary M must have conducted H 2 queries on the values {ID a , ID b , R a , R b , T a , V, K 1 , K 2 }, where R a and R b are the public key materials of ID a and ID b picked by the challenger CH, respectively, T a and V are the outgoing messages of ID a and ID b picked by the challenger CH , respectively, and K 1 and K 2 are correctly formed.
Finally, CH receives the item in H 2 list and outputs GDH(U,

S
(k) can also be seen as non-negligible.Now, it derives the contradiction of the GDH assumption.

The Analysis of Strategy S2
In this subsection, we analyze strategy S2.

•
Setup: Setup list is an initially empty list with (ID i , (d i , R i ), PK i ).CH creates the system parameters and all parties' long-term private keys as follows.
-CH picks s ∈ Z * q at random, computes P pub = sP, and exposes system parameters ⟨E/F p , G, q, P, P pub , H 1 , H 2 ⟩.Thus, CH cannot obtain any information about KGC's master key.

-
For ID i , CH sets the long-term private key (s i , R i ), where h i , s i ∈ R Z * q , R i = s i P − h i P pub .Thus, PK i = R i + h i P pub = s i P.

-
For every participant, CH transfers (ID i , R i ) to M, and stores the tuple (ID i , (d i , R i ), PK i ) and (ID i , R i , h i ) in Setup list and H 1 list (described later), respectively.

*
Else CH performs the following steps.
• If ∏ m i,j = ∏ n a,b , CH sets r m i,j = ⊥, receives R a from Setup list , and replies with {ID a , R a , U}.

•
Else If ∏ m i,j = ∏ l b,a , CH sets r m i,j = ⊥, receives R b from Setup list , and replies with {ID b , R b , V}.

•
Else CH randomly chooses r m i,j ∈ Z * q , obtains R i from Setup list , and replies with {ID i , R i , r m i,j P}.

•
Finally, CH updates Send list , and updates State m i,j to completed if the newly generated message is the second message on the transcript.

•
Analysis: Here, we assume that ∏ n a,b is an initiator here.If M indeed chooses Strategy S2, ∏ n a,b and ∏ l b,a as the test session and its matching session, respectively, then CH continues this simulation.If M successfully executes the forging attack, it must have queried oracle H 2 (ID a , ID b , R a , R b , U, V, K 1 , K 2 ), where R a , R b , U, and V are all picked by the challenger CH, Finally, CH receives the item in H 2 list , and outputs GDH(U,

S
(k) can also be seen as also non-negligible.Now, it derives the contradiction of the GDH assumption.

The Analysis of Strategy S3
Here, we omit the detailed analysis of Strategy S3 as the analysis is almost the same as that for Strategy S1.

The Analysis of Strategy S4
In this subsection, we analyze strategy S4.

•
Setup: CH initializes a list Setup list with (ID i , (d i , R i ), PK i ).CH creates the system parameters and all parties' long-term private keys.
-CH picks P pub ∈ G at random, and exposes ⟨E/F p , G, q, P, P pub , H 1 , H 2 ⟩.Thus, CH does not obtain any information about KGC's master key.

-
For ID a , CH sets the long-term private key (⊥, R a ), where h a ∈ R Z * q , R a = U − h a P pub .Thus, PK a = R a + h a P pub = U.

-
For ID b , CH sets the long-term private key (⊥, R b ), where For every participant, CH transfers (ID i , R i ) to M, and stores (ID i , (d i , R i ), PK i ) and (ID i , R i , h i ) in Setup list and H 1 list (described later), respectively.
• Queries: CH maintains four lists H 1 list , H 2 list , Send list , and R list , which are initially empty and used for recording H 1 , H 2 , Send, and SessionKeyReveal oracles, respectively.CH performs the queries game with M as follows: , and KGCStaticKeyReveal: These five queries are described in the same way as those in Strategy S1.
, where tran m i,j , r m i,j , and State m i,j are the transcript by now, the ephemeral secret key, and the state by now, respectively.

*
If M is the second message on the transcript, CH sets State m i,j = completed and updates Send list .

*
Else CH randomly chooses r m i,j ∈ Z * q , obtains R i from Setup list , and replies with {ID i , R i , r m i,j P}.Then, CH updates Send list , and updates State m i,j to completed if the newly generated message is the second message on the transcript.

•
Analysis: Here, we assume that ∏ n a,b is an initiator.If M selects Strategy S4, ∏ n a,b and ∏ l b,a as the test session and its matching session, then CH does not abort in the simulation.If M successfully performs the forging attack, it must have queried oracle H 2 (ID a , ID b , U − h a P pub , V − h b P pub , T a , T b , K 1 , K 2 ), where T a , T b , U, and V are all picked by the challenger CH, As Adv F M (k) is non-negligible, Adv GDH S (k) can also be seen as non-negligible.Now, it derives the contradiction of the GDH assumption.Hence, a GDH instance cannot be embedded in the long-term private key in strategy S5.

•
Setup: Setup list is an initially empty list and (ID i , (d i , R i ), PK i ) is needed in this phase.CH creates the system parameters and all parties' long-term private keys.
-CH sets V as the system public key P pub and exposes the system parameters ⟨E/F p , G, q, P, P pub , H Finally, CH receives the item in H 2 list , and outputs GDH(U, ) − s a V using the knowledge of s a .Note that as C 1 ∈ Z * q , the solution of GDH(U, V) is correct.Let λ be a factor from the forking lemma for Strategy S5.CH's success probability is at least

S
(k) can also be seen as non-negligible.Now, it derives the contradiction of the GDH assumption.

The Analysis of Strategy S6
In this subsection, we will analyze strategy S6.A GDH instance cannot be embedded in the long-term private key in Strategy S6.

•
Setup: Setup list is an initially empty list, and (ID i , (d i , R i ), PK i ) is needed in this phase.CH creates the system parameters and all parties' long-term private keys.
-CH sets V as the system public key P pub and exposes ⟨E/F p , G, q, P, P pub , H 1 , H 2 ⟩. - The five queries H 1 (ID i , R i ), SessionKeyReveal(∏ m i,j ), Test(∏ m i,j ), KGCStaticKeyRevea, and H 2 (ID i , ID j , R i , R j , T i , T j , K 1 , K 2 ) are described in the same way as those in Strategy S5.

-
Corrupt(ID i ), EphemeralKeyReveal(∏ m i,j ) and Send(∏ m i,j ,M): These three queries are described to be the same as those in Strategy S4. as the test session, then CH continues this simulation.If M successfully performs the forging attack, it should execute H 2 query on (ID a , ID b , R a , R b , T a , T b , K 1 , K 2 ), where Note that ID a 's public key material R a and outgoing message T a are both picked by the challenger CH, and at least one of ID b 's public key material R b and outgoing message T b is chosen by M. By the forking lemma [27], CH replays M with the same input and tossing coins.Here, CH only changes the query results of a,b V using the knowledge of r n a,b .Note that as h b ̸ = h b , the solution of GDH(U, V) is correct.Let λ be a factor from the forking lemma in Strategy S6.CH's success probability is at least

S
(k) can also be seen as non-negligible.Now, it derives the contradiction of the GDH assumption.
The former formal security proof has proven that the proposed ID-AKA protocol ∑ C 1 ,C 2 ,C 3 ,C 4 is secure against some comment attacks of guessing attacks, key replication attacks, and forging attacks.Its security can be reduced to the hardness of GDH assumption over the elliptic curve group in the eCK model.

More Efficient Instantiations
As C i (i = 1, 2, 3, 4) ∈ Z * q , our construction needs six scalar multiplications (here, we ignore less time-consuming point additions and general hash function outputs), which is a bit higher than the NCL-16-II protocol [27] at the same security level.However, the NCL-16-II protocol is only a special protocol, while our construction will result in different special protocols with different C i values, for example, protocol ∑ 1,1,−1,−1 and protocol How should the values of C 1 , C 2 , C 3 , and C 4 be chosen in the real execution environment?It would be better to select values that result in more efficient instantiation as different protocols have different computation costs.The following provides some efficient instantiations of our construction.
).This protocol reduces two scalar multiplications compared with the general construction.
. This protocol only adds a point addition operation compared with the protocol of ∑ 1,1,−1,−1 .

Performance and Comparison
This section presents the efficiency and security comparison between our Protocols 1 and 2 with other competitive ID-AKA protocols.Note that only the HC protocols [13] were pairings-based ID-AKA protocols, the other ID-AKA protocols [21][22][23][24][25][26][27][28] and ours were all pairing-free.

Comparison of Computation Overheads
To evaluate the computational overhead, Table 2 lists the same execution time of different cryptographic operations, reported in [40].The execution time was calculated using the MIRACL library on a Samsung Galaxy S5 smartphone, equipped with a 2.5 GHz ARM Krait processor with 2GB RAM memory running the Android 4.4.2operating system.Next, the total execution times of these two protocols and the competitive ID-AKA protocols [13, [21][22][23][24][25][26][27][28] were computed, which are shown in Table 3.In our Protocols 1 and 2, to agree on a session key, each party needed to compute four ECC-based scalar multiplications, three ECC-based point additions, and two general hash function outputs.Therefore, the total computation time at each party was about 4T esm + 3T epa + 2T h ≈ 13.454 ms.Similarly, the communication costs of protocols in [13,21,24-28] were computed.In protocols ZHWY-19 [23] and NIKE [22], two parties had unbalanced computation costs, i.e., one party had a lower computation cost than the other party.Here, we adopted the lower computation cost of one party.According to Table 2, our Protocols 1 and 2 were nearly 80% of protocols NCL-16-II [27] and CKD [24], 100% of protocols [25] and [21,23,28], 72% of protocol XW [26], and 8% of the HC protocol [13] with relation to the computation cost.That is to say, our Protocols 1 and 2 almost had the lowest computation cost.The comparison results are shown in Figure 6.Energy consumption is one essential item for IoT communication, and the energy consumption of ID-AKA protocol decides the energy efficiency of IoT communication as it is executed by the IoT device.As shown in the former comparative computation overheads in Table 3, the computation costs were calculated.To compute the energy consumption of these key agreement algorithms, the IoT devices equipped with 3.0 V and 8.0 mA were selected.This parameter was set according to the power level of MICA 2 [41].For the proposed ID-AKA protocol, the energy consumption was 3.0 * 8.0 * 13.454 = 322.896mj, and the comparison results with similar protocols are shown in Figure 7. Therefore, the low computation overheads led to low energy consumption, and the proposed ID-AKA protocol had more advantages than similar protocols in relation to the costs of computation and energy.

Security Comparisons
As shown in Table 1, some related ID-AKA protocols can capture other security attributes, including known key security, no key control, resistance to basic impersonation attacks, replay attack resilience, resistance to man-in-the-middle attacks, and unknown key share resilience.But, for the proposed IA-AKA protocols, we did not consider explicit mutual authentication, as it can be easily achieved for all one-round protocols [13,21,[24][25][26][27][28] by adding a key confirmation.Here, the protocol PWCAS-22 [33] is based on physical unclonable function (PUF), and ZHVLH-23 [37] is based on pseudo-random permutation (PRF).The HC protocol [13], the NCL-16-II protocol [27], the DRS-20 protocol [30], and our protocols are provably secure in the eCK security model.But events in the security proof of NCL-16-II [27] are not complementary, which mismatches the freshness definition.Table 3 shows that our Protocols 1 and 2 can reach the best computation efficiency.
Compared with similar ID-AKA protocols, the proposed Protocols 1 and 2 presented the lowest computation and communication overheads, which could improve IoT com-munication efficiency in IoT applications.Meanwhile, with the increase in the number of devices, these ID-AKA protocols could also maintain high efficiency, as the key agreement process was executed between two different IoT users.The key agreement between the two parties was less affected by the number of devices in IoT applications and only affected by the hardware, software, and communication protocol in the public internet environment.Although the key agreement times will increase more, this can be ignored with the increasing IoT computation ability.

Conclusions
This paper first reviews several ID-AKA protocols without pairings in terms of security and efficiency.We carefully studied them and pointed out the security weaknesses against the ephemeral key reveal attack, key compromise impersonation attack, and launch collusion attack.We also proposed a family of ID-AKA protocols without pairings and proven the security in the eCK security model, a widely accepted security model for AKA protocols.Six strategy analyses were provided, and these ID-AKA protocols were proven to be secure in the eCK model based on the GDH assumption over the elliptic curve group.Then, the instantiations, performance and comparison were presented, and the results show that the proposed ID-AKA protocols were more efficient than other protocols in similar literature.In addition, these ID-AKA protocols no only improved communication security and efficiency in IoT applications, but also saved energy consumption for the communication process.
In the future, with the increasing amount of IoT devices, some security issues of identity authentication, data fine-grained access control, and user privacy protection should still be taken into consideration.Especially with the development of quantum computers and quantum computation, the anti-quantum attack security ID-AKA protocol will be a hot research direction.Meanwhile, many customized ID-AKA schemes should be designed to meet the special requirements of future IoT applications.

Figure 1 .
Figure 1.Network model for ID-AKA protocols.
) Now, M performs the query EphemeralKeyReveal(∏ ℓ A,B ) to reveal an ephemeral private key e A .With the knowledge of e M
∏ n a,b are chosen by CH, and another one of ID b is chosen by M, and, thus, for ID b , CH can only consider the long-term private key of ID b .With the former analysis and the freeness definition, CH guesses the operation that M selects one of the following six complementary choices.Note that, strictly speaking, the ephemeral private key of ID a refers to ∏ n a,b 's ephemeral private key, and the ephemeral private key of ID b refers to the matching session ∏ l b,a 's ephemeral private key.S1: ∏ n a,b has ∏ l b,a , and M obtains neither the long-term private key of ID a nor the ephemeral private key of ID b .S2: ∏ n a,b has ∏ l b,a , and M cannot obtain any information about the ephemeral private keys of ID a and ID b .S3: ∏ n a,b has ∏ l b,a , and M knows neither the ephemeral private key of ID a nor the longterm private key of ID b .S4: ∏ n a,b has ∏ l b,a , and M cannot obtain any information about the long-term private keys of ID a and ID b .S5: ∏ n a,b does not have a matching session, and M knows neither the ephemeral private key of ID a nor the long-term private key of ID b .S6: ∏ n a,b does not have a matching session, and M does not know any information about the long-term private keys of ID a and ID b .

5. 3 . 5 .
The Analysis of Strategy S5 ∏ n a,b has no matching session in strategy S5, thus at least one of ID b 's public key material R b and ID b 's ephemeral private key is chosen by M. If the adversary selects R b themselves, then the change in R b means the change in the ID b 's long-term private key s b .

•
Analysis: Here, we assume that ∏ n a,b is an initiator.If M selects Strategy S6 and ∏ n a,b

Figure 7 . 7 . 2 .
Figure 7.Comparison of energy consumption.7.2.Comparison of Communication Overheads Let |G |, |G 2 |, |G|, and |Z * q | represent elements sizes of G 1 , G 2 , G, and Z * q , respectively.Furthermore, assume |ID| and |H| represent the length of an identifier and a general hash output, respectively.Considering the Ate pairing and elliptic curves, |G 1 |, |G 2 |, |G|, |Z * q |, and |H| are 1024, 1024, 320, 160, and 160 bits, respectively.We assumed |ID| is 32 bits in length.Table 4 demonstrates the communication cost comparison of the key agreement phase.Note that in our Protocol 1 (Protocol 2), party A sends{ID A , R A , T A } to party B, where R A , T A ∈ G and ID A is the identity of A. Party B symmetrically sends {ID B , R B , T B } to party A, where R B , T B ∈ G and ID B is the identity of B. Therefore, the communication cost of our protocol 1 (protocol 2) is 2 * (|ID|+2|G|) = 2 * (32 + 2 * 320) = 1344 bits.The results show that Protocols 1 and 2 have the lowest communication cost.

•
Queries: CH maintains four lists, H 1 list , H 2 list , Send list , and R list , which are initially empty and used to record H 1 , H 2 , Send, and SessionKeyReveal oracles, respectively.
stored in H 2 list , CH replies with h 2 .ID i , ID j , R i , R j , T i , T j , * ) in R list .Then, if such an entry exists, CH sees if K 1 and K 2 are produced correctly by validating DDH(PK i +C 1 T i , PK j + C 2 T j , K 1 ) tively, where PK i = R i + H 1 (ID i , R i )P pub and PK j = R j + H 1 (ID j , R j )P pub .If both verifications pass, CH receives the corresponding SK m i,j and sets h 2 ← SK m i,j .Otherwise (at least one verification fails or none), CH picks h 2 ∈ {0, 1} k at random.Finally, CH inserts the tuple(ID i , ID j , T i , T j , K 1 , K 2 , h 2 ) into H 2list and provides h 2 as the answer.CH sets r m i,j = ⊥, gets R b from Setup list and replies with {ID b , R b , V}.•Else CH randomly chooses r m i,j ∈ Z * q , obtains R i from Setup list and replies with {ID i , R i , r m i,j P}. • Finally, CH updates Send list , and updates State m i,j to completed if the newly generated message is the second message on the transcript.ID ini , ID resp , R ini , R resp , T ini , T resp , SK m i,j ), where ini ∈ {i, j} and resp ∈ {i, j} denote the initiator and the responder of ∏ m i,j , respectively.CH receives State m i,j from Send list .If State m i,j ̸ = completed, CH returns ⊥.Then, if it exists, CH sees if K 1 and K 2 are produced correctly by validating DDH(PK ini + C 1 T ini , PK resp + C 3 T resp , K 1 ) = 1 and DDH(PK ini + C 3 T ini , PK resp +C 4 T resp , K 2 ) = 1, respectively, where PK ini = R ini + H 1 (ID ini , R ini )P pub and PK resp = R resp + H 1 (ID resp , R resp )P pub .If both verifications pass, CH receives the corresponding h 2 and sets SK m i,j ← h 2 .Otherwise (at least one verification fails or no such a tuple exists), CH picks SK m i,j ∈ {0, 1} k at random.Finally, CH inserts the tuple (∏ m i,j , ID ini , ID resp , R ini , R resp , T ini , T resp , SK m i,j ) into R list CH picks ξ ∈ {0, 1} k at random and sends ξ back to M. Otherwise, CH aborts.
*Else, CH seeks ( * ,? = 1 and DDH(PK i + C 3 T i , PK j + C 4 T j , K 2 ) ? = 1, respec--Corrupt(ID i ): If ID i = ID a , CHdiscontinues.Otherwise, CH responds with s i .* If M is the second message on the transcript, CH sets State m i,j = completed and updates Send list .* Else CH executes as follows.* * Else if ∏ m i,j = ∏ n a,b or ∏ m i,j = ∏ l b,a , CH aborts.* Else if the session key SK m i,j already exists, CH responds with SK m i,j .* Else CH obtains {ID ini , R ini , T ini } and {ID resp , R resp , T resp } from Send list , and looks up H 2 list to see if there is a tuple ( * , ID ini , ID resp , R ini , R resp , T ini , T resp , * ).??

•
Queries: CH maintains four lists H 1 list , H 2 list , Send list , and R list to store H 1 , H 2 , Send, and SessionKeyReveal oracles, respectively.CH performs the queries game with M as follows: -H 1 (ID i , R i ), SessionKeyReveal(∏ m i,j ), Test(∏ m i,j ), and H 2 (ID i , ID j , R i , R j , T i , T j , K 1 , K 2 ): These four queries are described in the same as those in Strategy S1. -Corrupt(ID i ): CH responds with (s i , R i ).If M is the second message on the transcript, CH sets State m i,j = completed and updates Send list . * 1 , H 2 ⟩.Thus CH cannot know KGC's master key.-For ID i , CH sets the long-term private key (s i , R i ), where h i , s i ∈ R Z * q , R i = s i P − h i P pub .Thus, PK i = R i + h i P pub = s i P. -For every participant, CH transfers (ID i , R i ) to M, and stores (ID i , (d i , R i ), PK i ) and (ID i , R i , h i ) in Setup list and H 1 list (described later), respectively.CH maintains four lists, H 1 list , H 2 list , Send list , and R list to store H 1 , H 2 , Send, and SessionKeyReveal oracles, respectively.CH performs the queries game with M as follows: -H 1 (ID i , R i ), KGCStaticKeyReveal, Test(∏ m i,j ), and H 2 (ID i , ID j , R i , R j , T i , T j , K 1 , K 2 ) are described the same as those in Strategy S1. -Corrupt(ID i ): If ID i = ID b , CH discontinues.Otherwise, CH responds with (s i , R i ).If M is the second message on the transcript, CH sets State m i,j = completed and updates Send list .CH sets r m i,j = ⊥, receives R a from Setup list , and replies with {ID a , R a , U}. • Else CH randomly chooses r m i,j ∈ Z * q , obtains R i from Setup list , and replies with {ID i , R i , r m i,j P}. • Finally, CH updates Send list , and updates State m i,j to completed if the newly generated message is the second message on the transcript.as the test session, then CH continues using the above simulation.If M successfully performs the forging attack with non-negligible probability, it should execute the H 2 query on * Note that ID a 's public key material R a and outgoing message U are both picked by the challenger CH, and at least one of ID b 's public key material R b and outgoing message T b is chosen by M. By the forking lemma [27], CH replays M with the same input and tossing coins.Here, CH only changes the query results of H 1 (ID b , R b ), i.e., CH sets H 1 (ID b , R b ) to h b , where h b ∈ Z * q and h b ̸ = h b .Then, if M succeeds, it should perform a query on H 2 with Thus, CH does not obtain any information about KGC's master key.-ForID a , CH sets the long-term private key (⊥, R a ), whereh a ∈ R Z * q , R a = U − h a P pub .Thus, PK a = R a + h a P pub = U. -For ID i (i ̸ = a), CH sets (s i , R i ) as the long-term private key, where h i , s i ∈ R Z * q , R i = s i P − h i P pub .Thus, PK i = R i + h i P pub = s i P. -Forevery participant, CH transfers (ID i , R i ) to M, and stores (ID i , (d i , R i ), PK i ) and (ID i , R i , h i ) in Setup list and H 1 list (described later), respectively.CH maintains four lists, H 1 list , H 2 list , Send list , and R list , which are initially empty and used for recording H 1 , H 2 , Send, and SessionKeyReveal oracles, respectively.CH starts M by answering M's queries as follows: •Queries:

Table 2 .
Execution time on a Samsung Galaxy S5.