Authenticated Key Exchange Protocol in the Standard Model under Weaker Assumptions

A two-party authenticated key exchange (AKE) protocol allows each of the two parties to share a common secret key over insecure channels even in the presence of active adversaries who can actively control and modify the exchanged messages. To capture the various kinds of malicious behaviour of the adversaries, there have been many efforts to define security models. Amongst them, the extended Canetti-Krawczyk (eCK) security model is considered one of the strongest and is widely adopted. In this paper, we present a pairing-based eCK-secure AKE protocol in the standard model. The underlying assumptions of our construction are the hardness of the decisional bilinear Diffie-Hellman (DBDH) problem and the existence of pseudorandom functions. It is notable that the previous constructions either based their security on random oracles or used somewhat strong assumptions such as the existence of strong pseudorandom functions. We believe our construction is well-suited for real-world implementations such as the TLS protocol suite, since it is simple and based on standard assumptions without random oracles.


Introduction
A two-party key exchange protocol has been a fundamental building block of cryptography and network security. It allows any two parties to share a common session key over an insecure channel. Since its introduction in 1976, the Diffie-Hellman key exchange protocol [DH76] has been the most famous key exchange protocol. However, as is well known, the Diffie-Hellman protocol is insecure against the man-in-the-middle attack, in which an adversary impersonates one party to the other in order to read and modify the messages exchanged between the two parties. This vulnerability exists because the parties are not authenticated in the Diffie-Hellman protocol.
To capture such vulnerabilities, including the man-in-the-middle attack, there have been many attempts [BR93, BR95, Can01, LLM07] to define security models for key exchange protocols in the presence of active adversaries who can read and modify the exchanged messages. Amongst several security models, the extended Canetti-Krawczyk (eCK) model proposed by LaMacchia, Lauter, and Mityagin [LLM07] is considered one of the strongest, since it captures various possible behaviours of an active adversary. For instance, the properties captured by the eCK model include the following:
• Implicit Key Authentication: If a key exchange protocol guarantees that no party apart from the protocol participants can compute the session key, the protocol is said to provide implicit key authentication. A key exchange protocol that provides implicit key authentication is said to be an authenticated key exchange (AKE) protocol.
• Key Confirmation: If a key exchange protocol guarantees that each party is assured that all other participants possess the same session key, the protocol is said to provide key confirmation.
• Known Key Security: Knowledge of a session key should not allow the adversary to learn the session keys of other sessions; no session key should depend on the session keys of other sessions.
• Security against Unknown Key Share (UKS) Attacks: Party A should not share a session key with party B while believing that it is sharing the session key with party C. The public keys and identities of the parties should be certified and confirmed, or incorporated into the protocol execution.
• Security against Key Compromise Impersonation (KCI) Attacks: Knowledge of the long-term secret key of party A should not enable the adversary to impersonate other honest parties to party A.
• (Weak) Forward Secrecy: A (passive) adversary who knows the long-term secret keys of any two parties should not be able to compute the past session keys of those two parties.
Since the proposal of the eCK security model, many eCK-secure AKE protocols have been presented [LLM07, KFU09, MO09, Ust08, Yan13, ASB15]. However, some of them [LLM07, KFU09, Ust08, ASB15] are proven secure only under the idealized assumption of the random oracle model (ROM), and the others are proven secure in the standard model but under somewhat strong hardness assumptions, such as the existence of strong pseudorandom functions [MO09] or of randomness extractor functions [Yan13].
Our Contribution. In this paper, we construct an eCK-secure AKE protocol based on pairings. Our construction is proven secure without the ROM assumption; the only assumptions are the existence of pseudorandom functions and the hardness of the decisional bilinear Diffie-Hellman (DBDH) problem. We remark that we use fewer and more standard assumptions than the previous works. As a result, we believe our construction is well-suited for real-world implementations such as the TLS protocol suite.
To help the reader's understanding, we provide a comparison of our protocol with several existing eCK-secure AKE protocols in Table 1. In general, AKE protocols in the standard model have a higher computational cost than those in the ROM. Nevertheless, it is remarkable that, among the AKE protocols in the standard model, our protocol outperforms Yang's P1 protocol [Yan13] and is comparable to Yang's GC-KKN protocol [Yan13] and the MO protocol [MO11]. Also note that our protocol uses a weaker assumption (the existence of pseudorandom functions) than those protocols, which rely on the existence of either a target collision-resistant function or a strong pseudorandom function.

Table 1 (header row only; the table body was not recovered): Protocol | Proof Model | Hardness Assumptions | Overall Computational Cost at a protocol principal

Preliminaries
Now we recall the preliminaries that we use in our protocol construction.

Pseudorandom Function
We recall the security definition of pseudorandom functions [KL07].
Definition 2.1 (Pseudorandom Function). Let $F : \{0,1\}^* \times \{0,1\}^* \to \{0,1\}^*$ be an efficient, length-preserving, keyed function. We say $F$ is a pseudorandom function if, for all probabilistic polynomial-time adversaries $A$, there exists a function $\varepsilon_{\mathrm{PRF}}$, negligible in the security parameter $k$, that bounds the advantage of $A$ in distinguishing oracle access to $F(key, \cdot)$ from oracle access to $f_{rnd}$, where $key \in \{0,1\}^k$ is chosen uniformly at random and $f_{rnd}$ is chosen uniformly at random from the set of functions mapping $k$-bit strings to $k$-bit strings.
Definition 2.2 (Decisional Bilinear Diffie-Hellman (DBDH) assumption). Let $k$ be the security parameter and $\mathcal{G}$ be a group generation algorithm. Let $(G, G_T, q, e) \leftarrow \mathcal{G}(1^k)$, where $q$ is a prime number, $G$ and $G_T$ are (the descriptions of) two groups of order $q$, and $e : G \times G \to G_T$ is (the description of) an admissible bilinear map. Let $g, g_1$ be two arbitrary generators of $G$.
The decisional bilinear Diffie-Hellman (DBDH) problem in $(G, G_T, q, e)$ is as follows. Consider the two distributions $(g, g_1, g^a, g^b, e(g, g_1)^{ab})$ and $(g, g_1, g^a, g^b, T)$ for some $a, b \in \mathbb{Z}_q$ and random $T \in G_T$. The decisional BDH assumption is said to hold in $(G, G_T, q, e)$ if, for all probabilistic polynomial-time algorithms $A$, the advantage of $A$ in distinguishing the two distributions,

$$\mathrm{Adv}^{\mathrm{DBDH}}_{G,G_T,q,e}(A) = \Big|\Pr\big[A(g, g_1, g^a, g^b, e(g, g_1)^{ab}) = 1\big] - \Pr\big[A(g, g_1, g^a, g^b, T) = 1\big]\Big|,$$

is negligible in the security parameter $k$.
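As an added illustration of Definition 2.2 (this code is not from the paper), the following Python script samples the two DBDH distributions in a deliberately insecure toy setting: $G$ and $G_T$ are both the additive group $\mathbb{Z}_q$ written in the paper's multiplicative notation, so "$g^a$" is $a \cdot g \bmod q$, and $e(P, Q) = P \cdot Q \bmod q$, which is bilinear. The modulus, the element names and the helper functions are assumptions made for the example. Because discrete logarithms are trivial in this group, the script also exhibits a distinguisher with advantage close to 1, which is exactly what the DBDH assumption rules out for a suitably chosen pairing group.

```python
import random

# Constructed toy parameters (assumption): G = G_T = Z_q as additive groups,
# with "exponentiation" being scalar multiplication. Insecure by design.
q = 1_000_003  # a prime


def exp(P: int, a: int) -> int:
    """'P^a' in the paper's notation: the scalar multiple a*P in the toy group G."""
    return (a * P) % q


def exp_T(Z: int, a: int) -> int:
    """'Z^a' in the toy target group G_T."""
    return (a * Z) % q


def e(P: int, Q: int) -> int:
    """Toy admissible bilinear map e : G x G -> G_T, here plain multiplication mod q."""
    return (P * Q) % q


def bilinear(P: int, Q: int, a: int, b: int) -> bool:
    """Check the bilinearity identity e(P^a, Q^b) == e(P, Q)^{ab}."""
    return e(exp(P, a), exp(Q, b)) == exp_T(e(P, Q), a * b)


def dbdh_tuple(real: bool, rng=random) -> tuple:
    """Sample (g, g1, g^a, g^b, Z): Z = e(g, g1)^{ab} if real, else a random T in G_T."""
    g, g1 = rng.randrange(1, q), rng.randrange(1, q)   # any non-zero element generates Z_q
    a, b = rng.randrange(1, q), rng.randrange(1, q)
    Z = exp_T(e(g, g1), a * b) if real else rng.randrange(q)
    return (g, g1, exp(g, a), exp(g, b), Z)


def dlog(base: int, P: int) -> int:
    """Discrete log in the toy group: a division mod q, which is why the toy is insecure."""
    return (P * pow(base, -1, q)) % q


def distinguisher(t: tuple) -> int:
    """Output 1 if the tuple is consistent with the 'real' DBDH distribution."""
    g, g1, ga, gb, Z = t
    a, b = dlog(g, ga), dlog(g, gb)
    return 1 if Z == exp_T(e(g, g1), a * b) else 0


def advantage(trials: int = 200, seed: int = 0) -> float:
    """Empirical Adv^DBDH of the distinguisher: |Pr[D(real) = 1] - Pr[D(random) = 1]|."""
    rng = random.Random(seed)
    p_real = sum(distinguisher(dbdh_tuple(True, rng)) for _ in range(trials)) / trials
    p_rand = sum(distinguisher(dbdh_tuple(False, rng)) for _ in range(trials)) / trials
    return abs(p_real - p_rand)


if __name__ == "__main__":
    print("bilinearity holds:", bilinear(3, 5, 7, 11))
    print("empirical DBDH advantage of the toy distinguisher:", advantage())
```

In a pairing group where the discrete logarithm problem is hard, no efficient distinguisher of this kind is believed to exist, and the quantity computed by `advantage()` is exactly the advantage that Definition 2.2 requires to be negligible.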
Extended Canetti-Krawczyk Model (eCK)

The motivation of LaMacchia et al. [LLM07] in designing the eCK model was that an adversary should have to compromise both the long-term and the ephemeral secret keys of a party to recover the session key.
Parties and Long-term Keys. Let $U = \{U_1, \ldots, U_{N_P}\}$ be a set of $N_P$ parties. Each party $U_i$, $i \in [1, N_P]$, has a pair of long-term public and secret keys $(pk_{U_i}, sk_{U_i})$. Each party $U_i$ owns at most $N_s$ protocol sessions.
Sessions. Each party may run multiple instances of the protocol concurrently or sequentially; we use the term principal to refer to a party involved in a protocol instance, and the term session to identify a protocol instance at a principal. The notation $\Pi^s_{U,V}$ represents the $s$-th session at the owner principal $U$, with intended partner principal $V$. The principal which sends the first protocol message of a session is the initiator of the session, and the principal which responds to the first protocol message is the responder of the session. A session $\Pi^s_{U,V}$ enters an accepted state when it computes a session key. Note that a session may terminate without ever entering the accepted state. Whether a session has terminated with or without acceptance is public information.
Partnering. Legitimate execution of a key exchange protocol between two principals $U$ and $V$ produces two partnering sessions, owned by $U$ and $V$ respectively. Two sessions $\Pi^s_{U,V}$ and $\Pi^{s'}_{U',V'}$ are said to be partners if all of the following hold: 1. both $\Pi^s_{U,V}$ and $\Pi^{s'}_{U',V'}$ have computed session keys; 2. the messages sent from $\Pi^s_{U,V}$ and the messages received by $\Pi^{s'}_{U',V'}$ are identical; 3. the messages sent from $\Pi^{s'}_{U',V'}$ and the messages received by $\Pi^s_{U,V}$ are identical; 4. $U = V'$ and $V = U'$; 5. exactly one of $U$ and $V$ is the initiator and the other is the responder.
The protocol is said to be correct if two partner sessions compute identical session keys.
Adversarial Powers. The adversary $A$ is a probabilistic polynomial-time algorithm in the security parameter $k$ that has control over the whole network. $A$ interacts with a set of sessions which represent protocol instances. $A$ can adaptively ask the following queries.
• Send$(U, V, s, m)$ query: This query allows $A$ to run the protocol. It sends the message $m$ to the session $\Pi^s_{U,V}$ as coming from the session $\Pi^{s'}_{V,U}$. $\Pi^s_{U,V}$ returns to $A$ the next message according to the protocol conversation so far, or the decision on whether to accept or reject the session. $A$ can also use this query to initiate a new protocol instance with blank $m$. This query captures the capabilities of an active adversary, who can initiate sessions and modify or delay protocol messages.
• SessionKeyReveal$(U, V, s)$ query: If a session $\Pi^s_{U,V}$ has accepted and holds a session key, $A$ gets the session key of $\Pi^s_{U,V}$. A session can only accept a session key once. This query captures known key attacks.
• EphemeralKeyReveal$(U, V, s)$ query: Gives all the ephemeral keys (per-session randomness) of the session $\Pi^s_{U,V}$ to $A$.
• Corrupt$(U)$ query: $A$ gets all the long-term secrets of the principal $U$. Then $A$ may set up long-term secrets at principal $U$ at will. This query does not reveal any session keys to $A$. It captures KCI attacks, UKS attacks and (weak) forward secrecy.
• Test$(U, s)$ query: Once a session $\Pi^s_{U,V}$ has accepted and holds a session key, $A$ can attempt to distinguish it from a random key. When $A$ asks the Test query, the session $\Pi^s_{U,V}$ first chooses a random bit $b \in \{0,1\}$; if $b = 1$, the actual session key is returned to $A$, otherwise a random session key chosen uniformly at random from the same session-key distribution is returned to $A$. This query may be asked only once.

Freshness. A session $\Pi^s_{U,V}$ is said to be fresh if and only if all of the following hold:
1. The session $\Pi^s_{U,V}$ and its partner (if it exists), $\Pi^{s'}_{V,U}$, have not been asked the SessionKeyReveal query.
2. If the partner $\Pi^{s'}_{V,U}$ exists, none of the following combinations have been asked: (a) Corrupt$(U)$ and EphemeralKeyReveal$(U, V, s)$; (b) Corrupt$(V)$ and EphemeralKeyReveal$(V, U, s')$.
3. If the partner $\Pi^{s'}_{V,U}$ does not exist, none of the following combinations have been asked: (a) Corrupt$(V)$; (b) Corrupt$(U)$ and EphemeralKeyReveal$(U, V, s)$.

Security Game.
• Stage 0: The challenger generates the keys using the security parameter $k$.
• Stage 1: $A$ is executed and may ask any of the Send, SessionKeyReveal, EphemeralKeyReveal and Corrupt queries to any session at will.
• Stage 2: At some point $A$ chooses a fresh session and asks the Test query.
• Stage 3: $A$ continues asking Send, SessionKeyReveal, EphemeralKeyReveal and Corrupt queries. The only condition is that $A$ cannot violate the freshness of the test session.
• Stage 4: At some point $A$ outputs a bit $b' \in \{0,1\}$, which is its guess of the value $b$ chosen in the test session. $A$ wins if $b' = b$.
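The partnering and freshness definitions above are bookkeeping rules over session transcripts and over the adversary's query history, so they can be checked mechanically. The following Python code is an added example, not part of the paper: it models sessions as records with their sent and received messages, implements the five partnering conditions and the three freshness conditions as stated in this section, and evaluates them against a constructed query log. The `Session` record, the query-tuple encoding and the sample sessions are assumptions of the example; the protocol messages are opaque strings, so no cryptography is run.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# A query is encoded as a tuple (assumption of this example):
#   ("SessionKeyReveal", U, V, s), ("EphemeralKeyReveal", U, V, s) or ("Corrupt", U)
Query = Tuple[str, ...]


@dataclass
class Session:
    """Challenger-side record of the session Pi^s_{U,V}."""
    owner: str                  # U, the principal that owns the session
    peer: str                   # V, the intended partner principal
    sid: int                    # s, the session index at the owner
    initiator: bool             # True if this session sent the first message
    sent: List[str] = field(default_factory=list)
    received: List[str] = field(default_factory=list)
    key: Optional[bytes] = None  # set once the session accepts


def are_partners(p: Session, q: Session) -> bool:
    """Conditions 1-5 of the Partnering definition."""
    return (
        p.key is not None and q.key is not None        # 1. both computed session keys
        and p.sent == q.received                       # 2. p's sent == q's received
        and q.sent == p.received                       # 3. q's sent == p's received
        and p.owner == q.peer and p.peer == q.owner    # 4. U = V' and V = U'
        and p.initiator != q.initiator                 # 5. exactly one initiator
    )


def find_partner(test: Session, sessions: List[Session]) -> Optional[Session]:
    """Return the partner session of `test` if one exists among `sessions`."""
    for cand in sessions:
        if cand is not test and are_partners(test, cand):
            return cand
    return None


def is_fresh(test: Session, sessions: List[Session], queries: List[Query]) -> bool:
    """Freshness of Pi^s_{U,V} given the adversary's query log."""
    asked = set(queries)
    U, V, s = test.owner, test.peer, test.sid
    partner = find_partner(test, sessions)

    # 1. neither the test session nor its partner had its session key revealed
    if ("SessionKeyReveal", U, V, s) in asked:
        return False
    if partner is not None and ("SessionKeyReveal", V, U, partner.sid) in asked:
        return False

    corrupt_u = ("Corrupt", U) in asked
    corrupt_v = ("Corrupt", V) in asked
    eph_test = ("EphemeralKeyReveal", U, V, s) in asked
    if partner is not None:
        # 2. partner exists: no principal may lose both long-term and ephemeral secrets
        eph_partner = ("EphemeralKeyReveal", V, U, partner.sid) in asked
        return not (corrupt_u and eph_test) and not (corrupt_v and eph_partner)
    # 3. no partner: the peer may not be corrupted, and the owner not fully exposed
    return not corrupt_v and not (corrupt_u and eph_test)


def constructed_sessions():
    """Constructed sample state: a matching pair plus a session whose reply was tampered with."""
    alice = Session("Alice", "Bob", 1, True, sent=["m1"], received=["m2"], key=b"k")
    bob = Session("Bob", "Alice", 1, False, sent=["m2"], received=["m1"], key=b"k")
    orphan = Session("Alice", "Bob", 2, True, sent=["m3"], received=["m2-altered"], key=b"k2")
    return alice, bob, orphan


if __name__ == "__main__":
    alice, bob, orphan = constructed_sessions()
    sessions = [alice, bob, orphan]
    print("alice/bob partners:", are_partners(alice, bob))
    # Corrupting both long-term keys without ephemeral reveals keeps the session fresh
    # (this is the weak forward secrecy case); Corrupt(U) plus the owner's ephemeral key does not.
    print("fresh under Corrupt(Alice), Corrupt(Bob):",
          is_fresh(alice, sessions, [("Corrupt", "Alice"), ("Corrupt", "Bob")]))
    print("fresh under Corrupt(Alice) + EphemeralKeyReveal(Alice, Bob, 1):",
          is_fresh(alice, sessions, [("Corrupt", "Alice"), ("EphemeralKeyReveal", "Alice", "Bob", 1)]))
    print("orphan fresh under Corrupt(Bob):", is_fresh(orphan, sessions, [("Corrupt", "Bob")]))
```

The `orphan` session illustrates condition 3: because the adversary altered the reply, no partner session matches its transcript, so corrupting the intended peer $V$ already violates freshness, while for the partnered session the same corruption is allowed as long as the partner's ephemeral key stays hidden.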
Definition of Security. Let $\mathrm{Succ}_A$ be the event that the adversary $A$ wins the eCK game.
Definition 3.1. A protocol $\pi$ is said to be secure in the eCK model if there is no probabilistic polynomial-time adversary $A$ who can win the eCK game with non-negligible advantage in the security parameter $k$.
The advantage of an adversary $A$ is defined as follows:

Construction of the Pairing-based eCK-secure AKE Protocol

We present a pairing-based construction of an eCK-secure AKE protocol, namely protocol EC-P1. Security of the protocol EC-P1 is proven in the standard model, assuming the hardness of the decisional bilinear Diffie-Hellman (DBDH) problem and the existence of pseudorandom functions.

Construction Details
The protocol EC-P1 shown in Table 2 is a Diffie-Hellman-style [DH76] key exchange protocol. Let $k$ be the security parameter and $\mathcal{G}$ be a group generation algorithm. Let $(G, G_T, q, e) \leftarrow \mathcal{G}(1^k)$, where $q$ is a prime number, $G$ and $G_T$ are (the descriptions of) two groups of order $q$, and $e : G \times G \to G_T$ is (the description of) an admissible bilinear map. Let $g, g_1$ be arbitrary generators of $G$ such that $g_1 = g^\alpha$ for arbitrary $\alpha \in \mathbb{Z}_q$. Let $(a_1, a_2)$ and $(b_1, b_2)$ be the long-term secret keys of Alice and Bob respectively, and let $A$ and $B$ be the long-term public keys of Alice and Bob respectively. Let $x, X$ and $y, Y$ be the ephemeral secret and public keys of Alice and Bob respectively for the current session. The execution of the protocol EC-P1 is illustrated in Table 2.

Security Analysis of the Protocol EC-P1
Theorem 4.1. Let $k$ be the security parameter and $\mathcal{G}$ be a group generation algorithm. Let $(G, G_T, q, e) \leftarrow \mathcal{G}(1^k)$, where $q$ is a prime number, $G$ and $G_T$ are (the descriptions of) two groups of order $q$, and $e : G \times G \to G_T$ is (the description of) an admissible bilinear map. Let $g, g_1$ be arbitrary generators of $G$ such that $g_1 = g^\alpha$, where $\alpha \in \mathbb{Z}_q$. If the DBDH assumption holds for $e : G \times G \to G_T$ and the function PRF is a pseudorandom function, then the protocol EC-P1 is secure in the eCK model.
Let $U = \{U_1, \ldots, U_{N_P}\}$ be a set of $N_P$ parties. Each party $U_i$ owns at most $N_s$ protocol sessions. Let $A$ be any adversary against the eCK challenger of the protocol EC-P1. Then the advantage of $A$ against the eCK security challenge of the protocol EC-P1, $\mathrm{Adv}^{\mathrm{eCK}}_{\text{EC-P1}}(A)$, is bounded as follows, where $C$ is the algorithm against a DBDH challenger:
Proof. We split the proof of Theorem 4.1 into two main cases: when a partner to the test session exists, and when it does not. We show that the advantage of the adversary $A$ in each of these cases is negligible.
Case 1a: Adversary corrupts both the owner and the partner principals of the test session.
Game 1: This is the original game. When the Test query is asked, the game 1 challenger chooses a random bit $b \leftarrow \{0,1\}$. If $b = 1$, the real session key is given to $A$; otherwise a random value chosen from the same session-key space is given. Hence,
Game 2: Same as game 1 with the following exception: before $A$ begins, two distinct random principals $U^*, V^* \leftarrow \{U_1, \ldots, U_{N_P}\}$ and two random numbers $s^*, t^* \leftarrow \{1, \ldots, N_s\}$ are chosen, where $N_P$ is the number of protocol principals and $N_s$ is the number of sessions on a principal. The session $\Pi^{s^*}_{U^*,V^*}$ is chosen as the target session and the session $\Pi^{t^*}_{V^*,U^*}$ as the partner to the target session. If the test session is not $\Pi^{s^*}_{U^*,V^*}$, or its partner is not $\Pi^{t^*}_{V^*,U^*}$, the game 2 challenger aborts the game. Unless this incorrect choice happens, game 2 is identical to game 1. Hence,
Game 3: Same as game 2 with the following exception: the game 3 challenger randomly chooses $\delta \leftarrow \mathbb{Z}_q$ and computes $K$ according to the protocol description, using $Z_1 = e(g, g_1)^{\delta a_1 b_1}$. When the adversary asks the Test$(U^*, V^*, s^*)$ query, the game 3 challenger answers with $K$.
We construct an algorithm $C$ against a DBDH challenger, using the adversary $A$ as a subroutine. The game 3 challenger sets all the long-term secret/public key pairs of the protocol principals. The algorithm $C$ runs a copy of $A$ and interacts with $A$, such that $A$ is interacting with either game 2 or game 3. The DBDH challenger sends the values $(g, g_1, g_1^\beta, g_1^\gamma, e(g, g_1)^\delta)$, where either $\delta = \beta\gamma$ or $\delta \leftarrow \mathbb{Z}_q$, as the inputs to the algorithm $C$. The game 3 challenger uses $g$ and $g_1$ as the generators for the protocol setup. Moreover, the game 3 challenger sets the value $X$ of the target session $\Pi^{s^*}_{U^*,V^*}$ to $g_1^\beta$ and the value $Y$ of the target session $\Pi^{s^*}_{U^*,V^*}$ to $g_1^\gamma$, and computes $W_1 = e(g^\beta, g)^{a_2}$ and $W_2 = e(g^\gamma, g)^{b_2}$. Upon receiving the Test$(U^*, V^*, s^*)$ query, the game 3 challenger computes $K$ using $e(g, g_1)^{\delta a_1 b_1}$ and answers. The game 3 challenger can answer all the other queries normally.
If $C$'s input satisfies $\delta = \beta\gamma$, the simulation constructed by the game 3 challenger is identical to game 2; otherwise it is identical to game 3. If $A$ can distinguish between the two games, then $C$ can answer the DBDH challenge. Hence,
Game 4: Same as game 3 with the following exception: the game 4 challenger randomly chooses $K \leftarrow \{0,1\}^k$ and sends it to the adversary $A$ as the answer to the Test$(U^*, V^*, s^*)$ query.
The game 4 challenger sets all the long-term secret/public key pairs and all the encryption key pairs of the protocol principals. Therefore, the challenger can answer all the queries normally.
If $K$ is computed using the real pseudorandom function with a hidden key, the simulation is identical to game 3, whereas if $K$ is chosen randomly from the session-key space, the simulation constructed is identical to game 4. Hence,
Semantic security of the session key in Game 4: Since the session key $K$ of $\Pi^{s^*}_{U^*,V^*}$ is chosen randomly and independently of all other values, $A$ does not have any advantage in game 4. Hence, $\mathrm{Adv}_{\mathrm{Game}\,4}(A) = 0$. (5)
Using equations (1)-(5) we find,

Case 1b: Adversary corrupts neither the owner nor the partner principal of the test session.
Game 1: This is the original game. When the Test query is asked, the game 1 challenger chooses a random bit $b \leftarrow \{0,1\}$. If $b = 1$, the real session key is given to $A$; otherwise a random value chosen from the same session-key space is given. Hence,
Game 2: Same as game 1 with the following exception: before $A$ begins, two distinct random principals $U^*, V^* \leftarrow \{U_1, \ldots, U_{N_P}\}$ and two random numbers $s^*, t^* \leftarrow \{1, \ldots, N_s\}$ are chosen, where $N_P$ is the number of protocol principals and $N_s$ is the number of sessions on a principal. The session $\Pi^{s^*}_{U^*,V^*}$ is chosen as the target session and the session $\Pi^{t^*}_{V^*,U^*}$ as the partner to the target session. If the test session is not $\Pi^{s^*}_{U^*,V^*}$, or its partner is not $\Pi^{t^*}_{V^*,U^*}$, the game 2 challenger aborts the game. Unless this incorrect choice happens, game 2 is identical to game 1. Hence,
Game 3: Same as game 2 with the following exception: the game 3 challenger randomly chooses $\delta \leftarrow \mathbb{Z}_q$ and computes $K$ according to the protocol description, using $Z_1 = e(g, g_1)^{\delta x y}$. When the adversary asks the Test$(U^*, V^*, s^*)$ query, the game 3 challenger answers with $K$.
We construct an algorithm $C$ against a DBDH challenger, using the adversary $A$ as a subroutine. The game 3 challenger sets all the long-term secret/public key pairs of the protocol principals except for the principals $U^*$ and $V^*$. The algorithm $C$ runs a copy of $A$ and interacts with $A$, such that $A$ is interacting with either game 2 or game 3. The DBDH challenger sends the values $(g, g_1, g^\beta, g^\gamma, e(g, g_1)^\delta)$, where either $\delta = \beta\gamma$ or $\delta \leftarrow \mathbb{Z}_q$, as the inputs to the algorithm $C$. The game 3 challenger uses $g$ and $g_1$ as the generators for the protocol setup. For the principal $U^*$, the long-term public key is computed as $g^\beta g^{a_2}$, and for the principal $V^*$, the long-term public key is computed as $g^\gamma g^{b_2}$. The game 3 challenger computes $W_1 = e(g, g_1)^{a_2 x}$ and $W_2 = e(g, g_1)^{b_2 y}$. Upon receiving the Test$(U^*, V^*, s^*)$ query, the game 3 challenger computes $K$ using $e(g, g_1)^{\delta x y}$ and answers. The game 3 challenger can answer all the other queries normally.
If $C$'s input satisfies $\delta = \beta\gamma$, the simulation constructed by the game 3 challenger is identical to game 2; otherwise it is identical to game 3. If $A$ can distinguish between the two games, then $C$ can answer the DBDH challenge. Hence,
Game 4: Same as game 3 with the following exception: the game 4 challenger randomly chooses $K \leftarrow \{0,1\}^k$ and sends it to the adversary $A$ as the answer to the Test$(U^*, V^*, s^*)$ query.
The game 4 challenger sets all the long-term secret/public key pairs and all the encryption key pairs of the protocol principals, as in the previous game. Therefore, the challenger can answer all the queries normally.
If $K$ is computed using the real pseudorandom function with a hidden key, the simulation is identical to game 3, whereas if $K$ is chosen randomly from the session-key space, the simulation constructed is identical to game 4. Hence,
Semantic security of the session key in Game 4: Since the session key $K$ of $\Pi^{s^*}_{U^*,V^*}$ is chosen randomly and independently of all other values, $A$ does not have any advantage in game 4. Hence,
Using equations (6)-(10) we find,

Case 1c: Adversary corrupts the owner of the test session, but does not corrupt the partner.
Game 1: This is the original game. When the Test query is asked, the game 1 challenger chooses a random bit $b \leftarrow \{0,1\}$. If $b = 1$, the real session key is given to $A$; otherwise a random value chosen from the same session-key space is given. Hence,
Game 2: Same as game 1 with the following exception: before $A$ begins, two distinct random principals $U^*, V^* \leftarrow \{U_1, \ldots, U_{N_P}\}$ and two random numbers $s^*, t^* \leftarrow \{1, \ldots, N_s\}$ are chosen, where $N_P$ is the number of protocol principals and $N_s$ is the number of sessions on a principal. The session $\Pi^{s^*}_{U^*,V^*}$ is chosen as the target session and the session $\Pi^{t^*}_{V^*,U^*}$ as the partner to the target session. If the test session is not $\Pi^{s^*}_{U^*,V^*}$, or its partner is not $\Pi^{t^*}_{V^*,U^*}$, the game 2 challenger aborts the game. Unless this incorrect choice happens, game 2 is identical to game 1. Hence,
Game 3: Same as game 2 with the following exception: the game 3 challenger randomly chooses $\delta \leftarrow \mathbb{Z}_q$ and computes $K$ according to the protocol description, using $Z_1 = e(g, g_1)^{\delta a_1 y}$. When the adversary asks the Test$(U^*, V^*, s^*)$ query, the game 3 challenger answers with $K$.
We construct an algorithm $C$ against a DBDH challenger, using the adversary $A$ as a subroutine. The game 3 challenger sets all the long-term secret/public key pairs of the protocol principals except for the principal $V^*$. The algorithm $C$ runs a copy of $A$ and interacts with $A$, such that $A$ is interacting with either game 2 or game 3. The DBDH challenger sends the values $(g, g_1, g^\beta, g^\gamma, e(g, g_1)^\delta)$, where either $\delta = \beta\gamma$ or $\delta \leftarrow \mathbb{Z}_q$, as the inputs to the algorithm $C$. The game 3 challenger uses $g$ and $g_1$ as the generators for the protocol setup. For the principal $V^*$, the long-term public key is computed as $g^\beta g^{b_2}$. Moreover, the game 3 challenger sets the value $X$ of the target session $\Pi^{s^*}_{U^*,V^*}$ to $g^\gamma$, and computes $W_1 = e(g^\gamma, g)^{a_2}$ and $W_2 = e(g, g_1)^{b_2 y}$. Upon receiving the Test$(U^*, V^*, s^*)$ query, the game 3 challenger computes $K$ using $e(g, g_1)^{\delta a_1 y}$ and answers. The game 3 challenger can answer all the other queries normally.
If $C$'s input satisfies $\delta = \beta\gamma$, the simulation constructed by the game 3 challenger is identical to game 2; otherwise it is identical to game 3. If $A$ can distinguish between the two games, then $C$ can answer the DBDH challenge. Hence,
Game 4: Same as game 3 with the following exception: the game 4 challenger randomly chooses $K \leftarrow \{0,1\}^k$ and sends it to the adversary $A$ as the answer to the Test$(U^*, V^*, s^*)$ query.
The game 4 challenger sets all the long-term secret/public key pairs and all the encryption key pairs of the protocol principals, as in the previous game. Therefore, the challenger can answer all the queries normally.
If $K$ is computed using the real pseudorandom function with a hidden key, the simulation is identical to game 3, whereas if $K$ is chosen randomly from the session-key space, the simulation constructed is identical to game 4. Hence,
Semantic security of the session key in Game 4: Since the session key $K$ of $\Pi^{s^*}_{U^*,V^*}$ is chosen randomly and independently of all other values, $A$ does not have any advantage in game 4. Hence,
Using equations (11)-(15) we find,

Case 1d: Adversary corrupts the partner of the test session, but does not corrupt the owner.
The analysis of this case is similar to the analysis of case 1c; the only difference is in game 3. We briefly explain the simulation of game 3 as follows. We construct an algorithm $C$ against a DBDH challenger, using the adversary $A$ as a subroutine. The game 3 challenger sets all the long-term secret/public key pairs of the protocol principals except for the principal $U^*$. The algorithm $C$ runs a copy of $A$ and interacts with $A$, such that $A$ is interacting with either game 2 or game 3. The DBDH challenger sends the values $(g, g_1, g^\beta, g^\gamma, e(g, g_1)^\delta)$, where either $\delta = \beta\gamma$ or $\delta \leftarrow \mathbb{Z}_q$, as the inputs to the algorithm $C$. The game 3 challenger uses $g$ and $g_1$ as the generators for the protocol setup. For the principal $U^*$, the long-term public key is computed as $g^\beta g^{a_2}$. Moreover, the game 3 challenger sets the value $Y$ of the target session $\Pi^{s^*}_{U^*,V^*}$ to $g^\gamma$, and computes $W_1 = e(g, g_1)^{a_2 x}$ and $W_2 = e(g^\gamma, g)^{b_2}$. Upon receiving the Test$(U^*, V^*, s^*)$ query, the game 3 challenger computes $K$ using $e(g, g_1)^{\delta b_1 x}$ and answers. The game 3 challenger can answer all the other queries normally.
Apart from the foregoing changes in the game 3 simulation, the rest of the simulation of case 1d is the same as in case 1c. Therefore, we get $\mathrm{Adv}^{\mathrm{eCK}}_{\text{EC-P1, Case 1d}}(A) \le N_P^2 N_s^2 \,\mathrm{Adv}^{\mathrm{DBDH}}_{G,G_T,q,e}(C) + \varepsilon_{\mathrm{PRF}}$.

Case 2a: Adversary corrupts the owner of the test session.
No partner to the target session exists. Note that the owner of the target session is $U^*$. We can further classify this case into two subcases as follows:
• (2a.1) No peer session to the target session exists; the adversary computes the protocol message itself in the role of the peer principal.
• (2a.2) A peer session to the target session exists; the adversary tricks the peer principal into computing the protocol message and delivers it to the owner principal.
2a.1: No peer session to the target session exists; the adversary computes the protocol message itself in the role of the peer principal.
In this case, the peer session is supposed to be at the principal $V^*$, but no peer session exists at $V^*$. If no peer session exists, the adversary $A$ needs to compute the protocol message as the partner of the target session by itself. In order to compute this message the adversary needs the long-term secret key $b_2$ of the principal $V^*$. Even for an unbounded adversary, the value $b_2$ is information-theoretically hidden, as the corresponding long-term public key $B$ is computed as $g^{b_1} g^{b_2}$. Therefore, the advantage of the adversary in this case is zero, and we get $\mathrm{Adv}^{\mathrm{eCK}}_{\text{EC-P1, Case 2a.1}}(A) = 0$.
2a.2: A peer session to the target session exists; the adversary tricks the peer principal into computing the protocol message and delivers it to the owner principal.
In this case, the adversary $A$ corrupts the owner principal $U^*$. Then the adversary picks an ephemeral secret key, computes a protocol message as coming from the owner $U^*$ (or the adversary may also use a previous message computed by the principal $U^*$), and sends it to the peer principal $V^*$. That way the adversary can trick the peer principal into computing a protocol message. Once the peer computes a protocol message in response to the message sent by the adversary (as if it came from $U^*$), the adversary sends this message to the owner principal $U^*$ as the message from the peer principal $V^*$. This message can be used as a responding message if the principal $U^*$ is the initiator of the target session; otherwise, it can be used as an initial message if the principal $U^*$ is the responder of the target session. Note that in this case the adversary does not know the ephemeral secret key picked at the intended peer principal $V^*$. We construct an algorithm $C$ against a DBDH challenger, using the adversary $A$ as a subroutine. The game-hopping simulation of this case is the same as in case 1c. Thus, $\mathrm{Adv}^{\mathrm{eCK}}_{\text{EC-P1, Case 2a.2}}(A) \le N_P^2 N_s^2 \,\mathrm{Adv}^{\mathrm{DBDH}}_{G,G_T,q,e}(C) + \varepsilon_{\mathrm{PRF}}$.
Case 2b: Adversary does not corrupt the owner of the test session.
We can further classify this case into two subcases as follows:
• (2b.1) No peer session to the target session exists; the adversary computes the protocol message itself in the role of the peer principal.
• (2b.2) A peer session to the target session exists; the adversary tricks the peer principal into computing the protocol message and delivers it to the owner principal.
2b.1: No peer session to the target session exists; the adversary computes the protocol message itself in the role of the peer principal.
In this case, the peer session is supposed to be at the principal $V^*$, but no peer session exists at $V^*$. If no peer session exists, the adversary $A$ needs to compute the protocol message as the partner of the target session by itself. In order to compute this message the adversary needs the long-term secret key $b_2$ of the principal $V^*$. Even for an unbounded adversary, the value $b_2$ is information-theoretically hidden, as the corresponding long-term public key $B$ is computed as $g^{b_1} g^{b_2}$. Therefore, the advantage of the adversary in this case is zero, and we get $\mathrm{Adv}^{\mathrm{eCK}}_{\text{EC-P1, Case 2b.1}}(A) = 0$.
2b.2: A peer session to the target session exists; the adversary tricks the peer principal into computing the protocol message and delivers it to the owner principal.
In this case, the adversary $A$ does not corrupt the owner principal $U^*$. The adversary may use a previous message computed by the principal $U^*$ and send it to the peer principal $V^*$. That way the adversary can trick the peer principal into computing a protocol message. Once the peer computes a protocol message in response to the message sent by the adversary (as if it came from $U^*$), the adversary sends this message to the owner principal $U^*$ as the message from the peer principal $V^*$. This message can be used as a responding message if the principal $U^*$ is the initiator of the target session; otherwise, it can be used as an initial message if the principal $U^*$ is the responder of the target session. Note that in this case the adversary does not know the ephemeral secret key picked at the intended peer principal $V^*$. We construct an algorithm $C$ against a DBDH challenger, using the adversary $A$ as a subroutine. The game-hopping simulation of this case is the same as in case 1d (but without allowing the adversary to corrupt the peer to the target session). Thus, $\mathrm{Adv}^{\mathrm{eCK}}_{\text{EC-P1, Case 2b.2}}(A) \le N_P^2 N_s^2 \,\mathrm{Adv}^{\mathrm{DBDH}}_{G,G_T,q,e}(C) + \varepsilon_{\mathrm{PRF}}$.
The cases treated in the proof of Theorem 4.1 are the following.
1. A partner to the test session exists.
(a) Adversary corrupts both the owner and the partner principals of the test session: Case 1a.
(b) Adversary corrupts neither the owner nor the partner principal of the test session: Case 1b.
(c) Adversary corrupts the owner of the test session, but does not corrupt the partner of the test session: Case 1c.
(d) Adversary corrupts the partner of the test session, but does not corrupt the owner of the test session: Case 1d.
2. A partner to the test session does not exist; the adversary is not allowed to corrupt the peer to the target session.
(a) Adversary corrupts the owner of the test session: Case 2a.
(b) Adversary does not corrupt the owner of the test session: Case 2b.

Table 1: Basic characteristics of a few eCK-secure AKE protocols.