Participants

Let 𝓢𝓝 and 𝓤 be the sets of all sensors and users, respectively, registered with the gateway GW. Let 𝓔 = 𝓤∪𝒮𝓝∪{GW}. We identify each entity E ∈ 𝓔 by a string, and interchangeably use E and ID_E to refer to this identifier string. To formally capture the user anonymity property, we assume that: (1) each user U ∈ 𝓤 has its pseudo identity PID_U in addition to the true identity ID_U and (2) the adversary 𝓐 is given only PID_U but not ID_U.

Protocol Executions

A user U ∈ may run multiple sessions of the authentication and key exchange protocol of a sca-wsn scheme, either serially or concurrently, to establish a session key with a sensor SN ∈ 𝒮𝓝 via assistance of the gateway GW. Therefore, at any given time, there could be multiple instances of the entities U, SN and GW. We use ${\Pi }_E^i$ to denote instance i of entity E ∈ 𝓔. Instances of U and SN are said to accept when they compute a session key in an execution of the protocol. We denote the session key of ${\Pi }_E^i$ by $s{k}_E^i$.

Long-Lived Keys

During the initialization of the protocol,

• each U ∈ 𝓤 chooses its password PW_U from a fixed dictionary 𝒟, and
• GW generates its master secret(s), issues a smart card to each U ∈ 𝓤, and shares a cryptographic key with each SN ∈ 𝒮𝓝.

Partnering

Informally, two instances are said to be partners of each other if they participate together in the same protocol session and as a result, compute the same session key. Formally, partnering between instances is defined in terms of the notion of session identifier. A session identifier (sid) is an identifier of a protocol session and is typically defined as a function of the messages exchanged in the session. Let $si{d}_E^i$ denote the sid of instance ${\Pi }_E^i$. We say that two instances, ${\Pi }_U^i$ and ${\Pi }_{SN}^j$, are partners if (1) both the instances have accepted and (2) $si{d}_U^i=si{d}_{SN}^j$.

Adversary Capabilities

We assume there exists an adversary 𝓐 running in a probabilistic polynomial time (ppt) in the security parameter κ, which represents the bit-length of session keys. We note that the size of the dictionary 𝒟 is a fixed constant that is independent of the security parameter κ. The ppt adversary 𝓐 has complete control of all communications between entities, can request for access to session keys and long-term keys, and can extract user’s information stored on the smart card. These capabilities of 𝓐 are modeled via the following oracle queries which are allowed for 𝓐 to make.

• $\mathsf{\text{Execute}}$ (${\Pi }_U^i$, ${\Pi }_{SN}^j$, ${\Pi }_{GW}^k$): This query models passive attacks against the protocol. It prompts an execution of the protocol between the instances ${\Pi }_U^i$, ${\Pi }_{SN}^j$ and ${\Pi }_{GW}^k$, and outputs the transcript of the protocol execution to 𝓐.
• $\mathsf{\text{Send}}$ (${\Pi }_E^i,m$): This query sends a message m to an instance ${\Pi }_E^i$, modelling active attacks against the protocol. Upon receiving m, the instance ${\Pi }_E^i$ proceeds according to the protocol specification. The message output by ${\Pi }_E^i$, if any, is returned to 𝓐. A query of the form $\mathsf{\text{Send}}$(${\Pi }_U^i$, start:⟨SN, GW⟩) prompts ${\Pi }_U^i$ to initiate a protocol session with instances of SN and GW.
• $\mathsf{\text{Reveal}}$ (${\Pi }_E^i$): This query captures the notion of known key security. The instance ${\Pi }_E^i$, upon receiving the query and if it has accepted, returns the session key, $s{k}_E^i$, back to 𝓐.
• $\mathsf{\text{CorruptLL}}(U)/\mathsf{\text{CorruptSC}}(U)$: These queries together capture the notion of two-factor security. The former returns the password of U while the latter returns the information stored in the smart card of U.
• $\mathsf{\text{CorruptLL}}$(SN): This query returns the long-lived secret(s) of the sensor SN, modelling node capture attacks.
• $\mathsf{\text{CorruptLL}}$(GW), modelling privileged insider attacks.
• $\mathsf{\text{CorruptVFR}}$(GW): This query returns the password verifiers stored by GW, modelling stolen verifier attacks.
• $\mathsf{\text{TestAKE}}$ (${\Pi }_E^i$): This query is used for determining whether the protocol achieves authenticated key exchange or not. If ${\Pi }_E^i$ has accepted, then depending on a random bit b chosen by the oracle, 𝓐 is given either the real session key $s{k}_E^i$ if b = 1 or a random key drawn from the session-key space if b = 0.
• $\mathsf{\text{TestUA}}$(U): This query is used for determining whether the protocol provides user anonymity or not. Depending on a randomly chosen bit b, 𝓐 is given either the identity actually used for U in the protocol sessions (when b = 1) or a random identity drawn from the identity space (when b = 0).

$\mathsf{\text{CorruptLL}}$ queries all together also capture the notion of perfect forward secrecy. SN and GW are said to be corrupted when they are asked a $\mathsf{\text{CorruptLL}}$ query while U is considered as corrupted if it has been asked both $\mathsf{\text{CorruptLL}}$ and $\mathsf{\text{CorruptSC}}$ queries.

Authenticated Key Exchange (AKE)

The AKE security of an authentication and key exchange protocol P is defined via the notion of freshness. Intuitively, a fresh instance is one that holds a session key which should not be known to the adversary 𝓐, and an unfresh instance is one whose session key (or some information about the key) can be known by trivial means. A formal definition of freshness follows:

Definition 1 (Freshness). An instance ${\Pi }_E^i$ is fresh if none of the following occurs:

1. 𝓐 queries $\mathsf{\text{Reveal}}({\Pi }_E^i)$ or $\mathsf{\text{Reveal}}({\Pi }_{E^{\prime }}^j)$, where ${\Pi }_{E^{\prime }}^j$ is the partner of ${\Pi }_E^i$.
2. 𝓐 queries both $\mathsf{\text{CorruptLL}}(U)$ and $\mathsf{\text{CorruptSC}}(U)$ when U is E itself or the peer entity of E.
3. 𝓐 queries $\mathsf{\text{CorruptLL}}(SN)$ when SN is E itself or the peer entity of E.
4. 𝓐 queries $\mathsf{\text{CorruptLL}}(GW)$.

Note that this definition of freshness is unable to capture the notion of perfect forward secrecy. (As explained in the next section, the authentication and key exchange protocol of our scheme does not provide perfect forward secrecy.) The AKE security of protocol P is defined in the context of the following two-stage experiment:

Experiment ExpAKE₀:

1. Stage 1. 𝓐 makes any oracle queries at will, except that:
   1. 𝓐 is not allowed to make the $\mathsf{\text{TestAKE}}$(${\Pi }_E^i$) query if the instance ${\Pi }_E^i$ is not fresh.
   2. 𝓐 is not allowed to make the $\mathsf{\text{Reveal}}$(${\Pi }_E^i$) query if it has already made a $\mathsf{\text{TestAKE}}$ query to ${\Pi }_E^i$ or its partner instance.
   3. 𝓐 is not allowed to access to the $\mathsf{\text{TestUA}}$ oracle.
2. Stage 2. Once 𝓐 decides that Stage 1 is over, it outputs a bit b^′ as a guess on the hidden bit b chosen by the $\mathsf{\text{TestAKE}}$ oracle. 𝓐 is said to succeed if b = b^′.

Let ${\mathsf{\text{SuccAKE}}}_0$ be the event that 𝓐 succeeds in the experiment ExpAKE₀, and ${\mathsf{\text{Adv}}}_P^{\mathrm{\text{AKE}}}(𝓐)$ denote the advantage of 𝓐 in breaking the AKE security of protocol P. Then, we define ${\mathsf{\text{Adv}}}_P^{\mathrm{\text{AKE}}}(𝓐)=2\cdot {\mathrm{\text{Pr}}}_{P,𝓐}[{\mathsf{\text{SuccAKE}}}_0]-1$.

Definition 2 (AKE Security). An authentication and key exchange protocol P is AKE-secure if ${\mathsf{\text{Adv}}}_P^{\mathrm{\text{AKE}}}(𝓐)$ is negligible for any ppt adversary 𝓐.

User Anonymity

An authentication and key exchange protocol that does not provide user anonymity may still be rendered AKE-secure. That is, the AKE security does not imply user anonymity. Therefore, a new, separate definition is necessary to capture the user anonymity property. Our definition of user anonymity is based on the notion of cleanness.

Definition 3 (Cleanness). A user U ∈ 𝓤 is clean if none of the following occurs:

1. 𝓐 queries both $\mathsf{\text{CorruptLL}}(U)$ and $\mathsf{\text{CorruptSC}}(U)$.
2. 𝓐 queries $\mathsf{\text{CorruptLL}}(GW)$.

Note that the definition of cleanness does not impose any restriction on making $\mathsf{\text{CorruptLL}}$ queries to sensors. This reflects our objective to achieve user anonymity even against sensors.

User anonymity is formalized in the context of the following two-stage experiment:

Experiment ExpUA₀:

1. Stage 1. 𝓐 makes any oracle queries at will, except that:
   1. 𝓐 is not allowed to make the $\mathsf{\text{TestUA}}$(U) query if the user U is not clean.
   2. 𝓐 is not allowed to corrupt GW and U if it has already made the $\mathsf{\text{TestUA}}(U)$ query.
   3. 𝓐 is not allowed to access to the $\mathsf{\text{TestAKE}}$ oracle.
2. Stage 2. Once 𝓐 decides that Stage 1 is over, it outputs a bit b^′ as a guess on the hidden bit b chosen by the $\mathsf{\text{TestUA}}$ oracle. 𝓐 is said to succeed if b = b^′.

Let ${\mathsf{\text{SuccUA}}}_0$ be the event that 𝓐 succeeds in the experiment ExpUA₀, and ${\mathsf{\text{Adv}}}_P^{\mathrm{\text{UA}}}(𝓐)$ denote the advantage of 𝓐 in attacking the user anonymity of protocol P. Then, we define ${\mathsf{\text{Adv}}}_P^{\mathrm{\text{UA}}}(𝓐)=2\cdot {\mathrm{\text{Pr}}}_{P,𝓐}[{\mathsf{\text{SuccUA}}}_0]-1$.

Definition 4 (User Anonymity). An authentication and key exchange protocol P provides user anonymity if ${\mathsf{\text{Adv}}}_P^{\mathrm{\text{UA}}}(𝓐)$ is negligible for any ppt adversary 𝓐.

Building Blocks

Description of the Scheme

The scheme consists of three phases: the registration phase, the authentication and key exchange phase, and the password update phase. During the system initialization, the gateway GW determines the following public parameters: (1) an elliptic curve group 𝔾 with a generator P of prime order q, (2) a MAC scheme $\Sigma =(\mathsf{\text{Mac}},\mathsf{\text{Ver}})$, (3) a symmetric encryption scheme $\Delta =(\mathsf{\text{Enc}},\mathsf{\text{Dec}})$, and (4) three hash functions H, J and I. We assume that these parameters are known to all parties in the network including the adversary 𝓐. As part of the system initialization, GW chooses two master secrets $y\in {\mathbb{Z}}_q^{*}$ and z ∈ {0, 1}^ℓ, computes its public key Y = yP, and shares a secret key k_GS = J(ID_SN‖z) with each sensor SN.

Authentication and key exchange phase.

U needs to perform this phase with SN and GW whenever it wishes to access to the sensor network and data. The steps of the phase are depicted in Fig. 1 and are described as follows:

1. Step 1. U inserts its smart card into a card reader and inputs its identity ID_U and password PW_U. Then, the smart card retrieves the current timestamp T_U, selects two random $x\in {\mathbb{Z}}_q^{*}$ and k_US ∈ {0, 1}^κ, and computes After the computations, the smart card sends the message M₁ = ⟨T_U,ID_SN,X,C_U,σ_U⟩ to the gateway GW.
2. Step 2. GW rejects the message M₁ (and aborts the session) if T_U is not fresh. Otherwise, GW computes K_UG = yX and k_UG = J(T_U‖X‖Y‖K_UG), and checks if ${\mathsf{\text{Ver}}}_{k_{UG}}(I{D}_{GW}\Vert I{D}_{SN}\Vert$ T_U‖C_U,σ_U) = 1. If the check fails, GW aborts the session. Otherwise, GW decrypts C_U with key k_UG and then EID_U with key z, and checks if the decryption of EID_U yields the same ID_U as produced through the decryption of C_U. If only the two IDs match, GW retrieves the current timestamp T_GW, computes and sends the message M₂ = ⟨ID_GW,T_GW,T_U,C_GW,σ_GW⟩ to the sensor SN.
3. Step 3. Upon receiving M₂, SN verifies that (1) T_GW is fresh and (2) ${\mathsf{\text{Ver}}}_{k_{GS}}(I{D}_{GW}\Vert I{D}_{SN}\Vert T_{GW}\Vert$ T_U‖C_GW,σ_GW) = 1. If any of the verifications fails, SN aborts the session. Otherwise, SN decrypts C_GW to obtain k_US and computes the session key sk and the authenticator ρ_SN as follows: Then, SN sends the message M₃ = ⟨ρ_SN⟩ to the user U.
4. Step 4. With M₃ in hand, U checks if ρ_SN is equal to H(k_US‖ID_SN‖T_U). U aborts the session if the check fails or otherwise computes the session key sk = H(k_US‖T_U‖ID_SN).

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 1. Our proposed authentication and key exchange protocol for wireless sensor networks.

https://doi.org/10.1371/journal.pone.0116709.g001

Performance and Security Comparison

In Table 1, we provide a comparative summary between our scheme and other sca-wsn schemes both in terms of computation and security. As shown in the table, our scheme requires the sensor SN to perform only lightweight cryptographic operations while enjoying provable anonymity in an extension of the widely accepted model of Bellare et al. [30]. While the recent schemes of Shi & Gong [12] and Choi et al. [20] provide forward secrecy, they impose 2 scalar-point multiplications on the resource-constrained sensor SN. Note that scalar-point multiplication is much more expensive than the lightweight cryptographic operations considered in the table, such as symmetric encryption/decryption, MAC generation/verification, and hash function evaluation. Moreover, these two schemes fail to achieve user anonymity despite their use of elliptic curve cryptography. The schemes presented in [10, 11, 13–19] are computationally efficient, but suffer from the inherent failure of user anonymity. To the best of our knowledge, all existing sca-wsn schemes fall into one of the two classes.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Table 1. A comparative summary of smart-card-based user authentication schemes for wireless sensor networks.

https://doi.org/10.1371/journal.pone.0116709.t001

According to Crypto++ 5.6.0 benchmarks that ran on an Intel Core 2 1.83 GHz processor under Windows Vista in 32-bit mode, SHA-1 and HMAC take 11.4 and 11.9 cycles per byte respectively; while AES (with 128-bit key) takes 12.6 to 16.9 cycles per byte, depending on the operation mode used—see Table 2 and we refer interested readers to http://www.cryptopp.com/benchmarks.html for Crypto++ benchmarks for commonly used cryptographic algorithms.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Table 2. Crypto++ 5.6.0 benchmarks for SHA-1, HMAC and AES.

https://doi.org/10.1371/journal.pone.0116709.t002

Our scheme requires the sensor SN to perform 1E+1A+2H operations which amount to about 4.5H operations. Therefore, in terms of computational requirements for SN, our scheme is comparable with other sca-wsn schemes [11, 13–16, 18, 19] using only lightweight cryptographic techniques. Although the schemes of Vaidya et al. [10] and Kim et al. [17] require SN to perform only 2 hash function evaluations, these schemes do not achieve user anonymity and are vulnerable to a stolen smart card attack. Under the non-tamper-resistance assumption of smart cards, our scheme is the only one that provides user anonymity and resists stolen smart card attacks.

User Anonymity

Theorem 1. Our authentication and key exchange protocol, P, provides user anonymity in the random oracle model under the ECCDH assumption in 𝔾 and the security of the symmetric encryption scheme Δ.

Proof. Let 𝓐 be a ppt adversary against the user anonymity property of protocol P. We prove the theorem by making a series of modifications to the original experiment ExpUA₀, bounding the difference in the success probability of 𝓐 between two consecutive experiments, and ending up with an experiment where 𝓐 has a success probability of 1/2 (i.e., 𝓐 has no advantage). Let ${\mathsf{\text{SuccUA}}}_i$ denote the event that 𝓐 correctly guesses the hidden bit b chosen by the $\mathsf{\text{TestUA}}$ oracle in experiment ExpUA_i. Let $t_{UA}^i$ be the maximum time required to perform the experiment ExpUA_i involving the adversary 𝓐.

Experiment ExpUA₁. In this experiment, we simulate the random oracle J as follows:

Simulation of the J oracle: For each J query on a string str, the simulator first checks if an entry of the form (str,j) is in a list called JList which contains all the input-output pairs of J. If such an entry exists in JList, the simulator returns j as the output of the J query. Otherwise, the simulator chooses a random ℓ-bit string j^′, returns j^′ in response to the query, and adds the entry (str,j^′) to JList.

For all other oracle queries of 𝓐, the simulator answers them as in the original experiment ExpUA₀. Then, ExpUA₁ is perfectly indistinguishable from ExpUA₀ and therefore, Claim 1 holds.

Claim 1. ${\mathrm{\text{Pr}}}_{P,𝓐}[{\mathsf{\text{SuccUA}}}_1]={\mathrm{\text{Pr}}}_{P,𝓐}[{\mathsf{\text{SuccUA}}}_0]$.

Experiment ExpUA₂. Here, we modify the experiment so that X is computed as follows:

The ExpUA₂ modification:

• The simulator chooses a random exponent $a\in {\mathbb{Z}}_q^{*}$ and computes A = aP.
• For each user instance, the simulator chooses a random $r\in {\mathbb{Z}}_q^{*}$ and sets X = rA.

As a result of the modification, each K_UG is set to rayP for some random $r\in {\mathbb{Z}}_q^{*}$. Since the view of 𝓐 is identical between ExpUA₂ and ExpUA₁, it follows that:

Claim 2. ${\mathrm{\text{Pr}}}_{P,𝓐}[{\mathsf{\text{SuccUA}}}_2]={\mathrm{\text{Pr}}}_{P,𝓐}[{\mathsf{\text{SuccUA}}}_1]$.

Experiment ExpUA₃. We next modify the computations of X and Y as follows:

The ExpUA₃ modification:

• The simulator chooses two random elements A, B ∈ 𝔾 and sets Y = B.
• For each instance of clean users, the simulator chooses a random $r\in {\mathbb{Z}}_q^{*}$ and sets X = rA. For other instances, the simulator computes X as in experiment ExpUA₂.
• For each instance of clean users, the simulator sets each k_UG to a random ℓ-bit string. For other instances, the simulator computes k_UG as in experiment ExpUA₂.

Since k_UG is set to a random ℓ-bit string (for instances of clean users), the success probability of 𝓐 may be different between ExpUA₃ and ExpUA₂ if it makes an J(T_U‖X‖Y‖K_UG) query. However, this difference is bounded by Claim 3.

Claim 3. $\mid {\mathrm{\text{Pr}}}_{P,𝓐}[{\mathsf{\text{SuccUA}}}_3]-{\mathrm{\text{Pr}}}_{P,𝓐}[{\mathsf{\text{SuccUA}}}_2]\mid \le 1/q_J\cdot {\mathsf{\text{Adv}}}_{𝔾}^{\mathrm{\text{ECCDH}}}(t_{UA}^3)$ , where q_J is the number of queries made to the J oracle.

Proof. We prove the claim via a reduction from the ECCDH problem which is believed to be hard. Assume that the success probability of 𝓐 is non-negligibly different between ExpUA₃ and ExpUA₂. Then we construct an algorithm 𝓐_ECCDH that solves the ECCDH problem in 𝔾 with a non-negligible advantage. The objective of 𝓐_ECCDH is to compute and output the value W = uvP ∈ 𝔾 when given an ECCDH-problem instance (U = uP, V = vP) ∈ 𝔾². 𝓐_ECCDH runs 𝓐 as a subroutine while simulating all the oracles on its own.

𝓐_ECCDH handles all the oracle queries of 𝓐 as specified in experiment ExpUA₃ but using U and V in place of X and Y. When 𝓐 outputs its guess b^′, 𝓐_ECCDH chooses an entry of the form (T_U‖X‖Y‖K,j) at random from JList and terminates outputting K/r. From the simulation, it is clear that 𝓐_ECCDH outputs the desired result W = uvP with probability at least 1/q_J if 𝓐 makes a J(T_U‖X‖Y‖K_UG) query for some instance of a clean user U ∈ 𝓤. This completes the proof of Claim 3.

Experiment ExpUA₄. We finally modify the experiment so that, for each clean user U ∈ 𝓤, a random identity $I{D}_U^{\prime }$ drawn from the identity space is used in place of the true identity ID_U in generating C_U.

Claim 4. $\mid {\mathrm{\text{Pr}}}_{P,𝓐}[{\mathsf{\text{SuccUA}}}_4]-{\mathrm{\text{Pr}}}_{P,𝓐}[{\mathsf{\text{SuccUA}}}_3]\mid \le {\mathsf{\text{Adv}}}_{\Delta }^{\mathrm{\text{IND-MEK}}}(t_{UA}^4)$ .

Proof. We prove the claim by constructing an eavesdropping adversary 𝓐_IND-MEK who attacks the indistinguishability of Δ in ${\mathbf{\text{Exp}}}_{\Delta }^{\mathrm{\text{IND-MEK}}}(𝓐,n,d,b)$ with advantage equal to $\mid {\mathrm{\text{Pr}}}_{P,𝓐}[{\mathsf{\text{SuccUA}}}_4]-{\mathrm{\text{Pr}}}_{P,𝓐}[{\mathsf{\text{SuccUA}}}_3]\mid$ (see Section 1 for details of experiment ${\mathbf{\text{Exp}}}_{\Delta }^{\mathrm{\text{IND-MEK}}}(𝓐,n,d,b)$).

𝓐_IND-MEK begins by choosing a random bit b ∈ {0, 1}. Then, 𝓐_IND-MEK invokes the adversary 𝓐 and answers all the oracle queries of 𝓐 as in experiment ExpUA₃ except that, for each clean user U ∈ 𝓤, it generates C_U by accessing its own encryption oracle as follows:

𝓐_IND-MEK outputs $(I{D}_U\Vert EI{D}_U\Vert k_{US},I{D}_U^{\prime }\Vert EI{D}_U\Vert k_{US})$ as the first plaintext-pair in the indistinguishability experiment ${\mathbf{\text{Exp}}}_{\Delta }^{\mathrm{\text{IND-MEK}}}$. Let c₁ be the ciphertext received in return for the first pair. 𝓐_IND-MEK sets C_U equal to the ciphertext c₁.

That is, 𝓐_IND-MEK sets C_U to the encryption of either ID_U‖EID_U‖k_US or $I{D}_U^{\prime }\Vert EI{D}_U\Vert k_{US}$. Now when 𝓐 terminates and outputs its guess b^′, 𝓐_IND-MEK outputs 1 if b = b^′, and 0 otherwise. Then, it is clear that:

• the probability that 𝓐_IND-MEK outputs 1 when the first plaintexts are encrypted in the experiment ${\mathbf{\text{Exp}}}_{\Delta }^{\mathrm{\text{IND-MEK}}}$ is equal to the probability that 𝓐 succeeds in the experiment ExpUA₃, and
• the probability that 𝓐_IND-MEK outputs 1 when the second plaintexts are encrypted in the experiment ${\mathbf{\text{Exp}}}_{\Delta }^{\mathrm{\text{IND-MEK}}}$ is equal to the probability that 𝓐 succeeds in the experiment ExpUA₄.

In the experiment ExpUA₄, the adversary 𝓐 gains no information on the hidden bit b chosen by the $\mathsf{\text{TestUA}}$ oracle because the identities of all clean users are chosen uniformly at random from the identity space. It, therefore, follows that ${\mathrm{\text{Pr}}}_{P,𝓐}[{\mathsf{\text{SuccUA}}}_4]=1/2$. This result combined with Claims 1–4 yields the statement of Theorem 1.

AKE Security

Theorem 2. As long as the MAC scheme Σ and the symmetric encryption scheme Δ are both secure, our authentication and key exchange protocol P is secure in the random oracle model under the ECCDH assumption in 𝔾.

Proof. Fix a ppt adversary 𝓐 against the security of the protocol P. To prove the theorem, we make a series of modifications to the original experiment ExpAKE₀, bounding the effect of each change in the experiment on the success probability of 𝓐 and ending up with an experiment where 𝓐 has a success probability of 1/2. We use ${\mathsf{\text{SuccAKE}}}_i$ to denote the event that 𝓐 correctly guesses the hidden bit b chosen by the $\mathsf{\text{Test}}$ oracle in experiment ExpAKE_i. Let $t_{AKE}^i$ be the maximum time required to perform the experiment ExpAKE_i involving the adversary 𝓐.

Experiment ExpAKE₁. This experiment is different from ExpAKE₀ in that the random oracle J is simulated as follows:

Simulation of the J oracle: For each J query on a string str, the simulator first checks if an entry of the form (str,j) is in a list called JList which contains all the input-output pairs of J. If such an entry exists in JList, the simulator returns j as the output of the J query. Otherwise, the simulator chooses a random ℓ-bit string j^′, returns j^′ in response to the query, and adds the entry (str,j^′) to JList.

The other oracle queries of 𝓐 are answered as in the original experiment ExpAKE₀. Then, since J is a random oracle, ExpAKE₁ is perfectly indistinguishable from ExpAKE₀, and Claim 5 immediately follows.

Claim 5. ${\mathrm{\text{Pr}}}_{P,𝓐}[{\mathsf{\text{SuccAKE}}}_1]={\mathrm{\text{Pr}}}_{P,𝓐}[{\mathsf{\text{SuccAKE}}}_0]$.

Experiment ExpAKE₂. Here, we modify the experiment so that X is computed as follows:

The ExpAKE₂ modification:

• The simulator chooses a random exponent $a\in {\mathbb{Z}}_q^{*}$ and computes A = aP.
• For each instance of users, the simulator chooses a random $r\in {\mathbb{Z}}_q^{*}$ and sets X = rA.

As a result, each K_UG is set to rayP for some random $r\in {\mathbb{Z}}_q^{*}$. Since the view of 𝓐 is identical between ExpAKE₂ and ExpAKE₁, it follows that:

Claim 6. ${\mathrm{\text{Pr}}}_{P,𝓐}[{\mathsf{\text{SuccAKE}}}_2]={\mathrm{\text{Pr}}}_{P,𝓐}[{\mathsf{\text{SuccAKE}}}_1]$.

Experiment ExpAKE₃. We further modify the experiment as follows:

The ExpAKE₃ modification:

• The simulator chooses two random elements A,B ∈ 𝔾 and sets Y = B.
• For each fresh instance, the simulator chooses a random $r\in {\mathbb{Z}}_q^{*}$ and sets X = rA. For other instances, the simulator computes X as in experiment ExpAKE₂.
• For each fresh instance, the simulator sets each k_UG to a random ℓ-bit string. For other instances, the simulator computes k_UG as in experiment ExpAKE₂.

Since k_UG is set to a random ℓ-bit string (for fresh instances), the success probability of 𝓐 may be different between ExpAKE₂ and ExpAKE₃ if it makes an J(T_U‖X‖Y‖K_UG) query. This difference is bounded by Claim 7.

Claim 7 $\mid {\mathrm{\text{Pr}}}_{P,𝓐}[{\mathsf{\text{SuccAKE}}}_3]-{\mathrm{\text{Pr}}}_{P,𝓐}[{\mathsf{\text{SuccAKE}}}_2]\mid \le 1/q_J\cdot {\mathsf{\text{Adv}}}_{𝔾}^{\mathrm{\text{ECCDH}}}(t_{AKE}^3)$ , where q_J is the number of queries made to the J oracle.

Proof. We prove the claim via a reduction from the ECCDH problem which is believed to be hard. Assume that the success probability of 𝓐 is non-negligibly different between ExpAKE₂ and ExpAKE₃. Then we construct an algorithm 𝓐_ECCDH that solves the ECCDH problem in 𝔾 with a non-negligible advantage. The objective of 𝓐_ECCDH is to compute and output the value W = uvP ∈ 𝔾 when given an ECCDH-problem instance (U = uP,V = vP) ∈ 𝔾². 𝓐_ECCDH runs 𝓐 as a subroutine while simulating all the oracles on its own.

𝓐_ECCDH handles all the oracle queries of 𝓐 as specified in experiment ExpAKE₃ but using U and V in place of X and Y. When 𝓐 outputs its guess b^′, 𝓐_ECCDH chooses an entry of the form (T_U‖X‖Y‖K,j) at random from JList and terminates outputting K/r. From the simulation, it is clear that 𝓐_ECCDH outputs the desired result W = uvP with probability at least 1/q_J if 𝓐 makes a J(T_U‖X‖Y‖K_UG) query for some fresh instance of any U ∈ 𝓤. This completes the proof of Claim 7.

Experiment ExpAKE₄. This experiment is different from ExpAKE₃ in that it is aborted if the following event $\mathsf{\text{Forge}}$ occurs.

$\mathsf{\text{Forge}}$: The event that the adversary 𝓐 makes a $\mathsf{\text{Send}}$ query that contains a MAC forgery.

Then we claim that:

Claim 8 $\mid {\mathrm{\text{Pr}}}_{P,𝓐}[{\mathsf{\text{SuccAKE}}}_4]-{\mathrm{\text{Pr}}}_{P,𝓐}[{\mathsf{\text{SuccAKE}}}_3]\mid \le q_{\mathrm{\text{send}}}\cdot {\mathsf{\text{Adv}}}_{\Sigma }^{\mathrm{\text{EF-CMA}}}(t_{AKE}^4)$ , where q_send is the number of queries made to the $\mathsf{\text{Send}}$ oracle.

Proof. Assume that the event $\mathsf{\text{Forge}}$ occurs with a non-negligible probability. Then, we construct an algorithm ${𝓐}_{\mathsf{\text{EF}}}$ who generates, with a non-negligible probability, a forgery against the MAC scheme Σ. The algorithm ${𝓐}_{\mathsf{\text{EF}}}$ is is given access to the ${\mathsf{\text{Mac}}}_k(\cdot )$ and ${\mathsf{\text{Ver}}}_k(\cdot )$ oracles. The goal of ${𝓐}_{\mathsf{\text{EF}}}$ is to produce a message/MAC pair (m,σ) such that: (1) ${\mathsf{\text{Ver}}}_k(m,\sigma )=1$ and (2) σ has not been output by the oracle ${\mathsf{\text{Mac}}}_k(\cdot )$ on input m.

Let n be the total number of MAC keys used in the sessions initiated via a $\mathsf{\text{Send}}$ query. ${𝓐}_{\mathsf{\text{EF}}}$ begins by choosing a random i ∈ {1, …, n}. Let k_i denote the i^th key among all the n MAC keys, and ${\mathsf{\text{Send}}}_i$ be any $\mathsf{\text{Send}}$ query that is expected to be answered and/or verified using k_i. ${𝓐}_{\mathsf{\text{EF}}}$ runs 𝓐 as a subroutine and answers the oracle queries of 𝓐 as in experiment ExpAKE₃ except that: it answers all ${\mathsf{\text{Send}}}_i$ queries by accessing its ${\mathsf{\text{Mac}}}_k(\cdot )$ and ${\mathsf{\text{Ver}}}_k(\cdot )$ oracles. As a result, the i^th MAC key k_i is not used during the simulation. If $\mathsf{\text{Forge}}$ occurs against an instance who holds ${𝓐}_{\mathsf{\text{EF}}}$ halts and outputs the message/MAC pair generated by 𝓐 as its forgery. Otherwise, ${𝓐}_{\mathsf{\text{EF}}}$ terminates with a failure indication.

If the guess i is correct, then the simulation is perfect and ${𝓐}_{\mathsf{\text{EF}}}$ achieves its goal. Namely, ${\mathsf{\text{Adv}}}_{\Sigma }^{\mathrm{\text{EF-CMA}}}({𝓐}_{\mathsf{\text{EF}}})=\mathrm{\text{Pr}}[\mathsf{\text{Forge}}]/n$. Since n ≤ q_send and ${𝓐}_{\mathsf{\text{EF}}}$ runs in time at most $t_{AKE}^4$, we get

This completes the proof of Claim 8.

Experiment ExpAKE₅. We next modify the way of answering queries to the H oracle as follows: Simulation of the H oracle: For each H query on a string str, the simulator first checks if an entry of the form (str,h) is in a list called HList which is maintained to store input-output pairs of H. If it is, h is the answer to the hash query. Otherwise, the simulator chooses a random κ-bit string h^′, answers the query with h^′, and adds the entry (str,h^′) to HList.

The other oracle queries of 𝓐 are handled as in experiment ExpAKE₄. Since ExpAKE₅ is perfectly indistinguishable from ExpAKE₄, it is clear that:

Claim 9. ${\mathrm{\text{Pr}}}_{P,𝓐}[{\mathsf{\text{SuccAKE}}}_5]={\mathrm{\text{Pr}}}_{P,𝓐}[{\mathsf{\text{SuccAKE}}}_4]$

Experiment ExpAKE₆. We finally modify the experiment so that the session key sk is set to a random κ-bit string for each fresh instance and its partner. Accordingly, the success probability of 𝓐 may be different between ExpAKE₆ and ExpAKE₅ if it asks an H query of the form H(k_US‖T_U‖ID_SN) for some uncorrupted U ∈ 𝓤 and SN ∈ 𝒮𝓝. But the difference is bounded by:

Claim 10 $\mid {\mathrm{\text{Pr}}}_{P,𝓐}[{\mathsf{\text{SuccAKE}}}_6]-{\mathrm{\text{Pr}}}_{P,𝓐}[{\mathsf{\text{SuccAKE}}}_5]\mid \le \frac{1}{q_H}\cdot {\mathsf{\text{Adv}}}_{\Delta }^{\mathrm{\text{IND-MEK}}}(t_{AKE}^6)$ , where q_H is the number of queries made to the H oracle.

Proof. We prove the claim by constructing an eavesdropper 𝓐_IND-MEK who attacks the indistinguishability of Δ in experiment ${\mathbf{\text{Exp}}}_{\Delta }^{\mathrm{\text{IND-MEK}}}(𝓐,n,d,b)$. 𝓐_IND-MEK invokes the adversary 𝓐 and answers all the oracle queries of 𝓐 as in experiment ExpAKE₅ except that it generates each C_GW to be sent to a fresh sensor instance by accessing its own encryption oracle as follows:

Let $k_{US}^{\prime }\ne k_{US}$ be a random string chosen from {0, 1}^κ. 𝓐_IND-MEK outputs $(k_{US},k_{US}^{\prime })$ as a plaintext pair in the indistinguishability experiment ${\mathbf{\text{Exp}}}_{\Delta }^{\mathrm{\text{IND-MEK}}}$. Let c be the ciphertext received in return for the plaintext pair. 𝓐_IND-MEK sets C_GW equal to the ciphertext c.

That is, each C_GW is set to the encryption of either k_US or $k_{US}^{\prime }$. Now when 𝓐 terminates and outputs its guess b^′, 𝓐_IND-MEK selects an entry of the form (k_US‖T_U‖ID_SN,h) at random from HList and outputs 0 if k = k_US, and 1 otherwise. If 𝓐 asks an H query of the form H(k_US‖T_U‖ID_SN) for some uncorrupted U ∈ 𝓤 and SN ∈ 𝒮𝓝, 𝓐_IND-MEK correctly guesses the bit b in its indistinguishability experiment with probability at least $\frac{1}{q_H}$ and therefore, Claim 10 follows.

In experiment ExpAKE₆, the adversary 𝓐 obtains no information on the hidden bit b chosen by the $\mathsf{\text{TestUA}}$ oracle since the session keys of all fresh instances are selected uniformly at random from {0, 1}^κ. Therefore, it follows that ${\mathrm{\text{Pr}}}_{P,𝓐}[{\mathsf{\text{SuccUA}}}_4]=1/2$. This result combined with Claims 5–10 completes the proof of Theorem 2.