#### Abstract

In* extended Key Compromise Impersonation* (eKCI)* attack* against* authenticated key establishment* (AKE) protocols the adversary impersonates one party, having the long term key and the ephemeral key of the other peer party. Such an attack can be mounted against variety of AKE protocols, including 3-pass HMQV. An intuitive countermeasure, based on BLS (Boneh–Lynn–Shacham) signatures, for strengthening HMQV was proposed in literature. The original HMQV protocol fulfills the deniability property: a party can deny its participation in the protocol execution, as the peer party can create a fake protocol transcript indistinguishable from the real one. Unfortunately, the modified BLS based version of HMQV is not deniable. In this paper we propose a method for converting HMQV (and similar AKE protocols) into a protocol resistant to eKCI attacks but without losing the original deniability property. For that purpose, instead of the undeniable BLS, we use a modification of Schnorr authentication protocol, which is deniable and immune to ephemeral key leakages.

#### 1. Introduction

An authenticated key establishment (AKE) protocol enables two parties: the initiator (starting the protocol, usually called Alice) and the responder (usually called Bob) to mutually identify themselves and establish a secret shared session key, subsequently used to protect communication channel. The* deniability* property for AKE protocols [1, 2] guarantees that parties still can mutually verify their identities, but the transcript of the protocol cannot be regarded as a proof that the parties have executed the protocol together. We distinguish the* initiator deniability* and the* responder deniability* as the deniability feature can be achieved for each party independently. Deniability may be desirable in various privacy protecting scenarios where the proof of interaction should not be transferable; for example, clients of some Internet services might wish to have the right and real possibility of denying using the service.

Many general AKE schemes have been proposed so far; see, for example, MQV [3], HMQV [4], SIGMA [5], KEA+ [6], NAXOS [7], CMQV [8], SMQV [9], E-NAXOS [10], Huang [11], or Kim et al. [12] with numerous additional modifications. Their security has been analyzed in many models, for example, CK [13], eCK [7], and seCK [9], under various attack scenarios. In Key Compromise Impersonation (KCI) attack scenario [14–16], an adversary, which obtained long term secrets of one party, say Alice, can execute AKE protocol with her, and impersonate her another party, say Bob, without using the long term secret of Bob. This attack is especially devastating when the correct identification is of the paramount importance. Imagine the attacker learning the long term key of a bank. Now, the attacker not only can play a role of the bank to any identity (which is obvious), but also can be authenticated as any identity in front of that bank, for example, can be authenticated to the account of some very rich person and subsequently order the money transfer from that logged-in account to his own.

In [17] Tang and Chen proposed a new impersonation attack type on AKE protocols called extended KCI (eKCI). In this attack, the adversary has access not only to Alice’s long term secret, but also to her ephemeral secret, for example, the ephemeral Diffie-Hellman key. With the knowledge of both these keys it can impersonate any party to Alice. This new kind of attack can be mounted against protocols already proven to be secure for regular KCI attacks, for example, NAXOS secure in the extended Canetti-Krawczyk model. In [17] authors exemplified the eKCI attack against HMQV protocol [4]. Subsequently they proposed an intuitive and elegant countermeasure based on BLS signatures [18]: in the rest of the paper we refer to this solution by BLS-HMQV.

From the design point of view BLS-HMQV is a composition of original HMQV with another layer of authentication, done by the BLS signature scheme. In BLS-HMQV, a party running the protocol sends to its peer an additional signature over some challenge depending on previous messages. The signature forms a proof of identity, since it can be produced only with the secret key corresponding to the certified public key of the signer. Unfortunately, there is one aspect of this solution which in some scenarios can be regarded as a serious drawback: signed messages in the protocol transcript may be used as undeniable proof for a third party where the communication with the signers took place. In this context the modification to HMQV proposed in [17] makes it resistant to eKCI, but at the same time the protocol loses its* deniability* property.

Therefore to achieve the deniability property altogether with the eKCI resistance, we follow two-layer architecture of BLS-HMQV. However in our modified protocol (called mHMQV) we exchange the undeniable layer of BLS with the deniable layer of Schnorr-like protocol from [19]. Therefore our proposition mHMQV is deniable like original HMQV and is eKCI resistant like BLS-HMQV, with its two-layer composition.

As a final remark we recall that secrecy and fairness of values generated by both parties rely on the internal implementation of pseudorandom number generator algorithm, which itself may utilize hardware based randomness or external environmental sources. One of the most comprehensive recommendations for such algorithms can be found in [20]. However note that even algorithms approved for scientific simulations [21], with super long periods, like [22], must be specially tuned for cryptographic purposes [23]. A practical construction for using external source of randomness in AKE protocol, resembling the common reference string model, is given in [24]. Secrecy of values gained in this way can be compromised if an adversary captures the measurements of the external source as well. An example countermeasure for that problem, which uses distributed leader election for selecting a random source of data, was proposed in [25]. As for the internal hardware sources of randomness, the promising approach of using physically unclonable functions is also considered, for example, [26, 27]. Such hardware functions rely on micro differences of the used material and characteristics of processes in production phase, which—as unpredictable and unrepeatable even for the device manufacturer—guarantee the uniqueness of the final results.

##### 1.1. Contribution and Organization of the Paper

The contributions of the paper are the following.

*(i) Undeniability of BLS-HMQV*. We show that BLS-HMQV protocol from [17], which is BLS based modification of HMQV, although resistant to eKCI is no longer deniable.

*(ii) Proposition of mHMQV-eKCI as Resistant and Deniable*. This is the main contribution. We propose an extension to HMQV (applicable to similar 2-party protocols) which protects against the eKCI attack and which does not destroy the protocol deniability property: for the initiator and subsequently for the responder. We use for that purpose the modified Schnorr identification scheme [19], which is secure even if the ephemeral secrets of parties are compromised. To the best of our knowledge it is the first proposition of this kind for AKE protocols so far.

*(iii) Prototype Implementation*. To compare the complexity overhead for deniability and eKCI resistance, we implemented prototypes of HMQV, the BLS based scheme (BLS-HMQV), and our deniable proposition mHMQV.

##### 1.2. Previous Work

In Table 1 we give the comparison showing the eKCI resistance and deniability feature of the majority of AKE protocols, alongside level of complexity (based on required computational effort for used operations) and number of rounds. Note that eKCI resistance in [11, 17, 31] is provided by undeniable signature scheme that is used to identify the parties to each other. In the case of [11, 17] BLS signatures are used: we call these protocols “without NAXOS” and “BLS-HMQV,” respectively. We observe and stress here that the scheme of [11] does not withstand repetition attack in the setup of eKCI. Namely, after the protocol execution between parties and (with the knowledge of the transcript), an adversary can later impersonate in front of if long term and ephemeral secrets of are leaked during the new sessions (and* vice versa*). Therefore we put “!” instead of “” in the table. Finally we denote the protocols we proposed in this paper by “mHMQV.”

Beside the typical protocols, securing the session key against the combinations of secrets leakages, comparable in terms of the exponentiation operations for Diffie-Hellman based key exchange and listed in Figure 1, there are schemes that address additional requirements and adversarial assumptions. The AKE schemes in identity-based setup using elliptic curves were analyzed, for example, in [32, 33]. Those 2-round schemes are still vulnerable to eKCI attacks (actually the first one does not withstand the regular KCI as well). Authors of [34] proposed a ring signature based scheme, useful for vehicles key exchange and authentication. Note that they use idea close to one already presented in [2]. However, as it was signaled in [2], the ring signature based authentication makes the schemes vulnerable to KCI and eKCI-adversary knowing the peer long term key can impersonate other parties to that peer. In [35] the lattice based HMQV version for postquantum era was proposed. The proposition exchanges the cryptographic building blocks, preserving the construction design, but as the original version, it is still eKCI vulnerable. It is an interesting open question how this particular postquantum HMQV construction can be improved, as the modification based on [19] proposed in our paper is also vulnerable to quantum attacks. There are also approaches for a partial leakage of cryptographic material and bad randomness. The security model assuming partial leakage of bits of secret keys was analyzed in [36]; however the proposed solution is based on the signatures and as so is undeniable. The next solution from [37], addressing similar problem, results in 2-round protocol which still is not eKCI resistant. Another 2-round protocol from [38], addressing the “bad randomness” problem for pseudorandom number generators in user devices, is also not eKCI resistant. Another AKE construction, secure without ROM under the hardness of integer factorization problem, code-based problems, or learning with errors problems, was proposed in [39]. Note that this proposition also is not secure to aKCI attacks. In [40] the authors analyzed security model with the adversary registering arbitrary bit strings as keys. They showed generic results for protocols that achieve security even if some keys have been produced maliciously in this way. However this also does not solve the eKCI resistance for typical protocols; for example, the strengthened version of CMQV presented there is still eKCI vulnerable.

To the best of our knowledge the problem of construction of an AKE protocol, both deniable and withstanding eKCI, as stated in Section 1.1, is still open in literature, since the original eKCI introduction in [17]. Please note, additionally, that in the context of immunizing AKE protocols to eKCI attacks, the construction [41], which follows up the paper [19] and is a modification of Okamoto identification scheme, can be also taken into consideration as the authentication layer: as it is deniable and resistant to ephemeral values leakage and setup.

*Organization of the Paper*. The paper is organized in the following way. In Section 2.2 we recall the HMQV protocol and discuss its deniability property. In Section 3 we recall the eKCI attack on HMQV and the defense method proposed in [17]. We discuss how that approach breaks the deniability of the original HMQV. In Section 4 we propose a solution to the eKCI attack on HMQV based on the modified Schnorr authentication protocol from [19]. We recall the original Schnorr authentication protocol, discuss its deniability property, and show that it is inadequate in setups where the ephemeral keys can be leaked. Then we propose using its modified version to get* initiator deniability.* Subsequently we show how the protocol can be modified further to achieve the* responder deniability*. We prove the security of our claims. In Section 6 we discuss the* proof-of-concept* implementation of our protocols.

#### 2. Preliminaries

##### 2.1. Notation

Presented AKE protocols are based on Diffie-Hellman (DH) key exchange, so we assume that corresponding computations are done within a group of prime order , where computational Diffie-Hellman assumption (CDH) holds.

Let (denotes initiator called Alice) and (denotes responder called Bob) be two peer parties of the key exchange protocol . Alice as initiator is the party which starts (sends the first message) the protocol . Bob is the other party. Let and denote pairs of long term secret/public keys of Alice and Bob, respectively, randomly chosen according to the key generating algorithm. Usually, apart from the long term keys, each party in protocol coins additional random secret key, called ephemeral key, used in computation during protocol execution. Let , denote ephemeral keys of Alice and Bob, respectively. Thus denotes the protocol run between the initiator (Alice) having the secret key , the ephemeral key , and the public key of Bob and the responder (Bob) having the secret key , the ephemeral key , and the public key of Alice.

Typical requirements after the authenticated key establishment protocol

is completed (i.e., after both parties finished their computations successfully) are the following:(i)Both parties mutually identified themselves. We denote that initiator speaks with responder of identity* Bob*. Bob knows he speaks with Alice.(ii)Both parties have computed the same session key.(iii)The session key is secret; that is, it is known only to the parties of the protocol.

The eKCI attack proposed in [17] affects the first requirement. Intuitively we demand that each party should use its secret key to perform the protocol and be accepted by its peer party. In eKCI attack the adversary can use the peer party secret to impersonate another party.

*Definition 1. *One says that AKE protocol is eKCI vulnerable if there exists an efficient adversary algorithm such that at least one of the probabilities is nonnegligible.

*Remark 2. *In the first event denotes the adversary which possesses Alice’s secrets but does not have Bob’s long term secret key . It is identified falsely by Alice as Bob. Similarly in the second event denotes the adversary which possesses Bob’s secrets but does not have Alice’s long term secret key . It is identified falsely by Bob as Alice. Note that this reflects the scenario in which a hacker, knowing secrets of the bank, can impersonate any user in front of that bank, subsequently ordering malicious money transfers on behalf of this user.

*Deniability Model*. In this point we recall the deniability model from [1], which is applicable to authenticated key establishment protocols.

*Definition 3. *One says that is a concurrently deniable key establishment protocol with respect to the class AUX of auxiliary inputs if, for any adversary , for any input of public keys and any auxiliary input , there exists a simulator that, running on the same inputs as , produces a simulated view which is indistinguishable from the real view of . That is, consider the following two probability distributions, where is the set of public keys of the honest parties: then for all probabilistic polytime machines Dist and all

We say that the protocol is* initiator deniable* if there exists the simulator , denoted as , that running on the same inputs as Bob (and without Alice’s secret key) can provide Alice’s part of the protocol. That is when Bob can simulate the whole transcript itself. Conversely, we say that the protocol is* responder deniable* if there exists the simulator , denoted as , that running on the same inputs as Alice (and without Bob’s secret key) can provide Bob’s part of the protocol. That is when Alice can simulate the whole transcript itself.

##### 2.2. Description of the 3-Pass HMQV

Let us recall the 3-pass protocol of the HMQV family from [4], which is proved to be secure against the standard KCI attacks. The two users Alice and Bob agree on a group of prime order , a generator of , a hash function , and a message authentication code function . Alice selects her long term private key at random and lets the trusted third party (TTP) certify the public key . Similarly, Bob selects his long term private key and lets the TTP certify the public key . The protocol is shown in Figure 1. The values and are defined as follows: where outputs the first bits of the input of the hash function , and is a security parameter. Note that = = = = = = . Thus the values and the secret session key computed independently on both sides are the same.

##### 2.3. Deniability of HMQV

Theorem 4. *HMQV is initiator deniable.*

*Proof. *We show that the protocol is* initiator deniable* as Bob can produce the transcript of the protocol execution alone, but with the same probability distribution as it would be produced altogether with Alice. Namely, the simulator (run with Bob’s input) chooses and computes and the rest of parameters , , , which does not require Alice’s secret key . Observe that for he does not apply the derivations from the protocol (the private key of Alice would be necessary). Instead, he makes use of the equality = .

It follows that a transcript cannot be regarded as a proof that Alice participates in the protocol execution. Similarly we state the following.

Theorem 5. *HMQV is responder deniable.*

*Proof. *It is analogical to the proof of Theorem 4. Alice can produce the transcript alone: (run with Alice’s view and input) chooses and computes and the rest of parameters , , , which does not require Bob’s secret key .

##### 2.4. eKCI Attack on the 3-Pass HMQV

We recall the original eKCI attack on HMQV from [17]. Suppose that an adversary has access to and and mounts an attack against Alice. After obtaining the first message the adversary computes = = . This equals . Then it computes the rest of parameters on Bob’s side and sends them to Alice, impersonating in this way itself as Bob. Note the fact that the computation of does not require the knowledge of . It is straightforward to verify that , and the adversary always succeeds in the attack.

#### 3. Prevention of the Attack: Undeniable Version

Let us recall the method from [17] protecting against the eKCI attack. The idea is that the users (Alice and Bob) should mutually demonstrate the knowledge of their long term private key to each other. The authors propose the use of deterministic BLS signature scheme [18]. We denote the resulting protocol as BLS-HMQV. The construction of that protocol is very intuitive: It can be viewed as two-layer approach:(i)The first layer is the original HMQV.(ii)The second layer includes the BLS signatures over the parameters of the HMQV protocol (parties identifiers, messages). Indeed any adversary algorithm that would break eKCI resistance of BLS-HMQV, that is, would impersonate one party by means of anything but the long term secret key (e.g., the other party parameters) would be immediately used to break unforgeability of BLS signature scheme.

##### 3.1. BLS-HMQV

First let us briefly recall the BLS scheme. Let , be groups of a prime order and be a generator of . Let . We assume that is a bilinear map, and a signer holds a private/public key pair , where . For a message , the signature generation and verification procedures are as follows:(1)The signer computes a signature , where .(2)The verifier checks whether = . If so, the signature is accepted.

The BLS-HMQV based solution to the eKCI attack on HMQV is depicted in Figure 2. We follow the notation from [17]. The important part of the protocol extension computed on the responder side is boxed. Similarly respective computations on the initiator side are underlined.

##### 3.2. Loosing Deniability

Although BLS-HMQV is resistant to eKCI attack, we observe that the protocol depicted in Figure 2 is* not initiator deniable*.

Theorem 6. *The BLS-HMQV protocol depicted in Figure 2 is not initiator deniable.*

*Proof. *Indeed, in order to produce a simulated transcript indistinguishable from the original one, a simulator (run with Bob’s input and without the knowledge of Alice’s secret key ) would have to create a verifiable signature . So it would be used as an efficient forger for the underlying BLS scheme, contradicting BLS security.

Corollary 7. *The BLS-HMQV protocol in not responder deniable due to the similar reasoning.*

#### 4. Our Proposition: Deniable Prevention to eKCI Attack

In this section we propose the deniable version of the solution to eKCI attack. It is based on exchanging the undeniable BLS layer from BLS-HMQV with the deniable identification (IS) scheme, for example, Schnorr IS. To illustrate the idea of the construction we first show the* initiator deniable* solution based on the Schnorr identification protocol [42]. Next we observe that this particular solution is imperfect in systems where the ephemeral secrets may be leaked: the security of the long term key relies on the security of the ephemeral key; thus once the ephemeral secrets are leaked the long term secrets are also compromised.

##### 4.1. The Basic Schnorr Based Imperfect Solution

Let us recall the Schnorr identification protocol from [42].

*Schnorr Identification Protocol*. Let be a group of prime order and be a generator of . Suppose that an authenticator possesses the certified private/public key pair , and a verifier already knows the public key .(1)The authenticator computes , and sends to the verifier.(2)The verifier choses and sends it to the authenticator.(3)The authenticator computes and sends to the verifier.(4)The verifier accepts the verification iff .

The* initiator deniable* version of the protocol from Figure 2 augmented with the Schnorr identification protocol is presented in Figure 3. The hash function effectively produces challenge computed from , which itself contains coined at Bob’s side.

*Deniability of the Basic Schnorr Based Solution*. To prove the deniability of the protocol (Figure 3) for Alice it suffices to show the construction of the efficient simulator that produces the protocol transcript without the knowledge of Alice’s secret . Indeed such a simulator exists: Bob simulates the messages of Alice with the distribution indistinguishable from the original one:(1)Bob chooses randomly .(2)Bob computes . Thus , although Bob does not know the value .(3)Having and Bob computes the rest of the parameters and protocol messages: , , are computed by Bob alone from his secrets; is computed as , where values on both sides are equal; hence . Thus he produces the transcript which has the same distribution as the original transcript that would be produced altogether with Alice.Note that message computed on Alice’s side does not contain . Otherwise it would be impossible to compute for . Indeed, this trick was used to provide deniability of PACE∣AA protocol from [43].

*Imperfection of the Basic Schnorr Based Solution*. The solution is imperfect in scenarios where ephemeral keys can be leaked. If the ephemeral secret is known to the adversary, it can compute Alice’s long term secret and impersonate her since then. Therefore in the next section we propose using the secure version from [19].

##### 4.2. Prevention of the Attack: Secure Deniable Solution

*Modified Schnorr Identification Protocol from [19]*. The idea of that protocol is to perform response computation in the exponent using a new generator . Let recall the steps:(1)The authenticator computes , and sends to the verifier.(2)The verifier computes a challenge and sends it to the authenticator.(3)The authenticator computes , and sends to the verifier.(4) The verifier accepts the verification iff .

Note that we do not require the intermediate computation of . Such intermediate values can be leaked in some scenarios and together with the leaked ephemerals can be used to compromise the long term keys. The modified HMQV protocol which uses the above technique for initiator is depicted in Figure 4. We denote the protocol as mHMQV-1.

*Deniability of the Modified Schnorr Based Solution*. The* initiator deniability* property is preserved. We state the following.

Theorem 8. *The mHMQV-1 protocol depicted in Figure 4 is initiator deniable.*

*Proof. *We have to show how the simulator (with Bob’s view) would produce the transcript , , , , , which has exactly the same distribution as the transcript produced by two parties Alice and Bob together. The simulator computes values , , , , , , where in the following way: It computes everything in the generator first. It takes , and randomly computes , = , and . Afterwards it is able to compute the commitment of the first message = = accordingly (as in the example from Section 4.1). , , are computed by Bob alone from his secrets as in HMQV. is computed as , because values on both sides are equal as . Then it computes . Note that it does not need to compute : this value is not a part of the transcript. Therefore the resulting transcript has exactly the same distribution as the transcript computed by Alice and Bob together.

*Proving of Interaction for Initiator*. Note that in the* initiator deniable* version of the protocol mHMQV-1 in Figure 4 the transcript could have been produced by Bob alone, or together by Alice and Bob really interacting with each other. Therefore the simple trick can be made by Alice to have a proof of interaction. She simply has to remember as the commitment to the value she uses in the first message. Usually ephemeral values are deleted once they are not needed anymore. However Alice may record the ephemeral value and produce it in front of the judge to prove that the transcript, and particularly , was not computed by Bob’s simulation. Indeed if Bob is to present he will have to break DLP problem for . Still, if Alice does not store , then no algorithm can tell if the transcript was the result of the protocol interaction or Bob’s simulation.

*Achieving Responder Deniability*. The deniability of the responder also can be achieved; however it requires a slight modification of the protocol. The mechanism is symmetrical. The procedures of Bob mimic/reflect the behavior of Alice: this also requires an additional message from Bob at the end (so 4 messages in total). Note that storing values and enables Alice and Bob to prove the interaction according to reasoning from Section 4.2.

We state that the modified protocol depicted in the Figure 5 provides deniability for both Alice and Bob:(i)The transcript can be simulated by the responder alone (Alice deniability).(ii)The transcript can be simulated by the initiator alone (Bob deniability). We call the protocol mHMQV-2. It is deniable for both the initiator and the responder.

Theorem 9. *The mHMQV-2 protocol depicted in Figure 5 is “initiator deniable.”*

*Proof. *Essentially it is as the proof of Theorem 8. The only difference is that the value is computed by the simulator as and included in the last fourth message (not in the second).

Theorem 10. *The mHMQV-2 protocol depicted in Figure 5 is “responder deniable.”*

*Proof. *Analogically it is as above. The simulator for the responder, with Alice’s secrets, produces the transcript , , , , , , where = should be equal to for = : It starts with and uniformly at random, computes = , and sets = , and = . Then it computes = as . is computed as , because values on both sides are equal as . The parameters , can be easily computable with the input of Alice. Subsequently it computes = .

#### 5. Key Security and eKCI Resistance

In this point we discuss the security aspects of the proposed modification.

*(i) Ephemeral Key Leakage Does Not Compromise Long Term Keys*. This addresses the problem with the regular Schnorr authentication signalized in Section 4.1.

*(ii) eKCI Resistance*. The mHMQV protocols, extended with the proposed modification of Schnorr identification scheme, are resistant against eKCI attack, that is, are immune against impersonation attacks of the adversary authenticator which learns both the long term key and the ephemeral key of the verifier.

*(iii) Session Key Security*. The resulting protocol mHMQV still fulfills the session key security of the original unmodified version. In other words, the proposed modifications do not affect and impair the original AKE security.

The following theorem states that leakage of authenticator’s ephemeral secret gives no advantage to the adversary whose goal is to extract the long term key.

Theorem 11. *No adversary can extract the long term secret key of the authenticator given public parameters, transcript of the protocol, and the ephemeral secret of the authenticator.*

*Proof. *The proof is by contradiction. W.l.o.g. let the authenticator be Alice, whose ephemeral key is leaked. Now suppose that some algorithm , when given the public parameters , transcript of the protocol , , , , , , and the ephemeral secret of Alice , outputs Alice’s long term secret in nonnegligible probability. Then we can use it as a subprocedure to break the DLP problem for a given value, say , for unknown . We have to prepare the input for , including as public key of Alice, and , as it would be computed by corresponding Alice’s secret key . We set up the system in which is the public key of Alice and a random is her ephemeral key. We simulate the transcript which would be indistinguishable from the real one. Hence we know and we can compute . Values , , , are also easily computable. The only problem here is to produce the suitable . Indeed in ROM we program as for randomly chosen . Then we compute , which equals = = . Then verification holds: = , and we obtain a perfect simulation in ROM. Now we treat the value output from as the discrete logarithm of .

##### 5.1. eKCI Resistance of mHMQV-1 and mHMQV-2

The eKCI resistance requires that the attacker cannot launch the impersonation attack, even if(1)the attacker knows the long term key of the verifier,(2)the ephemeral key of the verifier, after it is coined, is also leaked to the attacker as soon as it is coined. The attacker is required to possess and use the secret key corresponding to the public key of the authenticator with identity ID, to be positively verified and accepted with this identity ID.

*Remark 12. *It is of the paramount importance, here, to strictly follow the protocol scheduled steps and implement the protocol in the designed order. Indeed, if the verifier carelessly changes the protocol schedule and prepares the challenge before the very first step of the protocol (before receiving the commitment message ) and if the ephemeral is leaked to the attacker before the first message, then it possible to impersonate any ID, say with public key , but without corresponding secret . In this case the attacker follows the simulator : it starts with random and the leaked computes , = , and . Then it computes = as . Subsequently it computes . Then in the first message it sends to Bob precomputed and later on after receiving it sends back precomputed , impersonating itself in this way to Bob.

Theorem 13. *No adversary can authenticate as Alice in front of responder without the knowledge of the secret key “” corresponding to public in mHMQV-1 and mHMQV-2 protocols.*

*Proof. * *(**1) Reduction to Security of Mod-Schnorr [19]*. The proof is an immediate consequence of the security of the mod-Schnorr identification scheme: any attacker that would impersonate Alice without her keys in mHMQV-1 and mHMQV-2 protocols would be used to break the underlying security of the mod-Schnorr identification scheme [19]. Conversely assume that there is an effective adversary that impersonates Alice, without her secret key , in front of Bob in mHMQV-1 protocol with nonnegligible probability. We use that adversary as a subprocedure to break mod-Schnorr in the following way: We play the role of Bob for . After obtaining from we forward it to our challenger as the first message. Then after obtaining from our challenger we compute the values on Bob’s side and send the second message to . Now after the adversary issues an oracle query we set in ROM table return value . After outputs we forward it as the third message to our challenger. Note that if is successfully accepted in mHMQV-1 then it is also accepted in mod-Schnorr.*(**2) Reduction to CDH*. Below we show how that adversary can be used to break the instance of the underlying CDH problem, as in original paper [19]. Suppose the adversary plays Alice in front of Bob without the knowledge of her secret key and is accepted. We give the adversary the secret key of Bob. Note that Bob’s ephemeral key can only be given (leaked to the adversary only ASAP after it is created on Bob’s side). Since then is another representation of the challenge . We set up the system for with as the public key of Alice. Then we use a* rewinding technique* (as in regular Schnorr identification): we fix the random value used in by the algorithm and let interact twice with Bob, choosing each time a different random , say and . These will result with and accordingly. Note that on ’s query to we answer with the value . If Bob accepts both times we have and . Thus we have = , so we can compute = .

Theorem 14. *No adversary can be authenticated as Bob in front of Alice without the knowledge of the secret key corresponding to public in mHMQV-2 protocol.*

*Proof. *The proof is similar to the proof of Theorem 13. We omit it to save the space.

As a simple conclusion from Theorems 13 and 14 we state the following.

Corollary 15. *The protocols mHMQV-1 and mHMQV-2 are resistant to eKCI attacks.*

Now we address the security of the session key. This refers to the requirement that the session key established by the parties in the course of the protocol execution is known only to those parties. Usually the security model for the session key defines the so-called* session key security game*, in which the attacker is allowed to issue queries to various oracles, about the long term keys, and ephemeral keys of both parties. Usually the attacker is allowed to issue any combination of such queries, except those which would trivially reveal the session key. Eventually the attacker should not be able to distinguish whether the* test-key,* it was given, is the real established session key or some unrelated random value. However if it does distinguish that, with nonnegligible probability, it wins the security game, and the protocol is considered broken.

##### 5.2. Session Key Security

To show the session key security we follow the same approach as in [17]. It is based on the actual HMQV security proven in [44]. Now observe that extension from [17] that immunes HMQV against eKCI only adds BLS layer for authentication purposes and does not affect the underlying session key security of HMQV. We follow the same approach. We want to show that our modifications do not spoil the session key security of the original HMQV. Our modified version adds some additional computation on each side, providing extra deniable authentication steps, against eKCI attack. This extra computation does not affect the session key security of the original HMQV. We take for granted that HMQV is “session-key-secure”; that is, no adversary can learn the session key for the completed session between uncorrupted parties (refer [45] for proof of that in Canetti-Krawczyk model). Note that these extra computations can be easily simulated in ROM. Thus the execution of original HMQV can be easily transformed in execution of our mod versions. Now any attacker breaking the session key security of mHMQV could be used to break the session key security of org HMQV. We state the following.

Theorem 16. *If the original AKE protocol is “session-key-secure,” then the modified protocol, extended with the authentication method proposed in Section 4.2, is also “session-key-secure” assuming programmable random oracle model.*

*Proof. *The proof is by contradiction. Assume that there exists an efficient adversary algorithm that breaks the security of the modified protocol. We can use it as a subprocedure, to build the adversary algorithm , which breaks the session key security of the original “unmodified” protocol. Observe that each oracle query from can be served by via forwarding question and answers to/from corresponding oracles for org protocol. The only exception is queries concerning values and . These however can be easily simulated in ROM: for we set for some random and compute = as (for we simulate similarly). This way we transform the transcript of the original protocol “org” into the transcript of the modified protocol “mod.” Now any answer from concerns the session key we output as the answer of . If wins the session key security game for mod, then also wins the security game for org. This would contradict assumption about session key security of org protocol.

#### 6. Performance

Each of the proposed modifications of the scheme strengthens its security but requires performing certain amount of additional computations, which should be expected to affect the overall performance of the protocol. We implemented the basic scheme* (3-pass HMQV)*, the BLS based scheme* (BLS-HMQV)*, the basic Schnorr based imperfect modification* (mHMQV-0)*, the modified Schnorr based initiator deniable version* (mHMQV-1),* and the modified Schnorr based fully deniable version* (mHMQV-2)* in order to measure how much do the proposed improvements extend the execution time of the protocol.

##### 6.1. Implementation

Our implementations have been created using* Python 3* with the* Charm Crypto* library [46], a commonly used open-source cryptographic toolbox providing methods to perform operations on elliptic curves, including bilinear pairings and hashing and the* timeit* for measuring the average execution times. All computations are performed on the same NIST-approved symmetric elliptic curve with a 512-bit base field [47]. In order to measure nothing but the time of computations strictly related to the schemes, each implementation is created as a single program, where the two parties are simulated by interweaving methods.

##### 6.2. Results

Average execution time for each protocol has been measured by running 1000 full rounds of each version on a* Ubuntu 12* virtual machine with* Intel i7* 2.5 GHz and 8 GB RAM. The acquired results are presented in Table 2. As it was expected, each modified version of the protocol is 4 to 8 times slower than the original one. This is intuitively self-explained: each subsequent modification requires additional computing hashes and bilinear pairings.

As a first step in assessing which modifications affect the execution time of the protocols, we had to measure the execution times for every* building block* operation used in the protocol. The results can be seen in Table 3. It emerges that the bilinear pairing operation, crucial for our modifications, requires relatively much computational power. However, to better assess the protocols, we have measured how much time is taken for the most complex* building blocks*, as it has to be noticed that each of them may be used multiple times in a single protocol round.

A detailed assessment of time complexity for every protocol version has been presented in Table 4. It depicts how much time in the protocols is consumed by computing bilinear pairings, hashes, and modular exponents (ModPow operations). One can easily notice that the longer execution time in the modified versions resulted mostly from usage of bilinear pairings. One should take it into consideration while implementing these schemes, as some hardware enhancements could possibly improve the performance of the pairing routines and, as a result, the entire protocol.

Nevertheless, it has to be pointed that the average execution time remains to be just several milliseconds in all the cases, making any of the proposed modification applicable to implementation in real-world usage.

#### 7. Conclusion

In this paper we extended the results from [17]. We observed that the solution from [17], protecting HMQV against the eKCI attack, destroys the deniability property of HMQV. Therefore, following the two-layer construction of [17], we exchange the undeniable BLS signatures layer, with the modified Schnorr identification scheme from [19] resistant to ephemeral key leakages. This way we immune HMQV against eKCI in such a way that the deniability property is preserved. Compared with the undeniable solution from [17], in our* initiator deniable* version of the protocol Alice needs to compute one more exponentiation. The* initiator and responder* deniable version requires two more exponentiations (one more per side) and the additional fourth message. The conducted experiments confirmed that, despite the additional computational effort, the newly proposed protocols remain efficient enough to be implemented in real-world applications.

#### Conflicts of Interest

The authors declare that they have no conflicts of interest.

#### Acknowledgments

This work was partially supported by funding from Polish NCN Contract no. DEC-2013/09/D/ST6/03927.