One-round authenticated key exchange without implementation trick

Abstract

Fujioka et al. proposed the first generic construction (FSXY construction) of exposure-resilient authenticated key exchange (AKE) from key encapsulation mechanism (KEM) without random oracles. However, the FSXY construction implicitly assumes some intermediate computation result is never exposed though other secret information can be exposed. This is a kind of physical assumption, and an implementation trick (i.e., some on-line computation is executed in a special tamper-proof module) is necessary to achieve the assumption. Unfortunately, such an implementation trick is very costly and should be avoided. In this paper, we introduce a new generic construction without the implementation trick. Our construction satisfies the same security model as the FSXY construction without increasing communication complexity. Moreover, it has another advantage that the protocol can be executed in one-round while the FSXY construction is a sequential two-move protocol. Our key idea is to use KEM with public-key-independent-ciphertext, which allows parties to be able to generate a ciphertext without depending on encryption keys. © 2013 Springer-Verlag.