Interdomain Identity-Based Key Agreement Schemes

Research Article

Interdomain Identity-Based Key Agreement Schemes

Chun-I Fan,

Yi-Hui Lin,

Tuan-Hung Hsu,

and Ruei-Hau Hsu

1_{Department of Computer Science and Engineering, National Sun Yat-sen University, Kaohsiung 804, Taiwan}

2_{Institute of Information Science, Academia Sinica, Taipei 115, Taiwan}

3_{College of Computer Science, National Chiao Tung University, Hsinchu 300, Taiwan}

Correspondence should be addressed to Chun-I Fan; [email protected] Received 15 April 2014; Accepted 11 August 2014; Published 30 November 2014 Academic Editor: Tadeusz Kaczorek

Copyright © 2014 Chun-I Fan et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited. In order to simplify key management, two-party and three-party key agreement schemes based on user identities have been proposed recently. Multiparty (including more than three parties) key agreement protocols, which also are called conference key schemes, can be applied to distributed systems and wireless environments, such as ad hoc networks, for the purpose of multiparty secure communication. However, it is hard to extend two- or three-party schemes to multiparty ones with the guarantee of efficiency and security. In addition to the above two properties, interdomain environments should also be considered in key agreement systems due to diversified network domains. However, only few identity-based multiparty conference key agreement schemes for single domain environments and none for interdomain environments were proposed in the literature and they did not satisfy all of the security attributes such as forward secrecy and withstanding impersonation. In this paper, we will propose a novel efficient single domain identity-based multiparty conference key scheme and extend it to an interdomain one. Finally, we prove that the proposed schemes satisfy the required security attributes via formal methods.

1. Introduction

The technique of key agreement allows two or more parties to exchange information and negotiate a common session key. The first key exchange scheme was proposed by Diffie and Hellman in 1976 [1] where two parties can exchange public information and then compute a common key by their private keys and received information. However, the basic Diffie-Hellman protocol lacks mutual authentication between two parties such that the man-in-the-middle attack is valid in this scheme. Many researchers modified Diffie-Hellman protocol to ensure mutual authentication between two parties, which are called authenticated key agreement (AKA) protocols. Lots of varieties of Diffie-Hellman protocol have been proposed and several different kinds of key agreement mechanisms have been shown in [2]. Up to now, Diffie-Hellman key exchange protocol is still an important basis for most key agreement protocols.

In 1984, Shamir proposed an identity-based cryptosystem [3], where the public key of each user is her/his public identity information, and there exists a private key generator (PKG),

a key generation center (KGC), or a Trusted Authority (TA) which is trusted by all users. PKG, KGC, or TA, which will be called TA below, can produce each user’s private key according to her/his public key. In almost all of the identity-based key agreement schemes, TA provides the private/public key generation services for users. When a user registers with TA, the user’s public information like ID or email address will be her/his public key and TA gives the user the private key corresponding to her/his public key.

Pairing is a tool which is initially applied to cryptography to convert the Discrete Logarithm problem in elliptic curves to that in finite fields, and it can be derived from bilinear pairing, namely, Weil pairing [4] or Tate pairing [5]. First, Joux [6] used pairing to construct the first 3-party key agreement protocol based on a certificate system in 2000 and his scheme. Later, researchers found that pairing is suitable for the implementation of identity-based cryptosystems. Smart [7] proposed a two-party identity-based authenti-cated key agreement scheme in 2002. Boneh and Franklin [4] proposed an identity-based encryption scheme based on Weil pairing in 2003. Afterwards, pairing has become

Volume 2014, Article ID 865367, 18 pages http://dx.doi.org/10.1155/2014/865367

an important mathematic foundation of cryptography. There are many identity-based key agreement schemes, which have been proposed in the literature [7–11], based on pairings.

A conference key agreement scheme is a variety of a multiparty key agreement or group key agreement scheme, but it is different from conference key distribution scheme. In a conference key distribution scheme, a session conference chair decides the conference key and then broadcasts it to every member in this session conference. In particular, in a conference key agreement scheme, we must guarantee that the protocol satisfies the following three properties.

(1) Each conference key is negotiated by all session members.

(2) Every session member can compute the conference key via the same algorithm.

(3) No session member can predict or preselect the conference key.

The first formal security analysis in an identity-based two-party key agreement scheme was introduced by Chen and Kudla [9] and they improved the first identity-based key agreement scheme based on pairings [7]. Chen and Kudla proved that their protocol is secure on the security model of Bellare and Rogaway [12]. Later, Al-Riyami and Paterson also proposed four kinds of tripartite authenticated key agreement protocols by improving Joux’s scheme [13], and they showed that their scheme is secure. Unfortunately, Shim and Woo [14] pointed out that their scheme has some weaknesses. Furthermore, there are several conference key agreement schemes based on bilinear pairing which have been proposed in the literature [15–19], but they are all insecure, where their security weaknesses will be shown in Section3of the paper.

Section 4 will present two new hard problems, the 𝑛-Linear Diffie-Hellman (𝑛-LDH) problem and the Decisional 𝑛-Linear Diffie-Hellman (𝑛-DLDH) problem, on which our key agreement schemes are based.

In Section5, we will propose a novel efficient identity-based conference key agreement scheme by combining the concepts of [16, 19]. In addition to a single TA, we also discuss how the users, who have registered with distinct TAs, negotiate a common conference key. Moreover, in order to formally demonstrate the security of our proposed schemes, we adopt the random oracle method, which was proposed by Bellare and Rogaway [12], to prove the security of our schemes under some well-known assumptions. We will define several security attributes in the third part of Section2and formally prove the security of our schemes in Section6. Finally, we also provide performance comparison to demonstrate that our proposed schemes are more efficient than others.

Our contributions are summarized as follows.

(1) We find some security flaws in the schemes of [15–19]. (2) We introduce two new hard problems.

(3) We propose interdomain identity-based conference key agreement schemes.

(4) We formally prove that our schemes completely sat-isfy all of the security attributes.

2. Preliminaries

In this section, we review the concept of pairing which includes definitions, computationally hard problems, and security attributes of key agreement based on pairings.

2.1. Pairing. Pairing [20] in an elliptic curve cryptosystem is

a function which maps a pair of elliptic curve points to an element of a multiplicative group in a finite field. It has been applied to key agreement, signatures, broadcast encryption, and identity-based encryption widely. In the following, we will review the definitions and properties of pairings.

2.1.1. Bilinear Pairing. We briefly describe the concept of

bilinear pairing [20]. Let(G₁, +) and (G₂, +) be abelian groups written in additive notation with prime order𝑞 and identity elements𝑂₁ and 𝑂₂, respectively, such that𝑞𝑃 = 𝑂₁ and 𝑞𝑄 = 𝑂₂, where∀𝑃 ∈ G₁and∀𝑄 ∈ G₂. Suppose that(G_𝑇, ∗) is a cyclic group of order𝑞 written in multiplicative notation with identity element1_𝑇. Now we have the groups(G₁, +), (G2, +), and (G𝑇, ∗). The mapping function is

𝑒 : G₁× G₂󳨀→ G_𝑇. (1) Typically,G₁ andG₂ are subgroups of the points on an elliptic curve over a finite field andG_𝑇 is a subgroup of a multiplicative group over a finite field.

In addition, the following additional properties must be satisfied: (i) bilinearity ∀𝑃, 𝑃󸀠_{∈ G} 1, 𝑄, 𝑄󸀠∈ G2, 𝑒(𝑃+𝑃󸀠_{, 𝑄) = 𝑒(𝑃, 𝑄)⋅𝑒(𝑃}󸀠_{, 𝑄) and 𝑒(𝑃, 𝑄+𝑄}󸀠_{) =} 𝑒(𝑃, 𝑄) ⋅ 𝑒(𝑃, 𝑄󸀠_), 𝑒(𝑎𝑃, 𝑄) = 𝑒(𝑃, 𝑄)𝑎_{= 𝑒(𝑃, 𝑎𝑄) for all 𝑎 ∈ Z}∗ 𝑞; (ii) nondegeneracy

∀𝑃 ∈ G₁, with 𝑃 ̸= 𝑂₁, ∃𝑄 ∈ G₂ such that 𝑒(𝑃, 𝑄) ̸= 1_𝑇,

∀𝑄 ∈ G₂, with 𝑄 ̸= 𝑂₂, ∃𝑃 ∈ G₁ such that 𝑒(𝑃, 𝑄) ̸= 1_𝑇,

∀𝑃 ∈ G1 and∀𝑄 ∈ G2,𝑒(𝑃, 𝑂2) = 𝑒(𝑂1, 𝑄) = 1_𝑇;

(iii) computability

if 𝑃 ∈ G₁ and 𝑄 ∈ G₂, there exists an efficient algorithm which can compute𝑒(𝑃, 𝑄) in polynomial time.

The schemes in Section3use symmetric bilinear pairing, so they setG₁= G₂. In order to make the following decisional problems remain hard, we set G₁ ̸= G₂ and there is no polynomial-time computable isomorphism𝜙 : G₁ → G₂, such that𝜙(𝑃) = 𝑄, where 𝑃 is a generator of G₁and𝑄 is a generator ofG₂.

2.2. Hard Problems

(1) The Discrete Logarithm (DL) problem:

given𝑃, 𝑃󸀠 ∈ G₁, find an integer𝑥 ∈ Z∗_𝑞 such that 𝑃󸀠_{= 𝑥𝑃.}

(2) The Computational Diffie-Hellman (CDH) problem: for𝑥, 𝑦∈_𝑅Z∗_𝑞, given(𝑃, 𝑥𝑃, 𝑦𝑃) ∈ G3₁, compute𝑥𝑦𝑃. (3) The Decisional Diffie-Hellman (DDH) problem:

for𝑥, 𝑦∈_𝑅Z∗_𝑞, given(𝑃, 𝑥𝑃, 𝑦𝑃, 𝑧𝑃) ∈ G4₁where𝑧 = 𝑥𝑦 (mod 𝑞) or 𝑧∈_𝑅Z∗

𝑞is decided by flipping a coin. Output “Yes” if 𝑧 = 𝑥𝑦 (mod 𝑞); otherwise output “No”.

(4) The Divisible Computational Diffie-Hellman (DCDH) problem [21]: for𝑥, 𝑦∈_𝑅Z∗_𝑞, given(𝑃, 𝑥𝑃, 𝑦𝑃) ∈ G3₁, compute𝑥𝑦−1𝑃.

(5) The Decisional Linear Diffie-Hellman (DLDH) prob-lem in G₁ [22, 23]: for 𝑥₁, 𝑥₂, 𝑥₃, 𝑥₄∈_𝑅Z∗_𝑞, given (𝑃, 𝑥₁𝑃, 𝑥₂𝑃, 𝑥₁𝑥₃𝑃, 𝑥₂𝑥₄𝑃, 𝑍) ∈ G6

1, where𝑍 = (𝑥3+ 𝑥₄)𝑃 or 𝑍∈_𝑅G₁is decided by flipping a coin. Output “Yes” if𝑍 = (𝑥₃+ 𝑥₄)𝑃; otherwise output “No”. This hard problem was first proposed by Boneh et al. [22] in 2004 and then Boyen and Waters [23] extended it to asymmetric bilinear groups in 2006. (6) The co-Bilinear Diffe-Hellman (co-BDH) problem

[4]: given (𝑃₁, 𝑎𝑃₁, 𝑏𝑃₁) ∈ G3₁ and (𝑃₂, 𝑎𝑃₂, 𝑐𝑃₂) ∈ G3

2 in asymmetric bilinear map groups(G1, G2, G𝑇), compute𝑒(𝑃₁, 𝑃₂)𝑎𝑏𝑐∈ G_𝑇.

We propose the variant-CDH problem and extend the DLDH problem to the 𝑛-LDH and 𝑛-DLDH problems. We will prove that they are also hard in Section4.

(7) The Variant Computational Diffie-Hellman (variant-CDH) problem: given (𝑃₁, 𝑎𝑃₁, 𝑏𝑃₁) ∈ G3₁ and (𝑃₂, 𝑎𝑃₂) ∈ G2

2, compute𝑎𝑏𝑃1.

(8) The n-Linear Diffie-Hellman (𝑛-LDH) problem: given 𝑃, 𝑥_𝑖𝑃’s, and 𝑥_𝑖𝑥_𝑛+𝑗𝑃’s ∈ G₁for all𝑖, 𝑗 with 1 ≤ 𝑖, 𝑗 ≤ 𝑛, 𝑖 ̸= 𝑗, and 𝑛 ≥ 2, compute (𝑥_𝑛+1+ 𝑥_𝑛+2+ ⋅ ⋅ ⋅ + 𝑥_2𝑛)𝑃. (9) The Decisional n-Linear Diffie-Hellman (𝑛-DLDH)

problem: given𝑍, 𝑃, 𝑥_𝑖𝑃’s, and 𝑥_𝑖𝑥_𝑛+𝑗𝑃’s ∈ G₁for all𝑖, 𝑗 with 1 ≤ 𝑖, 𝑗 ≤ 𝑛, 𝑖 ̸= 𝑗, and 𝑛 ≥ 2, where 𝑍 = (𝑥_𝑛+1+ 𝑥_𝑛+2+ ⋅ ⋅ ⋅ + 𝑥_2𝑛)𝑃 or 𝑍∈_𝑅G₁is decided by flipping a coin. Output “Yes” if𝑍 = (𝑥_𝑛+1+ 𝑥_𝑛+2+ ⋅ ⋅ ⋅ + 𝑥_2𝑛)𝑃; otherwise output “No”.

2.3. Security Attributes. There are some security definitions

in the identity-based key agreement schemes based on pairing [13,14]. We describe them as follows.

Known Session Key Security. A key agreement protocol should

produce a unique common secret key, which is called a session key, for every session. The protocol should still achieve this goal when an adversary has learned all of the other session keys.

(Perfect) Forward Secrecy. Forward secrecy is that any

adversary cannot derive previous session keys from compromised long-term private keys of one or more parties.

Partial forward secrecy is that one or more (not all) parties’

long-term private keys are corrupted but any adversary cannot get any previous session keys which were established by these parties. Perfect forward secrecy means that any adversaries cannot derive previous session keys even though they have obtained the long-term private keys of all parties. In ID-based systems, perfect forward secrecy implies that TA’s and all users’ long-term private keys are corrupted but any previous session key established by the registered users cannot be derived by adversaries. We also call it TA forward

secrecy.

Key-Compromise Impersonation. A protocol can resist

key-compromise impersonation if an adversary cannot imperson-ate some users even though the other users’ long-term privimperson-ate keys were disclosed.

Man-in-the-middle attack is a special case of key-compromise impersonation in ID-based systems. If an adver-sary intercepts messages, retransmits them, and then com-municates with users without being detected in the key agree-ment protocol, we say that he succeeds in impersonation.

Withstanding key-compromise impersonation also covers unknown key-share resilience. It is the basic security attribute for key agreement scheme. Some users cannot have a key agreement with the other users without the knowledge of them. If some users cannot impersonate the others, they cannot run the key agreement scheme for them.

Key Control. It should be impossible for any participant (or

an adversary) to preselect a value as a session key or predict the value of the session key.

3. Security Problems in the Previous Schemes

In the section, we briefly introduce security weaknesses on the schemes [15–19, 24–26]. The details of the security problems in these schemes are in the Appendices.

Shi et al. [19] proposed an ID-based authenticated group key agreement protocol in 2005. The design of the protocol is efficient because it only takes one round to finish a group key agreement and it needs no exponentiation computation besides a pairing computation. We find that the protocol does not resist key-compromise impersonation since the users do not verify the messages with one another in the protocol. Moreover, it only achieves partial forward secrecy.

Du et al. [15] proposed an ID-based authenticated group key agreement protocol in 2003 and improved it in the same year. Both of them does not achieve perfect forward secrecy. Although they embed a signature scheme to verify the messages, both of the protocols still suffer from key-compromise impersonation found by Zhang and Chen [29]. In the attack of [29], the adversaries collect the messages of the user in the previous session and replay them after modifying the messages. Zhang and Chen [30] also attacked Choi et al. [24] with the same method in 2004. The protocol

of Zhang et al. [18] in 2005 has the same security problem as Du’s since they embed the same signature scheme in the protocol.

Kim et al. [17] aims to design a one-round key agreement protocol. But we find that the protocol cannot even achieve known session key security. Anyone can compute the session key through collecting the broadcasting messages.

Zhou et al. [26] proposed two schemes, one is one-round and the other is two-round. We find that both of them cannot withstand key-compromise impersonation. For the first scheme, the other users can collide to impersonate the user𝑈_𝑖. For the second one, the user𝑈₁can impersonate any other user he wants. We also find that the protocol of Yao et al. [25] is not immune to key-compromise impersonation, either. A user can impersonate another by rebroadcasting the messages. The work of [31] improved the flaw but did not provide any formal proofs. Yuan et al. [27] improved it with formal proofs.

4. Three New Hard Problems

We formally prove our proposed problems, the Variant Computational Diffie-Hellman problem, the𝑛-Linear Diffie-Hellman problem, and the Decisional 𝑛-Linear Diffie-Hellman problem, being hard by using problem reduction and generic model, respectively.

4.1. The Variant Computational Diffie-Hellman (Variant-CDH) Problem

Theorem 1. The variant-CDH problem is hard if the co-BDH

problem is hard.

Proof. Suppose that there exists an oracle which can solve

the variant-CDH problem with nonnegligible probability. We will prove that the oracle can help us to solve the co-BDH problem with nonnegligible probability. Given any parameters of the co-BDH problem,(𝑃₁, 𝑎𝑃₁, 𝑏𝑃₁) ∈ G3₁and (𝑃₂, 𝑎𝑃₂, 𝑐𝑃₂) ∈ G3

2, we input(𝑃1, 𝑎𝑃1, 𝑏𝑃1) and (𝑃2, 𝑎𝑃2) into the variant-CDH oracle. The oracle will output𝑎𝑏𝑃₁. Then, we solve the co-BDH problem by computing𝑒(𝑎𝑏𝑃₁, 𝑐𝑃₂) = 𝑒(𝑃₁, 𝑃₂)𝑎𝑏𝑐.

4.2. The𝑛-Linear Diffie-Hellman (𝑛-LDH) Problem

Theorem 2. The 𝑛-LDH problem is hard if and only if the

DCDH problem is hard.

Proof. (1)𝑛-LDH ⇒ DCDH. Suppose that there exists an

ora-cle which can solve the𝑛-LDH problem with nonnegligible probability. We will prove that the oracle can help us to solve the DCDH problem with nonnegligible probability.

For any DCDH triple(𝑃, 𝑥𝑃, 𝑦𝑃), we convert them into the𝑛-LDH oracle’s input parameters which are shown in(2):

[ [ [ [ [ [ [ [ [ 𝑥₁𝑃 𝑥₂𝑃 . . . 𝑥_𝑛−1𝑃 𝑥_𝑛𝑃 ⊥ 𝑥2𝑥𝑛+1𝑃 . . . 𝑥𝑛−1𝑥𝑛+1𝑃 𝑥𝑛𝑥𝑛+1𝑃 𝑥1𝑥𝑛+2𝑃 ⊥ . . . 𝑥𝑛−1𝑥𝑛+2𝑃 𝑥𝑛𝑥𝑛+2𝑃 ... ... ... ... 𝑥₁𝑥_2𝑛−1𝑃 𝑥₂𝑥_2𝑛−1𝑃 . . . ⊥ 𝑥_𝑛𝑥_2𝑛−1𝑃 𝑥₁𝑥_2𝑛𝑃 𝑥₂𝑥_2𝑛𝑃 . . . 𝑥_𝑛−1𝑥_2𝑛𝑃 ⊥ ] ] ] ] ] ] ] ] ] . (2)

We randomly pick 𝑡₂, 𝑡₃, . . . , 𝑡_𝑛 ∈ Z∗_𝑞 and 𝑄₁, 𝑄₂, . . . , 𝑄𝑛−1∈ G∗1, compute𝑄𝑛= 𝑥𝑃 − 𝑄1− 𝑄2− ⋅ ⋅ ⋅ − 𝑄𝑛−1, and set other parameters in(3): [ [ [ [ [ [ [ [ [ 𝑦𝑃 𝑡₂𝑦𝑃 𝑡₃𝑦𝑃 . . . 𝑡_𝑛−1𝑦𝑃 𝑡_𝑛𝑦𝑃 ⊥ 𝑡₂𝑄₁ 𝑡₃𝑄₁ . . . 𝑡_𝑛−1𝑄₁ 𝑡_𝑛𝑄₁ 𝑄₂ ⊥ 𝑡₃𝑄₂ . . . 𝑡_𝑛−1𝑄₂ 𝑡_𝑛𝑄₂ ... ... ... ... ... 𝑄_𝑛−1 𝑡₂𝑄_𝑛−1 𝑡₃𝑄_𝑛−1 . . . ⊥ 𝑡_𝑛𝑄_𝑛−1 𝑄𝑛 𝑡2𝑄𝑛 𝑡3𝑄𝑛 . . . 𝑡𝑛−1𝑄𝑛 ⊥ ] ] ] ] ] ] ] ] ] . (3)

Equation(2)is equal to(3); that is,𝑥₁𝑃 = 𝑦𝑃, 𝑥₂𝑃 = 𝑡₂𝑥₁𝑃 = 𝑡₂𝑦𝑃, 𝑥₃𝑃 = 𝑡₃𝑥₁𝑃 = 𝑡₃𝑦𝑃, . . . , 𝑥_𝑛𝑃 = 𝑡_𝑛𝑥₁𝑃 = 𝑡_𝑛𝑦𝑃 in row 1, 𝑥₂𝑥_𝑛+1𝑃 = 𝑡₂𝑥₁𝑥_𝑛+1𝑃 = 𝑡₂𝑄₁, 𝑥₃𝑥_𝑛+1𝑃 = 𝑡₃𝑥₁𝑥_𝑛+1𝑃 = 𝑡₃𝑄₁, . . . , 𝑥_𝑛𝑥_𝑛+1𝑃 = 𝑡_𝑛𝑥₁𝑥_𝑛+1𝑃 = 𝑡_𝑛𝑄₁in row 2 (suppose that𝑥₁𝑥_𝑛+1𝑃 = 𝑄₁),𝑥₁𝑥_𝑛+2𝑃 = 𝑄₂,𝑥₃𝑥_𝑛+2𝑃 = 𝑡₃𝑥₁𝑥_𝑛+2𝑃 = 𝑡₃𝑄₂, . . . , 𝑥_𝑛𝑥_𝑛+2𝑃 = 𝑡_𝑛𝑥₁𝑥_𝑛+2𝑃 = 𝑡_𝑛𝑄₂ in row3, . . ., and 𝑥₁𝑥_2𝑛𝑃 = 𝑄_𝑛,𝑥₂𝑥_2𝑛𝑃 = 𝑡₂𝑥₁𝑥_2𝑛𝑃 = 𝑡₂𝑄_𝑛, 𝑥₃𝑥_2𝑛𝑃 = 𝑡₃𝑥₁𝑥_2𝑛𝑃 = 𝑡₃𝑄_𝑛, . . . , 𝑥_𝑛−1𝑥_2𝑛𝑃 = 𝑡_𝑛−1𝑥₁𝑥_2𝑛𝑃 = 𝑡_𝑛−1𝑄_𝑛 in row𝑛 + 1. The oracle will output (𝑥_𝑛+1 + 𝑥_𝑛+2+ 𝑥_𝑛+3+ ⋅ ⋅ ⋅ + 𝑥_2𝑛−1+ 𝑥_2𝑛)𝑃. Thus, we have that

𝑥𝑃 = 𝑄₁+ 𝑄₂+ ⋅ ⋅ ⋅ + 𝑄_𝑛−1+ 𝑄_𝑛

= 𝑥₁𝑥_𝑛+1𝑃 + 𝑥₁𝑥_𝑛+2𝑃 + ⋅ ⋅ ⋅ + 𝑥₁𝑥_2𝑛−1𝑃 + 𝑥₁𝑥_2𝑛𝑃 = (𝑥_𝑛+1+ 𝑥_𝑛+2+ ⋅ ⋅ ⋅ + 𝑥_2𝑛−1+ 𝑥_2𝑛) 𝑥₁𝑃

= (𝑥_𝑛+1+ 𝑥_𝑛+2+ ⋅ ⋅ ⋅ + 𝑥_2𝑛−1+ 𝑥_2𝑛) 𝑦𝑃.

(4)

From(4), we can get𝑥𝑦−1𝑃 = (𝑥_𝑛+1+𝑥_𝑛+2+⋅ ⋅ ⋅+𝑥_2𝑛−1+𝑥_2𝑛)𝑃. (2)𝑛-LDH ⇐ DCDH. Suppose that there exists an oracle which can solve the the DCDH problem with nonnegligible probability. We will prove that the oracle can help us to solve the𝑛-LDH problem with nonnegligible probability, too.

For any 𝑛-LDH tuple in (2), we input (𝑥₁𝑥_𝑛+2𝑃, 𝑥₁𝑃), (𝑥₁𝑥_𝑛+3𝑃, 𝑥₁𝑃), . . . , (𝑥₁𝑥_2𝑛𝑃, 𝑥₁𝑃), and (𝑥₂𝑥_𝑛+1𝑃, 𝑥₂𝑃) into the oracle. Then the oracle outputs 𝑥_𝑛+2𝑃, 𝑥_𝑛+3𝑃, . . . , 𝑥_2𝑛𝑃, and𝑥_𝑛+1𝑃, respectively.

Finally, we can compute 𝑥_𝑛+1𝑃 + 𝑥_𝑛+2𝑃 + ⋅ ⋅ ⋅ + 𝑥_2𝑛𝑃 = (𝑥𝑛+1+ 𝑥𝑛+2+ ⋅ ⋅ ⋅ + 𝑥2𝑛)𝑃 to solve the 𝑛-LDH problem.

We use a way similar to [22] to prove the 𝑛-DLDH problem being hard. In the generic model, elements ofG₁, G₂, andG_𝑇are encoded as unique random strings, whereG₁ andG₂are additive groups andG_𝑇is a multiplicative group. There is a bilinear pairing function𝑒 : G₁× G₂ → G_𝑇. Let 𝑆1, 𝑆2, and 𝑆𝑇 be the sets of strings. The opaque encoding of the elements of G₁ is modeled as an injective function

𝜁₁ : Z_𝑞 → 𝑆₁, where𝑆₁ ⊂ {0, 1}∗, which maps all𝑎 ∈ Z_𝑞 to the string representation𝜁₁(𝑎) of 𝑎𝑃 ∈ G₁. Analogous mapping𝜁₂ : Z_𝑞 → 𝑆₂and𝜁_𝑇 : Z_𝑞 → 𝑆_𝑇map all𝑎 ∈ Z_𝑞 to the string representation𝜁₂(𝑎) of 𝑎𝑃󸀠 ∈ G₂and𝜁_𝑇(𝑎) of 𝑔𝑎 _{∈ G}

𝑇, where𝑔 = 𝑒(𝑃, 𝑃󸀠).

4.3. The Decisional𝑛-Linear Diffie-Hellman

(𝑛-DLDH) Problem

Theorem 3. Let A be an algorithm that solves the 𝑛-DLDH

problem in the generic bilinear group model with at most𝑞_𝑘

oracle queries. Let𝑥_𝑖’s,𝑥_𝑛+𝑗’s, and𝑧 ∈ Z_𝑞be chosen at random,

where1 ≤ 𝑖, 𝑗 ≤ 𝑛, and 𝑛 ≥ 2, 𝜁₁,𝜁₂, and𝜁_𝑇 are random

encoding functions for 𝐺₁,𝐺₂, and𝐺_𝑇, and 𝑏 ∈ {0, 1} is a

random bit. Let𝑤_𝑏 = 𝑧 and 𝑤_1−𝑏 = ∑𝑛_𝑗=1𝑥_𝑛+𝑗mod𝑞. The

probability is Pr [ [ A (𝜁₁, 𝜁₂, 𝜁_𝑇; 1, 𝑥_𝑖’𝑠, 𝑥_𝑖𝑥_𝑛+𝑗’𝑠, 𝑤₀, 𝑤₁) = 𝑏 : ∀𝑖, 𝑗, 𝑥_𝑖, 𝑥_𝑛+𝑗∈ Z∗ 𝑞, 1 ≤ 𝑖, 𝑗 ≤ 𝑛, 𝑖 ̸= 𝑗, 𝑛 ≥ 2, 𝑏 ∈ {0, 1} ] ] =1 2 + 2 (𝑛2_{+ 3 + 𝑞} 𝑘)2 𝑞 . (5)

Proof. B plays the following game with A. B maintains

the lists 𝐿₁ = {(𝐹_1,𝑠, 𝜁_1,𝑠) : 𝑠 = 0, 1, 2, . . . , 𝜏₁ − 1}, 𝐿₂ = {(𝐹_2,𝑡, 𝜁_2,𝑡) : 𝑡 = 0, 1, 2, . . . , 𝜏₂ − 1}, and 𝐿_𝑇 = {(𝐹_𝑇,𝑢, 𝜁_𝑇,𝑢) : 𝑡 = 0, 1, 2, . . . , 𝜏_𝑇− 1}. Let 𝑋_𝑖’s,𝑋_𝑖𝑋_𝑛+𝑗’s, 𝑊₀, and𝑊₁ (∀𝑖, 𝑗, 1 ≤ 𝑖, 𝑗 ≤ 𝑛, 𝑖 ̸= 𝑗) be indeterminate. All𝐹_1,𝑠’s, 𝐹_2,𝑡’s, and𝐹_𝑇,𝑢’s ∈ Z_𝑞[𝑋_𝑖’s,𝑋_𝑖𝑋_𝑛+𝑗’s,𝑊₀, 𝑊₁] are polynomials and𝜁_1,𝑠’s,𝜁_2,𝑡’s,𝜁_𝑇,𝑢’s∈ {0, 1}∗are distinct strings. At the beginning of the game,B sets 𝐹_1,0 = 1, 𝐹_1,1 = 𝑋₁, 𝐹_1,2= 𝑋₂, . . . , 𝐹_1,𝑛 = 𝑋_𝑛,𝐹_1,𝑛2₊₁= 𝑊₀,𝐹_1,𝑛2₊₂ = 𝑊₁,𝐹_2,0= 1,

𝐹𝑇,0 = 1, and the following polynomials: [(⊥, 𝐹1,𝑛+1 = 𝑋2𝑋𝑛+1, . . . , 𝐹1,2𝑛−2 = 𝑋𝑛−1𝑋𝑛+1, 𝐹1,2𝑛−1 = 𝑋𝑛𝑋𝑛+1), (𝐹1,2𝑛= 𝑋1𝑋𝑛+2,⊥, . . . , 𝐹1,3𝑛−3 = 𝑋𝑛−1𝑋𝑛+2, 𝐹1,3𝑛−2 = 𝑋𝑛𝑋𝑛+2), . . . , (𝐹_1,𝑛2_−2𝑛+3 = 𝑋₁𝑋_2𝑛−1, 𝐹_1,𝑛2_−2𝑛+4 = 𝑋₂𝑋_2𝑛−1, . . . , ⊥

, 𝐹_1,𝑛2_−𝑛+1 = 𝑋_𝑛𝑋_2𝑛−1), (𝐹_1,𝑛2_−𝑛+2 = 𝑋₁𝑋_2𝑛, 𝐹_1,𝑛2_−𝑛+3 =

𝑋₂𝑋_2𝑛, . . . , 𝐹_1,𝑛2 = 𝑋_𝑛−1𝑋_2𝑛,, ⊥)], where the symbol “⊥”

means emptiness and B gives A the distinct strings 𝜁_1,0, 𝜁_1,1, . . . , 𝜁_1,𝑛2₊₂,𝜁_2,0, and𝜁_𝑇,0. In the initial list index, the

numbers of the records in𝐿₁,𝐿₂, and𝐿_𝑇 are𝜏₁ = 𝑛2+ 3, 𝜏2= 1, and 𝜏𝑇= 1, respectively, where 𝜏 = 𝜏1+𝜏2+𝜏𝑇= 𝑛2+5. At any step in the game,A can make the group and pairing queries.B performs and responds to A as follows.

Group Action.A gives B two operands 𝜁_1,𝑠, 𝜁_1,𝑡 and a sign

bit, where0 ≤ 𝑠, 𝑡 < 𝜏₁.B sets 𝐹_1,𝜏1← 𝐹_1,𝑠± 𝐹_1,𝑡. If𝐹_1,𝜏1= 𝐹_1,𝑙 for some𝑙 < 𝜏₁,B sets 𝜁_1,𝜏1 ← 𝜁_1,𝑙. Otherwise,B sets 𝜁_1,𝜏1 to be a string in {0, 1}∗ distinct from 𝜁_1,0, 𝜁_1,1, . . . , 𝜁_1,𝜏1−1. Finally,B adds (𝐹_1,𝜏1, 𝜁_1,𝜏) to the list 𝐿₁, gives𝜁_1,𝜏1toA, and sets𝜏₁ ← 𝜏₁+ 1. The group action queries in 𝐺₂and𝐺_𝑇are simulated similarly.

Pairing.A gives B two operands 𝜁_1,𝑠and𝜁_1,𝑡with0 ≤ 𝑠 < 𝜏₁

and0 ≤ 𝑡 < 𝜏₂.B sets the product 𝐹_{𝑇,𝜏𝑇} ← 𝐹_1,𝑠𝐹_2,𝑡. If𝐹_{𝑇,𝜏𝑇} = 𝐹𝑇,𝑙for some𝑙 < 𝜏𝑇,B sets 𝜁𝑇,𝜏𝑇 ← 𝜁𝑇,𝑙. Otherwise,B sets

𝜁_{𝑇,𝜏𝑇}to be a string in{0, 1}∗distinct from𝜁_𝑇,0, 𝜁_𝑇,1, . . . , 𝜁_{𝑇,𝜏𝑇−1}. Finally,B adds (𝐹_{𝑇,𝜏𝑇}, 𝜁_{𝑇,𝜏𝑇}) to the list 𝐿_𝑇, gives𝜁_{𝑇,𝜏𝑇}toA, and sets𝜏_𝑇← 𝜏_𝑇+ 1.

Consider the operation that B performs: (1) B adds/subtracts all polynomials in the list𝐿₁,𝐿₂, and𝐿_𝑇by any A’s query. (2) B produces any of two polynomials in 𝐿₁ and 𝐿₂ to generate a new polynomial in 𝐿_𝑇. For any variant 𝑋_𝑛+𝑗, it occurs within the monomials 𝑋₁𝑋_𝑛+𝑗, 𝑋₂𝑋_𝑛+𝑗, . . . , 𝑋_{𝑛+𝑗−1}𝑋_𝑛+𝑗, 𝑋_𝑛+𝑗+1𝑋_𝑛+𝑗, . . . , 𝑋_2𝑛𝑋_𝑛+𝑗 in 𝐿₁ and 𝐿_𝑇 lists and it occurs no monomial in 𝐿₂ list. Therefore,B cannot produce any polynomial that contains the monomial 𝑐𝑋_𝑛+𝑗’s in 𝐺₁ or 𝐺₂ and the monomial 𝐹2,𝑡𝑋𝑛+𝑗’s in𝐺𝑇for any coefficient𝑐 ̸= 0 and any nonzero monomial𝐹_2,𝑡in𝐿₂in the available operations.

After at most 𝑞 queries, A terminates and returns a guess ̂𝑏 ∈ {0, 1}. The distinct values of operands provide no information to A because they are random bit strings. Therefore, the probability thatA wins the game in the generic model is1/2.

However, when B randomly chooses 𝑥_𝑖’s, 𝑥_𝑛+𝑗’s, and 𝑧 ∈ Z, sets 𝑤_𝑏 = ∑𝑛_𝑗=1𝑥_𝑛+𝑗 and 𝑤_1−𝑏 = 𝑧, and assigns 𝑋1 ← 𝑥1, 𝑋2 ← 𝑥2, . . . , 𝑋2𝑛 ← 𝑥2𝑛, 𝑊𝑏 ← 𝑤𝑏, and 𝑊1−𝑏 ← 𝑤1−𝑏, a nontrivial equality relation may occur and giveA some information that is not revealed in the generic model; that is, for some𝐹_1,𝑠 ̸= 𝐹_1,𝑡 (and𝐹_𝑇,𝑠 ̸= 𝐹_𝑇,𝑡, resp.) and𝑠, 𝑡 < 𝜏₁(and𝑠, 𝑡 < 𝜏_𝑇, resp.),𝐹_1,𝑠(𝑥_𝑖’s,𝑥_𝑖𝑥_𝑛+𝑗’s,𝑤₀, 𝑤₁) =𝐹_1,𝑡(𝑥_𝑖’s,𝑥_𝑖𝑥_𝑛+𝑗’s,𝑤₀, 𝑤₁) (and𝐹_𝑇,𝑠(𝑥_𝑖’s,𝑥_𝑖𝑥_𝑛+𝑗’s,𝑤₀, 𝑤₁) = 𝐹_𝑇,𝑡(𝑥_𝑖’s, 𝑥_𝑖𝑥_𝑛+𝑗’s, 𝑤₀, 𝑤₁), resp.).

The probability of the occurrence is computed according to the following lemma.

Lemma 4 (see [32]). Let 𝑞 be prime and let 𝑡 ≥ 1. Let 𝐹(𝑋₁, 𝑋₂, . . . , 𝑋_𝑘) ∈ 𝑍/𝑞𝑡_[𝑋

1, 𝑋2, . . . , 𝑋𝑘] be a nonzero

poly-nomial of total degree𝑑. Then for random 𝑥₁, 𝑥₂, . . . , 𝑥_𝑘 ∈

𝑍/𝑞𝑡_{, the probability that𝐹(𝑥}

1, 𝑥2, . . . , 𝑥𝑘) = 0 is at most 𝑑/𝑞. By Lemma 4, all polynomials in the𝐿₁ have degree at most 2, so that, for some𝑠, 𝑡 and 𝐹_1,𝑠 ̸= 𝐹_1,𝑡, the probability of 𝐹(𝑥_𝑖’s,𝑥_𝑖𝑥_𝑛+𝑗’s,𝑤₀, 𝑤₁) = 𝐹_1,𝑠(𝑥_𝑖’s,𝑥_𝑖𝑥_𝑛+𝑗’s,𝑤₀, 𝑤₁) − 𝐹_1,𝑡(𝑥_𝑖’s, 𝑥_𝑖𝑥_𝑛+𝑗’s,𝑤₀, 𝑤₁) = 0 is at most 2/𝑞. The degree of polynomials in the𝐿₂is 0. All polynomials in the𝐿_𝑇have degree at most 2, so that, for some𝑠, 𝑡 and 𝐹_𝑇,𝑠 ̸= 𝐹_𝑇,𝑡, the probability of 𝐹󸀠(𝑥_𝑖’s,𝑥_𝑖𝑥_𝑛+𝑗’s,𝑤₀, 𝑤₁) = 𝐹_𝑇,𝑠(𝑥_𝑖’s, 𝑥_𝑖𝑥_𝑛+𝑗’s, 𝑤₀, 𝑤₁) − 𝐹_𝑇,𝑡(𝑥_𝑖’s, 𝑥_𝑖𝑥_𝑛+𝑗’s,𝑤₀, 𝑤₁) = 0 is at most 2/𝑞. Therefore, A wins the game with the probability𝜀 ≤ 1/2 + (𝜏1

2)(2/𝑞) + (𝜏2𝑇)(2/𝑞). Since𝜏₁+ 𝜏_𝑇≤ 𝑛2+ 4 + 𝑞_𝑘, we have𝜀 ≤ 1/2 + (𝑛2+ 4 + 𝑞_𝑘)2/𝑞, where the advantage is not greater thanO(𝑞2_𝑘/𝑞).

5. Our Key Agreement Schemes

In this section, we propose two conference key agreement schemes. The first scheme is designed for the situation where the users who register with a single TA (single domain) want to negotiate a session conference key. Furthermore, the second scheme makes it possible for the users in distinct groups who register with different TAs (interdomain) to negotiate a session conference key. In addition, we will prove

the security of the two proposed schemes in Section6 and compare them with others in Section7.

5.1. The Proposed Scheme in Single TA

Setup. TA inputs a security parameter𝜅 into a setup algorithm

which returns groupsG₁,G₂, andG_𝑇(G₁ ̸= G₂) of prime order𝑞 with 𝑞 ∈ {0, 1}𝜅, a suitable bilinear mapping 𝑒 : G₁ × G₂ → G_𝑇, generators𝑃 ∈ G₁,𝑃󸀠 ∈ G₂, and three hash functions𝐻 : {0, 1}∗ → G₁, 𝐻₁ : G₁ → {0, 1}𝑙,𝐻₂ : G₁× {0, 1}∗ _{→ {0, 1}}𝑙_{, and𝐻}

3 : G1 → {0, 1}𝑙where𝑙 is the output length of the hash functions. TA randomly generates a long-term private key𝑠 ∈ Z∗_𝑞and the public key(𝑠𝑃, 𝑠𝑃󸀠) and then publishes⟨𝑞, 𝑒, G₁, G₂, G_𝑇, 𝑃, 𝑠𝑃, 𝑃󸀠, 𝑠𝑃󸀠, 𝐻, 𝐻₁, 𝐻₂, 𝐻₃⟩.

Extract. When a user𝑈_𝑖registers a public identity (ID), such

as an email address, with TA, TA will check whether the ID belongs to the user. If true, TA issues a long-term private key 𝑠𝑄𝑖to𝑈𝑖where𝑄𝑖= 𝐻(TA’s ID‖𝑈𝑖’s ID) is𝑈𝑖’s public key.

Conference Key Agreement. Suppose that there are 𝑛 legal

users𝑈₁, 𝑈₂, . . ., and 𝑈_𝑛who want to negotiate a conference key. Our conference key agreement scheme contains three rounds described as follows.

Round 1: every user𝑈_𝑖 (1 ≤ 𝑖 ≤ 𝑛) randomly picks an integer𝑟_𝑖 ∈ Z∗_𝑞 as a blinding factor, and then𝑈_𝑖 computes 𝑏_𝑖= 𝑟−1

𝑖 𝑃 and broadcasts 𝑏𝑖to all users who join this session. The flow is shown in Algorithm1.

Round 2: after𝑈_𝑖receives all𝑏_𝑗’s(1 ≤ 𝑗 ≤ 𝑛, 𝑗 ̸= 𝑖), she/he randomly picks an integer𝑘_𝑖 ∈ Z∗_𝑞 as an ephemeral key and computes𝐵_𝑖 = (𝑘_𝑖𝑏₁, 𝑘_𝑖𝑏₂, . . . , 𝑘_𝑖𝑏_𝑖−1, ⊥, 𝑘_𝑖𝑏_𝑖+1, . . . , 𝑘_𝑖𝑏_𝑛), and then𝑈_𝑖broadcasts𝐵_𝑖. The flow is shown in Algorithm2.

Round 3: for all𝐵_𝑖’s in Round 2, we can rearrange them as shown in(7). When receiving𝐵_𝑗’s,𝑈_𝑖only stores𝑘_𝑗𝑏_𝑖 (1 ≤ 𝑗 ≤ 𝑛, 𝑗 ̸= 𝑖) and drops other useless information 𝑘_𝑗𝑏_𝑡’s(1 ≤ 𝑗 ≤ 𝑛, 1 ≤ 𝑡 ≤ 𝑛, 𝑡 ̸= 𝑖). For example, 𝑈₁stores column 1 and 𝑈₂stores column 2 in(7). Then𝑈_𝑖computes𝐾 as follows:

𝐾 = 𝑟_𝑖∑𝑛 𝑗=1 𝑘_𝑗𝑏_𝑖 = 𝑟_𝑖⋅ (𝑘₁𝑟−1_𝑖 + 𝑘₂𝑟_𝑖−1+ ⋅ ⋅ ⋅ + 𝑘_𝑖𝑟−1_𝑖 + ⋅ ⋅ ⋅ + 𝑘_𝑛𝑟−1_𝑖 ) 𝑃 = (𝑘₁+ 𝑘₂+ ⋅ ⋅ ⋅ + 𝑘_𝑖+ ⋅ ⋅ ⋅ + 𝑘_𝑛) 𝑃. (6) All𝐵_𝑖’s in Round 2 𝑈₁ 𝑈₂ . . . 𝑈_𝑖 . . . 𝑈_𝑛 𝐵₁ ⊥ 𝑘₁𝑟−1₂ 𝑃 . . . 𝑘₁𝑟_𝑖−1𝑃 . . . 𝑘₁𝑟_𝑛−1𝑃 𝐵₂ 𝑘₂𝑟−1 1 𝑃 ⊥ . . . 𝑘2𝑟𝑖−1𝑃 . . . 𝑘2𝑟𝑛−1𝑃 ... ... ... d ... ... ... 𝐵_𝑖 𝑘_𝑖𝑟−1 1 𝑃 𝑘𝑖𝑟−12 𝑃 . . . ⊥ . . . 𝑘𝑖𝑟𝑛−1𝑃 ... ... ... ... ... d ... 𝐵_𝑛 𝑘_𝑛𝑟−1 1 𝑃 𝑘𝑛𝑟−12 𝑃 . . . 𝑘𝑛𝑟𝑖−1𝑃 . . . ⊥ (7) 𝑈_𝑖 computes 𝛼 = 𝐻₁(𝐾), 𝑇_𝑖 = 𝛼𝑠𝑄_𝑖 + 𝑟_𝑖−1𝑠𝑃, and 𝛽_𝑖 = 𝐻₂(𝑇_𝑖, 𝛼), and then she/he broadcasts (𝑇_𝑖, 𝛽_𝑖). When 𝑈_𝑖 receives all (𝑇_𝑗, 𝛽_𝑗)’s (1 ≤ 𝑗 ≤ 𝑛, 𝑗 ̸= 𝑖), she/he first

verifies all𝛽_𝑗’s by checking if𝐻₂(𝑇_𝑗, 𝛼) = 𝛽_𝑗for each𝑗. If they are true,𝑈_𝑖randomly chooses𝑎₁, 𝑎₂, . . . , 𝑎_𝑛 ∈ Z∗_𝑞, computes 𝑉𝑖 = 𝑒(∑𝑛𝑖=1𝑎𝑖𝑏𝑖+ 𝛼 ∑𝑛𝑖=1𝑎𝑖𝑄𝑖, 𝑠𝑃󸀠), and verifies whether 𝑉𝑖= 𝑒(∑𝑛_𝑖=1𝑎_𝑖𝑇_𝑖, 𝑃󸀠_{) or not. If true, 𝑈}

𝑖accepts𝐾 and computes the session conference key SCK= 𝐻₃(𝐾). Algorithm3illustrates the flow in Round 3.

5.2. The Proposed Scheme in Distinct TAs. Our single domain

conference key agreement scheme can be extended to an interdomain conference key agreement scheme. Interdomain means that there are distinct domains with different TAs’, respectively. In this subsection, we present our interdomain conference key scheme. Assume that there are 𝑚 Trusted Authorities TA₁, TA₂, . . ., and TA_𝑚 and 𝑚 user groups 𝐺₁, 𝐺₂, . . ., and 𝐺_𝑚 who register with the 𝑚 distinct TAs, respectively. In the proposed scheme, the users in𝑚 different groups can negotiate a session conference key SCK via the following process.

Setup. TA_𝑖,𝑖 ∈ {1, 2, . . . , 𝑚}, inputs a security parameter 𝜅

into a setup algorithm which returns two groups G₁, G₂, and G_𝑇 (G₁ ̸= G₂) of prime order𝑞 ∈ {0, 1}𝜅, a suitable bilinear mapping𝑒 : G₁ × G₂ → G_𝑇, generators𝑃 ∈ G₁, 𝑃󸀠 ∈ G2, and three hash functions 𝐻 : {0, 1}∗ → G1, 𝐻₁ : G₁ → {0, 1}𝑙_{, 𝐻}

2 : G1 × {0, 1}∗ → {0, 1}𝑙, and 𝐻₃ : G₁ → {0, 1}𝑙where𝑙 is the output length of the hash functions. TA_𝑖randomly generates a long-term key𝑠_𝑖 ∈ Z∗_𝑞 and public key(𝑠_𝑖𝑃, 𝑠_𝑖𝑃󸀠) and then publishes ⟨𝑞, 𝑒, G₁, G₂, G_𝑇, 𝑃, 𝑠_𝑖𝑃, 𝑃󸀠, 𝑠_𝑖𝑃󸀠, 𝐻, 𝐻₁, 𝐻₂, 𝐻₃⟩.

Extract. When a user 𝑈_𝑗 in group 𝑖 registers a public ID

with TA_𝑖, TA_𝑖 will check whether the ID belongs to the user. If true, TA_𝑖 issues private key𝑠_𝑖𝑄_𝑖,𝑗to the user, where 𝑄_𝑖,𝑗= 𝐻(TA_𝑖’s ID‖𝑈_𝑖,𝑗’s ID) is the public key and𝑈_𝑖,𝑗denotes user𝑈_𝑗who has registered with TA_𝑖.

Interdomain Conference Key Agreement. Suppose that users in

𝑚 distinct domains or groups want to negotiate a conference key. Let𝑛_ℎ(1 ≤ ℎ ≤ 𝑚) be the number of users in the ℎth domain and𝑁 be the number of the total users (𝑁 = 𝑛₁+ 𝑛₂ + ⋅ ⋅ ⋅ + 𝑛_𝑚). Our interdomain conference key agreement protocol contains three rounds where Round 1 and Round 2 are similar to those of the proposed single domain conference key protocol.

Round 1: every user𝑈_𝑖,𝑗randomly picks an integer𝑟_𝑖,𝑗 ∈ Z∗

𝑞 and then broadcasts𝑏𝑖,𝑗 = (𝑟𝑖,𝑗)−1𝑃 to the users who join this session.

Round 2: after receiving 𝑏_ℎ,𝑙’s (1 ≤ ℎ ≤ 𝑚, 1 ≤ 𝑙 ≤ 𝑛_ℎ, ℎ ̸= 𝑖, 𝑙 ̸= 𝑗), 𝑈_𝑖,𝑗 computes 𝑘_𝑖,𝑗𝑏_ℎ,𝑙, where 𝑘_𝑖,𝑗∈_𝑅Z∗

𝑞 is 𝑈𝑖,𝑗’s ephemeral key, and broadcasts 𝐵_𝑖,𝑗 = (𝑘_𝑖,𝑗𝑏_1,1, 𝑘_𝑖,𝑗𝑏_1,2, , . . . ,𝑘_𝑖,𝑗𝑏_1,𝑛1, . . . , 𝑘_𝑖,𝑗𝑏_𝑖,1,. . . , 𝑘_𝑖,𝑗𝑏_{𝑖,𝑗−1}, ⊥ , 𝑘_𝑖,𝑗𝑏_𝑖,𝑗+1, . . . , 𝑘_𝑖,𝑗𝑏_{𝑖,𝑛𝑖}, . . . , 𝑘_𝑖,𝑗𝑏_𝑚,1, . . . , 𝑘_𝑖,𝑗𝑏_{𝑚,𝑛𝑚}).

Round 3: when receiving 𝐵_ℎ,𝑙’s,𝑈_𝑖,𝑗 only stores 𝑘_ℎ,𝑙𝑏_𝑖,𝑗’s (1 ≤ ℎ ≤ 𝑚, 1 ≤ 𝑙 ≤ 𝑛ℎ, ℎ ̸= 𝑖, and 𝑙 ̸= 𝑗) and drops other useless information𝑘_ℎ,𝑙𝑏_𝑢,V’s(1 ≤ ℎ ≤ 𝑚, 1 ≤ 𝑙 ≤ 𝑛_ℎ, 1 ≤ 𝑢 ≤

Round1 𝑈_𝑖 𝑈₁, 𝑈₂, . . . , 𝑈_𝑖−1, 𝑈_𝑖+1, . . . , 𝑈_𝑛 Pick𝑟_𝑖∈_𝑅Z∗_𝑞 Compute𝑏_𝑖= 𝑟−1_𝑖 𝑃 Broadcast𝑏_𝑖 󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀→ 𝑏₁, 𝑏₂, . . . , 𝑏_𝑖−1, 𝑏_𝑖+1, . . . , 𝑏_𝑛 ←󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀

Algorithm 1: Round 1 of the first conference key protocol.

Round2 𝑈𝑖 𝑈1, 𝑈2, . . . , 𝑈𝑖−1, 𝑈𝑖+1, . . . , 𝑈𝑛 Pick𝑘_𝑖∈_𝑅Z∗_𝑞 Compute 𝑘_𝑖𝑏_𝑗= 𝑘_𝑖𝑟−1 𝑗 𝑃 (1 ≤ 𝑗 ≤ 𝑛, 𝑗 ̸= 𝑖) 𝐵_𝑖= (𝑘_𝑖𝑏₁, 𝑘_𝑖𝑏₂, . . . , 𝑘_𝑖𝑏_𝑖−1, ⊥, 𝑘_𝑖𝑏_𝑖+1, . . . , 𝑘_𝑖𝑏_𝑛), Broadcast𝐵_𝑖 󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀→ 𝐵₁, 𝐵₂, . . . , 𝐵_𝑖−1, 𝐵_𝑖+1, . . . , 𝐵_𝑛 ←󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀

Algorithm 2: Round 2 of the first conference key protocol.

𝑚, 1 ≤ V ≤ 𝑛𝑢, 𝑢 ̸= 𝑖, and V ̸= 𝑗). Then 𝑈𝑖,𝑗computes every domain’s key𝐾_ℎas follows:

𝐾_ℎ= 𝑟_𝑖,𝑗∑𝑛ℎ 𝑡=1 𝑘_ℎ,𝑡𝑏_𝑖,𝑗 = 𝑟_𝑖,𝑗(𝑘_ℎ,1𝑟_𝑖,𝑗−1+ 𝑘_ℎ,2𝑟−1_𝑖,𝑗 + ⋅ ⋅ ⋅ + 𝑘_ℎ,𝑛ℎ𝑟−1_𝑖,𝑗) 𝑃 = (𝑘_ℎ,1+ 𝑘_ℎ,2+ ⋅ ⋅ ⋅ + 𝑘_ℎ,𝑛ℎ) 𝑃. (8) 𝑈_𝑖,𝑗computes𝐾 = ∑𝑚_ℎ=1𝐾_ℎ,𝛼 = 𝐻₁(𝐾), 𝑇_𝑖,𝑗 = 𝛼𝑠_𝑖𝑄_𝑖,𝑗+ 𝑟−1

𝑖,𝑗𝑠𝑖𝑃, and 𝛽𝑖,𝑗 = 𝐻2(𝑇𝑖,𝑗, 𝛼), and then she/he broadcasts (𝑇_𝑖,𝑗, 𝛽_𝑖,𝑗). When 𝑈_𝑖,𝑗receives all messages,𝑈_𝑖,𝑗first verifies all 𝛽_ℎ,𝑙’s by examining if𝐻₂(𝑇_ℎ,𝑙, 𝛼) = 𝛽_ℎ,𝑙for eachℎ and 𝑙 (1 ≤ ℎ ≤ 𝑚, 1 ≤ 𝑙 ≤ 𝑛_ℎ, ℎ ̸= 𝑖, and 𝑙 ̸= 𝑗). If all 𝛽_ℎ,𝑙’s are correct, 𝑈_𝑖,𝑗randomly chooses𝑁 integers 𝑎_ℎ,𝑙’s, where each𝑎_ℎ,𝑙∈ Z∗_𝑞, computes 𝑉_ℎ,𝑙 = ∏𝑚_ℎ=1𝑒(∑𝑛ℎ

𝑙=1𝑎ℎ,𝑙𝑏ℎ,𝑙 + 𝛼 ∑𝑛𝑙=1ℎ 𝑎ℎ,𝑙𝑄ℎ,𝑙, 𝑠ℎ𝑃󸀠), and checks if𝑉_ℎ,𝑙 = 𝑒(∑𝑚_ℎ=1∑𝑛ℎ

𝑙=1𝑎ℎ,𝑙𝑇ℎ,𝑙, 𝑃󸀠). If it is true, 𝑈𝑖,𝑗 accepts𝐾 and computes the session conference key SCK = 𝐻3(𝐾).

6. Security Proof

Bellare-Rogaway random oracle model [12, 33], which was extended by Blake-Wilson et al. [34], is suitably modified and adapted in analyzing the security of key agreement protocols like those in the literatures [9,13]. In this section, we modify Bellare-Rogaway random oracle model and adopt the similar concepts and definitions in [8] to set our security game.

Definition 5 (game environment). Let adversaryA be a

prob-abilistic polynomial time Turing machine andB a simulator to simulate this game forA. Let I = {𝑈₁, 𝑈₂, . . . , 𝑈_𝑞} be all users andU the group users who follow our first identity-based conference key(IDCK) scheme, where 𝑞 is the order ofG₁andU ⊆ {𝑈₁, 𝑈₂, . . . , 𝑈_𝑞}. In the game, we allow A to make the following types of queries.

(1) Execute(Π𝑠

U): when A makes the Execute query, B simulates U to run the first IDCK protocol Π (Section5.1) and responds with all public messages (i.e.,(𝑏_𝑖, 𝐵_𝑖, 𝑇_𝑖, 𝛽_𝑖)’s for all 𝑈_𝑖’s∈ U) in the 𝑠th session. (2) Send(Π𝑠

̃

U, 𝑚): when A makes the Send query with a set of users ̃U ⊂ U and a message 𝑚 which is the set of(𝑏_𝑗, 𝐵_𝑗, 𝑇_𝑗, 𝛽_𝑗)’s broadcast by the users in ̃U, B simulates all 𝑈_𝑖’s ∈ U − ̃U to interact with A by broadcasting the messages(𝑏_𝑖, 𝐵_𝑖, 𝑇_𝑖, 𝛽_𝑖)’s of 𝑈_𝑖’s in the 𝑠th session.

(3) Reveal(Π𝑠

U): B reveals the session conference key SCK which was held byU in the 𝑠th session.

(4) Corrupt(𝑈_𝑖): B responds with the long-term private key of𝑈_𝑖.

(5) Test(Π𝑠

U): when A makes the Test query, B returns the broadcast messages of the𝑠th session and gives the adversary either the session key of the𝑠th session or a random string.A then outputs a bit to decide whether the string is the session key or not.

Round3 𝑈_𝑖 𝑈₁, 𝑈₂, . . . , 𝑈_𝑖−1, 𝑈_𝑖+1, . . . , 𝑈_𝑛 Compute 𝐾 = 𝑟_𝑖∑𝑛 𝑗=1 𝑘_𝑗𝑏_𝑖= (𝑘₁+ 𝑘₂+ ⋅ ⋅ ⋅ + 𝑘_𝑖+ ⋅ ⋅ ⋅ + 𝑘_𝑛) 𝑃 𝛼 = 𝐻1(𝐾) 𝑇_𝑖= 𝛼𝑠𝑄_𝑖+ 𝑟−1 𝑖 𝑠𝑃 𝛽𝑖= 𝐻2(𝑇𝑖, 𝛼) Broadcast(𝑇_𝑖, 𝛽_𝑖) 󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀→ (𝑇1, 𝛽1), (𝑇2, 𝛽2), . . . , (𝑇𝑖−1, 𝛽𝑖−1), (𝑇𝑖+1, 𝛽𝑖+1), . . . , (𝑇𝑛, 𝛽𝑛) ←󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀󳨀 Verify: 𝛽1, 𝛽2, . . . , 𝛽𝑖−1, 𝛽𝑖+1, . . . , 𝛽𝑛 𝑉_𝑖= 𝑒 (∑𝑛 𝑖=1 𝑎_𝑗𝑏_𝑖+ 𝛼∑𝑛 𝑖=1 𝑎_𝑖𝑄_𝑖, 𝑠𝑃󸀠_{)? = 𝑒 (∑}𝑛 𝑖=1 𝑎_𝑖𝑇_𝑖, 𝑃󸀠₎

Compute session conference key SCK =𝐻₃(𝐾)

Algorithm 3: Round 3 of the first conference key protocol.

(6)𝐻 (⋅): when a participant inputs a string to 𝐻, it responds with the hashed value of the string and the hashed value will be recorded.

(7)𝐻₁(⋅): when a participant inputs a message 𝑚 ∈ G₁ to𝐻₁, it responds with the hashed value of𝑚 and the hashed value will be recorded, too.

(8)𝐻₂(⋅): when a participant inputs (𝑚₁, 𝑚₂), where 𝑚₁∈ G₁and𝑚₂∈ {0, 1}∗, to𝐻₂, it responds with the hashed value of(𝑚₁, 𝑚₂) and the hashed value will be recorded, too.

6.1. Correctness

Theorem 6 (correctness). In the presence of a benign

adver-saryA, all the parties always accept holding the same session conference key, which is distributed randomly and uniformly in

{0, 1}𝜅_{, where𝜅 is the security parameter.}

Proof. Every user 𝑈_𝑖 can generate a valid message

(𝑏_𝑖, 𝐵_𝑖, 𝑇_𝑖, 𝛽_𝑖) by following our proposed single domain scheme (Section5.1), verify the correctness of the message 𝑉_𝑖 = 𝑒(∑𝑛_𝑖=1𝑎_𝑖𝑏_𝑖 + 𝛼 ∑𝑛_𝑖=1𝑎_𝑖𝑄_𝑖, 𝑠𝑃󸀠_{) = 𝑒((𝑎} 1𝑟1−1 + 𝑎2𝑟−12 + ⋅ ⋅ ⋅ + 𝑎_𝑛𝑟−1 𝑛 )𝑃 + (𝛼𝑎1𝑄1 + 𝛼𝑎2𝑄2 + ⋅ ⋅ ⋅ + 𝛼𝑎𝑛𝑄𝑛), 𝑠𝑃󸀠) = 𝑒(𝑎₁(𝛼𝑠𝑄₁ + 𝑟−1₁ 𝑠𝑃) + 𝑎₂(𝛼𝑠𝑄₂ + 𝑟₂−1𝑠𝑃) + ⋅ ⋅ ⋅ + 𝑎_𝑛(𝛼𝑠𝑄_𝑛 + 𝑟−1 𝑛 𝑠𝑃), 𝑃󸀠) = 𝑒(∑𝑛𝑖=1𝑎𝑖(𝛼𝑠𝑄𝑖 + 𝑟𝑖−1𝑠𝑃), 𝑃󸀠) = 𝑒(∑𝑛_𝑖=1𝑎_𝑖𝑇_𝑖, 𝑃󸀠_{), and negotiate a common session conference} key SCK= 𝐻₃(𝐾).

In our proposed interdomain scheme (Section 5.2),𝑈_𝑖𝑗 can generate a valid message(𝑏_𝑖𝑗, 𝐵_𝑖𝑗, 𝑇_𝑖𝑗, 𝛽_𝑖𝑗) and verify the correctness of the message because

𝑉_ℎ,𝑙=∏𝑚 ℎ=1 𝑒 (∑𝑛ℎ 𝑙=1 𝑎_ℎ,𝑙𝑏_ℎ,𝑙+ 𝛼∑𝑛ℎ 𝑙=1 𝑎_ℎ,𝑙𝑄_ℎ,𝑙, 𝑠_ℎ𝑃󸀠) = 𝑒 ((𝑎_1,1𝑟_1,1−1+ 𝑎_1,2𝑟_1,2−1 + ⋅ ⋅ ⋅ + 𝑎_1,𝑛1𝑟_1,𝑛−1₁) 𝑃 + (𝛼𝑎_1,1𝑄_1,1+ 𝛼𝑎_1,2𝑄_1,2+ ⋅ ⋅ ⋅ + 𝛼𝑎_1,𝑛1𝑄_1,𝑛1) , 𝑠₁𝑃󸀠) ⋅ 𝑒 ((𝑎_2,1𝑟_2,1−1+ 𝑎_2,2𝑟_2,2−1+ ⋅ ⋅ ⋅ + 𝑎_2,𝑛2𝑟−1_2,𝑛2) 𝑃 + (𝛼𝑎_2,1𝑄_2,1+ 𝛼𝑎_2,2𝑄_2,2+ ⋅ ⋅ ⋅ + 𝛼𝑎_2,𝑛2𝑄_2,𝑛2) , 𝑠₂𝑃󸀠) ⋅ 𝑒 ((𝑎_𝑚,1𝑟_𝑚,1−1 + 𝑎_𝑚,2𝑟_𝑚,2−1 + ⋅ ⋅ ⋅ + 𝑎_{𝑚,𝑛𝑚}𝑟_𝑚,𝑛−1_𝑚) 𝑃 + (𝛼𝑎_𝑚,1𝑄_𝑚,1+ 𝛼𝑎_𝑚,2𝑄_𝑚,2+ ⋅ ⋅ ⋅ + 𝛼𝑎_{𝑚,𝑛𝑚}𝑄_{𝑚,𝑛𝑚}) , 𝑠𝑚𝑃󸀠) = 𝑒 (𝑎_1,1(𝛼𝑠₁𝑄_1,1+ 𝑟_1,1−1𝑠₁𝑃) + 𝑎_1,2(𝛼𝑠₁𝑄_1,2+ 𝑟_1,2−1𝑠₁𝑃) + ⋅ ⋅ ⋅ +𝑎_1,𝑛1(𝛼𝑠₁𝑄_1,𝑛1+ 𝑟−1_1,𝑛1𝑠₁𝑃) , 𝑃󸀠) ⋅ 𝑒 (𝑎_2,1(𝛼𝑠₂𝑄_2,1+ 𝑟_2,1−1𝑠₂𝑃) + 𝑎_2,2(𝛼𝑠₂𝑄_2,2+ 𝑟_2,2−1𝑠₂𝑃) + 𝑎_2,𝑛2(𝛼𝑠₂𝑄_2,𝑛2+ 𝑟−1 2,𝑛2𝑠2𝑃) , 𝑃 󸀠₎ ... ⋅ 𝑒 (𝑎_𝑚,1(𝛼𝑠_𝑚𝑄_𝑚,1+ 𝑟_𝑚,1−1𝑠_𝑚𝑃) + 𝑎_𝑚,2(𝛼𝑠_𝑚𝑄_𝑚,2+ 𝑟_𝑚,2−1𝑠_𝑚𝑃)

+ ⋅ ⋅ ⋅ + 𝑎_{𝑚,𝑛𝑚}(𝛼𝑠_𝑚𝑄_{𝑚,𝑛𝑚}+ 𝑟−1_{𝑚,𝑛𝑚}𝑠_𝑚𝑃) , 𝑃󸀠) = 𝑒 (∑𝑚 ℎ=1 𝑛ℎ ∑ 𝑙=1 𝑎ℎ,𝑙(𝛼𝑠ℎ𝑄ℎ,𝑙+ 𝑟ℎ,𝑙−1𝑠ℎ𝑃) , 𝑃󸀠) = 𝑒 (∑𝑚 ℎ=1 𝑛ℎ ∑ 𝑙=1 𝑎_ℎ,𝑙𝑇_ℎ,𝑙, 𝑃󸀠) . (9)

6.2. Known Session Key Security. After given broadcast

mes-sages and previous session keys according to theIDCK scheme, an adversary makes a Test query and then receives a random string or a current session key. The adversary can continue asking for broadcast messages and other session keys. If no polynomial-time adversary can decide whether the received string is the current session key or not with nonnegligible advantage, we say that theIDCK scheme satisfies known session key security.

Definition 7 (known session key security). An IDCK

scheme is with known session key security if no polynomial-time adversary can decide if a challenge string is a current session key or a random string under the knowledge of previous session keys with the probability at least(𝜀 + 1/2) where𝜀, called the advantage, is nonnegligible.

Theorem 8. If an adversary A can (𝑡, 𝑞_𝐸, 𝑞_𝑆, 𝑞_𝐶, 𝑞_𝑅, 𝑞_𝐻1

𝜀)-decide whether the string received from a Test query is the

session key SCK held byΠℓ_U or not with advantage at least

𝜀, where 𝑡 is the running time and 𝑞_𝐸, 𝑞_𝑆, 𝑞_𝐶, 𝑞_𝑅, and𝑞_𝐻1 are the numbers of making Execute queries, Send queries, Corrupt

queries, Reveal queries, and 𝐻₁ queries, respectively, there

exists an algorithm which can solve the𝑛-DLDH problem with

advantage at least𝜀󸀠in time𝑡󸀠, where

𝜀󸀠≥_𝑞𝜀 0, 𝑡󸀠≈ 𝑡 + 𝑞_𝐸O (𝑡_𝐸) + +𝑞_𝑆O (𝑡_𝑆) + 𝑞_𝐶O (𝑡_𝐶) + 𝑞_𝑅O (𝑡_𝑅) + 𝑞_𝐻1O (𝑡_𝐻1) + O (𝑛2) , (10) 𝑞₀ = 𝑞_𝐸 + 𝑞_𝑆 + 𝑞_𝐶 + 𝑞_𝑅 + 𝑞_𝐻,𝑡_𝐸, 𝑡_𝑆, 𝑡_𝐶, 𝑡_𝑅, and 𝑡_𝐻1 are

the computing time of the Execute oracle, the Send oracle, the

Corrupt oracle, the Reveal oracle, and𝐻₁oracle, respectively.

Proof. Initially, we construct a simulatorB which prepares

the pairing parameters and simulates the system as follows. B randomly picks 𝑠 ∈ Z∗

𝑞 as the system master private key and computes(𝑠𝑃, 𝑠𝑃󸀠) as the system master public key. B computes each user’s long-term public/private key pair (𝑄_𝑖, 𝑠𝑄_𝑖). B allows A to make the following queries

(i) Execute(Π𝑡

U):A can request U that is a set of users who are chosen by itself to run the key agreement protocol in session 𝑡. B follows the protocol (Sec-tion 5.1) to produce every (𝑟_𝑖, 𝑏_𝑖, 𝐵_𝑖, 𝑇_𝑖, 𝛽_𝑖, 𝑘_𝑖), and

𝐾 = ∑_𝑈𝑖∈U𝑘_𝑖𝑃, and then records them. Finally, B responds every(𝑏_𝑖, 𝐵_𝑖, 𝑇_𝑖, 𝛽_𝑖) to A, where 𝑈_𝑖∈ U. (ii) Send(Π𝑡_̃U, 𝑚): if A actively broadcasts the messages

of users ̃U ⊂ U to run the key agreement protocol in session 𝑡, B follows the protocol (Section 5.1) to produce every(𝑟_𝑖, 𝑏_𝑖, 𝐵_𝑖, 𝑇_𝑖, 𝛽_𝑖, 𝑘_𝑖) and generate the session conference key in the end of the protocol and then records them. Finally,B responds (𝑏_𝑖, 𝐵_𝑖, 𝑇_𝑖, 𝛽_𝑖) toA for each 𝑈_𝑖∈ U − ̃U.

(iii) Reveal(Π𝑡_U): if Π𝑡_U does not exist,B creates Π𝑡_U.B returns the session conference key SCK= 𝐻₃(𝐾). (iv) Corrupt(𝑈_𝑖): B returns (𝑄_𝑖, 𝑠𝑄_𝑖) to A.

(v) 𝐻₁(𝑚): after given 𝑚 ∈ G₁,B randomly chooses 𝛼 ∈ {0, 1}𝜆_{, returns𝐻}

1(𝑚) = 𝛼, and stores (𝑚, 𝛼) in a list, called𝐻₁-list.

(vi) Test(Πℓ

U∗):B guesses that A will send a Test query

at the ℎth session in advance. If A makes a Test query at theℓth session, where ℓ ̸= ℎ, B randomly answers “YES” or “NO” to the 𝑛-DLDH problem. WhenA makes a Test query at the ℓth session, where ℓ = ℎ, B checks whether there exists 𝑈𝑖which has been corrupted or not, where𝑈_𝑖 ∈ U∗and|U∗| = 𝑛. If one of them has been corrupted, B returns ⊥ and aborts the game. Otherwise, B is given the parameters of an instance of the𝑛-DLDH problem, 𝑍, 𝑃, and (𝑥_𝑖𝑃, 𝑥_𝑖𝑥_𝑛+𝑗𝑃)’s for all 𝑖, 𝑗 with 1 ≤ 𝑖, 𝑗 ≤ 𝑛, and𝑖 ̸= 𝑗, and takes the advantage of A to decide whether𝑍 = (𝑥_𝑛+1+ 𝑥_𝑛+2 + ⋅ ⋅ ⋅ + 𝑥_2𝑛)𝑃 or not. B sets the public messages(𝑏_𝑖∗, 𝐵∗_𝑖, 𝑇_𝑖∗, 𝛽_𝑖∗) of every user inU∗in theℓth session as follows.

First,B forms 𝑏₁∗ = 𝑥₁𝑃, 𝑏₂∗ = 𝑥₂𝑃, . . . , 𝑏_𝑛∗ = 𝑥_𝑛𝑃, 𝐾∗ = 𝑍, 𝛼∗= 𝐻1(𝐾∗), and prepares 𝐵∗𝑖 = (𝑥1𝑥𝑛+𝑖𝑃, 𝑥2𝑥𝑛+𝑖𝑃, . . . , 𝑥𝑖−1𝑥𝑛+𝑖𝑃,⊥, 𝑥𝑖+1𝑥𝑛+𝑖𝑃, . . . , 𝑥𝑛𝑥𝑛+𝑖𝑃), for each𝑈_𝑖∗ ∈ U∗; that is,

𝑈∗ 1 𝑈2∗ . . . 𝑈𝑖∗ . . . 𝑈𝑛∗ 𝐵∗₁ ⊥ 𝑥2𝑥𝑛+1𝑃 . . . 𝑥𝑖𝑥𝑛+1𝑃 . . . 𝑥𝑛𝑥𝑛+1𝑃 𝐵∗₂ 𝑥1𝑥𝑛+2𝑃 ⊥ . . . 𝑥𝑖𝑥𝑛+2𝑃 . . . 𝑥𝑛𝑥𝑛+2𝑃 ... ... ... d ... ... ... 𝐵∗ 𝑖 𝑥1𝑥𝑛+𝑖𝑃 𝑥2𝑥𝑛+𝑖𝑃 . . . ⊥ . . . 𝑥𝑛𝑥𝑛+𝑖𝑃 ... ... ... ... ... d ... 𝐵∗ 𝑛 𝑥1𝑥2𝑛𝑃 𝑥2𝑥2𝑛𝑃 . . . 𝑥𝑖𝑥2𝑛𝑃 . . . ⊥ (11) B sets 𝑇∗ 𝑖 = 𝑠𝛼∗𝑄𝑖 + 𝑠𝑥𝑖𝑃 and computes 𝛽𝑖∗ = 𝐻₂(𝑇∗ 𝑖, 𝛼∗) and SCK∗ = 𝐻3(𝐾∗), where 1 ≤ 𝑖 ≤ 𝑛. B responds every (𝑏_𝑖∗, 𝐵∗_𝑖, 𝑇_𝑖∗, 𝛽∗_𝑖) and SCK∗toA. A can continue making the queries of Execute(Π𝑡_U),

Send(Π𝑡_U), Reveal(Π𝑡_U), and Corrupt(𝑈_𝑖), where 𝑡 ̸= ℓ and

𝑈_𝑖∉ U∗_{, untilA outputs a bit 𝑏. If SCK}∗_{is the key in sessionℓ} fromA’s point of view, A will output 𝑏 = 1; otherwise, 𝑏 = 0. If𝑏 = 1, B outputs “YES”; that is, 𝑍 = (𝑥_𝑛+1+𝑥_𝑛+2+⋅ ⋅ ⋅+𝑥_2𝑛)𝑃; otherwise,B outputs “NO”.

If the adversary can compromise known session key security of the scheme with advantage at least 𝜀, B can

solve the𝑛-DLDH problem with the advantage at least 𝜀󸀠 ≥ (1/𝑞₀) (1/2 + 𝜀) + (1/2)((𝑞₀− 1)/𝑞₀) − 1/2 = 𝜀/𝑞₀.

By Theorem 8, we can solve the 𝑛-DLDH problem in polynomial time with nonnegligible advantage if there exists a polynomial-time adversary that can break the known session key security with nonnegligible advantage of the proposed single domain key agreement scheme.

As for the proof of the interdomain case, we can let𝑛 be the number of the total users from all domains; that is,𝑛 = 𝑁. Then, by the proof of Theorem8, the𝑛-DLDH problem can be solved if the adversary can distinguish the session key from a random string in the proposed interdomain key agreement scheme.

6.3. Key-Compromise Impersonation. An adversary is given

all users’ long-term keys by making Corrupt queries except the one that he claims to impersonate. If no adversary can output the correct messages of the user with nonnegligi-ble probability, the IDCK scheme can withstand key-compromise impersonation.

Definition 9 (key-compromise impersonation). AnIDCK

scheme can withstand key-compromise impersonation if no adversary can have nonnegligible probability to impersonate a user without the long-term private key of the user.

Lemma 10 (the forking lemma [35]). Let𝑇_𝑖 = 𝛼𝑠𝑄_𝑖+ 𝑟_𝑖−1𝑠𝑃

be a valid authentic parameter of user𝑈_𝑖, where𝑠𝑄_𝑖 is 𝑈_𝑖’s

private key,𝑠𝑃 is TA’s public key, 𝑟_𝑖−1is randomly chosen by𝑈_𝑖,

and𝛼 is a hashed value of 𝐾 shared by all users. Let A be a probabilistic polynomial time Turing machine. Given only the

public data of the key agreement scheme as input, ifA can find,

with nonnegligible probability, a valid authentic parameter𝑇_𝑖

with 𝛼, then, with nonnegligible probability, a replay of this machine, with the same random tape and a different value returned by the random oracle, can output two valid authentic

parameters𝑇_𝑖with𝛼 and 𝑇_𝑖󸀠with𝛼󸀠, such that𝛼 ̸= 𝛼󸀠.

Lemma 11 (the splitting lemma [36]). Let𝐴 ⊂ 𝑋×𝑌 such that Pr[(𝑥, 𝑦) ∈ 𝐴] = |𝐴|/(|𝑋| × |𝑌|) ≥ 𝛿. For any 𝜌 < 𝛿, define 𝐵 = {𝑥 ∈ 𝑋 | Pr [(𝑥, 𝑦) ∈ 𝐴] ≥ 𝛿 − 𝜌} and 𝐵 = 𝑋 \ 𝐵. Then

the following statements hold:

(1) Pr[𝑥 ∈ 𝐵] = |𝐵|/|𝑋| ≥ 𝜌, (2)∀𝑥 ∈ 𝐵, Pr [(𝑥, 𝑦) ∈ 𝐴] ≥ 𝛿 − 𝜌, (3) Pr[𝑥 ∈ 𝐵 | (𝑥, 𝑦) ∈ 𝐴] ≥ 𝜌/𝛿.

Lemma 12. Assume that 𝑒(∑𝑛_𝑖=1𝑎_𝑖𝑏_𝑖 + 𝛼 ∑𝑛_𝑖=1𝑎_𝑖𝑄_𝑖, 𝑠𝑃󸀠_{) =} 𝑒(∑𝑛_𝑖=1𝑎_𝑖𝑇_𝑖, 𝑃󸀠_{). Let 𝐸 be an event that occurs if there is at least}

one𝑇_𝑖such that𝑒(𝑎_𝑖𝑏_𝑖+ 𝛼𝑎_𝑖𝑄_𝑖, 𝑠𝑃󸀠) ̸= 𝑒(𝑎_𝑖𝑇_𝑖, 𝑃󸀠). Then, the

probability Pr[𝐸] ≤ 1/2𝑞, where𝑞 is a security parameter.

Proof. The proof is using the technique of the small exponents

test in [37]. If𝑒(𝑎_𝑖𝑏_𝑖+ 𝛼𝑎_𝑖𝑄_𝑖, 𝑠𝑃󸀠) ̸= 𝑒(𝑎_𝑖𝑇_𝑖, 𝑃󸀠) for some 𝑖, then 𝑇_𝑖 ̸= 𝑠𝑏_𝑖+ 𝑠𝛼𝑄_𝑖. That is, there exists𝑐_𝑖 ̸= 0 (mod 𝑞) such that 𝑇_𝑖= 𝑠𝑏_𝑖+ 𝑠𝛼𝑄_𝑖+ 𝑐_𝑖𝑃. Let𝑇_𝑗 = 𝑠𝑏_𝑗 + 𝑠𝛼𝑄_𝑗 + 𝑐_𝑗𝑃 where ∀𝑗 ∈ {1, . . . , 𝑛} − {𝑖} and𝑐_𝑗 ∈ {0, . . . , 𝑞 − 1}. As 𝑒(∑𝑛_𝑖=1𝑎_𝑖𝑏_𝑖 + 𝛼 ∑𝑛_𝑖=1𝑎_𝑖𝑄_𝑖, 𝑠𝑃󸀠) = 𝑒(∑𝑛_𝑖=1𝑎_𝑖𝑇_𝑖, 𝑃󸀠_{), ∑}𝑛 𝑖=1𝑐𝑖𝑎𝑖≡ 0 (mod 𝑞). Hence, 𝑎𝑖≡ −𝑐𝑖−1(𝑐1𝑎1+ 𝑐₂𝑎₂+ ⋅ ⋅ ⋅ + 𝑐_𝑖−1𝑎_𝑖−1+ 𝑐_𝑖+1𝑎_𝑖+1+ ⋅ ⋅ ⋅ + 𝑐_𝑛𝑎_𝑛) (mod 𝑞). Since 𝑎_𝑖is randomly chosen fromZ∗_𝑞, Pr[𝐸] ≤ 1/2𝑞.

Theorem 13. If an adversary A can (𝑡, 𝑞_𝑆, 𝑞_𝐶, 𝑞_𝑅, 𝑞_𝐻, 𝑞_𝐻1,

𝜀)-impersonate a user𝑈_𝑖∗ without the long-term private key of

𝑈∗

𝑖 with probability at least𝜀, where 𝑡 is the running time, 𝑞𝑆,

𝑞_𝐶,𝑞_𝑅,𝑞_𝐻, and𝑞_𝐻1 are the numbers of making Send queries,

Corrupt queries, Reveal queries,𝐻 queries, and 𝐻₁ queries,

respectively, there exists an algorithm to solve the variant-CDH

problem with probability at least𝜀󸀠in time𝑡󸀠, where

𝜀󸀠≥ ((1/|U|) (1 − 1/ |U|) (1 − 1/2 ℎ_{) (𝜀 − 1/2}𝑞₎ 2 ) 2 , 𝑡󸀠≈ 2 (𝑡 + 𝑞_𝑆O (𝑡_𝑆) + 𝑞_𝐶O (𝑡_𝐶) + 𝑞_𝑅O (𝑡_𝑅) + 𝑞_𝐻O (𝑡_𝐻) + 𝑞_𝐻1O (𝑡_𝐻1)) + O (𝑛2) , (12)

ℎ is the length of 𝐻1’s output,U is a set of users, and 𝑡𝐻is the

computing time of𝐻 oracle.

Proof. At first, B inputs 𝜅 to generate pairing parameters

and a variant-CDH tuple(𝑃, 𝑎𝑃, 𝑏𝑃, 𝑃󸀠, 𝑎𝑃󸀠) ∈ G₁, where 𝑎, 𝑏∈𝑅Z∗𝑞. We will show thatB can solve the variant-CDH problem with the assistance of an adversaryA. B’s task is to compute and output the value𝑐𝑃 = 𝑎𝑏𝑃.

B simulates the system as follows. We define (𝑎𝑃, 𝑎𝑃󸀠) as the system master public key andB does not know the master private key𝑎. 𝐻 and 𝐻₁are two random oracles simulated byB to respond the queries to 𝐻 and 𝐻₁, respectively.B randomly chooses one user 𝑈_𝑖∗ and let 𝑏𝑃 be 𝑈_𝑖∗’s long-term public key. Except𝑈_𝑖∗,B computes other users’ long-term public/private key pairs by𝐻. B allows A to make the following queries.

(i)𝐻 (⋅): after given 𝑚 ∈ {(TA’s ID‖𝑈_𝑖’s ID) | 1 ≤ 𝑖 ≤ 𝑞}, B responds the query, 𝐻(𝑚), and maintains the 𝐻-list as follows.

If𝑚 = (TA’s ID‖𝑈_𝑖∗’s ID),B returns 𝐻(𝑚) = 𝑏𝑃 and stores a record(𝑈_𝑖∗, 𝑏𝑃, ⊥, ⊥) in the 𝐻-list. Otherwise, B randomly chooses 𝑢_𝑖 ∈ Z∗

𝑞, returns𝐻(𝑚) = 𝑢𝑖𝑃, and stores a record (𝑈_𝑖, 𝑢_𝑖𝑃, 𝑢_𝑖𝑎𝑃, 𝑢_𝑖) in the 𝐻-list, where 𝑢_𝑖𝑃 and 𝑢_𝑖𝑎𝑃 are the long-term public and private keys, respectively, of𝑈_𝑖.

(ii)𝐻₁(⋅): after given 𝑚 ∈ G₁,B randomly chooses 𝛼 ∈ {0, 1}ℓ, returns𝐻₁(𝑚) = 𝛼, and stores a record (𝑚, 𝛼) in the𝐻₁-list.

(iii) Execute(Π𝑡

U): A can choose U and ask B to run the key agreement protocol. B returns the public messages (𝑏_𝑖, 𝐵_𝑖, 𝑇_𝑖, 𝛽_𝑖)’s of all 𝑈_𝑖’s in U to A. B produces the messages as follows.

If𝑈_𝑖∗ ∈ U, B picks 𝑘_𝑖, 𝑧, 𝛼∈_𝑅Z∗_𝑞 and computes𝑏_𝑖 = 𝑧𝑃 − 𝛼𝑏𝑃 = (𝑧 − 𝛼𝑏)𝑃, 𝑇_𝑖= 𝑧𝑎𝑃, and 𝛽_𝑖= 𝐻₂(𝑇_𝑖, 𝛼). For each of the other𝑈_𝑗’s ∈ U, B randomly picks 𝑟_𝑗, 𝑘_𝑗 ∈ Z∗_𝑞 and computes𝑏_𝑗 = 𝑟−1_𝑗 𝑃, 𝑇_𝑗 = 𝛼𝑢_𝑗𝑎𝑃 + 𝑟_𝑗−1𝑎𝑃, and 𝛽𝑗 = 𝐻2(𝑇𝑗, 𝛼). Thus, B can follow the