1. Introduction

The authenticated key exchange protocols (AKE) based on conventional certificates are still widely deployed. Even in relatively new standards, such as TLS 1.3 [1], certificate-based cipher suites remains significant. Theoretical frameworks for evaluating protocol security, such as extensions of the Bellare–Rogaway model (BR) [2], eCK model [3] and universal composability (UC) [4], are usually used while assuming the existence of certificate-based public key infrastructure (PKI) [5,6].

However, the drawbacks of certificate-based infrastructure are also obvious. Ever-growing certificate revocation lists (CRL), floods of Online-Certificate States Protocol (OCSP) requests and the complicated logic of certificate chain verification may not fit into constrained devices [7] in the Internet of Things (IoT), where 50 KB RAM is already a luxury. Turning to pure symmetric key cryptography is not optimal in practice, either, as that introduces heterogeneity in the infrastructure, and scales poorly.

Therefore, exploring practical certificate-less AKE protocols (CL-AKE) is extremely meaningful.

CL-AKE solutions can use certificate-less public key encryption (CL-PKE) or signature (CL-SIG) to replace certificate chains. The syntax of the scheme and the types of adversaries have been defined for the first CL-PKE and CL-SIG by Al-Riyami and Paterson [8]. Unlike the key generation center (KGC) in identity-based or attribute-based cryptography (IBC, ABC), the KGC in CL-PKE can only compute partial private keys of users, so solutions based on CL-PKC do not suffer from the key escrow problem. The initial construction of CL-PKC in [8] is bilinear pairing based. Later, in 2007, Crampton et al. proposed a password-enabled and certificate-free grid security infrastructure (PECF-GSI) [9]. The protocols in PECF-GSI use bilinear pairing as heavily as the original Al-Ruyami–Paterson schemes. Other pairing-based certificate-less solutions in the last two decades [10,11,12,13,14,15] have experienced various improvement and trade-offs.

One of the major challenges for building certificate-less infrastructure is to optimize the efficiency of every protocol in its cryptographic core. As pointed out in [16], a bilinear pairing operation is about ten-times slower than a point multiplication on elliptic curves (EC), so it is necessary to avoid pairing and also to trim the redundant components, such as signature generation or decryption, off the CL-AKE main protocol.

Another critical challenge is establishing a unified security model for the two stages: user key registration and AKE. An adversary $\mathcal{A}$ against CL-PKE/SIG with key registration [8] has the power to corrupt users, corrupt KGC and register new public keys. However, whether $\mathcal{A}$ can see any message exchanged between an honest user and the KGC is undefined. In contrast, adversaries against AKE protocols have different powers in BR [2], eCK [3] and other game-based models [5]. These adversaries can tamper with messages and corrupt parties but may not be allowed to register new public keys. Although it has not been theoretically ruled out that messages in the key registration phase can threaten the AKE phase, most previous works on CL-AKE [15,17,18,19] used separate game-based models for the generation/registration of user key pairs (in a secure channel or out of band channel) and AKE protocol (in the public channel), or ignore the messages exchanged during the registration.

1.1. Our Contribution and Paper Outline

To meet the challenges mentioned above, we make the following contribution in this paper.

• We propose a practical cryptographic core of a certificate-less (CL) infrastructure, including user key registration and CL-AKE. The protocols are constructed from elliptic curves (EC) without pairing or any signature so that they can be easily supported by most industrial public key cryptography libraries for constrained devices. To the best of our knowledge, our AKE protocol also enjoys the optimal number of point multiplication over EC compared to other pairing-free solutions (see Table 1).

• We integrate CL-AKE into TLS ciphersuites [1]. The performance is compared with TLS-DHE with certificates in data volume and computation. We also deploy and test the slim implementation of CL-AKE without the TLS stack on constrained IoT devices. Subsequently, the evaluation confirms the real-world efficiency of our proposal.

• Our new provably secure CL signature scheme ${\Pi }_{\mathsf{CL}-\mathsf{SIG}}$ with two-way public key reconstruction can be of independent interest.

After the introduction, we present the necessary notation and preliminaries in Section 2. As a starting point for building CL-AKE and proving its security in the game-based framework, we introduce a new certificate-less and paring-free signature scheme with two-way public key reconstruction in Section 3. The game-based AKE security model is presented in Section 4. The new certificate-less key registration, CL-AKE protocols and the security analysis can be found in Section 5. We present the integration to TLS and the evaluation in Section 6.

1.2. Technical Road Map

The cost of verifying a conventional certificate chain is proportional to the number of certificates on the chain. More specifically, to verify the end-level signature, a user has to verify the first-level signature with the public key in the root certificate and then the second-level signature with the public key of the first-level certificate. The verification continues until the signature on the end-level certificate is verified. For EC-based signatures, the verification usually involves a significant amount of point multiplication in an EC group.

A CL-SIG is designed to identify and utilize shortcuts during the verification process. Ideally, a user only has to verify the end-level public key with the root public key, usually the public key of the KGC. This verification can also be enforced implicitly through computation. If an end-level public key ${\mathsf{pk}}_j$ can be reconstructed by any honest user using the KGC’s public key ${\mathsf{pk}}_{\mathsf{KGC}}$ and the identifier ${\mathsf{PID}}_j$, then intuitively, the verification of ${\mathsf{pk}}_j$ is almost finished.

The shortcut we implement in CL-SIG is to replace the signature verification with a hash function, which is considerably more efficient. The hash function ${\mathsf{H}}_1\left(\right)$ maps binary strings to elements in an integer group. If a public key is an EC point that can be encoded as a binary string, and the corresponding private key is an integer in a group, ${\mathsf{H}}_1\left(\right)$ provides an efficient way to bind the public keys ${\mathsf{pk}}_j$, ${\mathsf{pk}}_{\mathsf{KGC}}$ and the identifier ${\mathsf{PID}}_j$ with the private key. Moreover, to make CL-SIG fully functional, there must be two alternatives to how ${\mathsf{pk}}_j$ can be reconstructed. One is through ${\mathsf{sk}}_j$, i.e., the way that only the key owner can take, and another one is through the use of ${\mathsf{H}}_1\left(\right)$, ${\mathsf{pk}}_{\mathsf{KGC}}$ and some additional information $B_j$, i.e., any user can do it. For details, we refer the reader to Figure 1 in Section 3.

We implement another shortcut to construct CL-AKE from CL-SIG. Instead of using the signing and verification algorithms in our CL-SIG, we keep only the public key reconstruction algorithms in the AKE. An AKE participant can reliably reconstruct its peer’s public key ${\mathsf{pk}}_j$ and then use ${\mathsf{pk}}_j$ with its own ephemeral key materials to derive the session keys. A message authenticate code is used to confirm the knowledge of all related secrets, replacing the expensive signature verification. For details, we refer the reader to Figure 2 in Section 5.

In summary, we replace as many public key operations (e.g., signature and point multiplication) with efficient symmetric essential operations (e.g., hash, message authentication code and pseudo-random function) as possible, while keeping the CL solution provably secure. The resulting CL-AKE enjoys forward secrecy due to the Gap Diffie–Hellman problem’s hardness and the new CL-SIG’s security.

1.3. Related Work

We review existing approaches to construct certificate-less AKE and authentication infrastructure, including identity-based cryptography, attribute-based cryptography, and CL-AKE with and without pairing.

1.3.1. IBC and ABC-Based CL Solutions

An important line of research is replacing certificate-based PKI with identity-based cryptography (IBC) [21]. In principle, the IBC public key is a user identity $\mathsf{pid}$ itself, and $\mathsf{pid}$ is embedded algebraically into the user’s secret key by KGC with its master secret key $\mathsf{msk}$. IBC eliminates certificates and simplifies the management of public keys greatly, but it suffers from the key escrow problem. More specifically, in the standard syntax of IBC, such as in [21,22], every user secret key is derived from its $\mathsf{pid}$ and a system-wide static $\mathsf{msk}$ of KGC. Once $\mathsf{msk}$ is compromised, the adversary can use $\mathsf{msk}$ to recover all previous user secret keys, destroying forward secrecy (FS). Attribute-based cryptography (ABC) [23] can be seen as a generalization of IBC. Instead of using one single identity, ABC uses a combination of multiple attributes to encrypt a message. However, the key escrow problem remains if any user secret key is derivable from $\mathsf{msk}$ and the attribute combinations alone. This KGC setting is preserved in various IBC-/ABC-based solutions [24,25], and some are flawed or without FS later [15,26].

1.3.2. CL-PKC and Pairing-Based Attempts

The notion of certificate-less public key cryptography (CL-PKC) was first formalized in 2003 by Al-Riyami and Paterson [8]. As the KGC in CL-PKC can only compute partial private keys for users, solutions based on CL-PKC do not inherently suffer from the key escrow problem. Later, Crampton et al. proposed a password-enabled and certificate-free grid security infrastructure (PECF-GSI) [9] in 2007. The protocols in PECF-GSI use bilinear pairing heavily as the original Al-Ruyami–Paterson schemes.

Various pairing-based attempts have been made for different trade-offs between security and efficiency. In 2012, Sanaa Taha et al. proposed certificate-less authentication key agreement (CL-AKA), a link-layer authentication and key agreement protocol based on CL-PKC, which does not consider ephemeral key leakage attacks [10]. Maity et al. proposed a novel certificate-less on-demand public key management (CL-PKM) protocol for self-organized MANETs [27]. Memon et al. proposed two authentication protocols based on Al-Ruyami–Paterson CL-PKC and IBE [11,12] in 2015. The security is analyzed with BAN-logic. Balakrishnan et al. proposed a practical email system based on CL-PKC with user authentication and key exchange in 2016, but the encryption of messages actually bears no forward secrecy when the receiver’s long-term keys are exposed [13]. Bala et al. proposed a secure key management and authentication protocol in 2017, making use of hybrid cryptography that involves both symmetric and CL-PKC but without formal security models [14]. Saeed et al. proposed a lightweight online/offline certificate-less signature (L-OOCLS) and a heterogeneous remote anonymous authentication protocol (HRAAP) for IoT applications in 2018 [15]. The L-OOCLS scheme is pairing-based and provably secure in random oracle model. The proposed HRAAP, however, cannot be proved secure in the BR or eCK model as the session key is directly used in handshake.

1.3.3. Pairing-Free CL-AKE

Pairin-free CL solutions have also been proposed. Song et al. [16] proposed a secure lightweight certificate-less authenticated key agreement (CL-AKA) for securing vehicle-to-vehicle (V2V) communication without using pairings. Unfortunately, the protocols need a large number of exponentiations in an integer group. Yang and Tan [17] proposed a CL-AKA that is provably secure in a dedicated model. He et al. [19] proposed efficient CL-AKA with security proofs in an extended eCK model dedicated to the key agreement part alone. Farouk et al. also introduced an efficient pairing-free CL-AKA protocol for grid computing environments [18] by extending the work of He et al. [19]. In 2018, KhanSafi et al. proposed an authentication framework for the message dissemination of toll payment information with a pairing-free CL-PKC system [20]. Unfortunately, there is no security proof provided in [19,20].

Defining a unified security model for each stage of CL-AKE is not a trivial task. On the one hand, the adversary for CL-PKE or CL-SIG in [8] has the power to corrupt users, corrupt the KGC or register new public keys, but cannot see any messages exchanged between the user and KGC. On the other hand, adversaries against authenticated key exchange (AKE) protocols, however, have different powers in BR [2], eCK [3] and other game-based models [5]. These adversaries can tamper with messages and corrupt parties (users) but cannot register new public keys. However, it has not been confirmed or denied whether messages in the key pair generation phase can threaten the AKE phase. Most previous works on CL-AKE [10,15,16,18,19] used separate models for the generation of user key pairs (in a secure channel or out-of-band channel) and AKE protocol (in public channels), or even ignore the messages exchanged during the key pair generation.

From 2021 till now, lattice-based (LBC) and isogeny-based cryptography have been introduced for post-quantum security, and new constructions have been proposed [28,29,30,31,32]. However, deploying LBC on constrained devices remains challenging now and in the near future, especially when facing the conflict between the large key/ciphertext size required by LBC and the limited RAM/storage on constrained devices [33].

2. Notation and Preliminaries

In this section, we introduce the necessary cryptographic building blocks of our solution.

2.1. Notations

We use $\kappa \in \mathbb{N}$ and $1^{\kappa }$ to denote the security parameter. Let $\left[n\right]=\{1,\dots ,n\}\subset \mathbb{N}$ be the set of integers from 1 to n. If S is a set, $a\stackrel{\$}{\leftarrow }S$ means sampling a uniformly random element a from S. If $\mathcal{A}\left(\right)$ is an algorithm, $m\leftarrow {\mathcal{A}}^{\mathcal{O}(·)}\left(x\right)$ and ${\mathcal{A}}^{\mathcal{O}(·)}\left(x\right)\stackrel{\$}{\to }m$ denote that $\mathcal{A}$ outputs m on input x with the help of another oracle $\mathcal{O}(·)$. $X\left|\right|Y$ means concatenating two binary strings X and Y. We use $Pr[E:A]$ to denote the probability that event E happens if action A is taken. Other notations will be introduced as needed.

2.2. Cryptographic Primitives and Hardness Assumptions

Message authentication code (MAC) is frequently used in AKE protocols for message integrity and can also work as a proof of the knowledge of the secret key.

Hash functions are used for obtaining a digest of the input. The digest can be of fixed length or in a finite domain.

Pseudo-random function (PRF) can be used for key derivation as in TLS 1.3 [1]. PRF ensures that the output looks random if the secret key is not leaked.

The Schnorr signature scheme can be seen as a general template for (EC-)group-based signature. The most critical operation is the scalar-point multiplication. Note that the verification algorithm $\mathsf{SIG}.\mathsf{Vfy}$ of Schnorr needs two point multiplication, one on the base point G and one on the non-base point $\mathsf{pk}$. In contrast, the signing only needs one base point multiplication. In practice, base point multiplication has been optimized for each EC group, so it is usually much quicker than non-base point multiplication.

We refer the reader to standard cryptography literature, such as [34], for the security definition of all the cryptographic primitives above and Diffie–Hellman key exchange (DH).

The proof of Schnorr’s security or schemes that use group elements with hash usually relies on the hardness of the Discrete logarithm problem above. For proving security of AKE, we need the gap computational Diffie–Hellman Problem ($\mathsf{GCDH}$), which is defined as: given public parameter $\mathsf{params}$ and $(a·G,b·G)$ for $a,b\in {\mathbb{Z}}_q$, compute the element Z = $\left(ab\right)·G$ with the help of a Decisional Diffie–Hellman Oracle ${\mathcal{O}}_{\mathsf{ddh}}(·)$, i.e., ${\mathcal{O}}_{\mathsf{ddh}}(·)$ answers whether a given quadruple $(G,a·G,b·G,c·G)$ has $ab\equiv cmodq$.

In this section, we have reviewed the most relevant cryptographic primitives and hard problems. In the next section, we show how to construct an efficient CL-SIG from them.

3. New Certificate-Less Signature with Two-Way Reconstructable Public Key

We construct an extended certificate-less signature (CL-SIG) as the starting point. Although signing and verification are not used in our CL-AKE protocol, the security of ${\Pi }_{\mathsf{CL}-\mathsf{SIG}}$ simplifies the argument in the game-based framework.

Algorithms and outputs in dashed boxes are the extensions to the syntax in [8]. In the original syntax, ${\mathsf{pk}}_i$ can only be computed by its owner with $\mathsf{Set}-\mathsf{Public}-\mathsf{Key}\left(\right)$. The extension $\mathsf{Reconst}-\mathsf{Pk}(\mathsf{params},{\mathsf{PID}}_i,B_i)$, allows anyone who knows $B_i$ and the KGC’s pubic key to reconstruct ${\mathsf{pk}}_i$. Thus, there are two ways to reconstruct the public key, giving space for more efficiency improvement in the CL-AKE construction.

The security game for $\mathsf{CL}-\mathsf{SIG}$ in [8] is an EUF-CMA game extended with queries in Table 2. In principle, Type I adversaries can replace public keys but cannot get KGC’s private key, while Type II adversaries can have the KGC’s private key but cannot replace public keys.

More specifically, let ${\mathsf{PID}}_j$ be the challenged party and $(m^{*},{\sigma }^{*})$ the forgery. Besides being forbidden to ask $\mathsf{getKeyKGC}\left(\right)$, the restrictions on a Type I adversary $\mathcal{A}$ are:

• $\mathcal{A}$ cannot query $\mathsf{PPKey}-\mathsf{Extract}\left({\mathsf{PID}}_j\right)$.

• For any ${\mathsf{PID}}_i$, $\mathcal{A}$ cannot query $\mathsf{getPrivateKey}\left({\mathsf{PID}}_i\right)$, if it has previously queried $\mathsf{ReplacePK}($${\mathsf{PID}}_i,{\mathsf{pk}}_i^{\prime })$.

• $\mathcal{A}$ cannot query $\mathsf{ReplacePK}({\mathsf{PID}}_j,{\mathsf{pk}}_j^{\prime })$ before submitting forgery, if it has previously asked $\mathsf{PPKey}-\mathsf{Extract}\left({\mathsf{PID}}_j\right)$.

• $\mathcal{A}$ has not queried $\mathsf{SIG}.\mathsf{Sign}({\mathsf{PID}}_j,m^{*})$ before submitting $(m^{*},{\sigma }^{*})$.

Besides being forbidden to ask $\mathsf{ReplacePK}{({\mathsf{PID}}_i,{\mathsf{pk}}_i)}^{\prime }$ for any i, the restrictions on a Type II adversary $\mathcal{A}$ are:

• $\mathcal{A}$ cannot ask $\mathsf{getPrivateKey}\left({\mathsf{PID}}_j\right)$.

• $\mathcal{A}$ has not queried $\mathsf{SIG}.\mathsf{Sign}({\mathsf{PID}}_j,m^{*})$ before submitting $(m^{*},{\sigma }^{*})$.

Our new CL-SIG-TRK ${\Pi }_{\mathsf{CL}-\mathsf{SIG}}$ is in Figure 1, where $\mathsf{SIG}$ is the Schnorr signature scheme in Definition 4. The security of ${\Pi }_{\mathsf{CL}-\mathsf{SIG}}$ is summarized in Theorem 1. We still stick to the original syntax of $\mathsf{Verify}\left(\right)$. On the other hand, the extension, $\mathsf{Reconst}-\mathsf{Pk}\left(\right)$, also provides more flexibility in the verification, as a signature $({\sigma }^{\prime },B_i)$ can now be verified with itself and the KGC public key ${\mathsf{pk}}_{\mathsf{KGC}}$. We will show how a receiver of the partial public key $B_i$ can check and use it efficiently in AKE in Section 5.

We defer the proof of Theorem 1 to Appendix A, as it relies on the multiple forking lemmma in [35] and is rather technical. Intuitively, the multiple-forking lemma helps us connect the CL-SIG security to the hardness of $\mathsf{DLP}$ (Definition 5).

From Theorem 1, we can have Corollary 1, which is necessary for proving the security of the user key registration protocol (see Figure 3 in Section 5). The proof of Corollary 1 is quite straight forward, as unforgeable CL-SIG implies unforgeable and non-replaceable key pairs.

Now, we have all the necessary tools to construct a CL-AKE with forward secrecy [1].

4. Game-Based Security Model for CL-AKE

In this section, we define a security model for certificate-less AKE protocols. We assume each participant communicates through a public network, and the adversary controls all the data traffic. This setting is formalized in the execution environment.

4.1. Protocol Execution Environment

Let $\mathcal{SK}\in {\{0,1\}}^{\kappa }$ denote the session key space, and $\mathcal{K}$ is the pre-shared key space. Let $\{P_1,\dots ,P_{\ell }\}$ be the set of all parties for ℓ$\in \mathbb{N}$, where a potential participant $P_i$ has a long-term pre-shared key $\mathsf{K}\in \mathcal{K}$ that corresponds to its identity i.

Each $P_i$ can have a polynomial number of process oracles $\left\{{\pi }_i^s\right\}$, where $s\in \left[d\right]$ is an index with $d\in \mathbb{N}$. A unique session identifier $\mathsf{sid}$ labels a protocol session between a client and a server instance. Moreover, we assume that besides the access to long-term secrets, such as private keys, each oracle ${\pi }_i^s$ maintains a list of independent internal state variables as described in the following list (Table 3).

The internal state of each oracle ${\pi }_i^s$ is initialized as (${\mathsf{PID}}_i^s$, ${\Phi }_i^s$, ${\mathsf{sid}}_i^s$, ${\mathsf{K}}_i^s$, ${\mathsf{Eph}}_i^s$) = (∅, ∅, ∅, ∅, ∅), where ∅ denotes the empty string. We assume that the session key is assigned to the variable ${\mathsf{K}}_i^s$ such that ${\mathsf{K}}_i^s\ne \varnothing$ if each oracle completes the execution with an internal state ${\Phi }_i^s=\mathtt{accept}$.

4.2. Adversary Model

An active adversary $\mathcal{A}$ can interact with the execution environment by issuing the queries below. Queries in the dashed boxes are our extensions to the eCK model [3].

• $\mathsf{Send}({\pi }_i^s,m)$: $\mathcal{A}$ can use this query to send any message m of its choice to oracle ${\pi }_i^s$. The oracle will respond according to the protocol specification and its internal state. If m consists of a special symbol ⊤ ($m=\top$), then ${\pi }_i^s$ will respond with the first protocol message.

• $\mathsf{RegCorruptParty}(i,{\mathsf{sk}}_i,{\mathsf{pk}}_i)$ This query allows $\mathcal{A}$ to register a new party with ${\mathsf{sk}}_i,{\mathsf{pk}}_i$ given by $\mathcal{A}$. If party i already exists, then upon this query, all long-term key pairs will be replaced with ${\mathsf{sk}}_i,{\mathsf{pk}}_i$, and existing randomness and session keys holding by any ${\pi }_i^s$ will be erased. In any case, party i has ${\tau }_i=0$ once this query has been issued.

• $\mathsf{Corrupt}\left(i\right)$: The oracle ${\pi }_i^s$ responds with the long-term private keys of party $P_i$. If $\mathsf{Corrupt}\left(i\right)$ is the $\tau$-th query issued by $\mathcal{A}$, then we say that $P_i$ is $\tau$-corrupted. For parties that have never been corrupted, we define $\tau :=\infty$.

• $\mathsf{RevealKey}\left({\pi }_i^s\right)$: Oracle ${\pi }_i^s$ responds to this query with the contents of variable ${\mathsf{K}}_i^s$ to $\mathcal{A}$. This query models the attacks that the exposure of a session key should not be damaging to other sessions. (Note that we have ${\mathsf{K}}^s\ne \varnothing$ if and only if ${\Phi }_i^s=\mathtt{accept}$.)

• $\mathsf{RevealEph}\left({\pi }_i^s\right)$: Oracle ${\pi }_i^s$ responds with the contents of the ephemeral secret stored in variable ${\mathsf{Eph}}_i^s$.

• $\mathsf{Test}\left({\pi }_i^s\right)$: This query can be made at most once. It does not model attacks but functions as a judgment for whether $\mathcal{A}$’s attacks are successful. Oracle ${\pi }_i^s$ handles this query as follows. If the oracle has state ${\Phi }_i^s\ne \mathtt{accept}$, then it returns a failure symbol ⊥. If the oracle does not have access to the corresponding type of keys, it returns some failure symbol ⊥.

  Otherwise, it flips a fair coin b, and it returns ${\mathsf{K}}_b$, where ${\mathsf{K}}_0$ is the real ${\mathsf{K}}_i^s$ and ${\mathsf{K}}_1\stackrel{\$}{\leftarrow }\mathcal{K}$.

• $\mathsf{TestForge}(i,{\mathsf{sk}}_i^{\prime },{\mathsf{pk}}_i^{\prime })$ This query judges the result of an attack, the goal of which is to forge a valid key pair. The output is 1 if $\mathsf{checkKey}({\mathsf{sk}}_i^{\prime },$${\mathsf{pk}}_i^{\prime })=\mathsf{TRUE}$ and 0 otherwise, where $\mathsf{checkKey}\left(\right)$ is parameterized by concrete protocols.

4.3. Security Definitions

Let ${\mathsf{sid}}_i^s$∈$\mathcal{SID}$ denote the session identifier received by oracle ${\pi }_i^s$, where $\mathcal{SID}\subseteq {\{0,1\}}^{\mathsf{poly}\left(\kappa \right)}$, i.e., a set of binary strings of length $\mathsf{poly}\left(\kappa \right)$.

Here, we define the security of the key pair registration protocol.

The model that we have discussed so far provides a unified framework to evaluate the new CL-AKE protocols. The freshness ensures that we are focusing on real threats, and the queries can be combined to emulate attacks such as replay and man-in-the-middle.

5. New Protocols for Certificate-Less Infrastructure

The canonical way to transform a certificate-based AKE to CL-AKE is to replace the signature with a CL-SIG. However, the efficiency of the result is sub-optimal due to redundant computation and the extra demand for randomness. For example, to sign a message with our CL-SIG, an extra randomness is needed for the Schnorr component (line 4 in $\mathsf{Sign}(\mathsf{params},{\mathsf{sk}}_i,m)$ in Figure 1), and point multiplications are needed for verification.

Our new CL-AKE protocols save the participants from any signature verification. $\mathsf{Reconst}-\mathsf{Pk}(\mathsf{params},{\mathsf{PID}}_i,B_i)$ in ${\Pi }_{\mathsf{CL}-\mathsf{SIG}}$ (Figure 1) ensures that once Alice has a reliable ${\mathsf{pk}}_{\mathsf{KGC}}$$\in \mathsf{params}$, its peer Bob has to use a correct secret key with respect to $B_i$ and ${\mathsf{pk}}_{\mathsf{KGC}}$ in AKE (Figure 2), leading to optimal performance.

5.1. Client Key Registration

Initially, a client is provisioned with the KGC’s public keys ${\mathsf{ek}}_{\mathsf{KGC}},{\mathsf{pk}}_{\mathsf{KGC}}$ and its own encryption/decryption key pairs. A client can then register its key pair to a KGC, which also knows the client’s encryption key. Details of our new client key pair generation protocol (Protocol 2) can be found in Figure 3. The security is summarized in the following theorem, where $\mathsf{checkKey}$ for $\mathsf{TestForge}$ is defined as checking the discrete log relation ${\mathsf{sk}}_i^{\prime }·G={\mathsf{pk}}_i^{\prime }$.

5.2. Certificate-Less Authenticated Key Exchange

The certificate-less authenticated key exchange protocol (CL-AKE) with explicit authentication is presented in Figure 2. The correctness is trivial, and the three non-base point multiplications are for computing ${\mathsf{pk}}_i$ (or ${\mathsf{pk}}_j$) and $\mathsf{ms}$. Let $\mathsf{H}:{\{0,1\}}^{*}\to {\mathbb{Z}}_{\left|\mathbb{G}\right|}$ be a hash function modeled as a random oracle that maps any binary string to an integer in group ${\mathbb{Z}}_{\left|\mathbb{G}\right|}$.

6. Integration into TLS and Performance Evaluation

Since our solution is already asymptotically better than other provably secure ones (see Table 1), we only demonstrate its performance in real-world scenarios and compare with the original certificate-based TLS (TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, henceforth TLS-DHE).

The two standard ways to integrate the Protocol 3 in Figure 2 are via the certificate type RawPublicKey [37] and via the PSK identities [38] (We merged mTag1 and mTag2 with the finish-messages in the TLS handshake.). When RawPublicKey is chosen, the TLS server sends ${\mathbf{M}}_{\mathbf{1}}$ in the (Server) Certificate message, and the TLS client sends ${\mathbf{M}}_{\mathbf{2}}$ in the (Client) Certificate message. When PSK identities is used, the TLS server sends ${\mathbf{M}}_{\mathbf{1}}$ in the ServerkeyExchange.psk_identity_hint field, and the TLS client sends ${\mathbf{M}}_{\mathbf{2}}$ in the ClientKeyExchange.psk_identity field.

6.1. Set Up

Opting for the PSK identifiers, we insert the encoded $\mathsf{PID}$, the EC group ID and auxiliary information into it. We implement Protocol 3 with the BouncyCastle library and OpenSSL (https://www.bouncycastle.org/ and https://www.openssl.org/, accessed on 8 September 2022) on the server, which runs Ubuntu 18.04.6 on 11th Gen Intel(R) Core(TM) i7-1165G7 @ 2.80 GHz CPU with 16.0 GB RAM. Each client node is emulated with mbedTLS (https://github.com/Mbed-TLS/mbedtls) (accessed on 9 September 2022) on a STM32F107VCT6 (https://www.st.com/resource/en/datasheet/stm32f107vc.pdf) (accessed on 4 December 2023) board with 32-bit MCU and 64/256 KB Flash, which corresponds to a Class 2 constrained device [7]. For a fair comparison, we use the widely deployed EC curve NIST P-256 and a two-level certificate chain, i.e., the direct issuer of TLS certificates is trusted by both TLS peers.

6.2. Results

6.2.1. Computational Cost

Besides using absolute time, we measured the time consumption for the elementary functions with the base-point multiplication as a unit. We consider only the point multiplication, signature signing and verification to be elementary operations. Here, the cost of point addition, arithmetic operations and hash functions are ignored, as they are relatively negligible compared to the above operations.

We use ${\mathsf{t}}_{\mathsf{BPM}}$ to denote the time for computing one base point multiplication (BPM) and use ${\mathsf{t}}_{\mathsf{BPM}}$ as a unit.

• A non-base point multiplication (PM) costs 6 ${\mathsf{t}}_{\mathsf{BPM}}$. This difference comes from the optimization of base-point multiplication [39].

• A signing costs 2.5 ${\mathsf{t}}_{\mathsf{BPM}}$ and verification 8.5 ${\mathsf{t}}_{\mathsf{BPM}}$. This 6 ${\mathsf{t}}_{\mathsf{BPM}}$ difference comes exactly from the extra non-base point multiplication in the verification. Signing with ECDSA also needs extra operations in the integer group, so it is slower (2.5 ${\mathsf{t}}_{\mathsf{BPM}}$) than a simple base-point multiplication (1 ${\mathsf{t}}_{\mathsf{BPM}}$).

While the TLS with certificates needs $26.5 {\mathsf{t}}_{\mathsf{BPM}}$, this work needs only $19 {\mathsf{t}}_{\mathsf{BPM}}$, saving at least 28% local computation time for the cryptographic core. Details are provided in Table 4.

6.2.2. Communication Cost

In this part, we compare the communication cost between this work and TLS-DHE. We measure the communicated messages using the tool Wireshark (https://www.wireshark.org/) (accessed on 8 September 2022), and count the size of all TLS handshake messages (see Table 5). For one full handshake, TLS-DHE consumes about 2430 bytes, while this work consumes only about 840 bytes. That means our work reduces 65% of the payload.

6.2.3. Resource Consumption on the Constrained Client

The execution time is 2.09 s for Protocol 3 in the LAN setting (1 Gbps with 0.1 ms latency), saving 70% of the time compared to TLS-DHE with certificates.

Meanwhile, it is 13.8 KB for TLS-DHE, the maximal RAM consumption during key registration and Protocol 3 is 4.09 KB, making a considerable 70% reduction in RAM consumption. Whereas TLS-DHE consumes more than 150 KB, the binary of Protocol 3 consumes 48.32 KB in maximum in flash, i.e., a good reduction of 67% in storage can also be seen.

7. Conclusions and Future Work

Without using bilinear pairings, we construct practical certificate-less signature, key registration, and authenticated key exchange protocols with integration to TLS. To the best of our knowledge, our AKE protocols have the lowest number of point-multiplication among DH-based CL-AKE, while enjoying strong security in the eCK model.

We believe that the construction of practical post-quantum-secure CL-AKE can be pursued as meaningful future work, to design general compilers that can transform CL-SIG with two-way-reconstructable PK to CL-AKE, and to analyze the possible equivalence of game-based and universally composable security formalization [4].

Footnotes

Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.

Enlarge this image.

Figure 1. Construction 1, the pairing-free CL-SIG-TRK construction [Forumla omitted. See PDF.]. Capital letters, such as A, B and T, represent EC group elements (points). Lowercase letters, such as a, b and s, represent integers in [Forumla omitted. See PDF.].

Enlarge this image.

Figure 2. Protocol 3: Three-pass certificate-less AKE with mutual authentication.

Enlarge this image.

Figure 3. Protocol 2, client key pair registration with [Forumla omitted. See PDF.].

Appendix A. Proof of EUF-CMA Security of ${\Pi }_{\mathsf{CL}-\mathsf{SIG}}$

Appendix A.1. Multiple-Forking Lemma

We recall the multiple-forking lemma introduced by Boldyreva et al. [35].

Lemma A1 

(Multiple-Forking Lemma, Lemma C.5 in [35]). Let $\alpha \in {\mathbb{Z}}^{+}$ be a fixed integer. Let $n\ge 1$ be an odd integer and S a set with no less than two elements. Let $\mathcal{B}\left(\right):{\{0,1\}}^{*}\times S^{\alpha }\to {\mathbb{Z}}^2\times {\{0,1\}}^{*}$, $(x,(s_1,\cdots ,s_{\alpha }))\mapsto (I,J,\Sigma )$ be a randomized algorithm, where I and J are integers with $0\le J\le I\le \alpha$. The multiple-forking algorithm ${\mathcal{MF}}_{\mathcal{B},n}$ associated to $\mathcal{B}$ and n is defined as in Figure A1 where $x\in {\{0,1\}}^{*}$.

Let $\mathsf{IGen}$ be a non-deterministic algorithm that takes no input and returns a binary string. Let $$\begin{array}{cc}\hfill \mathsf{accMf}=Pr[& I\ge 1,J\ge 1:x\stackrel{\$}{\leftarrow }\mathsf{IGen};(s_1,\cdots ,s_{\alpha })\stackrel{\$}{\leftarrow }{S}^{\alpha };\hfill \\ \hfill & (I,J,\Sigma )\stackrel{\$}{\leftarrow }\mathcal{B}\left((x,(s_1,\cdots ,s_{\alpha }))\right);]\hfill \\ \hfill \mathsf{frkMf}=Pr[& b=1:x\stackrel{\$}{\leftarrow }\mathsf{IGen};(b,\mathsf{RessultMF})\stackrel{\$}{\leftarrow }{\mathcal{MF}}_{\mathcal{B},n}\left(x\right)]\hfill \end{array}$$

Then (A1) $$\begin{array}{cc}\hfill \mathsf{frkMf}& \ge \mathsf{accMf}·\left(\frac{{\mathsf{accMf}}^n}{{\alpha }^{2n}}-\frac{n}{\left|S\right|}\right)\hfill \end{array}$$ (A2) $$\begin{array}{cc}\hfill \mathsf{accMf}& \le \sqrt[n+1]{{\alpha }^{2n}·\mathsf{frkMf}}+\sqrt[n+1]{\frac{n·{\alpha }^{2n}}{\left|S\right|}}\hfill \end{array}$$

This lemma allows forks to happen at two distinct positions I and J. When $n=1$, this lemma collapses to the generalized forking lemma [40], allowing forking at only one position.

Enlarge this image.

Figure A1. The multiple-forking algorithm [Forumla omitted. See PDF.] associated to [Forumla omitted. See PDF.] in Lemma A1. We use [Forumla omitted. See PDF.] in the proof of Lemma A2.