SPECIAL SECTION ON TRUSTED COMPUTING

Received October 24, 2017, accepted November 17, 2017, date of publication November 21, 2017,
date of current version December 22, 2017.
Digital Object Identifier 10.1109/ACCESS.2017.2776160

Provably Leakage-Resilient Password-Based

Authenticated Key Exchange in
the Standard Model
OU RUAN 1, JING CHEN2 , AND MINGWU ZHANG1
1 School of Computer Science, Hubei University of Technology, Wuhan 430068, China
2 School of Computer Science, Wuhan University, Wuhan 430072, China

Corresponding author: Ou Ruan ([email protected])

This work was supported in part by the Educational Commission of Hubei Province of China under Grant D20151401, in part by the
Natural Science Foundation of Hubei Province of China under Grant 2017CFB596, and in part by the Green Industry Technology Leading
Project of Hubei University of Technology under Grant ZZTS2017006.

ABSTRACT The password-based authenticated key exchange (PAKE) protocol is one of most practical
cryptographic primitives for trusted computing, which is used to securely authenticate devices’ identities and
generate shared session keys among devices in insecure environments by using a short, human-memorable
password. With the fast development of the Internet of Things (IoT), new challenges regarding PAKE have
emerged. The traditional PAKE protocols are completely insecure in IoT environments, since there are many
kinds of side-channel attacks. Therefore, it is very important to model and design leakage-resilient (LR)
PAKE protocols. However, there has been no prior work on modeling and constructing LR PAKE protocols.
In this paper, we first formalize an LR eCK security model for PAKE based on the eCK-secure PAKE
model and the only computation leakage model. Then, we propose the first LR PAKE protocol by using
Diffie–Hellman key exchange, LR storage (LRS) and LR refreshing of LRS appropriately and formally
present a security proof in the standard model.

INDEX TERMS Leakage-resilience, password-based authenticated key exchange, side-channel attacks,

trusted computing, internet of things.

I. INTRODUCTION authentication and session key generation for IoT devices.

Trusted computing (TC) is a very important technology,
which aims to enhance the overall security, privacy and
trustworthiness of a variety of computing devices. Trustwor-
thy software assurance, trusted execution environment and
trusted collaboration are hot research fields of TC. Estab-
lishing and protecting device identity by trustworthy soft-
ware assurance make up one of the fundamental security
requirements of TC. Authenticated key exchange (AKE) pro-
tocols [1] provide a good solution for identity authentica-
tion, which can securely authenticate device identity and
generate a shared session key among devices in an insecure
environment. With the fast development of the Internet of
Things (IoT), new challenges regarding TC have emerged.
There are many IoT devices that vary widely in their cost,
usage, and capabilities. For the trusted execution environ-
ment, IoT devices should have the ability to perform mutual
authentication with IoT services or with other IoT devices [2].
AKE is one of main technologies for performing mutual
For example, Hsu et al. [3] designed an AKE protocol
for wearable devices in IoT environments. Among AKEs,
the password-based AKE (PAKE) protocols are most widely
used since no additional device is required, just a human-
memorable password for authenticating the parties. The con-
cept of PAKE was introduced by Bellovin and Merritt [4].
The first provably secure PAKE protocols were proposed by
Bellare et al. [5] and MacKenzie et al. [6]; they formally
proved the security in the random oracle (RO) model. Then,
Byun et al. [7] and Mohammad and Mahmoud [8] improved
and generalized the constructions of PAKE in the RO model.
In 2006, the first provably secure PAKE protocol in the
standard model was shown by Goldreich and Lindell [9], and
then [10]–[13] showed efficient constructions for PAKE pro-
tocols in the standard model. In 2012, Wen et al. [14] intro-
duced a three-party password-authenticated multiple key
exchange protocol. Subsequently, Tsai et al. [15] made some
improvements to [14]. However, Luo et al. [16] demonstrated

2169-3536
2017 IEEE. Translations and content mining are permitted for academic research only.
26832 Personal use is also permitted, but republication/redistribution requires IEEE permission. VOLUME 5, 2017
See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
O. Ruan et al.: Provably LR PAKE in the Standard Model
off-line password guessing attacks against both protocols.
Recently, Ruan et al. [17] designed an explicit PAKE protocol
with mutual key confirmation and gave a formal security
proof; Yi [18] et al. presented a two-server PAKE proto-
col, in which two servers know only partial information
about the client’s password, but can cooperate to authenti-
cate the client’s identity; Islam [19], Amin and Biswas [20]
and Lu [21] designed three-party/multi-party PAKE pro-
tocols with formal security proofs; Nam et al. [22] and
Guo et al. [23] proposed provably secure group PAKE
protocols.
Computations or communications of IoT devices emit
signals known as ‘‘side channels’’, such as electromagnetic
emissions and power consumption. Most IoT devices are
exposed to the public outside, and an attacker can overcome
the security protections by measuring these signals, which
are called side-channel attacks [24]. Traditional PAKEs are
completely insecure in leakage environments. Moreover, the
technologies of side channel attacks are developing, and
new attack methods may appear at any moment. Thus, it is
impossible to consider all types of side-channel attacks in
the hardware design of IoT devices. Furthermore, we know
that current TC technologies focus on establishing trust, but
how to maintain trust in dynamically changing environments
has not been deeply studied. Thus, to resist side-channel
attacks and provide trustworthy software assurance, it is very
important to model and design leakage-resilient (LR) AKE
protocols.
The first LR security model for AKEs was introduced by
Moriyama and Okamoto [25] and is called the MO model.
The MO model was based on the eCK security model [26],
which is an extension of the CK security model [27]. The
adversary of the eCK security model has more power than the
CK model and can access both the long-term secret key and
the ephemeral secret randomness of the test session. The cen-
tral limitation of the MO model is that the leakages are only
allowed until the adversary learns the challenge. Leakage that
occurs after the adversary learns the challenge is called after-
the-fact (AF) leakage. The first AFLR CK security model
and the first continuous AFLR (CAFLR) AKE protocol were
introduced by Alawatugoda et al. [28]. Then, the first AFLR
eCK security model and the first bounded AFLR (BAFLR)
AKE protocol were proposed by Alawatugoda et al. [29], and
the first CAFLR eCK-secure AKE protocol was introduced
by Alawatugoda et al. [30]. In 2016, Chen et al. [31] first
considered leakage attacks on both the long-term secret pri-
vate key and the ephemeral secret randomness, and proposed
a one-round AFLR AKE protocol under this strong security
model. In 2017, the first ID-based BAFLR AKE protocol was
introduced by Ruan et al. [32]. Recently, Toorani [33] demon-
strated an ephemeral key compromise impersonation (KCI)
attack on the construction of [28]; Yang and Li [34] also
showed that the construction of [29] was insecure against KCI
attacks and the proofs of Case 2 (the adversary is active) were
incorrectly reduced to the Decision Diffie-Hellman (DDH)
assumption, and then they improved the construction and
VOLUME 5, 2017
formally showed the security proof under the Gap Diffie-
Hellman (GDH) assumption in the RO model.
In this paper, we formalize the LR eCK security model
for PAKE and propose an LR PAKE protocol that is based
on the key derivation function (KDF) [35], leakage-resilient
storage (LRS) [36] and leakage-resilient refreshing of LRS.
Then, we give the detailed formal security proof. The main
contributions are as follows:
• First, we first formalize an LR eCK security model
for PAKE by combining the eCK security PAKE
model and the only computation leakage (OCL) model
appropriately.
• Second, we propose the first LR PAKE protocol by using
Diffie-Hellman key exchange and the Dziembowski-
Faust (DF) LRS (DF-LRS) scheme [37] properly.
Our protocol is more efficient than other LR AKE
protocols.
• Third, based on game simulation techniques, we show
a formal security proof in the standard model under
a stronger security model, namely, the λ-CAFLR eCK
security model, in which the leakages are continuous and
are allowed after the adversary selects the test session.
In the model, the total leakage size may be infinitely
large, and for each protocol instance, the amount of
leakage is bounded by λ.
The remainder of this paper is organized as follows.
In Section 2, we review the primitives that are used.
In Section 3, we describe the CAFLR eCK security model
of PAKE. In Section 4, we present the proposed protocol
and analyse the provable security, performance comparison
and leakage tolerance. Finally, in Section 5, we conclude the
paper.
Compared with the conference version [38], there are
four significant improvements in this paper. First, we for-
mally give the detailed security proof in the standard model.
Second, we analyse the leakage tolerance of our pro-
posed protocol. Third, we complement the LR eCK secu-
rity model for PAKE with a graphical framework of the
security game. Finally, we present the primitives that are
used and analyse why they are needed and how they are
used.
II. PRELIMINARIES
In this section, we address the primitives that are used, such
as the DDH assumption, KDF, LRS and leakage-resilient
refreshing of LRS.
$
Notation: Let s ←− S denote that s is a uniform value that
is selected from a finite set Sat random and let κ and λ denote
the system security parameter and the leakage parameter,
respectively.
Definition 1 (Negligible Function): A negligible function
ε(κ) is a function N → R such that for each positive integer
c ≥ 0, there exists an integer kc such that ε(κ) < k −c for all
k ≥ kc .
Definition 2 (DDH Assumption): We define a distinguish-
ing game as follows:
26833
 O. Ruan et al.: Provably LR PAKE in the Standard Model

(1) A challenger C generates a cyclic multiplicative group I. Correctness of the leakage-resilient refreshing.
G with a large prime order p, picks a generator g at $
For every s ←− M ,
random, and then sends (G, g) to an adversary A.
$ Decode(s0L × s0R ) = Decode(sL × sR ).
(2) C picks a bit b ←− (0, 1) and three elements
$
x, y, z ←− Zp∗ at random. If b = 0, C sends II. (λRefresh , λ)-security of the leakage-resilient refreshing.
(gx , gy , gxy ) to A; otherwise, A is given (gx , gy , gz ). We define a distinguishing game as follows:
0
(3) A outputs his guessed bit b0 . A wins if b = b. $
(1) A chooses two random messages (s0 , s1 ) ←− M and
DDH assumption is satisfied if sends (s0 , s1 ) to C.
$
AdvDDH (A) = | Pr[b0 = b] − 1/2| = ε(κ), (2) C picks a bit b ←− (0, 1) at random and calculates

where AdvDDH (A) denotes the advantage of A in the distin- Encode(sb ) = sLb × sRb .
guishing game and ε(κ) is a negligible function. (3) For i = 1, · · · , t, C runs the ith round refresh-
Definition 3 (λ-Leakage-Resilient Storage): An λ-LRS ing protocol, Refresh(si−1 i−1 i i
bL × sbR ) = sbL × sbR ,
consists of a pair of algorithms (Encode, Decode) and a th
A selects the i round leakage functions fRefresh-i =
bounded leakage parameter λ = (λ1 , λ2 ). L
(fRefresh-i , fRefresh-i
R ) and sends it to C, and C returns
Encode: Encode(s) = sL ×sR is a randomized and efficient
the leakages (fRefresh-i (sibL ), fRefresh-i
L R (sibR )) to A, where
probabilistic polynomial time (PPT) algorithm, where s is an
element that is chosen from the message space M and sL × sR fRefresh-i (sbL ) ≤ λRefresh1 ∧ fRefresh-i (sibR ) ≤ λRefresh2
L i R

is the encoded output element in the encoding space L × R. should hold.

0
Decode: Decode(sL × sR ) = s is a deterministic and (4) A outputs his guessed bit b0 . A wins if b = b.
efficient PPT algorithm. An (λRefresh , λ) leakage-resilient refreshing is secure if the
An λ-LRS should satisfy the following two properties: following holds:
$
I. Correctness of the LRS. For every s ←− M, AdvRefresh−LRS (A) = ε(κ),
Decode(Encode(s)) = s.
where AdvRefresh−LRS (A) denotes the advantage of A in dis-
II. Security of the LRS.
tinguishing the above security game and ε(κ) is a negligible
We define a distinguishing game as follows: function.
$
(1) A chooses two random messages (s0 , s1 ) ←− M and Definition 5 (DF-LRS Scheme): The DF-LRS Scheme [37]
sends (s0 , s1 ) to C. is an LRS that efficiently stores a secret value s ∈ (Zp∗ )m with
$
(2) C picks a bit b ←− (0, 1) at random and calculates any m ∈ N , where p is a large prime. We denote it as 8Zn,m ∗ .
p
$
Encode(sb ) = sLb × sRb . Encode: Pick sL ←− (Zp∗ )n \{(0n )} at random, compute
sR ∈ (Zp∗ )n×m such that sL × sR = s, where n ∈ N , and then
(3) For i = 1, · · · , t, A selects leakage functions f = output (sL , sR ).
(fiL , fiR ) and sends it to C and C returns the leak- Decode: Output s such that s = sL × sR .
ages (fiL (sLb ), fiR (sRb )) back to A. The total leakage size Lemma 6 [37]: The scheme that is defined in Defini-
t
should be bounded by (λ1 , λ2 ), i.e.,
P
fiL (sLb ) ≤ λ1 ∧ tion 5 is an λ-secure LRS scheme if 20m < n, where
i=1 λ = (0.3nlog p, 0.3nlog p).
t Lemma 7 [37]: If 8n,m Zp∗ is an λ-secure DF-LRS scheme
fiR (sRb ) ≤ λ2 .
P
i=1 and m/3 ≤ n ∧ n ≥ 16, there is an (λ/2, λ)-secure leakage-
resilient refreshing Refreshn,m n,m
0
(4) A outputs his guessed bit b0 . A wins if b = b. Zp∗ for 8Zp∗ .
The λ-LRS is secure if the following holds: Definition 8 (Key Derivation Function): A KDF is a
function key ← KDF(σ, `, r, c) that can generate a cryp-
AdvLRS (A) = ε(κ), tographically strong secret key efficiently, where σ is the
where AdvLRS (A) represents the advantage of A in the source material of the secret key and ` denotes some public
distinguishing security game and ε(κ) is a negligible knowledge about σ such as its length, r represents a salt value
function. and c denotes a context variable.
Definition 4 ((λRefresh , λ)-Leakage-Resilient Refreshing of Definition 9 (Security of KDF): We define a distinguishing
the LRS): A leakage-resilient refreshing is a PPT algorithm game as follows:
Refresh with an λ-LRS (Encode,Decode), a secret s and a (1) C picks (σ, `) and a salt value r at random, and then
bounded leakage amount λRefresh = (λRefresh1 , λRefresh2 ). gives (`, r) to A.
Refresh: Refresh(sL × sR ) = s0L × s0R where sL × sR is the (2) A chooses a value c at random, and then gives it to C.
$
encoding value of the secret s. (3) C selects a random bit b ←− (0, 1). If b = 0, C
A leakage-resilient refreshing of an λ-LRS should satisfy calculates key ← KDF(σ, `, r, c) and gives it to A;
the following two properties: otherwise, C picks a string s at random and gives it to

26834 VOLUME 5, 2017

O. Ruan et al.: Provably LR PAKE in the Standard Model
A, where the length of s is the same as the length of
key ← KDF(σ, `, r, c).
0
(4) A outputs his guessed bit b0 . A wins if b = b.
A KDF is secure if the following holds:
AdvKDF (A) = ε(κ),
where AdvKDF (A) denotes the advantage of A in the distin-
guishing security game and ε(κ) is a negligible function.
III. THE λ-CAFLR eCK SECURITY MODEL FOR PAKE
Based on the eCK security PAKE model and the OCL model,
we define the λ-CAFLR eCK security model for PAKE in
this section, where leakage attacks are modelled as leakage
functions that are defined in Send queries. A can learn the
leakages of the long-term secret password by asking Send
queries with leakage functions that are chosen by him. The
new model has three main properties: First, we suppose that
only the calculations will lead to leakages of the long-term
shared secret password pw. Second, in each instance of the
protocol, the total leakage size of the secret password is
limited to λ. A can perform leakage attacks by asking Send
queries with the leakage functions f = (f1 , . . . , fn ), which
are chosen adaptively by him, and get back the leakages of
pw. However, we require that the total leakage amount is
n In our security model, the total leakage size of the secret pass-
limited to λ for each instance, i.e., |fi (pw)| ≤ λ. Third,
P
i=1
A can continuously carry out the leakage attacks instance
by instance and learn an infinitely large amount of leakage
information about the secret password.
A. ADVERSARIAL POWERS
In our model, two parties, who are denoted as U and V , run
the PAKE protocol together to obtain a secure shared key. We
define the following notations.
Session is used to represent a protocol instance.
Principal is used to denote a party of a session. A principal
may be involved in multiple different sessions that may be
executed concurrently.
Oracle(5sU ,V ) is used to represent the sth session with
principals U and V , of which U is the owner principal and
V is the intended partner principal.
Initiator is used to represent the principal who activates a
session.
Responder is used to represent the principal who responds
to the initiator.
In our model, the adversary A is active, adaptive and
malicious, interacts with any oracles and performs attacks.
We model the adversarial capabilities by the following
queries.
Send(U, V, s, m, f ) query: this query models A’s abilities
to execute the protocol and carry out the leakage attacks. The
adversary A sends a Send(U, V, s, m, f ) query to the oracle
5sU ,V in the sth session, where m is a protocol message and
f is a leakage function. Then, A gets back a normal protocol
message and the leakage f (pw) of the long-term password,
which are produced by the oracle 5sU ,V based on the protocol
VOLUME 5, 2017
specifications and f . A can use this query to run a proto-
col or activate a new protocol instance as an initiator with
blank m and f .
RevealSessionKey(U, V, s) query: this query models A’s
capability to learn the sth session key. The adversary A sends
this query to the oracle 5sU ,V in the sth session. Then, A gets
back the sth session key from 5sU ,V .
RevealEphemeralKey(U, V, s) query: this query models
A’s capability to learn ephemeral keys of the sth session. The
adversary A sends this query to the oracle 5sU ,V in the sth
session. Then, A gets back the sth ephemeral keys of 5sU ,V .
RevealPassword() query: this query models A’s capability
to learn the principals’ shared password. The adversary A
sends this query to any oracle in any session. Then, A gets
back the long-term shared secret password pw.
Test(U , s) query: this query is different from all of the
above queries, as it is only used to specify the security
definition of our model. Upon receiving this query from the
$
adversary A, the challenger C chooses a bit b ←− (0, 1) at
random. If b = 1, then C sends the actual session key to A,
while a random string is given to A. A can issue this query
only once across all sessions.
B. λ-CAFLR eCK SECURITY MODEL
word for each instance is bounded by the leakage parameter
n
λ, i.e.,
P
|fi (pw)| ≤ λ.
i=1
Definition 10 (Partner in λ-CAFLR eCK Security Model):
0
Two oracles 5sU ,V and 5sU 0 ,V 0 are partners if they have the
following properties:
0
(1) 5sU ,V and 5sU 0 ,V 0 have received the same session keys;
(2) The messages that are sent from 5sU ,V are the same as
0
the messages that are received by 5sU 0 ,V 0 ;
0
(3) The messages that are sent from 5sU 0 ,V 0 are the same as
the messages that are received by 5sU ,V ;
(4) U = V 0 and V = U 0 ;
(5) There are an initiator and a responder of two principals
U and V .
Definition 11 (λ-C AFLR-eCK-Freshness): Assume f =
(f1 , . . . , fn ) denotes n PPT leakage functions for a certain
protocol instance that is chosen by the adversary A arbitrarily.
An oracle 5sU ,V is λ-CAFLR-eCK-fresh if the followings
hold:
(1) RevealSessionKey queries have not been asked by the
0
oracle 5sU ,V or its partner, 5sV ,U (if it exists).
0
(2) If the partner 5sV ,U exists, neither of the following
combinations has been queried:
(a) RevealPassword() and RevealEphemeralKey(U,
V, s);
(b) RevealPassword() and RevealEphemeralKey(V,
0
U,s ).
0
(3) If the partner 5sV ,U does not exist, A cannot ask the
RevealPassword() query.
26835

n
|fi (pw)| ≤ λ.
P
(4) For all Send(., U , ., ., fi ) queries,
i=1
n
(5) For all Send(., V , ., ., fi ) queries,
P
|fi (pw)| ≤ λ.
i=1
C. SECURITY DEFINITION
This section formalizes the security definition of the
λ-CAFLR eCK model.
FIGURE 1. The Security Game of λ-CAFLR eCK-Secure PAKE.
Definition 12 (λ -CAFLR eCK Security Game): The λ -
CAFLR eCK security game is shown in Fig. 1, which is run
by the protocol challenger C with a PPT adversary A:
(1) A asks any of the Send, RevealSessionKey, RevealE-
phemeralKey and RevealPassword queries to any
oracle.
(2) A chooses an λ-CAFLR-eCK-fresh oracle and asks
a Test query. Upon receiving a Test query, C selects
$
a random bit b ←− (0, 1). If b = 1, then sends
the actual session key to A, while a random string is
given to A.
(3) A continues asking Send, RevealSessionKey, RevealE-
phemeralKey and RevealPassword queries. All these
queries should satisfy the λ-CAFLR-eCK-freshness of
the chosen oracle.
0
(4) At last, A outputs his guessed bit b0 . A wins if b = b.
Definition 13 (λ-CAFLR eCK Security): Let
Advλ−CAFLReCK
PAKE be the advantage of A in the λ-CAFLR eCK
security game that is defined in Definition 12. λ-CAFLR eCK
security means that
Advλ−CAFLReCK = | Pr[b0 = b] − 1/2| = NS /N + ε(κ),
PAKE
where NS is the number of sessions, N denotes the size
of the password dictionary, and ε(κ) represents a negligible
function.
In other words, a PAKE protocol is λ-CAFLR eCK-secure
if there is no PPT adversary who can win the above secu-
rity game with an advantage of more than NS /N . In PAKE
26836
O. Ruan et al.: Provably LR PAKE in the Standard Model
protocols, on-line dictionary attacks are unavoidable, and
NS /N represents the success probability of on-line dictio-
nary attacks. However, this attacks can be limited by some
kind of strategy, for example, by disallowing further attempts
after a certain number of failed attempts to the correct
password.
IV. A NEW λ-CAFLR ECK-SECURE PAKE PROTOCOL
In this section, we formally present our λ-CAFLR
eCK-secure PAKE protocol and its detailed security proof
in the standard model.
A. THE PROPOSED PROTOCOL
1) OVERVIEW OF THE PROPOSED PROTOCOL
There are three main stages:
• Initially, we map the password pw to a random element
s of a group G using a one-way collision-free hash
function H, and then encode s using an LRS scheme.
This approach can resist leakage attacks on the shared
secret password. However, determining how to use the
encodings of the shared password to achieve authenti-
cation and obtain a secure session key becomes a big
challenge.
• Then, we use the encodings of the shared password
to achieve authentication and obtain a secure session
key by combining Diffie-Hellman key exchange and
the DF-LRS scheme appropriately. This method gives
a good solution to the above challenge. The important
observations are as follows: (1) Two primitives can share
a common group G with a big prime order p; (2) In the
DF-LRS scheme, (gsL )sR = gsL ·sR = gs since s = sL ·sR ,
where g is a generator of G, s denotes the secret mapping
element, and (sL , sR ) represents two encodings of the
DF-LRS scheme.
• Finally, since there is an efficient leakage-resilient
refreshing protocol for the DF-LRS scheme, we can
refresh two encodings of s after using them in the end
of the protocol. Thus, our construction is secure against
continuous leakage attacks.
2) DETAILS OF THE PROPOSED PROTOCOL
Fig. 2 illustrates the proposed protocol, which includes the
following two stages.
a: THE INITIAL SETUP STAGE
Users U and V first map the shared secret password to a
random element of the group G, sUV = H (pwUV ). We assume
that this computation is executed in secret and leakage attacks
are not allowed. Then, U runs an λ-secure DF-LRS scheme
8n,1 0 $ ∗ n n
Z ∗ , picks aL ←− (Zp ) \{(0 )} at random and generates
p
a0R ∈ (Zp∗ )n×1 such that a0L · a0R = sUV ; V also chooses
$
b0L ←− (Zp∗ )n \{(0n )} at random and computes b0R ∈ (Zp∗ )n×1
such that b0L · b0R = sUV .
VOLUME 5, 2017
O. Ruan et al.: Provably LR PAKE in the Standard Model

b: THE PROTOCOL EXECUTION STAGE

j
Step 1. User U calculates YU = gxU and TU 1 = (YU )aL ,
$
where xU ←− Zp∗ is a random number, and then sends
(U , TU 1 ) to user V.
Step 2. Upon receiving (U, TU 1 ), V calculates YV =
j $
gxV , TU 2 = (TU 1 )xV and TV 1 = (YV )bL , where xV ←− Zp∗ is
a random number, and then sends (V, TU 2 , TV 1 ) to U.
Step 3. Upon receiving (V, TU 2 , TV 1 ), U calculates TV 2 =
j
(TV 1 )xU and sends it to V. Finally, U calculates TU = (TU 2 )aR
and kUV = KDF(U, V , TU ), and refreshes the stored pieces
with
j+1 j+1 j j
(aL , aR ) ← Refreshn,1 Z ∗ (aL , aR ).
p

Step 4. Upon receiving (U, TV2 ), V calculates TV =

j
(TV 2 )bR and kUV = KDF(U, V , TV ), and refreshes the stored
pieces with
j+1 j+1 j j
(bL , bR ) ← Refreshn,1
Zp∗ (bL , bR ).
Correctness of the proposed protocol.
From
j j xV j FIGURE 2. The λ-CAFLR eCK-Secure PAKE Protocol.
TU = (TU 2 )aR = (((gxU )aL ) )aR
j j
j j aL ·aR and AdvRefresh−LRS be advantages of A against the security of
= (((gxU )xV )aL )aR = ((gxU )xV ) the DDH assumption, KDF and leakage-resilient refreshing
j j
= ((gxU )xV )sUV = (((gxU )xV )bL )bR of LRS, respectively. Then
j j
= (((gxV )bL )xU )bR λ−CAFLReCK
AdvPAKE ≤ NS /N + NP2 NS2 (AdvDDH
j j
bL xU bR
= (((YV ) ) ) + AdvRefresh−LRS + AdvKDF ),
j
bR
= (TV 2 ) = TV where NP is the number of protocol principals, NS denotes
the number of sessions on a principal, and N represents the
size of the password dictionary.
it follows that Proof: The proof can be divided into the following two
⇒ KDF(U, V , TU ) = KDF(U, V , TV ). main cases.
Case 1 (A Partner Session to the Test Session Exists):
Therefore, the proposed protocol is correct. In this case, the adversary A may obtain the principals’
long-term shared secret password pwUV by the RevealPass-
B. MUTUAL AUTHENTICATION word query. Let Advλ−CAFLReCK
PAKE be the advantage of A in the
In our protocol, we can add mutual authentication con- λ-CAFLR eCK security game. We split this case into two sub-
veniently. To do this, we can introduce an authenticator cases as follows:
structure KDF(U, V , kUV ), where kUV = KDF(U , V , TV ). (1) A asks a RevealPassword query. In this case, A can
At the end of the protocol, users U and V each calculate learn the principals’ long-term shared secret password. To not
the authenticator Auth = KDF(U, V , kUV ) and send Auth violate the λ-CAFLR-eCK-freshness of the chosen session,
to the other user. Then, each user can identify the other’s A cannot ask RevealEphemeralKey query to learn random
identity by checking whether the received authenticator Auth ephemeral keys of the owner or partner principals to the
is equal to KDF(U, V , kUV ). When we give our security chosen session.
proof, we will not consider the security of mutual authentica- (2) A doesn’t ask a RevealPassword query. In this case, A
tion because this authenticator transformation preserves the cannot obtain the long-term shared secret password, but can
indistinguishability security of the original protocol. learn random ephemeral keys of the owner and his partner to
the chosen session.
C. SECURITY PROOF Case 1.1 (A Asks a RevealPassword Query):
Our CAFLR PAKE protocol is eCK-secure if the DDH prob- In this case, the adversary A can obtain the principals’ long-
lem is hard and the leakage-resilient refreshing of LRS and term shared secret password pwUV by the RevealPassword
KDF is secure. query and learn sUV = H (pwUV ). Thus, leakage attacks do
Theorem 14: Let Advλ−CAFLReCK
PAKE represent the advan- not need to be considered. To not violate the λ-CAFLR-eCK-
tage of a PPT adversary A against the λ -CAFLR eCK- freshness of the chosen session, A cannot obtain any of the
security of the proposed protocol, and let AdvDDH , AdvKDF principals’ ephemeral keys to the chosen session.

VOLUME 5, 2017 26837


Game 1: This game is the original λ-CAFLR eCK security
game that is defined in Definition 12.
Game 2: Game 2 has the following differences from
Game 1: First, the adversaryA picks two random distinct prin-
$
cipals U ∗ , V ∗ ←− {U1 , . . . , UNp } and two random numbers
$
s∗ , t ∗ ←− {1, . . . , Ns }, where NP denotes the number of
principals and NS represents the number of sessions on a
principal. Second, A activates the security game and chooses
∗ ∗
5sU ∗ ,V ∗ as the target oracle and 5tV ∗ ,U ∗ as the partner oracle.
∗ Game 3; otherwise, it’s the same as Game 4. (2) B outputs
If the test oracle is not 5sU ∗ ,V ∗ or the partner oracle is not
∗ the bit that A outputs.
5tV ∗ ,U ∗ , the Game 2 challenger stops and exits the game.
Game 3: Game 3 has the following differences from
$
Game 2: The Game 3 challenger C picks z ←− Zp∗
at random and calculates sU∗V ∗ = H (pwU ∗ V ∗ ) and
kU ∗ V ∗ = KDF(UU ∗ , UV ∗ , (gsU ∗ V ∗ )z ). After receiving a
Test(U ∗ , V ∗ , s∗ ) query from A, C gives kU ∗ V ∗ to A. In addi-
tion, after receiving a Test(V ∗ , U ∗ , t ∗ ) query, C sends the
∗
same kU ∗ V ∗ to A, since there is a partner session 5tV ∗ ,U ∗ .
Game 4: Game 4 has the following differences from
Game 3: The Game 4 challenger C selects a random value
$
kU ∗ V ∗ ←− {0, 1}k . Then, after receiving a Test(U ∗ , V ∗ , s∗ )
query or Test(V ∗ , U ∗ , t ∗ ) query from A, C gives kU ∗ V ∗ to A.
Differences Between Games: We analyse the indistin-
guishability of each game t from its previous game t-1. Let
AdvGamet (A) be the advantage of A in Game t.
Game 1:
AdvGame1 (A) = Advλ−CAFLReCK
PAKE (I)
Game 1 and Game 2: Game 1 and Game 2 are the same if the
target oracle and the partner oracle are chosen byA correctly.
The probability of A choosing a correct test oracle and its
correct partner is 1/NP2 NS2 . Therefore,
AdvGame2 (A) = 1/NP2 NS2 AdvGame1 (A) (II)
Game 2 and Game 3: In Game 2, kU ∗ V ∗ = KDF(UU ∗ , UV ∗ ,
(gsU ∗ V ∗ )xU ∗ ·xV ∗ ), while kU ∗ V ∗ = KDF(UU ∗ , UV ∗ , (gsU ∗ V ∗ )z )
in Game 3. Assume A outputs a bit b to distinguish
between Game 2 and Game 3: b = 1 if Game 2 is
running; otherwise, b = 0. We design an algorithm
B against the DDH distinguishing game, which uses A
as a subroutine and runs as follows: (1) Upon receiv-
ing a message ((gsU ∗ V ∗ )xU ∗ , (gsU ∗ V ∗ )xV ∗ , (gsU ∗ V ∗ )xU ∗ ·xV ∗ ) or
((gsU ∗ V ∗ )xU ∗ , (gsU ∗ V ∗ )xV ∗ , (gsU ∗ V ∗ )z ) from the DDH chal-
lenger, B transfers it to A’schallenger, who uses it to generate
the response message to A’s challenge. If the received mes-
sage is ((gsU ∗ V ∗ )xU ∗ , (gsU ∗ V ∗ )xV ∗ , (gsU ∗ V ∗ )xU ∗ ·xV ∗ ), the simula-
tion is the same as Game 2; otherwise, it’s the same as Game
3. (2) B outputs the bit that A outputs.
If A can distinguish between Game 2 and Game 3, B wins
the DDH distinguishing game. Therefore,
|AdvGame2 (A) − AdvGame3 (A)| ≤ AdvDDH (III)
Game 3 and Game 4: In Game 3, kU ∗ V ∗ = KDF(UU ∗ , UV ∗ ,
$
(gsU ∗ V ∗ )z ), while in Game 4, kU ∗ V ∗ ←− {0, 1}k . Assume A
26838
O. Ruan et al.: Provably LR PAKE in the Standard Model
outputs a bit b to distinguish between Game 3 and Game 4:
b = 1 if Game 3 is running; otherwise, b = 0. We design
an algorithm B against the KDF distinguishing game, which
uses A as a subroutine and runs as follows: (1) Upon
receiving a message kU ∗ V ∗ = KDF(UU ∗ , UV ∗ , (gsU ∗ V ∗ )z )
$
or kU ∗ V ∗ ←− {0, 1}k from the KDF challenger, B trans-
fers it to A’s challenger, who uses it to generate the
answer message to A’s challenge. If the received message
is KDF(UU ∗ , UV ∗ , (gsU ∗ V ∗ )z ), the simulation is the same as
If A can distinguish between Game 3 and Game 4, B wins
the KDF distinguishing game. Therefore,
|AdvGame 3 (A) − AdvGame 4 (A)| ≤ AdvKDF (IV)
Game 4: A has no advantage in Game 4 because the session
∗
key kU ∗ V ∗ of 5sU ∗ ,V ∗ is picked at random and doesn’t depend
on any other values. Therefore,
AdvGame4 (A) = 0 (V)
Using equations (I)-(V), we obtain
λ−CAFLReCK
AdvPAKE ≤ NP2 NS2 (AdvDDH + AdvKDF ).
Case 1.2 (A Does Not Ask a RevealPassword Query):
For simplicity, we assume that the test oracle is an initiator.
Game 1: Same as Game 1 in Case 1.1.
Game 2: Same as Game 2 in Case 1.1.
Game 3: Game 3 has the following differences from
$
Game 2: Game 3 challenger C picks s ←− Zp∗ at random,
encodes (sL , sR ) = Encode(s), continues refreshing the two
encodings, and then uses the refreshed encodings of s to
simulate the answers to A’s leakage query function fRefresh =
L
(fRefresh , fRefresh
R ) of the principal U ∗ .
Game 4: Game 4 has the following differences from Game
$
3: Game 4 challenger C chooses a random element s0 ←−
Zp∗ and calculateskU ∗ V ∗ = KDF(UU ∗ , UV ∗ , (gxU ∗ ·xV ∗ )s ).
0
After receiving a Test(U ∗ , V ∗ , s∗ ) query from the adver-
sary A, C gives kU ∗ V ∗ to A. In addition, after receiving a
Test(V ∗ , U ∗ , t ∗ ) query, C also sends the same kU ∗ V ∗ to A,
∗
since there is a partner oracle 5tV ∗ ,U ∗ .
Game 5: Same as Game 4 in Case 1.1.
Differences Between Games:
Game 1:
AdvGame1 (A) = Advλ−CAFLReCK
PAKE (I)
Game 1 and Game 2: From Game 1 and Game 2 in Case 1.1.,
we get
AdvGame2 (A) = 1/NP2 NS2 AdvGame1 (A) (II)
Game 2 and Game 3: In Game 2, the leakage of the shared
password is the real leakage of sU∗V ∗ = H (pwU ∗ V ∗ ), while
the leakage in Game 3 is a leakage of a random value s.
Assume A outputs a bit b to distinguish between Game 2
and Game 3: b = 1 if Game 2 is running; otherwise, b =
0. We design an algorithm B against the leakage-resilient
VOLUME 5, 2017
O. Ruan et al.: Provably LR PAKE in the Standard Model

refreshing security distinguishing game, which uses A as a Game 4: Same as Game 3 in Case 1.2.
subroutine and runs as follows: (1) Upon receiving sU∗V ∗ or Game 5: Same as Game 4 in Case 1.2.
$ Game 6: Same as Game 5 in Case 1.2.
s ←− Zp∗ from the leakage-resilient refreshing challenger, B
transfers it to A’s challenger C. C uses it as the mapping group Differences Between Games:
element of the shared secret password, encodes it, continues Game 1:
refreshing two encodings, and then uses these encodings to AdvGame1 (A) = Advλ−CAFLReCK
PAKE (I)
simulate the answers to A’s Send queries with fRefresh =
L
(fRefresh , fRefresh
R ) of the principal U ∗ . If the received message Game 1 and Game 2: If pw0UV selected by A is equal to
is sU∗V ∗ in the first step, the simulation is the same as Game pwUV , Game 2 is the same as Game 1; otherwise, Game 2
2; otherwise, it’s the same as Game 3. (2) B outputs the same is independent of Game 1. The probability that pw0UV =
bit that A outputs. pwUV is NS /N , where NS denotes the number of sessions
If A can distinguish between Game 2 and Game 3, B wins on a principal and N is the size of the password dictionary.
the leakage-resilient refreshing security distinguishing game. Therefore,
Therefore, |AdvGame2 (A) − AdvGame1 (A)| = NS /N (II)
|AdvGame2 (A) − AdvGame3 (A)| ≤ AdvRefresh−LRS (III) Game 2 and Game 3: The analysis is the same as that for
Game 3 and Game 4: In Game 3, kU ∗ V ∗ = KDF(UU ∗ , UV ∗ , Game 1 and Game 2 in Case 1.1.
0
(gxU∗ ·xV ∗ )sU ∗ V ∗ ), while kU ∗ V ∗ = KDF(UU ∗ , UV ∗ , (gxU ∗ ·xV ∗ )s ) AdvGame3 (A) = 1/NP2 NS AdvGame2 (A) (III)
in Game 4. Because s0 is chosen at random and is indepen-
0 Game 3 and Game 4: The analysis is the same as that for
dent of sU ∗ V ∗ , (gxU ∗ ·xV ∗ )sU ∗ V ∗ and (gxU∗ ·xV ∗ )s are perfectly
Game 2 and Game 3 in Case 1.2.
indistinguishable. Therefore,
|AdvGame3 (A) − AdvGame4 (A)| ≤ AdvRefresh−LRS (IV)
|AdvGame3 (A) − AdvGame4 (A)| = 0 (IV)
Game 4 and Game 5: The analysis is the same as that for
Game 4 and Game 5: From Game 3 and Game 4 in Case 1.1.,
Game 3 and Game 4 in Case 1.2.
we obtain
|AdvGame4 (A) − AdvGame5 (A)| = 0 (V)
|AdvGame4 (A) − AdvGame5 (A)| ≤ AdvKDF (V)
Game 5 and Game 6: The analysis is the same as that for
Game 5: In Game 5, the leakage is computed using a random Game 4 and Game 5 in Case 1.2.
∗
value s, and the session key kU ∗ V ∗ of 5sU ∗ ,V ∗ is picked at
random. Therefore, |AdvGame5 (A) − AdvGame6 (A)| ≤ AdvKDF (VI)

AdvGame5 (A) = 0 (VI) Game 6: The analysis is the same as that for Game 5 in
Case 1.2.
Using equations (I)-(VI), we obtain
AdvGame6 (A) = 0 (VII)
Advλ−CAFLReCK
PAKE ≤ NP2 NS2 (AdvRefresh−LRS + AdvKDF ).
Using equations (I)-(VII), we obtain
Case 2 (A Partner Session to the Test Session Does Not
Advλ−CAFLReCK
PAKE ≤ NS /N +NP2 NS (AdvRefresh−LRS +AdvKDF ).
Exist):
In this case, A is an active adversary who masquerades FromCase 1 and Case 2, we obtain
as the intended partner principal of the owner principal.
Advλ−CAFLReCK
PAKE ≤ NS /N + NP2 NS2 (AdvDDH
Therefore, A is not permitted to obtain the principals’ long-
term shared password by asking a RevealPassword query. + AdvRefresh−LRS + AdvKDF ).
However, A can learn the two parties’ ephemeral session keys
by asking RevealEphemeralKey queries.
Game 1: Same as Game 1 in Case 1.2. D. SECURITY AND PERFORMANCE COMPARISON
Game 2: Game 2 has the following differences from We summarize the security and performance comparison of
Game 1: A picks a random password pw0UV , computes s0UV = our protocol with other protocols in Table 1, where Exp
H (pw0UV ), encodes it, and then uses the encodings of s0UV to denotes modular exponentiation.
generate the protocol message based on the protocol specifi- From Table 1, our protocol enjoys three advantages: (1)
cations. it’s the first LR PAKE protocol; (2) it’s an AFLR eCK-
Game 3: Game 3 has the following differences from secure AKE protocol in the standard model, while leakage
Game 2: First, A chooses two random distinct principals attacks are not allowed after the adversary chooses the test
$ $
U ∗ , V ∗ ←− {U1 , . . . , UNp } and a random number s∗ ←− session in [25], and its AFLR eCK-security has just been
{1, . . . , Ns }. Second, A begins to run the game and chooses proven in the CK security model in [28] and in the RO model
∗ ∗
5sU ∗ ,V ∗ as the target oracle. If the test oracle is not 5sU ∗ ,V ∗ , in [29] and [30]; (3) our protocol is more efficient than other
the Game 3 challenger stops and exits the game. LR AKE protocols [25], [28]–[31].

VOLUME 5, 2017 26839


TABLE 1. Security and efficiency comparison of AKE protocols.
E. LEAKAGE TOLERANCE OF THE PROPOSED PROTOCOL
First, the overall leakage amount is arbitrarily large since
the encodings are refreshed in each instance of the proposed
protocol and continuous leakage is allowed.
Second, for each instance of the proposed protocol, the
leakage size is bounded by λRefresh = (λRefresh1 , λRefresh2 ).
Based on Lemma 6, an LRS scheme 8n,1 Zp∗ is λ-secure with
λ = (0.3nlog p, 0.3nlog p) if 20 < n. Moreover, based
on Lemma 7, a leakage-resilient refreshing RefreshZn,1 ∗ for
p [16] M. Luo, X. Zhou, L. Li, K.-K. R. Choo, and D. He, ‘‘Security analysis of
8n,1
Zp∗ is (λ/2, λ)- secure if 1/3 ≤ n ∧ n ≥ 16. There-
fore, the leakage size for each occurrence is bounded by
(0.15nlog p, 0.15nlog p). In the protocol, the shared secret
password is mapped to a group element sUV = H (pwUV )
and encoded into two parts, namely, aL ∈ (Zp∗ )n and aR ∈
(Zp∗ )n×1 , of size n · log p. Thus, the leakage tolerance for each
occurrence is
(0.15nlog p/nlog p, 0.15nlog p/nlog p) = 15%.
V. CONCLUSION
By combining Diffie-Hellman key exchange and the
DF-LRS scheme appropriately, we first design an λ-CAFLR
eCK security PAKE protocol. Our protocol is one of most
practical cryptographic primitives for trusted computing,
which could be used to securely authenticate devices’ iden-
tities and generate shared session keys among devices in
insecure leakage environments such as IoT.
REFERENCES
[1] A. G. Reddy, E.-J. Yoon, A. K. Das, V. Odelu, and K.-Y. Yoo, ‘‘Design
of mutually authenticated key agreement protocol resistant to imper-
sonation attacks for multi-server environment,’’ IEEE Access, vol. 5,
pp. 3622–3639, 2017.
[2] Trusted Computing Group. (Sep. 2015). Guidance for Securing
IoT Using TCG Technology Reference Document. [Online]. Avail-
able: https://www.trustedcomputinggroup.org/wp-tontent/uploads/TCG
_Guidance_for_Securing_IoT_1_0r21.pdf
[3] C.-L. Hsu, T.-H. Chuang, and T.-W. Lin, ‘‘End-to-end authenticated
key exchange agreement for wearable devices in IoT environments,’’ in
Proc. IEEE Great Lakes Biomed. Conf. (GLBC), Milwaukee, WI, USA,
Apr. 2017, p. 1, doi: 10.1109/GLBC.2017.7928891.
[4] S. M. Bellovin and M. Merritt, ‘‘Encrypted key exchange: Password-based
protocols secure against dictionary attacks,’’ in Proc. IEEE Symp. Secur.
Privacy, Oakland, CA, USA, May 1992, pp. 72–84.
[5] M. Bellare, D. Pointcheval, and P. Rogaway, ‘‘Authenticated key exchange
secure against dictionary attacks,’’ in Proc. EUROCRYPT, Bruges,
Belgium, 2000, pp. 139–155.
26840
O. Ruan et al.: Provably LR PAKE in the Standard Model
[6] P. MacKenzie, S. Patel, and R. Swaminathan, ‘‘Password-authenticated
key exchange based on RSA,’’ in Proc. ASIACRYPT, Kyoto, Japan, 2000,
pp. 599–613.
[7] J. W. Byun, D. H. Lee, and J. I. Lim, ‘‘EC2C-PAKA: An efficient client-to-
client password-authenticated key agreement,’’ Inf. Sci., vol. 177, no. 19,
pp. 3995–4013, 2007.
[8] M. S. Farash and M. A. Attari, ‘‘An efficient client–client password-based
authentication scheme with provable security,’’ J. Supercomput., vol. 70,
no. 2, pp. 1002–1022, 2014.
[9] O. Goldreich and Y. Lindell, ‘‘Session-key generation using human pass-
words only,’’ J. Cryptol., vol. 19, no. 3, pp. 241–340, 2006.
[10] J. Katz, R. Ostrovsky, and M. Yung, ‘‘Efficient and secure authenticated
key exchange using weak passwords,’’ J. ACM, vol. 57, no. 1, 2009,
Art. no. 3.
[11] J. Katz, P. MacKenzie, G. Taban, and V. Gligor, ‘‘Two-server password-
only authenticated key exchange,’’ J. Comput. Syst. Sci., vol. 78, no. 2,
pp. 651–669, 2012.
[12] R. Canetti, D. Dachman-Soled, V. Vaikuntanathan, and H. Wee, ‘‘Efficient
password authenticated key exchange via oblivious transfer,’’ in Proc.
PKC, Darmstadt, Germany, 2012, pp. 449–466.
[13] V. Goyal, ‘‘Positive results for concurrently secure computation in the
plain model,’’ in Proc. 53rd Annu. Symp. Found. Comput. Sci. (FOCS),
New Brunswick, NJ, USA, 2012, pp. 41–50.
[14] W. M. Li, Q. Y. Wen, Q. Su, H. Zhang, and Z. P. Jin,, ‘‘Password-
authenticated multiple key exchange protocol for mobile applications,’’
China Commun., vol. 9, no. 1, pp. 64–72, 2012.
[15] K.-L. Tsai, Y.-L. Huang, F.-Y. Leu, and I. You, ‘‘TTP based high-efficient
multi-key exchange protocol,’’ IEEE Access, vol. 4, pp. 6261–6271, 2016.
two password-authenticated multi-key exchange protocols,’’ IEEE Access,
vol. 5, pp. 8017–8024, 2017.
[17] O. Ruan, N. Kumar, D. He, and J.-H. Lee, ‘‘Efficient provably secure
password-based explicit authenticated key agreement,’’ Pervasive Mobile
Comput., vol. 24, no. 12, pp. 50–60, 2015.
[18] X. Yi et al., ‘‘ID2S password-authenticated key exchange protocols,’’ IEEE
Trans. Comput., vol. 65, no. 12, pp. 3687–3701, Dec. 2016.
[19] S. H. Islam, ‘‘Design and analysis of a three party password-based authen-
ticated key exchange protocol using extended chaotic maps,’’ Inf. Sci.,
vol. 312, pp. 104–130, Aug. 2015.
[20] R. Amin and G. P. Biswas, ‘‘Cryptanalysis and design of a three-party
authenticated key exchange protocol using smart card,’’ Arabian J. Sci.
Eng., vol. 40, no. 11, pp. 3135–3149, 2015.
[21] C. F. Lu, ‘‘Multi-party password-authenticated key exchange scheme with
privacy preservation for mobile environment,’’ KSII Trans. Internet Inf.
Syst., vol. 9, no. 12, pp. 5135–5149, 2015.
[22] J. Nam, J. Paik, J. Kim, Y. Lee, and D. Won, ‘‘Server-aided password-
authenticated key exchange: From 3-party to group,’’ in Proc. Int. Conf.
Human Interface Manage. Inf., Orlando, FL, USA, 2011, pp. 339–348.
[23] C. Guo, Z. Zhang, L. Zhu, Y.-A. Tan, and Z. Yang, ‘‘Scalable protocol
for cross-domain group password-based authenticated key exchange,’’
Frontiers Comput. Sci., vol. 9, no. 1, pp. 157–169, 2014.
[24] A. Ometov, A. Levina, P. Borisenko, R. Mostovoy, A. Orsino, and
S. Andreev, ‘‘Mobile social networking under side-channel attacks: Prac-
tical security challenges,’’ IEEE Access, vol. 5, pp. 2591–2601, 2017.
[25] D. Moriyama and T. Okamoto, ‘‘Leakage resilient eCK-secure key
exchange protocol without random oracles,’’ in Proc. ASIACCS,
Hong Kong, 2011, pp. 441–447.
[26] B. LaMacchia, K. Lauter, and A. Mityagin, ‘‘Stronger security of authen-
ticated key exchange,’’ in Proc. ProvSec, Wollongong, NSW, Australia,
2007, pp. 1–16.
[27] R. Canetti and H. Krawczyk, ‘‘Analysis of key-exchange protocols and
their use for building secure channels,’’ in Proc. EUROCRYPT, Innsbruck,
Austria, 2001, pp. 453–474.
[28] J. Alawatugoda, C. Boyd, and D. Stebila, ‘‘Continuous after-the-fact
leakage-resilient key exchange,’’ in Proc. ACISP, Wollongong, NSW, Aus-
tralia, 2014, pp. 258–273.
[29] J. Alawatugoda, D. Stebila, and C. Boyd, ‘‘Modelling after-the-fact leakage
for key exchange,’’ in Proc. ASIA CCS, Kyoto, Japan, 2014, pp. 207–216.
[30] J. Alawatugoda, D. Stebila, and C. Boyd, ‘‘Continuous after-the-fact
leakage-resilient eCK-secure key exchange,’’ in Proc. IMA Int. Conf.
Cryptogr. Coding, Oxford, U.K., 2015, pp. 277–294.
[31] R. Chen, Y. Mu, G. Yang, W. Susilo, and F. Guo, ‘‘Strongly leakage-
resilient authenticated key exchange,’’ in Proc. CT-RSA, San Francisco,
CA, USA, 2016, pp. 19–36.
VOLUME 5, 2017
O. Ruan et al.: Provably LR PAKE in the Standard Model

[32] O. Ruan, Y. Zhang, M. Zhang, J. Zhou, and L. Harn, ‘‘After-the- JING CHEN received the M.S. and Ph.D. degrees
fact leakage-resilient identity-based authenticated key exchange,’’ IEEE from the Huazhong University of Science and
Syst. J., to be published, doi: 10.1109/JSYST.2017.2685524. Technology, China. He is currently a Professor
[33] M. Toorani, ‘‘On continuous after-the-fact leakage-resilient key with the School of Computer Science, Wuhan Uni-
exchange,’’ in Proc. 2nd Workshop Cryptogr. Secur. Comput. Syst., versity. His work focuses on wireless networks,
Amsterdam, The Netherlands, 2015, pp. 31–35. network security, routing, and distributed resource
[34] Z. Yang and S. Li, ‘‘On security analysis of an after-the-fact leakage management.
resilient key exchange protocol,’’ Inf. Process. Lett., vol. 116, no. 1,
pp. 33–40, 2016.
[35] H. Krawczyk. (Apr. 2008). On Extract-Then-Expand Key Deriva-
tion Functions and an HMAC Based KDF. [Online]. Available:
http://webee.technion.ac.il/~hugo/kdf/kdf.pdf
[36] F. Davì, S. Dziembowski, and D. Venturi, ‘‘Leakage-resilient storage,’’ in
Proc. SCN, Amalfi, Italy, 2010, pp. 121–137.
[37] S. Dziembowski and S. Faust, ‘‘Leakage-resilient cryptography from the
inner-product extractor,’’ in Proc. ASIACRYPT, Seoul, South Korea, 2011,
pp. 702–721.
[38] O. Ruan, M. Zhang, and J. Chen, ‘‘Leakage-resilient password-based
authenticated key exchange,’’ in Proc. Algorithms Archit. Parallel Process.,
Helsinki, Finland, 2017, pp. 285–296.

MINGWU ZHANG was a JSPS Post-Doctoral

OU RUAN received the Ph.D. degree from the
College of Information Security, School of Com-
puter Science and Technology, Huazhong Univer-
sity of Science and Technology of China, in 2013.
He is currently an Associate Professor with the
School of Computer Sciences, Hubei Univer-
sity of Technology. His research interests include
leakage-resilient cryptography, secure computa-
tions, and network security.
Fellow of the Japan Society of Promotion Sci-
ences, Institute of Mathematics for Industry,
Kyushu University, from 2010 to 2012. He is cur-
rently a Professor at with the School of Computer
Sciences, Hubei University of Technology, where
he is also the Director of Institute of Data Security
and Privacy Preservation. His research interests
include cryptography technology for networks,
secure computations, and privacy preservations.

VOLUME 5, 2017 26841