Tightly Secure ID-based Authenticated Key Exchange

In CRYPTO 2021, Han et al. proposed a PKI-based authenticated key exchange (AKE) scheme that satisfies tight security in the standard model by using KEM and digital signature with multi-user security as building blocks. On the other hand, no tightly secure ID-based AKE (ID-AKE) scheme is known. ID-AKE has the advantage that certificate management is unnecessary, and the authentication can be based on the party's public ID, such as an e-mail address. In this paper, we propose the first tightly secure ID-AKE scheme in the standard model. First, we extend the security model of Han et al.'s PKI-based AKE to the security model for ID-AKE. Next, we introduce a generic construction with multi-user secure KEM and ID-based signature (IBS) as building blocks and prove the tight security in our security model. For instantiating the underlying IBS, we also revisit the security proof of the existing generic construction of tightly secure IBS proposed by Lee et al. We point out a problem in their proof and correct it by strengthening an assumption. As an instantiation of our scheme, a tightly secure ID-AKE scheme under the MDDH assumption can be realized in the standard model.