A Certificateless Noninteractive Key Exchange Protocol with Provable Security

In this paper, we propose a certificateless noninteractive key exchange protocol. No message exchange is required in the protocol, which benefits applications where the communication overhead matters, for example, communications between satellites and the earth. Using the certificateless public key cryptosystem removes both the public key certificate and the key escrow problem. The security of the protocol rests on the bilinear Diffie–Hellman problem and is proved in the random oracle model. Compared with previous protocols, the new protocol reduces the running time by at least 33.0%.


Introduction
Noninteractive key exchange (NIKE) protocols enable two users to establish a shared key without any interaction. In a NIKE, every user publishes his public key in a public directory, and two users can set up a shared key from the other's public key and their own private key [1]. The earliest example of NIKE is the Diffie–Hellman key exchange proposed in the seminal paper [2]. In the protocol, Alice and Bob share a common group $G$ of order $q$ with generator $g$. Alice's public key is of the form $g^x \in G$, and Bob's public key is of the form $g^y \in G$. Then, Alice computes $(g^y)^x$ and Bob computes $(g^x)^y$, so they establish the shared key $g^{xy}$ without any communication. NIKE is very useful for securing communications where the communication delay matters, for example, in wireless networks where two terminals are far away from each other. Another example is the communication between a satellite and the earth. The distance between the satellite and the earth increases the running time of a security protocol dramatically, and a NIKE protocol reduces the protocol delay to the minimum because no interaction is needed between the earth and the satellite [3]. With NIKE protocols, two participants can establish a key and send encrypted messages to each other right away [4,5].
Similar to NIKE protocols, public key encryption can also realize noninteractive communication. However, there are differences between the two. In a public key encryption system, anyone who wants to send the receiver Alice an encrypted message only needs to know Alice's public key and the system parameters. In a NIKE system, both parties must be enrolled in the system and hold their private keys in order to establish a shared key. Furthermore, public key encryption is much slower than encryption in a NIKE system, because the latter can use a symmetric encryption algorithm once the shared key is set up.
In this paper, we propose a noninteractive key exchange protocol based on the certificateless public key cryptosystem. The security of the protocol is based on the bilinear Diffie–Hellman problem. Our contributions are mainly as follows: (1) A noninteractive key agreement protocol is proposed based on the certificateless public key cryptosystem. (2) The security model of NIKE protocols in the setting of the certificateless public key cryptosystem is studied. (3) The security of the proposed protocol is proved formally using the security model of NIKE protocols. (4) The computation efficiency of the proposed protocol is improved compared with the available NIKE protocols.
The remaining part of this paper is organized as follows: Section 2 reviews the related work on NIKE protocols; Section 3 introduces the preliminaries, the security definition, and the security model; Section 4 introduces our scheme; Section 5 gives the security proof of our scheme; Section 6 gives the performance comparison; and Section 7 concludes the paper.

Related Works
According to the underlying cryptosystems, available NIKE protocols can be divided into three categories, i.e., certificate-based ones, identity-based ones, and certificateless ones. Certificate-based NIKE protocols employ traditional certificate-based cryptography. The Diffie–Hellman noninteractive key exchange scheme falls into this category. In 2006, a certificate-based NIKE protocol was proposed using an elliptic curve [6], and a PKI-based security model was given. Later, Cash et al. proposed a stronger security model for NIKE, and a NIKE protocol using the twin Diffie–Hellman problem was also proposed [7]. In 2013, Freire et al. provided different security models for NIKE and studied the relationship between them. They also gave two NIKE constructions with provable security [8]. Hesse et al. proposed a NIKE with a tight security reduction in [9].
In 1991, Maurer and Yacobi proposed an identity-based NIKE protocol based on a one-way trapdoor function [10]. However, it was pointed out that Maurer and Yacobi's scheme had security weaknesses [11]. Later, Maurer and Yacobi improved their protocol [12], but the scheme was still shown to be insecure [13]. In 2000, Sakai et al. [14] proposed an ID-based NIKE protocol by introducing bilinear pairings, but without a formal security proof. Dupont and Enge extended Sakai et al.'s scheme to a more general case and provided a security model for ID-based NIKE [15]. Paterson and Srinivasan studied the relationship between ID-based NIKE and ID-based encryption and proposed an ID-NIKE scheme [16] together with a security model stronger than Dupont and Enge's. An improved ID-NIKE with forward secrecy is proposed in [17].
To remove the inherent key escrow problem of ID-based cryptosystems, Al-Riyami and Paterson proposed certificateless cryptography [18]. In certificateless cryptography, a user's private key is generated jointly by the key generation center (KGC) and the user. Since part of the private key is unknown to the KGC, certificateless cryptography removes the key escrow problem. Compared with ID-based cryptosystems, certificateless cryptosystems keep the former's strength of lightweight public key management while achieving an improved level of security: even the trusted authority is unable to learn the established secret. In 2014, Sang et al. proposed a certificateless NIKE (CL-NIKE) protocol [19]. Later, Fu and Liu proposed another CL-NIKE protocol [20]. However, neither of the two protocols came with a complete security proof.

Preliminaries

Let $G_1$ be an additive group of order $q$, where $q$ is a large prime, and $G_2$ be a multiplicative group of the same order. Let $P$ be an arbitrary generator of $G_1$; then, a bilinear pairing $e$ is a map $e: G_1 \times G_1 \to G_2$ satisfying the following properties: (1) Bilinearity: given $P \in G_1$ and $a, b \in Z_q^*$, we have $e(aP, bP) = e(P, P)^{ab}$. The bilinear Diffie–Hellman (BDH) problem on which the protocol rests is: given $(P, aP, bP, cP)$ for unknown $a, b, c \in Z_q^*$, compute $e(P, P)^{abc}$.

Security Definition

In this section, we present the definition of CL-NIKE. A CL-NIKE scheme is defined by the following six algorithms:
(1) Setup: this algorithm is run by the KGC once at the beginning to set up a certificateless key agreement system. It takes a security parameter $k$ and returns the system parameters params and the KGC's master key master-key. params is published authentically, while master-key is known only to the KGC.
(2) Partial-Private-Key-Extract: run by the KGC, this algorithm takes params, master-key and a user's identity $ID_I$ and generates the user's partial private key $D_I$.
(3) Set-Secret-Value: run by the user, this algorithm takes params and $ID_I$ and outputs the user's secret value $x_I$.
(4) Set-Public-Key: run by the user, this algorithm takes params and $x_I$ and outputs the user's public key $P_I$.
(5) Set-Private-Key: run by the user, this algorithm takes $D_I$ and $x_I$ and outputs the user's full private key $S_I$.
(6) SharedKey: run by a user $A$, this algorithm takes $A$'s private key $S_A$ and the identity and public key $P_B$ of another user $B$ and outputs the shared key $K_{AB}$. The corresponding run by $B$ on $S_B$ and $P_A$ must output the same key.

Security Model

The CK model [21] and the eCK model [22] are the most widely used security models for authenticated key exchange (KE) protocols. However, they are not suitable for noninteractive key exchange protocols, because the CK and eCK models analyze the security of ephemeral secrets [23], but no ephemeral secrets are used in NIKE protocols. Therefore, a NIKE protocol needs its own security model.
Bernstein [6] and Cash et al. [7] were the first to propose security models for NIKE protocols. Later, Dupont and Enge [15] and Paterson and Srinivasan [16] extended the security models of [6,7] from the certificate-based setting to the ID-based setting. Paterson's security model is stronger than Dupont's because it considers security against known session key attacks by allowing the reveal query. Our security model follows Paterson's model in [16]. Furthermore, we extend Paterson's security model from the ID-based cryptosystem to the certificateless cryptosystem. Our security model accounts for the particular public/private key setting of the certificateless public key cryptosystem, for the case where an attacker replaces a legal user's public key, and for the case where a malicious KGC tries to break the shared key. We now define our security model for CL-NIKE protocols.
There are two types of adversaries against a CL-NIKE protocol, i.e., the type I adversary $A_I$ and the type II adversary $A_{II}$. The type I adversary models an ordinary attacker who is not able to obtain a user's partial private key but is able to replace a legal user's public key; $A_I$ can do this because there is no public key certificate in a CL-NIKE. The type II adversary models a malicious KGC who owns the system master key and hence knows every user's partial private key, but who cannot replace a legal user's public key because that is easily detected and would destroy the KGC's reputation. Consider two games, game I and game II, between a challenger C and $A_I$ and $A_{II}$, respectively. The security of a CL-NIKE protocol is defined via the two games.

Game I: the game is between $A_I$ and C.

Setup phase: given the security parameter $k$, the challenger C obtains the system parameters params and the master key. C gives params to $A_I$ and keeps the master key secret.

Query phase: the adversary $A_I$ can issue the following queries in any order, and C answers them.
(1) Partial private key extraction: $A_I$ chooses an entity with identifier $ID_I$ and queries user I's partial private key. C runs Partial-Private-Key-Extract to generate the partial private key $D_I$ and returns it to $A_I$.
(2) Secret value extraction: on receiving the query on $ID_I$, C runs Set-Secret-Value and returns $x_I$ to $A_I$.
(3) Private key extraction: C calls Partial-Private-Key-Extract and Set-Secret-Value to obtain $D_I$ and $x_I$, then runs Set-Private-Key on $D_I$ and $x_I$ to generate the private key $S_I$ and returns it to $A_I$.
(4) Public key request: C first runs Set-Secret-Value and keeps $x_I$ for itself. Then, C runs Set-Public-Key to generate $ID_I$'s public key $P_I$ and returns it to $A_I$.
(5) Public key replacement: $A_I$ replaces the public key of an entity of its choice with any value of its choice.
(6) Shared key reveal: suppose the query is on $ID_A$ and $ID_B$. C obtains $S_A$ and $P_B$, runs SharedKey to obtain the shared key $K_{AB}$ between $ID_A$ and $ID_B$, and returns it to $A_I$.

Test phase: given a pair of identities $ID_M$ and $ID_N$ (the pair must not have been the subject of a shared key reveal query), C obtains $K_{MN}$ as above. Then, C selects $b \leftarrow \{0, 1\}$ at random and returns $K_{MN}$ when $b = 0$ and a uniformly random string from $\{0, 1\}^l$ when $b = 1$, where $l$ is the length of the shared key.

Finally, $A_I$ outputs its guess $b'$, and $A_I$ wins the game if $b' = b$. $A_I$'s advantage in the game is $\mathrm{Adv}^{\mathrm{Game\ I}}_{A_I} = \left|\Pr[b' = b] - \tfrac{1}{2}\right|$. We say the CL-NIKE scheme is secure against $A_I$ if $\mathrm{Adv}^{\mathrm{Game\ I}}_{A_I}$ is negligible.

Game II: the game is between $A_{II}$ and C.

Setup phase: given the security parameter $k$, the challenger C obtains the system parameters params and the master key. C gives both params and the master key to $A_{II}$.

Query phase: since $A_{II}$ has the master key, it can compute the partial private key of any user by itself, so it does not make partial private key extraction queries. Also, since $A_{II}$ is not allowed to replace a user's public key, it does not make public key replacement queries. In game II, $A_{II}$ makes the following queries and C answers them as follows:
(1) Secret value extraction: on receiving the query on $ID_I$, C runs Set-Secret-Value and returns $x_I$ to $A_{II}$.
(2) Private key extraction: if user I's partial private key has not been computed yet, C first computes it using the master key; then C calls Set-Secret-Value to obtain $x_I$. Finally, C runs Set-Private-Key to obtain user I's private key and returns it to $A_{II}$.
(3) Public key request: on receiving this query, C first runs Set-Secret-Value to obtain $x_I$ and then runs Set-Public-Key to obtain the public key, which it returns to $A_{II}$.
(4) Shared key reveal: suppose this query is made on $ID_A$ and $ID_B$. C runs the corresponding algorithms to obtain $S_A$ and $P_B$, computes $K_{AB}$ by running SharedKey, and returns $K_{AB}$ to $A_{II}$.

Test phase: given a pair of identities $ID_M$ and $ID_N$ (the pair must not have been the subject of a shared key reveal query), C obtains $K_{MN}$ as above. Then, C selects $b \leftarrow \{0, 1\}$ at random and returns $K_{MN}$ when $b = 0$ and a uniformly random string from $\{0, 1\}^l$ when $b = 1$, where $l$ is the length of the shared key.

Finally, $A_{II}$ outputs its guess $b'$, and $A_{II}$ wins the game if $b' = b$. $A_{II}$'s advantage in the game is $\mathrm{Adv}^{\mathrm{Game\ II}}_{A_{II}} = \left|\Pr[b' = b] - \tfrac{1}{2}\right|$. We say the CL-NIKE scheme is secure against $A_{II}$ if $\mathrm{Adv}^{\mathrm{Game\ II}}_{A_{II}}$ is negligible.

Security and Communication Networks
A CL-NIKE scheme is secure if it is secure both against A I and A II .

Protocol Description
In this section, we propose a new CL-NIKE protocol. The new protocol consists of the six algorithms described in Section 3.2, as follows:
(i) Setup: given the system security parameter $k$, the KGC does the following: (1) Outputs $G_1$, $G_2$ and $e$ satisfying the definitions in Section 3.1. (2) Chooses an arbitrary generator $P$ of $G_1$. (3) Selects the master key $s \in_R Z_q^*$ at random and computes the system public key $P_0 = sP$. (4) Chooses the hash functions $H_1$ and $H_2$, which are modeled as random oracles in the security proof; $H_1$ maps identities to points of $G_1$, and $H_2$ maps the shared secrets to an $l$-bit key. The system parameters are $(G_1, G_2, q, e, P, P_0, H_1, H_2)$.
(ii) Partial-Private-Key-Extract: given a user A's identity $ID_A$, the KGC computes A's partial private key $D_A$ using the master key $s$.
(iii)–(v) Set-Secret-Value, Set-Public-Key and Set-Private-Key: A picks a secret value $x_A$, computes $X_A = x_A P$ and $Y_A = x_A P_0$, and publishes the public key $P_A = (X_A, Y_A)$. A's private key is $(x_A, D_A)$.
(vi) SharedKey: to compute the shared key with B, A first verifies B's public key by checking whether $e(X_B, P_0) = e(Y_B, P)$ holds. If the verification is correct, A computes the shared secrets $K^1_{AB}$ and $K^2_{AB}$ from his private key and B's identity and public key; the shared key is $K_{AB} = H_2(ID_A, ID_B, K^1_{AB}, K^2_{AB})$. Symmetrically, to compute the shared key, B first verifies A's public key by checking whether $e(X_A, P_0) = e(Y_A, P)$ holds. If the verification is correct, B computes the shared secrets and derives the shared key in the same way. The correctness of the protocol is guaranteed because both parties obtain the same shared secrets. The procedure of the SharedKey algorithm is illustrated in Figure 1.
The public key check holds for an honestly generated key because, by bilinearity, $e(X_A, P_0) = e(x_A P, sP) = e(P, P)^{x_A s} = e(x_A s P, P) = e(Y_A, P)$. Note what the check does and does not guarantee: it binds $Y_A$ to $X_A$ and $P_0$, i.e., it ensures that both components were computed with the same secret value, but it does not bind the pair to $ID_A$. Anyone can produce a pair $(x'P, x'P_0)$ that passes, which is exactly why the type I adversary of Section 3.3 is allowed to replace a user's public key with one of its own choice.
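To make the public key check concrete, the following is an added example, not code from the paper, that implements a toy reduced Tate pairing on the curve family the paper uses for its benchmarks, $y^2 = x^3 + x$ over $F_p$ with $p \equiv 3 \pmod 4$ and embedding degree 2, using the distortion map $(x, y) \mapsto (-x, iy)$ so that $e(P, P) \neq 1$. The parameters $p = 4051$ and $q = 1013$ (with $p + 1 = 4q$), the master key and the secret values are constructed toy values; the protocol's SharedKey computation is not reproduced. The example runs the check $e(X_A, P_0) = e(Y_A, P)$ on an honest key, on a key a type I adversary has replaced with its own pair $(x'P, x'P_0)$, and on a malformed pair:

```python
# Added example (not the paper's code): toy reduced Tate pairing on the supersingular curve
# y^2 = x^3 + x over F_p, p = 3 (mod 4), embedding degree 2, with the distortion map
# (x, y) -> (-x, i*y), i^2 = -1, and the certificateless public key check e(X, P_0) == e(Y, P).
# Constructed toy parameters (assumption): q = 1013 and p = 4q - 1 = 4051 are prime, so
# #E(F_p) = p + 1 = 4q contains a subgroup of prime order q. The paper uses 512-bit p, 160-bit q.
P_MOD = 4051
Q_ORD = 1013

# F_{p^2} = F_p[i]/(i^2 + 1); an element (a, b) means a + b*i.
def fp2_mul(u, v):
    (a, b), (c, d) = u, v
    return ((a * c - b * d) % P_MOD, (a * d + b * c) % P_MOD)

def fp2_pow(u, e):
    r = (1, 0)
    while e:
        if e & 1:
            r = fp2_mul(r, u)
        u = fp2_mul(u, u)
        e >>= 1
    return r

def _slope(T, R):
    """Slope of the line through T and R (tangent if T == R) on y^2 = x^3 + x (a = 1)."""
    (x1, y1), (x2, y2) = T, R
    if T == R:
        return (3 * x1 * x1 + 1) * pow(2 * y1, P_MOD - 2, P_MOD) % P_MOD
    return (y2 - y1) * pow(x2 - x1, P_MOD - 2, P_MOD) % P_MOD

# E(F_p) in affine coordinates; None is the point at infinity.
def ec_add(T, R):
    if T is None:
        return R
    if R is None:
        return T
    (x1, y1), (x2, y2) = T, R
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None                                  # R == -T
    lam = _slope(T, R)
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def ec_mul(k, T):
    R = None
    while k:
        if k & 1:
            R = ec_add(R, T)
        T = ec_add(T, T)
        k >>= 1
    return R

def _line(T, R, Q):
    """Miller line through T and R evaluated at phi(Q) = (-x_Q, i*y_Q), as an F_{p^2} element."""
    (x1, y1), (x2, y2) = T, R
    xq, yq = Q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:          # vertical line x - x_T
        return ((-xq - x1) % P_MOD, 0)
    lam = _slope(T, R)
    # (y - y_T) - lam*(x - x_T) at x = -x_Q (real part) and y = i*y_Q (imaginary part)
    return ((-y1 - lam * (-xq - x1)) % P_MOD, yq % P_MOD)

def pairing(P, Q):
    """e(P, Q) = f_{q,P}(phi(Q))^((p^2-1)/q) by Miller's algorithm. Vertical-line denominators
    are dropped: they lie in F_p^* and the final exponent is a multiple of p - 1, so they vanish."""
    f, T = (1, 0), P
    for bit in bin(Q_ORD)[3:]:                       # binary digits of q after the leading 1
        f = fp2_mul(fp2_mul(f, f), _line(T, T, Q))
        T = ec_add(T, T)
        if bit == "1":
            f = fp2_mul(f, _line(T, P, Q))
            T = ec_add(T, P)
    return fp2_pow(f, (P_MOD * P_MOD - 1) // Q_ORD)

def find_generator():
    """A point of prime order q: take a curve point and clear the cofactor (p + 1) / q."""
    for x in range(1, P_MOD):
        rhs = (x * x * x + x) % P_MOD
        y = pow(rhs, (P_MOD + 1) // 4, P_MOD)        # square root, valid since p = 3 (mod 4)
        if rhs and y * y % P_MOD == rhs:
            G = ec_mul((P_MOD + 1) // Q_ORD, (x, y))
            if G is not None:
                return G
    raise RuntimeError("no point of order q found")

def check_public_key(X, Y, P, P0):
    """The protocol's verification: accept P_A = (X, Y) iff e(X, P_0) == e(Y, P), i.e. iff
    X = xP and Y = xP_0 for one and the same x (by bilinearity)."""
    return pairing(X, P0) == pairing(Y, P)

def demo(s=777, x=123, x_adv=456):
    """Honest key, a type I adversary's replaced key, and a malformed pair (assumed toy values)."""
    P = find_generator()
    P0 = ec_mul(s, P)                                # KGC: P_0 = sP
    honest = check_public_key(ec_mul(x, P), ec_mul(x, P0), P, P0)
    # A_I replaces A's key with (x'P, x'P_0): the check passes, because it binds Y to X and P_0
    # only, not to the owner; that is exactly why game I grants the replacement query.
    replaced = check_public_key(ec_mul(x_adv, P), ec_mul(x_adv, P0), P, P0)
    # A pair whose second component ignores P_0 is rejected.
    malformed = check_public_key(ec_mul(x_adv, P), ec_mul(x_adv, P), P, P0)
    return honest, replaced, malformed
```

`demo()` returns `(True, True, False)`. The middle value is the point the security model captures: a replaced key passes verification, and the adversary who installed it knows the secret value $x'$ behind it. The reduction in game I records exactly this by storing $\bot$ for the secret value in the K-list entry after a replacement. The two pairings in `check_public_key` are also the dominant cost of the check, which is why the paper counts pairings separately in Section 6.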

Security Proof
In this section, we prove the security of our protocol in the random oracle model, using the security model of Section 3. We have the following theorem:

Theorem 1. If the BDH problem is hard, our CL-NIKE protocol is secure in the random oracle model.

The theorem follows from Lemma 1 and Lemma 2, which cover the type I and the type II adversary, respectively.

Lemma 1. If there exists a type I adversary $A_I$ which wins game I against our CL-NIKE protocol, then the BDH problem can be solved with nonnegligible probability in the random oracle model.

Proof. Suppose a challenger C is given a BDH instance $(aP, bP, cP) \in G_1^3$ and is tasked to compute $e(P, P)^{abc}$. If there is a type I adversary $A_I$ which wins game I against the proposed protocol, then C can solve the BDH problem by simulating the oracles that answer $A_I$'s queries.

In the setup phase, C chooses the system parameters $G_1, G_2, q, e, P, H_1, H_2$ and sets the system public key $P_0 = cP$; the master key $c$ is unknown to C.

In the query phase, the hash functions $H_1$ and $H_2$ are modeled as random oracles. Without loss of generality, we suppose that there are $n_1$ users in the system and that $A_I$ chooses $ID_A$ and $ID_B$ in the test phase. We also suppose $A_I$ is allowed to ask $n_2$ $H_2$ queries. During this phase, C answers every query as follows:
If there is no item indexed by $ID_i$, C runs Set-Secret-Value to obtain $x_i$, computes $(X_i, Y_i)$, and adds the entry for $ID_i$ to the K-list.
(7) Public key replacement: without loss of generality, we assume that the query is of the form $(ID_i, X'_i, Y'_i)$. On receiving such a query, C sets the entry indexed by $ID_i$ to $(ID_i, \bot, D_i, X'_i, Y'_i, 1)$ in the K-list; $\bot$ records that C no longer knows the secret value behind the public key, and the flag 1 that the key has been replaced.
(8) Shared key reveal: $A_I$'s query is on $(ID_i, ID_j)$. C aborts the game if $(ID_i, ID_j) = (ID_A, ID_B)$. Otherwise, C obtains $ID_i$'s private key and $ID_j$'s public key, computes the shared key according to the protocol description, and returns $K_{ij}$ to $A_I$.

In the test phase, $A_I$'s query is on $(ID_i, ID_j)$. If $(ID_i, ID_j) \neq (ID_A, ID_B)$, C aborts the game. Else, C chooses a uniformly random string from $\{0, 1\}^l$ and returns it to $A_I$. If $A_I$ makes the correct guess with nonnegligible advantage, then it must have queried the $H_2$ oracle on the shared secrets of $ID_A$ and $ID_B$, since otherwise the real key is a random value independent of $A_I$'s view. C searches the $H_2$-list for the entry $(ID_A, ID_B, K^1_{AB}, K^2_{AB}, h^2_{AB})$. Suppose B's public key has been replaced with $(X'_B, Y'_B)$. Then, by the definition of the shared secrets, $e(P, P)^{abc} = K^1_{AB} \cdot e(K^2_{AB}, -bP)$, which C outputs as the solution of the BDH instance. Let $A_I$'s advantage be $\mathrm{Adv}^{\mathrm{Game\ I}}_{A_I}$; C's success probability is this advantage reduced by the factors lost in guessing the target pair among the $n_1$ users and the right entry among the $n_2$ $H_2$ queries.

Figure 1: Procedure of the SharedKey algorithm.

Lemma 2. If there exists a type II adversary $A_{II}$ which wins game II against our CL-NIKE protocol, then the BDH problem can be solved with nonnegligible probability.
Proof. Suppose a challenger C is given a BDH instance $(aP, bP, cP) \in G_1^3$ and is tasked to compute $e(P, P)^{abc}$. If there is a type II adversary $A_{II}$ which wins game II, then C can solve the BDH problem by simulating the oracles that answer $A_{II}$'s queries.

In the setup phase, C chooses the system parameters $G_1, G_2, q, e, P, H_1, H_2$ and the master key $s$, and computes the system public key $P_0 = sP$. C gives the system parameters $G_1, G_2, q, e, P, H_1, H_2$ as well as the master key $s$ to $A_{II}$.

In the query phase, the hash functions $H_1$ and $H_2$ are modeled as random oracles. Without loss of generality, we suppose that there are $n_1$ users in the system and that $A_{II}$ chooses $ID_A$ and $ID_B$ for the test query. We also suppose $A_{II}$ is allowed to ask $n_2$ $H_2$ queries. C answers $A_{II}$'s queries as follows:
(1) $H_1$ query: $A_{II}$'s $H_1$ query is of the form $(ID_i)$. C maintains an $H_1$-list with entries of the form $(ID_i, h^1_i, h^1_i P)$. On receiving $A_{II}$'s query, C first searches the $H_1$-list. If there is an item indexed by $ID_i$, C returns the corresponding $h^1_i P$ to $A_{II}$. If there is no such item, the following holds: (a) If $ID_i = ID_B$, C inserts $(ID_B, \bot, bP)$ in the list and returns $bP$, so that $H_1(ID_B) = bP$ with $b$ unknown to C.
and there is an entry indexed by $ID_i$, then the entry must have been generated when $A_{II}$ queried $ID_i$'s private key. C obtains $x_i$ from the entry, computes $X_i = x_i P$ and $Y_i = x_i s P$, and adds $(X_i, Y_i)$ to the entry.
The proof ends with the bound on C's success probability, which loses the factor $n_1^2 n_2$ for guessing the target pair among the $n_1$ users and the right entry among the $n_2$ $H_2$ queries.

We also note here that, in a CL-NIKE protocol, a participant $ID_A$ has a private key, or long-term secret, of the form $(x_A, D_A)$, where $x_A$ is $ID_A$'s secret value and $D_A$ is $ID_A$'s partial private key. A CL-NIKE protocol tolerates the leakage of either $x_A$ or $D_A$.
In the above security proof, security against a leaked $x_A$ is modeled by game I, which lets the attacker obtain $x_A$ via the public key replacement query (after a replacement, the attacker knows the secret value behind the public key it installed). Security against a leaked $D_A$ is modeled by game II, which gives the attacker the master key and hence the partial private key of every participant in the system.
A CL-NIKE protocol does not tolerate the leakage of both $x_A$ and $D_A$, i.e., of the whole private key. This is very different from authenticated KE protocols: they use ephemeral keys [24,25], and the secrecy of the shared key can then be guaranteed by the ephemeral keys even if both participants' long-term private keys are lost (forward secrecy). To realize noninteractive key establishment, no ephemeral keys are used in NIKE protocols; thus, the leakage of a full private key is not tolerated, and a NIKE shared key offers no forward secrecy: whoever obtains A's full private key $(x_A, D_A)$ can compute the shared key A has with every other user, past and future, because $K_{AB}$ is a deterministic function of the two long-term keys. In practice, $K_{AB}$ should therefore be used to derive per-session or per-message keys (for example, by mixing in a nonce sent along with the ciphertext) rather than directly as a long-lived traffic key. However, compared with certificate-based NIKE protocols [7] or identity-based NIKE protocols [15,16], our CL-NIKE protocol tolerates the leakage of either part of the private key, which results in stronger security.

Performance Analysis
In this section, we compare our protocol with Sang et al.'s protocol [19] and Fu and Liu's protocol [20] in terms of computation complexity and running time. The computation complexity is compared in terms of the expensive operations: pairings, scalar multiplications, and hashing to a point of $G_1$. We neglect ordinary hash functions, point additions, and integer arithmetic because their running time is negligible compared with the expensive operations. We count how many expensive operations each protocol uses. In the comparison, P stands for a pairing operation, S for a scalar multiplication, and H for a hash to a point of $G_1$. To evaluate the running time of a protocol, we first measure the expensive cryptographic operations and then add up the per-operation times to get the overall running time.
We implement the expensive operations with MIRACL version 7.0 [26]. We use the Tate pairing defined over the supersingular elliptic curve $E/F_p: y^2 = x^3 + x$ with embedding degree 2. $q$ is the 160-bit Solinas prime $q = 2^{159} + 2^{17} + 1$, and $p$ is a 512-bit prime satisfying $p + 1 = 12qr$. Note that this parameter set, a 160-bit $q$ with pairing values in the 1024-bit field $F_{p^2}$, corresponds to roughly 80-bit security, so the absolute times below apply to that security level. The evaluation is carried out on a PC with an Intel Core i7-6700 CPU at 2.8 GHz and 8.0 GB of memory, running Windows 10. The running time of every expensive operation is listed in Table 1.
The comparison results are given in Table 2. From the comparison, we can see that our protocol reduces the running time by reducing the number of pairing operations. Compared with Sang et al.'s protocol, the running time is reduced by 34.75%; compared with Fu and Liu's protocol, it is reduced by 33.00%.

Conclusion
In this paper, we propose a certificateless noninteractive key exchange protocol. The protocol requires no interaction; thus, the communication delay is minimized. Moreover, the computation efficiency is improved because the number of pairing operations is reduced. Compared with existing CL-NIKE protocols, our protocol improves the computation efficiency by at least 33.00%. The security of the protocol is based on the bilinear Diffie–Hellman problem and is proved in the random oracle model.

Data Availability
The data used to support the findings of this study are included within the article.

Conflicts of Interest
The authors declare that they have no conflicts of interest.