Provably-Secure (Chinese Government) SM2 and Simplified SM2 Key Exchange Protocols

We revisit the SM2 protocol, which is widely used in Chinese commercial applications and by Chinese government agencies. Although it is by now standard practice for protocol designers to provide security proofs in widely accepted security models in order to assure protocol implementers of their security properties, the SM2 protocol does not have a proof of security. In this paper, we prove the security of the SM2 protocol in the widely accepted indistinguishability-based Bellare-Rogaway model under the elliptic curve discrete logarithm problem (ECDLP) assumption. We also present a simplified and more efficient version of the SM2 protocol with an accompanying security proof.


Introduction
Due to the potential of elliptic curve cryptography (ECC) to offer similar security to established public-key cryptosystems at reduced key sizes, it has become a subject of research focus. For example, we observe an emerging trend in the use of identity-based (ID-based) cryptography, such as ID-based key agreement protocols using pairings. The latter include IDbased authenticated key agreement (ID-AKA) protocol. ID-AKA protocols (as well as other key establishment protocols such as [1][2][3][4]) allow a shared secret key to be established between two or more parties for subsequent cryptographic use. The first two-party ID-AKA protocol was proposed by Shamir, which is based on Weil Pairing [5]. Shamir's protocol requires a trusted key generation center (KGC). Challenges associated with KGC are well documented, and Alriyami and Paterson proposed the first certificateless twoparty authenticated key agreement (CTAKA) protocol that does not require a KGC [6]. Since then, a number of CTAKA protocols have been proposed in the literature [7][8][9]. Most of these CTAKA protocols are, however, based on bilinear pairings. The latter is expensive, especially in comparison to RSA algorithm [10,11].
A number of recently published certificateless ECC-based AKA protocols that do not require the use of pairings have been proposed. For example, in 2007, Zhu et al. proposed a pairing-free ID-AKA protocol [12]. However, the combination of a pairing-free ID-based signature scheme with the Diffie-Hellman key exchange in the proposed protocol results in larger computation complexity and message size. In addition, the protocol and the ECC-based pairing-free ID-AKA protocol of Cao et al. [13] require three rounds of message exchanges. Another later protocol of Cao et al. reduces the minimum message exchange rounds to two and the protocol was proven secure in the Bellare-Rogaway model [10]. He et al. also independently proposed a two-round certificateless ID-AKA protocol without the use of pairings [14] and a threeround certificateless ID-AKA protocol without the use of pairings [2], respectively.
In 2011, the Chinese government published an ECC-based key exchange protocol, SM2 [15]. According to the official report from the Chinese Government State Cryptography 2 The Scientific World Journal Administration and various media releases, SM2 protocol is mandatory in various cryptographic applications used by Chinese government agencies from 1st July, 2011 [16][17][18]. A 2005 survey by Boyd and Choo revealed that the purported security of several published ID-based protocols is based on heurstic security arguments. A number of protocols were also found to be proven secure in a restricted model. This study highlighted the need for more rigorously tested identitybased protocols [19]. Surprisingly, we observed that despite the wide usage of the SM2 protocol among Chinese commercial applications/electronics, it does not have a security proof.
A protocol's goal is defined as the properties that the protocol aims to achieve. As Boyd and Mathuria suggested, any attack on a protocol is only valid if it violates some property that the protocol was intended to achieve [20]. Without identifying at an early stage the properties and/or goals that a protocol offers, one can debate the validity of attacks against a published protocol since it may not be clear whether the protocol is not intended to provide assurances against the properties being exploited [21]. This reinforced the importance of having a security proof for protocols, particularly those that are widely used by government agencies and in the private sector.
Our contributions in this paper are two-fold.
(1) We prove the SM2 protocol secure in the widely accepted indistinguishability-based model of Bellare and Rogaway under the ECDLP assumption.
(2) We propose a simplified version of SM2 protocol that is more efficient, and prove it secure in the Bellare-Rogaway model under the ECDLP assumption.
In the next section, we will briefly review the model that we work in. We revisit the SM2 protocol and prove it secure in Section 3. Section 4 describes our simplified SM2 protocol and its proof of security. Finally, the last section concludes the paper.

Overview of the Bellare-Rogaway Model
In the Bellare-Rogaway model [22,23], the adversary (denoted by A) controls the communication channel by interacting with a set of Π 1 , 2 oracles. Π 1 , 2 is defined to be the th instantiation of a protocol participant, 1 in a specific protocol run and 2 is the other protocol participant, with whom 1 wishes to establish a secret key. The predefined oracle queries are described informally as follows.
(i) The Send ( 1 , 2 , , ) query allows A to send a message to another protocol participant at will. In other words, (a) Π 1 , 2 , upon receiving the query, will compute what the protocol specification demands. The response message and/or decision will then be sent to A, (b) if Π 1 , 2 has either accepted with some session key or terminated, this will be made known to A.
(ii) The Reveal ( , ) query allows A to expose a previously accepted session key. In other words, , upon receiving this query and if it has accepted and holds some session key, will send this session key back to A.
(iii) The Corrupt ( ) query allows A to learn the complete internal state of . This models the real world scenario of a corrupted insider.
(iv) The Test ( 1 , 2 , ) query is the only oracle query that does not correspond to any of A's abilities. If Π 1 , 2 has accepted with some session key and is being asked a Test ( 1 , 2 , ) query; then depending on a randomly chosen bit , A is given either the actual session key or a session key drawn randomly from the session key distribution. (ii) only Π , and Π , (i.e., no other oracle) have accepted with the same session ID (i.e., SID, which is defined to be the concatenation of the message flows) and agreed on the same set of principals (i.e., the initiator and the responder of the protocol). The definition of security depends on the notions of partnership as outlined in Definition 1 and freshness as outlined in Definition 2 and is defined using the game G and played between A and a collection of Π , oracles for players , ∈ { 1 , . . . , } and instances ∈ {1, . . . , }. A runs the game simulation G, whose setting is as follows.
(i) Send, Reveal, and Corrupt oracle queries are sent by A in any order at will.
(ii) A chooses a fresh session on which to be tested by sending a Test query to the fresh oracle associated with the test session at some point during G. This chosen test session must be fresh (in the sense of Definition 2). Depending on a randomly chosen bit , A is given either the actual session key or a session key drawn randomly from the session key distribution.
(iii) A continues making any Send, Reveal, and Corrupt oracle queries of its choice.
The Scientific World Journal 3 (iv) A will eventually terminate G and outputs its guess of the value of , denoted as .
We measure A's success in G in terms of A's advantage in distinguishing whether A receives the real key or a random value (i.e., whether = ).
Let be a security parameter. Then, the advantage function of A is denoted by Adv A ( ), where (1) Definition 3 (Definition of Security). A protocol is secure in the Bellare-Rogaway model if both the following requirements are satisfied.
(1) Two oracles accept the same key when the protocol is run in the absence of a malicious adversary.

SM2 Key Exchange
Protocol. The notations used in SM2 protocol (Table 1) are as follows: (i) , : two SM2 protocol participants with identities ID and ID respectively, (1) client will now run the protocol as follows: to client ; (2) upon receiving the message from client , will perform the following: Sends to client (optional for key confirmation, will also send to ); (3) upon receiving the messages, (and ), from , client will perform the following: = , and if it returns true then is assured that actually has possession of the session key, otherwise, terminates the protocol run and outputs ⊥, (i) (optional for key confirmation, computes = (0 03‖ ‖ ( ‖ ‖ ‖ 1 ‖ 1 ‖ 2 ‖ 2 ))), (ii) Sends to client ; (4) (optional for key confirmation) upon receiving the message ( ) from client , client will perform the following: (a) computes 2 = (0 03‖ ‖ ( ‖ ‖ ‖ 1 ‖  The Scientific World Journal in the case where key confirmation is required. (d) otherwise, client is assured that actually has possession of the session key; (5) session key established is = , SID is ( ‖ ) or ( ‖ ‖ ‖ ) in the case where key confirmation is required.

Security Proof.
The security of the protocol-see Theorem 5-is based on the ECDLP assumption (see Definition 4) in the random oracle model.

Theorem 5. SM2 protocol is secure in the sense of Definition 3 when the underlying hash and key derivation schemes are modelled as random oracles and the elliptic curve discrete logarithm problem (ECDLP) assumption is satisfied in ( ).
The soundness requirement is trivial to verify. We will now concentrate on proving the indistinguishability requirement.
In the usual tradition of reductionist proofs, we assume that there exists an adversary A against the protocol (i.e., A has a nonnegligible advantage, ( ), where is the security parameter), and we then construct a solver S that makes use of A to solve the ECDLP problem. In other words, S will simulate the view of A by answering all Send, Reveal, Corrupt and Test queries of A. S will start by randomly selecting two users, and , and a session number, , as the test session. S will also manage two random oracles, and KDF, in order to answer A's queries. More specifically when the oracle is queried, S will check whether the tuple is already in the -list and output the stored response. Otherwise, S will respond with the appropriate output, (⋅ ⋅ ⋅ ), and adds the tuple ( (⋅ ⋅ ⋅ ), , ) to the -list. S will answer KDF queries in the same manner.
(i) Send (Ω , Ω , , ) queries: for any wellformed Send queries from A, S can trivially answer with the right output as the protocol specification demands. Specifically, S answers the query as follows.
(1) If S has rejected the message , then S will respond with ⊥. Otherwise, S will verify whether is the right format or not.
The Scientific World Journal

5
(2) If verifies correctly, then S will output messages ( , ) to A. Otherwise, S will abort the simulation and output ⊥.
(1) If S has rejected the messages , then S will respond with ⊥. Otherwise, S will verify whether is the right format or not.
(2) If verifies correctly, then S will output messages to A. Otherwise, S will abort the simulation and output ⊥.
(ii) Reveal (Ω, ) queries: if Ω = or Ω = , then S will abort the simulation and fail. Otherwise this query can be answered with the right session key as long as has accepted and neither Ω nor its partner has been corrupted. However, such a session will be rendered unfresh.
(iii) Corrupt (Ω) queries: this query can be easily answered as per the protocol specifications, unless Ω = or Ω = . In the latter scenario, S will abort the simulation and fail.
(iv) Test (Ω 1 , Ω 2 , , ) queries: if Π 1 , 2 ̸ = Π , , then S will abort the simulation and fail. Otherwise, S will check whether Π Ω 1 ,Ω 2 has accepted and that the session is fresh. If so, A will be given either the actual session key or a session key drawn randomly from the session key distribution, depending on the randomly chosen bit .
For A to distinguish whether the value returned is the actual session key or a session key drawn randomly from the session key distribution, A has to determine the correct values of = ( , ) or = ( , ) to compute the session key (since = KDF( ‖ ‖ ‖ , ) and = KDF( ‖ ‖ ‖ , )). For this to happen, (i) A has to guess the long-term private key and short-term private key in order to compute and hence, the session key .
There is, therefore, a negligible advantage of A distinguishing whether the value returned is the actual session key or a session key drawn randomly from the session key distribution.

A Provably-Secure Simplified SM2 Key Exchange Protocol
In this section, we propose a more efficient version of the SM2 protocol-see Table 2-and prove its security in the Bellare-Rogaway model. The Scientific World Journal in the case where key confirmation is required.
(2) upon receiving from , will perform the following: to (optionally for key confirmation, will also send to ); (3) upon receiving (and , optionally for key confirmation) from , will perform the following: = , and if it returns true, then is assured that actually has possession of the session key, otherwise, terminates the protocol run and outputs ⊥, (i) (optional for key confirmation) computes = (0 03‖ ‖ ( ‖ ‖ ‖ 1 ‖ 1 ‖ 2 ‖ 2 )), (ii) Send to client ; (4) (optional for key confirmation) upon receiving , will perform the following: if the verification returns wrong, then client terminates the protocol run and outputs ⊥. If it returns true, then is assured that actually has possession of the session key. Otherwise, terminates the protocol run and outputs ⊥; (5) session key established is = , (6) SID is ( ‖ ) or ( ‖ ‖ ‖ ) in the case where key confirmation is required.

Security Proof
Theorem 6. The simplified SM2 protocol (Table 2) is secure in the sense of Definition 3 when the underlying hash and key derivation schemes are modelled as random oracles and the ECDLP assumption is satisfied in ( ).
The proof process is similar to that of Section 3.2.
(i) Send (Ω , Ω , , ) queries: for any wellformed Send queries from A, S can trivially answer with the right output as the protocol specification demands. Specifically, S answers the query as follows.
(a) If Ω = initiator and Ω = responder, then the S will output the message, = , to the query. (b) Consider the case that Ω = initiator, Ω = responder, and messages = .
(1) If S has rejected the message , then S will respond with ⊥. Otherwise, S will verify whether is the right format or not.
The Scientific World Journal 7 (2) If verifies correctly, then S will output messages ( , ) to A. Otherwise, S will abort the simulation and output ⊥.
(1) If S has rejected the messages , then S will respond with ⊥. Otherwise, S will verify whether is the right format or not. (2) If verifies correctly, then S will output messages to A. Otherwise, S will abort the simulation and output ⊥.
Simulations for the Reveal, Corrupt and Test follow that of Section 3.2.
For A to distinguish whether the value returned is the actual session key or a session key drawn randomly from the session key distribution (i.e., whether = 0 or = 1), A has to determine the correct values of = ( , ) or = ( , ) (since = KDF( ‖ ‖ ‖ , ) and = KDF( ‖ ‖ ‖ , )). For this to happen, A has to obtain the correct value of ⋅ in order to compute and consequently, the session key . For A to obtain , A has to be able to compute from since = [ ] .
Let Succ ECDLP denote A's advantage in computing from , and we have Let Succ ECDLP denote A's advantage in computing from , and we have Pr [Succ ECDLP ] = 1 |D| .

Conclusion
Key exchange protocols are the cornerstone of any secure communication. By proving the widely used Chinese Government SM2 protocol secure in the Bellare-Rogaway model under the ECDLP assumption, we hope that this provides a strong assurance to protocol implementers that the protocol is behaving as desired. In addition, we presented a more efficient version of the SM2 protocol with a proof of security in the Bellare-Rogaway model under the ECDLP assumption. A comparison with six existing pairing-free protocols reveals that the computational load of our simplified SM2 protocol is no more than that of the six and the SM2 protocols, yet provides both implicit key confirmation ( is assured that can compute the session key) and explicit key confirmation ( is assured that has actually computed the session key)-see Table 3. In Table 3, , , , and ℎ denote addition, multiplication, exponentiation, and hash operations, respectively.