Leakage-Resilient Certificate-Based Authenticated Key Exchange Protocol

Certificate-based public key cryptography (CB-PKC) removes the certificate management problem of traditional public key systems and avoids the key escrow problem of identity-based public key systems. Many authenticated key exchange (AKE) protocols based on CB-PKC systems, called CB-AKE protocols, have been proposed for securing communications between two remote participants. However, these existing CB-AKE protocols become insecure under side channel attacks, since an attacker can compute the whole secret key from partial information about it leaked by such attacks. In this paper, our goal is to propose the first CB-AKE protocol that resists side channel attacks, called leakage-resilient CB-AKE (LR-CB-AKE). The proposed LR-CB-AKE protocol is formally proven secure in the generic bilinear group (GBG) model under the discrete logarithm (DL) and computational Diffie-Hellman (CDH) assumptions.


I. INTRODUCTION
Certificate-based public key cryptography (CB-PKC), proposed by Gentry [1], removes the certificate management problem of traditional public key systems and avoids the key escrow problem of identity-based public key systems. CB-PKC has two roles: the certificate authority (CA) and the users. Each user generates a user secret key and a partial public key, and transmits the partial public key to the CA. After receiving the user's partial public key, the CA creates a certificate and the other partial public key for the user. Therefore, in a CB-PKC system, each user's public key is generated jointly by the user and the CA, and her/his full private key comprises the user secret key and the certificate.
The first authenticated key exchange (AKE) protocol [2] based on CB-PKC systems, called the CB-AKE protocol, was proposed for securing communications between two remote participants. A common session key (CSK) is established by the two participants over an open (insecure) network; they may then use the CSK to encrypt data before transmitting it to each other, ensuring its confidentiality. Until now, several CB-AKE protocols [3], [4], [5], [6] have been proposed. However, none of them resists side channel attacks [7], [8]: they are insecure because an attacker can compute the whole secret key from partial information about it leaked through such attacks. To the best of our knowledge, there is no CB-AKE protocol that resists side channel attacks. Here, we propose the first CB-AKE protocol that does, called the leakage-resilient CB-AKE (LR-CB-AKE) protocol.

A. RELATED WORK
Traditional public key cryptography (PKC) has an inherent problem, namely the certificate management of a public-key infrastructure (PKI). Since a user's public key in a PKC system is an arbitrary string with no inherent meaning, a certificate is needed to bind the user's public key to her/his identity, so PKC needs a PKI to manage each user's certificate. Shamir [9] proposed the intuitive idea of using a user's identity (ID) as her/his public key. Following this idea, Boneh and Franklin [10] proposed the first practical ID-based encryption scheme, which has two roles: the private key generator (PKG) and the users. Each user's public key is her/his own identity, while her/his private key is produced by the PKG. Obviously, this creates a key escrow problem, in the sense that the PKG knows the private key of every user.
To eliminate the problems of both certificate management and key escrow at the same time, Gentry [1] proposed the certificate-based cryptography (CB-PKC) concept, in which the private key of each user is divided into two parts: one is selected by the user, and the other is the certificate generated by the CA.
AKE protocols [11], [12], [13], [14] establish a common session key (CSK) between two remote users for secure communication over open networks. Based on ID-based PKC (ID-PKC) systems, the first ID-AKE protocol was proposed by Smart [15]; however, it lacks forward secrecy. Shim [16] proposed a new ID-AKE protocol that provides forward secrecy and is more efficient. Subsequently, several ID-AKE protocols [17], [18], [19] were proposed to improve efficiency and security. To solve the key escrow problem, the first CB-AKE protocol was proposed by Wang and Cao [2]. However, Lim et al. [3] showed that Wang and Cao's protocol is insecure when ephemeral secret keys are leaked, and proposed a new CB-AKE protocol with improved security. Later, further CB-AKE protocols were published [4], [5], [6].
Indeed, none of the existing CB-AKE protocols resists side channel attacks [7], [8]. Through such attacks an attacker obtains partial information about the private key, and once the attack is repeated the attacker can reconstruct the full private key. To resist such attacks, many researchers have incorporated the leakage-resilient (LR) property into cryptographic protocols. Two LR-AKE protocols [20], [21] based on traditional PKC were proposed, but both become insecure when ephemeral secret keys are compromised. To improve security or efficiency, various other LR-AKE protocols have been published [22], [23]. Although these protocols achieve leakage resilience, they share a common disadvantage: the total number of leaked bits of the secret key over the whole system life cycle is bounded. To allow an unbounded total number of leaked bits, Alawatugoda et al. [24] proposed an unbounded LR-AKE protocol; however, its efficiency is unsatisfactory because the key update technique it employs [25] is time-consuming. The multiplicative blinding method [26], [27] was then employed to construct a new unbounded LR-AKE protocol [28] with more efficient key update.
To remove the use of certificates while retaining the leakage-resilient property, Elashry et al. [29] proposed the first LR-ID-AKE protocol. Unfortunately, both leakage and impersonation [30]. In fact, the limitation on the total number of leaked bits is also an important issue. A secure LR-ID-AKE protocol with bounded total leakage was proposed by Ruan et al. [31]. Afterwards, Wu et al. [32] proposed an unbounded LR-ID-AKE protocol, in which attackers can obtain some information about the secret key in every session of the system life cycle while the total number of leaked bits is unlimited.

B. MOTIVATION
Cryptography that resists side-channel attacks [7], [8] remains an active research topic. One limitation of the existing CB-AKE protocols [3], [4], [5], [6] is that their private keys must be completely hidden from adversaries; no partial disclosure is tolerated. As a result, these protocols can be broken by side-channel attacks. Table 1 compares the LR-ID-AKE protocols [31], [32], the CB-AKE protocols [5], [6] and our LR-CB-AKE protocol in terms of public key setting, avoidance of key escrow, resistance to side-channel attacks and the restriction on leaked information. Our goal is to propose the first LR-CB-AKE protocol, which avoids key escrow, resists side-channel attacks and tolerates unbounded total leakage.

C. CONTRIBUTIONS AND ORGANIZATIONS
Although unbounded LR-ID-AKE protocols avoid certificate management and are secure against leakage attacks, they inherit the key escrow problem. As mentioned earlier, the existing CB-AKE protocols remove both key escrow and certificate management, but none of them is secure against leakage of the secret key. Therefore, we propose the first leakage-resilient CB-AKE (LR-CB-AKE) protocol, with the following contributions.
- We formulate a new framework and security model for LR-CB-AKE protocols.
- Based on the new framework, a concrete LR-CB-AKE protocol is proposed.
- Under the new security model, the proposed LR-CB-AKE protocol is formally proven secure.
- Compared with previous LR-ID-AKE and CB-AKE protocols, our LR-CB-AKE protocol not only withstands side channel attacks but also eliminates the key escrow problem.
The rest of the article is organized as follows. Section II gives some preliminaries. The framework and security notions for LR-CB-AKE protocols are defined in Section III. A concrete LR-CB-AKE protocol is presented in Section IV. Section V proves the security of the LR-CB-AKE protocol. Section VI compares its performance with several existing LR-ID-AKE and CB-AKE protocols. Section VII concludes.

II. PRELIMINARIES

A. BILINEAR GROUPS
Assume that G_1 and G_2 are multiplicative cyclic groups of the same order p, for a large prime p. A map ê : G_1 × G_1 → G_2 is a bilinear map if it has the following three properties.

B. GENERIC BILINEAR GROUP (GBG) MODEL
In order to provide security proofs for cryptographic mechanisms, Boneh et al. [34] defined the generic bilinear group (GBG) model based on the generic group (GG) model [35]. In the GBG model, injective mapping functions encode group elements as bit-strings. Since we have the two groups G_1 and G_2 defined above, two injective mapping functions IMF_1 : Z_p^* → 𝔾_1 and IMF_2 : Z_p^* → 𝔾_2 are selected to perform the encoding, where 𝔾_1 and 𝔾_2 are the sets of bit-strings encoding the elements of G_1 and G_2, respectively; the element g^r of G_1 is represented by IMF_1(r). After encoding, the elements of both groups are handled only as bit-strings. We denote by |𝔾_1| and |𝔾_2| the cardinalities of 𝔾_1 and 𝔾_2, respectively; the two sets are disjoint. Next, to express multiplication in G_1 and G_2 and the computation of ê in the GBG model, we define three group operations as follows.
- GOP_1(IMF_1(r), IMF_1(s)) → IMF_1(r + s mod p), i.e. multiplication in G_1.
- GOP_2(IMF_2(r), IMF_2(s)) → IMF_2(r + s mod p), i.e. multiplication in G_2.
- GOP_p(IMF_1(r), IMF_1(s)) → IMF_2(r · s mod p), i.e. the pairing ê.

C. COMPLEXITY ASSUMPTIONS
Two well-known hard problems, the discrete logarithm (DL) problem and the computational Diffie-Hellman (CDH) problem, are used to define the two associated complexity assumptions as follows.
Definition 1 (DL assumption): In the DL problem, g and g^a in G_1 are given, but a ∈ Z_p^* is unknown. Assume that a probabilistic polynomial-time (PPT) adversary A tries to compute a. The advantage of A is defined as Adv_A = Pr[A(g, g^a) = a]. The DL assumption holds if Adv_A is negligible for every PPT adversary A.
Definition 2 (CDH assumption): In the CDH problem, g, g^a and g^b in G_1 are given, but a and b in Z_p^* are unknown. Assume that a probabilistic polynomial-time (PPT) adversary A tries to compute g^{ab}. The advantage of A is defined as Adv_A = Pr[A(g, g^a, g^b) = g^{ab}]. The CDH assumption holds if Adv_A is negligible for every PPT adversary A.

D. ENTROPY
Since a leakage-resilient scheme or protocol allows some information about the secret key to be leaked, the notion of entropy can be used to measure the security of the system after part of the secret key has been leaked. Let RV and CRV be two finite random variables; we state two types of min-entropy as follows.
1. The min-entropy of RV is .
In a computation round, either a single secret key or multiple secret keys may be involved. For the leakage of a single secret key, Lemma 1 [37] below is used to measure the security of the system; for the leakage of multiple secret keys, Lemma 2 [26] is used.
Lemma 1: Assume that K is a random variable (viewed as a single secret key involved in an algorithm) and that the maximal length of the information leaked about K is λ.
Lemma 2: Assume that K_1, K_2, ..., K_n are random variables (viewed as multiple secret keys involved in an algorithm), that F is a non-zero polynomial of degree at most d in these variables, and that at most λ bits of information about them are leaked. Then Pr[F(K_1 = k_1, K_2 = k_2, ..., K_n = k_n) = 0] ≤ (d/p) · 2^λ. From this inequality we obtain the following result.

III. FRAMEWORK AND SECURITY NOTIONS

A. FRAMEWORK
The framework of the LR-CB-AKE protocol includes two roles and six algorithms, as shown in Fig. 1. One role is the CA, who executes the System setup and User certificate generation algorithms; the other is the user, who performs the remaining four algorithms, namely User secret key generation, Key refreshment, Key agreement and Common session key derivation. For convenience, the notations used in these algorithms are summarized in Table 2. The six algorithms are defined as follows.
- Initialization:
• System setup: This algorithm is run by the CA, who obtains the system secret key SK from a security parameter. The CA then uses SK to produce the initial system secret key pair SKpair_0 = (SK_{0,1}, SK_{0,2}) and the public parameters PP.
• User secret key generation: This algorithm is run by a user with identity ID_ζ, who obtains her/his user secret key USK_ζ, the initial user secret key pair USKpair_{ζ,0} = (USK_{ζ,0,1}, USK_{ζ,0,2}) and the first public key FPK_ζ.
• User certificate generation: This algorithm is run by the CA in the i-th session. On input the user's identity ID_ζ and first public key FPK_ζ, the CA obtains the user's two certificates UCA_ζ and UCB_ζ and the corresponding second public key SPK_ζ. Meanwhile, the CA must use (SK_{i-1,1}, SK_{i-1,2}) to update the current system secret key pair SKpair_i = (SK_{i,1}, SK_{i,2}). The CA sends UCA_ζ, UCB_ζ and SPK_ζ to the user, who computes the two initial user certificate pairs UCApair_{ζ,0} = (UCA_{ζ,0,1}, UCA_{ζ,0,2}) and UCBpair_{ζ,0} = (UCB_{ζ,0,1}, UCB_{ζ,0,2}); the user's complete public key is (FPK_ζ, SPK_ζ).
- Construction of a common session key:
• Key refreshment: For the k-th session, this algorithm is run by the user with identity ID_ζ, who obtains the refreshed user secret key pair and user certificate pairs for that session.
• Key agreement: Two users U_ζ and U_η with identities ID_ζ and ID_η select ephemeral secret keys ESK_ζ = x and ESK_η = y in Z_p^* and compute X = g^x and Y = g^y, respectively. U_ζ sends X and her/his two public keys FPK_ζ and SPK_ζ to U_η, while U_η sends Y and her/his two public keys FPK_η and SPK_η to U_ζ. Then U_ζ and U_η respectively compute their session keys.
• Common session key derivation: This algorithm is run by U_ζ and U_η respectively to obtain the common session key CSK from the session keys.

B. SECURITY NOTIONS
In the past, the system secret key SK and the users' secret keys used to construct the CSK in CB-AKE protocols were not allowed to be leaked at all, since those systems had no leakage-resilience property. In contrast, an LR-CB-AKE protocol allows adversaries to obtain partial information about these keys. We employ four leakage functions f_{UCG,i}, h_{UCG,i}, f_{CSK,ζ,k} and h_{CSK,ζ,k} to describe what an adversary may learn. The first two, f_{UCG,i} and h_{UCG,i}, respectively take SK_{i,1} and SK_{i,2} as input in the i-th invocation of the User certificate generation algorithm and output leaked information about them. The last two, f_{CSK,ζ,k} and h_{CSK,ζ,k}, respectively take (USK_{ζ,k,1}, UCA_{ζ,k,1}, ESK_ζ) and (USK_{ζ,k,2}, UCA_{ζ,k,2}) as input in the k-th session of the user with identity ID_ζ during the session key construction phase and output leaked information about them. Notice that the output of each leakage function is at most λ bits long.
As in the CB-AKE protocols [5], [6] proposed in the past, there are two types of adversaries in our security model. A Type 1 adversary is an external attacker (not a system member) who can replace the public key of any user. A Type 2 adversary is a malicious CA who holds the system secret key but cannot replace the public key of any user. We adopt the leakage-resilience properties of [31], [32] and the security models of the CB-AKE protocols [5], [6] to define a new security model for LR-CB-AKE. The new model is an extension of the extended Canetti-Krawczyk (eCK) model of LaMacchia et al. [11]. The eCK model allows adversaries to compromise either the short-term secret key (ephemeral secret key) or the long-term secret key (user secret key and certificate) of a participant. The new security model retains the properties of the eCK model and additionally lets adversaries obtain leaked information about these secret keys through two leak queries, namely the user certificate generation leak query and the send leak query. Assume that a probabilistic polynomial-time (PPT) adversary A attempts to break an LR-CB-AKE protocol. A plays the following security game with a challenger B; the probability that A wins measures its success in breaking the protocol.
- Setup: The challenger B performs the System setup algorithm to generate the system secret key and the public parameters. B sends the public parameters to A and, if A is a Type 2 adversary, also gives A the system secret key.
- Query: A adaptively issues the following queries to B. Here Π^k_ζ denotes the oracle of the user with identity ID_ζ in the k-th session.
• Reveal (Π^k_ζ): On input the oracle Π^k_ζ, B gives A the common session key held by Π^k_ζ.
• User secret key generation (ID_ζ): On input a user's identity ID_ζ, B gives A the associated initial user secret key pair USKpair_{ζ,0} and the user's first public key FPK_ζ.
• User certificate generation (ID_ζ, FPK_ζ): On input a user's identity ID_ζ and first public key FPK_ζ, B gives A the associated user certificates UCA_ζ and UCB_ζ and the corresponding second public key SPK_ζ. This query may only be issued by a Type 1 adversary.
• Test (Π^k_ζ): On input the oracle Π^k_ζ, B flips a random coin ∈ {0, 1}. If coin = 1, B gives A the common session key held by Π^k_ζ; otherwise, B gives A a random value from the session key space. A then outputs a guess coin'. If coin' = coin, A wins the security game.
Finally, two security properties of the security game are defined below.
Definition 3 (Partnership): Let Π^k_ζ and Π^l_η denote the k-th session of the user with identity ID_ζ and the l-th session of the user with identity ID_η, respectively. When Π^k_ζ and Π^l_η authenticate each other and generate a common session key, we say that they are partners.
Definition 4 (Freshness): A common session key established by two oracles Π^k_ζ and Π^l_η is fresh if the following three conditions hold in the Query phase.
I. Neither Reveal (Π^k_ζ) nor Reveal (Π^l_η) is queried.
II. At least one of User secret key generation (ID_ζ), User certificate generation (ID_ζ, FPK_ζ) and Ephemeral secret key reveal (Π^k_ζ) is not queried.
III. At least one of User secret key generation (ID_η), User certificate generation (ID_η, FPK_η) and Ephemeral secret key reveal (Π^l_η) is not queried.

IV. LR-CB-AKE PROTOCOL
Our concrete protocol includes two phases, namely initialization and construction of a common session key. The initialization phase consists of three algorithms: System setup, User secret key generation and User certificate generation. The construction of a common session key also consists of three algorithms: Key refreshment, Key agreement and Common session key derivation.
- Initialization:
• System setup: To generate the system public parameters PP and the initial system secret key pair SKpair_0 for LR-CB-AKE, the CA takes as input a security parameter 1^κ and performs the following tasks.
(1) Generate two multiplicative cyclic groups G_1 and G_2 of large prime order p and construct an admissible bilinear map ê : G_1 × G_1 → G_2. Let g be a generator of G_1.
(2) Pick a random value s ∈ Z_p^*, and compute the system secret key SK = g^s and the system public key PK = ê(g^s, g).
• User secret key generation: In the i-th session, to generate the initial user secret key pair USKpair_{ζ,0} and the first public key FPK_ζ, the user U_ζ with identity ID_ζ performs the following tasks.
(1) Pick a random value u_ζ ∈ Z_p^* and compute the user secret key USK_ζ = h^{u_ζ}, where h = H(PK||T||V); here H, T and V are public parameters (Section V lists PP = {p, G_1, G_2, g, ê, PK, T, V, H}).
(2) Pick a random value c_i ∈ Z_p^* and set the initial user secret key pair USKpair_{ζ,0} = (USK_{ζ,0,1}, USK_{ζ,0,2}) = (g^{c_i}, USK_ζ · g^{-c_i}).
(3) Use the value u_ζ from (1) to set the user's first public key FPK_ζ = g^{u_ζ}.
In the same way, for the user ID_η, the initial user secret key pair USKpair_{η,0} = (USK_{η,0,1}, USK_{η,0,2}) = (g^{c_j}, USK_η · g^{-c_j}) is generated in the j-th session, together with the first public key FPK_η = g^{u_η}.
• User certificate generation: In the i-th session, on receiving the identity ID_ζ of user U_ζ and the associated first public key FPK_ζ, the CA generates the user's two certificates UCA_ζ and UCB_ζ and the user's second public key SPK_ζ as follows.
(2) Set b_ζ = ID_ζ||FPK_ζ and pick a random value β_ζ ∈ Z_p^*; the second public key is SPK_ζ = g^{β_ζ}. The two user certificates are produced as follows.
The CA sends the two user certificates UCA_ζ and UCB_ζ and the second public key SPK_ζ to the user. Notice that the user certificate UCA_ζ contains the system secret key SK. Afterwards, the user computes the two initial user certificate pairs UCApair_{ζ,0} = (g^{d_i}, UCA_ζ · g^{-d_i}) and UCBpair_{ζ,0} = (h^{d_i}, UCB_ζ · h^{-d_i}), where d_i ∈ Z_p^* is chosen at random and h = H(PK||T||V). In the same way, for the user U_η, the two initial user certificate pairs UCApair_{η,0} = (g^{d_j}, UCA_η · g^{-d_j}) and UCBpair_{η,0} = (h^{d_j}, UCB_η · h^{-d_j}) and the second public key SPK_η = g^{β_η} are generated in the j-th session.
- Construction of a common session key:
• Key refreshment: To refresh the user certificate pairs, the two users U_ζ and U_η respectively perform the following two tasks.
• Common session key derivation: The common session key is established by U_ζ and U_η as presented below. Fig. 2 shows that the common session key CSK_{ζ,k} computed by U_ζ equals the common session key CSK_{η,l} computed by U_η.
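The initial pairs above, (g^{c_i}, USK_ζ · g^{-c_i}) and (g^{d_i}, UCA_ζ · g^{-d_i}), are the multiplicative blinding of [26], [27]: a long-term key K is never stored or used as a single value, only as two halves whose product is K, and the Key refreshment step re-randomises both halves before every session (its two tasks are not reproduced on this page). The following Python is an added example, not code from the paper or its authors. It models G_1 by the prime-order subgroup of Z_p^* (a pairing is not needed for this point), assumes the refresh has the standard form (A · g^r, B · g^{-r}), and contrasts a static pair with a refreshed pair against a side channel that reveals λ bits of each half per session, which is exactly what the leakage functions of Section III-B permit.

```python
# Added example: multiplicative blinding of a long-term key into a refreshable
# pair. The group, the refresh formula and the side-channel model are assumptions.
import random

def _is_probable_prime(n, rounds=24):
    """Miller-Rabin with a fixed-seed base sequence, so results are reproducible."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    rng = random.Random(0)
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def find_safe_prime(bits):
    """Smallest safe prime p = 2q + 1 with q > 2**(bits-1); deterministic search."""
    q = (1 << (bits - 1)) | 1
    while not (_is_probable_prime(2 * q + 1) and _is_probable_prime(q)):
        q += 2
    return 2 * q + 1, q

# Stand-in for G_1 (assumption): the order-Q subgroup of Z_P^*, generated by G.
P, Q = find_safe_prime(128)
G = pow(2, 2, P)  # a square, hence of prime order Q
NBITS = P.bit_length()

def blind(key, rng):
    """Initial pair (g^c, key * g^-c): the product is `key`; each half alone is uniform."""
    c = rng.randrange(1, Q)
    return (pow(G, c, P), key * pow(G, -c, P) % P)

def refresh(pair, rng):
    """Key refreshment, assumed form (a*g^r, b*g^-r): new halves, same product."""
    a, b = pair
    r = rng.randrange(1, Q)
    return (a * pow(G, r, P) % P, b * pow(G, -r, P) % P)

def recombine(pair):
    """Only for checking; the protocol never puts the halves back together."""
    a, b = pair
    return a * b % P

def split_exp(pair, x):
    """Use the key as key^x without recombining it: a^x * b^x = (a*b)^x."""
    a, b = pair
    return pow(a, x, P) * pow(b, x, P) % P

def leak_window(value, session, lam):
    """Side-channel model: session k reveals bits [k*lam, (k+1)*lam) of a half,
    i.e. at most lam bits of each half per session, as the leakage functions allow."""
    return (value >> (session * lam)) & ((1 << lam) - 1)

def attack(key, lam, refresh_each_session, seed=1):
    """Adversary collects lam bits of each half per session, for enough sessions
    to cover every bit, then reassembles both halves and multiplies them."""
    rng = random.Random(seed)
    pair = blind(key, rng)
    sessions = -(-NBITS // lam)  # ceil(NBITS / lam)
    rec_a = rec_b = 0
    for k in range(sessions):
        if refresh_each_session and k > 0:
            pair = refresh(pair, rng)
        rec_a |= leak_window(pair[0], k, lam) << (k * lam)
        rec_b |= leak_window(pair[1], k, lam) << (k * lam)
    return rec_a * rec_b % P == key  # True iff the whole long-term key was recovered

def demo(seed=7, lam=16):
    """Sanity checks plus both attack outcomes for a random long-term key."""
    rng = random.Random(seed)
    key = pow(G, rng.randrange(1, Q), P)
    pair = blind(key, rng)
    return {
        "pair_recombines": recombine(pair) == key,
        "refresh_keeps_key": recombine(refresh(pair, rng)) == key,
        "split_exp_matches": split_exp(pair, 12345) == pow(key, 12345, P),
        "static_pair_recovered": attack(key, lam, refresh_each_session=False),
        "refreshed_pair_recovered": attack(key, lam, refresh_each_session=True),
    }
```

With λ = 16 and a 129-bit modulus, nine sessions of leakage suffice to reassemble a static pair and recover K, whereas the same nine windows taken from refreshed pairs come from nine unrelated pairs and recover nothing. Only the per-session bound λ matters, which is the sense in which the total leakage is unbounded; `pow(G, -c, P)` requires Python 3.8 or later.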

V. SECURITY ANALYSIS
One theorem and two lemmas are given in this section. The proof of the theorem uses the two lemmas to show that the proposed LR-CB-AKE protocol is secure in the GBG model under the DL and CDH assumptions.
Theorem 1: In the GBG model, the proposed LR-CB-AKE protocol is secure in the security game if the DL and CDH assumptions hold.
Proof: Assume that U_ζ and U_η are two participants in the proposed LR-CB-AKE protocol and that they are partners. We denote by Π^k_ζ the oracle of participant U_ζ in the k-th session and by Π^l_η the oracle of participant U_η in the l-th session; Π^k_ζ and Π^l_η are the two oracles of the partnered session, through which a session key is established. The session key, computed respectively by Π^k_ζ and Π^l_η, is composed of the user secret key, the user certificates and the ephemeral secret keys. As described in Section III-B, an adversary A tries to guess the correct session key in order to win the security game. During the security game, A may issue the User secret key generation query, the User certificate generation query and the Ephemeral secret key reveal query to obtain the user secret key, the user certificates and the ephemeral secret keys, respectively. According to the definition of freshness, nine circumstances arise, as discussed below.
Circumstance 1: Neither the ESK of Π^k_ζ nor that of Π^l_η can be obtained by A, but A is able to gain the USK and (UCA, UCB) of Π^k_ζ or Π^l_η.
... of Π^k_ζ nor the (UCA, UCB) of Π^l_η can be obtained by A, but A is able to gain the other keys of Π^k_ζ or Π^l_η.
Circumstance 8: Neither the (UCA, UCB) of Π^k_ζ nor the ESK of Π^l_η can be obtained by A, but A is able to gain the other keys of Π^k_ζ or Π^l_η.
Circumstance 9: Neither the (UCA, UCB) of Π^k_ζ nor the USK of Π^l_η can be obtained by A, but A is able to gain the other keys of Π^k_ζ or Π^l_η.
For the above circumstances, Lemmas 3 and 4 provide the security analysis. Based on the two lemmas, the proposed LR-CB-AKE protocol is secure in the security game.
Lemma 3: Under Circumstance 1, the proposed LR-CB-AKE protocol is secure in the GBG model if the CDH assumption holds.
Proof: Circumstance 1 allows A to gain the USK and (UCA, UCB) of Π^k_ζ or Π^l_η. From these keys, K_{ζ,k,i} (= K_{η,l,i}) for i = 2, 3, ..., 9 can be computed. However, in Circumstance 1 neither the ephemeral secret key x of Π^k_ζ nor the ephemeral secret key y of Π^l_η can be obtained by A, and under the CDH assumption A cannot compute g^{xy} (= K_{ζ,k,1} = K_{η,l,1}) from the two transmitted values X = g^x and Y = g^y. Since the session key is composed of all nine keys K_{ζ,k,i} (i = 1, 2, ..., 9), A cannot compute it for lack of K_{ζ,k,1}. Although A cannot obtain K_{ζ,k,1} directly, it may learn some leaked information about ESK = x or y through the Send leak query. However, the leaked information obtained in each session is independent, since x and y are freshly chosen at random in every session, so it does not help A to compute K_{ζ,k,1} or K_{η,l,1}. Under the CDH assumption, A's probability of winning the security game is therefore negligible.
Lemma 4: Under Circumstances 2 to 9, the proposed LR-CB-AKE protocol is secure in the GBG model if the DL assumption holds.
Proof: The GBG model supports the analysis of secret key leakage by representing each group element as a distinct bit-string. As described in Section II-B, multiplication in G_1 and G_2 and the computation of ê are expressed in the GBG model by the three group operations GOP_1, GOP_2 and GOP_p, which are provided by an algorithm B. In the security game, the adversary A may query these three group operations. The algorithm B, which attempts to solve the DL problem, plays the role of the challenger and interacts with A in the following security game.
- Setup phase: The challenger B performs the System setup algorithm to obtain the system secret key SK and the public parameters PP = {p, G_1, G_2, g, ê, PK, T, V, H} of the LR-CB-AKE protocol, where p, G_1 and G_2 are as defined in Section II, and g, PK, T, V and H are encoded as the associated bit-strings. B sends the public parameters to A and, if A is a Type 2 adversary, also gives A the system secret key. To record A's queries, including inputs and outputs, B maintains five lists L_1, L_2, L_USK, L_UC and L_S as follows. Notice that all five lists store polynomial representations, since Lemma 2 is used to complete the security analysis.
• L_1 and L_2 record, respectively, the polynomial representations of the elements of G_1 and G_2 together with the corresponding bit-strings obtained after transformation.
The following two transformations, TF-1 and TF-2, assist B in answering A's queries about L_1/L_2.
I. TF-1: When A's query is a polynomial PG_{1,m,n,r}/PG_{2,m,n,r}, B uses TF-1 to search L_1/L_2. If it is found, the corresponding bit-string BG_{1,m,n,r}/BG_{2,m,n,r} is returned; otherwise, a random bit-string is selected as BG_{1,m,n,r}/BG_{2,m,n,r} and returned, and B adds (PG_{1,m,n,r}, BG_{1,m,n,r})/(PG_{2,m,n,r}, BG_{2,m,n,r}) to L_1/L_2.
II. TF-2: When A's query is a bit-string BG_{1,m,n,r}/BG_{2,m,n,r}, B uses TF-2 to search L_1/L_2. If it is found, the corresponding polynomial PG_{1,m,n,r}/PG_{2,m,n,r} is returned; otherwise, B returns ⊥.
Here ID_ζ is the identity of a user U_ζ, and PFPK_ζ, PUCA_ζ, PUCB_ζ and PSPK_ζ are the multivariate polynomials of the user's first public key FPK_ζ, the two user certificates UCA_ζ and UCB_ζ, and the user's second public key SPK_ζ, respectively.
Π^k_ζ is the oracle of participant U_ζ in the k-th session; the remaining items are the communication details of Π^k_ζ, defined as follows.
BPN_{ζ,k}: the identity of U_ζ's partner in the k-th session. BPNFPK_{ζ,k}: the first public key of U_ζ's partner in the k-th session. BPNSPK_{ζ,k}: the second public key of U_ζ's partner in the k-th session.
- Query phase: This phase allows A to make the following queries.
• User secret key generation query (ID_ζ): B looks up ID_ζ in L_USK. If ID_ζ exists in L_USK, B transforms (PUSK_ζ, PFPK_ζ) into (BUSK_ζ, BFPK_ζ) using TF-1 and sends (BUSK_ζ, BFPK_ζ) to A. If ID_ζ does not exist in L_USK, B proceeds with the following steps.
• User certificate generation leak query (ID_ζ, FPK_ζ, f_{UCG,i}, h_{UCG,i}): B takes ID_ζ, FPK_ζ, f_{UCG,i} and h_{UCG,i} as input and returns f_{UCG,i}(SK_{i,1}) and h_{UCG,i}(SK_{i,2}).
• Replace public key (ID_ζ, BFPK_ζ, BSPK_ζ): B first transforms BFPK_ζ and BSPK_ζ into PFPK_ζ and PSPK_ζ using TF-2, and then uses PFPK_ζ and PSPK_ζ to update the lists L_USK and L_UC.
• Ephemeral-secret-corrupt (Π^k_ζ): B looks up Π^k_ζ in L_S and returns ESK_{ζ,k} if Π^k_ζ exists in L_S. Otherwise, B returns "false".
... ∈ Z_p^* is an ephemeral secret key chosen at random. B transforms PTM_{ζ,k} into BTM_{ζ,k} using TF-1 and sends it to A.
• Reveal query (Π^k_ζ): B takes Π^k_ζ as input and returns the session key by performing the following steps. Use Π^k_ζ to find BPN_{ζ,k} in L_S. Transform BPN_{ζ,k} into PPN_{ζ,k} using TF-2. Use BPN_{ζ,k} to find the partner's public keys PPNFPK_ζ in L_USK and PPNSPK_ζ in L_UC. Obtain the corresponding user secret key PUSK_ζ from L_USK and the user certificates (PUCA_ζ, PUCB_ζ) from L_UC using the identity ID_ζ of Π^k_ζ.
Next, we split the analysis of A's advantage of winning the security game in Case 2 into three events.
(1) Event_SK denotes the event that A can gain SK by using
In Case 1, the advantage of winning the security game is Adv_{A-C1} ≤ 600q^2/p = O(q^2/p). Since the leaked information about USK or ESK is at most 2λ bits, we have
Hence, when λ < log p − ω(log log p), by Corollary 1, Adv_A is negligible.
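The bookkeeping above (lists L_1 and L_2 of polynomial/bit-string pairs, TF-1, TF-2 and the group-operation oracles GOP_1, GOP_2, GOP_p) is the standard way a generic-bilinear-group proof lets B answer A's queries without knowing the secrets: every group element A ever sees is a random bit-string whose meaning B tracks as a polynomial in the unknowns, and the simulation deviates from a real group only when two distinct polynomials happen to agree at the real secret values, which is the event Lemma 2 bounds by d/p (times 2^λ once leakage is accounted for). The following Python is an added toy simulator of that technique, not the paper's own code: the class and method names, the 61-bit prime standing in for p, the 64-bit encodings and the sample queries are assumptions, and it does not model the protocol-specific lists L_USK, L_UC and L_S.

```python
# Added example (not the paper's code): a toy generic-bilinear-group simulator
# of the kind the challenger B runs in the proof of Lemma 4. Names, the prime
# P and the 8-byte encoding length are assumptions made for this illustration.
import secrets
from collections import defaultdict

P = 2**61 - 1  # prime standing in for the group order p

class Poly:
    """Polynomial over Z_P as {monomial: coeff}; a monomial is a sorted tuple of
    variable names, e.g. ('s', 'u') for s*u and () for the constant term."""
    def __init__(self, terms=None):
        self.terms = {m: c % P for m, c in (terms or {}).items() if c % P}
    @classmethod
    def var(cls, name):
        return cls({(name,): 1})
    @classmethod
    def const(cls, c):
        return cls({(): c})
    def __add__(self, other):
        t = defaultdict(int, self.terms)
        for m, c in other.terms.items():
            t[m] += c
        return Poly(t)
    def __mul__(self, other):
        t = defaultdict(int)
        for m1, c1 in self.terms.items():
            for m2, c2 in other.terms.items():
                t[tuple(sorted(m1 + m2))] += c1 * c2
        return Poly(t)
    def key(self):
        return tuple(sorted(self.terms.items()))
    def degree(self):
        return max((len(m) for m in self.terms), default=0)
    def eval(self, assignment):
        """Value at the real secrets; B uses it only to detect simulation failure."""
        total = 0
        for m, c in self.terms.items():
            for name in m:
                c = c * assignment[name] % P
            total = (total + c) % P
        return total

class GBGSimulator:
    """Challenger B's lists L1 (group 1 = G_1) and L2 (group 2 = G_2)."""
    def __init__(self, nbytes=8):
        self.nbytes = nbytes
        self.lists = {1: ({}, {}), 2: ({}, {})}  # group -> (poly key->bits, bits->Poly)
    def tf1(self, group, poly):
        """TF-1: polynomial -> bit-string; a new polynomial gets a fresh random string."""
        fwd, bwd = self.lists[group]
        k = poly.key()
        if k not in fwd:
            bits = secrets.token_bytes(self.nbytes)
            while bits in bwd:  # keep the encoding injective
                bits = secrets.token_bytes(self.nbytes)
            fwd[k], bwd[bits] = bits, poly
        return fwd[k]
    def tf2(self, group, bits):
        """TF-2: bit-string -> polynomial, or None (the paper's ⊥) if A made it up."""
        return self.lists[group][1].get(bits)
    def _op(self, g_in, g_out, a, b, combine):
        pa, pb = self.tf2(g_in, a), self.tf2(g_in, b)
        if pa is None or pb is None:
            return None
        return self.tf1(g_out, combine(pa, pb))
    def gop1(self, a, b):  # multiplication in G_1: exponent polynomials add
        return self._op(1, 1, a, b, lambda x, y: x + y)
    def gop2(self, a, b):  # multiplication in G_2
        return self._op(2, 2, a, b, lambda x, y: x + y)
    def gopp(self, a, b):  # pairing: exponent polynomials multiply, result in G_2
        return self._op(1, 2, a, b, lambda x, y: x * y)
    def simulation_fails(self, assignment):
        """Perfect unless two distinct polynomials in one list agree at the real secrets."""
        for group in (1, 2):
            seen = {}
            for poly in self.lists[group][1].values():
                v = poly.eval(assignment)
                if v in seen and seen[v].key() != poly.key():
                    return True
                seen[v] = poly
        return False

def run_session():
    """Give A the encodings of g, g^s, g^u, g^x, let A combine them, report what B sees."""
    sim = GBGSimulator()
    g, gs, gu, gx = (sim.tf1(1, Poly.const(1)), sim.tf1(1, Poly.var("s")),
                     sim.tf1(1, Poly.var("u")), sim.tf1(1, Poly.var("x")))
    g_su = sim.gop1(gs, gu)                        # g^(s+u)
    pk = sim.gopp(gs, g)                           # e(g^s, g) = e(g, g)^s, i.e. PK
    pk2 = sim.gop2(pk, pk)                         # e(g, g)^(2s)
    e_ux = sim.gopp(gu, gx)                        # e(g, g)^(ux): degree 2
    forged = sim.gopp(gs, secrets.token_bytes(8))  # a string B never issued
    return {
        "sum_is_s_plus_u": sim.tf2(1, g_su).key() == (Poly.var("s") + Poly.var("u")).key(),
        "pk_poly_is_s": sim.tf2(2, pk).key() == Poly.var("s").key(),
        "pk2_coeff": sim.tf2(2, pk2).terms[("s",)],
        "pairing_degree": sim.tf2(2, e_ux).degree(),
        "forged_input_rejected": forged is None,
        "fails_at_real_secrets": sim.simulation_fails({n: secrets.randbelow(P) for n in "sux"}),
    }
```

The degree reported for the pairing output is the d of Lemma 2: products of two degree-1 exponents land in L_2 with degree 2, which is why the failure bound in the text is of the order q^2/p for q queries. The forged-string case is the TF-2 branch returning ⊥: an adversary cannot feed B a group element it was never given.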

VI. PERFORMANCE ANALYSIS AND COMPARISONS
We compare the performance and properties of our LR-CB-AKE protocol with the LR-ID-AKE protocol [32] and the CB-AKE protocol [6]. For the performance analysis, two notations are defined to benchmark the computational cost of system setup, user secret key extraction and session key construction.
• T_pair: the time required for a bilinear pairing operation ê : G_1 × G_1 → G_2.
• T_exp: the time required for an exponentiation in G_1 or G_2.
According to the simulation results in [38], T_pair = 7.8351 ms and T_exp = 0.4746 ms, as shown in Table 3. These results were obtained on an Intel Core i7-8550U CPU at 1.80 GHz, using as simulation parameters a finite field F_p with a 256-bit prime p and groups G_1 and G_2 of 224-bit prime order over F_p. Table 4 compares our LR-CB-AKE protocol with the existing LR-ID-AKE [32] and CB-AKE [6] protocols in terms of computational cost and security properties. The CB-AKE protocol [6] clearly has the lowest computational cost; however, it cannot withstand side-channel attacks: once part of the system secret key is leaked, an adversary can recover the full system secret key and break the system. On the other hand, although the LR-ID-AKE protocol [32] withstands side-channel attacks, it has an inherent key escrow problem: the PKG holds each user's private key and can therefore sign or decrypt on any user's behalf. Our LR-CB-AKE protocol both withstands side-channel attacks and eliminates the key escrow problem.

VII. CONCLUSION
In this article, we proposed the first LR-CB-AKE protocol, which resists side channel attacks. We defined the framework of LR-CB-AKE protocols and combined the leakage-resilience properties and the security models of existing CB-AKE protocols into a new security model for LR-CB-AKE protocols. The proposed protocol was formally proven secure in the GBG model under the CDH and DL assumptions. Compared with previous LR-ID-AKE and CB-AKE protocols, our LR-CB-AKE protocol not only withstands side-channel attacks but also eliminates the key escrow problem.