Provably-Secure (Chinese Government) SM2 and Simplified SM2 Key Exchange Protocols

Abstract

We revisit the SM2 protocol, which is widely used in Chinese commercial applications and by Chinese government agencies. Although it is by now standard practice for protocol designers to provide security proofs in widely accepted security models in order to assure protocol implementers of their security properties, the SM2 protocol does not have a proof of security. In this paper, we prove the security of the SM2 protocol in the widely accepted indistinguishability-based Bellare-Rogaway model under the elliptic curve discrete logarithm problem (ECDLP) assumption. We also present a simplified and more efficient version of the SM2 protocol with an accompanying security proof.

1. Introduction

Due to the potential of elliptic curve cryptography (ECC) to offer similar security to established public-key cryptosystems at reduced key sizes, it has become a subject of research focus. For example, we observe an emerging trend in the use of identity-based (ID-based) cryptography, such as ID-based key agreement protocols using pairings. The latter include ID-based authenticated key agreement (ID-AKA) protocol. ID-AKA protocols (as well as other key establishment protocols such as [1–4]) allow a shared secret key to be established between two or more parties for subsequent cryptographic use. The first two-party ID-AKA protocol was proposed by Shamir, which is based on Weil Pairing [5]. Shamir's protocol requires a trusted key generation center (KGC). Challenges associated with KGC are well documented, and Alriyami and Paterson proposed the first certificateless two-party authenticated key agreement (CTAKA) protocol that does not require a KGC [6]. Since then, a number of CTAKA protocols have been proposed in the literature [7–9]. Most of these CTAKA protocols are, however, based on bilinear pairings. The latter is expensive, especially in comparison to RSA algorithm [10, 11].

A number of recently published certificateless ECC-based AKA protocols that do not require the use of pairings have been proposed. For example, in 2007, Zhu et al. proposed a pairing-free ID-AKA protocol [12]. However, the combination of a pairing-free ID-based signature scheme with the Diffie-Hellman key exchange in the proposed protocol results in larger computation complexity and message size. In addition, the protocol and the ECC-based pairing-free ID-AKA protocol of Cao et al. [13] require three rounds of message exchanges. Another later protocol of Cao et al. reduces the minimum message exchange rounds to two and the protocol was proven secure in the Bellare-Rogaway model [10]. He et al. also independently proposed a two-round certificateless ID-AKA protocol without the use of pairings [14] and a three-round certificateless ID-AKA protocol without the use of pairings [2], respectively.

In 2011, the Chinese government published an ECC-based key exchange protocol, SM2 [15]. According to the official report from the Chinese Government State Cryptography Administration and various media releases, SM2 protocol is mandatory in various cryptographic applications used by Chinese government agencies from 1st July, 2011 [16–18]. A 2005 survey by Boyd and Choo revealed that the purported security of several published ID-based protocols is based on heurstic security arguments. A number of protocols were also found to be proven secure in a restricted model. This study highlighted the need for more rigorously tested identity-based protocols [19]. Surprisingly, we observed that despite the wide usage of the SM2 protocol among Chinese commercial applications/electronics, it does not have a security proof.

A protocol's goal is defined as the properties that the protocol aims to achieve. As Boyd and Mathuria suggested, any attack on a protocol is only valid if it violates some property that the protocol was intended to achieve [20]. Without identifying at an early stage the properties and/or goals that a protocol offers, one can debate the validity of attacks against a published protocol since it may not be clear whether the protocol is not intended to provide assurances against the properties being exploited [21]. This reinforced the importance of having a security proof for protocols, particularly those that are widely used by government agencies and in the private sector.

Our contributions in this paper are two-fold.

1. We prove the SM2 protocol secure in the widely accepted indistinguishability-based model of Bellare and Rogaway under the ECDLP assumption.

2. We propose a simplified version of SM2 protocol that is more efficient, and prove it secure in the Bellare-Rogaway model under the ECDLP assumption.

In the next section, we will briefly review the model that we work in. We revisit the SM2 protocol and prove it secure in Section 3. Section 4 describes our simplified SM2 protocol and its proof of security. Finally, the last section concludes the paper.

2. Overview of the Bellare-Rogaway Model

In the Bellare-Rogaway model [22, 23], the adversary (denoted by A) controls the communication channel by interacting with a set of Π_U1,U2 ⁱ oracles. Π_U1,U2 ⁱ is defined to be the ith instantiation of a protocol participant, U ₁ in a specific protocol run and U ₂ is the other protocol participant, with whom U ₁ wishes to establish a secret key. The predefined oracle queries are described informally as follows.

1. The Send  (U ₁, U ₂, i, m) query allows A to send a message m to another protocol participant at will. In other words,

   1. Π_U1,U2 ⁱ, upon receiving the query, will compute what the protocol specification demands. The response message and/or decision will then be sent to A,
   2. if Π_U1,U2 ⁱ has either accepted with some session key or terminated, this will be made known to A.

2. The Reveal  (U, i) query allows A to expose a previously accepted session key. In other words, U ⁱ, upon receiving this query and if it has accepted and holds some session key, will send this session key back to A.

3. The Corrupt  (U) query allows A to learn the complete internal state of U. This models the real world scenario of a corrupted insider.

4. The Test  (U ₁, U ₂, i) query is the only oracle query that does not correspond to any of A's abilities. If Π_U1,U2 ⁱ has accepted with some session key and is being asked a Test  (U ₁, U ₂, i) query; then depending on a randomly chosen bit b, A is given either the actual session key or a session key drawn randomly from the session key distribution.

Definition 1 (Definition of Partnership). —

Let us denote Π_A,B ⁱ and Π_B,A ^j as two oracles in the protocol run. These two oracles are considered partners if and only if

1. both Π_A,B ⁱ and Π_B,A ^j have accepted the same session key,

2. only Π_A,B ⁱ and Π_B,A ^j (i.e., no other oracle) have accepted with the same session ID (i.e., SID, which is defined to be the concatenation of the message flows) and agreed on the same set of principals (i.e., the initiator and the responder of the protocol).

Definition 2 (Definition of Freshness). —

Oracle Π_A,B ⁱ holds a fresh session key at the end of execution, if and only if all the following conditions are satisfied:

1. Π_A,B ⁱ has accepted with, or without, a partner oracle Π_B,A ^j,

2. Π_A,B ⁱ and Π_B,A ^j (if such a partner oracle exists) has/have not been sent a  Reveal  query,

3. both A and B (if such a partner exists) has/have not been sent a  Corrupt  query.

The definition of security depends on the notions of partnership as outlined in Definition 1 and freshness as outlined in Definition 2 and is defined using the game G and played between A and a collection of Π_Ux,Uy ⁱ oracles for players U _x, U _y ∈ {U ₁,…, U _Np} and instances i ∈ {1,…, N _s}. A runs the game simulation G, whose setting is as follows.

1. Send,   Reveal, and Corrupt  oracle queries are sent by A in any order at will.

2. A chooses a fresh session on which to be tested by sending a  Test  query to the fresh oracle associated with the test session at some point during G. This chosen test session must be fresh (in the sense of Definition 2). Depending on a randomly chosen bit b, A is given either the actual session key or a session key drawn randomly from the session key distribution.

3. A continues making any  Send,  Reveal, and  Corrupt  oracle queries of its choice.

4. A will eventually terminate G and outputs its guess of the value of b, denoted as b′.

We measure A's success in G in terms of A's advantage in distinguishing whether A receives the real key or a random value (i.e., whether b′ = b).

Let k be a security parameter. Then, the advantage function of A is denoted by  Adv^A(k), where

$$\begin{array}{c}\mathsf{A}\mathsf{d}{\mathsf{v}}^{\mathcal{A}}\left(k\right)=\mathrm{2}\times \mathsf{P}\mathsf{r}[b^{\prime }=b]-\mathrm{1}.\end{array}$$ (1)

Definition 3 (Definition of Security). —

A protocol is secure in the Bellare-Rogaway model if both the following requirements are satisfied.

1. Two oracles accept the same key when the protocol is run in the absence of a malicious adversary.

2. For all probabilistic, polynomial-time (PPT) adversaries  A, Adv^A(k) is negligible.

3. A Provably-Secure SM2 Key Exchange Protocol

3.1. SM2 Key Exchange Protocol

The notations used in SM2 protocol (Table 1) are as follows:

1. A, B: two SM2 protocol participants with identities ID_A and ID_B respectively,

2. a, b: a, b ∈ f _q: the parameters of the elliptic curve E on F _q where elliptic function is y ² = x ³ + ax + b,

3. F _q: the prime field F includes q elements,

4. E(F _q): the set of all points on the elliptic curve E defined over F _q,

5. G: the base point of elliptic curve, order of G is prime number that G = (x _G, y _G),

6. h: cofactor, h = #E(F _q)/n, n is the order of G,

7. D: the space of number that D = [1, n − 1],

8. (d, P): long-term private and public key pair,

9. K: session key,

10. ID: identification of client,

11. Z: hash value of identification, the length of Z is entlen _A bits,

12. H _v(): one-way hash function,

13. (r, R): temporary private and public key pair,

14. klen and entlen: the bit length of the key and ID, respectively,

15. KDF(Z, klen): the one-way key derivation hash function whose output length is klen,

16. x||y: concatenation of two strings x and y,

17. ⊥: there is no message or the value is not known.

Table 1.

SM2 key exchange protocol.

A	B
d A, E(F q), G, n, Z A, Z B, P A, P B, H(), KDF(), G	d B, E(F q), G, n, Z A, Z B, P A, P B, H(), KDF(), G
Randomly selects r A ∈ [1, n − 1]	Randomly selects r B ∈ [1, n − 1]
Computes R A = [r A]G = (x 1, y 1)	Computes R B = [r B]G = (x 2, y 2)
Computes $\overline{x_{\mathrm{1}}}={\mathrm{2}}^w+(x_{\mathrm{1}}\&({\mathrm{2}}^w-\mathrm{1}))$	Computes $\overline{x_{\mathrm{2}}}={\mathrm{2}}^w+(x_{\mathrm{2}}\&({\mathrm{2}}^w-\mathrm{1}))$
Computes $t_A=(d_A+\overline{x_{\mathrm{1}}}·r_A)\mathrm{mod}n$	Computes $t_B=(d_B+\overline{x_{\mathrm{2}}}·r_B)\mathrm{mod}n$
$\stackrel{R_A}{\to }$
	Computes $\overline{x_{\mathrm{1}}}={\mathrm{2}}^w+(x_{\mathrm{1}}\&({\mathrm{2}}^w-\mathrm{1}))$
	Computes $V=[h·t_B](P_A+[\overline{x_{\mathrm{1}}}]R_A)=(x_V,y_V)$
	Computes K B = KDF(x V||y V||Z A||Z B, klen)
	Computes S B = H(0x02||y V||H(x V||Z A||Z B||x 1||y 1||x 2||y 2))
$\stackrel{R_B,S_B}{\leftarrow }$
Computes $\overline{x_{\mathrm{2}}}={\mathrm{2}}^w+(x_{\mathrm{2}}\&({\mathrm{2}}^w-\mathrm{1}))$
Computes $U=[h·t_A](P_B+[\overline{x_{\mathrm{2}}}]R_B)=(x_U,y_U)$
Computes K A = KDF(x U||y U||Z A||Z B, klen)
Computes S 1 = H(0x02||y U||H(x U||Z A||Z B||x 1||y 1||x 2||y 2))
Verifies $S_{\mathrm{1}}\stackrel{?}{=}{S}_B$
Computes S A = H(0x03||y U||H(x U||Z A||Z B||x 1||y 1||x 2||y 2))
$\stackrel{S_A}{\to }$
	Computes S 2 = H(0x03||y V||H(x V||Z A||Z B||x 1||y 1||x 2||y 2))
	Verifies $S_{\mathrm{2}}\stackrel{?}{=}{S}_A$
Key established K A = K B	Key established K B = K A
SID is (R A||R B) or (R A||R B||S B||S A) in the case where key confirmation is required.

A randomly selects d _A ∈ [1, n − 1] and computes P _A = [d _A]G = (x _A, y _A), prior to sending P _A to B. B will also randomly select d _B ∈ [1, n − 1] and compute P _B = [d _B]G = (x _B, y _B), before sending P _B to A. The public parameters are (E(Fq), G, n, Z _A, Z _B, P _A, P _B). And Z _A and Z _B are hash values of the identification of A and B, respectively, where Z _A = H(ENTL _A||ID_A||a||b||x _G||y _G||x _A||y _A) and Z _B = H(ENTL _B||ID_B||a||b||x _G||y _G||x _B||y _B). To establish a session key with client B,

1. client A will now run the protocol as follows:

   1. randomly selects r _A ∈ [1, n − 1],
   2. computes R _A = [r _A]G = (x ₁, y ₁) and $\overline{x_{\mathrm{1}}}={\mathrm{2}}^w+(x_{\mathrm{1}}\&({\mathrm{2}}^w-\mathrm{1}))$ where w = ⌈(⌈log⁡₂(n)⌉/2)⌉ − 1,
   3. computes $t_A=(d_A+\overline{x_{\mathrm{1}}}·r_A)\mathrm{mod}n$,
   4. sends R _A to client B;

2. upon receiving the message R _A from client A, B will perform the following:

   1. randomly selects r _B ∈ [1, n − 1],
   2. computes R _B = [r _B]G = (x ₂, y ₂), $\overline{x_{\mathrm{2}}}={\mathrm{2}}^w+(x_{\mathrm{2}}\&({\mathrm{2}}^w-\mathrm{1}))$, t _B = $(d_B+\overline{x_{\mathrm{2}}}·r_B)\mathrm{mod}n$, $V=[h·t_B](P_A+[\overline{x_{\mathrm{1}}}]R_A)=(x_V,y_V)$ and K _B = KDF(x _V||y _V||Z _A||Z _B, klen),
   3. (optional for key confirmation) computes S _B = H(0x02||y _V||H(x _V||Z _A||Z _B||x ₁||y ₁||x ₂||y ₂)),
   4. Sends R _B to client A (optional for key confirmation, B will also send S _B to A);

3. upon receiving the messages, R _B (and S _B), from B, client A will perform the following:

   1. computes $\overline{x_{\mathrm{2}}}={\mathrm{2}}^w+(x_{\mathrm{2}}\&({\mathrm{2}}^w-\mathrm{1}))$, U = $[h·t_A](P_B+[\overline{x_{\mathrm{2}}}]R_B)$ = (x _U, y _U) and K _A = KDF(x _U||y _U||Z _A||Z _B, klen),
   2. (optional for key confirmation) computes S ₁ = H(0x02||y _U||H(x _U||Z _A||Z _B||x ₁||y ₁||x ₂||y ₂)),
   3. verifies $S_{\mathrm{1}}\stackrel{?}{=}{S}_B$, and if it returns true then A is assured that B actually has possession of the session key, otherwise, terminates the protocol run and outputs ⊥,
      1. (optional for key confirmation, computes S _A = H(0x03||y _U||H(x _U||Z _A||Z _B||x ₁||y ₁||x ₂||y ₂))),
      2. Sends S _A to client B;

4. (optional for key confirmation) upon receiving the message (S _A) from client A, client B will perform the following:

   1. computes S ₂ = H(0x03||y _V||H(x _V||Z _A||Z _B||x ₁||y ₁||x ₂||y ₂)),
   2. verifies whether $S_A\stackrel{?}{=}{S}_{\mathrm{2}}$,
   3. if the verification returns wrong, then client B terminates the protocol run and outputs ⊥,
   4. otherwise, client B is assured that A actually has possession of the session key;

5. session key established is K _A = K _B,

6. SID is (R _A||R _B) or (R _A||R _B||S _B||S _A) in the case where key confirmation is required.

3.2. Security Proof

The security of the protocol—see Theorem 5—is based on the ECDLP assumption (see Definition 4) in the random oracle model.

Definition 4 (ECDLP Assumption). —

The ECDLP problem is defined as follows:

$$\begin{array}{c}\text{Instance:}\hspace{0.17em}\hspace{0.17em}E\setminus F_p,\hspace{1em}P,Q\in E\left(F_p\right)\\ \text{Output:}\hspace{0.17em}\hspace{0.17em}k\in N^{\ast },\hspace{1em}k>\mathrm{1}\hspace{0.17em}\hspace{0.17em}\text{such}\hspace{0.17em}\hspace{0.17em}\text{that}\hspace{0.17em}\hspace{0.17em}Q\equiv kP\mathrm{mod}p.\end{array}$$ (2)

If we can solve the discrete logarithm problem (DLP) [26], then we can also (immediately) solve the ECDLP problem.

Theorem 5 . —

SM2 protocol is secure in the sense of Definition 3 when the underlying hash and key derivation schemes are modelled as random oracles and the elliptic curve discrete logarithm problem (ECDLP) assumption is satisfied in E(F _q).

The soundness requirement is trivial to verify. We will now concentrate on proving the indistinguishability requirement.

In the usual tradition of reductionist proofs, we assume that there exists an adversary A against the protocol (i.e., A has a nonnegligible advantage, η(k), where k is the security parameter), and we then construct a solver S that makes use of A to solve the ECDLP problem. In other words, S will simulate the view of A by answering all Send, Reveal, Corrupt, and Test queries of A. S will start by randomly selecting two users, I and J, and a session number, i, as the test session. S will also manage two random oracles, H and KDF, in order to answer A's queries. More specifically when the H oracle is queried, S will check whether the tuple is already in the H-list and output the stored response. Otherwise, S will respond with the appropriate output, H(⋯), and adds the tuple (H(⋯), U, i) to the H-list. S will answer KDF queries in the same manner.

1. Send  (Ω _I, Ω _J, j, m) queries: for any well-formed  Send queries from A, S can trivially answer with the right output as the protocol specification demands. Specifically, S answers the query as follows.

   1. If Ω _I = initiator and Ω _J = responder, then the S will output the message m = (R _I, Z _I, Z _J, P _I, P _J).
   2. Consider the case that Ω _J = initiator, Ω _I = responder, and message m = R _I.
      1. If S has rejected the message m, then S will respond with ⊥. Otherwise, S will verify whether m is the right format or not.
      2. If m verifies correctly, then S will output messages (R _J, S _J) to A. Otherwise, S will abort the simulation and output ⊥.
   3. Assume Ω _I = initiator, Ω _J = responder, and messages m = R _J, S _J.
      1. If S has rejected the messages m, then S will respond with ⊥. Otherwise, S will verify whether m is the right format or not.
      2. If m verifies correctly, then S will output messages S _I to A. Otherwise, S will abort the simulation and output ⊥.

2. Reveal  (Ω, j) queries: if Ω _j = I _i or Ω _j = J _i, then S will abort the simulation and fail. Otherwise this query can be answered with the right session key as long as U _j has accepted and neither Ω nor its partner has been corrupted. However, such a session will be rendered unfresh.

3. Corrupt  (Ω) queries: this query can be easily answered as per the protocol specifications, unless Ω = I or Ω = J. In the latter scenario, S will abort the simulation and fail.

4. Test  (Ω ₁, Ω ₂, j, m) queries: if Π_U1,U2 ^j ≠ Π_I,J ⁱ, then S will abort the simulation and fail. Otherwise, S will check whether Π_Ω1,Ω2 ^j has accepted and that the session is fresh. If so, A will be given either the actual session key or a session key drawn randomly from the session key distribution, depending on the randomly chosen bit b.

For A to distinguish whether the value returned is the actual session key or a session key drawn randomly from the session key distribution, A has to determine the correct values of U = (x _U, y _U) or V = (x _V, y _V) to compute the session key (since K _I = KDF(x _U||y _U||Z _A||Z _B, klen) and K _J = KDF(x _V||y _V||Z _A||Z _B, klen)). For this to happen,

• (i)
  A has to guess the long-term private key d _I and short-term private key r _I in order to compute t _I and hence, the session key K _I. If A is able to successfully guess d _I and r _I via P _I = [d _I]G and R _I = [r _I]G, then S would be able to use A to solve the ECDLP problem. Let Succ_dI ^ECDLP and Succ_rI ^ECDLP denote A's advantage in computing the correct values of d _I and r _I, respectively, and Succ_A ^U denotes the event that A can successfully guess the session key using the computed values of d _I and r _I. So we have

  $$\begin{array}{c}\mathrm{Pr}\left[{\text{Succ}}_{d_I}^{\mathsf{E}\mathsf{C}\mathsf{D}\mathsf{L}\mathsf{P}}\right]=\frac{\mathrm{1}}{\left|\mathcal{D}\right|};\hspace{1em}\hspace{1em}\mathrm{Pr}\left[{\text{Succ}}_{r_I}^{\mathsf{E}\mathsf{C}\mathsf{D}\mathsf{L}\mathsf{P}}\right]=\frac{\mathrm{1}}{\left|\mathcal{D}\right|},\\ \mathrm{Pr}\left[{\text{Succ}}_{\mathcal{A}}^U\right]=\mathrm{Pr}\left[{\text{Succ}}_{d_I}^{\mathsf{E}\mathsf{C}\mathsf{D}\mathsf{L}\mathsf{P}}\right]·\mathrm{Pr}\left[{\text{Succ}}_{r_I}^{\mathsf{E}\mathsf{C}\mathsf{D}\mathsf{L}\mathsf{P}}\right]=\frac{\mathrm{1}}{{\left|\mathcal{D}\right|}^{\mathrm{2}}}.\end{array}$$ (3)
• (ii)
  A has to guess the correct value of V. Similar to the above, we let Succ_dJ ^ECDLP and Succ_rJ ^ECDLP denote A's advantage in computing the correct value of d _J and r _J, respectively, and Succ_A ^V denotes the event that A can successfully guess the session key using the computed values of d _J and r _J. So we have

  $$\begin{array}{c}\mathrm{Pr}\left[{\text{Succ}}_{d_J}^{\mathsf{E}\mathsf{C}\mathsf{D}\mathsf{L}\mathsf{P}}\right]=\frac{\mathrm{1}}{\left|\mathcal{D}\right|};\hspace{1em}\hspace{1em}\mathrm{Pr}\left[{\text{Succ}}_{r_J}^{\mathsf{E}\mathsf{C}\mathsf{D}\mathsf{L}\mathsf{P}}\right]=\frac{\mathrm{1}}{\left|\mathcal{D}\right|},\\ \mathrm{Pr}\left[{\text{Succ}}_{\mathcal{A}}^V\right]=\mathrm{Pr}\left[{\text{Succ}}_{d_J}^{\mathsf{E}\mathsf{C}\mathsf{D}\mathsf{L}\mathsf{P}}\right]·\mathrm{Pr}\left[{\text{Succ}}_{r_J}^{\mathsf{E}\mathsf{C}\mathsf{D}\mathsf{L}\mathsf{P}}\right]=\frac{\mathrm{1}}{{\left|\mathcal{D}\right|}^{\mathrm{2}}}.\end{array}$$ (4)

There is, therefore, a negligible advantage of A distinguishing whether the value returned is the actual session key or a session key drawn randomly from the session key distribution. Let q _t and Succ_A ^SM2 denote the number of  Test  queries asked and the event that A can correctly distinguish the session key, respectively. We now have

$$\begin{array}{c}\mathrm{Pr}\left[{\text{Succ}}_{\mathcal{A}}^{\text{SM}\mathrm{2}}\right]=\left(\mathrm{1}-\mathrm{Pr}\left[\overline{{\text{Succ}}_{\mathcal{A}}^U}\right]\mathrm{Pr}\left[\overline{{\text{Succ}}_{\mathcal{A}}^V}\right]\right)·q_t\\ =\left(\mathrm{1}-\left(\mathrm{1}-\frac{\mathrm{1}}{{\left|\mathcal{D}\right|}^{\mathrm{2}}}\right)·\left(\mathrm{1}-\frac{\mathrm{1}}{{\left|\mathcal{D}\right|}^{\mathrm{2}}}\right)\right)·q_t\\ =\frac{\mathrm{2}{q}_t}{{\left|\mathcal{D}\right|}^{\mathrm{2}}}-\frac{q_t}{{\left|\mathcal{D}\right|}^{\mathrm{4}}}.\end{array}$$ (5)

Since D = [1, n − 1], n → ∞, D → ∞, 1/|D|² → 0, 1/|D|⁴ → 0, q _t ≪ D, and q _t/|D|² → 0, q _t/|D|⁴ → 0, we have ((2q _t/|D|²) − (q _t/|D|⁴)) → 0 and ((2q _t/|D|²) − (q _t/|D|⁴)) = (q _t/|D|²)(2 − (1/|D|²)) > 0. Therefore,

$$\begin{array}{c}\mathrm{Pr}\left[{\text{Succ}}_{\mathcal{A}}^{\text{SM}\mathrm{2}}\right]=\frac{\mathrm{2}{q}_t}{{\left|\mathcal{D}\right|}^{\mathrm{2}}}-\frac{q_t}{{\left|\mathcal{D}\right|}^{\mathrm{4}}}⟶\mathrm{0}.\end{array}$$ (6)

This concludes the proof for Theorem 5.

4. A Provably-Secure Simplified SM2 Key Exchange Protocol

In this section, we propose a more efficient version of the SM2 protocol—see Table 2—and prove its security in the Bellare-Rogaway model.

Table 2.

Simplified SM2 key exchange protocol.

A	B
pub: E(F q), G, n, H(), KDF(), G, P A, P B, Z A, Z B
Randomly selects r A ∈ [1, n − 1]	Randomly selects r B ∈ [1, n − 1]
Computes t A = (d A · r A)mod⁡n	Computes t B = (d B · r B)mod⁡n
Computes R A = [t A]G = (x 1, y 1)	Computes R B = [t B]G = (x 2, y 2)
$\stackrel{R_A}{\to }$
	Computes V = [t B] · R A + d B · P A = (x V, y V)
	Computes K B = KDF(x V||y V||Z A||Z B, klen)
	Computes S B = H(0x02||y V||H(x V||Z A||Z B||x 1||y 1||x 2||y 2))
$\stackrel{R_B,S_B}{\leftarrow }$
Computes U = [t A] · R B + d A · P B = (x U, y U)
Computes K A = KDF(x U||y U||Z A||Z B, klen)
Computes S 1 = H(0x02||y U||H(x U||Z A||Z B||x 1||y 1||x 2||y 2))
Verifies $S_{\mathrm{1}}\stackrel{?}{=}{S}_B$
Computes S A = H(0x03||y U||H(x U||Z A||Z B||x 1||y 1||x 2||y 2))
$\stackrel{S_A}{\to }$
	Computes S 2 = H(0x03||y V||H(x V||Z A||Z B||x 1||y 1||x 2||y 2))
	Verifies $S_{\mathrm{2}}\stackrel{?}{=}{S}_A$
Key established K A = K B	Key established K B = K A
SID is (R A||R B) or (R A||R B||S B||S A) in the case where key confirmation is required.

4.1. Protocol Description

A randomly selects d _A ∈ [1, n − 1] and computes long-term public key P _A = [d _A]G = (x _A, y _A) and Z _A = H(ENTL _A||ID_A||a||b||x _G||y _G||x _A||y _A). It then sends P _A and Z _A to B. B also randomly selects d _B ∈ [1, n − 1] and computes P _B = [d _B]G = (x _B, y _B) and Z _B = H(ENTL _A||ID_A||a||b||x _G||y _G||x _B||  y _B), prior to sending P _B and Z _B to A. E(Fq),  G,  n,  H(),  KDF(),  G,  P _A,  P _B,  Z _A,  Z _B are system parameters. To establish a session key with B,

1. A will now run the protocol as follows:

   1. randomly selects r _A ∈ [1, n − 1],
   2. computes t _A = (d _A · r _A)mod⁡n and R _A = [t _A]G = (x ₁, y ₁),
   3. sends R _A to B;

2. upon receiving P _A from A, B will perform the following:

   1. randomly selects r _B ∈ [1, n − 1],
   2. computes t _B = (d _B · r _B)mod⁡n, R _B = [t _B]G = (x ₂, y ₂), V = [t _B] · R _A + d _B · P _A = (x _V, y _V), and K _B = KDF(x _V||y _V||Z _A||Z _B, klen),
   3. (optional for key confirmation) computes S _B = H(0x02||y _V||H(x _V||Z _A||Z _B||x ₁||y ₁||x ₂||y ₂)),
   4. sends R _B to A (optionally for key confirmation, B will also send S _B to A);

3. upon receiving R _B (and S _B, optionally for key confirmation) from B, A will perform the following:

   1. computes U = [t _A] · R _B + d _A · P _B = (x _U, y _U) and K _A = KDF(x _U||y _U||Z _A||Z _B, klen),
   2. (optional for key confirmation) compute S ₁ = H(0x02||y _U||H(x _U||Z _A||Z _B||x ₁||y ₁||x ₂||y ₂)),
   3. verifies that $S_{\mathrm{1}}\stackrel{?}{=}{S}_B$, and if it returns true, then A is assured that B actually has possession of the session key, otherwise, terminates the protocol run and outputs ⊥,
      1. (optional for key confirmation) computes S _A = H(0x03||y _U||H(x _U||Z _A||Z _B||x ₁||y ₁||x ₂||y ₂)),
      2. Send S _A to client B;

4. (optional for key confirmation) upon receiving S _A, B will perform the following:

   1. computes S ₂ = H(0x03||y _V||H(x _V||Z _A||Z _B||x ₁||y ₁||x ₂||y ₂)),
   2. verifies whether $S_A\stackrel{?}{=}{S}_{\mathrm{2}}$,
   3. if the verification returns wrong, then client B terminates the protocol run and outputs ⊥. If it returns true, then B is assured that A actually has possession of the session key. Otherwise, terminates the protocol run and outputs ⊥;

5.  session key established is K _A = K _B,

6.  SID is (R _A||R _B) or (R _A||R _B||S _B||S _A) in the case where key confirmation is required.

4.2. Security Proof

Theorem 6 . —

The simplified SM2 protocol (Table 2) is secure in the sense of Definition 3 when the underlying hash and key derivation schemes are modelled as random oracles and the ECDLP assumption is satisfied in E(F _q).

The proof process is similar to that of Section 3.2.

1. Send  (Ω _I, Ω _J, j, m) queries: for any well-formed Send queries from A, S can trivially answer with the right output as the protocol specification demands. Specifically, S answers the query as follows.

   1. If Ω _I = initiator and Ω _J = responder, then the S will output the message, m = R _I, to the query.
   2. Consider the case that Ω _J = initiator, Ω _I = responder, and messages m = R _I.
      1. If S has rejected the message m, then S will respond with ⊥. Otherwise, S will verify whether m is the right format or not.
      2. If m verifies correctly, then S will output messages (R _J, S _J) to A. Otherwise, S will abort the simulation and output ⊥.
   3. Assume Ω _I = initiator, Ω _J = responder, and messages m = R _J, S _J.
      1. If S has rejected the messages m, then S will respond with ⊥. Otherwise, S will verify whether m is the right format or not.
      2. If m verifies correctly, then S will output messages S _I to A. Otherwise, S will abort the simulation and output ⊥.

Simulations for the Reveal, Corrupt, and Test follow that of Section 3.2.

For A to distinguish whether the value returned is the actual session key or a session key drawn randomly from the session key distribution (i.e., whether b = 0 or b = 1), A has to determine the correct values of U = (x _U, y _U) or V = (x _V, y _V) (since K _I = KDF(x _U||y _U||Z _A||Z _B, klen) and K _J = KDF(x _V||y _V||Z _A||Z _B, klen)). For this to happen, A has to obtain the correct value of d _I · r _I in order to compute t _I and consequently, the session key K _I. For A to obtain t _I, A has to be able to compute from R _I since R _I = [t _I]G.

Let Succ_tI ^ECDLP denote A's advantage in computing t _I from R _I, and we have

$$\begin{array}{c}\mathrm{Pr}\left[{\text{Succ}}_{t_I}^{\mathsf{E}\mathsf{C}\mathsf{D}\mathsf{L}\mathsf{P}}\right]=\frac{\mathrm{1}}{\left|\mathcal{D}\right|}.\end{array}$$ (7)

Let Succ_tJ ^ECDLP denote A's advantage in computing t _J from R _J, and we have

$$\begin{array}{c}\mathrm{Pr}\left[{\text{Succ}}_{t_J}^{\mathsf{E}\mathsf{C}\mathsf{D}\mathsf{L}\mathsf{P}}\right]=\frac{\mathrm{1}}{\left|\mathcal{D}\right|}.\end{array}$$ (8)

Let Succ_A ^ESM2 denote the event that A is able to distinguish whether the value returned is the actual session key or a session key drawn randomly from the session key distribution. We then have

$$\begin{array}{c}\mathrm{Pr}\left[{\text{Succ}}_{\mathcal{A}}^{\text{ESM}\mathrm{2}}\right]=\left(\mathrm{1}-\mathrm{Pr}\left[\overline{{\text{Succ}}_{t_I}^{\mathsf{E}\mathsf{C}\mathsf{D}\mathsf{L}\mathsf{P}}}\right]·\mathrm{Pr}\left[\overline{{\text{Succ}}_{t_J}^{\mathsf{E}\mathsf{C}\mathsf{D}\mathsf{L}\mathsf{P}}}\right]\right)·q_t\\ =\left(\mathrm{1}-{\left(\mathrm{1}-\frac{\mathrm{1}}{\left|\mathcal{D}\right|}\right)}^{\mathrm{2}}\right)·q_t=\frac{\mathrm{2}{q}_t}{\left|\mathcal{D}\right|}-\frac{q_t}{{\left|\mathcal{D}\right|}^{\mathrm{2}}}.\end{array}$$ (9)

Since  D = [1, n − 1], n → ∞, D → ∞, 2/|D| → 0, 1/|D|⁴ → 0, q _t ≪ D, and 2q _t/|D| → 0, q _t/|D|² → 0, we have ((2q _t/|D|)  −  (q _t/|D|²)) → 0 and ((2q _t/|D|) − (q _t/|D|²)) = (q _t/|D|)(2 − (1/|D|)) > 0. It follows that Pr⁡[Succ_A ^ESM2] = (2q _t/|D|) − (q _t/|D|²) → 0.

This concludes the proof for Theorem 6.

5. Conclusion

Key exchange protocols are the cornerstone of any secure communication. By proving the widely used Chinese Government SM2 protocol secure in the Bellare-Rogaway model under the ECDLP assumption, we hope that this provides a strong assurance to protocol implementers that the protocol is behaving as desired. In addition, we presented a more efficient version of the SM2 protocol with a proof of security in the Bellare-Rogaway model under the ECDLP assumption.

A comparison with six existing pairing-free protocols reveals that the computational load of our simplified SM2 protocol is no more than that of the six and the SM2 protocols, yet provides both implicit key confirmation (A is assured that B can compute the session key) and explicit key confirmation (A is assured that B has actually computed the session key)—see Table 3. In Table 3, a, m, e, and h denote addition, multiplication, exponentiation, and hash operations, respectively.

Table 3.

Protocol comparison.

Protocol	Cost	Both implicit and explicit key confirmation?
Cao et al. (2008) [13]	10m + 4a + 4h + 1e	No
Cao et al. (2010) [10]	8m + 3a + 2h	No
He et al. (2012) [2]	6m + 5a + 2e + 2h	No
Yang and Tan (2011) [24]	6m + 2h	No
He et al. (2011) [14]	5m + 4a + 2h	No
Chen and Han (2013) [25]	9m + 2a + 7h + 1e	No
SM2 [15]	5m + 4a + 3h	Yes
Our simplified SM2 protocol	4m + 1a + 3h	Yes

Conflict of Interests

As the authors of the paper, we do not have a direct financial relation with any institution or organization mentioned in our paper that might lead to a conflict of interests for any of the authors.