On security analysis of an after-the-fact leakage resilient key exchange protocol

• We point out that the ASB scheme is not secure in the model which is claimed by the authors, via showing an attack in that model.
• We propose a solution to avoid such attack is given.
• We show that the even improved ASB scheme cannot be reduced to Decisional Diffie–Hellman (DDH) assumption.
• We re-prove the improved ASB scheme based on Gap Diffie–Hellman problem under random oracle model.

In this paper, we revisit the security result of an authenticated key exchange (AKE) scheme proposed in AsiaCCS'14 by Alawatugoda, Stebila and Boyd (which is referred to as ASB scheme). The ASB scheme is proved to be secure in a new bounded (continuous) after-the-fact leakage extended Canetti–Krawczyk (B(C)AFL-eCK) model without random oracles, where the B(C)AFL-eCK is extended from the eCK model. However we disprove their security results. We first show an attack against ASB scheme in the eCK model. This also implies that the insecurity of ASB scheme in the B(C)AFL-eCK model. Secondly we point out that the security of ASB scheme is incorrectly reduced to DDH assumption. A solution is proposed to fix the problem of ASB scheme with minimum changes, which yields a new ASB' scheme. We prove the eCK security of ASB' in the random oracle model under Gap Diffie–Hellman assumption.