Abstract
Fujioka et al. proposed the first generic construction (the FSXY construction) of exposure-resilient authenticated key exchange (AKE) from a key encapsulation mechanism (KEM) without random oracles. However, the FSXY construction implicitly assumes that a certain intermediate computation result is never exposed, even though other secret information may be exposed. This is a kind of physical assumption, and an implementation trick (i.e., executing some on-line computation inside a special tamper-proof module) is necessary to satisfy it. Such a trick is very costly and may be omitted through human error in implementation. From the viewpoint of the human factor, it is desirable to avoid relying on complicated implementation tricks. In this paper, we introduce a new generic construction that requires no such implementation trick. Our construction satisfies the same security model as the FSXY construction without increasing communication complexity. Moreover, it has the further advantage that the protocol can be executed in one round, whereas the FSXY construction is a sequential two-move protocol. Our key idea is to use a KEM with public-key-independent ciphertexts, which allows a party to generate a ciphertext without depending on the encryption key.