This paper proposes an id-eCK secure identity-based authenticated key exchange (ID-AKE) scheme, where the id-eCK security implies that a scheme resists against leakage of all combinations of master, static, and ephemeral secret keys except ones trivially break the security. Most existing id-eCK secure ID-AKE schemes require two symmetric pairing operations or a greater number of asymmetric pairing, which is faster than symmetric one, operations to establish a session key. However, our scheme is realized with a single asymmetric pairing operation for each party, and this is an advantage in efficiency. The proposed scheme is based on the ID-AKE scheme by McCullagh and Barreto, which is vulnerable to an active attack. To achieve id-eCK security, we apply the HMQV construction and the NAXOS technique to the McCullagh-Barreto scheme. The id-eCK security is proved under the external Diffie-Hellman for target group assumption and the q-gap-bilinear collision attack assumption.

This paper examines two-pass authenticated key exchange (AKE) protocols that are secure without the NAXOS technique under the gap Diffie-Hellman assumption in the random oracle model: FHMQV [18], KFU1 [21], SMEN- [13], and UP [17]. We introduce two protocol, biclique DH protocol and multiplied biclique DH protocol, to analyze the subject protocols, and show that the subject protocols use the multiplied biclique DH protocol as internal protocols. The biclique DH protocol is secure, however, the multiplied biclique DH protocol is insecure. We show the relations between the subject protocols from the viewpoint of how they overcome the insecurity of the multiplied biclique DH protocol: FHMQV virtually executes two multiplied biclique DH protocols in sequence with the same ephemeral key on two randomized static keys. KFU1 executes two multiplied biclique DH protocols in parallel with the same ephemeral key. UP is a version of KFU1 in which one of the static public keys is generated with a random oracle. SMEN- can be thought of as a combined execution of two multiplied biclique DH protocols. In addition, this paper provides ways to characterize the AKE protocols and defines two parameters: one consists of the number of static keys, the number of ephemeral keys, and the number of shared secrets, and the other is defined as the total sum of these numbers. When an AKE protocol is constructed based on some group, these two parameters indicate the number of elements in the group, i.e., they are related to the sizes of the storage and communication data.