Forward secrecy (FS) is a central security requirement of authenticated key exchange (AKE). Especially, strong FS (sFS) is desirable because it can guarantee security against a very realistic attack scenario that an adversary is allowed to be active in the target session. However, most of AKE schemes cannot achieve sFS, and currently known schemes with sFS are only proved in the random oracle model. In this paper, we propose a generic construction of AKE protocol with sFS in the standard model against a constrained adversary. The constraint is that session-specific intermediate computation results (i.e., session state) cannot be revealed to the adversary for achieving sFS, that is shown to be inevitable by Boyd and González Nieto. However, our scheme maintains weak FS (wFS) if session state is available to the adversary. Thus, our scheme satisfies one of strongest security definitions, the CK+ model, which includes wFS and session state reveal. The main idea to achieve sFS is to use signcryption KEM while the previous CK+ secure construction uses ordinary KEM. We show a possible instantiation of our construction from Diffie-Hellman problems.

In this letter, we show that Jung's ID-based scheme, which is the improved version of the Chikazawa-Yamagishi scheme, satisfies only the weak forward secrecy. But the weak forward secrecy is not quite realistic, since it is not sufficient for modeling the real attacks. To address this problem, the strong forward secrecy has been pursued, which is modeling the more realistic attacks. We then suggest a modification of Jung's ID-based scheme to provide the strong forward secrecy.