Cryptanalysis of a generic one-round key exchange protocol with strong security

Zheng Yang, Junyu Lai, Guoyuan Li
2018 IET Information Security  
AW: We would like to thank the reviewer for such a good suggestion. We modify the proof in this game accordingly. Briefly speaking, we change Game 2 by asking the challenger to: (i) generate all (ℓ + dℓ) NIKE key pairs (which will later be used as either long-term or ephemeral keys) at the beginning of the game, and (ii) abort if two public keys are equivalent. The first change enables us to check the abort rule (in the second change).

... If the challenger aborts with non-negligible probability, then we could break the NIKE security as suggested.

(c) Game 5: CM: In particular, I was not able to follow the reduction to the PRF security, because everything is extremely sketchy and the considered PRF security model seems inconsistent with the security definition given in Section 2.2. For instance, in Section 2.2 there are adversaries B1, B2, which are not reflected in the proof, but it is just claimed that "B could ask queries....", without clarifying in which stage.

AW: We enriched the proof in Game 5. We now show how adversaries B1, B2 are run to simulate the AKE security game. Roughly speaking, the adversary B1 would generate the protocol messages recorded in the session identifier of the test oracle. Those protocol messages will be used as the PRF challenge message submitted to the PRF challenger. Then the adversary B2 would continue to simulate the AKE game. We also wrote a few sentences (in conjunction with our proof) to illustrate why our new scheme can resist our PFS attack against the BJS scheme.

Abstract: In PKC 2015, Bergsma et al. introduced an interesting one-round key exchange protocol (referred to here as the BJS scheme) with strong security, in particular perfect forward secrecy (PFS). In this paper, we unveil a PFS attack against the BJS scheme, which invalidates its security proof. An improvement is proposed to fix the problem of the BJS scheme with minimal changes.
doi:10.1049/iet-ifs.2017.0055 fatcat:auma6xcsingvzeymijxeyowe34