{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,7,7]],"date-time":"2025-07-07T21:40:06Z","timestamp":1751924406033,"version":"3.41.2"},"reference-count":36,"publisher":"International Association for Cryptologic Research","issue":"2","license":[{"start":{"date-parts":[[2025,4,2]],"date-time":"2025-04-02T00:00:00Z","timestamp":1743552000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IACR CiC"],"accepted":{"date-parts":[[2025,6,2]]},"abstract":"<jats:p>  Privacy-preserving authenticated key exchange (PPAKE) is a cryptographic protocol that enables two users to exchange a session key while protecting users' privacy (i.e., hiding the user's identity) against the machine-in-the-middle adversary.   To hide user identities, PPAKE messages are broadcast to the network, increasing communication complexity.   In ASIACRYPT2022, Lyu et al. introduced a concept of robustness to reduce communication complexity. Roughly, robust PPAKE allows receivers to decide whether it is the intended user by processing the first message with its long-term secret key. As a result, only the intended user replies to the first message, and thus, messages in the network are reduced. However, if a user's secret key is leaked, an adversary can also use it to determine whether the past first message was intended for the user, and thus, the PPAKE scheme of Lyu et al. does not have full forward privacy.   Lyu et al. leave an open problem of constructing a PPAKE scheme with robustness and full forward privacy.   In this work, we solve this problem by introducing a new framework called key updatable PPAKE (kuPPAKE).   In kuPPAKE schemes, a long-term secret key is updated so that the updated key does not work for past messages. Therefore, robustness no longer conflicts with full forward privacy.   We propose a generic construction of a 2-round kuPPAKE and show a concrete scheme in the standard model from DH-style assumptions over bilinear groups. <\/jats:p>","DOI":"10.62056\/a0iv7ta5v","type":"journal-article","created":{"date-parts":[[2025,7,7]],"date-time":"2025-07-07T21:09:09Z","timestamp":1751922549000},"update-policy":"https:\/\/doi.org\/10.62056\/adfjwm02dj","source":"Crossref","is-referenced-by-count":0,"title":["Round-Optimal Authenticated Key Exchange with Full Forward Privacy"],"prefix":"10.62056","volume":"2","author":[{"given":"Koki","family":"Matsui","sequence":"first","affiliation":[{"id":[{"id":"https:\/\/ror.org\/05dqf9946","id-type":"ROR","asserted-by":"publisher"}],"name":"Institute of Science Tokyo","place":["Japan"]}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Shoma","family":"Kanzaki","sequence":"additional","affiliation":[{"id":[{"id":"https:\/\/ror.org\/05dqf9946","id-type":"ROR","asserted-by":"publisher"}],"name":"Institute of Science Tokyo","place":["Japan"]}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-4671-4485","authenticated-orcid":false,"given":"Wakaha","family":"Ogata","sequence":"additional","affiliation":[{"id":[{"id":"https:\/\/ror.org\/05dqf9946","id-type":"ROR","asserted-by":"publisher"}],"name":"Institute of Science Tokyo","place":["Japan"]}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-2232-9443","authenticated-orcid":false,"given":"Keitaro","family":"Hashimoto","sequence":"additional","affiliation":[{"id":[{"id":"https:\/\/ror.org\/01703db54","id-type":"ROR","asserted-by":"publisher"}],"name":"National Institute of Advanced Industrial Science and Technology (AIST)","place":["Japan"]}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"48349","published-online":{"date-parts":[[2025,7,7]]},"reference":[{"key":"ref1:NDSS:Krawczyk96","doi-asserted-by":"publisher","first-page":"114","DOI":"10.1109\/NDSS.1996.492418","article-title":"SKEME: a versatile secure key exchange mechanism for\n  Internet","author":"Hugo Krawczyk","year":"1996"},{"key":"ref2:PoPETS:ABFNO19","doi-asserted-by":"publisher","first-page":"190","DOI":"10.2478\/popets-2019-0065","article-title":"The privacy of the TLS 1.3 protocol","volume":"2019","author":"Ghada Arfaoui","year":"2019","journal-title":"PoPETs"},{"key":"ref3:USENIX:DinMatSyv04","doi-asserted-by":"publisher","first-page":"303","DOI":"10.21236\/ada465464","article-title":"Tor: The Second-Generation Onion Router","author":"Roger Dingledine","year":"2004"},{"key":"ref4:USENIX:HHSSW21","first-page":"3577","article-title":"PrivateDrop: Practical Privacy-Preserving Authentication\n  for Apple AirDrop","author":"Alexander Heinrich","year":"2021"},{"key":"ref5:PKC:SchSchLau20","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"567","DOI":"10.1007\/978-3-030-45388-6_20","article-title":"Privacy-Preserving Authenticated Key Exchange and the Case\n  of IKEv2","volume":"12111","author":"Sven Sch\u00e4ge","year":"2020"},{"key":"ref6:ESORICS:RamSlaWen21","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"676","DOI":"10.1007\/978-3-030-88428-4_33","article-title":"Privacy-Preserving Authenticated Key Exchange: Stronger\n  Privacy and Generic Constructions","volume":"12973","author":"Sebastian Ramacher","year":"2021"},{"key":"ref7:AC:LLHG22","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"210","DOI":"10.1007\/978-3-031-22969-5_8","article-title":"Privacy-Preserving Authenticated Key Exchange in the\n  Standard Model","volume":"13793","author":"You Lyu","year":"2022"},{"key":"ref8:PKC:IshYon22","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"35","DOI":"10.1007\/978-3-030-97131-1_2","article-title":"Post-quantum Anonymous One-Sided Authenticated Key Exchange\n  Without Random Oracles","volume":"13178","author":"Ren Ishibashi","year":"2022"},{"key":"ref9:EC:GHJL17","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"519","DOI":"10.1007\/978-3-319-56617-7_18","article-title":"0-RTT Key Exchange with Full Forward Secrecy","volume":"10212","author":"Felix G\u00fcnther","year":"2017"},{"key":"ref10:AC:GenSil02","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"548","DOI":"10.1007\/3-540-36178-2_34","article-title":"Hierarchical ID-Based Cryptography","volume":"2501","author":"Craig Gentry","year":"2002"},{"key":"ref11:C:BonFra01","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"213","DOI":"10.1007\/3-540-44647-8_13","article-title":"Identity-Based Encryption from the Weil Pairing","volume":"2139","author":"Dan Boneh","year":"2001"},{"key":"ref12:RSA:Ducas10","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"148","DOI":"10.1007\/978-3-642-11925-5_11","article-title":"Anonymity from Asymmetry: New Constructions for Anonymous\n  HIBE","volume":"5985","author":"L\u00e9o Ducas","year":"2010"},{"key":"ref13:EC:AgrBonBoy10","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"553","DOI":"10.1007\/978-3-642-13190-5_28","article-title":"Efficient Lattice (H)IBE in the Standard Model","volume":"6110","author":"Shweta Agrawal","year":"2010"},{"key":"ref14:EC:CanHalKat04","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"207","DOI":"10.1007\/978-3-540-24676-3_13","article-title":"Chosen-Ciphertext Security from Identity-Based Encryption","volume":"3027","author":"Ran Canetti","year":"2004"},{"key":"ref15:PKC:BelSho07","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"201","DOI":"10.1007\/978-3-540-71677-8_14","article-title":"Two-Tier Signatures, Strongly Unforgeable Signatures, and\n  Fiat-Shamir Without Random Oracles","volume":"4450","author":"Mihir Bellare","year":"2007"},{"key":"ref16:PKC:BonSheWat06","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"229","DOI":"10.1007\/11745853_15","article-title":"Strongly Unforgeable Signatures Based on Computational\n  Diffie-Hellman","volume":"3958","author":"Dan Boneh","year":"2006"},{"key":"ref17:EC:DKPW12","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"355","DOI":"10.1007\/978-3-642-29011-4_22","article-title":"Message Authentication, Revisited","volume":"7237","author":"Yevgeniy Dodis","year":"2012"},{"key":"ref18:PKC:FarSchSid07","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"426","DOI":"10.1007\/978-3-540-71677-8_28","article-title":"Efficient Pseudorandom Generators Based on the DDH\n  Assumption","volume":"4450","author":"Reza Rezaeian Farashahi","year":"2007"},{"key":"ref19:PKC07","series-title":"LNCS","volume-title":"PKC\u00a02007","volume":"4450","year":"2007"},{"key":"ref20:STOC:ImpLevLub89","doi-asserted-by":"publisher","first-page":"12","DOI":"10.1145\/73007.73009","article-title":"Pseudo-random Generation from one-way functions (Extended\n  Abstracts)","author":"Russell Impagliazzo","year":"1989"},{"key":"ref21:AC22-3","series-title":"LNCS","volume-title":"ASIACRYPT\u00a02022, Part\u00a0III","volume":"13793","year":"2022"},{"key":"ref22:AC02","series-title":"LNCS","volume-title":"ASIACRYPT\u00a02002","volume":"2501","year":"2002"},{"key":"ref23:C01","series-title":"LNCS","volume-title":"CRYPTO\u00a02001","volume":"2139","year":"2001"},{"key":"ref24:RSA10","series-title":"LNCS","volume-title":"CT-RSA\u00a02010","volume":"5985","year":"2010"},{"key":"ref25:ESORICS21-2","series-title":"LNCS","volume-title":"ESORICS\u00a02021, Part\u00a0II","volume":"12973","year":"2021"},{"key":"ref26:EC17-3","series-title":"LNCS","volume-title":"EUROCRYPT\u00a02017, Part\u00a0III","volume":"10212","year":"2017"},{"key":"ref27:EC12","series-title":"LNCS","volume-title":"EUROCRYPT\u00a02012","volume":"7237","year":"2012"},{"key":"ref28:EC10","series-title":"LNCS","volume-title":"EUROCRYPT\u00a02010","volume":"6110","year":"2010"},{"key":"ref29:EC04","series-title":"LNCS","volume-title":"EUROCRYPT\u00a02004","volume":"3027","year":"2004"},{"key":"ref30:NDSS96","volume-title":"NDSS'96","year":"1996"},{"key":"ref31:PKC22-2","series-title":"LNCS","volume-title":"PKC\u00a02022, Part\u00a0II","volume":"13178","year":"2022"},{"key":"ref32:PKC20-2","series-title":"LNCS","volume-title":"PKC\u00a02020, Part\u00a0II","volume":"12111","year":"2020"},{"key":"ref33:PKC06","series-title":"LNCS","volume-title":"PKC\u00a02006","volume":"3958","year":"2006"},{"key":"ref34:STOC89","volume-title":"21st ACM STOC","year":"1989"},{"key":"ref35:USENIX21","volume-title":"USENIX Security 2021","year":"2021"},{"key":"ref36:USENIX04","volume-title":"USENIX Security 2004","year":"2004"}],"container-title":["IACR Communications in Cryptology"],"original-title":[],"language":"en","deposited":{"date-parts":[[2025,7,7]],"date-time":"2025-07-07T21:09:36Z","timestamp":1751922576000},"score":1,"resource":{"primary":{"URL":"https:\/\/cic.iacr.org\/p\/2\/2\/12"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,7,7]]},"references-count":36,"journal-issue":{"issue":"2","published-online":{"date-parts":[[2025,7,7]]}},"URL":"https:\/\/doi.org\/10.62056\/a0iv7ta5v","archive":["Internet Archive","Internet Archive"],"relation":{},"ISSN":["3006-5496"],"issn-type":[{"value":"3006-5496","type":"electronic"}],"subject":[],"published":{"date-parts":[[2025,7,7]]},"assertion":[{"value":"2025-04-02","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2025-06-02","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}}],"article-number":"cc2-2-14"}}