Making the Identity-Based Diffie-Hellman Key Exchange Efficiently Revocable

We propose an efficient identity-based authenticated-key exchange (IB-AKE) protocol that is equipped with scalable key revocation. Our protocol builds upon the most efficient identity-based Diffie-Hellman key exchange (without revocation mechanisms) presented by Fiore and Gennaro at CT-RSA 2010, which can be constructed from pairing-free groups. The key revocation is essential for IB-AKE protocols in long-term practical operation. Our key revocation mechanism allows the key exchange protocol to remain comparable to the original Fiore-Gennaro identity-based key exchange, unlike other revocable schemes that require major (inefficient) modifications to their original IB-AKE protocols. Moreover, our revocation mechanism is scalable, in the sense that its computational cost is logarithmic, rather than linear, to the number of users. We provide a security proof in the identity-based extended Canetti-Krawczyk security model that is further extended in order to incorporate key revocation. The security of our scheme reduces to the well-established strong Diffie-Hellman assumption. For this proof, we devise a multi-forking lemma, an extended version of the general forking lemma.