International Journal of Information Security, Volume 12, Issue 4, pp 267–297

Less is more: relaxed yet composable security notions for key exchange

  • C. Brzuska
  • M. Fischlin
  • N. P. Smart (corresponding author)
  • B. Warinschi
  • S. C. Williams

Regular Contribution


Abstract

Although they do not suffer from clear attacks, various key agreement protocols (for example the one used within the TLS protocol) are deemed insecure by existing security models for key exchange. The reason is that the derived keys are used within the key exchange step itself, violating the usual key-indistinguishability requirement. In this paper, we propose a new security definition for key exchange protocols that offers two important benefits. Our notion is weaker than the more established ones and thus allows the analysis of a larger class of protocols. Furthermore, security in the sense that we define enjoys rather general composability properties. In addition, our composability properties are derived within game-based formalisms and do not appeal to any simulation-based paradigm. Specifically, we show that protocols whose security relies exclusively on some underlying symmetric primitive can be securely composed with key exchange protocols provided that two main requirements hold: (1) no adversary can break the underlying primitive, even when the primitive uses keys obtained from executions of the key exchange protocol in the presence of the adversary (this is essentially the security requirement that we introduce and formalize in this paper), and (2) the security of the protocol can be reduced to that of the primitive, no matter how the keys for the primitive are distributed. Proving that the two conditions are satisfied and then applying our generic theorem should be simpler than performing a monolithic analysis of the composed protocol. We exemplify our results in the case of a profile of the TLS protocol.


Keywords: Key agreement, TLS
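The abstract's central observation, as an added toy model (not code from the paper; every name in it is an assumption): a handshake that MACs its own transcript under the freshly derived session key, in the style of the TLS Finished message, is trivially distinguished in the classic key-indistinguishability Test game, while the same trivial adversary gains nothing in a game that instead asks it to break the primitive (here a MAC) under keys produced by the key exchange, which is the shape of requirement (1). The premaster secret is assumed to reach both parties confidentially, and only the Finished step is modelled.

```python
import hashlib, hmac, os

# Toy model added for illustration, not code from the paper; all names are
# assumptions. The premaster secret is assumed to reach both parties secretly;
# only the Finished step, which uses the fresh session key inside the KE, is modelled.
FINISHED_LABEL = b"finished"

def kdf(premaster: bytes, transcript: bytes) -> bytes:
    return hmac.new(premaster, transcript, hashlib.sha256).digest()

def mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def run_handshake():
    """Return (public transcript, public Finished tag, secret session key)."""
    transcript = b"client_hello" + os.urandom(16) + b"server_hello" + os.urandom(16)
    premaster = os.urandom(32)                      # never seen by the adversary
    k = kdf(premaster, transcript)
    finished = mac(k, FINISHED_LABEL + transcript)  # session key used during KE
    return transcript, finished, k

def ki_game(b: int) -> int:
    """Classic key-indistinguishability Test query: b=1 hands out the real key,
    b=0 a uniform one. Recomputing Finished under the challenge key reveals b."""
    transcript, finished, k = run_handshake()
    challenge = k if b == 1 else os.urandom(32)
    return 1 if mac(challenge, FINISHED_LABEL + transcript) == finished else 0

def ki_success_rate(trials: int = 100) -> float:
    """Fraction of Test games the trivial adversary wins (1.0): the notion fails
    even though no actual attack on the protocol is implied."""
    wins = sum(ki_game(b) == b for b in (0, 1) for _ in range(trials))
    return wins / (2 * trials)

def mac_with_ke_keys_game(adversary) -> bool:
    """Relaxed view, the shape of requirement (1): the adversary sees all public
    values and wins only by forging a tag, under the session key, on a message
    the protocol never authenticated."""
    transcript, finished, k = run_handshake()
    msg, tag = adversary(transcript, finished)
    fresh = msg != FINISHED_LABEL + transcript
    return fresh and hmac.compare_digest(mac(k, msg), tag)

def replay_adversary(transcript: bytes, finished: bytes):
    """The ki_game distinguisher has nothing to forge with; a replay is not a forgery."""
    return FINISHED_LABEL + transcript, finished

def replay_forges() -> bool:
    return mac_with_ke_keys_game(replay_adversary)
```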



Acknowledgments

The authors would like to thank the European Commission through the ICT Program under Contract ICT-2007-216676 ECRYPT II for partially funding the work in this paper. The first two authors were also supported by the German Academic Exchange Service DAAD and by CASED, and the second author by the Emmy Noether Grant Fi 940/2-1 and the Heisenberg grant Fi 940/3-1 of the German Research Foundation DFG. The third author was supported by a Royal Society Wolfson Merit Award and by ERC Advanced Grant ERC-2010-AdG-267188-CRIPTO. The fifth author was supported by an EPSRC Doctoral Training Account award.



Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • C. Brzuska (1)
  • M. Fischlin (1)
  • N. P. Smart (2, corresponding author)
  • B. Warinschi (2)
  • S. C. Williams (2)

  1. Department of Computer Science, Darmstadt University of Technology, Darmstadt, Germany
  2. Department of Computer Science, University of Bristol, Bristol, UK
