Designs, Codes and Cryptography, Volume 74, Issue 1, pp 183–218

Beyond eCK: perfect forward secrecy under actor compromise and ephemeral-key reveal


DOI: 10.1007/s10623-013-9852-1

Cite this article as:
Cremers, C. & Feltz, M. Des. Codes Cryptogr. (2015) 74: 183. doi:10.1007/s10623-013-9852-1


We show that it is possible to achieve perfect forward secrecy (PFS) in two-message or one-round key exchange (KE) protocols even in the presence of very strong active adversaries that can reveal random values of sessions and compromise long-term secret keys of parties. We provide two new game-based security models for KE protocols with increasing security guarantees, namely, eCK\(^{w}\) and eCK-PFS. The eCK\(^{w}\) model is a slightly stronger variant of the extended Canetti–Krawczyk (eCK) security model. The eCK-PFS model captures PFS in the presence of eCK\(^{w}\) adversaries. We propose a security-strengthening transformation (i.e., a compiler) from eCK\(^{w}\) to eCK-PFS that can be applied to protocols that only achieve security in a weaker model than eCK\(^{w}\), which we call eCK\(^{\text{passive}}\). We show that, given a two-message Diffie–Hellman type protocol secure in eCK\(^{\text{passive}}\), our transformation yields a two-message protocol that is secure in eCK-PFS. We demonstrate how our transformation can be applied to concrete KE protocols. In particular, our methodology allows us to prove the security of the first known one-round protocol that achieves PFS under actor compromise and ephemeral-key reveal.


Keywords

Key exchange, Security models, Protocol transformations, Perfect forward secrecy, Ephemeral-key reveal, Actor compromise

Mathematics Subject Classification

94A60 Cryptography 

Copyright information

© Springer Science+Business Media New York 2013

Authors and Affiliations

  1. Institute of Information Security, ETH Zurich, Zurich, Switzerland
