Designs, Codes and Cryptography, Volume 74, Issue 1, pp 183–218

Beyond eCK: perfect forward secrecy under actor compromise and ephemeral-key reveal


Abstract

We show that it is possible to achieve perfect forward secrecy (PFS) in two-message or one-round key exchange (KE) protocols even in the presence of very strong active adversaries that can reveal the random values of sessions and compromise the long-term secret keys of parties. We provide two new game-based security models for KE protocols with increasing security guarantees, namely eCK\(^{w}\) and eCK-PFS. The eCK\(^{w}\) model is a slightly stronger variant of the extended Canetti–Krawczyk (eCK) security model. The eCK-PFS model captures PFS in the presence of eCK\(^{w}\) adversaries. We propose a security-strengthening transformation (i.e., a compiler) from eCK\(^{w}\) to eCK-PFS that can be applied to protocols that only achieve security in a weaker model than eCK\(^{w}\), which we call eCK\(^{\text {passive}}\). We show that, given a two-message Diffie–Hellman-type protocol secure in eCK\(^{\text {passive}}\), our transformation yields a two-message protocol that is secure in eCK-PFS. We demonstrate how our transformation can be applied to concrete KE protocols. In particular, our methodology allows us to prove the security of the first known one-round protocol that achieves PFS under actor compromise and ephemeral-key reveal.
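The abstract separates two adversary capabilities, compromising long-term keys and revealing a session's ephemeral randomness, and the point of the paper is a protocol that survives both. The Python program below is an added illustration of why the two capabilities differ; it is not the authors' eCK\(^{\text {passive}}\)-to-eCK-PFS transformation and not code from the paper. It implements the textbook baseline, plain two-message signed Diffie–Hellman with Schnorr signatures, and runs four scenarios: an honest run; an adversary who learns the transcript plus one ephemeral exponent (recovers the key, so the baseline fails under ephemeral-key reveal even though long-term keys never enter the key derivation and their later compromise gives no shortcut); an active adversary without the peer's long-term key (forgery rejected); and a peer compromised before the run (impersonation succeeds, which is why any PFS definition can only speak about compromise after the session completes). The 128-bit demonstration group, the identities `alice`/`bob`, and all function names are assumptions of this example.

```python
"""Two-message signed Diffie-Hellman (Schnorr signatures) over a safe-prime group, to
contrast long-term key compromise with ephemeral-key reveal. Demonstration-size group."""
import hashlib
import secrets

def is_probable_prime(n, rounds=32):
    """Miller-Rabin with random bases; adequate for a demonstration group."""
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime_group(bits=128):
    """Safe prime p = 2q+1 found by upward search; g = 4 generates the order-q subgroup."""
    q = (1 << (bits - 1)) | 1
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4

P, Q, G = safe_prime_group()  # demonstration-size parameters, not for production use

def i2b(x):
    return x.to_bytes((P.bit_length() + 7) // 8, "big")

def h_int(*parts):
    """Hash length-prefixed byte strings to an integer mod Q."""
    h = hashlib.sha256()
    for part in parts:
        h.update(len(part).to_bytes(4, "big") + part)
    return int.from_bytes(h.digest(), "big") % Q

def keygen():
    sk = secrets.randbelow(Q - 1) + 1  # used for long-term and ephemeral pairs alike
    return sk, pow(G, sk, P)

def sign(sk, *msg):
    """Schnorr signature (R, s) with s = k + e*sk mod Q, e = H(R, msg)."""
    k, R = keygen()
    return R, (k + h_int(i2b(R), *msg) * sk) % Q

def verify(pk, sig, *msg):
    R, s = sig
    return 0 < R < P and pow(G, s, P) == R * pow(pk, h_int(i2b(R), *msg), P) % P

def kdf(dh, A, B, X, Y):
    """Key binds g^xy to both identities and ephemeral values; no long-term secret enters."""
    return hashlib.sha256(b"".join([i2b(dh), A, B, i2b(X), i2b(Y)])).digest()

def initiator_send(A, B, lsk_A):
    x, X = keygen()
    return x, (X, sign(lsk_A, i2b(X), A, B))

def responder_reply(B, A, lsk_B, pk_A, msg1):
    X, sig = msg1
    if not verify(pk_A, sig, i2b(X), A, B):
        return None
    y, Y = keygen()
    return kdf(pow(X, y, P), A, B, X, Y), (Y, sign(lsk_B, i2b(Y), i2b(X), B, A))

def initiator_finish(A, B, x, X, pk_B, msg2):
    Y, sig = msg2
    if not verify(pk_B, sig, i2b(Y), i2b(X), B, A):
        return None
    return kdf(pow(Y, x, P), A, B, X, Y)

def demo():
    """Honest run plus three adversary scenarios; returns a dict of outcomes."""
    A, B = b"alice", b"bob"  # constructed identities
    (lsk_A, pk_A), (lsk_B, pk_B), (lsk_E, _) = keygen(), keygen(), keygen()
    x, msg1 = initiator_send(A, B, lsk_A)
    key_B, msg2 = responder_reply(B, A, lsk_B, pk_A, msg1)
    X, Y = msg1[0], msg2[0]
    key_A = initiator_finish(A, B, x, X, pk_B, msg2)
    y_E, Y_E = keygen()  # adversary E's own ephemeral pair
    return {
        # 1. Honest run: both sides derive the same key.
        "honest_keys_match": key_A == key_B,
        # 2. Transcript plus one revealed ephemeral exponent recomputes the key; long-term
        #    keys give no such shortcut (kdf never sees them). Forward secret, not eCK-secure.
        "ephemeral_reveal_recovers_key": kdf(pow(Y, x, P), A, B, X, Y) == key_A,
        # 3. E without B's long-term key: the forged second message is rejected.
        "forgery_rejected": initiator_finish(
            A, B, x, X, pk_B, (Y_E, sign(lsk_E, i2b(Y_E), i2b(X), B, A))) is None,
        # 4. B compromised *before* the run: E impersonates B and shares A's key.
        "pre_compromise_impersonation": initiator_finish(
            A, B, x, X, pk_B, (Y_E, sign(lsk_B, i2b(Y_E), i2b(X), B, A)))
        == kdf(pow(X, y_E, P), A, B, X, Y_E),
    }
```

Scenario 2 is the gap the abstract describes: signing the ephemeral values alone gives forward secrecy against later long-term key compromise, but the key is a function of the ephemeral exponents only, so revealing one of them is fatal. Closing that gap without giving up PFS in two messages is what the paper's transformation is for.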

Keywords

Key exchange; Security models; Protocol transformations; Perfect forward secrecy; Ephemeral-key reveal; Actor compromise

Mathematics Subject Classification

94A60 Cryptography 


Copyright information

© Springer Science+Business Media New York 2013

Authors and Affiliations

Institute of Information Security, ETH Zurich, Zurich, Switzerland
