Forward-Secure Authenticated Symmetric Key Exchange Protocol: New Security Model and Secure Construction

  • Suvradip Chakraborty
  • Goutam Paul
  • C. Pandu Rangan
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9451)


While a lot of work has been done on the design and security analysis of PKI-based authenticated key exchange (AKE) protocols, very few exist in the symmetric-key setting. The first provably secure symmetric AKE was proposed by Bellare and Rogaway (BR) in CRYPTO 1994, and so far it stands out as the most prominent one for the symmetric-key setting. In line with the significant progress made for PKI-based systems, we propose a stronger model than the BR model for symmetric-key-based systems. We assume that the adversary can launch active attacks. In addition, the adversary can also obtain the long-term secret keys of the parties and the internal states of parties by getting access to their ephemeral secrets (or internal randomness) by means of appropriate oracle queries. The salient feature of our model is the way we handle active adversaries even in the test session.

We also design a symmetric-key AKE construction that is provably secure against active adversaries in our new model using weak primitives. Dodis et al. (EUROCRYPT 2012) used weak Pseudo-Random Functions (wPRF) and a weak Almost-XOR Universal hash function family (wAXU) to design a three-pass one-sided authentication protocol in the symmetric-key paradigm. A direct application of their techniques yields a four-pass (two-round) symmetric-key AKE protocol with mutual authentication. Our construction uses particular instances of these weak primitives and introduces a novel technique called input-swapping to achieve a three-pass symmetric-key AKE protocol with mutual authentication resisting active attacks (even in the test session). Our construction is proven secure in the Random Oracle Model under the DDH assumption.


Keywords: Authenticated key exchange, Input swapping, Random oracle, Key evolving, Perfect forward secrecy, Weak pseudo-random functions, Weak almost universal hash functions



The first two authors sincerely thank Rishiraj Bhattacharyya for a few technical discussions during the early stage of this work that clarified some doubts on this topic. Part of this work was done while the first author was visiting the R. C. Bose Centre for Cryptology and Security, Indian Statistical Institute, Kolkata, during the summer of 2015, and the third author was visiting the Simons Institute for the Theory of Computing, supported by the Simons Foundation and by the DIMACS/Simons Collaboration in Cryptography through NSF grant #CNS-1523467. The second author is also grateful to the Project CoEC (Centre of Excellence in Cryptology), Indian Statistical Institute, Kolkata, funded by the Government of India, for partial support towards this project.


  1. Basin, D., Cremers, C., Meier, S.: Provably repairing the ISO/IEC 9798 standard for entity authentication. J. Comput. Secur. 21(6), 817–846 (2013)
  2. Bird, R.S., Gopal, I., Herzberg, A., Janson, P., Kutten, S., Molva, R., Yung, M.: Systematic design of two-party authentication protocols. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 44–61. Springer, Heidelberg (1992)
  3. Byun, J.K., Lee, D.H., Lim, J.I.: EC2C-PAKA: An efficient client-to-client password-authenticated key agreement. Inf. Sci. 177(19), 3995–4013 (2007)
  4. Boyd, C.: Hidden assumptions in cryptographic protocols. IEE Proc. E (Comput. Digital Tech.) 137(6), 433–436 (1990)
  5. Bellare, M., Rogaway, P.: Entity authentication and key distribution. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 232–249. Springer, Heidelberg (1994)
  6. Chien, H.-Y.: SASI: A new ultralightweight RFID authentication protocol providing strong authentication and strong integrity. IEEE Trans. Dependable Secure Comput. 4(4), 337–340 (2007)
  7. Clark, J.A., Jacob, J.L.: A survey of authentication protocol literature: Version 1.0 (1997)
  8. Canetti, R., Krawczyk, H.: Analysis of key-exchange protocols and their use for building secure channels. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 453–474. Springer, Heidelberg (2001)
  9. Cao, T., Lei, H.: Privacy-enhancing authenticated key agreement protocols based on elliptic curve cryptosystem. Acta Electronica Sinica 36(2), 397 (2008)
  10. Cheng, H., Yang, G.: EKAES: An efficient key agreement and encryption scheme for wireless sensor networks. J. Electron. (China) 25(4), 495–502 (2008)
  11. Diffie, W., Hellman, M.E.: New directions in cryptography. IEEE Trans. Inf. Theory 22(6), 644–654 (1976)
  12. Dodis, Y., Kiltz, E., Pietrzak, K., Wichs, D.: Message authentication, revisited. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 355–374. Springer, Heidelberg (2012)
  13. Diffie, W., Van Oorschot, P.C., Wiener, M.J.: Authentication and authenticated key exchanges. Des. Codes Crypt. 2(2), 107–125 (1992)
  14. Gong, L., Needham, R., Yahalom, R.: Reasoning about belief in cryptographic protocols. In: Proceedings of the 1990 IEEE Computer Society Symposium on Research in Security and Privacy, pp. 234–248. IEEE (1990)
  15. Günther, C.G.: An identity-based key-exchange protocol. In: Quisquater, J.-J., Vandewalle, J. (eds.) EUROCRYPT 1989. LNCS, vol. 434, pp. 29–37. Springer, Heidelberg (1990)
  16. Jeong, I.R., Katz, J., Lee, D.-H.: One-round protocols for two-party authenticated key exchange. In: Jakobsson, M., Yung, M., Zhou, J. (eds.) ACNS 2004. LNCS, vol. 3089, pp. 220–232. Springer, Heidelberg (2004)
  17. Krawczyk, H.: HMQV: a high-performance secure Diffie-Hellman protocol. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 546–566. Springer, Heidelberg (2005)
  18. Rongxing, L., Cao, Z., Zhu, H.: An enhanced authenticated key agreement protocol for wireless mobile communication. Comput. Stand. Interfaces 29(6), 647–652 (2007)
  19. LaMacchia, B.A., Lauter, K., Mityagin, A.: Stronger security of authenticated key exchange. In: Susilo, W., Liu, J.K., Mu, Y. (eds.) ProvSec 2007. LNCS, vol. 4784, pp. 1–16. Springer, Heidelberg (2007)
  20. Law, L., Menezes, A., Minghua, Q., Solinas, J., Vanstone, S.: An efficient protocol for authenticated key agreement. Des. Codes Crypt. 28(2), 119–134 (2003)
  21. Menezes, A., Ustaoglu, B.: Comparing the pre- and post-specified peer models for key agreement. In: Mu, Y., Susilo, W., Seberry, J. (eds.) ACISP 2008. LNCS, vol. 5107, pp. 53–68. Springer, Heidelberg (2008)
  22. Needham, R.M., Schroeder, M.D.: Using encryption for authentication in large networks of computers. Commun. ACM 21(12), 993–999 (1978)
  23. Otway, D., Rees, O.: Efficient and timely mutual authentication. ACM SIGOPS Operating Syst. Rev. 21(1), 8–10 (1987)
  24. Satyanarayanan, M.: Scalable, secure, and highly available distributed file access. Computer 23(5), 9–18 (1990)
  25. Sarr, A.P., Elbaz-Vincent, P., Bajard, J.-C.: A new security model for authenticated key agreement. In: Garay, J.A., De Prisco, R. (eds.) SCN 2010. LNCS, vol. 6280, pp. 219–234. Springer, Heidelberg (2010)
  26. Shoup, V.: On formal models for secure key exchange. CiteSeer (1999)
  27. Ustaoglu, B.: Obtaining a secure and efficient key agreement protocol from (H)MQV and NAXOS. Des. Codes Crypt. 46(3), 329–342 (2008)

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  • Suvradip Chakraborty (1)
  • Goutam Paul (2)
  • C. Pandu Rangan (1)
  1. Department of Computer Science and Engineering, Indian Institute of Technology Madras, Chennai, India
  2. Cryptology and Security Research Unit (CSRU), R. C. Bose Centre for Cryptology and Security, Indian Statistical Institute, Kolkata, India