Universally Composable Notions of Key Exchange and Secure Channels

Extended Abstract
  • Ran Canetti
  • Hugo Krawczyk
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2332)


Recently, Canetti and Krawczyk (Eurocrypt’2001) formulated a notion of security for key-exchange (ke) protocols, called SK-security, and showed that this notion suffices for constructing secure channels. However, their model and proofs do not suffice for proving more general composability properties of SK-secure ke protocols.

We show that while the notion of SK-security is strictly weaker than a fully-idealized notion of key exchange security, it is sufficiently robust for providing secure composition with arbitrary protocols. In particular, SK-security guarantees the security of the key for any application that desires to set-up secret keys between pairs of parties. We also provide new definitions of secure-channels protocols with similarly strong composability properties, and show that SK-security suffices for obtaining these definitions.

To obtain these results we use the recently proposed framework of “universally composable (UC) security.” We also use a new tool, called “non-information oracles,” which will probably find applications beyond the present case. These tools allow us to bridge between seemingly limited indistinguishability-based definitions such as SK-security and more powerful, simulation-based definitions, such as UC security, where general composition theorems can be proven. Furthermore, based on such composition theorems we reduce the analysis of a full-fledged multi-session key-exchange protocol to the (simpler) analysis of individual, stand-alone, key-exchange sessions.


Key Exchange Cryptographic Protocols Proofs of Security Composition of protocols 


  1. [B91]
    D. Beaver, “Secure Multi-party Protocols and Zero-Knowledge Proof Systems Tolerating a Faulty Minority”, J. Cryptology (1991) 4: 75–122.zbMATHCrossRefGoogle Scholar
  2. [BCK98]
    M. Bellare, R. Canetti and H. Krawczyk, “A modular approach to the design and analysis of authentication and key-exchange protocols”, 30th STOC, 1998.Google Scholar
  3. [BR93]
    M. Bellare and P. Rogaway, “Entity authentication and key distribution”, Advances in Cryptology,-CRYPTO’93, Lecture Notes in Computer Science Vol. 773, D. Stinson ed, Springer-Verlag, 1994, pp. 232–249.Google Scholar
  4. [BR95]
    M. Bellare and P. Rogaway, “Provably secure session key distribution-the three party case,” Annual Symposium on the Theory of Computing (STOC), 1995.Google Scholar
  5. [BR91]
    [B91]_R. Bird, I. Gopal, A. Herzberg, P. Janson, S. Kutten, R. Molva and M. Yung, “Systematic design of two-party authentication protocols,” IEEE Journal on Selected Areas in Communications (special issue on Secure Communications), 11(5):679–693, June 1993. (Preliminary version: Crypto’91.)Google Scholar
  6. [BJM97]
    S. Blake-Wilson, D. Johnson and A. Menezes, “Key exchange protocols and their security analysis,” Proceedings of the sixth IMA International Conference on Cryptography and Coding, 1997.Google Scholar
  7. [C00]
    R. Canetti, “Security and Composition of Multiparty Cryptographic Protocols”, Journal of Cryptology, Winter 2000. On-line version at
  8. [C01]
    R. Canetti, “Universally Composable Security: A New paradigm for Cryptographic Protocols”, 42nd FOCS, 2001. Full version available at
  9. [CK01]
    R. Canetti and H. Krawczyk, “Analysis of Key-Exchange Protocols and Their Use for Building Secure Channels”, Eurocrypt 01, 2001. Full version at
  10. [CK02]
    R. Canetti and H. Krawczyk, “Universally Composable Notions of Key Exchange and Secure Channels”, IACR’s Eprint archive,
  11. [CR02]
    R. Canetti and T. Rabin, “Universal Composition with Join State”, available on the Eprint archive,, 2002.
  12. [DH76]
    W. Diffie and M. Hellman, “New directions in cryptography,” IEEE Trans. Info. Theory IT-22, November 1976, pp. 644–654.Google Scholar
  13. [DOW92]
    W. Diffie, P. van Oorschot and M. Wiener, “Authentication and authenticated key exchanges”, Designs, Codes and Cryptography, 2, 1992, pp. 107–125.CrossRefGoogle Scholar
  14. [DM00]
    Y. Dodis and S. Micali, “Secure Computation”, CRYPTO’ 00, 2000.Google Scholar
  15. [FS90]
    U. Feige and A. Shamir. Witness Indistinguishability and Witness Hiding Protocols. In 22nd STOC, pages 416–426, 1990.Google Scholar
  16. [G01]
    O. Goldreich, “Foundations of Cryptography”, Cambridge University Press, 2001. Prelim. version available at
  17. [GL90]
    S. Goldwasser, and L. Levin, “Fair Computation of General Functions in Presence of Immoral Majority”, CRYPTO’ 90, LNCS 537, Springer-Verlag, 1990.Google Scholar
  18. [GM84]
    S. Goldwasser and S. Micali, Probabilistic encryption, JCSS, Vol. 28, No 2, April 1984, pp. 270–299.zbMATHMathSciNetGoogle Scholar
  19. [GMRA89]
    S. Goldwasser, S. Micali and C. Rackoff, “The Knowledge Complexity of Interactive Proof Systems”, SIAM Journal on Comput., Vol. 18, No. 1, 1989, pp. 186–208.zbMATHCrossRefMathSciNetGoogle Scholar
  20. [GMRI88]
    S. Goldwasser, S. Micali, and R.L. Rivest. A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks. SIAM J. Comput., April 1988, pages 281–308.Google Scholar
  21. [MOV96]
    A. Menezes, P. Van Oorschot and S. Vanstone, “Handbook of Applied Cryptography,” CRC Press, 1996.Google Scholar
  22. [MR91]
    S. Micali and P. Rogaway, “Secure Computation”, unpublished manuscript, 1992. Preliminary version in CRYPTO 91.Google Scholar
  23. [PSW00]
    B. Pfitzmann, M. Schunter and M. Waidner, “Provably Secure Certified Mail”, IBM Research Report RZ 3207 (#93253), IBM Research, Zurich, August 2000.Google Scholar
  24. [S99]
    V. Shoup, “On Formal Models for Secure Key Exchange” Theory of Cryptography Library, 1999. Available at:

Copyright information

© Springer-Verlag Berlin Heidelberg 2002

Authors and Affiliations

  • Ran Canetti
    • 1
  • Hugo Krawczyk
    • 2
  1. 1.IBM T.J. Watson Research CenterUSA
  2. 2.EE DepartmentTechnionUSA

Personalised recommendations