Universally Composable Notions of Key Exchange and Secure Channels
Recently, Canetti and Krawczyk (Eurocrypt’2001) formulated a notion of security for key-exchange (ke) protocols, called SK-security, and showed that this notion suffices for constructing secure channels. However, their model and proofs do not suffice for proving more general composability properties of SK-secure ke protocols.
We show that while the notion of SK-security is strictly weaker than a fully-idealized notion of key-exchange security, it is sufficiently robust to provide secure composition with arbitrary protocols. In particular, SK-security guarantees the security of the key for any application that wishes to set up secret keys between pairs of parties. We also provide new definitions of secure-channels protocols with similarly strong composability properties, and show that SK-security suffices for meeting these definitions.
To obtain these results we use the recently proposed framework of “universally composable (UC) security.” We also use a new tool, called “non-information oracles,” which will probably find applications beyond the present case. These tools allow us to bridge between seemingly limited indistinguishability-based definitions, such as SK-security, and more powerful simulation-based definitions, such as UC security, for which general composition theorems can be proven. Furthermore, based on such composition theorems we reduce the analysis of a full-fledged multi-session key-exchange protocol to the (simpler) analysis of individual, stand-alone key-exchange sessions.
Keywords: Key Exchange; Cryptographic Protocols; Proofs of Security; Composition of Protocols