Universally Composable Notions of Key Exchange and Secure Channels

Extended Abstract
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2332)


Recently, Canetti and Krawczyk (Eurocrypt’2001) formulated a notion of security for key-exchange (ke) protocols, called SK-security, and showed that this notion suffices for constructing secure channels. However, their model and proofs do not suffice for proving more general composability properties of SK-secure ke protocols.

We show that while the notion of SK-security is strictly weaker than a fully-idealized notion of key exchange security, it is sufficiently robust for providing secure composition with arbitrary protocols. In particular, SK-security guarantees the security of the key for any application that desires to set-up secret keys between pairs of parties. We also provide new definitions of secure-channels protocols with similarly strong composability properties, and show that SK-security suffices for obtaining these definitions.

To obtain these results we use the recently proposed framework of “universally composable (UC) security.” We also use a new tool, called “non-information oracles,” which will probably find applications beyond the present case. These tools allow us to bridge between seemingly limited indistinguishability-based definitions such as SK-security and more powerful, simulation-based definitions, such as UC security, where general composition theorems can be proven. Furthermore, based on such composition theorems we reduce the analysis of a full-fledged multi-session key-exchange protocol to the (simpler) analysis of individual, stand-alone, key-exchange sessions.


Key Exchange Cryptographic Protocols Proofs of Security Composition of protocols 


  1. [B91]
    D. Beaver, “Secure Multi-party Protocols and Zero-Knowledge Proof Systems Tolerating a Faulty Minority”, J. Cryptology (1991) 4: 75–122.zbMATHCrossRefGoogle Scholar
  2. [BCK98]
    M. Bellare, R. Canetti and H. Krawczyk, “A modular approach to the design and analysis of authentication and key-exchange protocols”, 30th STOC, 1998.Google Scholar
  3. [BR93]
    M. Bellare and P. Rogaway, “Entity authentication and key distribution”, Advances in Cryptology,-CRYPTO’93, Lecture Notes in Computer Science Vol. 773, D. Stinson ed, Springer-Verlag, 1994, pp. 232–249.Google Scholar
  4. [BR95]
    M. Bellare and P. Rogaway, “Provably secure session key distribution-the three party case,” Annual Symposium on the Theory of Computing (STOC), 1995.Google Scholar
  5. [BR91]
    [B91]_R. Bird, I. Gopal, A. Herzberg, P. Janson, S. Kutten, R. Molva and M. Yung, “Systematic design of two-party authentication protocols,” IEEE Journal on Selected Areas in Communications (special issue on Secure Communications), 11(5):679–693, June 1993. (Preliminary version: Crypto’91.)Google Scholar
  6. [BJM97]
    S. Blake-Wilson, D. Johnson and A. Menezes, “Key exchange protocols and their security analysis,” Proceedings of the sixth IMA International Conference on Cryptography and Coding, 1997.Google Scholar
  7. [C00]
    R. Canetti, “Security and Composition of Multiparty Cryptographic Protocols”, Journal of Cryptology, Winter 2000. On-line version at
  8. [C01]
    R. Canetti, “Universally Composable Security: A New paradigm for Cryptographic Protocols”, 42nd FOCS, 2001. Full version available at
  9. [CK01]
    R. Canetti and H. Krawczyk, “Analysis of Key-Exchange Protocols and Their Use for Building Secure Channels”, Eurocrypt 01, 2001. Full version at
  10. [CK02]
    R. Canetti and H. Krawczyk, “Universally Composable Notions of Key Exchange and Secure Channels”, IACR’s Eprint archive,
  11. [CR02]
    R. Canetti and T. Rabin, “Universal Composition with Join State”, available on the Eprint archive,, 2002.
  12. [DH76]
    W. Diffie and M. Hellman, “New directions in cryptography,” IEEE Trans. Info. Theory IT-22, November 1976, pp. 644–654.Google Scholar
  13. [DOW92]
    W. Diffie, P. van Oorschot and M. Wiener, “Authentication and authenticated key exchanges”, Designs, Codes and Cryptography, 2, 1992, pp. 107–125.CrossRefGoogle Scholar
  14. [DM00]
    Y. Dodis and S. Micali, “Secure Computation”, CRYPTO’ 00, 2000.Google Scholar
  15. [FS90]
    U. Feige and A. Shamir. Witness Indistinguishability and Witness Hiding Protocols. In 22nd STOC, pages 416–426, 1990.Google Scholar
  16. [G01]
    O. Goldreich, “Foundations of Cryptography”, Cambridge University Press, 2001. Prelim. version available at
  17. [GL90]
    S. Goldwasser, and L. Levin, “Fair Computation of General Functions in Presence of Immoral Majority”, CRYPTO’ 90, LNCS 537, Springer-Verlag, 1990.Google Scholar
  18. [GM84]
    S. Goldwasser and S. Micali, Probabilistic encryption, JCSS, Vol. 28, No 2, April 1984, pp. 270–299.zbMATHMathSciNetGoogle Scholar
  19. [GMRA89]
    S. Goldwasser, S. Micali and C. Rackoff, “The Knowledge Complexity of Interactive Proof Systems”, SIAM Journal on Comput., Vol. 18, No. 1, 1989, pp. 186–208.zbMATHCrossRefMathSciNetGoogle Scholar
  20. [GMRI88]
    S. Goldwasser, S. Micali, and R.L. Rivest. A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks. SIAM J. Comput., April 1988, pages 281–308.Google Scholar
  21. [MOV96]
    A. Menezes, P. Van Oorschot and S. Vanstone, “Handbook of Applied Cryptography,” CRC Press, 1996.Google Scholar
  22. [MR91]
    S. Micali and P. Rogaway, “Secure Computation”, unpublished manuscript, 1992. Preliminary version in CRYPTO 91.Google Scholar
  23. [PSW00]
    B. Pfitzmann, M. Schunter and M. Waidner, “Provably Secure Certified Mail”, IBM Research Report RZ 3207 (#93253), IBM Research, Zurich, August 2000.Google Scholar
  24. [S99]
    V. Shoup, “On Formal Models for Secure Key Exchange” Theory of Cryptography Library, 1999. Available at:

Copyright information

© Springer-Verlag Berlin Heidelberg 2002

Authors and Affiliations

  1. 1.IBM T.J. Watson Research CenterUSA
  2. 2.EE DepartmentTechnionUSA

Personalised recommendations