On Forward Secrecy in One-Round Key Exchange

  • Colin Boyd
  • Juan González Nieto
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7089)


Most one-round key exchange protocols provide only weak forward secrecy at best. Furthermore, one-round protocols with strong forward secrecy often break badly when faced with an adversary who can obtain ephemeral keys. We provide a characterisation of how strong forward secrecy can be achieved in one-round key exchange. Moreover, we show that protocols exist which provide strong forward secrecy and remain secure with weak forward secrecy even when the adversary is allowed to obtain ephemeral keys. We provide a compiler to achieve this for any existing secure protocol with weak forward secrecy.


Message Authentication Code Forward Secrecy Perfect Forward Secrecy Cryptology ePrint Archive Matching Session 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Bellare, M., Canetti, R., Krawczyk, H.: A modular approach to the design and analysis of authentication and key exchange protocols. In: 30th ACM Symposium on Theory of Computing, pp. 419–428. ACM Press (1998),
  2. 2.
    Bellare, M., Pointcheval, D., Rogaway, P.: Authenticated Key Exchange Secure against Dictionary Attacks. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 139–155. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  3. 3.
    Bellare, M., Rogaway, P.: Entity Authentication and Key Distribution. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 232–249. Springer, Heidelberg (1994), CrossRefGoogle Scholar
  4. 4.
    Bellare, M., Rogaway, P.: Provably secure session key distribution – the three party case. In: 27th ACM Symposium on Theory of Computing, pp. 57–66. ACM Press (1995)Google Scholar
  5. 5.
    Boyd, C., Cliff, Y., Gonzalez Nieto, J.M., Paterson, K.G.: Efficient One-Round Key Exchange in the Standard Model. In: Mu, Y., Susilo, W., Seberry, J. (eds.) ACISP 2008. LNCS, vol. 5107, pp. 69–83. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  6. 6.
    Canetti, R., Krawczyk, H.: Analysis of Key-exchange Protocols and their use for Building Secure Channels. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 453–474. Springer, Heidelberg (2001), CrossRefGoogle Scholar
  7. 7.
    Canetti, R., Krawczyk, H.: Universally Composable Notions of Key Exchange and Secure Channels. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 337–351. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  8. 8.
    Chatterjee, S., Menezes, A., Ustaoglu, B.: Reusing Static Keys in Key Agreement Protocols. In: Roy, B., Sendrier, N. (eds.) INDOCRYPT 2009. LNCS, vol. 5922, pp. 39–56. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  9. 9.
    Chow, S.S.M., Choo, K.-K.R.: Strongly-Secure Identity-Based Key Agreement and Anonymous Extension. In: Garay, J.A., Lenstra, A.K., Mambo, M., Peralta, R. (eds.) ISC 2007. LNCS, vol. 4779, pp. 203–220. Springer, Heidelberg (2007), CrossRefGoogle Scholar
  10. 10.
    Cremers, C., Feltz, M.: One-round strongly secure key exchange with perfect forward secrecy and deniability. Cryptology ePrint Archive, Report 2011/300 (2011),
  11. 11.
    Cremers, C.J.F.: Formally and practically relating the CK, CK-HMQV, and eCK security models for authenticated key exchange. Cryptology ePrint Archive, Report 2009/253 (2009),
  12. 12.
    Dent, A.W.: A note on game-hopping proofs. Cryptology ePrint Archive, Report 2006/260 (2006),
  13. 13.
    Diffie, W., Hellman, M.E.: New directions in cryptography. IEEE Transactions on Information Theory IT-22(6), 644–654 (1976)CrossRefzbMATHMathSciNetGoogle Scholar
  14. 14.
    Diffie, W., van Oorschot, P.C., Wiener, M.J.: Authentication and authenticated key exchange. Designs, Codes and Cryptography 2, 107–125 (1992)CrossRefMathSciNetGoogle Scholar
  15. 15.
    Gennaro, R., Krawczyk, H., Rabin, T.: Okamoto-Tanaka Revisited: Fully Authenticated Diffie-Hellman with Minimal Overhead. In: Zhou, J., Yung, M. (eds.) ACNS 2010. LNCS, vol. 6123, pp. 309–328. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  16. 16.
    Jeong, I.R., Katz, J., Lee, D.-H.: One-round Protocols for Two-party Authenticated Key Exchange. In: Jakobsson, M., Yung, M., Zhou, J. (eds.) ACNS 2004. LNCS, vol. 3089, pp. 220–232. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  17. 17.
    Krawczyk, H.: HMQV: A High-Performance Secure Diffie–Hellman Protocol. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 546–566. Springer, Heidelberg (2005), CrossRefGoogle Scholar
  18. 18.
    LaMacchia, B.A., Lauter, K., Mityagin, A.: Stronger Security of Authenticated Key Exchange. In: Susilo, W., Liu, J.K., Mu, Y. (eds.) ProvSec 2007. LNCS, vol. 4784, pp. 1–16. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  19. 19.
    Menezes, A., Ustaoglu, B.: Comparing the pre- and post-specified peer models for key agreement. IJACT 1(3), 236–250 (2009)CrossRefzbMATHMathSciNetGoogle Scholar
  20. 20.
    Okamoto, E.: Key Distribution Systems Based on Identification Information. In: Pomerance, C. (ed.) CRYPTO 1987. LNCS, vol. 293, pp. 194–202. Springer, Heidelberg (1988)Google Scholar
  21. 21.
    Okamoto, E., Tanaka, K.: Key distribution system based on identification information. IEEE Journal on Selected Areas in Communications 7(4), 481–485 (1989)CrossRefGoogle Scholar
  22. 22.
    Okamoto, T., Pointcheval, D.: The Gap-problems: a New Class of Problems for the Security of Cryptographic Schemes. In: Kim, K.-c. (ed.) PKC 2001. LNCS, vol. 1992, pp. 104–118. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  23. 23.
    Sarr, A.P., Elbaz-Vincent, P., Bajard, J.-C.: A new security model for authenticated key agreement. Cryptology ePrint Archive, Report 2010/237 (2010),
  24. 24.
    Shoup, V.: On formal models for secure key exchange (November 1999),
  25. 25.
    Ustaoglu, B.: Comparing SessionStateReveal and EphemeralKeyReveal for Diffie–Hellman Protocols. In: Pieprzyk, J., Zhang, F. (eds.) ProvSec 2009. LNCS, vol. 5848, pp. 183–197. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  26. 26.
    Ustaoglu, B.: Obtaining a secure and efficient key agreement protocol from (H)MQV and NAXOS. Des. Codes Cryptography 46(3), 329–342 (2008)CrossRefzbMATHMathSciNetGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Colin Boyd
    • 1
  • Juan González Nieto
    • 1
  1. 1.Information Security InstituteQueensland University of TechnologyBrisbaneAustralia

Personalised recommendations