One-Round Authenticated Key Exchange without Implementation Trick
Fujioka et al. proposed the first generic construction (FSXY construction) of exposure-resilient authenticated key exchange (AKE) from key encapsulation mechanism (KEM) without random oracles. However, the FSXY construction implicitly assumes some intermediate computation result is never exposed though other secret information can be exposed. This is a kind of physical assumption, and an implementation trick (i.e., some on-line computation is executed in a special tamper-proof module) is necessary to achieve the assumption. Unfortunately, such an implementation trick is very costly and should be avoided. In this paper, we introduce a new generic construction without the implementation trick. Our construction satisfies the same security model as the FSXY construction without increasing communication complexity. Moreover, it has another advantage that the protocol can be executed in one-round while the FSXY construction is a sequential two-move protocol. Our key idea is to use KEM with public-key-independent-ciphertext, which allows parties to be able to generate a ciphertext without depending on encryption keys.
Keywordsauthenticated key exchange NAXOS trick key encapsulation mechanism exposure-resilience
Unable to display preview. Download preview PDF.
- 6.Cremers, C.J.F.: Examining Indistinguishability-Based Security Models for Key Exchange Protocols: The case of CK, CK-HMQV, and eCK. In: ASIACCS 2011, pp. 80–91 (2011)Google Scholar
- 7.Damgård, I.: Towards Practical Public Key Systems Secure Against Chosen Ciphertext Attacks. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 445–456. Springer, Heidelberg (1992)Google Scholar
- 13.Yoneyama, K.: One-Round Authenticated Key Exchange with Strong Forward Secrecy in the Standard Model against Constrained Adversary. IEICE Transactions 96-A(6), 1124–1138 (2013)Google Scholar
- 14.Yoneyama, K.: Generic Construction of Two-Party Round-Optimal Attribute-Based Authenticated Key Exchange without Random Oracles. IEICE Transactions 96-A(6), 1112–1123 (2013)Google Scholar
- 18.Gennaro, R., Shoup, V.: A Note on An Encryption Scheme of Kurosawa and Desmedt. In: Cryptology ePrint Archive: 2004/194 (2004)Google Scholar