Beyond eCK: perfect forward secrecy under actor compromise and ephemeral-key reveal

@article{Cremers2015BeyondEP,
  title={Beyond eCK: perfect forward secrecy under actor compromise and ephemeral-key reveal},
  author={Cas J. F. Cremers and Mich{\`e}le Feltz},
  journal={Designs, Codes and Cryptography},
  year={2015},
  volume={74},
  pages={183-218}
}
  • C. Cremers, M. Feltz
  • Published 2015
  • Computer Science, Mathematics
  • Designs, Codes and Cryptography
We show that it is possible to achieve perfect forward secrecy (PFS) in two-message or one-round key exchange (KE) protocols even in the presence of very strong active adversaries that can reveal random values of sessions and compromise long-term secret keys of parties. We provide two new game-based security models for KE protocols with increasing security guarantees, namely, eCK$^{w}$ and eCK-PFS. The eCK$^{w}$ model is a slightly stronger variant of the extended Canetti–Krawczyk (eCK… 

Towards modelling perfect forward secrecy in two-message authenticated key exchange under ephemeral-key revelation
TLDR
It is shown that it is possible to apply the transformation to all CF-secure AKE protocols including all eCK-secure TMAKE protocols in the random oracle model, without restricting to a small specific class of Diffie-Hellman key based protocols.
0-RTT Key Exchange with Full Forward Secrecy
TLDR
0-RTT protocols are a class of KE protocols which allow a client to send cryptographically protected payload in zero round-trip time (0-RTT) along with the very first KE protocol message, thereby minimizing latency.
On Continuous After-the-Fact Leakage-Resilient Key Exchange
  • M. Toorani
  • Computer Science, Mathematics
    IACR Cryptol. ePrint Arch.
  • 2014
TLDR
This paper presents an attack and counterproofs for the security of protocol π which invalidates the formal security proofs of protocol π in the CAFL model, and shows that it does not capture its claimed security.
Multi-cast key distribution: scalable, dynamic and provably secure construction
TLDR
This paper introduces the first formal security definition for DMKD under the star topology in order to capture such strong exposure resilience and time-based backward secrecy.
Breakdown Resilience of Key Exchange Protocols and the Cases of NewHope and TLS 1.3
TLDR
This work introduces an extension to the common Bellare–Rogaway model that can provide security guarantees in what is called the breakdown scenario and describes the resulting security notion, breakdown resilience, which allows security claims to be made even in case of unexpected failure of primitives in the protocol.
Strongly secure authenticated key exchange in the standard model
TLDR
Three new efficient compilers are presented to generically turn passively secure key exchange protocols (KE) into authenticated key exchange protocols (AKE) where security also holds in the presence of active adversaries.
Authenticated Key Exchange from Ideal Lattices
TLDR
A practical and provably secure two-pass authenticated key exchange protocol over ideal lattices, which is conceptually simple and has similarities to the Diffie-Hellman based protocols such as HMQV and OAKE.
Future-Proofing Key Exchange Protocols
TLDR
This thesis systematically classifies the PRF-ODH assumption, a complexity-theoretic hardness assumption that has been used in key exchange security analyses of such prominent protocols as TLS, Signal, and Wireguard, and investigates the effects of primitive failures on key exchange protocols.
Mind the Gap: Modular Machine-Checked Proofs of One-Round Key Exchange Protocols
TLDR
This proof improves earlier work by Kudla and Paterson (ASIACRYPT 2005) in three significant ways: it considers a stronger adversary model, provides support tailored to protocols that utilize the Naxos trick, and supports proofs under the Computational DH assumption not relying on Gap oracles.
On Post-compromise Security
TLDR
This work provides the first informal and formal definitions for post-compromise security, and shows that it can be achieved in several scenarios and develops two new strong security models for two different threat models.

References

SHOWING 1-10 OF 36 REFERENCES
Beyond eCK: Perfect Forward Secrecy under Actor Compromise and Ephemeral-Key Reveal
We show that it is possible to achieve perfect forward secrecy in two-message key exchange (KE) protocols that satisfy even stronger security properties than provided by the extended Canetti-Krawczyk
One-round Strongly Secure Key Exchange with Perfect Forward Secrecy and Deniability
TLDR
A concrete protocol is proposed and it is proved that it satisfies the definition of key-exchange security in the random oracle model as well as peer-and-time deniability.
Strongly-Secure Identity-Based Key Agreement and Anonymous Extension
TLDR
This work proposes an ID-based key agreement protocol and proves its security in the widely accepted indistinguishability-based model of Canetti and Krawczyk and extends its basic protocol to support ad-hoc anonymous key agreement with bilateral privacy.
Strongly Secure Authenticated Key Exchange without NAXOS' Approach
TLDR
It is shown that it is possible to construct an eCK-secure protocol without the NAXOS' approach by proposing two eCK-secure protocols, one is secure under the GDH assumption and the other under the CDH assumption; their efficiency and security assurances are comparable to the well-known HMQV protocol.
One-Round Protocols for Two-Party Authenticated Key Exchange
TLDR
This work provides the first provably-secure one-round protocols for two-party AKE which achieve forward secrecy, and is the first to provide forward secrecy in the random oracle model.
Security Analysis of KEA Authenticated Key Exchange Protocol
TLDR
It is proved that the modified protocol, called KEA+, satisfies the strongest security requirements for authenticated key-exchange and that it retains some security even if a secret key of a party is leaked.
Scalable Protocols for Authenticated Group Key Exchange
TLDR
The main contribution is the first scalable protocol for this problem along with a rigorous proof of security in the standard model under the DDH assumption; the protocol uses a constant number of rounds and requires only O(1) "full" modular exponentiations per user.
Stronger Security of Authenticated Key Exchange
TLDR
This work extends the Canetti-Krawczyk model for AKE security by providing significantly greater powers to the adversary and introduces a new AKE protocol called NAXOS to prove that it is secure against these stronger adversaries.
On Forward Secrecy in One-Round Key Exchange
TLDR
It is shown that protocols exist which provide strong forward secrecy and remain secure with weak forward secrecy even when the adversary is allowed to obtain ephemeral keys.
HMQV: A High-Performance Secure Diffie-Hellman Protocol
TLDR
HMQV is presented, a carefully designed variant of MQV that provides the same superb performance and functionality of the original protocol but for which all of MQV's security goals can be formally proved to hold in the random oracle model under the computational Diffie-Hellman assumption.