Efficient Key Exchange with Tight Security Reduction

In this paper, we propose two authenticated key exchange (AKE) protocols, SMEN and SMEN−, which have efficient online computation and tight security proofs in the extended Canetti-Krawczyk (eCK) model. SMEN takes 1.25 exponentiations in online computation, close to the 1.17 exponentiations of the most efficient AKEs, MQV and its variants HMQV and CMQV. SMEN has a security reduction as tight as that of NAXOS, which is the first AKE having a tight security reduction in the eCK model. As a comparison, MQV does not have a security proof; both HMQV and CMQV have a highly non-tight security reduction, and HMQV needs a non-standard assumption; NAXOS takes 2.17 exponentiations in online computation; NETS, a NAXOS variant, takes two exponentiations in online computation. SMEN simultaneously achieves online efficiency and a tight security proof at a cost of 0.17 more exponentiations in offline computation and the restriction that one party is not allowed to establish a key with itself. SMEN− takes 1.29 exponentiations in online computation, but SMEN− does not use the static private key to compute the ephemeral public key (as is done in SMEN, NAXOS, CMQV, and NETS), and hence reduces the risk of leaking the static private key.
