Two-Pass Authenticated Key Exchange with Explicit Authentication and Tight Security

We propose a generic construction of a 2-pass authenticated key exchange (AKE) scheme with explicit authentication from a key encapsulation mechanism (KEM) and a signature (SIG) scheme. We strengthen the security model of Gjøsteen and Jager [Crypto2018]: in the strong model, if a replayed message is accepted by any user, the authentication of the AKE is considered broken. We define a new security notion for KEM, named "IND-mCPA with adaptive reveals". When the underlying KEM has this security and the SIG is unforgeable under adaptive corruptions, our AKE construction equipped with counters as states is secure in the strong model, and the stateless AKE without counters is secure in the traditional model. We also present a KEM with tight "IND-mCPA security with adaptive reveals" from the Computational Diffie-Hellman assumption in the random oracle model. Instantiating the generic construction with this KEM and the available SIG by Gjøsteen and Jager [Crypto2018] yields the first practical 2-pass AKE with tight security and explicit authentication. In addition, combining the tightly IND-mCCA secure KEM (derived from the PKE by Han et al. [Crypto2019]) with the tightly secure SIG by Bader et al. [TCC2015] gives the first tightly secure 2-pass AKE with explicit authentication in the standard model.
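As an added illustration (not code from the paper), the following Python simulation runs the two-pass KEM+SIG flow with per-party counters as state, so that a replayed first or second message is rejected. The message layout, the toy group parameters, the hashed Diffie-Hellman KEM and the Schnorr SIG are assumptions chosen for illustration; the paper's actual construction and instantiations differ.

```python
import hashlib, secrets

# ASSUMED toy parameters, for illustration only: far too small for real use.
P, G = 2**127 - 1, 3           # Mersenne prime modulus, fixed base
Q = P - 1                      # exponents are reduced mod Q since G^(P-1) = 1 mod P
rnd = lambda: secrets.randbelow(Q - 1) + 1
def H(*parts):                 # SHA-256 of the concatenated parts, as an integer
    return int.from_bytes(hashlib.sha256("|".join(map(str, parts)).encode()).digest(), "big")
# KEM: hashed Diffie-Hellman (keygen / encaps / decaps).
def kem_keygen():
    sk = rnd(); return sk, pow(G, sk, P)
def kem_encaps(pk):            # returns (ciphertext, encapsulated key)
    r = rnd(); return pow(G, r, P), H("kem", pow(pk, r, P))
def kem_decaps(sk, c):
    return H("kem", pow(c, sk, P))
# SIG: Schnorr signatures (keygen / sign / verify).
def sig_keygen():
    x = rnd(); return x, pow(G, x, P)
def sig_sign(x, msg):
    k = rnd(); R = pow(G, k, P)
    return R, (k + H("sig", R, msg) * x) % Q
def sig_verify(y, msg, sig):
    R, s = sig
    return pow(G, s, P) == R * pow(y, H("sig", R, msg), P) % P

class Party:                   # stateful user: own counter + highest counter seen per peer
    def __init__(self, name):
        self.name, self.ctr, self.seen = name, 0, {}
        self.sk, self.pk = sig_keygen()               # long-term signing key pair
    def fresh(self, peer, ctr):                       # replay check: counter must grow
        ok = ctr > self.seen.get(peer, 0)
        if ok: self.seen[peer] = ctr
        return ok
    def init(self, peer):      # pass 1: (ids, ephemeral KEM pk, counter) + signature
        self.ctr += 1; esk, epk = kem_keygen()
        m1 = (self.name, peer.name, epk, self.ctr)
        return (esk, m1), (m1, sig_sign(self.sk, m1))
    def respond(self, initiator, msg1):   # pass 2: verify, encapsulate, sign transcript
        m1, s1 = msg1
        if m1[1] != self.name or not sig_verify(initiator.pk, m1, s1) or not self.fresh(m1[0], m1[3]):
            return None                               # bad signature or replayed counter
        c, K = kem_encaps(m1[2]); self.ctr += 1
        m2 = (self.name, m1[0], c, self.ctr)
        return H("key", K, m1, m2), (m2, sig_sign(self.sk, (m1, m2)))
    def finish(self, responder, state, msg2):         # initiator verifies pass 2, derives key
        (esk, m1), (m2, s2) = state, msg2
        if not sig_verify(responder.pk, (m1, m2), s2) or not self.fresh(m2[0], m2[3]):
            return None
        return H("key", kem_decaps(esk, m2[2]), m1, m2)
```

Both parties derive the session key from the encapsulated key and the full signed transcript; replaying either pass to a party that already accepted that counter returns `None`.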

[1] Tibor Jager et al. Tightly-Secure Authenticated Key Exchange. 2015, IACR Cryptol. ePrint Arch.

[2] Dawu Gu et al. Tight Leakage-Resilient CCA-Security from Quasi-Adaptive Hash Proof System. 2019, IACR Cryptol. ePrint Arch.

[3] Yong Li et al. No-Match Attacks and Robust Partnering Definitions: Defining Trivial Attacks for Security Protocols is Not Trivial. 2017, CCS.

[4] Zhang Ya-juan et al. An identity-based key-exchange protocol. 2008, Wuhan University Journal of Natural Sciences.

[5] Chris Peikert et al. Lattice Cryptography for the Internet. 2014, PQCrypto.

[6] Marc Fischlin et al. Replay Attacks on Zero Round-Trip Time: The Case of the TLS 1.3 Handshake Candidates. 2017, IEEE European Symposium on Security and Privacy (EuroS&P).

[7] Kristin E. Lauter et al. Stronger Security of Authenticated Key Exchange. 2006, ProvSec.

[8] Hugo Krawczyk et al. One-Pass HMQV and Asymmetric Key-Wrapping. 2011, IACR Cryptol. ePrint Arch.

[9] Eric Rescorla et al. The Transport Layer Security (TLS) Protocol Version 1.3. 2018, RFC.

[10] Yuting Xiao et al. Tightly Secure Two-Pass Authenticated Key Exchange Protocol in the CK Model. 2020, CT-RSA.

[11] Hugo Krawczyk et al. HMQV: A High-Performance Secure Diffie-Hellman Protocol. 2005, CRYPTO.

[12] Jorge Luis Villar et al. An Algebraic Framework for Diffie–Hellman Assumptions. 2015, Journal of Cryptology.

[13] Cas J. F. Cremers et al. Beyond eCK: perfect forward secrecy under actor compromise and ephemeral-key reveal. 2012, ESORICS.

[14] Zhengzhong Jin et al. Generic and Practical Key Establishment from Lattice. 2019, ACNS.

[15] Jintai Ding et al. Key Exchange and Authenticated Key Exchange with Reusable Keys Based on RLWE Assumption. 2019, IACR Cryptol. ePrint Arch.

[16] Hugo Krawczyk et al. Security Analysis of IKE's Signature-Based Key-Exchange Protocol. 2002, CRYPTO.

[17] Mihir Bellare et al. Entity Authentication and Key Distribution. 1993, CRYPTO.

[18] Alfred Menezes et al. Unknown Key-Share Attacks on the Station-to-Station (STS) Protocol. 1999, Public Key Cryptography.

[19] Tibor Jager et al. Practical and Tightly-Secure Digital Signatures and Authenticated Key Exchange. 2018, IACR Cryptol. ePrint Arch.

[20] David Cash et al. The Twin Diffie–Hellman Problem and Applications. 2009, Journal of Cryptology.

[21] Tibor Jager et al. Highly Efficient Key Exchange Protocols with Optimal Tightness: Enabling real-world deployments with theoretically sound parameters. 2019, IACR Cryptol. ePrint Arch.