Abstract
Weak forward secrecy (wFS) of authenticated key exchange (AKE) protocols is a passive variant of (full) forward secrecy (FS). A natural mechanism to upgrade from wFS to FS is the use of key confirmation messages which compute a message authentication code (MAC) over the transcript. Unfortunately, Gellert, Gjøsteen, Jacobson and Jager (GGJJ, CRYPTO 2023) show that this mechanism inherently incurs a loss proportional to the number of users, leading to an overall non-tight reduction, even if wFS was established using a tight reduction.
Inspired by GGJJ, we propose a new notion, called one-way verifiable weak forward secrecy (OW-VwFS), and prove that OW-VwFS can be transformed tightly to FS using key confirmation in the random oracle model (ROM). To implement our generic transformation, we show that several tightly wFS AKE protocols additionally satisfy our OW-VwFS notion tightly. We highlight that using the recent lattice-based protocol from Pan, Wagner, and Zeng (CRYPTO 2023) can give us the first lattice-based tightly FS AKE via key confirmation in the classical random oracle model. Besides this, we also obtain a Decisional-Diffie-Hellman-based protocol that is considerably more efficient than the previous ones.
Finally, we lift our study on FS via key confirmation to the quantum random oracle model (QROM). While our security reduction is overall non-tight, it matches the best existing bound for wFS in the QROM (Pan, Wagner, and Zeng, ASIACRYPT 2023), namely, it is square-root- and session-tight. Our analysis is in the multi-challenge setting, and it is more realistic than the single-challenge setting as in Pan et al.
You have full access to this open access chapter, Download conference paper PDF
Keywords
1 Introduction
Forward secrecy (FS) is an essential security requirement for authenticated key exchange (AKE) protocols. It states that even if an active adversary corrupts a user’s long-term secret key, all session keys agreed before should remain secret to the adversary. A weaker form of FS is called weak FS (wFS), where an adversary is not allowed to perform active attacks, namely, it does not actively interfere with the protocol transcripts of the session that it attacks.
Key confirmation is simple and arguably the most efficient way in achieving FS and has been used in many works, e.g., [10, 15, 24]. Essentially, it generically transforms an AKE protocol with wFS to FS. More precisely, two parties firstly run a wFS AKE protocol to agree on a session key k, and then they exchange key confirmation messages derived from k. These messages are usually message authentication codes (MAC) on the protocol transcripts using k as the MAC key. Apart from key confirmation, one can use a digital signature scheme to sign a passively secure key exchange protocol as in the signed Diffie-Hellman protocol [19, 27] to provide FS. Considering that using a MAC or hash function is much more efficient than digital signatures, the signature-based approach is often inefficient and less desirable.
Security Models for AKE. Defining the security for AKE protocols is a complex task, and there are many different security models for AKE (e.g., [3, 7, 25]). In this paper, we consider active adversaries that can modify, drop, or inject some messages. Moreover, they may adaptively corrupt users’ long-term secret keys via \(\textsc {Corr}\) oracle and reveal session keys via \(\textsc {Reveal}\) oracle. Some of the models even allow adversaries to learn ephemeral states (which are usually randomness in generating protocol messages) via \(\textsc {Rev}\text {-}\textsc {State}\) oracle. We formalize key secrecy via \(\textsc {Test}\), where an adversary \(\mathcal {A}\) chooses a fresh session, receives either a real or random key for it, and shall distinguish between the two. We consider the single-bit guessing, multi-challenge security, namely, \(\mathcal {A}\) can query \(\textsc {Test}\) multiple times and each time \(\textsc {Test}\) responds using the same bit in deciding real or random. Composability for this notion was initially proven for password-based key exchange [1], and we refer to [21] for further discussion on why this is the realistic and meaningful notion. For forward secrecy, keys of these \(\textsc {Test}\)-sessions must be computed before \(\textsc {Corr}\) is queried to either parties of a \(\textsc {Test}\)-session. Depending on the type of forward secrecy, freshness is defined differently. If it is wFS, then \(\mathcal {A}\) must perform only passive attacks on this fresh session. Otherwise, \(\mathcal {A}\) can perform active attacks, for instance, modify or inject some messages.
Security Loss for FS via Key Confirmation. The complexity of AKE models makes it challenging to prove security of an AKE protocol, in particular, giving tight security proofs for AKE. The security of modern cryptographic protocols is often proven by reductions. A reduction \(\mathcal {R}\) uses an adversary \(\mathcal {A}\) against protocol \(\varPi \) to break the security of the underlying primitive P. By doing so, we can conclude the concrete security bound, \(\varepsilon _{\mathcal {A}} \le \ell \cdot \varepsilon _{\mathcal {R}}\), where \(\varepsilon _{\mathcal {A}}\) and \(\varepsilon _{\mathcal {R}}\) are the success probability of \(\mathcal {A}\) and \(\mathcal {R}\), respectively. \(\ell \) is called the security loss. Assuming \({\mathcal {A}}\) and \({\mathcal {R}}\) have roughly the same running time, if \(\ell \) is a small constant, we say protocol \(\varPi \) has tight security, and non-tight security, otherwise. A tight security reduction is highly desirable, since it allows protocols to be instantiated with optimal parameters without compensation for the security loss.
A natural question to ask is whether the key confirmation approach preserves the tightness of the underlying wFS AKE. Due to its high efficiency, it would be ideal to have an affirmative answer to this question, since it means that we do not need to increase the security parameter of the wFS AKE to compensate any security loss.
Intuitively, there should not be a tightness loss when going from wFS to FS, which was even falsely claimed by the work of Cohn-Gordon et al. [10] previously. At CRYPTO 2023, Gellert, Gjøsteen, Jacobsen, and Jager (GGJJ) [18] identified a flaw in [10] and proposed a fix by using a selective variant of wFS (called selective key secrecy in [18]). The selective wFS is essentially the same as wFS, except that an adversary \(\mathcal {A}\) has to select a user of which \(\mathcal {A}\) will not corrupt the long-term secret key. Unfortunately, when we construct a reduction \(\mathcal {R}\) to prove FS based on this selective wFS, \(\mathcal {R}\) has to guess the non-corrupted user, which leads to a security loss of \(O(\mu )\) where \(\mu \) is the maximal number of users. This security loss is proven to be inherent (and thus optimal) in [18] when starting from a wFS AKE with key indistinguishability.
However, a linear loss in the number of users is undesirable, since in the real world the number of users can be massive. According to the impossibility result in [10], it seems inherent to have this security loss. Hence, it motivates us to propose a different modularization that potentially requires strong security for the underlying wFS AKE in achieving tight FS.
1.1 Our Contribution I: Tight Forward Secrecy via Key Confirmation
We revise the security proof for the wFS-to-FS transformation.
Tight FS from Verifiable wFS. We propose a new variant of wFS, called One-Wayness against key Verification attacks and weak Forward Secrecy (OW-VwFS). In the OW-VwFS security game, an adversary has the same capability as in the usual wFS game, but additionally it can verify whether a session key is the valid one of a particular session. Hence, the adversary capability of OW-VwFS is stronger than that of wFS and it is the main reason why we bypass the optimality result from Gellert et al. [18]. In terms of security goals, OW-VwFS is weaker than wFS, namely, OW-VwFS only requires an adversary cannot compute the session key of a fresh session, while wFS requires a session key to be indistinguishable from a random key.
Using key confirmation, we prove that OW-VwFS tightly implies FS in the random oracle model. Our transformation is the same as the standard wFS-to-FS transformation, but ours preserves the tightness of the underlying OW-VwFS protocol, and it enables tight FS in contrast to the selective notion in [18]. An important consequence of our work is that the future AKE design can aim at OW-VwFS, since its transformation to FS is the same as the standard wFS-to-FS one, but tightness-preserving. Moreover, our analysis considers security against (ephemeral) state reveals. Such a strong form of attacks was not considered in the work of Gellert et al. [18], which is why we bypass their impossibility.
Constructing (Tightly) Verifiable wFS. Furthermore, we show that several tightly wFS protocols satisfy our new OW-VwFS notion tightly, in particular, the lattice-based protocol of Pan, Wagner, and Zeng [30]Footnote 1. Subsequently, this yields the first AKE protocol with tight FS from lattices.
Essentially, we show that a One-Way Checkable against Chosen-Ciphertext Attacks (OW-ChCCA) [30] secure key encapsulation mechanism (KEM) tightly implies a OW-VwFS AKE protocol. Once again, our analysis allows adversaries to reveal ephemeral state in the AKE protocol. Roughly speaking, the OW-ChCCA game is a multi-user, multi-challenge variant of the standard IND-CCA game: Besides the oracles provided by the standard IND-CCA security, it allows adversaries to corrupt some of the user’s decryption keys and decrypt some of the challenge ciphertexts, and, most importantly, it allows an adversary to check if a key is valid with respect to a ciphertext. The adversary goal is to invert a fresh challenge ciphertext. As shown in [30], we can construct OW-ChCCA KEM tightly from the Decisional Diffie-Hellman (DDH) and Learning-With-Errors (LWE) assumptions, respectively. As a technical note, our proof requires only a slightly weaker version of OW-ChCCA, where adversaries are not allowed to ask for a decryption, but to verify whether a ciphertext can be decapsulated.
Efficiency Comparison among DDH-based Protocols. Besides having the first lattice-based AKE with tight FS, we also obtain the most efficient DDH-based protocol against state reveal attacks. In Table 1, we compare efficiency among well-known DDH-based AKE with tight or “optimal” tight FS (namely, with security loss \(O(\mu )\)) to show the practicality of our work. Our estimation focuses on communication and computation complexity for both parties to agree on a session key. For computation complexity, we only count the number of exponentiations, since they are the most costly operations. For concrete efficiency, we instantiate the protocols at 128-bit security and assume that the number of users \(\mu \approx 2^{30}\). This is about the number of monthly active users in a social media appFootnote 2. We instantiate the fully tight protocols with a NIST P256 curve and “optimal” tight ones with a NIST P384 (since they require a 158-bit hard DLog assumption). Our benchmarks for an exponentiation in a P256 and P384 are 0.5 ms and 1 ms, using Apple M1 Max, 32GB of RAM and macOS Ventura 13.3.1 (a).
We observe that the DDH-based non-committing KEM in [21] is tightly OW-ChCCA secure (cf. [30, Footnote 1]). Our analysis shows that the wFS JKRS in [21] is tightly OW-VwFS, and after adding key confirmation to the wFS JKRS in [21] we get \(\mathsf {JKRS_{KC}} \) that is tightly FS. According to Table 1, our tight security proofs allow one to implement \(\mathsf {JKRS_{KC}} \) with about 30% shorter transcripts and 50% faster speed than the one with the “optimal”, non-tight proofs in [18] at 128-bit security. Considering security against State Reveals, \(\mathsf {JKRS_{KC}} \) is the most efficient DDH-based protocol, due to our tight security proofs. It is worth mentioning that the \(\mathsf {CCGJJ_{KC}}\) has shorter protocol transcripts, but it is insecure under State Reveals.
Interestingly, although the signature-based JKRS uses relatively inefficient primitives as signatures, its tight security proof allows an instantiation that is slightly more efficient than the non-tight, signature-less JKRS (namely, \(\mathsf {JKRS_{KC}} \) with proofs in [18]).
Relation to the Work of Gellert et al. [18]. We circumvent the impossibility result of Gellert et al. [18] by using a different wFS notion, OW-VwFS, and random oracles. As discussed earlier, the key checking oracle makes our notion stronger. The security definition in [18] does not have such an oracle and thus their impossibility result does not apply to our proof. At the same time, we opted for the weakest definition which allows a tight reduction (i.e., one-wayness and also no Reveal oracle), which makes our definition and that of [18] incomparable (neither implies the other). Moreover, their impossibility is in the standard model, while ours is in the random oracle model. For these reasons, our results do not contradict the impossibility result in [18], but rather provides an alternative way to prove security while enabling full tightness.
1.2 Our Contribution II: Forward Secrecy via Key Confirmation in the QROM
Our second contribution is proposing the first security proof for FS via key confirmation in the quantum random oracle model (QROM) [6], where a quantum adversary can have quantum access to the hash function. Our analysis considers the KEM-based AKE protocol (via key confirmation) and assumes a Multi-User, Multi-Challenge Chosen-Ciphertext Attacks (MUC-CCA) KEM and a Multi-Challenge CCA (MC-CCA) KEM. The main reason of doing so is that we do not know how to tightly prove OW-VwFS implies FS in the QROM, since it will trigger the Oneway-to-Hiding Lemma [32] and lead to a square-root-loss such as \(\sqrt{\varepsilon }\), where \(\varepsilon \) is the advantage of breaking the underlying KEM. We still think that our tight lattice-based protocol in the classical ROM is interesting, since it is the first protocol with tight FS from post-quantum assumptions. Of course, one may alternatively rephrase our analysis in the classical ROM with the suitable KEMs, but it may lower the readability. More importantly, our OW-VwFS notion is more generic and gives more freedom to designers to construct their OW-VwFS protocols that will lead to FS in a tightness-preserving manner.
Our security bound in the QROM is unfortunately non-tight. More precisely, ignoring the statistically negligible terms, our security bound for FS in the QROM is
where \(\mu \) is the number of users, \(\varepsilon _{\text {MC-CCA}}\) is the advantage of MC-CCA, and \(\varepsilon _{\text {MUC-CCA}}\) is that of MUC-CCA. It matches the best known bound for wFS in the QROM proposed by Pan, Wagner, and Zeng (PWZ) [31]. In this sense our FS bound preserves the tightness of the KEM-based AKE protocol with wFS. It is worth mentioning that, as shown in [31], we can tightly instantiate MC-CCA and MUC-CCA from the LWE assumption in the QROM.
We also improve PWZ’s analysis in the sense that their analysis considers only one single \(\textsc {Test}\) query, but our security bound (as stated in Eq. (1)) is established in the context of multiple challenges, where an adversary is allowed to query \(\textsc {Test}\) multiple times. The multi-challenge setting is more realistic and well-established for public-key primitives [2, 10, 16, 17], since in the real world, an adversary usually wants to attack multiple instances of a primitives. Although the security bound of PWZ can be extended to the multi-\(\textsc {Test}\) setting with a multiplicative factor t (which is the number of \(\textsc {Test}\)-queries), ours does not need to lose such a factor. In practice, t can be up to the total number of established sessions, which can be much larger than the number of users. We stress that the analysis of PWZ is only for wFS, and transforming it to FS, it may lose another multiplicative factor \(\mu \) by applying the analysis of GGJJ [18]. Hence, combining the analysis of PWZ and GGJJ leads to a bound for FS in the QROM as
Strictly speaking, the bound above is only an estimation and not theoretically sound, since the analysis of GGJJ is in the classical setting. Their bound may change, if an adversary can query the hash function or key derivation function with a quantum state.
More Related Work in the QROM. Another work on the KEM-based AKE protocol in the QROM is due to Hövelmanns, Kiltz, Schäge, and Unruh [20], and it has a square-root-loss, namely, its security bound is
where \(S\), \(\mu \), and Q are the numbers of total sessions, users, and random oracle queries, respectively, and \(\varepsilon _{\text {CPA}}\) is the advantage of breaking the underlying CPA secure PKE. Similar to the work of PWZ, Eq. (3) is only for wFS and in the single-\(\textsc {Test}\) setting. Upgrading to FS in the multi-\(\textsc {Test}\) setting requires an additional multiplicative loss in \(\mu t\). It is usually less desirable to have the square-root-loss as in Eq. (3), since it reduces the security guarantee of the underlying PKE in half.
2 Preliminaries
For \( n \in \mathbb {N}\), let \([n] = \{1, \ldots , n\}\). For a finite set \(\mathcal {S}\), we denote the sampling of a uniform random element x by . By \(\llbracket B\rrbracket \) we denote the bit that is 1 if the evaluation of the Boolean statement B is \(\textbf{true}\) and 0 otherwise.
Algorithms. For an algorithm \(\mathcal {A}\) which takes x as input, we denote its computation by \(y {:}{=}\mathcal {A}(x)\) if \(\mathcal {A}\) is deterministic, and \(y \leftarrow \mathcal {A}(x)\) if \(\mathcal {A}\) is probabilistic. We assume all the algorithms (including adversaries) in this paper to be probabilistic unless stated differently. We denote an algorithm \(\mathcal {A}\) with access to an oracle \(\textsc {O}\) by \(\mathcal {A}^\textsc {O}\). In terms of running time, if a reduction’s running time \(t'\) is dominated by that of an adversary t (more precisely, \(t'=t+s\) where \(s \ll t\)), we write \(t'\approx t\).
Games. We use code-based games [4] to present our definitions and proofs. We implicitly assume all Boolean flags to be initialized to 0 (\(\textbf{false}\)), numerical variables to 0, sets to \(\emptyset \) and strings to \(\bot \). We make the convention that a procedure terminates once it has returned an output. \(G^\mathcal {A}\Rightarrow b\) denotes the final (Boolean) output b of game G running adversary \(\mathcal {A}\), and if \(b=1\) we say \(\mathcal {A}\) wins G. The randomness in \(\Pr [G^\mathcal {A}\Rightarrow 1]\) is over all random coins in game G. More generically, we write \(\Pr [{\textsf{Event}} : G]\) to denote the probability that \({\textsf{Event}}\) happens in the game G. If the context is clear, we simply write it as \(\Pr [{\textsf{Event}}]\). Within a procedure, “abort” means that we terminate the run of an adversary \(\mathcal {A}\).
3 Three-Message Authenticated Key Exchange
We recall the AKE security model from [21] and adapt it to three-message protocols. A three-message key exchange protocol \(\textsf{AKE}{:}{=}(\textsf{Setup},\mathsf {Gen_{AKE}}, \textsf{Init}_{\textrm{I}},\mathsf {Init_{R}}, \textsf{Der}_{\textrm{I}}, \mathsf {Der_{R}})\) consists of five algorithms which are executed interactively by two parties as shown in Fig. 1.
\(\textsf{Setup}\) is the setup algorithm for the system parameters. We denote the party which initiates the session by \(\textsf{P}_i\) and the party which responds to the session by \(\textsf{P}_r\). The key generation algorithm \(\mathsf {Gen_{AKE}}\) outputs a key pair \((\textsf{pk},\textsf{sk})\) for one party. The initiator’s initialization algorithm \(\textsf{Init}_{\textrm{I}}\) inputs the initiator’s long-term secret key \(\textsf{sk}_i\) and the responder’s long-term public key \(\textsf{pk}_r\), and outputs a message \(m_{i,1}\) and the initiator’s state \(\textrm{st}_i\). The responder’s initialization algorithm \(\mathsf {Init_{R}}\) inputs the responder’s long-term secret key \(\textsf{sk}_r\) and the initiator’s long-term public key \(\textsf{pk}_i\), and outputs a message \(m_{r}\) and the responder’s state \(\textrm{st}_r\). The initiator’s derivation algorithm \(\textsf{Der}_{\textrm{I}}\) takes as input \(\textsf{sk}_i\), \(\textsf{pk}_r\), a message \(m_{r}\) and the state \(\textrm{st}_i\). It computes the final message \(m_{i,2}\) and a session key K. The responder’s derivation algorithm \(\mathsf {Der_{R}}\) takes as input the \(\textsf{sk}_r\), \(\textsf{pk}_i\), a message \(m_{i,2}\) and the state \(\textrm{st}_r\). It computes the session key K. Here K can be \(\bot \) meaning that the session is rejected during the execution. Correctness of an AKE protocol states that an honest execution between two parties should yield the same session key.
Definition 1
(Correctness of three-message AKE). Let \(\textsf{AKE}{:}{=}(\textsf{Setup}, \mathsf {Gen_{AKE}}, \textsf{Init}_{\textrm{I}},\mathsf {Init_{R}}, \textsf{Der}_{\textrm{I}}, \mathsf {Der_{R}})\) be a three-message AKE protocol. We say \(\textsf{AKE}\) is \(\rho \)-correct if
where the probability is taken over the randomness of \(\textsf{Setup}, \mathsf {Gen_{AKE}}, \textsf{Init}_{\textrm{I}}, \mathsf {Init_{R}}\), and \(\textsf{Der}_{\textrm{I}}\).
We give a security game written in pseudocode focusing on (full) forward secrecy, rather than implicit or explicit authentication. We refer readers to [12] for more details on different types of authentication for key exchange protocols, and their connections to forward secrecy in [18].
Execution Environment. We consider \(\mu \) parties \(\textsf{P}_1,\dotsc ,\textsf{P}_\mu \) with long-term key pairs \((\textsf{pk}_n,\textsf{sk}_n)\), \(n\in [\mu ]\). When two parties A and B want to communicate, the initiator, say, A first creates a session. To identify this session, we increase the global identification number \(\text {sID}\) and assign the current state of \(\text {sID}\) to identify this session owned by A. The state of \(\text {sID}\) will increase after every assignment. Moreover, a message will be sent to the responder. The responder then similarly creates a corresponding session which is assigned the current state of \(\text {sID}\). Hence each conversation includes two sessions. We then define variables in relation to the identifier \(\text {sID}\):
-
\(\texttt{Init}[\text {sID}]\in [\mu ]\) denotes the initiator of the session.
-
\(\texttt{Resp}[\text {sID}]\in [\mu ]\) denotes the responder of the session.
-
\(\texttt{Type}[\text {sID}]\in \{\text {``In''},\text {``Re''}\}\) denotes the session’s view, i. e. whether the initiator or the responder computes the session key.
-
\(\texttt{Msg}_\textsf{I,1}[\text {sID}]\) denotes the first message that was computed by the initiator.
-
\(\texttt{Msg}_\textsf{R}[\text {sID}]\) denotes the message that was computed by the responder.
-
\(\texttt{Msg}_\textsf{I,2}[\text {sID}]\) denotes the final message that was computed by the initiator.
-
\(\texttt{ST}[\text {sID}]\) denotes the (secret) state information, i. e. ephemeral secret keys.
-
\(\texttt{SK}[\text {sID}]\) denotes the session key. If the session terminates without a valid session key, we set this variable to the special string \(\text {``reject''}\).
To establish a session between two parties, the adversary is given access to oracles \(\textsc {Session}_{\textsc {I}}\) and \(\textsc {Session}_{\textsf{R}}\), where the first one starts a session of type \(\text {``In''}\) and the second one of type \(\text {``Re''}\). In order to complete a session, oracles \(\textsc {Der}_{\textsc {I}}\) and \(\textsc {Der}_{\textsf{R}}\) have to be queried. The adversary has also access to oracles \(\textsc {Corr}\), \(\textsc {Reveal}\) and \(\textsc {Rev}\text {-}\textsc {State}\) to obtain secret information. (The latter is only available if state reveal attacks are considered.) We use the following boolean values to keep track of which queries the adversary made:
-
\(\texttt{cor}[n]\) denotes whether the long-term secret key of party \(\textsf{P}_n\) was given to the adversary.
-
\(\texttt{peerPreCor}[\text {sID}]\) denotes whether the peer of the session was corrupted and its long-term key was given to the adversary before the owner’s session key was computed, which is important for forward security.
-
\(\texttt{revST}[\text {sID}]\) denotes whether the session state was given to the adversary.
-
\(\texttt{revSK}[\text {sID}]\) denotes whether the session key was given to the adversary.
The adversary can forward messages between sessions or modify them. By that, we can define the relationship between two sessions:
-
Matching Session: Two sessions \(\text {sID}\) and \(\text {sID}'\) match if the same parties are involved, the messages sent and received are the same they are of different types (cf. line 12 in Fig. 3).
-
Partially Matching Session: A session \(\text {sID}\) has a partially matching session \(\text {sID}'\) if the same parties are involved, the messages sent and received are the same without considering the last message and they are of different types, where \(\text {sID}'\) is of type \(\text {``Re''}\) (cf. line 14 in Fig. 3).
Finally, the adversary is given access to oracle \(\textsc {Test}\) which can be queried multiple times and which will return either the session key of the specified session or a uniformly random key. We use one bit b for all queries, and store test sessions in a set \(\mathcal {S}_\texttt{test}\). For each test session, we require that the adversary does not issue queries such that the session key can be trivially computed. In Fig. 3 we define the properties of freshness and validity which all test sessions have to satisfy:
-
Freshness: A (test) session is called fresh if the session key was not revealed. Furthermore, if there exists a matching session, we require that this session’s key is not revealed and that this session is not also a test session.
-
Validity: A (test) session is called valid if it is fresh and the adversary performed any attack which is defined in the security model. For game \(\textsf{IND}\text {-}\textsf{FS}\text {-}\textsf{St}\), we capture this with attacks listed in our full paper [28, Table 4]. For game \(\textsf{IND}\text {-}\textsf{FS}\), we use Table 2 to capture valid attacks.
If the protocol does not use appropriate randomness, it should not be considered secure. In this case, there can be multiple matching sessions to a test session, which an adversary can take advantage of. We capture this as part of the validity property (cf. line 08). For an honest run of the protocol, the underlying min-entropy ensures that this attack will only happen with negligible probability.
We define validity of different attack strategies in Table 2, using variables to indicate which queries the adversary may (not) make. The purpose is to make our proofs precise by listing all the possible and non-trivial attacks. Attacks covered in the \(\textsf{IND}\text {-}\textsf{FS}\) model capture forward secrecy (FS) and key compromise impersonation (KCI) attacks. We provide a more detailed description of Table 2 and the full table for \(\textsf{IND}\text {-}\textsf{FS}\text {-}\textsf{St}\) in our full paper [28, Appendix B]. For all test sessions, at least one attack has to evaluate to true. Then, the adversary wins if he distinguishes the session keys from uniformly random keys which he obtains through queries to the \(\textsc {Test}\) oracle.
Definition 2
(Key Indistinguishability of AKE). We define games \(\textsf{IND}\text {-}\textsf{FS}\) and \(\textsf{IND}\text {-}\textsf{FS}\text {-}\textsf{St}\) as in Figs. 2 and 3. We say \(\textsf{AKE}\) is \((t,\varepsilon , \mu , S, T, {Q}_{\textsc {Cor}})\text {-}\textsf{IND}\text {-}\textsf{FS}\)-secure resp. \((t',\varepsilon ', \mu , S, T, {Q}_{\textsc {Cor}},{Q}_{\textsc {St}})\text {-}\textsf{IND}\text {-}\textsf{FS}\text {-}\textsf{St}\)-secure if for all adversaries \(\mathcal {A}\) attacking the protocol in time t resp. \(t'\) with \(\mu \) users, \(S\) sessions, \(T\) test queries, \({Q}_{\textsc {Cor}}\) corruptions, and \({Q}_{\textsc {St}}\) state reveals, we have
Note that if there exists a session which is neither fresh nor valid, the game outputs the bit b, which implies that \(\Pr [\textsf{IND}\text {-}\textsf{FS}_{\textsf{AKE}}^{\mathcal {A}} \Rightarrow 1] = \frac{1}{2}\) or \(\Pr [\textsf{IND}\text {-}\textsf{FS}\text {-}\textsf{St}_{\textsf{AKE}}^{\mathcal {A}} \Rightarrow 1] = \frac{1}{2}\), giving the adversary an advantage equal to 0. This captures that an adversary will not gain any advantage by performing a trivial attack.
4 Verifiable Authenticated Key Exchange
To build a tightly secure three-message AKE protocol with key confirmation from a two-message AKE protocol, we define two security notions of the two-message protocol: The first one is One-Way against key Verification attacks and weak Forward Secrecy, or \(\mathsf {OW\text {-}VwFS}\) for short, and the second one is \(\mathsf {OW\text {-}VwFS}\) with state-reveal attacks, or \(\mathsf {OW\text {-}VwFS\text {-}St}\) for short.
We define the syntax of a two-message key exchange protocol in a similar fashion as the three-message AKE. Let \({\textsf{AKE}}'_{}:=({\textsf{Setup}}'_{\!},{\textsf{Gen}}'_{\!},{\textsf{Init}}'_{\textrm{I}}, {\textsf{Init}}'_{\textsf{R}}, {\textsf{Der}}'_{\textrm{I}})\), where \({\textsf{Setup}}'_{\!}\), \({\textsf{Gen}}'_{\!}\) and \({\textsf{Init}}'_{\textrm{I}}\) are defined exactly as in the three-message protocol. instead of a state, the responder’s algorithm \({\textsf{Init}}'_{\textsf{R}}\) computes a session key K. The initiator’s algorithm \({\textsf{Der}}'_{\textrm{I}}\) does not output a second message, but only the session key. Correctness is defined similarly to the three-message case.
Definition 3
(Correctness of two-message AKE). Let \({\textsf{AKE}}'_{}{:}{=}({\textsf{Setup}}'_{\!}, {\textsf{Gen}}'_{\!}, {\textsf{Init}}'_{\textrm{I}},{\textsf{Init}}'_{\textsf{R}}, {\textsf{Der}}'_{\textrm{I}})\) be an AKE protocol. We say \({\textsf{AKE}}'_{}\) is \(\rho \)-correct if
where the probability is taken over the randomness of \({\textsf{Setup}}'_{\!}, {\textsf{Gen}}'_{\!}, {\textsf{Init}}'_{\textrm{I}},\) and \({\textsf{Init}}'_{\textsf{R}}\).
\(\mathsf {OW\text {-}VwFS}\) is similar to the standard weak forward secrecy, but an adversary is additionally allowed to check if a key corresponds to some generated transcripts. The security notion \(\mathsf {OW\text {-}VwFS\text {-}St}\), based on \(\mathsf {OW\text {-}VwFS}\), allows the adversary to reveal session states. Moreover, these two security notions do not have \(\textsc {Reveal}\) and \(\textsc {Test}\) oracles. Our notion is motivated by the one-wayness against honest and key verification attacks in [27], but it is stronger in the sense that it allows active attacks. These are formally defined by Definition 4 with security games \(\mathsf {OW\text {-}VwFS}\) and \(\mathsf {OW\text {-}VwFS\text {-}St}\) as in Fig. 4.
Definition 4
(\(\mathsf {OW\text {-}VwFS}\) and \(\mathsf {OW\text {-}VwFS\text {-}St}\) security). A two-message authenticated key exchange protocol \({\textsf{AKE}}'_{}\) is \((t, \varepsilon , \mu , S, {Q}_{\textsc {Cor}},Q_{Ver}) \text {-}\mathsf {OW\text {-}VwFS}\) secure resp. \((t', \varepsilon ', \mu , S, {Q}_{\textsc {Cor}}, Q_{Ver}, {Q}_{\textsc {St}}) \text {-}\mathsf {OW\text {-}VwFS\text {-}St}\) secure, where \(\mu \) is the number of users, \(S\) is the number of sessions, \(Q_{Ver}\) is the number of calls to \(\textsc {KVer}\) and \({Q}_{\textsc {St}}\) is the number of calls to \({\textsc {Rev}\text {-}\textsc {State}}'_{}\), if for all adversaries \(\mathcal {A}\) attacking the protocol in time at most t resp. \(t'\), we have
Valid attacks are defined via \({\textsc {Valid}}'_{}\). For the session \(\text {sID}^*\) for which the adversary aims to compute the session key, we basically allow two types of attacks: If there is a (partially) matching session, then both parties may be corrupted. Otherwise, the adversary must not corrupt the peer of the session. Additionally for the model with state reveal attacks, the state for \(\text {sID}^*\) must not be revealed in any case.
Min-Entropy. We require that public keys have \(\gamma \) bits of min-entropy, i. e., for all \((\textsf{pk}_0,\textsf{sk}_0)\leftarrow {\textsf{Gen}}'_{\!}\), \((\textsf{pk}_1,\textsf{sk}_1)\leftarrow {\textsf{Gen}}'_{\!}\), we have \(\Pr [\textsf{pk}_0 = \textsf{pk}_1] \le 2^{-\gamma }\). Similarly, we require that messages have \(\alpha \) bits of min-entropy, i. e., for all messages \(m'\) we have \(\Pr [m = m'] \le 2^{-\alpha }\), where m is output by either \({\textsf{Init}}'_{\textrm{I}}\) or \({\textsf{Init}}'_{\textsf{R}}\).
5 AKE with Key Confirmation
We now build a three-message AKE protocol \(\textsf{AKE}_{\textsf{KC}}\) with key confirmation from a two-message AKE protocol \({\textsf{AKE}}'_{}\) and three hash functions \(\textsf{G}_\textrm{I},\textsf{G}_\textsf{R},\textsf{H}\). An overview is given in Fig. 5. Hash functions \(\textsf{G}_\textrm{I}\), \(\textsf{G}_\textsf{R}\) and \(\textsf{H}\) are defined as follows: \(\textsf{G}_\textrm{I},\textsf{G}_\textsf{R}:\{0,1\}^*\rightarrow \{0,1\}^\lambda \) and \(\textsf{H}:\{0,1\}^*\rightarrow \mathcal {K}\), where \(\lambda \) is the length of key confirmation tags and \(\mathcal {K}\) is the key space of \(\textsf{AKE}_{\textsf{KC}}\).Footnote 3
Let \({\textsf{AKE}}'_{}=({\textsf{Setup}}'_{\!},{\textsf{Gen}}'_{\!},{\textsf{Init}}'_{\textrm{I}},{\textsf{Init}}'_{\textsf{R}},{\textsf{Der}}'_{\textrm{I}})\). We define \(\textsf{AKE}_{\textsf{KC}}\) as follows: \(\textsf{Setup}\), \(\mathsf {Gen_{AKE}}\), \(\textsf{Init}_{\textrm{I}}\) will be the same as \({\textsf{Setup}}'_{\!}\), \({\textsf{Gen}}'_{\!}\) and \({\textsf{Init}}'_{\textrm{I}}\), respectively. \(\mathsf {Init_{R}}\) first runs \({\textsf{Init}}'_{\textsf{R}}\) to obtain the responder’s message \(m_{r}\) and the key \(k\) of \({\textsf{AKE}}'_{}\), where the latter is used to derive the final session key and key confirmation messages. In particular, the responder first computes the key confirmation tag \(\pi _r{:}{=}\textsf{G}_\textsf{R}(k,\text {ctxt})\), where \(\text {ctxt}\) is defined as the two parties’ public keys and the initial messages (cf. Fig. 5). It then also computes the expected key confirmation tag \(\pi _i'\) and session key \(K'\) using \(\textsf{G}_\textrm{I}\) and \(\textsf{H}\) on the same input. It sends \((m_{r},\pi _r)\) to the initiator and keeps \((\pi _i',K')\) as state. The initiator runs \(\textsf{Der}_{\textrm{I}}\) which is defined as follows: First, it runs \({\textsf{Der}}'_{\textrm{I}}\) to get \(k\) and then performs the same computations as the responder to compute key confirmation tags \(\pi _i\), \(\pi _r'\) and the final session key K. It accepts K if \(\pi _r'=\pi _r\) and sends \(\pi _i\) as the final message. The responder’s derivation algorithm \(\mathsf {Der_{R}}\) checks whether the key confirmation tag is valid, i. e., \(\pi _i=\pi _i'\), and if this is the case it sets the session key to \(K'\).
Whenever an equality check fails or the underlying algorithms of \({\textsf{AKE}}'_{}\) return \(\bot \), the parties terminate the session, i. e., they reject, and return \(\bot \).
Correctness. The correctness of \(\textsf{AKE}_{\textsf{KC}}\) follows directly from the correctness of \({\textsf{AKE}}'_{}\). In particular, if \({\textsf{AKE}}'_{}\) is \((1-\delta )\)-correct, then so is \(\textsf{AKE}_{\textsf{KC}}\).
Security. We prove \(\textsf{IND}\text {-}\textsf{FS}\) security of \(\textsf{AKE}_{\textsf{KC}}\) based on \(\mathsf {OW\text {-}VwFS}\) security of \({\textsf{AKE}}'_{}\) and modeling \(\textsf{G}_\textrm{I}\), \(\textsf{G}_\textsf{R}\) and \(\textsf{H}\) as random oracles.
Theorem 1
Let \({\textsf{AKE}}'_{}\) be \((1-\delta )\)-correct and have public keys with \(\gamma \) bits of entropy and messages with \(\alpha \) bits of entropy. Let \(\textsf{AKE}_{\textsf{KC}}\) be as defined in Fig. 5, where \(\textsf{G}_\textrm{I},\textsf{G}_\textsf{R}: \{0,1\}^*\rightarrow \{0,1\}^\lambda \) and \(\textsf{H}:\{0,1\}^*\rightarrow \mathcal {K}\) are modelled as random oracles. For every adversary \(\mathcal {A}\) that breaks the \((t,\varepsilon , \mu , S, T, {Q}_{\textsc {Cor}})\text {-}\textsf{IND}\text {-}\textsf{FS}\)-security of \(\textsf{AKE}_{\textsf{KC}}\), there exists an adversary \(\mathcal {B}\) that breaks the \((t', \varepsilon ', \mu , S, {Q}_{\textsc {Cor}}, Q_{Ver})\text {-}\mathsf {OW\text {-}VwFS}\) security of \({\textsf{AKE}}'_{}\) with \(t' \approx t\) and
where \(Q_{{\textsf{G}_\textrm{I}}},Q_{{\textsf{G}_\textsf{R}}}\) and \(Q_{{\textsf{H}}}\) are the number of queries to random oracles \(\textsf{G}_\textrm{I}\), \(\textsf{G}_\textsf{R}\) and \(\textsf{H}\) and \(Q_{Ver}\le S+Q_{{\textsf{G}_\textrm{I}}}+Q_{{\textsf{G}_\textsf{R}}}+Q_{{\textsf{H}}}\).
The idea of the proof is that we can simulate the key confirmation tags and session keys without knowing the key \(k\) of the underlying two-message protocol as long as it has not been queried to (one of) the random oracles. For this we have to keep track of whether the adversary trivially knows \(k\) because the session is not fresh anymore. We can handle this case and still simulate correctly using \(\textsc {KVer}\) oracle. The only way to win the game is to compute \(k\) for a fresh and valid session, thus breaking one-wayness of the underlying protocol. We now prove the theorem formally.
Proof
Let \(\mathcal {A}\) be an adversary against \(\textsf{IND}\text {-}\textsf{FS}\) security of \(\textsf{AKE}_{\textsf{KC}}\). We consider the sequence of games \(\textsf{G}_{0}\)-\(\textsf{G}_{3}\) in Figs. 6 and 7.
Game \(\textsf{G}_{0}\). The first game \(\textsf{G}_{0}\) is the original \(\textsf{IND}\text {-}\textsf{FS}\) security game, however we exclude that public keys or messages collide (which means that if such events happen, then the game will abort and return a random bit). This also includes the key confirmation tags. Thus we get
Note that this means there can be at most one (partially) matching session for each session.
Game \(\textsf{G}_{1}\). In game \(\textsf{G}_{1}\), we want to ensure that \(\pi _r\), \(\pi _i\) and K have not been queried to the respective random oracle before they are determined. Note that all three values will be determined in \(\textsc {Session}_{\textsf{R}}\) when \(m_{r}\) and \(k\) are computed. Thus, whenever \(\textsc {Session}_{\textsf{R}}\) is queried, we check whether there already exists a query \((k',\textsf{pk}_i,\textsf{pk}_r,m_{i},m_{r})\) to \(\textsf{G}_\textsf{R}\), \(\textsf{G}_\textrm{I}\) or \(\textsf{H}\) for some \(k'\) (line 19). If this is the case, we raise flag \({\textsf{BadEntropy}}\) and abort. If \({\textsf{BadEntropy}}\) is not raised, we draw fresh values for \(\pi _r\), \(\pi _i\) and K and explicitly assign them to the corresponding entry of the respective random oracle (lines 21–24). We make this explicit here to prepare for the next step where we have to do a case distinction. Note that \(\textsf{G}_{0}\) and \(\textsf{G}_{1}\) are the same, except if \({\textsf{BadEntropy}}\) is raised. Thus,
where we bound the event by the entropy of \({\textsf{AKE}}'_{}\). The message \(m_{r}\) is computed by the game directly before we check for this event. We then use the union bound over the maximum number of sessions \(S\).
Game \(\textsf{G}_{2}\). In game \(\textsf{G}_{2}\), we want to compute \(\pi _r\), \(\pi _i\) and K without using k explicitly and prepare for the reduction to \(\mathsf {OW\text {-}VwFS}\). For this, we have to make a distinction between fresh and non-fresh sessions. We add two additional variables \(\texttt{ctxt}[\text {sID}]\) and \(\texttt{k}[\text {sID}]\) for each session which store the context and the session key of the underlying \({\textsf{AKE}}'_{}\). When \(\textsc {Session}_{\textsf{R}}\) is queried, we no longer assign the random oracle entries \([k,\textsf{pk}_i,\textsf{pk}_r,m_{i},m_{r}]\). Instead, we use a special placeholder symbol for the key k. In particular, if the session is still fresh and valid (i. e., there exists a session with a matching context up to this point, or the intended peer is not (yet) corrupted), we use the symbol \(\diamond \) (lines 28–30). Otherwise, in case the session is not valid, we use the symbol \(\oplus \) (lines 32–34). This distinction will be necessary to patch the random oracle correctly. Note that an adversary might be able to compute the correct key k for a non-valid session.
We describe how the random oracles are patched below. First, we explain how to change \(\textsf{Der}_{\textrm{I}}\) and \(\mathsf {Der_{R}}\) accordingly. For each query to \(\textsf{Der}_{\textrm{I}}\), we first update the context with the message \(m_{r}\) that was used to query the oracle. Then we check whether there exists a potential partnered session with the same context (line 61). In this case we know the corresponding values \(\pi _r\), \(\pi _i\) and K which are stored with the symbol \(\diamond \). We check whether the tag \(\pi _r\) is correct (if not, the session rejects) and assign the session key (lines 62–66). If there is no other session with the same context, we have to make another case distinction. In the first case, we use k explicitly to check whether there has been a query to the random oracle \(\textsf{G}_\textsf{R}\) such that the tag \(\pi _r\) matches (line 68). In this case, we proceed normally. Looking ahead, this will be a critical point in the next game modification. If there exists no such query to \(\textsf{G}_\textsf{R}\), then the game makes the query and chooses a tag uniformly at random (line 74). If this tag is the same as the one provided by the adversary, we raise flag \({\textsf{RandKC}}\) and abort (line 76). Otherwise, the session simply rejects. We modify \(\textsc {Der}_{\textsf{R}}\) in the exact same way, except that we are now looking at \(\pi _i\) (Fig. 7, lines 09–24).
Before bounding \({\textsf{RandKC}}\), we explain the simulation of random oracles as described in Fig. 7. We explain \(\textsf{G}_\textsf{R}\) in more detail. (\(\textsf{G}_\textrm{I}\) and \(\textsf{H}\) are modeled in exactly the same way). For each query \((k,\textsf{pk}_i,\textsf{pk}_r,m_{i},m_{r})\), we first check for entries with the special symbol. More specifically, if there exists an entry with the given context and the symbol \(\diamond \), we look for the \(\text {sID}\) with this context. Note that there can be at most two sessions (one of type \(\text {``In''}\) and one of type \(\text {``Re''}\) which will be matching sessions), which we capture by computing a set \(\mathcal {S}\) containing the corresponding \(\text {sID}\)(s) (line 29). If the key \(k\) of the random oracle query corresponds to the one stored in \(\texttt{k}[\text {sID}]\)Footnote 4, then \(\textsf{G}_\textsf{R}\) simply outputs the stored value \(\pi \) (line 32). We do the same for special symbol \(\oplus \) (line 34, note that here \(\text {sID}\) is always unique), except that we also update the entry accordingly, i. e., replace \(\oplus \) with k if \(k=\texttt{k}[\text {sID}]\) (line 36). This way, the simulation is consistent with the other oracles.
Overall, the two games only differ when flag \({\textsf{RandKC}}\) is raised. Note that we can bound the probability that a tag is valid without the random oracle being queried by the length of the tag. Union bound over \(S\) session gives us
Game \(\textsf{G}_{3}\). In the final game \(\textsf{G}_{3}\), we raise flag \({\textsf{QueryRO}}\) if the adversary ever queries the random oracle on a key k of a fresh session. Depending on the order of queries, this event can occur for different oracles: \(\textsc {Der}_{\textsc {I}}\) (Fig. 6, line 70), \(\textsc {Der}_{\textsf{R}}\) (Fig. 7, line 17) or one of the random oracles (Fig. 7, line 31). First, we look at sessions that do not have a matching session with the same context. For queries to oracle \(\textsc {Der}_{\textsc {I}}\) we check the validity of \(\pi _r\) in line 68. If the peer \(r\) is not corrupted, then the session is still fresh and valid. Thus, we raise \({\textsf{QueryRO}}\) if there has been a query to \(\textsf{G}_\textsf{R}\) on the correct key and context such that the output is indeed \(\pi _r\). We proceed similarly for responder sessions when \(\textsc {Der}_{\textsf{R}}\) is queried, checking for queries to \(\textsf{G}_\textrm{I}\). This means that all sessions where the peer is uncorrupted and no session with a matching context exist will reject (or abort).
We now look at sessions that have a session with matching context and whose relevant random oracle entries are marked with \(\diamond \). Whenever one of the random oracles is queried, we check whether the key matches the one stored in \(\texttt{k}[\text {sID}]\) (as described earlier) and if this is the case, we also raise \({\textsf{QueryRO}}\) and abort.
We claim that
Before proving the claim, note that in \(\textsf{G}_{3}\) we have \(\Pr [\textsf{G}_{3}^{\mathcal {A}}\Rightarrow 1]=1/2 \ .\) For this, observe that all sessions must have a (partially) matching session and that random oracle \(\textsf{H}\) is never queried on k for any of those sessions. Thus, the session key is indistinguishable from a uniformly random key.
Bounding Event \({\textsf{QueryRO}}\). We now describe an adversary \(\mathcal {B}\) against \(\mathsf {OW\text {-}VwFS}\) security of the underlying \({\textsf{AKE}}'_{}\) to bound event \({\textsf{QueryRO}}\). A pseudocode description is given in Fig. 8. The idea is that whenever \(\mathcal {A}\) queries one of the random oracles on the underlying key \(k\) of a fresh and valid session (either in order to forge a key confirmation tag or to distinguish the actual session key), we can use this to break \(\mathsf {OW\text {-}VwFS}\) security of \({\textsf{AKE}}'_{}\), where the verification oracle \(\textsc {KVer}\) is used to simulate the random oracles consistently.
We now describe \(\mathcal {B}\) in more detail. It gets as input \(\mu \) public keys and forwards them to \(\mathcal {A}\). \(\mathcal {B}\) simulates queries to oracle \(\textsc {Session}_{\textsc {I}}\) in a straightforward way by querying its own oracle \({\textsc {Session}}'_{\textsc {I}}\) which returns \((\text {sID},m_{i})\). After assigning the corresponding variables, \(\mathcal {B}\) forwards the output to \(\mathcal {A}\). Queries to \(\textsc {Session}_{\textsf{R}}\) are simulated as in game \(\textsf{G}_{3}\). \(\mathcal {B}\) first queries \({\textsc {Der}}'_{\textsf{R}}\) to receive \((\text {sID},m_{r})\). Instead of checking whether \(k=\bot \), \(\mathcal {B}\) checks whether \(m_{r}=\bot \). If this is the case, it rejects and outputs \(\bot \). Otherwise, it proceeds as described in \(\textsf{G}_{3}\), preparing random oracle assignments by assigning fresh values to \(\pi _i\), \(\pi _r\) and K and returning \((\text {sID},(m_{r},\pi _r))\).
When \(\mathcal {A}\) queries \(\textsc {Der}_{\textsc {I}}\), \(\mathcal {B}\) queries \({\textsc {Der}}'_{\textsc {I}}\). \(\mathcal {B}\) will not be able to explicitly check whether the session key was computed successfully, however, we will argue that the simulation is consistent by correctness of \({\textsf{AKE}}'_{}\) and the validity of the key confirmation tag. Thus, \(\mathcal {B}\) directly proceeds as described in \(\textsf{G}_{3}\). Whenever there exists a session with the same context, then the key confirmation tag must be the same as the one computed by that session, up to correctness of \({\textsf{AKE}}'_{}\). Thus the simulation is perfect except with probability \(S\cdot \delta \). Whenever there exists no (partially) matching session, \(\mathcal {B}\) needs to check whether \(\textsf{G}_\textsf{R}\) was already queried on the correct \(k\). For this it checks all random oracle queries that have output \(\pi _r\) provided by \(\mathcal {A}\). If such a query exists, it will be unique since we excluded collisions in the first game. \(\mathcal {B}\) checks whether the respective key of the query is the correct key using its oracle \(\textsc {KVer}\). If this is the case, we further distinguish two cases, based on whether the session still qualifies for a valid test session or not. If the peer of the session has not been corrupted yet, then this is a valid session and \(\mathcal {B}\) outputs \((\text {sID},k)\) as solution in its own game. Otherwise, it proceeds. Oracle \(\textsc {Der}_{\textsf{R}}\) is simulated similarly, looking at \(\textsf{G}_\textrm{I}\) instead of \(\textsf{G}_\textsf{R}\).
Oracle \(\textsc {Reveal}\) and \(\textsc {Corr}\) can be simulated in a straightforward way. The latter requires \(\mathcal {B}\) to query its own oracle \({\textsc {Corr}}'_{}\). Queries to \(\textsc {Test}\) will always return the real session key. Note that this is a perfect simulation since session keys are perfectly hidden unless \({\textsf{QueryRO}}\) happens in which case \(\mathcal {B}\) stops because it breaks \(\mathsf {OW\text {-}VwFS}\) security.
It remains to describe the simulation of random oracles. In Fig. 9 we give a description of \(\textsf{G}_\textsf{R}\). \(\textsf{G}_\textrm{I}\) and \(\textsf{H}\) are simulated in the same way. As in \(\textsf{G}_{3}\), \(\mathcal {B}\) first checks whether there exists an entry with the special symbol \(\diamond \). If this is the case, it finds the corresponding \(\text {sID}\) and uses the \(\textsc {KVer}\) oracle to check whether the key \(k\) provided by \(\mathcal {A}\) belongs to this session. Since \(\diamond \) is used to mark sessions that have a (partially) matching session, \(\mathcal {B}\) can always use this key to win the \(\mathsf {OW\text {-}VwFS}\) game. If there is no entry with \(\diamond \) but one with \(\oplus \), \(\mathcal {B}\) again queries the \(\textsc {KVer}\) oracle, but this time it updates the corresponding entry with the correct key (if \(\textsc {KVer}\) returns \(\textbf{true}\)). This way, \(\mathcal {B}\) can perfectly simulate non-test sessions. If none of these cases happen or \(\textsc {KVer}\) has returned \(\textbf{false}\), then \(\mathcal {B}\) proceeds as usual by lazy sampling.
This concludes the description of \(\mathcal {B}\). Note that if \({\textsf{QueryRO}}\) happens in game \(\textsf{G}_{3}\), i. e., there exists a random oracle query for a fresh and valid session with correct key \(k\), then \(\mathcal {B}\) wins game \(\mathsf {OW\text {-}VwFS}\). We get \(\Pr [{\textsf{QueryRO}}]\le \varepsilon ' + S\cdot \delta \).
Further, note that \(\mathcal {B}\) issues at most \((S+Q_{{\textsf{G}_\textrm{I}}}+Q_{{\textsf{G}_\textsf{R}}}+Q_{{\textsf{H}}})\) to \(\textsc {KVer}\) since we have excluded collisions of tags in the first game. The number of queries to all other oracles is preserved. This completes the proof of Theorem 1.
Based on \(\textsf{AKE}_{\textsf{KC}}\), we build a three-message AKE protocol \(\textsf{AKE}_{\textsf{stKC}}\) that is secure against state-reveal attacks (cf. Definition 2). Since \(\textsf{AKE}_{\textsf{stKC}}\) has a similar structure with \(\textsf{AKE}_{\textsf{KC}}\), we follow the notations used in defining \(\textsf{AKE}_{\textsf{KC}}\) (cf. Fig. 5). An overview of \(\textsf{AKE}_{\textsf{stKC}}\) is given in Fig. 10.
\(\textsf{AKE}_{\textsf{stKC}}\) uses the state-encryption technique [21, 30] to protect session states. Concretely, let \(\textsf{G}_{\textsf{st}\textrm{I}}: \{0,1\}^{\kappa }\times \{0,1\}^{\kappa }\rightarrow \{0,1\}^{d_{\textrm{I}}}\) and \(\textsf{G}_{\textsf{stR}}: \{0,1\}^{\kappa }\times \{0,1\}^{\kappa }\rightarrow \{0,1\}^{d_{\textsf{R}}}\) be two hash functions. We assume that any initiator session state of the underlying two-message AKE protocol \({\textsf{AKE}}'_{}\) can be encoded as a \(d_{\textrm{I}}\)-bit string and \(d_{\textsf{R}}= 2 \lambda \) (the length of key confirmation tag plus the length of session key derived by \({\textsf{AKE}}'_{}\)). \(\textsf{AKE}_{\textsf{stKC}}\) proceeds the same as \(\textsf{AKE}_{\textsf{KC}}\) except that (1) the long-term secret key of user \(i\) in \(\textsf{AKE}_{\textsf{stKC}}\) also include a uniformly random key \(\textsf{s}_{i} \in \{0,1\}^{\kappa }\), and (2) each session will sample a one-time key \(\textsf{IV}\) uniformly at random and encrypt the session state of \(\textsf{AKE}_{\textsf{KC}}\) via XORing with the one-time pad \(\textsf{G}_{\textsf{st}\textrm{I}}(\textsf{s}_{i}, \textsf{IV})\). Now the session state (that the adversary can reveal in the state-reveal AKE model) is \((\textsf{IV}, \varphi )\). Dashed parts in Fig. 10 shows how this technique works.
Correctness. Similar to \(\textsf{AKE}_{\textsf{KC}}\), the correctness of \(\textsf{AKE}_{\textsf{stKC}}\) follows directly from the correctness of \({\textsf{AKE}}'_{}\). If \({\textsf{AKE}}'_{}\) is \((1-\delta )\)-correct, then so is \(\textsf{AKE}_{\textsf{stKC}}\).
Security. In Theorem 2, we prove \(\textsf{IND}\text {-}\textsf{FS}\text {-}\textsf{St}\) security of \(\textsf{AKE}_{\textsf{KC}}\) based on \(\mathsf {OW\text {-}VwFS\text {-}St}\) security of \({\textsf{AKE}}'_{}\) and modeling \(\textsf{G}_\textrm{I}\), \(\textsf{G}_\textsf{R}\), \(\textsf{H}\), \(\textsf{G}_{\textsf{st}\textrm{I}}\), and \(\textsf{G}_{\textsf{stR}}\) as random oracles. Here we sketch the proof idea. By using the state encryption technique, the adversary cannot learn the unencrypted states of the underlying two-message AKE, unless it reveals the encrypted session state and corrupts the owner of the session. But this makes the session invalid and thus, it cannot be tested. Therefore, for valid sessions, state-reveal queries do not give any advantage to the adversary, and thus we can use the proof idea of Theorem 1. The full proof of Theorem 2 is postponed to our full version [28, Appendix C].
Theorem 2
Let \({\textsf{AKE}}'_{}\) be \((1-\delta )\)-correct and have public keys with \(\gamma \) bits of entropy and messages with \(\alpha \) bits of entropy. Let \(\textsf{AKE}_{\textsf{stKC}}\) be as defined in Fig. 5, where \(\textsf{G}_\textrm{I},\textsf{G}_\textsf{R}: \{0,1\}^*\rightarrow \{0,1\}^\lambda \), \(\textsf{H}:\{0,1\}^*\rightarrow \mathcal {K}\), \(\textsf{G}_{\textsf{st}\textrm{I}}: \{0,1\}^{\kappa }\times \{0,1\}^{\kappa }\rightarrow \{0,1\}^{d_{\textrm{I}}}\),and \(\textsf{G}_{\textsf{stR}}: \{0,1\}^{\kappa }\times \{0,1\}^{\kappa }\rightarrow \{0,1\}^{d_{\textsf{R}}}\) are modeled as random oracles. For every adversary \(\mathcal {A}\) that breaks the \((t,\varepsilon , \mu , S, T, {Q}_{\textsc {Cor}},{Q}_{\textsc {St}})\text {-}\textsf{IND}\text {-}\textsf{FS}\text {-}\textsf{St}\)-security of \(\textsf{AKE}_{\textsf{stKC}}\), there exists an adversary \(\mathcal {B}\) that breaks the \((t', \varepsilon ', \mu , S, {Q}_{\textsc {Cor}}, Q_{Ver}, S)\text {-}\mathsf {OW\text {-}VwFS\text {-}St}\) security of \({\textsf{AKE}}'_{}\) with \(t' \approx t\) and
where \(Q_\textsf{h}\) is the number of queries to the respective random oracle \(\textsf{h}\) and \(Q_{Ver}\le S+Q_{{\textsf{G}_\textrm{I}}}+Q_{{\textsf{G}_\textsf{R}}}+Q_{{\textsf{H}}}\).
6 Applying Our Results to Existing Protocols
We first show how to construct verifiable AKE from KEMs which gives us tight AKE with key confirmation and perfect forward secrecy from lattices and DDH. The advantage is that we do not have to consider random oracles and the proofs are comparably simpler than those of full AKE security. We then show how we can recover the optimal tightness bound for the \(\textsf {CCGJJ} \) protocol [10] using our modular transformation rather than that of [18].
6.1 AKE from KEMs
We provide results for KEM-based AKE secure without and with state reveal, where the former allows for weaker assumptions. The protocol, denoted by \(\textsf{AKE}'_\textsf{kem}\), to which we want to apply our compiler from the previous section is given in Fig. 11. Each party holds long-term keys of a KEM scheme \(\textsf{KEM}_{\textsf{1}}\) and in each session, an ephemeral key using \(\textsf{KEM}_{\textsf{0}}\) is exchanged. The session key then simply consists of three KEM keys. We also denote its variant with key confirmation by \(\textsf{AKE}_\textsf{kem}\) (i. e., combining Fig. 11 with Fig. 5) and the one resisting state reveals by \(\textsf{AKE}_\textsf{st,kem}\) (i. e., combining Fig. 11 with Fig. 10).
One-Way Security of KEM. Depending on whether the KEM is used for long-term keys or ephemeral keys and whether state reveals are allowed, we need a different variant of one-way security: multi-user one-way security under plaintext checking and ciphertext validity attacks without (\(\textsf{OW}\text {-}\textsf{PCVA}\)) or with corruptions (\(\textsf{OW}\text {-}\textsf{PCVA}\text {-}\textsf{C}\)), and with corruptions and reveal queries (\(\textsf{OW}\text {-}\textsf{PCVA}\text {-}\textsf{C}\textsf{R}\)). These notions are weaker variants of \(\textsf{OW}\text {-}\textsf{ChCCA}\) security from Pan, Wagner and Zeng [30] and are tightly implied by \(\textsf{OW}\text {-}\textsf{ChCCA}\). The formal security definitions are given in our full version [28, Appendix A].
Analysis of \(\textsf{AKE}'_\textsf{kem}\) and \(\textsf{AKE}_\textsf{kem}\). We prove that \(\textsf{AKE}'_\textsf{kem}\) protocol is a secure verifiable AKE protocol. When not considering state reveals, we can use weaker assumptions, namely \(\textsf{OW}\text {-}\textsf{PCVA}\) and \(\textsf{OW}\text {-}\textsf{PCVA}\text {-}\textsf{C}\). We also prove security with state-reveals which uses the definition of \(\textsf{OW}\text {-}\textsf{PCVA}\text {-}\textsf{C}\textsf{R}\) security. We then apply Theorem 1 resp. Theorem 2 to obtain \(\textsf{AKE}_\textsf{kem}\) which has full forward secrecy.
Correctness and Entropy. Let \(\textsf{KEM}_{\textsf{0}}\) be \((1-\delta _0)\)-correct and have public keys with \(\gamma _0\) bits of entropy and messages with \(\alpha _0\) bits of entropy. Let \(\textsf{KEM}_{\textsf{1}}\) be \((1-\delta _1)\)-correct and have public keys with \(\gamma _1\) bits of entropy and messages with \(\alpha _1\) bits of entropy. Then \(\textsf{AKE}'_\textsf{kem}\) is \((1-\delta _0-2\delta _1)\)-correct. Further, \(\textsf{AKE}'_\textsf{kem}\) has public keys with \(\gamma _1\) bits of entropy and messages with at least \(\min (\gamma _0,\alpha _0,\alpha _1-1)\) bits of entropy.
We now establish \(\mathsf {OW\text {-}VwFS}\) and \(\mathsf {OW\text {-}VwFS\text {-}St}\) security of \(\textsf{AKE}'_\textsf{kem}\) and defer the proofs to our full paper [28, Appendix D.1].
Lemma 1
For every adversary \(\mathcal {A}\) that breaks the \((t,\varepsilon , \mu , S, T, {Q}_{\textsc {Cor}}, Q_{Ver})\text {-}\mathsf {OW\text {-}VwFS}\) security of \(\textsf{AKE}'_\textsf{kem}\), there exist adversaries \(\mathcal {B}_1\) and \(\mathcal {B}_2\) that break \((t_{1},\varepsilon _{1},S,S,S,Q_{Ver})\text {-}\textsf{OW}\text {-}\textsf{PCVA}\) security of \(\textsf{KEM}_{\textsf{0}}\) and \((t_{2},\varepsilon _{2},\mu ,S,S,2Q_{Ver},{Q}_{\textsc {Cor}})\text {-}\textsf{OW}\text {-}\textsf{PCVA}\text {-}\textsf{C}\) security of \(\textsf{KEM}_{\textsf{1}}\) with \(t_{1}\approx t_{2} \approx t\) and \(\varepsilon \le \varepsilon _{1} + \varepsilon _{2}\).
Lemma 2
For every adversary \(\mathcal {A}\) that breaks the \((t,\varepsilon , \mu , S, T, {Q}_{\textsc {Cor}},Q_{Ver},{Q}_{\textsc {St}})\text {-}\mathsf {OW\text {-}VwFS\text {-}St}\) security of \(\textsf{AKE}'_\textsf{kem}\), there exist adversaries \(\mathcal {B}_1\) and \(\mathcal {B}_2\) that break \((t_{1},\varepsilon _{1},S,S,S,Q_{Ver},{Q}_{\textsc {St}})\text {-}\textsf{OW}\text {-}\textsf{PCVA}\text {-}\textsf{C}\) security of \(\textsf{KEM}_{\textsf{0}}\) and \((t_{2},\varepsilon _{2},\mu ,S,S,2Q_{Ver},{Q}_{\textsc {Cor}},{Q}_{\textsc {St}})\text {-}\textsf{OW}\text {-}\textsf{PCVA}\text {-}\textsf{C}\textsf{R}\) security of \(\textsf{KEM}_{\textsf{1}}\) with \(t_{1}\approx t_{2} \approx t\) and \(\varepsilon \le \varepsilon _{1} + \varepsilon _{2}\).
We now add key confirmation to \(\textsf{AKE}'_\textsf{kem}\) as described in Fig. 5 resp. Fig. 10. The following theorem then follows from combining Theorem 1 with Lemma 1 resp. Theorem 2 with Lemma 2.
Theorem 3
Let \(\textsf{KEM}_{\textsf{0}}\) be \((1-\delta _0)\)-correct and have public keys with \(\gamma _0\) bits of entropy and messages with \(\alpha _0\) bits of entropy. Let \(\textsf{KEM}_{\textsf{1}}\) be \((1-\delta _1)\)-correct and have public keys with \(\gamma _1\) bits of entropy and messages with \(\alpha _1\) bits of entropy. Let \(\textsf{AKE}_\textsf{kem}\) resp. \(\textsf{AKE}_\textsf{st,kem}\) be defined as described above by combining Fig. 11 with Fig. 5 resp. Fig. 10, where \(\textsf{G}_\textrm{I},\textsf{G}_\textsf{R}: \{0,1\}^*\rightarrow \{0,1\}^\lambda \), \(\textsf{H}:\{0,1\}^*\rightarrow \mathcal {K}\), \(\textsf{G}_{\textsf{st}\textrm{I}}: \{0,1\}^{\kappa }\times \{0,1\}^{\kappa }\rightarrow \{0,1\}^{d_{\textrm{I}}}\) and \(\textsf{G}_{\textsf{stR}}: \{0,1\}^{\kappa }\times \{0,1\}^{\kappa }\rightarrow \{0,1\}^{d_{\textsf{R}}}\) are modeled as random oracles. Let \(Q_\textsf{h}\) be the number of queries to the respective random oracle \(\textsf{h}\).
For any \(\mathcal {A}\) against the \((t,\varepsilon , \mu , S, T, {Q}_{\textsc {Cor}})\text {-}\textsf{IND}\text {-}\textsf{FS}\)-security of \(\textsf{AKE}_\textsf{kem}\), there exist adversaries \(\mathcal {B}_1\) and \(\mathcal {B}_2\) that break \((t_{1},\varepsilon _{1},S,S,S,Q_{Ver})\text {-}\textsf{OW}\text {-}\textsf{PCVA}\) security of \(\textsf{KEM}_{\textsf{0}}\) and \((t_{2},\varepsilon _{2},\mu ,S,S,2Q_{Ver},{Q}_{\textsc {Cor}})\text {-}\textsf{OW}\text {-}\textsf{PCVA}\text {-}\textsf{C}\) security of \(\textsf{KEM}_{\textsf{1}}\), where \(Q_{Ver}\le S+Q_{{\textsf{G}_\textrm{I}}}+Q_{{\textsf{G}_\textsf{R}}}+Q_{{\textsf{H}}}\), with \(t_{1}\approx t_{2} \approx t\) and
Further, for every adversary \(\mathcal {A}\) that breaks the \((t,\varepsilon , \mu , S, T, {Q}_{\textsc {Cor}},{Q}_{\textsc {St}})\text {-}\textsf{IND}\text {-}\textsf{FS}\text {-}\textsf{St}\)-security of \(\textsf{AKE}_\textsf{st,kem}\), there exist adversaries \(\mathcal {B}_1\) and \(\mathcal {B}_2\) that break \((t_{1},\varepsilon _{1},S,S,S,Q_{Ver},{Q}_{\textsc {St}})\text {-}\textsf{OW}\text {-}\textsf{PCVA}\text {-}\textsf{C}\) security of \(\textsf{KEM}_{\textsf{0}}\) and \((t_{2},\varepsilon _{2},\mu ,S,S,2Q_{Ver},{Q}_{\textsc {Cor}},{Q}_{\textsc {St}})\text {-}\textsf{OW}\text {-}\textsf{PCVA}\text {-}\textsf{C}\textsf{R}\) security of \(\textsf{KEM}_{\textsf{1}}\), where \(Q_{Ver}\le S+Q_{{\textsf{G}_\textrm{I}}}+Q_{{\textsf{G}_\textsf{R}}}+Q_{{\textsf{H}}}\), with \(t_{1}\approx t_{2} \approx t\) and
Instantiation with Non-Committing KEM. We can use a non-committing KEM as defined in [21] to instantiate a verifiable AKE protocol very efficiently, e. g., from DDH (cf. protocol \(\textsf {JKRS} \) in Fig. 12). We can easily show that a non-committing KEM implies \(\textsf{OW}\text {-}\textsf{PCVA}\text {-}\textsf{C}\textsf{R}\) security of that KEM. In our full version [28, Appendix A], we recall the formal definition of \(\textsf{NC}\text {-}\textsf{CCA}\) security for KEMs from [21] and show the implication. Adding key confirmation as described in Fig. 10 then yields protocol \(\mathsf {JKRS_{KC}} \).
Security of \(\mathsf {JKRS_{KC}} \). We now establish security of protocol \(\mathsf {JKRS_{KC}} \). Since the \(\textsf {JKRS} \) protocol is perfectly correct, so is \(\mathsf {JKRS_{KC}} \). Further, public keys and messages have \(\log (p)\) bits entropy. Security is based on the \(\textsf{DDH}\) assumption which asks to distinguish between \((g^x,g^y,g^{xy})\) and \((g^x,g^y,g^{z})\) for .
Theorem 4
Let \(\mathsf {JKRS_{KC}} \) be defined as in Fig. 12, where \(\textsf{G}_\textrm{I},\textsf{G}_\textsf{R}: \{0,1\}^*\rightarrow \{0,1\}^\lambda \), \(\textsf{H}:\{0,1\}^*\rightarrow \mathcal {K}\), \(\textsf{H}_0:\{0,1\}^*\rightarrow \textsf{KEM}_{\textsf{0}}.\mathcal {K}\), \(\textsf{H}_1:\{0,1\}^*\rightarrow \textsf{KEM}_{\textsf{1}}.\mathcal {K}\), \(\textsf{G}_{\textsf{st}\textrm{I}}: \{0,1\}^{\kappa }\times \{0,1\}^{\kappa }\rightarrow \{0,1\}^{d_{\textrm{I}}}\),and \(\textsf{G}_{\textsf{stR}}: \{0,1\}^{\kappa }\times \{0,1\}^{\kappa }\rightarrow \{0,1\}^{d_{\textsf{R}}}\) are modeled as random oracles.
For every adversary \(\mathcal {A}\) that breaks the \((t,\varepsilon , \mu , S, T, {Q}_{\textsc {Cor}},{Q}_{\textsc {St}})\text {-}\textsf{IND}\text {-}\textsf{FS}\text {-}\textsf{St}\)-security of \(\mathsf {JKRS_{KC}} \), there exists an adversary \(\mathcal {B}\) that breaks \((t',\varepsilon ')\text {-}\textsf{DDH}\) with \(t'\approx t\) and
where \(Q_\textsf{h}\) is the number of queries to the respective random oracle \(\textsf{h}\).
The theorem follows from [28, Theorem 6], Lemma 2 and Theorem 2 in combination with [21, Theorem 5], where the latter deals with the optimization that only one ciphertext is sent in the second round.
Instantiation from Lattices. We can also instantiate the KEM-based verifiable AKE protocol using lattices assumptions. The scheme \(\textsf{KEM}_{\textsf{LWE}}\) described in [30, Section 3] satisfies \(\textsf{OW}\text {-}\textsf{ChCCA}\) security which implies \(\textsf{OW}\text {-}\textsf{PCVA}\text {-}\textsf{C}\textsf{R}\) security. This gives us an AKE protocol with key confirmation from \(\textsf{LWE}\) secure in the random oracle model.
6.2 The \(\textsf {CCGJJ} \) Protocol and Its Isogeny-Based Variant
It is easy to see that the core protocol from Cohn-Gordon et al. (\(\textsf {CCGJJ} \)) [10] is a verifiable AKE protocol, ignoring the session key hash. For completeness, we provide a formal treatment in our full paper [28, Appendix F].
Isogeny-based AKE. The isogeny-based AKE protocol which was independently analyzed by de Kock, Gjøsteen and Veroni [23] and Kawashima et al. [22] follows the same blueprint as the \(\textsf {CCGJJ} \) protocol, relying on the group action structure of CSIDH [8] rather than prime-order groups. Thus, we also get an AKE protocol with key confirmation from isogenies, based on the same assumptions as the analysis in [22, 23]. This is particularly interesting because the only group action based and tightly-secure signature scheme supporting adaptive corruptions [29] is rather inefficient.
7 KEM-Based AKE with Key Confirmation in the QROM
We analyze FS via key confirmation in the quantum random oracle model (QROM). Following [31], we use IND-CCA-secure KEMs in the multi-user, multi challenge settings as building blocks. By the key confirmation technique, we lift the result of Pan, Wagner, and Zeng [31] to FS in the QROM. The work of Pan, Wagner, and Zeng only achieves weak FS in the QROM. Our result not only preserves the security loss of their protocol, but also achieves FS and allows multiple \(\textsc {Test}\) queries with single challenge bit, while [31] allows at most one single \(\textsc {Test}\) query.
The \(\textrm{MC}\text {-}\textrm{IND}\text {-}\textrm{CCA}\) and \(\textrm{MUC}\text {-}\textrm{IND}\text {-}\textrm{CCA}\) security definitions of KEMs are given in our full paper [28, Appendix A]. We use notations introduced in Sect. 5 to present our protocol \(\textsf{AKE}_\textsf{kem}\). Let \(\textsf{KEM}_{\textsf{1}}\) and \(\textsf{KEM}_{\textsf{0}}\) be two KEM schemes and \(\textsf{G}_\textrm{I},\textsf{G}_\textsf{R}:\{0,1\}^*\rightarrow \{0,1\}^\lambda \), and \(\textsf{H}:\{0,1\}^*\rightarrow \mathcal {K}\) be hash functions, where \(\lambda \) is the length of key confirmation tags and \(\mathcal {K}\) is the key space of \(\textsf{AKE}_\textsf{kem}\). An overview of our AKE construction \(\textsf{AKE}_\textsf{kem}\) is given in Fig. 13. \(\textsf{AKE}_\textsf{kem}\) is essentially the KEM-based AKE protocol in [31] adding key confirmation, namely, it is obtained from combining Fig. 11 and Fig. 5.
Correctness. The correctness of \(\textsf{AKE}_\textsf{kem}\) is due to \(\textsf{KEM}_{\textsf{1}}\) and \(\textsf{KEM}_{\textsf{0}}\). Each session of \(\textsf{AKE}_\textsf{kem}\) includes two ciphertexts of \(\textsf{KEM}_{\textsf{1}}\) and one ciphertext of \(\textsf{KEM}_{\textsf{0}}\). If \(\textsf{KEM}_{\textsf{1}}\) is \((1-\delta _{\textsf{1}})\)-correct and \(\textsf{KEM}_{\textsf{0}}\) is \((1-\delta _{\textsf{0}})\)-correct, then by the union bound, \(\textsf{AKE}_\textsf{kem}\) is \((1-2\delta _{\textsf{1}}- \delta _{\textsf{0}})\)-correct.
Security. We prove \(\textsf{IND}\text {-}\textsf{FS}\) security of \(\textsf{AKE}_\textsf{kem}\) based on the \(\textrm{MC}\text {-}\textrm{IND}\text {-}\textrm{CCA}\) security of \(\textsf{KEM}_{\textsf{1}}\), the \(\textrm{MUC}\text {-}\textrm{IND}\text {-}\textrm{CCA}\) security of \(\textsf{KEM}_{\textsf{0}}\), and modeling \(\textsf{G}_\textrm{I},\textsf{G}_\textsf{R},\) and \(\textsf{H}\) as quantum-accessible random oracles, as stated in Theorem 5. The proof of Theorem 5 is postponed to our full version [28, Appendix E].
Theorem 5
Let \(\textsf{KEM}_{\textsf{0}}\) be \((1-\delta _{\textsf{0}})\)-correct and have public keys with \({\gamma _{\textsf{0}}}\) bits of entropy and messages with \({\alpha _{\textsf{0}}}\) bits of entropy. Let \(\textsf{KEM}_{\textsf{1}}\) be \((1-\delta _{\textsf{1}})\)-correct and have public keys with \({\gamma _{\textsf{1}}}\) bits of entropy and messages with \({\alpha _{\textsf{1}}}\) bits of entropy. \(\mathcal {K}_{\textsf{0}}\) and \(\mathcal {K}_{\textsf{1}}\) are the KEM key spaces of \(\textsf{KEM}_{\textsf{0}}\) and \(\textsf{KEM}_{\textsf{1}}\), respectively.
Let \(\textsf{AKE}_\textsf{kem}\) be as defined in Fig. 13, where Let \(\textsf{G}_\textrm{I},\textsf{G}_\textsf{R}: \{0,1\}^*\rightarrow \{0,1\}^\lambda \) and \(\textsf{H}:\{0,1\}^*\rightarrow \mathcal {K}\). For every adversary \(\mathcal {A}\) that breaks the \((t,\varepsilon , \mu , S, T, {Q}_{\textsc {Cor}})\text {-}\textsf{IND}\text {-}\textsf{FS}\)-security of \(\textsf{AKE}_{\textsf{KC}}\), there exists an adversary \(\mathcal {B}_\textsf{0}\) that breaks the \((t'_\textsf{0}, \varepsilon '_{\textsf{0}}, S, S)\text {-}\textsf{MUC}\text {-}\textsf{IND}\text {-}\textsf{CCA}\) security of \(\textsf{KEM}_{\textsf{0}}\) and an adversary \(\mathcal {B}_\textsf{1}\) that breaks the \((t'_\textsf{1}, \varepsilon '_\textsf{1}, S)\text {-}\textsf{MC}\text {-}\textsf{IND}\text {-}\textsf{CCA}\) security of \(\textsf{KEM}_{\textsf{1}}\) with \(t'_\textsf{0}\approx t'_\textsf{1}\approx t\) and
where \(Q_{{\textsf{G}_\textrm{I}}},Q_{{\textsf{G}_\textsf{R}}}\) and \(Q_{{\textsf{H}}}\) are the number of quantum-superposition queries to \(\textsf{G}_\textrm{I}\), \(\textsf{G}_\textsf{R}\) and \(\textsf{H}\).
Remark 1
(Implicit Rejection). Following [31], when proving Theorem 5, we assume \(\textsf{KEM}_{\textsf{1}}\) and \(\textsf{KEM}_{\textsf{0}}\) have implicit rejection [5], namely, if the input ciphertext is invalid, then the decapsulation algorithm returns a pseudorandom KEM key. We use implicit-rejection KEM because it simplifies our AKE proof.
To adapt the proof of Theorem 5 to the one that uses explicit-rejection KEMs, we can add extra codes in the games sequence to deal with explicit rejections from KEM. Concretely, upon receiving an invalid KEM ciphertext, the session oracle (e.g., \(\textsc {Session}_{\textsf{R}}\), \(\textsc {Der}_{\textsf{R}}\), or \(\textsc {Der}_{\textsc {I}}\)) simply sets the session key as \(\text {``reject''}\) and returns \(\bot \). This can be tightly simulated by \(\textsf{MUC}\text {-}\textsf{IND}\text {-}\textsf{CCA}\) and \(\textsf{MC}\text {-}\textsf{IND}\text {-}\textsf{CCA}\) secure KEMs with explicit rejection, and thus the security bound in Theorem 5 also applies to explicit-rejection KEMs.
Remark 2
(Instantiations with LWE). In [31], Pan et al. proposed lattice-based instantiations of \(\textrm{MC}\text {-}\textrm{IND}\text {-}\textrm{CCA}\)-secure KEM and \(\textrm{MUC}\text {-}\textrm{IND}\text {-}\textrm{CCA}\)-secure KEM that have (almost-)tight reduction from the well-known Learning With Errors (LWE) problem in the QROM. Here we only discuss the security loss of these KEM schemes and give the final security loss of our AKE protocol instantiated with these KEM schemes.
Let \(\varepsilon _{\textsf{lwe}}\) be the best computational advantage against LWE assumptions and \(\lambda \) be the security parameter (which decides the security level, the length of message, etc.). The two KEM schemes proposed in [31] have asymptotic bounds \(\varepsilon '_\textsf{1}\le \varTheta (\lambda ) \cdot \varepsilon _{\textsf{lwe}}\) and \(\varepsilon '_{\textsf{0}}\le \varTheta (\lambda ) \cdot \varepsilon _{\textsf{lwe}}\), where \(\varepsilon '_\textsf{1}\) and \(\varepsilon '_{\textsf{0}}\) are the computational advantages against \(\textrm{MC}\text {-}\textrm{IND}\text {-}\textrm{CCA}\) security and \(\textrm{MUC}\text {-}\textrm{IND}\text {-}\textrm{CCA}\) security of the KEM schemes in [31], respectively. By combining these bounds with the bounds given in Theorem 5, we have
where \(\varepsilon \) is the computational advantage against the resulting AKE protocol. This gives us a session-tight and square-root-tight (namely, does not suffer from the square-root security loss) LWE-based instantiation of AKE with full forward secrecy in the QROM.
Notes
- 1.
Their lattice-based protocol is almost tight (similar to [9]), since it needs to lose a factor of \(O(\lambda )\) to the LWE assumption, where \(\lambda \) is the security parameter. We call it tight as well, but specify the concrete loss in our theorems and proofs.
- 2.
- 3.
We define three different hash functions here which allows us to model them as independent random oracles. When instantiating the hash functions with the same function, one would need to use appropriate domain separation.
- 4.
Since we cannot check correctness efficiently in the reduction which we will build in the next step, we explicitly perform the test here for all sessions in \(\mathcal {S}\). However, if \(\mathcal {S}\) indeed contains two sessions, then by correctness, this key (and thus the outcome) will be the same.
References
Abdalla, M., Fouque, P.A., Pointcheval, D.: Password-based authenticated key exchange in the three-party setting. In: Vaudenay, S. (ed.) PKC 2005. LNCS, vol. 3386, pp. 65–84. Springer, Heidelberg (2005). https://doi.org/10.1007/978-3-540-30580-4_6
Bellare, M., Boldyreva, A., Micali, S.: Public-key encryption in a multi-user setting: security proofs and improvements. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 259–274. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-45539-6_18
Bellare, M., Rogaway, P.: Entity authentication and key distribution. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 232–249. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48329-2_21
Bellare, M., Rogaway, P.: The security of triple encryption and a framework for code-based game-playing proofs. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 409–426. Springer, Heidelberg (2006). https://doi.org/10.1007/11761679_25
Bernstein, D.J., Persichetti, E.: Towards KEM unification. Cryptology ePrint Archive, Report 2018/526 (2018). https://eprint.iacr.org/2018/526
Boneh, D., Dagdelen, Ö., Fischlin, M., Lehmann, A., Schaffner, C., Zhandry, M.: Random oracles in a quantum world. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 41–69. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25385-0_3
Canetti, R., Krawczyk, H.: Analysis of key-exchange protocols and their use for building secure channels. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 453–474. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44987-6_28
Castryck, W., Lange, T., Martindale, C., Panny, L., Renes, J.: CSIDH: an efficient post-quantum commutative group action. In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018, Part III. LNCS, vol. 11274, pp. 395–427. Springer, Heidelberg (2018). https://doi.org/10.1007/978-3-030-03332-3_15
Chen, J., Wee, H.: Fully, (almost) tightly secure IBE and dual system groups. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part II. LNCS, vol. 8043, pp. 435–460. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40084-1_25
Cohn-Gordon, K., Cremers, C., Gjøsteen, K., Jacobsen, H., Jager, T.: Highly efficient key exchange protocols with optimal tightness. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019, Part III. LNCS, vol. 11694, pp. 767–797. Springer, Heidelberg (2019). https://doi.org/10.1007/978-3-030-26954-8_25
Davis, H., Günther, F.: Tighter proofs for the SIGMA and TLS 1.3 key exchange protocols. In: Sako, K., Tippenhauer, N.O. (eds.) ACNS 2021, Part II. LNCS, vol. 12727, pp. 448–479. Springer, Heidelberg (2021). https://doi.org/10.1007/978-3-030-78375-4_18
Delpech de Saint Guilhem, C., Fischlin, M., Warinschi, B.: Authentication in key-exchange: definitions, relations and composition. In: Jia, L., Küsters, R. (eds.) CSF 2020 Computer Security Foundations Symposium, pp. 288–303. IEEE Computer Society Press (2020). https://doi.org/10.1109/CSF49147.2020.00028
Diemert, D., Gellert, K., Jager, T., Lyu, L.: More efficient digital signatures with tight multi-user security. In: Garay, J. (ed.) PKC 2021, Part II. LNCS, vol. 12711, pp. 1–31. Springer, Heidelberg (2021). https://doi.org/10.1007/978-3-030-75248-4_1
Diemert, D., Jager, T.: On the tight security of TLS 1.3: theoretically sound cryptographic parameters for real-world deployments. J. Cryptol. 34(3), 30 (2021). https://doi.org/10.1007/s00145-021-09388-x
Fischlin, M., Günther, F., Schmidt, B., Warinschi, B.: Key confirmation in key exchange: a formal treatment and implications for TLS 1.3. In: 2016 IEEE Symposium on Security and Privacy, pp. 452–469. IEEE Computer Society Press, May 2016. https://doi.org/10.1109/SP.2016.34
Freire, E.S.V., Hofheinz, D., Kiltz, E., Paterson, K.G.: Non-interactive key exchange. In: Kurosawa, K., Hanaoka, G. (eds.) PKC 2013. LNCS, vol. 7778, pp. 254–271. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-36362-7_17
Gay, R., Hofheinz, D., Kiltz, E., Wee, H.: Tightly CCA-secure encryption without pairings. In: Fischlin, M., Coron, J.S. (eds.) EUROCRYPT 2016, Part I. LNCS, vol. 9665, pp. 1–27. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49890-3_1
Gellert, K., Gjøsteen, K., Jacobsen, H., Jager, T.: On optimal tightness for key exchange with full forward secrecy via key confirmation. In: Handschuh, H., Lysyanskaya, A. (eds.) CRYPTO 2023. LNCS, Springer, Heidelberg (2023). https://doi.org/10.1007/978-3-031-38551-3_10
Gjøsteen, K., Jager, T.: Practical and tightly-secure digital signatures and authenticated key exchange. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018, Part II. LNCS, vol. 10992, pp. 95–125. Springer, Heidelberg (2018). https://doi.org/10.1007/978-3-319-96881-0_4
Hövelmanns, K., Kiltz, E., Schäge, S., Unruh, D.: Generic authenticated key exchange in the quantum random oracle model. In: Kiayias, A., Kohlweiss, M., Wallden, P., Zikas, V. (eds.) PKC 2020, Part II. LNCS, vol. 12111, pp. 389–422. Springer, Heidelberg (2020). https://doi.org/10.1007/978-3-030-45388-6_14
Jager, T., Kiltz, E., Riepel, D., Schäge, S.: Tightly-secure authenticated key exchange, revisited. In: Canteaut, A., Standaert, F.X. (eds.) EUROCRYPT 2021, Part I. LNCS, vol. 12696, pp. 117–146. Springer, Heidelberg (2021). https://doi.org/10.1007/978-3-030-77870-5_5
Kawashima, T., Takashima, K., Aikawa, Y., Takagi, T.: An efficient authenticated key exchange from random self-reducibility on CSIDH. In: Hong, D. (ed.) ICISC 2020. LNCS, vol. 12593, pp. 58–84. Springer, Heidelberg (2020). https://doi.org/10.1007/978-3-030-68890-5_4
de Kock, B., Gjøsteen, K., Veroni, M.: Practical isogeny-based key-exchange with optimal tightness. In: Dunkelman, O., Jacobson Jr., M.J., O’Flynn, C. (eds.) SAC 2020. LNCS, vol. 12804, pp. 451–479. Springer, Heidelberg (2020). https://doi.org/10.1007/978-3-030-81652-0_18
Krawczyk, H.: HMQV: a high-performance secure Diffie-Hellman protocol. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 546–566. Springer, Heidelberg (2005). https://doi.org/10.1007/11535218_33
LaMacchia, B.A., Lauter, K., Mityagin, A.: Stronger security of authenticated key exchange. In: Susilo, W., Liu, J.K., Mu, Y. (eds.) ProvSec 2007. LNCS, vol. 4784, pp. 1–16. Springer, Heidelberg (Nov (2007)
Liu, X., Liu, S., Gu, D., Weng, J.: Two-pass authenticated key exchange with explicit authentication and tight security. In: Moriai, S., Wang, H. (eds.) ASIACRYPT 2020, Part II. LNCS, vol. 12492, pp. 785–814. Springer, Heidelberg (2020). https://doi.org/10.1007/978-3-030-64834-3_27
Pan, J., Qian, C., Ringerud, M.: Signed (group) Diffie-Hellman key exchange with tight security. J. Cryptol. 35(4), 26 (2022). https://doi.org/10.1007/s00145-022-09438-y
Pan, J., Riepel, D., Zeng, R.: Key exchange with tight (full) forward secrecy via key confirmation. In: Cryptology ePrint Archive (2024)
Pan, J., Wagner, B.: Lattice-based signatures with tight adaptive corruptions and more. In: Hanaoka, G., Shikata, J., Watanabe, Y. (eds.) PKC 2022, Part II. LNCS, vol. 13178, pp. 347–378. Springer, Heidelberg (2022). https://doi.org/10.1007/978-3-030-97131-1_12
Pan, J., Wagner, B., Zeng, R.: Lattice-based authenticated key exchange with tight security. In: Handschuh, H., Lysyanskaya, A. (eds.) CRYPTO 2023. LNCS, Springer, Heidelberg (2023). https://doi.org/10.1007/978-3-031-38554-4_20
Pan, J., Wagner, B., Zeng, R.: Tighter security for generic authenticated key exchange in the QROM. In: ASIACRYPT 2023. LNCS, Springer, Heidelberg (2023). https://doi.org/10.1007/978-981-99-8730-6_13, https://eprint.iacr.org/2023/1380
Unruh, D.: Revocable quantum timed-release encryption. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 129–146. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-55220-5_8
Acknowledgements
We thank the anonymous reviewers for their valuable comments on better motivating our works and comparisons with the related work. Doreen Riepel was supported in part by Bellare’s KACST grant. Jiaxin Pan was supported in part by the Research Council of Norway (RCN) under Project No. 324235, and Runzhi Zeng were supported by the same project from RCN.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2024 International Association for Cryptologic Research
About this paper
Cite this paper
Pan, J., Riepel, D., Zeng, R. (2024). Key Exchange with Tight (Full) Forward Secrecy via Key Confirmation. In: Joye, M., Leander, G. (eds) Advances in Cryptology – EUROCRYPT 2024. EUROCRYPT 2024. Lecture Notes in Computer Science, vol 14657. Springer, Cham. https://doi.org/10.1007/978-3-031-58754-2_3
Download citation
DOI: https://doi.org/10.1007/978-3-031-58754-2_3
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-58753-5
Online ISBN: 978-3-031-58754-2
eBook Packages: Computer ScienceComputer Science (R0)