We show that while the notion of SK-security is strictly weaker than a fully-idealized notion of key exchange security, it is sufficiently robust for providing secure composition with arbitrary protocols. In particular, SK-security guarantees the security of the key for any application that desires to set-up secret keys between pairs of parties. We also provide new definitions of secure-channels protocols with similarly strong composability properties, and show that SK-security suffices for obtaining these definitions.
To obtain these results we use the recently proposed framework of "universally composable (UC) security." We also use a new tool, called "non-information oracles," which will probably find applications beyond the present case. These tools allow us to bridge between seemingly limited indistinguishability-based definitions such as SK-security and more powerful, simulation-based definitions, such as UC-security, where general composition theorems can be proven. Furthermore, based on such composition theorems we reduce the analysis of a full-fledged multi-session key-exchange protocol to the (simpler) analysis of individual, stand-alone, key-exchange sessions.
Category / Keywords: cryptographic protocols / Key Exchange, Cryptographic Protocols, Proofs of Security, Publication Info: Extended abstract of this work appears in the proceedings of Eurocrypt 2002. Date: received 13 May 2002 Contact author: canetti at watson ibm com Available formats: Postscript (PS) | Compressed Postscript (PS.GZ) | BibTeX Citation Version: 20020514:200902 (All versions of this report) Discussion forum: Show discussion | Start new discussion