Cryptology ePrint Archive: Report 2011/051

Towards Strong Adaptive Corruption Security of Authenticated Key Exchange

Zheng Yang

Abstract: In this paper we study strong adaptive corruption security definitions for authenticated key exchange (AKE) protocols. Many recent protocols for Authenticated Key Exchange have been proven correct in the CK01 or eCK security model. The new model is suggested to be at least as strong as previous models for authenticated key exchange protocols. However, we observe that there are several kinds of attacks on existing AKE protocols that beyond the current class of security definitions which further reveal the shortcomings in security proofs in related AKE security models, in particular concerning the protocols under eCK model. Since the two models are not formally comparable, we discuss the ambiguities of existing security definitions and then provide a general framework for defining AKE security when involve strong adversary capabilities. In which we formulate the timing of the authentication, key generation and key confirmation, for different classes of AKE protocols. In addition, we propose a new two-pass AKE protocol called $\Sigma^y$ as an instance, which is proven secure in our proposed strong security definitions, under random oracle model and GDH assumption. In this protocol we show that our the proposed model, would also be a helpful guidance to design a secure protocol under strong adversary model. The intuition is generic: we embed the global unique identifier for unique-pairwise matching sessions into the key materials, before submitting to final key deviation function.

Category / Keywords: Security model, Authenticated Key Exchange, SessionState, Ephemeral Key, Key Compromise Impersonation, Unknown Key Share, Matching Sessions

Date: received 26 Jan 2011, last revised 5 Mar 2011, withdrawn 18 Jun 2011

Contact author: zheng yang at rub de

Available format(s): (-- withdrawn --)

Version: 20110618:130952 (All versions of this report)

Discussion forum: Show discussion | Start new discussion

[ Cryptology ePrint archive ]