Paper 2013/555

Key Exchange with Unilateral Authentication: Composable Security Definition and Modular Protocol Design

Ueli Maurer, Björn Tackmann, and Sandro Coretti

Abstract

Key exchange with unilateral authentication (short: unilateral key exchange) is an important primitive in practical security protocols; a prime example is the widely deployed TLS protocol, which is usually run in this mode. Unilateral key-exchange protocols are employed in a client-server setting where only the server has a certified public key. The client is then authenticated by sending credentials over a connection that is secured with the key obtained from the protocol. Somewhat surprisingly, and despite its importance in practical scenarios, this type of key exchange has received relatively little attention in the cryptographic literature compared to the type with mutual authentication. In this work, we follow the constructive cryptography paradigm of Maurer and Renner (ICS 2011) to obtain a (composable) security definition for key-exchange protocols with unilateral authentication: We describe a "unilateral key" resource and require from a key-exchange protocol that it constructs this resource in a scenario where only the server is authenticated. One main advantage of this approach is that it comes with strong composition guarantees: Any higher-level protocol proven secure with respect to the unilateral key resource remains secure if the key is obtained using a secure unilateral key-exchange protocol. We then describe a simple protocol based on any CPA-secure KEM and prove that it constructs a unilateral key (previous protocols in this setting relied on a CCA-secure KEM). The protocol design and our security analysis are fully modular and allow replacing a sub-protocol $\pi$ with a different sub-protocol $\pi'$ by proving security of the sub-protocol $\pi'$ alone; the composition theorem immediately guarantees that the security of the modified full protocol is maintained. In particular, one can replace the KEM by a sub-protocol based on Diffie-Hellman, obtaining a protocol that is similar to the A-DHKE protocol proposed by Shoup.
Moreover, our analysis is simpler because the actual key-exchange part of the protocol can be analyzed in a simple three-party setting; we show that the extension to the multi-party setting follows generically. Compared to the TLS handshake protocol, the "de facto" standard for unilateral key exchange on the Internet, our protocol is more efficient (only two messages) and is based on weaker assumptions.

Note: References and minor corrections.

Metadata

Available format(s): PDF
Category: Public-key cryptography
Publication info: Preprint. MINOR revision.
Keywords: key exchange, constructive cryptography
Contact author(s): bjoernt @ inf ethz ch
History:
2014-01-23: revised
2013-09-04: received
Short URL: https://ia.cr/2013/555
License: Creative Commons Attribution (CC BY)

BibTeX

@misc{cryptoeprint:2013/555,
      author = {Ueli Maurer and Björn Tackmann and Sandro Coretti},
      title = {Key Exchange with Unilateral Authentication: Composable Security Definition and Modular Protocol Design},
      howpublished = {Cryptology ePrint Archive, Paper 2013/555},
      year = {2013},
      note = {\url{https://eprint.iacr.org/2013/555}},
      url = {https://eprint.iacr.org/2013/555}
}