Cryptology ePrint Archive: Report 2017/256

A Framework for Universally Composable Diffie-Hellman Key Exchange

Ralf Kuesters and Daniel Rausch

Abstract: The analysis of real-world protocols, in particular key exchange protocols and protocols building on these protocols, is a very complex, error-prone, and tedious task. Besides the complexity of the protocols itself, one important reason for this is that the security of the protocols has to be reduced to the security of the underlying cryptographic primitives for every protocol time and again.

We would therefore like to get rid of reduction proofs for real-world key exchange protocols as much as possible and in many cases altogether, also for higher-level protocols which use the exchanged keys. So far some first steps have been taken in this direction. But existing work is still quite limited, and, for example, does not support Diffie-Hellman (DH) key exchange, a prevalent cryptographic primitive for real-world protocols.

In this paper, building on work by K{\"u}sters and Tuengerthal, we provide an ideal functionality in the universal composability setting which supports several common cryptographic primitives, including DH key exchange. This functionality helps to avoid reduction proofs in the analysis of real-world protocols and often eliminates them completely. We also propose a new general ideal key exchange functionality which allows higher-level protocols to use exchanged keys in an ideal way. As a proof of concept, we apply our framework to three practical DH key exchange protocols, namely ISO 9798-3, SIGMA, and OPTLS.

Category / Keywords: cryptographic protocols / universal composability, key exchange, Diffie-Hellmann, reduction proofs, IITM model

Original Publication (with major differences): S&P 2017

Date: received 16 Mar 2017, last revised 20 Mar 2017

Contact author: ralf kuesters at informatik uni-stuttgart de

Available format(s): PDF | BibTeX Citation

Version: 20170320:171009 (All versions of this report)

Short URL:

Discussion forum: Show discussion | Start new discussion

[ Cryptology ePrint archive ]