Paper 2001/040

Analysis of Key-Exchange Protocols and Their Use for Building Secure Channels

Ran Canetti and Hugo Krawczyk


We present a formalism for the analysis of key-exchange protocols that combines previous definitional approaches and results in a definition of security that enjoys some important analytical benefits: (i) any key-exchange protocol that satisfies the security definition can be composed with symmetric encryption and authentication functions to provide provably secure communication channels; and (ii) the definition allows for simple modular proofs of security: one can design and prove security of key-exchange protocols in an idealized model where the communication links are perfectly authenticated, and then translate them using general tools to obtain security in the realistic setting of adversary-controlled links. We exemplify the usability of our results by applying them to obtain the proof of two main classes of key-exchange protocols, Diffie-Hellman and key-transport, authenticated via symmetric or asymmetric techniques. Further contributions of the paper include the formalization of "secure channels" in the context of key-exchange protocols, and establishing sufficient conditions on the symmetric encryption and authentication functions to realize these channels.

Publication info
Published elsewhere. An extended abstract of this work appears in the proceedings of Eurocrypt 2001, LNCS Vol. 2045.
Keywords: Key Exchange, Secure Channels, Cryptographic Protocols
Contact author(s)
hugo @ ee technion ac il
2001-05-17: received
Creative Commons Attribution


      author = {Ran Canetti and Hugo Krawczyk},
      title = {Analysis of Key-Exchange Protocols and Their Use for Building Secure Channels},
      howpublished = {Cryptology ePrint Archive, Paper 2001/040},
      year = {2001},
      note = {\url{}},
      url = {}