Universally Composable Notions of Key Exchange and Secure Channels

Ran Canetti and Hugo Krawczyk

Abstract

Recently, Canetti and Krawczyk (Eurocrypt 2001) formulated a notion of security for key-exchange (KE) protocols, called SK-security, and showed that this notion suffices for constructing secure channels. Their model and proofs, however, do not suffice for proving more general composability properties of SK-secure KE protocols. We show that while the notion of SK-security is strictly weaker than a fully-idealized notion of key exchange security, it is sufficiently robust for providing secure composition with arbitrary protocols. In particular, SK-security guarantees the security of the key for any application that desires to set up secret keys between pairs of parties. We also provide new definitions of secure-channels protocols with similarly strong composability properties, and show that SK-security suffices for obtaining these definitions. To obtain these results we use the recently proposed framework of "universally composable (UC) security." We also use a new tool, called "non-information oracles," which will probably find applications beyond the present case. These tools allow us to bridge between seemingly limited indistinguishability-based definitions such as SK-security and more powerful, simulation-based definitions, such as UC-security, where general composition theorems can be proven. Furthermore, based on such composition theorems we reduce the analysis of a full-fledged multi-session key-exchange protocol to the (simpler) analysis of individual, stand-alone, key-exchange sessions.

Category
Cryptographic protocols
Publication info
Published elsewhere. Extended abstract of this work appears in the proceedings of Eurocrypt 2002.
Keywords
Key Exchange, Cryptographic Protocols, Proofs of Security
Contact author(s)
canetti @ watson ibm com
Short URL
https://ia.cr/2002/059

CC BY

BibTeX

@misc{cryptoeprint:2002/059,
author = {Ran Canetti and Hugo Krawczyk},
title = {Universally Composable Notions of Key Exchange and Secure Channels},
howpublished = {Cryptology ePrint Archive, Paper 2002/059},
year = {2002},
note = {\url{https://eprint.iacr.org/2002/059}},
url = {https://eprint.iacr.org/2002/059}
}
