We show that by reintroducing signatures, it is possible to satisfy both a very strong key-exchange security notion, which we call eCK-PFS, as well as a strong form of deniability, in one-round key exchange protocols. Our security notion for key exchange is stronger than, e.g., the extended-CK model, and captures perfect forward secrecy. Our notion of deniability, which we call peer-and-time deniability, is stronger than that offered by, e.g., the SIGMA protocol.
We propose a concrete protocol and prove that it satisfies our definition of key-exchange security in the random oracle model as well as peer-and-time deniability. The protocol combines a signed-Diffie-Hellman message exchange with an MQV-style key computation, and offers a remarkable combination of advanced security properties.
Category / Keywords: cryptographic protocols / Key Exchange, Perfect Forward Secrecy, Deniability, PKI
Date: received 6 Jun 2011, last revised 26 Oct 2011
Contact author: cas cremers at inf ethz ch
Version: 20111026:145204
Short URL: ia.cr/2011/300