Paper 2012/416

Beyond eCK: Perfect Forward Secrecy under Actor Compromise and Ephemeral-Key Reveal

Cas Cremers and Michèle Feltz


We show that it is possible to achieve perfect forward secrecy in two-message or one-round key exchange (KE) protocols that satisfy even stronger security properties than provided by the extended Canetti-Krawczyk (eCK) security model. In particular, we consider perfect forward secrecy in the presence of adversaries that can reveal ephemeral secret keys and the long-term secret keys of the actor of a session (similar to Key Compromise Impersonation). We propose two new game-based security models for KE protocols. First, we formalize a slightly stronger variant of the eCK security model that we call eCKw. Second, we integrate perfect forward secrecy into eCKw, which gives rise to the even stronger eCK-PFS model. We propose a security-strengthening transformation (i.e., a compiler) between our new models. Given a two-message Diffie-Hellman type protocol secure in eCKw, our transformation yields a two-message protocol that is secure in eCK-PFS. As an example, we show how our transformation can be applied to the NAXOS protocol.

Note: V2.0 mainly addresses gap in proof.

Available format(s)
Cryptographic protocols
Publication info
Published elsewhere. Full version of the ESORICS 2012 paper
key exchangesecurity modelsprotocol transformationsperfect forward secrecyephemeral-key revealkey compromise impersonationactor compromise
Contact author(s)
mmc feltz @ gmail com
2017-12-08: last of 2 revisions
2012-08-01: received
See all versions
Short URL
Creative Commons Attribution


      author = {Cas Cremers and Michèle Feltz},
      title = {Beyond eCK: Perfect Forward Secrecy under Actor Compromise and Ephemeral-Key Reveal},
      howpublished = {Cryptology ePrint Archive, Paper 2012/416},
      year = {2012},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.