Cryptology ePrint Archive: Report 2016/711

A Unilateral-to-Mutual Authentication Compiler for Key Exchange (with Applications to Client Authentication in TLS 1.3)

Hugo Krawczyk

Abstract: We study the question of how to build "compilers" that transform a unilaterally authenticated (UA) key-exchange protocol into a mutually-authenticated (MA) one. We present a simple and efficient compiler and characterize the UA protocols that the compiler upgrades to the MA model, showing this to include a large and important class of UA protocols. The question, while natural, has not been studied widely. Our work is motivated in part by the ongoing work on the design of TLS 1.3, specifically the design of the client authentication mechanisms including the challenging case of post-handshake authentication. Our approach supports the analysis of these mechanisms in a general and modular way, in particular aided by the notion of "functional security" that we introduce as a generalization of key exchange models and which may be of independent interest.

Category / Keywords: cryptographic protocols / TLS, key exchange, authentication

Date: received 18 Jul 2016, last revised 1 Sep 2016

Contact author: hugo at ee technion ac il

Available format(s): PDF | BibTeX Citation

Version: 20160901:224203 (All versions of this report)

Short URL:

[ Cryptology ePrint archive ]