Paper 2017/853

Generic Forward-Secure Key Agreement Without Signatures

Cyprien de Saint Guilhem, Nigel P. Smart, and Bogdan Warinschi


We present a generic, yet simple and efficient transformation to obtain a forward secure authenticated key exchange protocol from a two-move passively secure unauthenticated key agreement scheme (such as standard Diffie--Hellman or Frodo or NewHope). Our construction requires only an IND-CCA public key encryption scheme (such as RSA-OAEP or a method based on ring-LWE), and a message authentication code. Particularly relevant in the context of the state-of-the-art of postquantum secu re primitives, we avoid the use of digital signature schemes: practical candidate post-quantum signature schemes are less accepted (and require more bandwidth) than candidate post-quantum public key encryption schemes. An additional feature of our proposal is that it helps avoid the bad practice of using long term keys certified for encryption to produce digital signatures. We prove the security of our transformation in the random oracle model.

Available format(s)
Cryptographic protocols
Publication info
Published elsewhere. MAJOR revision.ISC 2017
Contact author(s)
cyprien desaintguilhem @ bristol ac uk
nigel @ cs bris ac uk
bogdan @ cs bris ac uk
2017-09-10: revised
2017-09-09: received
See all versions
Short URL
Creative Commons Attribution


      author = {Cyprien de Saint Guilhem and Nigel P.  Smart and Bogdan Warinschi},
      title = {Generic Forward-Secure Key Agreement Without Signatures},
      howpublished = {Cryptology ePrint Archive, Paper 2017/853},
      year = {2017},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.