Paper 2024/361

Key Exchange with Tight (Full) Forward Secrecy via Key Confirmation

Jiaxin Pan, University of Kassel, Kassel, Germany
Doreen Riepel, University of California San Diego, La Jolla, USA
Runzhi Zeng, Norwegian University of Science and Technology, Trondheim, Norway

Weak forward secrecy (wFS) of authenticated key exchange (AKE) protocols is a passive variant of (full) forward secrecy (FS). A natural mechanism to upgrade from wFS to FS is the use of key confirmation messages which compute a message authentication code (MAC) over the transcript. Unfortunately, Gellert, Gjøsteen, Jacobson and Jager (GGJJ, CRYPTO 2023) show that this mechanism inherently incurs a loss proportional to the number of users, leading to an overall non-tight reduction, even if wFS was established using a tight reduction. Inspired by GGJJ, we propose a new notion, called one-way verifiable weak forward secrecy (OW-VwFS), and prove that OW-VwFS can be transformed tightly to FS using key confirmation in the random oracle model (ROM). To implement our generic transformation, we show that several tightly wFS AKE protocols additionally satisfy our OW-VwFS notion tightly. We highlight that using the recent lattice-based protocol from Pan, Wagner, and Zeng (CRYPTO 2023) can give us the first lattice-based tightly FS AKE via key confirmation in the classical random oracle model. Besides this, we also obtain a Decisional-Diffie-Hellman-based protocol that is considerably more efficient than the previous ones. Finally, we lift our study on FS via key confirmation to the quantum random oracle model (QROM). While our security reduction is overall non-tight, it matches the best existing bound for wFS in the QROM (Pan, Wagner, and Zeng, ASIACRYPT 2023), namely, it is square-root- and session-tight. Our analysis is in the multi-challenge setting, and it is more realistic than the single-challenge setting as in Pan et al.
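The key confirmation mechanism the abstract describes, as an added illustration that is not the paper's own code: a toy Diffie-Hellman exchange (constructed parameters, not a standardised group) stands in for the wFS protocol, SHA-256 stands in for the random oracle, and each party accepts the session only after verifying the peer's MAC over the transcript. The identities, labels and the single-bit tampering case are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman parameters, constructed for illustration only.
P = 2**127 - 1
G = 3

def h(label: bytes, *parts: bytes) -> bytes:
    """SHA-256 standing in for the random oracle, domain-separated by label."""
    hsh = hashlib.sha256(label)
    for part in parts:
        hsh.update(len(part).to_bytes(4, "big") + part)
    return hsh.digest()

def derive_keys(shared: int, transcript: bytes) -> tuple[bytes, bytes]:
    """Split the underlying protocol's raw secret into a MAC key and a session key,
    both bound to the transcript hash."""
    raw = shared.to_bytes(16, "big")
    return h(b"mac", raw, transcript), h(b"sess", raw, transcript)

def run_ake(tamper: bool = False) -> tuple[bool, bool, bool]:
    """One two-party run with key confirmation.
    Returns (A accepts, B accepts, both derived the same session key)."""
    a_id, b_id = b"Alice", b"Bob"
    a_sk, b_sk = secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1
    a_msg = pow(G, a_sk, P).to_bytes(16, "big")
    b_msg = pow(G, b_sk, P).to_bytes(16, "big")
    # What B actually receives as A's message; an active adversary may alter it.
    a_msg_recv = bytes([a_msg[0] ^ 1]) + a_msg[1:] if tamper else a_msg
    # Each party hashes its own view of the transcript.
    tr_a = h(b"tr", a_id, b_id, a_msg, b_msg)
    tr_b = h(b"tr", a_id, b_id, a_msg_recv, b_msg)
    a_mac, a_sess = derive_keys(pow(int.from_bytes(b_msg, "big"), a_sk, P), tr_a)
    b_mac, b_sess = derive_keys(pow(int.from_bytes(a_msg_recv, "big"), b_sk, P), tr_b)
    # Key confirmation: each side sends a MAC over the transcript, labelled by direction,
    # and the peer recomputes it under its own MAC key before accepting.
    tag_b = hmac.new(b_mac, b"B->A" + tr_b, hashlib.sha256).digest()
    a_ok = hmac.compare_digest(tag_b, hmac.new(a_mac, b"B->A" + tr_a, hashlib.sha256).digest())
    tag_a = hmac.new(a_mac, b"A->B" + tr_a, hashlib.sha256).digest()
    b_ok = hmac.compare_digest(tag_a, hmac.new(b_mac, b"A->B" + tr_b, hashlib.sha256).digest())
    return a_ok, b_ok, a_sess == b_sess
```

With tamper=True an active modification of A's message gives the two parties different transcripts and different raw secrets, so both confirmation checks fail and neither side accepts; this is the active case that wFS alone does not cover.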

Public-key cryptography
Publication info
A minor revision of an IACR publication in EUROCRYPT 2024
Keywords: Authenticated key exchange, forward secrecy, key confirmation, tight security, (quantum) random oracles
Contact author(s)
jiaxin pan @ uni-kassel de
driepel @ ucsd edu
runzhi zeng @ ntnu no
2024-03-01: approved
2024-02-28: received
Creative Commons Attribution


BibTeX:
@misc{cryptoeprint:2024/361,
      author = {Jiaxin Pan and Doreen Riepel and Runzhi Zeng},
      title = {Key Exchange with Tight (Full) Forward Secrecy via Key Confirmation},
      howpublished = {Cryptology ePrint Archive, Paper 2024/361},
      year = {2024},
      note = {\url{}},
      url = {}
}