Paper 2024/361
Key Exchange with Tight (Full) Forward Secrecy via Key Confirmation
Abstract
Weak forward secrecy (wFS) of authenticated key exchange (AKE) protocols is a passive variant of (full) forward secrecy (FS). A natural mechanism to upgrade from wFS to FS is the use of key confirmation messages which compute a message authentication code (MAC) over the transcript. Unfortunately, Gellert, Gjøsteen, Jacobson and Jager (GGJJ, CRYPTO 2023) show that this mechanism inherently incurs a loss proportional to the number of users, leading to an overall non-tight reduction, even if wFS was established using a tight reduction. Inspired by GGJJ, we propose a new notion, called one-way verifiable weak forward secrecy (OW-VwFS), and prove that OW-VwFS can be transformed tightly to FS using key confirmation in the random oracle model (ROM). To implement our generic transformation, we show that several tightly wFS AKE protocols additionally satisfy our OW-VwFS notion tightly. We highlight that using the recent lattice-based protocol from Pan, Wagner, and Zeng (CRYPTO 2023) can give us the first lattice-based tightly FS AKE via key confirmation in the classical random oracle model. Besides this, we also obtain a Decisional-Diffie-Hellman-based protocol that is considerably more efficient than the previous ones. Finally, we lift our study on FS via key confirmation to the quantum random oracle model (QROM). While our security reduction is overall non-tight, it matches the best existing bound for wFS in the QROM (Pan, Wagner, and Zeng, ASIACRYPT 2023), namely, it is square-root- and session-tight. Our analysis is in the multi-challenge setting, and it is more realistic than the single-challenge setting as in Pan et al.
Metadata
- Category: Public-key cryptography
- Publication info: A minor revision of an IACR publication in EUROCRYPT 2024
- Keywords: Authenticated key exchange, forward secrecy, key confirmation, tight security, (quantum) random oracles
- Contact author(s):
  - jiaxin pan @ uni-kassel de
  - driepel @ ucsd edu
  - runzhi zeng @ ntnu no
- History:
  - 2024-03-01: approved
  - 2024-02-28: received
- Short URL: https://ia.cr/2024/361
- License: CC BY
BibTeX
@misc{cryptoeprint:2024/361,
      author = {Jiaxin Pan and Doreen Riepel and Runzhi Zeng},
      title = {Key Exchange with Tight (Full) Forward Secrecy via Key Confirmation},
      howpublished = {Cryptology {ePrint} Archive, Paper 2024/361},
      year = {2024},
      url = {https://eprint.iacr.org/2024/361}
}