DOI: 10.1145/2046707.2046716
Research article

Composability of Bellare-Rogaway key exchange protocols

Published: 17 October 2011

Abstract

In this paper we examine composability properties for the fundamental task of key exchange. Roughly speaking, we show that key exchange protocols secure in the prevalent model of Bellare and Rogaway can be composed with arbitrary protocols that require symmetrically distributed keys. This composition theorem holds if the key exchange protocol satisfies an additional technical requirement that our analysis brings to light: it should be possible to determine which sessions derive equal keys given only the publicly available information. What distinguishes our results from virtually all existing work is that we do not rely, either directly or indirectly, on the simulation paradigm. Instead, our security notions and composition theorems exclusively use a game-based formalism. We thus avoid several undesirable consequences of simulation-based security notions and support applicability to a broader class of protocols. In particular, we offer an abstract formalization of game-based security that should be of independent interest in other investigations using game-based formalisms.




    Published In

    CCS '11: Proceedings of the 18th ACM conference on Computer and communications security
    October 2011
    742 pages
    ISBN: 9781450309486
    DOI: 10.1145/2046707
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Publication History

    Published: 17 October 2011


    Author Tags

    1. bellare-rogaway
    2. composition
    3. key exchange

    Qualifiers

    • Research-article

    Conference

    CCS'11

    Acceptance Rates

    CCS '11 Paper Acceptance Rate 60 of 429 submissions, 14%;
    Overall Acceptance Rate 1,261 of 6,999 submissions, 18%


    Cited By

    • (2024) Post-Quantum Ready Key Agreement for Aviation. IACR Communications in Cryptology. DOI: 10.62056/aebn2isfg. Online publication date: 9-Apr-2024
    • (2024) The Key Lattice Framework for Concurrent Group Messaging. Applied Cryptography and Network Security, pp. 133-162. DOI: 10.1007/978-3-031-54773-7_6. Online publication date: 5-Mar-2024
    • (2023) Careful with MAc-then-SIGn: A Computational Analysis of the EDHOC Lightweight Authenticated Key Exchange Protocol. 2023 IEEE 8th European Symposium on Security and Privacy (EuroS&P), pp. 773-796. DOI: 10.1109/EuroSP57164.2023.00051. Online publication date: Jul-2023
    • (2023) Extended-Chacha20 Stream Cipher With Enhanced Quarter Round Function. IEEE Access 11, pp. 114220-114237. DOI: 10.1109/ACCESS.2023.3324612. Online publication date: 2023
    • (2023) Wireless-Channel Key Exchange. Topics in Cryptology – CT-RSA 2023, pp. 672-699. DOI: 10.1007/978-3-031-30872-7_26. Online publication date: 19-Apr-2023
    • (2022) A Tale of Two Models: Formal Verification of KEMTLS via Tamarin. Computer Security – ESORICS 2022, pp. 63-83. DOI: 10.1007/978-3-031-17143-7_4. Online publication date: 24-Sep-2022
    • (2021) On the Tight Security of TLS 1.3: Theoretically Sound Cryptographic Parameters for Real-World Deployments. Journal of Cryptology 34:3. DOI: 10.1007/s00145-021-09388-x. Online publication date: 1-Jul-2021
    • (2021) A Cryptographic Analysis of the TLS 1.3 Handshake Protocol. Journal of Cryptology 34:4. DOI: 10.1007/s00145-021-09384-1. Online publication date: 30-Jul-2021
    • (2021) Tightly-Secure Authenticated Key Exchange, Revisited. Advances in Cryptology – EUROCRYPT 2021, pp. 117-146. DOI: 10.1007/978-3-030-77870-5_5. Online publication date: 17-Oct-2021
    • (2021) SoK: Game-Based Security Models for Group Key Exchange. Topics in Cryptology – CT-RSA 2021, pp. 148-176. DOI: 10.1007/978-3-030-75539-3_7. Online publication date: 11-May-2021
