International Association for Cryptologic Research


CryptoDB

Key Exchange with Tight (Full) Forward Secrecy via Key Confirmation

Authors:
Jiaxin Pan , University of Kassel, Kassel, Germany
Doreen Riepel , University of California San Diego, La Jolla, USA
Runzhi Zeng , Norwegian University of Science and Technology, Trondheim, Norway
DOI: 10.1007/978-3-031-58754-2_3 (login may be required)
Presentation: Slides
Conference: EUROCRYPT 2024
Abstract: Weak forward secrecy (wFS) of authenticated key exchange (AKE) protocols is a passive variant of (full) forward secrecy (FS). A natural mechanism to upgrade from wFS to FS is the use of key confirmation messages, which compute a message authentication code (MAC) over the transcript. Unfortunately, Gellert, Gjøsteen, Jacobson and Jager (GGJJ, CRYPTO 2023) show that this mechanism inherently incurs a loss proportional to the number of users, leading to an overall non-tight reduction, even if wFS was established using a tight reduction. Inspired by GGJJ, we propose a new notion, called one-way verifiable weak forward secrecy (OW-VwFS), and prove that OW-VwFS can be transformed tightly to FS using key confirmation in the random oracle model (ROM). To implement our generic transformation, we show that several tightly wFS AKE protocols additionally satisfy our OW-VwFS notion tightly. We highlight that using the recent lattice-based protocol from Pan, Wagner, and Zeng (CRYPTO 2023) gives us the first lattice-based tightly FS AKE via key confirmation in the classical random oracle model. Besides this, we also obtain a Decisional-Diffie-Hellman-based protocol that is considerably more efficient than the previous ones. Finally, we lift our study of FS via key confirmation to the quantum random oracle model (QROM). While our security reduction is overall non-tight, it matches the best existing bound for wFS in the QROM (Pan, Wagner, and Zeng, ASIACRYPT 2023), namely, it is square-root- and session-tight. Our analysis is in the multi-challenge setting, which is more realistic than the single-challenge setting of Pan et al.
BibTeX
@inproceedings{eurocrypt-2024-33887,
  title={Key Exchange with Tight (Full) Forward Secrecy via Key Confirmation},
  publisher={Springer-Verlag},
  doi={10.1007/978-3-031-58754-2_3},
  author={Jiaxin Pan and Doreen Riepel and Runzhi Zeng},
  year=2024
}