Beyond eCK: perfect forward secrecy under actor compromise and ephemeral-key reveal

Abstract

We show that it is possible to achieve perfect forward secrecy (PFS) in two-message or one-round key exchange (KE) protocols even in the presence of very strong active adversaries that can reveal random values of sessions and compromise long-term secret keys of parties. We provide two new game-based security models for KE protocols with increasing security guarantees, namely, eCK\(^{w}\) and eCK-PFS. The eCK\(^{w}\) model is a slightly stronger variant of the extended Canetti–Krawczyk (eCK) security model. The eCK-PFS model captures PFS in the presence of eCK\(^{w}\) adversaries. We propose a security-strengthening transformation (i. e., a compiler) from eCK\(^{w}\) to eCK-PFS that can be applied to protocols that only achieve security in a weaker model than eCK\(^{w}\), which we call eCK\(^{\text {passive}}\). We show that, given a two-message Diffie–Hellman type protocol secure in eCK\(^{\text {passive}}\), our transformation yields a two-message protocol that is secure in eCK-PFS. We demonstrate how our transformation can be applied to concrete KE protocols. In particular, our methodology allows us to prove the security of the first known one-round protocol that achieves PFS under actor compromise and ephemeral-key reveal.