Forward-Secure Authenticated Symmetric Key Exchange Protocol: New Security Model and Secure Construction

Abstract

While a lot of work has been done on the design and security analysis of PKI-based authenticated key exchange AKE protocols, very few exist in the symmetric key setting. The first provably secure symmetric AKE was proposed by Bellare and Rogaway BR in CRYPTO 1994 and so far this stands out as the most prominent one for symmetric key setting. In line with the significant progress done for PKI based system, we propose a stronger model than the BR model for symmetric key based system. We assume that the adversary can launch active attacks. In addition, the adversary can also obtain long term secret keys of the parties and the internal states of parties by getting access to their ephemeral secrets or internal randomness by means of appropriate oracle queries. The salient feature of our model is the way we handle active adversaries even in the test session. We also design a symmetric key AKE construction that is provably secure against active adversaries in our new model using weak primitives. Dodis et al. EUROCRYPT 2012 used weak Pseudo Random Functions wPRF and weak Almost-XOR Universal hash function family wAXU to design a three-pass one-sided authentication protocol in the symmetric key paradigm. A direct application of their techniques yields a four-pass two-round symmetric key AKE protocol with mutual authentication. Our construction uses particular instances of these weak primitives and introduces a novel technique called input-swapping to achieve a three-pass symmetric key AKE protocol with mutual authentication resisting active attacks even in the test session. Our construction is proven secure in the Random oracle Model under the DDH assumption.