Sufficient Condition for Ephemeral Key-Leakage Resilient Tripartite Key Exchange [chapter]

Atsushi Fujioka, Mark Manulis, Koutarou Suzuki, Berkant Ustaoğlu
2012 Lecture Notes in Computer Science  
Tripartite (Diffie-Hellman) Key Exchange (3KE), introduced by Joux (ANTS-IV 2000), represents today the only known class of group key exchange protocols in which computation of unauthenticated session keys requires one round and proceeds with minimal computation and communication overhead. The first one-round authenticated 3KE version that preserved the unique efficiency properties of the original protocol and strengthened its security towards resilience against leakage of ephemeral (session-dependent) secrets was proposed recently by Manulis, Suzuki, and Ustaoglu (ICISC 2009). In this work we explore sufficient conditions for building such protocols. We define a set of admissible polynomials and show how their construction generically implies 3KE protocols with the desired security and efficiency properties. Our result generalizes the previous 3KE protocol and gives rise to many new authenticated constructions, all of which enjoy forward secrecy and resilience to ephemeral key-leakage under the gap Bilinear Diffie-Hellman assumption in the random oracle model.

W. Susilo, Y. Mu, and J. Seberry (Eds.): ACISP 2012, LNCS 7372, pp. 15-28, 2012. © Springer-Verlag Berlin Heidelberg 2012

Tripartite Key Exchange. A powerful GKE subclass, tripartite KE (3KE), emerged with the use of pairings in the work of Joux [20], where one communication round amongst three parties is sufficient to compute the session key. Each party communicates only one group element and performs one exponentiation and one pairing evaluation. The original protocol in [20] was unauthenticated, and so efforts were taken to achieve protection against active attacks without sacrificing the efficiency of the protocol. Adopting traditional authentication techniques such as digital signatures, as previously applied to unauthenticated 2KE Diffie-Hellman in [14] or GKE in [21, 13, 22], would require at least two rounds of communication to prevent replay attacks. 3KE protocols with at least two communication rounds have also been known in other authentication settings, e.g. with passwords [2]. The only way to preserve the one communication round with constant bit communication complexity of [20] is to resort to an implicitly authenticated solution, in which the session key is derived through a mixing of static (long-term) and ephemeral (session-dependent) secrets. Many attempts to achieve such authentication in 3KE, e.g. [36, 4, 28, 27, 26], failed (as detailed in [31]).
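As an added illustration, not part of the paper's text, the one-round computation of Joux's unauthenticated protocol is written out below for three parties A, B, C over a symmetric bilinear pairing; the generator P, the pairing e and the exponent names a, b, c are notation chosen here, not the paper's. It shows why one broadcast element, one exponentiation and one pairing per party suffice, and why leakage of a single ephemeral exponent exposes the key.

$$
\begin{aligned}
&\text{Setup: } G_1 = \langle P \rangle \text{ of prime order } q,\quad e : G_1 \times G_1 \to G_T,\quad e(xP, yP) = e(P,P)^{xy}. \\
&\text{Round 1 (one broadcast each): } A \text{ sends } aP,\quad B \text{ sends } bP,\quad C \text{ sends } cP,\quad a, b, c \in_R \mathbb{Z}_q^*. \\
&\text{Key computation (one pairing, one exponentiation per party):} \\
&\qquad K_A = e(bP, cP)^{a} = e(P,P)^{bc \cdot a}, \\
&\qquad K_B = e(aP, cP)^{b} = e(P,P)^{ac \cdot b}, \\
&\qquad K_C = e(aP, bP)^{c} = e(P,P)^{ab \cdot c}, \\
&\text{hence } K_A = K_B = K_C = e(P,P)^{abc}. \\
&\text{Ephemeral leakage: given } a \text{ and the public } bP, cP, \text{ anyone recomputes } K_A = e(bP, cP)^{a},
\end{aligned}
$$

which is why the implicitly authenticated variants discussed in this paper mix a static (long-term) secret into the key derivation rather than relying on the ephemeral exponents alone.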
So far the only implicitly authenticated 3KE protocol that provably fulfills this goal is by Manulis, Suzuki, and Ustaoglu [31].

Ephemeral Key Leakage. The security model from [31], stated in a more general GKE setting, considers a very strong attacker that may adaptively compromise static and ephemeral secret keys used in the protocol sessions (with the restriction that at least one key per participant remains secret). Leakage of ephemeral secrets, typically the exponent used in computing the ephemeral Diffie-Hellman key, could be damaging for implicitly authenticated protocols, where for better efficiency one may desire to pre-compute and store ephemeral public keys off-line. Even if ephemeral secret keys are chosen (and erased) within the protocol session, attacks exploiting side-channels may threaten their secrecy. In general, the motivation for considering leakage of ephemeral secrets in KE protocols stems from the 2KE domain, e.g. as first mentioned in [14, 24] and explicitly modeled in the AKE-security definitions from [25, 37]. Various efforts towards the construction of leakage-resilient 2KE protocols have been taken, e.g. [25, 34, 37, 33, 23, 18]. In general, modeling and designing ephemeral key-leakage resilient KE protocols should not be taken for granted: Cremers [16] demonstrated how various technical elements of 2KE models, such as the notions of session ids and partnering as well as conditions for freshness of the test session, may affect the strength of AKE-security definitions with ephemeral key-leakage resilience when it comes to comparability of models and 2KE protocols. The model in [31] is so far the only GKE security model that focuses on ephemeral key-leakage in test sessions and has recently been applied in [38] for the analysis of a two-round explicitly authenticated ephemeral key-leakage resilient GKE protocol.

Sufficient Condition for Ephemeral Key-Leakage Resilience. Most KE designs focus on concrete constructions, aiming to achieve particular security goals. Some goals can be obtained generically, using protocol compilers such
doi:10.1007/978-3-642-31448-3_2