Unilaterally-authenticated key exchange

Yevgeniy Dodis, Dario Fiore

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Abstract

Key Exchange (KE), which enables two parties (e.g., a client and a server) to securely establish a common private key while communicating over an insecure channel, is one of the most fundamental cryptographic primitives. In this work, we address the setting of unilaterally-authenticated key exchange (UAKE), where an unauthenticated (unkeyed) client establishes a key with an authenticated (keyed) server. This setting is highly motivated by many practical uses of KE on the Internet, but received relatively little attention so far. Unlike the prior work, defining UAKE by downgrading a relatively complex definition of mutually authenticated key exchange (MAKE), our definition follows the opposite approach of upgrading existing definitions of public key encryption (PKE) and signatures towards UAKE. As a result, our new definition is short and easy to understand. Nevertheless, we show that it is equivalent to the UAKE definition of Bellare-Rogaway (when downgraded from MAKE), and thus captures a very strong and widely adopted security notion, while looking very similar to the simple “one-oracle” definition of traditional PKE/signature schemes. As a benefit of our intuitive framework, we show two exactly-as-you-expect (i.e., having no caveats so abundant in the KE literature!) UAKE protocols from (possibly interactive) signature and encryption. By plugging various one- or two-round signature and encryption schemes, we derive provably-secure variants of various well-known UAKE protocols (such as a unilateral variant of SKEME with and without perfect forward secrecy, and Shoup’s A-DHKE-1), as well as new protocols, such as the first 2-round UAKE protocol which is both (passively) forward deniable and forward-secure. To further clarify the intuitive connections between PKE/Signatures and UAKE, we define and construct stronger forms of (necessarily interactive) PKE/Signature schemes, called confirmed encryption and confidential authentication, which, respectively, allow the sender to obtain confirmation that the (keyed) receiver output the correct message, or to hide the content of the message being authenticated from anybody but the participating (unkeyed) receiver. Using confirmed PKE/confidential authentication, we obtain two concise UAKE protocols of the form: “send confirmed encryption/confidential authentication of a random key K.”

Original languageEnglish (US)
Title of host publicationFinancial Cryptography and Data Security - 21st International Conference, FC 2017, Revised Selected Papers
PublisherSpringer Verlag
Pages542-560
Number of pages19
Volume10322 LNCS
ISBN (Print)9783319709710
DOIs
StatePublished - Jan 1 2017
Event21st International Conference on Financial Cryptography and Data Security, FC 2017 - Sliema, Malta
Duration: Apr 3 2017Apr 7 2017

Publication series

NameLecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume10322 LNCS
ISSN (Print)0302-9743
ISSN (Electronic)1611-3349

Other

Other21st International Conference on Financial Cryptography and Data Security, FC 2017
CountryMalta
CitySliema
Period4/3/174/7/17

Fingerprint

Authenticated Key Exchange
Cryptography
Public Key Encryption
Encryption
Key Exchange
Authentication
Network protocols
Signature
Signature Scheme
Servers
Intuitive
Receiver
Server
Internet

ASJC Scopus subject areas

  • Theoretical Computer Science
  • Computer Science(all)

Cite this

Dodis, Y., & Fiore, D. (2017). Unilaterally-authenticated key exchange. In Financial Cryptography and Data Security - 21st International Conference, FC 2017, Revised Selected Papers (Vol. 10322 LNCS, pp. 542-560). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 10322 LNCS). Springer Verlag. https://doi.org/10.1007/978-3-319-70972-7_31

Unilaterally-authenticated key exchange. / Dodis, Yevgeniy; Fiore, Dario.

Financial Cryptography and Data Security - 21st International Conference, FC 2017, Revised Selected Papers. Vol. 10322 LNCS Springer Verlag, 2017. p. 542-560 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 10322 LNCS).

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Dodis, Y & Fiore, D 2017, Unilaterally-authenticated key exchange. in Financial Cryptography and Data Security - 21st International Conference, FC 2017, Revised Selected Papers. vol. 10322 LNCS, Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 10322 LNCS, Springer Verlag, pp. 542-560, 21st International Conference on Financial Cryptography and Data Security, FC 2017, Sliema, Malta, 4/3/17. https://doi.org/10.1007/978-3-319-70972-7_31
Dodis Y, Fiore D. Unilaterally-authenticated key exchange. In Financial Cryptography and Data Security - 21st International Conference, FC 2017, Revised Selected Papers. Vol. 10322 LNCS. Springer Verlag. 2017. p. 542-560. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). https://doi.org/10.1007/978-3-319-70972-7_31
Dodis, Yevgeniy ; Fiore, Dario. / Unilaterally-authenticated key exchange. Financial Cryptography and Data Security - 21st International Conference, FC 2017, Revised Selected Papers. Vol. 10322 LNCS Springer Verlag, 2017. pp. 542-560 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).
@inproceedings{6d2ea9feae6045a49218e3f5397ef247,
title = "Unilaterally-authenticated key exchange",
abstract = "Key Exchange (KE), which enables two parties (e.g., a client and a server) to securely establish a common private key while communicating over an insecure channel, is one of the most fundamental cryptographic primitives. In this work, we address the setting of unilaterally-authenticated key exchange (UAKE), where an unauthenticated (unkeyed) client establishes a key with an authenticated (keyed) server. This setting is highly motivated by many practical uses of KE on the Internet, but received relatively little attention so far. Unlike the prior work, defining UAKE by downgrading a relatively complex definition of mutually authenticated key exchange (MAKE), our definition follows the opposite approach of upgrading existing definitions of public key encryption (PKE) and signatures towards UAKE. As a result, our new definition is short and easy to understand. Nevertheless, we show that it is equivalent to the UAKE definition of Bellare-Rogaway (when downgraded from MAKE), and thus captures a very strong and widely adopted security notion, while looking very similar to the simple “one-oracle” definition of traditional PKE/signature schemes. As a benefit of our intuitive framework, we show two exactly-as-you-expect (i.e., having no caveats so abundant in the KE literature!) UAKE protocols from (possibly interactive) signature and encryption. By plugging various one- or two-round signature and encryption schemes, we derive provably-secure variants of various well-known UAKE protocols (such as a unilateral variant of SKEME with and without perfect forward secrecy, and Shoup’s A-DHKE-1), as well as new protocols, such as the first 2-round UAKE protocol which is both (passively) forward deniable and forward-secure. To further clarify the intuitive connections between PKE/Signatures and UAKE, we define and construct stronger forms of (necessarily interactive) PKE/Signature schemes, called confirmed encryption and confidential authentication, which, respectively, allow the sender to obtain confirmation that the (keyed) receiver output the correct message, or to hide the content of the message being authenticated from anybody but the participating (unkeyed) receiver. Using confirmed PKE/confidential authentication, we obtain two concise UAKE protocols of the form: “send confirmed encryption/confidential authentication of a random key K.”",
author = "Yevgeniy Dodis and Dario Fiore",
year = "2017",
month = "1",
day = "1",
doi = "10.1007/978-3-319-70972-7_31",
language = "English (US)",
isbn = "9783319709710",
volume = "10322 LNCS",
series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",
publisher = "Springer Verlag",
pages = "542--560",
booktitle = "Financial Cryptography and Data Security - 21st International Conference, FC 2017, Revised Selected Papers",
address = "Germany",

}

TY - GEN

T1 - Unilaterally-authenticated key exchange

AU - Dodis, Yevgeniy

AU - Fiore, Dario

PY - 2017/1/1

Y1 - 2017/1/1

N2 - Key Exchange (KE), which enables two parties (e.g., a client and a server) to securely establish a common private key while communicating over an insecure channel, is one of the most fundamental cryptographic primitives. In this work, we address the setting of unilaterally-authenticated key exchange (UAKE), where an unauthenticated (unkeyed) client establishes a key with an authenticated (keyed) server. This setting is highly motivated by many practical uses of KE on the Internet, but received relatively little attention so far. Unlike the prior work, defining UAKE by downgrading a relatively complex definition of mutually authenticated key exchange (MAKE), our definition follows the opposite approach of upgrading existing definitions of public key encryption (PKE) and signatures towards UAKE. As a result, our new definition is short and easy to understand. Nevertheless, we show that it is equivalent to the UAKE definition of Bellare-Rogaway (when downgraded from MAKE), and thus captures a very strong and widely adopted security notion, while looking very similar to the simple “one-oracle” definition of traditional PKE/signature schemes. As a benefit of our intuitive framework, we show two exactly-as-you-expect (i.e., having no caveats so abundant in the KE literature!) UAKE protocols from (possibly interactive) signature and encryption. By plugging various one- or two-round signature and encryption schemes, we derive provably-secure variants of various well-known UAKE protocols (such as a unilateral variant of SKEME with and without perfect forward secrecy, and Shoup’s A-DHKE-1), as well as new protocols, such as the first 2-round UAKE protocol which is both (passively) forward deniable and forward-secure. To further clarify the intuitive connections between PKE/Signatures and UAKE, we define and construct stronger forms of (necessarily interactive) PKE/Signature schemes, called confirmed encryption and confidential authentication, which, respectively, allow the sender to obtain confirmation that the (keyed) receiver output the correct message, or to hide the content of the message being authenticated from anybody but the participating (unkeyed) receiver. Using confirmed PKE/confidential authentication, we obtain two concise UAKE protocols of the form: “send confirmed encryption/confidential authentication of a random key K.”

AB - Key Exchange (KE), which enables two parties (e.g., a client and a server) to securely establish a common private key while communicating over an insecure channel, is one of the most fundamental cryptographic primitives. In this work, we address the setting of unilaterally-authenticated key exchange (UAKE), where an unauthenticated (unkeyed) client establishes a key with an authenticated (keyed) server. This setting is highly motivated by many practical uses of KE on the Internet, but received relatively little attention so far. Unlike the prior work, defining UAKE by downgrading a relatively complex definition of mutually authenticated key exchange (MAKE), our definition follows the opposite approach of upgrading existing definitions of public key encryption (PKE) and signatures towards UAKE. As a result, our new definition is short and easy to understand. Nevertheless, we show that it is equivalent to the UAKE definition of Bellare-Rogaway (when downgraded from MAKE), and thus captures a very strong and widely adopted security notion, while looking very similar to the simple “one-oracle” definition of traditional PKE/signature schemes. As a benefit of our intuitive framework, we show two exactly-as-you-expect (i.e., having no caveats so abundant in the KE literature!) UAKE protocols from (possibly interactive) signature and encryption. By plugging various one- or two-round signature and encryption schemes, we derive provably-secure variants of various well-known UAKE protocols (such as a unilateral variant of SKEME with and without perfect forward secrecy, and Shoup’s A-DHKE-1), as well as new protocols, such as the first 2-round UAKE protocol which is both (passively) forward deniable and forward-secure. To further clarify the intuitive connections between PKE/Signatures and UAKE, we define and construct stronger forms of (necessarily interactive) PKE/Signature schemes, called confirmed encryption and confidential authentication, which, respectively, allow the sender to obtain confirmation that the (keyed) receiver output the correct message, or to hide the content of the message being authenticated from anybody but the participating (unkeyed) receiver. Using confirmed PKE/confidential authentication, we obtain two concise UAKE protocols of the form: “send confirmed encryption/confidential authentication of a random key K.”

UR - http://www.scopus.com/inward/record.url?scp=85039164213&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85039164213&partnerID=8YFLogxK

U2 - 10.1007/978-3-319-70972-7_31

DO - 10.1007/978-3-319-70972-7_31

M3 - Conference contribution

SN - 9783319709710

VL - 10322 LNCS

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 542

EP - 560

BT - Financial Cryptography and Data Security - 21st International Conference, FC 2017, Revised Selected Papers

PB - Springer Verlag

ER -