Taxonomical Security Consideration of Authenticated Key Exchange Resilient to Intermediate Computation Leakage

摘要

SMQV authenticated key exchange scheme was stated to be secure against leakage of intermediate computations, i.e., secure in the seCK model. However, in this paper, we show errors in the security proof of SMQV. The found errors proceed from a failure in a simulation of leakage of intermediate computations. Moreover, we identify flaws in the security proofs of the underlying building tools of both SMQV and FHMQV, showing that both SMQV and FH-MQV are not proven secure even in the traditional CK model. Then, we consider the cause of difficulty to prove security in the seCK model and classify previous Dime-Hellman type authenticated key exchange schemes in the sense of achievable security levels. As a result, unfortunately, known schemes fall into hard to prove or insecure. Accordingly, we suggest that Diffie-Hellman type schemes provably secure in the seCK model are hard (or highly subtle) to achieve. Therefore, this paper clarifies the technical limitations (or high subtleties) of Diffie-Hellman type schemes for achieving provable security in the seCK model against leakage of intermediate computations.