One-Round Authenticated Key Exchange with Strong Forward Secrecy in the Standard Model against Constrained Adversary

摘要

Forward secrecy (FS) is a central security requirement of authenticated key exchange (AKE). Especially, strong FS (sFS) is desirable because it can guarantee security against a very realistic attack scenario that an adversary is allowed to be active in the target session. However, most of AKE schemes cannot achieve sFS, and currently known schemes with sFS are only proved in the random oracle model. In this paper, we propose a generic construction of AKE protocol with sFS in the standard model against a constrained adversary. The constraint is that session-specific intermediate computation results (i.e., session state) cannot be revealed to the adversary for achieving sFS, that is shown to be inevitable by Boyd and Gonzalez Nieto. However, our scheme maintains weak FS (wFS) if session state is available to the adversary. Thus, our scheme satisfies one of strongest security definitions, the CK~+ model, which includes wFS and session state reveal. The main idea to achieve sFS is to use signcryption KEM while the previous CK~+ secure construction uses ordinary KEM. We show a possible instantiation of our construction from Diffie-Hellman problems.