Beyond eCK: perfect forward secrecy under actor compromise and ephemeral-key reveal

摘要

We show that it is possible to achieve perfect forward secrecy (PFS) in two-message or one-round key exchange (KE) protocols even in the presence of very strong active adversaries that can reveal random values of sessions and compromise long-term secret keys of parties. We provide two new game-based security models for KE protocols with increasing security guarantees, namely, eCKw and eCK-PFS. The eCKw model is a slightly stronger variant of the extended Canetti–Krawczyk (eCK) security model. The eCK-PFS model captures PFS in the presence of eCKw adversaries. We propose a security-strengthening transformation (i. e., a compiler) from eCKw to eCK-PFS that can be applied to protocols that only achieve security in a weaker model than eCKw, which we call eCK passive. We show that, given a two-message Diffie–Hellman type protocol secure in eCK passive, our transformation yields a two-message protocol that is secure in eCK-PFS. We demonstrate how our transformation can be applied to concrete KE protocols. In particular, our methodology allows us to prove the security of the first known one-round protocol that achieves PFS under actor compromise and ephemeral-key reveal.