Security Proof of ”Efficient and Leakage-Resilient Authenticated Key Transport Protocol Based on RSA”

Abstract. In this paper, we prove the security of the RSA-AKE protocol [9] in the random oracle model. The proof states that the RSA-AKE protocol is secure against an adversary who gets the client’s stored secret or the server’s RSA private key. 1 To our best knowledge, the RSA-AKE protocol is the most efficient among their kinds (i.e., RSA and password based AKE protocols). The other security properties and efficiency measurements of the RSA-AKE protocol remain the same as in [9]. 1 The protocol is the same as [9], but we corrected the security proof partially. The attacks appeared in [10] are no longer available in the proof since the adversary has access to either the client’s stored secret or the server’s private key, not both of them. 2 1 The Model and Security Definitions In this section we introduce an extended model building on [1, 5] and security definitions for the LR-AKE security and perfect forward secrecy. We denote by C and S two parties that participate in a key exchange protocol P. Each of them may have several instances called oracles involved in distinct, possibly concurrent, executions of P where w