International Association for Cryptologic Research (IACR)
Abstract
Message authentication and key exchange are two of the most basic tasks of
cryptography. Solutions based on public-key infrastructure (PKI) are
prevalent. Still, the state of the art in composable security analysis of
PKI-based authentication and key exchange is somewhat unsatisfactory.
Specifically, existing treatments either (a) make the unrealistic assumption
that the PKI is accessible only within the confines of the protocol itself,
thus failing to capture real-world PKI-based authentication, or (b) impose
often-unnecessary requirements (such as strong on-line
non-transferability) on candidate protocols, thus ruling out natural
candidates.
We give a modular and universally composable analytical framework for PKI-based
message authentication and key exchange protocols. This framework guarantees
security even when the PKI is pre-existing and globally available, without
being unnecessarily restrictive. Specifically, we model PKI as a global set-up
functionality within the Global UC security model [Canetti et al., TCC
2007] and relax the ideal authentication and key exchange functionalities
accordingly. We then demonstrate the security of basic signature-based
authentication and key exchange protocols. Our modeling makes minimal security
assumptions on the PKI in use; in particular, "knowledge of the secret key"
is not needed.