Mind the Gap: Modular Machine-Checked Proofs of One-Round Key Exchange Protocols

  • Gilles Barthe
  • Juan Manuel Crespo
  • Yassine Lakhnech
  • Benedikt Schmidt
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9057)


Using EasyCrypt, we formalize a new modular security proof for one-round authenticated key exchange protocols in the random oracle model. Our proof improves earlier work by Kudla and Paterson (ASIACRYPT 2005) in three significant ways: we consider a stronger adversary model, we provide support tailored to protocols that utilize the \(\mathsf{Naxos}\) trick, and we support proofs under the Computational DH assumption not relying on Gap oracles. Furthermore, our modular proof can be used to obtain concrete security proofs for protocols with or without adversarial key registration. We use this support to investigate, still using EasyCrypt, the connection between proofs without Gap assumptions and adversarial key registration. For the case of honestly generated keys, we obtain the first proofs of the \(\mathsf{Naxos}\) and \(\mathsf{Nets}\) protocols under the Computational DH assumption. For the case of adversarial key registration, we obtain machine-checked and modular variants of the well-known proofs for \(\mathsf{Naxos}\), \(\mathsf{Nets}\), and \(\mathsf{Naxos}\)+.


Keywords: Provable security, Security protocols, EasyCrypt, Key exchange, Interactive theorem proving


  1. Abadi, M., Rogaway, P.: Reconciling two views of cryptography (the computational soundness of formal encryption). Journal of Cryptology 15(2), 103–127 (2002)
  2. Almeida, J.B., Barbosa, M., Barthe, G., Dupressoir, F.: Certified computer-aided cryptography: efficient provably secure machine code from high-level implementations. In: Sadeghi, A.-R., Gligor, V.D., Yung, M. (eds.) ACM CCS 13: 20th Conference on Computer and Communications Security, pp. 1217–1230. ACM Press, November 2013
  3. Barthe, G., Crespo, J.M., Grégoire, B., Kunz, C., Lakhnech, Y., Schmidt, B., Béguelin, S.Z.: Fully automated analysis of padding-based encryption in the computational model. In: Sadeghi, A.-R., Gligor, V.D., Yung, M. (eds.) ACM CCS 13: 20th Conference on Computer and Communications Security, pp. 1247–1260. ACM Press, November 2013
  4. Barthe, G., Crespo, J.M., Lakhnech, Y., Schmidt, B.: Mind the gap: Modular machine-checked proofs of one-round key exchange protocols. Cryptology ePrint Archive 2015 (2015)
  5. Barthe, G., Dupressoir, F., Grégoire, B., Kunz, C., Schmidt, B., Strub, P.-Y.: EasyCrypt: A tutorial. In: Aldini, A., Lopez, J., Martinelli, F. (eds.) FOSAD VII. LNCS, vol. 8604, pp. 146–166. Springer, Heidelberg (2014)
  6. Barthe, G., Grégoire, B., Heraud, S., Béguelin, S.Z.: Computer-aided security proofs for the working cryptographer. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 71–90. Springer, Heidelberg (2011)
  7. Basin, D., Cremers, C.: Modeling and analyzing security in the presence of compromising adversaries. In: Gritzalis, D., Preneel, B., Theoharidou, M. (eds.) ESORICS 2010. LNCS, vol. 6345, pp. 340–356. Springer, Heidelberg (2010)
  8. Bellare, M., Canetti, R., Krawczyk, H.: A modular approach to the design and analysis of authentication and key exchange protocols (extended abstract). In: 30th Annual ACM Symposium on Theory of Computing, pp. 419–428. ACM Press, May 1998
  9. Bellare, M., Neven, G.: Multi-signatures in the plain public-key model and a general forking lemma. In: Juels, A., Wright, R.N., Vimercati, S. (eds.) ACM CCS 06: 13th Conference on Computer and Communications Security, pp. 390–399. ACM Press, October/November 2006
  10. Bellare, M., Rogaway, P.: Entity authentication and key distribution. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 232–249. Springer, Heidelberg (1994)
  11. Benton, N.: Simple relational correctness proofs for static analyses and program transformations. In: 31st ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL 2004, pp. 14–25. ACM, New York (2004)
  12. Bhargavan, K., Fournet, C., Kohlweiss, M., Pironti, A., Strub, P.-Y.: Implementing TLS with verified cryptographic security. In: 2013 IEEE Symposium on Security and Privacy (SP), pp. 445–459. IEEE (2013)
  13. Bhargavan, K., Fournet, C., Kohlweiss, M., Pironti, A., Strub, P.-Y., Zanella-Béguelin, S.: Proving the TLS handshake secure (as it is). In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014, Part II. LNCS, vol. 8617, pp. 235–255. Springer, Heidelberg (2014)
  14. Blanchet, B.: A computationally sound mechanized prover for security protocols. In: 2006 IEEE Symposium on Security and Privacy, pp. 140–154. IEEE Computer Society Press, May 2006
  15. Blanchet, B.: Security protocol verification: Symbolic and computational models. In: Degano, P., Guttman, J.D. (eds.) Principles of Security and Trust. LNCS, vol. 7215, pp. 3–29. Springer, Heidelberg (2012)
  16. Boyd, C., Cremers, C., Feltz, M., Paterson, K.G., Poettering, B., Stebila, D.: ASICS: Authenticated key exchange security incorporating certification systems. In: Crampton, J., Jajodia, S., Mayes, K. (eds.) ESORICS 2013. LNCS, vol. 8134, pp. 381–399. Springer, Heidelberg (2013)
  17. Brzuska, C., Smart, N.P., Warinschi, B., Watson, G.J.: An analysis of the EMV channel establishment protocol. In: Sadeghi, A.-R., Gligor, V.D., Yung, M. (eds.) ACM CCS 13: 20th Conference on Computer and Communications Security, pp. 373–386. ACM Press, November 2013
  18. Canetti, R., Krawczyk, H.: Analysis of key-exchange protocols and their use for building secure channels. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, p. 453. Springer, Heidelberg (2001)
  19. Cash, D.M., Kiltz, E., Shoup, V.: The twin Diffie-Hellman problem and applications. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 127–145. Springer, Heidelberg (2008)
  20. Choo, K.-K.R., Boyd, C., Hitchcock, Y.: Examining indistinguishability-based proof models for key establishment protocols. In: Roy, B. (ed.) ASIACRYPT 2005. LNCS, vol. 3788, pp. 585–604. Springer, Heidelberg (2005)
  21. Cortier, V., Kremer, S., Warinschi, B.: A survey of symbolic methods in computational analysis of cryptographic systems. Journal of Automated Reasoning 46(3–4), 225–259 (2011)
  22. Cremers, C.J.: Formally and practically relating the CK, CK-HMQV, and eCK security models for authenticated key exchange. Cryptology ePrint Archive, Report 2009/253 (2009)
  23. Cremers, C., Feltz, M.: Beyond eCK: Perfect forward secrecy under actor compromise and ephemeral-key reveal. In: Foresti, S., Yung, M., Martinelli, F. (eds.) ESORICS 2012. LNCS, vol. 7459, pp. 734–751. Springer, Heidelberg (2012)
  24. Diffie, W., van Oorschot, P.C., Wiener, M.J.: Authentication and authenticated key exchanges. Designs, Codes and Cryptography 2(2), 107–125 (1992)
  25. El Gamal, T.: A public key cryptosystem and a signature scheme based on discrete logarithms. In: Blakley, G.R., Chaum, D. (eds.) CRYPTO 1984. LNCS, vol. 196, pp. 10–18. Springer, Heidelberg (1985)
  26. Halevi, S.: A plausible approach to computer-aided cryptographic proofs. Cryptology ePrint Archive, Report 2005/181 (2005)
  27. Jager, T., Kohlar, F., Schäge, S., Schwenk, J.: On the security of TLS-DHE in the standard model. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 273–293. Springer, Heidelberg (2012)
  28. Kaliski Jr., B.S.: An unknown key-share attack on the MQV key agreement protocol. ACM Transactions on Information and System Security (TISSEC) 4(3), 275–288 (2001)
  29. Kim, M., Fujioka, A., Ustaoğlu, B.: Strongly secure authenticated key exchange without NAXOS' approach. In: Takagi, T., Mambo, M. (eds.) IWSEC 2009. LNCS, vol. 5824, pp. 174–191. Springer, Heidelberg (2009)
  30. Krawczyk, H.: SIGMA: The 'SIGn-and-MAc' approach to authenticated Diffie-Hellman and its use in the IKE protocols. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 400–425. Springer, Heidelberg (2003)
  31. Krawczyk, H.: HMQV: A high-performance secure Diffie-Hellman protocol. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 546–566. Springer, Heidelberg (2005)
  32. Krawczyk, H., Paterson, K.G., Wee, H.: On the security of the TLS protocol: A systematic analysis. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part I. LNCS, vol. 8042, pp. 429–448. Springer, Heidelberg (2013)
  33. Kudla, C., Paterson, K.G.: Modular security proofs for key agreement protocols. In: Roy, B. (ed.) ASIACRYPT 2005. LNCS, vol. 3788, pp. 549–565. Springer, Heidelberg (2005)
  34. Kudla, C.J.: Special Signature Schemes and Key Agreement Protocols. PhD thesis, University of London (2006)
  35. Küsters, R., Truderung, T.: Using ProVerif to analyze protocols with Diffie-Hellman exponentiation. In: Computer Security Foundations Symposium (CSF), pp. 157–171. IEEE (2009)
  36. LaMacchia, B.A., Lauter, K., Mityagin, A.: Stronger security of authenticated key exchange. In: Susilo, W., Liu, J.K., Mu, Y. (eds.) ProvSec 2007. LNCS, vol. 4784, pp. 1–16. Springer, Heidelberg (2007)
  37. Law, L., Menezes, A., Qu, M., Solinas, J., Vanstone, S.: An efficient protocol for authenticated key agreement. Designs, Codes and Cryptography 28(2), 119–134 (2003)
  38. Lee, J., Park, C.S.: An efficient authenticated key exchange protocol with a tight security reduction. Cryptology ePrint Archive, Report 2008/345 (2008)
  39. Lee, J., Park, J.H.: Authenticated key exchange secure under the computational Diffie-Hellman assumption. Cryptology ePrint Archive, Report 2008/344 (2008)
  40. Matsumoto, T., Takashima, Y.: On seeking smart public-key-distribution systems. IEICE Transactions (1976–1990) 69, 99–106 (1986)
  41. Menezes, A.: Another look at HMQV. Journal of Mathematical Cryptology (JMC) 1(1), 47–64 (2007)
  42. Menezes, A., Ustaoglu, B.: On the importance of public-key validation in the MQV and HMQV key agreement protocols. In: Barua, R., Lange, T. (eds.) INDOCRYPT 2006. LNCS, vol. 4329, pp. 133–147. Springer, Heidelberg (2006)
  43. Okamoto, T., Pointcheval, D.: The gap-problems: A new class of problems for the security of cryptographic schemes. In: Kim, K. (ed.) PKC 2001: 4th International Workshop on Theory and Practice in Public Key Cryptography. LNCS, vol. 1992, pp. 104–118. Springer, February 2001
  44. Pan, J., Wang, L.: TMQV: A strongly eCK-secure Diffie-Hellman protocol without gap assumption. In: Boyen, X., Chen, X. (eds.) ProvSec 2011. LNCS, vol. 6980, pp. 380–388. Springer, Heidelberg (2011)
  45. Petullo, W.M., Zhang, X., Solworth, J.A., Bernstein, D.J., Lange, T.: MinimaLT: minimal-latency networking through better security. In: Sadeghi, A.-R., Gligor, V.D., Yung, M. (eds.) ACM CCS 13: 20th Conference on Computer and Communications Security, pp. 425–438. ACM Press, November 2013
  46. Schmidt, B., Meier, S., Cremers, C., Basin, D.: Automated analysis of Diffie-Hellman protocols and advanced security properties. In: Computer Security Foundations Symposium (CSF), pp. 78–94. IEEE (2012)
  47. Shoup, V.: Lower bounds for discrete logarithms and related problems. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 256–266. Springer, Heidelberg (1997)

Copyright information

© International Association for Cryptologic Research 2015

Authors and Affiliations

  • Gilles Barthe (1)
  • Juan Manuel Crespo (1, 2)
  • Yassine Lakhnech (3)
  • Benedikt Schmidt (1)

  1. IMDEA Software Institute, Madrid, Spain
  2. FireEye Germany, Dresden, Germany
  3. University of Grenoble and VERIMAG, Grenoble, France
