International Association for Cryptologic Research

Paper: Two-Pass Authenticated Key Exchange with Explicit Authentication and Tight Security

Xiangyu Liu
Shengli Liu
Dawu Gu
Jian Weng
DOI: 10.1007/978-3-030-64834-3_27
Abstract: We propose a generic construction of a 2-pass authenticated key exchange (AKE) scheme with explicit authentication from key encapsulation mechanism (KEM) and signature (SIG) schemes. We improve the security model due to Gjøsteen and Jager [Crypto2018] to a stronger one. In the strong model, if a replayed message is accepted by some user, the authentication of AKE is broken. We define a new security notion named "IND-mCPA with adaptive reveals" for KEM. When the underlying KEM has such security and SIG has unforgeability with adaptive corruptions, our construction of AKE equipped with counters as states is secure in the strong model, and stateless AKE without counters is secure in the traditional model. We also present a KEM possessing tight "IND-mCPA security with adaptive reveals" from the Computational Diffie-Hellman assumption in the random oracle model. When the generic construction of AKE is instantiated with the KEM and the available SIG by Gjøsteen and Jager [Crypto2018], we obtain the first practical 2-pass AKE with tight security and explicit authentication. In addition, the integration of the tightly IND-mCCA secure KEM (derived from PKE by Han et al. [Crypto2019]) and the tightly secure SIG by Bader et al. [TCC2015] results in the first tightly secure 2-pass AKE with explicit authentication in the standard model.
Video from ASIACRYPT 2020
  title={Two-Pass Authenticated Key Exchange with Explicit Authentication and Tight Security},
  booktitle={Advances in Cryptology - ASIACRYPT 2020},
  author={Xiangyu Liu and Shengli Liu and Dawu Gu and Jian Weng},