International Association for Cryptologic Research


IACR News item: 04 September 2013

Ueli Maurer, Björn Tackmann, Sandro Coretti
ePrint Report
Key exchange with unilateral authentication (short: unilateral key exchange) is an important primitive in practical security protocols; a prime example is the widely deployed TLS protocol, which is usually run in this mode. Unilateral key-exchange protocols are employed in a client-server setting where only the server has a certified public key. The client is then authenticated by sending credentials via a connection that is secured with the key obtained from the protocol. Somewhat surprisingly, and despite its importance in practical scenarios, this type of key exchange has received relatively little attention in the cryptographic literature compared to the type with mutual authentication.

In this work, we follow the constructive cryptography paradigm of Maurer and Renner (ICS 2011) to obtain a (composable) security definition for key-exchange protocols with unilateral authentication: We describe a "unilateral key" resource and require from a key-exchange protocol that it constructs this resource in a scenario where only the server is authenticated. One main advantage of this approach is that it comes with strong composition guarantees: Any higher-level protocol proven secure with respect to the unilateral key resource remains secure if the key is obtained using a secure unilateral key-exchange protocol.

We then describe a simple protocol based on any CPA-secure KEM and prove that it constructs a unilateral key (previous protocols in this setting relied on a CCA-secure KEM). The protocol design and our security analysis are fully modular and allow one to replace a sub-protocol $\pi$ by a different sub-protocol $\pi'$ by only proving security of the sub-protocol $\pi'$; the composition theorem immediately guarantees that the security of the modified full protocol is maintained. In particular, one can replace the KEM by a sub-protocol based on Diffie-Hellman, obtaining a protocol that is similar to the A-DHKE protocol proposed by Shoup. Moreover, our analysis is simpler because the actual key-exchange part of the protocol can be analyzed in a simple three-party setting; we show that the extension to the multi-party setting follows generically.

Compared to the TLS handshake protocol, the "de facto" standard for unilateral key exchange on the Internet, our protocol is more efficient (only two messages) and is based on weaker assumptions.
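The abstract states the shape of the protocol (two messages, a CPA-secure KEM, only the server holding a certified key, and a Diffie-Hellman instantiation resembling Shoup's A-DHKE) but does not spell out the message flow. The following is an added illustration, not code from the paper or its authors: it assumes the A-DHKE-style flow in which the client sends a fresh KEM encapsulation key, and the server answers with an encapsulation plus a signature over both messages under its long-term key. The KEM is hashed Diffie-Hellman and the signature is Schnorr, both over the 1024-bit RFC 2409 group 2 MODP group; these choices, the group size, and all function names are assumptions made for the example, not the paper's construction. The two attacker functions show what the server-only signature is buying: an impersonator without the server's signing key, and an attacker who splices in its own KEM ciphertext, are both rejected by the client.

```python
import hashlib
import secrets

# RFC 2409 Oakley group 2 (1024-bit safe prime). Assumption for this example only:
# a real deployment would use a larger group or a standardized KEM.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2                 # generates the prime-order subgroup of size Q
Q = (P - 1) // 2      # subgroup order (P is a safe prime)


def i2b(x):
    return x.to_bytes((P.bit_length() + 7) // 8, "big")


def H(tag, *parts):
    """Domain-separated, length-prefixed SHA-256 so KEM, signature and transcript hashes never collide."""
    h = hashlib.sha256(tag)
    for part in parts:
        h.update(len(part).to_bytes(4, "big") + part)
    return h.digest()


def in_group(x):
    """Small-subgroup check: reject 0, 1, P-1 and anything outside the order-Q subgroup."""
    return 1 < x < P - 1 and pow(x, Q, P) == 1


# --- KEM: hashed Diffie-Hellman (CPA-secure under DDH in the subgroup) ---
def kem_keygen():
    dk = secrets.randbelow(Q - 1) + 1
    return pow(G, dk, P), dk            # (encapsulation key, decapsulation key)


def kem_encaps(ek):
    if not in_group(ek):
        raise ValueError("bad encapsulation key")
    r = secrets.randbelow(Q - 1) + 1
    c = pow(G, r, P)
    return c, H(b"kem", i2b(c), i2b(pow(ek, r, P)))


def kem_decaps(dk, c):
    if not in_group(c):
        raise ValueError("bad ciphertext")
    return H(b"kem", i2b(c), i2b(pow(c, dk, P)))


# --- Signature: Schnorr over the same group; only the server owns such a key ---
def sig_keygen():
    x = secrets.randbelow(Q - 1) + 1
    return pow(G, x, P), x              # (verification key, signing key)


def sign(x, msg):
    k = secrets.randbelow(Q - 1) + 1
    e = int.from_bytes(H(b"sig", i2b(pow(G, k, P)), msg), "big") % Q
    return e, (k - x * e) % Q


def verify(y, msg, sig):
    e, s = sig
    if not (0 <= e < Q and 0 <= s < Q):
        return False
    r = pow(G, s, P) * pow(y, e, P) % P     # = g^k when the signature is genuine
    return int.from_bytes(H(b"sig", i2b(r), msg), "big") % Q == e


# --- Two-message unilateral key exchange (assumed A-DHKE-style flow) ---
def transcript(ek, c):
    return H(b"transcript", i2b(ek), i2b(c))


def client_hello():
    """Message 1 (client -> server): a fresh, unauthenticated KEM encapsulation key."""
    return kem_keygen()                 # (ek to send, dk kept secret)


def server_respond(server_sk, ek):
    """Message 2 (server -> client): encapsulation, plus a signature binding it to message 1."""
    c, key = kem_encaps(ek)
    return (c, sign(server_sk, transcript(ek, c))), key


def client_finish(server_pk, dk, ek, msg2):
    """The client checks the signature against the server's certified key before using the key."""
    c, sig = msg2
    if not verify(server_pk, transcript(ek, c), sig):
        raise ValueError("server authentication failed")
    return kem_decaps(dk, c)


def client_accepts(server_pk, dk, ek, msg2):
    try:
        client_finish(server_pk, dk, ek, msg2)
        return True
    except ValueError:
        return False


def honest_handshake(server_pk, server_sk):
    ek, dk = client_hello()
    msg2, k_server = server_respond(server_sk, ek)
    return client_finish(server_pk, dk, ek, msg2), k_server


def impersonation_attempt(server_pk):
    """Attacker lacking the server's signing key answers with a key of its own."""
    ek, dk = client_hello()
    _, fake_sk = sig_keygen()
    msg2, _ = server_respond(fake_sk, ek)
    return client_accepts(server_pk, dk, ek, msg2)


def splice_attempt(server_pk, server_sk):
    """Attacker keeps the genuine signature but swaps in its own KEM ciphertext."""
    ek, dk = client_hello()
    (c, sig), _ = server_respond(server_sk, ek)
    c_evil, _ = kem_encaps(ek)
    return client_accepts(server_pk, dk, ek, (c_evil, sig))


def run_demo():
    server_pk, server_sk = sig_keygen()       # the server's certified key pair
    k_client, k_server = honest_handshake(server_pk, server_sk)
    return (k_client == k_server, len(k_client),
            impersonation_attempt(server_pk), splice_attempt(server_pk, server_sk))


if __name__ == "__main__":
    print(run_demo())
```

Note what the client never does: it has no key of its own and signs nothing, which is the unilateral setting the abstract describes; its own authentication would happen later, over the channel keyed by the returned value. The subgroup check in `in_group` is the caveat a practitioner would want here, since a CPA-secure KEM gives no guarantee against malformed ciphertexts on its own.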


Additional news items may be found on the IACR news page.