Strengthening the security of authenticated key exchange against bad randomness

Journal article

Recent history has revealed that many random number generators (RNGs) used in cryptographic algorithms and protocols were not providing appropriate randomness, either by accident or on purpose. Subsequently, researchers have proposed new algorithms and protocols that are less dependent on the RNG. One exception is that all prominent authenticated key exchange (AKE) protocols are insecure given bad randomness, even when using good long-term keying material. We analyse the security of AKE protocols in the presence of adversaries that can perform attacks based on chosen randomness, i.e., attacks in which the adversary controls the randomness used in protocol sessions. We propose novel stateful protocols, which modify memory shared among a user’s sessions, and show in what sense they are secure against this worst case randomness failure. We develop a stronger security notion for AKE protocols that captures the security that we can achieve under such failures, and prove that our main protocol is correct in this model. Our protocols make substantially weaker assumptions on the RNG than existing protocols.

Authors: Feltz, M; Cremers, C

• Publication status: Published
• Peer review status: Peer reviewed
• Publisher: Springer Verlag
• Journal: Designs, Codes and Cryptography
• Volume: 86
• Issue: 3
• Pages: 481-516
• Publication date: 2017-02-13
• Acceptance date: 2017-01-24
• DOI: 10.1007/s10623-017-0337-5
• EISSN: 1573-7586
• ISSN: 0925-1022
• Keywords: chosen randomness; stateful protocols; authenticated key exchange (AKE); stateless protocols; security models