Stronger Security of Authenticated Key Exchange

In this paper we study security definitions for authenticated key exchange (AKE) protocols. We observe that there are several families of attacks on AKE protocols that lie outside the boundary of the current class of security definitions. In an attempt to bring these attacks within the scope of analysis we extend the AKE security definition to provide greater powers to the adversary. We provide a general framework for defining AKE security, which we call strong AKE security, such that existing security definitions occur as instances of the framework. We then introduce NAXOS, a new two-pass AKE protocol, and prove that it is secure in this stronger definition. In addition, we point out a new attack on the SIG-DH protocol by Canetti and Krawczyk. This attack is possible because of a subtle ambiguity in the Canetti-Krawczyk security definition. We demonstrate how the ambiguity may be resolved within the strong AKE security framework.