提出一种模块化的扩展Canetti-Krawczyk模型(简称meCK模型)以摆脱认证密钥交换协议对随机预言机的依赖,首先将认证密钥交换协议划分为秘密交换模块和密钥派生模块,并分别形式化定义其攻击者的能力与安全属性;然后综合上述模块得到认证密钥交换协议的模块化安全模型,并证明所提出的安全定义蕴涵原始的扩展Canetti-Krawczyk安全.借助协议模块化分析的思想,设计了一种高效且在标准模型下可证明安全的认证密钥交换协议(简称UPS协议).在meCK模型下,UPS协议的安全性可有效归约到伪随机函数簇、目标抗碰撞Hash函数簇和Gap Diffie-Hellman等标准密码学假设上.与其他标准模型下可证明安全的协议相比,UPS协议所需的密码学假设更弱、更标准,且指数运算次数降低了50%~67%.最后,UPS协议的构造与安全性验证了所提出的模块化方法的合理性和有效性,并解决了ProvSec'09上的一个公开问题.%We propose a modular extended Canetti-Krawczyk (eCK) named as meCK, in order to avoid the controversial random oracle assumption in the security proof of authenticated key exchange (AKE) protocols. Our model treats the AKE protocol as a secret exchange module and a key derivation module, and formalizes the adversarial capabilities and security properties. By composing the security of these two modules, we have the modular model and prove that it is stronger than the original eCK model. With the help of the modular approach, an efficient AKE protocol named as UPS is designed. UPS is provably meCK-secure under the existence of pseudo-random function family, target collision-resistant hash function family and the hardness of Gap Diffie-Hellman problem. Compared with the related works in standard model, UPS requires weaker and more standard cryptographic assumptions, and reduces 50%-67% group exponentiations. Finally, the design and security proof of UPS validate the effectiveness of our model, and solve an open problem in ProvSec'09.
展开▼
