Score:1

CK vs BR Key Exchange Security Models

I'm writing a paper on Authenticated Key Exchange Protocols. I've read Bellare and Rogaway's seminal paper on the subject and I think I understand the BR model, and I'm now reading Canetti and Krawczyk's paper, which aims to improve on it. I'm confused as to how the CK model is an improvement on the BR model. As mentioned in the appendix of the CK paper, the BR paper phrases their analysis in terms of oracles. They mention a security flaw in the BR model but I need it thoroughly dumbed down.

In the definitions of (BR), the adversary points to an unexposed session of its choice, and receives a value $k_b$, where $k_0$ is the real session key of this session, $k_1$ is an independently chosen random value, and $b$ is a randomly chosen bit that is unknown to the adversary. The security requirement is that the adversary is unable to predict $b$ with non-negligible advantage over one half. The original version of these definitions requires that the adversary outputs its guess for $b$ immediately after it obtains the test value.

This is largely fine and I include it to provide context for the part I don't get.

Consider your favourite secure key-exchange protocol $\pi$. Now add to the specifications of the protocol the following instruction for the party that completes the session establishment according to the protocol $\pi$: if at any point the party receives a message with the value $\mathrm{MAC}_\kappa(0)$, where $\mathrm{MAC}$ is a secure message authentication function and $\kappa$ is the established session key, then the party publicizes $\kappa$. However, the protocol never instructs any party to carry out such an instruction. As a result the protocol can be shown to pass the weakened definition. On the other hand, it is clear that such a protocol cannot be composed securely with an authentication application that uses the session key for MAC-ing information.

Doesn't the protocol directly tell the party to publish $\kappa$ if it receives $\mathrm{MAC}_\kappa(0)$? So, how is this protocol secure under the BR definition? How does CK eliminate this possibility?

mangohost
