Less is More: Relaxed Yet Composable Security Notions for Key Exchange
Although they do not suffer from clear attacks, various key agreement protocols (for example, the one used within the TLS protocol) are deemed insecure by existing security models for key exchange. The reason is that the derived keys are used within the key exchange step itself, which violates the usual key indistinguishability requirement. In this paper, the authors propose a new security definition for key exchange protocols that offers two important benefits. Their notion is weaker than the more established ones, and thus allows the analysis of a larger class of protocols. Furthermore, security in the sense that they define enjoys rather general composability properties. In addition, their composability properties are derived within game-based formalisms and do not appeal to any simulation-based paradigm.
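The following added example (not taken from the paper) plays the real-or-random key game against a constructed toy handshake to show why using the session key inside the key exchange breaks key indistinguishability without giving any attack on the key. All names (`toy_handshake`, `distinguisher`, `ind_game`) and the message layout are assumptions made for illustration; the variant with a separately derived confirmation key goes beyond the abstract and is included only as a contrast.

```python
import hashlib
import hmac
import secrets

def prf(key: bytes, label: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 used as the key-derivation and MAC function."""
    return hmac.new(key, label + b"|" + data, hashlib.sha256).digest()

def toy_handshake(confirm_with_session_key: bool):
    """Constructed toy protocol: returns (transcript, finished_tag, session_key)."""
    master = secrets.token_bytes(32)      # stand-in for the key-agreement output
    transcript = secrets.token_bytes(32)  # client and server nonces, public
    session_key = prf(master, b"session", transcript)
    # TLS-like case: the confirmation message is keyed with the session key.
    # Contrast case: it is keyed with an independently derived value.
    confirm_key = (session_key if confirm_with_session_key
                   else prf(master, b"confirm", transcript))
    finished = prf(confirm_key, b"finished", transcript)  # visible on the wire
    return transcript, finished, session_key

def distinguisher(transcript: bytes, finished: bytes, candidate: bytes) -> int:
    """Output 1 ("real key") iff the candidate key reproduces the observed tag."""
    recomputed = prf(candidate, b"finished", transcript)
    return int(hmac.compare_digest(recomputed, finished))

def ind_game(confirm_with_session_key: bool, trials: int = 200) -> float:
    """Fraction of correct guesses in the real-or-random key game."""
    correct = 0
    for _ in range(trials):
        transcript, finished, real_key = toy_handshake(confirm_with_session_key)
        b = secrets.randbelow(2)          # challenger's hidden bit
        challenge = real_key if b == 1 else secrets.token_bytes(32)
        correct += int(distinguisher(transcript, finished, challenge) == b)
    return correct / trials

if __name__ == "__main__":
    # Session key used in the handshake: the game is always won, although the
    # adversary never learns the key from the protocol messages.
    print("key used in handshake:", ind_game(True))
    # Separate confirmation key: the tag check tells the adversary nothing.
    print("separate confirm key :", ind_game(False))
```

The distinguisher wins only because the game hands it a candidate key to test against the transcript, which is the gap between "fails key indistinguishability" and "suffers from an attack" that the abstract points to.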