University of Toledo
The authors consider Session Key Agreement (SKA) protocols that operate in a public key infrastructure with pre-specified peers, take no session ID as input, and output only a session key. Despite much work on SKA, they argue that there is no good definition of security for this (very natural) protocol syntax. The difficulty is that in this setting the adversary may not be able to tell which processes share a key, and thus which session keys may be revealed without trivializing the security condition. They consider security against adversaries that control all network traffic, can register arbitrary public keys, and can retrieve session keys.