$$\textsf {TOPAS}$$ 2-pass key exchange with full perfect forward secrecy and optimal communication complexity

Abstract

We present Transmission optimal protocol with active security (\(\textsf {TOPAS}\)), the first key agreement protocol with optimal communication complexity (message size and number of rounds) that provides security against fully active adversaries. The size of the protocol messages and the computational costs to generate them are comparable to the basic Diffie-Hellman protocol over elliptic curves (which is well-known to only provide security against passive adversaries). Session keys are indistinguishable from random keys—even under reflection and key compromise impersonation attacks. What makes \(\textsf {TOPAS}\)stand out is that it also features a security proof of full perfect forward secrecy (PFS), where the attacker can actively modify messages sent to or from the test-session. The proof of full PFS relies on two new extraction-based security assumptions. It is well-known that existing implicitly-authenticated 2-message protocols like \(\textsf {HMQV}\)cannot achieve this strong form of (full) security against active attackers (Krawczyk, Crypto’05). This makes \(\textsf {TOPAS}\)the first key agreement protocol with full security against active attackers that works in prime-order groups while having optimal message size. We also present a variant of our protocol, \(\textsf {TOPAS+}\), which, under the Strong Diffie-Hellman assumption, provides better computational efficiency in the key derivation phase. Finally, we present a third protocol termed \(\textsf {FACTAS}\)(for factoring-based protocol with active security) which has the same strong security properties as \(\textsf {TOPAS}\)and \(\textsf {TOPAS+}\)but whose security is solely based on the factoring assumption in groups of composite order (except for the proof of full PFS).