Paper 2019/519

Security in the Presence of Key Reuse: Context-Separable Interfaces and their Applications

Christopher Patton
Thomas Shrimpton
Abstract

Key separation is often difficult to enforce in practice. While key reuse can be catastrophic for security, we know of a number of cryptographic schemes for which it is provably safe. But existing formal models, such as the notions of joint security (Haber-Pinkas, CCS ’01) and agility (Acar et al., EUROCRYPT ’10), do not address the full range of key-reuse attacks—in particular, those that break the abstraction of the scheme, or exploit protocol interactions at a higher level of abstraction. This work attends to these vectors by focusing on two key elements: the game that codifies the scheme under attack, as well as its intended adversarial model; and the underlying interface that exposes secret key operations for use by the game. Our main security experiment considers the implications of using an interface (in practice, the API of a software library or a hardware platform such as TPM) to realize the scheme specified by the game when the interface is shared with other unspecified, insecure, or even malicious applications. After building up a definitional framework, we apply it to the analysis of two real-world schemes: the EdDSA signature algorithm and the Noise protocol framework. Both provide some degree of context separability, a design pattern for interfaces and their applications that aids in the deployment of secure protocols.
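The abstract describes the attack surface (a signing interface shared with unspecified or malicious applications) and the mitigation pattern (context separation) only in words. The following Go program is an added example written for this page; it is not code from the paper and not the paper's formal construction. It models a single Ed25519 key behind a shared signing interface used by two hypothetical applications, "payments" and "chat", and shows why a raw signing interface lets one application's signatures be replayed into the other's domain, and how a length-prefixed context label closes that gap. The application names, the message format and the encoding are assumptions of the example; the signature scheme is Go's standard-library crypto/ed25519.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// SharedSigner models a secret-key interface (a library API or a hardware
// token) that holds one Ed25519 key and is reachable by several applications.
type SharedSigner struct {
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

// NewSharedSigner generates a fresh key pair for the example.
func NewSharedSigner() (*SharedSigner, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &SharedSigner{priv: priv, Pub: pub}, nil
}

// RawSign is the non-separated interface: any caller gets a signature on any
// bytes, so every application using the key shares one signing domain.
func (s *SharedSigner) RawSign(msg []byte) []byte {
	return ed25519.Sign(s.priv, msg)
}

// EncodeContext binds an application label to a message: a 4-byte big-endian
// label length, the label, then the message. The length prefix makes the
// encoding injective (label "ab"+msg "c" and label "a"+msg "bc" differ), which
// is what keeps one application's signatures out of another's domain.
func EncodeContext(label string, msg []byte) []byte {
	out := make([]byte, 4, 4+len(label)+len(msg))
	binary.BigEndian.PutUint32(out, uint32(len(label)))
	out = append(out, label...)
	return append(out, msg...)
}

// CtxSign is the context-separated interface. In a real deployment the label
// would be bound to the caller by the interface (e.g. per application handle);
// here it is passed in for brevity. A caller chooses msg but never the bytes
// that precede it.
func (s *SharedSigner) CtxSign(label string, msg []byte) []byte {
	return ed25519.Sign(s.priv, EncodeContext(label, msg))
}

// VerifyCtx is what an application with the given label must run: it accepts
// only signatures produced under that same label.
func VerifyCtx(pub ed25519.PublicKey, label string, msg, sig []byte) bool {
	return ed25519.Verify(pub, EncodeContext(label, msg), sig)
}

// Constructed sample input (assumption of the example): a transfer record that
// the hypothetical "payments" application accepts when signed by the shared key.
var transfer = []byte("transfer:from=alice;to=mallory;amount=1000")

// RawInterfaceForgeryAccepted models the key-reuse attack. The hypothetical
// "chat" application signs caller-supplied bytes via RawSign. A malicious chat
// user submits a transfer record as a "chat message", then replays the
// resulting signature to "payments", which verifies raw signatures.
// Returns true when payments accepts the replayed signature.
func RawInterfaceForgeryAccepted(s *SharedSigner) bool {
	sigFromChat := s.RawSign(transfer)
	return ed25519.Verify(s.Pub, transfer, sigFromChat)
}

// CtxInterfaceForgeryAccepted repeats the attack against the separated
// interface: the signature chat hands out covers EncodeContext("chat", ...),
// which payments never verifies. Returns true only if the forgery is accepted.
func CtxInterfaceForgeryAccepted(s *SharedSigner) bool {
	sigFromChat := s.CtxSign("chat", transfer)
	return VerifyCtx(s.Pub, "payments", transfer, sigFromChat)
}

// CtxInterfaceHonestAccepted checks that separation does not break the honest
// path: payments' own signatures still verify under payments' label.
func CtxInterfaceHonestAccepted(s *SharedSigner) bool {
	sig := s.CtxSign("payments", transfer)
	return VerifyCtx(s.Pub, "payments", transfer, sig)
}

func main() {
	s, err := NewSharedSigner()
	if err != nil {
		panic(err)
	}
	fmt.Println("raw interface, forgery accepted:    ", RawInterfaceForgeryAccepted(s))
	fmt.Println("context interface, forgery accepted:", CtxInterfaceForgeryAccepted(s))
	fmt.Println("context interface, honest accepted: ", CtxInterfaceHonestAccepted(s))
}
```

Two practical caveats. First, the separation only holds if the interface, not the caller, decides the label: an API that lets the "chat" application pass label "payments" is back to the raw case. Second, the context must be encoded unambiguously; a plain string concatenation would let an attacker shift bytes between label and message. RFC 8032's Ed25519ctx variant carries a context string for the same purpose and can replace the hand-rolled prefix where the library exposes it.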

Note: The latest version notes several bugs pointed out by Joseph Jaeger.

Metadata
Available format(s)
PDF
Category
Cryptographic protocols
Publication info
A major revision of an IACR publication in CRYPTO 2019
Keywords
Key-reuse, APIs, Diffie-Hellman, EdDSA, Noise
Contact author(s)
chrispatton+eprint @ gmail com
History
2025-04-09: last of 6 revisions
2019-05-20: received
Short URL
https://ia.cr/2019/519
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2019/519,
      author = {Christopher Patton and Thomas Shrimpton},
      title = {Security in the Presence of Key Reuse: Context-Separable Interfaces and their Applications},
      howpublished = {Cryptology {ePrint} Archive, Paper 2019/519},
      year = {2019},
      url = {https://eprint.iacr.org/2019/519}
}