Beyond eCK: Perfect Forward Secrecy under Actor Compromise and Ephemeral-Key Reveal

We show that it is possible to achieve perfect forward secrecy in two-message key exchange (KE) protocols that satisfy even stronger security properties than provided by the extended Canetti-Krawczyk (eCK) security model. In particular, we consider perfect forward secrecy in the presence of adversaries that can reveal the long-term secret keys of the actor of a session and reveal ephemeral secret keys. We propose two new game-based security models for KE protocols. First, we formalize a slightly stronger variant of the eCK security model that we call eCK. Second, we integrate perfect forward secrecy into eCK, which gives rise to the even stronger eCK-PFS model. We propose a securitystrengthening transformation (i. e., a compiler) between our new models. Given a two-message Diffie-Hellman type protocol secure in eCK, our transformation yields a two-message protocol that is secure in eCK-PFS. As an example, we show how our transformation can be applied to the NAXOS protocol.