On the Limits of Authenticated Key Exchange Security with an Application to Bad Randomness

State-of-the-art authenticated key exchange (AKE) protocols are proven secure in game-based security models. These models have considerably evolved in strength from the originalBellare-Rogaway model. However, so far only informal impossibility results, which suggestthat no protocol can be secure against stronger adversaries, have been sketched. At the sametime, there are many different security models being used, all of which aim to model thestrongest possible adversary. In this paper we provide the first systematic analysis of thelimits of game-based security models. Our analysis reveals that different security goals can beachieved in different relevant classes of AKE protocols. From our formal impossibility results,we derive strong security models for these protocol classes and give protocols that are securein them. In particular, we analyse the security of AKE protocols in the presence of adversarieswho can perform attacks based on chosen randomness, in which the adversary controls therandomness used in protocol sessions. Protocols that do not modify memory shared amongsessions, which we call stateless protocols, are insecure against chosen-randomness attacks.We propose novel stateful protocols that provide resilience even against this worst caserandomness failure, thereby weakening the security assumptions required on the randomnumber generator.