A Secure and Efficient Authenticated Diffie–Hellman Protocol

Sarr, Augustin P.; Elbaz-Vincent, Philippe; Bajard, Jean-Claude

doi:10.1007/978-3-642-16441-5_6

Cited by 40 publications

(27 citation statements)

References 18 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In many DH protocols, (C, FH, H)MQV-C [18,33,29,14,15] and NAXOS(+,-C) [20,24,17], for instance, the computation of the intermediate results is more costly than that of the ephemeral public key. For these protocols, implementations efficiency is significantly enhanced when the ephemeral keys are computed on the device, while the intermediate results, which require expensive on-line computations and session keys are computed on the host machine.…”

Section: Stronger Securitymentioning

confidence: 99%

“…The eCK model does not consider leakages on intermediate results; and this makes many of the eCK secure protocols insecure in the seCK model. For instance, in the CMQV protocol (shown eCKsecure), an attacker which learns an ephemeral secret exponent in a session, can indefinitely impersonate the session owner; the same holds for the (H)MQV(-C) protocols [29,30]. It is not difficult to see that NAXOS cannot meet the seCK security definition.…”

Section: Proposition 1 Any Seck-secure Protocol Is Also An Eck-securmentioning

confidence: 99%

“…Compared to the CK HMQV model 5 [14], the reveal query definitions are enhanced in the seCK model to capture attacks based on intermediate result leakages. In the HMQV security arguments [14, subsection 7.4], the session state is defined to contain the ephemeral DH exponent 6 ; the HMQV protocol does not meet the seCK-security [29,30].…”

Section: Proposition 1 Any Seck-secure Protocol Is Also An Eck-securmentioning

confidence: 99%

“…We start with the following variants of the FXCR and FDCR signature schemes [29]. The security of the FXCR-1 and FDCR-1 schemes can be shown with arguments similar to that of the FXCR and FDCR schemes [29,30]. …”

Section: The Strengthened Mqv Protocolmentioning

confidence: 99%

“…This idle-time pre-computation seems common in practice [28] (and possible in both the (C, H)MQV and SMQV protocols). But, as (C, H)MQV is not ephemeral secret exponent leakage resilient [29,30], the ephemeral secret exponents (s A = x + da or s B = y + eb) cannot be used on the untrusted host machine. machine, after the ephemeral secret exponent is computed on the device.…”

Section: Remarkmentioning

confidence: 99%

See 4 more Smart Citations

A New Security Model for Authenticated Key Agreement

Sarr

Elbaz-Vincent

Bajard

2010

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

The Canetti-Krawczyk (CK) and extended Canetti-Krawczyk (eCK) security models, are widely used to provide security arguments for key agreement protocols. We discuss security shades in the (e)CK models, and some practical attacks unconsidered in (e)CK-security arguments. We propose a strong security model which encompasses the eCK one. We also propose a new protocol, called Strengthened MQV (SMQV), which in addition to provide the same efficiency as the (H)MQV protocols, is particularly suited for distributed implementations wherein a tamper-proof device is used to store long-lived keys, while session keys are used on an untrusted host machine. The SMQV protocol meets our security definition under the Gap DiffieHellman assumption and the Random Oracle model.

show abstract

Section: Stronger Securitymentioning

confidence: 99%

Section: Proposition 1 Any Seck-secure Protocol Is Also An Eck-securmentioning

confidence: 99%

Section: Proposition 1 Any Seck-secure Protocol Is Also An Eck-securmentioning

confidence: 99%

Section: The Strengthened Mqv Protocolmentioning

confidence: 99%

Section: Remarkmentioning

confidence: 99%

See 3 more Smart Citations

A New Security Model for Authenticated Key Agreement

Sarr

Elbaz-Vincent

Bajard

2010

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

show abstract

An authenticated, secure, and mutable multiple‐session‐keys protocol based on elliptic curve cryptography and text‐to‐image encryption algorithm

Abusukhon

Mohammad

Al-Thaher

2021

Concurrency and Computation

View full text Add to dashboard Cite

Summary Most of the key agreement protocols (e.g., Menezes–Qu–Vanstone [MQV] family) generate one common key per session. This leaves the session key vulnerable against various attacks. This article proposed an enhanced multiple session key (EMSK) protocol which is based on the elliptic curve Diffie–Hellman (ECDH), HMQV, and the YAK protocols. The EMSK generates multiple session keys per session. Unlike the MQV protocol, the EMSK needs only two messages to be exchanged in order to create nine session keys. However, the MQV requires 18 messages to be exchanged in order to produce these nine session keys. In EMSK, one of the session keys is used to encrypt the plaintext using the one‐time pad cipher. The encrypted message is then embedded in an RGB‐image in order to provide confidentiality service of communication. The EMSK is evaluated theoretically against various types of attacks and practically using the Scyther simulator. The results from the simulator showed that the EMSK protocol withstand various types of attacks on the MQV, HMQV, and the YAK protocols, and provided perfect forward secrecy. In addition, the EMSK provides a digital signature feature which validates the authenticity and integrity of a digital message using the zero knowledge prove.

show abstract

Authenticated key exchange protocol under computational Diffie–Hellman assumption from trapdoor test technique

Huang

2013

Int J Communication

View full text Add to dashboard Cite

This paper investigates authenticated key exchange (AKE) protocol under computational Diffie-Hellman assumption in the extended Canetti-Krawczyk model. The core technical component of our protocol is the trapdoor test technique, which is originally introduced to remove the gap Diffie-Hellman (GDH) assumption for the public key encryption schemes. Our contributions are twofold. First, we clarify some misunderstandings of the usage of the trapdoor test technique in AKE protocols showing its adaptation to the AKE protocols is not trivial. We point out some errors in some recent work which attempts to make use of the trapdoor test technique to remove GDH assumption. Second, based on trapdoor test technique, we propose an efficient extended Canetti-Krawczyk secure AKE protocol under computational Diffie-Hellman assumption instead of GDH assumption. Additionally, our protocol does not make use of NAXOS trick and has a tight reduction. In comparison with all existing AKE protocols with the properties as previously mentioned, our protocol with only three exponentiations is most efficient. the security on CDH assumption. Cash, Kiltz, and Shoup [3] proposed a new computational problem called twin Diffie-Hellman problem, at the heart of which is the 'trapdoor test', which is originally used to remove the gap assumption for the public key encryption schemes.Later, Huang et al. [4] first introduced this technique to remove the gap assumption for AKE protocol in eCK model. Some recent work [5,6] attempted to make use of the trapdoor test technique to construct eCK-secure AKE protocols under CDH assumption. However, there are several problems with the proofs, as will be discussed in section 3. Thus, we stress that the adaptation of the trapdoor test technique to the AKE protocols is not trivial and there are some pitfalls in the security proof. Actually, one of the purposes of this paper is to clarify the misusing of trapdoor test technique.Our Contributions This paper investigates eCK-secure AKE protocol under CDH assumption. Our contributions are twofold.First, the trapdoor test technique is a useful tool to remove the gap assumption in public key encryption schemes. Some people could think that it is trivial to adapt it to AKE protocols. However, we claim that this is not the case. We clarify some misunderstandings of the usage of the trapdoor test technique showing its adaptation to the AKE protocols is not trivial. We point out some errors in some recent work [5,6], which attempts to make use of the trapdoor test technique to remove gap assumption.Second, we proposes an efficient eCK-secure AKE protocol under CDH assumption. Additionally, our protocol does not make use of NAXOS trick ‡ and has a tight reduction. In comparison with all existing AKE protocols with the properties as previously mentioned, our protocol with only three exponentiations is most efficient.Our protocol requires the party to prove the knowledge of the static private key during the user registration phase, which was introduced earlier by Daisuke Moriy...

show abstract

A Secure and Efficient Authenticated Diffie–Hellman Protocol

Cited by 40 publications

References 18 publications

A New Security Model for Authenticated Key Agreement

A New Security Model for Authenticated Key Agreement

An authenticated, secure, and mutable multiple‐session‐keys protocol based on elliptic curve cryptography and text‐to‐image encryption algorithm

Authenticated key exchange protocol under computational Diffie–Hellman assumption from trapdoor test technique

Contact Info

Product

Resources

About