Obtaining a secure and efficient key agreement protocol from (H)MQV and NAXOS

Ustaoğlu, Berkant

doi:10.1007/s10623-007-9159-1

Cited by 124 publications

(94 citation statements)

References 13 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In NAXOS' approach no one is able to query the discrete logarithm of an ephemeral public key X without the pair (x, a); thus the discrete logarithm of X is hidden via an extra random oracle. Using NAXOS' approach many protocols [25,11,16,17] were argued secure in the eCK model under the random oracle assumption. In the standard model, the only (to our knowledge) eCK-secure protocol is due to Okamoto [22]; it uses pseudo-random functions instead of hash functions.…”

Section: Introductionmentioning

confidence: 99%

Strongly Secure Authenticated Key Exchange without NAXOS’ Approach

Kim

Fujioka

Ustaoğlu

2009

Advances in Information and Computer Security

View full text Add to dashboard Cite

Abstract. LaMacchia, Lauter and Mityagin [15] proposed the extended Canetti-Krawczyk (eCK) model and an AKE protocol, called NAXOS. Unlike previous security models, the adversary in the eCK model is allowed to obtain ephemeral secret information related to the test session, which makes the security proof difficult. To overcome this NAXOS combines an ephemeral private key x with a static private key a to generate an ephemeral public key X; more precisely X = g H(x,a) . As a result, no one is able to query the discrete logarithm of X without knowing both the ephemeral and static private keys. In other words, the discrete logarithm of an ephemeral public key, which is typically the ephemeral secret, is hidden via an additional random oracle. In this paper, we show that it is possible to construct eCK-secure protocol without the NAXOS' approach by proposing two eCK-secure protocols. One is secure under the GDH assumption and the other under the CDH assumption; their efficiency and security assurances are comparable to the well-known HMQV [12] protocol. Furthermore, they are at least as secure as protocols that use the NAXOS' approach but unlike them and HMQV, the use of the random oracle is minimized and restricted to the key derivation function.

show abstract

Section: Introductionmentioning

confidence: 99%

Strongly Secure Authenticated Key Exchange without NAXOS’ Approach

Kim

Fujioka

Ustaoğlu

2009

Advances in Information and Computer Security

View full text Add to dashboard Cite

show abstract

“…These constructions are instantiated using existing schemes. In particular, we use existing OPKE protocols [26,32,22] to derive new signcryption KEMs with stronger security properties than the current signcryption KEMs. One of the main observations of our paper is that the security models for key establishment are stronger than those normally accepted for signcryption.…”

Section: Contributionsmentioning

confidence: 99%

“…The initial setup phase, the adversarial and communication models remain the same as defined for multi-pass key establishment protocols in the traditional public key setting. In independent work, Ustaoglu [32] defined a notion of freshness for OPKE protocols. We now present a slightly different notion.…”

Section: Security Model For Opkementioning

confidence: 99%

“…OPKE protocols proposed by Krawczyk [26], Ustaoglu [32] and Gorantla et al [22] can be used as signcryption KEMs secure in the insider confidentiality and outsider unforgeability notions. The new signcryption KEMs between the parties A and B in multi-user setting are presented in Figure 3.…”

Section: New Signcryption Kemsmentioning

confidence: 99%

“…We can also obtain signcryption KEMs from the OPKE protocols proposed by Ustaoglu [32] and Gorantla et al [22]. The one-pass CMQV protocol of Ustaoglu was proven secure in the eCK model described in Section 2.3 assuming random oracles.…”

Section: Security Of the New Kemsmentioning

confidence: 99%

See 2 more Smart Citations

On the Connection Between Signcryption and One-Pass Key Establishment

Gorantla

Boyd

Nieto

Cryptography and Coding

View full text Add to dashboard Cite

Abstract. Key establishment between two parties that uses only one message transmission is referred to as one-pass key establishment (OPKE). OPKE provides the opportunity for very efficient constructions, even though they will typically provide a lower level of security than the corresponding multi-pass variants. In this paper, we explore the intuitive connection between signcryption and OPKE. By establishing a formal relationship between these two primitives, we show that with appropriate security notions, OPKE can be used as a signcryption KEM and vice versa. In order to establish the connection we explore the definitions of security for signcryption (KEM) and give new and generalised definitions. By making our generic constructions concrete we are able to provide new examples of signcryption KEMs and an OPKE protocol.

show abstract

Authenticated key exchange protocol under computational Diffie–Hellman assumption from trapdoor test technique

Huang

2013

Int J Communication

View full text Add to dashboard Cite

This paper investigates authenticated key exchange (AKE) protocol under computational Diffie-Hellman assumption in the extended Canetti-Krawczyk model. The core technical component of our protocol is the trapdoor test technique, which is originally introduced to remove the gap Diffie-Hellman (GDH) assumption for the public key encryption schemes. Our contributions are twofold. First, we clarify some misunderstandings of the usage of the trapdoor test technique in AKE protocols showing its adaptation to the AKE protocols is not trivial. We point out some errors in some recent work which attempts to make use of the trapdoor test technique to remove GDH assumption. Second, based on trapdoor test technique, we propose an efficient extended Canetti-Krawczyk secure AKE protocol under computational Diffie-Hellman assumption instead of GDH assumption. Additionally, our protocol does not make use of NAXOS trick and has a tight reduction. In comparison with all existing AKE protocols with the properties as previously mentioned, our protocol with only three exponentiations is most efficient. the security on CDH assumption. Cash, Kiltz, and Shoup [3] proposed a new computational problem called twin Diffie-Hellman problem, at the heart of which is the 'trapdoor test', which is originally used to remove the gap assumption for the public key encryption schemes.Later, Huang et al. [4] first introduced this technique to remove the gap assumption for AKE protocol in eCK model. Some recent work [5,6] attempted to make use of the trapdoor test technique to construct eCK-secure AKE protocols under CDH assumption. However, there are several problems with the proofs, as will be discussed in section 3. Thus, we stress that the adaptation of the trapdoor test technique to the AKE protocols is not trivial and there are some pitfalls in the security proof. Actually, one of the purposes of this paper is to clarify the misusing of trapdoor test technique.Our Contributions This paper investigates eCK-secure AKE protocol under CDH assumption. Our contributions are twofold.First, the trapdoor test technique is a useful tool to remove the gap assumption in public key encryption schemes. Some people could think that it is trivial to adapt it to AKE protocols. However, we claim that this is not the case. We clarify some misunderstandings of the usage of the trapdoor test technique showing its adaptation to the AKE protocols is not trivial. We point out some errors in some recent work [5,6], which attempts to make use of the trapdoor test technique to remove gap assumption.Second, we proposes an efficient eCK-secure AKE protocol under CDH assumption. Additionally, our protocol does not make use of NAXOS trick ‡ and has a tight reduction. In comparison with all existing AKE protocols with the properties as previously mentioned, our protocol with only three exponentiations is most efficient.Our protocol requires the party to prove the knowledge of the static private key during the user registration phase, which was introduced earlier by Daisuke Moriy...

show abstract

Obtaining a secure and efficient key agreement protocol from (H)MQV and NAXOS

Cited by 124 publications

References 13 publications

Strongly Secure Authenticated Key Exchange without NAXOS’ Approach

Strongly Secure Authenticated Key Exchange without NAXOS’ Approach

On the Connection Between Signcryption and One-Pass Key Establishment

Authenticated key exchange protocol under computational Diffie–Hellman assumption from trapdoor test technique

Contact Info

Product

Resources

About