19 research outputs found
Obtaining a secure and efficient key agreement protocol from (H)MQV and NAXOS (extended version)
Updated (extended) and corrected version; see "Errata" and "Revisions" in the appendix for a summary of changes.
LaMacchia, Lauter and Mityagin recently presented a strong security definition for authenticated key agreement strengthening the well-known Canetti-Krawczyk definition. They also described a protocol, called NAXOS, that enjoys a simple security proof in the new model. Compared to MQV and HMQV, NAXOS is less efficient and cannot be readily modified to obtain a one-pass protocol. On the other hand, MQV does not have a security proof, and the HMQV security proof is extremely complicated.
This paper proposes a new authenticated key agreement protocol, called CMQV ("Combined" MQV), which incorporates design principles from MQV, HMQV and NAXOS. The new protocol achieves the efficiency of HMQV and admits a natural one-pass variant. Moreover, we present a simple and intuitive proof that CMQV is secure in the LaMacchia-Lauter-Mityagin model.
On the Security of the (F)HMQV Protocol
The HMQV protocol is under consideration for IEEE P1363 standardization. We provide a complementary analysis of the HMQV protocol. Namely, we point out a Key Compromise Impersonation (KCI) attack showing that the two- and three-pass HMQV protocols cannot achieve their security goals. Next, we revisit the FHMQV building blocks, design and security arguments; we clarify the security and efficiency separation between HMQV and FHMQV, showing the advantages of FHMQV over HMQV.
An Elliptic Curve-based Signcryption Scheme with Forward Secrecy
An elliptic curve-based signcryption scheme is introduced in this paper that effectively combines the functionalities of digital signature and encryption, and decreases the computational costs and communication overheads in comparison with the traditional signature-then-encryption schemes. It simultaneously provides the attributes of message confidentiality, authentication, integrity, unforgeability, non-repudiation, public verifiability, and forward secrecy of message confidentiality. Since it is based on elliptic curves and can use any fast and secure symmetric algorithm for encrypting messages, it has great advantages to be used for security establishments in store-and-forward applications and when dealing with resource-constrained devices.
Comment: 13 pages, 5 figures, 2 tables
Key establishment --- security models, protocols and usage
Key establishment is the process whereby two or more parties derive a shared secret, typically used for subsequent confidential communication. However, identifying the exact security requirements for key establishment protocols is a non-trivial task. This thesis compares, extends and merges existing security definitions and models for key establishment protocols.
The primary focus is on two-party key agreement schemes in the public-key setting. On one hand, new protocols are proposed and analyzed in the existing Canetti-Krawczyk model. On the other hand, the thesis develops a security model and novel definition that capture the essential security attributes of the standardized Unified Model key agreement protocol. These analyses lead to the development of a new security model and related definitions that combine and extend the Canetti-Krawczyk pre- and post-specified peer models in terms of provided security assurances.
The thesis also provides a complete analysis of a one-pass key establishment scheme. There are security goals that no one-pass key establishment scheme can achieve, and hence the two-pass security models and definitions need to be adapted for one-pass protocols. The analysis provided here includes the description of the required modification to the underlying security model. Finally, a complete security argument meeting these altered conditions is presented as evidence supporting the security of the one-pass scheme.
Lastly, validation and reusing short-lived key pairs are related to efficiency, which is a major objective in practice. The thesis considers the formal implication of omitting validation steps and reusing short-lived key pairs. The conclusions reached support the generally accepted cryptographic conventions that incoming messages should not be blindly trusted and that extra care should be taken when key pairs are reused.
ASICS: Authenticated Key Exchange Security Incorporating Certification Systems
Most security models for authenticated key exchange (AKE) do not explicitly model the associated certification system, which includes the certification authority and its behaviour. However, there are several well-known and realistic attacks on AKE protocols which exploit various forms of malicious key registration and which therefore lie outside the scope of these models. We provide the first systematic analysis of AKE security incorporating certification systems. We define a family of security models that, in addition to allowing different sets of standard AKE adversary queries, also permit the adversary to register arbitrary bitstrings as keys. For this model family, we prove generic results that enable the design and verification of protocols that achieve security even if some keys have been produced maliciously. Our approach is applicable to a wide range of models and protocols; as a concrete illustration of its power, we apply it to the CMQV protocol in the natural strengthening of the eCK model to the ASICS setting.
Authenticated Key Exchange Secure under the Computational Diffie-Hellman Assumption
In this paper, we present a new authenticated key exchange (AKE) protocol and prove its security under the random oracle assumption and the computational Diffie-Hellman (CDH) assumption. In the extended Canetti-Krawczyk model, there has been no known AKE protocol based on the CDH assumption. Our protocol, called NAXOS+, is obtained by slightly modifying the NAXOS protocol proposed by LaMacchia, Lauter and Mityagin. We establish a formal security proof of NAXOS+ in the extended Canetti-Krawczyk model using as a main tool the trapdoor test presented by Cash, Kiltz and Shoup.
A Secure and Efficient Authenticated Diffie–Hellman Protocol
The Exponential Challenge Response (XRC) and Dual Exponential Challenge Response (DCR) signature schemes are the building blocks of the HMQV protocol. We propose a complementary analysis of these schemes; on the basis of this analysis we show how impersonation and man-in-the-middle attacks can be mounted against the HMQV protocol when some session-specific information leakages happen.
We define the Full Exponential Challenge Response (FXRC) and Full Dual Exponential Challenge Response (FDCR) signature schemes; using these schemes we propose the Fully Hashed MQV protocol (with security arguments), which preserves the remarkable performance of the (H)MQV protocols and resists the attacks we present.
A New Family of Implicitly Authenticated Diffie-Hellman Protocols
Cryptography algorithm standards play a key role both in the practice of information security and in cryptography theory research. Among them, the MQV and HMQV protocols ((H)MQV, in short) are a family of implicitly authenticated Diffie-Hellman key-exchange (DHKE) protocols that are among the most efficient and are widely standardized. In this work, from some new perspectives and under some new design rationales, and also inspired by the security analysis of HMQV, we develop a new family of practical implicitly authenticated DHKE (IA-DHKE) protocols, which enjoy notable performance in security, efficiency, privacy, fairness and ease of deployment. We make detailed comparisons between our new protocols and (H)MQV, showing that the newly developed protocols outperform HMQV in most aspects. Very briefly speaking, we achieve:
1. The most efficient provably secure IA-DHKE protocol to date, and the first online-optimal provably secure IA-DHKE protocols.
2. The first IA-DHKE protocol that is provably secure, and resilient to the leakage of DH components and exponents, under merely standard assumptions without additionally relying on the knowledge-of-exponent assumption (KEA).
3. The first provably secure privacy-preserving and computationally fair IA-DHKE protocol, with the privacy-preserving properties of reasonable deniability and post-ID computability and the property of session-key computational fairness.
Guided by our new design rationales, in this work we also formalize and introduce a new concept, namely session-key computational fairness (as a complement to session-key security), to the literature