OAKE: A New Family of Implicitly Authenticated Diffie-Hellman Protocols

Cryptographic algorithm standards play an important role both in the practice of information security and in cryptography theory research. Among them, the KEA and OPACITY protocols (KEA/OPACITY, in short) and the MQV and HMQV protocols ((H)MQV, in short) form a family of implicitly authenticated Diffie-Hellman key-exchange (IA-DHKE) protocols that are among the most efficient authenticated key-exchange protocols known and are widely standardized. In this work, starting from some new design insights, we develop a new family of practical IA-DHKE protocols, referred to as OAKE (short for "optimal authenticated key-exchange"). We show that the OAKE protocol family combines, in essence, the advantages of both (H)MQV and KEA/OPACITY, while avoiding or alleviating the disadvantages of both.
