Comparing SessionStateReveal and EphemeralKeyReveal for Diffie-Hellman Protocols

Both the "eCK" model, by LaMacchia, Lauter and Mityagin, and the "CK01" model, by Canetti and Krawczyk, address the effect of leaking session specific ephemeral data on the security of key establishment schemes. The CK01-adversary is given a SessionStateReveal query to learn session-specific private data defined by the protocol specification, whereas the eCK-adversary is equipped with an EphemeralKeyReveal query to access all ephemeral private input required to carry session computations. SessionStateReveal cannot be issued against the test session; by contrast EphemeralKeyReveal can be used against the test session under certain conditions. On the other hand, it is not obvious how EphemeralKeyReveal compares to SessionStateReveal . Thus it is natural to ask which model is more useful and practically relevant. While formally the models are not comparable, we show that recent analyses utilizing SessionStateReveal and EphemeralKeyReveal have a similar approach to ephemeral data leakage. First we pinpoint the features that determine the approach. Then by examining common motives for ephemeral data leakage we conclude that the approach is meaningful, but does not take into account timing, which turns out to be critical for security. Lastly, for Diffie-Hellman protocols we argue that it is important to consider security when discrete logarithm values of the outgoing ephemeral public keys are leaked and offer a method to achieve security even if these values are exposed.

[1]  Douglas R. Stinson,et al.  Advances in Cryptology — CRYPTO’ 93 , 2001, Lecture Notes in Computer Science.

[2]  David Cash,et al.  The Twin Diffie-Hellman Problem and Applications , 2008, EUROCRYPT.

[3]  Cas J. F. Cremers Session-state Reveal Is Stronger Than Ephemeral Key Reveal: Attacking the NAXOS Authenticated Key Exchange Protocol , 2009, ACNS.

[4]  Victor Shoup Advances in Cryptology - CRYPTO 2005: 25th Annual International Cryptology Conference, Santa Barbara, California, USA, August 14-18, 2005, Proceedings , 2005, CRYPTO.

[5]  Mihir Bellare,et al.  The Knowledge-of-Exponent Assumptions and 3-Round Zero-Knowledge Protocols , 2004, CRYPTO.

[6]  Kenneth G. Paterson,et al.  Efficient One-Round Key Exchange in the Standard Model , 2008, ACISP.

[7]  Hassan M. Elkamchouchi,et al.  An efficient protocol for authenticated key agreement , 2011, 2011 28th National Radio Science Conference (NRSC).

[8]  Matthew Franklin,et al.  Advances in Cryptology – CRYPTO 2004 , 2004, Lecture Notes in Computer Science.

[9]  Berkant Ustaoglu,et al.  Obtaining a secure and efficient key agreement protocol from (H)MQV and NAXOS , 2008, Des. Codes Cryptogr..

[10]  Kristin E. Lauter,et al.  Security Analysis of KEA Authenticated Key Exchange Protocol , 2006, IACR Cryptol. ePrint Arch..

[11]  Reihaneh Safavi-Naini,et al.  Information Security and Privacy, 11th Australasian Conference, ACISP 2006, Melbourne, Australia, July 3-5, 2006, Proceedings , 2006, ACISP.

[12]  Nigel P. Smart,et al.  Advances in Cryptology - EUROCRYPT 2008, 27th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Istanbul, Turkey, April 13-17, 2008. Proceedings , 2008, EUROCRYPT.

[13]  Kristin E. Lauter,et al.  Stronger Security of Authenticated Key Exchange , 2006, ProvSec.

[14]  David A. Basin,et al.  From Dolev-Yao to Strong Adaptive Corruption: Analyzing Security in the Presence of Compromising Adversaries , 2009, IACR Cryptol. ePrint Arch..

[15]  Tatsuaki Okamoto,et al.  Authenticated Key Exchange and Key Encapsulation in the Standard Model , 2007, ASIACRYPT.

[16]  Je Hong Park,et al.  Authenticated Key Exchange Secure under the Computational Diffie-Hellman Assumption , 2008, IACR Cryptol. ePrint Arch..

[17]  Colin Boyd,et al.  Cryptography and Coding , 1995, Lecture Notes in Computer Science.

[18]  Alfred Menezes,et al.  Handbook of Applied Cryptography , 2018 .

[19]  Aggelos Kiayias,et al.  Public Key Cryptography - PKC 2006 , 2006, Lecture Notes in Computer Science.

[20]  Elaine B. Barker,et al.  Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography , 2007 .

[21]  Alfred Menezes,et al.  Security arguments for the UM key agreement protocol in the NIST SP 800-56A standard , 2008, ASIACCS '08.

[22]  Jooyoung Lee,et al.  An Efficient Authenticated Key Exchange Protocol with a Tight Security Reduction , 2008, IACR Cryptol. ePrint Arch..

[23]  David Pointcheval,et al.  The Gap-Problems: A New Class of Problems for the Security of Cryptographic Schemes , 2001, Public Key Cryptography.

[24]  Mihir Bellare,et al.  Random oracles are practical: a paradigm for designing efficient protocols , 1993, CCS '93.

[25]  David Cash,et al.  The Twin Diffie–Hellman Problem and Applications , 2009, Journal of Cryptology.

[26]  Hugo Krawczyk,et al.  HMQV: A High-Performance Secure Diffie-Hellman Protocol , 2005, CRYPTO.

[27]  Kaoru Kurosawa,et al.  Advances in Cryptology - ASIACRYPT 2007, 13th International Conference on the Theory and Application of Cryptology and Information Security, Kuching, Malaysia, December 2-6, 2007, Proceedings , 2007, International Conference on the Theory and Application of Cryptology and Information Security.

[28]  Hugo Krawczyk,et al.  Analysis of Key-Exchange Protocols and Their Use for Building Secure Channels , 2001, EUROCRYPT.

[29]  David M'Raïhi,et al.  Batch exponentiation: a fast DLP-based signature generation strategy , 1996, CCS '96.

[30]  Alfred Menezes,et al.  Comparing the pre- and post-specified peer models for key agreement , 2009, Int. J. Appl. Cryptogr..

[31]  Mihir Bellare,et al.  Entity Authentication and Key Distribution , 1993, CRYPTO.

[32]  Alfred Menezes,et al.  Key Agreement Protocols and Their Security Analysis , 1997, IMACC.