Andrew Chi-Chih Yao,Yunlei Zhao

DOI: https://doi.org/10.1145/2508859.2516695

2013-01-01

Abstract:Cryptography algorithm standards play a key role both to the practice of information security and to cryptography theory research. Among them, the MQV and HMQV protocols ((H)MQV, in short) are a family of implicitly authenticated Diffie-Hellman key-exchange (DHKE) protocols that are among the most efficient and are widely standardized. In this work, from some new perspectives and under some new design rationales, and also inspired by the security analysis of HMQV, we develop a new family of practical implicitly authenticated DHKE (IA-DHKE) protocols, which enjoy notable performance among security, efficiency, privacy, fairness and easy deployment. We make detailed comparisons between our new protocols and (H)MQV, showing that the newly developed protocols outperform HMQV in most aspects. Very briefly speaking, we achieve: • The most efficient provably secure IA-DHKE protocol to date, and the first online-optimal provably secure IA-DHKE protocols. • The first IA-DHKE protocol that is provably secure, resilience to the leakage of DH components and exponents, under merely standard assumptions without additionally relying on the knowledge-of-exponent assumption (KEA). • The first provably secure privacy-preserving and computationally fair IA-DHKE protocol, with privacy-preserving properties of reasonable deniability and post-ID computability and the property of session-key computational fairness. Guided by our new design rationales, in this work we also formalize and introduce some new concept, say session-key computational fairness (as a complement to session-key security), to the literature.

Yangguang Tian,Guomin Yang,Yi Mu,Kaitai Liang,Yong Yu

DOI: https://doi.org/10.1007/978-3-319-47422-9_13

2017-01-01

International Journal of Foundations of Computer Science

Abstract:Attribute-based authenticated key exchange (AB-AKE) is a useful primitive that allows a group of users to establish a shared secret key and at the same time enables fine-grained access control. A straightforward approach to design an AB-AKE protocol is to extend a key exchange protocol using attribute-based authentication technique. However, insider security is a challenge security issue for AB-AKE in the multi-party setting and cannot be solved using the straightforward approach. In addition, many existing key exchange protocols for the multi-party setting (e.g., the well-known Burmester-Desmedt protocol) require multiple broadcast rounds to complete the protocol. In this paper, we propose a novel one-round attribute-based key exchange (OAKE) protocol in the multi-party setting. We define the formal security models, including session key security and insider security, for OAKE, and prove the security of the proposed protocol under some standard assumptions in the random oracle model.

Jiang Zhang,Zhenfeng Zhang,Jintai Ding,Michael Snook,Oezguer Dagdelen

DOI: https://doi.org/10.1007/978-3-662-46803-6_24

2015-01-01

Abstract:In this paper, we present a practical and provably secure two-pass AKE protocol from ideal lattices, which is conceptually simple and has similarities to the Diffie-Hellman based protocols such as HMQV (CRYPTO 2005) and OAKE (CCS 2013). Our protocol does not rely on other cryptographic primitives—in particular, it does not use signatures—simplifying the protocol and resting the security solely on the hardness of the ring learning with errors problem. The security is proven in the Bellare-Rogaway model with weak perfect forward secrecy. We also give a one-pass variant of our two-pass protocol, which might be appealing in specific applications. Several concrete choices of parameters are provided, and a proof-of-concept implementation shows that our protocols are indeed practical.

Yuxin Xia,Jie Zhang,Ka Lok Man,Yuji Dong

DOI: https://doi.org/10.1016/j.jnca.2024.104071

IF: 7.574

2024-01-01

Journal of Network and Computer Applications

Abstract:Authenticated Key Exchange (AKE) has been playing a significant role in ensuring communication security. However, in some Multi-access Edge Computing (MEC) scenarios where a moving end-node switchedly connects to a sequence of edge-nodes, it is costly in terms of time and computing resources to repeatedly run AKE protocols between the end-node and each edge-node. Moreover, the cloud needs to be involved to assist the authentication between them, which goes against MEC’s purpose of bringing cloud services from cloud to closer to end-user. To address the above problems, this paper proposes a new type of AKE, named as Handover Authenticated Key Exchange (HAKE). In HAKE, an earlier AKE procedure handovers authentication materials and some parameters to its temporally next AKE procedure, thereby saving resources and reducing the participation of remote cloud. Following the framework of HAKE, we propose a concrete HAKE protocol based on Elliptic Curve Diffie–Hellman (ECDH) key exchange and ratcheted key exchange. Then we verify its security via Burrows-Abadi-Needham (BAN) logic and the Automated Validation of Internet Security Protocols and Applications (AVISPA) tool. Finally, we evaluate and test its performance. The results show that the HAKE protocol achieves security goals and reduces communication and computation costs compared to similar protocols.

Jianjie Zhao,Dawu Gu

DOI: https://doi.org/10.1016/j.jss.2010.07.010

2010-01-01

Abstract:Constructing a secure key exchange protocol is one of the most challenging problems in information security. We propose a provably secure two-round two-party authenticated key exchange (2AKE) protocol based on the well-studied CDH assumption in eCK model to provide the strongest definition of security for key exchange protocol when using the matching session to define the partnership. The underlying hardness assumption (CDH assumption) of our protocol is weaker than these of four other provably secure 2AKE protocols in CK model or eCK model and the computational cost of our protocol is reasonable. We also present a three-round variant of our protocol to realize key conformation.

Xiangyu Liu,Shengli Liu,Shuai Han,Dawu Gu

DOI: https://doi.org/10.1007/978-3-031-31368-4_24

2023-01-01

Abstract:(Asymmetric) Password-based Authenticated Key Exchange ((a)PAKE) protocols allow two parties establish a session key with a pre-shared low-entropy password. In this paper, we show how Encrypted Key Exchange (EKE) compiler [Bellovin and Merritt, S &P 1992] meets tight security in the Universally Composable (UC) framework. We propose a strong 2DH variant of EKE, denoted by 2DH-EKE, and prove its tight security in the UC framework based on the CDH assumption. The efficiency of 2DH-EKE is comparable to the original EKE, with only $$O(\lambda )$$ bits growth in communication ( $$\lambda $$ the security parameter), and two (resp., one) extra exponentiation in computation for client (resp., server). We also develop an asymmetric PAKE scheme 2DH-aEKE from 2DH-EKE. The security reduction loss of 2DH-aEKE is N, the total number of client-server pairs. With a meta-reduction, we formally prove that such a factor N is inevitable in aPAKE. Namely, our 2DH-aEKE meets the optimal security loss. As a byproduct, we further apply our technique to PAKE protocols like SPAKE2 and PPK in the relaxed UC framework, resulting in their 2DH variants with tight security from the CDH assumption.

Shaoquan Jiang,Yeow Meng Chee,San Ling,Huaxiong Wang,Chaoping Xing

DOI: https://doi.org/10.1016/j.ic.2022.104866

IF: 1.24

2022-01-01

Information and Computation

Abstract:A deniable secure key exchange protocol allows two parties to agree on a common secret while achieving two seemingly contradictory functionalities: authentication and deniability. The former requires each party to confirm the identity of the other while the latter requires any attacker (e.g., participant or eavesdropper) be unable to prove to a third party an honest party's participation. Designing an efficient secure key exchange with deniability is a challenging problem. In this paper, we first formalize the deniability model by requiring information theoretic deniability with an eavesdropping attack. The information theoretic deniability has the advantage that it can hold forever without any computational assumption. An eavesdropping attack (Di Raimondo et al., CCS'06) allows an attacker to apply eavesdropped transcripts into an active attack session. This gives an attacker more power to make the victim undeniable as he does not know the randomness of the transcript. We then propose an efficient, provably deniable secure framework of key exchange. Our deniability holds non-adaptively in the eavesdropping model. However, if we consider a model without an eavesdropping attack (which is practical in many scenarios), then our framework is proven adaptively deniable. This is important since no previous key exchange protocols can satisfy our adaptive and information theoretical deniability. We give a concrete realization for our framework that is more efficient than SKEME (Krawczyk, NDSS'96).

Xiangyu Liu,Shengli Liu,Dawu Gu,Jian Weng

2020-01-01

Abstract:We propose a generic construction of 2-pass authenticated key exchange (AKE) scheme with explicit authentication from key encapsulation mechanism (KEM) and signature (SIG) schemes. We improve the security model due to Gjosteen and Jager [Crypto2018] to a stronger one. In the strong model, if a replayed message is accepted by some user, the authentication of AKE is broken. We define a new security notion named “IND-mCPA with adaptive reveals” for KEM. When the underlying KEM has such a security and SIG has unforgeability with adaptive corruptions, our construction of AKE equipped with counters as states is secure in the strong model, and stateless AKE without counter is secure in the traditional model. We also present a KEM possessing tight “IND-mCPA security with adaptive reveals” from the Computation Diffie-Hellman assumption in the random oracle model. When the generic construction of AKE is instantiated with the KEM and the available SIG by Gjosteen and Jager [Crypto2018], we obtain the first practical 2-pass AKE with tight security and explicit authentication. In addition, the integration of the tightly IND-mCCA secure KEM (derived from PKE by Han et al. [Crypto2019]) and the tightly secure SIG by Bader et al. [TCC2015] results in the first tightly secure 2-pass AKE with explicit authentication in the standard model.

Zheng Yang,Shuangqing Li

DOI: https://doi.org/10.1016/j.ipl.2015.08.006

IF: 0.851

2016-01-01

Information Processing Letters

Abstract:In this paper, we revisit the security result of an authenticated key exchange (AKE) scheme proposed in AsiaCCS'14 by Alawatugoda, Stebila and Boyd (which is referred to as ASB scheme). The ASB scheme is proved to be secure in a new bounded (continuous) after-the-fact leakage extended Canetti–Krawczyk (B(C)AFL-eCK) model without random oracles, where the B(C)AFL-eCK is extended from the eCK model. However we disprove their security results. We first show an attack against ASB scheme in the eCK model. This also implies that the insecurity of ASB scheme in the B(C)AFL-eCK model. Secondly we point out that the security of ASB scheme is incorrectly reduced to DDH assumption. A solution is proposed to fix the problem of ASB scheme with minimum changes, which yields a new ASB' scheme. We prove the eCK security of ASB' in the random oracle model under Gap Diffie–Hellman assumption.

NI Liang,CHEN Gong-liang,LI Jian-hua

DOI: https://doi.org/10.6040/j.issn.1671-9352.1.2013.089

2013-01-01

Abstract:Authenticated key agreement(AKA) protocol should capture desirable security properties as many as possible.As a formal method recently proposed to design and analyze tw o-party AKA protocols,the eCK model is currently receiving more and more attention,and the exact security guarantees that can be provided by this model are w orthy of in-depth research.Hence,the relationship betw een the eCK model and the basic desirable security properties for AKA protocols is analyzed in detail.The conclusions indicate that AKA protocols w ith provable security in the eCK model capture most basic desirable security properties.Thereafter,the advantages and disadvantages of the eCK model are also summarized.

Jintai Ding,Saed Alsayigh,Jean Lancrenon,R. Saraswathy,Michael Snook

DOI: https://doi.org/10.1007/978-3-319-52153-4_11

2017-01-01

Abstract:Authenticated Key Exchange (AKE) is a cryptographic scheme with the aim to establish a high-entropy and secret session key over a insecure communications network. Password-Authenticated Key Exchange (PAKE) assumes that the parties in play share a simple password, which is cheap and human-memorable and is used to achieve the authentication. PAKEs are practically relevant as these features are extremely appealing in an age where most people access sensitive personal data remotely from more-and-more pervasive hand-held devices. Theoretically, PAKEs allow the secure computation and authentication of a high-entropy piece of data using a low-entropy string as a starting point. In this paper, we apply the recently proposed technique introduced in [19] to construct two lattice-based PAKE protocols enjoying a very simple and elegant design that is an parallel extension of the class of Random Oracle Model (ROM)-based protocols PAK and PPK [13,41], but in the lattice-based setting. The new protocol resembling PAK is three-pass, and provides mutual explicit authentication, while the protocol following the structure of PPK is two-pass, and provides implicit authentication. Our protocols rely on the Ring-Learning-with-Errors (RLWE) assumption, and exploit the additive structure of the underlying ring. They have a comparable level of efficiency to PAK and PPK, which makes them highly attractive. We present a preliminary implementation of our protocols to demonstrate that they are both efficient and practical. We believe they are suitable quantum safe replacements for PAK and PPK.

Ou Ruan,Yuanyuan Zhang,Mingwu Zhang,Jing Zhou,Lein Harn

DOI: https://doi.org/10.1109/jsyst.2017.2685524

IF: 4.802

2018-01-01

IEEE Systems Journal

Abstract:Authenticated key exchange (AKE) scheme is one of the most widely used cryptographic primitives in practice, even in the Internet-of-Things (IoT) environments. In order to resist side-channel attacks, several works have been proposed for defining leakage-resilient (LR) security models and constructing LR-AKE protocols. However, all these LR-AKE schemes employed the traditional X.509 certificate-based public-key infrastructure authentication framework, where the online transmission and verification of the public-key certificate are the major drawbacks. In this paper, we first propose a general framework for constructing identity-based AKE protocols in the bounded after-the-fact LR extended-Canetti–Krawczyk security model, and show a formal proof in the standard model. Our proposed scheme offers a flexible approach to simplify the certificate management. Moreover, our result could be extended to the bounded-retrieval model, yielding the first LR-AKE protocol in this model.

You Lyu,Shengli Liu,Shuai Han,Dawu Gu

DOI: https://doi.org/10.1007/978-3-031-22969-5_8

2022-01-01

Abstract:Privacy-Preserving Authenticated Key Exchange (PPAKE) provides protection both for the session keys and the identity information of the involved parties. In this paper, we introduce the concept of robustness into PPAKE. Robustness enables each user to confirm whether itself is the target recipient of the first round message in the protocol. With the help of robustness, a PPAKE protocol can successfully avoid the heavy redundant communications and computations caused by the ambiguity of communicants in the existing PPAKE, especially in broadcast channels. We propose a generic construction of robust PPAKE from key encapsulation mechanism (KEM), digital signature (SIG), message authentication code (MAC), pseudo-random generator (PRG) and symmetric encryption (SE). By instantiatingKEM, MAC, PRG from theDDHassumption and SIG from the CDH assumption, we obtain a specific robust PPAKE scheme in the standard model, which enjoys forward security for session keys, explicit authentication and forward privacy for user identities. Thanks to the robustness of our PPAKE, the number of broadcast messages per run and the computational complexity per user are constant, and in particular, independent of the number of users in the system.

Mojahed Mohamed,Xiaofen Wang,Xiaosong Zhang

DOI: https://doi.org/10.1007/978-3-319-28910-6_22

2016-01-01

OALib

Abstract:Design Secure Authenticated Key Exchange (AKE) protocol without NAXOS approach is remaining as an open problem. NAXOS approach [4] is used to hide the ephemeral secret key from an adversary even if the adversary in somehow may obtain the ephemeral secret key. Using NAXOS approach will cause two main drawbacks: (i) leaking of the static secret key which will be utilized in computing the exponent of the ephemeral public key; (ii) maximization of using random oracle when applying to the exponent of the ephemeral public key and session key derivation. In this paper, we present another AKE-secure without NAXOS approach based on decision linear assumption in the random oracle model. We fasten our security using games sequences tool which gives tight security for our protocol.

Wen Yu Kon,Jefferson Chu,Kevin Han Yong Loh,Obada Alia,Omar Amer,Marco Pistoia,Kaushik Chakraborty,Charles Lim

2024-09-25

Abstract:Data privacy and authentication are two main security requirements for remote access and cloud services. While QKD has been explored to address data privacy concerns, oftentimes its use is separate from the client authentication protocol despite implicitly providing authentication. Here, we present a quantum authentication key expansion (QAKE) protocol that (1) integrates both authentication and key expansion within a single protocol, and (2) provides key recycling property -- allowing all authentication keys to be reused. We analyse the security of the protocol in a QAKE framework adapted from a classical authentication key exchange (AKE) framework, providing separate security conditions for authentication and data privacy. An experimental implementation of the protocol, with appropriate post-selection, was performed to demonstrate its feasibility.

Quantum Physics

Xiaoyan Yang,Han Jiang,Qiuliang Xu,Mengbo Hou,Xiaochao Wei,Minghao Zhao,Kim-Kwang Raymond Choo

DOI: https://doi.org/10.1109/trustcom.2016.0124

2016-01-01

Abstract:Anonymous password-based authenticated key exchange (APAKE) protocols are a topic of ongoing research interest. However, the security of existing APAKE protocols is generally provided in the random oracle model, and in these protocols, passwords are stored in cleartext on the server. However, proofs of security in the random oracle model do not necessarily imply security in the real world. Recent high profile incidents also indicate the real risk of a server being compromised and information stored on the server leaked. Verifier-based password-authenticated key exchange (VPAKE) protocols have been identified as a viable solution to overcome such limitations. In this paper, we propose a novel verifier-based anonymous password-authenticated key exchange (VAPAKE) protocol constructed using smooth projective hashing function. The proposed protocol only involves two-round interactions for mutual implicit authentication. We then prove the security of the protocol in the standard model.

Guomin Yang,Duncan S. Wong,Xiaotie Deng

DOI: https://doi.org/10.1007/11496137_23

2005-01-01

Abstract:The Canetti-Krawczyk (CK) model uses resuable modular components to construct indistinguishability-based key exchange protocols. The reusability of modular protocol components makes it easier to construct and prove new protocols when compared with other provably secure approaches. In this paper, we build an efficient anonymous and authenticated key exchange protocol for roaming by using the modular approach under the CK-model. Our protocol requires only four message flows and uses only standard cryptographic primitives. We also propose a one-pass counter based MT-authenticator and show its security under the assumption that there exists a MAC which is secure against chosen message attack.

Christopher Battarbee,Christoph Striecks,Ludovic Perret,Sebastian Ramacher,Kevin Verhaeghe

2024-11-07

Abstract:Authenticated Key Exchange (AKE) between any two entities is one of the most important security protocols available for securing our digital networks and infrastructures. In PQCrypto 2023, Bruckner, Ramacher and Striecks proposed a novel hybrid AKE (HAKE) protocol, dubbed Muckle+, that is particularly useful in large quantum-safe networks consisting of a large number of nodes. Their protocol is hybrid in the sense that it allows key material from conventional and post-quantum primitives, as well as from quantum key distribution, to be incorporated into a single end-to-end shared key. To achieve the desired authentication properties, Muckle+ utilizes post-quantum digital signatures. However, available instantiations of such signatures schemes are not yet efficient enough compared to their post-quantum key-encapsulation mechanism (KEM) counterparts, particularly in large networks with potentially several connections in a short period of time. To mitigate this gap, we propose Muckle# that pushes the efficiency boundaries of currently known HAKE constructions. Muckle# uses post-quantum key-encapsulating mechanisms for implicit authentication inspired by recent works done in the area of Transport Layer Security (TLS) protocols, particularly, in KEMTLS (CCS'20). We port those ideas to the HAKE framework and develop novel proof techniques on the way. Due to our novel KEM-based approach, the resulting protocol has a slightly different message flow compared to prior work that we carefully align with the HAKE framework and which makes our changes to the Muckle+ non-trivial.

Cryptography and Security,Quantum Physics

Andrew C. Yao,Yunlei Zhao

DOI: https://doi.org/10.1007/978-3-642-13708-2_20

2010-01-01

Abstract:In this work, we develop a family of non-malleable and deniable Diffie-Hellman key-exchange (DHKE) protocols, named deniable Internet key-exchange (DIKE). The newly developed DIKE protocols are of conceptual clarity, provide much remarkable privacy protection to protocol participants, and are of highly practical (online) efficiency.For the security of the DIKE protocols, we formulate the notion of tag-based robust non-malleability (TBRNM) for DHKE protocols, which ensures robust non-malleability for DHKE protocols against concurrent man-in-the-middle (CMIM) adversaries and particularly implies concurrent forward deniability for both protocol participants. We show that the TBRNM security and the session-key security (SK-security) in accordance with the Canetti-Krawczyk framework are mutually complementary, thus much desirable to have DHKE protocols that enjoy both of them simultaneously. We prove our DIKE protocol indeed satisfies both (privacy preserving) TBRNM security and SK-security (with post-specified peers). The TBRNM analysis is based on a variant of the knowledge-of-exponent assumption (KEA), called concurrent KEA assumption introduced and clarified in this work, which might be of independent interest.

You Lyu,Shengli Liu

DOI: https://doi.org/10.1007/978-3-031-50594-2_21

2024-01-01

Abstract:In two-message authenticated key exchange (AKE), it is necessary for the initiator to keep a round state after sending the first round-message, because he/she has to derive his/her session key after receiving the second round-message. Up to now almost all two-message AKEs constructed from public-key encryption (PKE) only achieve weak security which does not allow the adversary obtaining the round state. How to support state reveal to obtain a better security called IND-AA security has been an open problem proposed by Hovelmann et al. (PKC 2020). In this paper, we solve the open problem with a generic construction of two-message AKE from any CCA-secure Tagged Key Encapsulation Mechanism (TKEM). Our AKE supports state reveal and achieves IND-AA security. Given the fact that CCA-secure public-key encryption (PKE) implies CCA-secure TKEM, our AKE can be constructed from any CCA-secure PKE with proper message space. The abundant choices for CCA-secure PKE schemes lead to many IND-AA secure AKE schemes in the standard model. Moreover, following the online-extractability technique in recent work by Don et al. (Eurocrypt 2022), we can extend the Fujisaki-Okamoto transformation to transform any CPA-secure PKE into a CCA-secure Tagged KEM in QROM. Therefore, we obtain the first generic construction of IND-AA secure two-message AKE from CPA-secure PKE in QROM. This construction does not need any signature scheme, and this result is especially helpful in the post-quantum world, since the current quantum-secure PKE schemes are much more efficient than their signature counterparts.