research-article

OAKE: a new family of implicitly authenticated diffie-hellman protocols

Authors:
Andrew Chi-Chih Yao

Institute for Interdisciplinary Information Sciences,Tsinghua University, Beijing, China

Institute for Interdisciplinary Information Sciences,Tsinghua University, Beijing, China
View Profile

,
Yunlei Zhao

Software School, Fudan University & State Key Laboratory of Information Security, Shanghai, China

Software School, Fudan University & State Key Laboratory of Information Security, Shanghai, China
View Profile

CCS '13: Proceedings of the 2013 ACM SIGSAC conference on Computer & communications securityNovember 2013Pages 1113–1128https://doi.org/10.1145/2508859.2516695

Published:04 November 2013Publication History

CCS '13: Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security

Pages 1113–1128

ABSTRACT

Cryptographic algorithm standards play an important role both to the practice of information security and to cryptography theory research. Among them, the KEA and OPACITY (KEA/OPACITY, in short) protocols, and the MQV and HMQV ((H)MQV, in short) protocols, are a family of implicitly authenticated Diffie-Hellman key-exchange (IA-DHKE) protocols that are among the most efficient authenticated key-exchange protocols known and are widely standardized. In this work, from some new design insights, we develop a new family of practical IA-DHKE protocols, referred to as OAKE (standing for "optimal authenticated key-exchange" in brief). We show that the OAKE protocol family combines, in essence, the advantages of both (H)MQV and KEA/OPACITY, while saving from or alleviating the disadvantages of them both.

References

M. Abdalla, J. H. An, M. Bellare, and C. Namprempre. From identification to signatures via Fiat-Shamir transform: Necessary and sufficient conditions for security and forward-security. IEEE Transactions on Information Theory, 54(8):3631--3646, 2008. Google ScholarDigital Library
M. Abe and S. Fehr. PerfectuppercaseNIZK with adaptive soundness. In TCC, pages 118--136, 2007. Google ScholarDigital Library
W. Aiello, S. M. Bellovin, M. Blaze, R. Canetti, J. Ioannidis, A. D. Keromytis, and O. Reingold. Just fast keying: Key agreement in a hostile internet. ACM Trans. Inf. Syst. Secur., 7(2):242--273, 2004. Google ScholarDigital Library
ANSI. 504--1: Information technology-generic identity command set, part 1: Card application command set.Google Scholar
ANSI. AmericanuppercaseNationaluppercaseStandard,uppercaseX9.42--2001.Google Scholar
B. Barak. How to go beyond the black-box simulation barrier. In FOCS, pages 106--115, 2001. Google ScholarDigital Library
E. Barker, D. Johnson, and M. Smid.uppercaseNIST special publication 800--56\uppercaseA: Recommendation for pair-wise key establishment schemes using discrete logarithm cryptography (revised).uppercaseTechnical report, 2007. Google ScholarDigital Library
M. Bellare, R. Canetti, and H. Krawczyk. Keying hash functions for message authentication. In CRYPTO, pages 1--15, 1996. Google ScholarDigital Library
M. Bellare and A. Palacio. The knowledge-of-exponent assumptions and 3-round zero-knowledge protocols. In CRYPTO, pages 273--289, 2004.Google ScholarCross Ref
M. Bellare and A. Palacio. Towards plaintext-aware public-key encryption without random oracles. In ASIACRYPT, pages 48--62, 2004.Google ScholarCross Ref
M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In ACM Conference on Computer and Communications Security, pages 62--73, 1993. Google ScholarDigital Library
E. Biham and A. Shamir. Differential fault analysis of secret key cryptosystems. In CRYPTO, pages 513--525, 1997. Google ScholarDigital Library
N. Bitansky, R. Canetti, A. Chiesa, and E. Tromer. From extractable collision resistance to succinct non-interactive arguments of knowledge, and back again. In ITCS, pages 326--349, 2012. Google ScholarDigital Library
S. Blake-Wilson, D. Johnson, and A. Menezes. Key agreement protocols and their security analysis. In IMA Int. Conf., pages 30--45, 1997. Google ScholarDigital Library
C. Boyd, Y. Cliff, J. M. G. Nieto, and K. G. Paterson. Efficient one-round key exchange in the standard model. In ACISP, pages 69--83, 2008. Google ScholarDigital Library
C. Boyd, W. Mao, and K. G. Paterson. Deniable authenticated key establishment for internet protocols. In Security Protocols Workshop, pages 255--271, 2003. Google ScholarDigital Library
C. Boyd and A. Mathuria. Protocols for Authentication and Key Establishment. ISBN 3--540--43107--1, Springer-Verlag. Google ScholarDigital Library
Z. Brakerski, Y. T. Kalai, J. Katz, and V. Vaikuntanathan. Overcoming the hole in the bucket: Public-key cryptography resilient to continual memory leakage. In FOCS, pages 501--510, 2010. Google ScholarDigital Library
R. Canetti. Security and composition of cryptographic protocols: a tutorial (part i). SIGACT News, 37(3):67--92, 2006. Google ScholarDigital Library
R. Canetti and R. R. Dakdouk. Extractable perfectly one-way functions. In ICALP (2), pages 449--460, 2008. Google ScholarDigital Library
R. Canetti and R. R. Dakdouk. Towards a theory of extractable functions. In TCC, pages 595--613, 2009. Google ScholarDigital Library
R. Canetti and H. Krawczyk. Analysis of key-exchange protocols and their use for building secure channels. In EUROCRYPT, pages 453--474, 2001. Google ScholarDigital Library
L. Chen and Y. Chen. The n-\uppercaseDiffie-\uppercaseHellman problem and its applications. In ISC, pages 119--134, 2011. Google ScholarDigital Library
L. Chen and C. Kudla. Identity based authenticated key agreement protocols from pairings. In CSFW, pages 219--233, 2003.Google ScholarCross Ref
C. Cremers. Examining indistinguishability-based security models for key exchange protocols: the case ofuppercaseCK,uppercaseCK-HMQV, and e\uppercaseCK. In ASIACCS, pages 80--91, 2011. Google ScholarDigital Library
C. J. F. Cremers. Session-state reveal is stronger than ephemeral key reveal: Attacking theuppercaseNAXOS authenticated key exchange protocol. In ACNS, pages 20--33, 2009. Google ScholarDigital Library
I. Damgård. Towards practical public key systems secure against chosen ciphertext attacks. In CRYPTO, pages 445--456, 1991. Google ScholarDigital Library
I. Damgård, S. Faust, and C. Hazay. Secure two-party computation with low communication. In TCC, pages 54--74, 2012. Google ScholarDigital Library
A. W. Dent. TheuppercaseCramer-\uppercaseShoup encryption scheme is plaintext aware in the standard model. In EUROCRYPT, pages 289--307, 2006. Google ScholarDigital Library
T. Dierks and C. Allen. The TLS Protocol, Version 1.0. Request for Comments: 2246, January 1999. Google ScholarDigital Library
W. Diffie and M. E. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22(6):644--654, 1976. Google ScholarDigital Library
W. Diffie, P. C. van Oorschot, and M. J. Wiener. Authentication and authenticated key exchanges. Des. Codes Cryptography, 2(2):107--125, 1992. Google ScholarDigital Library
V. S. Dimitrov, G. A. Jullien, and W. C. Miller. Complexity and fast algorithms for multiexponentiations. IEEE Trans. Computers, 49(2):141--147, 2000. Google ScholarDigital Library
Y. Dodis, J. Katz, A. Smith, and S. Walfish. Composability and on-line deniability of authentication. In TCC, pages 146--162, 2009. Google ScholarDigital Library
A. Freier, P. Karlton, and P. Kocher. The SSL Protocol, Version 3.0. INTERNET-DRAFT: draft-freier-ssl-version3-02.txt, November 1996.Google Scholar
R. Gennaro, H. Krawczyk, and T. Rabin. Okamoto-\uppercaseTanaka revisited: Fully authenticateduppercaseDiffie-\uppercaseHellman with minimal overhead. In ACNS, pages 309--328, 2010. Google ScholarDigital Library
S. Goldwasser, H. Lin, and A. Rubinstein. Delegation of computation without rejection problem from designated verifieruppercaseCS-proofs. IACR Cryptology ePrint Archive, 2011:456, 2011.Google Scholar
D. M. Gordon. A survey of fast exponentiation methods. J. Algorithms, 27(1):129--146, 1998. Google ScholarDigital Library
J. Groth. Short pairing-based non-interactive zero-knowledge arguments. In ASIACRYPT, pages 321--340, 2010.Google ScholarCross Ref
S. Hada and T. Tanaka. On the existence of 3-round zero-knowledge protocols. In CRYPTO, pages 408--423, 1998. Google ScholarDigital Library
J. A. Halderman, S. D. Schoen, N. Heninger, W. Clarkson, W. Paul, J. A. Calandrino, A. J. Feldman, J. Appelbaum, and E. W. Felten. Lest we remember: cold-boot attacks on encryption keys. Commun. ACM, 52(5):91--98, 2009. Google ScholarDigital Library
S. Halevi and H. Krawczyk. One-passuppercaseHMQV and asymmetric key-wrapping. In Public Key Cryptography, pages 317--334, 2011. Google ScholarDigital Library
D. Harkins and D. Carreal. Internet Key Exchange (IKE). RFC 2049, The Internet Engineering Task Force, November 1998.Google ScholarDigital Library
K. Hickman. The SSL Protocol. Online document: www.netscape.com/eng/security/SSL-2.html, Feburary 1995.Google Scholar
IEEE. 1363--2000: Standard specifications for public key cryptography.Google Scholar
ISO/IEC. 11770--3:2008 information technology - security techniques - key management - part 3: Mechanisms using asymmetric techniques.Google Scholar
ISO/IEC. 24727--6:2010 identification cards - integrated circuit card programming interfaces - part 6: Registration authority procedures for the authentication protocols for interoperability.Google Scholar
B. S. Kaliski. An unknown key-share attack on theuppercaseMQV key agreement protocol. ACM Trans. Inf. Syst. Secur., 4(3):275--288, 2001. Google ScholarDigital Library
C. Kaufman. Internet Key Exchange (IKEv2) Protocol. The Internet Engineering Task Force: INTERNET-DRAFT, October 2002.Google Scholar
H. Krawczyk.uppercaseSIGMA: The 'sign-and-mac' approach to authenticateduppercaseDiffie-\uppercaseHellman and its use in theuppercaseIKE-protocols. In CRYPTO, pages 400--425, 2003.Google Scholar
H. Krawczyk.uppercaseHMQV: A high-performance secureuppercaseDiffie-\uppercaseHellman protocol. In CRYPTO, pages 546--566, 2005. Google ScholarDigital Library
H. Krawczyk, K. G. Paterson, and H. Wee. On the security of theuppercaseTLS protocol: A systematic analysis. IACR Cryptology ePrint Archive, 2013:339, 2013.Google Scholar
C. Kudla and K. G. Paterson. Modular security proofs for key agreement protocols. In ASIACRYPT, pages 549--565, 2005. Google ScholarDigital Library
S. Kunz-Jacques and D. Pointcheval. A new key exchange protocol based onuppercaseMQV assuming public computations. In SCN, pages 186--200, 2006. Google ScholarDigital Library
B. A. LaMacchia, K. Lauter, and A. Mityagin. Stronger security of authenticated key exchange. In ProvSec, pages 1--16, 2007. Google ScholarDigital Library
K. Lauter and A. Mityagin. Security analysis ofuppercaseKEA authenticated key exchange protocol. In Public Key Cryptography, pages 378--394, 2006. Google ScholarDigital Library
A. B. Lewko, Y. Rouselakis, and B. Waters. Achieving leakage resilience through dual system encryption. In TCC, pages 70--88, 2011. Google ScholarDigital Library
T. Matsumoto, Y. Takashima, and H. Imai. On seeking smart public-key distribution systems. Trans. IECE of Japan, E69(2):99--106, 1986.Google Scholar
A. Menezes, M. Qu, and S. Vanstone. Some new key agreement protocols providing mutual implicit authentication. In SAC, pages 70--88, 1995.Google Scholar
A. Menezes and B. Ustaoglu. On the importance of public-key validation in theuppercaseMQV anduppercaseHMQV key agreement protocols. In INDOCRYPT, pages 133--147, 2006. Google ScholarDigital Library
A. Menezes, P. C. van Oorschot, and S. A. Vanstone. Handbook of Applied Cryptography. CRC Press, 1996. Google ScholarDigital Library
T. Mie. Polylogarithmic two-round argument systems. J. Mathematical Cryptology, 2(4):343--363, 2008.Google ScholarCross Ref
NIST. Special publication 800--56 (\uppercaseDRAFT): Recommendation on key establishment schemes,uppercaseDraft 2,uppercaseJanuary 2003.Google Scholar
NIST. S\uppercaseP 800--56 (\uppercaseDRAFT): Special publication 800--56, recommendation for pair-wise key establishment schemes using discrete logarithm cryptography,uppercaseJuly 2005.Google Scholar
NIST.uppercaseSKIPJACK anduppercaseKEA algorithm specifications. http://csrc.nist.org/encryption/skipjack/skipjack.pdf, 1998.Google Scholar
T. Okamoto and D. Pointcheval. The gap-problems: A new class of problems for the security of cryptographic schemes. In Public Key Cryptography, pages 104--118, 2001. Google ScholarCross Ref
D. Pointcheval and J. Stern. Security arguments for digital signatures and blind signatures. J. Cryptology, 13(3):361--396, 2000.Google ScholarDigital Library
M. D. Raimondo and R. Gennaro. New approaches for deniable authentication. In ACM Conference on Computer and Communications Security, pages 112--121, 2005. Google ScholarDigital Library
M. D. Raimondo, R. Gennaro, and H. Krawczyk. Deniable authentication and key exchange. In ACM Conference on Computer and Communications Security, pages 400--409, 2006. Google ScholarDigital Library
E. Saint, D. Fedronic, and S. Liu. Open Protocol for Access Control Identification and Ticketing with Privacy. Smart Card Alliance, July 2011. http://www.smartcardalliance.org/resources/pdf/\\ OPACITY\_Protocol\_3.7.pdf.Google Scholar
J. Stasak. NSAs Elliptic Curve Licensing Agreement. The IETF's Security Area Advisory Group, 2004.Google Scholar
A. C.-C. Yao and Y. Zhao. Deniable internet key exchange. In ACNS, pages 329--348, 2010. Google ScholarDigital Library
A. C.-C. Yao and Y. Zhao. A new family of practical non-malleable protocols. IACR Cryptology ePrint Archive, 2011:35, 2011.Google Scholar

Index Terms

OAKE: a new family of implicitly authenticated diffie-hellman protocols
1. General and reference
  1. Document types
    1. Computing standards, RFCs and guidelines
2. Security and privacy
  1. Cryptography
    1. Public key (asymmetric) techniques

Recommendations

A communication-efficient three-party password authenticated key exchange protocol

Three-party password authenticated key exchange (3PAKE) protocols allow two users (clients) to establish a session key through an authentication server over an insecure channel. Clients only share an easy-to-remember password with the trusted server. In ...
Read More
An Efficient Two-Party Identity-Based Key Exchange Protocol

A key exchange (or agreement) protocol is designed to allow two entities establishing a session key to encrypt the communication data over an open network. In 1990, Gunther proposed an identity-based key exchange protocol based on the difficulty of ...
Read More
Security weaknesses of authenticated key agreement protocols

In this paper, we analyze the protocols of Tan, Lim et al., Chen et al. and five protocols of Holbl et al. After the analysis, we found that Tan et al.@?s, Lim et al.@?s and two protocols of Holbl et al. are insecure against the impersonation attack and ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in
CCS '13: Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
November 2013
1530 pages
ISBN:9781450324779
DOI:10.1145/2508859
General Chair:
Ahmad-Reza Sadeghi
TU Darmstadt, CASED, Intel ICRI-SC, Germany
,
Program Chairs:
Virgil Gligor
Carnegie Mellon University, USA
,
Moti Yung
Columbia University, USA
Copyright © 2013 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 4 November 2013
Permissions
Request permissions about this article.
Request Permissions

Check for updates
Author Tags
authentication
key exchange
standards
Qualifiers
- research-article
Conference

Acceptance Rates
CCS '13 Paper Acceptance Rate105of530submissions,20%Overall Acceptance Rate1,261of6,999submissions,18%
More
Upcoming Conference
CCS '24

Sponsor:

sigsac

ACM SIGSAC Conference on Computer and Communications Security

October 14 - 18, 2024

Salt Lake City , UT , USA
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 32
  Total Citations
  View Citations
- 767
  Total Downloads
- Downloads (Last 12 months)13
- Downloads (Last 6 weeks)0
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

OAKE: a new family of implicitly authenticated diffie-hellman protocols

CCS '13: Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security

ABSTRACT

References

Cited By

Index Terms

Recommendations

A communication-efficient three-party password authenticated key exchange protocol

An Efficient Two-Party Identity-Based Key Exchange Protocol

Security weaknesses of authenticated key agreement protocols