Results 11 - 17 of 17
Computationally secure two-round authenticated message exchange, 2010
Cited by 2 (2 self)
Abstract. We prove secure a concrete and practical two-round authenticated message exchange protocol which reflects the authentication mechanisms for web services discussed in various standardization documents. The protocol consists of a single client request and a subsequent server response and works under the realistic assumptions that the responding server is long-lived, has bounded memory, and may be reset occasionally. The protocol is generic in the sense that it can be used to implement securely any service based on authenticated message exchange, because request and response can carry arbitrary payloads. Our security analysis is a computational analysis in the Bellare-Rogaway style and thus provides strong guarantees; it is novel from a technical point of view since we extend the Bellare-Rogaway framework by timestamps and payloads with signed parts.
Parallel and Concurrent Security of the
In Proc. Advances in Cryptology (EUROCRYPT 2006) (2006), LNCS, 2005
Cited by 1 (0 self)
Juels and Weis (building on prior work of Hopper and Blum) propose and analyze two shared-key authentication protocols --- HB and HB+ --- whose extremely low computational cost makes them attractive for low-cost devices such as radio-frequency identification (RFID) tags. Security of these protocols is based on the conjectured hardness of the "learning parity with noise" (LPN) problem: the HB protocol is proven secure against a passive (eavesdropping) adversary, while the HB+ protocol is proven secure against active attacks.
An Efficient Identification Protocol and the Knowledge-of-Exponent Assumption
Cited by 1 (1 self)
In this paper, we propose an extremely simple identification protocol and prove its security using the Knowledge-of-Exponent Assumption (KEA). We also discuss the applicability of KEA in various protocol settings as well. Recently, doubts have been raised about applying KEA in some protocols where an adversary has auxiliary inputs. However, we suggest that KEA is applicable in these cases. We present two variants of KEA, Generalized KEA (GKEA) and Auxiliary-Input KEA (AI-KEA), to clarify the proper use of KEA.
Parallel Key Exchange
Cited by 1 (0 self)
Abstract: In the paper we study parallel key exchange among multiple parties. The status of parallel key exchange can be depicted by a key graph. In a key graph, a vertex represents a party and an edge represents a relation of two parties who are to share a key. We first propose a security model for a key graph, which extends the Bellare-Rogaway model for two-party key exchange. Next, we clarify the relations among the various security notions of key exchange. Finally, we construct an efficient key exchange protocol for a key graph using the randomness re-use technique. Our protocol establishes the multiple keys corresponding to all edges of a key graph in a single session. The security of our protocol is proven in the standard model.
Security against Impersonation under Active and Concurrent Attacks, 2003
Abstract. The Guillou-Quisquater (GQ) and Schnorr identification schemes are amongst the most efficient and best-known Fiat-Shamir follow-ons, but the question of whether they can be proven secure against impersonation under active attack has remained open. This paper provides such a proof for GQ based on the assumed security of RSA under one more inversion, an extension of the usual one-wayness assumption that was introduced in [5]. It also provides such a proof for the Schnorr scheme based on a corresponding discrete-log related assumption. These are the first security proofs for these schemes under assumptions related to the underlying one-way functions. Both results extend to establish security against impersonation under concurrent attack.
An Efficient Identification Protocol Secure Against Concurrent-Reset Attacks
In this paper, first we discuss the security model for deterministic challenge-response identification protocols. For such protocols, we are able to simplify the CR2 security model in [2] which captures concurrent attacks and reset attacks. Then we propose an extremely simple identification protocol and prove that its CR2 security is equivalent to the hardness of the Strong Diffie-Hellman problem.
Resettable Public-Key Encryption: How to Encrypt on a Virtual Machine
Abstract. Typical security models used for proving security of deployed cryptographic primitives do not allow adversaries to rewind or reset honest parties to an earlier state. Thus, it is common to see cryptographic protocols rely on the assumption that fresh random numbers can be continually generated. In this paper, we argue that because of the growing popularity of virtual machines and, specifically, their state snapshot and revert features, the security of cryptographic protocols proven under these assumptions is called into question. We focus on public-key encryption security in a setting where resetting is possible and random numbers might be reused. We show that existing schemes and security models are insufficient in this setting. We then provide new formal security models and show that making a simple and efficient modification to any existing PKE scheme gives us security under our new models.