
One-round Protocols for Two-Party Authenticated Key Exchange (2008)

by I R Jeong, J Katz, D H Lee
Results 1 - 10 of 18

HMQV: A High-Performance Secure Diffie-Hellman Protocol

by Hugo Krawczyk - Protocol, Advances in Cryptology — CRYPTO ’05, LNCS 3621, 2005
Cited by 75 (1 self)
The MQV protocol of Law, Menezes, Qu, Solinas and Vanstone is possibly the most efficient of all known authenticated Diffie-Hellman protocols that use public-key authentication. In addition to great performance, the protocol has been designed to achieve a remarkable list of security properties. As a result MQV has been widely standardized, and has recently been chosen by the NSA as the key exchange mechanism underlying "the next generation cryptography to protect US government information".

Stronger Security of Authenticated Key Exchange

by Brian LaMacchia, Kristin Lauter, Anton Mityagin, 2006
Cited by 38 (0 self)
In this paper we study security definitions for authenticated key exchange (AKE) protocols.

Security analysis of KEA authenticated key exchange protocol

by Kristin Lauter, Anton Mityagin - In PKC 2006, volume 3958 of LNCS, 2006
Cited by 15 (1 self)
KEA is a Diffie-Hellman based key-exchange protocol developed by NSA which provides mutual authentication for the parties. It became publicly available in 1998 and since then it was neither attacked nor proved to be secure. We analyze the security of KEA and find that the original protocol is susceptible to a class of attacks. On the positive side, we present a simple modification of the protocol which makes KEA secure. We prove that the modified protocol, called KEA+, satisfies the strongest security requirements for authenticated key-exchange and that it retains some security even if a secret key of a party is leaked. Our security proof is in the random oracle model and uses the Gap Diffie-Hellman assumption. Finally, we show how to add a key confirmation feature to KEA+ (we call the version with key confirmation KEA+C) and discuss the security properties of KEA+C.

About the Security of MTI/C0 and MQV

by Sébastien Kunz-Jacques, David Pointcheval - In Proc. of SCN 2006. LNCS, 2006
Cited by 5 (0 self)
The main application of cryptography is the establishment of secure channels. The most classical way to achieve this goal is definitely the use of variants of the signed Diffie-Hellman protocol. It applies a signature algorithm on the flows of the basic Diffie-Hellman key exchange, in order to achieve authentication. However, signature-less authenticated key exchange have numerous advantages, and namely from the efficiency point of view. They are thus well-suited for some constrained environments. On the other hand, this efficiency comes at the cost of some uncertainty about the actual security. This paper focuses on the two most famous signature-less authenticated key exchange protocols, MTI/C0 and MQV. While the formal security of MTI/C0 has never been studied, results for the plain MQV protocol are still debated. We point out algorithmic assumptions on which some security proofs can be built in the random oracle model. The stress is put on implementation aspects that must be properly dealt with in order to obtain the expected security. Some formalizations about authenticated key exchange, and the generic model, are of independent interest. Key words: Key Exchange, MTI, MQV, Diffie-Hellman, Security Proof.

On Session Key Construction in Provably-Secure Key Establishment Protocols

by Kim-Kwang Raymond Choo, Colin Boyd, Yvonne Hitchcock - In Proceedings of Mycrypt 2005, LNCS 3715, 2005
Cited by 4 (0 self)
We examine the role of session key construction in provably-secure key establishment protocols. We revisit an ID-based key establishment protocol due to Chen & Kudla (2003) and an ID-based protocol 2P-IDAKA due to McCullagh & Barreto (2005). Both protocols carry proofs of security in a weaker variant of the Bellare & Rogaway (1993) model where the adversary is not allowed to make any Reveal query.

On the Resilience of Key Agreement Protocols to Key Compromise Impersonation

by Maurizio Adriano Strangio - EUROPKI06, LNCS, 2006
Cited by 4 (1 self)
Key agreement protocols are a fundamental building block for ensuring authenticated and private communications between two parties over an insecure network. This paper focuses on key agreement protocols in the asymmetric authentication model, wherein parties hold a public/private key pair. In particular, we consider a type of known key attack called key compromise impersonation that may occur once the adversary has obtained the private key of an honest party. This attack

Security Requirements for Key Establishment Proof Models: Revisiting Bellare–Rogaway and Jeong–Katz–Lee Protocols

by Kim-Kwang Raymond Choo, Yvonne Hitchcock - Proc. ACISP 2005, 2005
Cited by 4 (3 self)
We observe that the definitions of security in the computational complexity proof models of Bellare & Rogaway (1993) and Canetti & Krawczyk (2001) require two partners in the presence of a malicious adversary to accept the same session key, which we term a key sharing requirement. We then revisit the Bellare–Rogaway three-party key distribution (3PKD) protocol and the Jeong–Katz–Lee two-party authenticated key exchange protocol TS2, which carry claimed proofs of security in the Canetti & Krawczyk (2001) model and the Bellare & Rogaway (1993) model respectively. We reveal previously unpublished flaws in these protocols where we demonstrate that both protocols fail to satisfy the definition of security in the respective models. We present a new 3PKD protocol as an improvement with a proof of security in the Canetti & Krawczyk (2001) model and a simple fix to the specification of protocol TS2. We also identify several variants of the key sharing requirement and present a brief discussion.

Security arguments for the UM key agreement protocol

by Alfred Menezes - in the NIST SP
Cited by 3 (2 self)
The Unified Model (UM) key agreement protocol is an efficient Diffie-Hellman scheme that has been included in many cryptographic standards, most recently in the NIST SP 800-56A standard. The UM protocol is believed to possess all important security attributes including key authentication and secrecy, resistance to unknown key-share attacks, forward secrecy, resistance to known-session key attacks, and resistance to leakage of ephemeral private keys, but is known to succumb to key-compromise impersonation attacks. In this paper we present a strengthening of the Canetti-Krawczyk security definition for key agreement that captures resistance to all important attacks that have been identified in the literature with the exception of key-compromise impersonation attacks. We then present a reductionist security proof that the UM protocol satisfies this new definition in the random oracle model under the Gap Diffie-Hellman assumption.

An Efficient Authenticated Key Exchange Protocol with a Tight Security Reduction

by Jooyoung Lee, Choon Sik Park, 2008
Cited by 3 (1 self)
In this paper, we present a new authenticated key exchange (AKE) protocol, called NETS, and prove its security in the extended Canetti-Krawczyk model under the random oracle assumption and the gap Diffie-Hellman (GDH) assumption. Our protocol enjoys a simple and tight security reduction compared to those of HMQV and CMQV without using the Forking Lemma. Each session of the NETS protocol requires only three exponentiations per party, which is comparable to the efficiency of MQV, HMQV and CMQV.

One-Round Password-Based Authenticated Key Exchange

by Jonathan Katz, Vinod Vaikuntanathan
Cited by 2 (0 self)
We show a general framework for constructing password-based authenticated key exchange protocols with optimal round complexity — one message per party, sent simultaneously — in the standard model, assuming the existence of a common reference string. When our framework is instantiated using bilinear-map cryptosystems, the resulting protocol is also (reasonably) efficient. Somewhat surprisingly, our framework can be adapted to give protocols (still in the standard model) that are universally composable while still using only one (simultaneous) round.