## On Formal Models for Secure Key Exchange (1999)

Citations: 76 (2 self)

### BibTeX

@TECHREPORT{Shoup99onformal,
    author = {Victor Shoup},
    title = {On Formal Models for Secure Key Exchange},
    institution = {},
    year = {1999}
}

### Abstract

A new formal security model for session key exchange protocols in the public key setting is proposed, and several efficient protocols are analyzed in this model. The relationship between this new model and previously proposed models is explored, and several interesting, subtle distinctions between static and adaptive adversaries are explored. We also give a brief account of anonymous users.

### Citations

2716 | New directions in cryptography
- Diffie, Hellman
- 1976
Citation Context ...oit in the analysis of higher level protocols. 4 A Diffie-Hellman Based Protocol In this section we describe and analyze a protocol based on the well-known, unauthenticated Diffie-Hellman key exchange [12]. We call our proposed protocol DHKE. We first begin with a description of the protocol, followed by a discussion of the underlying intractability assumption (the Decisional Diffie-Hellman assumption)...

1334 | Random oracles are practical: A paradigm for designing efficient protocols
- Bellare, Rogaway
- 1993
Citation Context ...case of this using ElGamal encryption [15]. It seems unlikely that we can obtain a two pass protocol that is secure against adaptive user instance corruptions, at least without using "random oracles" [5]. We have not fully worked out the proper formulation of random oracles in the context of session key protocols. However, it seems that it should be possible to formulate and prove that if EKE-1 is mo...

833 | A Digital Signature Scheme Secure Against Adaptive Chosen Message Attacks
- Goldwasser, Micali, et al.
- 1988
Citation Context ...discussions about the DDH. 4.3 Security Analysis of DHKE The security property for the signature schemes we require is existential unforgeability against adaptive chosen message attack, as defined in [16]. In the sequel, this is what we mean by a secure signature scheme. Theorem 1 Protocol DHKE is a secure key exchange protocol, assuming DDH, and assuming all the digital signatures schemes employed ar...

465 | Entity authentication and key distribution
- Bellare, Rogaway
- 1994
Citation Context ...led interleaving attacks which can arise when users are running several instances of a protocol in parallel. This work was in the symmetric key cryptography setting. Subsequently, Bellare and Rogaway [4, 6] proposed a formal model of security for authenticated key exchange protocols, again in the symmetric key cryptography setting, where there is an on-line key distribution center. Their model captured ...

461 | A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack
- Cramer, Shoup
- 1998
Citation Context ...ing Theorem to transform random group elements into random bit strings via a universal hash function. See [17, Chapter 8] for an exposition on the Entropy Smoothing Theorem. The reader is referred to [10, 11, 18, 19] for further applications of and discussions about the DDH. 4.3 Security Analysis of DHKE The security property for the signature schemes we require is existential unforgeability against adaptive chos...

450 | Relations among notions of security for public-key encryption schemes
- Bellare, Desai, et al.
- 1998
Citation Context ...e that the encryption scheme is non-malleable, which is equivalent to the notion of security against adaptive chosen ciphertext attack [14]. For more details on this notion of security, see the paper [3]. Theorem 2 Protocol EKE is a secure key exchange protocol, assuming secure signatures, and assuming the encryption scheme is non-malleable. We now prove this theorem. The basic structure of the proof...

450 | Non-Malleable Cryptography
- Dolev, Dwork, et al.
- 2000
Citation Context ... 5.2 Security analysis of EKE To prove security, we need to assume that the encryption scheme is non-malleable, which is equivalent to the notion of security against adaptive chosen ciphertext attack [14]. For more details on this notion of security, see the paper [3]. Theorem 2 Protocol EKE is a secure key exchange protocol, assuming secure signatures, and assuming the encryption scheme is non-mallea...

314 | A Public-Key Cryptosystem and Signature Scheme Based on Discrete Logarithms
- Gamal
- 1985
Citation Context ...n" flow, as in DHKE-3. If we do this, non-malleability is no longer necessary---semantic security is enough. In fact, protocols DHKE-n can be viewed as a special case of this using ElGamal encryption [15]. It seems unlikely that we can obtain a two pass protocol that is secure against adaptive user instance corruptions, at least without using "random oracles" [5]. We have not fully worked out the prop...

264 | Authentication and authenticated key exchanges
- DIFFIE, OORSCHOT, et al.
- 1992
Citation Context ...d it is not clear what implications these definitions have for higher-level protocols that use the session keys. The "station-to-station" protocol was introduced in the classic paper of Diffie, et al [13]. This paper presents an authenticated key exchange protocol based on the basic, unauthenticated Diffie-Hellman key exchange protocol. The authors do a rather informal security analysis, and point out ...

224 | A modular approach to the design and analysis of authentication and key-exchange protocols
- Bellare, Canetti, et al.
- 1998
Citation Context ...ity for authenticated key exchange protocols in a public key setting where the only trusted party is an off-line certification authority. Our work follows up on that of Bellare, Canetti, and Krawczyk [2], which is grounded in the multi-party simulatability tradition (see, e.g., [1]). This approach seems very attractive, because it formulates security in terms of the service a session key protocol sho...

209 | Provably secure session key distribution – the three party case
- Bellare, Rogaway
- 1995
Citation Context ...subtle differences between security against static adversaries and adaptive adversaries, and connections between this security model, and the previously proposed security model of Bellare and Rogaway [6] (see also [8, 9]). We also give a brief account of anonymous users. In many situations, one of the two users in a key exchange protocol may not have a certificate. This can happen, for example, in SS...

196 | The decision Diffie-Hellman problem
- Boneh
- 1998
Citation Context ...ing Theorem to transform random group elements into random bit strings via a universal hash function. See [17, Chapter 8] for an exposition on the Entropy Smoothing Theorem. The reader is referred to [10, 11, 18, 19] for further applications of and discussions about the DDH. 4.3 Security Analysis of DHKE The security property for the signature schemes we require is existential unforgeability against adaptive chos...

149 | Pseudorandomness and Cryptographic Applications
- Luby
- 1996

149 | Number-theoretic constructions of efficient pseudo-random functions
- Naor, Reingold
Citation Context ...ing Theorem to transform random group elements into random bit strings via a universal hash function. See [17, Chapter 8] for an exposition on the Entropy Smoothing Theorem. The reader is referred to [10, 11, 18, 19] for further applications of and discussions about the DDH. 4.3 Security Analysis of DHKE The security property for the signature schemes we require is existential unforgeability against adaptive chos...

136 | agreement protocol and their security analysis
- Blake-Wilson, Johnson, et al.
Citation Context ...nces between security against static adversaries and adaptive adversaries, and connections between this security model, and the previously proposed security model of Bellare and Rogaway [6] (see also [8, 9]). We also give a brief account of anonymous users. In many situations, one of the two users in a key exchange protocol may not have a certificate. This can happen, for example, in SSL and SSH. Typica...

135 | Secure Multi-party Protocols and Zero-Knowledge Proof Systems Tolerating a Faulty Minority
- Beaver
- 1991
Citation Context ...only trusted party is an off-line certification authority. Our work follows up on that of Bellare, Canetti, and Krawczyk [2], which is grounded in the multi-party simulatability tradition (see, e.g., [1]). This approach seems very attractive, because it formulates security in terms of the service a session key protocol should provide to a higher level protocol, rather than getting mired in the detail...

119 | Publicly verifiable secret sharing
- Stadler
- 1996
Citation Context ...istinguishable assuming DDH. Moreover, this property holds regardless of whether we consider one or both of g_1, g_2 random or fixed. This indistinguishability property was first observed by Stadler [19]. 4.2.2 Using the DDH In the sequel, we will need to use a stronger-looking version of the DDH, which in fact is implied by the DDH. First, it follows from the DDH, using a hybrid argument, that the t...

52 | Systematic design of two-party authentication protocols
- Bird, Gopal, et al.
- 1993

5 | Entity authentication and key transport protocols employing asymmetric techniques
- Blake-Wilson, Menezes
- 1998