Results 1 - 10
of
31
Identity-based Key Agreement Protocols from Pairings
, 2006
"... In recent years, a large number of identity-based key agreement protocols from pairings have been proposed. Some of them are elegant and practical. However, the security of this type of protocols has been surprisingly hard to prove. The main issue is that a simulator is not able to deal with reve ..."
Abstract
-
Cited by 59 (5 self)
- Add to MetaCart
In recent years, a large number of identity-based key agreement protocols from pairings have been proposed. Some of them are elegant and practical. However, the security of this type of protocols has been surprisingly hard to prove. The main issue is that a simulator is not able to deal with reveal queries, because it requires solving either a computational problem or a decisional problem, both of which are generally believed to be hard (i.e., computationally infeasible). The best solution of security proof published so far uses the gap assumption, which means assuming that the existence of a decisional oracle does not change the hardness of the corresponding computational problem. The disadvantage of using this solution to prove the security for this type of protocols is that such decisional oracles, on which the security proof relies, cannot be performed by any polynomial time algorithm in the real world, because of the hardness of the decisional problem. In this paper we present a method incorporating a built-in decisional function in this type of protocols.
Examining Indistinguishability-Based Proof Models for Key Establishment Protocols (Full version available from http: //eprint.iacr.org/2005/270
, 2005
"... Abstract. We examine various indistinguishability-based proof models for key establishment protocols, namely the Bellare & Rogaway (1993, 1995), the Bellare, Pointcheval, & Rogaway (2000), and the Canetti & Krawczyk (2001) proof models. We then consider several variants of these proof m ..."
Abstract
-
Cited by 57 (10 self)
- Add to MetaCart
(Show Context)
Abstract. We examine various indistinguishability-based proof models for key establishment protocols, namely the Bellare & Rogaway (1993, 1995), the Bellare, Pointcheval, & Rogaway (2000), and the Canetti & Krawczyk (2001) proof models. We then consider several variants of these proof models, identify several subtle differences between these variants and models, and compare the relative strengths of the notions of security between the models. For each of the pair of relations between the models (either an implication or a non-implication), we provide proofs or counter-examples to support the observed relations. We also reveal a drawback with the original formulation of the Bellare, Pointcheval, & Rogaway (2000) model, whereby the Corrupt query is not allowed. 1
Another Look at HMQV
- IACR Eprint archive
, 2005
"... Abstract. The HMQV protocols are ‘hashed variants ’ of the MQV key agreement protocols. They were introduced at CRYPTO 2005 by Krawczyk, who claimed that the HMQV protocols have very significant advantages over their MQV counterparts: (i) security proofs under reasonable assumptions in the (extended ..."
Abstract
-
Cited by 31 (1 self)
- Add to MetaCart
(Show Context)
Abstract. The HMQV protocols are ‘hashed variants ’ of the MQV key agreement protocols. They were introduced at CRYPTO 2005 by Krawczyk, who claimed that the HMQV protocols have very significant advantages over their MQV counterparts: (i) security proofs under reasonable assumptions in the (extended) Canetti-Krawczyk model for key exchange; and (ii) superior performance in some situations. In this paper we demonstrate that the HMQV protocols are insecure by presenting realistic attacks in the Canetti-Krawczyk model that recover a victim’s static private key. We propose HMQV-1, patched versions of the HMQV protocols that resists our attacks (but do not have any performance advantages over MQV). We also identify some fallacies in the security proofs for HMQV, critique the security model, and raise some questions about the assurances that proofs in this model can provide. 1.
Comparing the pre- and post-specified peer models for key agreement
- ACISP 2008. LNCS
, 2008
"... In the pre-specified peer model for key agreement, it is assumed that a party knows the identifier of its intended communicating peer when it commences a protocol run. On the other hand, a party in the post-specified peer model for key agreement does not know the identifier of its communicating pee ..."
Abstract
-
Cited by 20 (3 self)
- Add to MetaCart
In the pre-specified peer model for key agreement, it is assumed that a party knows the identifier of its intended communicating peer when it commences a protocol run. On the other hand, a party in the post-specified peer model for key agreement does not know the identifier of its communicating peer at the outset, but learns the identifier during the protocol run. In this paper we compare the security assurances provided by the Canetti-Krawczyk security definitions for key agreement in the pre- and post-specified peer models. We give examples of protocols that are secure in one model but insecure in the other. We also enhance the Canetti-Krawczyk security models and definitions to encompass a class of protocols that are executable and secure in both the pre- and post-specified peer models.
On the relations between noninteractive key distribution, identity-based encryption and trapdoor discrete log groups. Cryptology ePrint Archive, Report 2007/453
, 2007
"... Abstract. This paper investigates the relationships between identity-based non-interactive key distribution (ID-NIKD) and identity-based encryption (IBE). It provides a new security model for ID-NIKD, and a generic construction that converts a secure ID-NIKD scheme into a secure IBE scheme. This con ..."
Abstract
-
Cited by 18 (2 self)
- Add to MetaCart
(Show Context)
Abstract. This paper investigates the relationships between identity-based non-interactive key distribution (ID-NIKD) and identity-based encryption (IBE). It provides a new security model for ID-NIKD, and a generic construction that converts a secure ID-NIKD scheme into a secure IBE scheme. This conversion is used to explain the relationship between the ID-NIKD scheme of Sakai, Ohgishi and Kasahara and the IBE scheme of Boneh and Franklin. The paper then explores the construction of ID-NIKD and IBE schemes from general trapdoor discrete log groups. Two different concrete instantiations for such groups provide new, provably secure ID-NIKD and IBE schemes. These schemes are suited to applications in which the Trusted Authority is computationally well-resourced, but clients performing encryption/decryption are highly constrained. Keywords: Identity-based encryption; identity-based non-interactive key distribution; trapdoor discrete logs. 1
Deniable Authentication and Key Exchange
- Proceedings of the 13th ACM conference on Computer and communications security. 400–409
, 2006
"... Abstract. We extend the definitional work of Dwork, Naor and Sahai from deniable authentication to deniable key-exchange protocols. We then use these definitions to prove the deniability features of SKEME and SIGMA, two natural and efficient protocols which serve as basis for the Internet Key Exchan ..."
Abstract
-
Cited by 15 (1 self)
- Add to MetaCart
Abstract. We extend the definitional work of Dwork, Naor and Sahai from deniable authentication to deniable key-exchange protocols. We then use these definitions to prove the deniability features of SKEME and SIGMA, two natural and efficient protocols which serve as basis for the Internet Key Exchange (IKE) protocol. The two protocols require distinct approaches to their deniability analysis, hence highlighting important definitional issues as well as necessitating different tools in the analysis. SKEME is an encryption-based protocol for which we prove full deniability based on the plaintext awareness of the underlying encryption scheme. Interestingly SKEME’s deniability is possibly the first “natural ” application which essentially requires plaintext awareness (until now this notion has been mainly used as a tool for proving chosen-ciphertext security); in particular this use of plaintext awareness is not tied to the random oracle model. SIGMA, on the other hand, uses non-repudiable signatures for authentication and hence cannot be proven to be fully deniable. Yet we are able to prove a weaker, but meaningful, “partial deniability ” property: a party may not be able to deny that it was “alive ” at some point in time but can fully deny the contents of its communications and the identity of its interlocutors. We remark that the deniability of SKEME and SIGMA holds in a concurrent setting and does not essentially rely on the random oracle model.
Security of two-party identity-based key agreement
- Vaudenay (Eds.), Progress in Cryptology – Mycrypt 2005, Malaysia, Kuala Lumpur
, 2005
"... This is the author’s version of a work that was submitted/accepted for pub-lication in the following source: ..."
Abstract
-
Cited by 14 (5 self)
- Add to MetaCart
(Show Context)
This is the author’s version of a work that was submitted/accepted for pub-lication in the following source:
Okamoto-Tanaka revisited: fully authenticated Diffie-Hellman with minimal overhead
- In
"... Abstract. The Diffie-Hellman protocol (DHP) is one of the most studied protocols in cryptography. Much work has been dedicated to armor the original protocol against active attacks while incurring a minimal performance overhead relative to the basic (unauthenticated) DHP. This line of work has resul ..."
Abstract
-
Cited by 14 (0 self)
- Add to MetaCart
(Show Context)
Abstract. The Diffie-Hellman protocol (DHP) is one of the most studied protocols in cryptography. Much work has been dedicated to armor the original protocol against active attacks while incurring a minimal performance overhead relative to the basic (unauthenticated) DHP. This line of work has resulted in some remarkable protocols, e.g., MQV, where the protocol’s communication cost is identical to that of the basic DHP and the computation overhead is small. Unfortunately, MQV and similar 2-message “implicitly authenticated ” protocols do not achieve full security against active attacks since they cannot provide forward secrecy (PFS), a major security goal of DHP, against active attackers. In this paper we investigate the question of whether one can push the limits of authenticated DHPs even further, namely, to achieve communication complexity as in the original DHP (two messages with a single group element per message), maintain low computational overhead, and yet achieve full PFS against active attackers in a provable way. We answer this question in the affirmative by resorting to an old and elegant key agreement protocol: the Okamoto-Tanaka protocol [32]. We present a variant of the protocol (denoted mOT) which achieves the above minimal communication, incurs a computational overhead relative to the basic DHP that is practically negligible, and yet achieves full provable key agreement security, including PFS, against active attackers. Moreover, due to the identity-based properties of mOT, even the sending of certificates (typical for authenticated DHPs) can be avoided in the protocol. As additional contributions, we apply our analysis to prove the security of a recent multi-domain extension of the Okamoto-Tanaka protocol by Schridde et al. and show how to adapt mOT to the (non id-based) certificate-based setting.
Non-Interactive Key Exchange ⋆
"... Abstract Non-interactive key exchange (NIKE) is a fundamental but much-overlooked cryptographic primitive. It appears as a major contribution in the ground-breaking paper of Diffie and Hellman, but NIKE has remained largely unstudied since then. In this paper, we provide different security models fo ..."
Abstract
-
Cited by 13 (2 self)
- Add to MetaCart
(Show Context)
Abstract Non-interactive key exchange (NIKE) is a fundamental but much-overlooked cryptographic primitive. It appears as a major contribution in the ground-breaking paper of Diffie and Hellman, but NIKE has remained largely unstudied since then. In this paper, we provide different security models for this primitive and explore the relationships between them. We then give constructions for secure NIKE in the Random Oracle Model based on the hardness of factoring and in the standard model based on the hardness of a variant of the decisional Bilinear Diffie Hellman Problem for asymmetric pairings. We also study the relationship between NIKE and public key encryption (PKE), showing that a secure NIKE scheme can be generically converted into an IND-CCA secure PKE scheme. This conversion also illustrates the fundamental nature of NIKE in public key cryptography.
BECAN: A Bandwidth- Efficient Cooperative Authentication Scheme for Filtering Injected False Data in Wireless Sensor Networks
- 9] X. Li et al., “Side Channel Monitoring: Packet Drop Attack Detection in Wireless Ad Hoc Networks,” Proc
, 2011
"... Abstract—Injecting false data attack is a well known serious threat to wireless sensor network, for which an adversary reports bogus information to sink causing error decision at upper level and energy waste in en-route nodes. In this paper, we propose a novel bandwidth-efficient cooperative authent ..."
Abstract
-
Cited by 10 (3 self)
- Add to MetaCart
Abstract—Injecting false data attack is a well known serious threat to wireless sensor network, for which an adversary reports bogus information to sink causing error decision at upper level and energy waste in en-route nodes. In this paper, we propose a novel bandwidth-efficient cooperative authentication (BECAN) scheme for filtering injected false data. Based on the random graph characteristics of sensor node deployment and the cooperative bit-compressed authentication technique, the proposed BECAN scheme can save energy by early detecting and filtering the majority of injected false data with minor extra overheads at the en-route nodes. In addition, only a very small fraction of injected false data needs to be checked by the sink, which thus largely reduces the burden of the sink. Both theoretical and simulation results are given to demonstrate the effectiveness of the proposed scheme in terms of high filtering probability and energy saving. Index Terms—Wireless sensor network, injecting false data attack, random graph, cooperative bit-compressed authentication. 1
