Comparing SessionStateReveal and EphemeralKeyReveal for Diffie-Hellman Protocols

Authors:
Berkant Ustaoglu
Affiliations:
NTT Information Sharing Platform Laboratories,
Venue:
ProvSec '09 Proceedings of the 3rd International Conference on Provable Security
Year:
2009

Citing 19
Cited 16

Random oracles are practical: a paradigm for designing efficient protocols

CCS '93 Proceedings of the 1st ACM conference on Computer and communications security
Entity authentication and key distribution

CRYPTO '93 Proceedings of the 13th annual international cryptology conference on Advances in cryptology
Batch exponentiation: a fast DLP-based signature generation strategy

CCS '96 Proceedings of the 3rd ACM conference on Computer and communications security
Handbook of Applied Cryptography

Handbook of Applied Cryptography
An Efficient Protocol for Authenticated Key Agreement

Designs, Codes and Cryptography
Analysis of Key-Exchange Protocols and Their Use for Building Secure Channels

EUROCRYPT '01 Proceedings of the International Conference on the Theory and Application of Cryptographic Techniques: Advances in Cryptology
Key Agreement Protocols and Their Security Analysis

Proceedings of the 6th IMA International Conference on Cryptography and Coding
The Gap-Problems: A New Class of Problems for the Security of Cryptographic Schemes

PKC '01 Proceedings of the 4th International Workshop on Practice and Theory in Public Key Cryptography: Public Key Cryptography
Obtaining a secure and efficient key agreement protocol from (H)MQV and NAXOS

Designs, Codes and Cryptography
Security arguments for the UM key agreement protocol in the NIST SP 800-56A standard

Proceedings of the 2008 ACM symposium on Information, computer and communications security
Comparing the Pre- and Post-specified Peer Models for Key Agreement

ACISP '08 Proceedings of the 13th Australasian conference on Information Security and Privacy
Efficient One-Round Key Exchange in the Standard Model

ACISP '08 Proceedings of the 13th Australasian conference on Information Security and Privacy
Session-state Reveal Is Stronger Than Ephemeral Key Reveal: Attacking the NAXOS Authenticated Key Exchange Protocol

ACNS '09 Proceedings of the 7th International Conference on Applied Cryptography and Network Security
Comparing SessionStateReveal and EphemeralKeyReveal for Diffie-Hellman Protocols

ProvSec '09 Proceedings of the 3rd International Conference on Provable Security
Stronger security of authenticated key exchange

ProvSec'07 Proceedings of the 1st international conference on Provable security
Authenticated key exchange and key encapsulation in the standard model

ASIACRYPT'07 Proceedings of the Advances in Crypotology 13th international conference on Theory and application of cryptology and information security
The twin Diffie-Hellman problem and applications

EUROCRYPT'08 Proceedings of the theory and applications of cryptographic techniques 27th annual international conference on Advances in cryptology
HMQV: a high-performance secure diffie-hellman protocol

CRYPTO'05 Proceedings of the 25th annual international conference on Advances in Cryptology
Security analysis of KEA authenticated key exchange protocol

PKC'06 Proceedings of the 9th international conference on Theory and Practice of Public-Key Cryptography

Comparing SessionStateReveal and EphemeralKeyReveal for Diffie-Hellman Protocols

ProvSec '09 Proceedings of the 3rd International Conference on Provable Security
Modeling leakage of ephemeral secrets in tripartite/group key exchange

ICISC'09 Proceedings of the 12th international conference on Information security and cryptology
A new security model for authenticated key agreement

SCN'10 Proceedings of the 7th international conference on Security and cryptography for networks
Session-StateReveal is stronger than eCKs EphemeralKeyReveal: using automatic analysis to attack the NAXOS protocol

International Journal of Applied Cryptography
Security enhancement and modular treatment towards authenticated key exchange

ICICS'10 Proceedings of the 12th international conference on Information and communications security
Ephemeral key leakage resilient and efficient ID-AKEs that can share identities, private and master keys

Pairing'10 Proceedings of the 4th international conference on Pairing-based cryptography
Designing efficient authenticated key exchange resilient to leakage of ephemeral secret keys

CT-RSA'11 Proceedings of the 11th international conference on Topics in cryptology: CT-RSA 2011
Leakage resilient eCK-secure key exchange protocol without random oracles

Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security
Analysis and improvement of an authenticated key exchange protocol

ISPEC'11 Proceedings of the 7th international conference on Information security practice and experience
Taxonomical security consideration of authenticated key exchange resilient to intermediate computation leakage

ProvSec'11 Proceedings of the 5th international conference on Provable security
TMQV: a strongly eCK-secure Diffie-Hellman protocol without gap assumption

ProvSec'11 Proceedings of the 5th international conference on Provable security
Characterization of strongly secure authenticated key exchanges without NAXOS technique

IWSEC'11 Proceedings of the 6th International conference on Advances in information and computer security
On forward secrecy in one-round key exchange

IMACC'11 Proceedings of the 13th IMA international conference on Cryptography and Coding
Sufficient condition for ephemeral key-leakage resilient tripartite key exchange

ACISP'12 Proceedings of the 17th Australasian conference on Information Security and Privacy
Strongly authenticated key exchange protocol from bilinear groups without random oracles

ProvSec'12 Proceedings of the 6th international conference on Provable Security
Exposure-resilient one-round tripartite key exchange without random oracles

ACNS'13 Proceedings of the 11th international conference on Applied Cryptography and Network Security

Quantified Score

Hi-index	0.00

Visualization

Abstract

Both the "eCK" model, by LaMacchia, Lauter and Mityagin, and the "CK01" model, by Canetti and Krawczyk, address the effect of leaking session specific ephemeral data on the security of key establishment schemes. The CK01-adversary is given a SessionStateReveal query to learn session-specific private data defined by the protocol specification, whereas the eCK-adversary is equipped with an EphemeralKeyReveal query to access all ephemeral private input required to carry session computations. SessionStateReveal cannot be issued against the test session; by contrast EphemeralKeyReveal can be used against the test session under certain conditions. On the other hand, it is not obvious how EphemeralKeyReveal compares to SessionStateReveal . Thus it is natural to ask which model is more useful and practically relevant. While formally the models are not comparable, we show that recent analyses utilizing SessionStateReveal and EphemeralKeyReveal have a similar approach to ephemeral data leakage. First we pinpoint the features that determine the approach. Then by examining common motives for ephemeral data leakage we conclude that the approach is meaningful, but does not take into account timing, which turns out to be critical for security. Lastly, for Diffie-Hellman protocols we argue that it is important to consider security when discrete logarithm values of the outgoing ephemeral public keys are leaked and offer a method to achieve security even if these values are exposed.