A generic variant of NIST's KAS2 key agreement protocol

Authors:
Sanjit Chatterjee;Alfred Menezes;Berkant Ustaoglu
Affiliations:
Indian Institute of Science, India;University of Waterloo, Canada;Sabanci University, Turkey
Venue:
ACISP'11 Proceedings of the 16th Australasian conference on Information security and privacy
Year:
2011

Citing 9
Cited 1

Analysis of Key-Exchange Protocols and Their Use for Building Secure Channels

EUROCRYPT '01 Proceedings of the International Conference on the Theory and Application of Cryptographic Techniques: Advances in Cryptology
Authenticated Multi-Party Key Agreement

ASIACRYPT '96 Proceedings of the International Conference on the Theory and Applications of Cryptology and Information Security: Advances in Cryptology
The Gap-Problems: A New Class of Problems for the Security of Cryptographic Schemes

PKC '01 Proceedings of the 4th International Workshop on Practice and Theory in Public Key Cryptography: Public Key Cryptography
Efficient One-Round Key Exchange in the Standard Model

ACISP '08 Proceedings of the 13th Australasian conference on Information Security and Privacy
One-round key exchange in the standard model

International Journal of Applied Cryptography
Reusing Static Keys in Key Agreement Protocols

INDOCRYPT '09 Proceedings of the 10th International Conference on Cryptology in India: Progress in Cryptology
Stronger security of authenticated key exchange

ProvSec'07 Proceedings of the 1st international conference on Provable security
About the security of MTI/C0 and MQV

SCN'06 Proceedings of the 5th international conference on Security and Cryptography for Networks
Security analysis of KEA authenticated key exchange protocol

PKC'06 Proceedings of the 9th international conference on Theory and Practice of Public-Key Cryptography

Authenticated key exchange with entities from different settings and varied groups

ProvSec'12 Proceedings of the 6th international conference on Provable Security

Quantified Score

Hi-index	0.00

Visualization

Abstract

We propose a generic three-pass key agreement protocol that is based on a certain kind of trapdoor one-way function family. When specialized to the RSA setting, the generic protocol yields the so-called KAS2 scheme that has recently been standardized by NIST. On the other hand, when specialized to the discrete log setting, we obtain a new protocol which we call DH2. An interesting feature of DH2 is that parties can use different groups (e.g., different elliptic curves). The generic protocol also has a hybrid implementation, where one party has an RSA key pair and the other party has a discrete log key pair. The security of KAS2 and DH2 is analyzed in an appropriate modification of the extended Canetti-Krawczyk security model.