Atsushi Fujioka

Strongly Secure Authenticated Key Exchange without NAXOS' Approach

LaMacchia, Lauter and Mityagin [15] proposed the extended Canetti-Krawczyk (eCK) model and an AKE protocol, called NAXOS. Unlike previous security models, the adversary in the eCK model is allowed to obtain ephemeral secret information related to the test session, which makes the security proof difficult. To overcome this NAXOS combines an ephemeral private key x with a static private key a to generate an ephemeral public key X ; more precisely X = g H (x ,a ). As a result, no one is able to query the discrete logarithm of X without knowing both the ephemeral and static private keys. In other words, the discrete logarithm of an ephemeral public key, which is typically the ephemeral secret, is hidden via an additional random oracle. n nIn this paper, we show that it is possible to construct eCK-secure protocol without the NAXOS approach by proposing two eCK-secure protocols. One is secure under the GDH assumption and the other under the CDH assumption; their efficiency and security assurances are comparable to the well-known HMQV [12] protocol. Furthermore, they are at least as secure as protocols that use the NAXOS approach but unlike them and HMQV, the use of the random oracle is minimized and restricted to the key derivation function.

Designing efficient authenticated key exchange resilient to leakage of ephemeral secret keys

We investigate a sufficient condition for constructing authenticated key exchange (AKE) protocols which satisfy security in the extended Canetti-Krawczyk (eCK) model proposed by LaMacchia, Lauter and Mityagin. To the best of our knowledge, this is the first approach for providing secure protocols based on the condition. With this condition, we propose a construction of two-pass AKE protocols, and the resulting two-pass AKE protocols are constructed with a single static key and a single ephemeral. In addition, the security proof does not require the Forking Lemma, which degrades the security of a protocol relative to the security of the underlying problem where it is used in the security proof. Therefore, these imply that the protocols constructed with the condition have an advantage in efficiency such as sizes of storage and communication data. The security of the resulting protocols is proved under the gap Diffie-Hellman assumption in the random oracle model.

Practical and post-quantum authenticated key exchange from one-way secure key encapsulation mechanism

This paper discusses how to realize practical post-quantum authenticated key exchange (AKE) with strong security, i.e., CK+ security (Krawczyk, CRYPTO 2005). It is known that strongly secure post-quantum AKE protocols exist on a generic construction from IND-CCA secure key encapsulation mechanisms (KEMs) in the standard model.n However, when it is instantiated with existing IND-CCA secure post-quantum KEMs, resultant AKE protocols are far from practical in communication complexity. We propose a generic construction of AKE protocols from OW-CCA secure KEMs and prove CK+ security of the protocols in the random oracle model. We exploit the random oracle and instantiate AKE protocols from various assumptions; DDH, gap DH, CDH, factoring, RSA, DCR, (ring-)LWE, McEliece one-way, NTRU one-way, subset sum, multi-variate quadratic systems, and more. For example, communication costs of our lattice-based scheme is approximately 14 times lower than the previous instantiation (for 128-bit security). Also, in the case of code-based scheme, it is approximately 25 times lower.

Strongly secure authenticated key exchange from factoring, codes, and lattices

An unresolved problem in research on authenticated key exchange (AKE) in the public-key setting is to construct a secure protocol against advanced attacks such as key compromise impersonation and maximal exposure attacks without relying on random oracles. HMQV, a state of the art AKE protocol, achieves both efficiency and the strong security proposed by Krawczyk (we call it the

Ephemeral key leakage resilient and efficient ID-AKEs that can share identities, private and master keys

{mathrm {CK}}^+

Predicate-based authenticated key exchange resilient to ephemeral key leakage

CK+ model), which includes resistance to advanced attacks. However, the security proof is given under the random oracle model. We propose a generic construction of AKE from a key encapsulation mechanism (KEM). The construction is based on a chosen-ciphertext secure KEM, and the resultant AKE protocol is

Sufficient condition for identity-based authenticated key exchange resilient to leakage of secret keys

{mathrm {CK}}^+