
Quantum Key Distribution in the Classical Authenticated Key Exchange Framework [article]

Michele Mosca and Douglas Stebila and Berkant Ustaoglu
2012 arXiv   pre-print
Key establishment is a crucial primitive for building secure channels: in a multi-party setting, it allows two parties using only public authenticated communication to establish a secret session key which can be used to encrypt messages. But if the session key is compromised, the confidentiality of encrypted messages is typically compromised as well. Without quantum mechanics, key establishment can only be done under the assumption that some computational problem is hard. Since digital communication can be easily eavesdropped and recorded, it is important to consider the secrecy of information anticipating future algorithmic and computational discoveries which could break the secrecy of past keys, violating the secrecy of the confidential channel. Quantum key distribution (QKD) can be used to generate secret keys that are secure against any future algorithmic or computational improvements. QKD protocols still require authentication of classical communication, however, which is most easily achieved using computationally secure digital signature schemes. It is generally considered folklore that QKD when used with computationally secure authentication is still secure against an unbounded adversary, provided the adversary did not break the authentication during the run of the protocol. We describe a security model for quantum key distribution based on traditional classical authenticated key exchange (AKE) security models. Using our model, we characterize the long-term security of the BB84 QKD protocol with computationally secure authentication against an eventually unbounded adversary. By basing our model on traditional AKE models, we can more readily compare the relative merits of various forms of QKD and existing classical AKE protocols. This comparison illustrates in which types of adversarial environments different quantum and classical key agreement protocols can be secure.
arXiv:1206.6150v1 fatcat:vrjks6glnvdrxjqmaiiptkvhoe

Comparing SessionStateReveal and EphemeralKeyReveal for Diffie-Hellman Protocols [chapter]

Berkant Ustaoglu
2009 Lecture Notes in Computer Science  
The security is carried using the Menezes and Ustaoglu [19] model, which takes into account our observation in relation to timing. ...
doi:10.1007/978-3-642-04642-1_16 fatcat:o5fadgsmezbm5ehtdaofpwmnx4

Reusing Static Keys in Key Agreement Protocols [chapter]

Sanjit Chatterjee, Alfred Menezes, Berkant Ustaoglu
2009 Lecture Notes in Computer Science  
Ustaoglu, "Comparing the pre- and post-specified peer models for key agreement", Information Security and Privacy - ACISP 2008, Lecture Notes in Computer Science, 5107 (2008), 53-68. [20] NIST, SKIPJACK ...
doi:10.1007/978-3-642-10628-6_3 fatcat:5won3rndsbd3toy2maahtgzkqm

Towards Denial-of-Service-Resilient Key Agreement Protocols [chapter]

Douglas Stebila, Berkant Ustaoglu
2009 Lecture Notes in Computer Science  
Denial of service resilience is an important practical consideration for key agreement protocols in any hostile environment such as the Internet. There are well-known models that consider the security of key agreement protocols, but denial of service resilience is not considered as part of these models. Many protocols have been argued to be denial-of-service-resilient, only to be subsequently broken or shown ineffective. In this work we propose a formal definition of denial of service resilience, a model for secure authenticated key agreement, and show how security and denial of service resilience can be considered in a common framework, with a particular focus on client puzzles. The model accommodates a variety of techniques for achieving denial of service resilience, and we describe one such technique by exhibiting a denial-of-service-resilient secure authenticated key agreement protocol. Our approach addresses the correct integration of denial of service countermeasures with the key agreement protocol to prevent hijacking attacks that would otherwise render the countermeasures irrelevant.
doi:10.1007/978-3-642-02620-1_27 fatcat:y3g3lnqvnvd43jbg6fecz5snj4

Invalid-curve attacks on (hyper)elliptic curve cryptosystems

Berkant Ustaoglu, Koray Karabina
2010 Advances in Mathematics of Communications  
We extend the notion of an invalid-curve attack from elliptic curves to genus 2 hyperelliptic curves. We also show that invalid singular (hyper)elliptic curves can be used in mounting invalid-curve attacks on (hyper)elliptic curve cryptosystems, and make quantitative estimates of the practicality of these attacks. We thereby show that proper key validation is necessary even in cryptosystems based on hyperelliptic curves. As a byproduct, we enumerate the isomorphism classes of genus g hyperelliptic curves over a finite field by a new counting argument that is simpler than the previous methods. 2000 Mathematics Subject Classification: 94A60.
doi:10.3934/amc.2010.4.307 fatcat:raf62pwtkvgunbkd7wf2jgfae4

Strongly Secure Authenticated Key Exchange without NAXOS' Approach [chapter]

Minkyu Kim, Atsushi Fujioka, Berkant Ustaoğlu
2009 Lecture Notes in Computer Science  
LaMacchia, Lauter and Mityagin [15] proposed the extended Canetti-Krawczyk (eCK) model and an AKE protocol, called NAXOS. Unlike previous security models, the adversary in the eCK model is allowed to obtain ephemeral secret information related to the test session, which makes the security proof difficult. To overcome this, NAXOS combines an ephemeral private key x with a static private key a to generate an ephemeral public key X; more precisely X = g^{H(x,a)}. As a result, no one is able to query the discrete logarithm of X without knowing both the ephemeral and static private keys. In other words, the discrete logarithm of an ephemeral public key, which is typically the ephemeral secret, is hidden via an additional random oracle. In this paper, we show that it is possible to construct an eCK-secure protocol without the NAXOS' approach by proposing two eCK-secure protocols. One is secure under the GDH assumption and the other under the CDH assumption; their efficiency and security assurances are comparable to the well-known HMQV [12] protocol. Furthermore, they are at least as secure as protocols that use the NAXOS' approach but unlike them and HMQV, the use of the random oracle is minimized and restricted to the key derivation function.
doi:10.1007/978-3-642-04846-3_12 fatcat:5avzaqy3drfhznblqmaix2kkoa

Anonymity and one-way authentication in key exchange protocols

Ian Goldberg, Douglas Stebila, Berkant Ustaoglu
2012 Designs, Codes and Cryptography  
The Canetti-Krawczyk post-specified peer model [CK02] and Menezes-Ustaoglu model [MU09] encompass key exchange protocols in which the identity of the peer may not be available at the onset of the protocol ...
doi:10.1007/s10623-011-9604-z fatcat:tgxqgbvrszedpj2rxfkizlf2di

A Generic Variant of NIST's KAS2 Key Agreement Protocol [chapter]

Sanjit Chatterjee, Alfred Menezes, Berkant Ustaoglu
2011 Lecture Notes in Computer Science  
We propose a generic three-pass key agreement protocol that is based on a certain kind of trapdoor one-way function family. When specialized to the RSA setting the generic protocol yields the so-called KAS2 scheme that has recently been standardized by NIST. On the other hand, when specialized to the discrete log setting, we obtain a new protocol which we call DH2. An interesting feature of DH2 is that parties can use different groups (e.g., different elliptic curves). The generic protocol also has a hybrid implementation, where one party has an RSA key pair and the other party has a discrete log key pair. The security of KAS2 and DH2 is analyzed in an appropriate modification of the extended Canetti-Krawczyk security model.
doi:10.1007/978-3-642-22497-3_23 fatcat:lhue4ocbuvcwnkzwbznwcgk7ni

Integrating identity-based and certificate-based authenticated key exchange protocols

Berkant Ustaoğlu
2011 International Journal of Information Security  
... Cert-Cert variant: The protocol described in this section was first described in Ustaoglu [24]. ... ID-ID variant: The protocol described in this section was first described in Fujioka, Suzuki, and Ustaoglu [12]. ...
doi:10.1007/s10207-011-0136-3 fatcat:6awtwuwixbgb3nmggxsmrrccui

On reusing ephemeral keys in Diffie-Hellman key agreement protocols

Alfred Menezes, Berkant Ustaoglu
2010 International Journal of Applied Cryptography  
A party may choose to reuse ephemeral public keys in a Diffie-Hellman key agreement protocol in order to reduce its computational workload or to mitigate against denial-of-service attacks. In this note we highlight the danger of reusing ephemeral keys if domain parameters are not appropriately selected or if public keys are not appropriately validated.
doi:10.1504/ijact.2010.038308 fatcat:xnd6475otbcktclo4o6i5noct4

Quantum Key Distribution in the Classical Authenticated Key Exchange Framework [chapter]

Michele Mosca, Douglas Stebila, Berkant Ustaoğlu
2013 Lecture Notes in Computer Science  
Key establishment is a crucial primitive for building secure channels in a multi-party setting. Without quantum mechanics, key establishment can only be done under the assumption that some computational problem is hard. Since digital communication can be easily eavesdropped and recorded, it is important to consider the secrecy of information anticipating future algorithmic and computational discoveries which could break the secrecy of past keys, violating the secrecy of the confidential channel. Quantum key distribution (QKD) can be used to generate secret keys that are secure against any future algorithmic or computational improvements. QKD protocols still require authentication of classical communication, although existing security proofs of QKD typically assume idealized authentication. It is generally considered folklore that QKD when used with computationally secure authentication is still secure against an unbounded adversary, provided the adversary did not break the authentication during the run of the protocol. We describe a security model for quantum key distribution extending classical authenticated key exchange (AKE) security models. Using our model, we characterize the long-term security of the BB84 QKD protocol with computationally secure authentication against an eventually unbounded adversary. By basing our model on traditional AKE models, we can more readily compare the relative merits of various forms of QKD and existing classical AKE protocols. This comparison illustrates in which types of adversarial environments different quantum and classical key agreement protocols can be secure.
doi:10.1007/978-3-642-38616-9_9 fatcat:l4gnur73xbbmzozlnt5lluk4zy

Modeling Leakage of Ephemeral Secrets in Tripartite/Group Key Exchange [chapter]

Mark Manulis, Koutarou Suzuki, Berkant Ustaoglu
2010 Lecture Notes in Computer Science  
Menezes and Ustaoglu [31] extended the timing of the information leakage. All these developments were within the framework of two-party key exchange. ...
doi:10.1007/978-3-642-14423-3_2 fatcat:qpf2va3w6zc7rpgd4st26q2qvy

Obtaining a secure and efficient key agreement protocol from (H)MQV and NAXOS

Berkant Ustaoglu
2007 Designs, Codes and Cryptography  
LaMacchia, Lauter and Mityagin recently presented a strong security definition for authenticated key agreement strengthening the well-known Canetti-Krawczyk definition. They also described a protocol, called NAXOS, that enjoys a simple security proof in the new model. Compared to MQV and HMQV, NAXOS is less efficient and cannot be readily modified to obtain a one-pass protocol. On the other hand MQV does not have a security proof, and the HMQV security proof is extremely complicated. This paper proposes a new authenticated key agreement protocol, called CMQV ('Combined' MQV), which incorporates design principles from MQV, HMQV and NAXOS. The new protocol achieves the efficiency of HMQV and admits a natural one-pass variant. Moreover, we present a simple and intuitive proof that CMQV is secure in the LaMacchia-Lauter-Mityagin model.
doi:10.1007/s10623-007-9159-1 fatcat:jbydlss54baw7bjeribhkgmwii

Comparing the pre- and post-specified peer models for key agreement

Alfred Menezes, Berkant Ustaoglu
2009 International Journal of Applied Cryptography  
In the pre-specified peer model for key agreement, it is assumed that a party knows the identifier of its intended communicating peer when it commences a protocol run. On the other hand, a party in the post-specified peer model for key agreement does not know the identifier of its communicating peer at the outset, but learns the identifier during the protocol run. In this paper we compare the security assurances provided by the Canetti-Krawczyk security definitions for key agreement in the pre- and post-specified peer models. We give examples of protocols that are secure in one model but insecure in the other. We also enhance the Canetti-Krawczyk security models and definitions to encompass a class of protocols that are executable and secure in both the pre- and post-specified peer models.
doi:10.1504/ijact.2009.023472 fatcat:rfx3uszmpja4demogh2z3nvvcy

Sufficient Condition for Ephemeral Key-Leakage Resilient Tripartite Key Exchange [chapter]

Atsushi Fujioka, Mark Manulis, Koutarou Suzuki, Berkant Ustaoğlu
2012 Lecture Notes in Computer Science  
So far the only implicitly authenticated 3KE protocol that provably fulfills this goal is by Manulis, Suzuki, and Ustaoglu [31]. Ephemeral Key Leakage. ... efficiency properties of the original protocol and strengthened its security towards resilience against leakage of ephemeral (session-dependent) secrets was proposed recently by Manulis, Suzuki, and Ustaoglu ... This example essentially explains the construction behind the one-round 3KE protocol by Manulis, Suzuki, and Ustaoglu [31]. p^(1) = (u_0 + D u_1)(v_0 + v_1)(w_0 + w_1), p^(2) = (u_0 + u_1)(v_0 + E v ...
doi:10.1007/978-3-642-31448-3_2 fatcat:spypyoicgffsvc3surkhdx6l7y