International Conference on the Theory and Application of Cryptology and Information Security

ASIACRYPT 2010: Advances in Cryptology - ASIACRYPT 2010 pp 250-267

A Forward-Secure Symmetric-Key Derivation Protocol

How to Improve Classical DUKPT
  • Eric Brier
  • Thomas Peyrin
Conference paper

DOI: 10.1007/978-3-642-17373-8_15

Volume 6477 of the book series Lecture Notes in Computer Science (LNCS)
Cite this paper as:
Brier E., Peyrin T. (2010) A Forward-Secure Symmetric-Key Derivation Protocol. In: Abe M. (eds) Advances in Cryptology - ASIACRYPT 2010. ASIACRYPT 2010. Lecture Notes in Computer Science, vol 6477. Springer, Berlin, Heidelberg

Abstract

In this article, we study an interesting and very practical key management problem. A server shares a symmetric key with a client, whose memory is limited to R key registers. The client would like to send private messages, each time using a new key derived from the original shared secret and identified by a public string sent together with the message. The server can only spend N computations to retrieve the derived key corresponding to a given message. Finally, the algorithm must be forward-secure on the client side: even if the entire memory of the client has leaked, it should be impossible for an attacker to retrieve previously used communication keys. Given N and R, the total number T of keys the system can handle should be as large as possible.

In practice such a forward-secure symmetric-key derivation protocol is very relevant, in particular in the payment industry, where the clients are memory-constrained payment terminals and where distributing symmetric keys in the field is a costly process. At present, one standard is widely deployed: the Derive Unique Key Per Transaction (DUKPT) scheme defined in ANSI X9.24. However, this algorithm is complicated to understand, not scalable and offers poor performance.

We provide here a new construction, Optimal-DUKPT (or O-DUKPT), that is not only simpler and more scalable, but also more efficient both in terms of client memory requirements and server computations when the total number of keys T is fixed. Finally, we also prove that our algorithm is optimal with regard to the client memory R / server computations N / number of keys T the system can handle.
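As an added illustration of the R / N / T trade-off the abstract describes (this is a generic binary-tree derivation, not the paper's O-DUKPT construction nor ANSI X9.24 DUKPT): the public string is a counter, the server spends N = depth PRF calls per key, the client never holds more than depth + 1 registers, and erasing consumed nodes is what makes a memory leak harmless for past keys. HMAC-SHA256 as the PRF, the demo secret and the `indices_reachable` leak check are constructed assumptions for this example.

```python
import hmac
import hashlib
from typing import List, Tuple

# A tree node held in a client register: (subtree key, depth, index prefix of the leaves it covers).
Node = Tuple[bytes, int, int]

def prf(key: bytes, label: bytes) -> bytes:
    """One-way child derivation. HMAC-SHA256 is a placeholder PRF, not the paper's choice."""
    return hmac.new(key, label, hashlib.sha256).digest()

def server_derive(root: bytes, index: int, depth: int) -> bytes:
    """Server side: follow the bits of the public counter down from the shared root (N = depth PRF calls)."""
    k = root
    for bit in range(depth - 1, -1, -1):
        k = prf(k, bytes([(index >> bit) & 1]))
    return k

class Client:
    """Client side: a stack of not-yet-consumed subtree roots, at most depth + 1 registers in use (R)."""
    def __init__(self, root: bytes, depth: int) -> None:
        self.depth = depth
        self.stack: List[Node] = [(root, 0, 0)]
        self.peak_registers = 1

    def next_key(self) -> Tuple[int, bytes]:
        """Return (public counter, transaction key); the key's ancestors are never kept in memory."""
        if not self.stack:
            raise RuntimeError("all T = 2**depth keys have been used")
        k, d, prefix = self.stack.pop()
        while d < self.depth:
            # Park the right sibling for later, descend left, and forget the parent key.
            self.stack.append((prf(k, b"\x01"), d + 1, prefix * 2 + 1))
            k, d, prefix = prf(k, b"\x00"), d + 1, prefix * 2
        self.peak_registers = max(self.peak_registers, len(self.stack) + 1)
        return prefix, k

def indices_reachable(leaked: List[Node], depth: int) -> set:
    """Every counter whose key an attacker could still compute from a leaked set of registers."""
    out = set()
    for _, d, prefix in leaked:
        out.update(range(prefix << (depth - d), (prefix + 1) << (depth - d)))
    return out

def demo(depth: int = 3, used: int = 3) -> dict:
    root = hashlib.sha256(b"constructed demo shared secret").digest()  # constructed, not a real key
    client = Client(root, depth)
    keys = [client.next_key() for _ in range(used)]
    return {"matches_server": all(server_derive(root, i, depth) == k for i, k in keys),
            "counters": [i for i, _ in keys],
            "reachable_after_leak": indices_reachable(client.stack, depth),
            "peak_registers": client.peak_registers}
```

With depth 3 (T = 8) and three keys used, a leak of the client's registers only reaches counters 3 to 7, never the three keys already spent.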

Keywords

key management, key derivation, DUKPT, forward-security

Copyright information

© International Association for Cryptologic Research 2010

Authors and Affiliations

  • Eric Brier (1)
  • Thomas Peyrin (1)
  1. Ingenico, France