Designs, Codes and Cryptography

Volume 67, Issue 2, pp 245–269

Anonymity and one-way authentication in key exchange protocols



Key establishment is a crucial cryptographic primitive for building secure communication channels between two parties in a network. It has been studied extensively in theory and widely deployed in practice. In the research literature a typical protocol in the public-key setting aims for key secrecy and mutual authentication. However, there are many important practical scenarios where mutual authentication is undesirable, such as in anonymity networks like Tor, or is difficult to achieve due to insufficient public-key infrastructure at the user level, as is the case on the Internet today. In this work we are concerned with the scenario where two parties establish a private shared session key, but only one party authenticates to the other; in fact, the unauthenticated party may wish to have strong anonymity guarantees. We present a desirable set of security, authentication, and anonymity goals for this setting and develop a model which captures these properties. Our approach allows for clients to choose among different levels of authentication. We also describe an attack on a previous protocol of Øverlier and Syverson, and present a new, efficient key exchange protocol that provides one-way authentication and anonymity.


Keywords: Key exchange, One-way authentication, Anonymity, Tor network, Protocols, Security models

Mathematics Subject Classification (2000)

94A60 (Cryptography)




  1. Aiello W., Bellovin S.M., Blaze M., Canetti R., Ioannidis J., Keromytis A.D., Reingold O.: Just Fast Keying: key agreement in a hostile Internet. ACM Trans. Inform. Syst. Secur. 7(2), 1–30 (2004). doi:10.1145/996943.996946.
  2. Bellare M., Rogaway P.: Entity authentication and key distribution. In: Stinson D.R. (ed.) Advances in Cryptology—Proc. CRYPTO ’93, LNCS, vol. 773, pp. 232–249. Springer (1993). doi:10.1007/3-540-48329-2_21.
  3. Bellare M., Pointcheval D., Rogaway P.: Authenticated key exchange secure against dictionary attacks. In: Preneel B. (ed.) Advances in Cryptology—Proc. EUROCRYPT 2000, LNCS, vol. 1807, pp. 139–155. Springer (2000). doi:10.1007/3-540-45539-6_11.
  4. Bellovin S.M., Merritt M.: Encrypted key exchange: password-based protocols secure against dictionary attacks. In: Proceedings of the 1992 IEEE Computer Society Conference on Research in Security and Privacy. IEEE (1992). doi:10.1109/RISP.1992.213269.
  5. Blake-Wilson S., Johnson D., Menezes A.: Key agreement protocols and their security analysis. In: Darnell M. (ed.) Cryptography and Coding—6th IMA International Conference, LNCS, vol. 1355. Springer (1997). doi:10.1007/BFb0024447.
  6. Canetti R., Krawczyk H.: Analysis of key-exchange protocols and their use for building secure channels. In: Pfitzmann B. (ed.) Advances in Cryptology—Proc. EUROCRYPT 2001, LNCS, vol. 2045, pp. 453–474. Springer (2001). doi:10.1007/3-540-44987-6_28.
  7. Canetti R., Krawczyk H.: Security analysis of IKE’s signature based key-exchange protocol. In: Yung M. (ed.) Advances in Cryptology—Proc. CRYPTO 2002, LNCS, vol. 2442, pp. 27–52. Springer (2002). doi:10.1007/3-540-45708-9_10. Full version available as
  8. Cheng Z., Chen L., Comley R., Tang Q.: Identity-based key agreement with unilateral identity privacy using pairings. In: Chen K., Deng R., Lai X., Zhou J. (eds.) Proc. Information Security Practice and Experience (ISPEC) 2006, LNCS, vol. 3903, pp. 202–213. Springer (2006). doi:10.1007/11689522_19.
  9. Chien H.Y.: ID-based key agreement with anonymity for ad hoc networks. In: Huo T.W., Sha E., Guo M., Yang L., Shao Z. (eds.) Proc. Embedded and Ubiquitous Computing (EUC) 2007, LNCS, vol. 4808, pp. 333–345. Springer (2007). doi:10.1007/978-3-540-77092-3_29.
  10. Chow S.S.M., Choo K.K.R.: Strongly-secure identity-based key agreement and anonymous extension. In: Garay J., Lenstra A., Mambo M., Peralta R. (eds.) Proc. 10th International Conference on Information Security Conference (ISC) 2007, LNCS, vol. 4779, pp. 203–220. Springer (2007). doi:10.1007/978-3-540-75496-1_14.
  11. Di Raimondo M., Gennaro R., Krawczyk H.: Deniable authentication and key exchange. In: Wright R., De Capitani de Vimercati S., Shmatikov V. (eds.) Proc. 13th ACM Conference on Computer and Communications Security (CCS), pp. 400–409. ACM (2006). doi:10.1145/1180405.1180454.
  12. Dierks T., Allen C.: The TLS protocol version 1.0 (1999). RFC 2246.
  13. Dierks T., Rescorla E.: The Transport Layer Security (TLS) protocol version 1.2 (2008). RFC 5246.
  14. Diffie W., Hellman M.E.: New directions in cryptography. IEEE Trans. Inform. Theory 22(6), 644–654 (1976).
  15. Dingledine R., Mathewson N., Syverson P.: Tor: the second-generation onion router. In: Proc. 13th USENIX Security Symposium. The USENIX Association (2004).
  16. Fiore D., Gennaro R., Smart N.P.: Constructing certificateless encryption and ID-based encryption from ID-based key agreement. In: Joye M., Miyaji A., Otsuka A. (eds.) Proc. Pairing-Based Cryptography (Pairing) 2010, LNCS, vol. 6487, pp. 167–186. Springer (2010). doi:10.1007/978-3-642-17455-1_11.
  17. Goldberg I.: On the security of the Tor authentication protocol. In: Danezis G., Golle P. (eds.) Privacy Enhancing Technologies (PET) 2006, LNCS, vol. 4258, pp. 316–331. Springer (2006). doi:10.1007/11957454_18.
  18. Google: The Official Google Blog—search more securely with encrypted Google web search (2010).
  19. Kate A., Zaverucha G.M., Goldberg I.: Pairing-based onion routing with improved forward secrecy. ACM Trans. Inform. Syst. Secur. 13(4), 29 (2010). doi:10.1145/1880022.1880023.
  20. Krawczyk H.: SIGMA: The ‘SIGn-and-MAc’ approach to authenticated Diffie-Hellman and its use in the IKE protocols. In: Boneh D. (ed.) Advances in Cryptology—Proc. CRYPTO 2003, LNCS, vol. 2729, pp. 400–425. Springer (2003). doi:10.1007/b11817. Full version available as
  21. Krawczyk H.: HMQV: A high-performance secure Diffie-Hellman protocol. In: Cramer R. (ed.) Advances in Cryptology—Proc. CRYPTO 2005, LNCS, vol. 3621, pp. 546–566. Springer (2005). doi:10.1007/11535218_33.
  22. LaMacchia B., Lauter K., Mityagin A.: Stronger security of authenticated key exchange. In: Susilo W., Liu J.K., Mu Y. (eds.) First International Conference on Provable Security (ProvSec) 2007, LNCS, vol. 4784, pp. 1–16. Springer (2007). doi:10.1007/978-3-540-75670-5_1.
  23. Law L., Menezes A.J., Qu M., Solinas J., Vanstone S.: An efficient protocol for authenticated key agreement. Des. Codes Cryptogr. 28, 119–134 (2003). doi:10.1023/A:1022595222606. Previously appeared as
  24. Menezes A.J., Ustaoglu B.: Comparing the pre- and post-specified peer models for key agreement. Int. J. Appl. Cryptogr. 1(3), 236–250 (2009). doi:10.1504/IJACT.2009.023472.
  25. Menezes A., van Oorschot P.C., Vanstone S.A.: Handbook of Applied Cryptography. CRC Press, Boca Raton, FL, USA (1997).
  26. Morrissey P., Smart N.P., Warinschi B.: A modular security analysis of the TLS handshake protocol. In: Pieprzyk J. (ed.) Advances in Cryptology—Proc. ASIACRYPT 2008, LNCS, vol. 5350, pp. 55–73. Springer (2008). doi:10.1007/978-3-540-89255-7_5.
  27. M’Raïhi D., Naccache D.: Batch exponentiations: a fast DLP-based signature generation strategy. In: Gong L., Stern J. (eds.) CCS 1996: Proceedings of the 3rd ACM Conference on Computer and Communications Security, pp. 58–61. ACM (1996). doi:10.1145/238168.238187.
  28. NIST National Institute of Standards and Technology: Special Publication 800-56A, Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography (2007).
  29. NIST National Institute of Standards and Technology: Special Publication 800-56B, Recommendation for Pair-Wise Key Establishment Schemes Using Integer Factorization Cryptography (2009).
  30. The OpenSSL Project: OpenSSL v1.0.0d (2011).
  31. Øverlier L., Syverson P.: Improving efficiency and simplicity of Tor circuit establishment and hidden services. In: Privacy Enhancing Technologies, LNCS, vol. 4776, pp. 134–152. Springer (2007). doi:10.1007/978-3-540-75551-7_9.
  32. Pfitzmann A., Hansen M.: A terminology for talking about privacy by data minimization: Anonymity, unlinkability, undetectability, unobservability, pseudonymity, and identity management (2010). V0.34.
  33. Rahman S.M.M., Inomata A., Okamoto T., Mambo M., Okamoto E.: Anonymous secure communication in wireless mobile ad-hoc networks. In: Stajano F., Kim H.J., Chae J.S., Kim S.D. (eds.) Proc. International Conference on Ubiquitous Convergence Technology (ICUCT) 2006, LNCS, vol. 4412, pp. 140–149. Springer (2007). doi:10.1007/978-3-540-71789-8_15.
  34. Shoup V.: On formal models for secure key exchange (version 4) (1999).
  35. Singel R.: Charter to snoop on broadband customers’ web histories for ad networks (2008).
  36. Slashdot: ISPs inserting ads into your pages (2007).
  37. Tor Project: Homepage (2011).

Copyright information

© Springer Science+Business Media, LLC 2012

Authors and Affiliations

  • Ian Goldberg (1)
  • Douglas Stebila (2)
  • Berkant Ustaoglu (3)
  1. Cheriton School of Computer Science, University of Waterloo, Waterloo, Canada
  2. Information Security Institute, Queensland University of Technology, Brisbane, Australia
  3. Faculty of Engineering and Natural Sciences, Sabanci University, Istanbul, Turkey