SAS-Based Authenticated Key Agreement

  • Sylvain Pasini
  • Serge Vaudenay
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3958)


Key agreement protocols are frequently based on the Diffie-Hellman protocol, but they require the protocol messages to be authenticated in both directions. This can be done with a cross-authentication protocol. Such protocols, which assume that a channel able to authenticate short strings is available (SAS-based), have been proposed by Vaudenay [Vau05]. In this paper, we survey existing protocols and propose a new one. Our protocol requires three moves and a single SAS, authenticated in both directions. It is provably secure in the random oracle model. Security can also be achieved with a generic construction (e.g. in the standard model) at the price of an extra move. We discuss applications such as secure peer-to-peer VoIP.
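
The abstract only names the ingredients (Diffie-Hellman, a commitment-style cross-authentication, one short authenticated string compared out of band). The following Python is an added example written for this page, not the authors' protocol and not code from the paper: it shows the generic commit / exchange / open pattern that SAS-based cross-authentication relies on, wrapped around a Diffie-Hellman exchange, and runs the same three moves once honestly and once with a man-in-the-middle (`Mallory`) who substitutes her own share on both sides. The toy group (`P = 2**127 - 1`, `G = 3`), the hash-based commitment, the 32-bit SAS and every function name here are assumptions for the illustration, not parameters from the paper.

```python
# Added example, not the paper's protocol: a generic commit / exchange / open
# SAS-based cross-authentication wrapped around Diffie-Hellman.  Toy group,
# hash commitment and SAS length are assumptions made for the illustration.
import hashlib
import secrets

P = 2**127 - 1      # Mersenne prime: fine for a demo, far too small for real use
G = 3
NONCE_BYTES = 16    # length of the random strings R_A, R_B and of the opening value
SAS_BITS = 32       # one-shot MITM passes the comparison with probability ~2^-32


def h(*parts: bytes) -> bytes:
    """Length-prefixed SHA-256; stands in for the random oracle of the analysis."""
    m = hashlib.sha256()
    for p in parts:
        m.update(len(p).to_bytes(4, "big") + p)
    return m.digest()


def enc(x: int) -> bytes:
    return x.to_bytes(16, "big")


def keygen():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def commit(pub: int, r: bytes, blind: bytes) -> bytes:
    """Hash commitment to (DH share, R); (r, blind) is the opening sent in move 3."""
    return h(b"commit", enc(pub), r, blind)


def sas(pub_a: int, pub_b: int, r_a: bytes, r_b: bytes) -> str:
    """Short authenticated string derived from the whole transcript, as hex."""
    d = int.from_bytes(h(b"sas", enc(pub_a), enc(pub_b), r_a, r_b), "big")
    return f"{d >> (256 - SAS_BITS):0{SAS_BITS // 4}x}"


def session_key(priv: int, peer_pub: int, pub_a: int, pub_b: int) -> bytes:
    return h(b"key", enc(pow(peer_pub, priv, P)), enc(pub_a), enc(pub_b))


def run(mitm: bool = False) -> dict:
    """Three moves over the insecure channel, then one SAS comparison out of band.
    With mitm=True, Mallory substitutes her own DH share and nonces on both sides."""
    a_priv, a_pub = keygen()
    r_a, blind_a = secrets.token_bytes(NONCE_BYTES), secrets.token_bytes(NONCE_BYTES)
    b_priv, b_pub = keygen()
    r_b = secrets.token_bytes(NONCE_BYTES)

    # Move 1, Alice -> Bob: pub_A and a commitment to (pub_A, R_A).
    msg1 = (a_pub, commit(a_pub, r_a, blind_a))
    if mitm:
        _, m_pub = keygen()
        r_m, blind_m = secrets.token_bytes(NONCE_BYTES), secrets.token_bytes(NONCE_BYTES)
        msg1 = (m_pub, commit(m_pub, r_m, blind_m))   # Mallory must commit before seeing R_B
    bob_pub_a, bob_commit = msg1

    # Move 2, Bob -> Alice: pub_B and R_B in the clear (R_B is chosen after the commitment).
    msg2 = (b_pub, r_b)
    if mitm:
        msg2 = (m_pub, secrets.token_bytes(NONCE_BYTES))  # Mallory's R_B' for Alice
    alice_pub_b, alice_r_b = msg2

    # Move 3, Alice -> Bob: open the commitment; Bob aborts if it does not open.
    msg3 = (r_m, blind_m) if mitm else (r_a, blind_a)
    bob_r_a, bob_blind = msg3
    if commit(bob_pub_a, bob_r_a, bob_blind) != bob_commit:
        raise ValueError("commitment does not open, abort")

    # Out of band: each user computes the SAS over what they saw and compares it
    # with the peer (read aloud on a call, shown on both displays).
    sas_a = sas(a_pub, alice_pub_b, r_a, alice_r_b)
    sas_b = sas(bob_pub_a, b_pub, bob_r_a, r_b)
    key_a = session_key(a_priv, alice_pub_b, a_pub, alice_pub_b)
    key_b = session_key(b_priv, bob_pub_a, bob_pub_a, b_pub)
    return {"sas_a": sas_a, "sas_b": sas_b, "accepted": sas_a == sas_b,
            "key_a": key_a, "key_b": key_b}


if __name__ == "__main__":
    for label, flag in (("honest", False), ("mitm", True)):
        out = run(flag)
        print(f"{label:6s} SAS_A={out['sas_a']} SAS_B={out['sas_b']} "
              f"accepted={out['accepted']} same_key={out['key_a'] == out['key_b']}")
```

The point the example makes is the ordering: Alice fixes R_A inside a commitment before Bob reveals R_B, so an attacker relaying between the two sessions has to commit to her own R before she learns the value that will enter the other side's SAS, and a single attempt therefore succeeds with probability about 2^-SAS_BITS. Two practical caveats follow from that. The comparison step must really go over a channel the adversary cannot forge (a voice the peer recognises, two displays read side by side); the SAS mechanism provides nothing if that channel is spoofable. And a mismatch must abort rather than trigger an automatic retry, since each rerun hands the attacker a fresh guess at a string that is short by design.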


References

  1. [BR93] Bellare, M., Rogaway, P.: Entity authentication and key distribution. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 232–249. Springer, Heidelberg (1993)
  2. [ČČH06] Čagalj, M., Čapkun, S., Hubaux, J.-P.: Key agreement in peer-to-peer wireless networks. Proceedings of the IEEE, Special Issue in Security and Cryptography 94(2), 467–478 (2006)
  3. [CGH98] Canetti, R., Goldreich, O., Halevi, S.: The random oracle methodology revisited (preliminary version). In: STOC 1998: Proceedings of the Thirtieth Annual ACM Symposium on Theory of Computing, May 1998, pp. 209–218. ACM Press, New York (1998)
  4. [CS02] Cramer, R., Shoup, V.: Universal hash proofs and a paradigm for adaptive chosen ciphertext secure public-key encryption. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, p. 45. Springer, Heidelberg (2002)
  5. [DH76] Diffie, W., Hellman, M.E.: New directions in cryptography. IEEE Transactions on Information Theory IT-22(6), 644–654 (1976)
  6. [DSS00] Digital Signature Standard (DSS). Federal Information Processing Standard, Publication 186-2, U.S. Department of Commerce, National Institute of Standards and Technology (2000)
  7. [GMN04] Gehrmann, C., Mitchell, C.J., Nyberg, K.: Manual authentication for wireless devices. RSA Cryptobytes 7(1), 29–37 (2004)
  8. [GN01] Gehrmann, C., Nyberg, K.: Enhancements to Bluetooth baseband security. In: Nordsec 2001, Copenhagen, Denmark (November 2001)
  9. [GN04] Gehrmann, C., Nyberg, K.: Security in personal area networks. In: Security for Mobility, pp. 191–230 (2004)
  10. [Hoe04] Hoepman, J.-H.: The ephemeral pairing problem. In: Juels, A. (ed.) FC 2004. LNCS, vol. 3110, pp. 212–226. Springer, Heidelberg (2004)
  11. [Kra94] Krawczyk, H.: LFSR-based hashing and authentication. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 129–139. Springer, Heidelberg (1994)
  12. [LAN05] Laur, S., Asokan, N., Nyberg, K.: Efficient mutual data authentication using manually authenticated strings. Cryptology ePrint Archive, Report 2005/424 (2005)
  13. [MY04] MacKenzie, P., Yang, K.: On simulation-sound trapdoor commitments. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 382–400. Springer, Heidelberg (2004)
  14. [PV06] Pasini, S., Vaudenay, S.: An optimal non-interactive message authentication protocol. In: Pointcheval, D. (ed.) CT-RSA 2006. LNCS, vol. 3860, pp. 280–294. Springer, Heidelberg (2006)
  15. [RSA78] Rivest, R.L., Shamir, A., Adleman, L.M.: A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM 21(2), 120–126 (1978)
  16. [Sti91] Stinson, D.: Universal hashing and authentication codes. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 74–85. Springer, Heidelberg (1992)
  17. [Sti94] Stinson, D.: Universal hashing and authentication codes. Designs, Codes and Cryptography 4, 369–380 (1994)
  18. [Vau05] Vaudenay, S.: Secure communications over insecure channels based on short authenticated strings. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 309–326. Springer, Heidelberg (2005)
  19. [Vau06] Vaudenay, S.: On Bluetooth repairing: Key agreement based on symmetric-key cryptography. In: Feng, D., Lin, D., Yung, M. (eds.) CISC 2005. LNCS, vol. 3822, pp. 1–9. Springer, Heidelberg (2006)

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Sylvain Pasini (1)
  • Serge Vaudenay (1)
  1. EPFL, Lausanne, Switzerland
