The Twist-AUgmented Technique for Key Exchange

  • Olivier Chevassut
  • Pierre-Alain Fouque
  • Pierrick Gaudry
  • David Pointcheval
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3958)


Key derivation refers to the process by which an agreed-upon large random number, often called the master secret, is used to derive the keys that encrypt and authenticate data. Practitioners and standardization bodies have usually relied on the random oracle model to obtain key material from a Diffie-Hellman key exchange. Formal proofs in the standard model, however, require a randomness extractor that turns the entropy of the random master secret into a seed before any other keys are derived. Although an extractor is a quite simple tool, it is not easy to use correctly in practice, and it is easy to misuse.

In addition, many standards use the acronym PRF (pseudo-random function) for several tasks, among them randomness extraction. Since randomness extractors and pseudo-random functions are a priori distinct tools, we first study whether such a use is correct. We then study the case of \(\mathbb{Z}^{*}_{p}\), where p is a safe prime, and the case of elliptic curves, since IPsec, for example, considers only these two groups. We present very efficient and provable randomness extraction techniques for these groups under the DDH assumption. In the special case of elliptic curves, we present a new technique, the so-called 'Twist-AUgmented' technique, which exploits specific properties of some elliptic curves and avoids the need for any randomness extractor. We finally compare the efficiency of this method with other solutions.
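Added example (Python; not code from the paper or its authors). The abstract says the Twist-AUgmented technique exploits a property of certain elliptic curves to avoid a randomness extractor. The property, in outline, is that a curve E: y^2 = x^3 + ax + b over F_p and its quadratic twist E' (written here as d·y^2 = x^3 + ax + b with d a quadratic non-residue) account between them for every x in F_p exactly twice, so #E + #E' = 2p + 2 and the x-coordinate of a random point of the pair is uniform on F_p (up to the point at infinity, which has no x-coordinate). A random point of E alone, by contrast, has an x-coordinate that hits only about half of the field, which is exactly the bias an extractor has to remove. The toy prime p = 103, the curve y^2 = x^3 + 2x + 3 and the brute-force point enumeration are assumptions of this example only; a real instantiation works at cryptographic sizes with scalar multiplication of a generator.

```python
# Added example, not code from the paper: a brute-force check, over a toy prime,
# of the elliptic-curve property behind the Twist-AUgmented idea. For a curve
# E: y^2 = x^3 + a*x + b over F_p and its quadratic twist E': d*y^2 = x^3 + a*x + b
# (d a quadratic non-residue mod p), every x in F_p is the x-coordinate of exactly
# two affine points of E and E' taken together, so #E + #E' = 2p + 2 and a random
# point of the pair has a uniformly distributed x-coordinate. A random point of E
# alone hits only about half of F_p, which is why that case needs an extractor.
import random

def legendre(n, p):
    """Legendre symbol (n/p) for an odd prime p: 1 residue, -1 non-residue, 0 if p divides n."""
    n %= p
    if n == 0:
        return 0
    return 1 if pow(n, (p - 1) // 2, p) == 1 else -1

def find_non_residue(p):
    """Smallest quadratic non-residue mod p; it defines the twist."""
    for d in range(2, p):
        if legendre(d, p) == -1:
            return d
    raise ValueError("no non-residue: p must be an odd prime")

def affine_points(p, a, b, d=1):
    """All (x, y) in F_p^2 with d*y^2 = x^3 + a*x + b; d=1 is E itself, d a
    non-residue is the twist E'. Brute force, so only for toy p."""
    if (4 * a**3 + 27 * b**2) % p == 0:
        raise ValueError("singular curve")
    pts = []
    for x in range(p):
        rhs = (x**3 + a * x + b) % p
        for y in range(p):
            if (d * y * y - rhs) % p == 0:
                pts.append((x, y))
    return pts

def curve_order(p, a, b, d=1):
    """Group order: affine points plus the point at infinity."""
    return len(affine_points(p, a, b, d)) + 1

def x_coordinate_counts(p, a, b, d=1):
    """How many affine points of the curve lie above each x in F_p."""
    counts = {}
    for x, _ in affine_points(p, a, b, d):
        counts[x] = counts.get(x, 0) + 1
    return counts

def twist_pair_covers_field(p, a, b):
    """True iff E and E' together have exactly two points above every x in F_p
    and #E + #E' == 2p + 2 (the uniform-x property the technique relies on)."""
    d = find_non_residue(p)
    on_e = x_coordinate_counts(p, a, b, 1)
    on_twist = x_coordinate_counts(p, a, b, d)
    per_x_ok = all(on_e.get(x, 0) + on_twist.get(x, 0) == 2 for x in range(p))
    order_ok = curve_order(p, a, b, 1) + curve_order(p, a, b, d) == 2 * p + 2
    return per_x_ok and order_ok

def fraction_of_field_hit(p, a, b, d=1):
    """Fraction of F_p that occurs as an x-coordinate on ONE curve only."""
    return len(x_coordinate_counts(p, a, b, d)) / p

def sample_pair_x(p, a, b, seed):
    """x-coordinate of a point drawn uniformly from the affine points of E and E'
    together (each curve weighted by its size). Toy sampling only: a real
    protocol picks the curve with probability proportional to its order and
    scalar-multiplies a generator instead of enumerating points."""
    d = find_non_residue(p)
    pool = affine_points(p, a, b, 1) + affine_points(p, a, b, d)
    return random.Random(seed).choice(pool)[0]

if __name__ == "__main__":
    # Toy parameters (an assumption of this example, not from the paper):
    # p = 103 and E: y^2 = x^3 + 2x + 3.
    P, A, B = 103, 2, 3
    print("E and its twist cover F_p twice over:", twist_pair_covers_field(P, A, B))
    print("fraction of F_p hit by E alone:", round(fraction_of_field_hit(P, A, B), 3))
    print("x-coordinate sampled from the pair:", sample_pair_x(P, A, B, seed=1))
```

The check in twist_pair_covers_field is the whole point: above each x the cubic x^3 + ax + b is either zero (one point with y = 0 on each curve), a non-zero square (two points on E, none on E') or a non-square (none on E, two on E'), so the pair always contributes exactly two points and the x-coordinate of a random point of the pair carries log2(p) bits of entropy with no bias to extract. The twist written as d·y^2 = f(x) is isomorphic to the usual form y^2 = x^3 + a d^2 x + b d^3, so either description gives the same counts.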





Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Olivier Chevassut, Lawrence Berkeley National Lab., Berkeley, USA
  • Pierre-Alain Fouque, CNRS-École normale supérieure, Paris, France
  • Pierrick Gaudry, CNRS-LORIA, Nancy, France
  • David Pointcheval, CNRS-École normale supérieure, Paris, France
