Authenticated Key Exchange and Key Encapsulation in the Standard Model

  • Tatsuaki Okamoto
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4833)


This paper introduces a new paradigm to realize various types of cryptographic primitives, such as authenticated key exchange and key encapsulation, in the standard model under three standard assumptions: the decisional Diffie-Hellman (DDH) assumption, target collision resistant (TCR) hash functions and pseudo-random functions (PRFs). We propose the first (PKI-based) two-pass authenticated key exchange (AKE) protocol that is comparable in efficiency to the most efficient existing protocols, such as MQV, and that is secure in the standard model (under these standard assumptions), whereas the existing efficient two-pass AKE protocols such as HMQV, NAXOS and CMQV are secure only in the random oracle model. Our protocol is shown to be secure in the (currently) strongest security definition, the extended Canetti-Krawczyk (eCK) security definition introduced by LaMacchia, Lauter and Mityagin. This paper also proposes a CCA-secure key encapsulation mechanism (KEM) under these assumptions, which is almost as efficient as the Kurosawa-Desmedt KEM. This scheme is also secure under a stronger security notion, chosen public-key and ciphertext attack (CPCA) security. The proposed schemes in this paper are redundancy-free (or validity-check-free), and the implication is that combining them with redundancy-free symmetric encryption (DEM) yields redundancy-free (e.g., MAC-free) CCA-secure hybrid encryption.
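To make the abstract's terminology concrete, the following added illustration (not code from the paper, and not Okamoto's construction) shows the KEM/DEM interface and what "redundancy-free" and "validity-check-free" mean in code: the KEM encapsulates a key as one group element, decapsulation never rejects an input, and the DEM is a PRF keystream with no MAC, so the ciphertext carries no bytes beyond the message and the encapsulation. The group parameters (p = 23, q = 11, g = 4), the use of SHA-256 as a stand-in for the TCR hash and HMAC-SHA256 as the PRF, and all function names are constructed assumptions for illustration; the toy group is far too small to be secure and nothing here reproduces the paper's security argument.

```python
import hashlib
import hmac
import secrets

# Toy DDH group (constructed for illustration only; not secure):
# p = 2q + 1 with q prime, and g generates the order-q subgroup of Z_p^*.
P, Q, G = 23, 11, 4


def keygen():
    """Receiver's key pair: secret exponent x and public element g^x mod p."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def kdf(c, shared):
    """Stand-in for TCR-hash + PRF key derivation (assumption: SHA-256).
    Binding the key to the encapsulation c as well as the shared element means
    any change to c changes the derived key."""
    data = c.to_bytes(2, "big") + shared.to_bytes(2, "big")
    return hashlib.sha256(b"toy-kem-kdf" + data).digest()


def encapsulate(pk):
    """KEM.Encap: one group element g^r is the whole encapsulation."""
    r = secrets.randbelow(Q - 1) + 1
    c = pow(G, r, P)
    return c, kdf(c, pow(pk, r, P))


def decapsulate(sk, c):
    """KEM.Decap, validity-check-free: every c yields a key, nothing is rejected."""
    return kdf(c, pow(c, sk, P))


def dem_stream(key, length):
    """PRF keystream (HMAC-SHA256 in counter mode).  No MAC tag is produced."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def hybrid_encrypt(pk, msg):
    """KEM/DEM hybrid: ciphertext is (c, msg XOR keystream); no padding, no tag."""
    c, key = encapsulate(pk)
    ct = bytes(a ^ b for a, b in zip(msg, dem_stream(key, len(msg))))
    return c, ct


def hybrid_decrypt(sk, c, ct):
    key = decapsulate(sk, c)
    return bytes(a ^ b for a, b in zip(ct, dem_stream(key, len(ct))))


def round_trip(msg):
    sk, pk = keygen()
    c, ct = hybrid_encrypt(pk, msg)
    return hybrid_decrypt(sk, c, ct) == msg


def dem_overhead_bytes(msg):
    """Redundancy-free DEM: the symmetric part adds zero bytes to the message."""
    sk, pk = keygen()
    c, ct = hybrid_encrypt(pk, msg)
    return len(ct) - len(msg)


def tampered_decrypts_to_garbage(msg):
    """With no validity check, a modified encapsulation is never rejected;
    the receiver simply derives an unrelated key and gets garbage plaintext."""
    sk, pk = keygen()
    c, ct = hybrid_encrypt(pk, msg)
    c_mod = (c * G) % P          # a different, still well-formed group element
    return hybrid_decrypt(sk, c_mod, ct) != msg


if __name__ == "__main__":
    print("round trip ok:", round_trip(b"attack at dawn!!"))
    print("DEM overhead bytes:", dem_overhead_bytes(b"x" * 40))
    print("tampered c gives garbage:", tampered_decrypts_to_garbage(b"attack at dawn!!"))
```

The point the toy makes is structural: a redundancy-free hybrid scheme has no rejection path and no authentication tag, so its CCA security has to come from the KEM's key derivation (in the paper, from DDH together with a TCR hash and a PRF) rather than from an explicit integrity check on the ciphertext.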




  1. Abe, M., Gennaro, R., Kurosawa, K., Shoup, V.: Tag-KEM/DEM: A New Framework for Hybrid Encryption and New Analysis of Kurosawa-Desmedt KEM. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 128–146. Springer, Heidelberg (2005)
  2. Canetti, R., Krawczyk, H.: Analysis of key-exchange protocols and their use for building secure channels. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045. Springer, Heidelberg (2001)
  3. Cramer, R., Shoup, V.: Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack. SIAM Journal on Computing 33(1), 167–226 (2003)
  4. Goldreich, O., Goldwasser, S., Micali, S.: How to Construct Random Functions. Journal of the ACM 33(4), 792–807 (1986)
  5. Hastad, J., Impagliazzo, R., Levin, L., Luby, M.: A Pseudorandom Generator from any One-way Function. SIAM Journal on Computing 28(4), 1364–1396 (1999)
  6. Krawczyk, H.: HMQV: A high-performance secure Diffie-Hellman protocol. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621. Springer, Heidelberg (2005)
  7. Kurosawa, K., Desmedt, Y.: A New Paradigm of Hybrid Encryption Scheme. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 426–442. Springer, Heidelberg (2004)
  8. LaMacchia, B., Lauter, K., Mityagin, A.: Stronger security of authenticated key exchange. Cryptology ePrint Archive, Report 2006/073 (2006)
  9. Law, L., Menezes, A., Qu, M., Solinas, J., Vanstone, S.: An efficient protocol for authenticated key agreement. Designs, Codes and Cryptography 28, 119–134 (2003)
  10. Menezes, A.: Another look at HMQV. Journal of Mathematical Cryptology 1, 148–175 (2007)
  11. Matsumoto, T., Takashima, Y., Imai, H.: On Seeking Smart Public-key Distribution Systems. Transactions of the IECE of Japan E69, 99–106 (1986)
  12. Naor, M., Yung, M.: Universal one-way hash functions and their cryptographic applications. In: Proceedings of the 21st Annual ACM Symposium on Theory of Computing, pp. 33–43. ACM Press, New York (1989)
  13. Rompel, J.: One-way functions are necessary and sufficient for secure signatures. In: Proceedings of the 22nd Annual ACM Symposium on Theory of Computing, pp. 387–394. ACM Press, New York (1990)
  14. Ustaoglu, B.: Obtaining a secure and efficient key agreement protocol from (H)MQV and NAXOS. Cryptology ePrint Archive, Report 2007/123 (2007)

Copyright information

© Springer-Verlag Berlin Heidelberg 2007

Authors and Affiliations

  • Tatsuaki Okamoto, NTT, Japan
