Comparing SessionStateReveal and EphemeralKeyReveal for Diffie-Hellman Protocols

  • Berkant Ustaoglu
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5848)


Both the “eCK” model, by LaMacchia, Lauter and Mityagin, and the “CK01” model, by Canetti and Krawczyk, address the effect of leaking session specific ephemeral data on the security of key establishment schemes. The CK01-adversary is given a SessionStateReveal query to learn session-specific private data defined by the protocol specification, whereas the eCK-adversary is equipped with an EphemeralKeyReveal query to access all ephemeral private input required to carry session computations. SessionStateReveal cannot be issued against the test session; by contrast EphemeralKeyReveal can be used against the test session under certain conditions. On the other hand, it is not obvious how EphemeralKeyReveal compares to SessionStateReveal. Thus it is natural to ask which model is more useful and practically relevant.

While formally the models are not comparable, we show that recent analyses utilizing SessionStateReveal and EphemeralKeyReveal have a similar approach to ephemeral data leakage. First we pinpoint the features that determine the approach. Then by examining common motives for ephemeral data leakage we conclude that the approach is meaningful, but does not take into account timing, which turns out to be critical for security. Lastly, for Diffie-Hellman protocols we argue that it is important to consider security when discrete logarithm values of the outgoing ephemeral public keys are leaked and offer a method to achieve security even if these values are exposed.


Key agreement protocols leaking ephemeral secrets postponed ephemeral key derivation pseudo-static keys 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Basin, D., Cremers, C.J.F.: From Dolev-Yao to strong adaptive corruption: Analyzing security in the presence of compromising adversaries. Cryptology ePrint Archive, Report 2009/079 (2009),
  2. 2.
    Bellare, M., Palacio, A.: The knowledge-of-exponent assumptions and 3-round zero-knowledge protocols. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 273–289. Springer, Heidelberg (2004)Google Scholar
  3. 3.
    Bellare, M., Rogaway, P.: Entity authentication and key distribution. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 232–249. Springer, Heidelberg (1994)Google Scholar
  4. 4.
    Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: CCS 1993: Proceedings of the 1st ACM Conference on Computer and Communications Security, pp. 62–73. ACM, New York (1993)CrossRefGoogle Scholar
  5. 5.
    Bello, L.: Debian open ssl predictable random number generator. Technical report, (2008) (retreived on February 10, 2008),
  6. 6.
    Blake-Wilson, S., Johnson, D., Menezes, A.: Key agreement protocols and their security analysis. In: Darnell, M.J. (ed.) Cryptography and Coding 1997. LNCS, vol. 1355, pp. 30–45. Springer, Heidelberg (1997)Google Scholar
  7. 7.
    Boyd, C., Cliff, Y., González Nieto, J.M., Paterson, K.: Efficient one-round key exchange in the standard model. In: Mu, et al. (eds.) [23], pp. 69–83,
  8. 8.
    Canetti, R., Krawczyk, H.: Analysis of key-exchange protocols and their use for building secure channels. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 453–474. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  9. 9.
    Cash, D.M., Kiltz, E., Shoup, V.: The Twin Diffie-Hellman Problem and Applications. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 127–145. Springer, Heidelberg (2008), CrossRefGoogle Scholar
  10. 10.
    Cremers, C.J.F.: Session-state reveal is stronger than ephemeral key reveal: Attacking the NAXOS key exchange protocol. In: Abdalla, M., Pointcheval, D., Fouque, P.-A., Vergnaud, D. (eds.) Applied Cryptography and Network Security, 7th International Conference, ACNS 2009. LNCS, vol. 5536, pp. 20–33. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  11. 11.
    Goldberg, I., Wagner, D.: Netscape ssl implementation cracked! Technical report, UC Berkeley (September 1995) (retreived on February 10, 2008),
  12. 12.
    Krawczyk, H.: HMQV: A high-performance secure Diffie-Hellman protocol. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 546–566. Springer, Heidelberg (2005)Google Scholar
  13. 13.
    LaMacchia, B., Lauter, K., Mityagin, A.: Stronger security of authenticated key exchange. Cryptology ePrint Archive, Report 2006/073 (2006),
  14. 14.
    LaMacchia, B., Lauter, K., Mityagin, A.: Stronger security of authenticated key exchange. In: Susilo, W., Liu, J.K., Mu, Y. (eds.) ProvSec 2007. LNCS, vol. 4784, pp. 1–16. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  15. 15.
    Lauter, K., Mityagin, A.: Security analysis of KEA authenticated key exchange protocol. In: Yung, M., Dodis, Y., Kiayias, A., Malkin, T.G. (eds.) PKC 2006. LNCS, vol. 3958, pp. 378–394. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  16. 16.
    Law, L., Menezes, A., Qu, M., Solinas, J., Vanstone, S.: An efficient protocol for authenticated key agreement. Designs, Codes and Cryptography 28(2), 119–134 (2003)CrossRefMathSciNetzbMATHGoogle Scholar
  17. 17.
    Lee, J., Park, C.S.: An efficient authenticated key exchange protocol with a tight security reduction. Cryptology ePrint Archive, Report 2008/345 (2008),
  18. 18.
    Lee, J., Park, J.H.: Authenticated key exchange secure under the computational Diffie-Hellman assumption. Cryptology ePrint Archive, Report 2008/344 (2008),
  19. 19.
    Menezes, A., Ustaoglu, B.: Comparing the pre- and post-specified peer models for key agreement. In: Mu, et al. (eds.) [23], pp. 53–68Google Scholar
  20. 20.
    Menezes, A., Ustaoglu, B.: Security arguments for the UM key agreement protocol in the NIST SP800-56A standard. In: Abe, M., Gligor, V. (eds.) ASIACCS 2008: Proceedings of the 2008 ACM symposium on Information, computer and communications security, pp. 261–270. ACM, New York (2008)CrossRefGoogle Scholar
  21. 21.
    Menezes, A., van Oorschot, P.C., Vanstone, S.A.: Handbook of Applied Cryptography. CRC Press, Boca Raton (1997)zbMATHGoogle Scholar
  22. 22.
    M’Raïhi, D., Naccache, D.: Batch exponentiation: a fast dlp-based signature generation strategy. In: Gong, L., Stern, J. (eds.) CCS 1996: Proceedings of the 3rd ACM conference on Computer and communications security, pp. 58–61. ACM, New York (1996)CrossRefGoogle Scholar
  23. 23.
    Mu, Y., Susilo, W., Seberry, J. (eds.): ACISP 2008. LNCS, vol. 5107. Springer, Heidelberg (2008)zbMATHGoogle Scholar
  24. 24.
    NIST National Institute of Standards and Technology. Special Publication 800-56A, Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography (March 2007), (last accessed July 2009)
  25. 25.
    Okamoto, T.: Authenticated key exchange and key encapsulation in the standard model. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 474–484. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  26. 26.
    Okamoto, T., Pointcheval, D.: The gap-problems: a new class of problems for the security of cryptographic schemes. In: Kim, K. (ed.) PKC 2001. LNCS, vol. 1992, pp. 104–118. Springer, Heidelberg (2001)Google Scholar
  27. 27.
    Pointcheval, D., Stern, J.: Security arguments for digital signatures and blind signatures. Journal of Cryptology 13(3), 361–396 (2000)CrossRefzbMATHGoogle Scholar
  28. 28.
    Ustaoglu, B.: Obtaining a secure and efficient key agreement protocol from (H)MQV and NAXOS. Designs, Codes and Cryptography 46(3), 329–342 (2008)CrossRefMathSciNetGoogle Scholar
  29. 29.
    Ustaoglu, B.: Comparing SessionStateReveal and EphemeralKeyReveal for Diffie-Hellman protocols (extended version). Cryptology ePrint Archive, Report 2009/353 (2009),

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Berkant Ustaoglu
    • 1
  1. 1.NTT Information Sharing Platform Laboratories 

Personalised recommendations