Strongly Secure Authenticated Key Exchange without NAXOS’ Approach

  • Minkyu Kim
  • Atsushi Fujioka
  • Berkant Ustaoğlu
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5824)


LaMacchia, Lauter and Mityagin [15] proposed the extended Canetti-Krawczyk (eCK) model and an AKE protocol, called NAXOS. Unlike previous security models, the adversary in the eCK model is allowed to obtain ephemeral secret information related to the test session, which makes the security proof difficult. To overcome this NAXOS combines an ephemeral private key x with a static private key a to generate an ephemeral public key X; more precisely X = g H(x,a). As a result, no one is able to query the discrete logarithm of X without knowing both the ephemeral and static private keys. In other words, the discrete logarithm of an ephemeral public key, which is typically the ephemeral secret, is hidden via an additional random oracle.

In this paper, we show that it is possible to construct eCK-secure protocol without the NAXOS’ approach by proposing two eCK-secure protocols. One is secure under the GDH assumption and the other under the CDH assumption; their efficiency and security assurances are comparable to the well-known HMQV [12] protocol. Furthermore, they are at least as secure as protocols that use the NAXOS’ approach but unlike them and HMQV, the use of the random oracle is minimized and restricted to the key derivation function.


AKE eCK model NAXOS’ approach trapdoor test 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Antipa, A., Brown, D., Menezes, A., Struik, R., Vanstone, S.: Validation of elliptic curve public keys. In: Desmedt, Y.G. (ed.) PKC 2003. LNCS, vol. 2567, pp. 211–223. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  2. 2.
    Bao, F., Deng, R.H., Zhu, H.: Variations of diffie-hellman problem. In: Qing, S., Gollmann, D., Zhou, J. (eds.) ICICS 2003. LNCS, vol. 2836, pp. 301–312. Springer, Heidelberg (2003)Google Scholar
  3. 3.
    Bellare, M., Palacio, A.: The knowledge-of-exponent assumptions and 3-round zero-knowledge protocols. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 273–289. Springer, Heidelberg (2004)Google Scholar
  4. 4.
    Bellare, M., Pointcheval, D., Rogaway, P.: Authenticated key exchange secure against dictionary attacks. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 139–155. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  5. 5.
    Bellare, M., Rogaway, P.: Entity authentication and key distribution. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 110–125. Springer, Heidelberg (1993)Google Scholar
  6. 6.
    Bellare, M., Rogaway, P.: Provably secure session key distribution: the three party case. In: STOC 1995, pp. 57–66 (1995)Google Scholar
  7. 7.
    Bellare, M., Rogaway, P.: Minimizing the use of random oracles in authenticated encryption schemes. In: Han, Y., Quing, S. (eds.) ICICS 1997. LNCS, vol. 1334, pp. 1–16. Springer, Heidelberg (1997)CrossRefGoogle Scholar
  8. 8.
    Canetti, R., Krawczyk, H.: Analysis of key-exchange protocols and their use for building secure channels. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 453–474. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  9. 9.
    Cash, D., Kiltz, E., Shoup, V.: The twin diffie-hellman problem and applications. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 127–145. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  10. 10.
    Diffie, W., Hellman, H.: New directions in cryptography. IEEE transactions of Information Theory 22(6), 644–654 (1976)zbMATHCrossRefMathSciNetGoogle Scholar
  11. 11.
    Huang, H., Cao, Z.: Strongly secure authenticated key exchange protocol based on computational Diffie-Hellman problem. In: Inscrypt 2008 (2008)Google Scholar
  12. 12.
    Krawczyk, H.: HMQV: A high-performance secure diffie-hellman protocol. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 546–566. Springer, Heidelberg (2005)Google Scholar
  13. 13.
    Law, L., Menezes, A., Qu, M., Solinas, J., Vanstone, S.: An efficient protocol for authenticated key agreement. Designs, Codes and Cryptography 28, 119–134 (2003)zbMATHCrossRefMathSciNetGoogle Scholar
  14. 14.
    Lim, C.H., Lee, P.J.: A key recovery attack on discrete log-based schemes using a prime order subgroup. In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 249–263. Springer, Heidelberg (1994)Google Scholar
  15. 15.
    LaMacchia, B.A., Lauter, K., Mityagin, A.: Stronger security of authenticated key exchange. In: Susilo, W., Liu, J.K., Mu, Y. (eds.) ProvSec 2007. LNCS, vol. 4784, pp. 1–16. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  16. 16.
    Lee, J., Park, J.: Authenticated key exchange secure under the computational Diffie-Hellman assumption,
  17. 17.
    Lee, J., Park, C.: An efficient key exchange protocol with a tight security reduction,
  18. 18.
    M’Raïhi, D., Naccache, D.: Batch exponentiation: a fast DLP-based signature generation strategy. In: CCS 1996: Proceedings of the 3rd ACM conference on Computer and communications security, pp. 58–61 (1993)Google Scholar
  19. 19.
    Menezes, A.: Another look at HMQV. Journal of Mathematical Cryptology 1(1), 47–64 (2007)zbMATHCrossRefMathSciNetGoogle Scholar
  20. 20.
    Menezes, A., van Oorschot, P., Vanstone, S.: Handbook of applied cryptography, Florida, USA. CRC Press, Boca Raton (1997)zbMATHGoogle Scholar
  21. 21.
    Menezes, A., Ustaoglu, B.: On the importance of public-key validation in the MQV and HMQV key agreement protocols. In: Barua, R., Lange, T. (eds.) INDOCRYPT 2006. LNCS, vol. 4329, pp. 133–147. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  22. 22.
    Okamoto, T.: Authenticated key exchange and key encapsulation in the standard model. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 474–484. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  23. 23.
    Okamoto, T., Pointcheval, D.: The Gap-Problems: A new class of problems for the security of cryptographic schemes. In: Kim, K.-c. (ed.) PKC 2001. LNCS, vol. 1992, pp. 104–118. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  24. 24.
    Pointcheval, D., Stern, J.: Security Arguments for Digital Signatures and Blind Signatures. J. of Cryptology 13(3), 361–396 (2000)zbMATHCrossRefGoogle Scholar
  25. 25.
    Ustaoğlu, B.: Obtaining a secure and efficient key agreement protocol for (H)MQV and NAXOS. Designs, Codes and Cryptography 46(3), 329–342 (2008),
  26. 26.
    Wu, J., Ustaoğlu, B.: Efficient Key Exchange with Tight Security Reduction, Technical Report CACR 2009-23, University of Waterloo (2009),

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Minkyu Kim
    • 1
  • Atsushi Fujioka
    • 2
  • Berkant Ustaoğlu
    • 2
  1. 1.ISaC and Department of Mathematical SciencesSeoul National UniversitySeoulKorea
  2. 2.NTT Information Sharing Platform LaboratoriesTokyoJapan

Personalised recommendations