SAS-Based Authenticated Key Agreement

  • Sylvain Pasini
  • Serge Vaudenay
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3958)


Key agreement protocols are frequently based on the Diffie-Hellman protocol, but their messages must be authenticated in both directions. This can be done with a cross-authentication protocol. Such protocols, built on the assumption that a channel able to authenticate short strings is available (SAS-based), were proposed by Vaudenay. In this paper we survey existing protocols and propose a new one. Our protocol requires three moves and a single SAS, which is authenticated in both directions. It is provably secure in the random oracle model. Security can also be obtained from a generic construction (e.g. in the standard model) at the price of an extra move. We discuss applications such as secure peer-to-peer VoIP.
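The following is an added illustration, not code from the paper: a toy three-move Diffie-Hellman exchange in which one short authenticated string (SAS) authenticates both directions, in the style the abstract describes. The concrete choices are assumptions made for the example: the commitment is a SHA-256 hash playing the role of the random oracle, the SAS is R_A xor R_B where each party contributes a K-bit random string, and the group is a small Mersenne prime chosen only to keep the demo short. The paper's actual protocol and its proof are not reproduced here. The MITM function shows the point a practitioner cares about: an attacker who substitutes her own shares must choose the value she sends to Alice before the commitment on R_A is opened, so she wins only by guessing R_A, i.e. with probability about 2^-K per run.

```python
"""Toy three-move SAS-based authenticated Diffie-Hellman (illustration only)."""
import hashlib
import random
import secrets

# Constructed demo parameters: a small Mersenne prime and a 20-bit SAS.
# Real deployments use a standard group and an application-appropriate SAS length.
P = 2**127 - 1
G = 3
K = 20  # SAS bits; an active attacker succeeds with probability ~2^-K per run


def i2b(n: int) -> bytes:
    return n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")


def H(*parts: bytes) -> bytes:
    """SHA-256 over length-prefixed parts, standing in for the random oracle."""
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()


def make_rng(seed):
    """Seeded RNG for reproducible runs; CSPRNG when no seed is given."""
    return secrets.SystemRandom() if seed is None else random.Random(seed)


class Alice:
    """Initiator: commits to (pk_A, R_A) in move 1, opens the commitment in move 3."""

    def __init__(self, rng):
        self.x = rng.randrange(2, P - 1)
        self.pk = pow(G, self.x, P)
        self.r_a = rng.getrandbits(K)
        self.d = rng.getrandbits(128).to_bytes(16, "big")  # decommitment value
        self.c = H(i2b(self.pk), i2b(self.r_a), self.d)

    def move1(self):
        return self.pk, self.c  # sent over the insecure channel

    def move3(self, pk_b, r_b):
        self.sas = self.r_a ^ r_b
        self.key = H(b"key", i2b(pow(pk_b, self.x, P)))
        return self.r_a, self.d  # opening of the commitment


class Bob:
    """Responder: answers with (pk_B, R_B), then checks the opening of the commitment."""

    def __init__(self, rng):
        self.y = rng.randrange(2, P - 1)
        self.pk = pow(G, self.y, P)
        self.r_b = rng.getrandbits(K)

    def move2(self, pk_a, c):
        self.pk_a, self.c = pk_a, c
        return self.pk, self.r_b

    def finish(self, r_a, d):
        if H(i2b(self.pk_a), i2b(r_a), d) != self.c:
            raise ValueError("commitment does not open to the received pk_A")
        self.sas = r_a ^ self.r_b
        self.key = H(b"key", i2b(pow(self.pk_a, self.y, P)))


def sas_string(sas: int) -> str:
    """What the users compare over the authenticated channel (e.g. read aloud)."""
    return f"{sas:0{len(str(2**K - 1))}d}"


def honest_session(seed=None):
    rng = make_rng(seed)
    alice, bob = Alice(rng), Bob(rng)
    pk_a, c = alice.move1()
    pk_b, r_b = bob.move2(pk_a, c)
    bob.finish(*alice.move3(pk_b, r_b))
    return {"sas_alice": sas_string(alice.sas), "sas_bob": sas_string(bob.sas),
            "key_alice": alice.key, "key_bob": bob.key}


def mitm_session(seed=None, guess=0):
    """Mallory substitutes her own DH shares. For the two SAS values to agree she
    needs R_B' = R_A xor R_M xor R_B, but R_A is still hidden by the commitment
    when she must send R_B'; `guess` is her guess for R_A."""
    rng = make_rng(seed)
    alice, bob, mallory = Alice(rng), Bob(rng), Alice(rng)  # Mallory plays A toward Bob
    pk_mal_to_alice = pow(G, rng.randrange(2, P - 1), P)
    alice.move1()                                    # intercepted and dropped
    pk_b, r_b = bob.move2(*mallory.move1())          # Bob answers Mallory's commitment
    r_b_forged = guess ^ mallory.r_a ^ r_b
    r_a, _ = alice.move3(pk_mal_to_alice, r_b_forged)
    bob.finish(*mallory.move3(pk_b, r_b))            # opens fine: it is Mallory's own commitment
    return {"r_a": r_a, "sas_alice": sas_string(alice.sas),
            "sas_bob": sas_string(bob.sas), "keys_agree": alice.key == bob.key}


if __name__ == "__main__":
    print(honest_session(7))
    print(mitm_session(7, guess=0))
```

In the honest run both parties derive the same key and the same SAS; in the attacked run the keys never agree, and the SAS comparison over the authenticated channel is what exposes this unless Mallory's guess for R_A was right. The real key derivation should also bind the full transcript; the toy KDF above hashes only the shared secret.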




  1. [BR93]
    Bellare, M., Rogaway, P.: Entity authentication and key distribution. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 232–249. Springer, Heidelberg (1993)
  2. [ČČH06]
    Čagalj, M., Čapkun, S., Hubaux, J.-P.: Key agreement in peer-to-peer wireless networks. Proceedings of the IEEE, Special Issue in Security and Cryptography 94(2), 467–478 (2006)
  3. [CGH98]
    Canetti, R., Goldreich, O., Halevi, S.: The random oracle methodology revisited (preliminary version). In: STOC 1998: Proceedings of the thirtieth annual ACM symposium on Theory of computing, May 1998, pp. 209–218. ACM Press, New York (1998)
  4. [CS02]
    Cramer, R., Shoup, V.: Universal hash proofs and a paradigm for adaptive chosen ciphertext secure public-key encryption. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, p. 45. Springer, Heidelberg (2002)
  5. [DH76]
    Diffie, W., Hellman, M.E.: New directions in cryptography. IEEE Transactions on Information Theory IT-22(6), 644–654 (1976)
  6. [DSS00]
    Digital signature standard (DSS). Federal Information Processing Standard, Publication 186-2, U.S. Department of Commerce, National Institute of Standards and Technology (2000)
  7. [GMN04]
    Gehrmann, C., Mitchell, C.J., Nyberg, K.: Manual authentication for wireless devices. RSA Cryptobytes 7(1), 29–37 (2004)
  8. [GN01]
    Gehrmann, C., Nyberg, K.: Enhancements to Bluetooth baseband security. In: Nordsec 2001, Copenhagen, Denmark (November 2001)
  9. [GN04]
    Gehrmann, C., Nyberg, K.: Security in personal area networks. Security for Mobility, 191–230 (2004)
  10. [Hoe04]
    Hoepman, J.-H.: The ephemeral pairing problem. In: Juels, A. (ed.) FC 2004. LNCS, vol. 3110, pp. 212–226. Springer, Heidelberg (2004)
  11. [Kra94]
    Krawczyk, H.: LFSR-based hashing and authentication. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 129–139. Springer, Heidelberg (1994)
  12. [LAN05]
    Laur, S., Asokan, N., Nyberg, K.: Efficient mutual data authentication using manually authenticated strings. Cryptology ePrint Archive, Report 2005/424 (2005)
  13. [MY04]
    MacKenzie, P., Yang, K.: On simulation-sound trapdoor commitments. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 382–400. Springer, Heidelberg (2004)
  14. [PV06]
    Pasini, S., Vaudenay, S.: An optimal non-interactive message authentication protocol. In: Pointcheval, D. (ed.) CT-RSA 2006. LNCS, vol. 3860, pp. 280–294. Springer, Heidelberg (2006)
  15. [RSA78]
    Rivest, R.L., Shamir, A., Adleman, L.M.: A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM 21(2), 120–126 (1978)
  16. [Sti91]
    Stinson, D.: Universal hashing and authentication codes. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 74–85. Springer, Heidelberg (1992)
  17. [Sti94]
    Stinson, D.: Universal hashing and authentication codes. Designs, Codes and Cryptography 4, 369–380 (1994)
  18. [Vau05]
    Vaudenay, S.: Secure communications over insecure channels based on short authenticated strings. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 309–326. Springer, Heidelberg (2005)
  19. [Vau06]
    Vaudenay, S.: On Bluetooth repairing: Key agreement based on symmetric-key cryptography. In: Feng, D., Lin, D., Yung, M. (eds.) CISC 2005. LNCS, vol. 3822, pp. 1–9. Springer, Heidelberg (2006)

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Sylvain Pasini (1)
  • Serge Vaudenay (1)
  1. EPFL, Lausanne, Switzerland
