Please use this identifier to cite or link to this item: https://hdl.handle.net/11147/4784
Title: Comparing SessionStateReveal and EphemeralKeyReveal for Diffie-Hellman protocols (extended version)

Authors: Ustaoğlu, Berkant

Keywords: Key agreement protocols; Leakage of ephemeral secrets; Diffie-Hellman assumption; HMQV; NAXOS' approach

Issue Date: 2009

Publisher: International Association for Cryptologic Research

Source: Ustaoğlu, B. (2009). Comparing SessionStateReveal and EphemeralKeyReveal for Diffie-Hellman protocols (extended version). Cryptology ePrint Archive, Report 2009/353. http://eprint.iacr.org/2009/353

Abstract: Both the "eCK" model, by LaMacchia, Lauter and Mityagin, and the "CK01" model, by Canetti and Krawczyk, address the effect of leaking session specific ephemeral data on the security of key establishment schemes. The CK01-adversary is given a SessionStateReveal query to learn session specific private data defined by the protocol specification, whereas the eCK-adversary is equipped with a RevealEphemeralKey query to access all ephemeral private input required to carry session computations. SessionStateReveal *cannot* be issued against the test session; by contrast RevealEphemeralKey *can* be used against the test session under certain conditions. On the other hand, it is not obvious how RevealEphemeralKey compares to SessionStateReveal. Thus it is natural to ask which model is more useful and practically relevant. While formally the models are not comparable, we show that recent analysis utilizing SessionStateReveal and RevealEphemeralKey have a similar approach to ephemeral data leakage. First we pinpoint the features that determine the approach. Then by examining common motives for ephemeral data leakage we conclude that the approach is meaningful, but does not take into account timing, which turns out to be critical for security. Lastly, for Diffie-Hellman protocols we argue that it is important to consider security when discrete logarithm values of the outgoing ephemeral public keys are leaked and offer a method to achieve security even if the values are exposed.

Description: This is an extended version that includes security arguments and more elaborate comparison.

URI: http://eprint.iacr.org/2009/353
http://hdl.handle.net/11147/4784

Appears in Collections:
Mathematics / Matematik
Scopus İndeksli Yayınlar Koleksiyonu / Scopus Indexed Publications Collection
WoS İndeksli Yayınlar Koleksiyonu / WoS Indexed Publications Collection
