Composability and On-Line Deniability of Authentication

Dodis, Yevgeniy; Katz, Jonathan; Smith, Adam; Walfish, Shabsi

doi:10.1007/978-3-642-00457-5_10

Cited by 44 publications

(52 citation statements)

References 34 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Implicit DAKE schemes, such as those from Cremers and Feltz [CF11], from Yao and Zhao [YZ13], and 3-DH [Ope13d], all lack online repudiation because they include non-repudiable (and thus non-simulatable) signatures. The scheme introduced as Φ dre by Walfish in his Ph.D. thesis [Wal08], and later reiterated in a publication by Dodis et al [DKSW09], does satisfy all of our requirements for a DAKE; we discuss this protocol in greater depth in Section 3.6.…”

Section: Deniable Authenticated Key Exchangesmentioning

confidence: 99%

Deniable Key Exchanges for Secure Messaging

Unger

Goldberg

2015

Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security

View full text Add to dashboard Cite

Section: Deniable Authenticated Key Exchangesmentioning

confidence: 99%

Deniable Key Exchanges for Secure Messaging

Unger

Goldberg

2015

Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security

View full text Add to dashboard Cite

“…Ideally, the advantage should be small for any efficient D and A and where the simulator's efficiency characteristics are close to the one of the adversary. We note that there are even stronger versions, called online deniability [DKSW09] where the distinguisher can communicate with the malicious party resp. the simulator while the protocol is executed.…”

Section: Defining Deniabilitymentioning

confidence: 99%

The PACE|AA Protocol for Machine Readable Travel Documents, and Its Security

Bender

Dagdelen

Fischlin

et al. 2012

Financial Cryptography and Data Security

View full text Add to dashboard Cite

Abstract. We discuss an efficient combination of the cryptographic protocols adopted by the International Civil Aviation Organization (ICAO) for securing the communication of machine readable travel documents and readers. Roughly, in the original protocol the parties first run the Password-Authenticated Connection Establishment (PACE) protocol to establish a shared key and then the reader (optionally) invokes the Active Authentication (AA) protocol to verify the passport's validity. Here we show that by carefully re-using some of the secret data of the PACE protocol for the AA protocol one can save one exponentiation on the passports's side. We call this the PACE|AA protocol. We then formally prove that this more efficient combination not only preserves the desirable security properties of the two individual protocols but also increases privacy by preventing misuse of the challenge in the Active Authentication protocol. We finally discuss a solution which allows deniable authentication in the sense that the interaction cannot be used as a proof towards third parties.

show abstract

“…A recent paper [2] gives a detailed evaluation of the energy costs of interactive and non-interactive key exchange protocols in the ID-based and PKI settings for wireless communications with a jamming adversary, demonstrating that significant energy savings can be made by adopting a non-interactive approach to key establishment. Its non-interactive nature makes NIKE an abstract building block that is qualitatively different from interactive key exchange: e.g., to achieve deniable authentication, [3] explicitly requires a non-interactive key exchange. But NIKE can also be used as a basis for interactive key exhange [4,5,6]: for example, in [5], the authors use the shared key in a MAC to authenticate an exchange of ephemeral Diffie-Hellman values.…”

Section: Introductionmentioning

confidence: 99%

“…The model for NIKE in [10] is similar to, and presumably inspired by, the early work of Shoup [16] on interactive key exchange, where capturing so-called PKI attacks, also known as rogue-key attacks, was intrinsic to the security modelling. This modelling approach is referred to elsewhere in the literature as the plain setting (see [20,21] and the references therein) or the bare PKI setting [3]. The CKS model is certainly more challenging than settings where proofs of knowledge or proofs of possession of private keys are assumed to be given during registration, or where the adversary must reveal its secret key directly (as with the knowledge of secret key assumption used in [22,23]).…”

Section: Introductionmentioning

confidence: 99%

“…Certainly this problem could be solved instead by appealing to a suitable gap-DH assumption. We show how 3 Concretely, since shared keys do not depend on party identities in the unhashed DH-NIKE, an adversary A can (a) register the key g x of an honest party Alice as its own key, and (b) ask for the shared key between A and another honest party Bob with key g y . This immediately yields the shared key g xy between Alice and Bob.…”

mentioning

confidence: 99%

See 1 more Smart Citation

Non-Interactive Key Exchange

Freire

Hofheinz

Kiltz

et al. 2013

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Non-interactive key exchange (NIKE) is a fundamental but much-overlooked cryptographic primitive. It appears as a major contribution in the ground-breaking paper of Diffie and Hellman, but NIKE has remained largely unstudied since then. In this paper, we provide different security models for this primitive and explore the relationships between them. We then give constructions for secure NIKE in the Random Oracle Model based on the hardness of factoring and in the standard model based on the hardness of a variant of the decisional Bilinear Diffie Hellman Problem for asymmetric pairings. We also study the relationship between NIKE and public key encryption (PKE), showing that a secure NIKE scheme can be generically converted into an IND-CCA secure PKE scheme. This conversion also illustrates the fundamental nature of NIKE in public key cryptography.

show abstract

Composability and On-Line Deniability of Authentication

Cited by 44 publications

References 34 publications

Deniable Key Exchanges for Secure Messaging

Deniable Key Exchanges for Secure Messaging

The PACE|AA Protocol for Machine Readable Travel Documents, and Its Security

Non-Interactive Key Exchange

Contact Info

Product

Resources

About