Schnorr-Like Identification Scheme Resistant to Malicious Subliminal Setting of Ephemeral Secret

“…We propose an extension to HMQV (applicable to similar 2-party protocols) which protects against the eKCI attack and which does not destroy the protocol deniability property: for the initiator and subsequently for the responder. We use for that purpose the modified Schnorr identification scheme [19], which is secure even if the ephemeral secrets of parties are compromised. To the best of our knowledge it is the first proposition of this kind for AKE protocols so far.…”

“…The proposition exchanges the cryptographic building blocks, preserving the construction design, but as the original version, it is still eKCI vulnerable. It is an interesting open question how this particular postquantum HMQV construction can be improved, as the modification based on [19] proposed in our paper is also vulnerable to quantum attacks. There are also approaches for a partial leakage of cryptographic material and bad randomness.…”

“…Please note, additionally, that in the context of immunizing AKE protocols to eKCI attacks, the construction [41], which follows up the paper [19] and is a modification of Okamoto identification scheme, can be also taken into consideration as the authentication layer: as it is deniable and resistant to ephemeral values leakage and setup.…”

“…We discuss how that approach breaks the deniability of the original HMQV. In Section 4 we propose a solution to the eKCI attack on HMQV based on the modified Schnorr authentication protocol from [19]. We recall the original Schnorr authentication protocol, discuss its deniability property, and show that it is inadequate in setups where the ephemeral keys can be leaked.…”

“…However in our modified protocol (called mHMQV) we exchange the undeniable layer of BLS with the deniable layer of Schnorr-like protocol from [19]. Therefore our proposition mHMQV is deniable like original HMQV and is eKCI resistant like BLS-HMQV, with its two-layer composition.…”

Deniable Key Establishment Resistance against eKCI Attacks

“…We propose an extension to HMQV (applicable to similar 2-party protocols) which protects against the eKCI attack and which does not destroy the protocol deniability property: for the initiator and subsequently for the responder. We use for that purpose the modified Schnorr identification scheme [19], which is secure even if the ephemeral secrets of parties are compromised. To the best of our knowledge it is the first proposition of this kind for AKE protocols so far.…”

“…The proposition exchanges the cryptographic building blocks, preserving the construction design, but as the original version, it is still eKCI vulnerable. It is an interesting open question how this particular postquantum HMQV construction can be improved, as the modification based on [19] proposed in our paper is also vulnerable to quantum attacks. There are also approaches for a partial leakage of cryptographic material and bad randomness.…”

“…Please note, additionally, that in the context of immunizing AKE protocols to eKCI attacks, the construction [41], which follows up the paper [19] and is a modification of Okamoto identification scheme, can be also taken into consideration as the authentication layer: as it is deniable and resistant to ephemeral values leakage and setup.…”

“…We discuss how that approach breaks the deniability of the original HMQV. In Section 4 we propose a solution to the eKCI attack on HMQV based on the modified Schnorr authentication protocol from [19]. We recall the original Schnorr authentication protocol, discuss its deniability property, and show that it is inadequate in setups where the ephemeral keys can be leaked.…”

“…However in our modified protocol (called mHMQV) we exchange the undeniable layer of BLS with the deniable layer of Schnorr-like protocol from [19]. Therefore our proposition mHMQV is deniable like original HMQV and is eKCI resistant like BLS-HMQV, with its two-layer composition.…”

Deniable Key Establishment Resistance against eKCI Attacks

Anonymous Deniable Identification in Ephemeral Setup and Leakage Scenarios (Brief Announcement)

Identity-Based Signature Scheme Secure in Ephemeral Setup and Leakage Scenarios