Key wrapping schemes are used to encrypt data of high entropy, such as cryptographic keys. There are two known security definitions for key wrapping schemes. One captures the security against chosen plaintext attacks (called DAE-security), and the other captures known plaintext attacks (called AKW-security). In this paper, we revisit the security of Hash-then-CBC key wrapping schemes. In [17], Osaki and Iwata showed that the UCC-then-CBC key wrapping scheme, a key wrapping scheme that uses the UCC hash function and CBC mode, has provable AKW-security. In this paper, we show that the scheme achieves the stronger notion of DAE-security. We also show our proof in the variable input length setting, where the adversary is allowed making queries of varying lengths. Furthermore, we consider the scheme that incorporates the use of headers. To handle such a setting, we generalize the previous definition of the UCC hash function to the variable input length setting and to take the header as its input, and show an efficient construction that meets the definition.

LaMacchia, Lauter and Mityagin [19] proposed a novel security definition for authenticate key exchange (AKE) that gives an adversary the power to obtain ephemeral information regarding a target test session. To demonstrate feasibility of secure protocols in the new definition, henceforth called eCK, the authors described a protocol called NAXOS. NAXOS combines an ephemeral private key x with a static private key a to generate an ephemeral public key X (more precisely in what we call the NAXOS' approach X = gH(x,a)). Thus no one is able to query the discrete logarithm of X without knowing both the ephemeral and static private keys. This idea is crucial in the security argument to guard against leaked ephemeral secrets belonging to the test session. Another important assumption is the gap assumption that allows the protocol to remain secure even in the presence of malicious insiders. Both ideas have been successfully used in creating various protocols secure in the eCK model. In this paper, we construct two eCK-secure protocols without the above mentioned ideas. KFU1 is secure under the GDH assumption without using the NAXOS' approach. KFU2 builds upon KFU1 and drops the gap requirement, thus it is secure under the CDH assumption. Efficiency and security of the proposed protocols are comparable to the well-known HMQV [15] protocol. Furthermore, unlike HMQV and NAXOS the use of the random oracle in KFU1 and KFU2 is restricted to the key derivation function making them more suitable for practical applications.

An anonymous password-authenticated key exchange (PAKE) protocol is designed to provide both password-only authentication and client anonymity against a semi-honest server, who honestly follows the protocol. In INDOCRYPT2008, Yang and Zhang [26] proposed a new anonymous PAKE (NAPAKE) protocol and its threshold (D-NAPAKE) which they claimed to be secure against insider attacks. In this paper, we first show that the D-NAPAKE protocol [26] is completely insecure against insider attacks unlike their claim. Specifically, only one legitimate client can freely impersonate any subgroup of clients (the threshold t > 1) to the server. After giving a security model that captures insider attacks, we propose a threshold anonymous PAKE (called, TAP+) protocol which provides security against insider attacks. Moreover, we prove that the TAP+ protocol has semantic security of session keys against active attacks as well as insider attacks under the computational Diffie-Hellman problem, and provides client anonymity against a semi-honest server, who honestly follows the protocol. Finally, several discussions are followed: 1) We also show another threshold anonymous PAKE protocol by applying our RATIONALE to the non-threshold anonymous PAKE (VEAP) protocol [23]; and 2) We give the efficiency comparison, security consideration and implementation issue of the TAP+ protocol.

Authenticated encryption schemes are very useful for private and authenticated communication. In 2010, Rasslan and Youssef showed that the Hwang et al.'s authenticated encryption scheme is not secure by presenting a message forgery attack. However, Rasslan and Youssef did not give how to solve the security issue. In this letter, we give an improvement of the Hwang et al.'s scheme. The improved scheme not only solves the security issue of the original scheme, but also maintains its efficiency.

In this paper, we propose two authenticated key exchange(AKE) protocols and prove their security in the extended Canetti-Krawczyk model. The first protocol, called NAXOS+, is obtained by slightly modifying the NAXOS protocol proposed by LaMacchia, Lauter and Mityagin [15]. We prove its security under the Computational Diffie-Hellman (CDH) assumption by using the trapdoor test introduced in [6]. To the authors' knowledge, this is the first AKE protocol which is secure under the CDH assumption in the eCK model. The second protocol, called NETS, enjoys a simple and tight security reduction compared to existing schemes including HMQV and CMQV without using the Forking Lemma. Since each session of the NETS protocol requires only three exponentiations per party, its efficiency is also comparable to MQV, HMQV and CMQV.

Secure channels can be realized by an authenticated key exchange (AKE) protocol that generates authenticated session keys between the involving parties. In, Shin et al., proposed a new kind of AKE (RSA-AKE) protocol whose goal is to provide high efficiency and security against leakage of stored secrets as much as possible. Let us consider more powerful attacks where an adversary completely controls the communications and the stored secrets (the latter is denoted by "replacement" attacks). In this paper, we first show that the RSA-AKE protocol is no longer secure against such an adversary. The main contributions of this paper are as follows: (1) we propose an RSA-based leakage-resilient AKE (RSA-AKE2) protocol that is secure against active attacks as well as replacement attacks; (2) we prove that the RSA-AKE2 protocol is secure against replacement attacks based on the number theory results; (3) we show that it is provably secure in the random oracle model, by showing the reduction to the RSA one-wayness, under an extended model that covers active attacks and replacement attacks; (4) in terms of efficiency, the RSA-AKE2 protocol is comparable to in the sense that the client needs to compute only one modular multiplication with pre-computation; and (5) we also discuss about extensions of the RSA-AKE2 protocol for several security properties (i.e., synchronization of stored secrets, privacy of client and solution to server compromise-impersonation attacks).

Tseng et al. proposed two efficient authenticated encryption schemes with message linkages for message flows. Hwang et al. (IEICE Trans. Inf. and Syst., Vol. E89-D, No. 4, April 2006) presented a forgery attack against these two schemes and proposed an improvement that they claim resists such attacks. In this paper, we show that the improved authenticated encryption schemes proposed by Hwang et al. are not secure by presenting another message forgery attack against these improved schemes.

Security and privacy of wireless sensor networks are key research issues recently. Most existing researches regarding wireless sensor networks security consider homogenous sensor networks. To achieve better security and performance, we adopt a heterogeneous wireless sensor network (HWSN) model that consists of physically different types of sensor nodes. This paper presents a secure message distribution scheme with configurable privacy for HWSNs, which takes advantage of powerful high-end sensor nodes. The scheme establishes a message distribution topology in an efficient and secure manner. The sensor node only need generate one signature for all the messages for all the users, which can greatly save the communication and computation cost of the sensor node. On the other hand, the user can only know the messages that let him know based on a pre-set policy, which can meet the requirement of the privacy. We show that the scheme has small bandwidth requirements and it is resilient against the node compromise attack.

An anonymous password-authenticated key exchange (anonymous PAKE) protocol is designed to provide both password-only authentication and user anonymity against a semi-honest server, who follows the protocol honestly. Very recently, Yang and Zhang have proposed a new anonymous PAKE (NAPAKE) protocol that is claimed efficient compared to the previous constructions. In this paper, we propose a very-efficient anonymous PAKE (called, VEAP) protocol that provides the most efficiency among their kinds in terms of computation and communication costs. The VEAP protocol guarantees semantic security of session keys in the random oracle model under the chosen target CDH problem, and unconditional user anonymity against a semi-honest server. If the pre-computation is allowed, both the user and the server are required to compute only one modular exponentiation, respectively. Surprisingly, this is the same computation cost of the well-known Diffie-Hellman protocol that does not provide authentication at all. In addition, we extend the VEAP protocol in two ways: the first is designed to reduce the communication costs of the VEAP protocol and the second shows that stripping off anonymity parts from the VEAP protocol results in a new PAKE protocol.

The purpose of this paper is to study sender authenticated key agreements by a third party, which uses the received parameters to verify the fact that a sender of a message knows his long-term private key. In particular, we propose a standard model for the protocol among three entities for the first time. The security of this protocol depends on the difficulty of solving two new problems related to one-way isomorphisms and the decision co-bilinear Diffie-Hellman problem on multiplicative cyclic groups. It is the first time that the security of a key agreement has been formally proven by using negligible probability. We believe that our contribution gives many applications in the cryptographic community.

In this paper, we raise a question about existence of secure password-based authenticated key exchange against leakage of internal states (i.e., the passwords and session-specific private information). Toward this question, first, we classify six models of adversary's capabilities about leakage. Next, as a result of considerations for 2-party PAKE, we find two negative answers, but also find a positive answer. More specifically, we show that there exists no scheme which is secure in strong leakage models, but we also show that there exists a scheme which is secure in weak leakage models. Also, we consider the case of 3-party setting which is a special setting of password-based authenticated key exchange, and we find similar impossibilities as 2-party setting.

This letter proposes an identity-based authenticated key agreement protocol. Different from available comparable ones, the new protocol realizes implicit authentication without bilinear pairings which makes it more efficient. The security of proposed protocol can be reduced to the standard Computational Diffie-Hellman problem. Two variants of the protocol are also given, with one achieving the security-efficiency trade-off and the other providing authenticated key agreement between users of different domains.

In 2004, Choi et al. proposed an ID-based authenticated group key agreement. Unfortunately, their protocol was found to be vulnerable to the insider attacks by Zhang, Chen and Shim. To prevent insider attacks, Shim presented a modification of Choi et al.'s protocol. In this letter, we first show that Shim's modification is still insecure against insider attacks. We then present a modification of Choi et al.'s protocol that resists insider attacks. The counter-measure uses an ID-based signature on transcripts in order to bind them in a session. This prevents any replay of transcripts. Especially, by applying ID-based batch verification, the proposed one still consists of two rounds and is computationally efficient.

Both mutual authentication and generation of session keys can be accomplished by an authenticated key exchange (AKE) protocol. Let us consider the following situation: (1) a client, who communicates with many different servers, remembers only one password and has insecure devices (e.g., mobile phones or PDAs) with very-restricted computing power and built-in memory capacity; (2) the counterpart servers have enormous computing power, but they are not perfectly secure against various attacks (e.g., virus or hackers); (3) neither PKI (Public Key Infrastructures) nor TRM (Tamper-Resistant Modules) is available. The main goal of this paper is to provide security against the leakage of stored secrets as well as to attain high efficiency on client's side. For those, we propose an efficient and leakage-resilient RSA-based AKE (RSA-AKE) protocol suitable for the above situation whose authenticity is based on password and another secret. In the extended model where an adversary is given access to the stored secret of client, we prove that its security of the RSA-AKE protocol is reduced tightly to the RSA one-wayness in the random oracle model. We also show that the RSA-AKE protocol guarantees several security properties (e.g., security of password, multiple sever scenario with only one password, perfect forward secrecy and anonymity). To our best knowledge, the RSA-AKE protocol is the most efficient, in terms of both computation costs of client and communication costs, over the previous AKE protocols of their kind (using password and RSA).

Recently, Choi et al. proposed an ID-based authenticated group key agreement with bilinear maps. Subsequently, Zhang and Chen showed that the protocol does not provide authenticity as claimed by replaying transcripts of the past session. To prevent those replay attacks, they suggest adding a time parameter to the message being signed. However, despite of such a modification, we show that the protocol is still insecure against insider colluding attacks without replaying transcripts of the past session.

Password-based authenticated key exchange protocols are more convenient and practical, since users employ human-memorable passwords that are simpler to remember than cryptographic secret keys or public/private keys. Abdalla, Fouque, and Pointcheval proposed the password-based authenticated key exchange protocol in a 3-party model (GPAKE) in which clients trying to establish a secret do not share a password between themselves but only with a trusted server. On the other hand, Canetti presented a general framework, which is called universally composable (UC) framework, for representing cryptographic protocols and analyzing their security. In this framework, the security of protocols is maintained under a general protocol composition operation called universal composition. Canetti also proved a UC composition theorem, which states that the definition of UC-security achieves the goal of concurrent general composition. A server must manage all the passwords of clients when the 3-party password-based authenticated key exchange protocols are realized in large-scale networks. In order to resolve this problem, we propose a hierarchical hybrid authenticated key exchange protocol (H2AKE). In H2AKE, forwarding servers are located between each client and a distribution server, and the distribution server sends the client an authentication key via the forwarding servers. In H2AKE, public/private keys are used between servers, while passwords are also used between clients and forwarding servers. Thus, in H2AKE, the load on the distribution server can be distributed to the forwarding servers concerning password management. In this paper, we define hierarchical hybrid authenticated key exchange functionality. H2AKE is the universal form of the hierarchical (hybrid) authenticated key exchange protocol, which includes a 3-party model, and it has the characteristic that the construction of the protocol can flexibly change according to the situation. We also prove that H2AKE is secure in the UC framework with the security-preserving composition property.

Recently, Dutta and Barua proposed provably secure constant round authenticated group key agreement protocols in dynamic scenario. In this letter, we show that their Leave Protocol does not provide forward secrecy, that is, a leaving user can still obtain the new session key used in subsequent sessions.

Hirose and Yoshida proposed an authenticated key agreement protocol based on the intractability of the Computational Diffie-Hellman problem. Recently, Hirose and Matsuura pointed out that Hirose and Yoshida's protocol is vulnerable to Denial-of-Service (DoS) attacks. And they proposed two key agreement protocols which are resistant to the DoS attacks. Their protocols are the first authenticated key agreement protocols resistant to both the storage exhaustion attack and the CPU exhaustion attack. In this paper we show that Hirose and Matsuura's DoS-resistant key agreement protocols and Hirose and Yoshida's key agreement protocol are vulnerable to impersonation attacks. We make suggestions for improvements.

SOBER-128 is a stream cipher designed by Rose and Hawkes in 2003. It can be also used for generating Message Authentication Codes (MACs) and an authenticated encryption. The developers claimed that it is difficult to forge MACs generated by both functions of SOBER-128, though, the security assumption in the proposal paper is not realistic in some instances. In this paper, we examine the security of these message authentication mechanisms of SOBER-128 under security channel model. As a result, we show that both a MAC generation and an authenticated encryption are vulnerable against differential cryptanalysis. The success probabilities of the MAC forgery attack are estimated at 2-6 and 2-27 respectively. In addition, we show that some secret bits are revealed if a key is used many times.

In 2002, Zhu et al. proposed a password authenticated key exchange protocol based on RSA such that it is efficient enough to be implemented on most of the target low-power devices such as smart cards and low-power Personal Digital Assistants in imbalanced wireless networks. Recently, YEH et al. claimed that Zhu et al.'s protocol not only is insecure against undetectable on-line password guessing attack but also does not achieve explicit key authentication. Thus they presented an improved version. Unfortunately, we find that YEH et al.'s password guessing attack does not come into existence, and that their improved protocol is vulnerable to off-line dictionary attacks. In this paper we describe our observation in details, and also comment for the original protocol on how to achieve explicit key authentication as well as resist against other existent attacks.