This paper gives the first bit security result for the elliptic curve Diffie–Hellman key exchange protocol for elliptic curves defined over prime fields. About 5/6 of the most significant bits of the x-coordinate of the Diffie–Hellman key are as hard to compute as the entire key. A similar result can be derived for the 5/6 lower bits. The paper also generalizes and improves the result for ellip...

The Weil and Tate pairings are a popular new gadget in cryptography and have found many applications, including identity-based cryptography. In particular, the pairings have been used for key exchange protocols. This paper studies the bit security of keys obtained using protocols based on pairings (that is, we show that obtaining certain bits of the common key is as hard as computing the entire...

This document describes how the Elliptic Curve Digital Signature Algorithm (ECDSA) may be used as the authentication method within the Internet Key Exchange (IKE) and Internet Key Exchange version 2 (IKEv2) protocols. ECDSA may provide benefits including computational efficiency, small signature sizes, and minimal bandwidth compared to other available digital signature methods. This document ad...

Section 2 introduces some clcmcntary mathematical concepts that will be used throughout the paper. Section 3 specifics the necessary assumptions and initializations for the method proposed here. Section 4 describes the key exchange protocol. Section 5 prcscnts a variation of the key exchange algorithm, which yields the signature schcmc. In Section b, a number of attacks to the key cxchangc and ...

In the paper “Stronger Security of Authenticated Key Exchange” [11, 12], a new security model for authenticated key exchange protocols (eCK) is proposed. The new model is suggested to be at least as strong as previous models for key exchange protocols, such as the CK model [5, 10]. The model includes a new notion of an EphemeralKeyReveal adversary query, which is claimed in e. g. [11, 17, 18] t...

The Internet Key Exchange protocol version 2 (IKEv2) does not allow secure peer authentication when using short credential strings, i.e., passwords. Several proposals have been made to integrate passwordauthentication protocols into IKE. This document provides an adaptation of Password Authenticated Connection Establishment (PACE) to the setting of IKEv2 and demonstrates the advantages of this ...

Security models for two-party authenticated key exchange (AKE) protocols have developed over time to provide security even when the adversary learns certain secret keys. In this work, we advance the modelling of AKE protocols by considering more granular, continuous leakage of long-term secrets of protocol participants: the adversary can adaptively request arbitrary leakage of long-term secrets...

This document defines an Experimental Protocol for the Internet community. This is a contribution to the RFC Series, independently of any other RFC stream. The RFC Editor has chosen to publish this document at its discretion and makes no statement about its value for implementation or deployment. Documents approved for publication by the RFC Editor are not a candidate for any level of Internet ...

Electronic auction is popular due to rapid development of Internet technology. However, the identity and privacy of bidders are facing an insecure environment. Hence, a secure trade-off environment which can protect the privacy of bidders is necessary for auction. However, it never emerges as a reasonable and complete solution for the auction center to control the bidder’s privacy from contempo...

In this paper we show how the NRL Protocol Analyzer, a special-purpose formal methods tool designed for the veri cation of cryptographic protocols, was used in the analysis of the Internet Key Exchange (IKE) protocol. We describe some of the challenges we faced in analyzing IKE, which speci es a set of closely related subprotocols, and we show how this led to a number of improvements to the Ana...