#### DMCA

## New Security Results on Encrypted Key Exchange (2004)

Venue: | In PKC ’04, LNCS |

Citations: | 53 - 11 self |

### Citations

1644 | Random Oracles are Practical: A Paradigm for Designing Efficient Protocols
- Bellare, Rogaway
- 1993
(Show Context)
Citation Context ... to the NULL value. Since this hash function is seen as a random oracle, the only way for the client to solve this “puzzle” is to run through all possible prefixed strings and query the random oracle =-=[4]-=-. Later in practice this function is instantiated using specific functions derived from standard hash functions such as SHA1. Once the client has found such a proof of computational effort, it sends i... |

436 | Encrypted Key Exchange: Password-based protocols secure against dictionary attacks.
- Bellovin, Merritt
- 1992
(Show Context)
Citation Context ... a low-quality string chosen from a relatively small dictionary (i.e. 4 decimal digits). The seminal work in this area is the Encrypted Key Exchange (EKE) protocol proposed by Bellovin and Merritt in =-=[5, 6]-=-. EKE is a classical Diffie-Hellman key exchange wherein the two flows are encrypted using the password as a common symmetric key. This encryption primitive can be instantiated via either a password-k... |

402 | Authenticated Key Exchange Secure against Dictionary Attacks,
- Bellare, Pointcheval, et al.
- 2000
(Show Context)
Citation Context ...raphers have indeed began to analyze the AuthA protocol in an ideal model of computation wherein a hash function is modeled via a random function and a block cipher is modeled via random permutations =-=[2, 5, 8]-=-. These analyses have provided useful arguments in favor of AuthA, but do not guarantee that AuthA is secure in the real world. They only show that AuthA is secure against generic attacks that do not ... |

342 |
How to construct pseudo-Random permutations from pseudo-random functions (abstract
- Luby, Rackoff
(Show Context)
Citation Context ...f AuthA. One should indeed note that the ideal-cipher model seems to be a stronger model than the random-oracle one. Even if one knows constructions to build random permutations from random functions =-=[12]-=-, they cannot be used to build ideal ciphers from random oracles. The difference here comes from the fact that the inner functions (random oracles) are available to the adversary. It could compute pla... |

191 | Provably Secure Password-Authenticated Key Exchange Using Diffie-Hellman.
- Boyko, MacKenzie, et al.
- 2000
(Show Context)
Citation Context ...etric cipher or a mask generation function computed as the product of the message with a hash of the password. This efficient structure of EKE has been more recently instantiated in different ways in =-=[7]-=- (with the PPK and the PAK schemes) and with AuthA, considered for standardization by the IEEE P1363 Standard working group on public-key cryptography [3]. The AuthA instantiation with a single mask g... |

152 | Augmented Encrypted Key Exchange: a passwordbased protocol secure against dictionary attacks and password file compromise.
- Bellovin, Merritt
- 1993
(Show Context)
Citation Context ... a low-quality string chosen from a relatively small dictionary (i.e. 4 decimal digits). The seminal work in this area is the Encrypted Key Exchange (EKE) protocol proposed by Bellovin and Merritt in =-=[5, 6]-=-. EKE is a classical Diffie-Hellman key exchange wherein the two flows are encrypted using the password as a common symmetric key. This encryption primitive can be instantiated via either a password-k... |

112 | OAEP reconsidered.
- Shoup
- 2001
(Show Context)
Citation Context ...tions (number of Send-queries) to the number of passwords. Proof. In this proof, we incrementally define a sequence of games starting at the real game G0 and ending up at G5. We use the Shoup’s lemma =-=[13]-=- to bound the probability of each event in these games. Game G0: This is the real protocol, in the random-oracle model. We are interested in the two following events: – S0 (for semantic security), whi... |

105 |
Client puzzles: A cryptographic defense against connection depletion attacks.
- Juels, Brainard
- 1999
(Show Context)
Citation Context ...er side, as well as the storage of any states, after that the initiator of the connection has been identified as being a legitimate client. Roughly speaking, the server sends to the client a “puzzle” =-=[11]-=- to solve which will require from the client to perform multiple cryptographic computations while the server can easily and efficiently check that the solution is correct. Related Work. The IEEE P1363... |

103 | On memory-bound functions for fighting spam.
- Dwork, Goldberg, et al.
- 2003
(Show Context)
Citation Context ...computational power. One approach to counter the latter threat is to make the client compute some form of proof of computational effort, using a “puzzle” [11], also more recently used by Dwork et al. =-=[9]-=- to discourage spam. The present paper builds on that latter concept. 3 2 The OMDHKE Protocol: One-Mask Diffie-Hellman Key Exchange The arithmetic is in a finite cyclic group G = 〈g〉 of order a ℓ-bit ... |

49 | The AuthA protocol for password-based authenticated key exchange
- BELLARE, ROGAWAY
(Show Context)
Citation Context ...ard working group on password-based public key cryptography, similar to the security results for PAK [7]. We have indeed presented a new compact and “elegant” proof of security for the AuthA protocol =-=[3]-=- when the symmetricencryption primitive is instantiated using a mask generation function, which extends our previous work when the symmetric-encryption primitive is assumed to behave like an ideal cip... |

47 | Security Proofs for an Efficient Password-based Key Exchange.
- Bresson, Chevassut, et al.
- 2003
(Show Context)
Citation Context ...raphers have indeed began to analyze the AuthA protocol in an ideal model of computation wherein a hash function is modeled via a random function and a block cipher is modeled via random permutations =-=[2, 5, 8]-=-. These analyses have provided useful arguments in favor of AuthA, but do not guarantee that AuthA is secure in the real world. They only show that AuthA is secure against generic attacks that do not ... |

22 |
secure key exchange for internet protocols
- Efficient
- 2002
(Show Context)
Citation Context ...llare et al. security model (but also of MDHKE in the appendix), that is less prone to errors. Several works have already focused on designing mechanisms to protect against DoS attacks. Aiello et al. =-=[1]-=- treat the amount of Perfect Forward-Secrecy (PFS) as an engineering parameter that can be traded off against resistance to DoS attacks. DoS-resistance is achieved by saving the “state” of the current... |