Cryptology ePrint Archive: Report 2007/191

Deniable Internet Key-Exchange

Andrew C. C. Yao, Frances F. Yao, Yunlei Zhao, Bin Zhu

Abstract: In this work, we develop a family of protocols for deniable Internet Key-Exchange (IKE) with the following properties:

1. item Highly practical efficiency, and conceptual simplicity and clarity.

2. Forward and concurrent (non-malleable) deniability against adversaries with arbitrary auxiliary inputs, and better privacy protection of players' roles.

3. Provable security in the Canetti-Krawczyk post-specified-peer model, and maintenance of essential security properties not captured by the Canetti-Krawczyk security model.

4. Compatibility with the widely deployed and standardized SIGMA (i.e., the basis of IKEv2) and (H)MQV protocols, when parties possess DL public-keys.

Our protocols could potentially serve, in part, as either the underlying basis or a useful alternative for the next generation of IKE (i.e., IKEv3) of IPsec (in particular, when deniability is desired). In view of the wide deployment and use of IKE and increasing awareness of privacy protection (especially for E-commerce over Internet), this work is naturally of practical interest.

Category / Keywords: cryptographic protocols /

Publication Info: Rump session presentation at Eurocrypt 2007

Date: received 23 May 2007, last revised 21 Jun 2007

Contact author: ylzhao at fudan edu cn

Available format(s): PDF | BibTeX Citation

Note: This work was ever given by Yunlei Zhao as a internal technical report during visiting prof. Andrew Yao and prof. Xiaoyun Wang at Tsinghua university in March 2006. This work can be traced back to an internal technical report at Fudan university, July 2005.


Update records:

4 June 2007: ``the general weakness on SW-KE" is added;

14-15 June 2007: more detailed clarifications on SW-KE are added (including ``on provable concurrent security", ``effective reflection attacks", ``explicitly checking non-one of Y", ``on key-confirmation", etc), in a devoted effort to provide clarifications on questions from prof. Stinson and Wu;

21 June, 2007: some additional clarificationsare on our deniable IKE added, including in particular the note on the multiple roles of NMZK_(B, y), the note on privacy protection of players' roles, the note on resistancethat against UKS attacks even with long-term secret-key compromise.

Version: 20070622:040307 (All versions of this report)

Short URL:

[ Cryptology ePrint archive ]