Paper 2009/288

Efficient Key Exchange with Tight Security Reduction

Jiang Wu and Berkant Ustaoglu


In this paper, we propose two authenticated key exchange (AKE) protocols, SMEN and SMEN−, which have efficient online computation and tight security proof in the extended Canetti-Krawczyk (eCK) model. SMEN takes 1.25 exponentiations in online computation, close to that (1.17 exponentiations) of the most efficient AKEs MQV and its variants HMQV and CMQV. SMEN has a security reduction as tight as that of NAXOS, which is the first AKE having a tight security reduction in the eCK model. As a comparison, MQV does not have a security proof; both HMQV and CMQV have a highly non-tight security reduction, and HMQV needs a non-standard assumption; NAXOS takes 2.17 exponentiations in online computation; NETS, a NAXOS variant, takes two online exponentiations in online computation. SMEN simultaneously achieves online efficiency and a tight security proof at a cost of 0.17 more exponentiations in offline computation and the restriction that one party is not allowed to establish a key with itself. SMEN− takes 1.29 exponentiations in online computation, but SMEN− does not use the static private key to compute the ephemeral public key (as does in SMEN, NAXOS, CMQV, and NETS), and hence reduces the risk of leaking the static private key.

Available format(s)
Cryptographic protocols
Publication info
Published elsewhere. Unknown where it was published
authenticated key exchange
Contact author(s)
j32wu @ cs uwaterloo ca
ustaoglu berkant @ lab ntt co jp
2009-06-16: received
Short URL
Creative Commons Attribution


      author = {Jiang Wu and Berkant Ustaoglu},
      title = {Efficient Key Exchange with Tight Security Reduction},
      howpublished = {Cryptology ePrint Archive, Paper 2009/288},
      year = {2009},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.