Key establishment protocols are used for distributing shared keying material in a secure manner. In 1995, Bellare and Rogaway presented a three-party server-based key distribution (3PKD) protocol. But the protocol was recently found insecure and then was fixed by Raymond Choo et al.. But forward-secrecy is not considered in the revised protocol. In this paper, we demonstrate that it is not forw...

Correct authenticated decryption requires the receiver to buffer the decrypted message until the authenticity check has been performed. In high-speed networks, which must handle large message frames at low latency, this behavior becomes practically infeasible. This paper proposes CCA-secure on-line ciphers as a practical alternative to AE schemes since the former provide some defense against ma...

We provide the first hardware implementation of AEZ, a third-round candidate to the CAESAR competition for authenticated encryption. Complex, optimized for software, and impossible to implement in a single pass, AEZ poses significant obstacles for any hardware realization. Still, we find that a hardware implementation of AEZ is quite feasible. On Xilinx Virtex-6 FPGAs, our single-core design ha...

Password-based key exchange schemes are designed to provide entities communicating over a public network, and sharing a (short) password only, with a session key (e.g, the key is used for data integrity and/or confidentiality). The focus of the present paper is on the analysis of very efficient schemes that have been proposed to the IEEE P1363 Standard working group on password-based authentica...

We present the notion of PROG-KDM security for public-key encryption schemes. This security notion captures both KDM security and revealing of secret keys (key corruptions) in a single definition. This is achieved by requiring the existence of a simulator that can program ciphertexts when a secret key is revealed, i.e., the simulator can delay the decision what plaintext is contained in what ci...

Password-based protocols for authenticated key exchange (AKE) are designed to work despite the use of passwords drawn from a space so small that an adversary might well enumerate, off line, all possible passwords. While several such protocols have been suggested, the underlying theory has been lagging. We begin by defining a model for this problem, one rich enough to deal with password guessing...

In this paper we introduce a new type of attack, called nonlinear invariant attack. As application examples, we present new attacks that are able to distinguish the full versions of the (tweakable) block ciphers Scream, iScream and Midori64 in a weak-key setting. Those attacks require only a handful of plaintext-ciphertext pairs and have minimal computational costs. Moreover, the nonlinear inva...

We present the Protected-IV construction (PIV) a simple, modular method for building variable-input-length tweakable ciphers. At our level of abstraction, many interesting design opportunities surface. For example, an obvious pathway to building beyond birthday-bound secure tweakable ciphers with performance competitive with existing birthday-bound-limited constructions. As part of our design s...

At the recent AES Modes of Operation Conference, several modes of operation were proposed for using a block cipher to provide both con dentiality and authentication. These modes require only a little more work than the cost of encryption alone, and come with proofs of security. However, these modes require the entire message to be sent in encrypted form. This can cause problems in situations wh...

This paper presents an efficient password-based authenticated encrypted group key agreement protocol immune to dictionary attack under the computation Diffie-Hellman (CDH) assumption. In a password-based key agreement protocol, the users only share a human-memorable low entropy password; and using this low-entropy password, the users can agree upon a high-entropy session key which they may use ...