Author
Anton Mityagin
Other affiliations: University of California, San Diego, University of California, Los Angeles, Weizmann Institute of Science
Bio: Anton Mityagin is an academic researcher from Microsoft. The author has contributed to research in topics: Authenticated Key Exchange & Key (cryptography). The author has an h-index of 17, co-authored 40 publications receiving 1345 citations. Previous affiliations of Anton Mityagin include University of California, San Diego & University of California, Los Angeles.
Papers
01 Nov 2007
TL;DR: In this paper, a more compact, integrated, and comprehensive formulation of the Canetti-Krawczyk security model for authenticated key exchange (AKE) protocols is presented.
Abstract: Recent work by Krawczyk [12] and Menezes [16] has highlighted the importance of understanding well the guarantees and limitations of formal security models when using them to prove the security of protocols. In this paper we focus on security models for authenticated key exchange (AKE) protocols. We observe that there are several classes of attacks on AKE protocols that lie outside the scope of the Canetti-Krawczyk model. Some of these additional attacks have already been considered by Krawczyk [12]. In an attempt to bring these attacks within the scope of the security model, we extend the Canetti-Krawczyk model for AKE security by providing significantly greater powers to the adversary. Our contribution is a more compact, integrated, and comprehensive formulation of the security model. We then introduce a new AKE protocol called NAXOS and prove that it is secure against these stronger adversaries.
608 citations
TL;DR: In this article, it was shown that allowing a message authentication adversary multiple verification attempts towards forgery is not equivalent to allowing it a single one, so that the notion of security that most message authentication schemes are proven to meet does not guarantee their security in practice.
Abstract: This paper points out that, contrary to popular belief, allowing a message authentication adversary multiple verification attempts towards forgery is not equivalent to allowing it a single one, so that the notion of security that most message authentication schemes are proven to meet does not guarantee their security in practice. We then show, however, that the equivalence does hold for strong unforgeability. Based on this we recover security of popular classes of message authentication schemes such as MACs (including HMAC and PRF-based MACs) and CW-schemes. Furthermore, in many cases we do so with a tight security reduction, so that in the end the news we bring is surprisingly positive given the initial negative result. Finally, we show analogous results for authenticated encryption.
125 citations
01 Dec 2002
TL;DR: This paper analyses the security of a new key exchange protocol proposed in [3], which is based on mutually learning neural networks, and shows that it can be broken in three different ways, and thus it is completely insecure.
Abstract: In this paper we analyse the security of a new key exchange protocol proposed in [3], which is based on mutually learning neural networks. This is a new potential source for public key cryptographic schemes which are not based on number theoretic functions, and have small time and memory complexities. In the first part of the paper we analyse the scheme, explain why the two parties converge to a common key, and why an attacker using a similar neural network is unlikely to converge to the same key. However, in the second part of the paper we show that this key exchange protocol can be broken in three different ways, and thus it is completely insecure.
119 citations
24 Apr 2006
TL;DR: It is proved that the modified protocol, called KEA+, satisfies the strongest security requirements for authenticated key-exchange and that it retains some security even if a secret key of a party is leaked.
Abstract: KEA is a Diffie-Hellman based key-exchange protocol developed by NSA which provides mutual authentication for the parties. It became publicly available in 1998 and since then it was neither attacked nor proved to be secure. We analyze the security of KEA and find that the original protocol is susceptible to a class of attacks. On the positive side, we present a simple modification of the protocol which makes KEA secure. We prove that the modified protocol, called KEA+, satisfies the strongest security requirements for authenticated key-exchange and that it retains some security even if a secret key of a party is leaked. Our security proof is in the random oracle model and uses the Gap Diffie-Hellman assumption. Finally, we show how to add a key confirmation feature to KEA+ (we call the version with key confirmation KEA+C) and discuss the security properties of KEA+C.
85 citations
11 Jul 2005
TL;DR: This work defines the security of AOS, presents concrete AOS schemes, and proves their security under standard assumptions, and finds that despite its simple definition, AOS is equivalent to Hierarchical Identity-based Signatures (HIBS) through efficient and security-preserving reductions.
Abstract: We present a new primitive – Append-only Signatures (AOS) – with the property that any party given an AOS signature Sig[M1] on message M1 can compute Sig[M1 || M2] for any message M2, where M1 || M2 is the concatenation of M1 and M2. We define the security of AOS, present concrete AOS schemes, and prove their security under standard assumptions. In addition, we find that despite its simple definition, AOS is equivalent to Hierarchical Identity-based Signatures (HIBS) through efficient and security-preserving reductions. Finally, we show direct applications of AOS to problems in network security. Our investigations indicate that AOS is both useful in practical applications and worthy of further study as a cryptographic primitive.
58 citations
Cited by
07 Dec 2008
TL;DR: The first proof-of-retrievability schemes with full proofs of security against arbitrary adversaries in the strongest model, that of Juels and Kaliski, are given.
Abstract: In a proof-of-retrievability system, a data storage center convinces a verifier that he is actually storing all of a client's data. The central challenge is to build systems that are both efficient and provably secure--that is, it should be possible to extract the client's data from any prover that passes a verification check. In this paper, we give the first proof-of-retrievability schemes with full proofs of security against arbitrary adversaries in the strongest model, that of Juels and Kaliski. Our first scheme, built from BLS signatures and secure in the random oracle model, has the shortest query and response of any proof-of-retrievability with public verifiability. Our second scheme, which builds elegantly on pseudorandom functions (PRFs) and is secure in the standard model, has the shortest response of any proof-of-retrievability scheme with private verifiability (but a longer query). Both schemes rely on homomorphic properties to aggregate a proof into one small authenticator value.
1,156 citations
TL;DR: This work considers two possible notions of authenticity for authenticated encryption schemes, namely integrity of plaintexts and integrity of ciphertexts, and relates them to the standard notions of privacy IND-CCA and NM-CPA by presenting implications and separations between all notions considered.
Abstract: An authenticated encryption scheme is a symmetric encryption scheme whose goal is to provide both privacy and integrity. We consider two possible notions of authenticity for such schemes, namely integrity of plaintexts and integrity of ciphertexts, and relate them (when coupled with IND-CPA) to the standard notions of privacy (IND-CCA,NM-CPA) by presenting implications and separations between all notions considered. We then analyze the security of authenticated encryption schemes designed by “generic composition,” meaning making blackbox use of a given symmetric encryption scheme and a given MAC. Three composition methods are considered, namely Encrypt-and-MAC, MAC-then-encrypt, and Encrypt-then-MAC. For each of these, and for each notion of security, we indicate whether or not the resulting scheme meets the notion in question assuming the given symmetric encryption scheme is secure against chosen-plaintext attack and the given MAC is unforgeable under chosen-message attack. We provide proofs for the cases where the answer is “yes” and counter-examples for the cases where the answer is “no.”
774 citations
01 Oct 2001
TL;DR: The Internet is going mobile and wireless, perhaps quite soon, with a number of diverse technologies leading the charge, including 3G cellular networks based on CDMA technology, a wide variety of what is deemed 2.5G cellular technologies (e.g., EDGE, GPRS and HDR), and IEEE 802.11 wireless local area networks (WLANs).
Abstract: At some point in the future, how far out we do not exactly know, wireless access to the Internet will outstrip all other forms of access bringing the freedom of mobility to the way we access the we...
615 citations
01 Nov 2007
TL;DR: In this paper, a more compact, integrated, and comprehensive formulation of the Canetti-Krawczyk security model for authenticated key exchange (AKE) protocols is presented.
Abstract: Recent work by Krawczyk [12] and Menezes [16] has highlighted the importance of understanding well the guarantees and limitations of formal security models when using them to prove the security of protocols. In this paper we focus on security models for authenticated key exchange (AKE) protocols. We observe that there are several classes of attacks on AKE protocols that lie outside the scope of the Canetti-Krawczyk model. Some of these additional attacks have already been considered by Krawczyk [12]. In an attempt to bring these attacks within the scope of the security model, we extend the Canetti-Krawczyk model for AKE security by providing significantly greater powers to the adversary. Our contribution is a more compact, integrated, and comprehensive formulation of the security model. We then introduce a new AKE protocol called NAXOS and prove that it is secure against these stronger adversaries.
608 citations
TL;DR: In this paper, the authors consider two possible notions of authenticity for authenticated encryption schemes, namely integrity of plaintexts and integrity of ciphertexts, and relate them, when coupled with IND-CPA (indistinguishability under chosen-plaintext attack), to the standard notions of privacy IND-CCA and NM-CPA, and provide proofs for the cases where the answer is "yes" and counter-examples for the cases where the answer is "no".
Abstract: An authenticated encryption scheme is a symmetric encryption scheme whose goal is to provide both privacy and integrity. We consider two possible notions of authenticity for such schemes, namely integrity of plaintexts and integrity of ciphertexts, and relate them, when coupled with IND-CPA (indistinguishability under chosen-plaintext attack), to the standard notions of privacy IND-CCA and NM-CPA (indistinguishability under chosen-ciphertext attack and nonmalleability under chosen-plaintext attack) by presenting implications and separations between all notions considered. We then analyze the security of authenticated encryption schemes designed by “generic composition,” meaning making black-box use of a given symmetric encryption scheme and a given MAC. Three composition methods are considered, namely Encrypt-and-MAC, MAC-then-encrypt, and Encrypt-then-MAC. For each of these and for each notion of security, we indicate whether or not the resulting scheme meets the notion in question assuming that the given symmetric encryption scheme is secure against chosen-plaintext attack and the given MAC is unforgeable under chosen-message attack. We provide proofs for the cases where the answer is “yes” and counter-examples for the cases where the answer is “no.”
586 citations