• Journal of Information Processing Systems
• /
• v.6 no.3
• /
• pp.335-346
• /
• 2010

The present study investigates the difficulty of solving the mathematical problem, namely the DLP (Discrete Logarithm Problem) for ephemeral keys. The DLP is the basis for many public key cryptosystems. The ephemeral keys are used in such systems to ensure security. The DLP defined on a prime field $Z^*_p of random prime is considered in the present study. The most effective method to solve the DLP is the ICM (Index Calculus Method). In the present study, an efficient way of computing the DLP for ephemeral keys by using a new variant of the ICM when the factors of p-1 are known and small is proposed. The ICM has two steps, a pre-computation and an individual logarithm computation. The pre-computation step is to compute the logarithms of a subset of a group and the individual logarithm step is to find the DLP using the precomputed logarithms. Since the ephemeral keys are dynamic and change for every session, once the logarithms of a subset of a group are known, the DLP for the ephemeral key can be obtained using the individual logarithm step. Therefore, an efficient way of solving the individual logarithm step based on the newly proposed precomputation method is presented and the performance is analyzed using a comprehensive set of experiments. The ephemeral keys are also solved by using other methods, which are efficient on random primes, such as the Pohlig-Hellman method, the Van Oorschot method and the traditional individual logarithm step. The results are compared with the newly proposed individual logarithm step of the ICM. Also, the DLP of ephemeral keys used in a popular password key exchange protocol known as Chang and Chang are computed and reported to launch key recovery attack.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.32 no.5
• /
• pp.765-777
• /
• 2022

The SABER algorithm, a PKE/KEM algorithm presented in NIST PQC Standardization Round 3, is an algorithm based on the Module-LWR problem among lattice-based problems and has a Meta-PKE structure. At this time, the secret information used in the encryption process is called a ephemeral key, and in this paper, the ephemeral key reuse attack using the Meta-PKE structure is described. For each parameter satisfying the security strengths required by NIST, we present a detailed analysis of the previous studies attacked using 4, 6, and 6 queries, and improve them, using only 3, 4, and 4 queries. In addition, we introduce how to reduce the computational complexity of recovering ephemeral keys with a single query from the brute-force complexity on the n-dimension lattice, 2^7.91×n, 2^10.51×n, 2^12.22×n to 2^4.91×n, 2^6.5×n, 2^6.22×n, for each parameter, and present the results and limitations.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.10 no.11
• /
• pp.5639-5653
• /
• 2016

Security models for key exchange protocols have been researched for years, however, lots of them only focus on what secret can be compromised but they do not differentiate the timing of secrets compromise, such as the extended Canetti-Krawczyk (eCK) model. In this paper, we propose a new security model for key exchange protocols which can not only consider what keys can be compromised as well as when they are compromised. The proposed security model is important to the security proof of the key exchange protocols with forward secrecy (either weak forward secrecy (wFS) or strong forward secrecy (sFS)). In addition, a new kind of key compromise impersonation (KCI) attacks which is called strong key compromise impersonation (sKCI) attack is proposed. Finally, we provide a new one-round key exchange protocol called mOT+ based on mOT protocol. The security of the mOT+ is given in the new model. It can provide the properties of sKCI-resilience and sFS and it is secure even if the ephemeral key reveal query is considered.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.18 no.3
• /
• pp.3-8
• /
• 2008

Ephemeral data are easily revealed if state specific information is stored in insecure memory or a random number generator is corrupted. In this letter, we show that Nam et al.'s group key agreement scheme, which is an improvement of Bresson et al.'s scheme, is not secure against session-state reveal attacks. We then propose an improvement to fix the security flaw.

• Journal of Environmental Science International
• /
• v.21 no.10
• /
• pp.1171-1179
• /
• 2012

Headwaters initiate material export to downstream environments. A nested headwater study examined the flux of dissolved constituents and water from a perennial stream and four ephemeral/intermittent streams in the Upper Gulf Coastal Plain of Mississippi. Water was collected during storm and baseflow conditions. Multiple linear regression was used to model constituent concentration and calculate flux. Event was the major source of water discharged from the ephemeral and intermittent streams however, baseflow was the major source for water discharged by the perennial stream during events. The perennial stream had an area weighted average yields of 10.1, 0.01, 1.03, 0.65 kg/ha/yr of DON (dissolved organic nitrogen), $NO_3^-$-N, $NH_4^+$-N and $PO_4^{-3}$, respectively while large variabilities existed between the ephemeral and intermittent streams. These findings highlight the importance of headwaters in protecting the low order drainage basins as a key to water quality within perennial streams.

• Journal of the Korea Society of Computer and Information
• /
• v.17 no.9
• /
• pp.91-101
• /
• 2012

Key exchange protocols are essential for building a secure communication channel over an insecure open network. In particular, password-based key exchange protocols are designed to work when user authentication is done via the use of passwords. But, passwords are easy for human beings to remember, but are low entropy and thus are subject to dictionary attacks. Recently, Zhao and Gu proposed a new server-aided protocol for password-based key exchange. Zhao and Gu's protocol was claimed to be provably secure in a formal adversarial model which captures the notion of leakage of ephemeral secret keys. In this paper, we mount a replay attack on Zhao and Gu's protocol and thereby show that unlike the claim of provable security, the protocol is not secure against leakage of ephemeral secret keys. Our result implies that Zhao and Gu's proof of security for the protocol is invalid.

• Journal of the Institute of Electronics Engineers of Korea SP
• /
• v.47 no.1
• /
• pp.139-149
• /
• 2010

Random scalar countermeasures, which carry out the scalar multiplication by the ephemeral secret key, against the differential power analysis of ECIES and ECDH have been known to be secure against various power analyses. However, if an attacker can find this ephemeral key from the one power signal, these countermeasures can be analyzed. In this paper, we propose a new power attack method which can do this analysis. Proposed attack method can be accomplished while an attacker compares the elliptic curve doubling operations and we use the principle component analysis in order to ease this comparison. When we have actually carried out the proposed power analysis, we can perfectly eliminate the error of existing function for the comparison and find a private key from this elimination of the error.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.13 no.4
• /
• pp.161-168
• /
• 2003

We discuss the security of two famous password authenticated key exchange protocols, EKE2 and PAK. We introduce ′insider assisted attack′ Based on this assumption we point out weakness of the security of EKE2 and PAK protocols. More precisely, when the legitimate user wants to find other user′s password, called "insider-assisted attacker", the attacker can find out many ephemeral secrets of the server and then after monitoring on line other legitimate user and snatching some messages, he can guess a valid password of the user using the previous information. Of course for this kind of attack there are some constraints. Here we present a full description of the attack and point out that on the formal model, one should be very careful in describing the adversary′s behavior.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.25 no.3
• /
• pp.531-546
• /
• 2015

A non-interactive key exchange protocol provides an efficiency of overall system by eliminating additional communication. However, traditional non-interactive key exchange protocols without updating a private key fail to provide forward secrecy, since there is no usage of ephemeral key for randomness of session key. In 2012, Sang et al. proposed a certificateless non-interactive key exchange(CL-NIKE) protocol, but they do not prove the security of the protocol and it does not provide forward secrecy. In this paper, we propose a new CL-NIKE protocol and it's security model. Then we prove the proposed protocol is secure under the security model based on DBDH(Decision Bilinear Diffie-Hellman) assumption. Moreover, we propose a CL-NIKE protocol with forward secrecy which updates user's private key by using multilinear map and prove it's security.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.20 no.1
• /
• pp.41-50
• /
• 2010

This paper proposes a mutual identification and session key exchange scheme in secure vehicular communication based on the group signature. In VANETs, security requirements such as authentication, conditional privacy, non-repudiation, and confidentiality are required to satisfy various vehicular applications. However, existing VANET security methods based on the group signature do not support a mutual identification and session key exchange for data confidentiality. The proposed scheme allows only one credential to authenticate ephemeral Diffie-Hellman parameters generated every key exchange session. Our scheme provides a robust key exchange and reduces storage and communication overhead. The proposed scheme also satisfies security requirements for various application services in VANETs.