Abstract:



Session-state reveal is stronger than Ephemeral-key reveal: 
Breaking the NAXOS protocol


Cas J.F. Cremers



In the papers Stronger Security of Authenticated Key Exchange 
[LLM07, LLM06], a new security model for key exchange 
protocols is proposed. The new model is suggested to be at 
least as strong as previous models for key exchange protocols. 
In particular, the model includes a new notion of an Ephemeral 
Key Reveal adversary query, which is claimed in [LLM06, Oka07, 
Ust08] to be at least as strong as existing definitions of the 
Session-state Reveal query. We show that for some protocols, 
Session-state Reveal is strictly stronger than Ephemeral Key 
Reveal. In particular, we show that the NAXOS protocol from 
[LLM07, LLM06] does not meet its security requirements if the 
Session-state Reveal query is allowed in the security model.