[PDF] Top 20 A Note on Post-Quantum Authenticated Key Exchange from Supersingular Isogenies

... Communication costs, expressed in terms of bytes in Table 1, only include cryptography-related content. That is, for simplification purposes, they do not take into account some additional informa- tion that is needed in ... See full document

... nauthenticated key exchange protocol with RSA/ECDSA signature to achieve ...discards quantum-insecure ...pre-shared key is a very practical and efficient approach as point- ed out in ... See full document

... the post-quantum supersingular isogeny Diffie-Hellman key exchange (SIDH) and the supersingular isogeny key encapsulation (SIKE) protocols for 32-bit ARMv7-A processors ... See full document

... This asymmetry might seem like a curious but minor inconvenience: the participants just need to decide who is Alice and who is Bob before each key exchange. More importantly, though, this asymmetry is ... See full document

... ring-LWE-based key exchange protocol corresponding to LPR public key encryption and gave a reconciliation mechanism for direct approximate key agreement which relies on both most significant ... See full document

... hybrid key exchange has however foremost been driven by industry ...hybrid key exchange cipher suite named CECPQ1 which combined elliptic curve Diffie–Hellman (ECDH) and the ... See full document

... implicit key authentication, high efficiency, and without using any explicit entity authentication techniques ...to post-quantum cryptography, ... See full document

... The quantum secure supersingular isogeny Diffie-Hellman (SIDH) key exchange is a promising candidate in NIST’s on-going post- quantum standardization ...other ... See full document

... cryptosystems from discrete logarithm and/or factorization in- tractability assumptions would be totally broken by the emergence of quantum computers, ...the post-quantum era, it is impor- ... See full document

... over supersingular curves ...AKE from basic primitives like IND-CCA encryption/KEMs, MACs, PRFs etc, including the schemes proposed by Boyd, Cliff, Nieto and Paterson [BCNP09] (abbreviated as BC- NP ... See full document

... one-round authenticated group key exchange protocols from newly employed cryptographic invariant maps (CIMs): one is secure in the quantum random oracle model and the other resists ... See full document

... server’s DH-component Y , consequently losing server’s ID-privacy. The core au- thentication mechanism of TLS1.3 is based on the SIGMA scheme [25], which is also briefly described in Appendix A. For presentation ... See full document

... private key related to its identity for signing. In key exchange, each server sends the client its public key for encryption with its identity-based signature on ...public key of the ... See full document

... secret key which can be used for encryption/authentication of messages, or a public key which can be used for encryption/signing of ...password-based authenticated key exchange (PAKE), ... See full document

... password-authenticated key exchange (fPAKE), which solves exactly this ...secure key agreement as long as the two pass-strings are “close” for some notion of ... See full document

... unknown key share (UKS) attacks, key compromise impersonation (KCI) attacks, and disclosure of DH ...secret key and ephemeral private key and permits the exposure of ephemeral private ... See full document

... symmetric key with the metadata server (which acts as the ...is authenticated once to the KDC for a fixed period of time but may be allowed access to multiple storage devices governed by the KDC within that ... See full document

... The key exchange protocol of Diffie and Hellman [15] is undoubtedly the single most influential concept in the history of modern cryptography, and though more than forty year old, it continues to see new ... See full document

... The significant advantage of our instantiations in the StdM is reasonable assumption. First, HMQV satisfies the same security model as our construction. However, it requires the KEA1 assumption and relies on ROs. Since ... See full document

... sonates one of the communication parties in order to use the service he wishes. In our protocol, the adver- sary can successfully impersonate any one communi- cation party only if he has the pre-shared password. However, ... See full document