, ? If no value is assigned to m 1 , m 2 )), S chooses d ? R {0, 1} l and sets ¯ H(X, Y, m 1 , m 2 ) = d (resp. ¯ H(Y, X, m 1 , m 2 ) = d); and if ? = CDH(XA d , Y B e ), S sets m 1 , m 2 ) = ?. (4) If A halts with a forgery ? 0 , X 0 , Y 0 , m 1 0 , m 2 0 , S verifies that the digests value ? 0 was queried from the random oracle, ) for some ? 0 , and that ? 0 = CDH
, From Dolev?Yao to Strong Adaptive Corruption: Analyzing Security in the Presence of Compromising Adversaries, Cryptology ePrint Archive, 2009.
, The Knowledge-of-Exponent Assumptions and 3-Round Zero-Knowledge Protocols, Lecture Notes in Computer Science, vol.3152, pp.273-289, 2004.
DOI : 10.1007/978-3-540-28628-8_17
, Analysis of Key-Exchange Protocols and Their Use for Building Secure Channels, Cryptology ePrint Archive, 2001.
DOI : 10.1007/3-540-44987-6_28
, Session-state Reveal Is Stronger Than Ephemeral Key Reveal: Attacking the NAXOS Authenticated Key Exchange Protocol, Lecture Notes in Computer Science, vol.5536, pp.20-33, 2009.
DOI : 10.1007/978-3-642-01957-9_2
, Solving Discrete Logarithms from Partial Knowledge of the Key, Lecture Notes in Computer Science, vol.4859, pp.224-237, 2007.
DOI : 10.1007/978-3-540-77026-8_17
, Guide to Elliptic Curve Cryptography, 2003.
, Information Technology ? Security techniques : Cryptography techniques based on elliptic curves ? Part 3 : Key Establishment, pp.9798-9801, 2002.
, HMQV: A High-Performance Secure Diffie-Hellman Protocol, Cryptology ePrint Archive Report, vol.176, 2005.
DOI : 10.1007/11535218_33
, About the Security of MTI/C0 and MQV, Lecture Notes in Computer Science, vol.4116, pp.156-172, 2006.
DOI : 10.1007/11832072_11
, Stronger Security of Authenticated Key Exchange, Lecture Notes in Computer Science, vol.4784, pp.1-16, 2007.
DOI : 10.1007/978-3-540-75670-5_1
, Analysis of the Insecurity of ECMQV with Partially Known Nonces, Lecture Notes in Computer Science, vol.2851, pp.240-251, 2003.
DOI : 10.1007/10958513_19
, Diffie-Hellman Oracles, Lecture Notes in Computer Science, vol.1109, pp.268-282, 1996.
DOI : 10.1007/3-540-68697-5_21
, Another look at HMQV, Mathematical Cryptology, vol.1, issue.1, pp.148-175, 2007.
DOI : 10.1515/JMC.2007.004
, On the Importance of Public-Key Validation in the MQV and HMQV Key Agreement Protocols, Lecture Notes in Computer Science, vol.4329, pp.133-147, 2006.
DOI : 10.1007/11941378_11
, On reusing ephemeral keys in Diffie-Hellman key agreement protocols, International Journal of Applied Cryptography, vol.2, issue.2, 2008.
DOI : 10.1504/IJACT.2010.038308
, The Gap-Problems: A New Class of Problems for the Security of Cryptographic Schemes, Lecture Notes in Computer Science, vol.1992, pp.104-118, 2001.
DOI : 10.1007/3-540-44586-2_8
, Les preuves de connaissances et leurs preuves de sécurité, 1996.
, Security Arguments for Digital Signatures and Blind Signatures, Journal of Cryptology, vol.13, issue.3, pp.361-396, 2000.
DOI : 10.1007/s001450010003
, Kangaroos, Monopoly and Discrete Logarithms, Journal of Cryptology, vol.13, issue.4, pp.437-447, 2000.
DOI : 10.1007/s001450010010
, Square-root Algorithms for the Discrete Logarithm Problem (A survey) Public Key Cryptography and Computational Number Theory, pp.283-301, 2001.
, On random walks for Pollard's rho method, Mathematics of Computation, vol.70, issue.234, pp.809-825, 2001.
DOI : 10.1090/S0025-5718-00-01213-8
, Obtaining a secure and efficient key agreement protocol from (H)MQV and NAXOS. Designs, Codes and Cryptography, pp.329-342, 2008.
, Cryptanalysis and improvement of an elliptic curve Diffie-Hellman key agreement protocol, IEEE Communications Letters, vol.12, issue.2, pp.149-151, 2008.
DOI : 10.1109/LCOMM.2008.071307