Computational Security Analysis of the Full EDHOC Protocol

Conference paper. Published in: Topics in Cryptology – CT-RSA 2024 (CT-RSA 2024). Part of the book series: Lecture Notes in Computer Science (LNCS, volume 14643).

Abstract

Ephemeral Diffie-Hellman Over COSE (EDHOC) is designed to be a compact and lightweight authenticated key exchange protocol, providing mutual authentication, forward secrecy, and identity protection. EDHOC aims at being suitable for low-power networks such as cellular IoT, 6TiSCH, and LoRaWAN. In this paper, we perform a security analysis of the latest draft of EDHOC (draft 23). We analyse the full protocol, including its four different authentication methods. Our results show that the security of the authenticated key exchange in EDHOC depends essentially on that of the authenticated encryption algorithm used during that phase. Finally, we provide more precise estimates of the computational security bounds for all authentication methods in EDHOC, so that meaningful choices of quantitative parameters can be made to instantiate the protocol securely.


Notes

  1. Note that our model does not give the adversary the ability to register its own (malicious) keys, contrary to [15, 16].

  2. Informally, the “consistency” (defined by Krawczyk in [24]) guarantees a binding between a session key and the two parties involved in the protocol run. In the security model we use, the \(\textsf{Sound}\) predicate guarantees (when true) this property.

References

  1. Bellare, M., Namprempre, C.: Authenticated encryption: relations among notions and analysis of the generic composition paradigm. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 531–545. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-44448-3_41

  2. Bellare, M., Rogaway, P.: Entity authentication and key distribution. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 232–249. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48329-2_21

  3. Bellare, M., Rogaway, P.: The security of triple encryption and a framework for code-based game-playing proofs. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 409–426. Springer, Heidelberg (2006). https://doi.org/10.1007/11761679_25

  4. Blake-Wilson, S., Johnson, D., Menezes, A.: Key agreement protocols and their security analysis. In: Darnell, M. (ed.) Cryptography and Coding 1997. LNCS, vol. 1355, pp. 30–45. Springer, Heidelberg (1997). https://doi.org/10.1007/BFb0024447

  5. Bruni, A., Sahl Jørgensen, T., Grønbech Petersen, T., Schürmann, C.: Formal verification of Ephemeral Diffie-Hellman Over COSE (EDHOC). In: Cremers, C., Lehmann, A. (eds.) Security Standardisation Research, pp. 21–36 (2018)

  6. Cheval, V., Jacomme, C., Kremer, S., Künnemann, R.: SAPIC+: protocol verifiers of the world, unite! In: Butler, K.R.B., Thomas, K. (eds.) USENIX Security 2022, pp. 3935–3952. USENIX Association (2022)

  7. Connectivity Standards Alliance: Zigbee specification

  8. Cottier, B., Pointcheval, D.: Security analysis of the EDHOC protocol (2022). https://doi.org/10.48550/arXiv.2209.03599

  9. Davis, H., Günther, F.: Tighter proofs for the SIGMA and TLS 1.3 key exchange protocols. In: Sako, K., Tippenhauer, N.O. (eds.) ACNS 2021. LNCS, vol. 12727, pp. 448–479. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-78375-4_18

  10. Degabriele, J.P., Govinden, J., Günther, F., Paterson, K.G.: The security of ChaCha20-Poly1305 in the multi-user setting. In: Vigna, G., Shi, E. (eds.) ACM CCS 2021, pp. 1981–2003. ACM Press (2021)

  11. Diemert, D., Jager, T.: On the tight security of TLS 1.3: theoretically sound cryptographic parameters for real-world deployments. J. Cryptol. 34(3), 30 (2021)

  12. Diffie, W., Hellman, M.E.: New directions in cryptography. IEEE Trans. Inf. Theory 22(6), 644–654 (1976). https://doi.org/10.1109/TIT.1976.1055638

  13. Ferreira, L.: Computational security analysis of the full EDHOC protocol. Cryptology ePrint Archive (2024)

  14. Fischlin, M., Günther, F.: Multi-stage key exchange and the case of Google’s QUIC protocol. In: Ahn, G.J., Yung, M., Li, N. (eds.) ACM CCS 2014, pp. 1193–1204. ACM Press (2014)

  15. Günther, F., Mukendi, M.I.T.: Careful with MAc-then-SIGn: a computational analysis of the EDHOC lightweight authenticated key exchange protocol. Cryptology ePrint Archive, Report 2022/1705 (2022)

  16. Günther, F., Mukendi, M.I.T.: Careful with MAc-then-SIGn: a computational analysis of the EDHOC lightweight authenticated key exchange protocol. In: 8th IEEE European Symposium on Security and Privacy, EuroS&P 2023 (2023)

  17. Hermans, J., Pashalidis, A., Vercauteren, F., Preneel, B.: A new RFID privacy model. In: Atluri, V., Díaz, C. (eds.) ESORICS 2011. LNCS, vol. 6879, pp. 568–587. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-23822-2_31

  18. Hoang, V.T., Tessaro, S., Thiruvengadam, A.: The multi-user security of GCM, revisited: tight bounds for nonce randomization. In: Lie, D., Mannan, M., Backes, M., Wang, X. (eds.) ACM CCS 2018, pp. 1429–1440. ACM Press (2018)

  19. IETF: IPv6 over the TSCH mode of IEEE 802.15.4e (6TiSCH) (2021)

  20. Jacomme, C., Kremer, S., Künnemann, R.: A comprehensive, formal and automated analysis of the EDHOC protocol. In: 32nd USENIX Security Symposium (USENIX Security 23) (2023)

  21. Jonsson, J.: On the security of CTR + CBC-MAC. In: Nyberg, K., Heys, H.M. (eds.) SAC 2002. LNCS, vol. 2595, pp. 76–93. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36492-7_7

  22. Kim, J., et al.: Scrutinizing the vulnerability of Ephemeral Diffie-Hellman Over COSE (EDHOC) for IoT environment using formal approaches. Mob. Inf. Syst. 2021, 1–18 (2021)

  23. Krawczyk, H., Eronen, P.: HMAC-based Extract-and-Expand Key Derivation Function (HKDF) (2010). RFC 5869

  24. Krawczyk, H.: SIGMA: the ‘SIGn-and-MAc’ approach to authenticated Diffie-Hellman and its use in the IKE protocols. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 400–425. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45146-4_24

  25. Krawczyk, H.: Cryptographic extraction and key derivation: the HKDF scheme. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 631–648. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14623-7_34

  26. Norrman, K., Sundararajan, V., Bruni, A.: Formal analysis of EDHOC key establishment for constrained IoT devices. In: di Vimercati, S.D.C., Samarati, P. (eds.) Proceedings of the 18th International Conference on Security and Cryptography, SECRYPT 2021, pp. 210–221. SCITEPRESS (2021)

  27. Ouafi, K., Phan, R.C.W.: Traceable privacy of recent provably-secure RFID protocols. In: Bellovin, S.M., Gennaro, R., Keromytis, A.D., Yung, M. (eds.) ACNS 2008. LNCS, vol. 5037, pp. 479–489. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-68914-0_29

  28. Rescorla, E., Barnes, R., Tschofenig, H.: Compact TLS 1.3 (2023)

  29. Rescorla, E., Tschofenig, H., Modadugu, N.: The Datagram Transport Layer Security (DTLS) Protocol Version 1.3 (2022)

  30. Schäge, S., Schwenk, J., Lauer, S.: Privacy-preserving authenticated key exchange and the case of IKEv2. In: Kiayias, A., Kohlweiss, M., Wallden, P., Zikas, V. (eds.) PKC 2020. LNCS, vol. 12111, pp. 567–596. Springer, Heidelberg (2020). https://doi.org/10.1007/978-3-030-45388-6_20

  31. Selander, G., Mattsson, J., Palombini, F., Seitz, L.: Object Security for Constrained RESTful Environments (OSCORE) (2019). RFC 8613

  32. Selander, G., Preuß Mattsson, J., Palombini, F.: Ephemeral Diffie-Hellman Over COSE (EDHOC) – draft-ietf-lake-edhoc-23 (2024)

  33. Selander, G., Preuß Mattsson, J., Serafin, L., Tiloca, M., Vučinić, M.: Traces of EDHOC (2023)

  34. Shoup, V.: Sequences of games: a tool for taming complexity in security proofs. Cryptology ePrint Archive, Report 2004/332 (2004)

  35. Sigfox: Sigfox connected objects: Radio specifications (2023). rev. 1.7

  36. Sornin, N.: LoRaWAN 1.1 Specification (2017). LoRa Alliance, version 1.1

  37. Sornin, N., Luis, M., Eirich, T., Kramp, T.: LoRaWAN Specification (2016). LoRa Alliance, version 1.0

  38. Transforma Insights: IoT connections in 2030: 4 billion LPWA, 468 million 5G (non-mMTC), and 4% of cellular using private networks (2021)

  39. Transforma Insights: Global IoT connections to hit 29.4 billion in 2030 (2022)

  40. Vucinic, M., Selander, G., Mattsson, J.P., Watteyne, T.: Lightweight authenticated key exchange with EDHOC. Computer 55(4), 94–100 (2022)


Acknowledgements

The author thanks the reviewers for their valuable remarks. This work was partly supported by the French ANR MobiS5 project (ANR18-CE-39-0019-02).

Author information

Corresponding author: Loïc Ferreira.


Copyright information

© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG


Cite this paper

Ferreira, L. (2024). Computational Security Analysis of the Full EDHOC Protocol. In: Oswald, E. (eds) Topics in Cryptology – CT-RSA 2024. CT-RSA 2024. Lecture Notes in Computer Science, vol 14643. Springer, Cham. https://doi.org/10.1007/978-3-031-58868-6_2

  • DOI: https://doi.org/10.1007/978-3-031-58868-6_2

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-58867-9

  • Online ISBN: 978-3-031-58868-6
