Abstract. In this paper, we consider the problem of mutually authenticated key exchanges between a low-power client and a powerful server. We show how the Jakobsson-Pointcheval scheme proposed recently [15] can be compromised using a variant of interleaving attacks. We also propose a new scheme for achieving mutually authenticated key exchanges. The protocol is proven correct within a variant of Bellare-Rogaway model [3,4]. This protocol gives the same scalability as other publickey based authenticated key exchange protocols but with much higher efficiency and fewer messages. It only takes 20 msec total computation time on a PalmPilot and has only three short messages exchanged during the protocol.
Duncan S. Wong, Agnes Hui Chan