Computers

In the design of two-party key exchange it is common to rely on a Die-Hellman type hardness assumption in connection with elliptic curves. Unlike the case of nite elds, breaking multiple instances of the underlying hardness assumption is here considered substantially more expensive than breaking a single instance. Prominent protocols such as SPEKE [12] or J-PAKE [8, 9, 10] do not exploit this, and here we propose a password-authenticated key establishment where the security builds on the intractability of solving a specied number of instances v of the underlying computational problem. Such a design strategy seems particularly interesting when aiming at long-term security guarantees for a protocol, where expensive special purpose equipment might become available to an adversary. In this thesis, we give one protocol for the special case when v = 1 in the random oracle model, then we provide the generalized protocol in the random oracle model and a variant of the generalized protocol in the standard model for v being a polynomial of the security parameter `.