{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,7]],"date-time":"2026-05-07T04:30:45Z","timestamp":1778128245719,"version":"3.51.4"},"publisher-location":"Cham","reference-count":37,"publisher":"Springer International Publishing","isbn-type":[{"value":"9783319636962","type":"print"},{"value":"9783319636979","type":"electronic"}],"license":[{"start":{"date-parts":[[2017,1,1]],"date-time":"2017-01-01T00:00:00Z","timestamp":1483228800000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"},{"start":{"date-parts":[[2017,1,1]],"date-time":"2017-01-01T00:00:00Z","timestamp":1483228800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2017]]},"DOI":"10.1007\/978-3-319-63697-9_22","type":"book-chapter","created":{"date-parts":[[2017,8,1]],"date-time":"2017-08-01T04:07:12Z","timestamp":1501560432000},"page":"651-681","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":35,"title":["PRF-ODH: Relations, Instantiations, and Impossibility Results"],"prefix":"10.1007","author":[{"given":"Jacqueline","family":"Brendel","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Marc","family":"Fischlin","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Felix","family":"G\u00fcnther","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Christian","family":"Janson","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"297","published-online":{"date-parts":[[2017,8,2]]},"reference":[{"key":"22_CR1","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"143","DOI":"10.1007\/3-540-45353-9_12","volume-title":"Topics in Cryptology \u2014 CT-RSA 2001","author":"M Abdalla","year":"2001","unstructured":"Abdalla, M., Bellare, M., Rogaway, P.: The oracle Diffie-Hellman assumptions and an analysis of DHIES. In: Naccache, D. (ed.) CT-RSA 2001. LNCS, vol. 2020, pp. 143\u2013158. Springer, Heidelberg (2001). doi:10.1007\/3-540-45353-9_12"},{"key":"22_CR2","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"301","DOI":"10.1007\/978-3-540-39927-8_28","volume-title":"Information and Communications Security","author":"F Bao","year":"2003","unstructured":"Bao, F., Deng, R.H., Zhu, H.F.: Variations of Diffie-Hellman problem. In: Qing, S., Gollmann, D., Zhou, J. (eds.) ICICS 2003. LNCS, vol. 2836, pp. 301\u2013312. Springer, Heidelberg (2003). doi:10.1007\/978-3-540-39927-8_28"},{"key":"22_CR3","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"602","DOI":"10.1007\/11818175_36","volume-title":"Advances in Cryptology - CRYPTO 2006","author":"M Bellare","year":"2006","unstructured":"Bellare, M.: New proofs for NMAC and HMAC: security without collision-resistance. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 602\u2013619. Springer, Heidelberg (2006). doi:10.1007\/11818175_36"},{"key":"22_CR4","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"491","DOI":"10.1007\/3-540-39200-9_31","volume-title":"Advances in Cryptology \u2014 EUROCRYPT 2003","author":"M Bellare","year":"2003","unstructured":"Bellare, M., Kohno, T.: A theoretical treatment of related-key attacks: RKA-PRPs, RKA-PRFs, and applications. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 491\u2013506. Springer, Heidelberg (2003). doi:10.1007\/3-540-39200-9_31"},{"key":"22_CR5","unstructured":"Bellare, M., Lysyanskaya, A.: Symmetric and dual PRFs from standard assumptions: a generic validation of an HMAC assumption. Cryptology ePrint Archive, Report 2015\/1198 (2015). http:\/\/eprint.iacr.org\/2015\/1198"},{"key":"22_CR6","unstructured":"Bertoni, G., Daemen, J., Peeters, M., Assche, G.V.: The Keccak SHA-3 submission. Submission to NIST (Round 3) (2011). http:\/\/keccak.noekeon.org\/Keccak-submission-3.pdf"},{"key":"22_CR7","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"181","DOI":"10.1007\/978-3-540-78967-3_11","volume-title":"Advances in Cryptology \u2013 EUROCRYPT 2008","author":"G Bertoni","year":"2008","unstructured":"Bertoni, G., Daemen, J., Peeters, M., Assche, G.: On the indifferentiability of the sponge construction. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 181\u2013197. Springer, Heidelberg (2008). doi:10.1007\/978-3-540-78967-3_11"},{"key":"22_CR8","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"235","DOI":"10.1007\/978-3-662-44381-1_14","volume-title":"Advances in Cryptology \u2013 CRYPTO 2014","author":"K Bhargavan","year":"2014","unstructured":"Bhargavan, K., Fournet, C., Kohlweiss, M., Pironti, A., Strub, P.-Y., Zanella-B\u00e9guelin, S.: Proving the TLS handshake secure (as it is). In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8617, pp. 235\u2013255. Springer, Heidelberg (2014). doi:10.1007\/978-3-662-44381-1_14"},{"key":"22_CR9","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"59","DOI":"10.1007\/BFb0054117","volume-title":"Advances in Cryptology \u2014 EUROCRYPT\u201998","author":"D Boneh","year":"1998","unstructured":"Boneh, D., Venkatesan, R.: Breaking RSA may not be equivalent to factoring. In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 59\u201371. Springer, Heidelberg (1998). doi:10.1007\/BFb0054117"},{"key":"22_CR10","doi-asserted-by":"crossref","unstructured":"Brendel, J., Fischlin, M.: Zero round-trip time for the extended access control protocol. Cryptology ePrint Archive, Report 2017\/060 (2017). http:\/\/eprint.iacr.org\/2017\/060","DOI":"10.1007\/978-3-319-66402-6_18"},{"key":"22_CR11","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"430","DOI":"10.1007\/11535218_26","volume-title":"Advances in Cryptology \u2013 CRYPTO 2005","author":"J-S Coron","year":"2005","unstructured":"Coron, J.-S., Dodis, Y., Malinaud, C., Puniya, P.: Merkle-Damg\u00e5rd revisited: how to construct a hash function. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 430\u2013448. Springer, Heidelberg (2005). doi:10.1007\/11535218_26"},{"key":"22_CR12","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"54","DOI":"10.1007\/978-3-642-18178-8_6","volume-title":"Information Security","author":"\u00d6 Dagdelen","year":"2011","unstructured":"Dagdelen, \u00d6., Fischlin, M.: Security analysis of the extended access control protocol for machine readable travel documents. In: Burmester, M., Tsudik, G., Magliveras, S., Ili\u0107, I. (eds.) ISC 2010. LNCS, vol. 6531, pp. 54\u201368. Springer, Heidelberg (2011). doi:10.1007\/978-3-642-18178-8_6"},{"key":"22_CR13","unstructured":"Dierks, T., Rescorla, E.: The transport layer security (TLS) protocol version 1.2. RFC 5246 (proposed standard), August 2008. http:\/\/www.ietf.org\/rfc\/rfc5246.txt. Updated by RFCs 5746, 5878, 6176, 7465, 7507, 7568, 7627, 7685, 7905, 7919"},{"key":"22_CR14","doi-asserted-by":"crossref","unstructured":"Dowling, B., Fischlin, M., G\u00fcnther, F., Stebila, D.: A cryptographic analysis of the TLS 1.3 handshake protocol candidates. In: Ray, I., Li, N., Kruegel: C. (eds.) ACM CCS 2015, pp. 1197\u20131210. ACM Press, October 2015","DOI":"10.1145\/2810103.2813653"},{"key":"22_CR15","doi-asserted-by":"crossref","unstructured":"Dowling, B., Fischlin, M., G\u00fcnther, F., Stebila, D.: A cryptographic analysis of the TLS 1.3 handshake protocol candidates. Cryptology ePrint Archive, Report 2015\/914 (2015). http:\/\/eprint.iacr.org\/2015\/914","DOI":"10.1145\/2810103.2813653"},{"key":"22_CR16","unstructured":"Dowling, B., Fischlin, M., G\u00fcnther, F., Stebila, D.: A cryptographic analysis of the TLS 1.3 draft-10 full and pre-shared key handshake protocol. Cryptology ePrint Archive, Report 2016\/081 (2016). http:\/\/eprint.iacr.org\/2016\/081"},{"key":"22_CR17","doi-asserted-by":"crossref","unstructured":"Fischlin, M., G\u00fcnther, F.: Multi-stage key exchange and the case of Google\u2019s QUIC protocol. In: Ahn, G.J., Yung, M., Li, N. (eds.) ACM CCS 2014, pp. 1193\u20131204. ACM Press, November 2014","DOI":"10.1145\/2660267.2660308"},{"key":"22_CR18","doi-asserted-by":"crossref","unstructured":"Fischlin, M., G\u00fcnther, F.: Replay attacks on zero round-trip time: the case of the TLS 1.3 handshake candidates. In: 2017 IEEE European Symposium on Security and Privacy. IEEE, April 2017","DOI":"10.1109\/EuroSP.2017.18"},{"key":"22_CR19","doi-asserted-by":"publisher","DOI":"10.1017\/CBO9781139012843","volume-title":"Mathematics of Public Key Cryptography","author":"SD Galbraith","year":"2012","unstructured":"Galbraith, S.D.: Mathematics of Public Key Cryptography. Cambridge University Press, Cambridge (2012)"},{"key":"22_CR20","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"93","DOI":"10.1007\/978-3-540-85174-5_6","volume-title":"Advances in Cryptology \u2013 CRYPTO 2008","author":"S Garg","year":"2008","unstructured":"Garg, S., Bhaskar, R., Lokam, S.V.: Improved bounds on security reductions for discrete log based signatures. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 93\u2013107. Springer, Heidelberg (2008). doi:10.1007\/978-3-540-85174-5_6"},{"issue":"2","key":"22_CR21","doi-asserted-by":"publisher","first-page":"281","DOI":"10.1137\/0217017","volume":"17","author":"S Goldwasser","year":"1988","unstructured":"Goldwasser, S., Micali, S., Rivest, R.L.: A digital signature scheme secure against adaptive chosen-message attacks. SIAM J. Comput. 17(2), 281\u2013308 (1988)","journal-title":"SIAM J. Comput."},{"key":"22_CR22","unstructured":"International Civil Aviation Organization (ICAO): Machine Readable Travel Documents, Part 11, Security Mechanisms for MRTDs, 7th edn. Doc 9303 (2015)"},{"key":"22_CR23","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"273","DOI":"10.1007\/978-3-642-32009-5_17","volume-title":"Advances in Cryptology \u2013 CRYPTO 2012","author":"T Jager","year":"2012","unstructured":"Jager, T., Kohlar, F., Sch\u00e4ge, S., Schwenk, J.: On the security of TLS-DHE in the standard model. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 273\u2013293. Springer, Heidelberg (2012). doi:10.1007\/978-3-642-32009-5_17"},{"key":"22_CR24","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"339","DOI":"10.1007\/3-540-45311-3_32","volume-title":"Progress in Cryptology \u2014 INDOCRYPT 2001","author":"E Kiltz","year":"2001","unstructured":"Kiltz, E.: A tool box of cryptographic functions related to the Diffie-Hellman function. In: Rangan, C.P., Ding, C. (eds.) INDOCRYPT 2001. LNCS, vol. 2247, pp. 339\u2013349. Springer, Heidelberg (2001). doi:10.1007\/3-540-45311-3_32"},{"key":"22_CR25","doi-asserted-by":"crossref","unstructured":"Krawczyk, H., Bellare, M., Canetti, R.: HMAC: keyed-hashing for message authentication. RFC 2104 (Informational), February 1997. http:\/\/www.ietf.org\/rfc\/rfc2104.txt. Updated by RFC 6151","DOI":"10.17487\/rfc2104"},{"key":"22_CR26","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"546","DOI":"10.1007\/11535218_33","volume-title":"Advances in Cryptology \u2013 CRYPTO 2005","author":"H Krawczyk","year":"2005","unstructured":"Krawczyk, H.: HMQV: a high-performance secure Diffie-Hellman protocol. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 546\u2013566. Springer, Heidelberg (2005). doi:10.1007\/11535218_33"},{"key":"22_CR27","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"631","DOI":"10.1007\/978-3-642-14623-7_34","volume-title":"Advances in Cryptology \u2013 CRYPTO 2010","author":"H Krawczyk","year":"2010","unstructured":"Krawczyk, H.: Cryptographic extraction and key derivation: the HKDF scheme. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 631\u2013648. Springer, Heidelberg (2010). doi:10.1007\/978-3-642-14623-7_34"},{"key":"22_CR28","doi-asserted-by":"crossref","unstructured":"Krawczyk, H., Eronen, P.: HMAC-based extract-and-expand key derivation function (HKDF). RFC 5869 (Informational), May 2010. https:\/\/rfc-editor.org\/rfc\/rfc5869.txt","DOI":"10.17487\/rfc5869"},{"key":"22_CR29","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"429","DOI":"10.1007\/978-3-642-40041-4_24","volume-title":"Advances in Cryptology \u2013 CRYPTO 2013","author":"H Krawczyk","year":"2013","unstructured":"Krawczyk, H., Paterson, K.G., Wee, H.: On the security of the TLS protocol: a systematic analysis. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 429\u2013448. Springer, Heidelberg (2013). doi:10.1007\/978-3-642-40041-4_24"},{"key":"22_CR30","doi-asserted-by":"crossref","unstructured":"Krawczyk, H., Wee, H.: The OPTLS protocol and TLS 1.3. In: 2016 IEEE European Symposium on Security and Privacy, pp. 81\u201396. IEEE, March 2016","DOI":"10.1109\/EuroSP.2016.18"},{"key":"22_CR31","doi-asserted-by":"crossref","unstructured":"Li, X., Xu, J., Zhang, Z., Feng, D., Hu, H.: Multiple handshakes security of TLS 1.3 candidates. In: IEEE Symposium on Security and Privacy, SP 2016, San Jose, CA, USA, 22\u201326 May 2016, pp. 486\u2013505. IEEE Computer Society (2016)","DOI":"10.1109\/SP.2016.36"},{"key":"22_CR32","doi-asserted-by":"crossref","unstructured":"Lychev, R., Jero, S., Boldyreva, A., Nita-Rotaru, C.: How secure and quick is QUIC? Provable security and performance analyses. In: 2015 IEEE Symposium on Security and Privacy, pp. 214\u2013231. IEEE Computer Society Press, May 2015","DOI":"10.1109\/SP.2015.21"},{"key":"22_CR33","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"268","DOI":"10.1007\/3-540-68697-5_21","volume-title":"Advances in Cryptology \u2014 CRYPTO \u201996","author":"UM Maurer","year":"1996","unstructured":"Maurer, U.M., Wolf, S.: Diffie-Hellman oracles. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 268\u2013282. Springer, Heidelberg (1996). doi:10.1007\/3-540-68697-5_21"},{"key":"22_CR34","doi-asserted-by":"crossref","unstructured":"NIST: Federal Information Processing Standard 202, SHA-3 Standard: Permutation-based hash and extendable-output functions, August 2015. http:\/\/dx.doi.org\/10.6028\/NIST.FIPS.202","DOI":"10.6028\/NIST.FIPS.202"},{"key":"22_CR35","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1007\/11593447_1","volume-title":"Advances in Cryptology - ASIACRYPT 2005","author":"P Paillier","year":"2005","unstructured":"Paillier, P., Vergnaud, D.: Discrete-log-based signatures may not be equivalent to discrete log. In: Roy, B. (ed.) ASIACRYPT 2005. LNCS, vol. 3788, pp. 1\u201320. Springer, Heidelberg (2005). doi:10.1007\/11593447_1"},{"key":"22_CR36","doi-asserted-by":"crossref","unstructured":"Rescorla, E.: The transport layer security (TLS) protocol version 1.3 - draft-ietf-tls-tls13-20, April 2017. https:\/\/tools.ietf.org\/html\/draft-ietf-tls-tls13-20","DOI":"10.17487\/RFC8446"},{"issue":"3","key":"22_CR37","doi-asserted-by":"publisher","first-page":"329","DOI":"10.1007\/s10623-007-9159-1","volume":"46","author":"B Ustaoglu","year":"2008","unstructured":"Ustaoglu, B.: Obtaining a secure and efficient key agreement protocol from (H)MQV and NAXOS. Des. Codes Cryptography 46(3), 329\u2013342 (2008)","journal-title":"Des. Codes Cryptography"}],"container-title":["Lecture Notes in Computer Science","Advances in Cryptology \u2013 CRYPTO 2017"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-319-63697-9_22","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2024,3,13]],"date-time":"2024-03-13T20:09:01Z","timestamp":1710360541000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/978-3-319-63697-9_22"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2017]]},"ISBN":["9783319636962","9783319636979"],"references-count":37,"URL":"https:\/\/doi.org\/10.1007\/978-3-319-63697-9_22","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"value":"0302-9743","type":"print"},{"value":"1611-3349","type":"electronic"}],"subject":[],"published":{"date-parts":[[2017]]},"assertion":[{"value":"2 August 2017","order":1,"name":"first_online","label":"First Online","group":{"name":"ChapterHistory","label":"Chapter History"}},{"value":"CRYPTO","order":1,"name":"conference_acronym","label":"Conference Acronym","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Annual International Cryptology Conference","order":2,"name":"conference_name","label":"Conference Name","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Santa Barbara","order":3,"name":"conference_city","label":"Conference City","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"USA","order":4,"name":"conference_country","label":"Conference Country","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"2017","order":5,"name":"conference_year","label":"Conference Year","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"20 August 2017","order":7,"name":"conference_start_date","label":"Conference Start Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"24 August 2017","order":8,"name":"conference_end_date","label":"Conference End Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"37","order":9,"name":"conference_number","label":"Conference Number","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"crypto2017","order":10,"name":"conference_id","label":"Conference ID","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"https:\/\/www.iacr.org\/conferences\/crypto2017\/","order":11,"name":"conference_url","label":"Conference URL","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"This content has been made available to all.","name":"free","label":"Free to read"}]}}