Scientific knowledge map · Paper #68
Short Concurrent Covert Authenticated Key Exchange (Short cAKE)
2023 · 29th Annual International Conference on the Theory and Applications of Cryptology and Information Security (ASIACRYPT)
- Theory
- Applied
- protocol
Research question
What does the paper try to establish?
Can members of a credentialed group establish independent authenticated keys in many concurrent sessions while making the protocol traffic and even the fact of group participation indistinguishable from random beacon strings?
Central answer
What is the proposed answer?
Short cAKE combines covert identity escrow and a covert KEM inside a UC functionality. Each party sends one simultaneous 351-byte message, and the construction derives a key only when both parties hold valid, non-revoked group credentials. The security theorem is conditional on the modeled components and assumptions, including static corruption and random-oracle-based building blocks; later compromise does not preserve past-session participation covertness.
Evidence profile
Six dimensions, kept separate
The chart summarizes documented evidence and process. It is not a correctness probability, confidence score, or ranking, and no composite score is calculated.
LowMediumHighN/A = not assessed
A smaller value means less documented support for that dimension, not that the paper is false or unimportant.
- Epistemic evidence Medium
-
The complete chapter defines the UC target, components, protocol, theorem statements, and cost analysis, but defers proof and implementation details to the full version and has no independent verification represented here.
Concurrent UC model and cAKE functionality Covert KEM construction and security theorem Short cAKE protocol and UC realization Full-version proofs and proof-of-concept material - Auditability High
-
A complete public archive copy, IACR full-version route, and official DOI make the protocol, assumptions, and formal claims directly inspectable.
Covert AKE problem, contributions, and efficiency summary Full-version proofs and proof-of-concept material Official publication identity - Production provenance Medium
-
Named authorship, publication identity, and public manuscript versions are documented; author roles, revision lineage, proof-tool use, and artifact-version history are not.
Covert AKE problem, contributions, and efficiency summary Official publication identity - External scrutiny Medium
-
ASIACRYPT publication establishes venue review, but public reports, independent proof checking, implementation reproduction, and correction history were not located.
Official publication identity - Reception Low
-
The dated OpenAlex snapshot located 2 citations. Under the author-defined rule, 0 through 8 located citations is Low; citation count does not measure correctness.
Dated citation-count snapshot - Contribution significance High
-
The source combines concurrent UC covertness, group credential controls, one simultaneous flow, and short concrete messages in one protocol result; the assessment remains pending author verification.
Covert AKE problem, contributions, and efficiency summary Concurrent UC model and cAKE functionality Short cAKE protocol and UC realization
Assessment: Ai draft author review pending · 2026-07-11 · rubric 0.2. These dimensions describe documented support and process, not truth, correctness, or a universal ranking. No composite score is calculated.
Top-down and bottom-up view
Hierarchical knowledge map
Collapse a branch for a top-level reading, or follow its source links and child nodes to audit the evidence and boundaries underneath it.
Short concurrent covert AKE
A one-flow group-authenticated key-exchange protocol whose UC goal includes hiding protocol execution and participant credentials within random-looking beacon traffic under concurrent execution.
Covert AKE problem, contributions, and efficiency summary-
question Research question
research questionCan covert AKE simultaneously achieve concurrent composability, group membership and revocation checks, independent session keys, short messages, and no visible protocol marker?
Covert AKE problem, contributions, and efficiency summary Concurrent UC model and cAKE functionality -
contribution Central construction
proved conditionallyCombine a covert identity-escrow mechanism and a covert KEM so that both credential checks must succeed before either party derives the session key, while each transmitted string remains distributed like a beacon string to outsiders.
Construction overview, components, and limitations Short cAKE protocol and UC realization -
model UC functionality and adversary formalized
The functionality represents a group manager, member credentials, revocation, concurrent sessions, authentication, key independence, and covert transcripts under static corruptions.
Concurrent UC model and cAKE functionality-
security goal Transcript and identity covertness
definedBefore successful mutual recognition, observable protocol strings should be indistinguishable from the ambient random-beacon distribution and should not reveal a party's group token or membership.
Covert AKE problem, contributions, and efficiency summary Concurrent UC model and cAKE functionality -
security goal Authenticated independent keys
definedHonest parties accepting the same session obtain a shared key only for valid, non-revoked credentials, and concurrent sessions obtain independent keys under the ideal functionality.
Concurrent UC model and cAKE functionality
-
-
protocol Short cAKE protocol constructed
Each party simultaneously sends one compound message containing the commitment and sender/receiver material needed for covert credential escrow and covert encapsulation, then locally combines both acceptance conditions before deriving a key.
Construction overview, components, and limitations Short cAKE protocol and UC realization-
protocol component Covert identity escrow
constructedA group credential is committed and tested without exposing it to non-members; revocation information is included in the local decision.
Commitments, SPHF, credentials, and covert primitives Short cAKE protocol and UC realization -
protocol component Covert key encapsulation
constructedThe CKEM is compiled from Sigma-protocol, trapdoor-commitment, and smooth-projective-hash ingredients in the random-oracle model, with properties designed for same-statement concurrency and postponed statements.
Commitments, SPHF, credentials, and covert primitives Covert KEM construction and security theorem -
property One simultaneous flow and short messages
analytically derivedEach party sends one 351-byte message consisting of four DDH-group elements and two type-3 pairing-curve points; the paper reports roughly a tenfold size reduction over its prior comparison point.
Covert AKE problem, contributions, and efficiency summary Short cAKE protocol and UC realization
-
-
claim group Security and efficiency results theorem backed
The source states separate conditional security results for the CKEM compiler and for the composed cAKE realization, together with operation counts.
Covert KEM construction and security theorem Short cAKE protocol and UC realization-
theorem Covert KEM theorem
proved conditionallyTheorem 5.1 establishes the required CKEM security from the listed commitment, proof, hash, and random-oracle assumptions under the theorem's concurrency conditions.
Covert KEM construction and security theorem -
theorem UC realization theorem
proved conditionallyTheorem 6.1 states that the composed protocol realizes the defined cAKE functionality when the covert identity-escrow and CKEM components satisfy their required properties.
Short cAKE protocol and UC realization -
claim Per-party computation
analytically derivedThe proceedings analysis reports 14 exponentiations in total, including ten fixed-base and four variable-base operations, plus 4+n pairings for a group parameter n.
Covert AKE problem, contributions, and efficiency summary Short cAKE protocol and UC realization
-
-
evidence group Evidence structure
formal with deferred detailsThe chapter gives the UC functionality, component definitions, concrete construction, theorem statements, and analytical costs; it directs readers to the IACR full version for deferred proofs and proof-of-concept implementation details.
Concurrent UC model and cAKE functionality Covert KEM construction and security theorem Short cAKE protocol and UC realization Full-version proofs and proof-of-concept material -
limitation group Scope and limitations explicitly bounded
The result is conditional on a trusted credential lifecycle and specific cryptographic models; its covertness guarantee does not automatically survive later endpoint compromise.
Construction overview, components, and limitations Concurrent UC model and cAKE functionality-
limitation Static corruption and no forward covertness
model boundedThe analysis uses static corruption. Later compromise may reveal that a party participated in past sessions even when session-key security remains, so forward privacy of participation is outside the claim.
Construction overview, components, and limitations Concurrent UC model and cAKE functionality -
limitation Credential and random-oracle assumptions
assumption dependentA group manager must issue credentials and distribute revocation state securely, and the CKEM compiler relies on random-oracle and group assumptions; these are prerequisites rather than guarantees of cAKE itself.
Commitments, SPHF, credentials, and covert primitives Covert KEM construction and security theorem -
limitation Proceedings chapter defers implementation detail
evidence boundaryThe represented 35-page chapter gives analytical costs but sends readers to the full ePrint for proof-of-concept measurements; no independent deployment or side-channel evaluation is established here.
Covert AKE problem, contributions, and efficiency summary Full-version proofs and proof-of-concept material
-
-
artifact group Auditable resources
source availableA complete public proceedings copy, IACR full-version record, and official DOI expose the protocol and its formal context. No public source-code repository was located in this audit.
Covert AKE problem, contributions, and efficiency summary Full-version proofs and proof-of-concept material Official publication identity -
scrutiny External scrutiny
venue reviewedASIACRYPT publication establishes venue scrutiny, but public reports, independent implementation reproduction, proof verification, correction, or adversarial follow-up were not located.
Official publication identity -
lineage Protocol lineage
documentedShort cAKE compresses earlier covert AKE directions by combining covert credential recognition and encapsulation under a composable concurrent-session model.
Covert AKE problem, contributions, and efficiency summary Construction overview, components, and limitations
Audit trail
Source index
Locators state the depth of the current audit. PDF page numbers, where present, are one-based file pages; metadata-, summary-, and abstract-bounded records explicitly identify their limitations.
- Covert AKE problem, contributions, and efficiency summary Abstract and Section 1, PDF pages 1-6
- Construction overview, components, and limitations Technical overview, PDF pages 6-9
- Concurrent UC model and cAKE functionality Section 3, PDF pages 10-16
- Commitments, SPHF, credentials, and covert primitives Section 4, PDF pages 16-25
- Covert KEM construction and security theorem Section 5, PDF pages 25-28, including Theorem 5.1
- Short cAKE protocol and UC realization Section 6, PDF pages 28-31, including Theorem 6.1
- Full-version proofs and proof-of-concept material IACR ePrint 2023/1418, cited by the proceedings chapter for deferred details
- Official publication identity ASIACRYPT 2023, DOI 10.1007/978-981-99-8742-9_3
- Dated citation-count snapshot OpenAlex cited_by_count was 2 when accessed 2026-07-11