Re: game hopping proof in password authenticated key exchange protocols

From: Nick Hopper (
Date: 10/18/05

Date: Tue, 18 Oct 2005 09:14:25 -0500

On Tue, 18 Oct 2005, chir0 wrote:

> Nowadays many protocols in the password authenticated key exchange
> protocol use a game hopping method to prove their protocol's security.
> But I can't understand the way how to use that method. Is it a good
> method to the security proof?

This method of proof reduces the task of breaking, in your example, an
authenticated key exchange protocol, to efficiently solving one or more
simpler mathematical problems. Since these problems are simple to state
and many people have tried to solve them, such proofs give us some
assurance that the more complex task of breaking the key exchange protocol
is also unlikely to be solved.

> Is there anyone who can explain why game hopping method is efficient to
> prove a protocols
> or at least let me know where are reference papers or documents

Victor Shoup has an excellent introduction to writing proofs using this

And more examples of these types of proofs can be found in Goldwasser and
Bellare's lecture notes:

And if you are really interested in the complexity-theoretic
underpinnings, Goldreich's "Foundations of Cryptography" series are a
good source:

(There are fairly complete "fragments" that you can download for free if
you don't want to buy the volumes)
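
Added illustration, not part of the original post: the game-hopping argument for ElGamal encryption under the decisional Diffie-Hellman (DDH) assumption, a simpler case than a password authenticated key exchange but with the same proof structure. The group $G$ of prime order $q$ with generator $g$, the adversary $A$, the distinguisher $D$ and the events $S_0$, $S_1$ are notation assumed here.

Game 0 (the real attack). Choose $x, y \leftarrow \mathbb{Z}_q$ and give $A$ the public key $h = g^x$. $A$ outputs two messages $m_0, m_1 \in G$. Choose a bit $b \leftarrow \{0,1\}$ and give $A$ the ciphertext $(g^y,\; h^y \cdot m_b)$. $A$ outputs a guess $b'$. Let $S_0$ be the event $b' = b$.

Game 1 (one hop). Identical to Game 0, except that the ciphertext is $(g^y,\; g^z \cdot m_b)$ for an independent $z \leftarrow \mathbb{Z}_q$. Let $S_1$ be the event $b' = b$ in this game.

Bounding the hop. Build a DDH distinguisher $D$ that, on input $(g^x, g^y, Z)$, runs $A$ with public key $g^x$ and ciphertext $(g^y,\; Z \cdot m_b)$, and outputs 1 exactly when $b' = b$. If $Z = g^{xy}$, then $D$ runs Game 0; if $Z = g^z$, it runs Game 1. Hence

\[
\bigl|\Pr[S_0] - \Pr[S_1]\bigr| = \mathrm{Adv}^{\mathrm{DDH}}_{D} \le \epsilon_{\mathrm{ddh}} .
\]

The final game. In Game 1 the value $g^z$ is uniform in $G$ and independent of everything else $A$ sees, so $g^z \cdot m_b$ carries no information about $b$:

\[
\Pr[S_1] = \tfrac{1}{2} .
\]

Conclusion. Combining the two steps,

\[
\bigl|\Pr[S_0] - \tfrac{1}{2}\bigr| = \bigl|\Pr[S_0] - \Pr[S_1]\bigr| \le \epsilon_{\mathrm{ddh}} ,
\]

so any efficient adversary with a noticeable advantage against the encryption scheme gives an efficient algorithm for DDH. Proofs for key exchange protocols use longer chains of games, with each hop bounded by a problem such as this one or by a purely probabilistic argument, and the bounds are summed.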

