Date Added: Mar 2011
Many recent Key Exchange (KE) protocols have been proven secure in the CK, CK-HMQV, or eCK security models. The exact relation between these security models, and hence the relation between the security guarantees provided by the protocols, is unclear. First, the authors show that the CK, CK-HMQV, and eCK security models are formally incomparable. Second, they show that these models are also practically incomparable, by providing, for each model, attacks on protocols from the literature that are not considered by the other models. Third, their analysis enables one to find previously unreported flaws in protocol security proofs from the literature. They identify the causes of these flaws and show how they can be avoided.