On the security of the ECKE-1N and EECKE-1N elliptic-curve key agreement protocols

In a recent paper published in the proceedings of the EBISS´09 conference, Mohammad and Chi-Chun Lo claim that protocol ECKE-1N is vulnerable to key compromise impersonation (KCI) attacks and ephemeral key leakage. They also present protocol EECKE-1N, a revised version of protocol ECKE-1N, which is supposedly more secure since it does not exhibit similar vulnerabilities. In this article we show that the results concerning the security properties of the ECKE-1N protocol described in the aforementioned work were not correctly established. In particular, the first attack against protocol ECKE-1N does not demonstrate its vulnerability to KCI attacks while the second attack cannot be successfully brought against the protocol under the assumptions of the formal security model considered by the authors. We also present protocol ECKE-1H, a stronger version of the ECKE-1N protocol, and prove its security in the extended Canetti-Krawczyck model of distributed computing introduced by Lamacchia et al.