Compact and unforgeable key establishment over an ATM network

Authenticated session key establishment is a central issue in network security. This paper addresses the question of whether we can design a compact, efficient and authenticated key establishment protocol that has the following two properties: (1) each message exchanged between two participants can be transferred in a short packet such as an ATM cell whose payload has only 384 bits, and (2) messages that carry key materials are unforgeable and nonrepudiatable without the involvement of a trusted key distribution center. We discuss why the answer to this question is negative if one follows the currently standard approach to key establishment, namely employing secret/public key encryption and, possibly, digital signature. We then present a number of protocols that represent a positive answer to the question. Our protocols are all based on a cryptographic primitive called “signcryption” that fulfils both the functions of digital signature and public key encryption with a cost far smaller than that required by “digital signature followed by encryption”