message independence. Individual flows of a protocol run between two honest entities are unrelated.

Each attribute may be thought of as desirable for either AK or AKC protocols, or both. For example, we will argue in §5 that flaws in AKC protocols that exploit known session keys are a much more serious weakness than such flaws in AK protocols without key confirmation. Similarly, message independence is more desirable in AK protocols; conceptually, AKC protocols inherently contain some message dependence.

Finally, we mention that in some applications it may be desirable to demonstrate that a protocol is provably an agreement. Informally, this means that neither party is able to affect the choice of key. In reality, however, one entity selects its contribution to the key before the other, therefore enabling the other entity to test various selections of its contribution by calculating what the agreed key will be. To formalize this, we could say that this trial-and-error procedure is effectively the best way for either entity to effect the choice of key. While we will not discuss this further, heuristic arguments suggest that our protocols achieve such an agreement property.
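The trial-and-error procedure described above can be measured on a toy exchange; the following is an added example, not code from the paper and not one of its protocols. It lets the second mover resample its contribution until the low bits of the agreed key are zero and reports how many trials that took. The group parameters, the SHA-256 key derivation and all function names are assumptions made for the illustration.

```python
import hashlib
import random

# Toy Diffie-Hellman parameters, constructed for this illustration only.
P = 2**127 - 1  # a Mersenne prime; far too small for real use
G = 3

def derive_key(shared: int) -> bytes:
    """Assumed key derivation: SHA-256 of the shared group element."""
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def responder_search(gx, bits, rng, max_trials=1_000_000):
    """Second mover resamples its contribution y until the low `bits`
    bits of the agreed key are zero. Returns (g^y, key, trials)."""
    mask = (1 << bits) - 1
    for trials in range(1, max_trials + 1):
        y = rng.randrange(2, P - 1)
        key = derive_key(pow(gx, y, P))
        if int.from_bytes(key, "big") & mask == 0:
            return pow(G, y, P), key, trials
    raise RuntimeError("no suitable contribution found")

def run(bits, seed=1):
    # Seeded PRNG keeps the demo reproducible; real keys need a CSPRNG.
    rng = random.Random(seed)
    x = rng.randrange(2, P - 1)        # first mover fixes its contribution
    gx = pow(G, x, P)                  # ...and sends it first
    gy, key_b, trials = responder_search(gx, bits, rng)
    key_a = derive_key(pow(gy, x, P))  # first mover's view of the key
    return key_a, key_b, trials

if __name__ == "__main__":
    for bits in (0, 4, 8, 12):
        key_a, key_b, trials = run(bits)
        assert key_a == key_b
        print(f"bits fixed={bits:2d} trials={trials:5d} key={key_a.hex()[-8:]}")
```

With the hash modelled as random, fixing k bits takes about 2^k trials on average, so the second mover's influence on the key is limited by the work it is able to spend before replying.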
message independence. Both the AK protocols proposed attain message independence; that is, in a bona fide run of the protocols, the individual flows are unrelated. The AKC protocols, on the other hand, do not achieve message independence. This is unsurprising, since by definition the goal of key confirmation is similar to the goal of entity authentication. Flows sent by j in a protocol with such a goal necessarily contain information specific to this particular run which has been selected by i in order to prevent replay attacks. Thus, while our AKC protocols do not achieve message independence, it appears that such a property is inherent to all protocols that achieve key confirmation.