Authenticated key agreement without using one-way hash functions
Harn, L.; Lin, H.-Y.
Electronics Letters, Volume 37, Issue 10, 10 May 2001
Presented by Bin-Cheng Tzeng
2002/10/01
Outlines
• Introduction
• Digital signature schemes for Diffie-Hellman public keys
• Key agreement protocols
• Possible attacks
• Proposed protocol
• Conclusions
Introduction
• Diffie and Hellman proposed the public-key distribution scheme in 1976
• The scheme requires an authenticated channel to exchange the public keys
• Digital signatures on the exchanged public keys are used to provide that authentication
Introduction
• The security assumption of most signature schemes is based on some well-known computational problem
• The security of a one-way hash function is based on the complexity of analysing a simple iterated function
• It would be more secure to have a key distribution scheme that does not use one-way hash functions
Introduction
• The MQV key agreement protocol was proposed in 1995
• In 1998, the authors published a key agreement protocol
• Some attacks on this key agreement protocol were found
• The attacks can easily be avoided by modifying the signature signing equation
Digital signature schemes for Diffie-Hellman public keys
• r = g^k mod p, where g is the generator of the Diffie-Hellman group (standard notation, assumed here)
• k and r: short-term private key and short-term public key
• x: long-term private key
• y = g^x mod p: long-term public key
Key agreement protocols
• A sends {rA, sA, cert(yA)} to B
• B sends {rB, sB, cert(yB)} to A
• A verifies rB and computes the shared secret key K = rB^(kA) mod p
• B verifies rA and computes the shared secret key K = rA^(kB) mod p
Possible attack
• Does not offer perfect forward secrecy
• Assume that the protocol uses x = rk + s
• KAB = g^(xA xB) mod p is the long-term shared secret key
Proposed protocol
• Enables A and B to share multiple secret keys in one round of message exchange
• To share four secrets, for example: A generates two random short-term secret keys kA1 and kA2, the corresponding public keys rA1 and rA2, and a signature sA for {rA1, rA2}
Proposed protocol (cont.)
• A sends {rA1, rA2, sA, cert(yA)} to B
• B does the same
• A verifies {rB1, rB2}
• A computes the shared secret keys as
K1 = rB1^(kA1) mod p
K2 = rB1^(kA2) mod p
K3 = rB2^(kA1) mod p
K4 = rB2^(kA2) mod p
Proposed protocol (cont.)
• B verifies {rA1, rA2} and computes the shared secret keys as
K1 = rA1^(kB1) mod p
K2 = rA2^(kB1) mod p
K3 = rA1^(kB2) mod p
K4 = rA2^(kB2) mod p
Discussion
• The original protocol has been modified in its signature signing and verification equations
• The attacks on the original protocol cannot work in this modified protocol
• The modified protocol does not increase the computational load and does not involve any additional one-way hash function
Discussion (cont.)
• Multiplying these two equations together
Discussion (cont.)
• If the adversary knows four consecutive shared secret keys, he can solve for the long-term shared secret KAB
• To achieve perfect forward secrecy, limit ourselves to using only three out of the four shared secret keys
• The protocol can be generalised to enable A and B to share n^2 - 1 secrets if each user sends n Diffie-Hellman public keys in each pass
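A worked example of the key derivation in the proposed protocol, added here; it is not code from Harn and Lin's paper or from these slides. It uses toy Diffie-Hellman parameters p = 23 and g = 5 constructed for illustration, omits the signatures and certificates that authenticate the exchanged public keys, and generalises the four-key case on the earlier slides to n short-term keys per party (n^2 pairings, of which n^2 - 1 are used, following the advice above to withhold one key). The function names, the K[i][j] indexing and the flattening to the slides' K1..K4 numbering are assumptions of this example.

```python
# Added example, not from the Harn-Lin paper or the slides: derivation of
# the multiple shared secrets from the exchanged Diffie-Hellman public keys.
# Authentication of the public keys (signatures sA/sB, cert(yA)/cert(yB))
# is out of scope here; only the key-derivation arithmetic is shown.
import secrets

# Toy group parameters, constructed for illustration only. A real deployment
# uses a large, standardised group (for example RFC 7919 ffdhe2048).
P = 23
G = 5  # generator of Z_23^*


def random_private_keys(n, p=P):
    """Generate n short-term private keys in [1, p-2] (kA1..kAn or kB1..kBn)."""
    return [1 + secrets.randbelow(p - 2) for _ in range(n)]


def public_keys(private_keys, g=G, p=P):
    """r_i = g^(k_i) mod p for each short-term private key."""
    return [pow(g, k, p) for k in private_keys]


def shared_keys_initiator(kA, rB, p=P):
    """A's side: K[i][j] = rBj^(kAi) mod p = g^(kAi*kBj) mod p."""
    return [[pow(rBj, kAi, p) for rBj in rB] for kAi in kA]


def shared_keys_responder(kB, rA, p=P):
    """B's side: K[i][j] = rAi^(kBj) mod p, the same g^(kAi*kBj) mod p."""
    return [[pow(rAi, kBj, p) for kBj in kB] for rAi in rA]


def in_slide_order(matrix):
    """Flatten to the slides' numbering for n = 2: K1, K2, K3, K4 equal
    rB1^kA1, rB1^kA2, rB2^kA1, rB2^kA2, i.e. column by column."""
    n = len(matrix)
    return [matrix[i][j] for j in range(n) for i in range(n)]


def usable_keys(matrix):
    """Withhold one of the n^2 pairings, as the slides advise for perfect
    forward secrecy (three of four when n = 2); n^2 - 1 keys remain."""
    return in_slide_order(matrix)[:-1]


def run_exchange(n=2):
    """One two-pass exchange with fresh random keys; returns both sides' keys."""
    kA, kB = random_private_keys(n), random_private_keys(n)
    rA, rB = public_keys(kA), public_keys(kB)
    KA = shared_keys_initiator(kA, rB)
    KB = shared_keys_responder(kB, rA)
    return KA, KB


if __name__ == "__main__":
    KA, KB = run_exchange(2)
    print("A:", in_slide_order(KA))
    print("B:", in_slide_order(KB))
    print("agree:", KA == KB, "usable keys:", usable_keys(KA))
```

Both sides compute the same n-by-n matrix because rBj^(kAi) and rAi^(kBj) are both g^(kAi*kBj) mod p; the cost per shared key is one modular exponentiation, which is the point of the comparison with MQV on the next slide.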
Conclusions
• The security assumption relies solely on the difficulty of solving the discrete logarithm problem
• This protocol allows two parties to share multiple secret keys in a two-pass interaction
• The computation of the shared secret keys is simpler than in the MQV protocol