An Efficient Protocol for Authenticated Key Agreement
 Laurie Law,
 Alfred Menezes,
 Minghua Qu,
 Jerry Solinas,
 Scott Vanstone
Abstract
This paper proposes an efficient two-pass protocol for authenticated key agreement in the asymmetric (public-key) setting. The protocol is based on Diffie-Hellman key agreement and can be modified to work in an arbitrary finite group and, in particular, elliptic curve groups. Two modifications of this protocol are also presented: a one-pass authenticated key agreement protocol suitable for environments where only one entity is online, and a three-pass protocol in which key confirmation is additionally provided. Variants of these protocols have been standardized in IEEE P1363 [17], ANSI X9.42 [2], ANSI X9.63 [4] and ISO 15496-3 [18], and are currently under consideration for standardization by the U.S. government's National Institute for Standards and Technology [30].
References
 [1] R. Anderson and S. Vaudenay, Minding your p's and q's, '96, Lecture Notes in Computer Science, Vol. 1163, Springer-Verlag (1996) pp. 26–35.
 [2] ANSI X9.42, Agreement of Symmetric Algorithm Keys Using Diffie-Hellman (2001).
 [3] ANSI X9.62, The Elliptic Curve Digital Signature Algorithm (ECDSA) (1999).
 [4] ANSI X9.63, Elliptic Curve Key Agreement and Key Transport Protocols (2001).
 [5] M. Bellare, R. Canetti and H. Krawczyk, Keying hash functions for message authentication, '96, Lecture Notes in Computer Science, Vol. 1109, Springer-Verlag (1996) pp. 1–15.
 [6] M. Bellare, R. Canetti and H. Krawczyk, A modular approach to the design and analysis of authentication and key exchange protocols, In Proceedings of the 30th Annual ACM Symposium on the Theory of Computing (1998) pp. 419–428.
 [7] M. Bellare and P. Rogaway, Entity authentication and key distribution, '93, Lecture Notes in Computer Science, Vol. 773, Springer-Verlag (1994) pp. 232–249.
 [8] S. Blake-Wilson, D. Johnson and A. Menezes, Key agreement protocols and their security analysis, In Proceedings of the Sixth IMA International Conference on Cryptography and Coding, Lecture Notes in Computer Science, Vol. 1355, Springer-Verlag (1997) pp. 30–45.
 [9] M. Burmester, On the risk of opening distributed keys, '94, Lecture Notes in Computer Science, Vol. 839, Springer-Verlag (1994) pp. 308–317.
 [10] R. Canetti and H. Krawczyk, Analysis of key-exchange protocols and their use for building secure channels, Advances in Cryptology - Eurocrypt 2001, Lecture Notes in Computer Science, Vol. 2045, Springer-Verlag (2001) pp. 453–474.
 [11] D. Chaum, J.H. Evertse and J. van de Graaf, An improved protocol for demonstrating possession of discrete logarithms and some generalizations, '87, Lecture Notes in Computer Science, Vol. 304, Springer-Verlag (1988) pp. 127–141.
 [12] Y. Desmedt and M. Burmester, Towards practical 'proven secure' authenticated key distribution, 1st ACM Conference on Computer and Communications Security (1993) pp. 228–231.
 [13] W. Diffie and M. Hellman, New directions in cryptography, IEEE Transactions on Information Theory, Vol. 22 (1976) pp. 644–654.
 [14] W. Diffie, P. van Oorschot and M. Wiener, Authentication and authenticated key exchanges, Designs, Codes and Cryptography, Vol. 2 (1992) pp. 107–125.
 [15] G. Frey and H. Rück, A remark concerning m-divisibility and the discrete logarithm in the divisor class group of curves, Mathematics of Computation, Vol. 62 (1994) pp. 865–874.
 [16] K. C. Goss, Cryptographic method and apparatus for public key exchange with authentication, U.S. patent 4,956,865, September 11 (1990).
 [17] IEEE P1363-2000, Standard Specifications for Public-Key Cryptography (2000).
 [18] ISO/IEC 15946-3, Information Technology, Security Techniques, Cryptographic Techniques Based on Elliptic Curves, Part 3: Key Establishment (2002).
 [19] D. Johnson, Contribution to ANSI X9F1 working group (1997).
 [20] M. Just and S. Vaudenay, Authenticated multi-party key agreement, '96, Lecture Notes in Computer Science, Vol. 1163, Springer-Verlag (1996) pp. 36–49.
 [21] B. Kaliski, Contribution to ANSI X9F1 and IEEE P1363 working groups, June (1998).
 [22] B. Kaliski, An unknown key-share attack on the MQV key agreement protocol, ACM Transactions on Information and System Security, Vol. 4 (2001) pp. 275–288.
 [23] C. Lim and P. Lee, A key recovery attack on discrete log-based schemes using a prime order subgroup, '97, Lecture Notes in Computer Science, Vol. 1294, Springer-Verlag (1997) pp. 249–263.
 [24] T. Matsumoto, Y. Takashima and H. Imai, On seeking smart public-key distribution systems, The Transactions of the IECE of Japan, Vol. E69 (1986) pp. 99–106.
 [25] A. Menezes, T. Okamoto and S. Vanstone, Reducing elliptic curve logarithms to logarithms in a finite field, IEEE Transactions on Information Theory, Vol. 39 (1993) pp. 1639–1646.
 [26] A. Menezes, M. Qu and S. Vanstone, Key agreement and the need for authentication, Presentation at PKS '95, Toronto, Canada, November (1995).
 [27] C. Mitchell, M. Ward and P. Wilson, Key control in key agreement protocols, Electronics Letters, Vol. 34 (1998) pp. 980–981.
 [28] National Institute of Standards and Technology, Secure Hash Standard (SHS), FIPS Publication 180-1, April (1995).
 [29] National Institute of Standards and Technology, Digital Signature Standard, FIPS Publication 186-2 (1999).
 [30] National Institute of Standards and Technology, Second key management workshop, November (2001).
 [31] National Security Agency, SKIPJACK and KEA algorithm specification, Version 2.0, May 29 (1998).
 [32] S. Pohlig and M. Hellman, An improved algorithm for computing logarithms over GF(p) and its cryptographic significance, IEEE Transactions on Information Theory, Vol. 24 (1978) pp. 106–110.
 [33] J. Pollard, Monte Carlo methods for index computation mod p, Mathematics of Computation, Vol. 32 (1978) pp. 918–924.
 [34] T. Satoh and K. Araki, Fermat quotients and the polynomial time discrete log algorithm for anomalous elliptic curves, Commentarii Mathematici Universitatis Sancti Pauli, Vol. 47 (1998) pp. 81–92.
 [35] I. Semaev, Evaluation of discrete logarithms in a group of p-torsion points of an elliptic curve in characteristic p, Mathematics of Computation, Vol. 67 (1998) pp. 353–356.
 [36] V. Shoup, On formal models for secure key exchange, available from Theory of Cryptography Library, http://philby.ucsd.edu/cryptolib, April 1999. Revised November (1999).
 [37] N. Smart, The discrete logarithm problem on elliptic curves of trace one, Journal of Cryptology, Vol. 12 (1999) pp. 193–196.
 [38] J. Solinas, Low-weight binary representations for pairs of integers, Technical Report CORR 2001-48, Department of C&O, University of Waterloo (2001).
 [39] P. van Oorschot and M. Wiener, On Diffie-Hellman key agreement with short exponents, '96, Lecture Notes in Computer Science, Vol. 1070, Springer-Verlag (1996) pp. 332–343.
 [40] Y. Yacobi, A key distribution paradox, '90, Lecture Notes in Computer Science, Vol. 537, Springer-Verlag (1991) pp. 268–273.
 Title
 An Efficient Protocol for Authenticated Key Agreement
 Journal
 Designs, Codes and Cryptography
 Volume 28, Issue 2, pp. 119–134
 Cover Date
 2003-03-01
 DOI
 10.1023/A:1022595222606
 Print ISSN
 0925-1022
 Online ISSN
 1573-7586
 Publisher
 Kluwer Academic Publishers
 Keywords
 Diffie-Hellman
 authenticated key agreement
 key confirmation
 elliptic curves
 Authors
 Laurie Law (1)
 Alfred Menezes (2)
 Minghua Qu (3)
 Jerry Solinas (4)
 Scott Vanstone (2)
 Author Affiliations
 1. National Security Agency, 9800 Savage Road, Suite 6511, Ft. George G. Meade, MD, 20755-6511, USA
 2. Dept. of C&O, University of Waterloo, Waterloo, Ontario, Canada, N2L 3G1
 3. Certicom Research, 5520 Explorer Drive, 4th Floor, Mississauga, Ontario, Canada, L4W 5L1
 4. National Security Agency, 9800 Savage Road, Suite 6511, Ft. George G. Meade, MD, 20755-6511, USA