Abstract
This paper proposes an efficient two-pass protocol for authenticated key agreement in the asymmetric (public-key) setting. The protocol is based on Diffie-Hellman key agreement and can be modified to work in an arbitrary finite group and, in particular, in elliptic curve groups. Two modifications of this protocol are also presented: a one-pass authenticated key agreement protocol suitable for environments where only one entity is on-line, and a three-pass protocol in which key confirmation is additionally provided. Variants of these protocols have been standardized in IEEE P1363 [17], ANSI X9.42 [2], ANSI X9.63 [4] and ISO/IEC 15946-3 [18], and are currently under consideration for standardization by the U.S. government's National Institute of Standards and Technology [30].
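The abstract names the two-pass protocol and its three-pass key-confirmation variant without showing the exchange itself. The following is an added illustration, not code from the paper or from any of the cited standards: the two-pass MQV computation in a prime-order subgroup of Z_p^* (the finite-field form that ANSI X9.42 and IEEE P1363 standardize), followed by the confirmation tags of the three-pass variant. The domain parameters are a constructed toy safe-prime group (p = 2039, q = 1019, g = 4) chosen for readability; the SHA-256 key derivation, the HMAC and the byte encoding of the tag inputs are this example's own assumptions.

```python
"""Two-pass MQV key agreement in a prime-order subgroup of Z_p^*, plus the
key-confirmation tags of the three-pass variant.

Added example; not code from the paper or from any standard.  Domain
parameters are a constructed toy safe-prime group (p = 2q + 1) so the
arithmetic is readable.  The SHA-256 KDF, the HMAC and the byte encoding of
the tag inputs are this example's assumptions.
"""
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed toy parameters: p and q = (p - 1) / 2 prime, g of order q.
P, Q, G = 2039, 1019, 4
H = (P - 1) // Q                        # cofactor h = 2
NBYTES = (P.bit_length() + 7) // 8      # fixed-width encoding of group elements


def avf(r: int) -> int:
    """Associated value of group element r: its low l bits with bit l forced
    on, l = ceil(bitlen(q) / 2).  Truncation halves the cost of the
    exponentiation by avf(r); the forced bit keeps avf(r) nonzero."""
    l = (Q.bit_length() + 1) // 2
    return (r % (1 << l)) + (1 << l)


def keygen() -> tuple[int, int]:
    """Return (private, public): private in [1, q-1], public = g^private mod p."""
    d = secrets.randbelow(Q - 1) + 1
    return d, pow(G, d, P)


def valid_public_key(y: int) -> bool:
    """Reject 1, out-of-range values and anything outside <g>; together with
    the cofactor in the exponent this blocks small-subgroup key recovery."""
    return 1 < y < P and pow(y, Q, P) == 1


def shared_secret(a: int, x: int, X: int, B: int, Y: int) -> int:
    """One party's side: static key (a, A), ephemeral key (x, X), peer static
    public key B, peer ephemeral public key Y.
        s = x + avf(X) * a  (mod q)
        K = (Y * B^avf(Y))^(h * s)  (mod p)
    The peer mirrors this; both reach g^(h (x + avf(X) a)(y + avf(Y) b))."""
    if not (valid_public_key(B) and valid_public_key(Y)):
        raise ValueError("invalid peer public key")
    s = (x + avf(X) * a) % Q
    base = (Y * pow(B, avf(Y), P)) % P
    K = pow(base, H * s, P)
    if K == 1:
        raise ValueError("degenerate shared secret")
    return K


def derive_keys(K: int) -> tuple[bytes, bytes]:
    """Split SHA-256(K) into (confirmation MAC key, session key)."""
    d = hashlib.sha256(K.to_bytes(NBYTES, "big")).digest()
    return d[:16], d[16:]


def confirm_tag(mac_key: bytes, counter: int, sender: bytes,
                receiver: bytes, r1: int, r2: int) -> bytes:
    """Key-confirmation tag MAC_k(counter, sender, receiver, r1, r2)."""
    msg = (bytes([counter]) + sender + receiver
           + r1.to_bytes(NBYTES, "big") + r2.to_bytes(NBYTES, "big"))
    return hmac.new(mac_key, msg, hashlib.sha256).digest()


def run_protocol(a: int, A: int, b: int, B: int, x: Optional[int] = None,
                 y: Optional[int] = None) -> tuple[bytes, bytes, bool]:
    """Three-pass run between A (static a, A) and B (static b, B).  Ephemeral
    secrets may be supplied for a reproducible run.  Returns A's session key,
    B's session key and whether both confirmation tags verified."""
    x, X = (x, pow(G, x, P)) if x is not None else keygen()
    y, Y = (y, pow(G, y, P)) if y is not None else keygen()
    # Message 1: A -> B : X
    # Message 2: B -> A : Y, t_B = MAC_k(2, B, A, Y, X)
    mac_b, sk_b = derive_keys(shared_secret(b, y, Y, A, X))
    t_B = confirm_tag(mac_b, 2, b"B", b"A", Y, X)
    # A derives the same key and checks t_B before using the session key.
    mac_a, sk_a = derive_keys(shared_secret(a, x, X, B, Y))
    ok_a = hmac.compare_digest(t_B, confirm_tag(mac_a, 2, b"B", b"A", Y, X))
    # Message 3: A -> B : t_A = MAC_k(3, A, B, X, Y)
    t_A = confirm_tag(mac_a, 3, b"A", b"B", X, Y)
    ok_b = hmac.compare_digest(t_A, confirm_tag(mac_b, 3, b"A", b"B", X, Y))
    return sk_a, sk_b, ok_a and ok_b


if __name__ == "__main__":
    a, A = keygen()
    b, B = keygen()
    sk_a, sk_b, ok = run_protocol(a, A, b, B)
    print("keys match:", sk_a == sk_b, "confirmed:", ok)
```

The two-pass protocol is messages 1 and 2 without t_B; both parties then hold K and the session key, and each party's static private key enters K through s, which is what gives implicit key authentication without signatures. Dropping message 3 and the tags gives the two-pass protocol; the one-pass variant of the abstract is obtained by letting the off-line party use its static key in place of an ephemeral one. The check in valid_public_key and the cofactor h in the exponent are the two defences the standards use against the small-subgroup attack cited below; leaving out both makes an invalid Y leak bits of the static key.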
References
R. Anderson and S. Vaudenay, Minding your p's and q's, Advances in Cryptology - Asiacrypt '96, Lecture Notes in Computer Science, Vol. 1163, Springer-Verlag (1996) pp. 26–35.
ANSI X9.42, Agreement of Symmetric Algorithm Keys Using Diffie-Hellman (2001).
ANSI X9.62, The Elliptic Curve Digital Signature Algorithm (ECDSA) (1999).
ANSI X9.63, Elliptic Curve Key Agreement and Key Transport Protocols (2001).
M. Bellare, R. Canetti and H. Krawczyk, Keying hash functions for message authentication, Advances in Cryptology - Crypto '96, Lecture Notes in Computer Science, Vol. 1109, Springer-Verlag (1996) pp. 1–15.
M. Bellare, R. Canetti and H. Krawczyk, A modular approach to the design and analysis of authentication and key exchange protocols, In Proceedings of the 30th Annual ACM Symposium on the Theory of Computing (1998) pp. 419–428.
M. Bellare and P. Rogaway, Entity authentication and key distribution, Advances in Cryptology - Crypto '93, Lecture Notes in Computer Science, Vol. 773, Springer-Verlag (1994) pp. 232–249.
S. Blake-Wilson, D. Johnson and A. Menezes, Key agreement protocols and their security analysis, In Proceedings of the sixth IMA International Conference on Cryptography and Coding, Lecture Notes in Computer Science, Vol. 1355, Springer-Verlag (1997) pp. 30–45.
M. Burmester, On the risk of opening distributed keys, Advances in Cryptology - Crypto '94, Lecture Notes in Computer Science, Vol. 839, Springer-Verlag (1994) pp. 308–317.
R. Canetti and H. Krawczyk, Analysis of key-exchange protocols and their use for building secure channels, Advances in Cryptology - Eurocrypt 2001, Lecture Notes in Computer Science, Vol. 2045, Springer-Verlag (2001) pp. 453–474.
D. Chaum, J.-H. Evertse and J. van de Graaf, An improved protocol for demonstrating possession of discrete logarithms and some generalizations, Advances in Cryptology - Eurocrypt '87, Lecture Notes in Computer Science, Vol. 304, Springer-Verlag (1988) pp. 127–141.
Y. Desmedt and M. Burmester, Towards practical 'proven secure' authenticated key distribution, 1st ACM Conference on Computer and Communications Security (1993) pp. 228–231.
W. Diffie and M. Hellman, New Directions in Cryptography, IEEE Transactions on Information Theory, Vol. 22 (1976) pp. 644–654.
W. Diffie, P. van Oorschot and M. Wiener, Authentication and authenticated key exchanges, Designs, Codes and Cryptography, Vol. 2 (1992) pp. 107–125.
G. Frey and H. Rück, A remark concerning m-divisibility and the discrete logarithm in the divisor class group of curves, Mathematics of Computation, Vol. 62 (1994) pp. 865–874.
K. C. Goss, Cryptographic method and apparatus for public key exchange with authentication, U.S. patent 4,956,865, September 11 (1990).
IEEE P1363-2000, Standard Specifications for Public-Key Cryptography (2000).
ISO/IEC 15946-3, Information Technology - Security Techniques - Cryptographic Techniques Based on Elliptic Curves, Part 3: Key Establishment (2002).
D. Johnson, Contribution to ANSI X9F1 working group (1997).
M. Just and S. Vaudenay, Authenticated multi-party key agreement, Advances in Cryptology - Asiacrypt '96, Lecture Notes in Computer Science, Vol. 1163, Springer-Verlag (1996) pp. 36–49.
B. Kaliski, Contribution to ANSI X9F1 and IEEE P1363 working groups, June (1998).
B. Kaliski, An unknown key-share attack on the MQV key agreement protocol, ACM Transactions on Information and System Security, Vol. 4 (2001) pp. 275–288.
C. Lim and P. Lee, A key recovery attack on discrete log-based schemes using a prime order subgroup, Advances in Cryptology - Crypto '97, Lecture Notes in Computer Science, Vol. 1294, Springer-Verlag (1997) pp. 249–263.
T. Matsumoto, Y. Takashima and H. Imai, On seeking smart public-key distribution systems, The Transactions of the IECE of Japan, Vol. E69 (1986) pp. 99–106.
A. Menezes, T. Okamoto and S. Vanstone, Reducing elliptic curve logarithms to logarithms in a finite field, IEEE Transactions on Information Theory, Vol. 39 (1993) pp. 1639–1646.
A. Menezes, M. Qu and S. Vanstone, Key agreement and the need for authentication, Presentation at PKS '95, Toronto, Canada, November (1995).
C. Mitchell, M. Ward and P. Wilson, Key control in key agreement protocols. Electronics Letters, Vol. 34 (1998) pp. 980–981.
National Institute of Standards and Technology, Secure Hash Standard (SHS), FIPS Publication 180-1, April (1995).
National Institute of Standards and Technology, Digital signature standard, FIPS Publication 186-2, (1999).
National Institute of Standards and Technology, Second key management workshop, November (2001).
National Security Agency, SKIPJACK and KEA algorithm specification, Version 2.0, May 29 (1998).
S. Pohlig and M. Hellman, An improved algorithm for computing logarithms over GF(p) and its cryptographic significance, IEEE Transactions on Information Theory, Vol. 24 (1978) pp. 106–110.
J. Pollard, Monte Carlo methods for index computation mod p, Mathematics of Computation, Vol. 32 (1978) pp. 918–924.
T. Satoh and K. Araki, Fermat quotients and the polynomial time discrete log algorithm for anomalous elliptic curves, Commentarii Mathematici Universitatis Sancti Pauli, Vol. 47 (1998) pp. 81–92.
I. Semaev, Evaluation of discrete logarithms in a group of p-torsion points of an elliptic curve in characteristic p, Mathematics of Computation, Vol. 67 (1998) pp. 353–356.
V. Shoup, On formal models for secure key exchange, available from Theory of Cryptography Library, http://philby.ucsd.edu/cryptolib, April 1999. Revised November (1999).
N. Smart, The discrete logarithm problem on elliptic curves of trace one, Journal of Cryptology, Vol. 12 (1999) pp. 193–196.
J. Solinas, Low-weight binary representations for pairs of integers, Technical Report CORR 2001-48, Department of Combinatorics and Optimization, University of Waterloo (2001).
P. van Oorschot and M. Wiener, On Diffie-Hellman key agreement with short exponents, Advances in Cryptology - Eurocrypt '96, Lecture Notes in Computer Science, Vol. 1070, Springer-Verlag (1996) pp. 332–343.
Y. Yacobi, A key distribution paradox, Advances in Cryptology - Crypto '90, Lecture Notes in Computer Science, Vol. 537, Springer-Verlag (1991) pp. 268–273.
Cite this article
Law, L., Menezes, A., Qu, M. et al. An Efficient Protocol for Authenticated Key Agreement. Designs, Codes and Cryptography 28, 119–134 (2003). https://doi.org/10.1023/A:1022595222606