Source: IEEE Communications Letters, Vol. 8, No. 3, March 2004


Integrating Diffie-Hellman Key Exchange into the Digital Signature Algorithm (DSA)
Source: IEEE Communications Letters, Vol. 8, No. 3, March 2004
Authors: Lein Harn, Manish Mehta, Wen-Jung Hsin
Speaker: Yu-Wei Su
Date:

Outline
1. Introduction
2. Concept & Goal
3. Proposed protocols
4. Conclusion

1. Introduction
1-1. Key Exchange
1-2. Diffie-Hellman Algorithm
1-3. Digital Signature
1-4. DSA

1-1. Key Exchange
● Symmetric Encryption
● Alice & Bob calculate a session key to communicate
[Figure: Alice and Bob share the session key k, used with E_K() and D_K()]

1-2. Diffie-Hellman Algorithm
Parameters (1/4)
Common parameters:
g, n: two large primes
Private parameters:
a: random number, chosen by Alice
b: random number, chosen by Bob

Operating Flow (2/4)
[Figure: Alice and Bob exchange $g^a \bmod n$ and $g^b \bmod n$]
Alice calculates $(g^b \bmod n)^a \bmod n$; the result is $g^{ab} \bmod n$.
Bob calculates $(g^a \bmod n)^b \bmod n$; the result is $g^{ab} \bmod n$.
Session key = $g^{ab} \bmod n$

Example (3/4)
$n = 11$, $g = 2$
$a = 4$: $g^a \bmod n = 2^4 \bmod 11 = 5$
$b = 8$: $g^b \bmod n = 2^8 \bmod 11 = 3$
=> Alice: $(g^b \bmod n)^a \bmod 11 = 3^4 \bmod 11 = 4$
Bob: $(g^a \bmod n)^b \bmod 11 = 5^8 \bmod 11 = 4$
Session key = 4

The Computational Diffie-Hellman Assumption (CDH assumption) (4/4)
● Eve receives $g^a \bmod n$ and $g^b \bmod n$ in the channel.
● It is very hard to calculate $g^{ab} \bmod n$.

1-3. Digital Signature
● Non-repudiation
● Based on asymmetric scheme
[Figure: message → message, f(message)]
Note: f() is a digital signature algorithm.

1-4. Digital Signature Algorithm (DSA)
1-4-1. Preview
Used in Digital Signature Standard (DSS)
Proposed by NIST
Published in FIPS PUB 186-x
http://www.itl.nist.gov/fipspubs

Parameters (1/3)
Global parameters:
p: a prime number, |p| = 512 ~ 1024 (bits), multiple of 64
q: a 160-bit prime factor of (p-1)
h: $1 < h < p-1$
$g = h^{(p-1)/q} \bmod p$
H(): a hash function, e.g. SHA-1
Sender's Private Parameter:
x: random integer with $0 < x < q$

Parameters (2/3)
Sender's Public Parameter:
$y = g^x \bmod p$
m: message
Per-Message Secret Parameter:
k: random integer with $0 < k < q$

Signing & Verifying (3/3)
Signing (Sender):
$r = (g^k \bmod p) \bmod q$
$s = [k^{-1}(H(m) + xr)] \bmod q$
=> signature = $(r, s)$
Verifying (Receiver):
$w = (s')^{-1} \bmod q$
$u_1 = [H(m')w] \bmod q$
$u_2 = (r')w \bmod q$
$v = [(g^{u_1} y^{u_2}) \bmod p] \bmod q$
Test $v \stackrel{?}{=} r'$
Note: $s'$ and $r'$ are the values received by the receiver, corresponding to $s$ and $r$.

2. Concept & Goal
2-1. DH + DSA
Diffie-Hellman Algorithm + Digital Signature Algorithm = Take ($g^a \bmod p$) as message in DSA

2-2. Three Models
One-round protocol
Two-round protocol
Three-round protocol

3. Proposed protocol
3-1. Parameters
User A, B: the two users in the protocol
$Y_A$, $X_A$: a key pair, the public key & private key of user A in DSA, authenticated. $Y_A = g^{X_A} \bmod p$
$Y_B$, $X_B$: a key pair, the public key & private key of user B in DSA, authenticated. $Y_B = g^{X_B} \bmod p$
Other parameters are the same as the corresponding ones in DSA
$K_{AB}$: session key from A to B

3-2. One-round protocol (1/2)
Step 1 (User A):
Select $k_A$
Let $m_A = g^{k_A} \bmod p$
Let $K_{AB} = (Y_B)^{k_A} \bmod p$ $(= g^{X_B k_A} \bmod p)$
Calculate $r_A = (g^{k_A} \bmod p) \bmod q$
Calculate $s_A = [k_A^{-1}(m_A \| K_{AB}) + X_A r_A] \bmod q$
Send $(m_A, s_A)$ to User B

One-round protocol (2/2)
Step 2 (User B):
Receive $m_A, s_A$ from User A
Derive $r_A = m_A \bmod q$
Derive $K_{AB} = (m_A)^{X_B} \bmod p$ $(= g^{k_A X_B} \bmod p)$
Verify $(r_A, s_A)$ as the signature of $(m_A \| K_{AB})$
After Step 2, A & B obtain a session key:
$K_{AB} = g^{k_A X_B} \bmod p$

3-3. Two-round protocol (1/2)
Step 1 and Step 2 are the same as in the one-round protocol.
Step 3 (User B): (B takes the role of A)
Select $k_B$
Let $m_B = g^{k_B} \bmod p$
Let $K_{BA} = (Y_A)^{k_B} \bmod p$ $(= g^{X_A k_B} \bmod p)$
Calculate $r_B = (g^{k_B} \bmod p) \bmod q$
Calculate $s_B = [k_B^{-1}(m_B \| K_{BA}) + X_B r_B] \bmod q$
Send $(m_B, s_B)$ to User A

Two-round protocol (2/2)
Step 4 (User A): (A takes the role of B)
Receive $m_B, s_B$ from User B
Derive $r_B = m_B \bmod q$
Derive $K_{BA} = (m_B)^{X_A} \bmod p$ $(= g^{k_B X_A} \bmod p)$
Verify $(r_B, s_B)$ as the signature of $(m_B \| K_{BA})$
After Step 4, A & B obtain two session keys:
$K_{AB} = g^{k_A X_B} \bmod p$
$K_{BA} = g^{k_B X_A} \bmod p$
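The one-round exchange of section 3-2, as an added Python example that is not code from the paper or the slides. It signs H(m_A || K_AB) with the DSA signing equation of section 1-4; calling send/receive in the opposite direction gives K_BA of the two-round protocol. The toy parameters, SHA-256, the 8-byte encoding and the function names are assumptions of this example.

```python
import hashlib, math, secrets
from itertools import count

# Toy DSA domain parameters, constructed for this example (far too small for real use).
Q = 2**31 - 1                                    # prime q (a Mersenne prime)
def is_prime(n):
    return n > 1 and all(n % d for d in range(2, math.isqrt(n) + 1))
P = next(2 * j * Q + 1 for j in count(1) if is_prime(2 * j * Q + 1))  # prime p, q | p-1
G = pow(2, (P - 1) // Q, P)                      # g = h^((p-1)/q) mod p with h = 2

def H(*parts):
    """Hash the concatenation m || K (8-byte big-endian fields) to an integer."""
    data = b"".join(x.to_bytes(8, "big") for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def keygen():
    """Long-term DSA key pair (X, Y = g^X mod p)."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def send(x_a, y_b):
    """Step 1 (User A): returns the wire message (m_A, s_A) and A's key K_AB."""
    while True:
        k = secrets.randbelow(Q - 1) + 1         # per-message secret k_A
        m = pow(G, k, P)                         # m_A = g^kA mod p
        key = pow(y_b, k, P)                     # K_AB = Y_B^kA mod p
        r = m % Q                                # r_A = m_A mod q
        s = pow(k, -1, Q) * (H(m, key) + x_a * r) % Q
        if r and s:                              # DSA picks a new k if r or s is 0
            return (m, s), key

def receive(x_b, y_a, msg):
    """Step 2 (User B): returns K_AB if the DSA check passes, otherwise None."""
    m, s = msg
    r = m % Q                                    # r_A is derived, not transmitted
    if not (0 < m < P and 0 < r and 0 < s < Q):
        return None
    key = pow(m, x_b, P)                         # K_AB = m_A^XB mod p
    w = pow(s, -1, Q)
    u1, u2 = H(m, key) * w % Q, r * w % Q
    v = pow(G, u1, P) * pow(y_a, u2, P) % P % Q
    return key if v == r else None
```

The receiver accepts the key only when the signature over m_A and the derived K_AB verifies under the claimed sender's public key, so a modified m_A or a different sender key yields None.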

3-4. Three-round protocol (1/2)
Step 1 (User A):
Select $k_A$
Let $m_A = g^{k_A} \bmod p$
Send $m_A$ to User B
Step 2 (User B):
Derive $K_{AB} = (m_A)^{X_B} \bmod p$ $(= g^{k_A X_B} \bmod p)$
Select $k_B$
Let $m_B = g^{k_B} \bmod p$
Let $K_{BA} = (Y_A)^{k_B} \bmod p$ $(= g^{X_A k_B} \bmod p)$
Calculate $r_B = (g^{k_B} \bmod p) \bmod q$
Calculate $s_B = [k_B^{-1}(m_B \| K_{BA} \| K_{AB}) + X_B r_B] \bmod q$
Send $(m_B, s_B)$ to User A

Three-round protocol (2/2)
Step 3 (User A):
Let $K_{AB} = (Y_B)^{k_A} \bmod p$ $(= g^{X_B k_A} \bmod p)$
Derive $r_B = m_B \bmod q$
Derive $K_{BA} = (m_B)^{X_A} \bmod p$ $(= g^{k_B X_A} \bmod p)$
Verify $(r_B, s_B)$ as the signature of $(m_B \| K_{BA} \| K_{AB})$
Calculate $r_A = (g^{k_A} \bmod p) \bmod q$
Calculate $s_A = [k_A^{-1}(H(m_A \| K_{AB} \| K_{BA}) + X_A r_A)] \bmod q$
Send $s_A$ to User B
Step 4 (User B):
Derive $r_A = m_A \bmod q$
Verify $(r_A, s_A)$ as the signature of $(m_A \| K_{AB} \| K_{BA})$

4. Conclusion
Authentication & Efficient