Integrating A Key Distribution Procedure Into The Digital Signature Standard B. Arazi Electronics Letters Vol. 29, No. 11, Pg May 1993 Adviser: Min-Shiang Hwang Student: CSONGK ( 鍾松剛 ) Weaknesses In Some Recent Key Agreement Protocols K. Nyberg, R.A. Rueppel Electronics Letters Vol. 30, No. 1, Pg January 1994 Integrating Diffie-Hellman Key Exchange Into The Digital Signature Algorithm (DSA) Lein Harn, M. Mehta, W.-J. Hsin IEEE Communications Letters Vol. 8, No. 3, Pg March 2004

The Motivations (Arazi, 1993) The DSS is only suitable to generate signatures on documents which are also transmitted in clear  The distribution of secret keys by DSS is ruled out The DH can not authenticate the actual involved parties Solution: Join them up!!

Review of DSA Select two primes  p (2 L-1 < p < 2 L ), 512 ≦ L ≦ 1024  q (2 159 < q < ) Compute g = h (p-1)/q mod p >1 y = g x mod p, {p, q, g, y} are public value and {x} is user’s private key r = (g k mod p) mod q s =[k -1 (H(m)+xr)] mod q a = (s’) -1 mod q, u1 = [H(m’)a] mod q, u2 = (r’a) mod q b = [(g u1 * y u2 ) mod p] mod q If b = r’, the signature is verified m, r, s Alice Bob

Review to DH Deffie-Hellman: Select p and g, P is a large prime, g is a generator with order p-1 in Alice Bob Select xSelect y mAmA mBmB K1=K2

Arazi’s system Alice Bob Public key y A = g x A mod p Randomly select a secret v m A = g v mod p r A = m A mod q s A = v -1 [H(m A ) + x A r A ] mod q Public key y B = g x B mod p Randomly select a secret w m B = g w mod p r B = m B mod q s B = w -1 [H(m B ) + x B r B ] mod q m A, s A m B, s B Verification: r B = m B mod q a = (s B ) -1, u1 = H(m B )˙a, u2 = r B ˙a b = [(g u1 * y B u2 ) mod p] mod q = g H(m B ) ˙w [H(m B ) + x B r B ] -1 ˙g x B (r B ˙ w [H(m B ) + x B r B ] -1 ) = g [ H(m B )+x B r B ] ˙w ˙ [H(m B ) + x B r B ] -1 = [g w mod p] mod q = r B K = m B v = m A w mod p

Known key attack (Nyberg et al. 1994) Except K and g x A x B mod p, all quantities are publicly known If K is know, g x A x B mod p can be easily computed and vice versa

Harn et al.’s scheme One-round protocol  Support non-interactive protocol Secure transmission Two-round protocol  Provide authenticated key exchange for interactive communications Thee-round protocol  Provide authenticated, key confirmation and non- playback key exchange

Three-round protocol : y A = g x A mod p : y B = g x B mod p Shared key Not sent

Security analysis (known key attack 1/2)

Known key attack 2/2 K AB and K BA I can compute g x A x B g x A x B K AB OR K BA I face discrete logarithm problem to obtain another shared secret key However, if

Summary of contribution Provide multiple secret keys, one for each direction  Conforms with most standard protocols, e.g. SSL and IPSec The shared key is included in the signature equation  Prevent known key attack and key replay attack Three-round protocol achieves key confirmation  Prevent unknown key-share attack