Modular invariant theory

The YAK is a public-key authenticated key agreement protocol.^[1] It is considered the simplest among the related protocols, including MQV, HMQV, Station-to-Station protocol, SSL/TLS etc. The authentication is based on public key pairs. As with other protocols, YAK normally requires a Public Key Infrastructure to distribute authentic public keys to the communicating parties. The author suggests that YAK may be unencumbered by patent.

Description

Two parties, Alice and Bob, agree on a group ${\displaystyle G}$ with generator ${\displaystyle g}$ of prime order ${\displaystyle q}$ in which the discrete log problem is hard. Typically a Schnorr group is used. In general, YAK can use any prime order group that is suitable for public key cryptography, including elliptic curve cryptography. Let ${\displaystyle g^a}$ be Alice's long-term public key and ${\displaystyle g^b}$ be Bob's. The protocol executes in one round.

One round: Alice selects ${\displaystyle x{\in }_R[0,q-1]}$ and sends out ${\displaystyle g^x}$ together with a zero-knowledge proof (using for example Schnorr signature) for the proof of the exponent ${\displaystyle x}$. Similarly, Bob selects ${\displaystyle y{\in }_R[0,q-1]}$ and sends out ${\displaystyle g^y}$ together with a zero-knowledge proof for the proof of the exponent ${\displaystyle y}$.

The above communication can be completed in one round as neither party depends on the other. When it finishes, Alice and Bob verify the received zero-knowledge proofs. Alice then computes ${\displaystyle K=(g^y{g}^b{)}^{x+a}=g^{(x+a)(y+b)}}$. Similarly, Bob computes ${\displaystyle K=(g^x{g}^a{)}^{y+b}=g^{(x+a)(y+b)}}$. With the same keying material ${\displaystyle K}$, Alice and Bob can derive a session key using a cryptographic hash function: ${\displaystyle \kappa =H(K)}$.

Security properties

Given that the underlying zero knowledge proof primitive is secure, the YAK protocol is proved to fulfill the following properties.

1. Private key security - An attacker cannot learn the user's static private key even if he is able to learn all session specific secrets in any compromised session.
2. Full forward secrecy - Session keys that were securely established in the past uncorrupted sessions will remain incomputable in the future even when both users' static private keys are disclosed.
3. Session key security - An attacker cannot compute the session key if he impersonates a user but has no access to the user's private key.

References

External links

• On Robust Key Agreement Based on Public Key Authentication (Full Paper)