References Digital signature sclzenies .for D@-Hellman public keys: The Dif- fie-Hellman public is r = ak mod p, where k is a secret ran- 1 SHAPIRO. J.M.: ’Embedded image coding using zerotrees of wavelet dom integer within [ I, p - 21 privately selected by the signer, p is a coefficients‘. IEEE Trans. Signal Process,.., 1993, 41, pp. 3445-3462 large prime and a is a primitive number in G%). We can call 2 SAID.A., and PEARLMAN, W.A.: ‘A new fast alld effickllt image these random parameters, k and r, short-term private key and codec based on set partitioning in hierarchical trees’, IEEE Trans. Circuits Sysr. Video Technol., 1996, 6, pp. 1 15 short-term public key, respectively. To sign this Diffie-Hellman 3 CHAI, BING-BING, VASS. J., and ZFIUANG.XINHUA: ‘Significance- public key i’, the signer needs to use the long-teiiii private key x linked connected component analysis for wavclct image coding’, and the long-term public key y = axmod p. IEEE Tuns. huge Process., 1999, 8, (O), pp. 114-784 We list four signature variants for signing Diffie-Hellman public 4 XIONG, ZIXIANG, RAMCHANDRAN. K., and ORCHARD, M.T.: ‘Space- keys from [9]. These variants are the most efficient variants since frequency quantization for wavelet image coding’, IEEE Twns. each permutes four parameters {r, s, k, .x} directly. The signer huge Process.. 1991, 6, (5), pp. 611-693 needs to use its short-tenn and long-term secret keys, k and x, to generate the signature s for the Diffie-Hellman public key Y. How- ever, the verifier can use the signer’s long-term public key y to ver- ify the signature s for r. (See [9] for detailed discussions.) We point out that the MQV key agreement protocol in [7] actually used one Authenticated key agreement without of the variants in Table 1. using one-way hash functions Table 1: Signature variants L. Harn and H.-Y. Lin Signature cquation Signature vcrification rx = k + s mod 17 - 1 v‘ = r.ns mod n The MQV key agreement protocol has been adopted by the IEEE P1363 Committee Lo become a standard. The MQV protocol used a digital signature to sign the Diffie-Hellman public keys without x = rk + s modp - I y = r’clJ mod p using any one-way function. Here, the MQV protocol is generalised in three respects. First. signature variants for Diffie- Hellman public keys developed previously are employed in the new protocol. Secondly, two communication entities are allowed Key agreement protocols: In the following discussion we assume to establish multiple secret keys in a single round oC message that A and B want to establish a secret key(s) using the key agree- cxchange. Thirdly, the key computations are simplified. ment protocol. Thc short-term secret key and short-term public kcy for A are kA and r,, and the long-term secret key and long- Introduction: Difie and Hellman [l] proposed in 1976 the well- term public key for A are x,,, and yA. Similarly, B has kB, r,, x, known public-key distribution scheme based on the discrete loga- and y,. The following key agreement protocol enables A and B to rithm problem to enable two parties to establish a common sccrct est&lish an authenticatcd secret key K. session key based on their exchanged public keys; however, their (i) A generatcs a random short-term secret key lcA and its corre- original scheme still requires an channel to sponding public key r.4, and computes the signature s, based on exchangc the public keys. Since then, several proto- any variant as listed in Table 1. A sends {ra, sA, cevto/,,)} to B, cols [2, 31, which use digital signatures of the exchanged public whcrc cert(yA) is the public-key certificate of y,i signed by a keys to provide authentication, have been proposed. In these pro- trusted party. tocols, the Diffie-Hellman public keys are treated as messages and (ii) Similarly, B generates kB, r,, sB and sends {rR, sR, cert(yB)} to one-way hash values of these public keys are computed. Digital A. signatures need to be generated based on these one-way hash val- (iii) A verifies Y, based on the signature sB and B’s public key yB. ; otherwise forgery can be easily achieved. Thcn A computes the key K = rgkR mod p. However, there exists a major difference of security assumptions (iv) Similarly, B verifies r, based on the signature sA and As pub- between digital signature schemes and conventional one-way hash lic key y,. Then B computes the shared secret key K = rp mod p. functions. The security assumption of most signature schemes are based on some well-known computational problems, such as the Possible attaelcs: One drawback of the above protocol is that it problem [4] and the factoring problem. The does not offer perfect forward secrecy [12], i.e. if an adversary complexities of these problems have been well studied and the dif- learns one shared secret key they can deduce all shared secret keys ficulties of solving them are recognised. In contrast, the security of between A and B. We illustrate this attack in the following discus- a one-way hash function is based on the complexity of analysing a sion. simplc iterated function. A one-way hash function may seem very Assume that the protocol uses x = rk + s modp - 1 to sign each difficult to analyse at the beginning, hut it may turn out to be vul- Diffie-Hcllman public key. We then have the following two equa- nerable to some special attacks later, e.g. recent advancement in tions: cryptanalytic research has found that MD5 is at the edge of iisk- ing successful cryptanalytic attack [SI. Instead of overall security z,+ =r.~kn+s~niodp--land~~=r~k~+s~rriodp-l relying on the weaker assumption of the signature scheme and the By multiplying these two equations, we obtain one-way hash function, it would be more secure to have a key dis- tribution without using one-way hash functions. JAZB = rakal.nkt,+raIcasB+sArBkB+sAsB Iriodp-1 The MQV key agreement protocol proposed by Menezes er U/. In other words, [6] in 1995 is probably the first key agreement protocol that uti- lised a signature for the Diffie-Hellman public key without using a KAH= (I(‘A‘B)(l.~A”D)(I,~;iSA)(CySAStl)mod one-way hash function. The MQV key agreement protocol has been adopted to become a standard in the IEEE P1363 committee where KAn= ax~Zemod p is the long-term shared secret key. [7]. In 1998, we published a key agreement protocol 181 that gener- Assume that the adversary knows one short-term shared secret key alised the MQV protocol in three respects. First, signature vari- K. The adversary can then solve the long-term shared secret key ants for Diffie-Hehnan public keys developed in 1997 [Y] are K,, from the above equation since the other parameters are all employed in the protocol. Secondly, we allowed two communica- known. Thus, the adversary can solve all other shared secret keys tion entities to establish multiple secret keys in one round of inter- based on the same equation. action. Thirdly, we simplified the key computations. Two attacks [lo, 111 on this key agreement protocol were found Impvoved protocol: In the two-pass MQV key agreement protocol, recently. In this Letter, we attempt to show that these two attacks instead of using K = ak-rk~= r3 = I.&modp as the shared secret can casily be avoided by modifying the signature signing equation. key, it llSeS K = @A~E+,@A = yprA *B = yj~ypmodp as the We point out here that this modification does not increase compu- sharcd secret key. The MQV protocol can provide perfect forward tations. The main body of th~sLetter is almost the same as [8] secrecy. except that we have modified the signature signing and verification Here, we want to propose an efficient protocol that enables A equations. and B to share multiple secret keys in one round of message ELECTRONICS LETTERS 70th May2007 Vol. 37 No. IO 629

Authorized licensed use limited to: University of Missouri. Downloaded on February 10, 2009 at 14:42 from IEEE Xplore. Restrictions apply. exchange. For simplicity, we assume that A and B want to share (iii) This protocol allows two communication parties to share mul- four secrets. tiple secret keys in two-pass interaction. (i) A generates two random short-term secret keys, kA, and kA,, (iv) The computation for shared secret keys is simpler than the and two corresponding public keys, r,, and rA2,rA, < rA2.Then, A MQV protocol. computes the signature SA for {rAlr rAz} based on any signature variant as listed in Table 1. For example, A ObtdinS s, by solving 0 IEE 2001 14 March 2001 the following equation Electronics Letters Online No: 20010441 DOI: 10.1049/el:20010441 1A = TA, kA1 TAzkAz mod p - 1 + + SA L. Harn (Department of Computer Networking, University of Missouri, Kansas City, MO 64110, USA) A sends {r,,,, ?Az, SA, certfjA)}to B, where certb,,) is the public- key certificate of yA signed by a trusted pruty. H.-Y. Lin (Computer Science Department. State University, San Marcos. CA 92096-0001, USA) (ii) Similarly, B generates kBl, kB,, r,,, rB2, sB and sends {r,,, r,,, s,, s,, certfj,)} to A. (iii) A verifies {r,,, I,,} based on the signature sB and Bs public References key yBby checking DIFFIE, w., and HELLMAN, M.E.: ‘New directions in ’, IEEE Trans. InJ: Theory, 1976, IT-22, (6), pp. 644-654 ARAZI, A.: ‘Integrating a key into the digital signature Then A computes the shared secret keys as standard, Electron. Lett., 1993, 29, (ll), pp. 966-967 NYBERG, K., and RUEPPEL, R.A.: ‘Message recovery for signature KI = rg,A1 mod p scheme based on the discrete logarithm problem’. Proc. Eurocrypt ’94, May 1994, pp. 175-190 K2 &A2 = mod p ELGAMAL, T.: ‘A public-key cryptosystem and a signature scheme 173 = &A1 mod p based on discrete logarithms’, IEEE Trans. In$ Theory, 1985, IT- 31, pp. 469412 K4 = mod p DOBBERT1N.H.: ‘The status Of MD5 after a recent attack’, CryptoBytes, 1996, 2, (2), pp. 1-6 (iv) Similarly, B computes CI‘A,~A,modp first and verifies {rAl,rA2}. MENEZES, A.J., QU, M., and VANSTONE, s.A.: ‘Some key agreement Then, B computes the shared secret keys as protocols providing implicit authentication’. 2nd Workshop Selected Areas in Cryptography, 1995 Kl = B1 mod p IEEE P1363/Editorial Contribution (Draft). In http:// hi = ri,B1 mod p stdsbbs.ieee.org/groups/l363/edcont.html HARN, L., and LIN, H.Y.: ‘An authenticated key agreement protocol = P!&B~mod p without using one-way function’. Proc. 8th Nat. Conf. Information Security, Kaohsiung, Taiwan, May 1998, pp. 155-160 K4 = ri2B~mod p HARN, L.: ‘Digital signatures for Diffie-Hellman public keys without using one-way function‘, Electron. Lett., 1997, 33, (2), pp. 125-126 Discussion: We point out here that we have modified the original 10 YEN, s.M., and JOYE, M.: ‘Improved authenticated multiple-key protocol [8] in signature signing and verification equations. Two agreement protocol’, Electron. Lett., 1998, 34, (18), pp. 1738-1739 recent attacks [IO, 111 on the original protocol cannot work suc- 11 wu, T.s.,HE, w.H., and HSU, c.L.: ‘Security of authenticated multiple- cessfully in this modified protocol. This modified protocol does key agreement protocols’, Electron. Lett., 1999, 35, (5), pp. 391- not increase any computational load and the key agreement proto- 392 col does not involve any additional one-way hash function. 12 LIM, C.H , and LEE, P.J.: ‘Security of interactive DSA batch verification’, Electron. Letr., 1994, 30, (19), pp. 1592-1593 The signatures, xA and x,, satisfy the following equations as

ZA = TA, kA, + TA, k~~ + SA mod p - 1 and TR = T.B~~B~+ rBzkBz + ss mod p - 1 By multiplying these two equations together, we obtain on improved user efficient XAXB = rA1rB1kAlkBIf rAlrBzkAlk8, + TAISgk^Al blind signatures + ‘rA2rR1kAzkB1 f 1.AzTB2k,4*kR2 + rA2sUkA2 + SATBlkBl + sArg,kB2 + SASE mod p - 1 (2-1. Fan and C.-L. Lei In other words, we have Shao proposed a scheme baed on the Fan-Lei scheme. It is shown here that Shao’s scheme is not secure. Also, Shao claimed that the Fan-Lei scheme is not really blind, however this claim is demonstrated as not being true.

If the adversary knows four consecutive shared secret keys, he can Introduction: In 1996, Fan and Lei proposed a blind signature solve the long-term shared secret KAB.Thus, to achieve the perfect scheme based on quadratic residues (QRs) [l], and they also pre- forward secrecy, we should litourselves to use only three out of sented an enhanced version of the scheme to reduce the computa- the four shared secret keys. The protocol can be generalised to tion for requesters or users [2]. In [3], Shao proposed a blind

enable A and B to share n2 ~ 1 secrets if each user computes and signature scheme based on the Fan-Lei scheme [2]. However, we sends n Difie-Hellman public keys in each pass. Since each user find that Shao’s scheme cannot withstand Pollard-Schnorr attacks only needs to generate (verify) one signature for n different Diffie- [4]. Besides, Shao claimed that the Fan-Lei blind signature scheme

Hellman public keys to establish n2 ~ 1 shared secret keys, this [2] is not really blind. In this Letter, we also show that Shao’s new protocol is very efficient. claim is not truc.

Conclusion: We have proposed an authenticated key agreement Attacks on Shao’s blind signature scheme: Shao proposed a blind protocol that utilises a digital signature to authenticate Diffie- signature scheme based on the Fan-Lei scheme in [3]. We show Hellman public keys. We summarise features in this new protocol that Pollard-Schnorr attacks [4] are valid on Shao’s scheme as fol- as follows: lows. In the scheme of [3], the tuple (c, s) is a signature of m and (i) Since we integrate the Diffie-Hellman public key in the signa- they can be verified by checking if ture scheme, this approach reduces overall computation. H(m.)n2((r2 1) = 1 mod n (ii) Since the protocol does not use any one-way hash function, the + (1) security assumption relies solely on solving the discrete logarithm An attacker can choose a message m and then derive (w,y) in poly- problem. nomial time such that 630 ELECTRONICS LETTERS 10th May2001 Vol. 37 No. 10

Authorized licensed use limited to: University of Missouri. Downloaded on February 10, 2009 at 14:42 from IEEE Xplore. Restrictions apply.