Modified Key Agreement Protocol Based On The Digital Signature Standard
Indexing terms: Public key, Digital signature
Arazi proposed a scheme to integrate a key exchange protocol into the DSS (digital signature standard) to authenticate two public keys exchanged between two users, after which one corresponding secret session key can be shared by the two parties based on the Diffie-Hellman public-key distribution scheme. Later, Nyberg and Rueppel pointed out a weakness in the Arazi protocol: if one secret session key is compromised then the others will be disclosed as well. This letter proposes a modified key agreement protocol based on the DSS.
Introduction:
Diffie and Hellman [1] proposed the well-known public-key distribution scheme based on the discrete logarithm problem in 1976 to enable two parties to establish a common secret session key from their exchanged public keys. But their scheme did not provide an authentication mechanism for the exchanged public keys. In 1985, ElGamal [2] proposed a digital signature scheme based on the discrete logarithm problem. The ElGamal signature scheme can provide an authenticated mechanism for distributing the public keys.
In 1993, Arazi [3] proposed a scheme to integrate a key exchange protocol into the DSS (digital signature standard) [4] to authenticate the public keys. Later, Nyberg and Rueppel [5] pointed out a weakness in the Arazi protocol: if one secret session key is compromised then the others will be disclosed as well. This letter proposes a modified key agreement protocol based on the DSS. Instead of distributing a single public key in each communication session, we propose distributing multiple public keys in each session.
There is some public information that must be agreed to by all users:
- $p$ = a large prime modulus, where $2^{511} < p < 2^{512}$.
- $q$ = a prime divisor of $p-1$, where $2^{159} < q < 2^{160}$.
- $\alpha = h^{(p-1)/q} \bmod p$, where $h$ is a random integer with $1 < h < p-1$ such that $h^{(p-1)/q} \bmod p > 1$.
- $x_i$ = a secret key for user $i$, where $2^{159} < x_i < 2^{160}$.
- $y_i$ = a corresponding public key for user $i$, where $y_i = \alpha^{x_i} \bmod p$.
- $H$ = the secure hash function (SHA) proposed by the NIST.
$\{p, q, \alpha, y_i\}$ are public values and $\{x_i\}$ is each user's secret key.
Modified key agreement protocol:
We assume that user A wants to share three secret session keys with user B. Then,
(i) User A randomly selects two secret integers, $v_1, v_2 \in [1, q-1]$, and computes
$m_{A1} = \alpha^{v_1} \bmod p$
$m_{A2} = \alpha^{v_2} \bmod p$
$r_A = (m_{A1} m_{A2} \bmod p) \bmod q$
$s_A = (v_1 + v_2)^{-1} [H(m_{A1}, m_{A2}) + x_A r_A] \bmod q$
and sends $(m_{A1}, m_{A2}, s_A)$ to B.
(ii) User B randomly selects two secret integers, $w_1, w_2 \in [1, q-1]$, and computes
$m_{B1} = \alpha^{w_1} \bmod p$
$m_{B2} = \alpha^{w_2} \bmod p$
$r_B = (m_{B1} m_{B2} \bmod p) \bmod q$
$s_B = (w_1 + w_2)^{-1} [H(m_{B1}, m_{B2}) + x_B r_B] \bmod q$
and sends $(m_{B1}, m_{B2}, s_B)$ to A.
(iii) User A computes
$r_B = (m_{B1} m_{B2} \bmod p) \bmod q$
and verifies the DSS signature $(r_B, s_B)$ of the message $(m_{B1}, m_{B2})$. A then computes the shared secret keys as
$K_{AB1} = m_{B1}^{v_1} \bmod p$
$K_{AB2} = m_{B2}^{v_2} \bmod p$
$K_{AB3} = m_{B1}^{v_2} \bmod p$.
(iv) User B computes
$r_A = (m_{A1} m_{A2} \bmod p) \bmod q$
and verifies the DSS signature $(r_A, s_A)$ of the message $(m_{A1}, m_{A2})$. B then computes the shared secret keys as
$K_{AB1} = m_{A1}^{w_1} \bmod p$
$K_{AB2} = m_{A2}^{w_2} \bmod p$
$K_{AB3} = m_{A2}^{w_1} \bmod p$.
Security:
Let us follow the known-key attack proposed by Nyberg and Rueppel [5] to examine the security of the modified scheme. We have
$K_{AB1} = \alpha^{v_1 w_1} \bmod p$,
$K_{AB2} = \alpha^{v_2 w_2} \bmod p$ and
$K_{AB3} = \alpha^{v_2 w_1} \bmod p$,
where
$v_1 + v_2 = s_A^{-1} [H(m_{A1}, m_{A2}) + x_A r_A] \bmod q$,
$w_1 + w_2 = s_B^{-1} [H(m_{B1}, m_{B2}) + x_B r_B] \bmod q$.
Hence, by multiplying the above two equations, we obtain
$v_1 w_1 + v_1 w_2 + v_2 w_1 + v_2 w_2 = s_A^{-1} s_B^{-1} [H(m_{A1}, m_{A2}) H(m_{B1}, m_{B2}) + H(m_{A1}, m_{A2}) x_B r_B + H(m_{B1}, m_{B2}) x_A r_A + x_A r_A x_B r_B] \bmod q$.
From the above equation, we obtain
$(K_{AB1} K_{AB2} K_{AB3} \alpha^{v_1 w_2})^{s_A s_B} = \alpha^{H(m_{A1}, m_{A2}) H(m_{B1}, m_{B2})} \; y_B^{H(m_{A1}, m_{A2}) r_B} \; y_A^{H(m_{B1}, m_{B2}) r_A} \; (\alpha^{x_A x_B})^{r_A r_B} \bmod p$.
Under a known-key attack, since $\alpha^{v_1 w_2}$ has never been used as a secret session key, all quantities in this equation except two values, $\alpha^{v_1 w_2}$ and $\alpha^{x_A x_B}$, are publicly known or sent between the parties. Thus, the proposed known-key attack cannot work successfully in our modified scheme.
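As an added worked example (not the paper's own code), the following Python program carries out steps (i) to (iv) of the protocol above with toy-sized parameters and then checks the equation of the security section numerically. Everything beyond what the letter specifies is an assumption made here: parameter sizes of a few dozen bits (for illustration only, in place of a 512-bit $p$ and 160-bit $q$), SHA-1 over the string "m1|m2" reduced mod $q$ as $H$, the standard DSS verification equation for checking $(r, s)$, and secret keys drawn from $[1, q-1]$ rather than $(2^{159}, 2^{160})$.

```python
import hashlib
import random

MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_prime(n):
    """Miller-Rabin with fixed bases; deterministic for the toy sizes used here (n < 2^48)."""
    if n < 2:
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_params(rng, qbits=24, pbits=48):
    """(p, q, alpha) as in DSS: q prime, q | p-1, alpha = h^((p-1)/q) mod p > 1 (toy sizes, assumption)."""
    while True:
        q = rng.getrandbits(qbits) | (1 << (qbits - 1)) | 1
        if is_prime(q):
            break
    while True:
        k = 2 * rng.getrandbits(pbits - qbits - 1)   # even k, so that p = kq + 1 is odd
        if k and is_prime(k * q + 1):
            p = k * q + 1
            break
    while True:
        alpha = pow(rng.randrange(2, p - 1), (p - 1) // q, p)
        if alpha > 1:
            return p, q, alpha

def H(m1, m2, q):
    """H(m1, m2): SHA-1 over the string "m1|m2", reduced mod q (the encoding is an assumption)."""
    return int.from_bytes(hashlib.sha1(f"{m1}|{m2}".encode()).digest(), "big") % q

def make_share(params, x, rng):
    """Steps (i)/(ii): two ephemeral exponents, their public values and a DSS signature on them."""
    p, q, alpha = params
    while True:
        e1, e2 = rng.randrange(1, q), rng.randrange(1, q)
        m1, m2 = pow(alpha, e1, p), pow(alpha, e2, p)
        r = (m1 * m2 % p) % q
        if r == 0 or (e1 + e2) % q == 0:          # DSS: reject degenerate r or k = e1 + e2
            continue
        s = pow((e1 + e2) % q, -1, q) * (H(m1, m2, q) + x * r) % q
        if s:
            return (e1, e2), (m1, m2, s)

def verify_share(params, y, share):
    """Steps (iii)/(iv): recompute r locally and check (r, s) with the DSS verification equation."""
    p, q, alpha = params
    m1, m2, s = share
    r = (m1 * m2 % p) % q
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    u1, u2 = H(m1, m2, q) * w % q, r * w % q
    return (pow(alpha, u1, p) * pow(y, u2, p) % p) % q == r

def keys_for_A(p, v, share_B):
    """K_AB1 = mB1^v1, K_AB2 = mB2^v2, K_AB3 = mB1^v2 (mod p)."""
    (v1, v2), (mB1, mB2, _) = v, share_B
    return pow(mB1, v1, p), pow(mB2, v2, p), pow(mB1, v2, p)

def keys_for_B(p, w, share_A):
    """K_AB1 = mA1^w1, K_AB2 = mA2^w2, K_AB3 = mA2^w1 (mod p)."""
    (w1, w2), (mA1, mA2, _) = w, share_A
    return pow(mA1, w1, p), pow(mA2, w2, p), pow(mA2, w1, p)

def run(seed=1994, tamper=False):
    """Full exchange; returns (signatures verify, A and B agree on all three keys, security identity holds)."""
    rng = random.Random(seed)
    p, q, alpha = params = gen_params(rng)
    xA, xB = rng.randrange(1, q), rng.randrange(1, q)   # toy range instead of 2^159 < x < 2^160
    yA, yB = pow(alpha, xA, p), pow(alpha, xB, p)
    v, share_A = make_share(params, xA, rng)
    w, share_B = make_share(params, xB, rng)
    if tamper:                                          # sB altered in transit: B's signature must fail
        share_B = (share_B[0], share_B[1], (share_B[2] + 1) % q)
    verified = verify_share(params, yB, share_B) and verify_share(params, yA, share_A)
    kA, kB = keys_for_A(p, v, share_B), keys_for_B(p, w, share_A)
    # Security section: (K1 K2 K3 alpha^(v1 w2))^(sA sB) equals a product of public values and
    # (alpha^(xA xB))^(rA rB); only alpha^(v1 w2) and alpha^(xA xB) are never exposed in the protocol.
    HA, HB = H(*share_A[:2], q), H(*share_B[:2], q)
    rA, rB = (share_A[0] * share_A[1] % p) % q, (share_B[0] * share_B[1] % p) % q
    sA, sB = share_A[2], share_B[2]
    lhs = pow(kA[0] * kA[1] * kA[2] * pow(alpha, v[0] * w[1], p), sA * sB, p)
    rhs = (pow(alpha, HA * HB, p) * pow(yB, HA * rB, p) * pow(yA, HB * rA, p)
           * pow(pow(alpha, xA * xB, p), rA * rB, p)) % p
    return verified, kA == kB, lhs == rhs
```

`run()` returns three booleans: both DSS signatures verify, A and B derive the same three session keys, and the identity of the security section holds. The identity check deliberately uses both parties' secrets, which a verifier in the real protocol never has; it only confirms the algebra behind the argument that $\alpha^{v_1 w_2}$ and $\alpha^{x_A x_B}$ are the two quantities the equation leaves unknown. `run(tamper=True)` corrupts $s_B$ in transit and shows that the DSS check in step (iii) rejects the share even though the exponentiation in steps (iii)/(iv) would still produce matching keys.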
Conclusion:
We have proposed a key agreement protocol based on the DSS. This protocol allows two users to exchange $n$ pairs of public keys and to establish $n^2 - 1$ secret session keys.
Lein Harn
Nov. 22, 1994
(Computer Science Telecommunications Program, University of Missouri - Kansas City, MO 64110, USA)
References
1. Diffie, W. and Hellman, M. E.: 'New directions in cryptography', IEEE Trans., IT-22, (6), 1976, pp. 644-654.
2. ElGamal, T.: 'A public key cryptosystem and signature scheme based on discrete logarithms', IEEE Trans. on Info. Theory, Vol. IT-31, No. 4, July 1985, pp. 469-472.
3. Arazi, A.: 'Integrating a key cryptosystem into the digital signature standard', Electron. Lett., 29, (11), 1993, pp. 966-967.
4. 'The digital signature standard', Comm. ACM 35, No. 7, 1992, pp. 36-40.
5. Nyberg, K. and Rueppel, R. A.: 'Weaknesses in some recent key agreement protocols', Electron. Lett., 30, (1), 1994, pp. 26-27.