<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; color: rgb(0, 0, 0); font-size: 14px; font-family: Calibri, sans-serif; ">
<div>Just looking at this description, a (very) minor comment is that each party needs to not only keep the static key secure, but also to keep S (a static value) secret. If S is revealed, the effect is equivalent to having the long-term private key revealed
within the context of two-party communication. In addition, you may also need to include the user identities somewhere (to prevent unknown key sharing attacks), either in the key exchange flows or in the key derivation. If you take all these into account,
you will probably come to something similar to Naxos. </div>
<div><br>
</div>
<div>In 2010, I wrote a paper published at FC'10 (<a href="https://eprint.iacr.org/2010/136.pdf">https://eprint.iacr.org/2010/136.pdf</a>) and described a different approach. Rather than listing triple DH in separate terms, I argued it may be better to merge
them in just one term as follows (G is the base point, a,b are static keys and a', b' are ephemeral):</div>
<div><br>
</div>
<div>Alice -> Bob: a'G, ZKP{a'} </div>
<div>Bob -> Alice: b'G, ZKP{b'}</div>
<div><br>
</div>
<div>K = KDF( (a+a') (b+b') G ). </div>
<div><br>
</div>
<div>Although it uses ZKP (Schnorr in particular), the overall efficiency is comparable to that in NAXOS (see Table 1 on p. 9 in the above link), but the protocol is simpler and neater. Personally, I prefer simplicity to complexity.</div>
<div><br>
</div>
<div>There is also a short summary of the protocol at <a href="http://en.wikipedia.org/wiki/YAK_%28cryptography%29">http://en.wikipedia.org/wiki/YAK_%28cryptography%29</a></div>
<div><br>
</div>
<div>Cheers,</div>
<div>Feng</div>
<div><br>
</div>
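<div>The three key-agreement shapes discussed in this thread (Tony's triple DH, William's ephemeral-static hybrid, and Feng's merged single term), computed from both ends in an added example that is not from any of the posts; it assumes a constructed toy group (integers mod 2^127 - 1, not Curve25519), a SHA-256 stand-in for the KDF, and fixed identity strings bound into the KDF as Feng suggests.</div>

```python
import hashlib

# Constructed toy group: integers mod the Mersenne prime 2^127 - 1 with
# generator 3, written multiplicatively, so "a * B" in the thread is
# pow(B, a, P) here. Not Curve25519; the algebra is the same in any cyclic group.
P = 2**127 - 1
G = 3


def kdf(*parts, ids=b"Alice|Bob"):
    """Toy KDF: SHA-256 over identities || secrets (real code uses HKDF).
    Binding the identities here is Feng's suggested defence against
    unknown key-share attacks."""
    secret = b"".join(x.to_bytes(16, "big") for x in parts)
    return hashlib.sha256(ids + secret).digest()


def triple_dh(my_static, my_eph, peer_static_pub, peer_eph_pub, initiator):
    """Tony's triple DH. Alice forms a*B' || a'*B' || a'*B and Bob forms
    b*A' || b'*A' || b'*A: the same three values, but the outer two come
    out in opposite order, so the responder reverses them before the KDF."""
    se = pow(peer_eph_pub, my_static, P)   # a*B'  (Alice) / b*A'  (Bob)
    ee = pow(peer_eph_pub, my_eph, P)      # a'*B'         / b'*A'
    es = pow(peer_static_pub, my_eph, P)   # a'*B          / b'*A
    return kdf(se, ee, es) if initiator else kdf(es, ee, se)


def hybrid_dh(my_static, my_eph, peer_static_pub, peer_eph_pub):
    """William's ephemeral-static hybrid (X9.42 dhHybrid1): KDF(S || S')."""
    s = pow(peer_static_pub, my_static, P)  # S  = aB   = bA
    s_eph = pow(peer_eph_pub, my_eph, P)    # S' = a'B' = b'A'
    return kdf(s, s_eph)


def merged_dh(my_static, my_eph, peer_static_pub, peer_eph_pub):
    """Feng's single term KDF((a+a')(b+b')G): Alice computes (B*B')^(a+a'),
    Bob computes (A*A')^(b+b'). YAK's Schnorr ZKPs on a' and b' are omitted."""
    combined = (peer_static_pub * peer_eph_pub) % P
    return kdf(pow(combined, my_static + my_eph, P))


def both_sides_agree(a, a2, b, b2):
    """Run all three constructions from both ends; True where the keys match."""
    A, A2, B, B2 = (pow(G, x, P) for x in (a, a2, b, b2))
    return {
        "triple": triple_dh(a, a2, B, B2, True) == triple_dh(b, b2, A, A2, False),
        "hybrid": hybrid_dh(a, a2, B, B2) == hybrid_dh(b, b2, A, A2),
        "merged": merged_dh(a, a2, B, B2) == merged_dh(b, b2, A, A2),
    }
```

<div>The triple-DH case shows the one implementation detail the thread's "reciprocal operation" glosses over: both sides get the same three values, but the responder must fix the concatenation order or the KDF inputs differ.</div>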
<span id="OLK_SRC_BODY_SECTION">
<div style="font-family:Calibri; font-size:11pt; text-align:left; color:black; BORDER-BOTTOM: medium none; BORDER-LEFT: medium none; PADDING-BOTTOM: 0in; PADDING-LEFT: 0in; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid; BORDER-RIGHT: medium none; PADDING-TOP: 3pt">
<span style="font-weight:bold">From: </span>William Whyte <<a href="mailto:wwhyte@securityinnovation.com">wwhyte@securityinnovation.com</a>><br>
<span style="font-weight:bold">Date: </span>Tue, 8 Apr 2014 22:31:55 -0400<br>
<span style="font-weight:bold">To: </span>Tony Arcieri <<a href="mailto:bascule@gmail.com">bascule@gmail.com</a>>, "<a href="mailto:curves@moderncrypto.org">curves@moderncrypto.org</a>" <<a href="mailto:curves@moderncrypto.org">curves@moderncrypto.org</a>><br>
<span style="font-weight:bold">Subject: </span>Re: [curves] Forward secrecy with "triple Diffie-Hellman"<br>
</div>
<div><br>
</div>
<div>
<div lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size: 11pt; color: rgb(31, 73, 125); font-family: Calibri, sans-serif; ">My understanding, though I’m having trouble tracking down the reference at the moment, is that standard ephemeral-static DH has good properties and
takes one less exponentiation:</span></p>
<p class="MsoNormal"><span style="font-size: 11pt; color: rgb(31, 73, 125); font-family: Calibri, sans-serif; "> </span></p>
<p class="MsoNormal"><span style="font-size: 11pt; color: rgb(31, 73, 125); font-family: Calibri, sans-serif; "> S = aB = bA</span></p>
<p class="MsoNormal"><span style="font-size: 11pt; color: rgb(31, 73, 125); font-family: Calibri, sans-serif; "> S’ = a’B’ = b’A’</span></p>
<p class="MsoNormal"><span style="font-size: 11pt; color: rgb(31, 73, 125); font-family: Calibri, sans-serif; "> K = KDF (S || S’)</span></p>
<p class="MsoNormal"><span style="font-size: 11pt; color: rgb(31, 73, 125); font-family: Calibri, sans-serif; "> </span></p>
<p class="MsoNormal"><span style="font-size: 11pt; color: rgb(31, 73, 125); font-family: Calibri, sans-serif; ">Do you have a reason to prefer the triple version?
</span></p>
<p class="MsoNormal"><span style="font-size: 11pt; color: rgb(31, 73, 125); font-family: Calibri, sans-serif; "> </span></p>
<p class="MsoNormal"><span style="font-size: 11pt; color: rgb(31, 73, 125); font-family: Calibri, sans-serif; ">This version is defined in X9.42 as dhHybrid1, and X9.42 contains various security claims about the properties of this approach, but it was written
in 2003 and analysis has got more rigorous since then so there may be more up-to-date statements about it.
</span></p>
<p class="MsoNormal"><span style="font-size: 11pt; color: rgb(31, 73, 125); font-family: Calibri, sans-serif; "> </span></p>
<p class="MsoNormal"><span style="font-size: 11pt; color: rgb(31, 73, 125); font-family: Calibri, sans-serif; ">Cheers</span></p>
<p class="MsoNormal"><span style="font-size: 11pt; color: rgb(31, 73, 125); font-family: Calibri, sans-serif; "> </span></p>
<p class="MsoNormal"><span style="font-size: 11pt; color: rgb(31, 73, 125); font-family: Calibri, sans-serif; ">William</span></p>
<p class="MsoNormal"><span style="font-size: 11pt; color: rgb(31, 73, 125); font-family: Calibri, sans-serif; "> </span></p>
<p class="MsoNormal"><span style="font-size: 11pt; color: rgb(31, 73, 125); font-family: Calibri, sans-serif; "> </span></p>
<p class="MsoNormal"><b><span style="font-size: 10pt; font-family: Tahoma, sans-serif; ">From:</span></b><span style="font-size: 10pt; font-family: Tahoma, sans-serif; "> Curves [mailto:<a href="mailto:curves-bounces@moderncrypto.org">curves-bounces@moderncrypto.org</a>]
<b>On Behalf Of </b>Tony Arcieri<br>
<b>Sent:</b> Tuesday, April 08, 2014 9:18 PM<br>
<b>To:</b> <a href="mailto:curves@moderncrypto.org">curves@moderncrypto.org</a><br>
<b>Subject:</b> [curves] Forward secrecy with "triple Diffie-Hellman"</span></p>
<p class="MsoNormal"> </p>
<div>
<p class="MsoNormal">Trevor described this idea to me once and I haven't really seen it written down anywhere. It's an alternative to something like the CurveCP handshake for a transport encryption protocol which provides forward secrecy by deriving a unique
session key each time using ephemeral D-H keys. It couples authentication to confidentiality in ways that might bother some, but at the same time is incredibly simple and I think that's an advantage in and of itself.</p>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">Let's say Alice has the following elliptic curve D-H keys:</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">a: long-lived private key</p>
</div>
<div>
<p class="MsoNormal">A: long-lived public key<br clear="all">
</p>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">Alice will also generate a' and A' for each session, which are short-lived session keys.</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">Bob likewise has b, B, b', and B' respectively.</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">Alice can do:</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal"> a * B' || a' * B' || a' * B</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">(The "*" character here represents Curve25519 scalar multiplication)</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">Bob can do the reciprocal operation and derive the same shared secret string:</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal"> b * A' || b' * A' || b' * A</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">These secret strings can then be used as input to a KDF to create a session key.</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">If these keys haven't been tampered with in-flight, Alice and Bob should derive the same session key, and can authenticate each other via their long-lived public keys.</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">Does this seem correct, and if so, does anyone know of any literature on this approach?</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<p class="MsoNormal">-- <br>
Tony Arcieri</p>
</div>
</div>
</div>
</div>
</div>
_______________________________________________ Curves mailing list <a href="mailto:Curves@moderncrypto.org">
Curves@moderncrypto.org</a> <a href="https://moderncrypto.org/mailman/listinfo/curves">
https://moderncrypto.org/mailman/listinfo/curves</a> </span>
</body>
</html>