Attack on “Strong Diffie-Hellman-DSA KE” and Improvement

In this paper, we cryptanalyse the so-called “Strong Diffie-Hellman-DSA Key Exchange” (briefly: SDH-DSA-KE) and then propose the “Strong Diffie-Hellman-Exponential-Schnorr Key Exchange” (briefly: SDH-XS-KE), which improves on it in efficiency and security. The SDH-XS-KE protocol is secure against Session State Reveal (SSR) attacks, key independency attacks, Unknown-Key Share (UKS) attacks and Key-Compromise Impersonation (KCI) attacks. Furthermore, SDH-XS-KE has the Perfect Forward Secrecy (PFS) property and a key confirmation step. The new proposal is not vulnerable to disclosure of ephemeral or long-term Diffie-Hellman exponents. We design our protocol over finite groups, so it can also be implemented over elliptic curves.


Introduction
The Diffie-Hellman (DH) protocol (Diffie & Hellman, 1976) is the most popular key exchange protocol. Since the basic protocol is vulnerable to a large class of attacks against protocols, many proposals have been made to improve the security of the DH protocol (see Nyberg & Rueppel, 1994; Krawczyk, 2005). However, most of these proposals have been broken or shown to suffer from weaknesses.
In 2007, in the IEEE Communications Letters journal (see Jeong, Kwon, & Lee, 2007), Jeong et al. prove that the previous scheme is insecure against the session state reveal attack. The authors then propose the "Strong Diffie-Hellman-DSA Key Exchange" (briefly: SDH-DSA-KE), where mutual authentication is done by DSA signatures; however, it uses 5 exponents and is vulnerable to some attacks.
In this paper, we propose a cryptanalysis of SDH-DSA-KE by showing that it is insecure against KCI attacks and is vulnerable to disclosure of ephemeral and long-term CDH exponents. We then propose the "Strong Diffie-Hellman-Exponential-Schnorr Key Exchange" (briefly: SDH-XS-KE), which improves on SDH-DSA-KE in efficiency and security. Our protocol uses 4 exponents and is secure against Session State Reveal (SSR) attacks, key independency attacks, Unknown-Key Share (UKS) attacks and Key-Compromise Impersonation (KCI) attacks. Furthermore, SDH-XS-KE has the Perfect Forward Secrecy (PFS) property. For mutual authentication, instead of DSA signatures, we use a modified Exponential Schnorr protocol.
Note that SDH-DSA-KE was designed only over Z/pZ, whereas our protocol is designed over an arbitrary finite (multiplicative) group; therefore our protocol can be implemented over elliptic curves.

Discrete Logarithm Problem
The Discrete Logarithm Problem (DLP) is the following: given a finite group $G$ of order $n$ and a cyclic subgroup $\langle g\rangle$ of prime order $q$ generated by $g$, if $y \xleftarrow{\text{Rand}} \langle g\rangle$, find the integer $x$, $0 \le x \le q-1$, such that $g^x = y$. The Computational Diffie-Hellman Problem (CDH) is the following: given a finite group $G$ of order $n$ and a cyclic subgroup $\langle g\rangle$ of prime order $q$ generated by $g$, if $y = g^a \xleftarrow{\text{Rand}} \langle g\rangle$ and $z = g^b \xleftarrow{\text{Rand}} \langle g\rangle$, find the group element $g^{ab}$.

Diffie-Hellman Key Exchange
The Diffie-Hellman key exchange protocol was developed in 1976 and published in the paper "New directions in cryptography".

Diffie-Hellman Protocol
Public data: $G$ a finite group, and $\langle g\rangle$ a cyclic subgroup of $G$ generated by $g$ with prime order $q$.
• A selects an integer $a$ such that $1 < a < q-1$, keeps it secret and sends $g^a$ to B.
• B selects an integer $b$ such that $1 < b < q-1$, keeps it secret and sends $g^b$ to A.

Exponential Schnorr Identification Protocol
Let $G$ be a multiplicative group and $\langle g\rangle$ a cyclic subgroup of prime order $q$ with generator $g \in G$.
In this protocol the prover is P and the verifier is V.
The secret key $sk$ of P is an integer $x$ in $[1, q]$. Put $y = g^x$; the public key $pk$ of P is $(G, g, y)$.
(1) V chooses a random $w \xleftarrow{\text{Rand}} \,]1, q[$ and sends the "challenge" $W = g^w$ to P.
(2) P chooses a random $v \xleftarrow{\text{Rand}} \,]1, q[$ and sends $V = g^v$ to V.
(4) P computes $s = v + xe \pmod q$ and sends $S = W^s$ to V.
It is known that this protocol is a proof of the ability of the prover P to compute $CDH(y, V)$ for any value $V \in G$. Moreover, the protocol is zero-knowledge against a verifier V that chooses $e$ at random (while $V$ may be chosen arbitrarily).
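One complete run of the Exponential Schnorr identification protocol above, written here as an added example (it is not code from the paper). It assumes a toy order-$q$ subgroup of $(\mathbb{Z}/p\mathbb{Z})^*$ with $p = 2039 = 2q+1$, $q = 1019$, $g = 4$; that the challenge $e$ of the unprinted step (3) is a random value in $[1, q-1]$ sent by V; and a verifier check derived from the page's formulas, $S = W^s = (V \cdot y^e)^w$.

```python
# Added example (not the paper's code): one run of the Exponential Schnorr
# identification protocol, in the order-q subgroup of (Z/pZ)*.
# Toy parameters (assumption, illustration only): p = 2039 = 2q + 1, q = 1019,
# and g = 4 is a square mod p, hence a generator of the order-q subgroup.
import secrets

P, Q, G = 2039, 1019, 4


def rand_exponent():
    """Random element of ]1, q[ as required by steps (1) and (2)."""
    return 2 + secrets.randbelow(Q - 3)


def keygen(x):
    """Prover's public key y = g^x for a secret x in [1, q]."""
    return pow(G, x, P)


def verifier_challenge(w):
    """Step (1): V sends the challenge W = g^w."""
    return pow(G, w, P)


def prover_commit(v):
    """Step (2): P sends V = g^v."""
    return pow(G, v, P)


def prover_respond(x, v, W, e):
    """Step (4): s = v + x*e (mod q) and S = W^s.  e is the verifier's random
    challenge; step (3) is not printed on the page, so e in [1, q-1] is assumed."""
    s = (v + x * e) % Q
    return pow(W, s, P)


def verifier_accepts(w, y, V, e, S):
    """Acceptance check derived here from the formulas (not stated on the page):
    S = W^s = g^{w(v + xe)} = (V * y^e)^w, which V recomputes with its secret w."""
    return pow((V * pow(y, e, P)) % P, w, P) == S


def run_session(y, x_prover, w, v, e):
    """Exchange between a prover using exponent x_prover and a verifier holding
    public key y.  Returns True iff the verifier accepts."""
    W = verifier_challenge(w)
    V = prover_commit(v)
    S = prover_respond(x_prover, v, W, e)
    return verifier_accepts(w, y, V, e, S)


if __name__ == "__main__":
    x = 1 + secrets.randbelow(Q - 1)
    print("honest run accepted:", run_session(keygen(x), x, rand_exponent(),
                                              rand_exponent(), rand_exponent()))
```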

Security Notions
Let us recall some security notions used in key exchange protocols.
(1) Key independency. This is a stronger notion of security and means that session keys are computationally independent from each other.
(2) Session state reveal attack. The protocols providing security against session state reveal attacks maintain the secrecy of session keys even when an adversary is able to obtain the random numbers used to make the session keys.
(3) Perfect forward secrecy (PFS). A key-exchange protocol is said to have the PFS property if the leakage of the long-term key of a party does not compromise the security of session keys established by that party and erased from memory before the leakage occurred.
(4) Resistance to key-compromise impersonation (KCI) attacks. It provides the assurance that sessions established by a party Alice, while not being actively controlled by the attacker, remain secure even if her private key is learned by the attacker.
(5) The case of the Diffie-Hellman key exchange protocol (see Krawczyk, 2005). Consider a session $(id_A, id_B, V_A = g^{v_A}, V_B = g^{v_B})$ between two parties $A$ and $B$ with the respective pairs of private/public keys $(x_A, g^{x_A})$ and $(x_B, g^{x_B})$; the computation of the session key involves the four secret values $x_A, x_B, v_A, v_B$. Obviously the disclosure of $\{x_A, v_A\}$, or of $\{x_B, v_B\}$, allows the attacker to learn the session key.
For the security of the communication between A and B, one must prove that the disclosure of any other pair of values (except $\{x_A, v_A\}$ and $\{x_B, v_B\}$) in the set $\{x_A, x_B, v_A, v_B\}$ is insufficient for the attacker to succeed in any kind of attack. This includes the cases in which the attacker learns:
• $\{x_A, x_B\}$ and tries to compute the session key of old sessions: this is the PFS property;
• $\{v_A, v_B\}$: this follows from the security against state reveal attacks;
• $\{x_A, v_B\}$ or $\{x_B, v_A\}$: this follows from the security against KCI attacks;
• $g^{x_A x_B}$ without learning $(x_A, x_B)$: this follows from the security against disclosure of long-term DH exponents;
• $g^{v_A v_B}$ without learning $\{v_A, v_B\}$: this follows from the security against disclosure of ephemeral DH exponents.

SDH-DSA-KE Protocol
Let us recall the design of the Strong DH-DSA key exchange protocol.
Let $p, q$ be two sufficiently large primes such that $q$ divides $p-1$ and $g \in \mathbb{Z}/p\mathbb{Z}$ is an element of order $q$. Let $H: \{0,1\}^* \to \mathbb{Z}/q\mathbb{Z}$ be a hash function.
We assume that Alice (respectively: Bob) has a pair of private/public keys $(x_A, y_A = g^{x_A})$ (respectively: $(x_B, y_B = g^{x_B})$).

1) Alice generates $v_A \xleftarrow{\text{Rand}} \,]1, q[$, computes $m_A = g^{v_A} \bmod p$ and sends $m_A$ to Bob.
2)

KCI Attack on SDH-DSA-KE
Theorem 3.1 SDH-DSA-KE is insecure against the Key-Compromise Impersonation (KCI) attack.
Proof. Assume that the attacker knows $x_A$ and $v_B$. Since $y_B = g^{x_B} \bmod p$ and $m_A = g^{v_A} \bmod p$ are public, the attacker can easily compute $DH1 = m_A^{v_B} \bmod p = g^{v_A v_B} \bmod p$ and $DH2 = y_B^{x_A} \bmod p = g^{x_A x_B} \bmod p$, and deduce the key. We have the same result if the attacker knows $x_B$ and $v_A$. Hence this protocol is vulnerable to the Key-Compromise Impersonation (KCI) attack.

Disclosure to Ephemeral or Long-Term CDH Exponents
In the SDH-DSA-KE protocol, the keys are computed as $K_{AB} = H_1(A \| B \| DH1 \| DH2)$ and $K_{BA} = H_1(B \| A \| DH1 \| DH2)$. Therefore, in this protocol the value $DH2 = g^{x_A x_B} \bmod p$ serves as a long-term shared key between the parties Alice and Bob, and so its disclosure suffices for impersonating Alice to Bob, and vice versa.
We will see that, for our improvement, the disclosure of $DH2 = g^{x_A x_B} \bmod p$ does not allow impersonation of Alice or Bob.

Design of SDH-XS-KE Protocol
In our protocol the mutual authentication is done via a modified Exponential Schnorr protocol in which each party is challenged on his public key.
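The algebra behind Theorem 3.1 and the key derivation $K_{AB} = H_1(A\|B\|DH1\|DH2)$, as an added example that is not the paper's code: the same toy group as before ($p = 2039$, $q = 1019$, $g = 4$, an assumption), $H_1$ modelled by SHA-256 over a `||`-joined encoding (my choice), and $m_B = g^{v_B}$ assumed by symmetry with $m_A$ since step 2 is truncated on the page. It checks that either pair $\{x_A, v_B\}$ or $\{x_B, v_A\}$, together with the public values, yields Alice's session key.

```python
# Added example (not from the paper): why knowing {x_A, v_B} or {x_B, v_A}
# reveals the SDH-DSA-KE session key K_AB = H_1(A||B||DH1||DH2).
# Toy group (assumption, illustration only): p = 2039 = 2q + 1, q = 1019, g = 4
# of order q in (Z/pZ)*.  H_1 is modelled by SHA-256 (my choice, not the paper's).
import hashlib

P, Q, G = 2039, 1019, 4


def h1(*parts):
    """Stand-in for H_1 over the '||' concatenation of identities and group elements."""
    data = b"||".join(p if isinstance(p, bytes) else str(p).encode() for p in parts)
    return hashlib.sha256(data).hexdigest()


def public_values(x_a, v_a, x_b, v_b):
    """Everything an eavesdropper sees: long-term keys y = g^x and the exchanged
    ephemeral values m = g^v (m_B assumed by symmetry with m_A)."""
    return {"y_a": pow(G, x_a, P), "y_b": pow(G, x_b, P),
            "m_a": pow(G, v_a, P), "m_b": pow(G, v_b, P)}


def alice_key(x_a, v_a, pub):
    """Honest Alice: DH1 = m_B^{v_A}, DH2 = y_B^{x_A}, K_AB = H_1(A||B||DH1||DH2)."""
    dh1 = pow(pub["m_b"], v_a, P)
    dh2 = pow(pub["y_b"], x_a, P)
    return h1(b"Alice", b"Bob", dh1, dh2)


def kci_with_xa_vb(x_a, v_b, pub):
    """The case in the proof: with Alice's x_A and Bob's ephemeral v_B,
    DH1 = m_A^{v_B} = g^{v_A v_B} and DH2 = y_B^{x_A} = g^{x_A x_B}."""
    dh1 = pow(pub["m_a"], v_b, P)
    dh2 = pow(pub["y_b"], x_a, P)
    return h1(b"Alice", b"Bob", dh1, dh2)


def kci_with_xb_va(x_b, v_a, pub):
    """The symmetric case named at the end of the proof: x_B together with v_A."""
    dh1 = pow(pub["m_b"], v_a, P)
    dh2 = pow(pub["y_a"], x_b, P)
    return h1(b"Alice", b"Bob", dh1, dh2)


def demo(x_a, v_a, x_b, v_b):
    """Returns (honest K_AB, key from {x_A, v_B}, key from {x_B, v_A})."""
    pub = public_values(x_a, v_a, x_b, v_b)
    return (alice_key(x_a, v_a, pub),
            kci_with_xa_vb(x_a, v_b, pub),
            kci_with_xb_va(x_b, v_a, pub))
```

All three values of `demo` coincide, which is exactly the failure the theorem states; a key-exchange that resists KCI would make the second and third computations infeasible without Alice's own ephemeral $v_A$ (or Bob's $v_B$ paired with $x_B$).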