YAK is a public-key authenticated key-agreement protocol, proposed by Feng Hao in 2010. It is claimed to be the simplest authenticated key exchange protocol among the related schemes, including MQV, HMQV, the Station-to-Station protocol, SSL/TLS etc. The authentication is based on public key pairs. As with other protocols, YAK normally requires a public key infrastructure (PKI) to distribute authentic public keys to the communicating parties. The security of YAK is disputed (see below and the talk page).


Description

Two parties, Alice and Bob, agree on a group G with generator g of prime order q in which the discrete log problem is hard. Typically a Schnorr group is used. In general, YAK can use any prime order group that is suitable for public key cryptography, including elliptic curve cryptography. Let g^a be Alice's long-term public key and g^b be Bob's. The protocol executes in one round: Alice selects x \in_R [0, q-1] and sends out g^x together with a zero-knowledge proof (using for example the Schnorr non-interactive zero-knowledge proof as described in RFC 8235) for the proof of the exponent x. Similarly, Bob selects y \in_R [0, q-1] and sends out g^y together with a zero-knowledge proof for the proof of the exponent y. Here, the notation \in_R denotes ''an element selected randomly with uniform probability''. The above communication can be completed in one round as neither party depends on the other. When it finishes, Alice and Bob verify the received zero-knowledge proofs. Alice then computes K = (g^y g^b)^{x+a} = g^{(x+a)(y+b)}. Similarly, Bob computes K = (g^x g^a)^{y+b} = g^{(x+a)(y+b)}. With the same keying material K, Alice and Bob can derive a session key using a cryptographic hash function: \kappa = H(K).
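The one-round exchange above, run end to end as an added example (not code from the article or from Hao's paper): each side proves knowledge of its ephemeral exponent with an RFC 8235-style Schnorr NIZK, the peer verifies it, and both derive \kappa = H(K). The toy Schnorr group, the user-id strings and the hash layout are assumptions made for the example.

```python
import hashlib
import secrets

# Constructed toy Schnorr group, far too small for real use: p = 2q + 1 and
# g = 4 (a quadratic residue) has prime order q in Z_p^*.
P, Q, G = 1019, 509, 4

def h(*parts):
    """Hash a tuple of values to an integer (challenge derivation)."""
    data = b"|".join(str(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def in_group(X):
    """Accept only elements of the order-q subgroup, excluding the identity."""
    return 1 < X < P and pow(X, Q, P) == 1

def schnorr_prove(x, user_id):
    """NIZK proof of knowledge of x for X = g^x: (V, r) with r = v - x*c mod q."""
    X = pow(G, x, P)
    v = secrets.randbelow(Q - 1) + 1
    V = pow(G, v, P)
    c = h(G, V, X, user_id) % Q
    return X, (V, (v - x * c) % Q)

def schnorr_verify(X, proof, user_id):
    """Check V == g^r * X^c, recomputing the challenge c from the transcript."""
    V, r = proof
    if not in_group(X):
        return False
    c = h(G, V, X, user_id) % Q
    return V == (pow(G, r, P) * pow(X, c, P)) % P

def yak_side(static_priv, eph_priv, peer_static_pub, peer_eph_pub, peer_proof, peer_id):
    """One party's view of YAK: verify the peer's proof, then K = (g^y g^b)^(x+a)."""
    if not in_group(peer_static_pub) or not schnorr_verify(peer_eph_pub, peer_proof, peer_id):
        raise ValueError("rejected key material from " + peer_id)
    K = pow(peer_eph_pub * peer_static_pub % P, (static_priv + eph_priv) % Q, P)
    return hashlib.sha256(str(K).encode()).hexdigest()  # session key kappa = H(K)

def run_yak():
    """Full run: both parties pick exponents in [1, q-1] (avoiding g^0 = 1) and agree on kappa."""
    a, b = secrets.randbelow(Q - 1) + 1, secrets.randbelow(Q - 1) + 1   # static private keys
    A, B = pow(G, a, P), pow(G, b, P)                                   # static public keys (via PKI)
    x, y = secrets.randbelow(Q - 1) + 1, secrets.randbelow(Q - 1) + 1   # ephemeral exponents
    gx, proof_x = schnorr_prove(x, "Alice")
    gy, proof_y = schnorr_prove(y, "Bob")
    return yak_side(a, x, B, gy, proof_y, "Bob"), yak_side(b, y, A, gx, proof_x, "Alice")
```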


Security properties

The use of well-established zero-knowledge proof primitives such as Schnorr's scheme greatly simplifies the security proofs. Given that the underlying zero-knowledge proof primitive is secure, the YAK protocol aims to satisfy the following properties.

1. Private key security – An attacker cannot learn the user's static private key even if he is able to learn all session-specific secrets in any compromised session.
2. Forward secrecy – Session keys that were securely established in past uncorrupted sessions will remain incomputable in the future even when both users' static private keys are disclosed.
3. Session key security – An attacker cannot compute the session key if he impersonates a user but has no access to the user's private key.

The security claims in the original YAK paper are based on the computational Diffie-Hellman assumption in a random oracle model.


Cryptanalysis

In 2015, Toorani mentioned that "the YAK protocol lacks joint key control and perfect forward secrecy attributes and is vulnerable to some attacks including unknown key-share and key-replication attacks", a claim with which Hao disagrees. In 2020, Mohammad mentioned that the YAK protocol cannot withstand the known key security attack, which leads to a new key compromise impersonation attack where an adversary is allowed to reveal both the shared static secret key between two parties and the ephemeral private key of the initiator. The author also proposed an improved protocol to remedy these attacks and the previous attacks mentioned by Toorani on the YAK protocol; the proposed protocol uses a verification mechanism that provides entity authentication and key confirmation. The author showed that the proposed protocol is secure in the proposed formal security model under the gap Diffie-Hellman assumption and the random oracle assumption. Moreover, the security of the proposed protocol and the attacks on the YAK protocol were verified with the Scyther tool [1]. Mohammad's paper is discussed in the talk page.


References

[1] Mohammad, Zeyad (11 March 2020). "Cryptanalysis and improvement of the YAK protocol with formal security proof and security verification via Scyther". International Journal of Communication Systems 33(9): e4386. doi:10.1002/dac.4386. ISSN 1099-1131. https://onlinelibrary.wiley.com/doi/full/10.1002/dac.4386