The YAK is a public-key authenticated key agreement protocol. It is considered the simplest among the related protocols, including MQV, HMQV, Station-to-Station protocol, SSL/TLS etc. The authentication is based on public key pairs. As with other protocols, YAK normally requires a Public Key Infrastructure to distribute authentic public keys to the communicating parties. The author suggests that YAK may be unencumbered by patent.
Two parties, Alice and Bob, agree on a group with generator of prime order in which the discrete log problem is hard. Typically a Schnorr group is used. In general, YAK can use any prime order group that is suitable for public key cryptography, including elliptic curve cryptography. Let be Alice's long-term public key and be Bob's. The protocol executes in one round.
One round: Alice selects and sends out together with a zero-knowledge proof (using for example Schnorr signature) for the proof of the exponent . Similarly, Bob selects and sends out together with a zero-knowledge proof for the proof of the exponent .
The above communication can be completed in one round as neither party depends on the other. When it finishes, Alice and Bob verify the received zero-knowledge proofs. Alice then computes . Similarly, Bob computes . With the same keying material , Alice and Bob can derive a session key using a cryptographic hash function: .
Given that the underlying zero knowledge proof primitive is secure, the YAK protocol is proved to fulfill the following properties.
- Private key security - An attacker cannot learn the user's static private key even if he is able to learn all session specific secrets in any compromised session.
- Full forward secrecy - Session keys that were securely established in the past uncorrupted sessions will remain incomputable in the future even when both users' static private keys are disclosed.
- Session key security - An attacker cannot compute the session key if he impersonates a user but has no access to the user's private key.
- F. Hao, On Robust Key Agreement Based on Public Key Authentication. Proceedings of the 14th International Conference on Financial Cryptography and Data Security, Tenerife, Spain, LNCS 6052, pp. 383-390, Jan, 2010.