Authors: Alfred Menezes, Berkant Ustaoglu
Addresses: Department of Combinatorics and Optimization, University of Waterloo, Waterloo, Ontario N2L 3G1, Canada; Okamoto Research Laboratory, NTT Information Sharing Platform Laboratories, 3-9-11, Midori-cho Musashino-shi, Tokyo 180-8585, Japan
Abstract: A party may choose to reuse ephemeral public keys in a Diffie-Hellman key agreement protocol in order to reduce its computational workload or to mitigate against denial-of-service attacks. In this note, we show that small-subgroup attacks can be successfully launched on some Diffie-Hellman protocols that reuse ephemeral keys if domain parameters are not appropriately selected or if public keys are not appropriately validated.
Keywords: key agreement protocols; Diffie-Hellman; ephemeral public keys; cryptography; computational workload; denial-of-service attacks; ephemeral key reuse; domain parameter selection; public key validation.
International Journal of Applied Cryptography, 2010 Vol. 2 No. 2, pp. 154-158
Received: 08 Nov 2008
Accepted: 25 Jul 2009
Published online: 28 Jan 2011
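The public-key validation the abstract refers to, as an added example that is not code from the paper: full validation of a received Diffie-Hellman value against constructed toy parameters (p = 43, q = 7, g = 21, chosen so that Z_p^* also contains small subgroups), plus a count showing how few shared secrets an unvalidated small-order value can produce.

```python
def validate_dh_public_key(p: int, q: int, y: int) -> bool:
    """Full public-key validation for a Diffie-Hellman value y in Z_p^*.

    Accepts y only if it lies in the prime-order-q subgroup used by the
    protocol; any value from another subgroup of Z_p^* is rejected.
    """
    # Range check: rejects 0, 1, p-1 and anything outside the field.
    if not (2 <= y <= p - 2):
        return False
    # Subgroup check: y^q == 1 (mod p) exactly when ord(y) divides q, and
    # because q is prime and y != 1 that means ord(y) == q.
    return pow(y, q, p) == 1


def shared_secret(p: int, q: int, x: int, peer_y: int) -> int:
    """Derive peer_y^x mod p, but only after the peer value is validated."""
    if not validate_dh_public_key(p, q, peer_y):
        raise ValueError("peer public key failed full validation")
    return pow(peer_y, x, p)


def distinct_secrets_without_validation(p: int, peer_y: int) -> int:
    """Count the distinct secrets an unvalidated peer_y yields over all
    private exponents. A small-order peer_y gives only ord(peer_y) values,
    so each exchange reveals the private exponent modulo that order,
    which is the leak that reusing an ephemeral key makes exploitable."""
    return len({pow(peer_y, x, p) for x in range(1, p)})


# Constructed toy parameters (assumption, not from the paper):
# p = 43 = 2*3*7 + 1, so Z_43^* has subgroups of order 2, 3 and 7;
# the protocol group is the order-7 subgroup generated by g = 21.
P, Q, G = 43, 7, 21
HONEST_PRIVATE = 5
HONEST_PUBLIC = pow(G, HONEST_PRIVATE, P)   # 4, an element of order 7
SMALL_ORDER_VALUE = 6                       # 6^3 == 1 (mod 43), order 3

if __name__ == "__main__":
    print(validate_dh_public_key(P, Q, HONEST_PUBLIC))               # True
    print(validate_dh_public_key(P, Q, SMALL_ORDER_VALUE))           # False
    print(distinct_secrets_without_validation(P, SMALL_ORDER_VALUE))  # 3
```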