Talk:YAK (cryptography)

Zm2020 added the following paper to show the attacks on YAK and an improved version of YAK. However, only an abstract is provided. A proper discussion on this paper is needed to establish the relevance and validity of its result.

''Mohammad, Zeyad (11 March 2020). "Cryptanalysis and improvement of the YAK protocol with formal security proof and security verification via Scyther". International Journal of Communication Systems. 33 (9): e4386. doi:10.1002/dac.4386. ISSN 1099-1131.''

In this paper, Mohammad described three attacks on YAK.

 * The first attack is called the "session corruption attack". For this attack, Mohammad defines a formal model and an EphemeralSharedSecretReveal function which simply returns the raw material for a session key. In this attack, the two users perform a YAK key exchange as normal and derive a session key. After the key is derived, the attacker merely calls the EphemeralSharedSecretReveal function defined in the model to obtain the session key. Thus, Mohammad concludes that "the YAK protocol cannot withstand session corruption attacks".

 * The second attack is called "Know Key Security Resilience" (KKS-R). In this attack, the attacker calls the same EphemeralSharedSecretReveal function as before to obtain the raw material for the session key and calls another EphemeralKeyReveal function to obtain ephemeral private keys. Based on the returned results, the attacker is able to obtain the shared static key ($$g^{ab}$$). Thus, Mohammad concludes that "the YAK protocol cannot withstand KKS-R attack".

 * The third attack is called the "shared static-KCI attack". In this attack, the attacker calls an EphemeralKeyReveal function to obtain ephemeral private keys, which together with the shared static key ($$g^{ab}$$) obtained in the KKS-R attack, allows the attacker to compute a session key. Thus, Mohammad concludes "the YAK protocol cannot withstand the shared static-KCI attacks."

To prevent the above attacks, Mohammad proposed to modify the Schnorr non-interactive zero-knowledge proof used in YAK to a different one (Figure 3 in Mohammad's paper). Briefly, the modified Schnorr non-interactive zero-knowledge proof works as follows. Let $$x \in_R Z_p^*$$ and $$v_A \in_R Z_p^*$$. $$X = (A \cdot g)^x$$, $$V_A = g^{H_1(v_A, a)}$$. To prove the knowledge of $$x$$, Alice sends $$V_A$$ and $$r_A = H_1(v_A, a) - (a + (ax + x)h)$$, where $$a$$ is Alice's long-term private key and $$h$$ is a hash of several public values. $$H_1$$ and $$H_2$$ are defined by Mohammad as random oracles to map inputs into a value in $$Z_q^*$$.

It should be clear that in the above modified Schnorr scheme, $$x$$ and $$H_1(v_A, a)$$ are ephemeral secrets in a session. Once these session-specific ephemeral secrets are revealed (allowed in an e-CK model), an attacker is able to trivially compute the long-term private key, hence completely breaking the system.

To sum up, the attacks and the countermeasure proposed in Mohammad's paper don't appear to be valid despite it being a peer-reviewed publication. Reference to this paper should be removed from the Wikipedia page, or alternatively, the attacks and the countermeasure described in this paper should be fully expanded to justify the relevance and validity. Fh240 (talk) 19:25, 18 April 2021 (UTC)
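The following worked example is an addition to this talk page and is not code from Mohammad's paper or from the editor above. It implements the modified Schnorr proof exactly as the post transcribes it ($$X = (A \cdot g)^x$$, $$V_A = g^{H_1(v_A, a)}$$, $$r_A = H_1(v_A, a) - (a + (ax + x)h)$$) and then carries out the algebra the post's last technical paragraph alludes to: rearranging $$r_A$$ as $$H_1(v_A, a) - a(1 + xh) - xh$$ shows that anyone holding one session's ephemeral secrets $$x$$ and $$H_1(v_A, a)$$ recovers $$a$$ by one modular division. Everything not stated on the page is an assumption of the example: the toy safe-prime group (p = 2039, q = 1019, g = 4), SHA-256 standing in for the random oracles, exponents taken in $$Z_q$$, the set of public values fed into $$h$$, and the verification equation $$V_A = g^{r_A} \cdot A \cdot X^h$$, which is the check implied by the form of $$r_A$$.

```python
import hashlib
import random

# Toy group parameters, constructed for this example only (not from the paper):
# p = 2q + 1 is a safe prime and g = 4 generates the order-q subgroup of Z_p^*.
P = 2039
Q = 1019
G = 4


def random_oracle(tag, *parts):
    """Model H_1 / H_2 as SHA-256 over tagged, encoded inputs, reduced into Z_q.
    A zero result is mapped to 1 so the output lies in Z_q^* as the paper requires."""
    data = tag.encode() + b"|" + b"|".join(str(v).encode() for v in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q or 1


def keygen(rng):
    """Alice's long-term key pair: a in Z_q^*, A = g^a mod p."""
    a = rng.randrange(1, Q)
    return a, pow(G, a, P)


def prove(rng, a, A):
    """Modified Schnorr NIZK as transcribed on the talk page.
    Returns the public transcript (X, V_A, h, r_A) and the session's
    ephemeral secrets (x, k) with k = H_1(v_A, a)."""
    x = rng.randrange(1, Q)
    v_a = rng.randrange(1, Q)
    X = pow(A * G % P, x, P)               # X = (A*g)^x = g^{(a+1)x}
    k = random_oracle("H1", v_a, a)        # k = H_1(v_A, a)
    V_A = pow(G, k, P)                     # V_A = g^k
    h = random_oracle("H2", G, A, X, V_A)  # h over public values (assumed input set)
    r_A = (k - (a + (a * x + x) * h)) % Q
    return (X, V_A, h, r_A), (x, k)


def verify(A, transcript):
    """Check g^{r_A} * A * X^h == V_A; the exponents sum to k exactly when r_A
    was formed as in prove()."""
    X, V_A, h, r_A = transcript
    lhs = pow(G, r_A, P) * A % P * pow(X, h, P) % P
    return lhs == V_A


def recover_long_term_key(transcript, ephemeral):
    """Given one session's revealed ephemeral secrets (x, k) and its public
    transcript, solve r_A = k - a(1 + xh) - xh for a. Returns None in the
    degenerate case 1 + xh == 0 (mod q), where a cancels out of the equation."""
    X, V_A, h, r_A = transcript
    x, k = ephemeral
    d = (1 + x * h) % Q
    if d == 0:
        return None
    return (k - x * h - r_A) * pow(d, -1, Q) % Q


def run_demo(seed=2021):
    """One honest session, its verification, and the key recovery from the
    ephemeral secrets alone. The degenerate case occurs with probability about
    1/q, so a fresh session is run if it comes up, keeping the demo deterministic."""
    rng = random.Random(seed)  # seeded PRNG so the example is reproducible
    a, A = keygen(rng)
    while True:
        transcript, ephemeral = prove(rng, a, A)
        recovered = recover_long_term_key(transcript, ephemeral)
        if recovered is not None:
            break
    X, V_A, h, r_A = transcript
    return {
        "a": a,
        "verified": verify(A, transcript),
        "tampered_verified": verify(A, (X, V_A, h, (r_A + 1) % Q)),
        "recovered": recovered,
    }


if __name__ == "__main__":
    print(run_demo())
```

Note that `recover_long_term_key` never touches $$v_A$$, the long-term key, or any other session: the public transcript plus the two values an ephemeral-reveal query hands out are sufficient. This is what distinguishes the construction from the original Schnorr proof, where the response is $$k - ah$$ with $$k$$ uniformly random and independent of $$a$$, so revealing $$k$$ alone exposes $$a$$ only if the challenge $$h$$ is also under the adversary's control.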