YAK (cryptography)

The YAK is a public-key authenticated key-agreement protocol, proposed by Feng Hao in 2010. It is claimed to be the simplest authenticated key exchange protocol among the related schemes, including MQV, HMQV, Station-to-Station protocol, SSL/TLS etc. The authentication is based on public key pairs. As with other protocols, YAK normally requires a Public Key Infrastructure to distribute authentic public keys to the communicating parties. The security of YAK is disputed (see below and the talk page).

Description
Two parties, Alice and Bob, agree on a group $$G$$ with generator $$g$$ of prime order $$q$$ in which the discrete log problem is hard. Typically a Schnorr group is used. In general, YAK can use any prime order group that is suitable for public key cryptography, including elliptic curve cryptography. Let $$g^a$$ be Alice's long-term public key and $$g^b$$ be Bob's. The protocol executes in one round:

Alice selects $$x \in_\text{R} [0, q-1]$$ and sends out $$g^x$$ together with a zero-knowledge proof (using for example Schnorr non-interactive zero-knowledge proof as described in RFC 8235) for the proof of the exponent $$x$$. Similarly, Bob selects $$y \in_\text{R} [0, q-1]$$ and sends out $$g^{y}$$ together with a zero-knowledge proof for the proof of the exponent $$y$$. Here, the notation $$\in_\text{R}$$ denotes an element selected randomly with uniform probability.

The above communication can be completed in one round as neither party depends on the other. When it finishes, Alice and Bob verify the received zero-knowledge proofs. Alice then computes $$K = (g^{y} g^{b}) ^ {x + a}= g^{(x + a) (y + b)}$$. Similarly, Bob computes $$K = (g^{x} g^{a}) ^ {y + b} = g^{(x + a) (y + b)}$$. With the same keying material $$K$$, Alice and Bob can derive a session key using a cryptographic hash function: $$\kappa = H(K)$$.

Security properties
The use of well-established zero-knowledge proof primitives such as Schnorr's scheme greatly simplifies the security proofs. Given that the underlying zero knowledge proof primitive is secure, the YAK protocol aims to satisfy the following properties.


 * 1) Private key security – An attacker cannot learn the user's static private key even if he is able to learn all session-specific secrets in any compromised session.
 * 2) Forward secrecy – Session keys that were securely established in the past uncorrupted sessions will remain incomputable in the future even when both users' static private keys are disclosed.
 * 3) Session key security – An attacker cannot compute the session key if he impersonates a user but has no access to the user's private key.

The security claims in the original YAK paper are based on the Computational Diffie-Hellman assumption in a random oracle model.

Cryptanalysis
In 2015, Toorani mentioned that "the YAK protocol lacks joint key control and perfect forward secrecy attributes and is vulnerable to some attacks including unknown key-share and key-replication attacks" to which Hao has a different opinion.

In 2020, Mohammad mentioned that YAK protocol cannot withstand the known key security attack which leads to a new key compromise impersonation attack where an adversary is allowed to reveal both the shared static secret key between two parties and the ephemeral private key of the initiator. The author also proposed an improved protocol to remedy these attacks and the previous attacks mentioned by Toorani on the YAK protocol, and the proposed protocol uses a verification mechanism that provides entity authentication and key confirmation. The author showed that the proposed protocol is secure in the proposed formal security model under the gap Diffie‐Hellman assumption and the random oracle assumption. Moreover, the security of the proposed protocol and attacks on the YAK protocol were verified by the Scyther tool. Mohammad's paper is discussed in the talk page.