On the Security of Girault Key Agreement Protocols against Active Attacks

In 1991 Girault proposed a key agreement protocol based on his new idea of self-certified public key. Later Rueppel and Oorschot showed variants of the Girault scheme. All of these key agreement protocols inherit positive features of self-certified public key so that they can provide higher security and smaller communication overhead than key agreement protocols not based on self-certified public key. Even with such novel features, rigorous security of these protocols has not been made clear yet. In this paper, we give rigorous security analysis of the original and variants of Girault key agreement protocol under several kinds of active attacker models. In particular we show that protocols are either insecure or proven as secure as the Diffie-Hellman problem over Z_n with respect to the reduction among functions of computing them. Analyzed protocols include a new variant of 1-pass protocol. As opposed to the original 1-pass protocol, the new variant provides mutual implicit key authentication without increasing the number of passes.