The SIGMA Family of Key-Exchange Protocols

by Hugo Krawczyk

Summary: SIGMA is a family of cryptographic key-exchange protocols that provide perfect forward secrecy via a Diffie-Hellman exchange authenticated with digital signatures. SIGMA is designed to support a variety of features and trade-offs required in common practical scenarios (such as identity protection and reduced number of protocol rounds) as well as to enjoy sound cryptographic security. This design puts forth the "SIGn-and-MAc" (SIGMA, for short) approach that carefully combines the use of digital signatures and MAC functions to guarantee an authenticated binding between the Diffie-Hellman key and the identities of the parties to the exchange. This simple approach resolves security shortcomings found in previous protocols. The SIGMA protocols serve as the cryptographic basis for the signature-based modes of the standardized Internet Key Exchange (IKE) protocol, and its current revision IKE version 2.

History and Applications: SIGMA was first designed in 1995 and suggested by the author to the IPsec working group as a replacement to Photuris, an STS-based Diffie-Hellman exchange used at the time in the IPsec protocols, which suffered from some significant security flaws (see the IPsec mailing list, April-October 1995). SIGMA was eventually adopted into IKE, the successor of Photuris, which became the standard key exchange protocol for sharing keys between IPsec peers. IKE uses two variants of SIGMA in its "authentication with signature" modes (main and aggressive modes). In the last year, there was renewed interest in these protocols because of the plans to create a version 2 for IKE. Several proposals for this revision used SIGMA as their core cryptographic key-exchange, including the official WG document named IKEv2 and the JFKr protocol. Beyond these existing applications, SIGMA is very well suited (and well analyzed) for other applications that require an authenticated Diffie-Hellman exchange, especially when identity protection is sought or when the identity of the peer is not uniquely specified from the start of the protocol.

Papers: A paper presenting SIGMA and its cryptographic rationale is available ( abstract, postscript, pdf); a shorter version has been contributed to the proceedings of Crypto'03 (LNCS Series, Vol. 2729). The paper is intended to introduce the SIGMA protocols (and its IKE's applications) to a broad audience of protocol designers and security engineers, and emphasizes many subtleties surrounding the design of secure key-exchange protocols in general, and identity-protecting protocols in particular. The paper also points out to the strengths and weaknesses of previous protocols (such as STS, Photuris, and ISO) that motivated the design of SIGMA.
Click here for a PowerPoint presentation about SIGMA from the invited talk at Crypto'03 (it also includes a succint introduction to IPSec and IKE).
A formal analysis of the SIGMA protocol (and its IKE applications) in a complexity-theoretic setting appears in a companion paper (co-authored with Ran Canetti) presented at Crypto'02.