Abstract:
We describe impersonation attacks with related keys on the SIGMA, SIG-DH, and TS3-1 protocols. The attacks build on a related-key attack on the signature scheme (for example, ECDSA). They differ in the capabilities the adversary needs, which follow from the synthesis principles of the protocols: where the initiator's identifier is used as part of the signed message and as part of the first message, the adversary must be able to force an identifier upon registration; where the responder's public ephemeral key is used as part of the signed message, the adversary must be able to compromise future public ephemeral keys.
Keywords: cryptography, cryptographic protocol, authenticated key establishment, related keys, signature.