While reading the paper "SIGMA: the ‘SIGn-and-MAc’ Approach to Authenticated Diffie-Hellman and its Use in the IKE Protocols" (Krawczyk, 2003), I noticed that in the "full-fledge" protocol section on page 24, the author says "Very importantly, the protocols should separate the functions of DH exponentials and freshness nonces into different elements".
I have a few questions based on this:
- Why can the DH exponentials NOT be used for freshness during key exchange protocols?
- Based on my reading of NIST SP 800-56A, this protocol is similar to the C(2e, 2s) scheme with bilateral key confirmation. In the NIST schemes, however, while producing the MAC tags for key confirmation, it appears that the ephemeral public key is used for freshness. Why is it okay there but not in the SIGMA protocol?
If I’m conflating the two protocols, I’d like to understand the differences in SIGMA vs the NIST scheme that allows the ephemeral public key to be used for freshness in one case but not the other.
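The following toy model is an added illustration of the quoted design rule, not code from the paper or the poster. It models two peers whose DH exponentials may be precomputed and reused across sessions (an optimisation the rule is meant to survive), derives the MAC key Km from g^xy and the nonces with an assumed HKDF-style KDF, and checks MAC_Km(identity) on both sides; signatures are omitted and the group is the RFC 2409 1024-bit MODP group used only for illustration.

```python
import hashlib
import hmac
import secrets

# Toy DH group: the 1024-bit MODP modulus from RFC 2409 (IKE group 2), generator 2.
# Illustrative only; a real deployment uses a modern group and real signatures.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2

class Party:
    """One side's DH exponent; reuse_exponent models a precomputed g^x reused across sessions."""
    def __init__(self, ident: bytes, reuse_exponent: bool = False):
        self.ident, self.reuse_exponent, self._x = ident, reuse_exponent, None

    def exponential(self) -> tuple:
        if not (self.reuse_exponent and self._x is not None):
            self._x = secrets.randbelow(P - 2) + 1          # fresh x in [1, P-2]
        return self._x, pow(G, self._x, P)

def derive_km(shared: int, nonce_a: bytes, nonce_b: bytes) -> bytes:
    """Assumed HKDF-style derivation of Km from g^xy, with both freshness nonces as salt."""
    prk = hmac.new(nonce_a + nonce_b, shared.to_bytes(128, "big"), hashlib.sha256).digest()
    return hmac.new(prk, b"SIGMA-Km\x01", hashlib.sha256).digest()

def handshake(a: Party, b: Party, with_nonces: bool) -> dict:
    """One SIGMA-style exchange (signatures omitted): derive Km and verify MAC_Km(id) both ways."""
    na = secrets.token_bytes(16) if with_nonces else b""  # nonce carried separately from g^x
    nb = secrets.token_bytes(16) if with_nonces else b""
    x, gx = a.exponential()
    y, gy = b.exponential()
    km_a = derive_km(pow(gy, x, P), na, nb)                  # A's view of Km
    km_b = derive_km(pow(gx, y, P), na, nb)                  # B's view of Km
    tag_b = hmac.new(km_b, na + nb + b.ident, hashlib.sha256).digest()   # B sends MAC_Km(B)
    tag_a = hmac.new(km_a, na + nb + a.ident, hashlib.sha256).digest()   # A sends MAC_Km(A)
    # Each side recomputes the peer's tag under its own Km; both must agree on Km.
    ok = hmac.compare_digest(tag_b, hmac.new(km_a, na + nb + b.ident, hashlib.sha256).digest()) \
        and hmac.compare_digest(tag_a, hmac.new(km_b, na + nb + a.ident, hashlib.sha256).digest())
    return {"km": km_a, "verified": ok}

def keys_are_fresh(reuse_exponent: bool, with_nonces: bool) -> bool:
    """Run two sessions between the same peers and report whether they derive distinct Km."""
    a, b = Party(b"A", reuse_exponent), Party(b"B", reuse_exponent)
    s1, s2 = handshake(a, b, with_nonces), handshake(a, b, with_nonces)
    assert s1["verified"] and s2["verified"]
    return s1["km"] != s2["km"]
```

With reused exponentials and no nonces, two sessions derive the same Km, so the exponentials alone provide no freshness; adding the separate nonces restores distinct per-session keys without forcing fresh exponentiations.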