Vulnerabilities of generalized MQV key agreement protocol without using one-way hash functions

The MQV protocol is the first authenticated key agreement protocol which uses a digital signature to sign Diffie–Hellman public keys without using any one-way hash functions. Based on the MQV protocol, Harn and Lin proposed an authenticated multiple-key agreement protocol that enables two parties to establish multiple common secret keys in a single protocol run. But the protocol was subsequently found to be flawed. Tseng proposed a new generalized MQV key agreement protocol without using one-way hash functions to overcome the weaknesses of Harn–Lin's protocol. Recently, Shao showed that Teng's protocol is insecure against signature forgery attacks and then proposed an improved authenticated multiple-key agreement protocol to resist the attacks. In this paper we show that Shao's protocol is vulnerable to unknown key-share attacks. We also point out its another potential weakness.