Unknown key-share attack

As defined by Blake-Wilson & Menezes (1999), an unknown key-share (UKS) attack on an authenticated key agreement (AK) or authenticated key agreement with key confirmation (AKC) protocol is an attack whereby an entity ${\displaystyle A}$ ends up believing she shares a key with ${\displaystyle B}$, and although this is in fact the case, ${\displaystyle B}$ mistakenly believes the key is instead shared with an entity ${\displaystyle E\neq A}$.

In other words, in a UKS, an opponent, say Eve, coerces honest parties Alice and Bob into establishing a secret key where at least one of Alice and Bob does not know that the secret key is shared with the other. For example, Eve may coerce Bob into believing he shares the key with Eve, while he actually shares the key with Alice. The “key share” with Alice is thus unknown to Bob.

References

• Blake-Wilson, S.; Menezes, A. (1999), "Unknown Key-Share Attacks on the Station-to-Station (STS) Protocol", Public Key Cryptography (PDF), Lecture Notes in Computer Science, vol. 1560, Springer, pp. 154–170