On the Security of the (F)HMQV Protocol

The HMQV protocol is under consideration for IEEE P1363 standardization. We provide a complementary analysis of the HMQV protocol. Namely, we point out a Key Compromise Impersonation (KCI) attack showing that the two- and three-pass HMQV protocols cannot achieve their security goals. Next, we revisit the FHMQV building blocks, design, and security arguments; we clarify the security and efficiency separation between HMQV and FHMQV, showing the advantages of FHMQV over HMQV.