Obtaining a secure and efficient key agreement protocol from (H)MQV and NAXOS

LaMacchia, Lauter and Mityagin recently presented a strong security definition for authenticated key agreement that strengthens the well-known Canetti-Krawczyk definition. They also described a protocol, called NAXOS, that enjoys a simple security proof in the new model. Compared to MQV and HMQV, NAXOS is less efficient and cannot be readily modified to obtain a one-pass protocol. On the other hand, MQV does not have a security proof, and the HMQV security proof is extremely complicated. This paper proposes a new authenticated key agreement protocol, called CMQV (‘Combined’ MQV), which incorporates design principles from MQV, HMQV and NAXOS. The new protocol achieves the efficiency of HMQV and admits a natural one-pass variant. Moreover, we present a relatively simple and intuitive proof that CMQV is secure in the LaMacchia-Lauter-Mityagin model.
