On the Importance of Public-Key Validation in the MQV and HMQV Key Agreement Protocols

HMQV is a hashed variant of the MQV key agreement protocol proposed by Krawczyk at CRYPTO 2005. In this paper, we present some attacks on HMQV and MQV that are successful if public keys are not properly validated. In particular, we present an attack on the two-pass HMQV protocol that does not require knowledge of the victim's ephemeral private keys. The attacks illustrate the importance of performing some form of public-key validation in Diffie-Hellman key agreement protocols, and furthermore highlight the dangers of relying on security proofs for discrete-logarithm protocols where a concrete representation for the underlying group is not specified.
