Another look at HMQV

The HMQV protocols are 'hashed variants' of the MQV key agreement protocols. They were introduced at CRYPTO 2005 by Krawczyk, who claimed that the HMQV protocols have very significant advantages over their MQV counterparts: (i) security proofs under reasonable assumptions in the (extended) Canetti-Krawczyk model for key exchange; and (ii) superior performance in some situations. In this paper we demonstrate that the HMQV protocols are insecure by presenting realistic attacks in the Canetti-Krawczyk model that recover a victim's static private key. We propose HMQV-1, patched versions of the HMQV protocols that resist our attacks (but do not have any performance advantages over MQV). We also identify some fallacies in the security proofs for HMQV, critique the security model, and raise some questions about the assurances that proofs in this model can provide.
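The abstract does not spell out how the attacks work. The Python program below, added here as an illustration and not taken from the paper or from any HMQV implementation, shows the classical way an unvalidated public key leaks a static private key, which is the class of attack that full public-key validation (the check MQV performs and the original HMQV omitted) prevents. It implements the two-pass HMQV computation in a toy prime-order subgroup of Z_p^* with constructed parameters, SHA-256 standing in for HMQV's hash functions, and the cofactor of p - 1 chosen larger than q so that a single session pins down a whole exponent; it then runs a small-subgroup attack in which the adversary sends an element of composite order in place of g^x and, assuming it obtains the victim's ephemeral exponent and the session key for that one session (the kind of session-state and session-key reveal queries the Canetti-Krawczyk model permits), recovers the victim's static private key. With validation enabled the same message is rejected. The leak assumptions, party names and all function names are the example's own.

```python
"""Toy two-pass HMQV in a prime-order subgroup of Z_p^* and a small-subgroup attack.

Constructed illustration: tiny parameters, SHA-256 standing in for HMQV's hash
functions, party names and leak assumptions chosen for the example only."""
import hashlib

SMALL_PRIMES = [2, 3, 5, 7, 11, 13]
COFACTOR = 2 * 3 * 5 * 7 * 11 * 13  # 30030; the group order will be p - 1 = COFACTOR * q

def is_prime(n):
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True

def make_group(q_start=1000):
    """Return (p, q, g, w): p prime with p - 1 = COFACTOR * q, g of prime order q,
    and w of order exactly COFACTOR, the 'public key' a validating peer must reject."""
    q = q_start
    while not (is_prime(q) and is_prime(COFACTOR * q + 1)):
        q += 1
    p = COFACTOR * q + 1
    assert q < COFACTOR  # lets one session pin down a full exponent mod q below
    g = next(c for c in (pow(h, COFACTOR, p) for h in range(2, p)) if c != 1)
    w = next(c for c in (pow(h, q, p) for h in range(2, p))
             if all(pow(c, COFACTOR // t, p) != 1 for t in SMALL_PRIMES))
    return p, q, g, w

def hbar(q, *parts):
    """HMQV's H-bar, here reduced into [1, q-1] so every exponent is invertible mod q."""
    digest = hashlib.sha256("|".join(map(str, parts)).encode()).digest()
    return 1 + int.from_bytes(digest, "big") % (q - 1)

def session_key(sigma):
    return hashlib.sha256(str(sigma).encode()).hexdigest()

def validate_public_key(p, q, pub):
    """Full validation for a prime-order subgroup: in range and of order q."""
    return 1 < pub < p and pow(pub, q, p) == 1

def hmqv_initiator(grp, a, x, B, Y, id_a, id_b, validate):
    p, q, g, _ = grp
    if validate and not validate_public_key(p, q, Y):
        raise ValueError("peer ephemeral key failed validation")
    X = pow(g, x, p)
    d, e = hbar(q, X, id_b), hbar(q, Y, id_a)
    return session_key(pow(Y * pow(B, e, p) % p, (x + d * a) % q, p))

def hmqv_responder(grp, b, y, A, X, id_a, id_b, validate):
    p, q, g, _ = grp
    if validate and not validate_public_key(p, q, X):
        raise ValueError("peer ephemeral key failed validation")
    Y = pow(g, y, p)
    d, e = hbar(q, X, id_b), hbar(q, Y, id_a)
    return session_key(pow(X * pow(A, d, p) % p, (y + e * b) % q, p))

def honest_run(grp, validate=True):
    """Both honest parties derive the same key."""
    p, q, g, _ = grp
    a, b, x, y = 17, 23, 101, 202  # constructed secrets, all below q
    A, B, X, Y = (pow(g, k, p) for k in (a, b, x, y))
    return (hmqv_initiator(grp, a, x, B, Y, "alice", "bob", validate)
            == hmqv_responder(grp, b, y, A, X, "alice", "bob", validate))

def small_subgroup_attack(grp, validate):
    """Mallory (static key m, honestly registered) sends w instead of g^x to Bob.
    Assumed leaks for this one session: Bob's ephemeral y and the session key K.
    Returns (recovered b, true b), or None if Bob rejected w."""
    p, q, g, w = grp
    b, y, m = 23, 202, 5
    B, Y, M = (pow(g, k, p) for k in (b, y, m))
    try:
        K = hmqv_responder(grp, b, y, M, w, "mallory", "bob", validate)
    except ValueError:
        return None
    # Bob computed sigma = (w * M^d)^s with s = y + e*b mod q.  The factor
    # M^(d*s) = (g^s)^(d*m) = (Y * B^e)^(d*m) is computable from public values and m;
    # the other factor w^s lies in the order-COFACTOR subgroup, and since COFACTOR > q
    # the residue s is identified by trying every candidate against the revealed K.
    d, e = hbar(q, w, "bob"), hbar(q, Y, "mallory")
    known = pow(Y * pow(B, e, p) % p, d * m, p)
    s = next(c for c in range(q) if session_key(pow(w, c, p) * known % p) == K)
    return (s - y) * pow(e, -1, q) % q, b

if __name__ == "__main__":
    grp = make_group()
    print("honest parties agree:", honest_run(grp))
    print("no validation, recovered vs true b:", small_subgroup_attack(grp, False))
    print("with validation:", small_subgroup_attack(grp, True))
```

In a real group the cofactor is small and q is around 2^256, so one session only leaks the exponent modulo the cofactor's prime factors; the point the toy makes is that an unvalidated peer key turns part of a secret exponent into a brute-forceable quantity, and that the order check in validate_public_key is exactly the cost HMQV saved over MQV by leaving it out.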
