The MQV protocol of Law, Menezes, Qu, Solinas and Vanstone is possibly the most efficient of all known authenticated Diffie-Hellman protocols that use public-key authentication. In addition to great performance, the protocol has been designed to achieve a remarkable list of security properties. As a result MQV has been widely standardized, and has recently been chosen by the NSA as the key exchange mechanism underlying “the next generation cryptography to protect US government information”. One question that has not been settled so far is whether the protocol can be proven secure in a rigorous model of key-exchange security. In order to provide an answer to this question we analyze the MQV protocol in the Canetti-Krawczyk model of key exchange. Unfortunately, we show that MQV fails to a variety of attacks in this model that invalidate its basic security as well as many of its stated security goals. On the basis of these findings, we present HMQV, a carefully designed variant of MQV, that provides the same superb performance and functionality of the original protocol but for which all the MQV’s security goals can be formally proved to hold in the random oracle model under the computational Diffie-Hellman assumption. We base the design and proof of HMQV on a new form of “challenge-response signatures”, derived from the Schnorr identification scheme, that have the property that both the challenger and signer can compute the same signature; the former by having chosen the challenge and the latter by knowing the private signature key.

References in zbMATH (referenced in 61 articles , 1 standard article )

Showing results 1 to 20 of 61.
Sorted by year (citations)

1 2 3 4 next

  1. Yang, Zheng; Li, Shuangqing: On security analysis of an after-the-fact leakage resilient key exchange protocol (2016)
  2. Fujioka, Atsushi; Suzuki, Koutarou; Xagawa, Keita; Yoneyama, Kazuki: Strongly secure authenticated key exchange from factoring, codes, and lattices (2015)
  3. Hamburg, Mike: Decaf: eliminating cofactors through point compression (2015)
  4. Yau, Wei-Chuen; Phan, Raphael C.-W.: Cryptanalysis of a chaotic map-based password-authenticated key agreement protocol using smart cards (2015)
  5. Zhang, Lei: Certificateless one-pass and two-party authenticated key agreement protocol and its extensions (2015)
  6. Choo, Kim-Kwang Raymond; Nam, Junghyun; Won, Dongho: A mechanical approach to derive identity-based protocols from Diffie-Hellman-based protocols (2014)
  7. Goldberg, Ian; Stebila, Douglas; Ustaoglu, Berkant: Anonymity and one-way authentication in key exchange protocols (2013)
  8. Chatterjee, Sanjit; Menezes, Alfred; Sarkar, Palash: Another look at tightness (2012)
  9. Fujioka, Atsushi; Suzuki, Koutarou; Xagawa, Keita; Yoneyama, Kazuki: Strongly secure authenticated key exchange from factoring, codes, and lattices (2012)
  10. Li, Hui; Wu, Chuankun: CMQV+: an authenticated key exchange protocol from CMQV (2012)
  11. Camenisch, Jan; Krenn, Stephan; Shoup, Victor: A framework for practical universally composable zero-knowledge protocols (2011)
  12. Fujioka, Atsushi; Suzuki, Koutarou: Designing efficient authenticated key exchange resilient to leakage of ephemeral secret keys (2011)
  13. Halevi, Shai; Krawczyk, Hugo: One-pass HMQV and asymmetric key-wrapping (2011)
  14. Huang, Hai: Strongly secure one round authenticated key exchange protocol with perfect forward security (2011)
  15. Huang, Hai; Cao, Zhenfu: Blake-Wilson, Johnson & Menezes protocol revisited (2011)
  16. Lindell, Yehuda: Highly-efficient universally-composable commitments based on the DDH assumption (2011)
  17. Nam, Junghyun; Paik, Juryon; Won, Dongho: A security weakness in Abdalla et al.’s generic construction of a group key exchange protocol (2011)
  18. Pan, Jiaxin; Wang, Libin: TMQV: a strongly eck-secure Diffie-Hellman protocol without gap assumption (2011)
  19. Tang, Qiang; Chen, Liqun: Extended KCI attack against two-party key establishment protocols (2011)
  20. Yang, Guomin; Tan, Chik How: Certificateless public key encryption: a new generic construction and two pairing-free schemes (2011)

1 2 3 4 next