## Another Look at HMQV (2005)


Venue: IACR Eprint archive

Citations: 18 (1 self-citation)

### BibTeX

```bibtex
@ARTICLE{Menezes05anotherlook,
  author  = {Alfred Menezes},
  title   = {Another Look at HMQV},
  journal = {IACR Eprint archive},
  year    = {2005},
  volume  = {2005},
  pages   = {2005}
}
```


### Abstract

The HMQV protocols are ‘hashed variants’ of the MQV key agreement protocols. They were introduced at CRYPTO 2005 by Krawczyk, who claimed that the HMQV protocols have very significant advantages over their MQV counterparts: (i) security proofs under reasonable assumptions in the (extended) Canetti-Krawczyk model for key exchange; and (ii) superior performance in some situations. In this paper we demonstrate that the HMQV protocols are insecure by presenting realistic attacks in the Canetti-Krawczyk model that recover a victim’s static private key. We propose HMQV-1, patched versions of the HMQV protocols that resist our attacks (but do not have any performance advantages over MQV). We also identify some fallacies in the security proofs for HMQV, critique the security model, and raise some questions about the assurances that proofs in this model can provide.

### Citations

Differential power analysis. Kocher, Jaffe, et al., 1999. (676 citations)

Citation context: ...t kinds of secret-information leakage, e.g., partial information about the static private key that may be obtainable through side-channel attacks that analyze power consumption [24] or electromagnetic radiation [1]. An example of an attack on MQV (and HMQV-1) that is not considered in the Canetti-Krawczyk model is the side-channel attack of Leadbitter and Smart [29] (cf. §2.2.4) ...

Entity Authentication and Key Distribution. Bellare, Rogaway, 1994. (469 citations)

Citation context: ...ion. In a series of papers, Canetti and Krawczyk [14, 15, 16] carefully developed security models and definitions for key establishment. Their model corrected shortcomings in previous attempts (e.g., [9, 11, 7, 36]), and at present is widely accepted as being the ‘right’ one. In the Canetti-Krawczyk model, the attacker controls all communications between honest parties. Through ‘corrupt’, ‘session-key’ and ‘sta...

Authenticated key exchange secure against dictionary attacks. Bellare, Pointcheval, et al., 2000. (316 citations)

Citation context: ... It was observed in [26, 27] that no two-pass key agreement protocol can achieve ‘full’ forward secrecy. This observation is thus not specific to MQV, and in any case was already well known (e.g. see [8, 35]). Summary. Of the seven weaknesses and explicit attacks on the MQV protocols reported in [26, 27], the first three are non-attacks and in fact were incorrectly addressed in the HMQV protocols, leadin...

An improved algorithm for computing logarithms over GF(p) and its cryptographic significance. Pohlig, Hellman, 1978. (306 citations)

Citation context: ...rder t > q; for DSA-like parameters, Banks and Shparlinski [5] showed that such an element X exists with non-negligible probability. Upon receiving X^s from B̂, Â can use the Pohlig-Hellman algorithm [32] to determine s′ = ⌊s⌋_t. (Footnote 11: This answers the question posed in Remark 4.5 of [27] about the security of XCR in the face of ephemeral private key revelations.) Since t > q, we h...

Security Arguments for Digital Signatures and Blind Signatures. Pointcheval, Stern, 2000. (283 citations)

Citation context: ...r the security proof of the XCR signature scheme. (Recall that this is the first step of the HMQV security proof.) The XCR security proof takes place in the random oracle model, and the forking lemma [33] is invoked. The result in [27], based on the analysis of the forking lemma in [33], is that the existence of an attacker who works in time at most T, presents at most Q queries to an l-bit hash funct...

Analysis of Key-Exchange Protocols and Their Use for Building Secure Channels. Cryptology ePrint Archive, Report 2001/040. Canetti, Krawczyk, 2001. (266 citations)

Citation context: ... In a recent paper (see [26] and the expanded version [27]), Krawczyk undertook the ambitious task of trying to prove the security of the MQV protocols in the Canetti-Krawczyk model for key exchange [14, 15, 16]. This model provides a formal security definition by carefully specifying the capabilities and goals of an attacker. Krawczyk’s analysis of MQV [26, 27] resulted in his concluding that “...MQV falls ...

Authentication and authenticated key exchanges. Diffie, van Oorschot, et al., 1992. (265 citations)

Citation context: ...process is called ‘embedded’ public-key validation in [28]. 2.4. Unknown-key share attack on one-pass HMQV-1. In an unknown-key share (UKS) attack, first formulated by Diffie, van Oorschot and Wiener [17], an adversary interferes with Â’s and B̂’s communications. The result is that Â and B̂ still compute the same session key. However, even though Â correctly believes the key is shared with B̂, B̂ m...

Selecting Cryptographic Key Sizes. Lenstra, Verheul, 2001. (257 citations)

Citation context: ... that the main group G is an order-q subgroup of the multiplicative group Z_p^*. Then for XCR to be assured an 80-bit security level one would have to select roughly a 354-bit q and a 7000-bit p (see [30]). Such parameter sizes would be too inefficient to be used in practice. On the other hand, if we insist on efficiency and use 1024-bit p and 160-bit q, then the security proof only guarantees that fo...

Monte Carlo methods for index computation (mod p). Pollard, 1978. (232 citations)

Citation context: ...d Smart [29] (see also [31]) to find the f/2 most significant bits of b; here f is the bitlength of q. The remaining f/2 bits of b can then be found in O(q^{1/4}) steps using Pollard’s lambda method [34]. 2.2.5. Attacks on three-pass HMQV. The attacks on three-pass HMQV are similar to the ones on two-pass HMQV in §2.2.3 and §2.2.4 except that a session-key query is not needed. This is because Â learn...

A modular approach to the design and analysis of authentication and key exchange protocols (extended abstract). Bellare, Canetti, et al., 1998. (225 citations)

Citation context: ...ion. In a series of papers, Canetti and Krawczyk [14, 15, 16] carefully developed security models and definitions for key establishment. Their model corrected shortcomings in previous attempts (e.g., [9, 11, 7, 36]), and at present is widely accepted as being the ‘right’ one. In the Canetti-Krawczyk model, the attacker controls all communications between honest parties. Through ‘corrupt’, ‘session-key’ and ‘sta...

Key agreement protocols and their security analysis. Blake-Wilson, Johnson, et al., 1997. (137 citations)

Citation context: ...ion. In a series of papers, Canetti and Krawczyk [14, 15, 16] carefully developed security models and definitions for key establishment. Their model corrected shortcomings in previous attempts (e.g., [9, 11, 7, 36]), and at present is widely accepted as being the ‘right’ one. In the Canetti-Krawczyk model, the attacker controls all communications between honest parties. Through ‘corrupt’, ‘session-key’ and ‘sta...

HMQV: A high-performance secure Diffie-Hellman protocol. Krawczyk, 2005. (113 citations)

Citation context: ...f the MQV protocols has been intensively studied since 1995. However, until recently there was no attempt to ‘prove’ that the protocols actually meet their security objectives. In a recent paper (see [26] and the expanded version [27]), Krawczyk undertook the ambitious task of trying to prove the security of the MQV protocols in the Canetti-Krawczyk model for key exchange [14, 15, 16]. This model prov...

An efficient protocol for authenticated key agreement. Law, Menezes, et al., 2003. (113 citations)

Universally composable notions of key exchange and secure channels. Canetti, Krawczyk, 2002. (104 citations)

Personal communication. Brown, 2010. (73 citations)

Citation context: ...f the attacker can also learn the r least significant bits of the corresponding numbers y, then she can compute the f/2 most significant bits of b using the Leadbitter-Smart lattice attack. Dan Brown [13] found the following ‘large subgroup attack’ on XCR in the case where exponents y + eb are reduced modulo q. The attacker Â selects an element X ∈ G′ of smooth order t > q; for DSA-like parameters, B...

SIGMA: the SIGn-and-MAc approach to authenticated Diffie-Hellman and its use in the IKE protocols. Krawczyk. (73 citations)

Citation context: ...wczyk model did not cover resistance to KCI attacks, and hence protocols proved secure in the model have to be examined on a case-by-case basis for KCI resistance. For example, the ISO [14] and SIGMA [25] protocols would appear to resist KCI attacks, while the Boyd-Mao-Paterson [12] protocol does not. This deficiency in the Canetti-Krawczyk model has apparently been addressed by Krawczyk [27]. Another...

Authenticated multi-party key agreement. Just, Vaudenay. (70 citations)

Citation context: ...curity attributes which are not adequately addressed by the model. As an example, consider the case of key-compromise impersonation (KCI) attacks. In these attacks, first studied by Just and Vaudenay [21], the adversary learns a party Â’s static private key and then tries to impersonate another honest party B̂ to Â. Resistance to KCI attacks is important in situations where an attacker wishes to obta...

The Insecurity of the Digital Signature Algorithm with Partially Known Nonces. Nguyen, Shparlinski. (66 citations)

Citation context: ...austive search, thereby obtaining the r least significant bits of s. After repeating this procedure a few times (e.g., 30 times), Â can use the lattice attack of Leadbitter and Smart [29] (see also [31]) to find the f/2 most significant bits of b; here f is the bitlength of q. The remaining f/2 bits of b can then be found in O(q^{1/4}) steps using Pollard’s lambda method [34]. 2.2.5. Attacks on three...

Another look at provable security. Menezes. (61 citations)

Citation context: ...security engineers should not be mesmerized by claims of provable security, nor should they be intimidated by technical proofs. Above all, the results of the present paper validate the main thesis of [23] that the field of provable security is as much an art as a science. Acknowledgements. I would like to thank Dan Brown, Darrel Hankerson, Ann Hibner Koblitz, Neal Koblitz, and Scott Vanstone for their ...

Security analysis of IKE’s signature-based key-exchange protocol. Canetti, 2002. (55 citations)

Citation context: ... In a recent paper (see [26] and the expanded version [27]), Krawczyk undertook the ambitious task of trying to prove the security of the MQV protocols in the Canetti-Krawczyk model for key exchange [14, 15, 16]. This model provides a formal security definition by carefully specifying the capabilities and goals of an attacker. Krawczyk’s analysis of MQV [26, 27] resulted in his concluding that “...MQV falls ...

Practice-oriented provable-security. Bellare, 1998. (38 citations)

Citation context: ...es examining the reasonableness of the stated assumptions, and performing a concrete security analysis. The next paragraph elaborates on this last point. About ten years ago, Bellare and Rogaway (see [6]) developed the notion of “practice-oriented provable security”. As a result of their work there was a greater awareness of the need to quantify the aforementioned ‘additional effort’ expended in a se...

On Formal Models for Secure Key Exchange (version 4). Manuscript, November 15. Shoup, 1999. (35 citations)

An Unknown Key-Share Attack on the MQV Key Agreement Protocol. Kaliski, 2001. (33 citations)

Citation context: ... believes that the key is shared with a third party Ĉ ∉ {Â, B̂}. One-pass HMQV-1 succumbs to the following online UKS attack; such attacks were first mounted by Kaliski on the two-pass MQV protocol [22]. Party Â transmits the message (Â, B̂, X) and computes the session key K = H(B^{x+da}). The message is intercepted by the adversary Ĉ, who selects an arbitrary integer u ∈ [1, q−1] and computes X′ = ...

Key agreement using statically keyed authenticators. Boyd, Mao, et al., 2004. (27 citations)

Citation context: ... secure in the model have to be examined on a case-by-case basis for KCI resistance. For example, the ISO [14] and SIGMA [25] protocols would appear to resist KCI attacks, while the Boyd-Mao-Paterson [12] protocol does not. This deficiency in the Canetti-Krawczyk model has apparently been addressed by Krawczyk [27]. Another deficiency of the Canetti-Krawczyk model is that it does not account for the s...

Public Key Cryptography for the Financial Services Industry: Elliptic Curve Key Agreement and Key Transport Protocols, working draft. ANSI X9.63, 2000. (22 citations)

Citation context: ... about the assurances that proofs in this model can provide. 1. Introduction. The MQV protocols [28] are a family of efficient Diffie-Hellman authenticated protocols that have been widely standardized [2, 3, 19, 20, 37]. The two-pass protocol in this family (which is what the term “the MQV protocol” sometimes refers to) provides implicit key authentication. A three-pass variant adds key confirmation, thus providing ...

Validation of elliptic curve public keys. Antipa, Brown, et al. (20 citations)

Citation context: ...curve groups, we have noted that the cofactor h is very small, and sometimes h = 1, so the attack as described above will generally fail. However, Â has the option of mounting an invalid-curve attack [4] which we describe next. Suppose that G′ = E(L) where E is an elliptic curve defined over a finite field L. The attacker selects an elliptic curve E′ defined over L whose Weierstrass equation y^2 + a...

Why provable security matters. Stern, 2003. (11 citations)

Citation context: ...ness. This step is notoriously difficult since the proofs are typically long, complicated, and often poorly written. History has shown that subtle flaws may take years to be discovered. Indeed, Stern [38] has proposed adding a validation step to any security proof: Also, the fact that proofs themselves need time to be validated through public discussion was somehow overlooked. Finally, one should care...

Differential fault analysis on elliptic curve cryptosystems. Biehl, Meyer, et al., 2000. (10 citations)

Citation context: ...xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6 differs from E’s only in the coefficient a_6, and such that the order of E′(L) contains a prime factor t of the desired size. Then, as observed by Biehl, Meyer and Müller [10], the usual formulas for adding points in E(L) do not involve a_6 and thus are identical to the formulas for adding points in E′(L). If Â selects order-t points X, A ∈ E′(L) and B̂ does not check w...
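The invalid-curve attack sketched in the Antipa et al. and Biehl-Meyer-Müller contexts above, worked through as an added example. This is not code from Menezes’ paper nor from any MQV/HMQV implementation: the field F_1019, the curve E: y^2 = x^3 + A·x + B, the secret scalar SECRET_K and every function name are constructed for illustration, and the victim is simplified to a party that multiplies whatever point it receives by its static private key. The attacker picks curves E′ sharing the coefficient a (the short-Weierstrass counterpart of the a_6-only change in the text), hands the victim points of small prime order on E′, learns the secret modulo each order from the result, and combines the residues with the Chinese remainder theorem. `on_curve` is the check the text says B̂ omits.

```python
"""Toy invalid-curve attack on a party that multiplies a received point by its
static private key without checking that the point lies on the agreed curve.
All values are constructed for illustration: a 10-bit field, a toy curve
E: y^2 = x^3 + A*x + B over F_p, and a toy secret scalar."""
P = 1019           # prime field; P ≡ 3 (mod 4) so sqrt(r) = r^((P+1)/4)
A, B = 2, 3        # the agreed curve E
INF = None         # point at infinity
SECRET_K = 777     # victim's static private key (toy), below #E(F_p)


def on_curve(pt, a, b, p=P):
    """The validation step the victim should run on every received point."""
    if pt is INF:
        return False
    x, y = pt
    return (y * y - (x ** 3 + a * x + b)) % p == 0


def ec_add(p1, p2, a, p=P):
    """Affine add/double on y^2 = x^3 + a*x + b; b never appears, so the
    same formulas 'work' on every curve sharing the coefficient a."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % p == 0:
            return INF
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)


def ec_mul(k, pt, a, p=P):
    """Double-and-add; this is what the victim runs with its secret k."""
    acc, add = INF, pt
    while k:
        if k & 1:
            acc = ec_add(acc, add, a, p)
        add = ec_add(add, add, a, p)
        k >>= 1
    return acc


def curve_order(a, b, p=P):
    """#E(F_p) by brute force with Euler's criterion (fine for a 10-bit p)."""
    n = 1
    for x in range(p):
        rhs = (x ** 3 + a * x + b) % p
        n += 1 if rhs == 0 else 2 if pow(rhs, (p - 1) // 2, p) == 1 else 0
    return n


def point_of_order(t, a, b, p=P):
    """A point of exact prime order t on y^2 = x^3 + a*x + b (t must divide #E)."""
    n = curve_order(a, b, p)
    for x in range(p):
        rhs = (x ** 3 + a * x + b) % p
        if rhs == 0 or pow(rhs, (p - 1) // 2, p) == 1:
            q = ec_mul(n // t, (x, pow(rhs, (p + 1) // 4, p)), a, p)
            if q is not INF:
                return q           # its order divides t and is not 1, so it is t
    return None


def invalid_curve_attack(victim, a=A, b=B, p=P):
    """victim(pt) returns k*pt. Collect k mod t for distinct small primes t,
    each from a curve E' with the same a but a different b, until the CRT
    modulus exceeds #E(F_p), which bounds the secret k."""
    bound = curve_order(a, b, p)
    k_mod, modulus, used = 0, 1, set()
    for b_bad in range(p):
        if b_bad == b or (4 * a ** 3 + 27 * b_bad ** 2) % p == 0:
            continue                               # E itself, or singular
        n_bad = curve_order(a, b_bad, p)
        for t in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31):
            if n_bad % t or t in used:
                continue
            q = point_of_order(t, a, b_bad, p)     # not on E, but looks like a point
            if q is None:
                continue
            leak = victim(q)                       # victim computes k*q on E'
            r = next(i for i in range(t) if ec_mul(i, q, a, p) == leak)
            while k_mod % t != r:                  # CRT: merge the new residue
                k_mod += modulus
            modulus *= t
            used.add(t)
            if modulus > bound:
                return k_mod
    return None


def victim_without_check(pt):
    return ec_mul(SECRET_K, pt, A)


def victim_with_check(pt):
    if not on_curve(pt, A, B):
        raise ValueError("received point is not on E: rejected")
    return ec_mul(SECRET_K, pt, A)
```

`invalid_curve_attack(victim_without_check)` returns 777; the same call against `victim_with_check` raises on the first off-curve point. On real curves the attacker would pick E′ with orders containing much larger prime factors and solve each small discrete logarithm with a generic method rather than by enumeration, but the validation that stops it is the same one-line curve-equation check (plus, where the cofactor is not 1, an order check).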

The EM Side-Channel(s). Cryptographic Hardware and Embedded Systems. Agrawal, Archambeault, et al., 2003. (8 citations)

Citation context: ...age, e.g., partial information about the static private key that may be obtainable through side-channel attacks that analyze power consumption [24] or electromagnetic radiation [1]. An example of an attack on MQV (and HMQV-1) that is not considered in the Canetti-Krawczyk model is the side-channel attack of Leadbitter and Smart [29] (cf. §2.2.4) whereby a static private key b ca...

Evaluation of Security Level of Cryptography. Rogaway, Bellare, et al., 2001. (4 citations)

Citation context: ... It was observed in [26, 27] that no two-pass key agreement protocol can achieve ‘full’ forward secrecy. This observation is thus not specific to MQV, and in any case was already well known (e.g. see [8, 35]). Summary. Of the seven weaknesses and explicit attacks on the MQV protocols reported in [26, 27], the first three are non-attacks and in fact were incorrectly addressed in the HMQV protocols, leadin...

Public Key Cryptography for the Financial Services Industry: Agreement of Symmetric Keys Using Discrete Logarithm Cryptography, American National Standards Institute. ANSI X9.42, 2001. (3 citations)

Citation context: ... about the assurances that proofs in this model can provide. 1. Introduction. The MQV protocols [28] are a family of efficient Diffie-Hellman authenticated protocols that have been widely standardized [2, 3, 19, 20, 37]. The two-pass protocol in this family (which is what the term “the MQV protocol” sometimes refers to) provides implicit key authentication. A three-pass variant adds key confirmation, thus providing ...

Analysis of the Insecurity of ECMQV with Partially Known Nonces. Leadbitter, Smart, 2003. (3 citations)

Citation context: ...ine ⌊s⌋_t by exhaustive search, thereby obtaining the r least significant bits of s. After repeating this procedure a few times (e.g., 30 times), Â can use the lattice attack of Leadbitter and Smart [29] (see also [31]) to find the f/2 most significant bits of b; here f is the bitlength of q. The remaining f/2 bits of b can then be found in O(q^{1/4}) steps using Pollard’s lambda method [34]. 2.2.5. A...

Special Publication 800-56, Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography. NIST, 2005. (2 citations)

Citation context: ... about the assurances that proofs in this model can provide. 1. Introduction. The MQV protocols [27] are a family of efficient Diffie-Hellman authenticated protocols that have been widely standardized [2, 3, 18, 19, 36]. The two-pass protocol in this family (which is what the term “the MQV protocol” sometimes refers to) provides implicit key authentication. A three-pass variant adds key confirmation, thus providing ...

Integers with a large smooth divisor, preprint. Banks, Shparlinski, 2005. (1 citation)

Citation context: ...‘large subgroup attack’ on XCR in the case where exponents y + eb are reduced modulo q. The attacker Â selects an element X ∈ G′ of smooth order t > q; for DSA-like parameters, Banks and Shparlinski [5] showed that such an element X exists with non-negligible probability. Upon receiving X^s from B̂, Â can use the Pohlig-Hellman algorithm [32] to determine (footnote 11: This answers the question posed in Remark...
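Dan Brown’s ‘large subgroup attack’ on XCR, as quoted in the Pohlig-Hellman, Brown and Banks-Shparlinski contexts above, carried through as an added worked example. This is not code from Menezes’ paper: the toy group Z_p^* with a 10-bit q and smooth order t = 30030 > q, the choice of SHA-256 reduced mod q for the hash H̄, and the minimal XCR signing step (B̂ answers challenge X with (Y, X^s) where s = y + eb mod q) are reconstructed from the contexts and are assumptions of this example, as are all function names. Â sends a challenge X of order t drawn from the supergroup G′ = Z_p^*, recovers s from X^s with Pohlig-Hellman (exactly, since s < q < t), and, once the ephemeral y is revealed (the Remark 4.5 setting of footnote 11), solves for the static key b. The `validate` flag in `xcr_sign` is the membership test X^q = 1 that stops the attack.

```python
"""Toy 'large subgroup attack' on an XCR-style challenge-response signature in
Z_p^*, together with the group-membership check that defeats it.

Constructed for illustration: q is a 10-bit prime (not 160 bits), the smooth
order t = 30030 exceeds q, and the hash H-bar is SHA-256 reduced modulo q."""
import hashlib

Q = 1009                            # prime order of the intended group G
T_PRIMES = (2, 3, 5, 7, 11, 13)     # t = 30030: smooth, squarefree, t > q
T = 2 * 3 * 5 * 7 * 11 * 13


def is_prime(n):
    """Deterministic Miller-Rabin; exact for every n below 3.3e24."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2:
        return False
    if any(n % a == 0 for a in bases):
        return n in bases
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def setup(q=Q, t=T):
    """Return (p, g, X_bad): a prime p with q*t | p-1, a generator g of the
    order-q group G, and X_bad of exact order t (in G' = Z_p^* but not in G)."""
    k = 1
    while not is_prime(q * t * k + 1):
        k += 1
    p = q * t * k + 1
    g = next(pow(h, (p - 1) // q, p) for h in range(2, p)
             if pow(h, (p - 1) // q, p) != 1)
    for h in range(2, p):
        x = pow(h, (p - 1) // t, p)
        if all(pow(x, t // r, p) != 1 for r in T_PRIMES):
            return p, g, x


def e_of(Y, m, q=Q):
    """H-bar(Y, m) mapped into [1, q-1], so e is always invertible mod q."""
    digest = hashlib.sha256(f"{Y}|{m}".encode()).digest()
    return int.from_bytes(digest, "big") % (q - 1) + 1


def xcr_sign(p, g, b, X, m, y, q=Q, validate=False):
    """Signer B-hat (static key b, ephemeral y) answers challenge X on message m
    with (Y, X^s), s = y + e*b mod q. validate=True adds the check X in G."""
    if validate and (X == 1 or pow(X, q, p) != 1):
        raise ValueError("challenge X is not in the order-q group G: rejected")
    Y = pow(g, y, p)
    s = (y + e_of(Y, m, q) * b) % q
    return Y, pow(X, s, p)


def xcr_verify(p, B, x, m, Y, sigma, q=Q):
    """Honest verifier A-hat, who chose X = g^x, checks sigma == (Y * B^e)^x."""
    return pow(Y * pow(B, e_of(Y, m, q), p) % p, x, p) == sigma


def pohlig_hellman(p, X, sigma, primes=T_PRIMES):
    """Solve sigma = X^s for s mod t, where ord(X) = t = prod(primes), squarefree."""
    t = 1
    for r in primes:
        t *= r
    s, mod = 0, 1
    for r in primes:
        Xr, Sr = pow(X, t // r, p), pow(sigma, t // r, p)
        s_r = next(i for i in range(r) if pow(Xr, i, p) == Sr)  # DLP in order-r part
        while s % r != s_r:                                      # CRT combine
            s += mod
        mod *= r
    return s


def demo(b=777, y=123, x=55, m="xcr-challenge"):
    """Return (b, b_recovered, rejected_when_validated, honest_run_verifies)."""
    p, g, X_bad = setup()
    Y, sigma = xcr_sign(p, g, b, X_bad, m, y)           # B-hat skips validation
    s = pohlig_hellman(p, X_bad, sigma)                 # equals s exactly: s < q < t
    b_rec = (s - y) * pow(e_of(Y, m), -1, Q) % Q        # uses the revealed ephemeral y
    try:
        xcr_sign(p, g, b, X_bad, m, y, validate=True)
        rejected = False
    except ValueError:
        rejected = True
    X = pow(g, x, p)                                    # honest run with a valid X
    Y2, sigma2 = xcr_sign(p, g, b, X, m, y, validate=True)
    return b, b_rec, rejected, xcr_verify(p, pow(g, b, p), x, m, Y2, sigma2)
```

`demo()` returns `(777, 777, True, True)`: the static key is recovered from a single signature plus the revealed ephemeral, the validating signer rejects the same challenge, and honest signing still verifies. With real parameters the per-prime discrete logarithms would use a generic method instead of the enumeration in `pohlig_hellman`, and Banks-Shparlinski’s result is what guarantees that a suitable smooth-order X exists in Z_p^* for DSA-like p, q; in either setting the fix is the same subgroup check before exponentiating with anything derived from b.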