Menezes on HMQV
Amir Herzberg
herzbea at macs.biu.ac.il
Sun Jul 3 02:55:18 EDT 2005
Eric Rescorla wrote:
> There's an interesting paper up on eprint now:
> http://eprint.iacr.org/2005/205
>
> Another look at HMQV
> Alfred Menezes
...
> In this paper we demonstrate that HMQV is insecure by presenting
> realistic attacks in the Canetti-Krawczyk model that recover a
> victim's static private key. We propose HMQV-1, a patched
> version of HMQV that resists our attacks (but does not have any
> performance advantages over MQV). We also identify the fallacies
> in the security proof for HMQV, critique the security model, and
> raise some questions about the assurances that proofs in this
> model can provide.
>
> Obviously, this is of inherent interest, but it also plays a part
> in the ongoing debate about the importance of proof as a technique
> for evaluating cryptographic protocols.
From which it is easy to draw two contradicting conclusions...
1. Proofs are useless, see how (even) Hugo got a flaw
2. Proofs are very useful, see how the presentation of a supposed-proof
led to improved analysis and realization that more work needs to be done.
I vote for #2. Amir
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com