Menezes on HMQV
Eric Rescorla
ekr at rtfm.com
Fri Jul 1 11:57:50 EDT 2005
There's an interesting paper up on eprint now:
http://eprint.iacr.org/2005/205
Another look at HMQV
Alfred Menezes
HMQV is a 'hashed variant' of the MQV key agreement protocol. It
was recently introduced by Krawczyk, who claimed that HMQV has
very significant advantages over MQV: (i) a security proof under
reasonable assumptions in the (extended) Canetti-Krawczyk model
for key exchange; and (ii) superior performance in some
situations.
In this paper we demonstrate that HMQV is insecure by presenting
realistic attacks in the Canetti-Krawczyk model that recover a
victim's static private key. We propose HMQV-1, a patched
version of HMQV that resists our attacks (but does not have any
performance advantages over MQV). We also identify the fallacies
in the security proof for HMQV, critique the security model, and
raise some questions about the assurances that proofs in this
model can provide.
Obviously, this is of inherent interest, but it also plays a part
in the ongoing debate about the importance of proof as a technique
for evaluating cryptographic protocols.
-Ekr
---------------------------------------------------------------------
The Cryptography Mailing List