Another look at HMQV

@article{Menezes2007AnotherLA,
  title={Another look at HMQV},
  author={Alfred Menezes},
  journal={J. Math. Cryptol.},
  year={2007}
}
  • A. Menezes
  • Published in J. Math. Cryptol. 2007
  • Computer Science
The HMQV protocols are 'hashed variants' of the MQV key agreement protocols. They were introduced at CRYPTO 2005 by Krawczyk, who claimed that the HMQV protocols have very significant advantages over their MQV counterparts: (i) security proofs under reasonable assumptions in the (extended) Canetti-Krawczyk model for key exchange; and (ii) superior performance in some situations. In this paper we demonstrate that the HMQV protocols are insecure by presenting realistic attacks in the Canetti… 
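As an added example, not code from the paper, from Krawczyk's HMQV paper or from any standard, the following Python models the two-pass MQV and HMQV exchanges in a toy prime-order subgroup so that two points made on this page can be seen concretely: the two protocols differ only in how the multipliers d and e are derived (MQV takes them from the ephemeral values alone, HMQV hashes each ephemeral value with the peer's identity), and a received public key that lies in the right range may still sit outside the prime-order subgroup unless it is explicitly tested for membership, the validation step the entry "On the Importance of Public-Key Validation in the MQV and HMQV Key Agreement Protocols" listed below stresses. The group parameters, identities, private exponents and the choice of SHA-256 as the hash are assumptions constructed for this example; the paper's own attacks are not reproduced here.

```python
import hashlib

# Constructed toy parameters for this added example (not taken from the paper):
# p = 2q + 1 is a safe prime, so the quadratic residues mod p form the subgroup
# of prime order q and the cofactor is 2.  Sizes are for readability, not security.
P = 2039
Q = 1019
G = 4  # 2^2 is a quadratic residue other than 1, so its order is exactly Q


def is_prime(n):
    """Trial division; adequate for the toy sizes used here."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


assert is_prime(P) and is_prime(Q) and P == 2 * Q + 1 and pow(G, Q, P) == 1


def validate_public_key(y, full=True):
    """Validate a received group element before using it as a public key.

    The range check alone (full=False) rejects 0, 1 and p-1 but admits every
    other element, including ones outside the order-q subgroup.  Full validation
    additionally requires y^q = 1 (mod p), i.e. subgroup membership.
    """
    if not 2 <= y <= P - 2:
        return False
    return (not full) or pow(y, Q, P) == 1


def hbar(*parts, bits):
    """HMQV's truncated hash: SHA-256 (an assumption) cut to `bits` bits."""
    data = b"|".join(str(part).encode() for part in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (1 << bits)


def exponents(X, Y, id_a, id_b, variant):
    """Return (d, e): the initiator applies d to its static key, the responder e.

    MQV derives both from the ephemeral values alone; HMQV hashes each ephemeral
    value with the *peer's* identity, the 'hashed' difference its proof relies on.
    """
    half = (Q.bit_length() + 1) // 2  # MQV's w = ceil(l/2); HMQV's l/2-bit hash
    if variant == "mqv":
        d = (X % (1 << half)) + (1 << half)
        e = (Y % (1 << half)) + (1 << half)
    elif variant == "hmqv":
        d = hbar(X, id_b, bits=half)
        e = hbar(Y, id_a, bits=half)
    else:
        raise ValueError(f"unknown variant {variant!r}")
    return d, e


def sigma(eph_priv, static_priv, my_coeff, peer_eph_pub, peer_static_pub, peer_coeff, full=True):
    """sigma = (peer_eph * peer_static^peer_coeff)^(eph_priv + my_coeff*static_priv).

    Both of the peer's public values are validated first; full=False runs only
    the range check, the setting the paper warns about.
    """
    for pub in (peer_eph_pub, peer_static_pub):
        if not validate_public_key(pub, full):
            raise ValueError("public-key validation failed")
    s = (eph_priv + my_coeff * static_priv) % Q
    return pow(peer_eph_pub * pow(peer_static_pub, peer_coeff, P) % P, s, P)


def kdf(sig):
    return hashlib.sha256(str(sig).encode()).hexdigest()


def session_keys(a, x, b, y, variant="hmqv", id_a="Alice", id_b="Bob", full=True):
    """One two-pass exchange between Alice (static a, ephemeral x) and Bob (b, y)."""
    A, X = pow(G, a, P), pow(G, x, P)
    B, Y = pow(G, b, P), pow(G, y, P)
    d, e = exponents(X, Y, id_a, id_b, variant)
    k_alice = kdf(sigma(x, a, d, Y, B, e, full))
    k_bob = kdf(sigma(y, b, e, X, A, d, full))
    return k_alice, k_bob


def invalid_static_key_effect(a, x, b, y, variant="hmqv", id_a="Alice", id_b="Bob"):
    """Bob's registered static key is -B, an element of order 2q that passes the
    range check only.  Alice's sigma is then (-1)^(e*s) times the honest value:
    the invalid key changes nothing but a sign, so the exchange does not fail by
    itself.  Returns (honest_sigma, sigma_with_invalid_B)."""
    X, Y, B = pow(G, x, P), pow(G, y, P), pow(G, b, P)
    d, e = exponents(X, Y, id_a, id_b, variant)
    honest = sigma(x, a, d, Y, B, e)
    bad = sigma(x, a, d, Y, (-B) % P, e, full=False)
    return honest, bad


if __name__ == "__main__":
    for variant in ("mqv", "hmqv"):
        k1, k2 = session_keys(123, 456, 789, 321, variant=variant)
        print(variant, "keys agree:", k1 == k2)
    neg_b = (-pow(G, 789, P)) % P
    print("-B passes range check:", validate_public_key(neg_b, full=False))
    print("-B passes full check:", validate_public_key(neg_b, full=True))
    h, bad = invalid_static_key_effect(123, 456, 789, 321)
    print("invalid key changes sigma only by sign:", bad in (h, P - h))
```

With the cofactor at 2 the only thing an invalid element can contribute is a sign, which is why the check is cheap to forget and why the page's point is that the membership test (here `pow(y, Q, P) == 1`, on a curve the cofactor multiplication or an order check) has to be performed explicitly rather than assumed.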
On the Importance of Public-Key Validation in the MQV and HMQV Key Agreement Protocols
TLDR
This paper presents an attack on the two-pass HMQV protocol that does not require knowledge of the victim's ephemeral private keys, and illustrates the importance of performing some form of public-key validation in Diffie-Hellman key agreement protocols.
A Complementary Analysis of the (s)YZ and DIKE Protocols
TLDR
A secure, efficient, and deniable protocol, geared to the post-specified peer model, is proposed, and it is shown that the (s)YZ protocols do not achieve their claimed CK_HMQV security or computational fairness.
Improving the Security of the HMQV Protocol Using Tamper-Proof Hardware
TLDR
This paper formally proves that the most efficient one-round implicitly authenticated key exchange protocol, HMQV, achieves full PFS under the physical assumption of regarding the existence of tamper-proof hardware.
HMQV: A High-Performance Secure Diffie-Hellman Protocol
TLDR
HMQV is presented, a carefully designed variant of MQV that provides the same superb performance and functionality of the original protocol but for which all of MQV's security goals can be formally proved to hold in the random oracle model under the computational Diffie-Hellman assumption.
Obtaining a secure and efficient key agreement protocol from (H)MQV and NAXOS
TLDR
A new authenticated key agreement protocol, called CMQV ('Combined' MQV), which incorporates design principles from MQV, HMQV and NAXOS and admits a natural one-pass variant is proposed.
Stronger Security of Authenticated Key Exchange
TLDR
This work extends the Canetti-Krawczyk model for AKE security by providing significantly greater powers to the adversary and introduces a new AKE protocol called NAXOS to prove that it is secure against these stronger adversaries.
A Diffie-Hellman Key Exchange Protocol Without Random Oracles
TLDR
This paper suggests an efficient authenticated Diffie-Hellman key exchange protocol providing the same functionalities and security of HMQV without random oracles, which does not require any expensive signature and encryption schemes.
A Secure and Efficient Authenticated Diffie-Hellman Protocol
TLDR
Using these schemes, the Fully Hashed MQV protocol is proposed, which preserves the performance and security attributes of the (H)MQV protocols and resists the attacks presented.
Designing Efficient Authenticated Key Exchange Resilient to Leakage of Ephemeral Secret Keys
TLDR
This work investigates a sufficient condition for constructing authenticated key exchange (AKE) protocols which satisfy security in the extended Canetti-Krawczyk (eCK) model and proposes a construction of two-pass AKE protocols, which are proved under the gap Diffie-Hellman assumption in the random oracle model.
On robust key agreement based on public key authentication
TLDR
This paper critically analyzes several authenticated key agreement protocols, uncovers various theoretical and practical flaws, and presents two new attacks on the Hashed Menezes-Qu-Vanstone (HMQV) protocol, which is currently being standardized by IEEE P1363.

References

SHOWING 1-10 OF 50 REFERENCES
HMQV: A High-Performance Secure Diffie-Hellman Protocol
TLDR
HMQV is presented, a carefully designed variant of MQV that provides the same superb performance and functionality of the original protocol but for which all of MQV's security goals can be formally proved to hold in the random oracle model under the computational Diffie-Hellman assumption.
Analysis of the Insecurity of ECMQV with Partially Known Nonces
TLDR
This paper presents the first lattice attack on an authenticated key agreement protocol which does not use a digital signature algorithm to produce the authentication, and reduces the security from O(q^{1/2}) down to O(q^{1/4}) when partial knowledge of the nonces is given.
Analysis of Key-Exchange Protocols and Their Use for Building Secure Channels
TLDR
A formalism for the analysis of key-exchange protocols that combines previous definitional approaches and results in a definition of security that allows for simple modular proofs of security is presented.
Why Provable Security Matters?
  • J. Stern
  • Mathematics, Computer Science
    EUROCRYPT
  • 2003
TLDR
Concerns about methods from provable security, developed over the last twenty years within the research community, are discussed, along with the fact that the need for proofs themselves to be validated through public discussion was somehow overlooked.
Universally Composable Notions of Key Exchange and Secure Channels
TLDR
While the notion of SK-security is strictly weaker than a fully-idealized notion of key exchange security, it is sufficiently robust for providing secure composition with arbitrary protocols and provides new definitions of secure-channels protocols with similarly strong composability properties.
Authenticated Key Exchange Secure against Dictionary Attacks
TLDR
Correctness of the idea at the center of the Encrypted Key-Exchange protocol of Bellovin and Merritt is established: the security of the two-flow protocol at the core of EKE is proved in an ideal-cipher model.
A modular approach to the design and analysis of authentication and key exchange protocols (extended abstract)
TLDR
This framework provides a sound formalization for the authentication problem, suggests simple and attractive design principles for general authentication and key exchange protocols, and is used to construct and prove the security of simple and practical authentication and key-exchange protocols.
SIGMA: The 'SIGn-and-MAc' Approach to Authenticated Diffie-Hellman and Its Use in the IKE-Protocols
TLDR
The SIGMA protocols provide perfect forward secrecy via a Diffie-Hellman exchange authenticated with digital signatures, and are specifically designed to ensure sound cryptographic key exchange while providing a variety of features and trade-offs required in practical scenarios.
An Efficient Protocol for Authenticated Key Agreement
This paper proposes an efficient two-pass protocol for authenticated key agreement in the asymmetric (public-key) setting. The protocol is based on Diffie-Hellman key agreement and can be modified to
Security Analysis of IKE's Signature-Based Key-Exchange Protocol
TLDR
A security analysis of the Diffie-Hellman key-exchange protocol authenticated with digital signatures used by the Internet Key Exchange (IKE) standard is presented, based on an adaptation of the key-exchange model to the setting where peers' identities are not necessarily known or disclosed from the start of the protocol.