# Another look at HMQV

@inproceedings{Menezes2007AnotherLA, title={Another look at HMQV}, author={Alfred Menezes}, booktitle={J. Math. Cryptol.}, year={2007} }

The HMQV protocols are 'hashed variants' of the MQV key agreement protocols. They were introduced at CRYPTO 2005 by Krawczyk, who claimed that the HMQV protocols have very significant advantages over their MQV counterparts: (i) security proofs under reasonable assumptions in the (extended) Canetti-Krawczyk model for key exchange; and (ii) superior performance in some situations. In this paper we demonstrate that the HMQV protocols are insecure by presenting realistic attacks in the Canetti…

## 91 Citations

On the Importance of Public-Key Validation in the MQV and HMQV Key Agreement Protocols

- Computer Science
- INDOCRYPT
- 2006

This paper presents an attack on the two-pass HMQV protocol that does not require knowledge of the victim's ephemeral private keys, and illustrates the importance of performing some form of public-key validation in Diffie-Hellman key agreement protocols.

A Complementary Analysis of the (s)YZ and DIKE Protocols

- Computer Science
- AFRICACRYPT
- 2012

A secure, efficient, and deniable protocol, geared to the post peer specified model is proposed, and it is shown that the (s)YZ protocols do not achieve their claimed CK$_\text{HMQV}$ security or computational fairness.

Improving the Security of the HMQV Protocol Using Tamper-Proof Hardware

- Computer Science
- SecureComm
- 2014

This paper formally proves that the most efficient one-round implicitly authenticated key exchange protocol, HMQV, achieves full PFS under the physical assumption of the existence of tamper-proof hardware.

HMQV: A High-Performance Secure Diffie-Hellman Protocol

- Computer Science
- CRYPTO
- 2005

HMQV is presented, a carefully designed variant of MQV that provides the same superb performance and functionality of the original protocol but for which all the MQV's security goals can be formally proved to hold in the random oracle model under the computational Diffie-Hellman assumption.

Obtaining a secure and efficient key agreement protocol from (H)MQV and NAXOS

- Computer Science, Mathematics
- Des. Codes Cryptogr.
- 2008

A new authenticated key agreement protocol, called CMQV ('Combined' MQV), which incorporates design principles from MQV, HMQV and NAXOS and admits a natural one-pass variant, is proposed.

Stronger Security of Authenticated Key Exchange

- Computer Science
- ProvSec
- 2007

This work extends the Canetti-Krawczyk model for AKE security by providing significantly greater powers to the adversary and introduces a new AKE protocol called NAXOS to prove that it is secure against these stronger adversaries.

A Diffie-Hellman Key Exchange Protocol Without Random Oracles

- Computer Science
- CANS
- 2006

This paper suggests an efficient authenticated Diffie-Hellman key exchange protocol providing the same functionalities and security of HMQV without random oracles, which does not require any expensive signature and encryption schemes.

A Secure and Efficient Authenticated Diffie-Hellman Protocol

- Computer Science
- EuroPKI
- 2009

Using these schemes, the Fully Hashed MQV protocol is proposed, which preserves the performance and security attributes of the (H)MQV protocols and resists the attacks presented.

Designing Efficient Authenticated Key Exchange Resilient to Leakage of Ephemeral Secret Keys

- Computer Science
- CT-RSA
- 2011

This work investigates a sufficient condition for constructing authenticated key exchange (AKE) protocols which satisfy security in the extended Canetti-Krawczyk (eCK) model and proposes a construction of two-pass AKE protocols, which are proved under the gap Diffie-Hellman assumption in the random oracle model.

On robust key agreement based on public key authentication

- Computer Science
- 2014

This paper critically analyzes several authenticated key agreement protocols, uncovers various theoretical and practical flaws, and presents two new attacks on the Hashed Menezes-Qu-Vanstone (HMQV) protocol, which is currently being standardized by IEEE P1363.

## References

HMQV: A High-Performance Secure Diffie-Hellman Protocol

- Computer Science
- CRYPTO
- 2005

HMQV is presented, a carefully designed variant of MQV that provides the same superb performance and functionality of the original protocol but for which all the MQV's security goals can be formally proved to hold in the random oracle model under the computational Diffie-Hellman assumption.

Analysis of the Insecurity of ECMQV with Partially Known Nonces

- Computer Science
- ISC
- 2003

This paper presents the first lattice attack on an authenticated key agreement protocol, which does not use a digital signature algorithm to produce the authentication, and reduces the security from $O(q^{1/2})$ down to $O(q^{1/4})$ when partial knowledge of the nonces is given.

Analysis of Key-Exchange Protocols and Their Use for Building Secure Channels

- Computer Science
- EUROCRYPT
- 2001

A formalism for the analysis of key-exchange protocols that combines previous definitional approaches and results in a definition of security that allows for simple modular proofs of security is presented.

Why Provable Security Matters?

- Mathematics, Computer Science
- EUROCRYPT
- 2003

Concerns about methods from provable security, which have been developed over the last twenty years within the research community, and the somehow overlooked fact that proofs themselves need time to be validated through public discussion, are discussed.

Universally Composable Notions of Key Exchange and Secure Channels

- Computer Science
- EUROCRYPT
- 2002

While the notion of SK-security is strictly weaker than a fully-idealized notion of key exchange security, it is sufficiently robust for providing secure composition with arbitrary protocols and provides new definitions of secure-channels protocols with similarly strong composability properties.

Authenticated Key Exchange Secure against Dictionary Attacks

- Computer Science
- EUROCRYPT
- 2000

Correctness for the idea at the center of the Encrypted Key-Exchange protocol of Bellovin and Merritt is proved: the security of the two-flow protocol at the core of EKE is proved in an ideal-cipher model.

A modular approach to the design and analysis of authentication and key exchange protocols (extended abstract)

- Computer Science
- STOC '98
- 1998

This framework provides a sound formalization for the authentication problem, suggests simple and attractive design principles for general authentication and key exchange protocols, and is used to construct and prove the security of simple and practical authentication and key-exchange protocols.

SIGMA: The 'SIGn-and-MAc' Approach to Authenticated Diffie-Hellman and Its Use in the IKE-Protocols

- Computer Science
- CRYPTO
- 2003

The SIGMA protocols provide perfect forward secrecy via a Diffie-Hellman exchange authenticated with digital signatures, and are specifically designed to ensure sound cryptographic key exchange while providing a variety of features and trade-offs required in practical scenarios.

An Efficient Protocol for Authenticated Key Agreement

- Mathematics, Computer Science
- Des. Codes Cryptogr.
- 2003

This paper proposes an efficient two-pass protocol for authenticated key agreement in the asymmetric (public-key) setting. The protocol is based on Diffie-Hellman key agreement and can be modified to…

Security Analysis of IKE's Signature-Based Key-Exchange Protocol

- Computer Science
- CRYPTO
- 2002

A security analysis of the Diffie-Hellman key-exchange protocol authenticated with digital signatures used by the Internet Key Exchange (IKE) standard is presented, based on an adaptation of the key-exchange model to the setting where peers' identities are not necessarily known or disclosed from the start of the protocol.