Another look at HMQV

@inproceedings{Menezes2007AnotherLA,
  title={Another look at HMQV},
  author={Alfred Menezes},
  booktitle={Journal of Mathematical Cryptology},
  year={2007},
  url={https://api.semanticscholar.org/CorpusID:15540513}
}
It is demonstrated that the HMQV protocols are insecure by presenting realistic attacks in the Canetti-Krawczyk model that recover a victim's static private key.

On the Importance of Public-Key Validation in the MQV and HMQV Key Agreement Protocols

This paper presents an attack on the two-pass HMQV protocol that does not require knowledge of the victim's ephemeral private keys, and illustrates the importance of performing some form of public-key validation in Diffie-Hellman key agreement protocols.

A Complementary Analysis of the (s)YZ and DIKE Protocols

A secure, efficient, and deniable protocol, geared to the post peer specified model is proposed, and it is shown that the (s)YZ protocols do not achieve their claimed CK$_\text{HMQV}$ security or computational fairness.

Improving the Security of the HMQV Protocol Using Tamper-Proof Hardware

This paper formally proves that the most efficient one-round implicitly authenticated key exchange protocol, HMQV, achieves full PFS under the physical assumption that tamper-proof hardware exists.

HMQV: A High-Performance Secure Diffie-Hellman Protocol

HMQV is presented, a carefully designed variant of MQV that provides the same superb performance and functionality as the original protocol but for which all of MQV's security goals can be formally proved to hold in the random oracle model under the computational Diffie-Hellman assumption.

Obtaining a secure and efficient key agreement protocol from (H)MQV and NAXOS

A new authenticated key agreement protocol, called CMQV (‘Combined’ MQV), which incorporates design principles from MQV, HMQV and NAXOS and admits a natural one-pass variant, is proposed.

Stronger Security of Authenticated Key Exchange

This work extends the Canetti-Krawczyk model for AKE security by providing significantly greater powers to the adversary, and introduces a new AKE protocol called NAXOS and proves that it is secure against these stronger adversaries.

A Diffie-Hellman Key Exchange Protocol Without Random Oracles

This paper suggests an efficient authenticated Diffie-Hellman key exchange protocol providing the same functionalities and security as HMQV without random oracles, which does not require any expensive signature and encryption schemes.

A Secure and Efficient Authenticated Diffie-Hellman Protocol

Using these schemes, the Fully Hashed MQV protocol is proposed, which preserves the performance and security attributes of the (H)MQV protocols and resists the attacks presented.

Designing Efficient Authenticated Key Exchange Resilient to Leakage of Ephemeral Secret Keys

This work investigates a sufficient condition for constructing authenticated key exchange (AKE) protocols which satisfy security in the extended Canetti-Krawczyk (eCK) model and proposes a construction of two-pass AKE protocols, which are proved under the gap Diffie-Hellman assumption in the random oracle model.

Authenticated Key Agreement Protocols: Security Models, Analyses, and Designs. (Protocoles d'échanges de clefs authentifiés : modèles de sécurité, analyses et constructions)

It is shown how impersonation and man-in-the-middle attacks can be performed against the (C, H)MQV(–C) protocols when some session-specific information leakages happen, and a strong security model is proposed which encompasses the eCK one.
...

HMQV: A High-Performance Secure Diffie-Hellman Protocol

HMQV is presented, a carefully designed variant of MQV that provides the same superb performance and functionality as the original protocol but for which all of MQV's security goals can be formally proved to hold in the random oracle model under the computational Diffie-Hellman assumption.

Analysis of the Insecurity of ECMQV with Partially Known Nonces

This paper presents the first lattice attack on an authenticated key agreement protocol, which does not use a digital signature algorithm to produce the authentication, and reduces the security from $O(q^{1/2})$ down to $O(q^{1/4})$ when partial knowledge of the nonces is given.

Analysis of Key-Exchange Protocols and Their Use for Building Secure Channels

A formalism for the analysis of key-exchange protocols that combines previous definitional approaches and results in a definition of security that allows for simple modular proofs of security is presented.

Why Provable Security Matters?

Concerns about methods from provable security, which had been developed over the last twenty years within the research community, are discussed, along with the fact that the need for proofs themselves to be validated over time through public discussion was somehow overlooked.

Universally Composable Notions of Key Exchange and Secure Channels

While the notion of SK-security is strictly weaker than a fully-idealized notion of key exchange security, it is sufficiently robust for providing secure composition with arbitrary protocols and provides new definitions of secure-channels protocols with similarly strong composability properties.

Authenticated Key Exchange Secure against Dictionary Attacks

Correctness for the idea at the center of the Encrypted Key-Exchange protocol of Bellovin and Merritt is proved: security is proved, in an ideal-cipher model, for the two-flow protocol at the core of EKE.

A modular approach to the design and analysis of authentication and key exchange protocols (extended abstract)

This framework provides a sound formalization for the authentication problem and suggests simple and attractive design principles for general authentication and key exchange protocols; simple and practical authentication and key-exchange protocols are constructed and proved secure.

SIGMA: The 'SIGn-and-MAc' Approach to Authenticated Diffie-Hellman and Its Use in the IKE-Protocols

The SIGMA protocols provide perfect forward secrecy via a Diffie-Hellman exchange authenticated with digital signatures, and are specifically designed to ensure sound cryptographic key exchange while providing a variety of features and trade-offs required in practical scenarios.

Security Analysis of IKE's Signature-Based Key-Exchange Protocol

A security analysis of the Diffie-Hellman key-exchange protocol authenticated with digital signatures used by the Internet Key Exchange (IKE) standard is presented, based on an adaptation of the key-exchange model to the setting where peers' identities are not necessarily known or disclosed from the start of the protocol.

An unknown key-share attack on the MQV key agreement protocol

The MQV key agreement protocol is shown in its basic form to be vulnerable to an unknown key-share attack, and the attack is noteworthy in the principles it illustrates about protocol design.