Skip to main content
Springer Nature Link
Log in

On the Importance of Public-Key Validation in the MQV and HMQV Key Agreement Protocols

  • Conference paper
Progress in Cryptology - INDOCRYPT 2006 (INDOCRYPT 2006)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 4329))

Included in the following conference series:

Abstract

HMQV is a hashed variant of the MQV key agreement protocol proposed by Krawczyk at CRYPTO 2005. In this paper, we present some attacks on HMQV and MQV that are successful if public keys are not properly validated. In particular, we present an attack on the two-pass HMQV protocol that does not require knowledge of the victim’s ephemeral private keys. The attacks illustrate the importance of performing some form of public-key validation in Diffie-Hellman key agreement protocols, and furthermore highlight the dangers of relying on security proofs for discrete-logarithm protocols where a concrete representation for the underlying group is not specified.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

Similar content being viewed by others

References

  1. ANSI X9.42, Public Key Cryptography for the Financial Services Industry: Agreement of Symmetric Keys Using Discrete Logarithm Cryptography, American National Standards Institute (2003)

    Google Scholar 

  2. ANSI X9.63, Public Key Cryptography for the Financial Services Industry: Key Agreement and Key Transport Using Elliptic Curve Cryptography, American National Standards Institute (2001)

    Google Scholar 

  3. Antipa, A., Brown, D., Menezes, A., Struik, R., Vanstone, S.: Validation of elliptic curve public keys. In: Desmedt, Y.G. (ed.) PKC 2003. LNCS, vol. 2567, pp. 211–223. Springer, Heidelberg (2002)

    Chapter  Google Scholar 

  4. Bangerter, E., Camenisch, J., Maurer, U.: Efficient proofs of knowledge of discrete logarithms and representations in groups with hidden order. In: Vaudenay, S. (ed.) PKC 2005. LNCS, vol. 3386, pp. 154–171. Springer, Heidelberg (2005)

    Chapter  Google Scholar 

  5. Biehl, I., Meyer, B., Müller, V.: Differential fault analysis on elliptic curve cryptosystems. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 131–146. Springer, Heidelberg (2000)

    Chapter  Google Scholar 

  6. Canetti, R., Krawczyk, H.: Analysis of key-exchange protocols and their use for building secure channels. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 453–474. Springer, Heidelberg (2001), Full version available at: http://eprint.iacr.org/2001/040/

  7. Chen, L., Cheng, Z., Smart, N.: Identity-based key agreement protocols from pairings, Cryptology ePrint Archive: Report 2006/199, Available at: http://eprint.iacr.org/2006/199

  8. FIPS 186-2, Digital Signature Standard (DSS), Federal Information Processing Standards Publication 186-2, National Institute of Standards and Technology (2000)

    Google Scholar 

  9. IEEE Std 1363-2000, Standard Specifications for Public-Key Cryptography (2000)

    Google Scholar 

  10. Kaliski, B.: An unknown key-share attack on the MQV key agreement protocol. ACM Transactions on Information and System Security 4, 275–288 (2001)

    Article  Google Scholar 

  11. Knuth, D.: Seminumerical Algorithms. In: Art of Computer Programming, 3rd edn., vol. 2, Addison-Wesley, Reading (1997)

    Google Scholar 

  12. Krawczyk, H.: HMQV: A high-performance secure Diffie-Hellman protocol. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 546–566. Springer, Heidelberg (2005)

    Google Scholar 

  13. Krawczyk, H.: HMQV: A high-performance secure Diffie-Hellman protocol. Full version of [12], Available at: http://eprint.iacr.org/2005/176/

  14. Krawczyk, H.: HMQV in IEEE P1363, submission to the IEEE P1363 working group (July 7, 2006), Available at: http://grouper.ieee.org/groups/1363/P1363-Reaffirm/submissions/krawczyk-hmqv-spec.pdf

  15. Kunz-Jacques, S., Martinet, G., Poupard, G., Stern, J.: Cryptanalysis of an efficient proof of knowledge of discrete logarithm. In: Yung, M., Dodis, Y., Kiayias, A., Malkin, T.G. (eds.) PKC 2006. LNCS, vol. 3958, pp. 27–43. Springer, Heidelberg (2006)

    Chapter  Google Scholar 

  16. Law, L., Menezes, A., Qu, M., Solinas, J., Vanstone, S.: An efficient protocol for authenticated key agreement. Designs, Codes and Cryptography 28, 119–134 (2003)

    Article  MATH  MathSciNet  Google Scholar 

  17. Leadbitter, P., Smart, N.: Analysis of the insecurity of ECMQV with partially known nonces. In: Boyd, C., Mao, W. (eds.) ISC 2003. LNCS, vol. 2851, pp. 240–251. Springer, Heidelberg (2003)

    Chapter  Google Scholar 

  18. Lim, C., Lee, P.: A key recovery attack on discrete log-based schemes using a prime order subgroup. In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 249–263. Springer, Heidelberg (1997)

    Google Scholar 

  19. Menezes, A.: Another look at HMQV. Journal of Mathematical Cryptology (to appear), Available at: http://eprint.iacr.org/2005/205/

  20. Menezes, A., van Oorschot, P., Vanstone, S.: Handbook of Applied Cryptography. CRC Press, Boca Raton (1996)

    Book  Google Scholar 

  21. Menezes, A., Wu, Y.-H.: The discrete logarithm problem in GL(n,q). Ars Combinatoria 47, 23–32 (1998)

    MathSciNet  Google Scholar 

  22. Naccache, D., Smart, N., Stern, J.: Projective coordinates leak. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 257–267. Springer, Heidelberg (2004)

    Chapter  Google Scholar 

  23. Pointcheval, D., Stern, J.: Security arguments for digital signatures and blind signatures. Journal of Cryptology 13, 361–396 (2000)

    Article  MATH  Google Scholar 

  24. Pollard, J.: Monte Carlo methods for index computation mod p. Mathematics of Computation 32, 918–924 (1978)

    Article  MATH  MathSciNet  Google Scholar 

  25. Schoof, R.: Elliptic curves over finite fields and the computation of square roots mod p. Mathematics of Computation 44, 483–494 (1985)

    Article  MATH  MathSciNet  Google Scholar 

  26. Smart, N.: The exact security of ECIES in the generic group model. In: Honary, B. (ed.) Cryptography and Coding 2001. LNCS, vol. 2260, pp. 73–84. Springer, Heidelberg (2001)

    Chapter  Google Scholar 

  27. SP 800-56A. Special Publication 800-56A, Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography, National Institute of Standards and Technology (March 2006)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Department of Combinatorics & Optimization, University of Waterloo,  

    Alfred Menezes & Berkant Ustaoglu

Authors
  1. Alfred Menezes
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Berkant Ustaoglu
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Indian Statistical Institute, 205, B.T. Road, Kolkata, India

    Rana Barua

  2. Department of Mathematics and Computer Science, Technische Universiteit Eindhoven, P.O. Box 513, 5600, Eindhoven, MB, Netherlands

    Tanja Lange

Rights and permissions

Reprints and permissions

Copyright information

© 2006 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Menezes, A., Ustaoglu, B. (2006). On the Importance of Public-Key Validation in the MQV and HMQV Key Agreement Protocols. In: Barua, R., Lange, T. (eds) Progress in Cryptology - INDOCRYPT 2006. INDOCRYPT 2006. Lecture Notes in Computer Science, vol 4329. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11941378_11

Download citation

  • DOI: https://doi.org/10.1007/11941378_11

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-49767-7

  • Online ISBN: 978-3-540-49769-1

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics