In this paper we demonstrate that HMQV is insecure by presenting realistic attacks in the Canetti-Krawczyk model that recover a victim's static private key. We propose HMQV-1, a patched version of HMQV that resists our attacks (but does not have any performance advantages over MQV). We also identify the fallacies in the security proof for HMQV, critique the security model, and raise some questions about the assurances that proofs in this model can provide.
Publication Info: Also available at http://anotherlook.ca
Date: received 29 Jun 2005, last revised 15 Aug 2011
Contact author: ajmeneze at uwaterloo ca
Note: See the last page of the paper for a list of updates.
Version: 20110815:115558
Short URL: ia.cr/2005/205