We show that one-pass HMQV (which we call HOMQV) is a perfect fit for this type of application in terms of security, efficiency and flexibility. It offers server authentication if the server has its own public key, and degenerates to the standardized DHIES encryption scheme if the server does not have a public key. The performance difference between the unauthenticated DHIES and the authenticated HOMQV is minimal (essentially free for the server and only 1/2 exponentiation for the client). We provide a formal analysis of the protocol's security showing many desirable properties such as sender's forward-secrecy and resilience to compromise of ephemeral data. When a DEM part is added (as needed for key-wrapping), it yields a secure signcryption scheme (equivalently a UC-secure messaging protocol).
The combination of security, flexibility, and efficiency makes HOMQV a very desirable protocol for asymmetric key wrapping, one that we believe should be incorporated into implementations and standards.
Category / Keywords: cryptographic protocols / Key wrapping, key exchange, signcryption
Publication Info: Conference version: PKC'2011.
Date: received 20 Dec 2010, last revised 22 Dec 2010
Contact author: hugo at ee technion ac il
Version: 20101222:170805
Short URL: ia.cr/2010/638