Paper 2010/638

One-Pass HMQV and Asymmetric Key-Wrapping

Shai Halevi and Hugo Krawczyk

Abstract

Consider the task of asymmetric key-wrapping, where a key-management server encrypts a cryptographic key under the public key of a client. When used in storage and access-control systems, it is often the case that the server has no knowledge about the client (beyond its public key) and no means of coordinating with it. For example, a wrapped key used to encrypt a backup tape may be needed many years after wrapping, when the server is no longer available, key-wrapping standards have changed, and even the security requirements of the client might have changed. Hence we need a flexible mechanism that seamlessly supports different options depending on what the original server was using and the current standards and requirements. We show that one-pass HMQV (which we call HOMQV) is a perfect fit for this type of applications in terms of security, efficiency and flexibility. It offers server authentication if the server has its own public key, and degenerates down to the standardized DHIES encryption scheme if the server does not have a public key. The performance difference between the unauthenticated DHIES and the authenticated HOMQV is very minimal (essentially for free for the server and only 1/2 exponentiation for the client). We provide a formal analysis of the protocol's security showing many desirable properties such as sender's forward-secrecy and resilience to compromise of ephemeral data. When adding a DEM part (as needed for key-wrapping) it yields a secure signcryption scheme (equivalently a UC-secure messaging protocol). The combination of security, flexibility, and efficiency, makes HOMQV a very desirable protocol for asymmetric key wrapping, one that we believe should be incorporated into implementations and standards

Metadata
Available format(s)
PDF
Category
Cryptographic protocols
Publication info
Published elsewhere. Conference version: PKC'2011.
Keywords
Key wrappingkey exchangesigncryption
Contact author(s)
hugo @ ee technion ac il
History
2010-12-22: revised
2010-12-21: received
See all versions
Short URL
https://ia.cr/2010/638
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2010/638,
      author = {Shai Halevi and Hugo Krawczyk},
      title = {One-Pass {HMQV} and Asymmetric Key-Wrapping},
      howpublished = {Cryptology {ePrint} Archive, Paper 2010/638},
      year = {2010},
      url = {https://eprint.iacr.org/2010/638}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.