Paper 2005/205

Another look at HMQV

Alfred Menezes

Abstract

HMQV is a 'hashed variant' of the MQV key agreement protocol. It was recently introduced by Krawczyk, who claimed that HMQV has very significant advantages over MQV: (i) a security proof under reasonable assumptions in the (extended) Canetti-Krawczyk model for key exchange; and (ii) superior performance in some situations. In this paper we demonstrate that HMQV is insecure by presenting realistic attacks in the Canetti-Krawczyk model that recover a victim's static private key. We propose HMQV-1, a patched version of HMQV that resists our attacks (but does not have any performance advantages over MQV). We also identify the fallacies in the security proof for HMQV, critique the security model, and raise some questions about the assurances that proofs in this model can provide.

Note: See the last page of the paper for a list of updates.

Metadata
Available format(s)
PDF
Publication info
Published elsewhere. Also available at http://anotherlook.ca
Contact author(s)
ajmeneze @ uwaterloo ca
History
2011-08-15: last of 8 revisions
2005-06-30: received
Short URL
https://ia.cr/2005/205
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2005/205,
      author = {Alfred Menezes},
      title = {Another look at HMQV},
      howpublished = {Cryptology ePrint Archive, Paper 2005/205},
      year = {2005},
      note = {\url{https://eprint.iacr.org/2005/205}},
      url = {https://eprint.iacr.org/2005/205}
}