Paper 2010/638

One-Pass HMQV and Asymmetric Key-Wrapping

Shai Halevi and Hugo Krawczyk


Consider the task of asymmetric key-wrapping, where a key-management server encrypts a cryptographic key under the public key of a client. When used in storage and access-control systems, it is often the case that the server has no knowledge about the client (beyond its public key) and no means of coordinating with it. For example, a wrapped key used to encrypt a backup tape may be needed many years after wrapping, when the server is no longer available, key-wrapping standards have changed, and even the security requirements of the client might have changed. Hence we need a flexible mechanism that seamlessly supports different options depending on what the original server was using and the current standards and requirements. We show that one-pass HMQV (which we call HOMQV) is a perfect fit for this type of applications in terms of security, efficiency and flexibility. It offers server authentication if the server has its own public key, and degenerates down to the standardized DHIES encryption scheme if the server does not have a public key. The performance difference between the unauthenticated DHIES and the authenticated HOMQV is very minimal (essentially for free for the server and only 1/2 exponentiation for the client). We provide a formal analysis of the protocol's security showing many desirable properties such as sender's forward-secrecy and resilience to compromise of ephemeral data. When adding a DEM part (as needed for key-wrapping) it yields a secure signcryption scheme (equivalently a UC-secure messaging protocol). The combination of security, flexibility, and efficiency, makes HOMQV a very desirable protocol for asymmetric key wrapping, one that we believe should be incorporated into implementations and standards

Available format(s)
Cryptographic protocols
Publication info
Published elsewhere. Conference version: PKC'2011.
Key wrappingkey exchangesigncryption
Contact author(s)
hugo @ ee technion ac il
2010-12-22: revised
2010-12-21: received
See all versions
Short URL
Creative Commons Attribution


      author = {Shai Halevi and Hugo Krawczyk},
      title = {One-Pass HMQV and Asymmetric Key-Wrapping},
      howpublished = {Cryptology ePrint Archive, Paper 2010/638},
      year = {2010},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.