On the Security of the (F)HMQV Protocol

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 9646)

Abstract

The HMQV protocol is under consideration for IEEE P1363 standardization. We provide a complementary analysis of the HMQV protocol. Namely, we point out a Key Compromise Impersonation (KCI) attack showing that the two- and three-pass HMQV protocols cannot achieve their security goals. Next, we revisit the FHMQV building blocks, design, and security arguments; we clarify the security and efficiency separation between HMQV and FHMQV, showing the advantages of FHMQV over HMQV.

A.P. Sarr—Partially supported by the CEA–MITIC.

P. Elbaz–Vincent—Partially supported by the LabEx PERSYVAL–Lab (ANR–11–LABX–0025–01).

Notes

  1. This is to date the best sieving algorithm for discrete logarithm over a prime field.

  2. It takes a few seconds on an i7–4790K to find such primes.

  3. To launch this phase in the two-pass HMQV, the attacker simply has to wait, for instance, until \(\hat{B}\) uses the key to authenticate some value the attacker knows.

  4. Their abstract starts with “HMQV is one of the most efficient (provably secure) authenticated key–exchange protocols based on public–key cryptography, and is widely standardized.” To date, we are not aware of any standardization body which has already adopted the HMQV protocol.

  5. These implementation approaches are not the only ones possible; however, they seem to be common enough in the real world to be considered in the model.

  6. There is no dynamic key registration query in the eCK model [19]; the adversary is only allowed to select dishonest parties before starting its game. Dynamic key registration permits the adversary to select the parties it sets as dishonest after having seen their behaviour; this is an advantage for the adversary, and does not affect the comparability between the seCK and the eCK models.

  7. Given the work [8], Claim 1 from [21] about the formal incomparability between the \(\text {CK}_\text {FHMQV}\) and \(\text {CK}_\text {HMQV}\) models is trivial.

References

  1. Barker, E., Barker, W., Burr, W., Polk, W., Smid, M.: NIST Special Publication 800-57 Recommendation for Key Management - Part 1: General (Revision 3) (see also the draft of Revision 4 at http://tinyurl.com/qdluuqj)

  2. Bellare, M., Neven, G.: Multi-signatures in the plain public-key model and a general forking lemma. In: Proceedings of the 13th ACM Conference on Computer and Communications Security, pp. 390–399. ACM (2006)

  3. Bellare, M., Rogaway, P.: Entity authentication and key distribution. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 232–249. Springer, Heidelberg (1994)

  4. Boyd, C., Cremers, C., Feltz, M., Paterson, K.G., Poettering, B., Stebila, D.: ASICS: authenticated key exchange security incorporating certification systems. In: Crampton, J., Jajodia, S., Mayes, K. (eds.) ESORICS 2013. LNCS, vol. 8134, pp. 381–399. Springer, Heidelberg (2013)

  5. Boyd, C., Cremers, C., Feltz, M., Paterson, K.G., Poettering, B., Stebila, D.: ASICS: authenticated key exchange security incorporating certification systems. Cryptology ePrint Archive, Report 2013/398 (2013)

  6. Canetti, R., Krawczyk, H.: Analysis of key-exchange protocols and their use for building secure channels. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 453–474. Springer, Heidelberg (2001)

  7. Chalkias, K., Baldimtsi, F., Hristu-Varsakelis, D., Stephanides, G.: Two types of key-compromise impersonation attacks against one-pass key establishment protocols. In: Filipe, J., Obaidat, M.S. (eds.) E-business and Telecommunications. Communications in Computer and Information Science, vol. 23, pp. 227–238. Springer, Heidelberg (2009)

  8. Cremers, C.: Examining indistinguishability-based security models for key exchange protocols: the case of CK, CK-HMQV, and eCK. In: Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security, pp. 80–91. ACM (2011)

  9. Cremers, C., Feltz, M.: Beyond eCK: perfect forward secrecy under actor compromise and ephemeral-key reveal. Des. Codes Crypt. 74(1), 183–218 (2013). Springer

  10. Cullinan, J., Hajir, F.: Primes of prescribed congruence class in short intervals. Integers 12, A56 (2012). De Gruyter

  11. Ellison, W., Ellison, F.: Prime Numbers. Wiley and Hermann Editions, New York (1985)

  12. Gopalakrishnan, K., Thériault, N., Yao, C.Z.: Solving discrete logarithms from partial knowledge of the key. In: Srinathan, K., Rangan, C.P., Yung, M. (eds.) INDOCRYPT 2007. LNCS, vol. 4859, pp. 224–237. Springer, Heidelberg (2007)

  13. Gordon, D.M.: Discrete logarithms in GF(P) using the number field sieve. SIAM J. Discrete Math. 6(1), 124–138 (1993). SIAM

  14. Güneysu, T., Pfeiffer, G., Paar, C., Schimmler, M.: Three years of evolution: cryptanalysis with COPACOBANA. In: Workshop Record of Special-Purpose Hardware for Attacking Cryptographic Systems - SHARCS 2009 (2009)

  15. Huq, N.: PoS RAM Scraper Malware: Past, Present, and Future. A Trend Micro Research Paper (2014). http://tinyurl.com/jcwc8wz

  16. Krawczyk, H.: HMQV: a high-performance secure Diffie-Hellman protocol. Cryptology ePrint Archive, Report 2005/176 (2005)

  17. Krawczyk, H.: HMQV in IEEE P1363. Submission to the IEEE P1363 working group. http://tinyurl.com/opjqknd

  18. Kumar, S., Paar, C., Pelzl, J., Pfeiffer, G., Rupp, A., Schimmler, M.: How to break DES for € 8,980. In: International Workshop on Special-Purpose Hardware for Attacking Cryptographic Systems - SHARCS 2006, Cologne, April 2006

  19. LaMacchia, B.A., Lauter, K., Mityagin, A.: Stronger security of authenticated key exchange. In: Susilo, W., Liu, J.K., Mu, Y. (eds.) ProvSec 2007. LNCS, vol. 4784, pp. 1–16. Springer, Heidelberg (2007)

  20. Law, L., Menezes, A., Qu, M., Solinas, J., Vanstone, S.: An efficient protocol for authenticated key agreement. Des. Codes Crypt. 28(2), 119–134 (2003). Springer

  21. Liu, S., Sakurai, K., Weng, J., Zhang, F., Zhao, Y.: Security model and analysis of FHMQV, revisited. In: Lin, D., Xu, S., Yung, M. (eds.) Inscrypt 2013. LNCS, vol. 8567, pp. 255–269. Springer, Heidelberg (2014)

  22. Menezes, A.: Another look at HMQV. J. Math. Cryptology 1(1), 47–64 (2007). De Gruyter

  23. Menezes, A.: Another look at HMQV. Cryptology ePrint Archive, Report 2005/205 (2005)

  24. Menezes, A., Ustaoglu, B.: On the importance of public-key validation in the MQV and HMQV key agreement protocols. In: Barua, R., Lange, T. (eds.) INDOCRYPT 2006. LNCS, vol. 4329, pp. 133–147. Springer, Heidelberg (2006)

  25. Odlyzko, A.M.: Discrete logarithms in finite fields and their cryptographic significance. In: Beth, T., Cot, N., Ingemarsson, I. (eds.) EUROCRYPT 1984. LNCS, vol. 209, pp. 224–314. Springer, Heidelberg (1985)

  26. Sarr, A.P., Elbaz-Vincent, P., Bajard, J.-C.: A secure and efficient authenticated Diffie-Hellman protocol. In: Martinelli, F., Preneel, B. (eds.) EuroPKI 2009. LNCS, vol. 6391, pp. 83–98. Springer, Heidelberg (2010)

  27. Sarr, A.P., Elbaz-Vincent, P., Bajard, J.-C.: A secure and efficient authenticated Diffie-Hellman protocol. Cryptology ePrint Archive, Report 2009/408 (2009)

  28. Sarr, A.P., Elbaz-Vincent, P., Bajard, J.-C.: A new security model for authenticated key agreement. In: Garay, J.A., De Prisco, R. (eds.) SCN 2010. LNCS, vol. 6280, pp. 219–234. Springer, Heidelberg (2010)

  29. Schirokauer, O.: Using number fields to compute logarithms in finite fields. Math. Comput. 69(231), 1267–1283 (2000). AMS

  30. Thomé, E.: Théorie algorithmique des nombres et applications à la cryptanalyse de primitives cryptographiques. Habilitation to conduct research. Université de Lorraine, p. 218 (2012). https://hal.inria.fr/tel-00765982

  31. Trend Labs Security Intelligence Blog: RawPOS Technical Brief, April 2015. http://tinyurl.com/joyazja

  32. VISA Data Security Alert: Debugging Software Memory-Parsing Vulnerability (2008). http://tinyurl.com/joyazja

  33. VISA Data Security Alert: Targeted Hospitality Sector Vulnerabilities (2009). http://tinyurl.com/nnpsl3a

  34. VISA Data Security Alert: Retail Merchants Targeted by Memory-Parsing Malware (2013). http://tinyurl.com/j3duvlg

Author information

Correspondence to Augustin P. Sarr.

Copyright information

© 2016 Springer International Publishing Switzerland

Cite this paper

Sarr, A.P., Elbaz-Vincent, P. (2016). On the Security of the (F)HMQV Protocol. In: Pointcheval, D., Nitaj, A., Rachidi, T. (eds) Progress in Cryptology – AFRICACRYPT 2016. AFRICACRYPT 2016. Lecture Notes in Computer Science, vol 9646. Springer, Cham. https://doi.org/10.1007/978-3-319-31517-1_11

  • DOI: https://doi.org/10.1007/978-3-319-31517-1_11

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-31516-4

  • Online ISBN: 978-3-319-31517-1
