
Security Model and Analysis of FHMQV, Revisited

Conference paper. Information Security and Cryptology (Inscrypt 2013).

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 8567)

Abstract

HMQV is one of the most efficient provably secure authenticated key-exchange protocols based on public-key cryptography, and it is widely standardized. Despite its seemingly simple structure, the HMQV protocol was very delicately designed. Its provable security is established in the Canetti-Krawczyk framework (CK-framework, for short), a framework that is complicated and lengthy, with many subtleties buried in it. Without a full appreciation of the precise yet subtle interplay between the HMQV protocol structure and its provable security, the HMQV design is easily misunderstood, and HMQV protocol variants are easily designed and analyzed incorrectly. In this work, we make the interplay between HMQV protocol structure and provable security explicit, showing the delicate design of HMQV. We then re-examine the security model and analysis of a recently proposed HMQV protocol variant, namely the FHMQV protocol proposed by Sarr et al. in [25]. We clarify the relationship between the traditional CK-framework and the CK-FHMQV security model proposed for FHMQV, and show that CK-HMQV and CK-FHMQV are incomparable. Finally, we carefully investigate the CDH-based analysis of FHMQV in the CK-FHMQV model, which was considered one of the salient advantages of FHMQV, and identify that this CDH-based security analysis is actually flawed. The flaws in the security proof of FHMQV stem precisely from a lack of full realization of the subtle interplay, as clarified in this work, between HMQV protocol structure and provable security.

Shengli Liu—Funded by Natural Science Foundation of China (No. 61170229, 61373153), Innovation Project (No.12ZZ021) of Shanghai Municipal Education Commission.

Kouichi Sakurai—Supported by Grant-in-Aid for Scientific Research KAKENHI-No.23650008 from the Japan Society for the Promotion of Science (JSPS).

Jian Weng—Funded by the National Science Foundation of China under Grant Nos. 61272413, 61133014 and 61272415, the Fok Ying Tung Education Foundation under Grant No. 131066, the Program for New Century Excellent Talents in University under Grant No. NCET-12-0680, and the R&D Foundation of Shenzhen Basic Research Project under Grant No. JC201105170617A.

Yunlei Zhao—Contact author, funded by the National Basic Research Program of China (973 Program) No. 2014CB340600, the National Natural Science Foundation of China Grant No. 61070248 and No. 61272012, Innovation Project (No.12ZZ013) of Shanghai Municipal Education Commission, and the Joint Project of SKLOLS. Work partially done during his visit to Sakura-lab of Kyushu Univ., JAPAN, with support from the Invitation Programs for Foreign-based Researchers provided by NICT, JAPAN.


Notes

  1. Actually, FHMQV can be viewed as a variant of a protocol proposed in [28], where \(d=h(\hat{A},A,\hat{B},B,X,Y)\) and \(e=h(d)\).

  2. In a cross-message attack, an adversary \(\mathcal{A}\) concurrently interacts, as the responder, with \(\hat{A}\) (resp., \(\hat{B}\)) in the name of \(\hat{B}\) (resp., \(\hat{A}\)) in two sessions. After receiving \(X\) and \(Y\), respectively, as the first-round messages of the two sessions, it sends \(Y\) (resp., \(X\)) to \(\hat{A}\) (resp., \(\hat{B}\)) as the second-round message of each session. For the basic (H)MQV, the two players then output the same session key in the two sessions, but with role confusion: each believes it is the initiator.
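The role confusion described in this note can be checked concretely. The following is an added example, not code from the paper or from any (H)MQV implementation: it runs the basic HMQV key computation in a constructed toy group (p = 23, q = 11, g = 4, far too small to be secure) with SHA-256 standing in for the hash functions, first in an honest run and then in the cross-message scenario where both \(\hat{A}\) and \(\hat{B}\) act as initiators and the adversary swaps their first messages. The `bound_kdf` variant, which binds the role-ordered identities and messages into the key, is an assumption of this example used only to show why the confusion disappears once the transcript is bound; it is not a countermeasure proposed on this page.

```python
import hashlib

# Constructed toy group for illustration only (far too small to be secure):
# safe prime P = 2*Q + 1 and a generator G of the order-Q subgroup of Z_P^*.
P, Q, G = 23, 11, 4


def hbar(*parts) -> int:
    """Toy H-bar: hash of a message and an identity, reduced to a nonzero exponent mod Q."""
    data = b"|".join(str(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q or 1


def basic_kdf(sigma: int, *_ignored) -> str:
    """Basic (H)MQV key derivation: the session key depends on sigma alone."""
    return hashlib.sha256(str(sigma).encode()).hexdigest()


def bound_kdf(sigma: int, initiator, responder, x_msg, y_msg) -> str:
    """Hypothetical hardened derivation (an assumption of this example): bind the
    role-ordered identities and messages into the key along with sigma."""
    data = "|".join(map(str, (sigma, initiator, responder, x_msg, y_msg))).encode()
    return hashlib.sha256(data).hexdigest()


def initiator_key(me, a, x, X, peer, B, Y, kdf):
    """View of a party that sent X first and received Y from `peer` (public key B):
    d = H̄(X, peer), e = H̄(Y, me), sigma = (Y * B^e)^(x + d*a) mod P."""
    d, e = hbar(X, peer), hbar(Y, me)
    sigma = pow(Y * pow(B, e, P) % P, (x + d * a) % Q, P)
    return kdf(sigma, me, peer, X, Y)


def responder_key(me, b, y, Y, peer, A, X, kdf):
    """View of a party that received X from `peer` (public key A) and replied with Y:
    d = H̄(X, me), e = H̄(Y, peer), sigma = (X * A^d)^(y + e*b) mod P."""
    d, e = hbar(X, me), hbar(Y, peer)
    sigma = pow(X * pow(A, d, P) % P, (y + e * b) % Q, P)
    return kdf(sigma, peer, me, X, Y)


def toy_keys():
    """Constructed long-term secrets a, b and DH exponents x, y for Â and B̂."""
    a, b, x, y = 3, 7, 5, 9
    A, B, X, Y = (pow(G, k, P) for k in (a, b, x, y))
    return a, b, x, y, A, B, X, Y


def honest_run(kdf) -> bool:
    """Â initiates toward B̂, B̂ responds; both must derive the same key."""
    a, b, x, y, A, B, X, Y = toy_keys()
    k_A = initiator_key("A", a, x, X, "B", B, Y, kdf)
    k_B = responder_key("B", b, y, Y, "A", A, X, kdf)
    return k_A == k_B


def cross_message_run(kdf) -> bool:
    """Cross-message scenario: the adversary plays responder to both Â and B̂ in two
    concurrent sessions and forwards each party's first message to the other."""
    a, b, x, y, A, B, X, Y = toy_keys()
    # Session 1: Â initiates toward "B̂"; the adversary answers with Y lifted from session 2.
    k_A = initiator_key("A", a, x, X, "B", B, Y, kdf)
    # Session 2: B̂ initiates toward "Â"; the adversary answers with X lifted from session 1.
    k_B = initiator_key("B", b, y, Y, "A", A, X, kdf)
    # Both parties believe they are the initiator; with the basic derivation the keys coincide.
    return k_A == k_B


if __name__ == "__main__":
    print("honest run, basic kdf: keys agree =", honest_run(basic_kdf))
    print("cross-message, basic kdf: keys agree =", cross_message_run(basic_kdf))
    print("cross-message, bound kdf: keys agree =", cross_message_run(bound_kdf))
```

With `basic_kdf` the two confused sessions agree on the key because \(\sigma\) is symmetric in the two views: \(\hat{B}\)'s "d" equals \(\hat{A}\)'s "e" and vice versa, so both compute \(g^{(x+da)(y+eb)}\). With `bound_kdf` the honest run still agrees, but the two cross-message sessions hash different role-ordered transcripts and therefore diverge.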

  3. For IA-DHKE, this makes sense mainly when the test-session is held by a responder. Consider an attacker that first activates an initiator \(\hat{A}\) to obtain \(X\), and then suspends this session held by \(\hat{A}\) until the test-session \((\hat{B},\hat{A},Y,X)\) run by \(\hat{B}\) has finished. If the session run by \(\hat{A}\) is never completed, the DH-exponent \(x\) can be exposed to the adversary (while \(\hat{A}\) cannot be corrupted, as the test-session is required to be between two uncorrupted players); but if this session is later completed and thus becomes matching to the test-session, \(x\) must remain unexposed for SK-security.

  4. It is clarified in [31] that the provable security of HMQV in this case actually does not allow the leakage of all the pre-computable secret values; for example, the pre-computable value \(y+eb\) or \(x+da\) must not be exposed for HMQV to be provably secure in the CK-framework.

  5. Actually, FHMQV can be viewed as a variant of a protocol proposed in [28], where \(d=h(\hat{A},A,\hat{B},B,X,Y)\) and \(e=h(d)\).

  6. The work of [25] also considers a variant of the eCK model proposed in [17]. In this work, we mainly focus on the CK-FHMQV variant.

  7. According to our investigation, FHMQV might be provable secure under the stronger GDH assumption, with the underlying security proof nevertheless changed significantly. But our result indicates that the CDH-based security proof of FHMQV, claimed in [25] as one of the major security advantages of FHMQV, is indeed flawed.

References

  1. American National Standard (ANSI) X9.42-2001. Public Key Cryptography for the Financial Services Industry: Agreement of Symmetric Keys Using Discrete Logarithm Cryptography
  2. American National Standard (ANSI) X9.42-2001. Public Key Cryptography for the Financial Services Industry: Agreement of Symmetric Keys Using Elliptic Curve Cryptography
  3. Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: ACM Conference on Computer and Communications Security, pp. 62–73 (1993)
  4. Canetti, R.: Security and composition of cryptographic protocols: a tutorial. SIGACT News 37(3,4), 67–92 (2006)
  5. Canetti, R., Krawczyk, H.: Analysis of key-exchange protocols and their use for building secure channels. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 453–474. Springer, Heidelberg (2001). Available also from Cryptology ePrint Archive, Report No. 2001/040
  6. Cremers, C.: Formally and practically relating the CK, CK-HMQV, and eCK security models for authenticated key exchange. Cryptology ePrint Archive, Report 2009/253 (2009). Extended abstract appears in AsiaCCS 2011
  7. Damgård, I.B.: Towards practical public key systems secure against chosen ciphertext attacks. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 445–456. Springer, Heidelberg (1992)
  8. Dierks, T., Allen, C.: The TLS Protocol, Version 1.0. Request for Comments: 2246, January 1999
  9. Diffie, W., Hellman, M.: New directions in cryptography. IEEE Trans. Inf. Theory 22(6), 644–654 (1976)
  10. IEEE 1363-2000: Standard Specifications for Public Key Cryptography
  11. ISO/IEC IS 15946-3. Information Technology - Security Techniques - Cryptographic Techniques Based on Elliptic Curves - Part 3: Key Establishment (2002)
  12. ISO/IEC. Identification Cards Integrated Circuit Cards Programming Interface Part 6: Registration procedures for the authentication protocols for interoperability. Technical report ISO/IEC FDIS 24727-6, International Organization for Standardization, Geneva, Switzerland (2009)
  13. Kaliski, B.: An unknown key-share attack on the MQV key agreement protocol. ACM Trans. Inf. Syst. Secur. (TISSEC) 4(3), 275–288 (2001)
  14. Krawczyk, H.: SIGMA: the ‘SIGn-and-MAc’ approach to authenticated Diffie-Hellman and its use in the IKE protocols. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 400–425. Springer, Heidelberg (2003)
  15. Kaufman, C.: Internet Key Exchange (IKEv2) Protocol. INTERNET-DRAFT, The Internet Engineering Task Force (2002)
  16. Krawczyk, H.: HMQV: a high-performance secure Diffie-Hellman protocol. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 546–566. Springer, Heidelberg (2005)
  17. LaMacchia, B.A., Lauter, K., Mityagin, A.: Stronger security of authenticated key exchange. In: Susilo, W., Liu, J.K., Mu, Y. (eds.) ProvSec 2007. LNCS, vol. 4784, pp. 1–16. Springer, Heidelberg (2007)
  18. Matsumoto, T., Takashima, Y., Imai, H.: On seeking smart public-key distribution systems. Trans. IECE Jpn. E69(2), 99–106 (1986)
  19. Menezes, A., Qu, M., Vanstone, S.: Some new key agreement protocols providing mutual implicit authentication. In: Second Workshop on Selected Areas in Cryptography (SAC’95) (1995)
  20. Menezes, A., Ustaoglu, B.: On the importance of public-key validation in the MQV and HMQV key agreement protocols. In: Barua, R., Lange, T. (eds.) INDOCRYPT 2006. LNCS, vol. 4329, pp. 133–147. Springer, Heidelberg (2006)
  21. NIST Special Publication 800-56 (DRAFT): Recommendation on Key Establishment Schemes. Draft 2, January 2003
  22. NSA’s Elliptic Curve Licensing Agreement. Presentation by Mr. John Stasak (Cryptography Office, National Security Agency) to the IETF’s Security Area Advisory Group, November 2004
  23. Okamoto, T., Pointcheval, D.: The gap-problems: a new class of problems for the security of cryptographic schemes. In: Kim, K. (ed.) PKC 2001. LNCS, vol. 1992, pp. 104–118. Springer, Heidelberg (2001)
  24. Pointcheval, D., Stern, J.: Security arguments for digital signatures and blind signatures. J. Cryptol. 13, 361–396 (2000)
  25. Sarr, A.P., Elbaz-Vincent, P., Bajard, J.-C.: A secure and efficient authenticated Diffie–Hellman protocol. In: Martinelli, F., Preneel, B. (eds.) EuroPKI 2009. LNCS, vol. 6391, pp. 83–98. Springer, Heidelberg (2010)
  26. SP 800-56 (DRAFT), Special Publication 800-56, Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography, National Institute of Standards and Technology, July 2005
  27. Yao, A.C., Zhao, Y.: On-line Efficient, Deniable and Non-Malleable Key-Exchange Methods. Domestic patent (in Chinese), No. 200710047344.8, August 2007
  28. Yao, A.C., Zhao, Y.: Method and Structure for Self-Sealed Joint Proof-of-Knowledge and Diffie-Hellman Key-Exchange Protocols. PCT Patent, August 2008. This is the PCT version of [27], with [27] serving as the priority reference
  29. Yao, A.C., Zhao, Y.: Deniable internet key exchange. In: Zhou, J., Yung, M. (eds.) ACNS 2010. LNCS, vol. 6123, pp. 329–348. Springer, Heidelberg (2010)
  30. Yao, A.C., Zhao, Y.: A New Family of Implicitly Authenticated Diffie-Hellman Protocols. Cryptology ePrint Archive, Report 2011/035
  31. Yao, A.C., Zhao, Y.: OAKE: A new family of implicitly authenticated Diffie-Hellman protocols. ACM CCS (2013, to appear)
  32. Yoneyama, K., Zhao, Y.: Taxonomical security consideration of authenticated key exchange resilient to intermediate computation leakage. In: Boyen, X., Chen, X. (eds.) ProvSec 2011. LNCS, vol. 6980, pp. 348–365. Springer, Heidelberg (2011)


Acknowledgments

We are grateful to the anonymous referees for many helpful suggestions.

Corresponding author

Correspondence to Yunlei Zhao.


Copyright information

© 2014 Springer International Publishing Switzerland

About this paper

Cite this paper

Liu, S., Sakurai, K., Weng, J., Zhang, F., Zhao, Y. (2014). Security Model and Analysis of FHMQV, Revisited. In: Lin, D., Xu, S., Yung, M. (eds) Information Security and Cryptology. Inscrypt 2013. Lecture Notes in Computer Science(), vol 8567. Springer, Cham. https://doi.org/10.1007/978-3-319-12087-4_16


  • DOI: https://doi.org/10.1007/978-3-319-12087-4_16


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-12086-7

  • Online ISBN: 978-3-319-12087-4
