Menezes on Krawczyk on MQV

A recent paper by Menezes on eprint under the innocuous title of "Another Look at HMQV" hides a fairly brutal cryptographic smackdown:
HMQV is a `hashed variant' of the MQV [Menezes, Qu, Vanstone -- EKR] key agreement protocol. It was recently introduced by Krawczyk, who claimed that HMQV has very significant advantages over MQV: (i) a security proof under reasonable assumptions in the (extended) Canetti-Krawczyk model for key exchange; and (ii) superior performance in some situations.

In this paper we demonstrate that HMQV is insecure by presenting realistic attacks in the Canetti-Krawczyk model that recover a victim's static private key. We propose HMQV-1, a patched version of HMQV that resists our attacks (but does not have any performance advantages over MQV). We also identify the fallacies in the security proof for HMQV, critique the security model, and raise some questions about the assurances that proofs in this model can provide.

You'll want to remember this one next time someone tries to tell you you should throw away your perfectly good protocol and replace it with something that's "provably secure".

Not only does Menezes (the M of MQV) show that Krawczyk's "improvement" on MQV has serious problems, he argues that Krawczyk's critique of MQV that led him to make the changes was fatally flawed: "We conclude that the analysis performed in [Krawczyk] did not uncover any new weaknesses in MQV."

However Hugo Krawczyk is a very smart guy and I expect that we have not heard the last of this issue.

An addendum, I just noticed that Hugo Krawczyk is scheduled to present his HMQV at the Crypto 05 conference in Santa Barbara next month. That should be a good opportunity to hear his response to Menezes, unless he's just going to stand up and say "never mind".

On further investigation I find that Krawczyk has already responded to Menezes by modifying his HMQV paper on the IACR eprint archive at The details are a little complicated, basically he agrees with Menezes about some things but disagrees on others. However he then goes on to address the real issue, the nature and use of proofs of security:

"A personal perspective. I would like to thank Alfred Menezes for identifying the oversight in the HCR proof and the need for group membership verification in the one-pass protocol. At the same time, I must strongly disagree with the attempt in [32] to discredit the effort of the cryptographic community dedicated to improving our understanding and design of protocols. True, we make mistakes (and I do not justify my own); and proofs (even if correct) are never stronger than the model and assumptions they are based on. But with all its imperfection, this form of analysis is an essential tool for gaining confidence in the soundness of a cryptographic design. Moreover, as clearly shown here, the proof process itself serves as a guide in choosing the right design elements.

"At a time when we demand the best (almost perfect) security from basic encryption and hash functions, and having witnessed the effects of initially-mild attacks, we can only hope that the applied-cryptography community and its representing standard bodies will see formal analysis as a requirement, and main source of confidence, when adopting protocols for wide use. These analyses can (and must) be verified by the community at large (in contrast, ad-hoc designs do not even provide the “luxury” of judging well-defined security properties). This is all the more significant in the case of a protocol such as MQV which is not only intended for wide commercial use but also to protect 'classified or mission critical national security information'."
