1 / 6

MQV and HMQV in IEEE P1363

MQV and HMQV in IEEE P1363. William Whyte, Hugo Krawczyk, Alfred Menezes. Background. IEEE Std 1363-2000 includes MQV Also approved in X9.63 and by NIST for use in key exchange Since 1363-2000 issued, HMQV has been proposed Addresses perceived weaknesses in MQV Provides proof of security

shaquana
Download Presentation

MQV and HMQV in IEEE P1363

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. MQV and HMQV in IEEE P1363 William Whyte, Hugo Krawczyk, Alfred Menezes

  2. Background • IEEE Std 1363-2000 includes MQV • Also approved in X9.63 and by NIST for use in key exchange • Since 1363-2000 issued, HMQV has been proposed • Addresses perceived weaknesses in MQV • Provides proof of security • Submitted to P1363 for consideration for inclusion in 1363 revision • Hugo has provided full specification in standards format • Would be as alternative to, not replacement for, MQV • Aim of today • Understand differences between protocols • Begin to discuss criteria for including additional techniques • Down the road • Techniques will be included in standard as result of WG evote.

  3. Technical background • (Thanks to Hugo for original slides) • (Any errors in the editing process are William’s) • Notation: G=<g> of prime order q; g in supergroup G’ (eg. EC, Z*p) • Alice’s PK is A=ga and Bob’s is B=gb

  4. MQV • Exchange ephemeral DH values, X=gx, Y=gy • Calculate • d=LSB(X), e=LSB(Y) • where LSB(X)= 2L + X mod 2L for L=|q|/2 (this is the ½ exponentiation) • Both compute σ=g(x+da)(y+eb) as σ = (YBe)x+da = (XAd)y+eb • Actual computation of σ involves co-factor h=|G’|/q • σ’ = (YBe)x+da = (XAd)y+eb • σ = (σ’)h • Session key is K=KDF(σ)

  5. HMQV • Both compute σ=g(x+da)(y+eb) as σ = (YBe)x+da = (XAd)y+eb • d=H(X,”Bob”) e=H(Y,”Alice”) (here H outputs |q|/2 bits) • Session key K=H(σ) • Differences with MQV • Definition of d, e: binds id’s, randomizes representation • H(σ): integral (and essential) part of the protocol (OW,RO) • “HMQV = Hashed MQV” (note: 2.5 exponentiations)

  6. Claimed differences • HMQV does not require Proof of Possession for public keys because it binds the identity to the calculation using H • HMQV does not require use of co-factor or other test for prime order of ephemeral keys UNLESS ephemeral private keys are more vulnerable to leakage than long-term keys • Cofactor for ECMQV is typically 4; cofactor for DLMQV is large • HMQV has proof of security in RO model

More Related