Designs, Codes and Cryptography, Volume 46, Issue 3, pp 329–342

Obtaining a secure and efficient key agreement protocol from (H)MQV and NAXOS

  • Berkant Ustaoglu


LaMacchia, Lauter and Mityagin recently presented a strong security definition for authenticated key agreement, strengthening the well-known Canetti-Krawczyk definition. They also described a protocol, called NAXOS, that enjoys a simple security proof in the new model. Compared to MQV and HMQV, NAXOS is less efficient and cannot be readily modified to obtain a one-pass protocol. On the other hand, MQV does not have a security proof, and the HMQV security proof is extremely complicated. This paper proposes a new authenticated key agreement protocol, called CMQV (‘Combined’ MQV), which incorporates design principles from MQV, HMQV and NAXOS. The new protocol achieves the efficiency of HMQV and admits a natural one-pass variant. Moreover, we present a relatively simple and intuitive proof that CMQV is secure in the LaMacchia-Lauter-Mityagin model.


Key agreement protocols, MQV, Provable security

AMS Classification






Copyright information

© Springer Science+Business Media, LLC 2007

Authors and Affiliations

  1. University of Waterloo, Waterloo, Canada
