HMQV: A High-Performance Secure Diffie-Hellman Protocol

(Extended Abstract)

Hugo Krawczyk

Part of the Lecture Notes in Computer Science book series (LNCS, volume 3621)


The MQV protocol of Law, Menezes, Qu, Solinas and Vanstone is possibly the most efficient of all known authenticated Diffie-Hellman protocols that use public-key authentication. In addition to great performance, the protocol has been designed to achieve a remarkable list of security properties. As a result, MQV has been widely standardized, and has recently been chosen by the NSA as the key exchange mechanism underlying “the next generation cryptography to protect US government information”.

One question that has not been settled so far is whether the protocol can be proven secure in a rigorous model of key-exchange security. In order to provide an answer to this question we analyze the MQV protocol in the Canetti-Krawczyk model of key exchange. Unfortunately, we show that MQV is vulnerable to a variety of attacks in this model that invalidate its basic security as well as many of its stated security goals. On the basis of these findings, we present HMQV, a carefully designed variant of MQV, that provides the same superb performance and functionality as the original protocol but for which all of MQV’s security goals can be formally proved to hold in the random oracle model under the computational Diffie-Hellman assumption.

We base the design and proof of HMQV on a new form of “challenge-response signatures”, derived from the Schnorr identification scheme, that have the property that both the challenger and signer can compute the same signature; the former by having chosen the challenge and the latter by knowing the private signature key.
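The following is an added worked example, not code from the paper or from any HMQV implementation. It models the "challenge-response signature" idea described above: the challenger, who chose the challenge Y = g^y, and the signer, who knows the private key a, both arrive at the same value, the signer via the exponent x + d·a and the challenger via its secret y. It then shows how two such computations, one per party, yield the HMQV shared secret. The concrete formulas (σ = (Y·B^e)^(x+d·a) on one side and (X·A^d)^(y+e·b) on the other, with d, e hashes of an ephemeral value and a peer identity) are my reconstruction of the full paper's scheme, which this abstract page does not spell out; the 64-bit toy group, SHA-256 as the hash, full reduction of the hash mod q (the paper truncates to half the length of q), the identity encoding and the name `hash_to_exp` are all assumptions made for a runnable demo and are not secure parameters.

```python
import hashlib
import random

# First 12 primes: deterministic Miller-Rabin bases, sufficient for n < 3.3e24.
MR_BASES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]


def is_probable_prime(n):
    """Deterministic Miller-Rabin (valid for n < 3.3e24) with the bases above."""
    if n < 2:
        return False
    for pr in MR_BASES:
        if n % pr == 0:
            return n == pr
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def make_group(bits=64, seed=1):
    """Toy safe-prime group p = 2q+1 (assumption: far too small for real use).
    Returns (p, q, g) where g = 4 = 2^2 is a square and so has order q."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        p = 2 * q + 1
        if is_probable_prime(q) and is_probable_prime(p):
            return p, q, 4


def check_element(p, q, X):
    """Public-value validation: reject values outside the order-q subgroup."""
    return 1 < X < p and pow(X, q, p) == 1


def hash_to_exp(q, *parts):
    """Assumed H-bar: length-prefixed SHA-256 of the parts, reduced mod q."""
    h = hashlib.sha256()
    for part in parts:
        b = part if isinstance(part, bytes) else part.to_bytes(32, "big")
        h.update(len(b).to_bytes(2, "big") + b)
    return int.from_bytes(h.digest(), "big") % q


def xcr_sign(group, a, Y, msg, rng):
    """Signer side: static key a (A = g^a), challenge Y = g^y from the challenger.
    Picks ephemeral x, X = g^x and returns (X, Y^(x + d*a)) with d = H(X, msg)."""
    p, q, g = group
    x = rng.randrange(1, q)
    X = pow(g, x, p)
    d = hash_to_exp(q, X, msg)
    return X, pow(Y, (x + d * a) % q, p)


def xcr_challenger_value(group, y, A, X, msg):
    """Challenger side: recompute the same value as (X * A^d)^y, knowing y but not a."""
    p, q, g = group
    d = hash_to_exp(q, X, msg)
    return pow(X * pow(A, d, p) % p, y, p)


def hmqv_key(group, my_id, peer_id, my_static, my_eph, my_eph_pub, peer_static_pub, peer_eph_pub):
    """Reconstructed HMQV shared-secret derivation, written symmetrically so the
    same function serves both parties: sigma = (Y * B^e)^(x + d*a) where
    d = H(own ephemeral, peer id) and e = H(peer ephemeral, own id)."""
    p, q, g = group
    if not (check_element(p, q, peer_static_pub) and check_element(p, q, peer_eph_pub)):
        raise ValueError("peer value outside the prime-order subgroup")
    d_me = hash_to_exp(q, my_eph_pub, peer_id)
    d_peer = hash_to_exp(q, peer_eph_pub, my_id)
    base = peer_eph_pub * pow(peer_static_pub, d_peer, p) % p
    sigma = pow(base, (my_eph + d_me * my_static) % q, p)
    return hashlib.sha256(sigma.to_bytes(32, "big")).digest()


def demo(seed=7):
    """Run one XCR exchange and one HMQV exchange with constructed keys."""
    group = make_group(64, seed=1)
    p, q, g = group
    rng = random.Random(seed)
    a, b = rng.randrange(1, q), rng.randrange(1, q)      # static keys (constructed)
    A, B = pow(g, a, p), pow(g, b, p)
    id_a, id_b = b"alice", b"bob"
    # XCR: Bob challenges with Y, Alice signs msg; both compute the same value.
    y = rng.randrange(1, q)
    Y = pow(g, y, p)
    msg = b"challenge-response demo"
    X, sig = xcr_sign(group, a, Y, msg, rng)
    xcr_match = check_element(p, q, X) and xcr_challenger_value(group, y, A, X, msg) == sig
    # HMQV: fresh ephemerals; each side uses only its own secrets.
    x2, y2 = rng.randrange(1, q), rng.randrange(1, q)
    X2, Y2 = pow(g, x2, p), pow(g, y2, p)
    K_A = hmqv_key(group, id_a, id_b, a, x2, X2, B, Y2)
    K_B = hmqv_key(group, id_b, id_a, b, y2, Y2, A, X2)
    K_wrong = hmqv_key(group, id_b, id_a, (b + 1) % q, y2, Y2, A, X2)  # wrong static key
    return dict(group=group, A=A, y=y, X=X, sig=sig, msg=msg, xcr_match=xcr_match,
                hmqv_match=(K_A == K_B), wrong_key_differs=(K_wrong != K_A))


if __name__ == "__main__":
    print(demo())
```

The `check_element` step is the practitioner's caveat: a party that skips subgroup validation of the peer's static and ephemeral values is exposing its own exponent to small-subgroup confinement, so the derivation refuses to proceed on values outside the order-q subgroup.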





Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

Hugo Krawczyk, IBM T.J. Watson Research Center, Yorktown Heights, USA
