On the Importance of Public-Key Validation in the MQV and HMQV Key Agreement Protocols

  • Alfred Menezes
  • Berkant Ustaoglu
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4329)


HMQV is a hashed variant of the MQV key agreement protocol proposed by Krawczyk at CRYPTO 2005. In this paper, we present some attacks on HMQV and MQV that are successful if public keys are not properly validated. In particular, we present an attack on the two-pass HMQV protocol that does not require knowledge of the victim’s ephemeral private keys. The attacks illustrate the importance of performing some form of public-key validation in Diffie-Hellman key agreement protocols, and furthermore highlight the dangers of relying on security proofs for discrete-logarithm protocols where a concrete representation for the underlying group is not specified.
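As an added example (not from the paper), the full public-key validation that the abstract argues for, written for the secp256k1 curve with the checks mandated by ANSI X9.63 and NIST SP 800-56A: a peer's point is rejected if it is the identity, has out-of-range coordinates, is not on the curve, or does not have order n. The curve constants are the standard secp256k1 parameters; the rejected points are constructed inputs, and the EC arithmetic is a minimal affine implementation written for this example.

```python
# Full public-key validation for an EC Diffie-Hellman peer key (secp256k1).
# Curve y^2 = x^3 + 7 over F_P, generator G of prime order N (cofactor 1).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
A, B = 0, 7
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity (group identity)

def ec_add(p1, p2):
    """Affine point addition; note the formulas never use B, which is exactly
    why a point on a different curve can be 'processed' if not validated."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF                      # P + (-P) = O, also covers y == 0
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = INF
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def validate_public_key(q):
    """Full validation. Returns (ok, reason); run this on every received
    static or ephemeral key before it enters the shared-secret computation."""
    if q is INF:
        return False, "point at infinity"
    x, y = q
    if not (0 <= x < P and 0 <= y < P):
        return False, "coordinate out of range"
    if (y * y - (x ** 3 + A * x + B)) % P != 0:
        return False, "not on curve"        # blocks invalid-curve points
    if ec_mul(N, q) is not INF:
        return False, "wrong order"         # blocks small-subgroup points
    return True, "valid"
```

Because secp256k1 has cofactor 1, the order check only catches points that also fail earlier checks; on curves with a cofactor it is the check that stops small-subgroup inputs.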





Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Alfred Menezes, Department of Combinatorics & Optimization, University of Waterloo
  • Berkant Ustaoglu, Department of Combinatorics & Optimization, University of Waterloo