One-Pass HMQV and Asymmetric Key-Wrapping

  • Shai Halevi
  • Hugo Krawczyk
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6571)

Abstract

Consider the task of asymmetric key-wrapping, where a key-management server encrypts a cryptographic key under the public key of a client. When used in storage and access-control systems, it is often the case that the server has no knowledge about the client (beyond its public key) and no means of coordinating with it. For example, a wrapped key used to encrypt a backup tape may be needed many years after wrapping, when the server is no longer available, key-wrapping standards have changed, and even the security requirements of the client might have changed. Hence we need a flexible mechanism that seamlessly supports different options depending on what the original server was using and the current standards and requirements.

We show that one-pass HMQV (which we call HOMQV) is a perfect fit for this type of application in terms of security, efficiency and flexibility. It offers server authentication if the server has its own public key, and degenerates to the standardized DHIES encryption scheme if the server does not. The performance difference between the unauthenticated DHIES and the authenticated HOMQV is minimal (essentially free for the server and only half an exponentiation for the client). We provide a formal analysis of the protocol's security, showing many desirable properties such as sender's forward secrecy and resilience to compromise of ephemeral data. When a DEM part is added (as needed for key-wrapping), it yields a secure signcryption scheme (equivalently, a UC-secure messaging protocol).

The combination of security, flexibility, and efficiency, makes HOMQV a very desirable protocol for asymmetric key wrapping, one that we believe should be incorporated into implementations and standards.
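The one-pass exchange the abstract describes, as an added illustrative example (this is not code from the paper or its authors): the server wraps a key under the client's public key B, sending X = g^x together with a DEM ciphertext; with a server key A = g^a the shared secret is g^{b(x + d·a)} where d = Hbar(X, id_client) is a half-length hash, and with no server key (a = 0, A = 1) it collapses to the DHIES secret g^{xb}. The RFC 3526 2048-bit MODP group, the SHAKE256/HKDF-SHA256 hashing, the one-time-pad-plus-HMAC DEM (standing in for an AES-based DEM because the standard library has no AES) and all identities are assumptions of this example, not details taken from the paper.

```python
import hashlib
import hmac
import secrets

# RFC 3526 2048-bit MODP group (group 14): P is a safe prime and G = 2
# generates the subgroup of prime order Q = (P - 1) / 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D"
    "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"
    "83655D23DCA3AD961C62F356208552BB9ED529077096966D"
    "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9"
    "DE2BCBF6955817183995497CEA956AE515D2261898FA0510"
    "15728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
Q = (P - 1) // 2
G = 2
NBYTES = (P.bit_length() + 7) // 8      # fixed-width encoding of group elements


def _enc(n):
    return n.to_bytes(NBYTES, "big")


def keygen():
    """Static key pair (priv, G^priv) for a client, or optionally for the server."""
    priv = secrets.randbelow(Q - 1) + 1
    return priv, pow(G, priv, P)


def _in_group(y):
    """Reject elements outside the prime-order subgroup (small-subgroup confinement)."""
    return 1 < y < P and pow(y, Q, P) == 1


def _hbar(X, receiver_id):
    """HMQV's truncated hash d = Hbar(X, id_receiver) with about |Q|/2 output bits."""
    nbytes = Q.bit_length() // 16
    return int.from_bytes(hashlib.shake_256(_enc(X) + receiver_id).digest(nbytes), "big")


def _kdf(sigma, X, A, B, sender_id, receiver_id, length):
    """HKDF-SHA256 (extract, then expand) binding DEM keys to sigma and the transcript."""
    prk = hmac.new(b"HOMQV-key-wrap-example", _enc(sigma), hashlib.sha256).digest()
    info = _enc(X) + _enc(A) + _enc(B) + sender_id + b"|" + receiver_id
    out, block, i = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([i]), hashlib.sha256).digest()
        out, i = out + block, i + 1
    return out[:length]


def wrap(key, receiver_pub, receiver_id, sender_priv=0, sender_id=b""):
    """Server (sender) side. sender_priv = 0, i.e. A = 1, is the DHIES case with no server key."""
    if not _in_group(receiver_pub):
        raise ValueError("receiver public key not in the prime-order subgroup")
    x = secrets.randbelow(Q - 1) + 1
    X = pow(G, x, P)
    A = pow(G, sender_priv, P)
    d = _hbar(X, receiver_id)
    s = (x + d * sender_priv) % Q         # single exponentiation B^s: same cost as DHIES's B^x
    sigma = pow(receiver_pub, s, P)
    ks = _kdf(sigma, X, A, receiver_pub, sender_id, receiver_id, len(key) + 32)
    ct = bytes(k ^ m for k, m in zip(ks[:len(key)], key))   # one-time pad from fresh sigma
    tag = hmac.new(ks[len(key):], _enc(X) + ct, hashlib.sha256).digest()
    return X, ct, tag


def unwrap(wrapped, receiver_priv, receiver_id, sender_pub=1, sender_id=b""):
    """Client (receiver) side. sender_pub = 1 means the server had no key (DHIES)."""
    X, ct, tag = wrapped
    if not _in_group(X) or not (sender_pub == 1 or _in_group(sender_pub)):
        raise ValueError("group element check failed")
    B = pow(G, receiver_priv, P)
    d = _hbar(X, receiver_id)
    # (X * A^d)^b: A^d is a half-length exponentiation, the client's only cost over DHIES's X^b
    sigma = pow(X * pow(sender_pub, d, P) % P, receiver_priv, P)
    ks = _kdf(sigma, X, sender_pub, B, sender_id, receiver_id, len(ct) + 32)
    expect = hmac.new(ks[len(ct):], _enc(X) + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("authentication failed: wrong server key, wrong client or tampered blob")
    return bytes(k ^ c for k, c in zip(ks[:len(ct)], ct))


if __name__ == "__main__":
    b, B = keygen()                     # client's long-lived key pair
    a, A = keygen()                     # server's key pair (optional)
    dek = secrets.token_bytes(32)       # constructed sample payload: a data-encryption key
    assert unwrap(wrap(dek, B, b"client-42", a, b"kms-1"), b, b"client-42", A, b"kms-1") == dek
    assert unwrap(wrap(dek, B, b"client-42"), b, b"client-42") == dek   # DHIES degeneration
    print("HOMQV and DHIES-mode round trips OK")
```

A blob wrapped by a keyed server does not verify if the client unwraps it with A = 1 (and vice versa), which is the server authentication the abstract refers to; the group-membership checks on X and A are the practitioner's caveat here, since the half-exponentiation cost figure assumes elements are already known to lie in the prime-order subgroup. In a deployment the one-time-pad-plus-HMAC DEM would be replaced by an AES-based DEM such as AES-GCM or AES key wrap.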


Copyright information

© International Association for Cryptologic Research 2011

Authors and Affiliations

  • Shai Halevi, IBM Research, USA
  • Hugo Krawczyk, IBM Research, USA
