One-Pass HMQV and Asymmetric Key-Wrapping
Consider the task of asymmetric key-wrapping, where a key-management server encrypts a cryptographic key under the public key of a client. When used in storage and access-control systems, it is often the case that the server has no knowledge about the client (beyond its public key) and no means of coordinating with it. For example, a wrapped key used to encrypt a backup tape may be needed many years after wrapping, when the server is no longer available, key-wrapping standards have changed, and even the security requirements of the client might have changed. Hence we need a flexible mechanism that seamlessly supports different options depending on what the original server was using and the current standards and requirements.
We show that one-pass HMQV (which we call HOMQV) is a perfect fit for this type of application in terms of security, efficiency and flexibility. It offers server authentication if the server has its own public key, and degenerates to the standardized DHIES encryption scheme if the server does not have a public key. The performance difference between the unauthenticated DHIES and the authenticated HOMQV is minimal (essentially for free for the server and only 1/2 exponentiation for the client). We provide a formal analysis of the protocol’s security showing many desirable properties, such as sender’s forward-secrecy and resilience to compromise of ephemeral data. When a DEM part is added (as needed for key-wrapping), it yields a secure signcryption scheme (equivalently, a UC-secure messaging protocol).
The combination of security, flexibility, and efficiency makes HOMQV a very desirable protocol for asymmetric key wrapping, one that we believe should be incorporated into implementations and standards.
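The sketch below is an added illustration, not code from the paper: it shows the one-pass HMQV key derivation in its usual form (sender computes B^(x+d·a), receiver computes (X·A^d)^b) and how it collapses to a plain Diffie-Hellman KEM, as in DHIES, when the sender has no static key (a = 0, A = 1). The demo group, the hash input encoding, the half-length `d`, the KDF and all function names are assumptions made for this example; the DEM part is omitted, and the paper gives the exact definition.

```python
import hashlib
import secrets

# Demo group (assumption for this example): integers modulo the prime
# 2**255 - 19 with base 2. A deployment uses a prime-order group and
# validates every received group element.
P = 2**255 - 19
G = 2
ORDER = P - 1  # exponents may be reduced modulo P - 1 (Fermat)

def digest(*parts):
    """SHA-256 over length-prefixed parts (encoding chosen for this demo)."""
    h = hashlib.sha256()
    for part in parts:
        data = part if isinstance(part, bytes) else part.to_bytes(32, "big")
        h.update(len(data).to_bytes(2, "big") + data)
    return h.digest()

def keygen():
    """Return (private exponent, public element)."""
    priv = secrets.randbelow(ORDER - 1) + 1
    return priv, pow(G, priv, P)

def half_length_d(X, id_s, id_r):
    # d is truncated to 128 bits, so the receiver's A**d costs about half
    # of a full exponentiation.
    return int.from_bytes(digest(X, id_s, id_r)[:16], "big")

def sender_derive(a, id_s, id_r, B):
    """Sender (wrapping server). a = 0 means 'no static key'. Returns (X, K)."""
    x, X = keygen()                          # ephemeral pair, X is sent
    d = half_length_d(X, id_s, id_r)
    sigma = pow(B, (x + d * a) % ORDER, P)   # one exponentiation, with or without a
    return X, digest(sigma, id_s, id_r, X)

def receiver_derive(b, id_s, id_r, A, X):
    """Receiver (client). A = 1 means the sender is unauthenticated."""
    d = half_length_d(X, id_s, id_r)
    sigma = pow(X * pow(A, d, P) % P, b, P)  # (X * A**d) ** b
    return digest(sigma, id_s, id_r, X)

if __name__ == "__main__":
    a, A = keygen()                          # server static key
    b, B = keygen()                          # client static key
    ids, idr = b"kms-server", b"backup-client"   # constructed identities
    X, K = sender_derive(a, ids, idr, B)
    print("authenticated match:", receiver_derive(b, ids, idr, A, X) == K)
    X0, K0 = sender_derive(0, ids, idr, B)
    print("unauthenticated match:", receiver_derive(b, ids, idr, 1, X0) == K0)
```

In the unauthenticated case the shared value is simply X^b, which is why the client's only added cost for server authentication is the half-length exponentiation A^d.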
Keywords: Replay Attack, Server Authentication, Forward Secrecy, Honest Party, Signcryption Scheme