About the Security of MTI/C0 and MQV

  • Sébastien Kunz-Jacques
  • David Pointcheval
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4116)


The main application of cryptography is the establishment of secure channels. The most classical way to achieve this goal is the use of variants of the signed Diffie-Hellman protocol, which applies a signature scheme to the flows of the basic Diffie-Hellman key exchange in order to achieve authentication. However, signature-less authenticated key exchange protocols have numerous advantages, notably from the efficiency point of view, and are thus well suited to some constrained environments. On the other hand, this efficiency comes at the cost of some uncertainty about their actual security.

This paper focuses on the two most famous signature-less authenticated key exchange protocols, MTI/C0 and MQV. While the formal security of MTI/C0 has never been studied, results for the plain MQV protocol are still debated. We point out algorithmic assumptions on which some security proofs can be built in the random oracle model. The stress is put on the implementation aspects that must be properly dealt with in order to obtain the expected security.

Some formalizations about authenticated key exchange, and the generic model, are of independent interest.
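The two protocols named in the abstract, worked through as an added example that is not code from the paper: a toy prime-field instantiation of MTI/C0 and of MQV, following the textbook descriptions (the Handbook of Applied Cryptography for the MTI variants, the Menezes-Qu-Vanstone formulation for MQV), which the abstract itself does not spell out. It shows both sides' computations arriving at the same secret, and the one implementation check a practitioner would insist on first: rejecting received values that lie outside the prime-order subgroup. The parameters P, Q, G, the function and variable names, and the identity-binding KDF are all constructed for this illustration; the group is far too small to be secure.

```python
"""Toy MTI/C0 and MQV key agreement over a prime-order subgroup of Z_p^*.

Constructed example (not code from the paper): the group is tiny so that
every value can be checked by hand; it provides no security whatsoever.
Requires Python 3.8+ for pow(x, -1, m).
"""
import hashlib
import secrets

# Constructed toy parameters: p = 2q + 1 with p, q prime and g = 2^2,
# a quadratic residue, hence a generator of the subgroup of prime order q.
P = 1019
Q = 509
G = 4


def validate_element(h: int) -> bool:
    """Public-key / ephemeral validation: accept only elements of the
    order-q subgroup. Without this check a peer can send h = p - 1
    (order 2) or another small-order element and confine the shared
    secret to a handful of values (small-subgroup attack)."""
    return 1 < h < P and pow(h, Q, P) == 1


def keygen() -> tuple:
    """Private exponent in [1, q-1] and its public value g^s mod p."""
    s = secrets.randbelow(Q - 1) + 1
    return s, pow(G, s, P)


# ---- MTI/C0 (Matsumoto-Takashima-Imai, variant C0) ----
# Alice (static a, A = g^a; ephemeral x) sends m_A = B^x, Bob sends m_B = A^y.
# Alice derives m_B^(x * a^-1) = g^(xy); Bob derives m_A^(y * b^-1) = g^(xy).

def mti_c0_send(my_eph: int, peer_static_pub: int) -> int:
    if not validate_element(peer_static_pub):
        raise ValueError("peer static key is not in the prime-order subgroup")
    return pow(peer_static_pub, my_eph, P)


def mti_c0_shared(my_static: int, my_eph: int, peer_msg: int) -> int:
    if not validate_element(peer_msg):
        raise ValueError("received value is not in the prime-order subgroup")
    a_inv = pow(my_static, -1, Q)            # a^-1 mod q
    return pow(peer_msg, (a_inv * my_eph) % Q, P)


# ---- MQV (Menezes-Qu-Vanstone), prime-field form ----
# Both parties exchange ephemerals X = g^x, Y = g^y. With the truncation
# bar(h) = (h mod 2^w) + 2^w, Alice computes s_A = x + bar(X)*a and
# K = (Y * B^bar(Y))^s_A; Bob computes s_B = y + bar(Y)*b and
# K = (X * A^bar(X))^s_B. Both equal g^((x + bar(X)a)(y + bar(Y)b)).

W = (Q.bit_length() + 1) // 2                # w = ceil(|q| / 2)


def mqv_bar(h: int) -> int:
    return (h % (1 << W)) + (1 << W)


def mqv_shared(my_static: int, my_eph: int, my_eph_pub: int,
               peer_static_pub: int, peer_eph_pub: int) -> int:
    if not (validate_element(peer_static_pub) and validate_element(peer_eph_pub)):
        raise ValueError("peer key is not in the prime-order subgroup")
    s = (my_eph + mqv_bar(my_eph_pub) * my_static) % Q
    if s == 0:                               # degenerate implicit signature: abort
        raise ValueError("degenerate exponent")
    t = (peer_eph_pub * pow(peer_static_pub, mqv_bar(peer_eph_pub), P)) % P
    return pow(t, s, P)


def session_key(shared: int, id_a: bytes, id_b: bytes) -> bytes:
    """Derive the session key from the shared secret and both identities.
    Binding the identities is a common hardening added here; the protocols
    themselves only output the shared group element."""
    n = (P.bit_length() + 7) // 8
    return hashlib.sha256(shared.to_bytes(n, "big") + id_a + id_b).digest()


def run_demo() -> dict:
    """Run both protocols between Alice and Bob with fresh keys and return
    each side's shared secret so agreement can be checked."""
    (a, A), (b, B) = keygen(), keygen()      # long-term (static) keys
    (x, X), (y, Y) = keygen(), keygen()      # per-session (ephemeral) keys
    m_a, m_b = mti_c0_send(x, B), mti_c0_send(y, A)
    return {
        "mti_alice": mti_c0_shared(a, x, m_b),
        "mti_bob": mti_c0_shared(b, y, m_a),
        "mqv_alice": mqv_shared(a, x, X, B, Y),
        "mqv_bob": mqv_shared(b, y, Y, A, X),
    }


if __name__ == "__main__":
    r = run_demo()
    print("MTI/C0 agree:", r["mti_alice"] == r["mti_bob"])
    print("MQV agree:   ", r["mqv_alice"] == r["mqv_bob"])
```

The membership test `pow(h, Q, P) == 1` is what makes the cofactor multiplication of real MQV deployments unnecessary here; on a group with a large cofactor, or when the check is skipped for speed, an attacker-chosen small-order element is exactly the kind of implementation detail the abstract warns about.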


Keywords: Key Exchange, MTI, MQV, Diffie-Hellman, Security Proof





Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Sébastien Kunz-Jacques (1, 2)
  • David Pointcheval (1)
  1. École normale supérieure, Paris, France
  2. DCSSI Crypto Lab, Paris 07 SP, France
