A New Key Exchange Protocol Based on MQV Assuming Public Computations

  • Sébastien Kunz-Jacques
  • David Pointcheval
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4116)


Designing authenticated key exchange algorithms is a problem well understood in cryptography: there are established security models, and proposals proved secure in these models. However, the models currently used assume that an honest entity involved in a key exchange is trusted as a whole. In many practical contexts, the entity is divided into an authentication device, which stores a private key and has low computing power, and a computing device, which performs part of the computations required by protocol runs. The computing device might be a PC connected to the Internet, and the authenticating device a smart card. In that case, as in many others, a compromise of the computing device is to be expected. We therefore propose a variant of the MQV and HMQV key exchange protocols that is secure in that context, unlike the original protocols. The security claim is supported by a proof in a model derived from the Canetti-Krawczyk one, which takes into account more general rogue behaviours of the computing device.







Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Sébastien Kunz-Jacques (1, 2)
  • David Pointcheval (1)

  1. École normale supérieure, Paris, France
  2. DCSSI Crypto Lab, Paris 07 SP, France
