MQV Key Agreement

MQV (Menezes-Qu-Vanstone) is an authenticated protocol for key agreement, based on the Diffie-Hellman scheme. Like other authenticated Diffie-Hellman schemes, MQV offers protection against an active attacker. The protocol can be modified so that it works in any finite group, and especially in elliptic curve groups, where it is known as elliptic curve MQV (ECMQV). MQV key agreement is an improvement on the basic Diffie-Hellman protocol, designed to defeat man-in-the-middle attacks. It is named after Menezes, Qu and Vanstone [MQV98]. The original paper is written for elliptic curve cryptography, but the protocol also works with discrete logarithms. Unfortunately, it may be covered by patents.

HMQV is a hashed variant of the MQV key agreement protocol proposed by Krawczyk at CRYPTO 2005. In this article, we present some attacks against HMQV and MQV that are successful if the public keys are not properly validated. In particular, we present an attack against the two-pass HMQV protocol that requires no knowledge of the victim's ephemeral private keys. The attacks highlight the importance of public key validation in Diffie-Hellman key agreement protocols, and also highlight the security dangers of discrete-logarithm protocols whose descriptions do not concretely specify the underlying group.

Some variants of MQV are claimed in patents granted to Certicom [1].

Alice has a key pair $(A, a)$, with $A$ her public key and $a$ her private key, and Bob has the key pair $(B, b)$, with $B$ his public key and $b$ his private key.

The shared secrets $K$ are therefore indeed the same, with $K = h \cdot S_b S_a P$.

The original MQV protocol does not include the user identities of the communicating parties in the key exchange flows. User identities are only included in the subsequent explicit key confirmation process. However, explicit key confirmation is optional in the MQV specification (and in the IEEE P1363 specification). In 2001, Kaliski presented an unknown key-share attack that took advantage of the missing identities in the MQV key exchange protocol [2]. The attack works against implicitly authenticated MQV that does not have explicit key confirmation. In this attack, a user establishes a session key with one user but is tricked into believing that the key is shared with a different user. In 2006, Menezes and Ustaoglu proposed to remedy this attack by including the user identities in the key derivation function at the end of the MQV key exchange [3]. The explicit key confirmation process remains optional.

The remainder of the computation is the multiplication by $\bar{R}_a$ or $\bar{R}_b$. The cost of the multiplication by the cofactor should also be taken into account. However, this cost (multiplication by the cofactor) depends on the size of the group. For cryptosystems based on elliptic curves this cost is negligible, since the cofactor is usually small [2].

HMQV claims to be superior to MQV in performance, since it dispenses with the operations in 2) and 3) above, which are mandatory in MQV. The HMQV paper provides "formal security proofs" to argue that dispensing with these operations is safe. The basic protocol is an attractive solution for several reasons:

$\bar{R}$ has the following meaning.
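The public key validation discussed above, placed in front of the MQV computation that gives both parties $K = h \cdot S_b S_a P$, as an added example that is not from the original page or from the protocol's authors. It goes beyond the elliptic curve case by using the discrete-logarithm form in a subgroup of $\mathbb{Z}_p^*$; the toy parameters, the function names and the standard MQV definition of the truncation `bar` are assumptions that do not appear on the page.

```python
import secrets

# Constructed toy parameters, far too small for real use: safe prime P = 2*Q + 1,
# G = 4 generates the subgroup of prime order Q, cofactor H = (P - 1) // Q = 2.
P, Q, G = 1019, 509, 4
H = (P - 1) // Q
L = (Q.bit_length() + 1) // 2  # half the bit length of Q, rounded up


def validate_public_key(y):
    """Accept only non-identity elements of the order-Q subgroup."""
    if not isinstance(y, int) or not 2 <= y <= P - 2:
        return False              # out of range, or the trivial elements 1 and P-1
    return pow(y, Q, P) == 1      # order check: y must lie in the subgroup


def keypair():
    """Return (private, public) with private in [1, Q-1]."""
    priv = secrets.randbelow(Q - 1) + 1
    return priv, pow(G, priv, P)


def bar(r):
    """MQV truncation (assumed standard definition): low L bits of r, bit L set."""
    return (r % (1 << L)) + (1 << L)


def mqv_shared(static_priv, eph_priv, eph_pub, peer_static, peer_eph):
    """One party's MQV computation; both peer keys are validated first."""
    for key in (peer_static, peer_eph):
        if not validate_public_key(key):
            raise ValueError("peer public key failed validation")
    s = (eph_priv + bar(eph_pub) * static_priv) % Q          # implicit signature S
    base = (peer_eph * pow(peer_static, bar(peer_eph), P)) % P
    return pow(base, H * s, P)                               # G^(H * S_a * S_b)


if __name__ == "__main__":
    a, A = keypair(); x, X = keypair()   # Alice: static and ephemeral
    b, B = keypair(); y, Y = keypair()   # Bob: static and ephemeral
    print("keys agree:", mqv_shared(a, x, X, B, Y) == mqv_shared(b, y, Y, A, X))
    for candidate in (1, P - 1, 2, P):   # constructed invalid inputs
        print(candidate, "accepted:", validate_public_key(candidate))
```

The range check alone lets through elements such as 2, which lies outside the order-Q subgroup; only the exponentiation by Q rejects it.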
