1 MQV and HMQV in IEEE P1363 William Whyte, Hugo Krawczyk, Alfred Menezes

2 Background IEEE Std includes MQV –Also approved in X9.63 and by NIST for use in key exchange Since issued, HMQV has been proposed –Addresses perceived weaknesses in MQV –Provides proof of security –Submitted to P1363 for consideration for inclusion in 1363 revision Hugo has provided full specification in standards format Would be as alternative to, not replacement for, MQV Aim of today –Understand differences between protocols –Begin to discuss criteria for including additional techniques Down the road –Techniques will be included in standard as result of WG evote.

3 Technical background (Thanks to Hugo for original slides) –(Any errors in the editing process are Williams) Notation: G= of prime order q; g in supergroup G (eg. EC, Z* p ) Alices PK is A=g a and Bobs is B=g b

4 MQV Exchange ephemeral DH values, X=g x, Y=g y Calculate –d=LSB(X), e=LSB(Y) –where LSB(X)= 2L + X mod 2L for L=|q|/2 (this is the ½ exponentiation) Both compute σ=g (x+da)(y+eb) as σ = (YB e ) x+da = (XA d ) y+eb –Actual computation of σ involves co-factor h=|G|/q σ = (YB e ) x+da = (XA d ) y+eb σ = (σ) h Session key is K=KDF(σ)

5 HMQV Both compute σ=g (x+da)(y+eb) as σ = (YB e ) x+da = (XA d ) y+eb –d=H(X,Bob) e=H(Y,Alice) (here H outputs |q|/2 bits) Session key K=H(σ) Differences with MQV –Definition of d, e: binds ids, randomizes representation –H(σ): integral (and essential) part of the protocol (OW,RO) HMQV = Hashed MQV (note: 2.5 exponentiations)

6 Claimed differences HMQV does not require Proof of Possession for public keys because it binds the identity to the calculation using H HMQV does not require use of co-factor or other test for prime order of ephemeral keys UNLESS ephemeral private keys are more vulnerable to leakage than long-term keys –Cofactor for ECMQV is typically 4; cofactor for DLMQV is large HMQV has proof of security in RO model