MQV

From Wikipedia, the free encyclopedia

MQV (Menezes–Qu–Vanstone) is an authenticated protocol for key agreement based on the Diffie–Hellman scheme. Like other authenticated Diffie-Hellman schemes, MQV provides protection against an active attacker. The protocol can be modified to work in an arbitrary finite group, and, in particular, elliptic curve groups, where it is known as elliptic curve MQV (ECMQV).

MQV was initially proposed by Menezes, Qu and Vanstone in 1995. It was modified with Law and Solinas in 1998. There are one-, two- and three-pass variants.

MQV is incorporated in the public-key standard IEEE P1363.

Some variants of MQV are claimed in patents assigned to Certicom .

MQV has some weaknesses that were fixed by HMQV in 2005 ; see , , for an alternative viewpoint.

ECMQV has been dropped from the National Security Agency's Suite B set of cryptographic standards.

Both MQV and HMQV have weaknesses, that are fixed in the FHMQV protocol (see )

Description

Alice has a key pair (A,a) with A her public key and a her private key and Bob has the key pair (B,b) with B his public key and b his private key.

In the following ${\bar {R}}$ has the following meaning. Let $R=(x,y)$ be a point on an elliptic curve. Then ${\bar {R}}=(x\,{\bmod \,}2^{L})+2^{L}$ where $L=\left\lceil {\frac {\lfloor \log _{{2}}n\rfloor +1}{2}}\right\rceil$ and n is the order of the used generator point P. So ${\bar {R}}$ are the first L bits of the x coordinate of R.

Step	Operation
1	Alice generates a key pair (X,x) by generating randomly x and calculating X=xP with P a point on an elliptic curve.
2	Bob generates a key pair (Y,y) in the same way as Alice.
3	Now, Alice calculates $S_{a}=x+{\bar {X}}a$ and sends X to Bob.
4	Bob calculates $S_{b}=y+{\bar {Y}}b$ and sends Y to Alice.
5	Alice calculates $K=h\cdot S_{a}(Y+{\bar {Y}}B)$ and Bob calculates $K=h\cdot S_{b}(X+{\bar {X}}A)$ where h is the cofactor (see Elliptic curve cryptography: domain parameters).
6	The communication of secret $K$ was successful. A key for a symmetric-key algorithm can be derived from K.

Note: for the algorithm to be secure some checks have to be performed. See Hankerson et al.

Correctness

Bob calculates: $K=h\cdot S_{b}(X+{\bar {X}}A)=h\cdot S_{b}(xP+{\bar {X}}aP)=h\cdot S_{b}(x+{\bar {X}}a)P=h\cdot S_{b}S_{a}P$ .

Alice calculates: $K=h\cdot S_{a}(Y+{\bar {Y}}B)=h\cdot S_{a}(yP+{\bar {Y}}bP)=h\cdot S_{a}(y+{\bar {Y}}b)P=h\cdot S_{b}S_{a}P$ .

So the keys K are indeed the same with $K=h\cdot S_{b}S_{a}P$

References

Kaliski, B. S., Jr (2001). "An unknown key-share attack on the MQV key agreement protocol". ACM Trans. Inf. Syst. Secur. 4 (3): 275–288. doi:10.1145/501978.501981.
Law, L.; Menezes, A.; Qu, M.; Solinas, J.; Vanstone, S. (2003). "An Efficient Protocol for Authenticated Key Agreement". Des. Codes Cryptography 28 (2): 119–134. doi:10.1023/A:1022595222606.
Leadbitter, P. J.; Smart, N. P. (2003). "Analysis of the Insecurity of ECMQV with Partially Known Nonces". Information Security. 6th International Conference, ISC 2003, Bristol, UK, October 1–3, 2003. Proceedings. Lecture Notes in Computer Science 2851. pp. 240–251. doi:10.1007/10958513_19. ISBN 978-3-540-20176-2.
A. Menezes, M. Qu, and S. Vanstone, Some new key agreement protocols providing implicit authentication, Preproceedings of Workshops on Selected Areas in Cryptography (1995).
Hankerson, D.; Vanstone, S.; Menezes, A. (2004). Guide to Elliptic Curve Cryptography. Springer Professional Computing. New York: Springer. doi:10.1007/b97644. ISBN 0-387-95273-X.

External links

v t e Public-key cryptography

Algorithms	Benaloh Blum–Goldwasser Cayley–Purser CEILIDH Cramer–Shoup Damgård–Jurik DH DSA EPOC ECDH ECDSA EKE ElGamal signature scheme GMR Goldwasser–Micali HFE IES Lamport McEliece Merkle–Hellman MQV Naccache–Stern Naccache–Stern knapsack cryptosystem NTRUEncrypt NTRUSign Paillier Rabin RSA Okamoto–Uchiyama Schnorr Schmidt–Samoa SPEKE SRP STS Three-pass protocol XTR

Theory	Discrete logarithm Elliptic curve cryptography RSA problem

Standardization	CRYPTREC IEEE P1363 NESSIE NSA Suite B

Topics	Digital signature OAEP Fingerprint PKI Web of trust Key size

v t e Cryptography

History of cryptography Cryptanalysis Cryptography portal Outline of cryptography

Symmetric-key algorithm Block cipher Stream cipher Public-key cryptography Cryptographic hash function Message authentication code Random numbers Steganography

This article is issued from Wikipedia. The text is available under the Creative Commons Attribution/Share Alike; additional terms may apply for the media files.

MQV

Description

Correctness

See also

References

External links