Eric Rescorla wrote, on July 1:
> There's an interesting paper up on eprint now:
>       Another look at HMQV
>       Alfred Menezes
>       In this paper we demonstrate that HMQV is insecure by presenting
>       realistic attacks in the Canetti-Krawczyk model that recover a
>       victim's static private key. We propose HMQV-1, a patched
>       version of HMQV that resists our attacks (but does not have any
>       performance advantages over MQV). We also identify the fallacies
>       in the security proof for HMQV, critique the security model, and
>       raise some questions about the assurances that proofs in this
>       model can provide.
> Obviously, this is of inherent interest, but it also plays a part
> in the ongoing debate about the importance of proof as a technique
> for evaluating cryptographic protocols.

I notice that Hugo Krawczyk has now responded by updating his HMQV paper
at  The details are a little complicated;
basically he agrees with Menezes about some things but disagrees on others.
However he then goes on to address the underlying issue, the nature and
use of proofs of security.

[Krawczyk writes:]

   "A personal perspective. I would like to thank Alfred Menezes for
   identifying the oversight in the HCR proof and the need for group
   membership verification in the one-pass protocol. At the same time, I
   must strongly disagree with the attempt in [32] to discredit the
   effort of the cryptographic community dedicated to improving our
   understanding and design of protocols. True, we make mistakes (and I
   do not justify my own); and proofs (even if correct) are never
   stronger than the model and assumptions they are based on. But with
   all its imperfection, this form of analysis is an essential tool for
   gaining confidence in the soundness of a cryptographic design.
   Moreover, as clearly shown here, the proof process itself serves as a
   guide in choosing the right design elements.
   "At a time when we demand the best (almost perfect) security from
   basic encryption and hash functions, and having witnessed the effects
   of initially-mild attacks, we can only hope that the
   applied-cryptography community and its representing standard bodies
   will see formal analysis as a requirement, and main source of
   confidence, when adopting protocols for wide use. These analyses can
   (and must) be verified by the community at large (in contrast, ad-hoc
   designs do not even provide the 'luxury' of judging well-defined
   security properties). This is all the more significant in the case of
   a protocol such as MQV which is not only intended for wide commercial
   use but also to protect 'classified or mission critical national
   security information'."

[End of Krawczyk comments]

The question of the usefulness and value of proof techniques in
cryptography will continue to be debated.  Hugo Krawczyk is going to
present his HMQV technique at Crypto next month, so perhaps there will
be additional discussion there.

Hal Finney

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
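Krawczyk's note above concedes "the need for group membership verification in the one-pass protocol". For readers who want to see what that check actually is, here is an added illustration of public-value validation in a finite-field Diffie-Hellman setting. It is example code written for this page, not HMQV, MQV, or anything from the Menezes or Krawczyk papers, and it does not reproduce Menezes's attacks; it only shows the generic reason such a check exists. Assumptions: a constructed toy group with p = 607 and q = 101 (so p - 1 = 2 * 3 * 101 and the group has small subgroups of order 2, 3 and 6), the base 2 for building subgroup elements, and the function names used below. The same check applies to elliptic-curve groups (point on the curve, in the prime-order subgroup).

```python
# Added example: public-value (group membership) validation for a
# Diffie-Hellman-style key agreement. Illustrative code for this page,
# not HMQV, MQV, or code from the papers discussed above.
#
# Constructed demo group (assumption): p = 607 is prime and
# p - 1 = 606 = 2 * 3 * 101, so besides the prime-order-q subgroup
# (q = 101) the multiplicative group mod p also contains small subgroups
# of order 2, 3 and 6. Real deployments use standard large groups.

P = 607
Q = 101
G = pow(2, (P - 1) // Q, P)   # 2^6 = 64, a generator of the order-101 subgroup


def validate_public_value(y: int, p: int = P, q: int = Q) -> bool:
    """Return True only if y is a non-identity element of the order-q subgroup.

    The range check rejects 0, 1, p-1 (the order-2 element) and anything
    outside Z_p; the exponentiation rejects every element whose order is
    not q, e.g. elements of the order-3 subgroup. Because q is prime,
    y^q == 1 with y != 1 means y has order exactly q.
    """
    if not (1 < y < p - 1):
        return False
    return pow(y, q, p) == 1


def shared_secret(peer_public: int, my_private: int, p: int = P, q: int = Q):
    """Checked DH step: refuse to raise an unvalidated value to the static key.

    Returns None when the peer's value fails validation.
    """
    if not validate_public_value(peer_public, p, q):
        return None
    return pow(peer_public, my_private, p)


def small_order_element(order: int, p: int = P) -> int:
    """Return an element of the given small order (dividing p-1), built from base 2.

    For p = 607, order 3 gives 2^202 mod 607 = 396 (396^3 == 1 mod 607).
    Raises if base 2 happens to land on the identity for that order.
    """
    w = pow(2, (p - 1) // order, p)
    if w == 1 or pow(w, order, p) != 1:
        raise ValueError("base 2 does not yield an element of order %d" % order)
    return w


def confinement_set(w: int, p: int = P, q: int = Q) -> set:
    """Values an unchecked responder would produce as w^b over every static key b.

    With w of order 3 the result takes only three values, so an unchecked
    computation reveals b mod 3 to whoever sent w. This is the generic
    reason a group-membership check is required, shown on the toy group.
    """
    return {pow(w, b, p) for b in range(1, q)}


if __name__ == "__main__":
    w = small_order_element(3)
    print("generator", G, "valid:", validate_public_value(G))
    print("order-3 element", w, "valid:", validate_public_value(w))
    print("unchecked secrets from w:", sorted(confinement_set(w)))
    print("checked step with w:", shared_secret(w, 17))
```

Running it shows the generator accepted, the order-3 element rejected, and the unchecked computation collapsing to three possible outputs. On a real group the cost of the check is one exponentiation per received public value (or a cofactor multiplication on curves with a small cofactor), which is the price Krawczyk's patched one-pass protocol pays.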
