Eric Rescorla wrote, on July 1: > There's an interesting paper up on eprint now: > http://eprint.iacr.org/2005/205 > > Another look at HMQV > Alfred Menezes ... > In this paper we demonstrate that HMQV is insecure by presenting > realistic attacks in the Canetti-Krawczyk model that recover a > victim's static private key. We propose HMQV-1, a patched > version of HMQV that resists our attacks (but does not have any > performance advantages over MQV). We also identify the fallacies > in the security proof for HMQV, critique the security model, and > raise some questions about the assurances that proofs in this > model can provide. > > Obviously, this is of inherent interest, but it also plays a part > in the ongoing debate about the importance of proof as a technique > for evaluating cryptographic protocols.
I notice that Hugo Krawczyk has now responded by updating his HMQV paper at http://eprint.iacr.org/2005/176. The details are a little complicated; basicaly he agrees with Menezes about some things but disagrees on others. However he then goes on to address the underlying issue, the nature and use of proofs of security. [Krawczyk writes:] "A personal perspective. I would like to thank Alfred Menezes for identifying the oversight in the HCR proof and the need for group membership verification in the one-pass protocol. At the same time, I must strongly disagree with the attempt in  to discredit the effort of the cryptographic community dedicated to improving our understanding and design of protocols. True, we make mistakes (and I do not justify my own); and proofs (even if correct) are never stronger than the model and assumptions they are based on. But with all its imperfection, this form of analysis is an essential tool for gaining confidence in the soundness of a cryptographic design. Moreover, as clearly shown here, the proof process itself serves as a guide in choosing the right design elements. "At a time when we demand the best (almost perfect) security from basic encryption and hash functions, and having witnessed the effects of initially-mild attacks, we can only hope that the applied-cryptography community and its representing standard bodies will see formal analysis as a requirement, and main source of confidence, when adopting protocols for wide use. These analyses can (and must) be verified by the community at large (in contrast, ad-hoc designs do not even provide the 'luxury' of judging well-defined security properties). This is all the more significant in the case of a protocol such as MQV which is not only intended for wide commercial use but also to protect 'classified or mission critical national security information'." [End of Krawczyk comments] The question of the usefulness and value of proof techniques in cryptography will continue to be debated. Hugo Krawczyk is going to present his HMQV technique at Crypto next month, so perhaps there will be additional discussion there. Hal Finney --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]