Eric Rescorla wrote, on July 1:
> There's an interesting paper up on eprint now:
> http://eprint.iacr.org/2005/205
>
> Another look at HMQV
> Alfred Menezes
...
> In this paper we demonstrate that HMQV is insecure by presenting
> realistic attacks in the Canetti-Krawczyk model that recover a
> victim's static private key. We propose HMQV-1, a patched
> version of HMQV that resists our attacks (but does not have any
> performance advantages over MQV). We also identify the fallacies
> in the security proof for HMQV, critique the security model, and
> raise some questions about the assurances that proofs in this
> model can provide.
>
> Obviously, this is of inherent interest, but it also plays a part
> in the ongoing debate about the importance of proof as a technique
> for evaluating cryptographic protocols.
I notice that Hugo Krawczyk has now responded by updating his HMQV paper
at http://eprint.iacr.org/2005/176. The details are a little complicated;
basically he agrees with Menezes about some things but disagrees on others.
However he then goes on to address the underlying issue, the nature and
use of proofs of security.
[Krawczyk writes:]
"A personal perspective. I would like to thank Alfred Menezes for
identifying the oversight in the HCR proof and the need for group
membership verification in the one-pass protocol. At the same time, I
must strongly disagree with the attempt in [32] to discredit the
effort of the cryptographic community dedicated to improving our
understanding and design of protocols. True, we make mistakes (and I
do not justify my own); and proofs (even if correct) are never
stronger than the model and assumptions they are based on. But with
all its imperfection, this form of analysis is an essential tool for
gaining confidence in the soundness of a cryptographic design.
Moreover, as clearly shown here, the proof process itself serves as a
guide in choosing the right design elements.
"At a time when we demand the best (almost perfect) security from
basic encryption and hash functions, and having witnessed the effects
of initially-mild attacks, we can only hope that the
applied-cryptography community and its representing standard bodies
will see formal analysis as a requirement, and main source of
confidence, when adopting protocols for wide use. These analyses can
(and must) be verified by the community at large (in contrast, ad-hoc
designs do not even provide the 'luxury' of judging well-defined
security properties). This is all the more significant in the case of
a protocol such as MQV which is not only intended for wide commercial
use but also to protect 'classified or mission critical national
security information'."
[End of Krawczyk comments]
The question of the usefulness and value of proof techniques in
cryptography will continue to be debated. Hugo Krawczyk is going to
present his HMQV technique at Crypto next month, so perhaps there will
be additional discussion there.
Hal Finney
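As an added example (not from this thread or from either paper), here is a toy HMQV-style two-pass exchange in Python with the group membership check that Krawczyk acknowledges is needed; the group parameters, identities and private keys are constructed for illustration, and the hash-to-exponent function is a simplified stand-in for HMQV's truncated hash.

```python
import hashlib

# Constructed toy Schnorr group (p = 2q + 1, q prime, g of order q).
# Real deployments use standardized groups; these values only illustrate the logic.
P, Q, G = 23, 11, 4

def in_subgroup(v: int) -> bool:
    """Public-value validation: v must be a non-identity element of the order-q subgroup."""
    return 1 < v < P and pow(v, Q, P) == 1

def h_exp(*parts) -> int:
    """Hash public values to a non-zero exponent mod q (simplified stand-in for HMQV's H-bar)."""
    data = "|".join(str(x) for x in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q or 1

def hmqv_key(my_static, my_eph, peer_static_pub, peer_eph_pub, my_id, peer_id, initiator):
    """Derive the session key; raise ValueError if a received value fails membership validation."""
    for v in (peer_static_pub, peer_eph_pub):
        if not in_subgroup(v):
            raise ValueError("received value is not in the prime-order subgroup")
    my_eph_pub = pow(G, my_eph, P)
    # Initiator is A (sends X), responder is B (sends Y): d = H(X, idB), e = H(Y, idA).
    X, Y = (my_eph_pub, peer_eph_pub) if initiator else (peer_eph_pub, my_eph_pub)
    id_a, id_b = (my_id, peer_id) if initiator else (peer_id, my_id)
    d, e = h_exp(X, id_b), h_exp(Y, id_a)
    my_coeff, peer_coeff = (d, e) if initiator else (e, d)
    s = (my_eph + my_coeff * my_static) % Q
    # sigma = (peer_eph * peer_static^coeff)^(my_eph + coeff*my_static); both sides get g^((x+da)(y+eb)).
    sigma = pow(peer_eph_pub * pow(peer_static_pub, peer_coeff, P) % P, s, P)
    return hashlib.sha256(str(sigma).encode()).hexdigest()

def demo_keys_agree() -> bool:
    a, b = 3, 7   # constructed static private keys (Alice, Bob)
    x, y = 5, 9   # constructed ephemeral private keys
    A, B = pow(G, a, P), pow(G, b, P)
    X, Y = pow(G, x, P), pow(G, y, P)
    k_alice = hmqv_key(a, x, B, Y, "alice", "bob", True)
    k_bob = hmqv_key(b, y, A, X, "bob", "alice", False)
    return k_alice == k_bob

def rejects_peer_value(v: int) -> bool:
    """True if the derivation refuses a peer ephemeral value v (e.g. the order-2 element p-1)."""
    try:
        hmqv_key(3, 5, pow(G, 7, P), v, "alice", "bob", True)
    except ValueError:
        return True
    return False
```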
The Cryptography Mailing List