Security model and analysis of fhmqv, Revisited

Shengli Liu, Kouichi Sakurai, Jian Weng, Fangguo Zhang, Yunlei Zhao, Yunlei Zhao

Research output: Chapter in Book/Report/Conference proceedingConference contribution

2 Citations (Scopus)

Abstract

HMQV is one of the most efficient (provably secure) authenticated key-exchange protocols based on public-key cryptography, and is widely standardized. In spite of its seemingly conceptual simplicity, the HMQV protocol was actually very delicately designed. The provable security of HMQV is conducted in the Canetti-Krawczyk framework (CK-framework, in short), which is quite complicated and lengthy with many subtleties actually buried there. However, lacking a full recognition of the precise yet subtle interplay between HMQV protocol structure and provable security can cause misunderstanding of the HMQV design, and can cause potential flawed design and analysis of HMQV protocol variants. In this work, we explicitly make clear the interplay between HMQV protocol structure and provable security, showing the delicate design of HMQV. We then re-examine the security model and analysis of a recently proposed HMQV protocol variant, specifically, the FHMQV protocol proposed by Sarr et al. in [25]. We clarify the relationship between the traditional CK-framework and the CK-FHMQV security model proposed for FHMQV, and show that CK-HMQV and CK-FHMQV are incomparable. Finally, we make a careful investigation of the CDH-based analysis of FHMQV in the CK-FHMQV model, which was considered to be one of the salient advantages of FHMQV. We identify that the CDH-based security analysis of FHMQV is actually flawed. The flaws identified in the security proof of FHMQV just stem from lacking a full realization of the precise yet subtle interplay, as clarified in this work, between HMQV protocol structure and provable security.

Original languageEnglish
Title of host publicationInformation Security and Cryptology - 9th International Conference, Inscrypt 2013, Revised Selected Papers
EditorsMoti Yung, Dongdai Lin, Shouhuai Xu, Moti Yung
PublisherSpringer Verlag
Pages255-269
Number of pages15
ISBN (Electronic)9783319120867
DOIs
Publication statusPublished - Jan 1 2014
Event9th China International Conference on Information Security and Cryptology, Inscrypt 2013 - Guangzhou, China
Duration: Nov 27 2013Nov 30 2013

Publication series

NameLecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume8567
ISSN (Print)0302-9743
ISSN (Electronic)1611-3349

Other

Other9th China International Conference on Information Security and Cryptology, Inscrypt 2013
CountryChina
CityGuangzhou
Period11/27/1311/30/13

Fingerprint

Security Model
Security Analysis
Provable Security
Public key cryptography
Defects
Authenticated Key Exchange
Public Key Cryptography
Security Proof
Simplicity

All Science Journal Classification (ASJC) codes

  • Theoretical Computer Science
  • Computer Science(all)

Cite this

Liu, S., Sakurai, K., Weng, J., Zhang, F., Zhao, Y., & Zhao, Y. (2014). Security model and analysis of fhmqv, Revisited. In M. Yung, D. Lin, S. Xu, & M. Yung (Eds.), Information Security and Cryptology - 9th International Conference, Inscrypt 2013, Revised Selected Papers (pp. 255-269). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 8567). Springer Verlag. https://doi.org/10.1007/978-3-319-12087-4_16

Security model and analysis of fhmqv, Revisited. / Liu, Shengli; Sakurai, Kouichi; Weng, Jian; Zhang, Fangguo; Zhao, Yunlei; Zhao, Yunlei.

Information Security and Cryptology - 9th International Conference, Inscrypt 2013, Revised Selected Papers. ed. / Moti Yung; Dongdai Lin; Shouhuai Xu; Moti Yung. Springer Verlag, 2014. p. 255-269 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 8567).

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Liu, S, Sakurai, K, Weng, J, Zhang, F, Zhao, Y & Zhao, Y 2014, Security model and analysis of fhmqv, Revisited. in M Yung, D Lin, S Xu & M Yung (eds), Information Security and Cryptology - 9th International Conference, Inscrypt 2013, Revised Selected Papers. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 8567, Springer Verlag, pp. 255-269, 9th China International Conference on Information Security and Cryptology, Inscrypt 2013, Guangzhou, China, 11/27/13. https://doi.org/10.1007/978-3-319-12087-4_16
Liu S, Sakurai K, Weng J, Zhang F, Zhao Y, Zhao Y. Security model and analysis of fhmqv, Revisited. In Yung M, Lin D, Xu S, Yung M, editors, Information Security and Cryptology - 9th International Conference, Inscrypt 2013, Revised Selected Papers. Springer Verlag. 2014. p. 255-269. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). https://doi.org/10.1007/978-3-319-12087-4_16
Liu, Shengli ; Sakurai, Kouichi ; Weng, Jian ; Zhang, Fangguo ; Zhao, Yunlei ; Zhao, Yunlei. / Security model and analysis of fhmqv, Revisited. Information Security and Cryptology - 9th International Conference, Inscrypt 2013, Revised Selected Papers. editor / Moti Yung ; Dongdai Lin ; Shouhuai Xu ; Moti Yung. Springer Verlag, 2014. pp. 255-269 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).
@inproceedings{4eeb68761bf941e09e4a3082ddd90fba,
title = "Security model and analysis of fhmqv, Revisited",
abstract = "HMQV is one of the most efficient (provably secure) authenticated key-exchange protocols based on public-key cryptography, and is widely standardized. In spite of its seemingly conceptual simplicity, the HMQV protocol was actually very delicately designed. The provable security of HMQV is conducted in the Canetti-Krawczyk framework (CK-framework, in short), which is quite complicated and lengthy with many subtleties actually buried there. However, lacking a full recognition of the precise yet subtle interplay between HMQV protocol structure and provable security can cause misunderstanding of the HMQV design, and can cause potential flawed design and analysis of HMQV protocol variants. In this work, we explicitly make clear the interplay between HMQV protocol structure and provable security, showing the delicate design of HMQV. We then re-examine the security model and analysis of a recently proposed HMQV protocol variant, specifically, the FHMQV protocol proposed by Sarr et al. in [25]. We clarify the relationship between the traditional CK-framework and the CK-FHMQV security model proposed for FHMQV, and show that CK-HMQV and CK-FHMQV are incomparable. Finally, we make a careful investigation of the CDH-based analysis of FHMQV in the CK-FHMQV model, which was considered to be one of the salient advantages of FHMQV. We identify that the CDH-based security analysis of FHMQV is actually flawed. The flaws identified in the security proof of FHMQV just stem from lacking a full realization of the precise yet subtle interplay, as clarified in this work, between HMQV protocol structure and provable security.",
author = "Shengli Liu and Kouichi Sakurai and Jian Weng and Fangguo Zhang and Yunlei Zhao and Yunlei Zhao",
year = "2014",
month = "1",
day = "1",
doi = "10.1007/978-3-319-12087-4_16",
language = "English",
series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",
publisher = "Springer Verlag",
pages = "255--269",
editor = "Moti Yung and Dongdai Lin and Shouhuai Xu and Moti Yung",
booktitle = "Information Security and Cryptology - 9th International Conference, Inscrypt 2013, Revised Selected Papers",
address = "Germany",

}

TY - GEN

T1 - Security model and analysis of fhmqv, Revisited

AU - Liu, Shengli

AU - Sakurai, Kouichi

AU - Weng, Jian

AU - Zhang, Fangguo

AU - Zhao, Yunlei

AU - Zhao, Yunlei

PY - 2014/1/1

Y1 - 2014/1/1

N2 - HMQV is one of the most efficient (provably secure) authenticated key-exchange protocols based on public-key cryptography, and is widely standardized. In spite of its seemingly conceptual simplicity, the HMQV protocol was actually very delicately designed. The provable security of HMQV is conducted in the Canetti-Krawczyk framework (CK-framework, in short), which is quite complicated and lengthy with many subtleties actually buried there. However, lacking a full recognition of the precise yet subtle interplay between HMQV protocol structure and provable security can cause misunderstanding of the HMQV design, and can cause potential flawed design and analysis of HMQV protocol variants. In this work, we explicitly make clear the interplay between HMQV protocol structure and provable security, showing the delicate design of HMQV. We then re-examine the security model and analysis of a recently proposed HMQV protocol variant, specifically, the FHMQV protocol proposed by Sarr et al. in [25]. We clarify the relationship between the traditional CK-framework and the CK-FHMQV security model proposed for FHMQV, and show that CK-HMQV and CK-FHMQV are incomparable. Finally, we make a careful investigation of the CDH-based analysis of FHMQV in the CK-FHMQV model, which was considered to be one of the salient advantages of FHMQV. We identify that the CDH-based security analysis of FHMQV is actually flawed. The flaws identified in the security proof of FHMQV just stem from lacking a full realization of the precise yet subtle interplay, as clarified in this work, between HMQV protocol structure and provable security.

AB - HMQV is one of the most efficient (provably secure) authenticated key-exchange protocols based on public-key cryptography, and is widely standardized. In spite of its seemingly conceptual simplicity, the HMQV protocol was actually very delicately designed. The provable security of HMQV is conducted in the Canetti-Krawczyk framework (CK-framework, in short), which is quite complicated and lengthy with many subtleties actually buried there. However, lacking a full recognition of the precise yet subtle interplay between HMQV protocol structure and provable security can cause misunderstanding of the HMQV design, and can cause potential flawed design and analysis of HMQV protocol variants. In this work, we explicitly make clear the interplay between HMQV protocol structure and provable security, showing the delicate design of HMQV. We then re-examine the security model and analysis of a recently proposed HMQV protocol variant, specifically, the FHMQV protocol proposed by Sarr et al. in [25]. We clarify the relationship between the traditional CK-framework and the CK-FHMQV security model proposed for FHMQV, and show that CK-HMQV and CK-FHMQV are incomparable. Finally, we make a careful investigation of the CDH-based analysis of FHMQV in the CK-FHMQV model, which was considered to be one of the salient advantages of FHMQV. We identify that the CDH-based security analysis of FHMQV is actually flawed. The flaws identified in the security proof of FHMQV just stem from lacking a full realization of the precise yet subtle interplay, as clarified in this work, between HMQV protocol structure and provable security.

UR - http://www.scopus.com/inward/record.url?scp=84909638553&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84909638553&partnerID=8YFLogxK

U2 - 10.1007/978-3-319-12087-4_16

DO - 10.1007/978-3-319-12087-4_16

M3 - Conference contribution

AN - SCOPUS:84909638553

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 255

EP - 269

BT - Information Security and Cryptology - 9th International Conference, Inscrypt 2013, Revised Selected Papers

A2 - Yung, Moti

A2 - Lin, Dongdai

A2 - Xu, Shouhuai

A2 - Yung, Moti

PB - Springer Verlag

ER -