[17624] in cryptography@c2.net mail archive
Re: Menezes on HQMV
daemon@ATHENA.MIT.EDU (Amir Herzberg)
Fri Jul 8 15:24:17 2005
X-Original-To: cryptography@metzdowd.com
Date: Sun, 03 Jul 2005 08:55:18 +0200
From: Amir Herzberg <herzbea@macs.biu.ac.il>
Reply-To: herzbea@macs.biu.ac.il
To: Eric Rescorla <ekr@rtfm.com>
Cc: cryptography@metzdowd.com
In-Reply-To: <20050701161848.5735328503@sierra.rtfm.com>
Eric Rescorla wrote:
> There's an interesting paper up on eprint now:
> http://eprint.iacr.org/2005/205
>
> Another look at HMQV
> Alfred Menezes
...
> In this paper we demonstrate that HMQV is insecure by presenting
> realistic attacks in the Canetti-Krawczyk model that recover a
> victim's static private key. We propose HMQV-1, a patched
> version of HMQV that resists our attacks (but does not have any
> performance advantages over MQV). We also identify the fallacies
> in the security proof for HMQV, critique the security model, and
> raise some questions about the assurances that proofs in this
> model can provide.
>
> Obviously, this is of inherent interest, but it also plays a part
> in the ongoing debate about the importance of proof as a technique
> for evaluating cryptographic protocols.
From which it is easy to draw two contradicting conclusions...
1. Proofs are useless, see how (even) Hugo got a flaw
2. Proofs are very useful, see how the presentation of a supposed-proof
led to improved analysis and realization that more work needs to be done.
I vote for #2. Amir
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com