On the Security of the Standardized MQV Protocol and Its Based Evolution Protocols

Abstract

The MQV is an authenticated key agreement protocol which does not use any one-way hash functions in its block design, and it is standardized in (IEEE, ANSI, and ISO). However, its two-pass form cannot withstand an unknown key share attack. Krawczyk proposed a hashed version of MQV (HMQV) to overcome the attack on MQV, but HMQV is vulnerable to small subgroup attacks. LaMacchia et al presented a strong security definition for authenticated key exchange protocol as extended Canetti-Krawczyk (eCK) to catch new attacks from a strong adversary. Ustaoglu proposed a hashed ephemeral private key with static private key of HMQV (CMQV) to have a security proof in eCK. Sarr et al showed key compromise impersonation and man-in-the-middle attacks on HMQV under revealing a signature of Diffie-Hellman of public keys and proposed fully HMQV (FHMQV) and strengthen MQV (SMQV) to overcome those attacks. In this study, we show the known key security attack on the MQV protocol and its variants (MQV, HMQV, CMQV, FHMQV, eFHMQV and SMQV) protocols, if both ephemeral private keys and the ephemeral session key equation are revealed by an extremely adversary; the extremely adversary is able to obtain the shared static key between two-party participants. As consequence, we show the shared static-key compromise impersonation attack on the MQV protocol and its evolutions protocols. Moreover, we show that the MTI/A(0) key agreement protocol cannot withstand key compromise impersonation attacks against stronger adversary revelation attacks.