MQV

From Wikipedia, the free encyclopedia
Jump to: navigation, search

MQV (Menezes–Qu–Vanstone) is an authenticated protocol for key agreement based on the Diffie–Hellman scheme. Like other authenticated Diffie-Hellman schemes, MQV provides protection against an active attacker. The protocol can be modified to work in an arbitrary finite group, and, in particular, elliptic curve groups, where it is known as elliptic curve MQV (ECMQV).

MQV was initially proposed by Menezes, Qu and Vanstone in 1995. It was modified with Law and Solinas in 1998. There are one-, two- and three-pass variants.

MQV is incorporated in the public-key standard IEEE P1363.

Some variants of MQV are claimed in patents assigned to Certicom.[1]

MQV has some weaknesses that were fixed by HMQV in 2005.[2] A few articles[3][4] offered alternative viewpoint.

ECMQV has been dropped from the National Security Agency's Suite B set of cryptographic standards.

Description[edit]

Alice has a key pair (A,a) with A her public key and a her private key and Bob has the key pair (B,b) with B his public key and b his private key.

In the following \bar{R} has the following meaning. Let R = (x,y) be a point on an elliptic curve. Then \bar{R} = (x\, \bmod\, 2^L) + 2^L where L = \left \lceil \frac{\lfloor \log_{2} n \rfloor + 1}{2} \right \rceil and n is the order of the used generator point P. So \bar{R} are the first L bits of the x coordinate of R.

Step Operation
1 Alice generates a key pair (X,x) by generating randomly x and calculating X=xP with P a point on an elliptic curve.
2 Bob generates a key pair (Y,y) in the same way as Alice.
3 Now, Alice calculates S_a = x + \bar{X} a and sends X to Bob.
4 Bob calculates  S_b = y + \bar{Y} b and sends Y to Alice.
5 Alice calculates K = h \cdot S_a (Y + \bar{Y}B) and Bob calculates K = h \cdot S_b (X + \bar{X}A) where h is the cofactor (see Elliptic curve cryptography: domain parameters).
6 The communication of secret K was successful. A key for a symmetric-key algorithm can be derived from K.

Note: for the algorithm to be secure some checks have to be performed. See Hankerson et al.

Correctness[edit]

Bob calculates: K = h \cdot S_b (X + \bar{X}A) = h \cdot S_b (xP + \bar{X}aP) = h \cdot S_b (x + \bar{X}a)P = h \cdot S_b S_a P .

Alice calculates: K = h \cdot S_a (Y + \bar{Y}B) = h \cdot S_a (yP + \bar{Y}bP) = h \cdot S_a (y + \bar{Y}b)P = h \cdot S_b S_a P .

So the keys K are indeed the same with K = h \cdot S_b S_a P

See also[edit]

References[edit]

  1. ^ US patent 8675869, Herbert Anthony Little, Matthew John Campagna, Scott Alexander Vanstone, Daniel Richard L. Brown, "Incorporating data into an ECDSA signature component", issued 2014-3-18 
  2. ^ Krawczyk, H. (2005). "Advances in Cryptology – CRYPTO 2005". Lecture Notes in Computer Science 3621. pp. 546–566. doi:10.1007/11535218_33. ISBN 978-3-540-28114-6.  |chapter= ignored (help)
  3. ^ Koblitz, Neal (2007). "The Uneasy Relationship Between Mathematics and Cryptography". Notices of the AMS 54 (8): 972–979. 
  4. ^ "Letters to the Editor". Notices of the AMS 54 (11): 1454–1456. 2007. 

Bibliography[edit]

External links[edit]