HCR for key negotiation

Nick Mathewson nickm at freehaven.net
Tue May 2 23:36:12 UTC 2006

On Tue, May 02, 2006 at 07:07:56PM -0400, Watson Ladd wrote:
> First some background:
> The NSA's Suit B uses a key negotiation mutual authentication method MQV.
> This method was found to be insecure, and so HMQV was created. HMQV uses a
> signature protocol called HCR twice in one exchange to generate a key. HCR
> can prove identy of one endpoint and negotiate a key in a two message
> exchange with great efficiency for both sides.
> In Tor the current key generation method is quite expensive. Would it be
> possible to change to HCR to improve efficency?

Looks promising; we should see if this is standing in 5 years or so.
For now, however, this doesn't look like a mature protocol to me.  HCR
signatures appear to be introduced in the same paper as HMQV, which
was published in last year's Crypto [1].  A cursory Google search
shows some results (of what importance, I can't say) against HMQV and
HCR, with patches to those protocols in a proposed 'HMQV-1' that isn't
any faster than HMQV [2].

Moreover, it seems likely that HMQV is covered by the same patents as
MQV [3], which I believe are still in force.

In any case, I'd want to see a lot more analysis and research on these
systems before we used them in the real world; just because something
was been published in last year's Crypto doesn't mean it's secure.

[1] http://eprint.iacr.org/2005/176.pdf
[2] http://eprint.iacr.org/2005/205.pdf
[3] http://www.certicom.com/index.php?action=ip,protocol

Nick Mathewson
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 654 bytes
Desc: not available
URL: <http://lists.torproject.org/pipermail/tor-talk/attachments/20060502/39ae0c62/attachment.pgp>

More information about the tor-talk mailing list