HCR for key negotiation

Watson Ladd watsonbladd at gmail.com
Wed May 3 17:55:53 UTC 2006

On 5/2/06, Nick Mathewson <nickm at freehaven.net> wrote:
> On Tue, May 02, 2006 at 07:07:56PM -0400, Watson Ladd wrote:
> > First some background:
> > The NSA's Suit B uses a key negotiation mutual authentication method
> MQV.
> > This method was found to be insecure, and so HMQV was created. HMQV uses
> a
> > signature protocol called HCR twice in one exchange to generate a key.
> > can prove identy of one endpoint and negotiate a key in a two message
> > exchange with great efficiency for both sides.
> > In Tor the current key generation method is quite expensive. Would it be
> > possible to change to HCR to improve efficency?
> Looks promising; we should see if this is standing in 5 years or so.

Its been proved equivalent in difficulty to CDH, but some more analysis
would be a good idea.

For now, however, this doesn't look like a mature protocol to me.  HCR
> signatures appear to be introduced in the same paper as HMQV, which
> was published in last year's Crypto [1].  A cursory Google search
> shows some results (of what importance, I can't say) against HMQV and
> HCR, with patches to those protocols in a proposed 'HMQV-1' that isn't
> any faster than HMQV [2].

The NSA doesn't think so, but AES is now showing signs of weakness.

Moreover, it seems likely that HMQV is covered by the same patents as
> MQV [3], which I believe are still in force.

In any case, I'd want to see a lot more analysis and research on these
> systems before we used them in the real world; just because something
> was been published in last year's Crypto doesn't mean it's secure.

Agreed. We don't want another MacGuiffen(proposed in the morning, dead in
the afternoon).

[1] http://eprint.iacr.org/2005/176.pdf
> [2] http://eprint.iacr.org/2005/205.pdf
> [3] http://www.certicom.com/index.php?action=ip,protocol
> yrs,
> --
> Nick Mathewson

"Those who would give up Essential Liberty to purchase a little Temporary
Safety deserve neither  Liberty nor Safety."
-- Benjamin Franklin
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.torproject.org/pipermail/tor-talk/attachments/20060503/3d454af3/attachment.htm>

More information about the tor-talk mailing list