MQV (Menezes–Qu–Vanstone) is an authenticated protocol for key agreement based on the Diffie–Hellman scheme. Like other authenticated Diffie-Hellman schemes, MQV provides protection against an active attacker. The protocol can be modified to work in an arbitrary finite group, and, in particular, elliptic curve groups, where it is known as elliptic curve MQV (ECMQV).
MQV is incorporated in the public-key standard IEEE P1363.
Some variants of MQV are claimed in patents assigned to Certicom.
MQV has some weaknesses that were fixed by HMQV in 2005. A few articles offered alternative viewpoints. It is now known that HMQV is vulnerable to a KCI attack when ephemeral public keys are not validated
ECMQV has been dropped from the National Security Agency's Suite B set of cryptographic standards.
Alice has a key pair with her public key and her private key and Bob has the key pair with his public key and his private key.
In the following has the following meaning. Let be a point on an elliptic curve. Then where and is the order of the used generator point . So are the first L bits of the first coordinate of .
|1||Alice generates a key pair by generating randomly and calculating with a point on an elliptic curve.|
|2||Bob generates a key pair in the same way as Alice.|
|3||Now, Alice calculates and sends X to Bob.|
|4||Bob calculates and sends Y to Alice.|
|5||Alice calculates and Bob calculates where h is the cofactor (see Elliptic curve cryptography: domain parameters).|
|6||The communication of secret was successful. A key for a symmetric-key algorithm can be derived from K.|
Note: for the algorithm to be secure some checks have to be performed. See Hankerson et al.
Bob calculates: .
Alice calculates: .
So the keys K are indeed the same with
- Krawczyk, H. (2005). "HMQV: A High-Performance Secure Diffie-Hellman Protocol". Advances in Cryptology – CRYPTO 2005. Lecture Notes in Computer Science. 3621. pp. 546–566. doi:10.1007/11535218_33. ISBN 978-3-540-28114-6.
- Koblitz, Neal (2007). "The Uneasy Relationship Between Mathematics and Cryptography" (PDF). Notices of the AMS. 54 (8): 972–979.
- "Letters to the Editor" (PDF). Notices of the AMS. 54 (11): 1454–1456. 2007.
- Kaliski, B. S., Jr (2001). "An unknown key-share attack on the MQV key agreement protocol". ACM Trans. Inf. Syst. Secur. 4 (3): 275–288. doi:10.1145/501978.501981.
- Law, L.; Menezes, A.; Qu, M.; Solinas, J.; Vanstone, S. (2003). "An Efficient Protocol for Authenticated Key Agreement". Des. Codes Cryptography. 28 (2): 119–134. doi:10.1023/A:1022595222606.
- Leadbitter, P. J.; Smart, N. P. (2003). "Analysis of the Insecurity of ECMQV with Partially Known Nonces". Information Security. 6th International Conference, ISC 2003, Bristol, UK, October 1–3, 2003. Proceedings. Lecture Notes in Computer Science. 2851. pp. 240–251. doi:10.1007/10958513_19. ISBN 978-3-540-20176-2.
- Menezes, Alfred J.; Qu, Minghua; Vanstone, Scott A. (2005). Some new key agreement protocols providing implicit authentication (PDF). 2nd Workshop on Selected Areas in Cryptography (SAC '95). Ottawa, Canada. pp. 22–32.
- Hankerson, D.; Vanstone, S.; Menezes, A. (2004). Guide to Elliptic Curve Cryptography. Springer Professional Computing. New York: Springer. doi:10.1007/b97644. ISBN 0-387-95273-X.
- = On the Security of the (F)HMQV Protocol by Sarr and Elbaz-Vincent =
- A Secure and Efficient Authenticated Diffie–Hellman Protocol by Sarr, Elbaz-Vincent, and Bajard
- HMQV: A High-Performance Secure Diffie–Hellman Protocol by Hugo Krawczyk
- Another look at HMQV
- An Efficient Protocol for Authenticated Key Agreement
- MQV and HMQV in IEEE P1363 (power point)