Menezes–Qu–Vanstone

Public-key exchange protocol

MQV (Menezes–Qu–Vanstone) is an authenticated protocol for key agreement based on the Diffie–Hellman scheme. Like other authenticated Diffie–Hellman schemes, MQV provides protection against an active attacker. The protocol can be modified to work in an arbitrary finite group and, in particular, in elliptic curve groups, where it is known as elliptic curve MQV (ECMQV).

MQV was initially proposed by Alfred Menezes, Minghua Qu and Scott Vanstone in 1995. It was later modified in joint work with Laurie Law and Jerry Solinas. There are one-, two- and three-pass variants.

MQV is incorporated in the public-key standard IEEE P1363 and in NIST's SP800-56A standard.

Some variants of MQV are claimed in patents assigned to Certicom.

ECMQV has been dropped from the National Security Agency's Suite B set of cryptographic standards.

Description

Alice has a key pair $(A, a)$ with $A$ her public key and $a$ her private key, and Bob has the key pair $(B, b)$ with $B$ his public key and $b$ his private key.

In the following, $\bar{R}$ has the following meaning. Let $R = (x, y)$ be a point on an elliptic curve. Then $\bar{R} = (x \bmod 2^L) + 2^L$, where $L = \left\lceil \frac{\lceil \log_2 n \rceil}{2} \right\rceil$ and $n$ is the order of the used generator point $P$. So $\bar{R}$ is determined by the $L$ lowest bits of the first coordinate of $R$.

Step 1. Alice generates a key pair $(X, x)$ by choosing $x$ at random and calculating $X = xP$, with $P$ a point on the elliptic curve.
Step 2. Bob generates a key pair $(Y, y)$ in the same way as Alice.
Step 3. Now Alice calculates $S_a = x + \bar{X} a \pmod n$ and sends $X$ to Bob.
Step 4. Bob calculates $S_b = y + \bar{Y} b \pmod n$ and sends $Y$ to Alice.
Step 5. Alice calculates $K = h \cdot S_a (Y + \bar{Y} B)$ and Bob calculates $K = h \cdot S_b (X + \bar{X} A)$, where $h$ is the cofactor (see Elliptic curve cryptography: domain parameters).
Step 6. The communication of the secret $K$ was successful: both parties now hold the same $K$. A key for a symmetric-key algorithm can be derived from $K$.

Note: for the algorithm to be secure some checks have to be performed. See Hankerson et al.

Correctness

Bob calculates:

$$K = h \cdot S_b (X + \bar{X} A) = h \cdot S_b (xP + \bar{X} aP) = h \cdot S_b (x + \bar{X} a) P = h \cdot S_b S_a P$$

Alice calculates:

$$K = h \cdot S_a (Y + \bar{Y} B) = h \cdot S_a (yP + \bar{Y} bP) = h \cdot S_a (y + \bar{Y} b) P = h \cdot S_b S_a P$$

So the shared secrets $K$ are indeed the same, with $K = h \cdot S_b S_a P$.

MQV vs HMQV

The original MQV protocol does not include the user identities of the communicating parties in the key exchange flows. User identities are only included in the subsequent explicit key confirmation process. However, explicit key confirmation is optional in MQV (and in the IEEE P1363 specification). In 2001, Kaliski presented an unknown key-share attack that exploited the missing identities in the MQV key exchange protocol. The attack works against implicitly authenticated MQV that does not have explicit key confirmation. In this attack, the user establishes a session key with another user but is tricked into believing that he shares the key with a different user. In 2006, Menezes and Ustaoglu proposed to address this attack by including the user identities in the key derivation function at the end of the MQV key exchange. The explicit key confirmation process remains optional.

In 2005, Krawczyk proposed a hash variant of MQV, called HMQV. The HMQV protocol was designed to address Kaliski's attack (without mandating explicit key confirmation), with the additional goals of achieving provable security and better efficiency. HMQV made three changes to MQV:

1. Including the user identities in the key exchange flows: more specifically, letting $\bar{X} = H(X, B)$ and $\bar{Y} = H(Y, A)$, where $A$ and $B$ are the identities of Alice and Bob respectively.
2. Removing the mandatory requirement in MQV that a certificate authority (CA) must verify the proof-of-possession of the user's private key during public key registration. In HMQV, the CA merely needs to check that the submitted public key is not 0 or 1.
3. Removing the mandatory requirement in MQV that a user must verify whether the received ephemeral public key is a valid public key (known as public key validation). In HMQV, a user merely needs to check that the received ephemeral public key is not 0 or 1.

HMQV claims to be superior to MQV in performance because it dispenses with the operations in 2) and 3) above, which are mandatory in MQV. The HMQV paper provides "formal security proofs" to support the claim that dispensing with these operations is safe.

In 2005, Menezes first presented a small subgroup confinement attack against HMQV. This attack exploits precisely the omission of the public key validations in 2) and 3). It shows that, when engaged with an active attacker, the HMQV protocol leaks information about the user's long-term private key, and, depending on the underlying cryptographic group setting, the entire private key may be recovered by the attacker. Menezes proposed to address this attack by at least mandating the public key validations in 2) and 3).

In 2006, in response to Menezes's attack, Krawczyk revised HMQV in the submission to IEEE P1363 (included in the IEEE P1363 D1-pre draft). However, instead of validating the long-term and ephemeral public keys in 2) and 3) respectively as two separate operations, Krawczyk proposed to validate them together in one combined operation during the key exchange process. This would save cost. With the combined public key validation in place, Menezes's attack would be prevented. The revised HMQV could still claim to be more efficient than MQV.

In 2010, Hao presented two attacks on the revised HMQV (as specified in the IEEE P1363 D1-pre draft). The first attack exploits the fact that HMQV allows any data string other than 0 and 1 to be registered as a long-term public key. Hence, a small subgroup element is allowed to be registered as a "public key". With the knowledge of this "public key", a user is able to pass all verification steps in HMQV and is fully "authenticated" in the end. This contradicts the common understanding that "authentication" in an authenticated key exchange protocol is defined in terms of proving knowledge of a private key. In this case, the user is "authenticated" without having a private key (in fact, the private key does not exist). This issue is not applicable to MQV. The second attack exploits the self-communication mode, which is explicitly supported in HMQV to allow a user to communicate with himself using the same public key certificate. In this mode, HMQV is shown to be vulnerable to an unknown key-share attack. To address the first attack, Hao proposed to perform the public key validations in 2) and 3) separately, as initially suggested by Menezes. However, this change would diminish the efficiency advantages of HMQV over MQV. To address the second attack, Hao proposed to include additional identities to distinguish copies of self, or to disable the self-communication mode.

Hao's two attacks were discussed by members of the IEEE P1363 working group in 2010. However, there was no consensus on how HMQV should be revised. As a result, the HMQV specification in the IEEE P1363 D1-pre draft was unchanged, but the standardisation of HMQV in IEEE P1363 has stopped progressing since.
815:
791:
789:
788:
783:
771:
769:
768:
763:
751:
749:
748:
743:
738:
737:
729:
717:
716:
692:
690:
689:
684:
652:
650:
649:
644:
632:
630:
629:
624:
604:and calculating
603:
601:
600:
595:
583:
581:
580:
575:
538:
537:
534:
532:
531:
526:
510:
508:
507:
502:
500:
499:
491:
481:
479:
478:
473:
461:
459:
458:
453:
441:
439:
438:
433:
431:
427:
422:
412:
411:
398:
379:
377:
376:
371:
369:
368:
353:
352:
343:
342:
325:
324:
316:
306:
304:
303:
298:
268:
266:
265:
260:
258:
257:
249:
236:
234:
233:
228:
216:
214:
213:
208:
196:
194:
193:
188:
164:
162:
161:
156:
144:
142:
141:
136:
124:
122:
121:
116:
3260:
3259:
3255:
3254:
3253:
3251:
3250:
3249:
3230:
3229:
3228:
3219:
3201:
3130:
2871:
2866:
2825:
2769:
2733:Standardization
2728:
2683:
2666:
2615:
2563:Lattice/SVP/CVP
2557:
2438:
2384:Blum–Goldwasser
2358:
2353:
2293:
2275:
2256:10.1.1.331.1248
2233:Hankerson, D.;
2221:
2208:
2105:
2100:
2099:
2087:
2083:
2038:
2034:
2027:
2001:
1997:
1990:
1960:
1956:
1917:
1913:
1901:
1899:
1890:
1889:
1882:
1880:
1864:
1860:
1819:
1815:
1810:
1798:
1741:
1738:
1737:
1721:
1718:
1717:
1674:
1673:
1671:
1668:
1667:
1624:
1623:
1621:
1618:
1617:
1600:
1576:
1572:
1566:
1562:
1548:
1545:
1544:
1528:
1525:
1524:
1502:
1498:
1492:
1488:
1459:
1458:
1443:
1439:
1410:
1409:
1391:
1387:
1361:
1360:
1345:
1341:
1327:
1324:
1323:
1301:
1297:
1291:
1287:
1258:
1257:
1242:
1238:
1209:
1208:
1190:
1186:
1160:
1159:
1144:
1140:
1126:
1123:
1122:
1119:
1092:
1089:
1088:
1068:
1065:
1064:
1036:
1033:
1032:
1004:
1003:
988:
984:
970:
967:
966:
938:
937:
922:
918:
904:
901:
900:
876:
873:
872:
856:
853:
852:
827:
826:
811:
807:
805:
802:
801:
800:Bob calculates
777:
774:
773:
757:
754:
753:
728:
727:
712:
708:
706:
703:
702:
666:
663:
662:
638:
635:
634:
609:
606:
605:
589:
586:
585:
557:
554:
553:
520:
517:
516:
490:
489:
487:
484:
483:
467:
464:
463:
447:
444:
443:
407:
403:
399:
397:
393:
385:
382:
381:
364:
360:
348:
344:
340:
336:
315:
314:
312:
309:
308:
274:
271:
270:
248:
247:
245:
242:
241:
222:
219:
218:
202:
199:
198:
170:
167:
166:
150:
147:
146:
130:
127:
126:
98:
95:
94:
91:
17:
12:
11:
5:
3258:
3248:
3247:
3242:
3225:
3224:
3221:
3220:
3218:
3217:
3206:
3203:
3202:
3200:
3199:
3194:
3192:Random numbers
3189:
3184:
3179:
3174:
3169:
3164:
3159:
3154:
3149:
3144:
3138:
3136:
3132:
3131:
3129:
3128:
3123:
3118:
3116:Garlic routing
3113:
3108:
3103:
3098:
3093:
3088:
3083:
3078:
3073:
3068:
3063:
3058:
3053:
3048:
3043:
3038:
3036:Secure channel
3033:
3027:
3026:
3025:
3014:
3009:
3004:
2999:
2994:
2992:Key stretching
2989:
2984:
2979:
2974:
2969:
2964:
2959:
2958:
2957:
2952:
2947:
2937:
2935:Cryptovirology
2932:
2927:
2922:
2920:Cryptocurrency
2917:
2912:
2907:
2906:
2905:
2895:
2890:
2885:
2879:
2877:
2873:
2872:
2865:
2864:
2857:
2850:
2842:
2835:
2834:
2831:
2830:
2827:
2826:
2824:
2823:
2818:
2813:
2808:
2803:
2798:
2793:
2788:
2783:
2777:
2775:
2771:
2770:
2768:
2767:
2762:
2757:
2752:
2747:
2742:
2736:
2734:
2730:
2729:
2727:
2726:
2721:
2716:
2711:
2706:
2701:
2695:
2693:
2689:
2688:
2685:
2684:
2682:
2681:
2676:
2671:
2664:
2662:Merkle–Hellman
2659:
2654:
2649:
2644:
2639:
2634:
2629:
2623:
2621:
2617:
2616:
2614:
2613:
2608:
2603:
2598:
2593:
2588:
2583:
2577:
2575:
2559:
2558:
2556:
2555:
2550:
2545:
2540:
2535:
2530:
2529:
2528:
2518:
2513:
2508:
2507:
2506:
2501:
2491:
2486:
2485:
2484:
2479:
2469:
2464:
2459:
2454:
2448:
2446:
2440:
2439:
2437:
2436:
2431:
2426:
2421:
2416:
2411:
2409:Naccache–Stern
2406:
2401:
2396:
2391:
2386:
2381:
2375:
2373:
2364:
2360:
2359:
2352:
2351:
2344:
2337:
2329:
2315:
2314:
2309:
2304:
2299:
2292:
2291:External links
2289:
2288:
2287:
2273:
2265:10.1007/b97644
2230:
2212:
2206:
2177:
2159:(2): 119–134.
2138:
2120:(3): 275–288.
2104:
2101:
2098:
2097:
2081:
2032:
2025:
1995:
1988:
1954:
1927:(3): 275–288.
1911:
1902:|journal=
1858:
1839:(2): 119–134.
1812:
1811:
1809:
1806:
1805:
1804:
1797:
1794:
1778:the submission
1766:
1765:
1761:
1757:
1745:
1725:
1705:
1702:
1699:
1696:
1693:
1690:
1687:
1681:
1678:
1655:
1652:
1649:
1646:
1643:
1640:
1637:
1631:
1628:
1599:
1596:
1584:
1579:
1575:
1569:
1565:
1561:
1558:
1555:
1552:
1532:
1510:
1505:
1501:
1495:
1491:
1487:
1484:
1481:
1478:
1475:
1472:
1466:
1463:
1457:
1454:
1451:
1446:
1442:
1438:
1435:
1432:
1429:
1426:
1423:
1417:
1414:
1408:
1405:
1402:
1399:
1394:
1390:
1386:
1383:
1380:
1377:
1374:
1368:
1365:
1359:
1356:
1353:
1348:
1344:
1340:
1337:
1334:
1331:
1309:
1304:
1300:
1294:
1290:
1286:
1283:
1280:
1277:
1274:
1271:
1265:
1262:
1256:
1253:
1250:
1245:
1241:
1237:
1234:
1231:
1228:
1225:
1222:
1216:
1213:
1207:
1204:
1201:
1198:
1193:
1189:
1185:
1182:
1179:
1176:
1173:
1167:
1164:
1158:
1155:
1152:
1147:
1143:
1139:
1136:
1133:
1130:
1118:
1115:
1109:
1108:
1096:
1072:
1061:
1057:
1056:
1040:
1020:
1017:
1011:
1008:
1002:
999:
996:
991:
987:
983:
980:
977:
974:
954:
951:
945:
942:
936:
933:
930:
925:
921:
917:
914:
911:
908:
897:
893:
892:
880:
860:
840:
834:
831:
825:
822:
819:
814:
810:
798:
794:
793:
781:
761:
741:
735:
732:
726:
723:
720:
715:
711:
699:
695:
694:
682:
679:
676:
673:
670:
659:
655:
654:
642:
622:
619:
616:
613:
593:
573:
570:
567:
564:
561:
550:
546:
545:
542:
524:
511:are the first
497:
494:
471:
451:
430:
425:
421:
418:
415:
410:
406:
402:
396:
392:
389:
367:
363:
359:
356:
351:
347:
339:
334:
331:
328:
322:
319:
296:
293:
290:
287:
284:
281:
278:
255:
252:
226:
206:
186:
183:
180:
177:
174:
154:
134:
114:
111:
108:
105:
102:
90:
87:
62:Scott Vanstone
58:Alfred Menezes
47:elliptic curve
39:Diffie–Hellman
15:
9:
6:
4:
3:
2:
3257:
3246:
3243:
3241:
3238:
3237:
3235:
3216:
3208:
3207:
3204:
3198:
3197:Steganography
3195:
3193:
3190:
3188:
3185:
3183:
3180:
3178:
3175:
3173:
3170:
3168:
3165:
3163:
3160:
3158:
3155:
3153:
3152:Stream cipher
3150:
3148:
3145:
3143:
3140:
3139:
3137:
3133:
3127:
3124:
3122:
3119:
3117:
3114:
3112:
3111:Onion routing
3109:
3107:
3104:
3102:
3099:
3097:
3094:
3092:
3091:Shared secret
3089:
3087:
3084:
3082:
3079:
3077:
3074:
3072:
3069:
3067:
3064:
3062:
3059:
3057:
3054:
3052:
3049:
3047:
3044:
3042:
3039:
3037:
3034:
3031:
3028:
3023:
3020:
3019:
3018:
3015:
3013:
3010:
3008:
3005:
3003:
3000:
2998:
2995:
2993:
2990:
2988:
2985:
2983:
2982:Key generator
2980:
2978:
2975:
2973:
2970:
2968:
2965:
2963:
2960:
2956:
2953:
2951:
2948:
2946:
2943:
2942:
2941:
2940:Hash function
2938:
2936:
2933:
2931:
2928:
2926:
2923:
2921:
2918:
2916:
2915:Cryptanalysis
2913:
2911:
2908:
2904:
2901:
2900:
2899:
2896:
2894:
2891:
2889:
2886:
2884:
2881:
2880:
2878:
2874:
2870:
2863:
2858:
2856:
2851:
2849:
2844:
2843:
2840:
2836:
2822:
2819:
2817:
2814:
2812:
2809:
2807:
2804:
2802:
2799:
2797:
2794:
2792:
2789:
2787:
2784:
2782:
2779:
2778:
2776:
2772:
2766:
2763:
2761:
2758:
2756:
2753:
2751:
2748:
2746:
2743:
2741:
2738:
2737:
2735:
2731:
2725:
2722:
2720:
2717:
2715:
2712:
2710:
2707:
2705:
2702:
2700:
2697:
2696:
2694:
2690:
2680:
2677:
2675:
2672:
2669:
2665:
2663:
2660:
2658:
2655:
2653:
2650:
2648:
2645:
2643:
2640:
2638:
2635:
2633:
2630:
2628:
2625:
2624:
2622:
2618:
2612:
2609:
2607:
2604:
2602:
2599:
2597:
2594:
2592:
2589:
2587:
2584:
2582:
2579:
2578:
2576:
2574:
2569:
2564:
2560:
2554:
2551:
2549:
2546:
2544:
2541:
2539:
2536:
2534:
2531:
2527:
2524:
2523:
2522:
2519:
2517:
2514:
2512:
2509:
2505:
2502:
2500:
2497:
2496:
2495:
2492:
2490:
2487:
2483:
2480:
2478:
2475:
2474:
2473:
2470:
2468:
2465:
2463:
2460:
2458:
2455:
2453:
2450:
2449:
2447:
2445:
2441:
2435:
2434:Schmidt–Samoa
2432:
2430:
2427:
2425:
2422:
2420:
2417:
2415:
2412:
2410:
2407:
2405:
2402:
2400:
2397:
2395:
2394:Damgård–Jurik
2392:
2390:
2389:Cayley–Purser
2387:
2385:
2382:
2380:
2377:
2376:
2374:
2372:
2368:
2365:
2361:
2357:
2350:
2345:
2343:
2338:
2336:
2331:
2330:
2327:
2323:
2319:
2313:
2310:
2308:
2305:
2303:
2300:
2298:
2295:
2294:
2284:
2280:
2276:
2270:
2266:
2262:
2257:
2252:
2248:
2244:
2240:
2236:
2231:
2227:
2220:
2219:
2213:
2209:
2203:
2199:
2195:
2191:
2187:
2183:
2178:
2174:
2170:
2166:
2162:
2158:
2154:
2153:
2148:
2144:
2139:
2135:
2131:
2127:
2123:
2119:
2115:
2111:
2107:
2106:
2095:
2091:
2085:
2077:
2073:
2069:
2065:
2060:
2055:
2051:
2047:
2043:
2036:
2028:
2022:
2018:
2014:
2010:
2006:
1999:
1991:
1985:
1981:
1977:
1973:
1969:
1965:
1958:
1950:
1946:
1942:
1938:
1934:
1930:
1926:
1922:
1915:
1907:
1894:
1878:
1873:
1869:
1862:
1854:
1850:
1846:
1842:
1838:
1834:
1833:
1828:
1824:
1817:
1813:
1803:
1800:
1799:
1793:
1789:
1785:
1783:
1779:
1774:
1770:
1762:
1758:
1743:
1723:
1700:
1697:
1694:
1688:
1685:
1676:
1650:
1647:
1644:
1638:
1635:
1626:
1615:
1614:
1613:
1609:
1606:
1595:
1582:
1577:
1573:
1567:
1563:
1559:
1556:
1553:
1550:
1530:
1521:
1508:
1503:
1499:
1493:
1489:
1485:
1482:
1479:
1476:
1470:
1461:
1455:
1452:
1444:
1440:
1436:
1433:
1430:
1424:
1421:
1412:
1406:
1403:
1400:
1392:
1388:
1384:
1381:
1378:
1372:
1363:
1357:
1354:
1346:
1342:
1338:
1335:
1332:
1329:
1320:
1307:
1302:
1298:
1292:
1288:
1284:
1281:
1278:
1275:
1269:
1260:
1254:
1251:
1243:
1239:
1235:
1232:
1229:
1223:
1220:
1211:
1205:
1202:
1199:
1191:
1187:
1183:
1180:
1177:
1171:
1162:
1156:
1153:
1145:
1141:
1137:
1134:
1131:
1128:
1114:
1094:
1086:
1070:
1062:
1059:
1058:
1054:
1038:
1015:
1006:
1000:
997:
989:
985:
981:
978:
975:
972:
949:
940:
934:
931:
923:
919:
915:
912:
909:
906:
898:
895:
894:
878:
858:
838:
829:
823:
820:
817:
812:
808:
799:
796:
795:
779:
759:
739:
730:
724:
721:
718:
713:
709:
700:
697:
696:
677:
674:
671:
660:
657:
656:
640:
620:
617:
614:
611:
591:
568:
565:
562:
551:
548:
547:
543:
540:
539:
536:
522:
514:
492:
469:
449:
428:
423:
416:
413:
408:
404:
394:
390:
387:
365:
361:
357:
349:
345:
332:
326:
317:
291:
288:
285:
279:
276:
250:
238:
224:
204:
181:
178:
175:
152:
132:
109:
106:
103:
86:
84:
79:
77:
72:
70:
65:
63:
59:
54:
52:
48:
44:
40:
37:based on the
36:
35:key agreement
32:
29:
28:authenticated
25:
21:
3147:Block cipher
2987:Key schedule
2977:Key exchange
2967:Kleptography
2925:Cryptosystem
2869:Cryptography
2821:OpenPGP card
2801:Web of trust
2532:
2457:Cramer–Shoup
2242:
2235:Vanstone, S.
2217:
2185:
2182:Smart, N. P.
2156:
2150:
2147:Vanstone, S.
2117:
2113:
2103:Bibliography
2093:
2084:
2049:
2045:
2035:
2008:
1998:
1963:
1957:
1924:
1920:
1914:
1893:cite journal
1881:. Retrieved
1861:
1836:
1830:
1827:Vanstone, S.
1816:
1790:
1786:
1775:
1771:
1767:
1610:
1601:
1522:
1321:
1120:
1112:
512:
239:
92:
80:
73:
66:
55:
50:
43:finite group
23:
19:
18:
3135:Mathematics
3126:Mix network
2791:Fingerprint
2755:NSA Suite B
2719:RSA problem
2596:NTRUEncrypt
2239:Menezes, A.
2143:Menezes, A.
1823:Menezes, A.
1598:MQV vs HMQV
1117:Correctness
89:Description
3234:Categories
3086:Ciphertext
3056:Decryption
3051:Encryption
3012:Ransomware
2745:IEEE P1363
2363:Algorithms
1980:11147/4782
1808:References
1605:IEEE P1363
891:to Alice.
871:and sends
772:and sends
544:Operation
69:IEEE P1363
3076:Plaintext
2251:CiteSeerX
2141:Law, L.;
2068:1862-2984
1941:1094-9224
1821:Law, L.;
1680:¯
1630:¯
1560:⋅
1486:⋅
1465:¯
1437:⋅
1416:¯
1385:⋅
1367:¯
1339:⋅
1285:⋅
1264:¯
1236:⋅
1215:¯
1184:⋅
1166:¯
1138:⋅
1010:¯
982:⋅
944:¯
916:⋅
833:¯
734:¯
496:¯
420:⌉
414:
401:⌈
321:¯
254:¯
3215:Category
3121:Kademlia
3081:Codetext
3024:(CSPRNG)
3002:Machines
2806:Key size
2740:CRYPTREC
2657:McEliece
2611:RLWE-SIG
2606:RLWE-KEX
2601:NTRUSign
2414:Paillier
2247:Springer
2241:(2004).
2173:27921095
2134:15388065
2088:F. Hao,
2076:15540513
1949:15388065
1883:15 April
1853:27921095
1796:See also
792:to Bob.
429:⌉
395:⌈
76:Certicom
31:protocol
26:) is an
2876:General
2652:Lamport
2632:CEILIDH
2591:NewHope
2538:Schnorr
2521:ElGamal
2499:Ed25519
2379:Benaloh
1792:since.
851:modulo
752:modulo
83:Suite B
2997:Keygen
2774:Topics
2750:NESSIE
2692:Theory
2620:Others
2477:X25519
2283:720546
2281:
2271:
2253:
2204:
2171:
2132:
2074:
2066:
2023:
1986:
1947:
1939:
1851:
1716:where
1031:where
380:where
3032:(PRN)
2586:Kyber
2581:BLISS
2543:SPEKE
2511:ECMQV
2504:Ed448
2494:EdDSA
2489:ECDSA
2419:Rabin
2279:S2CID
2222:(PDF)
2169:S2CID
2130:S2CID
2072:S2CID
2052:(1).
1945:S2CID
1849:S2CID
633:with
541:Step
482:. So
197:with
125:with
2786:OAEP
2760:CNSA
2637:EPOC
2482:X448
2472:ECDH
2269:ISBN
2202:ISBN
2064:ISSN
2021:ISBN
1984:ISBN
1937:ISSN
1906:help
1885:2018
1736:and
1666:and
442:and
33:for
2796:PKI
2679:XTR
2647:IES
2642:HFE
2573:SIS
2568:LWE
2553:STS
2548:SRP
2533:MQV
2516:EKE
2467:DSA
2452:BLS
2424:RSA
2399:GMR
2261:doi
2194:doi
2161:doi
2122:doi
2054:doi
2013:doi
1976:hdl
1968:doi
1929:doi
1872:doi
1841:doi
1055:).
405:log
338:mod
20:MQV
3236::
2627:AE
2462:DH
2277:.
2267:.
2259:.
2249:.
2237:;
2224:.
2200:.
2167:.
2157:28
2155:.
2128:.
2116:.
2092:.
2070:.
2062:.
2048:.
2044:.
2019:.
2007:.
1982:.
1974:.
1943:.
1935:.
1923:.
1897::
1895:}}
1891:{{
1870:.
1847:.
1837:28
1835:.
1764:1.
1760:1.
1107:.
1060:6
896:5
797:4
698:3
658:2
549:1
535:.
78:.
53:.
2861:e
2854:t
2847:v
2570:/
2565:/
2348:e
2341:t
2334:v
2285:.
2263::
2210:.
2196::
2175:.
2163::
2136:.
2124::
2118:4
2078:.
2056::
2050:1
2029:.
2015::
1992:.
1978::
1970::
1951:.
1931::
1925:4
1908:)
1904:(
1887:.
1874::
1855:.
1843::
1744:B
1724:A
1704:)
1701:A
1698:,
1695:Y
1692:(
1689:H
1686:=
1677:Y
1654:)
1651:B
1648:,
1645:X
1642:(
1639:H
1636:=
1627:X
1583:P
1578:a
1574:S
1568:b
1564:S
1557:h
1554:=
1551:K
1531:K
1509:P
1504:a
1500:S
1494:b
1490:S
1483:h
1480:=
1477:P
1474:)
1471:b
1462:Y
1456:+
1453:y
1450:(
1445:a
1441:S
1434:h
1431:=
1428:)
1425:P
1422:b
1413:Y
1407:+
1404:P
1401:y
1398:(
1393:a
1389:S
1382:h
1379:=
1376:)
1373:B
1364:Y
1358:+
1355:Y
1352:(
1347:a
1343:S
1336:h
1333:=
1330:K
1308:P
1303:a
1299:S
1293:b
1289:S
1282:h
1279:=
1276:P
1273:)
1270:a
1261:X
1255:+
1252:x
1249:(
1244:b
1240:S
1233:h
1230:=
1227:)
1224:P
1221:a
1212:X
1206:+
1203:P
1200:x
1197:(
1192:b
1188:S
1181:h
1178:=
1175:)
1172:A
1163:X
1157:+
1154:X
1151:(
1146:b
1142:S
1135:h
1132:=
1129:K
1095:K
1071:K
1039:h
1019:)
1016:A
1007:X
1001:+
998:X
995:(
990:b
986:S
979:h
976:=
973:K
953:)
950:B
941:Y
935:+
932:Y
929:(
924:a
920:S
913:h
910:=
907:K
879:Y
859:n
839:b
830:Y
824:+
821:y
818:=
813:b
809:S
780:X
760:n
740:a
731:X
725:+
722:x
719:=
714:a
710:S
681:)
678:y
675:,
672:Y
669:(
641:P
621:P
618:x
615:=
612:X
592:x
572:)
569:x
566:,
563:X
560:(
523:R
513:L
493:R
470:P
450:n
424:2
417:n
409:2
391:=
388:L
366:L
362:2
358:+
355:)
350:L
346:2
333:x
330:(
327:=
318:R
295:)
292:y
289:,
286:x
283:(
280:=
277:R
251:R
225:b
205:B
185:)
182:b
179:,
176:B
173:(
153:a
133:A
113:)
110:a
107:,
104:A
101:(
22:(