[Resource Topic] 2002/145: Cryptanalysis of MQV with partially known nonces

Welcome to the resource topic for 2002/145

Cryptanalysis of MQV with partially known nonces

Authors: P. J. Leadbitter, N. P. Smart


In this paper we present the first lattice attack on an authenticated
key agreement protocol, which does not use a digital signature algorithm
to produce the authentication.
We present a two stage attack on MQV in which one party may recover
the other party’s static private key from partial knowledge of the nonces
from several runs of the protocol.
The first stage reduces the attack to a hidden number problem which
is partially solved by considering a closest vector problem and using
Babai’s algorithm.
This stage is closely related to the attack of Nguyen and Shparlinski
on DSA but is complicated by a non-uniform distribution
of multipliers.
The second stage recovers the rest of the key using the baby-step/giant-step
algorithm or Pollard’s Lambda algorithm and runs in time O(q^{1/4}).
The attack has been proven to work with high probability and validated
We have thus reduced the security from O(q^{1/2}) down to O(q^{1/4})
when partial knowledge of the nonces is given.

ePrint: https://eprint.iacr.org/2002/145

See all topics related to this paper.

Feel free to post resources that are related to this paper below.

Example resources include: implementations, explanation materials, talks, slides, links to previous discussions on other websites.

For more information, see the rules for Resource Topics .