Some Theoretical Conditions for Menezes-Qu-Vanstone Key Agreement to Provide Implicit Key Authentication

Menezes–Qu–Vanstone key agreement (MQV) is intended to provide implicit key authentication (IKA) and several other security objectives. MQV is approved and specified in five standards. This report focuses on the IKA of two-pass MQV, without key confirmation. Arguably, implicit key authentication is the most essential security objective in authenticated key agreement. The report examines various necessary or sufficient formal conditions under which MQV may provide IKA. Incidentally, this report defines, relies on, and inter-relates various conditions on the key deriviation function and Diffie–Hellman groups. While it should be expected that most such definitions and results are already well-known, a reader interested in these topics may be interested in this report as kind a kind of review, even if they have no interest in MQV whatsoever. Caution: this report is a work in progress. It may contain serious omissions and errors. Readers should verify any proofs before relying upon them, as always, but perhaps more so than is usual.