@. Elseii-)-else-s-chooses-?-?-r-{0, ? If no value is assigned to m 1 , m 2 )), S chooses d ? R {0, 1} l and sets ¯ H(X, Y, m 1 , m 2 ) = d (resp. ¯ H(Y, X, m 1 , m 2 ) = d); and if ? = CDH(XA d , Y B e ), S sets m 1 , m 2 ) = ?. (4) If A halts with a forgery ? 0 , X 0 , Y 0 , m 1 0 , m 2 0 , S verifies that the digests value ? 0 was queried from the random oracle, ) for some ? 0 , and that ? 0 = CDH

D. Basin and C. Cremers, From Dolev?Yao to Strong Adaptive Corruption: Analyzing Security in the Presence of Compromising Adversaries, Cryptology ePrint Archive, 2009.

M. Bellare and A. Palacio, The Knowledge-of-Exponent Assumptions and 3-Round Zero-Knowledge Protocols, Lecture Notes in Computer Science, vol.3152, pp.273-289, 2004.
DOI : 10.1007/978-3-540-28628-8_17

R. Canetti and H. Krawczyk, Analysis of Key-Exchange Protocols and Their Use for Building Secure Channels, Cryptology ePrint Archive, 2001.
DOI : 10.1007/3-540-44987-6_28

C. Cremers, Session-state Reveal Is Stronger Than Ephemeral Key Reveal: Attacking the NAXOS Authenticated Key Exchange Protocol, Lecture Notes in Computer Science, vol.5536, pp.20-33, 2009.
DOI : 10.1007/978-3-642-01957-9_2

K. Gopalakrishnan, N. Thériault, and C. Z. Yao, Solving Discrete Logarithms from Partial Knowledge of the Key, Lecture Notes in Computer Science, vol.4859, pp.224-237, 2007.
DOI : 10.1007/978-3-540-77026-8_17

D. Hankerson, A. Menezes, and S. Vanstone, Guide to Elliptic Curve Cryptography, 2003.

I. and I. Is, Information Technology ? Security techniques : Cryptography techniques based on elliptic curves ? Part 3 : Key Establishment, pp.9798-9801, 2002.

H. Krawczyk, HMQV: A High-Performance Secure Diffie-Hellman Protocol, Cryptology ePrint Archive Report, vol.176, 2005.
DOI : 10.1007/11535218_33

S. Kunz-jacques and D. Pointcheval, About the Security of MTI/C0 and MQV, Lecture Notes in Computer Science, vol.4116, pp.156-172, 2006.
DOI : 10.1007/11832072_11

B. Lamacchia, K. Lauter, and A. Mityagin, Stronger Security of Authenticated Key Exchange, Lecture Notes in Computer Science, vol.4784, pp.1-16, 2007.
DOI : 10.1007/978-3-540-75670-5_1

P. J. Leadbitter and N. P. Smart, Analysis of the Insecurity of ECMQV with Partially Known Nonces, Lecture Notes in Computer Science, vol.2851, pp.240-251, 2003.
DOI : 10.1007/10958513_19

U. M. Maurer and S. Wolf, Diffie-Hellman Oracles, Lecture Notes in Computer Science, vol.1109, pp.268-282, 1996.
DOI : 10.1007/3-540-68697-5_21

A. Menezes, Another look at HMQV, Mathematical Cryptology, vol.1, issue.1, pp.148-175, 2007.
DOI : 10.1515/JMC.2007.004

A. Menezes and B. Ustaoglu, On the Importance of Public-Key Validation in the MQV and HMQV Key Agreement Protocols, Lecture Notes in Computer Science, vol.4329, pp.133-147, 2006.
DOI : 10.1007/11941378_11

A. Menezes and B. Ustaoglu, On reusing ephemeral keys in Diffie-Hellman key agreement protocols, International Journal of Applied Cryptography, vol.2, issue.2, 2008.
DOI : 10.1504/IJACT.2010.038308

T. Okamoto and D. Pointcheval, The Gap-Problems: A New Class of Problems for the Security of Cryptographic Schemes, Lecture Notes in Computer Science, vol.1992, pp.104-118, 2001.
DOI : 10.1007/3-540-44586-2_8

D. Pointcheval, Les preuves de connaissances et leurs preuves de sécurité, 1996.

D. Pointcheval and J. Stern, Security Arguments for Digital Signatures and Blind Signatures, Journal of Cryptology, vol.13, issue.3, pp.361-396, 2000.
DOI : 10.1007/s001450010003

J. M. Pollard, Kangaroos, Monopoly and Discrete Logarithms, Journal of Cryptology, vol.13, issue.4, pp.437-447, 2000.
DOI : 10.1007/s001450010010

E. Teske, Square-root Algorithms for the Discrete Logarithm Problem (A survey) Public Key Cryptography and Computational Number Theory, pp.283-301, 2001.

E. Teske, On random walks for Pollard's rho method, Mathematics of Computation, vol.70, issue.234, pp.809-825, 2001.
DOI : 10.1090/S0025-5718-00-01213-8

B. Ustaoglu, Obtaining a secure and efficient key agreement protocol from (H)MQV and NAXOS. Designs, Codes and Cryptography, pp.329-342, 2008.

S. Wang, Z. Cao, M. A. Strangio, and L. Wang, Cryptanalysis and improvement of an elliptic curve Diffie-Hellman key agreement protocol, IEEE Communications Letters, vol.12, issue.2, pp.149-151, 2008.
DOI : 10.1109/LCOMM.2008.071307