[curves] MQV

Rene Struik rstruik.ext at gmail.com
Wed May 14 13:04:29 PDT 2014


Hi Trevor:

It all depends on what one wishes to optimize for. Lots of variants 
depend on assumptions on attack models (e.g., ephemeral key exposure, 
etc.). What deployment use case do you have in mind and what properties 
do you seek? It could even be that the original version has benefits in 
practice, depending on implementation platform constraints (here, I am 
referring to some key agreement use cases with sensors (as part of 
network join process), where being able to get rid of hash functions has 
merit and where, e.g., differentiating secure storage for long-term and 
ephemeral keying material is less relevant, although jeopardizing 
provability).

Apologies for not have a crisp answer right away :(. I may have the 
chance to revisit this later in more detail, perhaps early June.

BTW - now is your chance to sign up as CFRG co-chair

Best regards, Rene


On 5/14/2014 3:04 PM, Trevor Perrin wrote:
> Anyone know what the best version of MQV is? (HMQV, FHMQV, CMQV, SMQV, TMQV, ??)
>
>
> Trevor
> _______________________________________________
> Curves mailing list
> Curves at moderncrypto.org
> https://moderncrypto.org/mailman/listinfo/curves


-- 
email: rstruik.ext at gmail.com | Skype: rstruik
cell: +1 (647) 867-5658 | US: +1 (415) 690-7363



More information about the Curves mailing list