[curves] MQV

Rene Struik rstruik.ext at gmail.com
Wed May 14 13:04:29 PDT 2014

Hi Trevor:

It all depends on what one wishes to optimize for. Lots of variants 
depend on assumptions on attack models (e.g., ephemeral key exposure, 
etc.). What deployment use case do you have in mind and what properties 
do you seek? It could even be that the original version has benefits in 
practice, depending on implementation platform constraints (here, I am 
referring to some key agreement use cases with sensors (as part of 
network join process), where being able to get rid of hash functions has 
merit and where, e.g., differentiating secure storage for long-term and 
ephemeral keying material is less relevant, although jeopardizing 

Apologies for not have a crisp answer right away :(. I may have the 
chance to revisit this later in more detail, perhaps early June.

BTW - now is your chance to sign up as CFRG co-chair

Best regards, Rene

On 5/14/2014 3:04 PM, Trevor Perrin wrote:
> Anyone know what the best version of MQV is? (HMQV, FHMQV, CMQV, SMQV, TMQV, ??)
> Trevor
> _______________________________________________
> Curves mailing list
> Curves at moderncrypto.org
> https://moderncrypto.org/mailman/listinfo/curves

email: rstruik.ext at gmail.com | Skype: rstruik
cell: +1 (647) 867-5658 | US: +1 (415) 690-7363

More information about the Curves mailing list