mike at shiftleft.org
Wed May 14 13:50:47 PDT 2014
From a brief look, my guess would be SMQV, though FHMQV is also a possibility.
I’m skeptical of the “NAXOS trick”; it seems to me that it adds security in proof models, but not in the real world. So no NAXOS or CMQV. TMQV adds complexity and computation for what looks like mostly just a better security assumption, which doesn’t seem like a huge win to me, though maybe it’s worthwhile. The orthodox MQV protocols (HMQV, FHMQV, SMQV) all have about the same performance. You might as well throw everything into the hash function, since that seems like it could conceivably be helpful, and costs almost no performance or complexity, so FHMQV and SMQV seem better than HMQV on those grounds. Between the two, the SMQV guys argue that theirs is marginally better for side-channel resistance and for smart cards, and I don’t see a downside or a reason to doubt their arguments, so I’m guessing SMQV is the best option.
I don’t know about the patents. If there are patent concerns on one or the other, that probably outweighs these relatively minor differences.
On May 14, 2014, at 1:04 PM, Rene Struik <rstruik.ext at gmail.com> wrote:
> Hi Trevor:
> It all depends on what one wishes to optimize for. Lots of variants depend on assumptions on attack models (e.g., ephemeral key exposure, etc.). What deployment use case do you have in mind and what properties do you seek? It could even be that the original version has benefits in practice, depending on implementation platform constraints (here, I am referring to some key agreement use cases with sensors (as part of network join process), where being able to get rid of hash functions has merit and where, e.g., differentiating secure storage for long-term and ephemeral keying material is less relevant, although jeopardizing provability).
> Apologies for not have a crisp answer right away :(. I may have the chance to revisit this later in more detail, perhaps early June.
> BTW - now is your chance to sign up as CFRG co-chair
> Best regards, Rene
> On 5/14/2014 3:04 PM, Trevor Perrin wrote:
>> Anyone know what the best version of MQV is? (HMQV, FHMQV, CMQV, SMQV, TMQV, ??)
>> Curves mailing list
>> Curves at moderncrypto.org
> email: rstruik.ext at gmail.com | Skype: rstruik
> cell: +1 (647) 867-5658 | US: +1 (415) 690-7363
> Curves mailing list
> Curves at moderncrypto.org
More information about the Curves