[curves] MQV

[Robert Ransom]

On 5/14/14, Trevor Perrin <trevp at trevp.net> wrote:
> Anyone know what the best version of MQV is? (HMQV, FHMQV, CMQV, SMQV, TMQV,
> ??)

I assume that anything with “MQV” in its name is patented, so I've
only looked at the original MQV, and only cursorily (just enough to
verify that ‘Ace’ doesn't look anything like MQV).

My recommendations would be:

* If you are willing to implement and use a signature scheme, have the
server sign a (DH public key, time interval) certificate and send it.

* If you are willing to require that authentication public keys live
in the same group as the forward-secrecy keypairs, and don't want to
use signatures, consider ‘Ace’ (a variant of the 1986 ‘MTI/C0’
protocol described in the original MQV paper).  (‘Ace’ can be modified
to perform mutual authentication by replacing the client's X_1
ephemeral keypair with a long-term authentication keypair.)

* If you don't want to use signatures and you don't want to do
authentication in the same group as forward secrecy, use a
straightforward DH authentication protocol (like e.g. ntor or what
you've called ‘Triple-DH’).

I don't see a good reason to use Schnorr's identification protocol
instead of DH authentication, even now that Schnorr's protocol is
legal to use.


Robert Ransom