[curves] MQV

Feng Hao feng.hao at newcastle.ac.uk
Wed May 14 15:39:19 PDT 2014

Maybe 3-pass MQV?

2-pass MQV has been shown to be subject to Unknown Key Sharing attack.

In 3-pass MQV, so long as the explicit key confirmation function includes
user identities (not all MQV standards documents seem to do that), then
the UKS attack won't work. No one seems to have found other attacks. One
downside is that it requires one more pass than (implicitly authenticated)
2-pass AKE counterparts, so round efficiency degrades a bit.

However, patent can be a major obstacle for using MQV.


On 14/05/2014 20:04, "Trevor Perrin" <trevp at trevp.net> wrote:

>Anyone know what the best version of MQV is? (HMQV, FHMQV, CMQV, SMQV,
>TMQV, ??)
>Curves mailing list
>Curves at moderncrypto.org

More information about the Curves mailing list