[curves] MQV

Robert Ransom rransom.8774 at gmail.com
Wed May 14 17:11:07 PDT 2014

On 5/14/14, Watson Ladd <watsonbladd at gmail.com> wrote:
> On Wed, May 14, 2014 at 2:38 PM, Robert Ransom <rransom.8774 at gmail.com>
> wrote:
>> On 5/14/14, Trevor Perrin <trevp at trevp.net> wrote:
>>> Anyone know what the best version of MQV is? (HMQV, FHMQV, CMQV, SMQV,
>>> TMQV,
>>> ??)
> [cut]
>> I don't see a good reason to use Schnorr's identification protocol
>> instead of DH authentication, even now that Schnorr's protocol is
>> legal to use.
> There is a reason: the Schnorr protocol involves a fixed base
> exponentiation to a random exponent, while DH authentication involves
> a variable base exponentiation to a fixed exponent. If you are willing
> to burn ROM on a table with limited RAM and low CPU power, the Schnorr
> protocol is more efficient on the prover side.

* Schnorr identification requires a minimum of two messages in each
direction (the verifier must commit to the challenge at the beginning
of the protocol), which adds both complexity and latency to the

* Schnorr identification requires that the prover implement both
arithmetic routines modulo the group order and a verification routine
for some commitment scheme (preferably hash-based, for performance
reasons).  That's most of the code needed for a (more generally
useful) signature system.

If the main goal is performance, Schnorr identification is strictly
worse than a signed ephemeral DH public key.  If the main goal is
deniability, DH authentication is simpler and still faster than
Schnorr identification (because it does not require the extra round

Robert Ransom
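
Added example, not part of the original message or of any code from the list: a sketch of the four-message flow the first bullet describes, with the verifier committing to its challenge by hash and the prover carrying the commitment check and mod-order arithmetic named in the second bullet. The toy group parameters, class names and message names are assumptions made for illustration; the group is far too small for real use.

```python
import hashlib, hmac, secrets

# Toy Schnorr group (constructed for this example, insecure size):
# P = 2Q + 1 with P and Q prime; G = 4 generates the order-Q subgroup.
P, Q, G = 2039, 1019, 4

def commit(c, r):
    """Hash commitment to challenge c under a random opening value r."""
    return hashlib.sha256(r + c.to_bytes(2, "big")).digest()

class Prover:
    def __init__(self, x):
        self.x = x                              # long-term secret exponent
    def msg2(self, com):
        self.com = com                          # remember verifier's commitment
        self.k = secrets.randbelow(Q - 1) + 1   # fresh per-run nonce
        return pow(G, self.k, P)                # fixed base, random exponent
    def msg4(self, c, r):
        # Commitment verification routine the prover has to implement.
        if not hmac.compare_digest(commit(c, r), self.com):
            raise ValueError("challenge does not match commitment")
        k, self.k = self.k, None                # nonce is single-use
        return (k + c * self.x) % Q             # arithmetic modulo group order

class Verifier:
    def __init__(self, y):
        self.y = y                              # prover's public key G^x
    def msg1(self):
        self.c = secrets.randbelow(Q)           # challenge, fixed before R is seen
        self.r = secrets.token_bytes(16)
        return commit(self.c, self.r)
    def msg3(self, R):
        self.R = R
        return self.c, self.r                   # open the commitment
    def check(self, s):
        return pow(G, s, P) == (self.R * pow(self.y, self.c, P)) % P

def run(x, y, tamper=False):
    """Two messages in each direction: commit, R, open, s."""
    prover, verifier = Prover(x), Verifier(y)
    com = verifier.msg1()                       # V -> P
    R = prover.msg2(com)                        # P -> V
    c, r = verifier.msg3(R)                     # V -> P
    if tamper:                                  # verifier swaps challenge after seeing R
        c = (c + 1) % Q
    s = prover.msg4(c, r)                       # P -> V
    return verifier.check(s)
```
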
