watsonbladd at gmail.com
Wed May 14 17:51:00 PDT 2014
On Wed, May 14, 2014 at 5:11 PM, Robert Ransom <rransom.8774 at gmail.com> wrote:
> On 5/14/14, Watson Ladd <watsonbladd at gmail.com> wrote:
>> On Wed, May 14, 2014 at 2:38 PM, Robert Ransom <rransom.8774 at gmail.com>
>>> On 5/14/14, Trevor Perrin <trevp at trevp.net> wrote:
>>>> Anyone know what the best version of MQV is? (HMQV, FHMQV, CMQV, SMQV,
>>> I don't see a good reason to use Schnorr's identification protocol
>>> instead of DH authentication, even now that Schnorr's protocol is
>>> legal to use.
>> There is a reason: the Schnorr protocol involves a fixed base
>> exponentiation to a random exponent, while DH authentication involves
>> a variable base exponentiation to a fixed exponent. If you are willing
>> to burn ROM on a table with limited RAM and low CPU power, the Schnorr
>> protocol is more efficient on the prover side.
> * Schnorr identification requires a minimum of two messages in each
> direction (the verifier must commit to the challenge at the beginning
> of the protocol), which adds both complexity and latency to the
Patent US4995082 seems to describe the following protocol in claim 1
where V wants to verify P has identity Y=g^x:
P->V: g^r with r random.
(Yes, that is a plus sign)
There is no hash function, and this is three messages, not four.
Because this is a fixed-base I can precompute a large table and do
only additions. (I can also use signed-bit encodings, etc).
What you seem to propose is the following:
This is one message shorter, but requires a hash function and does a
variable-base exponentiation. If we drop the hash function, we have
exposed a static DH oracle, and so interaction-based attacks become a
possibility. It has the advantage of not requiring a random number
generator on constrained hardware.
Which to use is likely to depend on exact details. With more gates
your protocol saves on interactions and avoids a tricky bit of
hardware, at the cost of computational performance. Your protocol also
winds up with a shared key, which is useful to have, while the Schnorr
protocol does not. If gate count matters significantly, I have a RNG
from somewhere (and the power for it), and only need to do identity
verification, Schnorr wins out. If the RNG is uncertain, then your
protocol is a good idea.
More information about the Curves