[curves] Mutual-auth Ace (was Re: MQV)

Trevor Perrin trevp at trevp.net
Wed May 14 23:43:25 PDT 2014

On Wed, May 14, 2014 at 7:48 PM, Robert Ransom <rransom.8774 at gmail.com> wrote:
> On 5/14/14, Trevor Perrin <trevp at trevp.net> wrote:
>> Maybe, but other protocols resist KCI.
> If you want that feature in a mutual-authentication protocol,

Since resisting KCI is a design goal of MQV and descendants, it would
be nice to have in an alternative IMO.

> you
> could use CDH(P, A, Y_1) + CDH(P, X_1, B) + CDH(P, Y_1, Y_2) as the
> secret input to the KDF.

That's cool! If it's secure, it seems like a better extension of Ace
to mutual-auth.  It's similar to TripleDH but each party has 2
ephemerals instead of 1, and the 3 ECDHs are added together before
being hashed into a session key.  (Also similar to MTI/A0 with an
ephemeral-ephemeral op added.)

But it could be faster than TripleDH because you could use Shamir's
trick to compute the sum of the 3 ECDHs.

Assuming MQV is ~2x faster than TripleDH:
 - 1.5 variable-base ops, 1 fixed-base (MQV) vs
 - 3 variable-base ops, 1 fixed-base (TripleDH)

I wonder how close to MQV speed this could get?:
 - 1 variable-base triple-op, 2 fixed-base
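
Added example, not part of the original message: Shamir's trick applied to a sum of three variable-base scalar multiplications, the "triple-op" mentioned above, compared against three separate double-and-add runs. The toy curve, the function names, the sample scalars and the stand-in points are assumptions made for illustration; `(k1, q1)`, `(k2, q2)`, `(k3, q3)` stand for one party's three secret-scalar/peer-point pairs.

```python
# Added illustration, not from the thread. Toy curve y^2 = x^3 + x - 1 over
# GF(2^127 - 1), constructed here (group order unknown). Variable-time: not for real keys.
P_MOD, A, G, INF = 2**127 - 1, 1, (2, 3), None   # G is on the curve: 3^2 = 2^3 + 2 - 1
ops = {"add": 0, "dbl": 0}                       # group-operation counter
K1, K2, K3 = (int(b * 16, 16) for b in ("a5", "3c", "96"))  # constructed sample scalars

def add(p, q):
    """Affine addition that also handles infinity, inverses and doubling."""
    if p is INF or q is INF:
        return q if p is INF else p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF
    ops["dbl" if p == q else "add"] += 1
    num, den = (3 * x1 * x1 + A, 2 * y1) if p == q else (y2 - y1, x2 - x1)
    lam = num * pow(den % P_MOD, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def mul(k, pt):
    """Left-to-right double-and-add: one variable-base op."""
    acc = INF
    for n in reversed(range(k.bit_length())):
        acc = add(acc, acc)
        if k >> n & 1:
            acc = add(acc, pt)
    return acc

def mul3(k1, q1, k2, q2, k3, q3):
    """Shamir's trick: k1*q1 + k2*q2 + k3*q3 over one shared doubling chain."""
    table = [INF] * 8            # table[i] = sum of the q_j whose bit j is set in i
    for i in range(1, 8):
        low = i & -i             # lowest set bit selects the point to add
        table[i] = add(table[i ^ low], {1: q1, 2: q2, 4: q3}[low])
    acc = INF
    for n in reversed(range(max(k1, k2, k3).bit_length())):
        acc = add(acc, acc)
        idx = (k1 >> n & 1) | (k2 >> n & 1) << 1 | (k3 >> n & 1) << 2
        acc = add(acc, table[idx])
    return acc

def compare(k1, k2, k3):
    """Return (results agree, group ops for three separate muls, group ops for mul3)."""
    q1, q2, q3 = mul(5, G), mul(7, G), mul(11, G)   # constructed stand-ins for peer points
    ops.update(add=0, dbl=0)
    separate = add(add(mul(k1, q1), mul(k2, q2)), mul(k3, q3))
    cost_separate = sum(ops.values())
    ops.update(add=0, dbl=0)
    combined = mul3(k1, q1, k2, q2, k3, q3)
    return separate == combined, cost_separate, sum(ops.values())
```

`compare(K1, K2, K3)` returns whether both methods give the same point, followed by the two operation counts. The table lookup is indexed by secret scalar bits, so a real implementation would need a constant-time selection in its place.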

