[curves] Mutual-auth Ace (was Re: MQV)
trevp at trevp.net
Wed May 14 23:43:25 PDT 2014
On Wed, May 14, 2014 at 7:48 PM, Robert Ransom <rransom.8774 at gmail.com> wrote:
> On 5/14/14, Trevor Perrin <trevp at trevp.net> wrote:
>> Maybe, but other protocols resist KCI.
>
> If you want that feature in a mutual-authentication protocol,

Since resisting KCI is a design goal of MQV and descendants, it would
be nice to have in an alternative IMO.

> could use CDH(P, A, Y_1) + CDH(P, X_1, B) + CDH(P, Y_1, Y_2) as the
> secret input to the KDF.

That's cool! If it's secure, it seems like a better extension of Ace
to mutual-auth. It's similar to TripleDH but each party has 2
ephemerals instead of 1, and the 3 ECDHs are added together before
being hashed into a session key. (Also similar to MTI/A0 with an
ephemeral-ephemeral op added.)

But it could be faster than TripleDH because you could use Shamir's
trick to compute the sum of the 3 ECDHs.

Assuming MQV is ~2x faster than TripleDH:
 - 1.5 variable-base ops, 1 fixed-base (MQV) vs
 - 3 variable-base ops, 1 fixed-base (TripleDH)

I wonder how close to MQV speed this could get?:
 - 1 variable-base triple-op, 2 fixed-base
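
Shamir's trick as mentioned in the message above, shown as an added example that is not part of the original post: it evaluates a three-term combination with one shared doubling chain and counts group operations against three separate runs. Assumptions: a multiplicative group modulo a toy prime stands in for the curve group (so the sum of three ECDH outputs becomes a product), and the function names, bases and scalars are constructed for illustration.

```python
import hashlib
from itertools import product

P = 2**127 - 1  # constructed toy modulus (prime); stands in for the curve group

def separate(bases, scalars, p=P):
    """Three independent square-and-multiply runs, combined at the end."""
    total, ops = 1, 0
    for g, k in zip(bases, scalars):
        acc = 1
        for bit in bin(k)[2:]:
            acc = acc * acc % p
            ops += 1
            if bit == "1":
                acc = acc * g % p
                ops += 1
        total = total * acc % p
        ops += 1
    return total, ops

def shamir(bases, scalars, p=P):
    """One shared squaring chain plus at most one table multiply per bit."""
    n = len(bases)
    table = {}
    for mask in product((0, 1), repeat=n):  # product of every subset of bases
        v = 1
        for g, m in zip(bases, mask):
            if m:
                v = v * g % p
        table[mask] = v
    ops = 2**n - n - 1  # counted cost of the multi-base entries, built incrementally
    acc = 1
    for i in reversed(range(max(k.bit_length() for k in scalars))):
        acc = acc * acc % p
        ops += 1
        mask = tuple((k >> i) & 1 for k in scalars)
        if any(mask):
            acc = acc * table[mask] % p
            ops += 1
    return acc, ops

def constructed(label):
    """Deterministic sample value (constructed for this example, not a real key)."""
    return 2 + int.from_bytes(hashlib.sha256(label).digest(), "big") % (P - 3)

BASES = [constructed(b"base%d" % i) for i in range(3)]      # stand-ins for peer public values
SCALARS = [constructed(b"scalar%d" % i) for i in range(3)]  # stand-ins for local secret scalars

if __name__ == "__main__":
    print(separate(BASES, SCALARS)[1], "ops separately;", shamir(BASES, SCALARS)[1], "with Shamir's trick")
```

This sketch is variable-time and indexes its table by secret scalar bits, so it shows only the operation count; an implementation handling real keys needs constant-time table selection.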