[curves] MQV

Johannes Merkle johannes.merkle at secunet.com
Thu May 15 04:21:16 PDT 2014

Watson Ladd wrote on 14.05.2014 23:44:
> On Wed, May 14, 2014 at 2:38 PM, Robert Ransom <rransom.8774 at gmail.com> wrote:
>> On 5/14/14, Trevor Perrin <trevp at trevp.net> wrote:
>>> Anyone know what the best version of MQV is? (HMQV, FHMQV, CMQV, SMQV, TMQV,
>>> ??)
> [cut]
>> I don't see a good reason to use Schnorr's identification protocol
>> instead of DH authentication, even now that Schnorr's protocol is
>> legal to use.
> There is a reason: the Schnorr protocol involves a fixed base
> exponentiation to a random exponent, while DH authentication involves
> a variable base exponentiation to a fixed exponent. If you are willing
> to burn ROM on a table with limited RAM and low CPU power, the Schnorr
> protocol is more efficient on the prover side.

In addition, this exponentiation can be done in advance (pre-computation). The online computation is extremely fast.


More information about the Curves mailing list