[curves] Forward secrecy with "triple Diffie-Hellman"
Trevor Perrin
trevp at trevp.net
Tue Apr 8 20:17:36 PDT 2014
On Tue, Apr 8, 2014 at 7:48 PM, Douglas Stebila <stebila at qut.edu.au> wrote:
> NIST SP-800-56a goes over a range of ephemeral-static DH combinations and is a bit more recent.

What William describes is "unified model" in SP800-56A. It lacks
resistance to "key compromise impersonation" - if I get your private
key, I can impersonate anyone else to you.

Doing a pair of ephemeral-static DHs (Kudla-Paterson, KEA/KEA+, etc.)
for a mutually-authenticated key agreement resists this. Adding the
3rd ephemeral-ephemeral DH (mentioned by Kudla-Paterson, similar to
NAXOS) adds forward secrecy if both static keys are revealed.

Trevor
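
An added example, not part of the original message: it compares which DH terms each of the three combinations above feeds into the key, and checks what a party holding only certain private keys can derive. The toy group (integers mod 2**255 - 19), the SHA-256 key derivation and all names (`SCHEMES`, `session_key`, `analyse`) are assumptions made for illustration.

```python
import hashlib
import secrets

# Toy group for illustration only (assumption): integers mod the prime 2**255 - 19.
# Real deployments use an elliptic-curve DH function such as X25519.
P = 2**255 - 19
G = 2

# Each scheme lists the DH terms hashed into the session key, named by the key pair used:
# "a"/"b" = Alice's/Bob's static key, "x"/"y" = Alice's/Bob's ephemeral key.
SCHEMES = {
    "unified_model": [("a", "b"), ("x", "y")],
    "two_eph_static": [("a", "y"), ("x", "b")],
    "triple_dh": [("a", "y"), ("x", "b"), ("x", "y")],
}

def keygen(names):
    priv = {n: secrets.randbelow(P - 3) + 2 for n in names}
    pub = {n: pow(G, k, P) for n, k in priv.items()}
    return priv, pub

def session_key(scheme, known_priv, pub):
    """Derive the key from the private keys in known_priv; None if a term is out of reach."""
    h = hashlib.sha256()
    for u, v in SCHEMES[scheme]:
        if u in known_priv:
            shared = pow(pub[v], known_priv[u], P)
        elif v in known_priv:
            shared = pow(pub[u], known_priv[v], P)
        else:
            return None  # this term needs a private key the party does not hold
        h.update(shared.to_bytes(32, "big"))
    return h.digest()

def analyse(scheme):
    priv, pub = keygen("abxy")
    alice = session_key(scheme, {k: priv[k] for k in "ax"}, pub)
    bob = session_key(scheme, {k: priv[k] for k in "by"}, pub)
    assert alice == bob  # honest parties agree on the key
    # KCI case: Bob's static key b is known, and x is an ephemeral sent under Alice's name.
    kci = session_key(scheme, {k: priv[k] for k in "bx"}, pub) == bob
    # Forward-secrecy case: both static keys are revealed after a recorded session.
    fs = session_key(scheme, {k: priv[k] for k in "ab"}, pub) == bob
    return {"kci_resistant": not kci, "forward_secret": not fs}

if __name__ == "__main__":
    for name in SCHEMES:
        print(name, analyse(name))
```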