[curves] Forward secrecy with "triple Diffie-Hellman"

Trevor Perrin trevp at trevp.net
Tue Apr 8 20:17:36 PDT 2014


On Tue, Apr 8, 2014 at 7:48 PM, Douglas Stebila <stebila at qut.edu.au> wrote:
> NIST SP-800-56a goes over a range of ephemeral-static DH combinations and is a bit more recent.

What William describes is "unified model" in SP800-56A.  It lacks
resistance to "key compromise impersonation" - if I get your private
key, I can impersonate anyone else to you.

Doing a pair of ephemeral-static DHs (Kudla-Paterson, KEA/KEA+, etc.)
for a mutually-authenticated key agreement resists this.  Adding the
3rd ephemeral-ephemeral DH (mentioned by Kudla-Paterson, similar to
NAXOS) adds forward secrecy if both static keys are revealed.


Trevor
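
The three constructions compared in the message above, as an added example that is not part of the original post: a symbolic check of which DH inputs to the session key can be computed from a given set of private keys. The key names (`a`, `b` static; `x`, `y` ephemeral), the scenario names, and the simplification that a DH value is computable exactly when one of its two private keys is known are assumptions of this sketch.

```python
# Added example: symbolic model of the key agreements discussed above.
# Assumed notation: a, b = static private keys of Alice and Bob;
# x, y = their ephemeral private keys. A term ("a", "y") stands for g^(ay).

PROTOCOLS = {
    # static-static plus ephemeral-ephemeral
    "unified model": [("a", "b"), ("x", "y")],
    # a pair of ephemeral-static DHs
    "ephemeral-static pair": [("a", "y"), ("x", "b")],
    # the pair plus a third, ephemeral-ephemeral DH
    "triple DH": [("a", "y"), ("x", "b"), ("x", "y")],
}

SCENARIOS = {
    # Key compromise impersonation: the adversary holds Alice's static key
    # and poses as Bob to her, so it also picks "Bob's" ephemeral y.
    # It never learns b or x.
    "kci": {"a", "y"},
    # Forward secrecy: a passive adversary recorded the session and both
    # static keys leak later. The ephemeral keys were erased.
    "both_statics_revealed": {"a", "b"},
}

def computable(term, known):
    """g^(uv) is computable iff u or v is known (assumes CDH is hard)."""
    return term[0] in known or term[1] in known

def missing_terms(protocol, scenario):
    """DH inputs to the KDF that the adversary cannot compute."""
    known = SCENARIOS[scenario]
    return [t for t in PROTOCOLS[protocol] if not computable(t, known)]

def session_key_exposed(protocol, scenario):
    """The session key falls only if every DH input is computable."""
    return not missing_terms(protocol, scenario)

def report():
    return {p: {s: session_key_exposed(p, s) for s in SCENARIOS}
            for p in PROTOCOLS}

if __name__ == "__main__":
    for proto, result in report().items():
        cells = [f"{s}={'EXPOSED' if v else 'safe'}" for s, v in result.items()]
        print(f"{proto:22}", "  ".join(cells))
```

The model covers only a passive adversary in the forward-secrecy scenario and says nothing about how the DH outputs are combined or which identities are bound into the key derivation.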

