[curves] MQV
Rene Struik
rstruik.ext at gmail.com
Wed May 14 13:04:29 PDT 2014
Hi Trevor:
It all depends on what one wishes to optimize for. Lots of variants
depend on assumptions on attack models (e.g., ephemeral key exposure,
etc.). What deployment use case do you have in mind and what properties
do you seek? It could even be that the original version has benefits in
practice, depending on implementation platform constraints (here, I am
referring to some key agreement use cases with sensors (as part of
network join process), where being able to get rid of hash functions has
merit and where, e.g., differentiating secure storage for long-term and
ephemeral keying material is less relevant, although jeopardizing
provability).
Apologies for not have a crisp answer right away :(. I may have the
chance to revisit this later in more detail, perhaps early June.
BTW - now is your chance to sign up as CFRG co-chair
Best regards, Rene
On 5/14/2014 3:04 PM, Trevor Perrin wrote:
> Anyone know what the best version of MQV is? (HMQV, FHMQV, CMQV, SMQV, TMQV, ??)
>
>
> Trevor
> _______________________________________________
> Curves mailing list
> Curves at moderncrypto.org
> https://moderncrypto.org/mailman/listinfo/curves
--
email: rstruik.ext at gmail.com | Skype: rstruik
cell: +1 (647) 867-5658 | US: +1 (415) 690-7363
More information about the Curves
mailing list