[curves] MQV

Michael Hamburg mike at shiftleft.org
Wed May 14 17:41:14 PDT 2014


On May 14, 2014, at 4:38 PM, Trevor Perrin <trevp at trevp.net> wrote:
> I think Certicom's US filings were in 1995 so should expire in 2015,
> which isn't that bad [1].
> 
> But IBM filed on HMQV, which I think doesn't expire till 2025 [2].

I skimmed the HMQV patent, partly to see whether it reads on MQV-related PAKE augmentation.
I think that there’s a good chance that it doesn’t read on PAKE augmentation, because all the
top-level claims specify that:
...
there exists no secret shared between said verifier and said signer that serves as a basis
for any argument in any of said F1, F2, F3, and F4
...
which is not true of a PAKE.

> So the original MQV is perhaps the closest to being feasible.  Are the
> enhancements in HMQV and successors that important?  I guess I should
> read that paper…

In addition to defeating the known (minor but not completely insignificant) attacks on MQV itself,
the HMQV paper makes the key exchange kosher by, eg, not using the x-coordinate of points
without passing them through a hash function first.  This is required for security proofs even in
edgy models like GapDH.

— Mike
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://moderncrypto.org/mail-archive/curves/attachments/20140514/b6b8fd47/attachment.html>


More information about the Curves mailing list