[curves] MQV
Johannes Merkle
johannes.merkle at secunet.com
Thu May 15 04:21:16 PDT 2014
Watson Ladd wrote on 14.05.2014 23:44:
> On Wed, May 14, 2014 at 2:38 PM, Robert Ransom <rransom.8774 at gmail.com> wrote:
>> On 5/14/14, Trevor Perrin <trevp at trevp.net> wrote:
>>> Anyone know what the best version of MQV is? (HMQV, FHMQV, CMQV, SMQV, TMQV,
>>> ??)
> [cut]
>>
>> I don't see a good reason to use Schnorr's identification protocol
>> instead of DH authentication, even now that Schnorr's protocol is
>> legal to use.
>
> There is a reason: the Schnorr protocol involves a fixed base
> exponentiation to a random exponent, while DH authentication involves
> a variable base exponentiation to a fixed exponent. If you are willing
> to burn ROM on a table with limited RAM and low CPU power, the Schnorr
> protocol is more efficient on the prover side.
>
In addition, this exponentiation can be done in advance (pre-computation). The online computation is extremely fast.
--
Johannes
More information about the Curves
mailing list