On 5/2/06, Nick Mathewson <[EMAIL PROTECTED]> wrote:
On Tue, May 02, 2006 at 07:07:56PM -0400, Watson Ladd wrote:
> First some background:
> The NSA's Suite B uses a key negotiation mutual authentication method MQV.
> This method was found to be insecure, and so HMQV was created. HMQV uses a
> signature protocol called HCR twice in one exchange to generate a key. HCR
> can prove identity of one endpoint and negotiate a key in a two message
> exchange with great efficiency for both sides.
> In Tor the current key generation method is quite expensive. Would it be
> possible to change to HCR to improve efficiency?
Looks promising; we should see if this is standing in 5 years or so.
It's been proved equivalent in difficulty to CDH, but some more analysis would be a good idea.
For now, however, this doesn't look like a mature protocol to me. HCR
signatures appear to be introduced in the same paper as HMQV, which
was published in last year's Crypto [1]. A cursory Google search
shows some results (of what importance, I can't say) against HMQV and
HCR, with patches to those protocols in a proposed 'HMQV-1' that isn't
any faster than HMQV [2].
The NSA doesn't think so, but AES is now showing signs of weakness.
Moreover, it seems likely that HMQV is covered by the same patents as
MQV [3], which I believe are still in force.
In any case, I'd want to see a lot more analysis and research on these
systems before we used them in the real world; just because something
has been published in last year's Crypto doesn't mean it's secure.
Agreed. We don't want another MacGuffin (proposed in the morning, dead in the afternoon).
[1] http://eprint.iacr.org/2005/176.pdf
[2] http://eprint.iacr.org/2005/205.pdf
[3] http://www.certicom.com/index.php?action="">
yrs,
--
Nick Mathewson
--
"Those who would give up Essential Liberty to purchase a little Temporary Safety deserve neither Liberty nor Safety."
-- Benjamin Franklin