On Tue, Apr 8, 2014 at 7:48 PM, Douglas Stebila <[email protected]> wrote: > NIST SP-800-56a goes over a range of ephemeral-static DH combinations and is > a bit more recent.
What William describes is "unified model" in SP800-56A. It lacks resistance to "key compromise impersonation" - if I get your private key, I can impersonate anyone else to you. Doing a pair of ephemeral-static DHs (Kudla-Paterson, KEA/KEA+, etc.) for a mutually-authenticated key agreement resists this. Adding the 3rd ephemeral-ephemeral DH (mentioned by Kudla-Paterson, similar to NAXOS) adds forward secrecy if both static keys are revealed. Trevor _______________________________________________ Curves mailing list [email protected] https://moderncrypto.org/mailman/listinfo/curves
