Hi Trevor:

It all depends on what one wishes to optimize for. Lots of variants depend on assumptions on attack models (e.g., ephemeral key exposure, etc.). What deployment use case do you have in mind and what properties do you seek? It could even be that the original version has benefits in practice, depending on implementation platform constraints (here, I am referring to some key agreement use cases with sensors (as part of network join process), where being able to get rid of hash functions has merit and where, e.g., differentiating secure storage for long-term and ephemeral keying material is less relevant, although jeopardizing provability).

Apologies for not having a crisp answer right away :(. I may have the chance to revisit this later in more detail, perhaps early June.

BTW - now is your chance to sign up as CFRG co-chair

Best regards, Rene


On 5/14/2014 3:04 PM, Trevor Perrin wrote:
Anyone know what the best version of MQV is? (HMQV, FHMQV, CMQV, SMQV, TMQV, ??)


Trevor
_______________________________________________
Curves mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/curves


--
email: [email protected] | Skype: rstruik
cell: +1 (647) 867-5658 | US: +1 (415) 690-7363
