On 5/14/14, Trevor Perrin <[email protected]> wrote:
> Anyone know what the best version of MQV is? (HMQV, FHMQV, CMQV, SMQV, TMQV,
> ??)
I assume that anything with “MQV” in its name is patented, so I've only looked at the original MQV, and only cursorily (just enough to verify that ‘Ace’ doesn't look anything like MQV).

My recommendations would be:

* If you are willing to implement and use a signature scheme, have the server sign a (DH public key, time interval) certificate and send it.

* If you are willing to require that authentication public keys live in the same group as the forward-secrecy keypairs, and don't want to use signatures, consider ‘Ace’ (a variant of the 1986 ‘MTI/C0’ protocol described in the original MQV paper). (‘Ace’ can be modified to perform mutual authentication by replacing the client's X_1 ephemeral keypair with a long-term authentication keypair.)

* If you don't want to use signatures and you don't want to do authentication in the same group as forward secrecy, use a straightforward DH authentication protocol (like e.g. ntor or what you've called ‘Triple-DH’).

I don't see a good reason to use Schnorr's identification protocol instead of DH authentication, even now that Schnorr's protocol is legal to use.


Robert Ransom

_______________________________________________
Curves mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/curves
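The third recommendation above is a "straightforward DH authentication protocol" of the Triple-DH kind: each side holds a long-term authentication keypair and a fresh ephemeral keypair, and the session key is derived from three DH outputs (long-term/ephemeral, ephemeral/long-term, ephemeral/ephemeral), so that an attacker who lacks a party's long-term private key cannot compute the key, while the ephemeral/ephemeral term gives forward secrecy. The following is an added worked example, not code from this post or from any project Trevor or Robert describes. It assumes X25519 (RFC 7748) as the group, SHA-256 over the concatenated DH outputs as the key-derivation step, and the function names `client_3dh`/`server_3dh`, and it assumes that this three-DH construction is what the reply means by ‘Triple-DH’; the X25519 ladder is written out in pure Python so the block runs without third-party libraries, with a plain (non-constant-time) conditional swap that a production implementation would replace.

```python
"""Triple-DH over X25519 (added illustration; not code from the Curves list)."""
import hashlib
import os

P = 2**255 - 19          # field prime for Curve25519
A24 = 121665             # (486662 - 2) / 4, the ladder constant from RFC 7748
BASEPOINT = (9).to_bytes(32, "little")


def _clamp(k: bytes) -> int:
    """Decode a 32-byte private scalar with the RFC 7748 clamping rules."""
    s = bytearray(k)
    s[0] &= 248
    s[31] &= 127
    s[31] |= 64
    return int.from_bytes(s, "little")


def x25519(k: bytes, u: bytes) -> bytes:
    """Scalar multiplication on the Montgomery curve (RFC 7748 section 5).

    The conditional swap below is data-dependent and therefore NOT constant
    time; it is kept simple for readability only.
    """
    scalar = _clamp(k)
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)   # mask the top bit
    x2, z2, x3, z3 = 1, 0, x1, 1
    swap = 0
    for t in range(254, -1, -1):
        kt = (scalar >> t) & 1
        swap ^= kt
        if swap:
            x2, x3 = x3, x2
            z2, z3 = z3, z2
        swap = kt
        a = (x2 + z2) % P
        aa = a * a % P
        b = (x2 - z2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x3 + z3) % P
        d = (x3 - z3) % P
        da = d * a % P
        cb = c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3 = x3, x2
        z2, z3 = z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def dh(priv: bytes, pub: bytes) -> bytes:
    """X25519 shared secret, rejecting the all-zero output that low-order
    peer points produce (RFC 7748 section 6.1 check)."""
    out = x25519(priv, pub)
    if out == bytes(32):
        raise ValueError("peer public key is a low-order point")
    return out


def keygen() -> tuple:
    """Fresh (private, public) X25519 keypair from os.urandom."""
    sk = os.urandom(32)
    return sk, x25519(sk, BASEPOINT)


def client_3dh(a_priv: bytes, x_priv: bytes, B_pub: bytes, Y_pub: bytes) -> bytes:
    """Client side: long-term a, ephemeral x; server long-term B, ephemeral Y."""
    secrets = dh(a_priv, Y_pub) + dh(x_priv, B_pub) + dh(x_priv, Y_pub)
    return hashlib.sha256(b"3DH" + secrets).digest()


def server_3dh(b_priv: bytes, y_priv: bytes, A_pub: bytes, X_pub: bytes) -> bytes:
    """Server side: the same three DH values computed with the mirrored keys."""
    secrets = dh(y_priv, A_pub) + dh(b_priv, X_pub) + dh(y_priv, X_pub)
    return hashlib.sha256(b"3DH" + secrets).digest()


def run_handshake() -> dict:
    """Generate both parties' keys, derive the key on each side, and compare."""
    a_sk, A_pk = keygen()   # client long-term (authentication) key
    x_sk, X_pk = keygen()   # client ephemeral key
    b_sk, B_pk = keygen()   # server long-term (authentication) key
    y_sk, Y_pk = keygen()   # server ephemeral key
    ck = client_3dh(a_sk, x_sk, B_pk, Y_pk)
    sk = server_3dh(b_sk, y_sk, A_pk, X_pk)
    return {"client_key": ck, "server_key": sk, "match": ck == sk}


if __name__ == "__main__":
    print(run_handshake()["match"])
```

In practice the KDF input also binds the transcript (both identities and all four public keys) so that a substituted key is detected, and a message authenticated under the derived key confirms to each side that the peer really holds its long-term private key; the block stops at the key derivation to keep the three DH terms visible.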
