On Wed, May 14, 2014 at 2:38 PM, Robert Ransom <[email protected]> wrote: > On 5/14/14, Trevor Perrin <[email protected]> wrote: >> Anyone know what the best version of MQV is? (HMQV, FHMQV, CMQV, SMQV, TMQV, >> ??) [cut] > > I don't see a good reason to use Schnorr's identification protocol > instead of DH authentication, even now that Schnorr's protocol is > legal to use.
There is a reason: the Schnorr protocol involves a fixed base exponentiation to a random exponent, while DH authentication involves a variable base exponentiation to a fixed exponent. If you are willing to burn ROM on a table with limited RAM and low CPU power, the Schnorr protocol is more efficient on the prover side. Sincerely, Watson Ladd > > > Robert Ransom > _______________________________________________ > Curves mailing list > [email protected] > https://moderncrypto.org/mailman/listinfo/curves -- "Those who would give up Essential Liberty to purchase a little Temporary Safety deserve neither Liberty nor Safety." -- Benjamin Franklin _______________________________________________ Curves mailing list [email protected] https://moderncrypto.org/mailman/listinfo/curves
