Maybe 3-pass MQV? 2-pass MQV has been shown to be subject to Unknown Key Sharing attack.
In 3-pass MQV, so long as the explicit key confirmation function includes user identities (not all MQV standards documents seem to do that), then the UKS attack won't work. No one seems to have found other attacks. One downside is that it requires one more pass than (implicitly authenticated) 2-pass AKE counterparts, so round efficiency degrades a bit. However, patent can be a major obstacle for using MQV. Feng On 14/05/2014 20:04, "Trevor Perrin" <[email protected]> wrote: >Anyone know what the best version of MQV is? (HMQV, FHMQV, CMQV, SMQV, >TMQV, ??) > > >Trevor >_______________________________________________ >Curves mailing list >[email protected] >https://moderncrypto.org/mailman/listinfo/curves _______________________________________________ Curves mailing list [email protected] https://moderncrypto.org/mailman/listinfo/curves
