On 5/14/14, Watson Ladd <[email protected]> wrote:
> On Wed, May 14, 2014 at 2:38 PM, Robert Ransom <[email protected]> wrote:
>> On 5/14/14, Trevor Perrin <[email protected]> wrote:
>>> Anyone know what the best version of MQV is? (HMQV, FHMQV, CMQV, SMQV, TMQV, ??)
> [cut]
>>
>> I don't see a good reason to use Schnorr's identification protocol
>> instead of DH authentication, even now that Schnorr's protocol is
>> legal to use.
>
> There is a reason: the Schnorr protocol involves a fixed base
> exponentiation to a random exponent, while DH authentication involves
> a variable base exponentiation to a fixed exponent. If you are willing
> to burn ROM on a table with limited RAM and low CPU power, the Schnorr
> protocol is more efficient on the prover side.

* Schnorr identification requires a minimum of two messages in each
  direction (the verifier must commit to the challenge at the
  beginning of the protocol), which adds both complexity and latency
  to the protocol.

* Schnorr identification requires that the prover implement both
  arithmetic routines modulo the group order and a verification
  routine for some commitment scheme (preferably hash-based, for
  performance reasons). That's most of the code needed for a (more
  generally useful) signature system.

If the main goal is performance, Schnorr identification is strictly
worse than a signed ephemeral DH public key. If the main goal is
deniability, DH authentication is simpler and still faster than
Schnorr identification (because it does not require the extra round
trip).


Robert Ransom
_______________________________________________
Curves mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/curves
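
Added example, not part of the original message: the two message flows compared above (Schnorr identification with a verifier-committed challenge, and DH authentication), run side by side with a per-direction message count. The toy group, the function names, the SHA-256 commitment and the simplified confirmation tag are assumptions chosen for illustration.

```python
import hashlib, hmac, secrets

# Toy group, constructed for illustration and far too small for real use:
# P = 2Q + 1 with P, Q prime; G = 4 generates the subgroup of order Q.
P, Q, G = 2039, 1019, 4

def commit(c, nonce):
    # Hash-based commitment to the challenge c
    return hashlib.sha256(nonce + c.to_bytes(2, "big")).digest()

def schnorr_identify(x, X, bad_opening=False):
    """One session; returns (accepted, verifier_msgs, prover_msgs)."""
    # V -> P (1): verifier commits to its challenge before seeing R
    c, nonce = secrets.randbelow(Q - 1) + 1, secrets.token_bytes(16)
    com = commit(c, nonce)
    # P -> V (1): fixed-base exponentiation to a random exponent
    k = secrets.randbelow(Q - 1) + 1
    R = pow(G, k, P)
    # V -> P (2): verifier opens the commitment (optionally to a wrong value)
    opened = (c + 1) % Q if bad_opening else c
    # Prover must run the commitment verification routine before answering
    if not hmac.compare_digest(commit(opened, nonce), com):
        return False, 2, 1  # prover aborts without sending a response
    # P -> V (2): response needs arithmetic modulo the group order Q
    s = (k + opened * x) % Q
    return pow(G, s, P) == (R * pow(X, opened, P)) % P, 2, 2

def dh_authenticate(x, X):
    """One session; returns (accepted, verifier_msgs, prover_msgs)."""
    # V -> P (1): ephemeral public key E = G^e
    e = secrets.randbelow(Q - 1) + 1
    E = pow(G, e, P)
    # P -> V (1): variable-base exponentiation to the fixed exponent x,
    # then a confirmation tag over the shared secret (simplified KDF)
    tag_p = hashlib.sha256(pow(E, x, P).to_bytes(2, "big")).digest()
    # Verifier recomputes the same tag from the prover's public key X
    tag_v = hashlib.sha256(pow(X, e, P).to_bytes(2, "big")).digest()
    return hmac.compare_digest(tag_p, tag_v), 1, 1

if __name__ == "__main__":
    x = secrets.randbelow(Q - 1) + 1  # prover's long-term secret
    X = pow(G, x, P)                  # prover's long-term public key
    print("Schnorr:", schnorr_identify(x, X))
    print("DH auth:", dh_authenticate(x, X))
```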
