On May 14, 2014, at 4:38 PM, Trevor Perrin <[email protected]> wrote:
> I think Certicom's US filings were in 1995 so should expire in 2015,
> which isn't that bad [1].
>
> But IBM filed on HMQV, which I think doesn't expire till 2025 [2].
I skimmed the HMQV patent, partly to see whether it reads on MQV-related PAKE augmentation.
I think that there’s a good chance that it doesn’t read on PAKE augmentation, because all the top-level claims specify that:
...
there exists no secret shared between said verifier and said signer that serves as a basis for any argument in any of said F1, F2, F3, and F4
...
which is not true of a PAKE.
> So the original MQV is perhaps the closest to being feasible. Are the
> enhancements in HMQV and successors that important? I guess I should
> read that paper…
In addition to defeating the known (minor but not completely insignificant) attacks on MQV itself, the HMQV paper makes the key exchange kosher by, e.g., not using the x-coordinate of points without passing them through a hash function first. This is required for security proofs even in edgy models like GapDH.
— Mike
_______________________________________________
Curves mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/curves