On Wed, May 14, 2014 at 7:48 PM, Robert Ransom <[email protected]> wrote:
> On 5/14/14, Trevor Perrin <[email protected]> wrote:
>>
>> Maybe, but other protocols resist KCI.
>
> If you want that feature in a mutual-authentication protocol,

Since resisting KCI is a design goal of MQV and descendants, it would be nice to have in an alternative IMO.

> you
> could use CDH(P, A, Y_1) + CDH(P, X_1, B) + CDH(P, Y_1, Y_2) as the
> secret input to the KDF.

That's cool!, if it's secure it seems like a better extension of Ace to mutual-auth.

It's similar to TripleDH but each party has 2 ephemerals instead of 1, and the 3 ECDHs are added together before being hashed into a session key. (Also similar to MTI/A0 with an ephemeral-ephemeral op added.)

But it could be faster than TripleDH because you could use Shamir's trick to compute the sum of the 3 ECDHs.

Assuming MQV is ~2x faster than TripleDH:
 - 1.5 variable-base ops, 1 fixed-base (MQV)
vs
 - 3 variable-base ops, 1 fixed-base (TripleDH)

I wonder how close to MQV speed this could get?:
 - 1 variable-base triple-op, 2 fixed-base

Trevor
_______________________________________________
Curves mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/curves
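The following is an added example, not code from this thread or from any of the protocols it names: it shows the "variable-base triple-op" via Shamir's trick and checks that both parties derive the same KDF input. Assumptions: a toy multiplicative group modulo a prime stands in for the curve (so the sum of three ECDH results becomes a product), the third term is taken between each party's second ephemeral (named `x2`/`y2` here), and all function names are hypothetical.

```python
import secrets

# Toy stand-in for an elliptic-curve group (assumption, insecure parameters):
# integers modulo the prime 2^127 - 1 under multiplication.
P = 2**127 - 1
G = 3

def keypair():
    """Return (secret scalar, public element G^secret mod P)."""
    k = secrets.randbelow(P - 2) + 1
    return k, pow(G, k, P)

def triple_op(bases, scalars):
    """Shamir's trick: b0^s0 * b1^s1 * b2^s2 with one shared squaring
    chain instead of three independent exponentiations."""
    # table[m] = product of the bases selected by the bits of mask m
    table = [1] * 8
    for m in range(1, 8):
        low = m & -m  # lowest set bit of the mask
        table[m] = table[m ^ low] * bases[low.bit_length() - 1] % P
    acc = 1
    for i in reversed(range(max(s.bit_length() for s in scalars))):
        acc = acc * acc % P  # one squaring per scalar bit, shared by all three
        mask = sum(((s >> i) & 1) << j for j, s in enumerate(scalars))
        acc = acc * table[mask] % P
    return acc  # note: not constant-time; illustration only

def naive(bases, scalars):
    """Reference: three separate exponentiations, then combine."""
    out = 1
    for b, s in zip(bases, scalars):
        out = out * pow(b, s, P) % P
    return out

def run_exchange():
    """Each side holds one static key and two ephemerals."""
    a, A = keypair(); x1, X1 = keypair(); x2, X2 = keypair()  # initiator
    b, B = keypair(); y1, Y1 = keypair(); y2, Y2 = keypair()  # responder
    # Initiator: CDH(A, Y1) + CDH(X1, B) + CDH(X2, Y2), one triple-op.
    k_init = triple_op([Y1, B, Y2], [a, x1, x2])
    # Responder computes the same three terms from its own secrets.
    k_resp = triple_op([A, X1, X2], [y1, b, y2])
    return k_init, k_resp, naive([Y1, B, Y2], [a, x1, x2])

if __name__ == "__main__":
    ki, kr, kn = run_exchange()
    print("shared KDF input agrees:", ki == kr == kn)
```

The two fixed-base operations in the last cost estimate correspond to generating the two ephemeral public values, which `keypair()` does here with plain `pow`.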
