On 5/14/14, Trevor Perrin <[email protected]> wrote:
> On Wed, May 14, 2014 at 7:48 PM, Robert Ransom <[email protected]>
> wrote:
>> On 5/14/14, Trevor Perrin <[email protected]> wrote:
>>>
>>> Maybe, but other protocols resist KCI.
>>
>> If you want that feature in a mutual-authentication protocol,
>
> Since resisting KCI is a design goal of MQV and descendants, it would
> be nice to have in an alternative IMO.
>
>> you
>> could use CDH(P, A, Y_1) + CDH(P, X_1, B) + CDH(P, Y_1, Y_2) as the

Er. The last term should be CDH(P, X_2, Y_2).

>> secret input to the KDF.
>
> That's cool!, if it's secure it seems like a better extension of Ace
> to mutual-auth. It's similar to TripleDH but each party has 2
> ephemerals instead of 1, and the 3 ECDHs are added together before
> being hashed into a session key.

It does need a systematic security analysis.

(It also needs a name -- “Mace”? “Deuce”? Insert random winged insect
name here?)

> (Also similar to MTI/A0 with an
> ephemeral-ephemeral op added.)

I thought Ace was similar to MTI/C0, not MTI/A0.

Remember that the MTI protocol didn't specify to include the public
keys in the KDF input. Ace is only secure if you hash all of the
public keys along with the secret group element. (Otherwise, an
attacker can MITM a connection, sending the client Y=0 and sending the
server X_2=0. This allows two attacks:

* The attacker can start a second connection to the same server,
  sending the same X_1 and X_2=0, and the server will open a second
  connection with the same symmetric key material, which is usually a
  disaster. (A nonce sent by the server and included in the hash would
  prevent this -- but anyone who does that would also hash the public
  keys in the first place.)

* Setting those ephemeral keys to 0 removes forward secrecy for the
  connection; the attacker can then grab the server's long-term secret
  key s and decrypt the connection data.)

> But it could be faster than TripleDH because you could use Shamir's
> trick to compute the sum of the 3 ECDHs.
>
> Assuming MQV is ~2x faster than TripleDH:
> - 1.5 variable-base ops, 1 fixed-base (MQV) vs
> - 3 variable-base ops, 1 fixed-base (TripleDH)
>
> I wonder how close to MQV speed this could get?:
> - 1 variable-base triple-op, 2 fixed-base

Again, remember that in TripleDH and the Ace variants, the fixed-base
exponentiations (to generate ephemeral keypairs) can be reused across
multiple protocol runs *if* the parties which reuse their keys each
contribute a nonce to the shared key. (This does make the protocol
runs linkable, but that's often acceptable.) I suspect that that's not
safe in MQV.

Robert Ransom

_______________________________________________
Curves mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/curves
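The handshake discussed in this thread, as an added worked example that is not code from the list or from either poster. It computes the combined secret CDH(P, A, Y_1) + CDH(P, X_1, B) + CDH(P, X_2, Y_2) on both sides and hashes it together with all six public values, as the message above says is necessary. To stay self-contained it uses a constructed prime-order subgroup of Z_p^* (p = 2039, q = 1019, generator 4) instead of an elliptic curve, so the curve's point addition becomes multiplication mod p, scalar multiplication becomes exponentiation, and the identity element "0" becomes 1; the KDF label, the element-validation rule and the function names are all assumptions of this example. `unchecked_client_combined` exists only to show the loss-of-forward-secrecy point from the message: if a peer's ephemerals are accepted as the identity, the client's combined secret collapses to the single term CDH(P, X_1, B), which depends on nothing but the server's long-term key and X_1.

```python
"""Toy two-ephemeral "sum of three DH" handshake over a prime-order
subgroup of Z_p^*.  Constructed example, not code from the thread."""
import hashlib
import secrets

# Constructed toy parameters: p = 2q + 1 with p, q prime.  G = 4 is a
# quadratic residue mod p, so it generates the subgroup of prime order q.
# Mapping to the thread's curve notation: point addition -> multiplication
# mod p, scalar multiplication -> exponentiation, the identity "0" -> 1.
P = 2039
Q = 1019
G = 4


def keygen(rng=secrets.randbelow):
    """Fixed-base op: private scalar in [1, q-1] and public element G^x."""
    x = rng(Q - 1) + 1
    return x, pow(G, x, P)


def cdh(private, peer_public):
    """CDH(P, X, Y) in the thread's notation: the shared element Y^x."""
    return pow(peer_public, private, P)


def is_valid_element(y):
    """Reject the identity ("0" in curve notation) and anything outside the
    order-q subgroup, so a peer cannot zero out a term of the combined secret."""
    return 1 < y < P and pow(y, Q, P) == 1


def encode(n):
    """Fixed-width encoding; every element here is below 2**16."""
    return n.to_bytes(2, "big")


def kdf(A, B, X1, X2, Y1, Y2, combined):
    """Hash every public value together with the combined secret element."""
    h = hashlib.sha256(b"toy-sum-of-three-dh-v0")  # label is an assumption
    for v in (A, B, X1, X2, Y1, Y2, combined):
        h.update(encode(v))
    return h.digest()


def client_derive(a, x1, x2, A, X1, X2, B, Y1, Y2):
    """Client side: long-term (a, A), ephemerals (x1, X1) and (x2, X2)."""
    for elem in (B, Y1, Y2):
        if not is_valid_element(elem):
            raise ValueError("invalid group element from peer")
    # CDH(P, A, Y_1) + CDH(P, X_1, B) + CDH(P, X_2, Y_2), as a product mod p
    combined = (cdh(a, Y1) * cdh(x1, B) * cdh(x2, Y2)) % P
    return kdf(A, B, X1, X2, Y1, Y2, combined)


def server_derive(b, y1, y2, B, Y1, Y2, A, X1, X2):
    """Server side: long-term (b, B), ephemerals (y1, Y1) and (y2, Y2)."""
    for elem in (A, X1, X2):
        if not is_valid_element(elem):
            raise ValueError("invalid group element from peer")
    combined = (cdh(y1, A) * cdh(b, X1) * cdh(y2, X2)) % P
    return kdf(A, B, X1, X2, Y1, Y2, combined)


def unchecked_client_combined(a, x1, x2, B, Y1, Y2):
    """Combined secret with NO element validation, for illustration only:
    with Y1 = Y2 = identity only the CDH(P, X_1, B) term survives."""
    return (cdh(a, Y1) * cdh(x1, B) * cdh(x2, Y2)) % P


def run_handshake():
    """Both sides of one protocol run; returns (client_key, server_key)."""
    a, A = keygen()
    b, B = keygen()
    x1, X1 = keygen()
    x2, X2 = keygen()
    y1, Y1 = keygen()
    y2, Y2 = keygen()
    k_client = client_derive(a, x1, x2, A, X1, X2, B, Y1, Y2)
    k_server = server_derive(b, y1, y2, B, Y1, Y2, A, X1, X2)
    return k_client, k_server


if __name__ == "__main__":
    kc, ks = run_handshake()
    print("keys match:", kc == ks)
```

The three `cdh` calls are written out separately so the algebra is visible; a real implementation would use the multi-scalar (Shamir's trick) evaluation Trevor mentions and a proper curve library, and would also add the per-run nonce the message describes if ephemeral keypairs are reused across runs.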
