<br><br><div><span class="gmail_quote">On 5/2/06, <b class="gmail_sendername">Nick Mathewson</b> <<a href="mailto:nickm@freehaven.net">nickm@freehaven.net</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
On Tue, May 02, 2006 at 07:07:56PM -0400, Watson Ladd wrote:<br>> First some background:<br>> The NSA's Suite B uses a key negotiation mutual authentication method MQV.<br>> This method was found to be insecure, and so HMQV was created. HMQV uses a
<br>> signature protocol called HCR twice in one exchange to generate a key. HCR<br>> can prove identity of one endpoint and negotiate a key in a two-message<br>> exchange with great efficiency for both sides.<br>> In Tor the current key generation method is quite expensive. Would it be
<br>> possible to change to HCR to improve efficiency?<br><br>Looks promising; we should see if this is standing in 5 years or so.</blockquote><div><br>It's been proved equivalent in difficulty to CDH, but some more analysis would be a good idea.
<br></div><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">For now, however, this doesn't look like a mature protocol to me. HCR<br>signatures appear to be introduced in the same paper as HMQV, which
<br>was published in last year's Crypto [1]. A cursory Google search<br>shows some results (of what importance, I can't say) against HMQV and<br>HCR, with patches to those protocols in a proposed 'HMQV-1' that isn't<br>any faster than HMQV [2].
</blockquote><div><br>The NSA doesn't think so, but AES is now showing signs of weakness.<br></div><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Moreover, it seems likely that HMQV is covered by the same patents as<br>MQV [3], which I believe are still in force.</blockquote><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
In any case, I'd want to see a lot more analysis and research on these<br>systems before we used them in the real world; just because something<br>has been published in last year's Crypto doesn't mean it's secure.</blockquote>
<div><br>Agreed. We don't want another MacGuffin (proposed in the morning, dead in the afternoon). <br></div><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
[1] <a href="http://eprint.iacr.org/2005/176.pdf">http://eprint.iacr.org/2005/176.pdf</a><br>[2] <a href="http://eprint.iacr.org/2005/205.pdf">http://eprint.iacr.org/2005/205.pdf</a><br>[3] <a href="http://www.certicom.com/index.php?action=ip,protocol">
http://www.certicom.com/index.php?action=ip,protocol</a><br><br>yrs,<br>--<br>Nick Mathewson<br><br><br></blockquote></div><br><br clear="all"><br>-- <br>"Those who would give up Essential Liberty to purchase a little Temporary Safety deserve neither Liberty nor Safety."
<br>-- Benjamin Franklin