On Wed, Nov 20, 2013 at 08:36:30AM -0800, Watson Ladd wrote:
Is it just me, or is this protocol MQV with the client generating a fake long term key?
Well yeah sort of, but the "details" are crucial. In "Improving efficiency and simplicity of Tor circuit establishment and hidden services" (available on www.syverson.org or the anonbib) Lasse and I and presented a similar protocol and explicitly described how the similarity to and basis in MQV was a hopeful indicator that it was sound. But we didn't do a proper security analysis (in any model) in that paper, leaving that for future work. These authors found a vulnerability in that protocol, improved on it, and proved their protocol secure.
-Paul