
MQV

MQV (Menezes–Qu–Vanstone) is an authenticated protocol for key agreement based on the Diffie–Hellman scheme. Like other authenticated Diffie–Hellman schemes, MQV provides protection against an active attacker. The protocol can be modified to work in an arbitrary finite group, and, in particular, elliptic curve groups, where it is known as elliptic curve MQV (ECMQV).

MQV was initially proposed by Menezes, Qu and Vanstone in 1995. It was modified with Law and Solinas in 1998. There are one-, two- and three-pass variants. MQV is incorporated in the public-key standard IEEE P1363 and NIST's SP800-56A standard. Some variants of MQV are claimed in patents assigned to Certicom. ECMQV has been dropped from the National Security Agency's Suite B set of cryptographic standards.

Alice has a key pair $(A,a)$ with $A$ her public key and $a$ her private key, and Bob has the key pair $(B,b)$ with $B$ his public key and $b$ his private key.

In the following, $\bar{R}$ has the following meaning. Let $R=(x,y)$ be a point on an elliptic curve. Then $\bar{R}=(x \bmod 2^{L})+2^{L}$, where $L=\left\lceil \frac{\lfloor \log_{2} n\rfloor +1}{2}\right\rceil$ and $n$ is the order of the used generator point $P$. So $\bar{R}$ is the first $L$ bits of the first coordinate of $R$.
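The sketch below is an added example, not code from the original page: it computes $L$ and $\bar{R}$ as defined above and, going beyond the text on this page, uses them in the standard two-pass ECMQV computation (ephemeral pairs $(X,x)$, $(Y,y)$ and cofactor $h$) to show both parties reaching the same point. The 19-point curve, the key values and all function names are constructed for illustration; public-key validation and key derivation are omitted.

```python
# Toy ECMQV on a constructed 19-point curve; illustration only, not secure.
P_MOD, A_COEF = 17, 2        # y^2 = x^3 + 2x + 2 over F_17 (constructed)
G, N, H = (5, 1), 19, 1      # generator P, its order n, cofactor h

def add(p, q):
    """Affine point addition; None is the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    if p == q:
        s = (3 * x1 * x1 + A_COEF) * pow(2 * y1, -1, P_MOD)
    else:
        s = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD)
    x3 = (s * s - x1 - x2) % P_MOD
    return (x3, (s * (x1 - x3) - y1) % P_MOD)

def mul(k, p):
    """Double-and-add scalar multiplication (not constant time)."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, p)
        p, k = add(p, p), k >> 1
    return acc

def half_bits(n):
    # L = ceil((floor(log2 n) + 1) / 2); bit_length avoids float log2 error.
    return (n.bit_length() + 1) // 2

def bar(point):
    """R-bar = (x mod 2^L) + 2^L for the generator order N."""
    l = half_bits(N)
    return (point[0] % (1 << l)) + (1 << l)

def shared_point(static_priv, eph_priv, peer_static, peer_eph):
    """One side's result: K = h * S * (peer_eph + bar(peer_eph) * peer_static)."""
    eph_pub = mul(eph_priv, G)
    s = (eph_priv + bar(eph_pub) * static_priv) % N   # implicit signature S
    k = mul(H * s, add(peer_eph, mul(bar(peer_eph), peer_static)))
    if k is None:
        raise ValueError("shared point is the point at infinity; abort")
    return k

def demo():
    a, b, x, y = 3, 7, 5, 11                 # constructed private values
    A, B, X, Y = (mul(k, G) for k in (a, b, x, y))
    return shared_point(a, x, B, Y), shared_point(b, y, A, X)
```

`demo()` returns Alice's and Bob's results, which are the same curve point. Because $\bar{R}$ always has the $2^{L}$ bit set, it is never zero, so the static private key always contributes to $S$.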

[ "Key exchange", "Elliptic curve cryptography" ]