Security of DH key exchange

2003-06-20 Thread Jaap-Henk Hoepman

In practice the following method of exchanging keys using DH is used, to ensure
bit security of the resulting session key. If Alice and Bob exchange g^a and
g^b, the session key is defined as h(g^{ab}). This is mentioned in many
textbooks, but I can't find a reference to a paper discussing the security of
this in the following sense. If g^a etc. are computed over a field F of order
p, and h hashes F to {0,1}^n, under which conditions is h(g^{ab}) given g^a and
g^b indistinguishable from a randomly selected session key k? (where
indistinguishable would mean that the advantage of the adversary of
distinguishing h(g^{ab}) from k is negligible in _n_).

References to this are much appreciated.

Regards,
Jaap-Henk

-- 
Jaap-Henk Hoepman   |  I've got sunshine in my pockets
Dept. of Computer Science   |  Brought it back to spray the day
University of Nijmegen  |Gry Rocket
(w) www.cs.kun.nl/~jhh  |  (m) [EMAIL PROTECTED]
(t) +31 24 36 52710/531532  |  (f) +31 24 3653137


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Security of DH key exchange

2003-06-20 Thread Anton Stiglic

- Original Message - 
From: Jaap-Henk Hoepman [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, June 20, 2003 5:02 AM
Subject: Security of DH key exchange



> In practice the following method of exchanging keys using DH is used, to ensure
> bit security of the resulting session key. If Alice and Bob exchange g^a and
> g^b, the session key is defined as h(g^{ab}). This is mentioned in many
> textbooks, but I can't find a reference to a paper discussing the security of
> this in the following sense. If g^a etc. are computed over a field F of order
> p, and h hashes F to {0,1}^n, under which conditions is h(g^{ab}) given g^a and
> g^b indistinguishable from a randomly selected session key k? (where
> indistinguishable would mean that the advantage of the adversary of
> distinguishing h(g^{ab}) from k is negligible in _n_).

I don't know of any references that will explain this explicitly, but the
reasoning is simple:  You model h as a random oracle, which would imply that
if the minimum entropy of g^(ab) is at least n bits, then h(g^{ab}) will be
indistinguishable from a value chosen randomly for the set of n-bit strings.

For general information about DH, you can look at the following
manuscript:
http://crypto.cs.mcgill.ca/~stiglic/Papers/dhfull.pdf

--Anton


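A worked illustration of the two points raised in this thread, added here as an example and not code from either poster: why the raw value g^{ab} is not itself a good session key (over the full group Z_p^* its quadratic-residuosity bit is computable from the public values g^a and g^b, which is a textbook distinguisher), and what the reply's min-entropy condition amounts to once g is taken from a prime-order subgroup and h is modelled as a random oracle. SHA-256 stands in for h, the safe prime and generator are constructed at runtime and are far too small for real use, and the function names are this example's own.

```python
"""Added example: raw g^ab vs h(g^ab), and the min-entropy condition on n.
All parameters are constructed toy values, not for real use."""
import hashlib
import random

_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin; these bases are deterministic for n < 3.3e24."""
    if n < 2:
        return False
    for s in _MR_BASES:
        if n % s == 0:
            return n == s
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def find_safe_prime(bits: int, rng: random.Random) -> int:
    """Return p = 2q + 1 with p and q both prime and p exactly `bits` long."""
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1


def is_quadratic_residue(x: int, p: int) -> bool:
    """Euler's criterion: x is a square mod p iff x^((p-1)/2) == 1."""
    return pow(x, (p - 1) // 2, p) == 1


def find_full_group_generator(p: int, rng: random.Random) -> int:
    """For a safe prime, any non-residue other than p-1 generates all of Z_p^*."""
    while True:
        g = rng.randrange(2, p - 1)
        if not is_quadratic_residue(g, p):
            return g


def predict_qr_bit(ga: int, gb: int, p: int) -> bool:
    """If g generates all of Z_p^*, g^a is a residue iff a is even, so whether
    g^ab is a residue follows from the public values alone."""
    return is_quadratic_residue(ga, p) or is_quadratic_residue(gb, p)


def qr_distinguisher_advantage(p, g, order, trials, rng, sample_fake):
    """|Pr[test matches | real g^ab] - Pr[test matches | fake from sample_fake]|."""
    hits_real = hits_fake = 0
    for _ in range(trials):
        a, b = rng.randrange(1, order), rng.randrange(1, order)
        ga, gb = pow(g, a, p), pow(g, b, p)
        pred = predict_qr_bit(ga, gb, p)
        hits_real += is_quadratic_residue(pow(ga, b, p), p) == pred
        hits_fake += is_quadratic_residue(sample_fake(rng), p) == pred
    return abs(hits_real - hits_fake) / trials


def max_key_bits(q: int) -> int:
    """With g of prime order q and a, b uniform in [1, q-1], g^ab is uniform over
    q-1 values, so its min-entropy is log2(q-1); n must not exceed that."""
    return (q - 1).bit_length() - 1


def derive_session_key(shared: int, p: int, n_bits: int) -> bytes:
    """h(g^ab): SHA-256 stands in for the random oracle h; the secret is encoded
    at fixed width so equal values always hash to the same key."""
    if n_bits % 8 or n_bits > 256:
        raise ValueError("n must be a multiple of 8 and at most 256")
    width = (p.bit_length() + 7) // 8
    return hashlib.sha256(shared.to_bytes(width, "big")).digest()[: n_bits // 8]


def demo(bits=64, trials=400, seed=1):
    rng = random.Random(seed)
    p = find_safe_prime(bits, rng)
    q = (p - 1) // 2
    g = find_full_group_generator(p, rng)
    # Full group, raw g^ab: the residuosity bit leaks, advantage close to 1/2.
    adv_full = qr_distinguisher_advantage(
        p, g, p - 1, trials, rng, lambda r: r.randrange(1, p))
    # Prime-order subgroup g^2: every element is a residue, advantage exactly 0.
    g2 = pow(g, 2, p)
    adv_sub = qr_distinguisher_advantage(
        p, g2, q, trials, rng, lambda r: pow(r.randrange(1, p), 2, p))
    # Both sides hash the same shared secret to n <= log2(q-1) bits.
    a, b = rng.randrange(1, q), rng.randrange(1, q)
    n = max_key_bits(q) // 8 * 8
    key_a = derive_session_key(pow(pow(g2, b, p), a, p), p, n)
    key_b = derive_session_key(pow(pow(g2, a, p), b, p), p, n)
    return adv_full, adv_sub, max_key_bits(q), key_a, key_a == key_b


if __name__ == "__main__":
    print(demo())
```

The residuosity test is only the most obvious leak of the raw group element; the point of hashing is that under the random-oracle model no structure of F survives, so the only condition left is the one in the reply, that g^{ab} carries at least n bits of min-entropy, which here is enforced by `max_key_bits`.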