----- Original Message -----
From: "Jaap-Henk Hoepman" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, June 20, 2003 5:02 AM
Subject: Security of DH key exchange

> In practice the following method of exchanging keys using DH is used, to ensure
> bit security of the resulting session key. If Alice and Bob exchange g^a and
> g^b, the session key is defined as h(g^{ab}). This is mentioned in many
> textbooks, but I can't find a reference to a paper discussing the security of
> this in the following sense. If g^a etc. are computed over a field F of order
> p, and h hashes F to {0,1}^n, under which conditions is h(g^{ab}), given g^a and
> g^b, indistinguishable from a randomly selected session key k? (Here
> indistinguishable would mean that the advantage of the adversary in
> distinguishing h(g^{ab}) from k is negligible in _n_.)

I don't know of any references that will explain this explicitly, but the reasoning is simple: you model h as a random oracle, which implies that if the minimum entropy of g^{ab} is at least n bits, then h(g^{ab}) will be indistinguishable from a value chosen uniformly at random from the set of n-bit strings.

For general information about DH, you can look at the following manuscript:
http://crypto.cs.mcgill.ca/~stiglic/Papers/dhfull.pdf

--Anton

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
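The condition in Anton's reply is on the min-entropy of g^{ab} itself, not on the hash output length, so the following added example (not code from the thread; the toy parameters p = 227, q = 113, g = 4 and the secrets 5 and 7 are constructed here) derives h(g^{ab}) with a truncated SHA-256 and then enumerates every exponent pair in a tiny prime-order group to measure how much min-entropy g^{ab} actually carries, including the loss from allowing a zero exponent and the collapse when g has small order.

```python
import hashlib
import math
from collections import Counter

# Constructed toy parameters (far too small for real use, chosen so every
# (a, b) pair can be enumerated): p = 2q + 1 with q prime, and G = 4 = 2^2
# generates the order-q subgroup of quadratic residues mod p.
P = 227   # 227 = 2 * 113 + 1
Q = 113
G = 4

def dh_public(secret: int, g: int = G, p: int = P) -> int:
    """Alice's g^a (or Bob's g^b), the value sent over the wire."""
    return pow(g, secret, p)

def session_key(my_secret: int, their_public: int, n_bits: int, p: int = P) -> bytes:
    """h(g^{ab}) with h = SHA-256 truncated to n bits (n a multiple of 8 here)."""
    shared = pow(their_public, my_secret, p)
    encoded = shared.to_bytes((p.bit_length() + 7) // 8, "big")
    return hashlib.sha256(encoded).digest()[: n_bits // 8]

def min_entropy_bits(g: int, p: int, order: int, exclude_zero: bool = False) -> float:
    """Min-entropy (-log2 of the most likely value) of g^{ab} for uniform a, b.

    Exponents are drawn from [0, order), or from [1, order) when exclude_zero
    is set.  The random-oracle argument only justifies an n-bit session key
    when this value is at least n.
    """
    exponents = range(1, order) if exclude_zero else range(order)
    counts = Counter()
    for a in exponents:
        g_a = pow(g, a, p)
        for b in exponents:
            counts[pow(g_a, b, p)] += 1
    total = len(exponents) ** 2
    return -math.log2(max(counts.values()) / total)

if __name__ == "__main__":
    a, b = 5, 7  # constructed secrets; real ones come from a CSPRNG
    assert session_key(a, dh_public(b), 64) == session_key(b, dh_public(a), 64)
    # A zero exponent forces g^{ab} = 1, roughly doubling that value's
    # probability and costing about one bit of min-entropy.
    print("a,b in [0,q): %.2f bits (log2 q = %.2f)"
          % (min_entropy_bits(G, P, Q), math.log2(Q)))
    print("a,b in [1,q): %.2f bits" % min_entropy_bits(G, P, Q, exclude_zero=True))
    # With an order-2 generator g^{ab} carries under one bit, so hashing it
    # to 64 bits does not produce a 64-bit key no matter how good h is.
    print("order-2 g:    %.2f bits" % min_entropy_bits(P - 1, P, 2))
```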