Hi All, I'm working on an implementation of FHMQV. The math works out and a shared secret is derived by both parties.
FHMQV is Fully Hashed MQV, and applies a hash function at key points to remediate information leakage. One of those points is just before the shared secret is output.

In classical Diffie-Hellman, the shared secret size is that of an element over the field. If using, for example, NIST P-521, the element's size would be 66 bytes. However, because the shared secret (an element) is hashed, the size is reduced to the block size of the hash. If using SHA-512, that means the secret is 64 bytes.

My question: since I cannot find a reference implementation, what is the size of the shared secret under FHMQV? Should I use the element's size (66) and repeatedly apply the hash and take the leftmost l-bits (similar to a KDF)? Or should the shared secret size be reduced to that of the hash's block size (64)?

In either case, I believe the same amount of information is present. But if using the first method (leftmost l-bits), it might appear more bits are present due to iteratively applying the hash function (if security levels are a concern).

As I have thought about it, I'm inclined to go with the hash's block size.

Jeff
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
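
The two output-size options weighed in the message above, side by side, as an added example that is not part of the original post and not taken from any FHMQV reference code. The counter-mode construction `SHA-512(counter || sigma)`, the function names and the sample element value are assumptions made for illustration.

```python
import hashlib

ELEMENT_LEN = 66   # bytes in a P-521 field element, as stated in the post
DIGEST_LEN = 64    # SHA-512 output size in bytes

def encode_element(x: int) -> bytes:
    """Fixed-length big-endian encoding so both parties hash identical bytes,
    even when the element has leading zero bytes."""
    return x.to_bytes(ELEMENT_LEN, "big")

def secret_single_hash(sigma: bytes) -> bytes:
    """Second option in the post: one SHA-512 call, 64-byte secret."""
    return hashlib.sha512(sigma).digest()

def secret_expanded(sigma: bytes, out_len: int) -> bytes:
    """First option in the post: hash repeatedly and keep the leftmost bytes.
    Assumption: counter-mode hashing, SHA-512(counter || sigma)."""
    if out_len <= 0:
        raise ValueError("out_len must be positive")
    out = b""
    counter = 1
    while len(out) < out_len:
        out += hashlib.sha512(counter.to_bytes(4, "big") + sigma).digest()
        counter += 1
    return out[:out_len]

def demo() -> dict:
    # Constructed sample value standing in for the element; it is not a real
    # FHMQV output and is not checked to be a curve coordinate.
    x = int.from_bytes(hashlib.sha512(b"constructed sample").digest(), "big")
    sigma = encode_element(x)
    return {
        "sigma_len": len(sigma),
        "leading_zero_bytes": len(sigma) - len(sigma.lstrip(b"\x00")),
        "single": secret_single_hash(sigma),
        "expanded": secret_expanded(sigma, ELEMENT_LEN),
    }

if __name__ == "__main__":
    r = demo()
    print(r["sigma_len"], r["leading_zero_bytes"],
          len(r["single"]), len(r["expanded"]))
```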
