On Thu, Feb 2, 2012 at 3:53 PM, Jeffrey Walton <[email protected]> wrote:
> Hi All,
>
> I'm working on an implementation of FHMQV. The math works out and a
> shared secret is derived by both parties.
>
> FHMQV is Fully Hashed MQV, and applies a hash function at key points
> to remediate information leakage. One of those points is just before
> the shared secret is output.
>
> In classical Diffie-Hellman, the shared secret size is that of an
> element over the field. If using, for example, NIST P-521, the
> element's size would be 66 bytes. However, because the shared secret
> (an element) is hashed, the size is reduced to blocksize of the hash.
> If using SHA-512, that means the secret is 64 bytes.
>
> My question: since I cannot find a reference implementation, what is
> the size of the shared under FHMQV? Should I use the element's size
> (66) and repeatedly apply the hash and take the leftmost l-bits
> (similar to a KDF)? Or should the shared secret size be reduced to
> that of the hash's block size (64)?
>
> In either case, I believe the same amount of information is present.
> But if using the first method (leftmost l-bits), it might appear more
> bits are present due to iteratively applying the hash function (if
> security levels are a concern). As I have thought about it, I'm
> inclined to go with the hash's block size.
I re-read Sarr, Elbaz–Vincent, and Bajard's paper. It's pretty clear
the shared secret depends on the block size of the hash rather than
the size of the field element.
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
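
Added example, not part of the original thread: the two options weighed in the quoted question, using SHA-512 and a 66-byte P-521 field-element encoding. The sample element, the function names and the counter-prefixed expansion are assumptions for illustration, not taken from the FHMQV paper or any reference implementation.

```python
import hashlib

P521_BITS = 521
ELEMENT_LEN = (P521_BITS + 7) // 8      # 66 bytes for a P-521 field element

# Constructed sample value standing in for the shared element; a real run
# would take it from the FHMQV computation.
SAMPLE_ELEMENT = ((1 << 520) | 0xC0FFEE).to_bytes(ELEMENT_LEN, "big")


def secret_single_hash(element: bytes) -> bytes:
    """Option 2 in the question: hash once, output is the SHA-512 digest."""
    return hashlib.sha512(element).digest()


def secret_expanded(element: bytes, bits: int) -> bytes:
    """Option 1 in the question: apply the hash repeatedly and keep the
    leftmost `bits` bits (assumed layout: 4-byte big-endian counter
    starting at 1, prepended to the element)."""
    out_len = (bits + 7) // 8
    stream = b""
    counter = 1
    while len(stream) < out_len:
        stream += hashlib.sha512(counter.to_bytes(4, "big") + element).digest()
        counter += 1
    out = bytearray(stream[:out_len])
    extra = out_len * 8 - bits          # unused low bits in the last byte
    if extra:
        out[-1] &= (0xFF << extra) & 0xFF
    return bytes(out)


if __name__ == "__main__":
    short = secret_single_hash(SAMPLE_ELEMENT)
    wide = secret_expanded(SAMPLE_ELEMENT, P521_BITS)
    print("element bytes      :", len(SAMPLE_ELEMENT))   # 66
    print("single hash bytes  :", len(short))            # 64
    print("expanded bytes     :", len(wide))             # 66
    # Both outputs are deterministic functions of the same element, so the
    # wider one carries no more secret information than its input did.
```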
