List: cryptography
Subject: Re: Security of DH key exchange
From: "Anton Stiglic" <astiglic () okiok ! com>
Date: 2003-06-20 18:33:47
----- Original Message -----
From: "Jaap-Henk Hoepman" <jhh@cs.kun.nl>
To: <cryptography@metzdowd.com>
Sent: Friday, June 20, 2003 5:02 AM
Subject: Security of DH key exchange
>
> In practice the following method of exchanging keys using DH is used, to ensure
> bit security of the resulting session key. If Alice and Bob exchange g^a and
> g^b, the session key is defined as h(g^{ab}). This is mentioned in many
> textbooks, but I can't find a reference to a paper discussing the security of
> this in the following sense. If g^a etc. are computed over a field F of order
> p, and h hashes F to {0,1}^n, under which conditions is h(g^{ab}) given g^a and
> g^b indistinguishable from a randomly selected session key k? (where
> indistinguishable would mean that the advantage of the adversary of
> distinguishing h(g^{ab}) from k is negligible in _n_).

I don't know of any references that will explain this explicitly, but the
reasoning is simple: You model h as a random oracle, which would imply that
if the minimum entropy of g^(ab) is at least n bits, then h(g^{ab}) will be
indistinguishable from a value chosen randomly from the set of n-bit strings.

For information in general about DH, you can look at the following
manuscript:
http://crypto.cs.mcgill.ca/~stiglic/Papers/dhfull.pdf

--Anton
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
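
The condition stated in the reply above, checked on a toy group, as an added example that is not part of the original message: it computes the exact min-entropy of g^(ab) and refuses to derive an n-bit key h(g^(ab)) when n exceeds it. The parameters p = 1019, q = 509, g = 4, the exponents 123 and 456, and the use of SHA-256 in place of the random oracle h are assumptions made for illustration.

```python
import hashlib
import math
from collections import Counter

# Constructed toy parameters, far too small for real use: safe prime P = 2Q + 1.
P, Q = 1019, 509
G = 4  # a square mod P other than 1, so it has prime order Q


def min_entropy_bits(g, p, exponents):
    """Exact min-entropy of g^(ab) mod p for a, b uniform over `exponents`."""
    exps = list(exponents)
    counts = Counter(pow(g, a * b, p) for a in exps for b in exps)
    return -math.log2(max(counts.values()) / len(exps) ** 2)


def is_square(x, p):
    """Euler's criterion: is x a quadratic residue modulo the odd prime p?"""
    return pow(x, (p - 1) // 2, p) == 1


def session_key(shared, p, n_bits, entropy_bits):
    """k = h(g^(ab)) cut to n bits. SHA-256 stands in for the random oracle h
    (an assumption of this example); refuse when n exceeds the min-entropy."""
    if n_bits > entropy_bits:
        raise ValueError("n exceeds the min-entropy of g^(ab)")
    raw = shared.to_bytes((p.bit_length() + 7) // 8, "big")
    digest = int.from_bytes(hashlib.sha256(raw).digest(), "big")
    return digest >> (256 - n_bits)


def demo():
    a, b = 123, 456  # constructed secret exponents
    shared = pow(pow(G, a, P), b, P)  # Bob's view: (g^a)^b
    assert shared == pow(pow(G, b, P), a, P)  # Alice's view: (g^b)^a
    h_sub = min_entropy_bits(G, P, range(1, Q))      # log2(Q - 1) bits
    h_bad = min_entropy_bits(P - 1, P, range(1, Q))  # g of order 2
    return {
        # Raw g^(ab) is always a square, while a random element of F_p^* is
        # one only half the time, so the raw value is distinguishable.
        "raw_always_square": all(is_square(pow(G, e, P), P) for e in range(Q)),
        "min_entropy_subgroup": h_sub,
        "min_entropy_order2": h_bad,
        "key_8_bits": session_key(shared, P, 8, h_sub),
    }


if __name__ == "__main__":
    print(demo())
```

With a generator of order 2 the shared value carries under half a bit of min-entropy, so `session_key` rejects any n of 1 or more for it.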