
Re: Summary of key derivation thread



Uri Blumenthal  wrote:
>Ran Canetti wrote:
>> BTW, regarding going over 160 "bits of security". I agree that this is a
>> non-issue from a practical point of view. But for the paranoids who insist
>> on doing it, the best way would be to use a PRF with more security, such as
>> HMAC-SHA2, or any block cipher with long enough keys and block-size.
>
>It is an issue of convenience and of entropy loss. Regarding the latter - it
>doesn't make sense to expensively negotiate a kilobit of keying material and
>then reduce its entropy to 160 bits.

This objection has already been addressed on the list.  Those 1024
bits of Diffie-Hellman only have 160 bits of strength (160 bits of
"computational entropy"), hence you're not reducing security by hashing
it down to 160 bits.

Indeed, in some sense you are improving security by hashing the 1024-bit
Diffie-Hellman result down to a 160-bit security, just as Hugo's earlier
note pointed out.  Can I encourage you to re-read Hugo's earlier emails
on this topic?  I hope you will find them persuasive.  (I certainly did.)