Re: Summary of key derivation thread
At 12:09 PM 12/10/2002, Hugo Krawczyk wrote:
>What the hashing is meant to do is to avoid further shortcut attacks that
>would leak information on the key at much less than the 2^70 cost of
>fully breaking the DH exchange (e.g., if you use a generator of the
>group Zp* as your DH basis and do not hash the key then you can find the
>lsb of g^xy in less than a millisecond).
Nit: what you can find in less than a millisecond is the lsb of xy (or
equivalently, whether g^xy is a quadratic residue). This does not give you
the setting of any particular bit in g^xy.
--
scott
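
The distinction drawn in the reply above, as an added example that is not part of the original message: when g generates all of Zp*, the public values g^x and g^y reveal lsb(xy), and therefore whether g^xy is a quadratic residue, but not the low bit of the integer g^xy. The prime 2039, the generator 7 and every function name below are constructed toy values.

```python
# Added example; P, Q, G and all names here are constructed for illustration.
P = 2039   # toy safe prime, P = 2*Q + 1 (far too small for real use)
Q = 1019
G = 7      # generates all of Zp* (order 2*Q), so G itself is a non-residue

def is_qr(a: int) -> bool:
    """Euler's criterion: a is a quadratic residue mod P iff a^Q == 1 (mod P)."""
    return pow(a, Q, P) == 1

def predicted_lsb_xy(pub_a: int, pub_b: int) -> int:
    """Eavesdropper's view: only g^x and g^y are known.
    g^x is a residue exactly when x is even, so both parities are public
    and lsb(xy) = lsb(x) AND lsb(y)."""
    return int(not is_qr(pub_a) and not is_qr(pub_b))

def survey(g: int, limit: int = 40):
    """Sweep exponents 1..limit and count, over all (x, y) pairs:
    total pairs, correct lsb(xy) predictions, pairs where QR(g^xy) matches
    the prediction, and pairs where the integer lsb of g^xy equals lsb(xy)."""
    total = parity_ok = qr_ok = int_lsb_same = 0
    for x in range(1, limit + 1):
        for y in range(1, limit + 1):
            shared = pow(g, x * y, P)
            guess = predicted_lsb_xy(pow(g, x, P), pow(g, y, P))
            total += 1
            parity_ok += guess == (x * y) & 1
            qr_ok += is_qr(shared) == (guess == 0)
            int_lsb_same += (shared & 1) == (x * y) & 1
    return total, parity_ok, qr_ok, int_lsb_same

if __name__ == "__main__":
    total, parity_ok, qr_ok, int_lsb_same = survey(G)
    print(f"lsb(xy) predicted correctly:      {parity_ok}/{total}")
    print(f"QR status of g^xy predicted:      {qr_ok}/{total}")
    print(f"integer lsb(g^xy) equals lsb(xy): {int_lsb_same}/{total}")
```

The first two counts come out at 100%, while the third does not, which is the point of the nit: the one-bit leak is the residuosity of g^xy, not a bit of its integer representation.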