
Re: Summary of key derivation thread



At 12:09 PM 12/10/2002, Hugo Krawczyk wrote:
>What the hashing is meant to do is to avoid further shortcut attacks that
>would leak information on the key at much less than the 2^70 cost of
>fully breaking the DH exchange (e.g., if you use a generator of the
>group Zp* as your DH basis and do not hash the key then you can find the
>lsb of g^xy in less than a millisecond.

Nit: what you can find in less than a millisecond is the lsb of xy (or 
equivalently, whether g^xy is a quadratic residue).  This does not give you 
the setting of any particular bit in g^xy.

--
scott
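To make the distinction in Scott's nit concrete, here is a small Python experiment (added here as an illustration; it is not code from either poster). It assumes a toy safe prime p = 1019 and the smallest generator g of Zp*, which the code finds itself; with a full-group generator, g^x is a quadratic residue exactly when x is even, so an eavesdropper who sees g^x and g^y gets the parity of x and of y from two Legendre symbols and hence the parity of xy, which is the same thing as knowing whether g^xy is a residue. The experiment checks that this prediction is always right about the residuosity, that it is no better than a coin flip about the low bit of the integer g^xy mod p (or of a hashed key), and that it learns nothing at all once the exchange moves into the prime-order subgroup.

```python
"""Legendre-symbol leak in textbook Diffie-Hellman over Zp* (added example).

Toy parameters: p = 1019 is a safe prime (p = 2q + 1, q = 509); sizes are
chosen so the script runs instantly, not for any security margin.
"""
import hashlib
import random


def legendre(a: int, p: int) -> int:
    """Euler's criterion: +1 if a is a quadratic residue mod p, -1 otherwise."""
    return 1 if pow(a, (p - 1) // 2, p) == 1 else -1


def is_prime(n: int) -> bool:
    """Trial division; adequate for the toy-sized primes used here."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def find_generator(p: int) -> int:
    """Smallest generator of Zp* for a safe prime p = 2q + 1.

    g generates the whole group iff g^2 != 1 and g^q != 1 (mod p), i.e.
    iff g is a quadratic non-residue other than p - 1.
    """
    q = (p - 1) // 2
    assert is_prime(p) and is_prime(q), "p must be a safe prime"
    for g in range(2, p):
        if pow(g, 2, p) != 1 and pow(g, q, p) != 1:
            return g
    raise ValueError("no generator found")


def exponent_parity(h: int, p: int) -> int:
    """Given h = g^x with g a generator of Zp*, return x mod 2.

    g is a non-residue, so g^x is a residue exactly when x is even.
    """
    return 0 if legendre(h, p) == 1 else 1


def passive_leak(gx: int, gy: int, p: int) -> int:
    """What an eavesdropper learns from the public values alone: the lsb of
    x*y, equivalently whether g^(xy) is a quadratic residue. Two
    exponentiations, nowhere near the cost of solving the DH problem."""
    return exponent_parity(gx, p) & exponent_parity(gy, p)


def experiment(p: int, trials: int, seed: int = 1) -> dict:
    """Run random exchanges and score the eavesdropper's guess three ways."""
    rng = random.Random(seed)
    g = find_generator(p)
    h = pow(g, 2, p)  # generates the order-q subgroup: every element is a residue
    qr_correct = lsb_correct = hashed_lsb_correct = subgroup_residues = 0
    for _ in range(trials):
        x = rng.randrange(1, p - 1)
        y = rng.randrange(1, p - 1)
        gx, gy = pow(g, x, p), pow(g, y, p)
        shared = pow(gx, y, p)  # g^(xy), the unhashed DH secret
        guess = passive_leak(gx, gy, p)
        # The leak is exact about residuosity, i.e. about the lsb of xy ...
        qr_correct += guess == exponent_parity(shared, p)
        # ... but says nothing about the low bit of the integer g^(xy) mod p ...
        lsb_correct += guess == (shared & 1)
        # ... and nothing about any bit of a hashed key derived from it.
        key = hashlib.sha256(shared.to_bytes(4, "big")).digest()
        hashed_lsb_correct += guess == (key[-1] & 1)
        # In the prime-order subgroup the Legendre symbol is always +1.
        subgroup_residues += legendre(pow(h, x, p), p) == 1
    return {
        "trials": trials,
        "qr_correct": qr_correct,
        "lsb_correct": lsb_correct,
        "hashed_lsb_correct": hashed_lsb_correct,
        "subgroup_residues": subgroup_residues,
    }


if __name__ == "__main__":
    print(experiment(1019, 2000))
```

Over 2000 exchanges, `qr_correct` equals the trial count (the residuosity of g^xy is fully determined by the public values), while `lsb_correct` and `hashed_lsb_correct` sit near half, which is what Scott's "does not give you the setting of any particular bit in g^xy" means in practice. The `subgroup_residues` count also equals the trial count: in the subgroup of order q this particular shortcut has nothing to say, though hashing the secret is still the general way to close off any other partial-information leak on the raw g^xy.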