
Re: Summary of key derivation thread



You are surely right.
This still gives you a "bit" in the entropy sense since it leaks 
the value of a Boolean predicate on the key (which, in particular,
suffices to distinguish the DH key from random).

Thanks for the correction.

Hugo

On Tue, 10 Dec 2002, Scott Fluhrer wrote:

> At 12:09 PM 12/10/2002, Hugo Krawczyk wrote:
> >What the hashing is meant to do is to avoid further shortcut attacks that
> >would leak information on the key at much less than the 2^70 cost of
> >fully breaking the DH exchange (e.g., if you use a generator of the
> >group Zp* as your DH basis and do not hash the key then you can find the
> >lsb of g^xy in less than a millisecond).
> 
> Nit: what you can find in less than a millisecond is the lsb of xy (or 
> equivalently, whether g^xy is a quadratic residue).  This does not give you 
> the setting of any particular bit in g^xy.
> 
> --
> scott
>
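
The point the two messages settle can be checked directly. The following is an added worked example, not code from either author or from the list thread, using constructed toy parameters: p = 1019 is a safe prime (p = 2q+1 with q = 509 prime) and g = 2 generates all of Z_p^*, since p = 3 mod 8 makes 2 a non-residue. A real exchange would use a ~2048-bit p, but the algebra is the same. One modular exponentiation (Euler's criterion) tells whether g^xy is a quadratic residue, which for a generator of the full group is exactly lsb(xy); the exhaustive check shows that bit says nothing about lsb(g^xy) itself (Scott's correction), while the residue rate shows the predicate still distinguishes unhashed DH output (residue about 3/4 of the time) from a random group element (exactly 1/2), which is Hugo's "bit in the entropy sense".

```python
import random

# Constructed toy parameters (assumptions for illustration, not from the thread):
# p = 2q + 1 is a safe prime, so Z_p^* is cyclic of order 2q, and g = 2 generates
# the whole group because p = 3 (mod 8) makes 2 a quadratic non-residue.
P = 1019
Q = (P - 1) // 2   # 509, prime
G = 2


def is_generator(g, p):
    """For p = 2q+1 with q prime, g generates Z_p^* iff its order is neither 1, 2 nor q."""
    q = (p - 1) // 2
    return pow(g, 2, p) != 1 and pow(g, q, p) != 1


def legendre(a, p):
    """Euler's criterion: a^((p-1)/2) mod p is 1 for a quadratic residue, p-1 (= -1) otherwise."""
    r = pow(a, (p - 1) // 2, p)
    return -1 if r == p - 1 else r


def lsb_of_exponent(shared, p):
    """Since g generates the whole group, g^e is a residue exactly when e is even.

    One exponentiation therefore reveals lsb(e), i.e. lsb(xy) when shared = g^xy.
    What leaks is a bit of the exponent xy, not a bit of the group element g^xy.
    """
    return 0 if legendre(shared, p) == 1 else 1


def dh_shared(p, g, rng):
    """One DH run with fresh random exponents; returns (x, y, g^xy mod p)."""
    x = rng.randrange(1, p - 1)
    y = rng.randrange(1, p - 1)
    return x, y, pow(g, x * y, p)


def exponent_bit_is_correct(p, g):
    """Exhaustive check: the residuosity test recovers lsb(e) for every exponent e."""
    return all(lsb_of_exponent(pow(g, e, p), p) == (e & 1) for e in range(1, p - 1))


def fraction_lsb_agrees(p, g):
    """How often lsb(g^e mod p) equals lsb(e): near 1/2, so the QR bit is not a bit of g^xy."""
    hits = sum(1 for e in range(1, p - 1) if (pow(g, e, p) & 1) == (e & 1))
    return hits / (p - 2)


def residue_rate(samples, p, g, seed, real_dh):
    """Fraction of 'keys' that are quadratic residues, over a seeded sample.

    Real DH keys g^xy are residues whenever x or y is even, i.e. about 3/4 of the
    time; a uniformly random element of Z_p^* is a residue exactly 1/2 of the time.
    The predicate alone therefore distinguishes the unhashed DH key from random.
    """
    rng = random.Random(seed)
    hits = 0
    for _ in range(samples):
        if real_dh:
            _, _, k = dh_shared(p, g, rng)
        else:
            k = rng.randrange(1, p)
        hits += legendre(k, p) == 1
    return hits / samples


if __name__ == "__main__":
    rng = random.Random(2002)
    assert is_generator(G, P)
    x, y, k = dh_shared(P, G, rng)
    print(f"x={x} y={y} g^xy={k} lsb(xy)={x * y & 1} "
          f"recovered={lsb_of_exponent(k, P)} lsb(g^xy)={k & 1}")
    print("fraction of e with lsb(g^e) == lsb(e):", fraction_lsb_agrees(P, G))
    print("QR rate, real DH keys   :", residue_rate(4000, P, G, 1, True))
    print("QR rate, random elements:", residue_rate(4000, P, G, 1, False))
```

Hashing the shared value before use is what removes this handle: the residuosity test needs a group element, and a derived key H(g^xy) is not one, so the predicate can no longer be evaluated on what the parties actually use.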