[13682] in cryptography@c2.net mail archive
Security of DH key exchange
daemon@ATHENA.MIT.EDU (Jaap-Henk Hoepman)
Fri Jun 20 13:34:56 2003
X-Original-To: cryptography@metzdowd.com
To: cryptography@metzdowd.com
From: Jaap-Henk Hoepman <jhh@cs.kun.nl>
Date: Fri, 20 Jun 2003 11:02:36 +0200
In practice the following method of exchanging keys using DH is used, to ensure
bit security of the resulting session key. If Alice and Bob exchange g^a and
g^b, the session key is defined as h(g^{ab}). This is mentioned in many
textbooks, but I can't find a reference to a paper discussing the security of
this in the following sense. If g^a etc. are computed over a field F of order
p, and h hashes F to {0,1}^n, under which conditions is h(g^{ab}) given g^a and
g^b indistinguishable from a randomly selected session key k? (where
indistinguishable would mean that the advantage of the adversary in
distinguishing h(g^{ab}) from k is negligible in _n_).
References to this are much appreciated.
Regards,
Jaap-Henk
--
Jaap-Henk Hoepman | I've got sunshine in my pockets
Dept. of Computer Science | Brought it back to spray the day
University of Nijmegen | Gry "Rocket"
(w) www.cs.kun.nl/~jhh | (m) jhh@cs.kun.nl
(t) +31 24 36 52710/531532 | (f) +31 24 3653137
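
Added example, not part of the original message: it plays the distinguishing game from the question against the raw value g^{ab} instead of h(g^{ab}), showing that when g is a quadratic non-residue mod p the residuosity of g^{ab} follows from g^a and g^b alone, so the unhashed value is not indistinguishable from random. The prime, the base g = 3, SHA-256 as h, and all function names are assumptions chosen for illustration.

```python
import hashlib
import secrets

# Constructed demo parameters (assumptions, far too small for real use):
# P is the Mersenne prime 2^127 - 1 and G = 3 is a quadratic non-residue mod P.
P = 2**127 - 1
G = 3

def is_residue(x):
    """Euler's criterion: True if x is a square modulo P."""
    return pow(x, (P - 1) // 2, P) == 1

def predict_residuosity(ga, gb):
    """Predict whether g^{ab} is a square from the public values only.
    G is a non-residue, so g^x is a square iff x is even, and g^{ab}
    is a non-square only when both a and b are odd."""
    return is_residue(ga) or is_residue(gb)

def session_key(shared):
    """h(g^{ab}) with h = SHA-256 (the choice of h is an assumption)."""
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def distinguisher_accuracy(trials=2000):
    """Fraction of correct guesses in the real-or-random game on the raw
    value: the challenge is either g^{ab} or a uniform element of Z_P^*."""
    correct = 0
    for _ in range(trials):
        a = secrets.randbelow(P - 2) + 1
        b = secrets.randbelow(P - 2) + 1
        ga, gb = pow(G, a, P), pow(G, b, P)
        real = secrets.randbelow(2) == 1
        challenge = pow(gb, a, P) if real else secrets.randbelow(P - 1) + 1
        # Guess "real" when the challenge has the predicted residuosity.
        guess_real = is_residue(challenge) == predict_residuosity(ga, gb)
        correct += guess_real == real
    return correct / trials

if __name__ == "__main__":
    # A blind guess scores about 0.5; this test scores about 0.75.
    print("accuracy on raw g^{ab}:", distinguisher_accuracy())
    a, b = 5, 7  # constructed exponents
    print("h(g^{ab}) =", session_key(pow(pow(G, b, P), a, P)).hex())
```

The distinguisher is always right on a real g^{ab} and right half the time on a random element, which gives the 0.75 figure; it says nothing about how h(g^{ab}) behaves, which is the open question in the message.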