Re: Summary of key derivation thread
You are surely right.
This still gives you a "bit" in the entropy sense since it leaks
the value of a Boolean predicate on the key (which, in particular,
suffices to distinguish the DH key from random).
Thanks for the correction.
Hugo
On Tue, 10 Dec 2002, Scott Fluhrer wrote:
> At 12:09 PM 12/10/2002, Hugo Krawczyk wrote:
> >What the hashing is meant to do is to avoid further shortcut attacks that
> >would leak information on the key at much less than the 2^70 cost of
> >fully breaking the DH exchange (e.g., if you use a generator of the
> >group Zp* as your DH basis and do not hash the key then you can find the
> >lsb of g^xy in less than a millisecond).
>
> Nit: what you can find in less than a millisecond is the lsb of xy (or
> equivalently, whether g^xy is a quadratic residue). This does not give you
> the setting of any particular bit in g^xy.
>
> --
> scott
>
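The leak the two messages are discussing, worked through in Python as an added example (this code is not part of Hugo's or Scott's messages). Parameters p = 23 with g = 5 (a generator of Z_23*) and p = 2^127 - 1 with g = 3 are assumed here for illustration; the Legendre symbol is computed by Euler's criterion, a single modular exponentiation. The exhaustive run shows that the Legendre symbols of the public values g^x and g^y determine the residuosity of g^xy (equivalently the lsb of xy) every time, while saying nothing useful about the lsb of g^xy mod p itself, which is Scott's point.

```python
import random

# Added example, not code from the thread.  Parameters p = 23, g = 5 and
# p = 2**127 - 1, g = 3 are assumed for illustration only.


def legendre(a: int, p: int) -> int:
    """Legendre symbol (a|p) for an odd prime p, by Euler's criterion
    a^((p-1)/2) mod p.  One modular exponentiation: well under a millisecond
    even for a 1024-bit p."""
    r = pow(a % p, (p - 1) // 2, p)
    if r == 0:
        return 0
    return 1 if r == 1 else -1


def leak_from_public_values(gx: int, gy: int, p: int) -> tuple[int, int]:
    """What an eavesdropper computes from the public DH values g^x, g^y.

    If g is a quadratic non-residue (true of every generator of Zp*), then
    (g^x|p) = (-1)^x, so the Legendre symbol of each public value reveals the
    parity of the corresponding secret exponent.  Returns the pair
    (predicted (g^xy|p), predicted lsb of x*y)."""
    x_odd = legendre(gx, p) == -1
    y_odd = legendre(gy, p) == -1
    lsb_xy = 1 if (x_odd and y_odd) else 0   # xy is odd iff both x and y are odd
    qr_key = -1 if lsb_xy else 1             # g^xy is a residue iff xy is even
    return qr_key, lsb_xy


def exhaustive_check(p: int, g: int) -> dict[str, float]:
    """Run the leak over every (x, y) pair for a toy prime and report how often
    it predicts (a) the residuosity of g^xy, (b) the lsb of xy, and (c) the lsb
    of the unhashed key g^xy mod p.  (a) and (b) are always right; (c) is no
    better than guessing."""
    if legendre(g, p) != -1:
        raise ValueError("g must be a quadratic non-residue (e.g. a generator)")
    total = qr_ok = lsb_xy_ok = lsb_key_ok = 0
    for x in range(1, p):
        for y in range(1, p):
            gx, gy = pow(g, x, p), pow(g, y, p)
            key = pow(gx, y, p)                 # the unhashed shared secret
            qr_key, lsb_xy = leak_from_public_values(gx, gy, p)
            total += 1
            qr_ok += qr_key == legendre(key, p)
            lsb_xy_ok += lsb_xy == ((x * y) & 1)
            lsb_key_ok += lsb_xy == (key & 1)
    return {
        "qr_of_key": qr_ok / total,
        "lsb_of_xy": lsb_xy_ok / total,
        "lsb_of_key": lsb_key_ok / total,
    }


def random_trials(p: int, g: int, n: int) -> int:
    """Number of random DH exchanges (out of n) whose g^xy residuosity the
    eavesdropper predicts correctly from g^x and g^y alone.  Always n, since
    (g^xy|p) = (g^x|p)^y is determined by the two public symbols."""
    ok = 0
    for _ in range(n):
        x, y = random.randrange(1, p - 1), random.randrange(1, p - 1)
        gx, gy = pow(g, x, p), pow(g, y, p)
        key = pow(gx, y, p)
        qr_key, _ = leak_from_public_values(gx, gy, p)
        ok += qr_key == legendre(key, p)
    return ok


if __name__ == "__main__":
    print(exhaustive_check(23, 5))
    print(random_trials(2**127 - 1, 3, 100), "of 100 residuosity predictions correct")
```

The predicate leaked is exactly the one Hugo describes: a single Boolean function of the key that an eavesdropper evaluates from public data, which is enough to distinguish g^xy from a random group element. Hashing the shared secret before use is what removes it, since the residuosity of g^xy tells the attacker nothing about any bit of H(g^xy).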