Security of DH key exchange
Jaap-Henk Hoepman
jhh at cs.kun.nl
Fri Jun 20 05:02:36 EDT 2003
In practice the following method of exchanging keys using DH is used, to ensure
bit security of the resulting session key. If alice and bob exchange g^a and
g^b, the session key is defined as h(g^{ab}). This is mentioned in many
textbooks, but i can't find a reference to a paper discussing the security of
this in the following sense. If g^a etc. are computed over a field F of order
p, and h hashes F to {0,1}^n, under which conditions is h(g^{ab}) given g^a and
g^b indistinguishable from a randomly selected session key k? (where
indistinguishable would mean that the advantage of the adversary of
distinguishing h(g^{ab}) from k is negligible in _n_).
References to this are much appreciated.
Regards,
Jaap-Henk
--
Jaap-Henk Hoepman | I've got sunshine in my pockets
Dept. of Computer Science | Brought it back to spray the day
University of Nijmegen | Gry "Rocket"
(w) www.cs.kun.nl/~jhh | (m) jhh at cs.kun.nl
(t) +31 24 36 52710/531532 | (f) +31 24 3653137
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list