Security of DH key exchange

Anton Stiglic astiglic at okiok.com
Fri Jun 20 14:33:47 EDT 2003


----- Original Message ----- 
From: "Jaap-Henk Hoepman" <jhh at cs.kun.nl>
To: <cryptography at metzdowd.com>
Sent: Friday, June 20, 2003 5:02 AM
Subject: Security of DH key exchange


>
> In practice the following method of exchanging keys using DH is used, to ensure
> bit security of the resulting session key. If Alice and Bob exchange g^a and
> g^b, the session key is defined as h(g^{ab}). This is mentioned in many
> textbooks, but I can't find a reference to a paper discussing the security of
> this in the following sense. If g^a etc. are computed over a field F of order
> p, and h hashes F to {0,1}^n, under which conditions is h(g^{ab}) given g^a and
> g^b indistinguishable from a randomly selected session key k? (where
> indistinguishable would mean that the advantage of the adversary of
> distinguishing h(g^{ab}) from k is negligible in _n_).

I don't know of any references that will explain this explicitly, but the
reasoning is simple:  You model h as a random oracle, which would imply that
if the minimum entropy of g^{ab} is at least n bits, then h(g^{ab}) will be
indistinguishable from a value chosen randomly from the set of n-bit strings.

For general information about DH, you can look at the following
manuscript:
http://crypto.cs.mcgill.ca/~stiglic/Papers/dhfull.pdf

--Anton
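As an added illustration of the random-oracle argument above (example code, not from the original post or the manuscript it links): a toy DH exchange in which the shared value g^{ab} is encoded and hashed into an n-bit key, with SHAKE256 standing in for h, and the derivation refuses any n larger than floor(log2 q), the most min-entropy a value drawn from an order-q subgroup can carry. The safe-prime group, the generator g = 4, and the fixed-width encoding are assumptions of the example.

```python
import hashlib
import secrets

# Constructed toy group p = 2q + 1 with q prime; real deployments use standardised 2048-bit+ groups.
SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases (deterministic for n below 3.3e24)."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    r = ((n - 1) & (1 - n)).bit_length() - 1   # trailing zero bits of n - 1
    d = (n - 1) >> r                            # n - 1 = d * 2^r with d odd
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True
def gen_safe_prime(bits: int) -> tuple:
    """Return (p, q) with p = 2q + 1 both prime; g = 4 then generates the order-q subgroup."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q
def encode_fe(x: int, p: int) -> bytes:
    """Fixed-width big-endian encoding: both sides must hash identical bytes for the same x."""
    return x.to_bytes((p.bit_length() + 7) // 8, "big")
def derive_session_key(shared: int, p: int, q: int, n: int) -> bytes:
    """h(g^{ab}) as an n-bit string. g^{ab} lies in a subgroup of q elements, so its
    min-entropy is at most floor(log2 q) = q.bit_length() - 1 bits; refuse larger n."""
    if n % 8 or n > q.bit_length() - 1:
        raise ValueError(f"cannot claim {n} key bits from a subgroup of order {q}")
    return hashlib.shake_256(encode_fe(shared, p)).digest(n // 8)
def dh_session_key(p: int, q: int, g: int, n: int) -> tuple:
    """One exchange; each side checks the peer value lies in the order-q subgroup."""
    a, b = secrets.randbelow(q - 1) + 1, secrets.randbelow(q - 1) + 1
    ya, yb = pow(g, a, p), pow(g, b, p)
    for y in (ya, yb):
        if not (1 < y < p - 1 and pow(y, q, p) == 1):
            raise ValueError("public value outside the order-q subgroup")
    return derive_session_key(pow(yb, a, p), p, q, n), derive_session_key(pow(ya, b, p), p, q, n)
```

The subgroup-membership check is what makes the entropy bound apply: it guarantees the hashed value really is an element of the q-element subgroup rather than something of smaller order.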



---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
