[Cfrg] ElGamal Encryption, ECDH, and Uniformly Distributed keys
Robert Moskowitz <rgm-sec@htt-consult.com> Thu, 24 June 2010 12:18 UTC
draft-irtf-cfrg-kdf-uses-00.txt, amongst other sources, points out that DH derived keys are not uniformly distributed and need 'an extraction phase'.

Yet ElGamal Encryption is doing an encryption step directly with its key. Of course there are various issues with ElGamal Encryption...

Does ElGamal Encryption also 'suffer' from its key not being uniformly distributed?

My question is looking for a source that covers the nature of the attack because the DH derived key is not uniformly distributed. I seem to recall one message pointing to a paper, but can't find it.

How does the attack vary by the use of the key? For example, the key is used to encrypt a uniformly distributed random number that will actually be used as a key. The key is used to encrypt a few hundred such random keys. Etc.

Everywhere I have looked, including all of the textbooks I have, only say, "DH is not uniformly distributed, it's a problem."
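
An added illustration, not part of the original message and not taken from draft-irtf-cfrg-kdf-uses: in a toy safe-prime group (the parameters P, Q, G and the key values are constructed), every raw DH value is a square mod P, so Euler's criterion separates it from a random bit string, and textbook ElGamal carries the square-ness of the plaintext into the ciphertext. The extraction step shown is HMAC-SHA256 in the style of HKDF-Extract, which is an assumed choice of extractor.

```python
import hashlib
import hmac

# Constructed toy parameters (far too small for real use): safe prime P = 2Q + 1.
P = 2039   # 11-bit prime
Q = 1019   # prime order of the subgroup of squares mod P
G = 4      # a square other than 1, so it generates the order-Q subgroup

def is_square(v):
    """Euler's criterion: v is a nonzero square mod P iff v^Q == 1 (mod P)."""
    return pow(v, Q, P) == 1

def dh_shared(a, b):
    """Raw DH value Z = G^(a*b) mod P, as either party computes it."""
    return pow(pow(G, a, P), b, P)

def extract(z, salt=b"\x00" * 32):
    """Extraction step in the style of HKDF-Extract: HMAC-SHA256(salt, Z)."""
    return hmac.new(salt, z.to_bytes(2, "big"), hashlib.sha256).digest()

def square_rate(values):
    """Fraction of values that pass the square test."""
    return sum(is_square(v) for v in values) / len(values)

def elgamal_encrypt(m, h, k):
    """Textbook ElGamal: the raw DH value h^k masks m by multiplication."""
    return pow(G, k, P), (m * pow(h, k, P)) % P

# Every value a DH exchange can produce in this group (identity excluded).
RAW = [pow(G, x, P) for x in range(1, Q)]
# The same values after extraction, truncated to 11 bits for comparison.
DERIVED = [int.from_bytes(extract(z)[:2], "big") >> 5 for z in RAW]

if __name__ == "__main__":
    print("raw values reachable:", len(set(RAW)), "of", 2 ** 11, "bit strings")
    print("square rate, raw:", square_rate(RAW))
    print("square rate, extracted:", round(square_rate(DERIVED), 3))
    h = pow(G, 77, P)                       # constructed recipient key
    for m in (9, P - 9):                    # a square and a non-square
        c1, c2 = elgamal_encrypt(m, h, 123)
        print(m, "square:", is_square(m), "| c2 square:", is_square(c2))
```

The raw values cover fewer than half of the 11-bit strings and all pass the square test, while roughly half of the extracted values do, which is what a uniform string would give.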