IETF Logo Mail Archive

Re: [Cfrg] uniform random distribution in ECDH public key

"David McGrew (mcgrew)" <mcgrew@cisco.com> Tue, 14 August 2012 18:26 UTC

Return-Path: <mcgrew@cisco.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A0E7221F876A for <cfrg@ietfa.amsl.com>; Tue, 14 Aug 2012 11:26:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -110.513
X-Spam-Level:
X-Spam-Status: No, score=-110.513 tagged_above=-999 required=5 tests=[AWL=0.086, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LpdD8Y5JO9So for <cfrg@ietfa.amsl.com>; Tue, 14 Aug 2012 11:26:37 -0700 (PDT)
Received: from rcdn-iport-4.cisco.com (rcdn-iport-4.cisco.com [173.37.86.75]) by ietfa.amsl.com (Postfix) with ESMTP id AE35D21F86B5 for <cfrg@irtf.org>; Tue, 14 Aug 2012 11:26:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=mcgrew@cisco.com; l=1074; q=dns/txt; s=iport; t=1344968795; x=1346178395; h=from:to:subject:date:message-id:in-reply-to:content-id: content-transfer-encoding:mime-version; bh=Y5t0pRIsCN+9mdRL0rQvX2v4L/f7zV/sTqaG4TIKXqQ=; b=FU3LstYD+3KkhHS3wmoI6wU1TxaNUUtvVtiq1w0XoOk7TGmVhDnDZyJd Ufas8jYQbFfhY45uGUxeui5h8e653JXLHUdRr7CtNd6Oan8huDtr3yjRn nVnGbgptZI1NNythW8kppom4C9lR8GwezH+x3TyXqJIqwLHzMariwwWI5 4=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Av4EACWXKlCtJXHB/2dsb2JhbABFuhyBB4IiAQQBAQEPASc0HQEIDig3CyUCBAESCRmHawuYHaB7kTYDlUuOKoFmgl8
X-IronPort-AV: E=Sophos;i="4.77,768,1336348800"; d="scan'208";a="111558940"
Received: from rcdn-core2-6.cisco.com ([173.37.113.193]) by rcdn-iport-4.cisco.com with ESMTP; 14 Aug 2012 18:26:35 +0000
Received: from xhc-rcd-x03.cisco.com (xhc-rcd-x03.cisco.com [173.37.183.77]) by rcdn-core2-6.cisco.com (8.14.5/8.14.5) with ESMTP id q7EIQZ3W021921 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Tue, 14 Aug 2012 18:26:35 GMT
Received: from xmb-rcd-x04.cisco.com ([169.254.8.159]) by xhc-rcd-x03.cisco.com ([173.37.183.77]) with mapi id 14.02.0298.004; Tue, 14 Aug 2012 13:26:34 -0500
From: "David McGrew (mcgrew)" <mcgrew@cisco.com>
To: Robert Moskowitz <rgm-sec@htt-consult.com>, "cfrg@irtf.org" <cfrg@irtf.org>
Thread-Topic: [Cfrg] uniform random distribution in ECDH public key
Thread-Index: AQHNekb92R2TNl0fjUq9ua4MtNyB0ZdZsN6A
Date: Tue, 14 Aug 2012 18:26:34 +0000
Message-ID: <CC500FDA.A36D4%mcgrew@cisco.com>
In-Reply-To: <502A928A.7090003@htt-consult.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.2.1.120420
x-originating-ip: [10.117.10.228]
x-tm-as-product-ver: SMEX-10.2.0.1135-7.000.1014-19112.005
x-tm-as-result: No--31.490000-8.000000-31
x-tm-as-user-approved-sender: No
x-tm-as-user-blocked-sender: No
Content-Type: text/plain; charset="us-ascii"
Content-ID: <1A581EA350DA6949B36CC6971349981F@cisco.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [Cfrg] uniform random distribution in ECDH public key
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Aug 2012 18:26:37 -0000

Hi Bob,

On 8/14/12 2:01 PM, "Robert Moskowitz" <rgm-sec@htt-consult.com> wrote:

>I understand from RFC 6090 and 5869 that the secret key produced from an
>ECDH exchange is not uniformly randomly distributed and that is why we
>have the 'Extract' phase in HKDF.  Got that.
>
>This question is about the public key, g^j:
>
>I understand that like j, it must be a point on the curve, thus if the
>curve is p-256, both j and g^j are 256 bits long.  But is g^j uniformly
>randomly distributed like j is suppose to be?

Something quick to add to what Scott said.   Note that j is uniformly
random when considered as an integer between 1 and the group order; it is
not uniformly random when considered as a bit string.

David

>
>Side question:  I am still unclear on the length of the exchanged secret
>(g^j)^k, is it 256 bits (for p-256) or larger (perhaps 512 bits)?
>
>Thank you for helping me get all this straight.
>
>_______________________________________________
>Cfrg mailing list
>Cfrg@irtf.org
>http://www.irtf.org/mailman/listinfo/cfrg

v2.23.0 | Report a Bug | By Email