Re: [Cfrg] uniform random distribution in ECDH public key
"David McGrew (mcgrew)" <mcgrew@cisco.com> Tue, 14 August 2012 18:26 UTC
Hi Bob,

On 8/14/12 2:01 PM, "Robert Moskowitz" <rgm-sec@htt-consult.com> wrote:

>I understand from RFC 6090 and 5869 that the secret key produced from an
>ECDH exchange is not uniformly randomly distributed and that is why we
>have the 'Extract' phase in HKDF. Got that.
>
>This question is about the public key, g^j:
>
>I understand that like j, it must be a point on the curve, thus if the
>curve is p-256, both j and g^j are 256 bits long. But is g^j uniformly
>randomly distributed like j is supposed to be?

Something quick to add to what Scott said. Note that j is uniformly
random when considered as an integer between 1 and the group order; it is
not uniformly random when considered as a bit string.

David

>
>Side question: I am still unclear on the length of the exchanged secret
>(g^j)^k, is it 256 bits (for p-256) or larger (perhaps 512 bits)?
>
>Thank you for helping me get all this straight.
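The integer-versus-bit-string distinction in the reply above, worked through with exact arithmetic. This is an added example, not part of the original message; the function names are illustrative, and the constant is the published order of the NIST P-256 base point.

```python
from fractions import Fraction

# Order n of the NIST P-256 base point (public curve parameter).
P256_N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551


def prefix_probability(order, bits, prefix, prefix_len):
    """Exact Pr[top prefix_len bits == prefix] for j uniform in [1, order-1],
    where j is encoded as a fixed-width big-endian string of `bits` bits."""
    shift = bits - prefix_len
    lo = prefix << shift            # smallest encoding carrying this prefix
    hi = lo + (1 << shift) - 1      # largest encoding carrying this prefix
    lo = max(lo, 1)                 # j = 0 is not a valid scalar
    hi = min(hi, order - 1)         # j >= order never occurs
    count = max(0, hi - lo + 1)
    return Fraction(count, order - 1)


def unreachable_strings(order, bits):
    """How many `bits`-bit strings are never a valid j (0 and all values >= order)."""
    return (1 << bits) - (order - 1)


if __name__ == "__main__":
    # Toy group of order 11 with 4-bit encodings: the bias is visible by eye.
    print("toy, top bit = 1:", prefix_probability(11, 4, 1, 1))   # 3/10, not 1/2

    # P-256: a uniform 256-bit string starts with 32 one-bits with
    # probability 2^-32; a uniform scalar does so far less often, because
    # n itself starts with FFFFFFFF followed by 00000000.
    p = prefix_probability(P256_N, 256, 0xFFFFFFFF, 32)
    print("P-256, top 32 bits all ones: about 2^-%d" % (p.denominator // p.numerator).bit_length())
    print("unreachable 256-bit strings: about 2^%d" % unreachable_strings(P256_N, 256).bit_length())
```

For P-256 the deviation from a uniform bit string is small, since only about 2^224 of the 2^256 strings are excluded, but it is not zero, which is the point the reply makes.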