Re: [Cfrg] uniform random distribution in ECDH public key

"Blumenthal, Uri - 0668 - MITLL" <> Fri, 24 August 2012 17:28 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id E3D9A21F86E0 for <>; Fri, 24 Aug 2012 10:28:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -5.9
X-Spam-Status: No, score=-5.9 tagged_above=-999 required=5 tests=[AWL=0.699, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, UNPARSEABLE_RELAY=0.001]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id fHRxp486rtWM for <>; Fri, 24 Aug 2012 10:28:46 -0700 (PDT)
Received: from (MX2.LL.MIT.EDU []) by (Postfix) with ESMTP id B7F4A21F8646 for <>; Fri, 24 Aug 2012 10:28:45 -0700 (PDT)
Received: from ( by (unknown) with ESMTP id q7OHSdhx017132; Fri, 24 Aug 2012 13:28:40 -0400
From: "Blumenthal, Uri - 0668 - MITLL" <>
To: Dan Brown <>, "" <>, "" <>
Date: Fri, 24 Aug 2012 13:12:16 -0400
Thread-Topic: [Cfrg] uniform random distribution in ECDH public key
Thread-Index: Ac2CG52z9szvPmQ+T3i/YBALZDcSWw==
Message-ID: <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
user-agent: Microsoft-MacOutlook/
acceptlanguage: en-US
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha1"; boundary="B_3428658737_160858436"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.7.7855, 1.0.260, 0.0.0000 definitions=2012-08-24_06:2012-08-24, 2012-08-24, 1970-01-01 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 ipscore=0 suspectscore=2 phishscore=0 bulkscore=0 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=6.0.2-1203120001 definitions=main-1208240159
Subject: Re: [Cfrg] uniform random distribution in ECDH public key
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 24 Aug 2012 17:28:47 -0000

On 8/23/12 8:27 , "Dan Brown" <> wrote:

>One general advantage: after hashing the shared secret is pseudorandom.

No it is not. Pseudorandomness of the output has not been a design
criteria of hash functions until the SHA3 competition.

>A second advantage, nonces and identifiers can be thrown into the hash
>input, for various gains, such as generating several keys, one for AES
>and for HMAC.

That holds and helps, though (again, until SHA3 is selected and deployed)
it is hard to tell how well (or otherwise) these extra bits get
"intermixed" or spread over in the output value.

>A third advantage, if the shared key is later revealed, then the hash
>prevents the calculation of the raw ECDH value

That holds, and is a nice property to have.

>----- Original Message -----
>From: David Jacobson []
>Sent: Thursday, August 23, 2012 01:17 AM
>To: <>
>Subject: Re: [Cfrg] uniform random distribution in ECDH public key
>On 08/14/2012 11:23 AM, Dan Harkins wrote:
>>    Hi Bob,
>> On Tue, August 14, 2012 11:01 am, Robert Moskowitz wrote:
>>> I understand from RFC 6090 and 5869 that the secret key produced from
>>> ECDH exchange is not uniformly randomly distributed and that is why we
>>> have the 'Extract' phase in HKDF.  Got that.
>>> This question is about the public key, g^j:
>>> I understand that like j, it must be a point on the curve, thus if the
>>> curve is p-256, both j and g^j are 256 bits long.  But is g^j uniformly
>>> randomly distributed like j is suppose to be?
>>    No, it's not. It's it's a special pair (x,y) that satisfy the
>> of the
>> curve:  y^2 = x^3 + ax + b. Not all pairs will satisfy that equation. I
>> believe about half of them will and about half won't.
>>    For x to be random, each number between 0 and p would have equal
>> probability. But that's not the case since about half won't.
>>> Side question:  I am still unclear on the length of the exchanged
>>> (g^j)^k, is it 256 bits (for p-256) or larger (perhaps 512 bits)?
>>    The result of an ECDH is an element in the group so it's also an
>> pair but the secret that you use in your KDF is the x coordinate of that
>> result. The y coordinate is discarded.
>>    regards,
>>    Dan.
>> _______________________________________________
>> Cfrg mailing list
>So now that we are into tutorial mode on this, I'd like to ask a
>question.  Standard procedure for Diffie-Hellman key exchange is to
>construct the session key from the X-coordinate by hashing.  Now suppose
>that I'm using the NIST P-256 curve and the symmetric encryption
>functions is AES-256.
>The number of possible shared key values is the order of the curve - 1
>(point at infinity isn't used), which is extremely close to 2^256.
>These points come in pairs, if there is a point at an X value, there are
>2, one at Y and the other -Y.  So essentially all X values occur with
>probability  very close to 2/2^256, which means that the X-coordinate
>after the DH procedure can be thought of as a source with 255 bits of
>min-entropy.  If we hash the X coordinate with SHA-256, we actually lose
>a little bit of entropy, since some X values will collide and produce
>some session key with probability higher than 2/2^256, lowering the
>So what is the advantage of the hash operation?
>Thank you,
>     --David Jacobson
>Cfrg mailing list
>This transmission (including any attachments) may contain confidential
>information, privileged material (including material protected by the
>solicitor-client or other applicable privileges), or constitute
>non-public information. Any use of this information by anyone other than
>the intended recipient is prohibited. If you have received this
>transmission in error, please immediately reply to the sender and delete
>this information from your system. Use, dissemination, distribution, or
>reproduction of this transmission by unintended recipients is not
>authorized and may be unlawful.
>Cfrg mailing list