[Cfrg] uniform random distribution in ECDH public key

Robert Moskowitz <rgm-sec@htt-consult.com> Tue, 14 August 2012 18:02 UTC


I understand from RFC 6090 and 5869 that the secret key produced from an 
ECDH exchange is not uniformly randomly distributed and that is why we 
have the 'Extract' phase in HKDF.  Got that.

This question is about the public key, g^j:

I understand that like j, it must be a point on the curve, thus if the 
curve is p-256, both j and g^j are 256 bits long.  But is g^j uniformly 
randomly distributed like j is supposed to be?

Side question:  I am still unclear on the length of the exchanged secret 
(g^j)^k, is it 256 bits (for p-256) or larger (perhaps 512 bits)?

Thank you for helping me get all this straight.
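
The distinction the question turns on, as an added example that is not part of the original message: on a small curve, a uniform private scalar j maps one-to-one onto the group's points, while the x-coordinates that would be encoded cover only part of the field. The toy curve y^2 = x^3 + 2x + 2 over F_17 with base point (5, 1) and all function names are assumptions chosen for illustration; this is not P-256.

```python
# Toy curve y^2 = x^3 + 2x + 2 over F_17 (constructed for illustration, not P-256).
P, A = 17, 2        # field prime and curve coefficient a (b = 2 is not needed below)
G = (5, 1)          # base point, assumed generator of the whole group
O = None            # point at infinity

def add(p1, p2):
    """Affine point addition on the toy curve."""
    if p1 is O:
        return p2
    if p2 is O:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return O                      # p2 is the inverse of p1
    if p1 == p2:
        s = (3 * x1 * x1 + A) * pow((2 * y1) % P, -1, P) % P
    else:
        s = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (s * s - x1 - x2) % P
    return (x3, (s * (x1 - x3) - y1) % P)

def mul(k, pt):
    """Double-and-add scalar multiplication, i.e. g^k in the message's notation."""
    acc = O
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def group_order():
    n, pt = 1, G
    while pt is not O:                # walk G, 2G, 3G, ... until infinity
        pt, n = add(pt, G), n + 1
    return n

def public_keys():
    """Every private scalar j in [1, n-1] mapped to its public point jG."""
    return {j: mul(j, G) for j in range(1, group_order())}

def x_coverage():
    """(distinct x-coordinates among public keys, number of field elements)."""
    return len({pt[0] for pt in public_keys().values()}), P

def shared_secret(j, k):
    """The shared point (g^j)^k, checked against (g^k)^j; None on mismatch."""
    a, b = mul(k, mul(j, G)), mul(j, mul(k, G))
    return a if a == b else None
```

Each public key and each shared secret here is a point with two coordinates, and x_coverage() shows that a point's x-coordinate cannot take every value in the field.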