[cryptography] FHMQV Shared Secret Size (Element vs Hash size)

Jeffrey Walton noloader at gmail.com
Thu Feb 2 15:53:18 EST 2012

Hi All,

I'm working on an implementation of FHMQV. The math works out and a
shared secret is derived by both parties.

FHMQV is Fully Hashed MQV, and applies a hash function at key points
to remediate information leakage. One of those points is just before
the shared secret is output.

In classical Diffie-Hellman, the shared secret size is that of an
element over the field. If using, for example, NIST P-521, the
element's size would be 66 bytes. However, because the shared secret
(an element) is hashed, the size is reduced to the blocksize of the hash.
If using SHA-512, that means the secret is 64 bytes.

My question: since I cannot find a reference implementation, what is
the size of the shared secret under FHMQV? Should I use the element's size
(66) and repeatedly apply the hash and take the leftmost l-bits
(similar to a KDF)? Or should the shared secret size be reduced to
that of the hash's block size (64)?

In either case, I believe the same amount of information is present.
But if using the first method (leftmost l-bits), it might appear more
bits are present due to iteratively applying the hash function (if
security levels are a concern). As I have thought about it, I'm
inclined to go with the hash's block size.
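
The two options weighed in the post, as an added example that is not part of the original message or of any FHMQV reference code: a single SHA-512 digest versus a repeated-hash expansion truncated to the leftmost l bits. The counter-prefixed construction, the function names and the sample element are assumptions made for illustration.

```python
import hashlib

ELEMENT_BYTES = 66   # P-521 element size as stated in the post
FIELD_BITS = 521     # l, when the output is sized to match the element

# Constructed sample input: 66 arbitrary bytes standing in for the shared
# element. It is not a real curve coordinate.
SAMPLE_ELEMENT = bytes(range(ELEMENT_BYTES))


def single_hash_secret(element: bytes) -> bytes:
    """Output one SHA-512 digest of the element (64 bytes)."""
    return hashlib.sha512(element).digest()


def expanded_secret(element: bytes, l_bits: int = FIELD_BITS) -> bytes:
    """Hash repeatedly and keep the leftmost l bits.

    Assumed construction: SHA-512(counter || element) with a 4-byte
    big-endian counter starting at 1. The post only says "repeatedly
    apply the hash", so this layout is hypothetical.
    """
    out_len = (l_bits + 7) // 8
    stream = b""
    counter = 1
    while len(stream) < out_len:
        block = hashlib.sha512(counter.to_bytes(4, "big") + element).digest()
        stream += block
        counter += 1
    out = bytearray(stream[:out_len])
    spare = out_len * 8 - l_bits          # bits past l in the final byte
    if spare:
        out[-1] &= (0xFF << spare) & 0xFF  # keep only the leftmost l bits
    return bytes(out)


if __name__ == "__main__":
    a = single_hash_secret(SAMPLE_ELEMENT)
    b = expanded_secret(SAMPLE_ELEMENT)
    print("single digest :", len(a), "bytes")
    print("expanded      :", len(b), "bytes,", FIELD_BITS, "bits kept")
```

Both outputs are deterministic functions of the same 66-byte input, so the longer output carries no more entropy than that input provides.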

