[cryptography] FHMQV Shared Secret Size (Element vs Hash size)

Jeffrey Walton noloader at gmail.com
Thu Feb 2 17:17:14 EST 2012

On Thu, Feb 2, 2012 at 3:53 PM, Jeffrey Walton <noloader at gmail.com> wrote:
> Hi All,
> I'm working on an implementation of FHMQV. The math works out and a
> shared secret is derived by both parties.
> FHMQV is Fully Hashed MQV, and applies a hash function at key points
> to remediate information leakage. One of those points is just before
> the shared secret is output.
> In classical Diffie-Hellman, the shared secret size is that of an
> element over the field. If using, for example, NIST P-521, the
> element's size would be 66 bytes. However, because the shared secret
> (an element) is hashed, the size is reduced to blocksize of the hash.
> If using SHA-512, that means the secret is 64 bytes.
> My question: since I cannot find a reference implementation, what is
> the size of the shared secret under FHMQV? Should I use the element's size
> (66) and repeatedly apply the hash and take the leftmost l-bits
> (similar to a KDF)? Or should the shared secret size be reduced to
> that of the hash's block size (64)?
> In either case, I believe the same amount of information is present.
> But if using the first method (leftmost l-bits), it might appear more
> bits are present due to iteratively applying the hash function (if
> security levels are a concern). As I have thought about it, I'm
> inclined to go with the hash's block size.

I re-read Sarr, Elbaz–Vincent, and Bajard's paper. It's pretty clear
the shared secret depends on the block size of the hash rather than
the size of the field element.
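
Added example, not part of the original post and not the paper authors' code: both sides of an FHMQV-style derivation, showing that the shared element sigma is 66 bytes while the session key is the 64-byte SHA-512 output. Assumptions: a toy multiplicative group modulo 2^521 - 1 stands in for P-521 (it is not a secure group), the short digest for d and e is SHA-512 truncated to 32 bytes, and the byte encodings and the identities "alice" and "bob" are hypothetical.

```python
import hashlib
import secrets

# Assumption: toy group Z_p* with p = 2**521 - 1, used only because its
# elements encode to 66 bytes like a P-521 field element. Not a secure group.
P = 2**521 - 1
G = 3
ORDER = P - 1  # exponents are reduced modulo p - 1
ELEM_LEN = (P.bit_length() + 7) // 8  # 66 bytes


def enc(n):
    """Fixed-length big-endian encoding of a group element."""
    return n.to_bytes(ELEM_LEN, "big")


def h_bar(*parts):
    """Digest for d and e (assumption: SHA-512 truncated to 32 bytes)."""
    return int.from_bytes(hashlib.sha512(b"".join(parts)).digest()[:32], "big")


def keypair():
    priv = secrets.randbelow(ORDER - 1) + 1
    return priv, pow(G, priv, P)


def derive(initiator, static_priv, eph_priv, peer_static, peer_eph, X, Y, ids):
    """Return (encoded sigma, session key) for one side of the exchange."""
    d = h_bar(enc(X), enc(Y), *ids)
    e = h_bar(enc(Y), enc(X), *ids)
    mine, theirs = (d, e) if initiator else (e, d)
    s = (eph_priv + mine * static_priv) % ORDER
    sigma = pow(peer_eph * pow(peer_static, theirs, P) % P, s, P)
    # The final hash fixes the key length, whatever the element size is.
    key = hashlib.sha512(enc(sigma) + b"".join(ids) + enc(X) + enc(Y)).digest()
    return enc(sigma), key


def demo():
    """Constructed run: static keys (a, A), (b, B); ephemeral (x, X), (y, Y)."""
    a, A = keypair()
    b, B = keypair()
    x, X = keypair()
    y, Y = keypair()
    ids = (b"alice", b"bob")
    sig_a, key_a = derive(True, a, x, B, Y, X, Y, ids)
    sig_b, key_b = derive(False, b, y, A, X, X, Y, ids)
    return sig_a, key_a, sig_b, key_b
```

Calling demo() returns both parties' encoded sigma and session key for comparison.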
