Truncating ZZ

Liqiang(Larry) Zhu lzhu at
Mon Sep 27 15:28:59 EDT 2004


I just got an email from Dan Boneh that it is a mis-interpretation of
his paper that it is safe to truncate the ZZ and get the shared key. he
suggested to hash the ZZ, not just truncate it.

This is because the paper shows that sqrt(log(p)) bits are hard to
compute, but it doesn't prove that these sqrt(log(p)) are
indistinguishable from random.  For crypto application you need the
shared key to be random, not just hard to compute.

I am requesting the permission from Dan to forward his full email to
this DL.

One thing I did not understand and I did not ask (and which is now
irreverent) is that what do the MSB sqrt(log(p)) bits mean if ZZ is all
zeros, I would imagine that is possible.

-- Larry

More information about the krbdev mailing list