1

enter image description here

This is from Dan Boneh's Coursera Lectures - Week 6 - Constructions. https://www.coursera.org/learn/crypto/lecture/nTRhL/constructions

Here he picks a random x from X. And then Hashes X to get the session key k from K
k = H(x).

Why not just pick a random k from K instead of first picking x from X & then hashing it to get k? What is the necessity of the Hashing function here?

user93353
  • 2,191
  • 3
  • 23
  • 43
  • @kelalaka - What is the problem if it's used both in F & E? – user93353 Jan 26 '21 at 07:18
  • Sorry I've misread the eq. This is like RSA-KEM. One reason, the key is needed to be larger than the required and $F$ may not be secure sending small keys directly as RSA ( you need padding). Whereas RSA-KEM can be used without padding and the all key material should be used with KDF ( better than hashing, or see KDF-1 poormans KDF) – kelalaka Jan 26 '21 at 07:24
  • I guess it plays a role only in the security reduction, where modelling the hash as a random oracle (and programming it) is key. – ckamath Jan 26 '21 at 08:00
  • Suppose you pick a random k: what do you do with y then? Do you set y to F(pk,k) directly? I'd suggest you try it and go through the security analysis to see why it's not clear anymore how to prove security of the resulting scheme. – Geoffroy Couteau Jan 27 '21 at 21:52

0 Answers0