I've read multiple times that it is not safe to use the shared key resulting from a DH key exchange directly and that you need to do a KDF or hash over it and then use the result as a key. Why is it not safe to use the shared key directly?
- Do you have a link to an example? Besides security, a reason might be to adjust for different length requirements or possible bias in the binary format of the result. – tylo May 25 '21 at 06:49
- Maybe this is the dupe: Decisional Diffie-Hellman: compute Legendre symbol of $g^{ab}$ from $g^a$ and $g^b$? – kelalaka May 25 '21 at 06:50
- Thank you very much! – Ciprian Florin May 25 '21 at 06:58
- Also, see 1.1. in The Decision Diffie-Hellman Problem by Dan Boneh – kelalaka May 25 '21 at 07:20
- A more interesting question would be: for a group of order multiple of a prime $q>2^{255}$, would it be computationally possible to distinguish from random the low-order $\left\lceil\log_2 q\right\rceil-128$ bits of the shared secret? – fgrieu May 25 '21 at 07:23