IETF-SSH archive


Re: DH group exchange (Re: SSH key algorithm updates)



"Mark D. Baushke" <mdb%juniper.net@localhost> writes:

> Given that OpenSSH is using group16 with sha2-256 preserves 128 bits of
> security,

How do you reason about that halving, from 256 to 128? For the key
expansion, I'd expect that you can count very close to 256 bits of
entropy in the generated keys (assuming the secret dh values were
generated randomly).

Now, you will start to get some repeated session keys, i.e., collisions,
after about 2^128 sessions. But that has little to do with the hash
function: if we had a crypto system which for each session generated a
256-bit session key from a truly random source, we'd also get collisions
after about 2^128 sessions. But I think the conventional way to assign a
security level to such a system is 2^256 (the difficulty of exhaustive
key search), not 2^128.

Am I missing something?

Regards,
/Niels

-- 
Niels Möller. PGP-encrypted email is preferred. Keyid C0B98E26.
Internet email is subject to wholesale government surveillance.
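The point Niels makes above can be checked numerically: the first repeated session key among randomly derived n-bit keys appears after roughly sqrt(pi/2 * 2^n) sessions (the birthday bound), while exhaustive key search still costs 2^n. The following Python is an added illustration, not part of the original message or of any SSH implementation; the "shared secret" it hashes is a constructed random stand-in for a DH output, and the key width is shrunk to a handful of bits so the collision can actually be observed.

```python
import hashlib
import math
import random


def birthday_bound(bits: int) -> float:
    """Expected number of uniformly random bits-bit values drawn before
    the first repeat: sqrt(pi/2 * 2^bits)."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


def exhaustive_search_work(bits: int) -> int:
    """Work for brute-force key recovery: every bits-bit key is a candidate."""
    return 2 ** bits


def derive_session_key(shared_secret: bytes, bits: int) -> int:
    """Hash the shared secret with SHA-256 and keep only the top `bits`
    bits, mimicking a truncated key-derivation output."""
    digest = hashlib.sha256(shared_secret).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def sessions_until_collision(bits: int, rng: random.Random) -> int:
    """Simulate sessions with fresh random secrets until two sessions end
    up with the same truncated key; return how many sessions that took."""
    seen = set()
    count = 0
    while True:
        # Constructed stand-in for a DH shared secret (random 256-bit value).
        secret = rng.getrandbits(256).to_bytes(32, "big")
        key = derive_session_key(secret, bits)
        count += 1
        if key in seen:
            return count
        seen.add(key)


def mean_sessions_until_collision(bits: int, trials: int, seed: int = 1) -> float:
    """Average the simulated first-collision time over several trials so it
    can be compared against birthday_bound(bits)."""
    rng = random.Random(seed)
    total = sum(sessions_until_collision(bits, rng) for _ in range(trials))
    return total / trials


if __name__ == "__main__":
    bits = 16
    print(f"birthday bound for {bits}-bit keys: {birthday_bound(bits):.1f} sessions")
    print(f"simulated mean:                     {mean_sessions_until_collision(bits, 200):.1f} sessions")
    print(f"exhaustive search for {bits}-bit keys: {exhaustive_search_work(bits)} trials")
    print(f"birthday bound for 256-bit keys:   about 2^{math.log2(birthday_bound(256)):.2f}")
    print(f"exhaustive search for 256-bit keys: 2^256")
```

For 256-bit keys the two quantities are about 2^128.3 and 2^256; the simulation at 16 bits lands near 321 sessions while brute force needs 65536 trials, showing the same gap at a size that can be run in a second.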


