FIDO2 uses ECDH (elliptic-curve Diffie-Hellman) for key agreement. However, in its sequence diagram, I see they hash the shared secret using SHA-256. Is there any specific reason to use the hash instead of the shared secret itself?

Here is the FIDO sequence diagram: https://fidoalliance.org/specs/fido-v2.0-rd-20180702/img/fido-2.0-clientpin.png

Mohammad Siavashi
  • This is not about programming or development, but see https://crypto.stackexchange.com/questions/51070/is-the-openssl-implementation-of-ecdh-missing-something https://crypto.stackexchange.com/questions/30367/ecdh-security-when-no-kdf-is-used https://crypto.stackexchange.com/questions/55895/distribution-of-randomness-in-elliptic-curve-diffie-hellman-shared-secret and nearby https://crypto.stackexchange.com/questions/10660/why-must-curve25519-shared-secret-be-hashed – dave_thompson_085 Nov 20 '22 at 10:54
  • Thanks for the links. It seems that revealing some bits of x may reveal y for free in some cases. Hence, they use a KDF such as SHA-256 to hide the bits. – Mohammad Siavashi Nov 20 '22 at 11:45

0 Answers