Diffie-Hellman and the Rivest Shamir interlock protocol?
So Diffie-Hellman is subject to a MITM attack where two parties exchange:
X = g^x mod n and Y = g^y mod n.
Now presumably this can be protected against by using the Rivest Shamir interlock protocol where we split a message into two pieces and exchange them bit by bit. What I want to know is how we can split g^x mod n into two pieces for usage with Rivest Shamir?
Solution 1:
Have you actually read the paper by Rivest and Shamir? It explains quite well what the protocol is for and the scenario that it's designed for:
http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.159.1673&rep=rep1&type=pdf
I don't see how this is very applicable to Diffie-Hellman, since the point of the protocol is to authenticate public keys not to actually generate private keys.
If you're just interested in implementing Diffie-Hellman, then you need to choose a concrete group for your DH implementation and a bit encoding for its elements. In practice, you do not actually use the direct bit encoding of your group element as a key, but you apply a randomness extractor that gives you a bit string that you'll use as your key.
Randomness extractors are quite tricky, but there are some recent papers on them which you can easily find with Google.
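As an added example, not part of the original question or answer, the Python below follows the answer's advice: pick a concrete group, fix a byte encoding for its elements, validate the peer's value before use, and run the shared secret through HKDF (RFC 5869) as the extractor instead of using the raw encoding as the key. The prime, generator, salt and info strings are constructed for this demo; the prime is far too small for real use.

```python
import hashlib
import hmac
import secrets

# Toy safe prime p = 2q + 1, constructed for this example only (NOT a real-world group size).
# g = 4 is a quadratic residue mod p, so it generates the prime-order subgroup of size q.
P = 10007
Q = (P - 1) // 2
G = 4


def encode_element(x: int) -> bytes:
    """Fixed-length big-endian encoding of a group element: the 'bit encoding' the answer mentions."""
    return x.to_bytes((P.bit_length() + 7) // 8, "big")


def validate_public(y: int) -> bool:
    """Reject out-of-range values and elements outside the order-q subgroup before using a peer's share."""
    return 1 < y < P - 1 and pow(y, Q, P) == 1


def keygen():
    """Private exponent in [1, q-1] and the public share g^x mod p."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def derive_key(x: int, peer_public: int, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """Shared secret -> symmetric key via HKDF, used here as the randomness extractor."""
    if not validate_public(peer_public):
        raise ValueError("invalid peer public value")
    shared = encode_element(pow(peer_public, x, P))
    prk = hmac.new(salt, shared, hashlib.sha256).digest()  # HKDF-Extract
    okm, block, counter = b"", b"", 1
    while len(okm) < length:  # HKDF-Expand
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def demo():
    """Both sides derive the same key from their own exponent and the other's public share."""
    a, pub_a = keygen()
    b, pub_b = keygen()
    salt = b"constructed-session-salt"  # in practice bind this to the session transcript
    info = b"example dh key"
    key_a = derive_key(a, pub_b, salt, info)
    key_b = derive_key(b, pub_a, salt, info)
    return key_a == key_b, key_a
```

Note that none of this authenticates the shares; it only turns an agreed group element into a usable key, which is the answer's point.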
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | Edvard Fagerholm |