IETF Logo Mail Archive

KDF definition and goal [was: [Cfrg] Fwd: Hash-Based Key Derivation]

David McGrew <mcgrew@cisco.com> Tue, 25 October 2005 22:04 UTC

Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EUWuB-0004pp-55; Tue, 25 Oct 2005 18:04:27 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EUWu9-0004pf-L6 for cfrg@megatron.ietf.org; Tue, 25 Oct 2005 18:04:25 -0400
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id SAA17981 for <cfrg@ietf.org>; Tue, 25 Oct 2005 18:04:10 -0400 (EDT)
Received: from sj-iport-2-in.cisco.com ([171.71.176.71] helo=sj-iport-2.cisco.com) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1EUX79-0003q7-Id for cfrg@ietf.org; Tue, 25 Oct 2005 18:17:54 -0400
Received: from sj-core-2.cisco.com ([171.71.177.254]) by sj-iport-2.cisco.com with ESMTP; 25 Oct 2005 15:04:14 -0700
Received: from xbh-sjc-231.amer.cisco.com (xbh-sjc-231.cisco.com [128.107.191.100]) by sj-core-2.cisco.com (8.12.10/8.12.6) with ESMTP id j9PM43Jp007967 for <cfrg@ietf.org>; Tue, 25 Oct 2005 15:04:12 -0700 (PDT)
Received: from xfe-sjc-211.amer.cisco.com ([171.70.151.174]) by xbh-sjc-231.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.211); Tue, 25 Oct 2005 15:04:06 -0700
Received: from [192.168.1.100] ([10.32.254.212]) by xfe-sjc-211.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.211); Tue, 25 Oct 2005 15:04:05 -0700
In-Reply-To: <01ad01c5d99a$bbe11ad0$0200a8c0@simon>
References: <01ad01c5d99a$bbe11ad0$0200a8c0@simon>
Mime-Version: 1.0 (Apple Message framework v734)
X-Priority: 3 (Normal)
Content-Type: text/plain; charset="US-ASCII"; format="flowed"
Message-Id: <BF6F14C4-1D41-45F1-8E97-926AC3E5F96A@cisco.com>
Content-Transfer-Encoding: 7bit
From: David McGrew <mcgrew@cisco.com>
Subject: KDF definition and goal [was: [Cfrg] Fwd: Hash-Based Key Derivation]
Date: Tue, 25 Oct 2005 15:04:03 -0700
To: cfrg@ietf.org
X-Mailer: Apple Mail (2.734)
X-OriginalArrivalTime: 25 Oct 2005 22:04:06.0011 (UTC) FILETIME=[04557CB0:01C5D9B0]
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 538aad3a3c4f01d8b6a6477ca4248793
Content-Transfer-Encoding: 7bit
X-BeenThere: cfrg@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:cfrg@ietf.org>
List-Help: <mailto:cfrg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=subscribe>
Sender: cfrg-bounces@ietf.org
Errors-To: cfrg-bounces@ietf.org


Okay, I got carried away and wrote up the following definition and
goal for a key derivation function (KDF) which seems appropriate and
also seems amenable to reduction-based security proofs.  It may well
be the case that something like this exists in the literature (if so
please send me a pointer :-)  Comments welcome.

A KDF takes as input a bit string S such that l < len(S) < m, and an
integer L, and returns a bit string of length L.  Security is defined
using the following experiment:

     The adversary is given access to the oracle defined below, and is
     allowed precisely q queries. At the outset of the experiment, a
     bit B is chosen uniformly at random (and is hidden from the
     adversary).  If B = 0, then a bit string R of length l is chosen
     uniformly at random (and is hidden from the adversary).  The
     adversary is allowed to make queries in which she provides an
     input of the form X, Y, where X and Y are bit strings such that l
     < len(X) = len(Y) < m, and exactly l bits of Y are set to one.

     If B = 0, then each query is handled as follows.  The bit string S
     of length len(X) is formed by setting S_i = X_i if Y_i = 0, and
     setting S_i = R_i otherwise.  S is input to KDF, and the result is
     returned.

     If B = 1, then each query is handled by generating a bitstring
     of length L uniformly at random, and returning it.

     At the end of the experiment, the adversary returns a bit D
     that indicates her guess at the value of B.

We define the advantage the usual way:

     A = P[ D = 1 | B = 1 ] - P[ D = 1 | B = 0 ]

If the adversary's advantage can be bounded to a very small value
(e.g.  2^-80), then the KDF is secure.

We could make the adversary stronger by allowing her to choose which
bit of R goes into which position in S, or make her weaker by
requiring her to choose the same value of Y for each query.

A KDF that met this definition would be fairly idiot-proof.  It would
probably be useful in distilling entropy from a random source as well.

It would be even more interesting to consider cases in which the
attacker's uncertainty about S isn't just determined by a bit-mask.
For example, allow her to choose a value S' but then exor it with a
value chosen from a source with min-entropy l.

Here's a challenge for the day: design a KDF that provably meets
this security goal, based on a PRP and/or collision-resistant hash.

_______________________________________________
Cfrg mailing list
Cfrg@ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg

v2.23.0 | Report a Bug | By Email