KDF definition and goal [was: [Cfrg] Fwd: Hash-Based Key Derivation]

David Wagner <daw@cs.berkeley.edu> Wed, 26 October 2005 16:45 UTC

From: David Wagner <daw@cs.berkeley.edu>
Message-Id: <200510261645.j9QGjOk9024304@taverner.CS.Berkeley.EDU>
Subject: KDF definition and goal [was: [Cfrg] Fwd: Hash-Based Key Derivation]
To: cfrg@ietf.org
Date: Wed, 26 Oct 2005 09:45:24 -0700

David McGrew writes:
> show a KDF design that's secure in the random oracle model,
> but which is not secure in the reduction-based model.

KDF1(K,X):
1. If H(X)=SHA256(0), output K.
2. Otherwise, output H(K||X).

KDF2(K,X):
1. Try to parse X as the description of a circuit C.
2. If that succeeds, pick Z at random.  If H(Z)=C(Z), then output K.
3. Otherwise, output H(K||X).

KDF1 is secure in the random oracle model, but insecure when the
hash is instantiated by SHA256 (just choose X=0 to break it).

KDF2 is secure in the random oracle model, but insecure when the
hash is instantiated by any real hash function (just choose X to be
a description of the hash circuit to break it).

These are essentially the classic methods for separating the random
oracle model from the standard model.  As you can see, they both will
end up with a KDF construction that looks contrived and fishy.
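As an added illustration, not part of David Wagner's message: a Python sketch of KDF1 and KDF2 instantiated with SHA-256 and SHA3-256. It assumes that "0" means the single zero byte and models a "circuit description" as the name of one of two candidate hash functions; with the matching hash, the caller-chosen X makes the KDF return K unchanged, which is exactly the standard-model failure the message describes.

```python
import hashlib
from typing import Callable

Hash = Callable[[bytes], bytes]


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def sha3_256(data: bytes) -> bytes:
    return hashlib.sha3_256(data).digest()


# Assumption: the "0" in step 1 of KDF1 is a single zero byte.
ZERO = b"\x00"
SHA256_OF_ZERO = sha256(ZERO)

# Assumption: a "circuit description" is the name of a known hash function.
CIRCUITS = {"sha256": sha256, "sha3_256": sha3_256}


def kdf1(key: bytes, x: bytes, h: Hash) -> bytes:
    """KDF1(K, X): output K if H(X) = SHA256(0), else H(K || X)."""
    if h(x) == SHA256_OF_ZERO:
        return key
    return h(key + x)


def kdf2(key: bytes, x: bytes, h: Hash) -> bytes:
    """KDF2(K, X): output K if X describes a circuit C with H(Z) = C(Z), else H(K || X)."""
    try:
        name = x.decode("ascii")
    except UnicodeDecodeError:
        return h(key + x)
    circuit = CIRCUITS.get(name)
    if circuit is None:
        return h(key + x)  # X does not parse as a circuit description
    z = hashlib.sha256(b"fresh-random-z").digest()  # stands in for random Z
    if h(z) == circuit(z):  # C computes the very function H was instantiated with
        return key
    return h(key + x)


if __name__ == "__main__":
    k = b"k" * 32  # constructed sample key
    print("KDF1/SHA-256, X=0 leaks K:", kdf1(k, ZERO, sha256) == k)
    print("KDF1/SHA3-256, X=0 leaks K:", kdf1(k, ZERO, sha3_256) == k)
    print("KDF2/SHA-256, X='sha256' leaks K:", kdf2(k, b"sha256", sha256) == k)
```

With a hash the constant or description does not match, both KDFs fall back to H(K || X) and behave like the honest construction, which is why the separation only appears once the oracle is replaced by a concrete function.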
