Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd)
"D. J. Bernstein" <djb@cr.yp.to> Sat, 29 October 2005 22:52 UTC
Received: from localhost.cnri.reston.va.us ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EVzYi-0000uN-3J; Sat, 29 Oct 2005 18:52:20 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EVzYg-0000uI-Jv for cfrg@megatron.ietf.org; Sat, 29 Oct 2005 18:52:18 -0400
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id SAA29153 for <cfrg@ietf.org>; Sat, 29 Oct 2005 18:52:01 -0400 (EDT)
Received: from stoneport.math.uic.edu ([131.193.178.160]) by ietf-mx.ietf.org with smtp (Exim 4.43) id 1EVzmX-0001dJ-5I for cfrg@ietf.org; Sat, 29 Oct 2005 19:06:38 -0400
Received: (qmail 60478 invoked by uid 1016); 29 Oct 2005 22:52:36 -0000
Date: Sat, 29 Oct 2005 22:52:36 -0000
Message-ID: <20051029225236.60468.qmail@cr.yp.to>
Automatic-Legal-Notices: See http://cr.yp.to/mailcopyright.html.
From: "D. J. Bernstein" <djb@cr.yp.to>
To: cfrg@ietf.org
Subject: Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd)
References: <21357237.1130598518366.JavaMail.root@elwamui-karabash.atl.sa.earthlink.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
X-Spam-Score: 0.0 (/)
X-Scan-Signature: e5ba305d0e64821bf3d8bc5d3bb07228
X-BeenThere: cfrg@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:cfrg@ietf.org>
List-Help: <mailto:cfrg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=subscribe>
Sender: cfrg-bounces@ietf.org
Errors-To: cfrg-bounces@ietf.org
John Kelsey writes: > I think the thing you're both missing here is the ways these > primitives can be attacked. Hash functions are easier to attack, > because in general, you can't assume any secrets from the attacker, No. The thing you're missing here---see the subject line---is that we are talking about how to build key-derivation functions. When MD5 or SHA-256 or an AES-based function is used to derive keys, there _is_ an input kept secret from the attacker, namely a Diffie-Hellman g^xy. The security of a key-derivation function is _not_ equivalent to collision resistance. It is _not_ equivalent to the PRF property. It is _not_ equivalent to universality, randomness extraction, etc. All of these are interesting topics, but they are distractions from the topic at hand, namely key derivation. Certainly the cryptographic community has had some spectacular failures to design collision-resistant hash functions. But secure key derivation is a completely different problem. Statements such as ``many of our hash functions aren't collision-resistant, so they aren't safe key-derivation functions'' are obviously silly. You're adding to the confusion if you use the ambiguous word ``secure'' and say things like ``secure hash functions are hard to design'' rather than ``collision-resistant hash functions are hard to design.'' People saying things like ``secure hash functions are hard to design, so we can't use hash functions for key derivation'' don't seem to realize that they're bouncing between two completely different security notions. ---D. J. Bernstein, Professor, Mathematics, Statistics, and Computer Science, University of Illinois at Chicago _______________________________________________ Cfrg mailing list Cfrg@ietf.org https://www1.ietf.org/mailman/listinfo/cfrg
- [Cfrg] Re: Cfrg Digest, Vol 16, Issue 43 John Kelsey
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) D. J. Bernstein