[Cfrg] KDF: Randomness extraction vs. key expansion
David Wagner <daw@cs.berkeley.edu> Fri, 28 October 2005 20:47 UTC
From: David Wagner <daw@cs.berkeley.edu>
Message-Id: <200510282047.j9SKlCVG011268@taverner.CS.Berkeley.EDU>
Subject: [Cfrg] KDF: Randomness extraction vs. key expansion
To: cfrg@ietf.org
Date: Fri, 28 Oct 2005 13:47:12 -0700
Ran Canetti writes:
>A remark on randomness extraction: Randomness extraction becomes
>significantly easier if the extracting function has some public random input
>that is independent from the secret value. In many situations such public
>randomness is readily available (eg, take the nonces used in the exchange).

Hey, that's a clever idea. I hadn't heard that one before. But does it really work? Can we safely use the nonces "as-is"?

What's got me worried is that one of the nonces could have been chosen by an attacker. See my previous email for some example scenarios where everything breaks if the adversary can choose the value of the public randomness.

Perhaps you mean that we should hash the concatenation of the nonces? In the random oracle model, that sounds like it should work, but then we're back to the random oracle model again (where we can already solve this problem without needing public random inputs). And I don't see how to combine nonces securely in the absence of the random oracle model.

Maybe we could have both parties commit to their nonce, then once the commitments are revealed, have both parties open the commitments, and use the xor of the nonces as our public randomness (taking care to avoid reflection and malleability attacks). But I doubt that many existing protocols are already doing this, and it sounds like it might be a somewhat annoying change to have to make to an existing protocol.

Is there any analysis of how to make some idea like this work, without using the random oracle model?

(I'm finding this to be a fascinating discussion, by the way...)
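The commit-then-reveal exchange sketched in the message above, written out as an added example (this is not code from Wagner's message or from the CFRG thread). It assumes a SHA-256 hash commitment with a per-role label as the anti-reflection measure, HMAC-SHA256 as the extractor keyed by the jointly generated salt, and constructed sample values; the hash commitment is the obvious practical instantiation, not a standard-model argument. Each side records the peer's commitment before anyone reveals, rejects an echoed copy of its own commitment, checks that the revealed nonce opens the committed value, and only then XORs the two nonces into the public salt used for extraction.

```python
import hashlib
import hmac
import os

NONCE_LEN = 32  # 256-bit nonces; a constructed choice for this example


def commit(role: bytes, nonce: bytes) -> bytes:
    """Hash commitment to a nonce, bound to the committing party's role label.

    The role label is what defeats reflection: a commitment merely echoed back
    by the peer opens under the wrong label and fails verification.
    """
    return hashlib.sha256(b"nonce-commit|" + role + b"|" + nonce).digest()


def verify_opening(role: bytes, nonce: bytes, commitment: bytes) -> bool:
    """Return True iff (role, nonce) is a valid opening of `commitment`."""
    if len(nonce) != NONCE_LEN:
        return False
    return hmac.compare_digest(commit(role, nonce), commitment)


class Party:
    """One side of the commit-then-reveal exchange."""

    def __init__(self, role: bytes, nonce=None):
        self.role = role
        # A fixed nonce may be passed in for deterministic testing; otherwise draw a fresh one.
        self.nonce = nonce if nonce is not None else os.urandom(NONCE_LEN)
        self.commitment = commit(role, self.nonce)
        self.peer_commitment = None

    def receive_commitment(self, peer_commitment: bytes) -> None:
        """Phase 1: record the peer's commitment before either side reveals."""
        if hmac.compare_digest(peer_commitment, self.commitment):
            raise ValueError("peer reflected our own commitment")
        self.peer_commitment = peer_commitment

    def derive_public_randomness(self, peer_role: bytes, peer_nonce: bytes) -> bytes:
        """Phase 2: accept the peer's opening only if it matches their commitment."""
        if self.peer_commitment is None:
            raise ValueError("reveal received before the commitment phase completed")
        if peer_role == self.role:
            raise ValueError("peer claims our own role (reflection)")
        if not verify_opening(peer_role, peer_nonce, self.peer_commitment):
            raise ValueError("revealed nonce does not open the committed value")
        # XOR of the two nonces: a party who committed first cannot bias this
        # after seeing the other nonce without breaking the commitment.
        return bytes(a ^ b for a, b in zip(self.nonce, peer_nonce))


def extract_key(public_salt: bytes, shared_secret: bytes) -> bytes:
    """Randomness extraction keyed by the jointly generated public salt (HMAC-SHA256)."""
    return hmac.new(public_salt, shared_secret, hashlib.sha256).digest()


def run_exchange(shared_secret: bytes, nonce_a=None, nonce_b=None):
    """Simulate both parties end to end; returns (key_a, key_b)."""
    alice = Party(b"initiator", nonce_a)
    bob = Party(b"responder", nonce_b)
    # Phase 1: exchange commitments.
    alice.receive_commitment(bob.commitment)
    bob.receive_commitment(alice.commitment)
    # Phase 2: exchange openings and derive the salt on each side.
    salt_a = alice.derive_public_randomness(bob.role, bob.nonce)
    salt_b = bob.derive_public_randomness(alice.role, alice.nonce)
    return extract_key(salt_a, shared_secret), extract_key(salt_b, shared_secret)


if __name__ == "__main__":
    secret = b"constructed shared secret from some key exchange"  # constructed sample
    k_a, k_b = run_exchange(secret)
    print("keys match:", k_a == k_b)
```

The point of the role label and the reflection check is that an attacker who can only replay messages cannot make one side's salt depend on the other side's nonce alone; the commitment ordering is what keeps the second mover from choosing its nonce after seeing the first. The salt still does not help if both nonces are attacker-controlled, which is the scenario the message is worried about.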