[Cfrg] KDF: Randomness extraction vs. key expansion

David Wagner <daw@cs.berkeley.edu> Fri, 28 October 2005 20:47 UTC

From: David Wagner <daw@cs.berkeley.edu>
Message-Id: <200510282047.j9SKlCVG011268@taverner.CS.Berkeley.EDU>
Subject: [Cfrg] KDF: Randomness extraction vs. key expansion
To: cfrg@ietf.org
Date: Fri, 28 Oct 2005 13:47:12 -0700
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Reply-To: David Wagner <daw-usenet@taverner.CS.Berkeley.EDU>
List-Id: Crypto Forum Research Group <cfrg.ietf.org>

Ran Canetti writes:
>A remark on randomness extraction: Randomness extraction becomes
>significantly easier if the extracting function has some public random input
>that is independent from the secret value. In many situations such public
>randomness is readily available (eg, take the nonces used in the exchange).

Hey, that's a clever idea.  I hadn't heard that one before.

But does it really work?  Can we safely use the nonces "as-is"?
What's got me worried is that one of the nonces could have been chosen
by an attacker.  See my previous email for some example scenarios where
everything breaks if the adversary can choose the value of the public
randomness.

Perhaps you mean that we should hash the concatenation of the nonces?
In the random oracle model, that sounds like it should work, but then
we're back to the random oracle model again (where we can already solve
this problem without needing public random inputs).  And I don't see
how to combine nonces securely in the absence of the random oracle model.

Maybe we could have both parties commit to their nonce, then once
the commitments are revealed, have both parties open the commitments,
and use the xor of the nonces as our public randomness (taking care
to avoid reflection and malleability attacks).  But I doubt that many
existing protocols are already doing this, and it sounds like it might
be a somewhat annoying change to have to make to an existing protocol.

Is there any analysis of how to make some idea like this work, without
using the random oracle model?

(I'm finding this to be a fascinating discussion, by the way...)

_______________________________________________
Cfrg mailing list
Cfrg@ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg
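The commit-then-open nonce exchange sketched in the message above, as an added illustration written for this archive page; it is not code from the post, from the CFRG, or from any existing protocol, and it makes no claim about the security of any of them. Both parties commit to a nonce, exchange commitments, then open them; the XOR of the two nonces becomes the public salt of an HMAC-based extraction step (HKDF-Extract from RFC 5869) over a shared secret. SHA-256, 32-byte nonces, the commitment encoding, the message layout and the placeholder shared secret are all assumptions made here. The block also shows the two checks the post says are needed: a reflected commitment is rejected, and a peer that committed to one nonce cannot open to a different one after seeing ours, which is exactly the move that lets a late chooser pick the salt when the raw nonces are XORed without commitments.

```python
"""Commit-then-open nonce agreement as a public salt for randomness extraction.

Added illustration for this mailing-list archive page; not code from the post
or from any CFRG document.  SHA-256, nonce length, commitment encoding and the
message layout are assumptions chosen for the example.
"""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

NONCE_LEN = 32                    # assumption: 256-bit nonces
HASH = "sha256"                   # assumption: SHA-256 throughout
COMMIT_TAG = b"nonce-commit-v1"   # domain separation for the commitment hash


def commit(nonce: bytes) -> Tuple[bytes, bytes]:
    """Return (commitment, blinding) with commitment = H(tag || blinding || nonce).
    The fresh random blinding keeps the commitment hiding even if nonces are
    low-entropy; the party keeps it to open the commitment later."""
    blinding = secrets.token_bytes(NONCE_LEN)
    return hashlib.new(HASH, COMMIT_TAG + blinding + nonce).digest(), blinding


def opening_matches(commitment: bytes, blinding: bytes, nonce: bytes) -> bool:
    expected = hashlib.new(HASH, COMMIT_TAG + blinding + nonce).digest()
    return hmac.compare_digest(commitment, expected)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("xor operands differ in length")
    return bytes(x ^ y for x, y in zip(a, b))


def extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869): PRK = HMAC-Hash(salt, IKM)."""
    return hmac.new(salt, ikm, HASH).digest()


class Party:
    def __init__(self, name: str, nonce: Optional[bytes] = None):
        self.name = name
        self.nonce = secrets.token_bytes(NONCE_LEN) if nonce is None else nonce
        self.commitment, self.blinding = commit(self.nonce)
        self.peer_commitment: Optional[bytes] = None

    def receive_commitment(self, c: bytes) -> None:
        # Reflection check: a peer echoing our own commitment back is rejected.
        if hmac.compare_digest(c, self.commitment):
            raise ValueError(f"{self.name}: peer reflected our commitment")
        self.peer_commitment = c

    def opening(self) -> Tuple[bytes, bytes]:
        return self.blinding, self.nonce

    def derive_salt(self, peer_blinding: bytes, peer_nonce: bytes) -> bytes:
        """Verify the peer's opening against the commitment received in round 1,
        then XOR the nonces.  Because openings are only accepted after the
        commitment round, neither side can choose its nonce after seeing the other's."""
        if self.peer_commitment is None:
            raise ValueError(f"{self.name}: opening received before commitment round")
        if len(peer_nonce) != NONCE_LEN:
            raise ValueError(f"{self.name}: bad nonce length")
        if not opening_matches(self.peer_commitment, peer_blinding, peer_nonce):
            raise ValueError(f"{self.name}: opening does not match commitment")
        if hmac.compare_digest(peer_nonce, self.nonce):
            raise ValueError(f"{self.name}: identical nonces would zero the salt")
        return xor_bytes(self.nonce, peer_nonce)


def run_exchange(shared_secret: bytes, nonce_a: Optional[bytes] = None,
                 nonce_b: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Two-round exchange; returns (salt, PRK) after checking both sides agree."""
    a, b = Party("A", nonce_a), Party("B", nonce_b)
    a.receive_commitment(b.commitment)      # round 1: commitments cross
    b.receive_commitment(a.commitment)
    salt_a = a.derive_salt(*b.opening())    # round 2: openings cross
    salt_b = b.derive_salt(*a.opening())
    if salt_a != salt_b:
        raise ValueError("salt mismatch")
    return salt_a, extract(salt_a, shared_secret)


def naive_salt_is_attacker_controlled(honest_nonce: bytes) -> bool:
    """Without commitments a peer that picks its nonce after seeing ours chooses
    the salt outright: replaying our nonce yields an all-zero salt."""
    return xor_bytes(honest_nonce, honest_nonce) == bytes(NONCE_LEN)


def late_substitution_rejected() -> bool:
    """With commitments the same move fails: M committed to one nonce and cannot
    open to A's nonce afterwards."""
    a, m = Party("A", bytes([1]) * NONCE_LEN), Party("M", bytes([5]) * NONCE_LEN)
    a.receive_commitment(m.commitment)
    m.receive_commitment(a.commitment)
    try:
        a.derive_salt(m.blinding, a.nonce)  # M tries to open with A's nonce
    except ValueError:
        return True
    return False


def reflection_rejected() -> bool:
    a = Party("A")
    try:
        a.receive_commitment(a.commitment)  # M echoes A's commitment back
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    SHARED = b"constructed stand-in for a DH shared secret"  # constructed sample input
    salt, prk = run_exchange(SHARED)
    print("salt:", salt.hex())
    print("prk: ", prk.hex())
```

The extraction step itself is unchanged by all this: it is still HMAC keyed with a public salt. What the commitment round buys is that the salt is fixed before either party can adapt to the other's contribution, which is the property the raw nonces cannot give on their own. Whether this yields a provable extractor without a random oracle is the open question the message asks, and the code does not answer it.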