KDF definition and goal [was: [Cfrg] Fwd: Hash-Based Key Derivation]

David Wagner <daw@cs.berkeley.edu> Fri, 28 October 2005 17:08 UTC

From: David Wagner <daw@cs.berkeley.edu>
Message-Id: <200510281708.j9SH8TMm005570@taverner.CS.Berkeley.EDU>
Subject: KDF definition and goal [was: [Cfrg] Fwd: Hash-Based Key Derivation]
To: cfrg@ietf.org
Date: Fri, 28 Oct 2005 10:08:29 -0700
Reply-To: David Wagner <daw-usenet@taverner.CS.Berkeley.EDU>

Dan Bernstein writes:
>David Wagner writes:
>> The Leftover Hash Lemma requires that
>> the 2-universal hash be chosen randomly.  You have specified a scheme
>> where we use a single hash function that has been fixed in advance --
>> but then the Leftover Hash Lemma is not applicable.
>
>The hash function has to be chosen randomly, and has to be independent
>of all the other random choices in the protocol, but this doesn't mean
>that the choice has to wait until the last possible moment! A single
>random hash function can be standardized and reused for many keys.

The hash function also has to be independent of the adversary's choices.
If you pick and reveal the hash function first, and the adversary chooses
their values afterwards (and those values are processed with the hash
function you picked), all bets are off.  Did I get that right?

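The point Wagner raises above, as an added illustration that is not part of the email thread: the Leftover Hash Lemma's guarantee depends on the universal hash key being chosen independently of the inputs it will be applied to. The example below uses the textbook Carter-Wegman family h_{a,b}(x) = ((a*x + b) mod p) mod m (the prime p, the range size m and all sample inputs are constructed here). When the key is drawn after the inputs are fixed, any two distinct inputs collide with probability about 1/m. When the key is published first, the same family lets an input-chooser pick many distinct inputs that all land in one output bucket, so the output carries no entropy at all even though the inputs are distinct.

```python
import random

# Constructed parameters for the illustration, not values from any standard.
P = (1 << 61) - 1   # prime modulus for the affine map
M = 256             # size of the output range (8-bit "derived key")


def h(a, b, x):
    """Member h_{a,b} of the 2-universal family x -> ((a*x + b) mod P) mod M."""
    return ((a * x + b) % P) % M


def collision_rate_key_after_inputs(x, y, trials, seed=0):
    """Inputs fixed first, key drawn afterwards (the model the lemma needs).

    Returns the fraction of random keys for which h(x) == h(y); for a
    2-universal family this is about 1/M for any distinct x, y.
    """
    rng = random.Random(seed)   # seeded so the run is reproducible
    hits = 0
    for _ in range(trials):
        a = rng.randrange(1, P)
        b = rng.randrange(P)
        if h(a, b, x) == h(a, b, y):
            hits += 1
    return hits / trials


def bucket_collapsing_inputs(a, b, n):
    """Key (a, b) fixed and public first, inputs chosen afterwards.

    x -> (a*x + b) mod P is a bijection on Z_P, so every value v in Z_P has
    exactly one preimage x = (v - b) * a^{-1} mod P.  Choosing v = k*M for
    k = 0..n-1 yields n distinct inputs whose final output is all 0: the
    universality bound says nothing once inputs depend on the key.
    """
    a_inv = pow(a, -1, P)
    return [((k * M - b) * a_inv) % P for k in range(n)]


def output_min_entropy_bits(outputs):
    """Min-entropy of the empirical output distribution, in bits."""
    import math
    counts = {}
    for o in outputs:
        counts[o] = counts.get(o, 0) + 1
    p_max = max(counts.values()) / len(outputs)
    return -math.log2(p_max)


if __name__ == "__main__":
    rate = collision_rate_key_after_inputs(123456789, 987654321, 20000)
    print(f"key chosen after inputs: collision rate {rate:.4f} (1/M = {1/M:.4f})")

    a, b = 12345, 67890                      # constructed, public key
    xs = bucket_collapsing_inputs(a, b, 64)
    outs = [h(a, b, x) for x in xs]
    print(f"key published first: {len(set(xs))} distinct inputs, "
          f"{len(set(outs))} distinct outputs, "
          f"{output_min_entropy_bits(outs):.1f} bits of min-entropy")
```

The second scenario is exactly the one Wagner describes: the hash is fixed and revealed, the other party's inputs are processed with it afterwards, and the lemma's conclusion (near-uniform output) no longer follows. A KDF that is standardized once and reused therefore cannot lean on the Leftover Hash Lemma for inputs an adversary may influence; it needs a security argument made in a different model.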