[Cfrg] Re: [saag] KDF: Randomness extraction vs. key expansion
canetti <canetti@watson.ibm.com> Sat, 29 October 2005 04:46 UTC
Date: Sat, 29 Oct 2005 00:45:50 -0400
From: canetti <canetti@watson.ibm.com>
To: Bill Sommerfeld <sommerfeld@sun.com>
In-Reply-To: <1130533119.7684.133.camel@thunk>
Message-ID: <Pine.A41.4.58.0510290017050.30282@prf.watson.ibm.com>
References: <Pine.A41.4.58.0510281538050.38438@prf.watson.ibm.com> <1130533119.7684.133.camel@thunk>
Cc: saag@mit.edu, cfrg@ietf.org
Subject: [Cfrg] Re: [saag] KDF: Randomness extraction vs. key expansion
Bill, Thanks for the good questions. See inline:

On Fri, 28 Oct 2005, Bill Sommerfeld wrote:

> On Fri, 2005-10-28 at 15:48, canetti wrote:
> > * Randomness extraction: taking an input with "high computational entropy"
> > and generating from it a pseudorandom value.
> >
> > * Key expansion: taking a short pseudorandom value and extending it to a
> > longer pseudorandom value, here the output length is variable and depends
> > on the application.
>
> Some plumbing-level questions:
>
> you suggested that random nonces should go into the first stage. would
> non-random context/identity inputs go there, too?

Yes. But indeed not for the purpose of randomness extraction. E.g., the identities are useful for binding the generated key to the identities of the peers. In general, the first stage should do whatever is necessary to get an initial seed of fixed length (say, 128 or 160 bits) that is pseudorandom for anyone except the two peers, and is bound to the correct peer identity within each one of the peers.

> and: would it ever be appropriate to use multiple stages of key
> expansion?

Yes, that could of course happen. But the requirements from all levels of key expansion are the same: take a fixed-length pseudorandom key and expand it to a long-enough pseudorandom value. This is in fact another motivation for separating randomness extraction from key expansion. All these levels of key expansion already get a pseudorandom key, so they don't need the full power of the KDF proposed in the I-D.

Ran

> for instance:
>
> [diffie-hellman] -> [randomness extraction] -> [key expansion] -> (A, B, C)
>
> A -> [key expansion] -> (A1, A2, A3)
> B -> [key expansion] -> (B1, B2, B3)
> C -> [key expansion] -> (C1, C2, C3)
>
> - Bill
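The two-stage pipeline Bill sketches (DH value and nonces into extraction, identities bound in, then a tree of expansion steps that each start from a fixed-length pseudorandom key) as an added example, not code from the thread or from the I-D under discussion. It uses the HMAC-based extract-then-expand construction later standardized as HKDF (RFC 5869); the function names, the `info` labels and the constructed inputs are assumptions.

```python
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes: the fixed-length seed the first stage yields


def extract(salt: bytes, ikm: bytes) -> bytes:
    """Randomness extraction: a high-entropy but non-uniform input (e.g. a
    Diffie-Hellman value) is condensed into one fixed-length pseudorandom key.
    The random nonces serve as the salt; non-random context such as peer
    identities is mixed into the input so the key is bound to the peers."""
    return hmac.new(salt, ikm, HASH).digest()


def expand(prk: bytes, info: bytes, length: int) -> bytes:
    """Key expansion: fixed-length pseudorandom key -> `length` pseudorandom
    bytes, HKDF-style: T(i) = HMAC(prk, T(i-1) || info || i), T(0) empty."""
    if length > 255 * HASH_LEN:
        raise ValueError("requested output too long for this construction")
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]


def derive_key_tree(dh_secret: bytes, nonce_a: bytes, nonce_b: bytes,
                    id_a: bytes, id_b: bytes) -> dict:
    """Stage 1 once, then only expansion steps for every further level."""
    # Stage 1: extraction. Nonces are the salt; identities are bound into the input.
    prk = extract(nonce_a + nonce_b, dh_secret + id_a + id_b)
    # Stage 2: expansion of the seed into the top-level keys A, B, C.
    top = expand(prk, b"top-level keys", 3 * HASH_LEN)
    keys = {}
    for idx, name in enumerate(("A", "B", "C")):
        sub = top[idx * HASH_LEN:(idx + 1) * HASH_LEN]
        keys[name] = sub
        # Stage 3: A, B, C are already fixed-length pseudorandom keys, so each
        # further level is a plain expansion with no extraction step.
        leaves = expand(sub, b"subkeys of " + name.encode(), 3 * HASH_LEN)
        for i in range(3):
            keys[f"{name}{i + 1}"] = leaves[i * HASH_LEN:(i + 1) * HASH_LEN]
    return keys
```

Changing any nonce or identity changes the extracted seed and therefore every key below it, while the per-level `info` labels keep A1 from ever colliding with B1.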