Re: [Cfrg] On using ROs for analyzing randomness extraction functions

Perhaps this is the discussion topic I should have replied to with my  
questions about Bernstein and Wagner's non-NIST KDF discussion. I  
apologize for any confusion I may have caused on the other topic.

Perhaps some will think it is only of academic interest, but I, for  
one, would be very interested in continuing the discussion on KDFs  
that can minimize, or avoid entirely, our reliance on the RO  
assumption for hash functions. So, in the interest of having a  
suitable target to throw darts at, what, if anything, is wrong with  
the following proposal, and does anything like it already exist as a  
standard or write-up?

1. Assume that there has already been an authenticated DH key  
exchange (details and caveats to be fleshed out later), resulting in  
the sharing of the secret g^xy between Alice and Bob.

2. To extract "computational entropy" (or whatever term is most  
correct) from g^xy, Alice and Bob each use, as specified by their  
protocol, the fixed universal hash function H(g^xy), where H(m) is  
defined as:

H(m) := m*x^256 mod x^256 + x^10 + x^5 + x^2 + 1

Where m is interpreted as a polynomial in x, with coefficients modulo 2.

3. H(g^xy) can then be used directly for further communications, if  
only 256-bits of key material are required, or H(g^xy) can be used as  
the key to a PRF (say, HMAC-SHA256 or CMAC-AES256) to derive more key  
material.

Such a construction would seem to be efficient and practical, and  
avoids any reliance on random oracles, so, something must be wrong  
with it. :)

-John

_______________________________________________
Cfrg mailing list
Cfrg@ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg