RE: KDF definition and goal [was: [Cfrg] Fwd: Hash-Based Key Derivation]

"Simon Blake-Wilson" <sblakewilson@bcisse.com> Thu, 27 October 2005 14:58 UTC

From: Simon Blake-Wilson <sblakewilson@bcisse.com>
To: 'David Wagner' <daw-usenet@taverner.CS.Berkeley.EDU>, cfrg@ietf.org
Subject: RE: KDF definition and goal [was: [Cfrg] Fwd: Hash-Based Key Derivation]
Date: Thu, 27 Oct 2005 10:56:55 -0400
Message-ID: <0a3001c5db06$b29e6960$0200a8c0@simon>
In-Reply-To: <200510270552.j9R5qgY9015527@taverner.CS.Berkeley.EDU>

Hi David,

> Let D be a source distribution with min-entropy >= m.
> Let S be a sampling algorithm: a randomized algorithm so that
> the output of S() is computationally indistinguishable from
> D, and so that S() is efficient.
>
> Let H be a random oracle.
> (Note: S is not permitted to invoke H, so S is independent of H.)
>
> Let F be a KDF algorithm.  Namely, F is an algorithm that
> uses an oracle (H) and accepts two inputs (K,X) and produces
> an output (Y). Let R be a random function mapping X to Y.
>
> Say that F is a (t,q,e)-secure KDF for S if for all
> adversaries A running in time at most t and making at most q
> queries, Adv A <= e, where
>   Adv A = |Pr[K <- S(); A^{F(K,.),H}=1] - Pr[A^{R(.),H}=1]|
> where q counts the number of queries to A's first oracle.
>
> Also we have the notion of a scheme F that is a
> (t,q,e)-secure KDF for some class of distributions (e.g., for
> all distributions with min-entropy >= m).
>
> The chosen-input queries correspond to cases where the
> attacker controls the auxiliary inputs X and somehow manages
> to learn the session key (e.g., it leaks; it is
> cryptanalyzed; an endpoint is hacked).

This seems like the best attempt at a definition that I've seen. My only
thought is whether an attacker should also get access to something like an
F(f(K),.) oracle. For example, in the case of an ephemeral-static DH
protocol where the recipient has a static public key g^x and the legitimate
peer contributes an ephemeral public key g^y, an attacker may be able
at some point to impersonate a legitimate peer and send (g^y)^2 and
subsequently learn the session key computed by the recipient using
S=g^2xy. Allowing the attacker access to an F(f(K),.) oracle for any
f:S->S, f \neq 1 of the attacker's choice somehow simulates this
possibility. (I suspect formalizing f and how the attacker specifies it
gets messy, but this does seem like a vaguely realistic required property
in some cases.)

Best regards. Simon
_______________________________________________
Cfrg mailing list
Cfrg@ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg
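The (g^y)^2 scenario above, played as a toy instance of the related-key KDF game, is written here as an added example for this archive page; it is not code from either poster. It assumes a small constructed 127-bit group, the relation f(K) = K^2 mod p, and compares a structure-preserving "KDF" with a hash-based one.

```python
import hashlib
import secrets

# Constructed toy DH group for illustration only: a 127-bit prime and a
# fixed base. Real deployments use standardised groups of >= 2048 bits.
P = 2**127 - 1
G = 5
NBYTES = 16          # output length of both toy KDFs

def kdf_raw(K: int, X: bytes) -> bytes:
    """Structure-preserving 'KDF': returns the DH shared secret itself."""
    return K.to_bytes(NBYTES, "big")

def kdf_hash(K: int, X: bytes) -> bytes:
    """Hash-based KDF H(K || X): hashing hides relations between keys."""
    return hashlib.sha256(K.to_bytes(NBYTES, "big") + X).digest()[:NBYTES]

def random_function():
    """Lazily sampled random function R: X -> Y (the ideal-world oracle)."""
    table = {}
    return lambda X: table.setdefault(X, secrets.token_bytes(NBYTES))

def related_key_adversary(oracle_K, oracle_fK, X: bytes) -> int:
    """A queries F(K,.) and F(f(K),.) once each, f(K) = K^2 mod p, and
    outputs 1 iff the answers still satisfy Y_fK == Y_K^2 mod p."""
    a = int.from_bytes(oracle_K(X), "big")
    b = int.from_bytes(oracle_fK(X), "big")
    return int(pow(a, 2, P) == b % P)

def real_world(kdf, X: bytes) -> int:
    """Recipient holds static x; an honest peer sends g^y; the attacker
    later sends (g^y)^2, so the recipient derives from K^2 = g^(2xy)."""
    x = secrets.randbelow(P - 2) + 1
    y = secrets.randbelow(P - 2) + 1
    K = pow(pow(G, y, P), x, P)
    K_sq = pow(pow(G, y, P) ** 2 % P, x, P)   # (g^y)^2 raised to x
    return related_key_adversary(lambda q: kdf(K, q), lambda q: kdf(K_sq, q), X)

def ideal_world(X: bytes) -> int:
    """Both oracles replaced by independent random functions."""
    return related_key_adversary(random_function(), random_function(), X)

def advantage(kdf, trials: int = 100) -> float:
    """Empirical |Pr[A=1 in real world] - Pr[A=1 in ideal world]|."""
    ctx = b"constructed context string"
    real = sum(real_world(kdf, ctx) for _ in range(trials)) / trials
    ideal = sum(ideal_world(ctx) for _ in range(trials)) / trials
    return abs(real - ideal)

if __name__ == "__main__":
    print("raw  KDF advantage:", advantage(kdf_raw))    # distinguished: 1.0
    print("hash KDF advantage:", advantage(kdf_hash))   # not distinguished: 0.0
```

The raw KDF loses the game with advantage 1 because the algebraic relation between K and K^2 survives into the outputs, which is exactly what the extra F(f(K),.) oracle is meant to capture; the hash-based KDF leaves the adversary with no measurable advantage.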