[Cfrg] Fwd: Hash-Based Key Derivation (fwd)

David Wagner <daw@cs.berkeley.edu> Fri, 28 October 2005 22:23 UTC

Dan Bernstein writes:
>David Wagner writes:
>> Another possibility -- which I would have more confidence in at the
>> moment -- is to use a block cipher based PRF such as AES-OMAC.
>
>You can turn AES into a hash function by applying, e.g., Luby-Rackoff
>plus Miyaguchi-Preneel. Using this hash function to derive keys is then
>identical to using AES to derive keys.

Is it?  I don't see it.  AES-OMAC(K,X) is provably secure (as a PRF)
assuming only that AES is a secure PRP.  Is your M-P + L-R hash KDF
provably secure under the same assumption?  I don't see why it would be.

In general, the schemes that build a hash function out of a block cipher
generally make much stronger assumptions about the block cipher:

  - In theory, if you want to prove something about such hash modes,
  you generally have to work in the ideal cipher model (the analog to
  the random oracle model); assuming only that the block cipher is a
  secure PRP (the standard model) gets you roughly nowhere.

  - In practice, such hash modes put a lot more stress on the key
  schedule than encryption or PRF modes do.  For instance, there are
  real-world block ciphers that appear to be highly secure when used
  for encryption, MACs, or PRFs, yet are totally insecure when used in
  a standard hashing mode.  TEA is a favorite example along these
  lines.  RMAC is another fantastic example.

>In other words, there's no justification for the religious notion that
>``encryption functions'' are safe while ``hash functions'' are to be
>avoided.

It's not religion.  There is a difference between PRP/PRF assumptions
and ideal cipher/random oracle model "assumptions".

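The TEA remark in the message above, made concrete as an added example that is not part of the original message: TEA has a well-known equivalent-key property, which costs a secretly keyed PRF only two bits of key space but gives immediate collisions once message data is fed in through the key input. Davies-Meyer is assumed here as the hashing mode, and the function names, IV and sample words are constructed for illustration.

```python
# Added illustration, not from the original message. TEA follows the published
# Wheeler-Needham algorithm; Davies-Meyer is an assumed choice of hashing mode.
MASK, DELTA, TOP = 0xFFFFFFFF, 0x9E3779B9, 0x80000000

def tea_encrypt(block, key):
    """Encrypt a 64-bit block (v0, v1) under a 128-bit key (k0, k1, k2, k3)."""
    (v0, v1), (k0, k1, k2, k3), s = block, key, 0
    for _ in range(32):
        s = (s + DELTA) & MASK
        v0 = (v0 + ((((v1 << 4) + k0) ^ (v1 + s) ^ ((v1 >> 5) + k1)) & MASK)) & MASK
        v1 = (v1 + ((((v0 << 4) + k2) ^ (v0 + s) ^ ((v0 >> 5) + k3)) & MASK)) & MASK
    return v0, v1

def equivalent_keys(key):
    """The four keys that TEA maps to the same permutation as `key`.

    Flipping the top bit of k0 and k1 together flips the top bit of both
    key-dependent terms in a half-round, and the XOR cancels the change.
    The same holds for k2 and k3.
    """
    k0, k1, k2, k3 = key
    return [(k0 ^ a, k1 ^ a, k2 ^ b, k3 ^ b) for a in (0, TOP) for b in (0, TOP)]

def dm_compress(h, m):
    """Davies-Meyer step: the 128-bit message block m is used as the TEA key."""
    c0, c1 = tea_encrypt(h, m)
    return c0 ^ h[0], c1 ^ h[1]

def toy_hash(words, iv=(0x01234567, 0x89ABCDEF)):
    """Unpadded toy hash over 32-bit words (length a multiple of 4)."""
    h = iv
    for i in range(0, len(words), 4):
        h = dm_compress(h, tuple(words[i:i + 4]))
    return h

def colliding_messages(words):
    """All messages obtained by swapping each block for an equivalent key."""
    msgs = [[]]
    for i in range(0, len(words), 4):
        msgs = [m + list(k) for m in msgs for k in equivalent_keys(tuple(words[i:i + 4]))]
    return msgs

if __name__ == "__main__":
    sample = [0x11111111, 0x22222222, 0x33333333, 0x44444444,   # constructed input
              0x55555555, 0x66666666, 0x77777777, 0x88888888]
    msgs = colliding_messages(sample)
    digests = {toy_hash(m) for m in msgs}
    print(len(msgs), "distinct messages ->", len(digests), "digest(s)")
```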