IETF Logo Mail Archive

[Cfrg] Fwd: Hash-Based Key Derivation

David Wagner <daw@cs.berkeley.edu> Wed, 26 October 2005 16:53 UTC

Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EUoX9-0006rK-Kx; Wed, 26 Oct 2005 12:53:51 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EUoX7-0006p6-26 for cfrg@megatron.ietf.org; Wed, 26 Oct 2005 12:53:49 -0400
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id MAA07026 for <cfrg@ietf.org>; Wed, 26 Oct 2005 12:53:32 -0400 (EDT)
Received: from taverner.cs.berkeley.edu ([128.32.168.222]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1EUokJ-0001bY-C1 for cfrg@ietf.org; Wed, 26 Oct 2005 13:07:27 -0400
Received: from taverner.CS.Berkeley.EDU (localhost.localdomain [127.0.0.1]) by taverner.CS.Berkeley.EDU (8.13.1/8.13.1) with ESMTP id j9QGrf0Y024643 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 26 Oct 2005 09:53:41 -0700
Received: (from daw@localhost) by taverner.CS.Berkeley.EDU (8.13.1/8.13.1/Submit) id j9QGrf2W024639; Wed, 26 Oct 2005 09:53:41 -0700
From: David Wagner <daw@cs.berkeley.edu>
Message-Id: <200510261653.j9QGrf2W024639@taverner.CS.Berkeley.EDU>
Subject: [Cfrg] Fwd: Hash-Based Key Derivation
To: cfrg@ietf.org
Date: Wed, 26 Oct 2005 09:53:41 -0700
Secret-Bounce-Tag: 9a029cbee41caf2ca77a77efa3c13981
X-Mailer: ELM [version 2.5 PL6]
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 9182cfff02fae4f1b6e9349e01d62f32
Content-Transfer-Encoding: 7bit
X-BeenThere: cfrg@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: David Wagner <daw-usenet@taverner.CS.Berkeley.EDU>
List-Id: Crypto Forum Research Group <cfrg.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:cfrg@ietf.org>
List-Help: <mailto:cfrg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=subscribe>
Sender: cfrg-bounces@ietf.org
Errors-To: cfrg-bounces@ietf.org

Daniel Brown writes:
>A KDF should be "one-way" [...]
>certain PRFs can fail to be 1-way.

I believe a KDF only needs to be one-way in the sense that given
KDF(K,X) you cannot recover K.  (It does not need to be one-way in
the usual sense: it doesn't matter if given Y=KDF(K,X) you can recover
some other K' s.t. KDF(K',X)=Y, so long as K' reveals nothing about K.)

Assuming that is what you meant, every PRF is one-way in this sense.
If you could recover the key K from F(K,X), then you could distinguish
the PRF from random (just choose some other X' and confirm that on
input K' your oracle responds with F(K,X')).

So this is not an issue: the PRF requirement already implies all the
one-wayness properties that you might want a KDF to have.

>If the PRF is 
>the identity and the secret input is uniform and unpredictable, then the 
>output is indistinguishable (from random), so it seems to be a PRF.

If you mean F(K,X)=K, that's not a PRF.  The attack: Choose X, X'
distinct.  Send X and X' to your oracle, receiving Y and Y'.  If Y=Y',
then your oracle is a F(K,.) oracle; otherwise, your oracle is a random
function.  So you've distinguished F(K,.) from random.

_______________________________________________
Cfrg mailing list
Cfrg@ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg

v2.23.0 | Report a Bug | By Email