Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd)

"D. J. Bernstein" <djb@cr.yp.to> Fri, 28 October 2005 22:15 UTC

Date: Fri, 28 Oct 2005 22:15:39 -0000
Message-ID: <20051028221539.15039.qmail@cr.yp.to>
Automatic-Legal-Notices: See http://cr.yp.to/mailcopyright.html.
From: "D. J. Bernstein" <djb@cr.yp.to>
To: cfrg@ietf.org
Subject: Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd)
References: <200510281711.j9SHBI9f005644@taverner.CS.Berkeley.EDU>

David Wagner writes:
> Another possibility -- which I would have more confidence in at the
> moment -- is to use a block cipher based PRF such as AES-OMAC.

You can turn AES into a hash function by applying, e.g., Luby-Rackoff
plus Miyaguchi-Preneel. Using this hash function to derive keys is then
identical to using AES to derive keys.

Or you can use Whirlpool, a more efficient AES-style hash function.
Using Whirlpool to derive keys isn't exactly the same as applying AES,
but it's based on the same design principles.

In other words, there's no justification for the religious notion that
``encryption functions'' are safe while ``hash functions'' are to be
avoided. Sure, MD5 is a disaster, but 4-round AES is a disaster for the
same reasons. If you want to know whether a primitive is safe, you have
to look at the details of the primitive; the high-level packaging is
almost irrelevant.

---D. J. Bernstein, Professor, Mathematics, Statistics,
and Computer Science, University of Illinois at Chicago

_______________________________________________
Cfrg mailing list
Cfrg@ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg
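The construction Bernstein refers to, as an added illustration that is not part of the original thread and not code from any CFRG participant: the Miyaguchi-Preneel compression function built over AES-128, iterated with Merkle-Damgard strengthening. Miyaguchi-Preneel uses the chaining value as the cipher key, so it needs key length equal to block length; AES-128 satisfies that directly, which is why the Luby-Rackoff widening step he mentions (a Feistel network that doubles the block so the hash output is 256 bits instead of 128) is left out here. The all-zero IV, the padding layout and the function names are this example's own choices, not a standard.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// AES-128 has a 16-byte block and a 16-byte key, so the chaining value can be
// used as the key without any transformation.
const blockSize = aes.BlockSize

// mpCompress is the Miyaguchi-Preneel compression function:
//
//	h_i = E_{h_{i-1}}(m_i) XOR m_i XOR h_{i-1}
//
// The previous chaining value keys the cipher; the message block is the
// plaintext; both are folded back into the output so the step is one-way.
func mpCompress(h, m []byte) ([]byte, error) {
	if len(h) != blockSize || len(m) != blockSize {
		return nil, fmt.Errorf("mpCompress: need %d-byte chaining value and block", blockSize)
	}
	c, err := aes.NewCipher(h) // chaining value as key
	if err != nil {
		return nil, err
	}
	out := make([]byte, blockSize)
	c.Encrypt(out, m)
	for i := range out {
		out[i] ^= m[i] ^ h[i]
	}
	return out, nil
}

// pad applies Merkle-Damgard strengthening: append a 0x80 byte, zero-fill to
// 8 bytes short of a block boundary, then append the message length in bits
// as a big-endian 64-bit integer. Encoding the length prevents trivial
// collisions between messages that differ only in trailing zero padding.
func pad(msg []byte) []byte {
	bitLen := uint64(len(msg)) * 8
	padded := append([]byte{}, msg...)
	padded = append(padded, 0x80)
	for len(padded)%blockSize != blockSize-8 {
		padded = append(padded, 0)
	}
	var lenBytes [8]byte
	binary.BigEndian.PutUint64(lenBytes[:], bitLen)
	return append(padded, lenBytes[:]...)
}

// mpHash iterates mpCompress over the padded message from an all-zero IV
// (a constructed choice for this illustration) and returns the 16-byte digest.
func mpHash(msg []byte) []byte {
	h := make([]byte, blockSize) // IV = 0^128
	padded := pad(msg)
	for i := 0; i < len(padded); i += blockSize {
		next, err := mpCompress(h, padded[i:i+blockSize])
		if err != nil {
			panic(err) // cannot happen: lengths are fixed by construction
		}
		h = next
	}
	return h
}

func main() {
	for _, s := range []string{"", "abc", "The quick brown fox"} {
		fmt.Printf("%-22q %s\n", s, hex.EncodeToString(mpHash([]byte(s))))
	}
}
```

Deriving keys from this hash is, as the message says, just a way of driving AES: every compression step is one AES encryption keyed by the running state. Note that a 128-bit digest only offers about 64 bits of collision resistance, which is exactly the reason for the block-widening step omitted here.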