IETF Logo Mail Archive

RE: [Cfrg] Fwd: Hash-Based Key Derivation

"Simon Blake-Wilson" <sblakewilson@bcisse.com> Tue, 25 October 2005 21:01 UTC

Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EUVuu-0003sc-WC; Tue, 25 Oct 2005 17:01:09 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EUVut-0003pf-Lf for cfrg@megatron.ietf.org; Tue, 25 Oct 2005 17:01:07 -0400
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id RAA13735 for <cfrg@ietf.org>; Tue, 25 Oct 2005 17:00:52 -0400 (EDT)
Received: from 209-204-118-122.sniparpa.net ([209.204.118.122] helo=bcisse.com) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1EUW7t-0001eG-9H for cfrg@ietf.org; Tue, 25 Oct 2005 17:14:35 -0400
Received: from simon (toronto-HSE-ppp4164842.sympatico.ca [70.51.159.198]) by bcisse.com; Tue, 25 Oct 2005 16:59:47 -0400
From: Simon Blake-Wilson <sblakewilson@bcisse.com>
To: 'David Wagner' <daw-usenet@taverner.CS.Berkeley.EDU>, cfrg@ietf.org
Subject: RE: [Cfrg] Fwd: Hash-Based Key Derivation
Date: Tue, 25 Oct 2005 16:59:44 -0400
Message-ID: <030101c5d9a7$075bcdf0$0200a8c0@simon>
MIME-Version: 1.0
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.6626
In-Reply-To: <200510251948.j9PJm1xj018562@taverner.CS.Berkeley.EDU>
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 5d7a7e767f20255fce80fa0b77fb2433
Cc:
X-BeenThere: cfrg@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:cfrg@ietf.org>
List-Help: <mailto:cfrg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============0725762835=="
Sender: cfrg-bounces@ietf.org
Errors-To: cfrg-bounces@ietf.org

Thanks David ... interesting stuff. You clearly have a clear idea of what
you think a KDF does in terms of security, but I guess I'd still like to
see a convincing formal defintion. (I guess this is hard to do since
"convincing" implies that the definition somehow helps convert an insecure
key establishment protocol into a secure one.)

Also if making random oracle model assumptions is OK, then the definition
in the I-D is also likely to be good, isn't it? For example, won't H(S|X)
also be a good KDF if H is assumed to be a random oracle?

Best regards. Simon

> -----Original Message-----
> From: cfrg-bounces@ietf.org [mailto:cfrg-bounces@ietf.org] On
> Behalf Of David Wagner
> Sent: Tuesday, October 25, 2005 3:48 PM
> To: cfrg@ietf.org
> Subject: [Cfrg] Fwd: Hash-Based Key Derivation
>
>
> Simon Blake-Wilson writes:
> >Is there a proof somewhere that pre-hashing then MACing makes a good
> >KDF?
>
> In the random oracle model, it is easy to prove that
> pre-hashing then applying a PRF makes a good PRF.  In other words, let
>     F'(S,X) = F(H(S),X)
> where F is a PRF (when its key-input is uniformly
> distributed) and H is a random oracle.  Then F' is a PRF,
> even when its secret-input S is not uniformly distributed, so
> long as S has sufficient min-entropy.  Finally, the latter is
> all you need to build a good KDF.
>
> _______________________________________________
> Cfrg mailing list
> Cfrg@ietf.org
> https://www1.ietf.org/mailman/listinfo/cfrg
>

_______________________________________________
Cfrg mailing list
Cfrg@ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg

v2.23.0 | Report a Bug | By Email