Re: [Cfrg] Fwd: Hash-Based Key Derivation
Daniel Brown <DBrown@certicom.com> Tue, 25 October 2005 22:45 UTC
Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EUXYL-0003AI-SM; Tue, 25 Oct 2005 18:45:57 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EUXYK-0003AD-GN for cfrg@megatron.ietf.org; Tue, 25 Oct 2005 18:45:56 -0400
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id SAA20271 for <cfrg@ietf.org>; Tue, 25 Oct 2005 18:45:40 -0400 (EDT)
Received: from host50.foretec.com ([65.246.255.50] helo=mx2.foretec.com) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1EUXlM-00051M-QH for cfrg@ietf.org; Tue, 25 Oct 2005 18:59:25 -0400
Received: from ns.ca.certicom.com ([66.48.18.197] helo=mail.ca.certicom.com) by mx2.foretec.com with smtp (Exim 4.24) id 1EUXYF-0004k2-MB for cfrg@ietf.org; Tue, 25 Oct 2005 18:45:51 -0400
Received: from spamfilter.certicom.com (localhost.localdomain [127.0.0.1]) by mail.ca.certicom.com (Postfix) with ESMTP id E74A410182927; Tue, 25 Oct 2005 18:40:47 -0400 (EDT)
Received: from mail.ca.certicom.com ([127.0.0.1]) by spamfilter.certicom.com (storm [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 12337-07; Tue, 25 Oct 2005 18:40:37 -0400 (EDT)
Received: from certicom1.certicom.com (domino1.certicom.com [10.0.1.24]) by mail.ca.certicom.com (Postfix) with ESMTP id 7FFD510182923; Tue, 25 Oct 2005 18:40:37 -0400 (EDT)
In-Reply-To: <200510252139.j9PLdKrj021462@taverner.CS.Berkeley.EDU>
To: David Wagner <daw-usenet@taverner.CS.Berkeley.EDU>
Subject: Re: [Cfrg] Fwd: Hash-Based Key Derivation
MIME-Version: 1.0
X-Mailer: Lotus Notes Release 6.5.1 January 21, 2004
Message-ID: <OF6920E74B.B9F1D7D5-ON852570A5.0078E703-852570A5.007CA309@certicom.com>
From: Daniel Brown <DBrown@certicom.com>
Date: Tue, 25 Oct 2005 18:41:37 -0400
X-MIMETrack: Serialize by Router on Certicom1/Certicom(Release 6.5.4|March 27, 2005) at 10/25/2005 06:41:35 PM, Serialize complete at 10/25/2005 06:41:35 PM
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 2e8fc473f5174be667965460bd5288ba
Cc: cfrg@ietf.org
X-BeenThere: cfrg@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:cfrg@ietf.org>
List-Help: <mailto:cfrg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============2142993860=="
Sender: cfrg-bounces@ietf.org
Errors-To: cfrg-bounces@ietf.org
David Wagner wrote on 10/25/2005 05:39:20 PM: > The random oracle model is a heavyweight tool -- but this is heavyweight > problem. I'm not sure why you feel it is a lightweight problem. Indeed, > there is NO known solution to this problem in the standard model. If you > start with a secret value that is not known to be uniformly distributed, > but is only known to have high min-entropy, then the only (provably secure) > way I know of to get a good key out of it is to use a random oracle. > > (For others who are reading, by 'this problem' I mean the problem of > taking a secret input that is known only to have high min-entropy and > turning it into a pseudorandom value that can be used as a key. A random > oracle solves this problem, as long as we assume that the distribution > that that the secret comes from is efficiently samplable and has high > min-entropy and its distribution is independent of the random oracle.) > I proposed an informal argument to ANSI X9F1, who were dealing this very same issue. I'm not sure if it's rigorous, or even if it is, whether it would be tight enough to give a useful result. * * * * Let H be a collision-resistant hash. (Maybe this is too informal or too unlikely for some people.) Let D be an adversary that defines a distribution S, efficiently sampleable, with some requisite level of min-entropy, such that D has a signficant advantage of distinguishing H(s) from random R, where s is drawn from S and R is a random bit string of the same length as R. Use D in algorithm C that finds a collision in H faster than expected, as follows. Obtain t samples s_1, ..., s_t of S, for a choice of t to be determined, and check for a collision among H(s_1), ..., H(s_t). This sequence is more likely to have a collision a sequence of random bit strings H_1, ..., H_t of length hashlen, for the following reasons. Let T be the set of bit strings of length hashlen, that D reports are from H(s) and not a random string R. The set T is smaller than the set of all bit strings, for otherwise D would always report H(s) and have zero advantage. Because D has a positive advantage the outputs H(s_1), ..., H(s_t) are more likely to be in T, than not. These sample values therefore have some bias towards T, which increases the likelihood of finding a collision compared to random strings. Some examples may illustrate. Suppose that the last bit of H was 0, if given an input from S. Then D could distingish H from random with advantage 1/2. (Computing this as (1/2 + 1/4)*2 - 1, so advantage ranges from 0 to 1.) Algorithm C can finds a collision in H as though the hashlen were one bit shorter. If D is a more powerful distinguisher, then C may be a better collision finder. For example, that the last 10 bits of H are 0 given an input from S, then D has advantage 1 - 2^(10), and collision-resistance of H is 10 bits less than expected. Generally, if D has advantage d, then C finds collisions lg(1-d) bits better than expected. Admittedly, for small d, then this is insignificant. Of course, an adequate amount of min-entropy in S is of course required to make much less likely that there is no collision in the set s_1, ..., s_t than in the set H(s_1),...,H(s_t), for otherwise the collision in the latter set may not be a collision in the hash.
_______________________________________________ Cfrg mailing list Cfrg@ietf.org https://www1.ietf.org/mailman/listinfo/cfrg
- [Cfrg] Fwd: Hash-Based Key Derivation David Wagner
- [Cfrg] Fwd: Hash-Based Key Derivation David Wagner
- [Cfrg] Fwd: Hash-Based Key Derivation David McGrew
- RE: [Cfrg] Fwd: Hash-Based Key Derivation Scott Fluhrer
- RE: [Cfrg] Fwd: Hash-Based Key Derivation Simon Blake-Wilson
- [Cfrg] Fwd: Hash-Based Key Derivation David Wagner
- [Cfrg] Fwd: Hash-Based Key Derivation David Wagner
- RE: [Cfrg] Fwd: Hash-Based Key Derivation Tom Shrimpton
- RE: [Cfrg] Fwd: Hash-Based Key Derivation Simon Blake-Wilson
- RE: [Cfrg] Fwd: Hash-Based Key Derivation Blumenthal, Uri
- RE: [Cfrg] Fwd: Hash-Based Key Derivation Simon Blake-Wilson
- RE: [Cfrg] Fwd: Hash-Based Key Derivation Simon Blake-Wilson
- RE: [Cfrg] Fwd: Hash-Based Key Derivation Scott Fluhrer
- RE: [Cfrg] Fwd: Hash-Based Key Derivation Blumenthal, Uri
- [Cfrg] Fwd: Hash-Based Key Derivation David Wagner
- RE: [Cfrg] Fwd: Hash-Based Key Derivation Tom Shrimpton
- RE: [Cfrg] Fwd: Hash-Based Key Derivation Simon Blake-Wilson
- Re: [Cfrg] Fwd: Hash-Based Key Derivation Daniel Brown
- Re: [Cfrg] Fwd: Hash-Based Key Derivation Paul Hoffman
- RE: [Cfrg] Fwd: Hash-Based Key Derivation Tom Shrimpton
- RE: [Cfrg] Fwd: Hash-Based Key Derivation Simon Blake-Wilson
- Re: [Cfrg] Fwd: Hash-Based Key Derivation D. J. Bernstein
- [Cfrg] Fwd: Hash-Based Key Derivation David Wagner
- [Cfrg] Fwd: Hash-Based Key Derivation David Wagner
- Re: [Cfrg] Fwd: Hash-Based Key Derivation Jack Lloyd
- [Cfrg] Fwd: Hash-Based Key Derivation David Wagner
- [Cfrg] Fwd: Hash-Based Key Derivation David Wagner
- KDF definition and goal [was: [Cfrg] Fwd: Hash-Ba… David McGrew
- [Cfrg] Fwd: Hash-Based Key Derivation David Wagner
- [Cfrg] Fwd: Hash-Based Key Derivation David Wagner
- Re: [Cfrg] Fwd: Hash-Based Key Derivation Daniel Brown
- Re: [Cfrg] Fwd: Hash-Based Key Derivation Jack Lloyd
- Re: KDF definition and goal [was: [Cfrg] Fwd: Has… David McGrew
- Re: [Cfrg] Fwd: Hash-Based Key Derivation Daniel Brown
- Re: [Cfrg] Fwd: Hash-Based Key Derivation Daniel Brown
- [Cfrg] Fwd: Hash-Based Key Derivation David Wagner
- [Cfrg] Fwd: Hash-Based Key Derivation David Wagner
- Re: [Cfrg] Fwd: Hash-Based Key Derivation Daniel Brown
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) Hugo Krawczyk
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) Daniel Brown
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) D. J. Bernstein
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) Hugo Krawczyk
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) Hugo Krawczyk
- [Cfrg] Fwd: Hash-Based Key Derivation (fwd) David Wagner
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) Hugo Krawczyk
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) D. J. Bernstein
- [Cfrg] Fwd: Hash-Based Key Derivation (fwd) David Wagner
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) D. J. Bernstein
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) John Wilkinson
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) Jack Lloyd
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) John Wilkinson
- [Cfrg] Fwd: Hash-Based Key Derivation (fwd) David Wagner
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) John Wilkinson
- [Cfrg] Fwd: Hash-Based Key Derivation (fwd) David Wagner
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) John Wilkinson
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) D. J. Bernstein
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) D. J. Bernstein
- [Cfrg] Fwd: Hash-Based Key Derivation (fwd) David Wagner
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) John Wilkinson
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) D. J. Bernstein