KDF definition and goal [was: [Cfrg] Fwd: Hash-Based Key Derivation]
David Wagner <daw@cs.berkeley.edu> Fri, 28 October 2005 22:04 UTC
Received: from localhost.cnri.reston.va.us ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EVcKh-0001FZ-Is; Fri, 28 Oct 2005 18:04:19 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EVcKe-0001FN-UY for cfrg@megatron.ietf.org; Fri, 28 Oct 2005 18:04:17 -0400
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id SAA22368 for <cfrg@ietf.org>; Fri, 28 Oct 2005 18:04:00 -0400 (EDT)
Received: from taverner.cs.berkeley.edu ([128.32.168.222]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1EVcYI-0006dK-5y for cfrg@ietf.org; Fri, 28 Oct 2005 18:18:23 -0400
Received: from taverner.CS.Berkeley.EDU (localhost.localdomain [127.0.0.1]) by taverner.CS.Berkeley.EDU (8.13.1/8.13.1) with ESMTP id j9SM43eJ013902 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 28 Oct 2005 15:04:03 -0700
Received: (from daw@localhost) by taverner.CS.Berkeley.EDU (8.13.1/8.13.1/Submit) id j9SM43mw013898; Fri, 28 Oct 2005 15:04:03 -0700
From: David Wagner <daw@cs.berkeley.edu>
Message-Id: <200510282204.j9SM43mw013898@taverner.CS.Berkeley.EDU>
Subject: KDF definition and goal [was: [Cfrg] Fwd: Hash-Based Key Derivation]
To: cfrg@ietf.org
Date: Fri, 28 Oct 2005 15:04:03 -0700
Secret-Bounce-Tag: 9a029cbee41caf2ca77a77efa3c13981
X-Mailer: ELM [version 2.5 PL6]
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 69a74e02bbee44ab4f8eafdbcedd94a1
Content-Transfer-Encoding: 7bit
X-BeenThere: cfrg@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: David Wagner <daw-usenet@taverner.CS.Berkeley.EDU>
List-Id: Crypto Forum Research Group <cfrg.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:cfrg@ietf.org>
List-Help: <mailto:cfrg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=subscribe>
Sender: cfrg-bounces@ietf.org
Errors-To: cfrg-bounces@ietf.org
Dan Bernstein writes: >David Wagner writes: >> The hash function also has to be independent of the adversary's choices. > >No, that sort of assumption is always wrong for public hash functions. Exactly my point. I'm saying the assumption is necessary for provable security under the Leftover Hash Lemma; but as you say, the assumption is false for public hash functions. The obvious conclusion: public hash functions are generally incompatible with provable security under the Leftover Hash Lemma. Is there some flaw in this reasoning? >> If you pick and reveal the hash function first, and the adversary chooses >> their values afterwards (and those values are processed with the hash >> function you picked), all bets are off. Did I get that right? > >If you're trying to say that the attacker can perhaps produce non-random >behavior in the secret that he shares with you, that's true. In fact, he >always knows the entire value! But this has no relevance to his attempts >to determine the secret that you share with someone else. That's not what I'm concerned about. I'm not concerned about other sessions; I'm concerned about the very session that the adversary is participating in. Read this: http://www1.ietf.org/mail-archive/web/cfrg/current/msg01095.html That message gives scenarios where everything falls apart, because the adversary can choose some inputs to the KDF that make the session key *for this session* predictable. (One quick example: if the KDF is used to derive a MAC key that is used to authenticate the other party, then spoofing may become possible.) And no, it is not necessarily true that the adversary already knows the entire value of the secret that is supposedly "shared". There are protocols where if both parties are honest, then both parties will know the value of the shared secret -- but it is a security condition that if one participant tries to spoof someone else's identity, then that malicious participant does not learn the value of the "shared" secret. The URL quoted above gives examples. _______________________________________________ Cfrg mailing list Cfrg@ietf.org https://www1.ietf.org/mailman/listinfo/cfrg
- KDF definition and goal [was: [Cfrg] Fwd: Hash-Ba… David Wagner
- Re: KDF definition and goal [was: [Cfrg] Fwd: Has… David McGrew
- KDF definition and goal [was: [Cfrg] Fwd: Hash-Ba… David Wagner
- KDF definition and goal [was: [Cfrg] Fwd: Hash-Ba… David Wagner
- Re: KDF definition and goal [was: [Cfrg] Fwd: Has… D. J. Bernstein
- Re: KDF definition and goal [was: [Cfrg] Fwd: Has… David McGrew
- RE: KDF definition and goal [was: [Cfrg] Fwd: Has… Simon Blake-Wilson
- KDF definition and goal [was: [Cfrg] Fwd: Hash-Ba… David Wagner
- [Cfrg] Re: Extractors/KDF definition and goal csjutla
- KDF definition and goal [was: [Cfrg] Fwd: Hash-Ba… David Wagner
- RE: KDF definition and goal [was: [Cfrg] Fwd: Has… Simon Blake-Wilson
- RE: KDF definition and goal [was: [Cfrg] Fwd: Has… Daniel Brown
- KDF definition and goal [was: [Cfrg] Fwd: Hash-Ba… David Wagner
- KDF definition and goal [was: [Cfrg] Fwd: Hash-Ba… David Wagner
- KDF definition and goal [was: [Cfrg] Fwd: Hash-Ba… David Wagner
- KDF definition and goal [was: [Cfrg] Fwd: Hash-Ba… David Wagner
- Re: KDF definition and goal [was: [Cfrg] Fwd: Has… D. J. Bernstein
- KDF definition and goal [was: [Cfrg] Fwd: Hash-Ba… David Wagner
- Re: KDF definition and goal [was: [Cfrg] Fwd: Has… D. J. Bernstein
- KDF definition and goal [was: [Cfrg] Fwd: Hash-Ba… David Wagner
- Re: KDF definition and goal [was: [Cfrg] Fwd: Has… D. J. Bernstein
- KDF definition and goal [was: [Cfrg] Fwd: Hash-Ba… David Wagner
- Re: KDF definition and goal [was: [Cfrg] Fwd: Has… John Wilkinson
- KDF definition and goal [was: [Cfrg] Fwd: Hash-Ba… David Wagner
- Re: KDF definition and goal [was: [Cfrg] Fwd: Has… D. J. Bernstein
- KDF definition and goal [was: [Cfrg] Fwd: Hash-Ba… David Wagner
- Re: KDF definition and goal [was: [Cfrg] Fwd: Has… canetti