Re: [Cfrg] On using ROs for analyzing randomness extraction functions

John Wilkinson <wilkjohn@gmail.com> Mon, 31 October 2005 18:22 UTC

From: John Wilkinson <wilkjohn@gmail.com>
Subject: Re: [Cfrg] On using ROs for analyzing randomness extraction functions
Date: Mon, 31 Oct 2005 13:22:38 -0500
To: cfrg@ietf.org

On Oct 31, 2005, at 1:10 PM, D. J. Bernstein wrote:

> John Wilkinson writes:
>
>> 2.3) K_i = PRF( UH( R, SV ), i || context )
>> 2.3 seems to be the only one that offers security in the standard
>> model,
>
> You've been misled. That construction does _not_ guarantee secure key
> derivation under standard assumptions.

OK, clearly I'm in way over my head, but isn't that what the
discussion about the Leftover Hash Lemma was about? Doesn't that
lemma guarantee that UH(R,SV) is delta-uniform when R is chosen
independently of SV? And if the output of UH is delta-uniform, then
isn't the PRF secure under standard assumptions? I know this falls
far short of a real proof, but, as I said, I'm in over my head here.

-John

_______________________________________________
Cfrg mailing list
Cfrg@ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg