KDF definition and goal [was: [Cfrg] Fwd: Hash-Based Key Derivation]

David Wagner <daw@cs.berkeley.edu> Tue, 25 October 2005 22:41 UTC

From: David Wagner <daw@cs.berkeley.edu>
Message-Id: <200510252241.j9PMf4LG023342@taverner.CS.Berkeley.EDU>
Subject: KDF definition and goal [was: [Cfrg] Fwd: Hash-Based Key Derivation]
To: cfrg@ietf.org
Date: Tue, 25 Oct 2005 15:41:04 -0700

David McGrew writes:
>Okay, I got carried away and wrote up the following definition and
>goal for a key derivation function (KDF) which seems appropriate and
>also seems amenable to reduction-based security proofs.  Comments welcome.

I'm afraid I don't think this is the right formulation.  Your definition
is only relevant to practice if we assume that our source of secret
inputs has a certain special class of distributions: namely, that some
fixed number of bit positions will be uniformly random and independent
of everything else.  In many settings this is not realistic.

Consider, for example, using a Diffie-Hellman shared secret g^{xy}
as your secret input.  This does not come from your special class of
distributions, since there is no bit position that is independent of
all others.  Thus proving that a candidate KDF meets your definition
will not be sufficient to show that the KDF can be safely used with
Diffie-Hellman shared secrets.  The problem is pervasive and not limited
to Diffie-Hellman.

I gave a competing definition that I find more useful in practice, and
that is easy to achieve in the random oracle model, and that guarantees
the KDF will be secure and useful when applied to any secret input
whose distribution satisfies a few weak conditions (high min-entropy,
independence from the hash, efficiently samplable).  I can spell it out
more precisely if you like, though I don't think there would be anything
especially new or surprising in a more detailed statement.  The only
bad news is that my competing definition seems to require that the KDF
use random oracles, but in my opinion that's not the end of the world.
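As an added illustration that is not part of this message or McGrew's draft, the following Python enumerates a toy Diffie-Hellman group and measures how far g^{xy} mod p is from a uniformly random bit string: the prime, generator and function names are my own constructed choices, and exact fractions are used so the biases are not rounding noise.

```python
from collections import Counter
from fractions import Fraction
import math

# Constructed toy parameters (not from the thread): p = 23 with generator g = 5.
P, G = 23, 5

def is_generator(g, p):
    """True if g has order p-1 in Z_p^* (brute force; toy-sized p only)."""
    return len({pow(g, k, p) for k in range(p - 1)}) == p - 1

def dh_secret_distribution(p, g):
    """Exact distribution of g^{xy} mod p over all exponent pairs x, y in [1, p-1]."""
    counts = Counter()
    for x in range(1, p):
        for y in range(1, p):
            counts[pow(g, x * y, p)] += 1
    total = (p - 1) ** 2
    return {s: Fraction(c, total) for s, c in counts.items()}

def min_entropy(dist):
    """-log2 of the most likely secret; log2(p-1) would mean uniform over the group."""
    return -math.log2(float(max(dist.values())))

def bit_bias(dist, bit):
    """Pr[the given bit of the secret is 1]; a uniform bit string gives exactly 1/2."""
    return sum(pr for s, pr in dist.items() if (s >> bit) & 1)

def quadratic_residue_probability(dist, p):
    """Pr[secret is a quadratic residue mod p]. With a generator g this is 3/4:
    g^{xy} is a non-residue only when both x and y are odd (Euler's criterion)."""
    return sum(pr for s, pr in dist.items() if pow(s, (p - 1) // 2, p) == 1)

if __name__ == "__main__":
    assert is_generator(G, P)
    dist = dh_secret_distribution(P, G)
    print(f"min-entropy {min_entropy(dist):.2f} bits vs log2(p-1) = {math.log2(P - 1):.2f}")
    print(f"Pr[bit 0 = 1] = {float(bit_bias(dist, 0)):.3f}")
    print(f"Pr[quadratic residue] = {quadratic_residue_probability(dist, P)}")
```

The secret still has substantial min-entropy (about 2.9 bits of a possible 4.5 here), which is exactly the "high min-entropy but not uniform" input a KDF must handle; the low bit is biased and the quadratic-residue indicator is fully determined by the parity of x and y.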
