[Cfrg] Fwd: Hash-Based Key Derivation (fwd)

David Wagner <daw@cs.berkeley.edu> Sat, 29 October 2005 16:25 UTC

From: David Wagner <daw@cs.berkeley.edu>
Message-Id: <200510291625.j9TGPFPn007150@taverner.CS.Berkeley.EDU>
Subject: [Cfrg] Fwd: Hash-Based Key Derivation (fwd)
To: cfrg@ietf.org
Date: Sat, 29 Oct 2005 09:25:15 -0700

Dan Bernstein writes:
>David Wagner writes:
>> Dan Bernstein writes:
>> > You can turn AES into a hash function by applying, e.g., Luby-Rackoff
>> > plus Miyaguchi-Preneel. Using this hash function to derive keys is then
>> > identical to using AES to derive keys.
>> Is it?  I don't see it.  AES-OMAC(K,X) is provably secure (as a PRF) assuming
>
>Irrelevant. I said nothing about PRFs. I said that using a particular
>hash function to derive keys is exactly the same as using AES to derive
>keys.

Sure.  I know you said that.  But what you said looked wrong to me,
or at least, I couldn't see any reason why it would be true.  I was
hoping someone would explain.

As far as I can tell, the M-P scheme you mention computes a different
function than the OMAC scheme I described, and they will have different
security properties.  So, I don't know what you mean by "exactly the
same", but it doesn't seem to mean "computes the same outputs" or "secure
under the same assumptions".  If you think differently, I'd welcome an
explanation or elaboration.

_______________________________________________
Cfrg mailing list
Cfrg@ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg
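As an added example (not code from the thread or from either author), the two constructions named in the exchange, evaluated on the same key and input: a Miyaguchi-Preneel hash built directly on AES-128 with the key supplied as a prefix, H(K||X), and AES-OMAC(K, X) in the OMAC1 form standardised as AES-CMAC in RFC 4493. The Luby-Rackoff step from the quoted message is not implemented; Miyaguchi-Preneel is applied straight to AES. The zero IV, the Merkle-Damgard-style padding for the hash and the prefix-key derivation convention are assumptions of this example, and a compact AES-128 is included so the block runs offline. The demo function returns both 16-byte outputs so the reader can see they are different functions of (K, X), which is the narrow point of the reply above.

```python
# Added example (not from the thread): Miyaguchi-Preneel hashing over AES-128
# versus AES-OMAC (OMAC1/CMAC, RFC 4493), run on the same key and input.
# A compact AES-128 is included so the block runs offline with no dependencies.
import struct


def _rotl8(b, k):
    return ((b << k) | (b >> (8 - k))) & 0xFF


def _gen_sbox():
    # AES S-box: GF(2^8) inverse then the affine map, walking GF(2^8)* via generator 3.
    sbox = [0] * 256
    p = q = 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF   # p = p * 3
        q ^= q << 1; q ^= q << 2; q ^= q << 4; q &= 0xFF         # q = q / 3
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox


SBOX = _gen_sbox()


def _xtime(a):
    return ((a << 1) ^ (0x1B if a & 0x80 else 0)) & 0xFF


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _expand_key(key):
    # AES-128 key schedule: 44 words -> 11 round keys of 16 bytes (column-major).
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]      # SubWord(RotWord(t))
            t[0] ^= rcon
            rcon = _xtime(rcon)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]


def aes128_encrypt(key: bytes, block: bytes) -> bytes:
    rk = _expand_key(key)
    s = [b ^ k for b, k in zip(block, rk[0])]                                 # AddRoundKey
    for rnd in range(1, 11):
        s = [SBOX[b] for b in s]                                              # SubBytes
        s = [s[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]    # ShiftRows
        if rnd != 10:                                                         # MixColumns
            out = []
            for c in range(4):
                a = s[4 * c:4 * c + 4]
                t = a[0] ^ a[1] ^ a[2] ^ a[3]
                out += [a[i] ^ t ^ _xtime(a[i] ^ a[(i + 1) % 4]) for i in range(4)]
            s = out
        s = [b ^ k for b, k in zip(s, rk[rnd])]                               # AddRoundKey
    return bytes(s)


def mp_hash(msg: bytes, iv: bytes = bytes(16)) -> bytes:
    # Miyaguchi-Preneel over AES-128: H_i = E_{H_{i-1}}(m_i) ^ m_i ^ H_{i-1}.
    # Padding is an assumption of this example: 0x80, zeros, 64-bit message bit length.
    padded = msg + b"\x80"
    padded += bytes((-len(padded) - 8) % 16) + struct.pack(">Q", 8 * len(msg))
    h = iv
    for i in range(0, len(padded), 16):
        m = padded[i:i + 16]
        h = _xor(_xor(aes128_encrypt(h, m), m), h)
    return h


def _dbl(block: bytes) -> bytes:
    # Doubling in GF(2^128) for the OMAC1/CMAC subkeys (RFC 4493, constant 0x87).
    n = int.from_bytes(block, "big") << 1
    if n >> 128:
        n = (n & ((1 << 128) - 1)) ^ 0x87
    return n.to_bytes(16, "big")


def aes_omac(key: bytes, msg: bytes) -> bytes:
    # OMAC1 / AES-CMAC: CBC-MAC whose last block is masked with K1 (full) or K2 (padded).
    k1 = _dbl(aes128_encrypt(key, bytes(16)))
    k2 = _dbl(k1)
    if msg and len(msg) % 16 == 0:
        blocks, last_mask = msg, k1
    else:
        blocks, last_mask = msg + b"\x80" + bytes((-len(msg) - 1) % 16), k2
    x = bytes(16)
    for i in range(0, len(blocks), 16):
        b = blocks[i:i + 16]
        if i + 16 == len(blocks):
            b = _xor(b, last_mask)
        x = aes128_encrypt(key, _xor(x, b))
    return x


def derive_both(key: bytes, label: bytes):
    # Derive a 16-byte key both ways; same (key, label) in, two different outputs out.
    return mp_hash(key + label), aes_omac(key, label)


if __name__ == "__main__":
    K = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # RFC 4493 test key
    X = b"constructed label: session key 1"                  # constructed input
    h, t = derive_both(K, X)
    print("MP-hash(K||X) :", h.hex())
    print("AES-OMAC(K, X):", t.hex())
    print("identical?    :", h == t)
```

Run as a script it prints the two derived values and `identical? : False`. The AES core is checked against the FIPS-197 vector and the OMAC path against the RFC 4493 AES-CMAC examples; the Miyaguchi-Preneel output has no published vector under the padding assumed here, so it is only checked for length and for depending on its input.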