Re: KDF definition and goal [was: [Cfrg] Fwd: Hash-Based Key Derivation]
David McGrew <mcgrew@cisco.com> Wed, 26 October 2005 13:20 UTC
Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EUlCV-0002xb-Tj; Wed, 26 Oct 2005 09:20:19 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EUlCT-0002or-V6 for cfrg@megatron.ietf.org; Wed, 26 Oct 2005 09:20:17 -0400
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id JAA19091 for <cfrg@ietf.org>; Wed, 26 Oct 2005 09:20:02 -0400 (EDT)
Received: from sj-iport-5.cisco.com ([171.68.10.87]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1EUlPc-0001Nj-KL for cfrg@ietf.org; Wed, 26 Oct 2005 09:33:54 -0400
Received: from sj-core-3.cisco.com ([171.68.223.137]) by sj-iport-5.cisco.com with ESMTP; 26 Oct 2005 06:20:07 -0700
X-IronPort-AV: i="3.97,253,1125903600"; d="scan'208"; a="224073152:sNHT26277640"
Received: from xbh-sjc-211.amer.cisco.com (xbh-sjc-211.cisco.com [171.70.151.144]) by sj-core-3.cisco.com (8.12.10/8.12.6) with ESMTP id j9QDJr8q029642; Wed, 26 Oct 2005 06:20:00 -0700 (PDT)
Received: from xfe-sjc-211.amer.cisco.com ([171.70.151.174]) by xbh-sjc-211.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.211); Wed, 26 Oct 2005 06:20:03 -0700
Received: from [192.168.1.100] ([10.32.254.212]) by xfe-sjc-211.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.211); Wed, 26 Oct 2005 06:20:02 -0700
In-Reply-To: <200510260025.j9Q0Pdn4026118@taverner.CS.Berkeley.EDU>
References: <200510260025.j9Q0Pdn4026118@taverner.CS.Berkeley.EDU>
Mime-Version: 1.0 (Apple Message framework v734)
Content-Type: text/plain; charset="US-ASCII"; delsp="yes"; format="flowed"
Message-Id: <27010A5C-7C50-468A-A7F3-819D0025EEAE@cisco.com>
Content-Transfer-Encoding: 7bit
From: David McGrew <mcgrew@cisco.com>
Subject: Re: KDF definition and goal [was: [Cfrg] Fwd: Hash-Based Key Derivation]
Date: Wed, 26 Oct 2005 06:20:02 -0700
To: David Wagner <daw-usenet@taverner.CS.Berkeley.EDU>
X-Mailer: Apple Mail (2.734)
X-OriginalArrivalTime: 26 Oct 2005 13:20:03.0063 (UTC) FILETIME=[F94A2070:01C5DA2F]
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 14582b0692e7f70ce7111d04db3781c8
Content-Transfer-Encoding: 7bit
Cc: cfrg@ietf.org
X-BeenThere: cfrg@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:cfrg@ietf.org>
List-Help: <mailto:cfrg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=subscribe>
Sender: cfrg-bounces@ietf.org
Errors-To: cfrg-bounces@ietf.org
Hi David, On Oct 25, 2005, at 5:25 PM, David Wagner wrote: > David Wagner writes: > >>> Sure, the random oracle model and KDFs based on it are well >>> accepted. It would be nice to get something based on a reduction- >>> based proof, though. >>> >> >> I don't see how to get there without the random oracle if we want >> to be general purpose. >> > > Sorry to respond to my own email, but-- > > It just occurred to me that I had a mental block here, and I wrote > too quickly. I think what I said is not correct in full generality. > I believe that techniques from the extractors literature (e.g., the > Leftover Hashing Lemma) can be used to build provably secure KDFs > in the > standard (reduction-based) model, as long as you are willing to put up > with randomized KDFs. It is only deterministic KDF schemes where the > random oracle assumption seems to be necessary. I was hoping this would be the case, though I didn't know enough about extractors. And of course I was hoping to find something deterministic, and AFAICT the extractor-based approach can't provide it. > > The simplest randomized construction is to let UH(.,.) be a 2- > universal > hash, pick R randomly, publish R, and use UH(R,S) as your key, where > S is the secret input. This is a KDF with no auxiliary inputs. If we > wanted auxiliary inputs, presumably we can use F(UH(R,S),X), where > F is > a PRF and X is an auxiliary input. There are 2-universal hashes > that are > provably secure in the standard model, without even needing any > unproven > cryptographic assumptions. This works so long as you have sufficient > min-entropy in S, though you need to set the parameters correctly. > Also, it does end up being wasteful of entropy: if I recall correctly, > you need 2x or 3x times as much entropy as you might naively think, > so in this sense it is much worse than the random oracle scheme. That's interesting; it could potentially harm the utility an extractor-based KDF. Can you point to something in the literature which explains the inefficiency? > > One practical problem with randomized KDFs is that it can be a little > tricky to figure out how to pick R. Agreed, and a KDF wouldn't be very useful if it were difficult to use in protocols. > If two parties want to agree on a > session key, derived using the KDF, they both need the same value > of R. > The obvious thing is to have R be chosen by one party and then sent in > the clear to the other. That works if R was chosen honestly. > However, > if R is chosen maliciously by one of the parties, I think everything > could blow up and all security could be lost. In some settings > there is > only one party, so this might not be an issue. In two-party settings, > there are still things you can do, but it might take some careful > thought > to figure out how to deal with this issue. I agree that caution is needed, but I'm not sure that this is such a problem. If we assume that Alice doesn't reveal a secret key, then it seems safe to assume that she will honestly choose the KDF- randomizer used to derive that key. Has anyone studied this? Seems like a result in either direction (showing a practical use of a randomized KDF, or showing security problems with their use in conventional protocols) would be interesting. > > I'm afraid I'm not a deep expert on the subject of extractors. I know > that there are other subscribers to CFRG who can say more. I hope > they'll chime in. > > But the above practical issues make me think that there are important > advantages to deterministic KDFs, and these advantages are probably > significant enough that it is reasonable to put up with the random > oracle > model in exchange. > Yes, well put. David _______________________________________________ Cfrg mailing list Cfrg@ietf.org https://www1.ietf.org/mailman/listinfo/cfrg
- KDF definition and goal [was: [Cfrg] Fwd: Hash-Ba… David Wagner
- Re: KDF definition and goal [was: [Cfrg] Fwd: Has… David McGrew
- KDF definition and goal [was: [Cfrg] Fwd: Hash-Ba… David Wagner
- KDF definition and goal [was: [Cfrg] Fwd: Hash-Ba… David Wagner
- Re: KDF definition and goal [was: [Cfrg] Fwd: Has… D. J. Bernstein
- Re: KDF definition and goal [was: [Cfrg] Fwd: Has… David McGrew
- RE: KDF definition and goal [was: [Cfrg] Fwd: Has… Simon Blake-Wilson
- KDF definition and goal [was: [Cfrg] Fwd: Hash-Ba… David Wagner
- [Cfrg] Re: Extractors/KDF definition and goal csjutla
- KDF definition and goal [was: [Cfrg] Fwd: Hash-Ba… David Wagner
- RE: KDF definition and goal [was: [Cfrg] Fwd: Has… Simon Blake-Wilson
- RE: KDF definition and goal [was: [Cfrg] Fwd: Has… Daniel Brown
- KDF definition and goal [was: [Cfrg] Fwd: Hash-Ba… David Wagner
- KDF definition and goal [was: [Cfrg] Fwd: Hash-Ba… David Wagner
- KDF definition and goal [was: [Cfrg] Fwd: Hash-Ba… David Wagner
- KDF definition and goal [was: [Cfrg] Fwd: Hash-Ba… David Wagner
- Re: KDF definition and goal [was: [Cfrg] Fwd: Has… D. J. Bernstein
- KDF definition and goal [was: [Cfrg] Fwd: Hash-Ba… David Wagner
- Re: KDF definition and goal [was: [Cfrg] Fwd: Has… D. J. Bernstein
- KDF definition and goal [was: [Cfrg] Fwd: Hash-Ba… David Wagner
- Re: KDF definition and goal [was: [Cfrg] Fwd: Has… D. J. Bernstein
- KDF definition and goal [was: [Cfrg] Fwd: Hash-Ba… David Wagner
- Re: KDF definition and goal [was: [Cfrg] Fwd: Has… John Wilkinson
- KDF definition and goal [was: [Cfrg] Fwd: Hash-Ba… David Wagner
- Re: KDF definition and goal [was: [Cfrg] Fwd: Has… D. J. Bernstein
- KDF definition and goal [was: [Cfrg] Fwd: Hash-Ba… David Wagner
- Re: KDF definition and goal [was: [Cfrg] Fwd: Has… canetti