IETF Logo Mail Archive

Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd)

John Wilkinson <wilkjohn@gmail.com> Sat, 29 October 2005 18:11 UTC

Received: from localhost.cnri.reston.va.us ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EVvAS-0000LB-17; Sat, 29 Oct 2005 14:11:00 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EVvAQ-0000Ks-HH for cfrg@megatron.ietf.org; Sat, 29 Oct 2005 14:10:58 -0400
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id OAA15336 for <cfrg@ietf.org>; Sat, 29 Oct 2005 14:10:40 -0400 (EDT)
Received: from wproxy.gmail.com ([64.233.184.192]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1EVvOD-0002Ko-Jb for cfrg@ietf.org; Sat, 29 Oct 2005 14:25:15 -0400
Received: by wproxy.gmail.com with SMTP id i21so315018wra for <cfrg@ietf.org>; Sat, 29 Oct 2005 11:10:55 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:mime-version:in-reply-to:references:content-type:message-id:content-transfer-encoding:from:subject:date:to:x-mailer; b=epaN+KaMkV7Y5uN38IOl+czprKz2rfFmga20LaON/wviKmqmiFPtF8QsV4cBiPuUIwPduyQAIKSqo9EKdfpqfrxHwnzH4r62o5gP6rLxXPQk0xMLOz/1pH7gibDRTbkIbBm5Nn9cNZo/qiyLCnUxNhHjUc8ygVAw8KVlEbDuX/c=
Received: by 10.65.35.8 with SMTP id n8mr283296qbj; Sat, 29 Oct 2005 11:10:55 -0700 (PDT)
Received: from ?10.0.1.2? ( [141.154.76.225]) by mx.gmail.com with ESMTP id f13sm401847qba.2005.10.29.11.10.54; Sat, 29 Oct 2005 11:10:55 -0700 (PDT)
Mime-Version: 1.0 (Apple Message framework v734)
In-Reply-To: <200510291625.j9TGPFPn007150@taverner.CS.Berkeley.EDU>
References: <200510291625.j9TGPFPn007150@taverner.CS.Berkeley.EDU>
Content-Type: text/plain; charset="US-ASCII"; delsp="yes"; format="flowed"
Message-Id: <39E6645F-CC55-4833-A895-6C6A5027C2E4@gmail.com>
Content-Transfer-Encoding: 7bit
From: John Wilkinson <wilkjohn@gmail.com>
Subject: Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd)
Date: Sat, 29 Oct 2005 14:10:56 -0400
To: cfrg@ietf.org
X-Mailer: Apple Mail (2.734)
X-Spam-Score: 0.2 (/)
X-Scan-Signature: 4b800b1eab964a31702fa68f1ff0e955
Content-Transfer-Encoding: 7bit
X-BeenThere: cfrg@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:cfrg@ietf.org>
List-Help: <mailto:cfrg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=subscribe>
Sender: cfrg-bounces@ietf.org
Errors-To: cfrg-bounces@ietf.org

I suspect that Dr. Bernstein's will claim that the following two  
KDF's are equivalent, from a provable security perspective:

KDF1: Ki = CMAC-AES256(SHA256(x),i), where x is the shared secret,  
SHA256(x) is used as the key to CMAC, and i is a counter used as the  
message input to CMAC.

KDF2: Ki = SHA256(i,x), where i is a counter, x is the shared secret,  
and (i,x) represents the concatenation of i and x.

I suppose he's correct in the sense that for KDF1 we need to assume  
that the output of SHA256(x) is uniformly distributed and random for  
CMAC to retain its proven properties as a PRF. If we're willing to  
assume that SHA256(x) is uniform and random, then I don't see why we  
can't assume that SHA256(i,x) is also uniform and random, in which  
case we might as well use KDF2.

KDF1 may "feel" more secure, but it seems to me to be akin to double  
encrypting with, say, AES and RC6. You might gain some security over  
using AES alone, but it seems an expensive way to do so. I guess it  
all comes down to how much confidence we place in our cryptographic  
primitives, and to what extent we desire to "overengineer" our higher  
level protocols to compensate for any potential weaknesses in the  
primitives.

-John

On Oct 29, 2005, at 12:25 PM, David Wagner wrote:

> Dan Bernstein writes:
>
>> David Wagner writes:
>>
>>> Dan Bernstein writes:
>>>
>>>> You can turn AES into a hash function by applying, e.g., Luby- 
>>>> Rackoff
>>>> plus Miyaguchi-Preneel. Using this hash function to derive keys  
>>>> is then
>>>> identical to using AES to derive keys.
>>>>
>>> Is it?  I don't see it.  AES-OMAC(K,X) is provably secure (as a  
>>> PRF) assuming
>>>
>>
>> Irrelevant. I said nothing about PRFs. I said that using a particular
>> hash function to derive keys is exactly the same as using AES to  
>> derive
>> keys.
>>
>
> Sure.  I know you said that.  But what you said looked wrong to me,
> or at least, I couldn't see any reason why it would be true.  I was
> hoping someone would explain.
>
> As far as I can tell, the M-P scheme you mention computes a different
> function than the OMAC scheme I described, and they will have  
> different
> security properties.  So, I don't know what you mean by "exactly the
> same", but it doesn't seem to mean "computes the same outputs" or  
> "secure
> under the same assumptions".  If you think differently, I'd welcome an
> explanation or elaboration.
>
> _______________________________________________
> Cfrg mailing list
> Cfrg@ietf.org
> https://www1.ietf.org/mailman/listinfo/cfrg
>


_______________________________________________
Cfrg mailing list
Cfrg@ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg

v2.23.0 | Report a Bug | By Email