Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd)
John Wilkinson <wilkjohn@gmail.com> Sat, 29 October 2005 18:11 UTC
Received: from localhost.cnri.reston.va.us ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EVvAS-0000LB-17; Sat, 29 Oct 2005 14:11:00 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EVvAQ-0000Ks-HH for cfrg@megatron.ietf.org; Sat, 29 Oct 2005 14:10:58 -0400
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id OAA15336 for <cfrg@ietf.org>; Sat, 29 Oct 2005 14:10:40 -0400 (EDT)
Received: from wproxy.gmail.com ([64.233.184.192]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1EVvOD-0002Ko-Jb for cfrg@ietf.org; Sat, 29 Oct 2005 14:25:15 -0400
Received: by wproxy.gmail.com with SMTP id i21so315018wra for <cfrg@ietf.org>; Sat, 29 Oct 2005 11:10:55 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:mime-version:in-reply-to:references:content-type:message-id:content-transfer-encoding:from:subject:date:to:x-mailer; b=epaN+KaMkV7Y5uN38IOl+czprKz2rfFmga20LaON/wviKmqmiFPtF8QsV4cBiPuUIwPduyQAIKSqo9EKdfpqfrxHwnzH4r62o5gP6rLxXPQk0xMLOz/1pH7gibDRTbkIbBm5Nn9cNZo/qiyLCnUxNhHjUc8ygVAw8KVlEbDuX/c=
Received: by 10.65.35.8 with SMTP id n8mr283296qbj; Sat, 29 Oct 2005 11:10:55 -0700 (PDT)
Received: from ?10.0.1.2? ( [141.154.76.225]) by mx.gmail.com with ESMTP id f13sm401847qba.2005.10.29.11.10.54; Sat, 29 Oct 2005 11:10:55 -0700 (PDT)
Mime-Version: 1.0 (Apple Message framework v734)
In-Reply-To: <200510291625.j9TGPFPn007150@taverner.CS.Berkeley.EDU>
References: <200510291625.j9TGPFPn007150@taverner.CS.Berkeley.EDU>
Content-Type: text/plain; charset="US-ASCII"; delsp="yes"; format="flowed"
Message-Id: <39E6645F-CC55-4833-A895-6C6A5027C2E4@gmail.com>
Content-Transfer-Encoding: 7bit
From: John Wilkinson <wilkjohn@gmail.com>
Subject: Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd)
Date: Sat, 29 Oct 2005 14:10:56 -0400
To: cfrg@ietf.org
X-Mailer: Apple Mail (2.734)
X-Spam-Score: 0.2 (/)
X-Scan-Signature: 4b800b1eab964a31702fa68f1ff0e955
Content-Transfer-Encoding: 7bit
X-BeenThere: cfrg@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:cfrg@ietf.org>
List-Help: <mailto:cfrg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=subscribe>
Sender: cfrg-bounces@ietf.org
Errors-To: cfrg-bounces@ietf.org
I suspect that Dr. Bernstein's will claim that the following two KDF's are equivalent, from a provable security perspective: KDF1: Ki = CMAC-AES256(SHA256(x),i), where x is the shared secret, SHA256(x) is used as the key to CMAC, and i is a counter used as the message input to CMAC. KDF2: Ki = SHA256(i,x), where i is a counter, x is the shared secret, and (i,x) represents the concatenation of i and x. I suppose he's correct in the sense that for KDF1 we need to assume that the output of SHA256(x) is uniformly distributed and random for CMAC to retain its proven properties as a PRF. If we're willing to assume that SHA256(x) is uniform and random, then I don't see why we can't assume that SHA256(i,x) is also uniform and random, in which case we might as well use KDF2. KDF1 may "feel" more secure, but it seems to me to be akin to double encrypting with, say, AES and RC6. You might gain some security over using AES alone, but it seems an expensive way to do so. I guess it all comes down to how much confidence we place in our cryptographic primitives, and to what extent we desire to "overengineer" our higher level protocols to compensate for any potential weaknesses in the primitives. -John On Oct 29, 2005, at 12:25 PM, David Wagner wrote: > Dan Bernstein writes: > >> David Wagner writes: >> >>> Dan Bernstein writes: >>> >>>> You can turn AES into a hash function by applying, e.g., Luby- >>>> Rackoff >>>> plus Miyaguchi-Preneel. Using this hash function to derive keys >>>> is then >>>> identical to using AES to derive keys. >>>> >>> Is it? I don't see it. AES-OMAC(K,X) is provably secure (as a >>> PRF) assuming >>> >> >> Irrelevant. I said nothing about PRFs. I said that using a particular >> hash function to derive keys is exactly the same as using AES to >> derive >> keys. >> > > Sure. I know you said that. But what you said looked wrong to me, > or at least, I couldn't see any reason why it would be true. I was > hoping someone would explain. > > As far as I can tell, the M-P scheme you mention computes a different > function than the OMAC scheme I described, and they will have > different > security properties. So, I don't know what you mean by "exactly the > same", but it doesn't seem to mean "computes the same outputs" or > "secure > under the same assumptions". If you think differently, I'd welcome an > explanation or elaboration. > > _______________________________________________ > Cfrg mailing list > Cfrg@ietf.org > https://www1.ietf.org/mailman/listinfo/cfrg > _______________________________________________ Cfrg mailing list Cfrg@ietf.org https://www1.ietf.org/mailman/listinfo/cfrg
- [Cfrg] Fwd: Hash-Based Key Derivation David Wagner
- [Cfrg] Fwd: Hash-Based Key Derivation David Wagner
- [Cfrg] Fwd: Hash-Based Key Derivation David McGrew
- RE: [Cfrg] Fwd: Hash-Based Key Derivation Scott Fluhrer
- RE: [Cfrg] Fwd: Hash-Based Key Derivation Simon Blake-Wilson
- [Cfrg] Fwd: Hash-Based Key Derivation David Wagner
- [Cfrg] Fwd: Hash-Based Key Derivation David Wagner
- RE: [Cfrg] Fwd: Hash-Based Key Derivation Tom Shrimpton
- RE: [Cfrg] Fwd: Hash-Based Key Derivation Simon Blake-Wilson
- RE: [Cfrg] Fwd: Hash-Based Key Derivation Blumenthal, Uri
- RE: [Cfrg] Fwd: Hash-Based Key Derivation Simon Blake-Wilson
- RE: [Cfrg] Fwd: Hash-Based Key Derivation Simon Blake-Wilson
- RE: [Cfrg] Fwd: Hash-Based Key Derivation Scott Fluhrer
- RE: [Cfrg] Fwd: Hash-Based Key Derivation Blumenthal, Uri
- [Cfrg] Fwd: Hash-Based Key Derivation David Wagner
- RE: [Cfrg] Fwd: Hash-Based Key Derivation Tom Shrimpton
- RE: [Cfrg] Fwd: Hash-Based Key Derivation Simon Blake-Wilson
- Re: [Cfrg] Fwd: Hash-Based Key Derivation Daniel Brown
- Re: [Cfrg] Fwd: Hash-Based Key Derivation Paul Hoffman
- RE: [Cfrg] Fwd: Hash-Based Key Derivation Tom Shrimpton
- RE: [Cfrg] Fwd: Hash-Based Key Derivation Simon Blake-Wilson
- Re: [Cfrg] Fwd: Hash-Based Key Derivation D. J. Bernstein
- [Cfrg] Fwd: Hash-Based Key Derivation David Wagner
- [Cfrg] Fwd: Hash-Based Key Derivation David Wagner
- Re: [Cfrg] Fwd: Hash-Based Key Derivation Jack Lloyd
- [Cfrg] Fwd: Hash-Based Key Derivation David Wagner
- [Cfrg] Fwd: Hash-Based Key Derivation David Wagner
- KDF definition and goal [was: [Cfrg] Fwd: Hash-Ba… David McGrew
- [Cfrg] Fwd: Hash-Based Key Derivation David Wagner
- [Cfrg] Fwd: Hash-Based Key Derivation David Wagner
- Re: [Cfrg] Fwd: Hash-Based Key Derivation Daniel Brown
- Re: [Cfrg] Fwd: Hash-Based Key Derivation Jack Lloyd
- Re: KDF definition and goal [was: [Cfrg] Fwd: Has… David McGrew
- Re: [Cfrg] Fwd: Hash-Based Key Derivation Daniel Brown
- Re: [Cfrg] Fwd: Hash-Based Key Derivation Daniel Brown
- [Cfrg] Fwd: Hash-Based Key Derivation David Wagner
- [Cfrg] Fwd: Hash-Based Key Derivation David Wagner
- Re: [Cfrg] Fwd: Hash-Based Key Derivation Daniel Brown
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) Hugo Krawczyk
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) Daniel Brown
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) D. J. Bernstein
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) Hugo Krawczyk
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) Hugo Krawczyk
- [Cfrg] Fwd: Hash-Based Key Derivation (fwd) David Wagner
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) Hugo Krawczyk
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) D. J. Bernstein
- [Cfrg] Fwd: Hash-Based Key Derivation (fwd) David Wagner
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) D. J. Bernstein
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) John Wilkinson
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) Jack Lloyd
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) John Wilkinson
- [Cfrg] Fwd: Hash-Based Key Derivation (fwd) David Wagner
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) John Wilkinson
- [Cfrg] Fwd: Hash-Based Key Derivation (fwd) David Wagner
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) John Wilkinson
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) D. J. Bernstein
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) D. J. Bernstein
- [Cfrg] Fwd: Hash-Based Key Derivation (fwd) David Wagner
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) John Wilkinson
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) D. J. Bernstein