Re: [Cfrg] Answers to HKDF questions
Hugo Krawczyk <hugo@ee.technion.ac.il> Thu, 22 October 2009 23:09 UTC
On Wed, Oct 21, 2009 at 11:01 PM, Zooko Wilcox-O'Hearn <zooko@zooko.com> wrote:

> Dear Hugo Krawczyk:
>
> Thank you for the detailed answers. I still have a question about HMAC as
> compared to other MACs. Feel free to point me to existing documents if they
> answer my question. Suppose I were to instantiate HKDF with the keyed PRF
> being a cipher-based MAC such as Poly1305 instead of HMAC. Which of the
> arguments for HKDF's security would still apply?

To answer these questions I need to ask you some questions myself:

Can you explain how you plan to use poly1305 for KDF? Is it as an extractor, or for key expansion, or both? You say as a "keyed PRF": how do you get a PRF out of your MAC, and where does the key to the PRF come from? Are you going to use only the universal hash part of poly1305 or the whole construction? If the latter, where does the key for AES come from?

In general a MAC function does not imply a good KDF. Even a good PRF does not. (If that was the case it would have been much easier to argue that HMAC is a good basis for KDF.)

If you give me more details on what you mean by your "MAC-based KDF" I can try to answer more specifically.

Hugo
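The two roles the reply distinguishes, extraction and key expansion, are shown here with HMAC-SHA256 in the HKDF construction as specified in RFC 5869, making explicit what keys the function at each stage. This is an added example, not code from the thread or its participants; the sample salt, input keying material and `info` labels are constructed.

```python
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """Extract: the salt is the HMAC *key*; the (possibly non-uniform) input
    keying material is the *message*. The salt may be public or absent, so
    this step cannot rely on a secret PRF key."""
    if not salt:
        salt = bytes(HASH_LEN)  # absent salt defaults to HASH_LEN zero bytes
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """Expand: HMAC keyed with the pseudorandom key PRK acts as a PRF.
    T(i) = HMAC(PRK, T(i-1) || info || i); output is T(1) || T(2) || ..."""
    if len(prk) < HASH_LEN:
        raise ValueError("PRK must be at least one hash output long")
    if not 0 < length <= 255 * HASH_LEN:
        raise ValueError("requested length out of range")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf(salt: bytes, ikm: bytes, info: bytes, length: int) -> bytes:
    return hkdf_expand(hkdf_extract(salt, ikm), info, length)


# Constructed sample input (not from the thread).
SAMPLE_IKM = bytes.fromhex("0b" * 22)
SAMPLE_SALT = bytes(range(13))

if __name__ == "__main__":
    prk = hkdf_extract(SAMPLE_SALT, SAMPLE_IKM)
    print("PRK     :", prk.hex())
    print("enc key :", hkdf_expand(prk, b"encryption", 32).hex())
    print("mac key :", hkdf_expand(prk, b"authentication", 32).hex())
```

In the extract step the only key available is the salt, which need not be secret; the expand step is the one that uses a secret, uniformly distributed key.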