Re: KDF definition and goal [was: [Cfrg] Fwd: Hash-Based Key Derivation]

David McGrew <mcgrew@cisco.com> Wed, 26 October 2005 13:41 UTC

Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EUlX8-0007Ex-9L; Wed, 26 Oct 2005 09:41:38 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EUlX6-0007Bt-9B for cfrg@megatron.ietf.org; Wed, 26 Oct 2005 09:41:36 -0400
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id JAA20087 for <cfrg@ietf.org>; Wed, 26 Oct 2005 09:41:21 -0400 (EDT)
Received: from sj-iport-1-in.cisco.com ([171.71.176.70] helo=sj-iport-1.cisco.com) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1EUlkH-0001xQ-04 for cfrg@ietf.org; Wed, 26 Oct 2005 09:55:13 -0400
Received: from sj-core-1.cisco.com ([171.71.177.237]) by sj-iport-1.cisco.com with ESMTP; 26 Oct 2005 06:41:27 -0700
X-IronPort-AV: i="3.97,253,1125903600"; d="scan'208"; a="669395624:sNHT25931888"
Received: from xbh-sjc-211.amer.cisco.com (xbh-sjc-211.cisco.com [171.70.151.144]) by sj-core-1.cisco.com (8.12.10/8.12.6) with ESMTP id j9QDeivB019204 for <cfrg@ietf.org>; Wed, 26 Oct 2005 06:41:25 -0700 (PDT)
Received: from xfe-sjc-211.amer.cisco.com ([171.70.151.174]) by xbh-sjc-211.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.211); Wed, 26 Oct 2005 06:41:21 -0700
Received: from [192.168.1.100] ([10.32.254.212]) by xfe-sjc-211.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.211); Wed, 26 Oct 2005 06:41:20 -0700
In-Reply-To: <BF6F14C4-1D41-45F1-8E97-926AC3E5F96A@cisco.com>
References: <01ad01c5d99a$bbe11ad0$0200a8c0@simon> <BF6F14C4-1D41-45F1-8E97-926AC3E5F96A@cisco.com>
Mime-Version: 1.0 (Apple Message framework v734)
X-Priority: 3 (Normal)
Content-Type: text/plain; charset="US-ASCII"; delsp="yes"; format="flowed"
Message-Id: <558CA1A4-C430-4678-A5CE-B43B009A5B68@cisco.com>
Content-Transfer-Encoding: 7bit
From: David McGrew <mcgrew@cisco.com>
Subject: Re: KDF definition and goal [was: [Cfrg] Fwd: Hash-Based Key Derivation]
Date: Wed, 26 Oct 2005 06:41:19 -0700
To: cfrg@ietf.org
X-Mailer: Apple Mail (2.734)
X-OriginalArrivalTime: 26 Oct 2005 13:41:21.0071 (UTC) FILETIME=[F30AABF0:01C5DA32]
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 856eb5f76e7a34990d1d457d8e8e5b7f
Content-Transfer-Encoding: 7bit
X-BeenThere: cfrg@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:cfrg@ietf.org>
List-Help: <mailto:cfrg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=subscribe>
Sender: cfrg-bounces@ietf.org
Errors-To: cfrg-bounces@ietf.org

On Oct 25, 2005, at 3:04 PM, David McGrew wrote:
>
> Here's a challenge for the day: design a KDF that provably meets
> this security goal, based on a PRP and/or collision-resistant hash.

To continue the tradition of replying to one's own email, here's a better challenge: show a KDF design that's secure in the random oracle model, but which is not secure in the reduction-based model.

Here's an idea of how to do it: assume a conventional hash-based KDF, and then assume that the hash h(R || M) is distinguishable from a random function with advantage A(q) after q queries, with R unknown and fixed and M chosen.  Then for some value of q, the KDF isn't secure in the reduction-based model, but of course it is still secure in the random oracle model.  (Yeah, I know it's contrived ;-)

David
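A worked illustration of the separation sketched above, added here as an example; it is not part of David McGrew's message or of any CFRG draft. The "conventional hash-based KDF" is assumed to be counter mode, K = h(R || ctr || context), which the message does not specify. The flawed hash is constructed: SHA-256 with the low bit of the last byte forced to zero. In the random oracle model that hash is modelled as ideal, so an ROM proof says nothing about the defect; in the reduction-based model the KDF inherits the hash's PRF-distinguishing advantage, which here is exactly A(q) = 1 - 2^-q after q queries, and so exceeds any fixed bound once q is large enough. The functions `hash_kdf`, `low_bit_distinguisher` and `estimate_advantage` are names chosen for this example.

```python
import hashlib
import secrets

OUT_LEN = 32  # SHA-256 digest length


def sha256(data: bytes) -> bytes:
    """The 'good' hash: plain SHA-256."""
    return hashlib.sha256(data).digest()


def biased_hash(data: bytes) -> bytes:
    """Constructed, deliberately flawed hash for the example: SHA-256 with the
    low bit of the final byte cleared. Every output has that bit equal to 0,
    so q outputs reveal the bias with probability 1 while a random function
    shows the same pattern with probability 2^-q."""
    d = bytearray(hashlib.sha256(data).digest())
    d[-1] &= 0xFE
    return bytes(d)


def hash_kdf(h, secret: bytes, context: bytes, length: int) -> bytes:
    """Assumed 'conventional hash-based KDF' (counter mode):
    K = h(R || ctr || context) for ctr = 1, 2, ..., truncated to `length`."""
    out = b""
    ctr = 1
    while len(out) < length:
        out += h(secret + ctr.to_bytes(4, "big") + context)
        ctr += 1
    return out[:length]


def low_bit_distinguisher(query, q: int) -> bool:
    """Adversary with q chosen-message queries (M chosen, R fixed and unknown).
    Outputs True ('this is the KDF') iff every derived key ends in a 0 bit."""
    for i in range(q):
        key = query(b"label-%d" % i)
        if key[-1] & 1:
            return False
    return True


def estimate_advantage(h, q: int, trials: int = 200) -> float:
    """Empirical PRF-distinguishing advantage of the low-bit distinguisher
    against hash_kdf built on `h`:
        Pr[D=1 | real KDF, random secret R] - Pr[D=1 | truly random function]."""
    real_hits = 0
    rand_hits = 0
    for _ in range(trials):
        secret_r = secrets.token_bytes(32)  # R: fixed for the game, unknown to D
        real_hits += low_bit_distinguisher(
            lambda ctx: hash_kdf(h, secret_r, ctx, OUT_LEN), q)

        table = {}  # lazily sampled random function, the ideal the KDF is compared to

        def random_function(ctx):
            if ctx not in table:
                table[ctx] = secrets.token_bytes(OUT_LEN)
            return table[ctx]

        rand_hits += low_bit_distinguisher(random_function, q)
    return real_hits / trials - rand_hits / trials


def exact_bias_advantage(q: int) -> float:
    """Closed form of A(q) for the biased hash: the distinguisher always says
    'KDF' on the real KDF and says 'KDF' on a random function only when all q
    low bits happen to be 0."""
    return 1.0 - 2.0 ** (-q)


if __name__ == "__main__":
    for q in (1, 4, 8):
        print(f"q={q}: biased-hash KDF advantage ~ {estimate_advantage(biased_hash, q):.3f} "
              f"(exact {exact_bias_advantage(q):.3f}); "
              f"SHA-256 KDF advantage ~ {estimate_advantage(sha256, q):+.3f}")
```

Running the block shows the advantage against the biased-hash KDF climbing towards 1 as q grows while the SHA-256 KDF stays near 0, which is the "for some value of q" in the message: the reduction-based claim fails at the q where A(q) crosses the bound the proof needs, even though nothing in the ROM argument changed.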

_______________________________________________
Cfrg mailing list
Cfrg@ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg