Re: [Cfrg] [TLS] NIST crypto group and HKDF (and therefore TLS 1.3)

"Dang, Quynh H. (Fed)" <> Thu, 14 May 2020 17:46 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 782D33A0CBD for <>; Thu, 14 May 2020 10:46:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.274
X-Spam-Status: No, score=-2.274 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.173, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FROM_GOV_DKIM_AU=-0.001, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 9VMttUdonukj for <>; Thu, 14 May 2020 10:46:37 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 9DE7A3A0C7E for <>; Thu, 14 May 2020 10:46:25 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901;; cv=none; b=DfvaBKH4miwjcSUQ/lZ9O5Uq7IVHb2ZTUvsUW5gJWupBgmJBV99xIki6JVfoCtfDhMLB1puBTAT9vp9eoBSGJJFLjxY2c0nCf9SQw6HMSEDnF14n+1CjhRzc3Ss/NsauOx3dDb1Zx35E8mupkN7DsT8yw8EEOnN4MMtfcLyyGcKqwPbHLKSzkARq7Sqa2o4mucFfmYxjIlRFKwKazQYWUUHs6Sya3mfakcgLqtQJNXN73N+ReEgm5iwdA9/21T+w2SOp07I8/0YQSf8fEnwINqqFgUhCYU+2MWjYNxTUdjO/GvchAdXJ0wEw13F4dhJX7/EfKGJ9J2T9imHT7tyH0w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed;; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=pndIG9PCPB/ZNhcJ9LcqRJ9Tf+6n59chjkatzQTOEXY=; b=I4sKIsELwyKYsVSZjw5gG/D7Oe205vHE9xZdcBfP+HsOYoZxTcXptz/SqYJ5JC11VYoXJ7i4KC+10LqIjtTlBKJyNXq1BwI1LH9GI/Kh0X8GFK7ivEp/QuQZ0pLD0kngD0tzrN6sIY5h+AQIztA8+pxdVc5o0QivLqz1AX31GxPB6Sf75IXuyW2nEjAZbly3++p9es106dEdPJimFVqQCJVhhJ33Y57D7qu5iRo2iL3esuZhXpJxEu/4of6svO1yCJjdPRv5TVZHFAZjTt3FvvzSlX/5hFtbyaP+bw/06pG4rNxaQhDRvGCBfeSAeAQQGSIwjzkTRJcwuEzbzYyMZw==
ARC-Authentication-Results: i=1; 1; spf=pass; dmarc=pass action=none; dkim=pass; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=pndIG9PCPB/ZNhcJ9LcqRJ9Tf+6n59chjkatzQTOEXY=; b=HQDZT8i19iSMgRoNnLBKGIalKdobBjaXuNY/nxZaCyCkMzNMTubcw0U1704wQJC3eTnhACqwtM6uV6jF5wGkGzxuLj6OJffzgrlaZPIaupitt0gBr+bM1zWaLQFMwTCvfKK7famD6KxREOLMgSAenSyoEKay/PCsKQ1xE5TSr0A=
Received: from (2603:10b6:a03:24b::12) by (2603:10b6:a03:246::19) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3000.26; Thu, 14 May 2020 17:46:23 +0000
Received: from ([fe80::91d8:62e0:40e6:15e]) by ([fe80::91d8:62e0:40e6:15e%2]) with mapi id 15.20.3000.016; Thu, 14 May 2020 17:46:23 +0000
From: "Dang, Quynh H. (Fed)" <>
To: "Blumenthal, Uri - 0553 - MITLL" <>, Hugo Krawczyk <>
CC: "" <>
Thread-Topic: [Cfrg] [TLS] NIST crypto group and HKDF (and therefore TLS 1.3)
Thread-Index: AQHWKhCkJdy/0/JoW0SbM89Z2V1tjw==
Date: Thu, 14 May 2020 17:46:23 +0000
Message-ID: <>
Accept-Language: en-US
Content-Language: en-US
authentication-results:; dkim=none (message not signed) header.d=none;; dmarc=none action=none;
x-originating-ip: []
x-ms-publictraffictype: Email
x-ms-office365-filtering-ht: Tenant
x-ms-office365-filtering-correlation-id: 30d659b9-b346-4e97-f805-08d7f82eb7c8
x-ms-traffictypediagnostic: BY5PR09MB5940:
x-microsoft-antispam-prvs: <>
x-ms-oob-tlc-oobclassifiers: OLM:9508;
x-forefront-prvs: 040359335D
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: WPmEUYC2FwXyBC8R5okL046oDsDMzj9A3WlPfz222E/7U8tO7aAPrKGFMtiTiD9udP8Zt2EKxB93dndw4Kiy4LI/LgRi923ZuQDFw7Gs72X5NDyRIuvu8ZJE+khdusgyF2GXtJhbSfI3IwEsM7pUkklFeeVkAe/IHrqKm82Y19s4yge9VHhLBmyNFh5L6THp7MhFkOJLHn9kCMKXe05vXDGu0GiXBwUCsBtHsBe3XiOb0BDR/Er0X47NczBiTGoZuAF4+yC2ohbE7ZnMI7rOiEgY/bfYisDgypMJo8s7yXyOjttHOVsB+nRJC4pkP3rsznp8VbVIsu3Wh4DBCkzmPb0xO9MvDhihhd1Ef+qukUTE6FzPzu/H6TtWy5ATytVK1s1tr3ho/Jj2HSjwLv0U0KmikXX1DRi1uZD0kODPL41ov8J6KNnw2j+SJ6n/Gv5P
x-forefront-antispam-report: CIP:; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM;; PTR:; CAT:NONE; SFTY:; SFS:(396003)(39860400002)(346002)(136003)(366004)(376002)(6506007)(53546011)(86362001)(7696005)(8936002)(71200400001)(5660300002)(52536014)(26005)(186003)(19627405001)(478600001)(33656002)(8676002)(55016002)(2906002)(4326008)(9686003)(76116006)(66946007)(91956017)(66556008)(66446008)(66476007)(64756008)(316002)(110136005); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata: ryK7MnNnzHa9hXBQmwzH8ywShAwxzwb9nLrzmP0Tw2tzhbfU3uWsZVdwI4yo/GYxPP3MQ/EwWneZjdBpJgpoyGvZtGXEeY5Pcwnp9GzbN6zsydAiCqFJsqHgt53VrshNVY5MtodjZfabJEHI1kBCenE2P2W0l7Up29fpADiCjkr+MOBcDq66BWle945USt1N4/O/KgkjmFNHRdbAgMTRdyTHcNnPVg013QNoJSr04lt6cXvIEPNRyhsDpuI3Z6v6B5XMNld2+KiY9c19NESUYCnzTYGWemiXJign8mVo54WInCePFIHM/5gaUvs6IIjmcjVkl9wzg20UDLR3zdrLVuB84z1p9E5wDBxdE+aw2yMu7KljiEBmUPs9WVm77Ie3/vJQuzwNzzrBY7ZstqbaDVTSOjeCGtJ7mHyZT+nj27VpZIMGoRyqP271BSG4HcdbrvgLzCIhcl2isov4i018kwfWwEFy624m0r7RnvyxOx7UsWYcJVOg57ZROZO4XtrB
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_BY5PR09MB4755457C1B80CAB64E9B1488F3BC0BY5PR09MB4755namp_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 30d659b9-b346-4e97-f805-08d7f82eb7c8
X-MS-Exchange-CrossTenant-originalarrivaltime: 14 May 2020 17:46:23.0654 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 2ab5d82f-d8fa-4797-a93e-054655c61dec
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: kLgEFysUvaOhJFkp85AzlLX3jEPtUbHQmNTF6I9cxEjZokdSk9Fyy2MFFiW9AMKM
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY5PR09MB5940
Archived-At: <>
Subject: Re: [Cfrg] [TLS] NIST crypto group and HKDF (and therefore TLS 1.3)
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 14 May 2020 17:46:46 -0000

Hi Uri,

Let me elaborate more on what I said by red text inside the message below.

From: Blumenthal, Uri - 0553 - MITLL
Sent: Thursday, May 14, 2020 11:00 AM
To: Hugo Krawczyk; Dang, Quynh H. (Fed)
Subject: Re: [Cfrg] [TLS] NIST crypto group and HKDF (and therefore TLS 1.3)

When the IKM is longer than 1 block, it gets hashed iteratively by the compression function in Merkle-Damgard fashion (the hash function). Then, this hashed result is padded to become a full block, then Xor with opad and ipad (making input blocks are "independent"/different blocks/keys.  One of these Xored values is hashed with the salt, then its result and the other Xored value get hashed one more time by the iterative MD-hash function.

I dont understand why any extraction property that you get from the traditional extraction gets lost by this alternative method.

The only way I know to justify this step in general is to assume the underlying hash function is a RO which is general is not, due to extension attacks.

Can you please explain: what is the significance of extension attacks in this context?

KDF is not a MAC. And while it’s nice to have a construction as generic as possible – sometimes it helps to narrow the applicability scope, because the generic version may be too limiting for that specific use case.

This would make the analysis fully dependent on RO while the analysis of HKDF can use less stringent modeling depending on particular cases.

Thank you. One conclusion I draw form this is – since extension attacks do not seem to apply/matter for the Key Derivation, it is reasonably safe to model the entire hash function as RO. Therefore, the proposed option appears to be safe.

For me, it is less important to stay generic than to be able to employ currently-available commercial HSM. For that use case, modeling hash function (even SHA-2) as RO seems OK.

I don't know how you do that if the only input to the function is an initial hash value of the IKM.

When the IKM is not more than an input block, then each of  the 2 Xored values gets processed by 1 compression function call which is modeled as a RO. I dont understand why this alternative method losses some extraction property from the traditional extraction function.

In this situation, for the final hash function call, the first input block to the compression function is (K0 Xor opad) is treated as a secret input block.  The next (also final) input block to the compression function: (H(K0 Xor ipad || salt) || fixed padding), where fixed padding is half input block (by the hash function) and H(K0 Xor ipad || salt) is a secret half of the input block.  So, the IV to this compression when processing the final hash input block is a secret value and its data input is half secret and half fixed known value. So, a collision attack using length extension does not apply here since half of the input block is unknown. And, it would not make any sense to do length extension attack on the fixed padding (the attacker is interested in finding a MAC for a message which has the prefix being the message (the salt in this case).

One could argue that length extension property might apply to H (K0 Xor ipad) || text) (text is the salt in this case). However, the hash value here is an internal secret value, not available for the attacker.

For the former case, the hash function hashes the key first meaning it absorbs the entropy from the key (or randomizes the key, may be not perfectly) to produce K0. This case should not have less security than the case described in the previous paragraphs because hashing the key first additionally should not hurt security.



When the key is no longer than hash block then you would need to assume what the compression function is a PRF when keyed via a non-uniform key, essentially assuming what you need to prove.

You can go ahead and use the reverse construction as an ad-hoc construction. However, if you want a detailed analysis such as in the case of HKDF , which is careful about lowering cryptographic assumptions, builds on the Merkle Damgard iterations (that are the basis of HMAC as PRF), is based on rich statistical extraction literature of 30+ years,  justifies the use of the function for many different settings (reflected very well in the use of HKDF in practical protocol, cf. TLS 1.3), and provides usage guidance, then I am not sure you can do it with the ad-hoc construction.

At the risk of repeating myself: while I appreciate what you’re explaining here, in my case staying with the lowest theoretic-proven cryptographic assumptions makes stuff undeployable in practice.

I really recommend you read the paper.  As I said at the beginning of this thread, I don't want to convert this into an exposition on HKDF. For that I wrote a full paper

I think I said that I have read that paper (I suspect that Quynh did too), and (in my case) found it targeting a different audience. No offence meant – but if it were more readable, I wouldn’t have to ask my questions here.