IETF Logo Mail Archive

KDF definition and goal [was: [Cfrg] Fwd: Hash-Based Key Derivation]

David Wagner <daw@cs.berkeley.edu> Fri, 28 October 2005 02:30 UTC

Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EVK10-0004s2-GM; Thu, 27 Oct 2005 22:30:46 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EVK0y-0004ru-Cs for cfrg@megatron.ietf.org; Thu, 27 Oct 2005 22:30:44 -0400
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id WAA12634 for <cfrg@ietf.org>; Thu, 27 Oct 2005 22:30:28 -0400 (EDT)
Received: from taverner.cs.berkeley.edu ([128.32.168.222]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1EVKES-00045C-3q for cfrg@ietf.org; Thu, 27 Oct 2005 22:44:40 -0400
Received: from taverner.CS.Berkeley.EDU (localhost.localdomain [127.0.0.1]) by taverner.CS.Berkeley.EDU (8.13.1/8.13.1) with ESMTP id j9S2URfa013010 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 27 Oct 2005 19:30:28 -0700
Received: (from daw@localhost) by taverner.CS.Berkeley.EDU (8.13.1/8.13.1/Submit) id j9S2URI9013006; Thu, 27 Oct 2005 19:30:27 -0700
From: David Wagner <daw@cs.berkeley.edu>
Message-Id: <200510280230.j9S2URI9013006@taverner.CS.Berkeley.EDU>
Subject: KDF definition and goal [was: [Cfrg] Fwd: Hash-Based Key Derivation]
To: cfrg@ietf.org
Date: Thu, 27 Oct 2005 19:30:27 -0700
Secret-Bounce-Tag: 9a029cbee41caf2ca77a77efa3c13981
X-Mailer: ELM [version 2.5 PL6]
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 7655788c23eb79e336f5f8ba8bce7906
Content-Transfer-Encoding: 7bit
X-BeenThere: cfrg@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: David Wagner <daw-usenet@taverner.CS.Berkeley.EDU>
List-Id: Crypto Forum Research Group <cfrg.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:cfrg@ietf.org>
List-Help: <mailto:cfrg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=subscribe>
Sender: cfrg-bounces@ietf.org
Errors-To: cfrg-bounces@ietf.org

David McGrew writes:
>On Oct 25, 2005, at 5:25 PM, David Wagner wrote:
>> it does end up being wasteful of entropy: if I recall correctly,
>> you need 2x or 3x times as much entropy as you might naively think,
>> so in this sense it is much worse than the random oracle scheme.
>
>That's interesting; it could potentially harm the utility an  
>extractor-based KDF.  Can you point to something in the literature  
>which explains the inefficiency?

My favorite statement of the Leftover Hash Lemma is in Section 4 of
  http://www.cs.utexas.edu/users/diz/pubs/recycle.ps

Basically, the Leftover Hash Lemma says that if H is drawn at random from
a family of 2-universal hash functions with m-bit outputs, and if X is
drawn from a distribution with at least 3m bits of Renyi entropy, then
the random variable (H, H(X)) will be close to the uniform distribution:
in particular, the variation distance from uniform will be at most 1/2^m.
To put it even more roughly, if you want to derive a m-bit key with m bits
of security, then you need your source to come from a distribution with
3m bits of Renyi entropy.  (Note: The Renyi entropy is at least the min
entropy, so it suffices for X to have at least 3m bits of min entropy,
or in other words, that Pr[X=x] <= 2^{-3m} for all x.)

_______________________________________________
Cfrg mailing list
Cfrg@ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg

v2.23.0 | Report a Bug | By Email