IETF Logo Mail Archive

KDF definition and goal [was: [Cfrg] Fwd: Hash-Based Key Derivation]

David Wagner <daw@cs.berkeley.edu> Sun, 30 October 2005 06:12 UTC

Received: from localhost.cnri.reston.va.us ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EW6QX-00024Q-9V; Sun, 30 Oct 2005 01:12:21 -0500
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EW6QW-00024F-1b for cfrg@megatron.ietf.org; Sun, 30 Oct 2005 01:12:20 -0500
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id BAA16403 for <cfrg@ietf.org>; Sun, 30 Oct 2005 01:12:01 -0500 (EST)
Received: from taverner.cs.berkeley.edu ([128.32.168.222]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1EW6eQ-0003US-5C for cfrg@ietf.org; Sun, 30 Oct 2005 01:26:43 -0500
Received: from taverner.CS.Berkeley.EDU (localhost.localdomain [127.0.0.1]) by taverner.CS.Berkeley.EDU (8.13.1/8.13.1) with ESMTP id j9U6C0lu024206 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Sat, 29 Oct 2005 23:12:00 -0700
Received: (from daw@localhost) by taverner.CS.Berkeley.EDU (8.13.1/8.13.1/Submit) id j9U6C0sR024202; Sat, 29 Oct 2005 23:12:00 -0700
From: David Wagner <daw@cs.berkeley.edu>
Message-Id: <200510300612.j9U6C0sR024202@taverner.CS.Berkeley.EDU>
Subject: KDF definition and goal [was: [Cfrg] Fwd: Hash-Based Key Derivation]
To: cfrg@ietf.org
Date: Sat, 29 Oct 2005 23:12:00 -0700
Secret-Bounce-Tag: 9a029cbee41caf2ca77a77efa3c13981
X-Mailer: ELM [version 2.5 PL6]
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Spam-Score: 0.0 (/)
X-Scan-Signature: a7d6aff76b15f3f56fcb94490e1052e4
Content-Transfer-Encoding: 7bit
X-BeenThere: cfrg@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: David Wagner <daw-usenet@taverner.CS.Berkeley.EDU>
List-Id: Crypto Forum Research Group <cfrg.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:cfrg@ietf.org>
List-Help: <mailto:cfrg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=subscribe>
Sender: cfrg-bounces@ietf.org
Errors-To: cfrg-bounces@ietf.org

Dan Bernstein writes:
>Here's the standard example. The legitimate users exchange authenticated
>public keys g^x and g^y, and an independent authenticated random H. They
>compute the Diffie-Hellman shared secret g^xy and a short hash H(g^xy).
>If the attacker can't distinguish g^xy from a uniform random group
>element then, by the leftover-hash lemma, the attacker can't distinguish
>H(g^xy) from a uniform random short string.

Ok.  Now I get it.  I see what you're saying, and it makes sense.
That kind of protocol hadn't occurred to me.  (I guess you are assuming
that H is chosen by a party who won't be malicious, which is reasonable.)

Thanks for the detailed explanation.  That was very helpful.

To make a pre-fixed 2-universal hash work in this context, it seems
we need it to be the case that:
  (a) the 2-universal hash function is chosen by a party who is
  known not to be malicious, and its value is authenticated so
  that everyone can know it came from that party; and,
  (b) all inputs to the hash function are chosen by users who are
  known not to be malicious, and are authenticated so that everyone
  can verify that they came from those users.
In this case, a 2-universal hash function fixed in advance will
work (for some choice of security parameters).

It seems that all of these conditions need to hold true if we want
to use the Leftover Hash Lemma.  There are also protocols where these
conditions do not hold, and where a hash function chosen and fixed in
advance is not secure.

So it sounds like 2-universal key derivation has to be used with some
care, and cannot be blindly applied to all protocols.  If we were going
to replace the NIST KDF with a 2-universal based KDF, then we would
probably need some extra precautionary usage notes describing what
conditions the protocol must satisfy.

Is that right?

>There are some serious limitations here, notably the short H output
>length, but the limitations shouldn't be exaggerated.

Yup.  Thank you for your clarifying email.

_______________________________________________
Cfrg mailing list
Cfrg@ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg

v2.23.0 | Report a Bug | By Email