KDF definition and goal [was: [Cfrg] Fwd: Hash-Based Key Derivation]
David Wagner <daw@cs.berkeley.edu> Sun, 30 October 2005 06:12 UTC
Received: from localhost.cnri.reston.va.us ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EW6QX-00024Q-9V; Sun, 30 Oct 2005 01:12:21 -0500
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EW6QW-00024F-1b for cfrg@megatron.ietf.org; Sun, 30 Oct 2005 01:12:20 -0500
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id BAA16403 for <cfrg@ietf.org>; Sun, 30 Oct 2005 01:12:01 -0500 (EST)
Received: from taverner.cs.berkeley.edu ([128.32.168.222]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1EW6eQ-0003US-5C for cfrg@ietf.org; Sun, 30 Oct 2005 01:26:43 -0500
Received: from taverner.CS.Berkeley.EDU (localhost.localdomain [127.0.0.1]) by taverner.CS.Berkeley.EDU (8.13.1/8.13.1) with ESMTP id j9U6C0lu024206 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Sat, 29 Oct 2005 23:12:00 -0700
Received: (from daw@localhost) by taverner.CS.Berkeley.EDU (8.13.1/8.13.1/Submit) id j9U6C0sR024202; Sat, 29 Oct 2005 23:12:00 -0700
From: David Wagner <daw@cs.berkeley.edu>
Message-Id: <200510300612.j9U6C0sR024202@taverner.CS.Berkeley.EDU>
Subject: KDF definition and goal [was: [Cfrg] Fwd: Hash-Based Key Derivation]
To: cfrg@ietf.org
Date: Sat, 29 Oct 2005 23:12:00 -0700
Secret-Bounce-Tag: 9a029cbee41caf2ca77a77efa3c13981
X-Mailer: ELM [version 2.5 PL6]
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Spam-Score: 0.0 (/)
X-Scan-Signature: a7d6aff76b15f3f56fcb94490e1052e4
Content-Transfer-Encoding: 7bit
X-BeenThere: cfrg@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: David Wagner <daw-usenet@taverner.CS.Berkeley.EDU>
List-Id: Crypto Forum Research Group <cfrg.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:cfrg@ietf.org>
List-Help: <mailto:cfrg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=subscribe>
Sender: cfrg-bounces@ietf.org
Errors-To: cfrg-bounces@ietf.org
Dan Bernstein writes: >Here's the standard example. The legitimate users exchange authenticated >public keys g^x and g^y, and an independent authenticated random H. They >compute the Diffie-Hellman shared secret g^xy and a short hash H(g^xy). >If the attacker can't distinguish g^xy from a uniform random group >element then, by the leftover-hash lemma, the attacker can't distinguish >H(g^xy) from a uniform random short string. Ok. Now I get it. I see what you're saying, and it makes sense. That kind of protocol hadn't occurred to me. (I guess you are assuming that H is chosen by a party who won't be malicious, which is reasonable.) Thanks for the detailed explanation. That was very helpful. To make a pre-fixed 2-universal hash work in this context, it seems we need it to be the case that: (a) the 2-universal hash function is chosen by a party who is known not to be malicious, and its value is authenticated so that everyone can know it came from that party; and, (b) all inputs to the hash function are chosen by users who are known not to be malicious, and are authenticated so that everyone can verify that they came from those users. In this case, a 2-universal hash function fixed in advance will work (for some choice of security parameters). It seems that all of these conditions need to hold true if we want to use the Leftover Hash Lemma. There are also protocols where these conditions do not hold, and where a hash function chosen and fixed in advance is not secure. So it sounds like 2-universal key derivation has to be used with some care, and cannot be blindly applied to all protocols. If we were going to replace the NIST KDF with a 2-universal based KDF, then we would probably need some extra precautionary usage notes describing what conditions the protocol must satisfy. Is that right? >There are some serious limitations here, notably the short H output >length, but the limitations shouldn't be exaggerated. Yup. Thank you for your clarifying email. _______________________________________________ Cfrg mailing list Cfrg@ietf.org https://www1.ietf.org/mailman/listinfo/cfrg
- KDF definition and goal [was: [Cfrg] Fwd: Hash-Ba… David Wagner
- Re: KDF definition and goal [was: [Cfrg] Fwd: Has… David McGrew
- KDF definition and goal [was: [Cfrg] Fwd: Hash-Ba… David Wagner
- KDF definition and goal [was: [Cfrg] Fwd: Hash-Ba… David Wagner
- Re: KDF definition and goal [was: [Cfrg] Fwd: Has… D. J. Bernstein
- Re: KDF definition and goal [was: [Cfrg] Fwd: Has… David McGrew
- RE: KDF definition and goal [was: [Cfrg] Fwd: Has… Simon Blake-Wilson
- KDF definition and goal [was: [Cfrg] Fwd: Hash-Ba… David Wagner
- [Cfrg] Re: Extractors/KDF definition and goal csjutla
- KDF definition and goal [was: [Cfrg] Fwd: Hash-Ba… David Wagner
- RE: KDF definition and goal [was: [Cfrg] Fwd: Has… Simon Blake-Wilson
- RE: KDF definition and goal [was: [Cfrg] Fwd: Has… Daniel Brown
- KDF definition and goal [was: [Cfrg] Fwd: Hash-Ba… David Wagner
- KDF definition and goal [was: [Cfrg] Fwd: Hash-Ba… David Wagner
- KDF definition and goal [was: [Cfrg] Fwd: Hash-Ba… David Wagner
- KDF definition and goal [was: [Cfrg] Fwd: Hash-Ba… David Wagner
- Re: KDF definition and goal [was: [Cfrg] Fwd: Has… D. J. Bernstein
- KDF definition and goal [was: [Cfrg] Fwd: Hash-Ba… David Wagner
- Re: KDF definition and goal [was: [Cfrg] Fwd: Has… D. J. Bernstein
- KDF definition and goal [was: [Cfrg] Fwd: Hash-Ba… David Wagner
- Re: KDF definition and goal [was: [Cfrg] Fwd: Has… D. J. Bernstein
- KDF definition and goal [was: [Cfrg] Fwd: Hash-Ba… David Wagner
- Re: KDF definition and goal [was: [Cfrg] Fwd: Has… John Wilkinson
- KDF definition and goal [was: [Cfrg] Fwd: Hash-Ba… David Wagner
- Re: KDF definition and goal [was: [Cfrg] Fwd: Has… D. J. Bernstein
- KDF definition and goal [was: [Cfrg] Fwd: Hash-Ba… David Wagner
- Re: KDF definition and goal [was: [Cfrg] Fwd: Has… canetti