Re: [Cfrg] Answers to HKDF questions
Hugo Krawczyk <hugo@ee.technion.ac.il> Thu, 22 October 2009 23:49 UTC
To: "Blumenthal, Uri" <uri@ll.mit.edu>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>

I do not know what you mean by "better randomizer" so I cannot answer the question.
I can answer why it is a better extractor which is what the whole paper is about.

One result you may want to take a look at is Coron et al. Ref [17] in my paper.
They show something that I use but is not specific to KDFs.
They prove that HMAC (think of it as a mode of operation acting on Merkle-Damgard functions) is random-oracle-preserving, while Merkle-Damgard alone is not (as clearly demonstrated by extension attacks).
You can think of it as an indication that HMAC is a better randomness-preserving function than the plain hash.
Maybe that is what you mean by "better randomizer"?

Hugo

On Thu, Oct 22, 2009 at 7:19 PM, Blumenthal, Uri <uri@ll.mit.edu> wrote:

> Actually one thing I don't think I found in the paper that Hugo referred
> to, was why HMAC-SHA is a better *Randomizer* than SHA. Why HMAC is better
> than say keyed SHA is clear.
>
> Would you care to clarify this?
>
> ------------------------------
> *From*: cfrg-bounces@irtf.org <cfrg-bounces@irtf.org>
> *To*: Zooko Wilcox-O'Hearn <zooko@zooko.com>
> *Cc*: cfrg@irtf.org <cfrg@irtf.org>
> *Sent*: Thu Oct 22 19:09:32 2009
> *Subject*: Re: [Cfrg] Answers to HKDF questions
>
> On Wed, Oct 21, 2009 at 11:01 PM, Zooko Wilcox-O'Hearn <zooko@zooko.com> wrote:
>
>> Dear Hugo Krawczyk:
>>
>> Thank you for the detailed answers. I still have a question about HMAC as
>> compared to other MACs. Feel free to point me to existing documents if they
>> answer my question. Suppose I were to instantiate HKDF with the keyed PRF
>> being a cipher based MAC such as Poly1305 instead of HMAC. Which of the
>> arguments for HKDF's security would still apply?
>>
>
> To answer these questions I need to ask you some questions myself:
>
> Can you explain how do you plan to use poly1305 for KDF.
> Is it as an extractor, or for key expansion or both?
> You say as a "keyed PRF": how do you get a PRF out of your MAC and where
> does the key to the PRF come from?
> Are you going to use only the universal hash part of poly1305 or the whole
> construction?
> If the latter, where does the key for AES come from?
>
> In general a MAC function does not imply a good KDF. Even a good PRF does
> not.
> (If that was the case it would have been much easier to argue that HMAC is
> a good basis for KDF).
>
> If you give me more details on what you mean by your "MAC-based KDF" I can
> try to answer more specifically.
>
> Hugo
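
Added illustration, not part of the original message or of the HKDF paper: the structural difference behind the remark that HMAC is random-oracle-preserving while plain Merkle-Damgard is not. It uses a toy iterated hash; the compression function, IV, block size, function names and all sample values are constructed for this example.

```python
import hashlib

BLOCK = 64      # toy block size in bytes (assumption)
IV = bytes(32)  # toy initial chaining value (assumption)

def compress(state: bytes, block: bytes) -> bytes:
    # Toy compression function: SHA-256 used only as a fixed-input-length mixer.
    return hashlib.sha256(state + block).digest()

def md_pad(total_len: int) -> bytes:
    # Merkle-Damgard strengthening: 0x80, zero fill, 8-byte big-endian bit length.
    zeros = (-(total_len + 9)) % BLOCK
    return b"\x80" + bytes(zeros) + (total_len * 8).to_bytes(8, "big")

def md_hash(msg: bytes, state: bytes = IV, prior_len: int = 0) -> bytes:
    # Plain iterated hash: the digest is the final chaining value itself.
    data = msg + md_pad(prior_len + len(msg))
    for i in range(0, len(data), BLOCK):
        state = compress(state, data[i:i + BLOCK])
    return state

def hmac_md(key: bytes, msg: bytes) -> bytes:
    # HMAC mode over the same toy hash (key no longer than one block assumed).
    k = key.ljust(BLOCK, b"\x00")
    ipad = bytes(b ^ 0x36 for b in k)
    opad = bytes(b ^ 0x5C for b in k)
    return md_hash(opad + md_hash(ipad + msg))

def extend(digest: bytes, orig_len: int, suffix: bytes):
    # Continue the iteration from a published digest, without the original input.
    glue = md_pad(orig_len)
    return glue, md_hash(suffix, state=digest, prior_len=orig_len + len(glue))

def demo():
    key, msg, suffix = b"constructed-key!", b"constructed message", b"constructed suffix"
    # Plain hash over secret || msg: a related output follows from the digest alone,
    # which a random oracle would never allow.
    d = md_hash(key + msg)
    glue, predicted = extend(d, len(key + msg), suffix)
    plain_extends = predicted == md_hash(key + msg + glue + suffix)
    # HMAC: the outer call hides the inner chaining value, so the same step fails.
    t = hmac_md(key, msg)
    inner_len = BLOCK + len(msg)
    _, guess = extend(t, inner_len, suffix)
    hmac_extends = guess == hmac_md(key, msg + md_pad(inner_len) + suffix)
    return plain_extends, hmac_extends

if __name__ == "__main__":
    print(demo())
```
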