Re: [Cfrg] Answers to HKDF questions

Hugo Krawczyk <hugo@ee.technion.ac.il> Thu, 22 October 2009 23:49 UTC

To: "Blumenthal, Uri" <uri@ll.mit.edu>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Answers to HKDF questions

I do not know what you mean by "better randomizer" so I cannot answer the
question.
I can answer why it is a better extractor which is what the whole paper is
about.

One result you may want to take a look at is Coron et al. Ref [17] in my
paper.
They show something that I use but is not specific to KDFs.

They prove that HMAC (think of it as a mode of operation acting on
Merkle-Damgard functions) is random-oracle-preserving, while Merkle-Damgard
alone is not (as clearly demonstrated by extension attacks).

You can think of it as an indication that HMAC is a better
randomness-preserving function than the plain hash.
Maybe that is what you mean by "better randomizer"?

Hugo

On Thu, Oct 22, 2009 at 7:19 PM, Blumenthal, Uri <uri@ll.mit.edu> wrote:

>  Actually, one thing I don't think I found in the paper that Hugo referred
> to was why HMAC-SHA is a better *Randomizer* than SHA. Why HMAC is better
> than, say, keyed SHA is clear.
>
> Would you care to clarify this?
>
> ------------------------------
>  *From*: cfrg-bounces@irtf.org <cfrg-bounces@irtf.org>
> *To*: Zooko Wilcox-O'Hearn <zooko@zooko.com>
> *Cc*: cfrg@irtf.org <cfrg@irtf.org>
> *Sent*: Thu Oct 22 19:09:32 2009
> *Subject*: Re: [Cfrg] Answers to HKDF questions
>
>
>
> On Wed, Oct 21, 2009 at 11:01 PM, Zooko Wilcox-O'Hearn <zooko@zooko.com> wrote:
>
>> Dear Hugo Krawczyk:
>>
>> Thank you for the detailed answers.  I still have a question about HMAC as
>> compared to other MACs.  Feel free to point me to existing documents if they
>> answer my question.  Suppose I were to instantiate HKDF with the keyed PRF
>> being a cipher based MAC such as Poly1305 instead of HMAC.  Which of the
>> arguments for HKDF's security would still apply?
>>
>>
> To answer these questions I need to ask you some questions myself:
>
> Can you explain how you plan to use poly1305 for KDF?
> Is it as an extractor, or for key expansion or both? You say as a "keyed
> PRF": how do you get a PRF out of your MAC and where does the key to the PRF
> come from?
> Are you going to use only the universal hash part of poly1305 or the whole
> construction?
> If the latter, where does the key for AES come from?
>
> In general a MAC function does not imply a good KDF. Even a good PRF does
> not.
> (If that was the case it would have been much easier to argue that HMAC is
> a good basis for KDF).
>
> If you give me more details on what you mean by your "MAC-based KDF" I can
> try to answer more specifically.
>
> Hugo
>
>