Re: [Cfrg] Answers to HKDF questions

David McGrew <mcgrew@cisco.com> Thu, 22 October 2009 11:59 UTC

Message-Id: <F5EF53C3-2037-4EBC-B806-997035F9F14C@cisco.com>
From: David McGrew <mcgrew@cisco.com>
To: Zooko Wilcox-O'Hearn <zooko@zooko.com>
In-Reply-To: <46DFA920-54BF-4567-90AF-6742C8FAA5F2@zooko.com>
Date: Thu, 22 Oct 2009 04:59:58 -0700
References: <e89b43830910211838x2e1ca67cgaf48d02cd4008710@mail.gmail.com> <46DFA920-54BF-4567-90AF-6742C8FAA5F2@zooko.com>
Cc: cfrg@irtf.org, Hugo Krawczyk <hugo@ee.technion.ac.il>
Subject: Re: [Cfrg] Answers to HKDF questions
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg>

Hi Zooko,

On Oct 21, 2009, at 8:01 PM, Zooko Wilcox-O'Hearn wrote:

> Dear Hugo Krawczyk:
>
> Thank you for the detailed answers.  I still have a question about  
> HMAC as compared to other MACs.  Feel free to point me to existing  
> documents if they answer my question.  Suppose I were to instantiate  
> HKDF with the keyed PRF being a cipher based MAC such as Poly1305  
> instead of HMAC.  Which of the arguments for HKDF's security would  
> still apply?
>

HKDF has two stages, extract and expand.  Replacing HMAC in the
extract stage with Poly1305 is not going to work as well as you would
like.  It will have provable security bounds given realistic
assumptions (because universal hash functions like that in Poly1305
can be used as statistical extractors), but to get the security bound
to be as high as you would like will force you to do things very
inefficiently.  To use this instantiation to extract keys from
Diffie-Hellman, for example, would require you to double the size of
the DH keys in order to claim the benefit of the security bound.
Hugo's paper points this out: "Statistical extractors require a
significant gap between the min-entropy m of the source and the
required number m′ of extracted bits (no statistical extractor can
achieve a statistical distance, on arbitrary sources, better than
2^(−(m−m′)/2) [59])".

The use of CBC-MAC as a computational extractor has been studied, and
its security bounds also do not match what we can achieve with
hash-based extractors.

David
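As an added illustration (example code written for this archive page, not code from the thread, from the HKDF draft, or from any of its authors): the HMAC-SHA-256 instantiation of the two HKDF stages described above, plus the arithmetic behind the "double the size of the DH keys" remark. From the quoted bound 2^(−(m−m′)/2), reaching statistical distance 2^−s while extracting m′ bits needs source min-entropy m ≥ m′ + 2s, so extracting a 256-bit key at distance 2^−128 needs 512 bits of min-entropy, twice the output. The function names are my own; the self-check uses test case 1 from RFC 5869 Appendix A. Only the HMAC instantiation is shown; the Poly1305 variant under discussion is not implemented here.

```python
import hashlib
import hmac


def hkdf_extract(salt: bytes, ikm: bytes, hash_name: str = "sha256") -> bytes:
    """Extract stage: PRK = HMAC(salt, IKM).

    Condenses possibly non-uniform input keying material (for example a
    Diffie-Hellman shared secret) into one fixed-length pseudorandom key.
    An empty salt is replaced by HashLen zero bytes, as RFC 5869 specifies.
    """
    hash_len = hashlib.new(hash_name).digest_size
    if not salt:
        salt = b"\x00" * hash_len
    return hmac.new(salt, ikm, hash_name).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int,
                hash_name: str = "sha256") -> bytes:
    """Expand stage: T(i) = HMAC(PRK, T(i-1) || info || i), OKM = T(1) || T(2) || ...

    Stretches the PRK into `length` bytes of output keying material bound to
    the context string `info`.  RFC 5869 caps the output at 255 * HashLen.
    """
    hash_len = hashlib.new(hash_name).digest_size
    if length > 255 * hash_len:
        raise ValueError("HKDF-Expand can produce at most 255 * HashLen bytes")
    okm = b""
    t = b""
    counter = 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([counter]), hash_name).digest()
        okm += t
        counter += 1
    return okm[:length]


def hkdf(salt: bytes, ikm: bytes, info: bytes, length: int,
         hash_name: str = "sha256") -> bytes:
    """Extract-then-expand, the full HKDF construction."""
    return hkdf_expand(hkdf_extract(salt, ikm, hash_name), info, length, hash_name)


def statistical_extractor_min_entropy(extracted_bits: int, security_bits: int) -> int:
    """Min-entropy m a source needs for a *statistical* extractor to output
    m' = extracted_bits at statistical distance at most 2^-security_bits.

    From the bound 2^(-(m - m')/2) <= 2^-s it follows that m >= m' + 2*s.
    This is the cost McGrew refers to: a 256-bit key at 2^-128 distance
    needs 512 bits of min-entropy from the DH secret, twice the output size.
    """
    return extracted_bits + 2 * security_bits


def rfc5869_test_case_1() -> tuple:
    """Inputs of RFC 5869 Appendix A test case 1 (SHA-256); returns (PRK, OKM)."""
    ikm = b"\x0b" * 22
    salt = bytes(range(13))            # 00 01 ... 0c
    info = bytes(range(0xF0, 0xFA))    # f0 f1 ... f9
    prk = hkdf_extract(salt, ikm)
    okm = hkdf_expand(prk, info, 42)
    return prk, okm


if __name__ == "__main__":
    prk, okm = rfc5869_test_case_1()
    print("PRK:", prk.hex())
    print("OKM:", okm.hex())
    print("min-entropy for 256 bits at 2^-128 via a statistical extractor:",
          statistical_extractor_min_entropy(256, 128))
```

The expand stage is the one stage a universal-hash MAC such as Poly1305 cannot fill at all, since a one-time MAC is not a PRF; the extract stage is where McGrew's efficiency objection applies.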