Re: [Cfrg] Answers to HKDF questions

"Blumenthal, Uri" <uri@ll.mit.edu> Thu, 22 October 2009 23:21 UTC

From: "Blumenthal, Uri" <uri@ll.mit.edu>
To: "'hugo@ee.technion.ac.il'" <hugo@ee.technion.ac.il>
Date: Thu, 22 Oct 2009 19:19:49 -0400
Cc: "'cfrg@irtf.org'" <cfrg@irtf.org>
Subject: Re: [Cfrg] Answers to HKDF questions

Actually, one thing I don't think I found in the paper that Hugo referred to was why HMAC-SHA is a better *Randomizer* than SHA. Why HMAC is better than, say, keyed SHA is clear.

Would you care to clarify this?

________________________________
From: cfrg-bounces@irtf.org <cfrg-bounces@irtf.org>
To: Zooko Wilcox-O'Hearn <zooko@zooko.com>
Cc: cfrg@irtf.org <cfrg@irtf.org>
Sent: Thu Oct 22 19:09:32 2009
Subject: Re: [Cfrg] Answers to HKDF questions



On Wed, Oct 21, 2009 at 11:01 PM, Zooko Wilcox-O'Hearn <zooko@zooko.com> wrote:
Dear Hugo Krawczyk:

Thank you for the detailed answers.  I still have a question about HMAC as compared to other MACs.  Feel free to point me to existing documents if they answer my question.  Suppose I were to instantiate HKDF with the keyed PRF being a cipher based MAC such as Poly1305 instead of HMAC.  Which of the arguments for HKDF's security would still apply?


To answer these questions I need to ask you some questions myself:

Can you explain how you plan to use poly1305 for KDF?
Is it as an extractor, or for key expansion or both? You say as a "keyed PRF": how do you get a PRF out of your MAC and where does the key to the PRF come from?
Are you going to use only the universal hash part of poly1305 or the whole construction?
If the latter, where does the key for AES come from?

In general a MAC function does not imply a good KDF. Even a good PRF does not.
(If that was the case it would have been much easier to argue that HMAC is a good basis for KDF).

If you give me more details on what you mean by your "MAC-based KDF" I can try to answer more specifically.

Hugo