IETF Logo Mail Archive

Re: [Cfrg] Fwd: Hash-Based Key Derivation

Daniel Brown <DBrown@certicom.com> Wed, 26 October 2005 15:42 UTC

Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EUnQH-00056k-F2; Wed, 26 Oct 2005 11:42:41 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EUnQF-00056Z-U6 for cfrg@megatron.ietf.org; Wed, 26 Oct 2005 11:42:39 -0400
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA02035 for <cfrg@ietf.org>; Wed, 26 Oct 2005 11:42:24 -0400 (EDT)
Received: from ns.ca.certicom.com ([66.48.18.197] helo=mail.ca.certicom.com) by ietf-mx.ietf.org with smtp (Exim 4.43) id 1EUndR-0007Xc-DJ for cfrg@ietf.org; Wed, 26 Oct 2005 11:56:18 -0400
Received: from spamfilter.certicom.com (localhost.localdomain [127.0.0.1]) by mail.ca.certicom.com (Postfix) with ESMTP id 1FE731018198E; Wed, 26 Oct 2005 11:42:30 -0400 (EDT)
Received: from mail.ca.certicom.com ([127.0.0.1]) by spamfilter.certicom.com (storm [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 22991-48; Wed, 26 Oct 2005 11:42:28 -0400 (EDT)
Received: from certicom1.certicom.com (domino1.certicom.com [10.0.1.24]) by mail.ca.certicom.com (Postfix) with ESMTP id 4D312101813D6; Wed, 26 Oct 2005 11:42:28 -0400 (EDT)
In-Reply-To: <200510252317.j9PNHSRZ024400@taverner.CS.Berkeley.EDU>
To: David Wagner <daw-usenet@taverner.CS.Berkeley.EDU>
Subject: Re: [Cfrg] Fwd: Hash-Based Key Derivation
MIME-Version: 1.0
X-Mailer: Lotus Notes Release 6.5.1 January 21, 2004
Message-ID: <OFB7F1D85D.777D4745-ON852570A6.0054C690-852570A6.00565AD4@certicom.com>
From: Daniel Brown <DBrown@certicom.com>
Date: Wed, 26 Oct 2005 11:43:28 -0400
X-MIMETrack: Serialize by Router on Certicom1/Certicom(Release 6.5.4|March 27, 2005) at 10/26/2005 11:43:25 AM, Serialize complete at 10/26/2005 11:43:25 AM
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 6d95a152022472c7d6cdf886a0424dc6
Cc: cfrg@ietf.org
X-BeenThere: cfrg@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:cfrg@ietf.org>
List-Help: <mailto:cfrg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============0311037303=="
Sender: cfrg-bounces@ietf.org
Errors-To: cfrg-bounces@ietf.org

David Wagner wrote on 10/25/2005 07:17:28 PM:

> Dan Brown writes:
> >Let H be a collision-resistant hash.
> >
> >Let D be an adversary that defines a distribution S, efficiently 
> >sampleable, with some requisite level of min-entropy, such that D has a 

> >signficant advantage of distinguishing H(s) from random R, where s is 
> >drawn from S and R is a random bit string of the same length as R.
> >
> >Use D in algorithm C that finds a collision in H faster than expected, 
[..]
> 
> Unfortunately, this proof doesn't really prove anything.  The flaw
> in the proof is that you failed to account for the time to generate
> samples from S.  Consequently, while D might find a collision, it won't
> necessarily be any faster than expected.

I agree: for my argument to have any chance of saying something 
meaningful, the cost of sampling S is must negligible compared to hashing. 
 Such cheap entropy sources are not necessarily realistic, so the argument 
is very limited in its applicability.  (Your first example, not copied 
here, illustrates the point nicely.)

> 
> Here's another example.  Suppose H(x) = 0^256 || SHA256(x).  Then H
> is collision-resistant, but it's output is useless for generating keys,
> since these keys will not be pseudrorandom.

This H has only 128 bits of collision resistance for an output length of 
512 bits. Recall that my argument was to show that non-pseudorandomness 
implies collision resistance less than half the output length.  This 
example has collision resistance at most one quarter of its output length. 
 In fact, if you plug in the lg(1-d) formula, everyone is as predicted.

* * * 

Aside, if H fails to be collision-resistant (for its length), isn't there 
an argument that it isn't pseudorandom?  I suppose that depends very much 
on the definition of PRF, of course.  But let's say collision-resistance 
fails severely in that hashes of random messages collide signficant sooner 
than random strings.  Then a collision  distinguishes the H output from 
random.    This may need a huge amount of H output, and does not at all 
cover the possibility of custom designed collisions.

_______________________________________________
Cfrg mailing list
Cfrg@ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg

v2.23.0 | Report a Bug | By Email