Re: [Cfrg] Fwd: Hash-Based Key Derivation
Daniel Brown <DBrown@certicom.com> Wed, 26 October 2005 15:22 UTC
Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EUn6H-0006ls-VQ; Wed, 26 Oct 2005 11:22:01 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EUn6G-0006lf-ID for cfrg@megatron.ietf.org; Wed, 26 Oct 2005 11:22:00 -0400
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA00682 for <cfrg@ietf.org>; Wed, 26 Oct 2005 11:21:44 -0400 (EDT)
Received: from ns.ca.certicom.com ([66.48.18.197] helo=mail.ca.certicom.com) by ietf-mx.ietf.org with smtp (Exim 4.43) id 1EUnJQ-0006pc-Ii for cfrg@ietf.org; Wed, 26 Oct 2005 11:35:38 -0400
Received: from spamfilter.certicom.com (localhost.localdomain [127.0.0.1]) by mail.ca.certicom.com (Postfix) with ESMTP id 6304110182958; Wed, 26 Oct 2005 11:21:24 -0400 (EDT)
Received: from mail.ca.certicom.com ([127.0.0.1]) by spamfilter.certicom.com (storm [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 23227-66; Wed, 26 Oct 2005 11:21:12 -0400 (EDT)
Received: from certicom1.certicom.com (domino1.certicom.com [10.0.1.24]) by mail.ca.certicom.com (Postfix) with ESMTP id E28EB10182AB1; Wed, 26 Oct 2005 11:21:12 -0400 (EDT)
In-Reply-To: <200510252220.j9PMKWv9022797@taverner.CS.Berkeley.EDU>
To: David Wagner <daw-usenet@taverner.CS.Berkeley.EDU>
Subject: Re: [Cfrg] Fwd: Hash-Based Key Derivation
MIME-Version: 1.0
X-Mailer: Lotus Notes Release 6.5.1 January 21, 2004
Message-ID: <OF2238E08C.E0EF6740-ON852570A6.00504780-852570A6.005468A2@certicom.com>
From: Daniel Brown <DBrown@certicom.com>
Date: Wed, 26 Oct 2005 11:22:13 -0400
X-MIMETrack: Serialize by Router on Certicom1/Certicom(Release 6.5.4|March 27, 2005) at 10/26/2005 11:22:10 AM, Serialize complete at 10/26/2005 11:22:10 AM
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 825e642946eda55cd9bc654a36dab8c2
Cc: cfrg@ietf.org
X-BeenThere: cfrg@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:cfrg@ietf.org>
List-Help: <mailto:cfrg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============1546310737=="
Sender: cfrg-bounces@ietf.org
Errors-To: cfrg-bounces@ietf.org
David Wagner wrote on 10/25/2005 06:20:32 PM: > Daniel Brown writes: > >David Wagner wrote on 10/25/2005 02:51:58 PM: > >> >> http://www.ietf.org/internet-drafts/draft-dang-nistkdf-00.txt > >> > > >Presumably this is based on two results: (1) HMAC makes a good PRF and (2) > >PRF makes a good KDF. Are there convenient references for such results? > > For (2), I don't understand the question. Isn't a PRF exactly the > obvious and right way of making precise what we expect from a KDF? > I have a suspicion that this may be a question of semantics (i.e., > of what definitions we attach to KDF). So probably before I can answer > whether a PRF makes for something that *you* would call a good PRF, I > should ask you whether you can make precise what you mean by a KDF. > For me, when I say KDF, what I mean is almost exactly that it should > act as a PRF when given secret inputs from some specified distribution(s). > A KDF should be "one-way", at least for some protocols. (For example, see http://eprint.iacr.org/2004/306 or the recent papers on HMQV.) I'm not well-versed in the formal definitions for PRF (not to mention a KDF), but as I see it, certain PRFs can fail to be 1-way. If the PRF is the identity and the secret input is uniform and unpredictable, then the output is indistinguishable (from random), so it seems to be a PRF. I realize that length-expanding PRFs must be 1-way, because otherwise one can recover the input and re-run the PRF to distinguish its output from random. However KDFs may not necessarily be length-expanding, and in fact they are often length-decreasing. This is not at all to say that any of the existing PRF designs are inadequate as a KDFs, (usually the designs have length-expanding options and thus must be one-way). All I'm saying is that there's something's more to the KDF security than pseudorandom output. On the other hand, if the output of KDF is meant to be used as a key in a secure algorithm, how crucial is pseudorandomness, or even 1-wayness, in practical terms? (For protocols that use the KDF output directly, e.g. as a stream cipher, then full pseudorandomness is essential.) If the KDF output goes directly into a AES key or HMAC key, then having a small amount of bias seems relatively harmless. I appreciate the theoretical value: AES is secure with a random key, then AES is secure with a pseudorandom key. I also recall the attacks on ARC4 with the keys have extensive structure (highly non pseudorandom), but am not aware if such attacks are expected for AES, HMAC, etc.
_______________________________________________ Cfrg mailing list Cfrg@ietf.org https://www1.ietf.org/mailman/listinfo/cfrg
- [Cfrg] Fwd: Hash-Based Key Derivation David Wagner
- [Cfrg] Fwd: Hash-Based Key Derivation David Wagner
- [Cfrg] Fwd: Hash-Based Key Derivation David McGrew
- RE: [Cfrg] Fwd: Hash-Based Key Derivation Scott Fluhrer
- RE: [Cfrg] Fwd: Hash-Based Key Derivation Simon Blake-Wilson
- [Cfrg] Fwd: Hash-Based Key Derivation David Wagner
- [Cfrg] Fwd: Hash-Based Key Derivation David Wagner
- RE: [Cfrg] Fwd: Hash-Based Key Derivation Tom Shrimpton
- RE: [Cfrg] Fwd: Hash-Based Key Derivation Simon Blake-Wilson
- RE: [Cfrg] Fwd: Hash-Based Key Derivation Blumenthal, Uri
- RE: [Cfrg] Fwd: Hash-Based Key Derivation Simon Blake-Wilson
- RE: [Cfrg] Fwd: Hash-Based Key Derivation Simon Blake-Wilson
- RE: [Cfrg] Fwd: Hash-Based Key Derivation Scott Fluhrer
- RE: [Cfrg] Fwd: Hash-Based Key Derivation Blumenthal, Uri
- [Cfrg] Fwd: Hash-Based Key Derivation David Wagner
- RE: [Cfrg] Fwd: Hash-Based Key Derivation Tom Shrimpton
- RE: [Cfrg] Fwd: Hash-Based Key Derivation Simon Blake-Wilson
- Re: [Cfrg] Fwd: Hash-Based Key Derivation Daniel Brown
- Re: [Cfrg] Fwd: Hash-Based Key Derivation Paul Hoffman
- RE: [Cfrg] Fwd: Hash-Based Key Derivation Tom Shrimpton
- RE: [Cfrg] Fwd: Hash-Based Key Derivation Simon Blake-Wilson
- Re: [Cfrg] Fwd: Hash-Based Key Derivation D. J. Bernstein
- [Cfrg] Fwd: Hash-Based Key Derivation David Wagner
- [Cfrg] Fwd: Hash-Based Key Derivation David Wagner
- Re: [Cfrg] Fwd: Hash-Based Key Derivation Jack Lloyd
- [Cfrg] Fwd: Hash-Based Key Derivation David Wagner
- [Cfrg] Fwd: Hash-Based Key Derivation David Wagner
- KDF definition and goal [was: [Cfrg] Fwd: Hash-Ba… David McGrew
- [Cfrg] Fwd: Hash-Based Key Derivation David Wagner
- [Cfrg] Fwd: Hash-Based Key Derivation David Wagner
- Re: [Cfrg] Fwd: Hash-Based Key Derivation Daniel Brown
- Re: [Cfrg] Fwd: Hash-Based Key Derivation Jack Lloyd
- Re: KDF definition and goal [was: [Cfrg] Fwd: Has… David McGrew
- Re: [Cfrg] Fwd: Hash-Based Key Derivation Daniel Brown
- Re: [Cfrg] Fwd: Hash-Based Key Derivation Daniel Brown
- [Cfrg] Fwd: Hash-Based Key Derivation David Wagner
- [Cfrg] Fwd: Hash-Based Key Derivation David Wagner
- Re: [Cfrg] Fwd: Hash-Based Key Derivation Daniel Brown
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) Hugo Krawczyk
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) Daniel Brown
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) D. J. Bernstein
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) Hugo Krawczyk
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) Hugo Krawczyk
- [Cfrg] Fwd: Hash-Based Key Derivation (fwd) David Wagner
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) Hugo Krawczyk
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) D. J. Bernstein
- [Cfrg] Fwd: Hash-Based Key Derivation (fwd) David Wagner
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) D. J. Bernstein
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) John Wilkinson
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) Jack Lloyd
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) John Wilkinson
- [Cfrg] Fwd: Hash-Based Key Derivation (fwd) David Wagner
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) John Wilkinson
- [Cfrg] Fwd: Hash-Based Key Derivation (fwd) David Wagner
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) John Wilkinson
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) D. J. Bernstein
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) D. J. Bernstein
- [Cfrg] Fwd: Hash-Based Key Derivation (fwd) David Wagner
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) John Wilkinson
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) D. J. Bernstein