IETF Logo Mail Archive

Re: [Cfrg] Fwd: Hash-Based Key Derivation

Daniel Brown <DBrown@certicom.com> Wed, 26 October 2005 15:22 UTC

Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EUn6H-0006ls-VQ; Wed, 26 Oct 2005 11:22:01 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EUn6G-0006lf-ID for cfrg@megatron.ietf.org; Wed, 26 Oct 2005 11:22:00 -0400
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA00682 for <cfrg@ietf.org>; Wed, 26 Oct 2005 11:21:44 -0400 (EDT)
Received: from ns.ca.certicom.com ([66.48.18.197] helo=mail.ca.certicom.com) by ietf-mx.ietf.org with smtp (Exim 4.43) id 1EUnJQ-0006pc-Ii for cfrg@ietf.org; Wed, 26 Oct 2005 11:35:38 -0400
Received: from spamfilter.certicom.com (localhost.localdomain [127.0.0.1]) by mail.ca.certicom.com (Postfix) with ESMTP id 6304110182958; Wed, 26 Oct 2005 11:21:24 -0400 (EDT)
Received: from mail.ca.certicom.com ([127.0.0.1]) by spamfilter.certicom.com (storm [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 23227-66; Wed, 26 Oct 2005 11:21:12 -0400 (EDT)
Received: from certicom1.certicom.com (domino1.certicom.com [10.0.1.24]) by mail.ca.certicom.com (Postfix) with ESMTP id E28EB10182AB1; Wed, 26 Oct 2005 11:21:12 -0400 (EDT)
In-Reply-To: <200510252220.j9PMKWv9022797@taverner.CS.Berkeley.EDU>
To: David Wagner <daw-usenet@taverner.CS.Berkeley.EDU>
Subject: Re: [Cfrg] Fwd: Hash-Based Key Derivation
MIME-Version: 1.0
X-Mailer: Lotus Notes Release 6.5.1 January 21, 2004
Message-ID: <OF2238E08C.E0EF6740-ON852570A6.00504780-852570A6.005468A2@certicom.com>
From: Daniel Brown <DBrown@certicom.com>
Date: Wed, 26 Oct 2005 11:22:13 -0400
X-MIMETrack: Serialize by Router on Certicom1/Certicom(Release 6.5.4|March 27, 2005) at 10/26/2005 11:22:10 AM, Serialize complete at 10/26/2005 11:22:10 AM
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 825e642946eda55cd9bc654a36dab8c2
Cc: cfrg@ietf.org
X-BeenThere: cfrg@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:cfrg@ietf.org>
List-Help: <mailto:cfrg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============1546310737=="
Sender: cfrg-bounces@ietf.org
Errors-To: cfrg-bounces@ietf.org

David Wagner wrote on 10/25/2005 06:20:32 PM:

> Daniel Brown writes:
> >David Wagner wrote on 10/25/2005 02:51:58 PM:
> >> >> http://www.ietf.org/internet-drafts/draft-dang-nistkdf-00.txt
> >> 
> 
> >Presumably this is based on two results: (1) HMAC makes a good PRF and 
(2) 
> >PRF makes a good KDF.  Are there convenient references for such 
results? 
> 
> For (2), I don't understand the question.  Isn't a PRF exactly the
> obvious and right way of making precise what we expect from a KDF?
> I have a suspicion that this may be a question of semantics (i.e.,
> of what definitions we attach to KDF).  So probably before I can answer
> whether a PRF makes for something that *you* would call a good PRF, I
> should ask you whether you can make precise what you mean by a KDF.
> For me, when I say KDF, what I mean is almost exactly that it should
> act as a PRF when given secret inputs from some specified 
distribution(s).
> 

A KDF should be "one-way", at least for some protocols.  (For example, see 
http://eprint.iacr.org/2004/306 or the recent papers on HMQV.)

I'm not well-versed in the formal definitions for PRF (not to mention a 
KDF), but as I see it, certain PRFs can fail to be 1-way.  If the PRF is 
the identity and the secret input is uniform and unpredictable, then the 
output is indistinguishable (from random), so it seems to be a PRF.

I realize that length-expanding PRFs must be 1-way, because otherwise one 
can recover the input and re-run the PRF to distinguish its output from 
random.  However KDFs may not necessarily be length-expanding, and in fact 
they are often length-decreasing.

This is not at all to say that any of the existing PRF designs are 
inadequate as a KDFs, (usually the designs have length-expanding options 
and thus must be one-way).  All I'm saying is that there's something's 
more to the KDF security than pseudorandom output.

On the other hand, if the output of KDF is meant to be used as a key in a 
secure algorithm, how crucial is pseudorandomness, or even 1-wayness, in 
practical terms?  (For protocols that use the KDF output directly, e.g. as 
a stream cipher, then full pseudorandomness is essential.)  If the KDF 
output goes directly into a AES key or HMAC key, then having a small 
amount of bias seems relatively harmless.  I appreciate the theoretical 
value: AES is secure with a random key, then AES is secure with a 
pseudorandom key.   I also recall the attacks on ARC4 with the keys have 
extensive structure (highly non pseudorandom), but am not aware if such 
attacks are expected for AES, HMAC, etc.

_______________________________________________
Cfrg mailing list
Cfrg@ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg

v2.23.0 | Report a Bug | By Email