Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd)

Jack Lloyd <lloyd@randombit.net> Sat, 29 October 2005 14:07 UTC

Date: Sat, 29 Oct 2005 10:06:49 -0400
From: Jack Lloyd <lloyd@randombit.net>
To: cfrg@ietf.org
Subject: Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd)
Message-ID: <20051029140649.GW6237@randombit.net>
Mail-Followup-To: cfrg@ietf.org
References: <200510281711.j9SHBI9f005644@taverner.CS.Berkeley.EDU> <20051028221539.15039.qmail@cr.yp.to> <FD2E8098-F7BA-4DEA-9A8D-192D3BA1293D@gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <FD2E8098-F7BA-4DEA-9A8D-192D3BA1293D@gmail.com>

On Sat, Oct 29, 2005 at 09:08:42AM -0400, John Wilkinson wrote:
> 
> On Oct 28, 2005, at 6:15 PM, D. J. Bernstein wrote:
> >You can turn AES into a hash function by applying, e.g., Luby-Rackoff
> >plus Miyaguchi-Preneel. Using this hash function to derive keys is then
> >identical to using AES to derive keys.
> 
> Dr. Bernstein, could you please describe (or give reference to) a way
> to produce a hash function H from AES, such that HMAC-H is a provably
> secure PRF, based only on the assumption that AES is a secure PRP?
> Thanks. -John

The paper "Black-Box Analysis of the Block-Cipher-Based Hash-Function
Constructions from PGV" from Crypto '02 (by Black, Rogaway, Shrimpton)
would seem to get us there. If AES is an ideal cipher, then we know
the collision and inversion resistance properties of various AES-based
hashing schemes thanks to that paper. At that point we can say how
strong an NMAC scheme instantiated with such a hash would be, and by
making the usual NMAC->HMAC leap of faith, we have a proof (of sorts).

Jack
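As an added example, not code from this thread: the construction sketched above, a Miyaguchi-Preneel compression function over AES-128 iterated with Merkle-Damgard padding and then wrapped in HMAC, written in Go against the standard library only. The all-zero IV, the function names and the 16-byte HMAC block size are my own choices; since AES-128 yields only a 128-bit digest, this shows the structure the PGV analysis covers rather than a hash of practical collision strength.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"fmt"
)

// mpCompress is the Miyaguchi-Preneel step h' = E_h(m) XOR h XOR m. With AES-128 the
// 16-byte chaining value doubles as the key, so PGV's key-derivation map g is the identity.
func mpCompress(h, m []byte) []byte {
	c, _ := aes.NewCipher(h) // h is always 16 bytes, so NewCipher cannot fail here
	out := make([]byte, aes.BlockSize)
	c.Encrypt(out, m)
	for i := range out {
		out[i] ^= h[i] ^ m[i]
	}
	return out
}

// mpHash: Merkle-Damgard padding (0x80, zero fill, 64-bit big-endian bit length) iterated through mpCompress from an all-zero IV (our constructed choice).
func mpHash(msg []byte) []byte {
	padded := append(append([]byte{}, msg...), 0x80)
	zeros := (aes.BlockSize + 8 - len(padded)%aes.BlockSize) % aes.BlockSize
	padded = append(padded, make([]byte, zeros+8)...)
	binary.BigEndian.PutUint64(padded[len(padded)-8:], uint64(len(msg))*8)
	h := make([]byte, aes.BlockSize)
	for i := 0; i < len(padded); i += aes.BlockSize {
		h = mpCompress(h, padded[i:i+aes.BlockSize])
	}
	return h
}

// hmacMP is RFC 2104 HMAC with mpHash as H and the 16-byte message block as HMAC block size.
func hmacMP(key, msg []byte) []byte {
	if len(key) > aes.BlockSize {
		key = mpHash(key) // long keys are hashed first, as HMAC specifies
	}
	k := make([]byte, aes.BlockSize) // zero-pad the key to the block size
	copy(k, key)
	ipad, opad := make([]byte, aes.BlockSize), make([]byte, aes.BlockSize)
	for i := range k {
		ipad[i], opad[i] = k[i]^0x36, k[i]^0x5c
	}
	return mpHash(append(opad, mpHash(append(ipad, msg...))...))
}

func main() {
	fmt.Printf("%x\n", hmacMP([]byte("key"), []byte("The quick brown fox")))
}
```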

_______________________________________________
Cfrg mailing list
Cfrg@ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg