IETF Logo Mail Archive

[Cfrg] Fwd: Hash-Based Key Derivation (fwd)

David Wagner <daw@cs.berkeley.edu> Sun, 30 October 2005 05:42 UTC

Received: from localhost.cnri.reston.va.us ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EW5y7-0002qu-Lh; Sun, 30 Oct 2005 01:42:59 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EW5y6-0002ql-7X for cfrg@megatron.ietf.org; Sun, 30 Oct 2005 01:42:58 -0400
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id BAA15563 for <cfrg@ietf.org>; Sun, 30 Oct 2005 01:42:40 -0400 (EDT)
Received: from taverner.cs.berkeley.edu ([128.32.168.222]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1EW6By-0002tu-Qm for cfrg@ietf.org; Sun, 30 Oct 2005 01:57:20 -0400
Received: from taverner.CS.Berkeley.EDU (localhost.localdomain [127.0.0.1]) by taverner.CS.Berkeley.EDU (8.13.1/8.13.1) with ESMTP id j9U5gbkH023527 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Sat, 29 Oct 2005 22:42:38 -0700
Received: (from daw@localhost) by taverner.CS.Berkeley.EDU (8.13.1/8.13.1/Submit) id j9U5gbRn023523; Sat, 29 Oct 2005 22:42:37 -0700
From: David Wagner <daw@cs.berkeley.edu>
Message-Id: <200510300542.j9U5gbRn023523@taverner.CS.Berkeley.EDU>
Subject: [Cfrg] Fwd: Hash-Based Key Derivation (fwd)
To: cfrg@ietf.org
Date: Sat, 29 Oct 2005 22:42:37 -0700
Secret-Bounce-Tag: 9a029cbee41caf2ca77a77efa3c13981
X-Mailer: ELM [version 2.5 PL6]
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 4adaf050708fb13be3316a9eee889caa
Content-Transfer-Encoding: 7bit
X-BeenThere: cfrg@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: David Wagner <daw-usenet@taverner.CS.Berkeley.EDU>
List-Id: Crypto Forum Research Group <cfrg.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:cfrg@ietf.org>
List-Help: <mailto:cfrg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=subscribe>
Sender: cfrg-bounces@ietf.org
Errors-To: cfrg-bounces@ietf.org

John Wilkinson writes:
>Getting back to the original topic of the NIST HKDF proposal, several
>people suggested that they were uncomfortable with the construction
>H_i = H( i || SV || contextID ), which is the one suggested in the
>HKDF proposal, with some optional arguments suppressed.
>
>Most of these same people suggested instead something along the lines
>of K_i = PRF( H(SV), i || contextID ), where H(SV) is the key input to
>the PRF, and ( i || contextID ) is the "message" input to the PRF.
>HMAC and CMAC were both suggested as suitable PRFs.
>
>Neither HMAC, nor CMAC retains any security guarantee as a PRF if the
>key is not chosen uniformly at random. If we assume that H(SV) is
>uniformly random, given that SV may not be, then we should have no
>concern with the NIST HKDF.

I don't agree with the last statement.  As I have written before (I
apologize for repeating myself), H(i || SV || ...) puts more stress on
the hash than PRF(H(SV), i || ...) does.  For the latter, we only need
H() to be good at producing uniformly random output *once*, and for the
case when *the attacker has limited (or no) control over the input to
the hash*.  For the former, we need H() to be good at producing uniformly
random output *on many closely related inputs*, and *when large parts
of the input can be entirely controlled by the attacker*.  Dealing with
producing many uniformly random outputs is precisely what PRFs are
good at.  And dealing with (non-secret) inputs that can be controlled
by the attacker is also exactly what PRFs are good at.  PRF(H(SV), i ||
...) uses the H() and PRF() primitives for what they are best at, not
what they are worst at.  For this reason, I would think that PRF(H(SV),
i || ...) would be a better design.

Basically, I'm talking about limiting how much we rely on the random
oracle model -- or, almost equivalently, limiting how much stress we put
on the hash function to behave well in scenarios it wasn't necessarily
designed for.

I think the NIST KDF is sub-optimal, and could be improved.  I don't
understand the argument that would be better to leave it unchanged.
But hey, I don't want to overstate the case.  It's not the end of
the world to leave the NIST KDF as is.  It's probably secure as it is.
My comment is only that one can do better: one can reduce the likelihood
of security failure, through more thoughtful design.  But if the powers
that be decide they prefer the current form, it's not a big deal.
Frankly, it's pretty rare for the crypto to be the weakest point in any
real system anyway, so even if the crypto isn't the very best it could
be, that might still be ok.

_______________________________________________
Cfrg mailing list
Cfrg@ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg

v2.23.0 | Report a Bug | By Email