[Cfrg] Fwd: Hash-Based Key Derivation

David Wagner <daw@cs.berkeley.edu> Tue, 25 October 2005 21:56 UTC

From: David Wagner <daw@cs.berkeley.edu>
Message-Id: <200510252155.j9PLtqfQ021992@taverner.CS.Berkeley.EDU>
Subject: [Cfrg] Fwd: Hash-Based Key Derivation
To: cfrg@ietf.org
Date: Tue, 25 Oct 2005 14:55:52 -0700

Tom Shrimpton writes:
>The problem is that all of our existing hash functions are based on the 
>Merkle-Damgard paradigm, but plain MD doesn't preserve random-oracle-ness.
>There's a nice new paper by Coron, Dodis, Malinaud and Puniya 
>"Merkle-Damgard Revisited: How to Construct a Hash Function" that addresses 
>this issue.

Amusingly, I view that paper as supporting the random oracle model,
not undermining it.  That paper provided evidence that it may be
reasonable to model our hash functions as random oracles, as long as
the hash functions are only invoked on some prefix-free message space.
More precisely, if the compression function is modeled as a random oracle,
then the MD scheme is also a random oracle as long as you ensure there is
no pair of possible messages M,M' in the message space such that M is a
prefix of M'.  And good cryptosystem designers already ought to know to
avoid length-extension attacks on MD hashes by ensuring that the message
space is chosen to be prefix-free.

I guess what I'm saying is that good cryptographic design involves
both provable security (e.g., in the random oracle model) as well as
application of good cryptographic hygiene, prudent engineering practices,
and other heuristic rules of thumb.  This combination seems to lead to
pretty reasonable protocols.

_______________________________________________
Cfrg mailing list
Cfrg@ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg
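The point in the message above about length extension and prefix-free message spaces, as an added worked example (this is not code from the message, the list, or the Coron-Dodis-Malinaud-Puniya paper). The toy hash below is a plain Merkle-Damgard iteration whose compression function is idealized as SHA-256 of state||block; the key, message and extension strings are constructed sample data, and the attacker is assumed to know (or guess) the secret's length, as is usual for this attack. With plain MD, anyone holding H(secret||msg) can compute H(secret||msg||glue||ext) without the secret. After a prefix-free encoding (an 8-byte length prefix, so no encoded message is a proper prefix of another), the same resumption trick produces a value the verifier will never compute.

```python
"""Toy Merkle-Damgard hash: length extension vs. a prefix-free message encoding."""
import hashlib
import struct

BLOCK = 64            # bytes per compression-function input block
STATE = 32            # bytes of chaining state
IV = b"\x00" * STATE  # fixed initial value


def compress(state: bytes, block: bytes) -> bytes:
    """Compression function, idealized as a random oracle (SHA-256 of state||block)."""
    assert len(state) == STATE and len(block) == BLOCK
    return hashlib.sha256(state + block).digest()


def md_padding(total_len: int) -> bytes:
    """SHA-2 style MD strengthening: 0x80, zeros, then the 8-byte big-endian bit length."""
    pad = b"\x80"
    while (total_len + len(pad) + 8) % BLOCK != 0:
        pad += b"\x00"
    return pad + struct.pack(">Q", total_len * 8)


def md_hash(msg: bytes, state: bytes = IV, already_absorbed: int = 0) -> bytes:
    """Plain MD over msg.  The optional parameters let anyone who knows an
    intermediate chaining value and how many bytes it covers resume hashing;
    that resumption is exactly what makes length extension possible."""
    data = msg + md_padding(already_absorbed + len(msg))
    for i in range(0, len(data), BLOCK):
        state = compress(state, data[i:i + BLOCK])
    return state


def pf_encode(msg: bytes) -> bytes:
    """Prefix-free encoding: if enc(M) is a prefix of enc(M') the length fields
    agree, so len(M) == len(M') and then M == M'."""
    return struct.pack(">Q", len(msg)) + msg


def pf_hash(msg: bytes) -> bytes:
    """MD applied only to the prefix-free message space."""
    return md_hash(pf_encode(msg))


def naive_mac(key: bytes, msg: bytes) -> bytes:
    """The textbook mistake: tag = H(key || msg) over plain MD."""
    return md_hash(key + msg)


def pf_mac(key: bytes, msg: bytes) -> bytes:
    """Same construction, but the hash is restricted to the prefix-free space."""
    return pf_hash(key + msg)


def extend(tag: bytes, known_total_len: int, ext: bytes) -> tuple[bytes, bytes]:
    """Attacker side: from tag = H(X) and len(X), produce (glue, H(X || glue || ext))
    without knowing X.  glue is the padding the honest hasher appended to X."""
    glue = md_padding(known_total_len)
    forged = md_hash(ext, state=tag, already_absorbed=known_total_len + len(glue))
    return glue, forged


def demo(key: bytes = b"s3cret-key",                 # constructed sample secret
         msg: bytes = b"amount=10&to=alice",         # constructed sample message
         ext: bytes = b"&to=mallory") -> tuple[bool, bool]:
    """Returns (naive forgery verifies?, prefix-free forgery verifies?)."""
    # Plain MD: the forged tag matches what the verifier computes for the extended message.
    tag = naive_mac(key, msg)
    glue, forged = extend(tag, len(key) + len(msg), ext)
    naive_ok = naive_mac(key, msg + glue + ext) == forged

    # Prefix-free: the attacker can still resume from the tag, but the string that
    # resumption hashes (len(key||msg) || key || msg || glue || ext) is not the
    # encoding of any message, so the verifier's value for msg||glue||ext differs.
    tag2 = pf_mac(key, msg)
    glue2, forged2 = extend(tag2, 8 + len(key) + len(msg), ext)
    pf_ok = pf_mac(key, msg + glue2 + ext) == forged2
    return naive_ok, pf_ok


if __name__ == "__main__":
    print("plain MD forgery accepted:", demo()[0])      # True
    print("prefix-free forgery accepted:", demo()[1])   # False
```

The resumed computation in the prefix-free case is still a perfectly valid MD hash of some byte string; the defense is that this string lies outside the message space the verifier ever hashes, which is the prefix-freeness condition the Coron et al. result needs. In deployed protocols the usual engineering answer is HMAC rather than a hand-rolled length prefix, but the reason HMAC and prefix-free encodings both work is the same: the attacker cannot steer the iteration onto a message the honest party would accept.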