Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd)
Hugo Krawczyk <hugo@ee.technion.ac.il> Fri, 28 October 2005 16:49 UTC
Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EVXQU-0005AM-JL; Fri, 28 Oct 2005 12:49:58 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EVXQR-0005A3-Vr for cfrg@megatron.ietf.org; Fri, 28 Oct 2005 12:49:56 -0400
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id MAA28282 for <cfrg@ietf.org>; Fri, 28 Oct 2005 12:49:38 -0400 (EDT)
Received: from mailgw2.technion.ac.il ([132.68.238.33]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1EVXe0-00037p-NQ for cfrg@ietf.org; Fri, 28 Oct 2005 13:03:59 -0400
Received: from localhost (localhost.localdomain [127.0.0.1]) by mailgw2.technion.ac.il (Postfix) with ESMTP id 2BC3939018F for <cfrg@ietf.org>; Fri, 28 Oct 2005 18:49:49 +0200 (IST)
Received: from mailgw2.technion.ac.il ([127.0.0.1]) by localhost (mailgw2.technion.ac.il [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 30584-02-9 for <cfrg@ietf.org>; Fri, 28 Oct 2005 18:49:49 +0200 (IST)
Received: from ee.technion.ac.il (ee.technion.ac.il [132.68.48.5]) by mailgw2.technion.ac.il (Postfix) with ESMTP id F2F4E39025A for <cfrg@ietf.org>; Fri, 28 Oct 2005 18:49:48 +0200 (IST)
Received: from ee.technion.ac.il (localhost [127.0.0.1]) by ee.technion.ac.il (8.12.10+Sun/8.12.2) with ESMTP id j9SGpjOl023281; Fri, 28 Oct 2005 18:51:45 +0200 (IST)
Received: from localhost (hugo@localhost) by ee.technion.ac.il (8.12.10+Sun/8.12.2/Submit) with ESMTP id j9SGpjAE023277; Fri, 28 Oct 2005 18:51:45 +0200 (IST)
Date: Fri, 28 Oct 2005 18:51:45 +0200
From: Hugo Krawczyk <hugo@ee.technion.ac.il>
To: "D. J. Bernstein" <djb@cr.yp.to>
Subject: Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd)
In-Reply-To: <20051028104031.64522.qmail@cr.yp.to>
Message-ID: <Pine.GSO.4.44_heb2.09.0510281830530.20510-100000@ee.technion.ac.il>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
X-Virus-Scanned: by amavisd-new at technion.ac.il
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 8b431ad66d60be2d47c7bfeb879db82c
Cc: cfrg@ietf.org
X-BeenThere: cfrg@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:cfrg@ietf.org>
List-Help: <mailto:cfrg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=subscribe>
Sender: cfrg-bounces@ietf.org
Errors-To: cfrg-bounces@ietf.org
On 28 Oct 2005, D. J. Bernstein wrote: > Hugo Krawczyk writes: > > Firststep: K=H(SV || [context-information1]) > > Second step:Hi=PRF(K, counter++ || [context-information2] > > How do we build PRFs? By hashing the key and the input. So this No.I do not recommend (actually I object to) the approach of building a PRF by "hashing the key and the input". That is an error-prone approach which easily leads, for example, to define PRF(K,M)=SHA-1(M||K) which, as I said in a previous posting, assumes SHA-1 is collision resistant and therefore insecure. I use well-structured constructions based on as weak as possible requirements from the hash function. In HMAC, for example, it is the pseudo-random property of the compression function. If you are going to say that we do not know how pseudorandom this compression functon is then I will certainly agree with you (which is the case for almost everything else in cryptography) But it certainly states a well-defined property of the compresion function that can be judged relative to current cryptanlytical knowledge. In particular, for all we know today HMAC-SHA-1 is a good PRF while SHA-1(M||K) is not. In addition, when you specify a scheme with a generic PRF (and analyze it accordingly) you allow for different implementation of the PRF including non hash-based ones such as AES in CBC-MAC mode > construction boils down to something like H(H(SV,context),counter++). Or > maybe you want H(H(H(SV,context),counter++),H(SV,context)) because you > don't really trust your H. Or perhaps you meant > > H(SV,H(counter++,H(H(H(SV,context),counter++),H(SV,context)))) > > because security is really measured by the number of H's, right? Whoops, > looks like the added implementation difficulty made me double-increment > the counter, which I'll have to fix; nobody said security was easy! I do not know what you are trying to say. The counter++ was a short hand expression to avoid using i explicitly as counter (which NIST does not mandate) and saving the i=i+1 notation outside the Hi. It was not meant as a programming specification just to simplify presentation. > > ---D. J. Bernstein, Professor, Mathematics, Statistics, > and Computer Science, University of Illinois at Chicago > > _______________________________________________ > Cfrg mailing list > Cfrg@ietf.org > https://www1.ietf.org/mailman/listinfo/cfrg > _______________________________________________ Cfrg mailing list Cfrg@ietf.org https://www1.ietf.org/mailman/listinfo/cfrg
- [Cfrg] Fwd: Hash-Based Key Derivation David Wagner
- [Cfrg] Fwd: Hash-Based Key Derivation David Wagner
- [Cfrg] Fwd: Hash-Based Key Derivation David McGrew
- RE: [Cfrg] Fwd: Hash-Based Key Derivation Scott Fluhrer
- RE: [Cfrg] Fwd: Hash-Based Key Derivation Simon Blake-Wilson
- [Cfrg] Fwd: Hash-Based Key Derivation David Wagner
- [Cfrg] Fwd: Hash-Based Key Derivation David Wagner
- RE: [Cfrg] Fwd: Hash-Based Key Derivation Tom Shrimpton
- RE: [Cfrg] Fwd: Hash-Based Key Derivation Simon Blake-Wilson
- RE: [Cfrg] Fwd: Hash-Based Key Derivation Blumenthal, Uri
- RE: [Cfrg] Fwd: Hash-Based Key Derivation Simon Blake-Wilson
- RE: [Cfrg] Fwd: Hash-Based Key Derivation Simon Blake-Wilson
- RE: [Cfrg] Fwd: Hash-Based Key Derivation Scott Fluhrer
- RE: [Cfrg] Fwd: Hash-Based Key Derivation Blumenthal, Uri
- [Cfrg] Fwd: Hash-Based Key Derivation David Wagner
- RE: [Cfrg] Fwd: Hash-Based Key Derivation Tom Shrimpton
- RE: [Cfrg] Fwd: Hash-Based Key Derivation Simon Blake-Wilson
- Re: [Cfrg] Fwd: Hash-Based Key Derivation Daniel Brown
- Re: [Cfrg] Fwd: Hash-Based Key Derivation Paul Hoffman
- RE: [Cfrg] Fwd: Hash-Based Key Derivation Tom Shrimpton
- RE: [Cfrg] Fwd: Hash-Based Key Derivation Simon Blake-Wilson
- Re: [Cfrg] Fwd: Hash-Based Key Derivation D. J. Bernstein
- [Cfrg] Fwd: Hash-Based Key Derivation David Wagner
- [Cfrg] Fwd: Hash-Based Key Derivation David Wagner
- Re: [Cfrg] Fwd: Hash-Based Key Derivation Jack Lloyd
- [Cfrg] Fwd: Hash-Based Key Derivation David Wagner
- [Cfrg] Fwd: Hash-Based Key Derivation David Wagner
- KDF definition and goal [was: [Cfrg] Fwd: Hash-Ba… David McGrew
- [Cfrg] Fwd: Hash-Based Key Derivation David Wagner
- [Cfrg] Fwd: Hash-Based Key Derivation David Wagner
- Re: [Cfrg] Fwd: Hash-Based Key Derivation Daniel Brown
- Re: [Cfrg] Fwd: Hash-Based Key Derivation Jack Lloyd
- Re: KDF definition and goal [was: [Cfrg] Fwd: Has… David McGrew
- Re: [Cfrg] Fwd: Hash-Based Key Derivation Daniel Brown
- Re: [Cfrg] Fwd: Hash-Based Key Derivation Daniel Brown
- [Cfrg] Fwd: Hash-Based Key Derivation David Wagner
- [Cfrg] Fwd: Hash-Based Key Derivation David Wagner
- Re: [Cfrg] Fwd: Hash-Based Key Derivation Daniel Brown
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) Hugo Krawczyk
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) Daniel Brown
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) D. J. Bernstein
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) Hugo Krawczyk
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) Hugo Krawczyk
- [Cfrg] Fwd: Hash-Based Key Derivation (fwd) David Wagner
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) Hugo Krawczyk
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) D. J. Bernstein
- [Cfrg] Fwd: Hash-Based Key Derivation (fwd) David Wagner
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) D. J. Bernstein
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) John Wilkinson
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) Jack Lloyd
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) John Wilkinson
- [Cfrg] Fwd: Hash-Based Key Derivation (fwd) David Wagner
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) John Wilkinson
- [Cfrg] Fwd: Hash-Based Key Derivation (fwd) David Wagner
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) John Wilkinson
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) D. J. Bernstein
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) D. J. Bernstein
- [Cfrg] Fwd: Hash-Based Key Derivation (fwd) David Wagner
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) John Wilkinson
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd) D. J. Bernstein