IETF Logo Mail Archive

Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd)

Hugo Krawczyk <hugo@ee.technion.ac.il> Fri, 28 October 2005 16:49 UTC

Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EVXQU-0005AM-JL; Fri, 28 Oct 2005 12:49:58 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EVXQR-0005A3-Vr for cfrg@megatron.ietf.org; Fri, 28 Oct 2005 12:49:56 -0400
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id MAA28282 for <cfrg@ietf.org>; Fri, 28 Oct 2005 12:49:38 -0400 (EDT)
Received: from mailgw2.technion.ac.il ([132.68.238.33]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1EVXe0-00037p-NQ for cfrg@ietf.org; Fri, 28 Oct 2005 13:03:59 -0400
Received: from localhost (localhost.localdomain [127.0.0.1]) by mailgw2.technion.ac.il (Postfix) with ESMTP id 2BC3939018F for <cfrg@ietf.org>; Fri, 28 Oct 2005 18:49:49 +0200 (IST)
Received: from mailgw2.technion.ac.il ([127.0.0.1]) by localhost (mailgw2.technion.ac.il [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 30584-02-9 for <cfrg@ietf.org>; Fri, 28 Oct 2005 18:49:49 +0200 (IST)
Received: from ee.technion.ac.il (ee.technion.ac.il [132.68.48.5]) by mailgw2.technion.ac.il (Postfix) with ESMTP id F2F4E39025A for <cfrg@ietf.org>; Fri, 28 Oct 2005 18:49:48 +0200 (IST)
Received: from ee.technion.ac.il (localhost [127.0.0.1]) by ee.technion.ac.il (8.12.10+Sun/8.12.2) with ESMTP id j9SGpjOl023281; Fri, 28 Oct 2005 18:51:45 +0200 (IST)
Received: from localhost (hugo@localhost) by ee.technion.ac.il (8.12.10+Sun/8.12.2/Submit) with ESMTP id j9SGpjAE023277; Fri, 28 Oct 2005 18:51:45 +0200 (IST)
Date: Fri, 28 Oct 2005 18:51:45 +0200
From: Hugo Krawczyk <hugo@ee.technion.ac.il>
To: "D. J. Bernstein" <djb@cr.yp.to>
Subject: Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd)
In-Reply-To: <20051028104031.64522.qmail@cr.yp.to>
Message-ID: <Pine.GSO.4.44_heb2.09.0510281830530.20510-100000@ee.technion.ac.il>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
X-Virus-Scanned: by amavisd-new at technion.ac.il
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 8b431ad66d60be2d47c7bfeb879db82c
Cc: cfrg@ietf.org
X-BeenThere: cfrg@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:cfrg@ietf.org>
List-Help: <mailto:cfrg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=subscribe>
Sender: cfrg-bounces@ietf.org
Errors-To: cfrg-bounces@ietf.org

On 28 Oct 2005, D. J. Bernstein wrote:

> Hugo Krawczyk writes:
> > Firststep:  K=H(SV || [context-information1])
> > Second step:Hi=PRF(K, counter++ || [context-information2]
>
> How do we build PRFs? By hashing the key and the input. So this

No.I do not recommend (actually I object to) the approach of building a
PRF by "hashing the key and the input". That is an error-prone approach
which easily leads, for example, to define PRF(K,M)=SHA-1(M||K) which, as
I said in a previous posting, assumes SHA-1 is collision resistant and
therefore insecure. I use well-structured constructions based on as weak
as possible requirements from the hash function. In HMAC, for example, it
is the pseudo-random property of the compression function. If you are
going to say that we do not know how pseudorandom this compression functon
is then I will certainly agree with you (which is the case for almost
everything else in cryptography) But it certainly states a well-defined
property of the compresion function that can be judged relative to current
cryptanlytical knowledge. In particular, for all we know today HMAC-SHA-1
is a good PRF while SHA-1(M||K) is not.

In addition, when you specify a scheme with a generic PRF (and analyze it
accordingly) you allow for different implementation of the PRF including
non hash-based ones such as AES in CBC-MAC mode

> construction boils down to something like H(H(SV,context),counter++). Or
> maybe you want H(H(H(SV,context),counter++),H(SV,context)) because you
> don't really trust your H. Or perhaps you meant
>
>  H(SV,H(counter++,H(H(H(SV,context),counter++),H(SV,context))))
>
> because security is really measured by the number of H's, right? Whoops,
> looks like the added implementation difficulty made me double-increment
> the counter, which I'll have to fix; nobody said security was easy!

I do not know what you are trying to say. The counter++ was a short hand
expression to avoid using i explicitly as counter (which NIST does not
mandate) and saving the i=i+1 notation outside the Hi. It was not meant as
a programming specification just to simplify presentation.

>
> ---D. J. Bernstein, Professor, Mathematics, Statistics,
> and Computer Science, University of Illinois at Chicago
>
> _______________________________________________
> Cfrg mailing list
> Cfrg@ietf.org
> https://www1.ietf.org/mailman/listinfo/cfrg
>


_______________________________________________
Cfrg mailing list
Cfrg@ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg

v2.23.0 | Report a Bug | By Email