Re: [Cfrg] [TLS] NIST crypto group and HKDF (and therefore TLS 1.3)

"Blumenthal, Uri - 0553 - MITLL" <> Thu, 14 May 2020 15:00 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id E5C283A0B2A for <>; Thu, 14 May 2020 08:00:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.895
X-Spam-Status: No, score=-1.895 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id YBlGJQjXRC_A for <>; Thu, 14 May 2020 08:00:30 -0700 (PDT)
Received: from (LLMX3.LL.MIT.EDU []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id E6C573A0B0D for <>; Thu, 14 May 2020 08:00:28 -0700 (PDT)
Received: from ( by (unknown) with ESMTPS id 04EF0OQF013539; Thu, 14 May 2020 11:00:24 -0400
From: "Blumenthal, Uri - 0553 - MITLL" <>
To: Hugo Krawczyk <>, "Dang, Quynh H. (Fed)" <>
CC: "" <>
Thread-Topic: [Cfrg] [TLS] NIST crypto group and HKDF (and therefore TLS 1.3)
Thread-Index: AQHWKM8GOuKZQPWunkG5m0pxBcxVp6il95OAgAB+sICAAA3rAIABZhuA///E4AA=
Date: Thu, 14 May 2020 15:00:23 +0000
Message-ID: <>
References: <> <> <> <> <> <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
user-agent: Microsoft-MacOutlook/16.36.20041300
x-originating-ip: []
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha256"; boundary="B_3672298822_937421517"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.216, 18.0.676 definitions=2020-05-14_05:2020-05-14, 2020-05-14 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-2004280000 definitions=main-2005140132
Archived-At: <>
Subject: Re: [Cfrg] [TLS] NIST crypto group and HKDF (and therefore TLS 1.3)
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 14 May 2020 15:00:33 -0000

When the IKM is longer than 1 block, it gets hashed iteratively by the compression function in Merkle-Damgard fashion (the hash function). Then, this hashed result is padded to become a full block, then Xor with opad and ipad (making input blocks are "independent"/different blocks/keys.  One of these Xored values is hashed with the salt, then its result and the other Xored value get hashed one more time by the iterative MD-hash function. 


I dont understand why any extraction property that you get from the traditional extraction gets lost by this alternative method. 


The only way I know to justify this step in general is to assume the underlying hash function is a RO which is general is not, due to extension attacks. 


Can you please explain: what is the significance of extension attacks in this context? 

KDF is not a MAC. And while it’s nice to have a construction as generic as possible – sometimes it helps to narrow the applicability scope, because the generic version may be too limiting for that specific use case.


This would make the analysis fully dependent on RO while the analysis of HKDF can use less stringent modeling depending on particular cases.


Thank you. One conclusion I draw form this is – since extension attacks do not seem to apply/matter for the Key Derivation, it is reasonably safe to model the entire hash function as RO. Therefore, the proposed option appears to be safe.


For me, it is less important to stay generic than to be able to employ currently-available commercial HSM. For that use case, modeling hash function (even SHA-2) as RO seems OK.


I don't know how you do that if the only input to the function is an initial hash value of the IKM.


When the IKM is not more than an input block, then each of  the 2 Xored values gets processed by 1 compression function call which is modeled as a RO. I dont understand why this alternative method losses some extraction property from the traditional extraction function.


When the key is no longer than hash block then you would need to assume what the compression function is a PRF when keyed via a non-uniform key, essentially assuming what you need to prove.  


You can go ahead and use the reverse construction as an ad-hoc construction. However, if you want a detailed analysis such as in the case of HKDF , which is careful about lowering cryptographic assumptions, builds on the Merkle Damgard iterations (that are the basis of HMAC as PRF), is based on rich statistical extraction literature of 30+ years,  justifies the use of the function for many different settings (reflected very well in the use of HKDF in practical protocol, cf. TLS 1.3), and provides usage guidance, then I am not sure you can do it with the ad-hoc construction.


At the risk of repeating myself: while I appreciate what you’re explaining here, in my case staying with the lowest theoretic-proven cryptographic assumptions makes stuff undeployable in practice. 


I really recommend you read the paper.  As I said at the beginning of this thread, I don't want to convert this into an exposition on HKDF. For that I wrote a full paper


I think I said that I have read that paper (I suspect that Quynh did too), and (in my case) found it targeting a different audience. No offence meant – but if it were more readable, I wouldn’t have to ask my questions here.