Re: KDF definition and goal [was: [Cfrg] Fwd: Hash-Based Key Derivation]

"D. J. Bernstein" <djb@cr.yp.to> Sat, 29 October 2005 10:33 UTC

Date: Sat, 29 Oct 2005 10:34:03 -0000
Message-ID: <20051029103403.39940.qmail@cr.yp.to>
Automatic-Legal-Notices: See http://cr.yp.to/mailcopyright.html.
From: "D. J. Bernstein" <djb@cr.yp.to>
To: cfrg@ietf.org
Subject: Re: KDF definition and goal [was: [Cfrg] Fwd: Hash-Based Key Derivation]
References: <200510282204.j9SM43mw013898@taverner.CS.Berkeley.EDU>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
Precedence: list
Sender: cfrg-bounces@ietf.org
Errors-To: cfrg-bounces@ietf.org

David Wagner writes:
> > > The hash function also has to be independent of the adversary's choices.
> > No, that sort of assumption is always wrong for public hash functions.
> Exactly my point. I'm saying the assumption is necessary for provable
> security under the Leftover Hash Lemma

No. Your false hypothesis is not an assumption of the lemma. You clearly
understand that the lemma applies to public hash functions used for one
message; I have no idea why you think that the multiple-message case is
different. Anyway, I already cited a Shoup page that explains all this
in detail.

---D. J. Bernstein, Professor, Mathematics, Statistics,
and Computer Science, University of Illinois at Chicago

_______________________________________________
Cfrg mailing list
Cfrg@ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg

KDF definition and goal [was: [Cfrg] Fwd: Hash-Ba… David Wagner
Re: KDF definition and goal [was: [Cfrg] Fwd: Has… David McGrew
KDF definition and goal [was: [Cfrg] Fwd: Hash-Ba… David Wagner
KDF definition and goal [was: [Cfrg] Fwd: Hash-Ba… David Wagner
Re: KDF definition and goal [was: [Cfrg] Fwd: Has… D. J. Bernstein
Re: KDF definition and goal [was: [Cfrg] Fwd: Has… David McGrew
RE: KDF definition and goal [was: [Cfrg] Fwd: Has… Simon Blake-Wilson
KDF definition and goal [was: [Cfrg] Fwd: Hash-Ba… David Wagner
[Cfrg] Re: Extractors/KDF definition and goal csjutla
KDF definition and goal [was: [Cfrg] Fwd: Hash-Ba… David Wagner
RE: KDF definition and goal [was: [Cfrg] Fwd: Has… Simon Blake-Wilson
RE: KDF definition and goal [was: [Cfrg] Fwd: Has… Daniel Brown
KDF definition and goal [was: [Cfrg] Fwd: Hash-Ba… David Wagner
KDF definition and goal [was: [Cfrg] Fwd: Hash-Ba… David Wagner
KDF definition and goal [was: [Cfrg] Fwd: Hash-Ba… David Wagner
KDF definition and goal [was: [Cfrg] Fwd: Hash-Ba… David Wagner
Re: KDF definition and goal [was: [Cfrg] Fwd: Has… D. J. Bernstein
KDF definition and goal [was: [Cfrg] Fwd: Hash-Ba… David Wagner
Re: KDF definition and goal [was: [Cfrg] Fwd: Has… D. J. Bernstein
KDF definition and goal [was: [Cfrg] Fwd: Hash-Ba… David Wagner
Re: KDF definition and goal [was: [Cfrg] Fwd: Has… D. J. Bernstein
KDF definition and goal [was: [Cfrg] Fwd: Hash-Ba… David Wagner
Re: KDF definition and goal [was: [Cfrg] Fwd: Has… John Wilkinson
KDF definition and goal [was: [Cfrg] Fwd: Hash-Ba… David Wagner
Re: KDF definition and goal [was: [Cfrg] Fwd: Has… D. J. Bernstein
KDF definition and goal [was: [Cfrg] Fwd: Hash-Ba… David Wagner
Re: KDF definition and goal [was: [Cfrg] Fwd: Has… canetti