Re: [Cfrg] Answers to HKDF questions

David McGrew <mcgrew@cisco.com> Mon, 26 October 2009 11:07 UTC

Message-Id: <1AA41B0A-F458-444A-BFC0-78A49FAB6F43@cisco.com>
From: David McGrew <mcgrew@cisco.com>
To: Zooko Wilcox-O'Hearn <zooko@zooko.com>
In-Reply-To: <823D9A4C-11AB-4CBE-A554-D8FF62AC6166@zooko.com>
Date: Mon, 26 Oct 2009 04:07:50 -0700
References: <e89b43830910211838x2e1ca67cgaf48d02cd4008710@mail.gmail.com> <46DFA920-54BF-4567-90AF-6742C8FAA5F2@zooko.com> <e89b43830910221609y75514633m8064d5b19d8d54e4@mail.gmail.com> <823D9A4C-11AB-4CBE-A554-D8FF62AC6166@zooko.com>
Cc: cfrg@irtf.org
Subject: Re: [Cfrg] Answers to HKDF questions

Hi Zooko,

On Oct 25, 2009, at 4:06 PM, Zooko Wilcox-O'Hearn wrote:

> On Thursday, 2009-10-22, at 17:09, Hugo Krawczyk wrote:
>
>> Can you explain how you plan to use Poly1305 for KDF?
>
> I was thinking firstly of the expansion stage, but a similar  
> question applies to the extraction stage.
>
> Poly1305 and HMAC have the same "interface" -- that of a MAC which  
> takes a key and a message and perhaps a nonce and generates a tag.   
> In your paper you describe a general structure for the Extract then  
> Expand ("XtX") KDF which uses in the expansion stage a function  
> named "PRF".  Then you suggest instantiating PRF(PRK, m) as
> HMAC(PRK, m) (section 2).
>
> My question is, suppose I instead instantiated PRF(PRK, m) as  
> Poly1305-AES(PRK, m).  HMAC and Poly1305 each have arguments for  
> their security as MACs.  But are the arguments for the security of
> HKDF predicated on the assumption that the PRK is a secure MAC?  In  
> other words: what property is required of the PRK function in order  
> for HKDF to be a good KDF?
>
> David McGrew wrote a nice note in answer to my question: http://www.ietf.org/mail-archive/web/cfrg/current/msg02672.html
>
> In the context of the extraction stage, he seemed to say that a  
> Carter-Wegman MAC such as Poly1305 should be analyzed merely as a  
> statistical extractor, not as a computational extractor.  Is that  
> what you meant to say, David?

Yes, that's right.

> I don't see why that would be so.

Check out S2.1 of http://cs.haifa.ac.il/~ronen/online_papers/survey.ps

David
>
> Regards,
>
> Zooko
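The Extract-then-Expand structure Zooko's quoted message describes, with the PRF as a swappable (key, message) -> tag function and HMAC-SHA-256 plugged in as the paper suggests, as an added Python example that is not part of this thread. The sample inputs are those of RFC 5869 test case 1 (HMAC-SHA-256); whether a Carter-Wegman MAC such as Poly1305 may stand in for that PRF is exactly the open question of the thread, and the code does not settle it.

```python
import hashlib
import hmac
from typing import Callable

# The MAC-style interface the thread discusses: (key, message) -> tag.
PRF = Callable[[bytes, bytes], bytes]


def hmac_sha256(key: bytes, msg: bytes) -> bytes:
    """HMAC-SHA-256, the PRF instantiation HKDF specifies."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def hkdf_extract(prf: PRF, salt: bytes, ikm: bytes) -> bytes:
    """Extract stage: PRK = PRF(salt, IKM); note the salt is the PRF key.

    An empty salt is replaced by HashLen zero bytes, as HKDF prescribes."""
    if not salt:
        salt = b"\x00" * len(prf(b"", b""))
    return prf(salt, ikm)


def hkdf_expand(prf: PRF, prk: bytes, info: bytes, length: int) -> bytes:
    """Expand stage: T(i) = PRF(PRK, T(i-1) || info || i), OKM = T(1) || T(2) || ..."""
    hash_len = len(prf(prk, b""))
    if not 0 < length <= 255 * hash_len:
        raise ValueError("length must be between 1 and 255 * HashLen")
    okm, t, counter = b"", b"", 1
    while len(okm) < length:
        t = prf(prk, t + info + bytes([counter]))  # counter is a single octet
        okm += t
        counter += 1
    return okm[:length]


def hkdf(prf: PRF, salt: bytes, ikm: bytes, info: bytes, length: int) -> bytes:
    """Extract-then-Expand in one call."""
    return hkdf_expand(prf, hkdf_extract(prf, salt, ikm), info, length)


# Sample input: the inputs of RFC 5869 test case 1 (HMAC-SHA-256).
IKM = bytes.fromhex("0b" * 22)
SALT = bytes.fromhex("000102030405060708090a0b0c")
INFO = bytes.fromhex("f0f1f2f3f4f5f6f7f8f9")

if __name__ == "__main__":
    prk = hkdf_extract(hmac_sha256, SALT, IKM)
    print("PRK", prk.hex())
    print("OKM", hkdf_expand(hmac_sha256, prk, INFO, 42).hex())
```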