Re: KDF definition and goal [was: [Cfrg] Fwd: Hash-Based Key Derivation]

John Wilkinson <wilkjohn@gmail.com> Sat, 29 October 2005 18:36 UTC

From: John Wilkinson <wilkjohn@gmail.com>
To: cfrg@ietf.org
Subject: Re: KDF definition and goal [was: [Cfrg] Fwd: Hash-Based Key Derivation]
Date: Sat, 29 Oct 2005 14:36:46 -0400
Message-Id: <25924DFD-6065-44AA-97E0-392D0DF9CEFC@gmail.com>
In-Reply-To: <200510291655.j9TGtIxg007767@taverner.CS.Berkeley.EDU>
List-Id: Crypto Forum Research Group <cfrg.ietf.org>

On Oct 29, 2005, at 12:55 PM, David Wagner wrote:
> If the protocol calls for Alice to pick the hash H first and publish
> it, and Mallory later picks the message A, then there is no reason to
> think that H,A will be independent.  Consequently, for such a protocol,
> the Leftover Hash Lemma will not be applicable.

Since the original scenario was DH key exchange, let Alice and Bob be the legitimate parties to the communication, and let A = g^xy, where x and y are uniform random values chosen by Alice and Bob. Let H be chosen in advance by the protocol designer, and made public. How does Mallory, a would-be eavesdropper, influence the selection of x and y so as to choose A dependent on H? If Mallory has this level of influence over Alice and/or Bob, it seems that he would have other ways to eavesdrop. So, I'm not sure I see the problem of using the leftover hash lemma in the context of entropy extraction for key exchange. Any thoughts? -John
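The exchange above turns on whether the Leftover Hash Lemma needs the hashed input to be independent of the (public) hash. The following added example, which is not part of this message or of the CFRG thread, computes both situations exactly on a toy-sized DH group: the eavesdropper-only setting, where A = g^xy is drawn independently of the hash seed, and Wagner's setting, where the seed is published first and the input is picked afterwards. The group (P = 107, Q = 53, G = 4), the Carter-Wegman universal family ((a*x + b) mod P) mod R, the 2-bit output range and the "largest bucket" chooser are all assumptions made here for illustration.

```python
"""Leftover Hash Lemma (LHL) on a toy Diffie-Hellman shared secret.

Added worked example for the exchange above; it is not code from the CFRG
thread.  The group, the hash family and the attacker behaviour are all
assumptions made here, and the parameters are toy-sized so that every
statistical distance below is computed exactly by enumeration.
"""
from collections import Counter
from fractions import Fraction
from math import log2, sqrt

# Toy DH group: P is a safe prime (P = 2*Q + 1) and G = 4 generates the
# order-Q subgroup of Z_P^*.  Hopelessly insecure sizes, chosen so that
# all seeds and all secrets can be enumerated.
P, Q, G = 107, 53, 4

# Extractor output range: R = 4 values, i.e. m = 2 output bits.
R = 4

# Carter-Wegman universal family h_{a,b}(x) = ((a*x + b) mod P) mod R with
# a in [1, P-1], b in [0, P-1].  Two distinct inputs collide with probability
# at most 1/R over the choice of seed, which is what the LHL requires.
SEEDS = [(a, b) for a in range(1, P) for b in range(P)]

def h(seed, x):
    a, b = seed
    return ((a * x + b) % P) % R

def shared_secret_distribution():
    """Distribution of A = G^(x*y) mod P for x, y uniform in [1, Q-1].
    Returns (sorted list of possible A values, min-entropy in bits)."""
    counts = Counter(pow(G, x * y, P) for x in range(1, Q) for y in range(1, Q))
    total = (Q - 1) ** 2
    k = -log2(max(counts.values()) / total)
    # x*y mod Q is uniform over Z_Q^*, so A is uniform over Q-1 elements.
    assert len(set(counts.values())) == 1 and len(counts) == Q - 1
    return sorted(counts), k

SECRETS, K_BITS = shared_secret_distribution()

def sd_from_uniform(counts, total):
    """Statistical distance between {v: counts[v]/total} and uniform on range(R)."""
    return sum(abs(Fraction(counts.get(v, 0), total) - Fraction(1, R))
               for v in range(R)) / 2

def lhl_bound(k_bits, out_size):
    """LHL: E_S[ SD(h_S(A), U) ] <= 1/2 * sqrt(out_size * 2^-k) when A has
    k bits of min-entropy and is chosen independently of the seed S."""
    return 0.5 * sqrt(out_size * 2.0 ** (-k_bits))

def honest_extraction():
    """A independent of the seed (the eavesdropper-only DH setting):
    average over all seeds of the SD of h_S(A) from uniform."""
    total = Fraction(0)
    for s in SEEDS:
        counts = Counter(h(s, A) for A in SECRETS)
        total += sd_from_uniform(counts, len(SECRETS))
    return float(total / len(SEEDS))

def seed_dependent_extraction():
    """Wagner's case: the seed is published first and the input is chosen
    afterwards.  The chooser restricts A to the largest hash bucket of that
    seed, so the extractor output is constant, although A still has
    log2(bucket size) >= log2(ceil((Q-1)/R)) bits of min-entropy given S.
    Returns (average SD, smallest conditional min-entropy over all seeds)."""
    total = Fraction(0)
    min_k = float("inf")
    for s in SEEDS:
        buckets = {}
        for A in SECRETS:
            buckets.setdefault(h(s, A), []).append(A)
        chosen = max(buckets.values(), key=len)   # A uniform over this bucket
        min_k = min(min_k, log2(len(chosen)))
        counts = {h(s, chosen[0]): len(chosen)}   # every element hashes alike
        total += sd_from_uniform(counts, len(chosen))
    return float(total / len(SEEDS)), min_k

if __name__ == "__main__":
    sd = honest_extraction()
    print(f"k = {K_BITS:.2f} bits of min-entropy, m = {log2(R):.0f} output bits")
    print(f"independent input : SD = {sd:.4f}  <= LHL bound {lhl_bound(K_BITS, R):.4f}")
    sd_dep, k_dep = seed_dependent_extraction()
    print(f"seed-dependent    : SD = {sd_dep:.4f}  vs bound {lhl_bound(k_dep, R):.4f} "
          f"for k >= {k_dep:.2f} bits given S -- the lemma does not apply here")
```

In the independent case the seed-averaged statistical distance stays under the lemma's bound of ½·sqrt(R·2^-k), which is the situation the reply above describes: an eavesdropper who only sees g^x and g^y has no handle on which A comes out. In the seed-dependent case every seed yields a constant output (distance 3/4 from uniform) even though A keeps at least log2(13), roughly 3.7, bits of min-entropy conditioned on the seed; that exceeds what the lemma would allow for an independent input of that entropy, which is exactly the sense in which the lemma "will not be applicable" once the input may depend on H.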

_______________________________________________
Cfrg mailing list
Cfrg@ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg