IETF Logo Mail Archive

Re: [Cfrg] Fwd: Hash-Based Key Derivation

Daniel Brown <DBrown@certicom.com> Wed, 26 October 2005 17:52 UTC

Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EUpRm-0006XE-8o; Wed, 26 Oct 2005 13:52:22 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EUpRl-0006Vx-2B for cfrg@megatron.ietf.org; Wed, 26 Oct 2005 13:52:21 -0400
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id NAA10342 for <cfrg@ietf.org>; Wed, 26 Oct 2005 13:52:04 -0400 (EDT)
Received: from ns.ca.certicom.com ([66.48.18.197] helo=mail.ca.certicom.com) by ietf-mx.ietf.org with smtp (Exim 4.43) id 1EUpew-0003Q4-Iu for cfrg@ietf.org; Wed, 26 Oct 2005 14:06:00 -0400
Received: from spamfilter.certicom.com (localhost.localdomain [127.0.0.1]) by mail.ca.certicom.com (Postfix) with ESMTP id 5FA4E1018197C; Wed, 26 Oct 2005 13:52:06 -0400 (EDT)
Received: from mail.ca.certicom.com ([127.0.0.1]) by spamfilter.certicom.com (storm [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 27845-03; Wed, 26 Oct 2005 13:51:56 -0400 (EDT)
Received: from certicom1.certicom.com (domino1.certicom.com [10.0.1.24]) by mail.ca.certicom.com (Postfix) with ESMTP id EF82610181961; Wed, 26 Oct 2005 13:51:55 -0400 (EDT)
In-Reply-To: <200510261653.j9QGrf2W024639@taverner.CS.Berkeley.EDU>
To: David Wagner <daw-usenet@taverner.CS.Berkeley.EDU>
Subject: Re: [Cfrg] Fwd: Hash-Based Key Derivation
MIME-Version: 1.0
X-Mailer: Lotus Notes Release 6.5.1 January 21, 2004
Message-ID: <OF694DE401.AB850BE2-ON852570A6.005D9699-852570A6.006234C8@certicom.com>
From: Daniel Brown <DBrown@certicom.com>
Date: Wed, 26 Oct 2005 13:52:55 -0400
X-MIMETrack: Serialize by Router on Certicom1/Certicom(Release 6.5.4|March 27, 2005) at 10/26/2005 01:52:53 PM, Serialize complete at 10/26/2005 01:52:53 PM
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 0ff9c467ad7f19c2a6d058acd7faaec8
Cc: cfrg@ietf.org
X-BeenThere: cfrg@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:cfrg@ietf.org>
List-Help: <mailto:cfrg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============0718354413=="
Sender: cfrg-bounces@ietf.org
Errors-To: cfrg-bounces@ietf.org

Sorry, my mistake, I was confusing PRF with PRG.

David Wagner wrote on 10/26/2005 12:53:41 PM:

> Daniel Brown writes:
> >A KDF should be "one-way" [...]
> >certain PRFs can fail to be 1-way.
> 
> I believe a KDF only needs to be one-way in the sense that given
> KDF(K,X) you cannot recover K.  (It does not need to be one-way in
> the usual sense: it doesn't matter if given Y=KDF(K,X) you can recover
> some other K' s.t. KDF(K',X)=Y, so long as K' reveals nothing about K.)
> 

Aside: does the PRF property ensure the functions to be one-way with 
respect to X?  That is, for random K, given two functions F(K,.) (the 
challenge function to distinguish) and G(K,.) (an adversary that finds 
preimages) such that G(K,F(K,X)) = X with high probability, can one 
distinguish F(K,.) from a random function R(.)?

I ask because X might contain sensitive (but low-entropy) information, 
e.g. password or private identifier, in the context of a KDF. 

> 
> So this is not an issue: the PRF requirement already implies all the
> one-wayness properties that you might want a KDF to have.
> 
> >If the PRF is 
> >the identity and the secret input is uniform and unpredictable, then 
the 
> >output is indistinguishable (from random), so it seems to be a PRF.
> 

Ok, I was thinking of a PRG, i.e. a function F(.) such that F(K) is 
indistinguishable from random if K is fully random.  (For more 
practicality, one would only need K to have enough min-entropy, 
computational or info-theoretic.)

My example was that the identity function F(K) = K is a length-preserving 
PRG and K is fully random, but would not be good enough for KDF, because 
it is not 1-way.

> If you mean F(K,X)=K, that's not a PRF.  The attack: Choose X, X'
> distinct.  Send X and X' to your oracle, receiving Y and Y'.  If Y=Y',
> then your oracle is a F(K,.) oracle; otherwise, your oracle is a random
> function.  So you've distinguished F(K,.) from random.
> 

NIST SP 800-56 says that raw DH shared secrets should be destroyed after 
they are used to generate a key with a KDF, thus one doesn't need to 
resist (very much) multiple chosen-input access to the KDF function. 

If there are "KDF" applications where the same secret K is fed into a 
function several times, potentially in conjunction with adversarially 
supplied inputs X, then I can see why the full power of a PRF may be 
necessary.  Doesn't TLS do this with master secrets and nonces? 

Is a 1-way (moreover leakage-resistant?) PRG sufficient for a KDF, or is 
the full power of a PRF needed?  It seems to me that a PRG used for KDF 
should be more than just 1-way: it should not leak info about the input, 
e.g. if the input is S||T, where S is a strong secret, then T should not 
be leaked.

_______________________________________________
Cfrg mailing list
Cfrg@ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg

v2.23.0 | Report a Bug | By Email