Re: [CFRG] HKDF - difference in counter between original paper and RFC 5869
Hugo Krawczyk <hugo@ee.technion.ac.il> Thu, 02 June 2022 07:38 UTC
Return-Path: <hugokraw@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 000E4C157908 for <cfrg@ietfa.amsl.com>; Thu, 2 Jun 2022 00:38:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.407
X-Spam-Level:
X-Spam-Status: No, score=-1.407 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.25, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zjPdKiWOw4NI for <cfrg@ietfa.amsl.com>; Thu, 2 Jun 2022 00:38:17 -0700 (PDT)
Received: from mail-wr1-f51.google.com (mail-wr1-f51.google.com [209.85.221.51]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9D91BC14F725 for <cfrg@irtf.org>; Thu, 2 Jun 2022 00:38:17 -0700 (PDT)
Received: by mail-wr1-f51.google.com with SMTP id k19so5295846wrd.8 for <cfrg@irtf.org>; Thu, 02 Jun 2022 00:38:17 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=NC5ZljUpQm7fhnbui/YtAkjdJALM3dk67eINfdnYiAs=; b=nMP6NCjPL5/X3VaSwx+/NZ8rUwcJNio0kAqu+Fio7wGktQa6QcDxpugW13+dhaxA/G H+hpPYRJH/nWurvK70wZZwQQh87qo9SH8dcJpRFXz9c5b8lWKAgHL9/FFdn9PmRGmTk2 gUNoafZARAXcaCleriEFEWRSMoo7F3VPIL4gbXuKlcJCiZareiLP/8vlYe0qr47Zmf6i Xi0JfoaM2wFrFPr4dh8MupGTRVLOeJxfKjlPwI8+hpwZsWw/3dvjC1hFaXlPrFGZu94s TUIsjl7cuCUeT4i0JKok0TVlCAePtL2QnjNsVo7IF8PNuFY9yO3KNiMFNwwPqhe9hCWx 740g==
X-Gm-Message-State: AOAM532006LFAq1EqNwbOUjqxLNPO1mDlUZgzPZlbPnORNR2H1iC6q/i tUwWCcQROAGgSvtPt05/th2C+VzWo+CcfsNzYIk=
X-Google-Smtp-Source: ABdhPJyLfrX19MHfTNU/khiG2sXYZMwst51eeFqBAva0HXWSfLYzGJ9VWz9PWCiPmlooYJdFOPL9bkYQ+xDJDzCe/Bo=
X-Received: by 2002:a5d:4292:0:b0:210:1228:cefd with SMTP id k18-20020a5d4292000000b002101228cefdmr2331341wrq.519.1654155495935; Thu, 02 Jun 2022 00:38:15 -0700 (PDT)
MIME-Version: 1.0
References: <D0A4585A-450D-4A4C-A25A-CD85E3A1FBBB@gmail.com>
In-Reply-To: <D0A4585A-450D-4A4C-A25A-CD85E3A1FBBB@gmail.com>
From: Hugo Krawczyk <hugo@ee.technion.ac.il>
Date: Thu, 02 Jun 2022 09:38:02 +0200
Message-ID: <CADi0yUO3cnHV+X6zqfE=C=L9ojg3RQH5ZWwizGSfCp-JAykc1Q@mail.gmail.com>
To: Neil Madden <neil.e.madden@gmail.com>
Cc: IRTF CFRG <cfrg@irtf.org>
Content-Type: multipart/alternative; boundary="000000000000bd150205e0721608"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/mA5KlWBCkOuYp6Z8m3b6vHa2Llw>
Subject: Re: [CFRG] HKDF - difference in counter between original paper and RFC 5869
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Jun 2022 07:38:22 -0000
Good question. I believe (I checked some old email of mine with Pasi) this was done for compatibility with the definition of HKDF in IKE (which is when I originally designed HKDF, though without a name and published analysis). I wasn't too happy about being limited by backwards compatibility but it was judged at the time as one less hurdle for adoption. Hugo On Tue, May 31, 2022 at 9:33 AM Neil Madden <neil.e.madden@gmail.com> wrote: > When looking at HKDF I was curious why the definition of HKDF-Expand in > RFC 5869 [1] starts the counter at 1 rather than 0: > > T(0) = empty string (zero length) > T(1) = HMAC-Hash(PRK, T(0) | info | 0x01) > T(2) = HMAC-Hash(PRK, T(1) | info | 0x02) > T(3) = HMAC-Hash(PRK, T(2) | info | 0x03) > ... > > > Section 4.2 of the original paper [2] does indeed start the counter value > at 0: > > PRK = HMAC(XTS, SKM) > K(1) = HMAC(PRK, CTXinfo ∥ 0), > > K(i+1) = HMAC(PRK, K(i)∥CTXinfo∥i), 1≤i<t, > > I can’t find any rationale for why this change was made in the RFC, so I > thought I’d check here in case anyone knows? Given that the counter is only > a single byte, eliminating one of the 256 valid values seems unfortunate. I > also can’t see any security or practical reason for doing so, but perhaps > I’m missing something? > > (It happens to be a useful feature for me, but I suspect not deliberately > so: a C program I am looking at uses HMAC and happens to include a null > terminator byte in each input. It is therefore accidentally > domain-separated from use of HKDF-Expand, potentially providing a > satisfyingly simple way to upgrade it to AEAD by deriving a separate > encryption sub-key. But this inclusion of a null-terminator byte appears to > not be deliberate). > > [1]: https://www.rfc-editor.org/rfc/rfc5869#section-2.3 > [2]: https://eprint.iacr.org/2010/264.pdf > > Best wishes, > > Neil > _______________________________________________ > CFRG mailing list > CFRG@irtf.org > https://www.irtf.org/mailman/listinfo/cfrg >
- [CFRG] HKDF - difference in counter between origi… Neil Madden
- Re: [CFRG] HKDF - difference in counter between o… Peter Gutmann
- Re: [CFRG] HKDF - difference in counter between o… Hugo Krawczyk