[Cfrg] Fwd: Hash-Based Key Derivation

David Wagner <daw@cs.berkeley.edu> Wed, 26 October 2005 17:07 UTC

From: David Wagner <daw@cs.berkeley.edu>
Message-Id: <200510261707.j9QH7Nge024981@taverner.CS.Berkeley.EDU>
Subject: [Cfrg] Fwd: Hash-Based Key Derivation
To: cfrg@ietf.org
Date: Wed, 26 Oct 2005 10:07:23 -0700

Dan Brown writes:
>Aside, if H fails to be collision-resistant (for its length), isn't there 
>an argument that it isn't pseudorandom?  I suppose that depends very much 
>on the definition of PRF, of course.

First, there is only one definition of PRF: the standard one.

Second, the first question in some sense has a type error: a PRF takes
two inputs (a key and a 'message'), while a hash takes one input (a
'message').

But supposing that we view a hash H as a PRF through the construction
F(K,X) = H(K||X), then the answer is "No".  It is possible for a
function to be pseudorandom but not collision-resistant.  For example,
take this function:
  Evil(K,X):
  1. If K = 0^128, output 0^128.
  2. Otherwise, output AES(K,X).
This is pseudorandom but not collision-resistant, since
  Evil(0^128,X) = Evil(0^128,X') for any X!=X'.

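The Evil(K,X) counterexample from the message above, as an added runnable example that is not part of the original message. It assumes HMAC-SHA-256 truncated to 128 bits as a stand-in for AES(K,X) so it runs with the Python standard library alone; the function names are hypothetical.

```python
import hashlib
import hmac
import secrets

BLOCK = 16                      # 128 bits, as in the message
ZERO_KEY = bytes(BLOCK)         # 0^128

def stand_in_prf(key: bytes, x: bytes) -> bytes:
    """Assumed stand-in for AES(K,X): HMAC-SHA256 truncated to 128 bits."""
    return hmac.new(key, x, hashlib.sha256).digest()[:BLOCK]

def evil(key: bytes, x: bytes) -> bytes:
    """Evil(K,X) from the message: constant on the all-zero key, PRF otherwise."""
    if key == ZERO_KEY:
        return ZERO_KEY
    return stand_in_prf(key, x)

def unkeyed_view(data: bytes) -> bytes:
    """H(K||X) = Evil(K,X): the one-input function whose collisions are at issue."""
    return evil(data[:BLOCK], data[BLOCK:])

def find_collision():
    """Collision game: the attacker picks the whole input, so it picks K = 0^128."""
    a = ZERO_KEY + b"message one"
    b = ZERO_KEY + b"message two"
    return a, b

def prf_game(trials: int = 10000):
    """PRF game: K is uniform and hidden. Count how often the weak branch is hit
    and how many outputs repeat among four distinct queries under one key."""
    weak_hits = 0
    repeats = 0
    for _ in range(trials):
        key = secrets.token_bytes(BLOCK)
        weak_hits += key == ZERO_KEY
        outs = {evil(key, bytes([i])) for i in range(4)}
        repeats += 4 - len(outs)
    return weak_hits, repeats

if __name__ == "__main__":
    a, b = find_collision()
    print("collision:", a != b and unkeyed_view(a) == unkeyed_view(b))
    print("weak-key hits, repeated outputs:", prf_game())
```

The collision exists only because the collision finder controls the key bytes; a uniformly sampled key equals 0^128 with probability 2^-128, which is why the same function still passes as a PRF.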