Re: [Cfrg] Answers to HKDF questions

Zooko Wilcox-O'Hearn <zooko@zooko.com> Sun, 25 October 2009 23:06 UTC

On Thursday, 2009-10-22, at 17:09, Hugo Krawczyk wrote:

> Can you explain how you plan to use poly1305 for KDF?

I was thinking firstly of the expansion stage, but a similar question applies to the extraction stage.

Poly1305 and HMAC have the same "interface" -- that of a MAC which takes a key and a message and perhaps a nonce and generates a tag. In your paper you describe a general structure for the Extract then Expand ("XtX") KDF which uses in the expansion stage a function named "PRF". Then you suggest instantiating PRF(PRK, m) as HMAC(PRK, m) (section 2).

My question is, suppose I instead instantiated PRF(PRK, m) as Poly1305-AES(PRK, m). HMAC and Poly1305 each have arguments for their security as MACs. But are the arguments of the security of HKDF predicated on the assumption that the PRK is a secure MAC? In other words: what property is required of the PRK function in order for HKDF to be a good KDF?

David McGrew wrote a nice note in answer to my question: http://www.ietf.org/mail-archive/web/cfrg/current/msg02672.html

In the context of the extraction stage, he seemed to say that a Carter-Wegman MAC such as Poly1305 should be analyzed merely as a statistical extractor, not as a computational extractor. Is that what you meant to say, David? I don't see why that would be so.

Regards,

Zooko
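The Extract-then-Expand structure the message discusses, written with the PRF as a pluggable argument, as an added example (not code from the original message or from the HKDF paper); the HMAC-SHA256 instantiation is checked against RFC 5869 test case 1. The interface makes visible what the expansion stage asks of PRF: it is keyed by PRK, takes arbitrary-length input, and its output blocks are used directly as key material, so the analysis needs that output to look pseudorandom, not merely to be unforgeable.

```python
import hashlib
import hmac
from typing import Callable

# PRF interface assumed by the XtX structure: keyed by a fixed-length key,
# accepts an arbitrary-length message, returns one fixed-length block.
PRF = Callable[[bytes, bytes], bytes]


def hmac_sha256(key: bytes, msg: bytes) -> bytes:
    """HMAC-SHA256 as the PRF, the instantiation suggested in the paper."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def extract(prf: PRF, salt: bytes, ikm: bytes) -> bytes:
    """Extraction stage: PRK = PRF(salt, IKM).

    An absent salt is replaced by a block of zeros, as RFC 5869 specifies.
    """
    if not salt:
        salt = b"\x00" * len(prf(b"", b""))
    return prf(salt, ikm)


def expand(prf: PRF, prk: bytes, info: bytes, length: int) -> bytes:
    """Expansion stage: T(i) = PRF(PRK, T(i-1) || info || i), T(0) empty.

    The blocks are concatenated and truncated to `length` octets; the
    one-octet counter limits the output to 255 blocks.
    """
    block_len = len(prf(prk, b""))
    if length > 255 * block_len:
        raise ValueError("requested output exceeds 255 PRF blocks")
    okm, t, i = b"", b"", 1
    while len(okm) < length:
        t = prf(prk, t + info + bytes([i]))
        okm += t
        i += 1
    return okm[:length]


def hkdf(prf: PRF, salt: bytes, ikm: bytes, info: bytes, length: int) -> bytes:
    """Full XtX KDF: expand(extract(salt, IKM), info, L)."""
    return expand(prf, extract(prf, salt, ikm), info, length)


if __name__ == "__main__":
    # RFC 5869 test case 1 inputs (SHA-256): 22 octets of 0x0b as IKM.
    okm = hkdf(hmac_sha256, bytes.fromhex("000102030405060708090a0b0c"),
               b"\x0b" * 22, bytes.fromhex("f0f1f2f3f4f5f6f7f8f9"), 42)
    print(okm.hex())
```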