Re: KDF definition and goal [was: [Cfrg] Fwd: Hash-Based Key Derivation]

"D. J. Bernstein" <djb@cr.yp.to> Fri, 28 October 2005 09:45 UTC

Date: Fri, 28 Oct 2005 09:46:08 -0000
Message-ID: <20051028094608.93325.qmail@cr.yp.to>
From: "D. J. Bernstein" <djb@cr.yp.to>
To: cfrg@ietf.org
Subject: Re: KDF definition and goal [was: [Cfrg] Fwd: Hash-Based Key Derivation]
References: <200510280225.j9S2Pgpn012942@taverner.CS.Berkeley.EDU>

David Wagner writes:
> The Leftover Hash Lemma requires that
> the 2-universal hash be chosen randomly.  You have specified a scheme
> where we use a single hash function that has been fixed in advance --
> but then the Leftover Hash Lemma is not applicable.

The hash function has to be chosen randomly, and has to be independent
of all the other random choices in the protocol, but this doesn't mean
that the choice has to wait until the last possible moment! A single
random hash function can be standardized and reused for many keys. See,
e.g., Shoup's Computational Introduction to Number Theory and Algebra,
Theorem 6.22.

Regarding the number of secure bits obtained in this way: My point was
that there's an obvious, and quite severe, limit on the number. Perhaps
the limit is actually even smaller; I made no effort to check.

---D. J. Bernstein, Professor, Mathematics, Statistics,
and Computer Science, University of Illinois at Chicago

_______________________________________________
Cfrg mailing list
Cfrg@ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg