RE: KDF definition and goal [was: [Cfrg] Fwd: Hash-Based Key Derivation]
"Simon Blake-Wilson" <sblakewilson@bcisse.com> Wed, 26 October 2005 14:46 UTC
Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EUmXV-0007ca-Hp; Wed, 26 Oct 2005 10:46:05 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EUmXU-0007cF-5j for cfrg@megatron.ietf.org; Wed, 26 Oct 2005 10:46:04 -0400
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id KAA24312 for <cfrg@ietf.org>; Wed, 26 Oct 2005 10:45:48 -0400 (EDT)
Received: from 209-204-118-122.sniparpa.net ([209.204.118.122] helo=bcisse.com) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1EUmkc-00049U-KX for cfrg@ietf.org; Wed, 26 Oct 2005 10:59:41 -0400
Received: from simon (toronto-HSE-ppp4162719.sympatico.ca [70.51.151.107]) by bcisse.com; Wed, 26 Oct 2005 10:44:49 -0400
From: Simon Blake-Wilson <sblakewilson@bcisse.com>
To: cfrg@ietf.org
Subject: RE: KDF definition and goal [was: [Cfrg] Fwd: Hash-Based Key Derivation]
Date: Wed, 26 Oct 2005 10:44:41 -0400
Message-ID: <04bb01c5da3b$d0926d70$0200a8c0@simon>
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.6626
MIME-Version: 1.0
In-Reply-To: <200510252241.j9PMf4LG023342@taverner.CS.Berkeley.EDU>
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 22bbb45ef41b733eb2d03ee71ece8243
X-BeenThere: cfrg@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:cfrg@ietf.org>
List-Help: <mailto:cfrg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============0515198921=="
Sender: cfrg-bounces@ietf.org
Errors-To: cfrg-bounces@ietf.org
Hi David, OK ... A couple of stupid questions embedded below. Best regards. Simon > I gave a competing definition that I find more useful in > practice, and that is easy to achieve in the random oracle > model, and that guarantees the KDF will be secure and useful > when applied to any secret input whose distribution > satisifies a few weak conditions (high min-entropy, > independence from the hash, efficiently samplable). min-entropy is an information-theoretic, as opposed to complexity theoritic, concept, isn't it? If so, how can it be useful in this situation? Typically an attacker of a KDF will have witnessed a DH exchange that precedes it ... Meaning that the secret has no information theoretic entropy, only complexity theoretic unpredictability. > I can > spell it out more precisely if you like, though I don't think > there would be anything especially new or surprising in a > more detailed statement. The only bad news is that my > competing definition seems to require that the KDF use random > oracles, but in my opinion that's not the end of the world. I think it would be a great contribution to spell out a good definition. One comment though: I think a more palatable definition would be to take an unpredictable input and produce an indistinguishable output, in the face of an oracle that gives access to various other bits of the output. This is probably somehow equivalent to other more PRF-like definitions, but as a protocol designer, it seems to me to be much closer to my intuitive idea of what is needed. I think having an intuitive definition therefore really helps to promote formal analysis. One aspect that the definition should also capture is what the security requirement is surrounding the auxiliary data that is bound to the key. I must confess that I have always been wary of this feature, since I think that just getting from an unpredictable secret to a key is already hard enough without trying to achieve extra capabilities. Personally I wonder is it isn't better to leave this out of the KDF, and achieve it by immediately MACing the relevant data ... Identities, cipher suites, etc .. This is essentially the TLS approach.
_______________________________________________ Cfrg mailing list Cfrg@ietf.org https://www1.ietf.org/mailman/listinfo/cfrg
- KDF definition and goal [was: [Cfrg] Fwd: Hash-Ba… David Wagner
- Re: KDF definition and goal [was: [Cfrg] Fwd: Has… David McGrew
- KDF definition and goal [was: [Cfrg] Fwd: Hash-Ba… David Wagner
- KDF definition and goal [was: [Cfrg] Fwd: Hash-Ba… David Wagner
- Re: KDF definition and goal [was: [Cfrg] Fwd: Has… D. J. Bernstein
- Re: KDF definition and goal [was: [Cfrg] Fwd: Has… David McGrew
- RE: KDF definition and goal [was: [Cfrg] Fwd: Has… Simon Blake-Wilson
- KDF definition and goal [was: [Cfrg] Fwd: Hash-Ba… David Wagner
- [Cfrg] Re: Extractors/KDF definition and goal csjutla
- KDF definition and goal [was: [Cfrg] Fwd: Hash-Ba… David Wagner
- RE: KDF definition and goal [was: [Cfrg] Fwd: Has… Simon Blake-Wilson
- RE: KDF definition and goal [was: [Cfrg] Fwd: Has… Daniel Brown
- KDF definition and goal [was: [Cfrg] Fwd: Hash-Ba… David Wagner
- KDF definition and goal [was: [Cfrg] Fwd: Hash-Ba… David Wagner
- KDF definition and goal [was: [Cfrg] Fwd: Hash-Ba… David Wagner
- KDF definition and goal [was: [Cfrg] Fwd: Hash-Ba… David Wagner
- Re: KDF definition and goal [was: [Cfrg] Fwd: Has… D. J. Bernstein
- KDF definition and goal [was: [Cfrg] Fwd: Hash-Ba… David Wagner
- Re: KDF definition and goal [was: [Cfrg] Fwd: Has… D. J. Bernstein
- KDF definition and goal [was: [Cfrg] Fwd: Hash-Ba… David Wagner
- Re: KDF definition and goal [was: [Cfrg] Fwd: Has… D. J. Bernstein
- KDF definition and goal [was: [Cfrg] Fwd: Hash-Ba… David Wagner
- Re: KDF definition and goal [was: [Cfrg] Fwd: Has… John Wilkinson
- KDF definition and goal [was: [Cfrg] Fwd: Hash-Ba… David Wagner
- Re: KDF definition and goal [was: [Cfrg] Fwd: Has… D. J. Bernstein
- KDF definition and goal [was: [Cfrg] Fwd: Hash-Ba… David Wagner
- Re: KDF definition and goal [was: [Cfrg] Fwd: Has… canetti