IETF Logo Mail Archive

RE: KDF definition and goal [was: [Cfrg] Fwd: Hash-Based Key Derivation]

"Simon Blake-Wilson" <sblakewilson@bcisse.com> Wed, 26 October 2005 14:46 UTC

Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EUmXV-0007ca-Hp; Wed, 26 Oct 2005 10:46:05 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EUmXU-0007cF-5j for cfrg@megatron.ietf.org; Wed, 26 Oct 2005 10:46:04 -0400
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id KAA24312 for <cfrg@ietf.org>; Wed, 26 Oct 2005 10:45:48 -0400 (EDT)
Received: from 209-204-118-122.sniparpa.net ([209.204.118.122] helo=bcisse.com) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1EUmkc-00049U-KX for cfrg@ietf.org; Wed, 26 Oct 2005 10:59:41 -0400
Received: from simon (toronto-HSE-ppp4162719.sympatico.ca [70.51.151.107]) by bcisse.com; Wed, 26 Oct 2005 10:44:49 -0400
From: Simon Blake-Wilson <sblakewilson@bcisse.com>
To: cfrg@ietf.org
Subject: RE: KDF definition and goal [was: [Cfrg] Fwd: Hash-Based Key Derivation]
Date: Wed, 26 Oct 2005 10:44:41 -0400
Message-ID: <04bb01c5da3b$d0926d70$0200a8c0@simon>
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.6626
MIME-Version: 1.0
In-Reply-To: <200510252241.j9PMf4LG023342@taverner.CS.Berkeley.EDU>
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 22bbb45ef41b733eb2d03ee71ece8243
X-BeenThere: cfrg@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:cfrg@ietf.org>
List-Help: <mailto:cfrg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============0515198921=="
Sender: cfrg-bounces@ietf.org
Errors-To: cfrg-bounces@ietf.org

Hi David,

OK ... A couple of stupid questions embedded below.

Best regards. Simon

> I gave a competing definition that I find more useful in 
> practice, and that is easy to achieve in the random oracle 
> model, and that guarantees the KDF will be secure and useful 
> when applied to any secret input whose distribution 
> satisifies a few weak conditions (high min-entropy, 
> independence from the hash, efficiently samplable).  

min-entropy is an information-theoretic, as opposed to complexity
theoritic, concept, isn't it? If so, how can it be useful in this
situation? Typically an attacker of a KDF will have witnessed a DH
exchange that precedes it ... Meaning that the secret has no information
theoretic entropy, only complexity theoretic unpredictability.

> I can 
> spell it out more precisely if you like, though I don't think 
> there would be anything especially new or surprising in a 
> more detailed statement.  The only bad news is that my 
> competing definition seems to require that the KDF use random 
> oracles, but in my opinion that's not the end of the world.

I think it would be a great contribution to spell out a good definition.
One comment though: I think a more palatable definition would be to take
an unpredictable input and produce an indistinguishable output, in the
face of an oracle that gives access to various other bits of the output.
This is probably somehow equivalent to other more PRF-like definitions,
but as a protocol designer, it seems to me to be much closer to my
intuitive idea of what is needed. I think having an intuitive definition
therefore really helps to promote formal analysis.

One aspect that the definition should also capture is what the security
requirement is surrounding the auxiliary data that is bound to the key. I
must confess that I have always been wary of this feature, since I think
that just getting from an unpredictable secret to a key is already hard
enough without trying to achieve extra capabilities. Personally I wonder
is it isn't better to leave this out of the KDF, and achieve it by
immediately MACing the relevant data ... Identities, cipher suites, etc
.. This is essentially the TLS approach.



_______________________________________________
Cfrg mailing list
Cfrg@ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg

v2.23.0 | Report a Bug | By Email