KDF definition and goal [was: [Cfrg] Fwd: Hash-Based Key Derivation]

David Wagner <daw@cs.berkeley.edu> Wed, 26 October 2005 00:08 UTC

From: David Wagner <daw@cs.berkeley.edu>
Subject: KDF definition and goal [was: [Cfrg] Fwd: Hash-Based Key Derivation]
To: cfrg@ietf.org
Date: Tue, 25 Oct 2005 17:07:59 -0700

David McGrew writes:
>Agreed, the KDF as stated would only be useful for deriving a set of  
>keys from a master key, and would not be useful for other problems.

The good news is that if you have a master key to start with, you
don't need anything fancy for deriving a set of keys: any ordinary
PRF does the trick (e.g., AES, AES-CBC, SHA256-HMAC, and so on).

>Sure, the random oracle model and KDFs based on it are well
>accepted.  It would be nice to get something based on a
>reduction-based proof, though.

Definitely.  It would be very nice.  The bad news is that I don't see
how to get there without the random oracle if we want to be general
purpose.  Perhaps someone else has some ideas.  If we can characterize
the distribution on the secret inputs, we can do better (such as the
Hash Diffie-Hellman assumption that DJB mentioned), but then of course
you don't have a general-purpose KDF scheme any more.

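
Added example (not part of the original message, and not code from either correspondent): deriving a set of keys from a master key with HMAC-SHA256 used as the PRF, one of the options named above. The labels, the input encoding and the function names are assumptions made for illustration, and the master key is assumed to be uniformly random already, which is the case the PRF argument covers.

```python
import hashlib
import hmac

HASH_LEN = hashlib.sha256().digest_size  # 32 bytes per PRF call


def derive_key(master_key: bytes, label: bytes, length: int = 32) -> bytes:
    """Return `length` bytes of HMAC-SHA256(master_key, ctr || len(label) || label || length).

    Assumption: master_key is already a uniformly random, full-strength key.
    That is the case where the PRF property alone justifies the derivation.
    """
    if len(master_key) < 16:
        raise ValueError("master key too short to be a full-strength key")
    if not 0 < length <= 255 * HASH_LEN:
        raise ValueError("length must be 1..8160 bytes")
    if len(label) > 0xFFFF:
        raise ValueError("label too long")
    out = b""
    counter = 1
    while len(out) < length:
        # Length-prefixing the label and binding the output length keeps
        # PRF inputs for different (label, length) pairs distinct.
        msg = (bytes([counter]) + len(label).to_bytes(2, "big")
               + label + length.to_bytes(2, "big"))
        out += hmac.new(master_key, msg, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def derive_key_set(master_key: bytes, wanted: dict) -> dict:
    """Derive one key per label; `wanted` maps label -> length in bytes."""
    return {label: derive_key(master_key, label, n) for label, n in wanted.items()}


if __name__ == "__main__":
    master = bytes(range(32))  # constructed sample key, for demonstration only
    keys = derive_key_set(master, {b"encrypt": 16, b"mac": 32, b"iv-seed": 48})
    for label, key in keys.items():
        print(label.decode(), key.hex())
```

A password or a raw Diffie-Hellman shared secret is not a uniformly random key, so feeding one in as `master_key` falls outside what the PRF assumption covers.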