[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Cfrg] AES-based PRF - comment please

To: Mats Näslund <mats.naslund@era.ericsson.se>
Subject: Re: [Cfrg] AES-based PRF - comment please
From: Uri Blumenthal <uri@bell-labs.com>
Date: Sun, 23 Mar 2003 14:22:20 -0500
Cc: "Crypto Forum Research Group (CFRG)" <cfrg@ietf.org>
List-help: <mailto:cfrg-request@ietf.org?subject=help>
List-id: Crypto Forum Research Group <cfrg.ietf.org>
List-post: <mailto:cfrg@ietf.org>
List-subscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>,<mailto:cfrg-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>,<mailto:cfrg-request@ietf.org?subject=unsubscribe>
Organization: Lucent Tehcnologies / Bell Labs
Original-cc: "Crypto Forum Research Group (CFRG)" <cfrg@ietf.org>
References: <3E7D718F.7050304@bell-labs.com> <3E7DBDDF.5@era.ericsson.se>
Sender: cfrg-admin@ietf.org
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.0.2) Gecko/20030208 Netscape/7.02

Mats Näslund wrote:

...if the desired output length is, say 256 bits, you will still
only get an effective key-size of 128, or?

The effective key size is that of the AES key size. So if one
uses AES with 128-bit key - then it's 128 bits, if AES with
256 bits - then it's 256 bits. And there's no way to make
it stronger. At least this is my understanding.

So whatever entropy the initial secret has, the resulting
entropy will be no greater than the key size of AES.

But for SHA-based PRF the resulting entropy is no greater  than
SHA output size (160 bits at most), and the same applies to MD5
(128 bits at most). Am I correct?

> Also, since the OFB starts from 00....0 it seems you could have
> vulnerability to off-line pre-computation attacks.

I'm not sure I fully follow. Precomputation of the PRF output
for a bunch of assumed keys (because it shouldn't be feasible
to precompute OFB output for a reasonable-sized portion of
AES keyspace)? Could you amplify please?

Also, there are variations. One - to start OFB from the existing
buffer (which contains the key), in effect beginning OFB with
E{K}K (a non-invertible construct). Another - to skip the
first few blocks of the OFB output based on the function
of the first OFB encryption...

What would you say - does it make sense?

In other words, there seems to be a bottle-neck just after
that step 4 that upper bounds the effective entropy, is that
right?

I doubt it's at the step 4. I'd say it's the consequence of
having a pseudo random function, whose key size effectively
defines an upper bound. No matter what, it wouldn't be
possible to create an AES-based PRF whose entropy is
greater than AES key size. I think step 4 doesn't
bring it any lower than that.

Have you looked at ISO/IEC 18033-2 ? they have a similar PRF
(mapping aribitrary length to arbitrary length) that is (if I remember
correctly) basically running SHA1 is "counter mode", keyed by the
input key.

Grrrrr. No I haven't. I will. I've taken the construct from Rijndael
paper. But as I understand form your description, ISO/IEC is similar
to what I'm doing, right?

And for precomputation attack it shouldn't matter whether CTR or OFB
mode is used, correct? Please comment.

And Mats, I appreciate your review very much. Thank you!

_______________________________________________
Cfrg mailing list
Cfrg@ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg

Follow-Ups:
- Re: [Cfrg] AES-based PRF - comment please
  - From: Mats Näslund

References:
- [Cfrg] AES-based PRF - comment please
  - From: Uri Blumenthal
- Re: [Cfrg] AES-based PRF - comment please
  - From: Mats Näslund

Prev by Date: Re: [Cfrg] AES-based PRF - comment please
Next by Date: Re: [Cfrg] AES-based PRF - comment please
Previous by thread: Re: [Cfrg] AES-based PRF - comment please
Next by thread: Re: [Cfrg] AES-based PRF - comment please
Index(es):
- Date
- Thread