Re: [Cfrg] AES-based PRF - comment please
Uri Blumenthal  wrote:
>It looks that whatever arguments can be made against this construction,
>the very same ones apply to the existing PRF's, such as HMAC - 

I don't see it.  In the random oracle model (where SHA1 is modelled as
a random oracle), I think SHA1-HMAC is golden.

I'm happier modelling SHA1 as a random oracle than I am modelling AES as
an ideal cipher.  The former has been better studied by cryptanalysts,
I think.

I think some kind of random oracle or ideal cipher model is going to be
necessary, if we can't assume our key material is uniformly distributed
(as seems to be the case for IPSec).
_______________________________________________
Cfrg mailing list
Cfrg@ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg