
Re: [Cfrg] AES-based PRF - comment please



David Wagner wrote:
> > It looks that whatever arguments can be made against this construction,
> > the very same ones apply to the existing PRFs, such as HMAC -
> I don't see it.

Let's see. (no pun intended :-)

> In the random oracle model (where SHA1 is modelled as
> a random oracle), I think SHA1-HMAC is golden.
SHA was designed as a collision-resistant hash function. All
the other properties are assumed.

> I'm happier modelling SHA1 as a random oracle than I am modelling
> AES as an ideal cipher.

Why? AES is a lot closer to an ideal cipher (unless and until broken)
than SHA is to a random oracle (because if proven wrong, SHA can still
function as a crypto-hash).

> The former has been better studied by cryptanalysts, I think.

For a longer time - yes. Better? I doubt it. Anyway, this is
highly subjective.


> I think some kind of random oracle or ideal cipher model is going to be
> necessary, if we can't assume our key material is uniformly distributed
> (as seems to be the case for IPSec).
Probably so. So please do join the analysis, will you? After all,
it is for the benefit of everybody involved to get it right. BTW,
what assumptions can be made of g^xy, in your opinion?
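The closing question (what can be assumed of g^xy) has a concrete answer that the thread only gestures at: a Diffie-Hellman shared secret is a group element, not a uniform bit string, so it must be run through a PRF before it is used as a key. The following is an added example, not code from the thread or from any IKE implementation. It uses a constructed toy safe prime p = 2q+1 (far too small for real use) and a generator g of the order-q subgroup, as the IKE MODP groups do; it shows a trivial distinguisher (Euler's criterion) that accepts every honest g^xy but only half of uniformly random values in [1, p-1], and then derives SKEYID = HMAC-SHA1(Ni | Nr, g^xy), the form RFC 2409 uses for signature authentication. The nonces, the fixed-width encoding and the function names are this example's own assumptions.

```python
"""Why g^xy mod p is not a uniform bit string, and why IKE runs it through a
PRF before using it as keying material.  Toy parameters constructed for this
example only; they are far too small for real use."""
import hashlib
import hmac
import os
import random

# Constructed toy group: safe prime p = 2q + 1 (q prime) and a generator g of
# the order-q subgroup.  g = 2^2 is a square mod p, so its order divides q.
P = 2879
Q = (P - 1) // 2            # 1439, prime
G = 4
SECRET_LEN = (P.bit_length() + 7) // 8   # fixed-width big-endian encoding


def dh_shared_secret(rng: random.Random) -> int:
    """One honest DH run: x, y uniform in [1, q-1]; return g^(xy) mod p."""
    x = rng.randrange(1, Q)
    y = rng.randrange(1, Q)
    return pow(pow(G, x, P), y, P)


def is_quadratic_residue(z: int) -> bool:
    """Euler's criterion: z^q mod p == 1 iff z is a square mod p."""
    return pow(z, Q, P) == 1


def distinguisher(z: int) -> bool:
    """Accept z as 'looks like g^xy'.  Every honest g^xy lies in the order-q
    subgroup, i.e. is a quadratic residue, so real secrets are always accepted."""
    return is_quadratic_residue(z)


def real_accept_rate(trials: int, seed: int = 1) -> float:
    """Fraction of honest shared secrets the distinguisher accepts (1.0)."""
    rng = random.Random(seed)
    return sum(distinguisher(dh_shared_secret(rng)) for _ in range(trials)) / trials


def uniform_accept_rate() -> float:
    """Fraction of *uniform* z in [1, p-1] the distinguisher accepts.  Exactly
    q/(p-1) = 1/2, because exactly half of Z_p^* are squares; so an attacker
    told 'here is g^xy or a random string' wins with advantage 1/2."""
    return sum(distinguisher(z) for z in range(1, P)) / (P - 1)


def encode_secret(gxy: int) -> bytes:
    """Encode g^xy as a fixed-width big-endian string of len(p) bytes."""
    return gxy.to_bytes(SECRET_LEN, "big")


def derive_skeyid(gxy: int, ni: bytes, nr: bytes) -> bytes:
    """IKE-style extraction: SKEYID = prf(Ni | Nr, g^xy) with prf = HMAC-SHA1
    (the RFC 2409 form for signature authentication).  The public nonces act
    as the PRF key; the non-uniform g^xy is the message being extracted from.
    Nonce lengths and the encoding width are this example's assumptions."""
    return hmac.new(ni + nr, encode_secret(gxy), hashlib.sha1).digest()


if __name__ == "__main__":
    print("honest g^xy accepted by distinguisher: %.2f" % real_accept_rate(1000))
    print("uniform values accepted by distinguisher: %.2f" % uniform_accept_rate())
    rng = random.Random(7)
    gxy = dh_shared_secret(rng)
    ni, nr = os.urandom(16), os.urandom(16)   # constructed nonces
    print("SKEYID = HMAC-SHA1(Ni|Nr, g^xy):", derive_skeyid(gxy, ni, nr).hex())
```

The point of the distinguisher is not that subgroup membership leaks anything secret (it is public information), but that g^xy fails the most basic uniformity test, so no argument that treats it as a uniform key can be made about a PRF keyed directly with it; this is exactly the gap a random-oracle or ideal-cipher style assumption about the extracting PRF is asked to fill.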

_______________________________________________
Cfrg mailing list
Cfrg@ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg