KDF definition and goal [was: [Cfrg] Fwd: Hash-Based Key Derivation]
Dan Bernstein writes:
>David Wagner writes:
>> The Leftover Hash Lemma requires that
>> the 2-universal hash be chosen randomly. You have specified a scheme
>> where we use a single hash function that has been fixed in advance --
>> but then the Leftover Hash Lemma is not applicable.
>
>The hash function has to be chosen randomly, and has to be independent
>of all the other random choices in the protocol, but this doesn't mean
>that the choice has to wait until the last possible moment! A single
>random hash function can be standardized and reused for many keys.
The hash function also has to be independent of the adversary's choices.
If you pick and reveal the hash function first, and the adversary chooses
their values afterwards (and those values are processed with the hash
function you picked), all bets are off. Did I get that right?
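An added illustration of the ordering question raised in this message (not code from either poster): it uses a random binary-matrix hash h(x) = Mx over GF(2), which is 2-universal, and measures how far h(X) is from uniform when the source is fixed before h is drawn versus when the values are picked after h is revealed. The 12-bit inputs, 4-bit outputs, 256-value sources and all function names are assumptions chosen for the demonstration.

```python
import random
from collections import Counter

N_BITS, M_BITS, K_BITS = 12, 4, 8  # input bits, output bits, source min-entropy
LHL_BOUND = 0.5 * (2**M_BITS / 2**K_BITS) ** 0.5  # 0.125, averaged over the hash

def random_hash(rng):
    """Draw h(x) = M*x over GF(2): M_BITS random rows of N_BITS bits each."""
    return [rng.getrandbits(N_BITS) for _ in range(M_BITS)]

def apply_hash(rows, x):
    out = 0
    for row in rows:  # each output bit is the parity of (row AND x)
        out = (out << 1) | (bin(row & x).count("1") & 1)
    return out

def distance_from_uniform(rows, source):
    """Statistical distance between h(X), X uniform on source, and uniform."""
    counts = Counter(apply_hash(rows, x) for x in source)
    return 0.5 * sum(abs(counts[y] / len(source) - 2**-M_BITS)
                     for y in range(2**M_BITS))

def source_chosen_after(rows):
    """Values picked once h is known: 2**K_BITS inputs that all hash to 0."""
    return [x for x in range(2**N_BITS) if apply_hash(rows, x) == 0][:2**K_BITS]

def experiment(trials=100, seed=1):
    rng = random.Random(seed)  # constructed, reproducible randomness
    fixed_source = list(range(2**K_BITS))  # constructed; fixed before h is drawn
    before = after = 0.0
    for _ in range(trials):
        rows = random_hash(rng)
        before += distance_from_uniform(rows, fixed_source)
        after += distance_from_uniform(rows, source_chosen_after(rows))
    return before / trials, after / trials

if __name__ == "__main__":
    before, after = experiment()
    print(f"Leftover Hash Lemma bound on the average distance: {LHL_BOUND}")
    print(f"source fixed before h is drawn:  {before:.4f}")
    print(f"values chosen after h is known:  {after:.4f}")
```

Both sources are uniform over 256 values, so they have the same 8 bits of min-entropy; only the order of choice differs.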