Re: [Cfrg] KDF: Randomness extraction vs. key expansion
David,
I'm talking about key exchange protocols where the nonces are
authenticated (MAC'ed) as part of the exchange (e.g., IKE).
In such protocols we know that the nonces came from the real participants,
and since we only care about the goodness of the key in case that the
participants are following their protocol, we can assume they are random
(in case, of course, that the protocol instructs the nonces to be random).
Makes sense?
Ran
On Fri, 28 Oct 2005, David Wagner wrote:
> Ran Canetti writes:
> >A remark on randomness extraction: Randomness extraction becomes
> >significantly easier if the extracting function has some public random input
> >that is independent from the secret value. In many situations such public
> >randomness is readily available (eg, take the nonces used in the exchange).
>
> Hey, that's a clever idea. I hadn't heard that one before.
>
> But does it really work? Can we safely use the nonces "as-is"?
> What's got me worried is that one of the nonces could have been chosen
> by an attacker. See my previous email for some example scenarios where
> everything breaks if the adversary can choose the value of the public
> randomness.
>
> Perhaps you mean that we should hash the concatenation of the nonces?
> In the random oracle model, that sounds like it should work, but then
> we're back to the random oracle model again (where we can already solve
> this problem without needing public random inputs). And I don't see
> how to combine nonces securely in the absence of the random oracle model.
>
> Maybe we could have both parties commit to their nonce, then once
> the commitments are revealed, have both parties open the commitments,
> and use the xor of the nonces as our public randomness (taking care
> to avoid reflection and malleability attacks). But I doubt that many
> existing protocols are already doing this, and it sounds like it might
> be a somewhat annoying change to have to make to an existing protocol.
>
> Is there any analysis of how to make some idea like this work, without
> using the random oracle model?
>
> (I'm finding this to be a fascinating discussion, by the way...)
>
_______________________________________________
Cfrg mailing list
Cfrg at ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg
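A sketch of the pattern Ran describes, nonces MAC'ed as part of the exchange and then used as the extractor's public salt, written as an added example that is not code from the original thread; the HKDF-style extract/expand steps, the transcript layout and all sample values are assumptions made for illustration:

```python
import hmac
import hashlib

HASH = hashlib.sha256

# Constructed sample values (not from any real exchange): the two nonces and
# the Diffie-Hellman result that plays the role of the secret input.
N_I = bytes(range(16))                 # initiator nonce, sent in the clear
N_R = bytes(range(16, 32))             # responder nonce, sent in the clear
SHARED_SECRET = hashlib.sha256(b"g^xy placeholder").digest()

def extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract style step: public salt (the nonces), secret input (DH result)."""
    return hmac.new(salt, ikm, HASH).digest()

def expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand: stretch the extracted PRK into `length` bytes of key material."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]

def derive_keys(n_i: bytes, n_r: bytes, shared_secret: bytes):
    """Concatenated nonces are the extractor's public randomness; returns (auth key, session key)."""
    prk = extract(n_i + n_r, shared_secret)
    km = expand(prk, b"ike-like demo", 64)
    return km[:32], km[32:]

def authenticate(auth_key: bytes, n_i: bytes, n_r: bytes) -> bytes:
    """MAC over a transcript that includes both nonces, in the spirit of IKE."""
    return hmac.new(auth_key, b"transcript|" + n_i + b"|" + n_r, HASH).digest()

def initiator_accepts(n_i, n_r_sent, n_r_received, shared_secret) -> bool:
    """Responder MACs with the nonce it sent; initiator verifies with the nonce it received.
    True only when both sides saw the same nonces, so a nonce replaced in transit is rejected."""
    resp_auth, _ = derive_keys(n_i, n_r_sent, shared_secret)
    tag = authenticate(resp_auth, n_i, n_r_sent)
    init_auth, _ = derive_keys(n_i, n_r_received, shared_secret)
    return hmac.compare_digest(tag, authenticate(init_auth, n_i, n_r_received))

if __name__ == "__main__":
    print("honest run accepted:", initiator_accepts(N_I, N_R, N_R, SHARED_SECRET))
    print("tampered nonce accepted:", initiator_accepts(N_I, N_R, b"\x00" * 16, SHARED_SECRET))
```

Because the MAC key itself is derived through the nonce salt, a modified nonce changes both the key and the transcript, which is why only nonces the real participants contributed survive a successful run.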