
Re: KDF definition and goal [was: [Cfrg] Fwd: Hash-Based Key Derivation]



David Wagner writes:
> The hash function also has to be independent of the adversary's choices.

No, that sort of assumption is always wrong for public hash functions.
The adversary remains active after he sees the legitimate users' choice
of hash function.

> If you pick and reveal the hash function first, and the adversary chooses
> their values afterwards (and those values are processed with the hash
> function you picked), all bets are off.  Did I get that right?

If you're trying to say that the attacker can perhaps produce non-random
behavior in the secret that he shares with you, that's true. In fact, he
always knows the entire value! But this has no relevance to his attempts
to determine the secret that you share with someone else.

---D. J. Bernstein, Professor, Mathematics, Statistics,
and Computer Science, University of Illinois at Chicago

_______________________________________________
Cfrg mailing list
Cfrg at ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg