
Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd)

David Wagner writes:
> Another possibility -- which I would have more confidence in at the
> moment -- is to use a block cipher based PRF such as AES-OMAC.

You can turn AES into a hash function by applying, e.g., Luby-Rackoff
plus Miyaguchi-Preneel. Using this hash function to derive keys is then
identical to using AES to derive keys.

Or you can use Whirlpool, a more efficient AES-style hash function.
Using Whirlpool to derive keys isn't exactly the same as applying AES,
but it's based on the same design principles.

In other words, there's no justification for the religious notion that
``encryption functions'' are safe while ``hash functions'' are to be
avoided. Sure, MD5 is a disaster, but 4-round AES is a disaster for the
same reasons. If you want to know whether a primitive is safe, you have
to look at the details of the primitive; the high-level packaging is
almost irrelevant.

---D. J. Bernstein, Professor, Mathematics, Statistics,
and Computer Science, University of Illinois at Chicago
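The construction sketched above, as an added example that is not part of the original message or the CFRG thread: a Miyaguchi-Preneel hash over AES-128, written in Go with the standard crypto/aes package, plus a key derivation that is just this hash over secret || label. It assumes a 128-bit chaining value fed straight back in as the AES key, so the Luby-Rackoff widening step the message mentions is not applied; the zero IV, the padding rule and the sample inputs are choices made for this example.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"fmt"
)

// AES block and AES-128 key are both 16 bytes: a chaining value doubles as a key.
const blockSize = aes.BlockSize

// mpCompress: Miyaguchi-Preneel over AES-128, h' = E_h(m) XOR m XOR h.
func mpCompress(h, m []byte) []byte {
	c, _ := aes.NewCipher(h) // h is always 16 bytes, so this cannot fail
	out := make([]byte, blockSize)
	c.Encrypt(out, m)
	for i := range out {
		out[i] ^= m[i] ^ h[i]
	}
	return out
}

// padMessage: Merkle-Damgard strengthening (0x80, zero fill, 64-bit bit length).
func padMessage(msg []byte) []byte {
	padded := append(append([]byte{}, msg...), 0x80)
	for len(padded)%blockSize != blockSize-8 {
		padded = append(padded, 0)
	}
	var lenBuf [8]byte
	binary.BigEndian.PutUint64(lenBuf[:], uint64(len(msg))*8)
	return append(padded, lenBuf[:]...)
}

// AESMPHash chains mpCompress from an all-zero IV (an arbitrary public constant).
func AESMPHash(msg []byte) []byte {
	h := make([]byte, blockSize)
	for p := padMessage(msg); len(p) > 0; p = p[blockSize:] {
		h = mpCompress(h, p[:blockSize])
	}
	return h
}

// DeriveKey returns AESMPHash(secret || label): a fixed sequence of AES calls and XORs.
func DeriveKey(secret, label []byte) []byte {
	return AESMPHash(append(append([]byte{}, secret...), label...))
}

func main() { // constructed sample inputs; any byte strings would do
	fmt.Printf("%x\n", DeriveKey([]byte("example-secret"), []byte("enc-key")))
}
```

Unrolling DeriveKey for a one-block input gives exactly one AES encryption under the zero IV followed by an XOR, which is the sense in which deriving keys with this hash and deriving them with AES directly are the same computation.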

_______________________________________________
Cfrg mailing list
Cfrg at ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg