[Cfrg] Fwd: Hash-Based Key Derivation (fwd)



Dan Bernstein writes:
>David Wagner writes:
>> Another possibility -- which I would have more confidence in at the
>> moment -- is to use a block cipher based PRF such as AES-OMAC.
>
>You can turn AES into a hash function by applying, e.g., Luby-Rackoff
>plus Miyaguchi-Preneel. Using this hash function to derive keys is then
>identical to using AES to derive keys.

Is it?  I don't see it.  AES-OMAC(K,X) is provably secure (as a PRF)
assuming only that AES is a secure PRP.  Is your M-P + L-R hash KDF
provably secure under the same assumption?  I don't see why it would be.

In general, the schemes that build a hash function out of a block cipher
generally make much stronger assumptions about the block cipher:

  - In theory, if you want to prove something about such hash modes,
  you generally have to work in the ideal cipher model (the analog to
  the random oracle model); assuming only that the block cipher is a
  secure PRP (the standard model) gets you roughly nowhere.

  - In practice, such hash modes put a lot more stress on the key
  schedule than encryption or PRF modes do.  For instance, there are
  real-world block ciphers that appear to be highly secure when used
  for encryption, MACs, or PRFs, yet are totally insecure when using in
  a standard hashing mode.  TEA is a favorite example along these
  lines.  RMAC is another fantastic example.

>In other words, there's no justification for the religious notion that
>``encryption functions'' are safe while ``hash functions'' are to be
>avoided.

It's not religion.  There is a difference between PRP/PRF assumptions
and ideal cipher/random oracle model "assumptions".

_______________________________________________
Cfrg mailing list
Cfrg at ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg
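
The key-schedule point about TEA in the message above, as an added example that is not part of the original post: TEA has equivalent keys (flipping the top bit of key words 0 and 1 leaves the permutation unchanged), which is harmless when the key is a fixed secret but gives immediate collisions once the message block is fed in as the key. Davies-Meyer is assumed here as the hashing mode, since the post does not name one; the IV and message values are constructed.

```python
# Added illustration: TEA equivalent keys become collisions in a hash mode.
MASK = 0xFFFFFFFF
DELTA = 0x9E3779B9
TOP = 0x80000000

def tea_encrypt(block, key):
    """Standard 32-cycle TEA on a (v0, v1) block with a 4-word 128-bit key."""
    v0, v1 = block
    k0, k1, k2, k3 = key
    s = 0
    for _ in range(32):
        s = (s + DELTA) & MASK
        v0 = (v0 + (((v1 << 4) + k0) ^ (v1 + s) ^ ((v1 >> 5) + k1))) & MASK
        v1 = (v1 + (((v0 << 4) + k2) ^ (v0 + s) ^ ((v0 >> 5) + k3))) & MASK
    return v0, v1

def dm_compress(h, msg_block):
    """Davies-Meyer step: H' = E_m(H) xor H, with the message block as key."""
    c0, c1 = tea_encrypt(h, msg_block)
    return c0 ^ h[0], c1 ^ h[1]

def equivalent_key(key):
    """Flip the top bit of words 0 and 1. Each flip toggles bit 31 of one
    of the two XORed sums in the round function, so the flips cancel."""
    k0, k1, k2, k3 = key
    return k0 ^ TOP, k1 ^ TOP, k2, k3

# Constructed sample values (not test vectors from any standard).
IV = (0x01234567, 0x89ABCDEF)
M1 = (0x00112233, 0x44556677, 0x8899AABB, 0xCCDDEEFF)
M2 = equivalent_key(M1)

def collision_found():
    """True if two distinct message blocks compress to the same value."""
    return M1 != M2 and dm_compress(IV, M1) == dm_compress(IV, M2)

if __name__ == "__main__":
    # As a PRP/PRF key: two keys give one permutation, costing about one
    # bit of key space, which the PRP assumption still tolerates.
    print("same permutation:", tea_encrypt(IV, M1) == tea_encrypt(IV, M2))
    # As a hash input: the caller chooses the "key", so this is a collision.
    print("hash collision:  ", collision_found())
```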