
[Cfrg] Re: [saag] KDF: Randomness extraction vs. key expansion



Bill,

Thanks for the good questions. See inline:

On Fri, 28 Oct 2005, Bill Sommerfeld wrote:

> On Fri, 2005-10-28 at 15:48, canetti wrote:
> > * Randomness extraction: taking an input with "high computational entropy"
> > and generating from it a pseudorandom value.
> >
> > * Key expansion: taking a short pseudorandom value and extending it to a
> > longer pseudorandom value, here the output length is variable and depends
> > on the application.
>
> Some plumbing-level questions:
>
> you suggested that random nonces should go into the first stage.  would
> non-random context/identity inputs go there, too?

Yes. But indeed not for the purpose of randomness extraction.
E.g., the identities are useful for binding the generated key to the
identities of the peers. In general, the first stage should do whatever
is necessary to get an initial seed of fixed length (say, 128 or 160 bits)
that is pseudorandom for anyone except the two peers, and is bound to
the correct peer identity within each one of the peers.

>
> and: would it ever be appropriate to use multiple stages of key
> expansion?

Yes, that could of course happen. But the requirements from all levels of
key expansion are the same: take a fixed-length pseudorandom key and expand
it to a long-enough pseudorandom value.
This is in fact another motivation for separating randomness extraction
from key expansion. All these levels of key expansion already get a
pseudorandom key, so they don't need the full power of the KDF proposed
in the I-D.

Ran

>
> for instance:
>
> [diffie-hellman] -> [randomness extraction] -> [key expansion] -> (A, B,
> C)
>
> A -> [key expansion] -> (A1, A2, A3)
> B -> [key expansion] -> (B1, B2, B3)
> C -> [key expansion] -> (C1, C2, C3)
>
> 					- Bill
>

_______________________________________________
Cfrg mailing list
Cfrg at ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg
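
The two-stage split and the multi-level expansion tree discussed in this thread, as an added example that is not code from the thread or from the I-D it refers to. It assumes HMAC-SHA-256 for both stages with an HKDF-Expand-style counter construction; the function names, labels and sample inputs are hypothetical.

```python
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes; the fixed seed length in this sketch


def lp(*fields):
    """Length-prefix each field so the concatenation is unambiguous."""
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)


def extract(shared_secret, nonces, id_a, id_b):
    """Stage 1: fixed-length seed. Nonces key the HMAC; the identities are
    mixed in only to bind the seed to the peers, not as entropy."""
    return hmac.new(lp(nonces), lp(shared_secret, id_a, id_b), HASH).digest()


def expand(key, label, length):
    """Stage 2: stretch an already-pseudorandom key to `length` bytes."""
    if len(key) < HASH_LEN:
        raise ValueError("expansion expects a full-length pseudorandom key")
    if length > 255 * HASH_LEN:
        raise ValueError("requested output too long for a one-byte counter")
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(key, block + label + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]


def split(key, label, n):
    """Expand `key` into n subkeys of HASH_LEN bytes each."""
    stream = expand(key, label, n * HASH_LEN)
    return [stream[i * HASH_LEN:(i + 1) * HASH_LEN] for i in range(n)]


def derive_tree(shared_secret, nonces, id_a, id_b):
    """DH -> extraction -> expansion -> (A, B, C), each expanded again."""
    seed = extract(shared_secret, nonces, id_a, id_b)
    top = split(seed, b"top", 3)
    return {n: split(k, b"sub-" + n.encode(), 3) for n, k in zip("ABC", top)}


if __name__ == "__main__":
    # Constructed sample inputs; a real shared secret comes from the DH exchange.
    tree = derive_tree(b"\x11" * 32, b"nonce-i|nonce-r", b"alice", b"bob")
    print({name: [k.hex()[:16] for k in keys] for name, keys in tree.items()})
```

Only `extract` sees the raw Diffie-Hellman output; every later level calls the same `expand` on a key that is already pseudorandom, which is the separation argued for above.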