[Cfrg] Re: [saag] KDF: Randomness extraction vs. key expansion

[Nicolas Williams <Nicolas.Williams at sun.com>]

On Fri, Oct 28, 2005 at 03:48:59PM -0400, canetti wrote:
> Finally, a general remark on modeling and abstractions: I can imagine people
> read this note and think to themselves: "why is he bothing us with these
> abstract notions. In the end of the day all that is going to be done is a
> bunch of hashes and/or block cipher operations, so why not do it explicitly
> and be done with it." My answer is that these abstractions are our
> only hope to make sense of this spaghetti of hashes, shifts,
> concatenations, exponentiations etc. If we want to build systems that will
> have some pretence of security we have no choice but use the abstractions
> and abide by them, even is there is some price in complexity.

I'm with you on the same layering abstraction matter; even we agreed on
the identity function for randomness extraction there would still be a
layering abstraction.

This KDF has a lot of inputs, and in some ways arguably not enough
(e.g., IDs but, surprisingly, no ID types), but a PRF has a much
simpler function signature.  So it seems simpler to define a PRF
and then a KDF in terms of said PRF than to inextricably mix the two.

And why shouldn't there be a standard PRF if there is to be a standard
KDF?  And if there's to be a standard PRF then that'd be all the more
reason to base a standard KDF on a standard PRF.

Nico
-- 

_______________________________________________
Cfrg mailing list
Cfrg at ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg