
Re: KDF definition and goal [was: [Cfrg] Fwd: Hash-Based Key Derivation]



David Wagner writes:
> > > The hash function also has to be independent of the adversary's choices.
> > No, that sort of assumption is always wrong for public hash functions.
> Exactly my point. I'm saying the assumption is necessary for provable
> security under the Leftover Hash Lemma

No. Your false hypothesis is not an assumption of the lemma. You clearly
understand that the lemma applies to public hash functions used for one
message; I have no idea why you think that the multiple-message case is
different. Anyway, I already cited a Shoup page that explains all this
in detail.

---D. J. Bernstein, Professor, Mathematics, Statistics,
and Computer Science, University of Illinois at Chicago
