[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd)

To: cfrg at ietf.org
Subject: Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd)
From: "D. J. Bernstein" <djb at cr.yp.to>
Date: 29 Oct 2005 10:45:13 -0000
Automatic-legal-notices: See http://cr.yp.to/mailcopyright.html.
List-help: <mailto:cfrg-request@ietf.org?subject=help>
List-id: Crypto Forum Research Group <cfrg.ietf.org>
List-post: <mailto:cfrg@ietf.org>
List-subscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=unsubscribe>
References: <200510282223.j9SMN8Si014341@taverner.CS.Berkeley.EDU>
Sender: cfrg-bounces at ietf.org

David Wagner writes:
> Dan Bernstein writes:
> > You can turn AES into a hash function by applying, e.g., Luby-Rackoff
> > plus Miyaguchi-Preneel. Using this hash function to derive keys is then
> > identical to using AES to derive keys.
> Is it?  I don't see it.  AES-OMAC(K,X) is provably secure (as a PRF) assuming

Irrelevant. I said nothing about PRFs. I said that using a particular
hash function to derive keys is exactly the same as using AES to derive
keys. Rejecting the hash-based key-derivation function, but accepting
the identical AES-based key-derivation function, is blatantly idiotic.

---D. J. Bernstein, Professor, Mathematics, Statistics,
and Computer Science, University of Illinois at Chicago

_______________________________________________
Cfrg mailing list
Cfrg at ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg

References:
- [Cfrg] Fwd: Hash-Based Key Derivation (fwd)
  - From: David Wagner

Prev by Date: Re: KDF definition and goal [was: [Cfrg] Fwd: Hash-Based Key Derivation]
Next by Date: Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd)
Previous by thread: [Cfrg] Fwd: Hash-Based Key Derivation (fwd)
Next by thread: [Cfrg] Fwd: Hash-Based Key Derivation (fwd)
Index(es):
- Date
- Thread