[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd)

To: cfrg at ietf.org
Subject: Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd)
From: John Wilkinson <wilkjohn at gmail.com>
Date: Sat, 29 Oct 2005 11:56:03 -0400
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:mime-version:in-reply-to:references:content-type:message-id:content-transfer-encoding:from:subject:date:to:x-mailer; b=daqvJx1V8dhCDI/rmcfyzGCb7UvIxp1ejd5NyQahgJnA+z4SqoqALnsOG8S/y7RrsHjZQjUZ0+NxMhRKGQTZadhrOCX98YMMUODxg1GrDSkLH0gpqxWWHxApYIf1N7/SZMpyhlNDJGCNCxirSyD4V0s32Iud7k9KGFz/WQ4ZwBw=
In-reply-to: <20051029140649.GW6237@randombit.net>
List-help: <mailto:cfrg-request@ietf.org?subject=help>
List-id: Crypto Forum Research Group <cfrg.ietf.org>
List-post: <mailto:cfrg@ietf.org>
List-subscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=unsubscribe>
References: <200510281711.j9SHBI9f005644@taverner.CS.Berkeley.EDU> <20051028221539.15039.qmail@cr.yp.to> <FD2E8098-F7BA-4DEA-9A8D-192D3BA1293D@gmail.com> <20051029140649.GW6237@randombit.net>
Sender: cfrg-bounces at ietf.org


On Oct 29, 2005, at 10:06 AM, Jack Lloyd wrote:

On Sat, Oct 29, 2005 at 09:08:42AM -0400, John Wilkinson wrote:

On Oct 28, 2005, at 6:15 PM, D. J. Bernstein wrote:
You can turn AES into a hash function by applying, e.g., Luby- Rackoff plus Miyaguchi-Preneel. Using this hash function to derive keys is then identical to using AES to derive keys.
Dr. Bernstein, could you please describe (or give reference to) a way
to produce a hash function H from AES, such that HMAC-H is a provably
secure PRF, based only on the assumption that AES is a secure PRP?
Thanks. -John


The paper "Black-Box Anylsis of the Block-Cipher-Based Hash-Function
Constructions from PGV" from Crypto '02 (by Black, Rogaway, Shrimpton)
would seem to get us there. If AES is an ideal cipher, then we know
the collision and inversion resistance properties of various AES-based
hashing schemes thanks to that paper.

That AES is an ideal cipher is a much bigger assumption than that AES is a secure PRP. Dr. Bernstein stated that there is a way to make a hash function from AES such that deriving keys using that hash function is "identical" to deriving keys using, say, CMAC-AES. I am curious as to what method he has in mind. -John


_______________________________________________
Cfrg mailing list
Cfrg at ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg

References:
- [Cfrg] Fwd: Hash-Based Key Derivation (fwd)
  - From: David Wagner
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd)
  - From: D. J. Bernstein
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd)
  - From: John Wilkinson
- Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd)
  - From: Jack Lloyd

Prev by Date: [Cfrg] Re: Cfrg Digest, Vol 16, Issue 43
Next by Date: [Cfrg] Fwd: Hash-Based Key Derivation (fwd)
Previous by thread: Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd)
Next by thread: [Cfrg] Fwd: Hash-Based Key Derivation (fwd)
Index(es):
- Date
- Thread