[Cfrg] Fwd: Hash-Based Key Derivation (fwd)

[David Wagner <daw at cs.berkeley.edu>]

Dan Bernstein writes:
>David Wagner writes:
>> Dan Bernstein writes:
>> > You can turn AES into a hash function by applying, e.g., Luby-Rackoff
>> > plus Miyaguchi-Preneel. Using this hash function to derive keys is then
>> > identical to using AES to derive keys.
>> Is it?  I don't see it.  AES-OMAC(K,X) is provably secure (as a PRF) assuming
>
>Irrelevant. I said nothing about PRFs. I said that using a particular
>hash function to derive keys is exactly the same as using AES to derive
>keys.

Sure.  I know you said that.  But what you said looked wrong to me,
or at least, I couldn't see any reason why it would be true.  I was
hoping someone would explain.

As far as I can tell, the M-P scheme you mention computes a different
function than the OMAC scheme I described, and they will have different
security properties.  So, I don't know what you mean by "exactly the
same", but it doesn't seem to mean "computes the same outputs" or "secure
under the same assumptions".  If you think differently, I'd welcome an
explanation or elaboration.

_______________________________________________
Cfrg mailing list
Cfrg at ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg