
Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd)



I suspect that Dr. Bernstein will claim that the following two KDFs are equivalent, from a provable security perspective:

KDF1: Ki = CMAC-AES256(SHA256(x),i), where x is the shared secret, SHA256(x) is used as the key to CMAC, and i is a counter used as the message input to CMAC.

KDF2: Ki = SHA256(i,x), where i is a counter, x is the shared secret, and (i,x) represents the concatenation of i and x.

I suppose he's correct in the sense that for KDF1 we need to assume that the output of SHA256(x) is uniformly distributed and random for CMAC to retain its proven properties as a PRF. If we're willing to assume that SHA256(x) is uniform and random, then I don't see why we can't assume that SHA256(i,x) is also uniform and random, in which case we might as well use KDF2.

KDF1 may "feel" more secure, but it seems to me to be akin to double encrypting with, say, AES and RC6. You might gain some security over using AES alone, but it seems an expensive way to do so. I guess it all comes down to how much confidence we place in our cryptographic primitives, and to what extent we desire to "overengineer" our higher level protocols to compensate for any potential weaknesses in the primitives.

-John
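The two constructions compared above, written out as an added Go example (this is not code from the thread or from any of its participants). CMAC is implemented here from NIST SP 800-38B on top of Go's standard-library AES, and checked against two of the AES-256 known-answer vectors from that document's Appendix D. The message does not fix how the counter i is encoded or what the secret x looks like, so the 4-byte big-endian counter and the sample secret are assumptions made for the example:

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// dbl doubles a 128-bit block in GF(2^128) modulo x^128 + x^7 + x^2 + x + 1,
// the subkey derivation step of SP 800-38B section 6.1.
func dbl(in []byte) []byte {
	out := make([]byte, 16)
	carry := byte(0)
	for i := 15; i >= 0; i-- {
		out[i] = in[i]<<1 | carry
		carry = in[i] >> 7
	}
	if carry != 0 {
		out[15] ^= 0x87
	}
	return out
}

func xor(a, b []byte) []byte {
	out := make([]byte, 16)
	for i := range out {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// pad completes a partial final block with 10...0 and XORs in K2.
func pad(partial, k2 []byte) []byte {
	p := make([]byte, 16)
	copy(p, partial)
	p[len(partial)] = 0x80
	return xor(p, k2)
}

// cmacAES computes CMAC (NIST SP 800-38B) over msg under a 16-, 24- or
// 32-byte AES key and returns the full 128-bit tag.
func cmacAES(key, msg []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	// Subkeys: L = AES_K(0^128), K1 = dbl(L), K2 = dbl(K1).
	L := make([]byte, 16)
	block.Encrypt(L, L)
	k1 := dbl(L)
	k2 := dbl(k1)

	// A full final block is XORed with K1; a short (or empty) one is padded
	// and XORed with K2.
	n := (len(msg) + 15) / 16
	var last []byte
	switch {
	case n == 0:
		n = 1
		last = pad(nil, k2)
	case len(msg)%16 == 0:
		last = xor(msg[(n-1)*16:], k1)
	default:
		last = pad(msg[(n-1)*16:], k2)
	}

	// CBC-MAC chain over the first n-1 blocks, then the adjusted last block.
	x := make([]byte, 16)
	for i := 0; i < n-1; i++ {
		block.Encrypt(x, xor(x, msg[i*16:(i+1)*16]))
	}
	block.Encrypt(x, xor(x, last))
	return x
}

// kdf1 is KDF1 from the message: K_i = CMAC-AES256(SHA256(x), i). The 32-byte
// digest of the shared secret x is the CMAC key; the counter i is the
// message (assumed encoding: 4-byte big-endian). Each K_i is 16 bytes.
func kdf1(x []byte, i uint32) []byte {
	k := sha256.Sum256(x)
	ctr := make([]byte, 4)
	binary.BigEndian.PutUint32(ctr, i)
	return cmacAES(k[:], ctr)
}

// kdf2 is KDF2 from the message: K_i = SHA256(i || x), same counter encoding.
// Each K_i is 32 bytes.
func kdf2(x []byte, i uint32) []byte {
	ctr := make([]byte, 4)
	binary.BigEndian.PutUint32(ctr, i)
	d := sha256.Sum256(append(ctr, x...))
	return d[:]
}

// cmacSelfTest checks cmacAES against the AES-256 vectors of SP 800-38B
// Appendix D.3 for the empty message and for one 16-byte block.
func cmacSelfTest() bool {
	key, _ := hex.DecodeString("603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4")
	m1, _ := hex.DecodeString("6bc1bee22e409f96e93d7e117393172a")
	t0, _ := hex.DecodeString("028962f61b7bf89efc6b551f4667d983")
	t1, _ := hex.DecodeString("28a7023f452e8f82bd4bf28d8c37c35c")
	return bytes.Equal(cmacAES(key, nil), t0) && bytes.Equal(cmacAES(key, m1), t1)
}

func main() {
	fmt.Println("CMAC known-answer test passes:", cmacSelfTest())
	// Constructed sample secret; not from any real key exchange.
	x := []byte("constructed shared secret for the example")
	for i := uint32(0); i < 3; i++ {
		fmt.Printf("i=%d KDF1=%x\n    KDF2=%x\n", i, kdf1(x, i), kdf2(x, i))
	}
}
```

One practical difference the message does not mention: with AES as the underlying block cipher, KDF1 yields 128 bits per counter value while KDF2 yields 256, so deriving the same amount of key material takes twice as many iterations of KDF1 (each costing a SHA-256 of x, which can be cached, plus an AES-256 key schedule and two block encryptions).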

On Oct 29, 2005, at 12:25 PM, David Wagner wrote:

> Dan Bernstein writes:
>
>> David Wagner writes:
>>
>>> Dan Bernstein writes:
>>>
>>>> You can turn AES into a hash function by applying, e.g., Luby-Rackoff
>>>> plus Miyaguchi-Preneel. Using this hash function to derive keys is then
>>>> identical to using AES to derive keys.
>>>
>>> Is it? I don't see it. AES-OMAC(K,X) is provably secure (as a PRF) assuming
>>
>> Irrelevant. I said nothing about PRFs. I said that using a particular
>> hash function to derive keys is exactly the same as using AES to derive
>> keys.
>
> Sure. I know you said that. But what you said looked wrong to me, or at least, I couldn't see any reason why it would be true. I was hoping someone would explain.
>
> As far as I can tell, the M-P scheme you mention computes a different
> function than the OMAC scheme I described, and they will have different
> security properties. So, I don't know what you mean by "exactly the
> same", but it doesn't seem to mean "computes the same outputs" or "secure
> under the same assumptions". If you think differently, I'd welcome an
> explanation or elaboration.


_______________________________________________
Cfrg mailing list
Cfrg at ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg