Re: KDF definition and goal [was: [Cfrg] Fwd: Hash-Based Key Derivation]
On Oct 29, 2005, at 12:55 PM, David Wagner wrote:
> If the protocol calls for Alice to pick the hash H first and publish
> it, and Mallory later picks the message A, then there is no reason to
> think that H,A will be independent. Consequently, for such a protocol,
> the Leftover Hash Lemma will not be applicable.
Since the original scenario was DH key exchange, let Alice and Bob be
the legitimate parties to the communication, and let A = g^xy, where
x and y are uniform random values chosen by Alice and Bob. Let H be
chosen in advance by the protocol designer, and made public. How does
Mallory, a would-be eavesdropper, influence the selection of x and y
so as to choose A dependent on H? If Mallory has this level of
influence over Alice and/or Bob, it seems that he would have other
ways to eavesdrop. So, I'm not sure I see the problem of using the
leftover hash lemma in the context of entropy extraction for key
exchange. Any thoughts?

-John
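As an added illustration (not part of the original thread, and not code from either poster), a toy Python model of the condition under discussion. The group, the hash-family parameters and the sample sizes are constructed for demonstration only. The honest exchange feeds the fixed public H an input A = g^xy that is independent of it, while the second function shows the kind of H-dependent input Wagner's remark refers to, where the lemma's hypothesis fails.

```python
from __future__ import annotations
import random

# Constructed toy parameters (illustration only, far too small for real use).
Q = (1 << 31) - 1   # prime modulus of the toy Diffie-Hellman group
G = 7               # fixed base element; the shared value is A = G**(x*y) mod Q
P = (1 << 61) - 1   # prime for the extractor family, larger than any group element
OUT_BITS = 6        # extractor output length; 2**OUT_BITS possible derived keys
M = 1 << OUT_BITS
# "H chosen in advance by the protocol designer, and made public": one fixed
# member H_{a,b}(x) = ((a*x + b) mod P) mod M of a 2-universal family.
# The constants below are constructed, not taken from any standard.
HASH_A, HASH_B = 0x1545F4914F6CDD1D, 0x1E3779B97F4A7C15

def extract(shared: int) -> int:
    """Public universal hash H applied to the shared DH value."""
    return ((HASH_A * shared + HASH_B) % P) % M

def dh_exchange(rng: random.Random) -> tuple[int, int]:
    """Honest DH run: uniform x, y chosen by Alice and Bob without reference
    to H.  Returns (Alice's key, Bob's key); both equal H(g^xy)."""
    x, y = rng.randrange(1, Q), rng.randrange(1, Q)
    alice_pub, bob_pub = pow(G, x, Q), pow(G, y, Q)
    return extract(pow(bob_pub, x, Q)), extract(pow(alice_pub, y, Q))

def honest_key_distribution(runs: int, seed: int) -> dict[int, int]:
    """Histogram of derived keys over many honest exchanges.  Because A is
    random and independent of the fixed H, the keys spread over all M values."""
    rng = random.Random(seed)
    hist: dict[int, int] = {}
    for _ in range(runs):
        key_alice, key_bob = dh_exchange(rng)
        assert key_alice == key_bob      # both parties derive the same key
        hist[key_alice] = hist.get(key_alice, 0) + 1
    return hist

def h_dependent_inputs(count: int) -> list[int]:
    """The failure case from the thread: inputs chosen AFTER seeing H, so that
    they are correlated with it.  Each value solves a*x + b = t*M (mod P) for
    a small t, so every one is a preimage of 0 under H and the 'extracted' key
    is constant.  Nothing in a DH run lets anyone pick A this way; this only
    shows what the Leftover Hash Lemma's independence hypothesis rules out."""
    a_inv = pow(HASH_A, -1, P)
    return [((t * M - HASH_B) * a_inv) % P for t in range(count)]
```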
_______________________________________________
Cfrg mailing list
Cfrg at ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg