[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd)

To: cfrg at ietf.org
Subject: Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd)
From: "D. J. Bernstein" <djb at cr.yp.to>
Date: 29 Oct 2005 22:59:33 -0000
Automatic-legal-notices: See http://cr.yp.to/mailcopyright.html.
List-help: <mailto:cfrg-request@ietf.org?subject=help>
List-id: Crypto Forum Research Group <cfrg.ietf.org>
List-post: <mailto:cfrg@ietf.org>
List-subscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=unsubscribe>
References: <200510291625.j9TGPFPn007150@taverner.CS.Berkeley.EDU>
Sender: cfrg-bounces at ietf.org

David Wagner writes:
> So, I don't know what you mean by "exactly the same"

I mean that the functions are equal: same output for every input. I'm
talking about _one_ key-derivation function that can be described in two
equivalent ways:

   * a very simple application of a particular ``hash function'' or
   * a complicated multi-layer Canetti-style application of a particular
     ``cipher,'' namely AES.

This disproves the religious notion that Canetti-style key-derivation
functions are safe while hash-based key-derivation functions are not.

---D. J. Bernstein, Professor, Mathematics, Statistics,
and Computer Science, University of Illinois at Chicago

_______________________________________________
Cfrg mailing list
Cfrg at ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg

References:
- [Cfrg] Fwd: Hash-Based Key Derivation (fwd)
  - From: David Wagner

Prev by Date: Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd)
Next by Date: Re: KDF definition and goal [was: [Cfrg] Fwd: Hash-Based Key Derivation]
Previous by thread: Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd)
Next by thread: [Cfrg] Fwd: Hash-Based Key Derivation (fwd)
Index(es):
- Date
- Thread