Re: KDF definition and goal [was: [Cfrg] Fwd: Hash-Based Key Derivation]

[canetti <canetti at watson.ibm.com>]

If I may jump into the discussion to harp on another point...

On Sat, 29 Oct 2005, David Wagner wrote:

...

> So it sounds like 2-universal key derivation has to be used with some
> care, and cannot be blindly applied to all protocols.  If we were going
> to replace the NIST KDF with a 2-universal based KDF, then we would
> probably need some extra precautionary usage notes describing what
> conditions the protocol must satisfy.
>
> Is that right?

I think so. And this highlights the need for a spearate function for
randomness extraction (or, call it key derivation if you like) and a separate
one for key expansion. The first one is intimitely tied to the specific
key exchange method in use, and very different extraction/derivation
functions are needed for each different key exchange method. The second
one is generic, and should depend only on the needs of the application
in terms of key lengths etc.

Ran


PS: 2-universal hashing is one (rather primitive) instantiation of a
"randomness extractor". Other constructions exist in the modern literature.
So it's probably better to use the generic term for the primitive rather
than a specific algorithm.

_______________________________________________
Cfrg mailing list
Cfrg at ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg