
Re: [Cfrg] On using ROs for analyzing randomness extraction functions

Perhaps this is the discussion topic I should have replied to with my questions about Bernstein and Wagner's non-NIST KDF discussion. I apologize for any confusion I may have caused on the other topic.

Perhaps some will think it is only of academic interest, but I, for one, would be very interested in continuing the discussion on KDFs that can minimize, or avoid entirely, our reliance on the RO assumption for hash functions. So, in the interest of having a suitable target to throw darts at, what, if anything, is wrong with the following proposal, and does anything like it already exist as a standard or write-up?

1. Assume that there has already been an authenticated DH key exchange (details and caveats to be fleshed out later), resulting in the sharing of the secret g^xy between Alice and Bob.

2. To extract "computational entropy" (or whatever term is most correct) from g^xy, Alice and Bob each use, as specified by their protocol, the fixed universal hash function H(g^xy), where H(m) is defined as:

H(m) := (m * x^256) mod (x^256 + x^10 + x^5 + x^2 + 1)

Where m is interpreted as a polynomial in x, with coefficients modulo 2.

3. H(g^xy) can then be used directly for further communications, if only 256 bits of key material are required, or H(g^xy) can be used as the key to a PRF (say, HMAC-SHA256 or CMAC-AES256) to derive more key material.

Such a construction would seem to be efficient and practical, and avoids any reliance on random oracles, so, something must be wrong with it. :)

-John

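Added worked example (editor's code, not from the post above and not from any standard): steps 2 and 3 of the proposal in Python. The shared secret g^xy is replaced by a constructed 512-bit stand-in, since the post leaves the DH details open; the counter-mode layout of the HMAC-SHA256 expansion is likewise an assumption, the post only says "use H(g^xy) as the key to a PRF". The code also checks two arithmetic facts about this particular H that follow from its definition: it is GF(2)-linear, and on 256-bit inputs it is a bijection, because x (and hence x^256) is invertible modulo a polynomial with constant term 1.

```python
"""The post's H(m) = (m * x^256) mod (x^256 + x^10 + x^5 + x^2 + 1) over GF(2),
followed by HMAC-SHA256 expansion of the 256-bit result.  Editor's example."""
import hashlib
import hmac

# P as a bit mask: bit i holds the coefficient of x^i.
P = (1 << 256) | (1 << 10) | (1 << 5) | (1 << 2) | 1
DEG = 256
# R = x^10 + x^5 + x^2 + 1, i.e. x^256 reduced mod P.
R = P ^ (1 << DEG)
# x^-1 mod P: x * (x^255 + x^9 + x^4 + x) = x^256 + x^10 + x^5 + x^2 = P + 1 = 1 mod P.
X_INV = (1 << 255) | (1 << 9) | (1 << 4) | (1 << 1)


def gf2_mod(a: int, p: int = P) -> int:
    """Reduce the GF(2) polynomial a modulo p by carry-less long division."""
    dp = p.bit_length() - 1
    while a.bit_length() - 1 >= dp:
        a ^= p << (a.bit_length() - 1 - dp)
    return a


def gf2_mulmod(a: int, b: int, p: int = P) -> int:
    """Carry-less product a*b in GF(2)[x], reduced modulo p."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
    return gf2_mod(r, p)


def H(m: int) -> int:
    """The post's H: m interpreted as a GF(2) polynomial, multiplied by x^256, reduced mod P."""
    return gf2_mod(m << DEG)


def H_inverse(h: int) -> int:
    """Undo H on a 256-bit value: multiply by x^-256 = (x^-1)^(2^8), i.e. square X_INV 8 times."""
    t = X_INV
    for _ in range(8):
        t = gf2_mulmod(t, t)
    return gf2_mulmod(h, t)


def expand(hkey: int, info: bytes, length: int) -> bytes:
    """Step 3: use H(g^xy) as an HMAC-SHA256 key and derive `length` bytes of key
    material.  Feedback/counter layout (T_i = HMAC(K, T_{i-1} || info || i)) is an
    assumption; the post does not specify how the PRF is iterated."""
    key = hkey.to_bytes(32, "big")
    out, prev, counter = b"", b"", 1
    while len(out) < length:
        prev = hmac.new(key, prev + info + bytes([counter]), hashlib.sha256).digest()
        out += prev
        counter += 1
    return out[:length]


def derive(gxy: int, info: bytes, length: int) -> tuple[int, bytes]:
    """Steps 2 and 3 end to end: extract with H, then expand with the PRF."""
    hkey = H(gxy)
    return hkey, expand(hkey, info, length)


# Constructed stand-in for g^xy: a 512-bit value, NOT the output of a real DH exchange.
SAMPLE_GXY = int.from_bytes(hashlib.sha512(b"constructed sample shared secret").digest(), "big")

if __name__ == "__main__":
    hkey, km = derive(SAMPLE_GXY, b"alice|bob|session", 64)
    print("H(g^xy)      =", hex(hkey))
    print("key material =", km.hex())
    print("linear:", H(SAMPLE_GXY ^ 0xABCDEF) == H(SAMPLE_GXY) ^ H(0xABCDEF))
    m = (1 << 255) | 12345
    print("bijective on 256-bit inputs:", H_inverse(H(m)) == m)
```

Because x^256 is congruent to R modulo P, H(m) equals m*R mod P for every m, so on inputs shorter than 246 bits H is just the carry-less product m*R with no reduction at all; the checks in the test below exercise both that identity and the inverse map.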

_______________________________________________
Cfrg mailing list
Cfrg at ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg