
Re: [Cfrg] Fwd: Hash-Based Key Derivation (fwd)



David Wagner writes:
> *the attacker has limited (or no) control over the input to the hash*

I disagree. It is highly dangerous to model Diffie-Hellman shared
secrets g^xy as uniform random group elements. For example, the attacker
can feed the geometric progression g^xy g^x, g^xy g^2x, ... to the hash.
Sure, this is more complicated than an arithmetic progression 0,1,2,...,
but describing it as ``limited (or no) control'' is unreasonable.

> H(i || SV || ...) puts more stress on
> the hash than PRF(H(SV), i || ...) does.  

I disagree. This ``stress'' hasn't even succeeded in breaking wimpy
MD5-based constructions from a decade ago. The ``many simple rounds''
philosophy for building unbroken secret-key ciphers, and for trying to
build collision-resistant hash functions, has been 100% successful at
building unbroken key-derivation functions.

There don't seem to be speed pressures telling us to reduce the number
of rounds in a key-derivation function; there aren't security pressures
telling us to increase the number of rounds; there _are_ code-size
pressures telling us to reuse existing cryptographic components in the
simplest possible way.

---D. J. Bernstein, Professor, Mathematics, Statistics,
and Computer Science, University of Illinois at Chicago

_______________________________________________
Cfrg mailing list
Cfrg at ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg
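The geometric-progression point in the message above, worked through as an added example that is not part of the original post and not the author's code: a peer who chooses its own Diffie-Hellman public values can make the honest side's shared secrets differ from one another by a factor the peer already knows (the honest public value g^x), even though the peer never learns g^xy itself. The toy 2039-element group, the fixed exponents, and the use of SHA-256 and HMAC-SHA-256 to stand in for "the hash" and "PRF" in the two quoted KDF shapes are all constructed assumptions; real DH uses far larger groups, but the algebra is identical.

```python
"""Added illustration (not from the original message or its author): how a
Diffie-Hellman peer who picks its own public values controls the structure
of the shared secrets the honest side feeds to its KDF.

Everything here is constructed for illustration: a toy 2039-element
multiplicative group, fixed secrets, and SHA-256 / HMAC-SHA-256 standing in
for "the hash" and "PRF".  Real DH uses far larger groups; the algebra is
the same."""

import hashlib
import hmac

# Toy safe-prime group: P = 2*Q + 1 with P, Q prime; G generates the order-Q subgroup.
P = 2039
Q = 1019
G = 4  # a quadratic residue mod P, so it lies in the order-Q subgroup


def derive_shared(secret, peer_public):
    """Honest side's DH computation: peer_public^secret mod P."""
    return pow(peer_public, secret, P)


def attacker_public_values(y, count):
    """Attacker sends g^y, then g^y*g, g^y*g^2, ... (i.e. g^(y+i) for i = 0..count-1).
    Each one is a perfectly legitimate-looking group element."""
    base = pow(G, y, P)
    return [(base * pow(G, i, P)) % P for i in range(count)]


def honest_shared_secrets(x, y, count):
    """Shared secrets the honest party with secret x computes against those values:
    (g^(y+i))^x = g^xy * (g^x)^i.  The honest side sees nothing unusual."""
    return [derive_shared(x, pub) for pub in attacker_public_values(y, count)]


def progression_holds(secrets, gx):
    """The relation the attacker relies on: consecutive secrets differ by the
    PUBLIC factor g^x.  The attacker never learns g^xy, but it knows every
    KDF input is the first one times a known power of g^x."""
    return all((secrets[i] * gx) % P == secrets[i + 1] for i in range(len(secrets) - 1))


def direct_hash_kdf(sv, i):
    """The H(i || SV || ...) shape from the quoted exchange: every output block
    hashes the (attacker-structured) shared secret SV directly."""
    return hashlib.sha256(i.to_bytes(4, "big") + sv.to_bytes(2, "big")).digest()


def extract_then_prf_kdf(sv, i):
    """The PRF(H(SV), i || ...) shape: SV is hashed once into a key, and only
    the counter varies across the PRF's inputs."""
    key = hashlib.sha256(sv.to_bytes(2, "big")).digest()
    return hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()


if __name__ == "__main__":
    x, y = 123, 456          # honest secret and attacker's starting exponent (constructed)
    gx = pow(G, x, P)        # honest public value, known to everyone
    secrets = honest_shared_secrets(x, y, 6)
    print("shared secrets fed to the honest KDF:", secrets)
    print("geometric in g^x =", gx, "->", progression_holds(secrets, gx))
    print("direct-hash KDF block 0:", direct_hash_kdf(secrets[0], 0).hex()[:16])
    print("extract-then-PRF block 0:", extract_then_prf_kdf(secrets[0], 0).hex()[:16])
```

The check in progression_holds is the whole point: with the direct-hash shape, each hash invocation sees an input of the form g^xy * (g^x)^i, so the attacker chooses the multiplicative relation between all the inputs while g^xy stays unknown; with the extract-then-PRF shape, the structured value enters the hash exactly once, and the PRF's per-block inputs are just the counter.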