
Re: [Cfrg] On using ROs for analyzing randomness extraction functions



On Oct 31, 2005, at 1:10 PM, D. J. Bernstein wrote:

> John Wilkinson writes:
>> 2.3) K_i = PRF( UH( R, SV ), i || context )
>> 2.3 seems to be the only one that offers security in the standard model,
>
> You've been misled. That construction does _not_ guarantee secure key
> derivation under standard assumptions.

OK, clearly I'm in way over my head, but isn't that what the discussion about the Leftover Hash Lemma was about? Doesn't that lemma guarantee that UH(R,SV) is delta-uniform when R is chosen independently of SV? And if the output of UH is delta-uniform, then isn't the PRF secure under standard assumptions? I know this falls far short of a real proof, but, as I said, I'm in over my head here.

-John

_______________________________________________
Cfrg mailing list
Cfrg at ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg
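
A numeric check of the Leftover Hash Lemma statement referred to in the message above, as an added example that is not part of the original thread: it measures how far UH(R, SV) is from uniform when R is independent of SV, and again when the SV distribution is fixed after R is known. Assumptions: UH is a random binary matrix over GF(2) (a universal family), "delta-uniform" is read as statistical distance, and the sizes, seed and source are constructed toy values; the PRF step of 2.3 is not modelled.

```python
import random
from itertools import product
from math import sqrt

N, M = 6, 2  # toy sizes (assumption): SV has N bits, UH outputs M bits

def uh(rows, x):
    """UH(R, SV) = A*x over GF(2); the seed R is M row masks of N bits each."""
    out = 0
    for r in rows:
        out = (out << 1) | (bin(r & x).count("1") & 1)
    return out

def distance_from_uniform(rows, support):
    """Statistical distance of UH(R, SV) from uniform, SV flat on `support`."""
    counts = [0] * (1 << M)
    for x in support:
        counts[uh(rows, x)] += 1
    return 0.5 * sum(abs(c / len(support) - 2 ** -M) for c in counts)

def average_distance(support):
    """Average over every seed R, i.e. R uniform and independent of SV."""
    seeds = list(product(range(1 << N), repeat=M))
    return sum(distance_from_uniform(r, support) for r in seeds) / len(seeds)

def lhl_bound(k):
    """Leftover Hash Lemma bound for min-entropy k: (1/2) * sqrt(2^(M-k))."""
    return 0.5 * sqrt(2 ** (M - k))

def dependent_support(rows, k):
    """A source fixed after R is known: 2^k inputs that all hash to 0."""
    return [x for x in range(1 << N) if uh(rows, x) == 0][: 1 << k]

if __name__ == "__main__":
    k = 4
    sv = random.Random(1).sample(range(1 << N), 1 << k)  # constructed source
    print("independent R:", average_distance(sv), "<=", lhl_bound(k))
    rows = (0b101101, 0b011010)  # constructed seed
    dep = dependent_support(rows, k)
    print("SV chosen after R:", distance_from_uniform(rows, dep))
```

The bound is a statement about the average over seeds; it says nothing about a source that is allowed to depend on the seed, which is why the independence condition appears in the lemma.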