[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Cfrg] On using ROs for analyzing randomness extraction functions

To: cfrg at ietf.org
Subject: Re: [Cfrg] On using ROs for analyzing randomness extraction functions
From: "D. J. Bernstein" <djb at cr.yp.to>
Date: 31 Oct 2005 23:34:43 -0000
Automatic-legal-notices: See http://cr.yp.to/mailcopyright.html.
List-help: <mailto:cfrg-request@ietf.org?subject=help>
List-id: Crypto Forum Research Group <cfrg.ietf.org>
List-post: <mailto:cfrg@ietf.org>
List-subscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=unsubscribe>
References: <200510282114.j9SLEarq012372@taverner.CS.Berkeley.EDU> <Pine.A41.4.58.0510290053020.30282@prf.watson.ibm.com> <5719CDC5-3557-4E5F-9E82-9342BC8685ED@gmail.com> <20051031054127.21824.qmail@cr.yp.to> <E3D2B4ED-668C-4A71-97D6-BCD61F414920@gmail.com> <20051031181050.30808.qmail@cr.yp.to> <7D5CF428-3FD3-40CE-A05D-4E1A22CC7068@gmail.com>
Sender: cfrg-bounces at ietf.org

There are both quantitative problems and qualitative problems with this
type of universal hashing. The most obvious quantitative problem is that
if you start with (e.g.) a 256-bit elliptic-curve g^xy, and hash it to a
(e.g.) a 256-bit key, then the leftover-hash lemma says _nothing_ about
the resulting distribution. The most obvious qualitative problem is that
real-world protocols reuse Diffie-Hellman keys with multiple parties,
forcing the key-derivation function to eliminate related keys, which
universal hashing fails to do.

---D. J. Bernstein, Professor, Mathematics, Statistics,
and Computer Science, University of Illinois at Chicago

_______________________________________________
Cfrg mailing list
Cfrg at ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg

References:
- [Cfrg] On using ROs for analyzing randomness extraction functions
  - From: David Wagner
- Re: [Cfrg] On using ROs for analyzing randomness extraction functions
  - From: canetti
- Re: [Cfrg] On using ROs for analyzing randomness extraction functions
  - From: John Wilkinson
- Re: [Cfrg] On using ROs for analyzing randomness extraction functions
  - From: D. J. Bernstein
- Re: [Cfrg] On using ROs for analyzing randomness extraction functions
  - From: John Wilkinson
- Re: [Cfrg] On using ROs for analyzing randomness extraction functions
  - From: D. J. Bernstein
- Re: [Cfrg] On using ROs for analyzing randomness extraction functions
  - From: John Wilkinson

Prev by Date: Re: [Cfrg] On using ROs for analyzing randomness extraction functions
Next by Date: Re: [Cfrg] On using ROs for analyzing randomness extraction functions
Previous by thread: Re: [Cfrg] On using ROs for analyzing randomness extraction functions
Next by thread: Re: [Cfrg] On using ROs for analyzing randomness extraction functions
Index(es):
- Date
- Thread