Re: [Cfrg] On using ROs for analyzing randomness extraction functions
John,
Again, if I may intervene...
My take here is that, yes, in principle the method you suggest works for
the reasons you stated.
But Dan is right that care should be taken: First, the leftover hash lemma
guarantees almost-randomness of the output only if the output size is much
shorter than the input (and is roughly the size of the underlying
entropy).
Also, there is dependence on the specific key exchange method in use, and
in some cases UH is not enough. An example is the case mentioned by Dan,
where parties use related exponents for different exchanges. Other examples
include, say, exchanges where the peer identities must be incorporated
into the derivation procedure to prevent "identity misbinding attacks".
So, in all, it is probably hard to come up with a generic method that will
provide a good extraction/derivation function for all KE methods,
even if an independent R is given.
However, for "standard" KE methods such as ISO-9798-3 or IKE, without
reuse of the ephemeral exponents, universal hashing with sufficiently
short output should work.
Ran
On Mon, 31 Oct 2005, John Wilkinson wrote:
> On Oct 31, 2005, at 1:10 PM, D. J. Bernstein wrote:
>
> > John Wilkinson writes:
> >
> >> 2.3) K_i = PRF( UH( R, SV ), i || context )
> >> 2.3 seems to be the only one that offers security in the standard
> >> model,
> >>
> >
> > You've been misled. That construction does _not_ guarantee secure key
> > derivation under standard assumptions.
>
> OK, clearly I'm in way over my head, but isn't that what the
> discussion about the Leftover Hash Lemma was about? Doesn't that
> lemma guarantee that UH(R,SV) is delta-uniform when R is chosen
> independently of SV? And if the output of UH is delta-uniform, then
> isn't the PRF secure under standard assumptions? I know this falls
> far short of a real proof, but, as I said, I'm in over my head here.
>
> -John
_______________________________________________
Cfrg mailing list
Cfrg at ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg
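The construction under discussion, K_i = PRF(UH(R, SV), i || context), with the output-length caveat Ran raises, carried through as an added example. This is not code from the thread or from any of the posters: it implements a universal hash family (a Toeplitz-style GF(2) matrix keyed by the independent seed R), the leftover hash lemma bound that fixes how many output bits may be extracted from SV at a given min-entropy, and HMAC-SHA256 standing in for the PRF. The 2048-bit input size, the 255-bit min-entropy figure, the 2^-64 distance target and the context string in main are assumptions for illustration; the function names are mine.

```python
import hashlib
import hmac
import math
import secrets


def toeplitz_hash(seed: int, x: int, in_bits: int, out_bits: int) -> int:
    """Universal hash UH(R, x): multiply the in_bits-bit input x by an
    out_bits x in_bits matrix over GF(2) whose entry (i, j) is bit i+j of
    the seed R (a Toeplitz matrix with its columns reversed).  The seed
    therefore needs in_bits + out_bits - 1 bits.  For x != y the
    probability over R that the outputs collide is exactly 2**-out_bits,
    which is the universality property the leftover hash lemma needs."""
    if x < 0 or x >> in_bits:
        raise ValueError("x must be a non-negative integer of at most in_bits bits")
    if seed < 0 or seed >> (in_bits + out_bits - 1):
        raise ValueError("seed must fit in in_bits + out_bits - 1 bits")
    mask = (1 << in_bits) - 1
    out = 0
    for i in range(out_bits):
        row = (seed >> i) & mask            # row i = seed bits i .. i+in_bits-1
        bit = bin(row & x).count("1") & 1   # inner product over GF(2)
        out |= bit << i
    return out


def extract(seed: int, shared_value: int, in_bits: int, out_bits: int) -> bytes:
    """UH(R, SV) as a byte string, to be used as the PRF key."""
    digest = toeplitz_hash(seed, shared_value, in_bits, out_bits)
    return digest.to_bytes((out_bits + 7) // 8, "big")


def lhl_security_bits(min_entropy_bits: float, out_bits: int) -> float:
    """Leftover hash lemma: with R independent of X and H_inf(X) >= k, the
    statistical distance of (UH(R, X), R) from (uniform, R) is at most
    (1/2) * sqrt(2**(out_bits - k)).  Returns -log2 of that bound."""
    return 1.0 + (min_entropy_bits - out_bits) / 2.0


def lhl_max_output_bits(min_entropy_bits: float, security_bits: float) -> int:
    """Largest output length whose LHL bound still gives security_bits."""
    return math.floor(min_entropy_bits - 2.0 * security_bits + 2.0)


def derive_key(prk: bytes, index: int, context: bytes) -> bytes:
    """K_i = PRF(prk, i || context), with HMAC-SHA256 as the PRF."""
    return hmac.new(prk, index.to_bytes(4, "big") + context, hashlib.sha256).digest()


def estimate_collision_rate(x: int, y: int, in_bits: int, out_bits: int, trials: int) -> float:
    """Empirical check of universality: fraction of random seeds on which two
    distinct inputs collide; should be close to 2**-out_bits."""
    seed_bits = in_bits + out_bits - 1
    hits = 0
    for _ in range(trials):
        r = secrets.randbits(seed_bits)
        if toeplitz_hash(r, x, in_bits, out_bits) == toeplitz_hash(r, y, in_bits, out_bits):
            hits += 1
    return hits / trials


def main() -> None:
    in_bits = 2048        # assumed: SV is the shared secret of a 2048-bit DH group
    min_entropy = 255.0   # assumed: min-entropy of SV, e.g. from 256-bit exponents
    target = 64           # assumed: want statistical distance <= 2**-64
    # The lemma, not the hash, decides the output length: here 129 bits, byte-aligned to 128.
    out_bits = lhl_max_output_bits(min_entropy, target) // 8 * 8
    # R must be chosen independently of SV; here both are simply fresh random values.
    seed = secrets.randbits(in_bits + out_bits - 1)
    shared_value = secrets.randbits(in_bits)
    prk = extract(seed, shared_value, in_bits, out_bits)
    keys = [derive_key(prk, i, b"ISO-9798-3 session") for i in range(2)]
    print(f"LHL permits {out_bits} output bits at "
          f"{lhl_security_bits(min_entropy, out_bits):.1f}-bit statistical security")
    for i, k in enumerate(keys):
        print(f"K_{i} = {k.hex()}")


if __name__ == "__main__":
    main()
```

The point of the numbers in main is the one Ran makes: with 255 bits of min-entropy in SV, the lemma only licenses about 128 output bits at a 2^-64 distance, so the PRF key is far shorter than SV, and asking for a 256-bit key would need a shared value with well over 256 bits of min-entropy. The lemma also says nothing about related exponents across exchanges or about binding peer identities; those have to be handled in the key-exchange protocol itself.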