[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Cfrg] soliciting feedback on HKDF

To: David McGrew <mcgrew at cisco.com>
Subject: Re: [Cfrg] soliciting feedback on HKDF
From: Zooko Wilcox-O'Hearn <zooko at zooko.com>
Date: Mon, 19 Oct 2009 17:46:12 -0600
Cc: "Pasi.Eronen at nokia.com Eronen" <Pasi.Eronen at nokia.com>, Tim Polk <tim.polk at nist.gov>, cfrg at irtf.org, Hugo Krawczyk <hugo at ee.technion.ac.il>
Delivered-to: cfrg at core3.amsl.com
In-reply-to: <2BDAD1BB-A200-4B35-809A-FC0F0385F9D7 at cisco.com>
List-archive: <http://www.irtf.org/mail-archive/web/cfrg>
List-help: <mailto:cfrg-request@irtf.org?subject=help>
List-id: Crypto Forum Research Group <cfrg.irtf.org>
List-post: <mailto:cfrg@irtf.org>
List-subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
List-unsubscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
References: <2BDAD1BB-A200-4B35-809A-FC0F0385F9D7 at cisco.com>

Hi there.

We've been considering using HKDF in the Tahoe-LAFS project [1].Here are some our notes on the topic: [2, 3, 4, 5]


I have a few questions.

One is, which parts of the security arguments in the full paperdepend on "any good MAC" and which parts depend specifically onHMAC? The full paper nicely names and cites all the properties thatits arguments are predicated on, but unfortunately it does not alwaysmention whether those properties (are believed to) hold of HMACspecifically or of a larger class of algorithms.

Another question is: suppose we want to derive a key which is >= 1and < order of an ECDSA group. Should we use HKDF for the smallestnumber of bytes that are enough, check whether it is < the grouporder, and then if not get more bytes? Or should we get more bytesup to some integral multiple of the group order, divide by thatintegral multiple, and then check whether it is < group order? Or what?

Another question is: suppose we're doing one of these algorithmsabove, and we want to "get some more bytes" from HKDF . Should wejust read more bytes, or should we change the INFO field, for examplechanging it to "Try number 2", and then read the first few bytes fromthis new instance?

Another question is: suppose we're doing one of these algorithms, andwe want to spend more CPU power during the initial key generation inorder to spend less CPU power during subsequent re-generation of thatkey. Then could we iteratively pick an IKM, check whether it wouldproduce a fitting key (>= 1 and < group order) in a single try, andif not start over and pick a different random IKM?

Another question is: should we really include the "extract" step evenwhen the IKM is (believed by us) to be high-quality strong cryptokeys, or should we "optimize out" the extract step and just use theexpand step in this case?


Thank you very much!

Regards,

Zooko Wilcox-O'Hearn

[1] http://allmydata.com
[2] http://allmydata.org/trac/pycryptopp/ticket/2
[3] http://allmydata.org/pipermail/tahoe-dev/2009-August/002598.html
[4] http://groups.google.com/group/cryptopp-users/msg/01a2620f684a70bd

[5] http://groups.google.com/group/cryptopp-users/browse_thread/thread/f30427601a5884f6

References:
- [Cfrg] soliciting feedback on HKDF
  - From: David McGrew

Prev by Date: Re: [Cfrg] soliciting feedback on HKDF
Next by Date: Re: [Cfrg] soliciting feedback on HKDF
Previous by thread: Re: [Cfrg] soliciting feedback on HKDF
Next by thread: Re: [Cfrg] soliciting feedback on HKDF
Index(es):
- Date
- Thread