
Re: [Cfrg] soliciting feedback on HKDF



On Monday, 2009-10-19, at 17:36, Dan Harkins wrote:

> A very nice I-D and I think HKDF will be a valuable building block for protocol designers.

I would like to echo this sentiment: in attempting to stringently evaluate "Everything that could possibly go wrong" with Tahoe-LAFS's crypto design [1], I keep thinking that the KDF is a linchpin component in several places. (The recent revelation of related-key issues in AES-256 is one of the reasons to think this.) Thank you for working on the design and standardization of HKDF!

For what it is worth -- I really don't want to start an argument about this somewhat tangential issue -- I don't like HMAC-SHA256 nearly as well as I like Poly1305-AES or Poly1305-Salsa20. This is an unfortunate period in cryptography when there isn't a really good secure hash function that we can rely on, and the strong security proofs and superior performance of the Carter-Wegman MACs like Poly1305 look better to me than the security proofs of HMAC.

Regards,

Zooko Wilcox-O'Hearn

[1] http://allmydata.org/trac/tahoe/wiki/NewCaps/WhatCouldGoWrong