Re: [Cfrg] soliciting feedback on HKDF
I'd like to bring up my old question that hasn't been answered.
The design of hash functions had producing unique digests (collision avoidance) as its primary goal. Any randomization properties - if they existed - were just a by-product.
Engineers noticed that hash output looked random to them, and started using hash functions as randomizers.
The HMAC construct was designed to foil certain attacks against keyed hash functions. What are the reasons to believe that HMAC adds anything to the randomization property of the underlying hash functions?
(I'm not asking for a proof - just give me something that wouldn't be foolish to believe :-)
----- Original Message -----
From: cfrg-bounces at irtf.org <cfrg-bounces at irtf.org>
To: Dan Harkins <dharkins at lounge.org>
Cc: Tim Polk <tim.polk at nist.gov>; David McGrew <mcgrew at cisco.com>; cfrg at irtf.org <cfrg at irtf.org>; Hugo Krawczyk <hugo at ee.technion.ac.il>
Sent: Mon Oct 19 23:36:24 2009
Subject: Re: [Cfrg] soliciting feedback on HKDF
On Monday, 2009-10-19, at 17:36, Dan Harkins wrote:
> A very nice I-D and I think HKDF will be a valuable building
> block for protocol designers.
I would like to echo this sentiment: in attempting to stringently
evaluate "Everything that could possibly go wrong" with Tahoe-LAFS's
crypto design [1], I keep thinking that the KDF is a linchpin
component in several places. (The recent revelation of related-key
issues in AES-256 is one of the reasons to think this.) Thank you
for working on the design and standardization of HKDF!
For what it is worth -- I really don't want to start an argument
about this somewhat tangential issue -- I don't like HMAC-SHA256
nearly as well as I like Poly1305-AES or Poly1305-Salsa20. This is
an unfortunate period in cryptography when there isn't a really good
secure hash function that we can rely on, and the strong security
proofs and superior performance of the Carter-Wegman MACs like
Poly1305 look better to me than the security proofs of HMAC.
Regards,
Zooko Wilcox-O'Hearn
[1] http://allmydata.org/trac/tahoe/wiki/NewCaps/WhatCouldGoWrong