Re: [Cfrg] soliciting feedback on HKDF
Thank you for supporting and expounding on my point!
----- Original Message -----
From: Basil Dolmatov <dol at cryptocom.ru>
To: Blumenthal, Uri
Cc: 'zooko at zooko.com' <zooko at zooko.com>; 'dharkins at lounge.org' <dharkins at lounge.org>; 'tim.polk at nist.gov' <tim.polk at nist.gov>; 'mcgrew at cisco.com' <mcgrew at cisco.com>; 'cfrg at irtf.org' <cfrg at irtf.org>; 'hugo at ee.technion.ac.il' <hugo at ee.technion.ac.il>
Sent: Tue Oct 20 10:58:42 2009
Subject: Re: [Cfrg] soliciting feedback on HKDF
Blumenthal, Uri writes:
> I'd like to bring up my old question that hasn't been answered.
>
> Design of hash functions had producing unique digests (collision avoidance) as its primary goal. Any randomization properties - if they existed - were just a by-product.
>
> Engineers noticed that hash output looked random to them, and started using hash functions as randomizers.
>
> HMAC construct was designed to foil certain attacks against keyed hash functions. What are the reasons to believe that HMAC adds anything to the randomization property of the underlying hash functions?
>
> (I'm not asking for a proof - just give me something that wouldn't be foolish to believe :-)
>
>
There cannot be a definite answer without a thorough mathematical
analysis of the HMAC transformation and its influence upon the randomness
of the source.
Moreover, taking into account that hash output is not by definition the
source of uniformly distributed randomness, the question of which
properties will be held by the result of consecutive computation of hash
and HMAC will definitely depend upon the hash function used and the HMAC
transformation used.
dol@