[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Cfrg] why HKDF? -- Re: existing KDFs and their uses

To: "Blumenthal, Uri" <uri at ll.mit.edu>
Subject: [Cfrg] why HKDF? -- Re: existing KDFs and their uses
From: Zooko Wilcox-O'Hearn <zooko at zooko.com>
Date: Wed, 21 Oct 2009 13:05:25 -0600
Cc: "'dbrown at certicom.com'" <dbrown at certicom.com>, "'mcgrew at cisco.com'" <mcgrew at cisco.com>, "'cfrg at irtf.org'" <cfrg at irtf.org>, "'pgut001 at cs.auckland.ac.nz'" <pgut001 at cs.auckland.ac.nz>
Delivered-to: cfrg at core3.amsl.com
In-reply-to: <90E934FC4BBC1946B3C27E673B4DB0E4A7E75F6BF4 at LLE2K7-BE01.mitll.ad.local>
List-archive: <http://www.irtf.org/mail-archive/web/cfrg>
List-help: <mailto:cfrg-request@irtf.org?subject=help>
List-id: Crypto Forum Research Group <cfrg.irtf.org>
List-post: <mailto:cfrg@irtf.org>
List-subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
List-unsubscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
References: <90E934FC4BBC1946B3C27E673B4DB0E4A7E75F6BF4 at LLE2K7-BE01.mitll.ad.local>

I'm speaking as a consumer of such standards rather than as aproducer. I have already invented my own KDF [1] because, as far asI know, the existing specs don't spell out how to generate a randomkey which isn't just a certain number of bytes or bits, but instead arandom element from a group. (Fortunately I haven't yet deployedthis KDF that I invented so I am still free to change it.)

At this time I would probably prefer to use HKDF over the other KDFalgorithms that I know of because the accompanying full paper [2]comes with much more thorough arguments about its theoreticalsecurity properties. It isn't perfect for me! As I mentioned in myinitial questions, HKDF has the same omission that the others do inspecifying how to generate keys which aren't just byte sequences, andit isn't entirely clear to me whether the security arguments for HKDFare predicated on the underlying primitive being HMAC, being a MAC,being a PRF, or what. (I am more comfortable relying on AES orSalsa20 to be like an ideal cipher than relying on SHA-256 or SHA-512to be like an ideal hash function.)

Also I don't know which of those same security arguments apply to theother KDFs.

Also it isn't clear whether I should skip the extract step when myoriginal key is already densely packed with nutritious entropy.

However, as things stand I would much rather use HKDF since it isapparent that someone (Hugo Krawczyck) has spent the effort toanalyze and write down a bunch of relevant security arguments.HKDF's rigorous reductions (as far as I understand them) and itsheuristic design both look good to me.


Regards,

Zooko

[1] http://allmydata.org/trac/pycryptopp/browser/pycryptopp/publickey/ecdsamodule.cpp?rev=672#L269

[2] http://webee.technion.ac.il/~hugo/kdf/kdf.pdf

Follow-Ups:
- Re: [Cfrg] why HKDF? -- Re: existing KDFs and their uses
  - From: David McGrew

References:
- Re: [Cfrg] existing KDFs and their uses
  - From: Blumenthal, Uri

Prev by Date: Re: [Cfrg] existing KDFs and their uses
Next by Date: Re: [Cfrg] existing KDFs and their uses
Previous by thread: Re: [Cfrg] existing KDFs and their uses
Next by thread: Re: [Cfrg] why HKDF? -- Re: existing KDFs and their uses
Index(es):
- Date
- Thread