[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Cfrg] why HKDF? -- Re: existing KDFs and their uses
- To: "Zooko Wilcox-O'Hearn" <zooko at zooko.com>
- Subject: Re: [Cfrg] why HKDF? -- Re: existing KDFs and their uses
- From: David McGrew <mcgrew at cisco.com>
- Date: Thu, 22 Oct 2009 08:08:54 -0700
- Authentication-results: sj-iport-3.cisco.com; dkim=neutral (message not signed) header.i=none
- Cc: "'dbrown at certicom.com'" <dbrown at certicom.com>, "'cfrg at irtf.org'" <cfrg at irtf.org>, "'pgut001 at cs.auckland.ac.nz'" <pgut001 at cs.auckland.ac.nz>
- Delivered-to: cfrg at core3.amsl.com
- Dkim-signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=mcgrew at cisco.com; l=4987; q=dns/txt; s=sjiport03001; t=1256224139; x=1257433739; h=from:sender:reply-to:subject:date:message-id:to:cc: mime-version:content-transfer-encoding:content-id: content-description:resent-date:resent-from:resent-sender: resent-to:resent-cc:resent-message-id:in-reply-to: references:list-id:list-help:list-unsubscribe: list-subscribe:list-post:list-owner:list-archive; z=From:=20David=20McGrew=20<mcgrew at cisco.com>|Subject:=20R e:=20[Cfrg]=20why=20HKDF?=20=20--=20Re:=20=20existing=20K DFs=20and=20their=20uses|Date:=20Thu,=2022=20Oct=202009 =2008:08:54=20-0700|Message-Id:=20<A652B6BC-1E5B-463F-BA5 C-E61E2B31E06C at cisco.com>|To:=20"Zooko=20Wilcox-O'Hearn" =20<zooko at zooko.com>|Cc:=20"Blumenthal,=20Uri"=20<uri at ll. mit.edu>,=0D=0A=20=20=20=20=20=20=20=20"'dbrown at certicom. com'"=20<dbrown at certicom.com>,=0D=0A=20=20=20=20=20=20=20 =20"'cfrg at irtf.org'"=20<cfrg at irtf.org>,=0D=0A=20=20=20=20 =20=20=20=20"'pgut001 at cs.auckland.ac.nz'"=20<pgut001 at cs.a uckland.ac.nz>|Mime-Version:=201.0=20(Apple=20Message=20f ramework=20v936)|In-Reply-To:=20<B418D21A-0BC0-4E6E-8063- 4D100B94B974 at zooko.com>|References:=20<90E934FC4BBC1946B3 C27E673B4DB0E4A7E75F6BF4 at LLE2K7-BE01.mitll.ad.local>=20<B 418D21A-0BC0-4E6E-8063-4D100B94B974 at zooko.com>; bh=J5e5v2mKnU4XWLXUXURPtM+UTpkGi08uvPTPYRwkMAA=; b=m6PfzIdT01iOQ9yiKwUvtu8KTILqVi1RTl5E726NfeTM+/JANGYJUkq8 zE3A5cBgQZZo757CWZxs/Zbx0MxZ/WDh5mIZFC0NqnK6OWKU5wANnWvz/ 4cP71IOxm0z8HB4Mu5watc4wzLnpAk1piMTHQuOnOxGpFdwBVXa+HWnnX k=;
- In-reply-to: <B418D21A-0BC0-4E6E-8063-4D100B94B974 at zooko.com>
- List-archive: <http://www.irtf.org/mail-archive/web/cfrg>
- List-help: <mailto:cfrg-request@irtf.org?subject=help>
- List-id: Crypto Forum Research Group <cfrg.irtf.org>
- List-post: <mailto:cfrg@irtf.org>
- List-subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
- List-unsubscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
- References: <90E934FC4BBC1946B3C27E673B4DB0E4A7E75F6BF4 at LLE2K7-BE01.mitll.ad.local> <B418D21A-0BC0-4E6E-8063-4D100B94B974 at zooko.com>
Hi Zooko,
On Oct 21, 2009, at 12:05 PM, Zooko Wilcox-O'Hearn wrote:
I'm speaking as a consumer of such standards rather than as a
producer. I have already invented my own KDF [1] because, as far as
I know, the existing specs don't spell out how to generate a random
key which isn't just a certain number of bytes or bits, but instead
a random element from a group.
check out example 9.10 of http://www.shoup.net/ntb/ntb-v2.pdf
David
(Fortunately I haven't yet deployed this KDF that I invented so I am
still free to change it.)
At this time I would probably prefer to use HKDF over the other KDF
algorithms that I know of because the accompanying full paper [2]
comes with much more thorough arguments about its theoretical
security properties. It isn't perfect for me! As I mentioned in my
initial questions, HKDF has the same omission that the others do in
specifying how to generate keys which aren't just byte sequences,
and it isn't entirely clear to me whether the security arguments for
HKDF are predicated on the underlying primitive being HMAC, being a
MAC, being a PRF, or what. (I am more comfortable relying on AES or
Salsa20 to be like an ideal cipher than relying on SHA-256 or
SHA-512 to be like an ideal hash function.)
Also I don't know which of those same security arguments apply to
the other KDFs.
Also it isn't clear whether I should skip the extract step when my
original key is already densely packed with nutritious entropy.
However, as things stand I would much rather use HKDF since it is
apparent that someone (Hugo Krawczyck) has spent the effort to
analyze and write down a bunch of relevant security arguments.
HKDF's rigorous reductions (as far as I understand them) and its
heuristic design both look good to me.
Regards,
Zooko
[1] http://allmydata.org/trac/pycryptopp/browser/pycryptopp/publickey/ecdsamodule.cpp?rev=672#L269
[2] http://webee.technion.ac.il/~hugo/kdf/kdf.pdf
_______________________________________________
Cfrg mailing list
Cfrg at irtf.org
http://www.irtf.org/mailman/listinfo/cfrg
Attachment:
smime.p7s
Description: S/MIME cryptographic signature