On Wed, Oct 21, 2009 at 11:01 PM, Zooko Wilcox-O'Hearn
<zooko at zooko.com> wrote:
Dear Hugo Krawcyck:
Thank you for the detailed answers. I still have a question about HMAC as compared to other MACs. Feel free to point me to existing documents if they answer my question. Suppose I were to instantiate HKDF with the keyed PRF being a cipher based MAC such as Poly1305 instead of HMAC. Which of the arguments for HKDF's security would still apply?
To answer these questions I need to ask you some questions myself:
Can you explain how do you plan to use poly1305 for KDF.
Is it as an extractor, or for key expansion or both? You say as a "keyed PRF": how do you get a PRF out of your MAC and where does the key to the PRF come from?
Are you going to use only the universal hash part of poly1305 or the whole construction?
If the latter, where does the key for AES come from?
In general a MAC function does not imply a good KDF. Even a good PRF does not.
(If that was the case it would have been much easier to argue that HMAC is a good basis for KDF).
If you give me more details on what you mean by your "MAC-based KDF" I can try to answer more specifically.
Hugo