
Re: [Cfrg] Answers to HKDF questions



I do not know what you mean by "better randomizer" so I cannot answer the question.
I can answer why it is a better extractor which is what the whole paper is about.

One result you may want to take a look at is Coron et al. Ref [17] in my paper.
They show something that I use but is not specific to KDFs.

They prove that HMAC (think of it as a mode of operation acting on Merkle-Damgard functions) is random-oracle-preserving, while Merkle-Damgard alone is not (as clearly demonstrated by extension attacks).

You can think of it as an indication that HMAC is a better randomness-preserving function than the plain hash.
Maybe that is what you mean by "better randomizer"?

Hugo

On Thu, Oct 22, 2009 at 7:19 PM, Blumenthal, Uri <uri at ll.mit.edu> wrote:
Actually one thing I don't think I found in the paper that Hugo referred to, was why HMAC-SHA is a better *Randomizer* than SHA. Why HMAC is better than say keyed SHA is clear.

Would you care to clarify this?


From: cfrg-bounces at irtf.org <cfrg-bounces at irtf.org>
To: Zooko Wilcox-O'Hearn <zooko at zooko.com>
Cc: cfrg at irtf.org <cfrg at irtf.org>
Sent: Thu Oct 22 19:09:32 2009
Subject: Re: [Cfrg] Answers to HKDF questions



On Wed, Oct 21, 2009 at 11:01 PM, Zooko Wilcox-O'Hearn <zooko at zooko.com> wrote:
Dear Hugo Krawczyk:

Thank you for the detailed answers. I still have a question about HMAC as compared to other MACs. Feel free to point me to existing documents if they answer my question. Suppose I were to instantiate HKDF with the keyed PRF being a cipher-based MAC such as Poly1305 instead of HMAC. Which of the arguments for HKDF's security would still apply?


To answer these questions I need to ask you some questions myself:

Can you explain how you plan to use poly1305 for KDF?
Is it as an extractor, or for key expansion or both? You say as a "keyed PRF": how do you get a PRF out of your MAC and where does the key to the PRF come from?
Are you going to use only the universal hash part of poly1305 or the whole construction?
If the latter, where does the key for AES come from?

In general a MAC function does not imply a good KDF. Even a good PRF does not.
(If that was the case it would have been much easier to argue that HMAC is a good basis for KDF).

If you give me more details on what you mean by your "MAC-based KDF" I can try to answer more specifically.

Hugo
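
The contrast drawn in the reply at the top of this message, that plain Merkle-Damgard iteration is open to extension while HMAC over the same function is not, can be checked with the following added example, which is not part of the original thread. It uses a toy Merkle-Damgard hash whose compression function is SHA-256 over state||block (an assumption made for brevity); the key, message and suffix are constructed sample values.

```python
import hashlib

BLOCK = 64          # block size in bytes
IV = bytes(32)      # fixed initial chaining value (toy choice)

def compress(state, block):
    # Toy compression function (assumption for brevity): SHA-256 of state||block.
    return hashlib.sha256(state + block).digest()

def md_pad(msg_len):
    # Merkle-Damgard strengthening: 0x80, zero fill, 64-bit bit length.
    return b"\x80" + b"\x00" * (-(msg_len + 9) % BLOCK) + (msg_len * 8).to_bytes(8, "big")

def absorb(state, data):
    # Iterate the compression function over whole blocks.
    for i in range(0, len(data), BLOCK):
        state = compress(state, data[i:i + BLOCK])
    return state

def toy_hash(msg):
    return absorb(IV, msg + md_pad(len(msg)))

def toy_hmac(key, msg):
    # HMAC structure over toy_hash; key assumed no longer than one block.
    key = key.ljust(BLOCK, b"\x00")
    inner = toy_hash(bytes(b ^ 0x36 for b in key) + msg)
    return toy_hash(bytes(b ^ 0x5C for b in key) + inner)

def extend(digest, hashed_len, suffix):
    # Resume the iteration from a published digest; the key is never used.
    glue = md_pad(hashed_len)
    total = hashed_len + len(glue) + len(suffix)
    return glue, absorb(digest, suffix + md_pad(total))

KEY, MSG, SUFFIX = b"constructed-key", b"label=a", b";label=b"  # constructed samples

def extension_succeeds():
    # Case 1: tag = H(key || msg). The digest is the full chaining state.
    n = len(KEY) + len(MSG)
    glue, guess = extend(toy_hash(KEY + MSG), n, SUFFIX)
    prefix_mac = guess == toy_hash(KEY + MSG + glue + SUFFIX)
    # Case 2: HMAC. The outer keyed hash hides the inner chaining state.
    n = BLOCK + len(MSG)
    glue, guess = extend(toy_hmac(KEY, MSG), n, SUFFIX)
    hmac_mac = guess == toy_hmac(KEY, MSG + glue + SUFFIX)
    return prefix_mac, hmac_mac

if __name__ == "__main__":
    print(extension_succeeds())
```

The first result is true because the output of the plain iteration is exactly the state needed to keep hashing; the second is false because the outer keyed application in HMAC breaks that relationship.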