On Thursday, 2009-10-22, at 17:09, Hugo Krawczyk wrote:
> Can you explain how you plan to use poly1305 for KDF?
I was thinking firstly of the expansion stage, but a similar question applies to the extraction stage.
Poly1305 and HMAC have the same "interface" -- that of a MAC which takes a key and a message and perhaps a nonce and generates a tag. In your paper you describe a general structure for the Extract then Expand ("XtX") KDF which uses in the expansion stage a function named "PRF". Then you suggest to instantiate PRF(PRK, m) as HMAC(PRK, m) (section 2).
My question is, suppose I instead instantiated PRF(PRK, m) as Poly1305-AES(PRK, m). HMAC and Poly1305 each have arguments for their security as MACs. But are the arguments of the security of HKDF predicated on the assumption that the PRK is a secure MAC? In other words: what property is required of the PRK function in order for HKDF to be a good KDF?
David McGrew wrote a nice note in answer to my question: http://www.ietf.org/mail-archive/web/cfrg/current/msg02672.html
In the context of the extraction stage, he seemed to say that a Carter-Wegman MAC such as Poly1305 should be analyzed merely as a statistical extractor, not as a computational extractor. Is that what you meant to say, David? I don't see why that would be so.
Regards, Zooko
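
The Extract-then-Expand structure discussed in this message, with the PRF left as a pluggable (key, message) function, as an added example that is not part of the original message or of the HKDF paper. It assumes the block layout later standardized in RFC 5869 and uses that RFC's test case 1 as input; `traced` is a hypothetical helper that records what the PRF is asked to compute, so the key reuse across expansion calls is visible.

```python
import hashlib
import hmac
from typing import Callable, List, Tuple

# The "interface" from the message: a keyed function (key, message) -> tag.
PRF = Callable[[bytes, bytes], bytes]

def hmac_sha256(key: bytes, msg: bytes) -> bytes:
    """HMAC instantiation of the PRF slot."""
    return hmac.new(key, msg, hashlib.sha256).digest()

def traced(prf: PRF) -> Tuple[PRF, List[Tuple[bytes, bytes]]]:
    """Hypothetical helper: wrap a PRF and log every (key, message) pair it sees."""
    calls: List[Tuple[bytes, bytes]] = []
    def wrapper(key: bytes, msg: bytes) -> bytes:
        calls.append((key, msg))
        return prf(key, msg)
    return wrapper, calls

def extract(prf: PRF, salt: bytes, ikm: bytes) -> bytes:
    """Extraction stage: the salt keys the PRF, the source key material is the message."""
    return prf(salt, ikm)

def expand(prf: PRF, prk: bytes, info: bytes, length: int) -> bytes:
    """Expansion stage: chained PRF calls, every one keyed with the same PRK."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        if counter > 255:
            raise ValueError("requested length exceeds 255 PRF output blocks")
        # Each message is: previous block || context info || one-byte counter.
        block = prf(prk, block + info + bytes([counter]))
        okm += block
        counter += 1
    return okm[:length]

def xtx_kdf(prf: PRF, salt: bytes, ikm: bytes, info: bytes, length: int) -> bytes:
    return expand(prf, extract(prf, salt, ikm), info, length)

# Inputs of RFC 5869 test case 1 (Appendix A.1).
IKM = bytes([0x0B] * 22)
SALT = bytes(range(0x00, 0x0D))
INFO = bytes(range(0xF0, 0xFA))

if __name__ == "__main__":
    prf, calls = traced(hmac_sha256)
    print("OKM:", xtx_kdf(prf, SALT, IKM, INFO, 42).hex())
    for key, msg in calls:
        print("PRF key", key.hex()[:16], "... message length", len(msg))
```

Swapping a different MAC into the `prf` argument changes nothing else in the construction, which is why the question of what the expansion and extraction stages require of that function matters.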