Re: [Cfrg] Answers to HKDF questions

[David McGrew <mcgrew at cisco.com>]

Hi Zooko,

On Oct 25, 2009, at 4:06 PM, Zooko Wilcox-O'Hearn wrote:

> On Thursday,2009-10-22, at 17:09 , Hugo Krawczyk wrote:
>
> > Can you explain how do you plan to use poly1305 for KDF.
>
> I was thinking firstly of the expansion stage, but a similar  
> question applies to the extraction stage.
>
> Poly1305 and HMAC have the same "interface" -- that of a MAC which  
> takes a key and a message and perhaps a nonce and generates a tag.   
> In your paper you describe a general structure for the Extract then  
> Expand ("XtX") KDF which uses in the expansion stage a function  
> named "PRF".  Then you suggest to instantiate PRF(PRK, m) as  
> HMAC(PRK, m) (section 2).
>
> My question is, suppose I instead instantiated PRF(PRK, m) as  
> Poly1305-AES(PRK, m).  HMAC and Poly1305 each have arguments for  
> their security as MACs.  But are the arguments of the security of  
> HKDF predicated on the assumption that the PRK is a secure MAC?  In  
> other words: what property is required of the PRK function in order  
> for HKDF to be a good KDF?
>
> David McGrew wrote a nice note in answer to my question: http://www.ietf.org/mail-archive/web/cfrg/current/msg02672.html
>
> In the context of the extraction stage, he seemed to say that a  
> Carter-Wegman MAC such as Poly1305 should be analyzed merely as a  
> statistical extractor, not as a computational extractor.  Is that  
> what you meant to say, David?

Yes, that's right.

> I don't see why that would be so.

Check out S2.1 of http://cs.haifa.ac.il/~ronen/online_papers/survey.ps

David


> Regards,
>
> Zooko
> _______________________________________________
> Cfrg mailing list
> Cfrg at irtf.org
> http://www.irtf.org/mailman/listinfo/cfrg