
Re: [Cfrg] KDF==MAC? and: how about HKDF-Poly1305? Re: Answers to HKDF questions



Blumenthal, Uri wrote:
> Please correct me if I'm wrong, but it seems that *in general*
> KDF based on a PRP primitive (such as AES) is clearly better than
> the one based on a weaker one (such as unkeyed hash, even extended
> to keyed MAC - where I have my own misgivings that are beside the
> point).

Seems quite wrong to me. From a theory perspective, neither PRFs nor
CRHFs would automatically make a good KDF (e.g., deal with high-entropy
but non-uniform inputs). Also, in theory CRHFs are *stronger* than PRFs,
not weaker. (You can build a PRF from a CRHF in a provable black-box
manner, but not the other way around.)

From a practical perspective, I don't see any reason to suspect that
an AES-based construction would give a better KDF than a construction
based on (say) HMAC-SHA2. If anything, it seems that the latter tends
to do better on most fronts.

Regards,

-- Shai
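
Added illustration, not part of the original message or of any project's code: the extract-then-expand structure of HKDF (RFC 5869) over HMAC-SHA256, showing the separate step that handles a high-entropy but non-uniform input before HMAC is used as a PRF. The `derive_keys` helper, the labels and the sample secret are assumptions made for the example.

```python
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes for SHA-256


def hkdf_extract(salt, ikm):
    """Extract: concentrate the entropy of non-uniform IKM into one PRK."""
    # RFC 5869: an absent salt is replaced by HashLen zero bytes.
    if not salt:
        salt = bytes(HASH_LEN)
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk, info, length):
    """Expand: HMAC keyed with the PRK, run in feedback mode with a counter."""
    if length > 255 * HASH_LEN:
        raise ValueError("requested output exceeds 255 * HashLen")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_keys(shared_secret, salt, labels, length=32):
    """Hypothetical helper: one extract, then one expand per purpose label."""
    prk = hkdf_extract(salt, shared_secret)
    return {label: hkdf_expand(prk, label.encode(), length) for label in labels}


# Constructed sample input: 64 bytes with fixed structure in the leading
# half, i.e. not uniformly distributed, as a raw key-agreement output
# might be. It is never used directly as a key; it only feeds extract.
SAMPLE_SECRET = bytes(32) + hashlib.sha256(b"constructed sample").digest()
SAMPLE_SALT = b"constructed-salt"

if __name__ == "__main__":
    keys = derive_keys(SAMPLE_SECRET, SAMPLE_SALT, ["enc", "mac"])
    for label, key in keys.items():
        print(label, key.hex())
```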