
Re: [Cfrg] Can CMAC and/or GMAC be substituted in an HMAC-styled KDF?



I thought all KDF and HMAC functions are white box functions, assuming
key is part of input to the function. 

-----Original Message-----
From: cfrg-bounces at irtf.org [mailto:cfrg-bounces at irtf.org] On Behalf Of
Zooko Wilcox-O'Hearn
Sent: Wednesday, December 09, 2009 1:15 PM
To: cfrg at irtf.org
Subject: Re: [Cfrg] Can CMAC and/or GMAC be substituted in an HMAC-styled KDF?

There are a lot of questions that I don't yet understand the answers to.
The first one is: what is the definition of a secure KDF?

I didn't see such a definition in the HKDF paper [1].  If we have a
definition, then we can productively argue about whether this or that
algorithm will meet the goal.

Clearly we haven't achieved this first step yet, since Hugo Krawczyk
writes:  "a MAC function does NOT exist without a secret key and a HKDF
does NOT have a secret key.".  This surprises me because I think of a
KDF as having a secret key, and in particular HKDF has a secret key,
named "SKM" on page 1 of hkdf.pdf.

Naor and Reingold [2] suggest that the formal definition of a MAC is an
Unpredictable Function.  I think they are right.  They also show a
black-box reduction from UF to PRF.

An Unpredictable Function is one where if I give you black-box access to
it, i.e. you can invoke it but you can't examine its implementation,
then you won't be able to predict what f(x) will return for some x that
you didn't actually invoke it with.

Now an Unpredictable Function is an unkeyed thing, but a KDF (in my
view) has a secret key which is unknown to the adversary.  So let's
model that by saying that we use the key to select one Unpredictable
Function, f_s(), out of a family of Unpredictable Functions.

Does anyone agree that this notion of a function chosen from a family of
Unpredictable Functions is a good enough definition of what we want out
of our KDFs?

Regards,

Zooko Wilcox-O'Hearn

[1] Hugo Krawczyk: "On Extract-then-Expand Key Derivation Functions and
an HMAC-based KDF" http://webee.technion.ac.il/~hugo/kdf/kdf.pdf
[2] Moni Naor, Omer Reingold: "From unpredictability to
indistinguishability: A simple construction of pseudo-random functions
from MACs" http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.121.6517
---
Your cloud storage provider does not need access to your data.
Tahoe-LAFS -- http://allmydata.org
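As an added example (not code from the thread or from the HKDF paper): an extract-then-expand KDF in the HKDF style, written so that the keyed function is selected from a family by its key, matching the f_s-from-a-family view above. It is instantiated with HMAC-SHA256 from the Python standard library and checked against RFC 5869 test case 1; the function names are my own. Swapping in another keyed family is the structural substitution the subject line asks about, and whether such a family meets the required definition is the thread's open question, not something this code settles.

```python
import hashlib
import hmac
from typing import Callable

# A keyed family: given key s, return the concrete function f_s.
PRF = Callable[[bytes], bytes]
Family = Callable[[bytes], PRF]


def hmac_sha256_family(key: bytes) -> PRF:
    """Select f_s from the HMAC-SHA256 family using key s."""
    return lambda data: hmac.new(key, data, hashlib.sha256).digest()


def hkdf_extract(family: Family, salt: bytes, skm: bytes) -> bytes:
    """Extract: PRK = f_salt(SKM). An empty salt becomes a string of zeros."""
    out_len = len(family(b"")(b""))          # output size of the family
    if not salt:
        salt = bytes(out_len)
    return family(salt)(skm)


def hkdf_expand(family: Family, prk: bytes, info: bytes, length: int) -> bytes:
    """Expand: T(i) = f_PRK(T(i-1) || info || i), OKM = T(1) || T(2) || ..."""
    f = family(prk)
    out_len = len(f(b""))
    if length > 255 * out_len:               # the counter is a single byte
        raise ValueError("requested length exceeds 255 * output size")
    okm, t, i = b"", b"", 1
    while len(okm) < length:
        t = f(t + info + bytes([i]))
        okm += t
        i += 1
    return okm[:length]


def hkdf(family: Family, salt: bytes, skm: bytes, info: bytes, length: int) -> bytes:
    return hkdf_expand(family, hkdf_extract(family, salt, skm), info, length)


# Constructed check: inputs of RFC 5869 test case 1 (IKM = 22 bytes of 0x0b,
# salt = 0x00..0x0c, info = 0xf0..0xf9, L = 42).
def rfc5869_case1() -> bytes:
    ikm = bytes([0x0B] * 22)
    salt = bytes(range(0x00, 0x0D))
    info = bytes(range(0xF0, 0xFA))
    return hkdf(hmac_sha256_family, salt, ikm, info, 42)
```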
