Re: [Cfrg] Fwd: Can CMAC and/or GMAC be substituted in an HMAC-styledKDF?
Hugo Krawczyk <hugo@ee.technion.ac.il> Wed, 09 December 2009 23:41 UTC
Return-Path: <hugokraw@gmail.com>
X-Original-To: cfrg@core3.amsl.com
Delivered-To: cfrg@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 289193A680E for <cfrg@core3.amsl.com>; Wed, 9 Dec 2009 15:41:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.976
X-Spam-Level:
X-Spam-Status: No, score=-1.976 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OqEWZZ6+F0KR for <cfrg@core3.amsl.com>; Wed, 9 Dec 2009 15:41:39 -0800 (PST)
Received: from mail-qy0-f178.google.com (mail-qy0-f178.google.com [209.85.221.178]) by core3.amsl.com (Postfix) with ESMTP id B74FA3A67F4 for <cfrg@irtf.org>; Wed, 9 Dec 2009 15:41:36 -0800 (PST)
Received: by qyk8 with SMTP id 8so2907895qyk.24 for <cfrg@irtf.org>; Wed, 09 Dec 2009 15:41:23 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:sender:received:in-reply-to :references:from:date:x-google-sender-auth:message-id:subject:to:cc :content-type; bh=yXWkJqxP0GoSkEnmUfXZzgOA8ed+wDXnhDTSGjqYfU4=; b=GYk/9CYyGJZ8p3DwZgjJCUyHEkekcBOn0eSYBoRxuivpHrjQ682gQsFvQQN7oBspd5 S7ajl5bjBBd0DXQznuxi/MIrb+9B34fIIuXGErrhx93aNmf1dNe7JM5RNOJlx/up3WY3 z7KmQIOynfMn+0PCyRMYQCGNFozh6FZ3jW8y0=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:sender:in-reply-to:references:from:date :x-google-sender-auth:message-id:subject:to:cc:content-type; b=SyCGUYkBPJsYDeAuUzqa0n20zpKJ/YfQ8WL12iuOwZUQprHMnIPNpg0UVgM/wl9h15 RIn7HTD91pdz66bCDJxm8b3HygmY8huvuP2kt0yiH5aZlIcq32UtjjPQl71Ef8/hQZTo orwPThHOovBOIF9xth8oeeTE6og8GoAnJSPKA=
MIME-Version: 1.0
Sender: hugokraw@gmail.com
Received: by 10.224.63.219 with SMTP id c27mr6004593qai.168.1260402083110; Wed, 09 Dec 2009 15:41:23 -0800 (PST)
In-Reply-To: <7E1DF37F1F42AB4E877E492C308E6AC49493ED@XCH57YKF.rim.net>
References: <e89b43830912091057j11b6dad3nf773003b32b656c9@mail.gmail.com> <7E1DF37F1F42AB4E877E492C308E6AC49493ED@XCH57YKF.rim.net>
From: Hugo Krawczyk <hugo@ee.technion.ac.il>
Date: Wed, 09 Dec 2009 18:41:02 -0500
X-Google-Sender-Auth: d5ec7d9fef601536
Message-ID: <e89b43830912091541k6021fce4xac56c2f6d13d59ea@mail.gmail.com>
To: Dan Brown <dbrown@certicom.com>
Content-Type: multipart/alternative; boundary="0016e64b15f0702057047a543ad1"
Cc: cfrg@irtf.org
Subject: Re: [Cfrg] Fwd: Can CMAC and/or GMAC be substituted in an HMAC-styledKDF?
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Dec 2009 23:41:41 -0000
On Wed, Dec 9, 2009 at 3:41 PM, Dan Brown <dbrown@certicom.com> wrote: > This raises a minor, non-security issue: isn't a KDF a lower level > primitive than a MAC? E.g. the key in a MAC is one of the intended purposes > of the output of a KDF, not the other way. If so, isn't it architecturally > awkward to define a KDF that has built-in component of a MAC? E.g. HKDF has > HMAC built-in. > We are building HKDF on HMAC not on a generic MAC (did I say that before?) We are using specific properties of the HMAC scheme (with suitable assumptions on the underlying hash function) and not those of a MAC. If at all, we are building on HMAC being a PRF since we are using it for the expansion part as such. But for extraction you need other properties. These properties change according to the usage scenario and what you can assume about your source of keying material. In some cases you need to assume more than a MAC and PRF, namely, model the hash function as a random oracle (especially when you do not have a salt value and you need to output almost all entropy of the source). In other cases, you need MUCH LESS than PRF/MAC, namely, just properties of universal hashing from the underlying hash function. Such properties are combinatorial in nature and do not require, in principle, computational assumptions let alone the idealized modeling of random oracles. So, for extraction, sometimes you are assuming more from the hash functions than what you need for MAC/PRF and sometimes less. But however you define the KDF functionality, and however you build it, remember that a KDF is in particular a PRF (this is actually the easy case, when your source of keying material is uniform or pseudo-random and you need to produce more pseudorandom bits than the input). Thus for the whole construction you cannot avoid having some form of pseudorandomness assumption. > More philosophically, is building new primitives from old primitives, where > the old have to do more than their original aim (e.g. HMAC as more than MAC, > SHA1 as more than CRHF) the wisest approach? Does it put too much reliance > on these retrofitted primitives? > If you can build a generic KDF based on MAC and collision resistance only, you are more than welcome to present it. Remember that you will need to first be able to build a PRF out of these properties, a simpler task which I do not know how to accomplish. On the other hand, why rely on collision resistance which may be the weakest point of hash functions anyway? Would you feel better with the traditional KDFs of the form Hash (SKM||1) || Hash(SKM||2)||... that may only be justified assuming Hash is a random oracle (which is more than a MAC, PRF, collision resistance, universal hashing, etc,)??? Would you even buy that construction as a PRF (which as said, is a particular case of a KDF)?? Hugo > --------------------------------------------------------------------- > This transmission (including any attachments) may contain confidential > information, privileged material (including material protected by the > solicitor-client or other applicable privileges), or constitute non-public > information. Any use of this information by anyone other than the intended > recipient is prohibited. If you have received this transmission in error, > please immediately reply to the sender and delete this information from your > system. Use, dissemination, distribution, or reproduction of this > transmission by unintended recipients is not authorized and may be unlawful. > _______________________________________________ > Cfrg mailing list > Cfrg@irtf.org > http://www.irtf.org/mailman/listinfo/cfrg >
- [Cfrg] Can CMAC and/or GMAC be substituted in an … Robert Moskowitz
- Re: [Cfrg] Can CMAC and/or GMAC be substituted in… Hugo Krawczyk
- Re: [Cfrg] Can CMAC and/or GMAC be substituted in… Zooko Wilcox-O'Hearn
- Re: [Cfrg] Can CMAC and/or GMAC be substituted in… Robert Moskowitz
- Re: [Cfrg] Can CMAC and/or GMAC be substituted in… Santosh Chokhani
- [Cfrg] Fwd: Can CMAC and/or GMAC be substituted i… Hugo Krawczyk
- Re: [Cfrg] Fwd: Can CMAC and/or GMAC be substitut… Dan Brown
- Re: [Cfrg] Fwd: Can CMAC and/or GMAC be substitut… Hugo Krawczyk
- [Cfrg] do we need a new document defining a KDF, … David McGrew
- [Cfrg] RE : do we need a new document defining a … Sean Shen 沈烁