[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Cfrg] RE : do we need a new document defining a KDF, extractor, and computational min-entropy?

To: "'David McGrew'" <mcgrew at cisco.com>, "'Zooko Wilcox-O'Hearn'" <zooko at zooko.com>
Subject: [Cfrg] RE : do we need a new document defining a KDF, extractor, and computational min-entropy?
From: Sean Shen 沈烁 <shenshuo at cnnic.cn>
Date: Mon, 21 Dec 2009 10:21:46 +0800
Cc: cfrg at irtf.org
Delivered-to: cfrg at core3.amsl.com
In-reply-to: <461232445.15301 at cnnic.cn>
List-archive: <http://www.irtf.org/mail-archive/web/cfrg>
List-help: <mailto:cfrg-request@irtf.org?subject=help>
List-id: Crypto Forum Research Group <cfrg.irtf.org>
List-post: <mailto:cfrg@irtf.org>
List-subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
List-unsubscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
References: <4B1FC438.9070602 at htt-consult.com> <e89b43830912090929g50b21e27vda5f98d66a3cc050 at mail.gmail.com> <62469D96-502F-4C31-A4C5-8A001BE74520 at zooko.com> <461232445.15301 at cnnic.cn>
Thread-index: AcqAtnPguOZ9Ci6ERUCJKGdpPa/6uABLT5bw

Hi，David, Zooko and CRFG,
I would like to contribute on such a document.
Best,

Sean

> > There are a lot of questions that I don't yet understand the answers
> > to.  The first one is: what is the definition of a secure KDF?
> >
> > I didn't see such a definition in the HKDF paper [1].  If we have a
> > definition, then we can productively argue about whether this or that
> > algorithm will meet the goal.
> 
> I agree that it would be useful to come up with a definition of what
> we expect from a KDF.   I don't think the HKDF paper has a concise
> definition.  The really important aspect to capture is that of the
computational
> extractor.  If I recall correctly, that paper cites a definition of
computational
> min-entropy, but the definition was not immediately applicable (or at
least I
> couldn't see how to apply it).
> 
> >
> > Clearly we haven't achieved this first step yet, since Hugo Krawczyk
> > writes:  "a MAC function does NOT exist without a secret key and a
> > HKDF does NOT have a secret key.".  This surprises me because I think
> > of a KDF as having a secret key, and in particular HKDF has a secret
> > key, named "SKM" on page 1 of hkdf.pdf.
> 
> The important aspect here is that SKM is not uniformly random, but instead
has
> a min-entropy that has a known lower bound.
> 
> A document that defined of a KDF and that explained (computational)
> min-entropy and (computational) extractors would be valuable.  If we can
find
> enough people to write and review this work, it would be
> valuable to have it as a CFRG draft.   I think that a good approach
> here would be to write it up as something like a requirements document,
> saying what applications the KDF is targeting (this was already discussed
on
> the list), what assumptions go into its use, and
> what security properties it should have.   This approach would make
> the new work a nice complement to the HKDF draft.   Any other thoughts?
> 
> David

References:
- [Cfrg] Can CMAC and/or GMAC be substituted in an HMAC-styled KDF?
  - From: Robert Moskowitz
- Re: [Cfrg] Can CMAC and/or GMAC be substituted in an HMAC-styled KDF?
  - From: Hugo Krawczyk
- Re: [Cfrg] Can CMAC and/or GMAC be substituted in an HMAC-styled KDF?
  - From: Zooko Wilcox-O'Hearn

Prev by Date: [Cfrg] do we need a new document defining a KDF, extractor, and computational min-entropy?
Next by Date: [Cfrg] Can we please have a new draft of draft-krawczyk-hkdf?
Previous by thread: [Cfrg] do we need a new document defining a KDF, extractor, and computational min-entropy?
Next by thread: Re: [Cfrg] Can CMAC and/or GMAC be substituted in an HMAC-styled KDF?
Index(es):
- Date
- Thread