Re: [Cfrg] comments and questions on draft-krawczyk-hkdf and related work

[David McGrew <mcgrew at cisco.com>]

Hi Hugo,

I never heard back from you on my security questions about HKDF.  I'm  
resending the original email from last year, with the questions that  
Pasi answered stripped out.

On Oct 20, 2009, at 2:43 PM, David McGrew wrote:

> Hi Hugo and Pasi,
>
> I have some comments and questions on draft-krawczyk-hkdf-00 and "On
> Extract-then-Expand Key Derivation Functions and an HMAC-based KDF".
> First, thanks for taking on this work; it makes strong contributions
> in an important area.
>
> The most important question is: what is the precise security statement
> for HKDF?  What assumptions does one need to make about the hash
> function used in HKDF in order that the security analysis applies?
> The paper says that "it is shown in [23] (see Section 8) that using
> HMAC with a truncated output as an extractor allows to prove security
> under considerably weaker assumptions on the underlying hash
> function."  However, both of the Lemmas in that paper (and the
> implication in Section 8) make random oracle assumptions.
>
> A recommended instantiation of HKDF from the paper uses HMAC-SHA-512
> (with output truncated to 256 bits) in the extract stage and
> HMAC-SHA-256 in the expand stage.  I understand from [23] that "if we
> are interested in an output of L close-to-uniform bits then the key to
> the underlying compression function needs to be sufficiently larger
> than L," which motivates the use of SHA-512 in the extraction stage.
> But I don't see any exact security statement for this instantiation.
>
> What is the impact of the salt (and its omission) on the security
> properties?
>
> <snip>
> </snip>
>
> A minor point: The HKDF analysis asserts that OFB mode is better than
> CTR, because the attacker has less knowledge on the inputs to the PRF,
> and because successive values of a counter differ in very few bits.
> These are valid points, but are they strong enough to justify the
> implementation of a new algorithm for an "expand" stage?
>
> It would be a valuable contribution to theory to isolate the security
> requirements of the hash function that are needed to build a
> good computational extractor, and provide these requirements to the
> NIST hash function competition.
>
> I was unsatisfied with my results in trying to track down references
> on a computational extractor.  It would be valuable to have a precise
> and concise statement of the security goal (reference [35] in the
> paper doesn't mention min-entropy - should I be looking somewhere
> else?).  Also, the citation "Randomness Extraction and Key Derivation
> Using the CBC, Cascade and HMAC Modes", includes the statement
> "Computational Security: Our second approach to analyzing NMAC is
> similar to the analysis of the padded cascade from Lemma 5. We will
> present it in the full version."  Is the full version available
> online?  Or is there another reference that you could recommend?
>
> Regards,
>
> David
>
> _______________________________________________
> Cfrg mailing list
> Cfrg at irtf.org
> http://www.irtf.org/mailman/listinfo/cfrg