[noise] Wrong arguments for KDF in PSK mode
Trevor Perrin
trevp at trevp.net
Thu Apr 21 15:41:34 PDT 2016
On Thu, Apr 21, 2016 at 3:17 PM, Jason A. Donenfeld <Jason at zx2c4.com> wrote:
> On Thu, Apr 21, 2016 at 9:25 PM, Trevor Perrin <trevp at trevp.net> wrote:
>>
>>
>> (d) Note that whether you pass a key to HMAC in the first or second
>> argument, this key is processed as message data by the hash function.
>> So security reductions for HMAC (like Bellare's 2006 proof) already
>> need to assume that the underlying compression function is a "dual
>> PRF", a PRF when keyed either through the chaining variable or the
>> message.
>>
>
> This is a key point. For certain PRFs -- "dual PRF"s -- the order of
> arguments does not matter. The security considerations section should note
> that Noise depends on this property of the underlying PRF.
I think I'll discuss the hash as a "random oracle", but also mention
"collision-resistance" in the security considerations.
Arguing security based on PRFs, without random oracles, is inherently
complicated because the output of the DH is not necessarily a
uniformly random key. So you need some additional assumptions or
operations (entropy extraction) to turn the DH output into something
that could be used as a PRF key.
For example, maybe DDH plus ignoring some bits of the DH output yields
a secure key for a PRF / dual PRF, but that's trading stronger
assumptions about the hash for stronger assumptions about the DH.
So I think the ROM remains the easiest way to look at this, and is
typical in analyzing key agreement protocols.
Trevor
More information about the Noise
mailing list