[noise] KDF, part 9281274
Brian Smith
brian at briansmith.org
Sat Apr 23 13:57:28 PDT 2016
Jason A. Donenfeld <Jason at zx2c4.com> wrote:
> On Fri, Apr 22, 2016 at 10:15 PM, Rhys Weatherley <
> rhys.weatherley at gmail.com> wrote:
>>
>> On Sat, Apr 23, 2016 at 1:18 AM, Jason A. Donenfeld <Jason at zx2c4.com>
>> wrote:
>>
>>> What precisely prevents you from using these?
>>
>> Embedded systems.
>>
>
> Okay, sure. But I'm mainly interested in hearing cryptographic reasons
> here, following our previous discussions on this matter.
>
I was just skimming about this today:
“Standards bodies should reexamine — taking into account tightness gaps —
the security of all standardized protocols that use HMAC for non-MAC
purposes such as key derivation or passwords.” [1]
"To the best of our knowledge, the PRF-assumption has never been seriously
studied for the compression functions used in MD5, SHA1, or SHA256." (or
SHA-512, IIUC.) [1]
"Oops! Nobody knows how to prove that SHA-256’s compression function is a
PRF." (or SHA-512, IIUC). [2]
I have only read [1] once, so I've no opinion on it other than I think it's
worth considering its ideas.
[1] https://eprint.iacr.org/2016/360.pdf
[2] https://www.cs.princeton.edu/~appel/papers/verif-sha.pdf
Cheers,
Brian
--
https://briansmith.org/