[noise] KDF, part 9281274

Brian Smith brian at briansmith.org
Sat Apr 23 13:57:28 PDT 2016

Jason A. Donenfeld <Jason at zx2c4.com> wrote:

> On Fri, Apr 22, 2016 at 10:15 PM, Rhys Weatherley <
> rhys.weatherley at gmail.com> wrote:
>> On Sat, Apr 23, 2016 at 1:18 AM, Jason A. Donenfeld <Jason at zx2c4.com>
>> wrote:
>>> What precisely prevents you from using these?
>> Embedded systems.
> Okay, sure. But I'm mainly interested in hearing cryptographic reasons
> here, following our previous discussions on this matter.

I was just skimming about this today:

“Standards bodies should reexamine — taking into account tightness gaps —
the security of all standardized protocols that use HMAC for non-MAC
purposes such as key derivation or passwords.” [1]

"To the best of our knowledge, the PRF-assumption has never been seriously
studied for the compression functions used in MD5, SHA1, or SHA256." (or
SHA-512, IIUC.) [1]

"Oops! Nobody knows how to prove that SHA-256’s compression function is a
PRF." (or SHA-512, IIUC). [2]

I have only read [1] once, so I've no opinion on it other than I think it's
worth considering its ideas.

[1] https://eprint.iacr.org/2016/360.pdf
[2] https://www.cs.princeton.edu/~appel/papers/verif-sha.pdf

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://moderncrypto.org/mail-archive/noise/attachments/20160423/bcc71a84/attachment.html>

More information about the Noise mailing list