
List:       cfrg
Subject:    Re: [CFRG] Dual-PRF, following IETF 113
From:       Gilles VAN ASSCHE <gilles.vanassche=40st.com () dmarc ! ietf ! org>
Date:       2022-03-31 15:59:35
Message-ID: AM9PR10MB5005232A863AB0A40ED9CC26F2E19 () AM9PR10MB5005 ! EURPRD10 ! PROD ! OUTLOOK ! COM

Dear Nimrod,


Regarding KMAC: I think people were asking if we can replace HMAC in our construction
with KMAC. We rely on HMAC to supply several properties, both a PRF and an extractor,
so it depends whether KMAC also meets them. KMAC is claimed to be a PRF in [3],
without a proof. There is also some literature on this, e.g. [5], but in a brief
search I could not find specific PRF-security claims for KMAC. So at a very cursory
glance, it looks like KMAC is a PRF, and then it'd be a question whether it's also an
extractor. It'd be great if folks could please point us towards concrete analysis,
and then we could give more precise answers.

Up to its claimed security (see Claim 1 in [6]) and impossibility results, we can
reason about KMAC/Keccak as seen as a random oracle and thereby convince ourselves
that it is a PRF and an extractor. The validity of this claim is supported by the
indifferentiability proof of the sponge construction [7] and a substantial amount of
cryptanalysis.

Kind regards,
Gilles

[6] G. Bertoni, J. Daemen, M. Peeters and G. Van Assche, The Keccak reference, 2011,
    https://keccak.team/files/Keccak-reference-3.0.pdf
[7] idem, On the Indifferentiability of the Sponge Construction, EUROCRYPT 2008




