Re: AES-based PRF for IKEv2



> SECURITY PROPERTIES.
>  
> A block cipher being a Pseudo Random Permutation, if the
> S parameter is secret, the following hold true:
>  
>    - output of (3) is pseudo-random.
>    - output of (5) is pseudo-random.
> 

Unfortunately, this is incorrect.
If all you assume about the block cipher is that it
is a pseudorandom permutation, then to be able to get a result 
as you state you need to assume that all the values used to key the block
cipher are random (or pseudo-random, in the complexity-theoretic sense).
That means that you need to assume S to be secret (as you do) but also
random (which you don't do) and of at least the length of the cipher's
keys (which you don't do either). Therefore, the stated security properties 
do not provably hold. Specifically, one can build examples of perfectly secure
pseudorandom permutations that will induce insecure outputs from (3) and (5).
This was pointed out by Dave Wagner for the case in which S is too short,
and one can also give examples in which S is longer than the key 
(but not uniformly distributed).

Now, clearly, if you assume that the given value S is already a good random
key for the prf then you do not need all the construction.

Finally, regarding the use of this method with a DH key S=g^{xy} as you
suggest. In this case you'd take the first, say, 128 bits of g^{xy} as the key
to the block cipher and the rest as data. Under which assumptions on DH and
the block cipher can you claim the proposed key derivation to be secure?
Note that the attacker knows g^x, g^y.

Hugo
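The counterexample Hugo alludes to (a perfectly good PRP that yields an insecure "PRF" when its key S is short or non-uniform) can be made concrete. The block below is an added illustration, not code from the thread or from any IKEv2 draft. It assumes the shape of the construction as described in the reply (key the cipher with the first 128 bits of S, treat the rest as data), assumes a short S is zero-padded up to key length, and uses a toy 4-round Feistel cipher with an HMAC round function in place of AES, since the argument is generic over the block cipher. The "contrived" cipher is the standard pathological PRP: it equals the honest cipher on all keys except those whose second half is all zero, where it collapses to the identity. Under uniformly random 128-bit keys that bad set has probability 2^-64, so the cipher is still a secure PRP; the defect surfaces only once the key is not uniform.

```python
import hmac
import hashlib
import os

BLOCK = 16  # 128-bit block, mirroring the AES block size discussed in the thread
HALF = BLOCK // 2


def _round(key: bytes, i: int, half: bytes) -> bytes:
    # Feistel round function: HMAC-SHA256 truncated to one half-block (8 bytes).
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:HALF]


def feistel_prp(key: bytes, block: bytes, rounds: int = 4) -> bytes:
    """Toy 128-bit PRP (Luby-Rackoff style): stands in for 'the block cipher'.
    Assumption: any secure PRP would do; the argument does not depend on AES."""
    assert len(block) == BLOCK
    left, right = block[:HALF], block[HALF:]
    for i in range(rounds):
        # Standard Feistel step: L' = R, R' = L xor F(R). RHS uses the old values.
        left, right = right, bytes(a ^ b for a, b in zip(left, _round(key, i, right)))
    return left + right


def contrived_prp(key: bytes, block: bytes) -> bytes:
    """Pathological but still secure PRP (constructed for this illustration):
    identical to feistel_prp unless the last 64 bits of the key are zero,
    in which case it is the identity permutation. Over uniform 128-bit keys the
    bad set is hit with probability 2^-64, so no distinguisher notices it."""
    assert len(key) == BLOCK
    if key[HALF:] == bytes(HALF):
        return block
    return feistel_prp(key, block)


def prf_from_prp(prp, S: bytes, data: bytes) -> bytes:
    """Assumed shape of the proposal: the first 128 bits of S key the block cipher
    and the remaining material is the data (one block here)."""
    return prp(S[:BLOCK], data[:BLOCK])


def identity_rate(prp, S: bytes, trials: int = 200) -> float:
    """Trivial distinguisher: fraction of random inputs returned unchanged.
    A pseudorandom output makes this ~2^-128; the degenerate case makes it 1.0."""
    hits = 0
    for _ in range(trials):
        x = os.urandom(BLOCK)
        if prf_from_prp(prp, S, x) == x:
            hits += 1
    return hits / trials


def short_S_zero_padded(short: bytes) -> bytes:
    """Case 1 (Wagner's point): S shorter than the key, zero-padded to key length.
    Assumption: zero padding; any fixed padding gives a non-uniform key."""
    assert len(short) < BLOCK
    return short + bytes(BLOCK - len(short))


def long_but_structured_S(seed: bytes) -> bytes:
    """Case 2: S is 256 bits, longer than the key, but not uniformly distributed:
    the 64 bits that end up in the key's second half are a fixed constant."""
    tail = hashlib.sha256(seed).digest()  # 32 bytes of seed-dependent material
    return tail[:HALF] + bytes(HALF) + tail[HALF:HALF + BLOCK]


if __name__ == "__main__":
    uniform_key = os.urandom(BLOCK)  # constructed: a uniformly random key
    print("uniform key, contrived PRP :", identity_rate(contrived_prp, uniform_key))
    print("64-bit S zero-padded       :", identity_rate(contrived_prp, short_S_zero_padded(os.urandom(HALF))))
    print("256-bit structured S       :", identity_rate(contrived_prp, long_but_structured_S(b"constructed seed")))
    print("same short S, honest PRP   :", identity_rate(feistel_prp, short_S_zero_padded(os.urandom(HALF))))
```

The last line of the demo is the point of the reply: with the honest cipher the short S looks fine, so the construction's security rests on properties of the particular cipher (or of S) that the PRP assumption alone does not give you, which is why the stated properties are not provable from "the block cipher is a PRP" plus "S is secret".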