
Re: AES-based PRF for IKEv2



Uri Blumenthal wrote:
>Here's a proposal for an AES-based PRF that takes variable-length
>input and produces variable-length output.
[...]
>Two parameters - one is secret, the other one may be
>known. No assumption on the quality of randomness of
>either one is made. Assume that S is secret and N is
>known. No limitation on size of S, N.
[...]
>   1. Fill the key-buffer with S. If S is shorter than
>      the key-buffer, pad the key buffer with zeroes.
[...]
>A block cipher being a Pseudo Random Permutation, if the
>S parameter is secret, the following hold true:
>
>   - output of (3) is pseudo-random.
>   - output of (5) is pseudo-random.

I don't think your security claims are quite right.  You've padded the key
with zeros.  As a result, you need a stronger assumption than that the
block cipher is a pseudorandom permutation.  A pseudorandom permutation
only guarantees that the cipher is strong for uniformly random keys, not
for keys padded with zeros and not for keys with poor-quality randomness.

For instance, suppose E_k(x) is a block cipher with 256-bit key that
acts as the identity function when the last 128 bits of k are zero,
but otherwise acts as a secure block cipher.  Then E_k(x) will be a
pseudorandom permutation (with security parameter 2^-128), but your
construction will be totally insecure when used with E_.(.) if S is
128 bits long (or shorter).

Given your assumptions on S and N, I suspect you're really going to need
to use a hash function.  (Otherwise, you'll have to use some very strong
assumptions about the block cipher -- e.g., the ideal cipher model --
but I definitely do not recommend doing so.)
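A worked illustration of the counterexample in this reply, added here and not part of either poster's message. It builds the hypothetical E_k as a toy: identity when the last 128 bits of the 256-bit key are zero, otherwise a 4-round SHA-256 Feistel network standing in for "a secure block cipher" (an assumption; it is not AES and not a real cipher). Since steps 2-5 of the quoted proposal are elided above, the example models only step 1, zero-padding S into the key buffer, followed by one block encryption of the known parameter N (also an assumed shape of the construction).

```python
import hashlib

BLOCK_BYTES = 16   # 128-bit block
KEY_BYTES = 32     # 256-bit key
HALF = BLOCK_BYTES // 2

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _round(k: bytes, i: int, half: bytes) -> bytes:
    # Keyed round function: SHA-256 over (key, round index, half block).
    return hashlib.sha256(k + bytes([i]) + half).digest()[:HALF]

def _feistel(k: bytes, x: bytes, rounds: int = 4) -> bytes:
    # Toy keyed permutation (balanced Feistel) standing in for the
    # "secure block cipher" branch; illustrative only, not a real cipher.
    left, right = x[:HALF], x[HALF:]
    for i in range(rounds):
        left, right = right, _xor(left, _round(k, i, right))
    return left + right

def _feistel_inverse(k: bytes, y: bytes, rounds: int = 4) -> bytes:
    # Inverse of _feistel: shows the strong branch really is a permutation.
    left, right = y[:HALF], y[HALF:]
    for i in reversed(range(rounds)):
        left, right = _xor(right, _round(k, i, left)), left
    return left + right

def pathological_encrypt(k: bytes, x: bytes) -> bytes:
    """The hypothetical E_k from the reply: identity when the last 128 bits
    of the 256-bit key are zero, otherwise the (toy) strong permutation."""
    assert len(k) == KEY_BYTES and len(x) == BLOCK_BYTES
    if k[-16:] == bytes(16):       # last 128 bits of the key are zero
        return x
    return _feistel(k, x)

def pad_key(s: bytes) -> bytes:
    """Step 1 of the quoted proposal: fill the key buffer with S, zero-pad."""
    assert len(s) <= KEY_BYTES
    return s + bytes(KEY_BYTES - len(s))

def step_output(s: bytes, n_block: bytes) -> bytes:
    # Assumed shape of a later step: one block encryption of the known N
    # under the padded key (the proposal's steps 2-5 are elided above).
    return pathological_encrypt(pad_key(s), n_block)

def leaks_known_input(s: bytes, n_block: bytes) -> bool:
    # Check: does the supposedly pseudo-random output simply echo N?
    return step_output(s, n_block) == n_block
```

With any S of 128 bits or shorter, pad_key fills the last 128 key bits with zeros, the pathological cipher collapses to the identity, and the "pseudo-random" output is just N; a uniformly random 256-bit key hits that branch with probability 2^-128, which is why the PRP definition says nothing about this case.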