
Re: AES-based PRF for IKEv2



David,

First - thank you for the review! I appreciate it!
My answers are inline.

David Wagner wrote:
> I don't think your security claims are quite right.  You've padded the key
> with zeros.  As a result, you need a stronger assumption than that the
> block cipher is a pseudorandom permutation.  A pseudorandom permutation
> only guarantees that the cipher is strong for uniformly random keys, not
> for keys padded with zeros and not for keys with poor-quality randomness.

Not quite - a key with all zeroes is just as random as any other key.

> For instance, suppose E_k(x) is a block cipher with 256-bit key that
> acts as the identity function when the last 128 bits of k are zero,
> but otherwise acts as a secure block cipher.  Then E_k(x) will be a
> pseudorandom permutation (with security parameter 2^-128), but your
> construction will be totally insecure when used with E_.(.) if S is
> 128 bits long (or shorter).

You are basically saying here that the key space is non-linear.
There are ciphers in use like that (especially in the military),
but it is *assumed* that AES keyspace is linear. And yes - for
non-linear keyspace you need special treatment of the key.
Just randomizing it doesn't always help - it all depends
on the keyspace properties.

> Given your assumptions on S and N, I suspect you're really going to need
> to use a hash function.  (Otherwise, you'll have to use some very strong
> assumptions about the block cipher -- e.g., the ideal cipher model --
> but I definitely do not recommend doing so.)

I don't think that linear keyspace assumption is too much.
And so far there were no weak keys found for AES, were there?

Thanks!

Regards,
Uri.
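Wagner's counterexample from the quoted text, worked through as an added toy model (not code from either correspondent, and not AES): a cipher that is a good PRP under uniformly random 256-bit keys but acts as the identity whenever the last 128 bits of the key are zero, so a 128-bit S padded with zeros is caught by a trivial distinguisher. The "secure" branch is simulated with an HMAC-keyed Feistel network, and all function names are assumptions.

```python
import hashlib
import hmac
import os

BLOCK = 16      # 128-bit block
KEYLEN = 32     # 256-bit key, as in Wagner's example


def feistel_prp(key: bytes, block: bytes) -> bytes:
    """Toy 4-round Feistel permutation keyed via HMAC-SHA256.
    Stands in for the 'otherwise secure block cipher' branch."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hmac.new(key, bytes([rnd]) + right, hashlib.sha256).digest()[:8]
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return left + right


def pathological_cipher(key: bytes, block: bytes) -> bytes:
    """Wagner's E_k: identity when the last 128 key bits are zero,
    a proper permutation otherwise. Under uniformly random keys the bad
    case has probability 2^-128, so E is still a PRP by that definition."""
    assert len(key) == KEYLEN and len(block) == BLOCK
    if key[16:] == bytes(16):
        return block
    return feistel_prp(key, block)


def zero_padded_prf(s: bytes, x: bytes) -> bytes:
    """The construction under discussion: a short secret S padded with
    zeros up to the cipher's key size, then used as the cipher key."""
    return pathological_cipher(s.ljust(KEYLEN, b"\x00"), x)


def looks_like_identity(oracle, trials: int = 8) -> bool:
    """Distinguisher: query random blocks and check whether E_k(x) == x.
    A real PRP does this with probability about 2^-128 per query."""
    return all(oracle(x) == x for x in (os.urandom(BLOCK) for _ in range(trials)))


def demo() -> tuple:
    s = os.urandom(16)       # 128-bit S, the case Wagner describes
    k = os.urandom(KEYLEN)   # uniformly random 256-bit key
    padded_broken = looks_like_identity(lambda x: zero_padded_prf(s, x))
    random_broken = looks_like_identity(lambda x: pathological_cipher(k, x))
    return padded_broken, random_broken   # expected (True, False)


if __name__ == "__main__":
    print(demo())
```

The point is not that AES behaves this way, but that "E is a PRP" alone does not rule a cipher like this out, so the padded-key construction needs an assumption beyond PRP security.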