Re: AES-based PRF for IKEv2
David,
First - thank you for the review! I appreciate it!
My answers are inline.
David Wagner wrote:
> I don't think your security claims are quite right. You've padded the key
> with zeros. As a result, you need a stronger assumption than that the
> block cipher is a pseudorandom permutation. A pseudorandom permutation
> only guarantees that the cipher is strong for uniformly random keys, not
> for keys padded with zeros and not for keys with poor-quality randomness.
Not quite - a key with all zeroes is just as random as any other key.
> For instance, suppose E_k(x) is a block cipher with 256-bit key that
> acts as the identity function when the last 128 bits of k are zero,
> but otherwise acts as a secure block cipher. Then E_k(x) will be a
> pseudorandom permutation (with security parameter 2^-128), but your
> construction will be totally insecure when used with E_.(.) if S is
> 128 bits long (or shorter).
You are basically saying here that the key space is non-linear.
There are ciphers in use like that (especially in the military),
but it is *assumed* that the AES keyspace is linear. And yes - for
non-linear keyspace you need special treatment of the key.
Just randomizing it doesn't always help - it all depends
on the keyspace properties.
> Given your assumptions on S and N, I suspect you're really going to need
> to use a hash function. (Otherwise, you'll have to use some very strong
> assumptions about the block cipher -- e.g., the ideal cipher model --
> but I definitely do not recommend doing so.)
I don't think that linear keyspace assumption is too much.
And so far there have been no weak keys found for AES, have there?
Thanks!
Regards,
Uri.
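The counterexample in the quoted text can be made concrete. The following is an added example, not code from either participant or from the IKEv2 draft under discussion. It assumes the proposal has the shape PRF(S, N) = E_{S||0...0}(N), i.e. the secret S (at most 128 bits) is zero-padded to a 256-bit key and the block cipher is applied to N; that shape is an assumption from the thread, not a quote of the draft. Because AES is not in the Python standard library, the "secure" cipher is a stand-in: a 4-round Luby-Rackoff Feistel network with a SHA-256-based round function, keyed with 256 bits on a 128-bit block. Wagner's pathological cipher E is then built on top of it exactly as described: identity whenever the last 128 key bits are zero, otherwise the stand-in cipher.

```python
import hashlib

BLOCK = 16    # 128-bit block
KEY_LEN = 32  # 256-bit key


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, i: int, half: bytes) -> bytes:
    # Keyed round function F_i(k, x) = SHA-256(k || i || x) truncated to 64 bits.
    return hashlib.sha256(key + bytes([i]) + half).digest()[:BLOCK // 2]


def feistel_encrypt(key: bytes, block: bytes, rounds: int = 4) -> bytes:
    """Stand-in for a 'secure' 256-bit-key, 128-bit-block cipher (assumption:
    4-round Luby-Rackoff Feistel, used here instead of AES-256)."""
    assert len(key) == KEY_LEN and len(block) == BLOCK
    L, R = block[:8], block[8:]
    for i in range(rounds):
        L, R = R, _xor(L, _round(key, i, R))
    return L + R


def feistel_decrypt(key: bytes, block: bytes, rounds: int = 4) -> bytes:
    """Inverse of feistel_encrypt, to show the stand-in really is a permutation."""
    assert len(key) == KEY_LEN and len(block) == BLOCK
    L, R = block[:8], block[8:]
    for i in reversed(range(rounds)):
        L, R = _xor(R, _round(key, i, L)), L
    return L + R


def pathological_encrypt(key: bytes, block: bytes) -> bytes:
    """Wagner's E_k: the identity when the last 128 key bits are zero, otherwise
    the secure cipher. For uniformly random 256-bit keys only a 2^-128 fraction
    of keys hit the bad case, so this is still a pseudorandom permutation."""
    if key[16:] == bytes(16):
        return block
    return feistel_encrypt(key, block)


def zero_pad_key(S: bytes) -> bytes:
    """Pad a secret of at most 128 bits with zeros up to the 256-bit key size."""
    assert len(S) <= 16
    return S + bytes(KEY_LEN - len(S))


def padded_prf(E, S: bytes, N: bytes) -> bytes:
    """Assumed shape of the proposal under discussion: PRF(S, N) = E_{S||0..0}(N)."""
    return E(zero_pad_key(S), N)


def caught_as_identity(E, S: bytes, queries) -> bool:
    """Distinguisher: an adversary who may query PRF(S, .) on chosen N checks
    whether every answer simply echoes the input. A true PRF would do so with
    probability about 2^-128 per query."""
    return all(padded_prf(E, S, N) == N for N in queries)


# Constructed sample inputs: a 128-bit secret and four chosen nonces.
SECRET = bytes(range(16))
QUERIES = [bytes([i]) * BLOCK for i in range(4)]
RANDOM_KEY = hashlib.sha256(b"a uniformly random 256-bit key (constructed)").digest()

if __name__ == "__main__":
    print("pathological E with zero-padded key is the identity:",
          caught_as_identity(pathological_encrypt, SECRET, QUERIES))
    print("stand-in cipher with the same padded key is the identity:",
          caught_as_identity(feistel_encrypt, SECRET, QUERIES))
    print("pathological E agrees with the stand-in on a random key:",
          pathological_encrypt(RANDOM_KEY, QUERIES[0]) == feistel_encrypt(RANDOM_KEY, QUERIES[0]))
```

The point of the exercise: nothing about the pathological E is detectable by a PRP adversary who only ever sees uniformly random 256-bit keys, yet every 128-bit-or-shorter S lands in the bad region once zero-padded, so the PRP assumption alone does not cover the padded-key construction. Whether real AES behaves this way is a separate question from whether the security proof goes through.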