
Re: AES-based PRF for IKEv2
Uri Blumenthal  wrote:
>David Wagner wrote:
>> I don't think your security claims are quite right.  You've padded the key
>> with zeros.  As a result, you need a stronger assumption than that the
>> block cipher is a pseudorandom permutation.  A pseudorandom permutation
>> only guarantees that the cipher is strong for uniformly random keys, not
>> for keys padded with zeros and not for keys with poor-quality randomness.
>
>Not quite - a key with all zeroes is just as random as any other key.

No, no, no.  You're confused.  Keys aren't random; it's the process
used to create them that might or might not be random.

A number like 000 isn't random, and it isn't uniformly distributed;
it makes no sense to try to attach the term "random" to simple numbers.
The process used to generate it might or might not be random; the
term "random" attaches to processes that generate numbers, not to
the numbers themselves.

Imagine I have a six-sided die.  I claim to you that it is fair, i.e.,
all six outcomes are equally likely.  You roll it 100 times and get a
"6" every time.  If you express some skepticism that my die is fair,
I'm going to tell you that the number "6" is just as random as any other
outcome.  Are you convinced?  I certainly hope not!

The point is that we must look at the process used to create the key.
When using a PRP, that key-creation process must provide outputs that
are secret, random, and uniformly distributed on the cipher's keyspace.
The key-creation process you specified does not qualify: the last bit of
the AES key is much more likely to be 0 than to be 1, for instance.

>There are ciphers in use like that (especially in the military),
>but it is *assumed* that AES keyspace is linear.

Assumed by whom?  The assumption that AES is a secure PRP does *not*
guarantee that its keyspace is "linear" (whatever that means precisely).
And the standard security goal for block ciphers is that they be a
secure PRP.

(In my experience, this goal is generally agreed upon by theoreticians,
block cipher designers, and cryptanalysts alike.  Sometimes block
cipher designers try for other, extra goals, but being a secure PRP is
usually the most important goal and it is usually the one that receives
the most study from cryptanalysts, in my experience.  As a result, among
all unproven security properties, PRP-ness is probably the property that
we can have the most confidence in.)
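An added illustration of the point made in this message, not part of the original thread: it contrasts zero-padding short key material into an AES-128 key with deriving the key through an HMAC-based extract step (the KDF, the fixed salt and the sample material are constructed assumptions, not anything from the draft under discussion), and measures how often the final key bit comes out 0 in each case.

```python
import hashlib
import hmac

AES_KEY_BYTES = 16  # AES-128: the PRP assumption wants 128 uniformly distributed key bits


def zero_pad_key(material: bytes) -> bytes:
    """The construction criticised above: right-pad short key material with zeros."""
    if len(material) > AES_KEY_BYTES:
        raise ValueError("material longer than the key")
    return material + b"\x00" * (AES_KEY_BYTES - len(material))


def kdf_key(material: bytes, salt: bytes = b"constructed-fixed-salt") -> bytes:
    """Hypothetical alternative: an HKDF-style extract step, HMAC-SHA256 keyed with a
    fixed salt over the material, truncated to the AES key size.  Every output bit then
    depends on all of the input rather than on its position in the padded layout."""
    return hmac.new(salt, material, hashlib.sha256).digest()[:AES_KEY_BYTES]


def last_bit_zero_fraction(key_fn, material_len: int, samples: int = 4000) -> float:
    """Fraction of derived keys whose final bit is 0, measured over deterministically
    constructed key material so the figure reproduces offline."""
    zeros = 0
    for i in range(samples):
        # constructed sample material: SHA-256 of a counter, cut to material_len bytes
        material = hashlib.sha256(i.to_bytes(4, "big")).digest()[:material_len]
        key = key_fn(material)
        zeros += (key[-1] & 1) == 0
    return zeros / samples


if __name__ == "__main__":
    # 10 bytes of material padded to 16: the last 48 key bits are always zero,
    # so the key is confined to 2^80 of the 2^128 possible AES-128 keys.
    for name, fn in (("zero-padded", zero_pad_key), ("KDF-derived", kdf_key)):
        print(f"{name:12s} P[last key bit == 0] = {last_bit_zero_fraction(fn, 10):.3f}")
```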