Paper 2005/061

Key Derivation and Randomness Extraction

Olivier Chevassut, Pierre-Alain Fouque, Pierrick Gaudry, and David Pointcheval

Abstract

Key derivation refers to the process by which an agreed upon large random number, often named master secret, is used to derive keys to encrypt and authenticate data. Practitioners and standardization bodies have usually used the random oracle model to get key material from a Diffie-Hellman key exchange. However, proofs in the standard model require randomness extractors to formally extract the entropy of the random master secret into a seed prior to derive other keys. This paper first deals with the protocol $\Sigma_0$, in which the key derivation phase is (deliberately) omitted, and security inaccuracies in the analysis and design of the Internet Key Exchange (IKE version 1) protocol, corrected in IKEv2. They do not endanger the practical use of IKEv1, since the security could be proved, at least, in the random oracle model. However, in the standard model, there is not yet any formal global security proof, but just separated analyses which do not fit together well. The first simplification is common in the theoretical security analysis of several key exchange protocols, whereas the key derivation phase is a crucial step for theoretical reasons, but also practical purpose, and requires careful analysis. The second problem is a gap between the recent theoretical analysis of HMAC as a good randomness extractor (functions keyed with public but random elements) and its practical use in IKEv1 (the key may not be totally random, because of the lack of clear authentication of the nonces). Since the latter problem comes from the probabilistic property of this extractor, we thereafter review some \textit{deterministic} randomness extractors and suggest the \emph{'Twist-AUgmented'} technique, a new extraction method quite well-suited for Diffie-Hellman-like scenarios.

Metadata
Available format(s)
PDF PS
Category
Cryptographic protocols
Publication info
Published elsewhere. Unknown where it was published
Keywords
Key exchangeRandomness extractorsKey derivation
Contact author(s)
David Pointcheval @ ens fr
History
2005-03-19: last of 2 revisions
2005-02-25: received
See all versions
Short URL
https://ia.cr/2005/061
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2005/061,
      author = {Olivier Chevassut and Pierre-Alain Fouque and Pierrick Gaudry and David Pointcheval},
      title = {Key Derivation and Randomness Extraction},
      howpublished = {Cryptology {ePrint} Archive, Paper 2005/061},
      year = {2005},
      url = {https://eprint.iacr.org/2005/061}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.