Re: AES 256 based key derivation function.
Fabrice <fabrice.gautier@xxxxxxxxx> wrote:
> Now, I'm wondering how to do this properly using AES 256. That is,
> RootKey and Derived Key are 256 bits, and Public Value could be up to
> 256 bits.

Assume AES-CBC-MAC is a secure PRF for fixed-size messages and for
significantly less than 2^64 invocations. We define the function

f(rk, x0||x1||x2) = AES(rk, x2 + AES(rk, x1 + AES(rk, x0))).

Then

dk = f(rk, 0||PV) || f(rk, 1||PV)

is secure but somewhat wasteful at six AES invocations per derived
key. If you can store AES(rk,0) and AES(rk,1), this goes down to four
AES invocations.

With

g(rk, x0||x1) = AES(rk, x1 + AES(rk, x0))

we can do

tk = g(rk, PV)
dk = AES(tk, 0) || AES(tk, 1)

which is secure and maybe more efficient, at four AES invocations
plus one extra key schedule.

More speculatively, you could try

tk = g(rk,PV)
dk = tk || AES(rk, tk)

This requires three AES invocations and no extra key schedule. It may
be possible to prove it secure...

--
Kristian Gjøsteen
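The three constructions above, written out as an added example that is not part of the original thread and not Kristian's or Fabrice's code. It reads the "+" in the post as XOR (the CBC-MAC chaining step), encodes the counter blocks 0 and 1 as big-endian 128-bit integers, zero-pads PV to a fixed 256 bits (so f always sees three blocks and g two, matching the fixed-size assumption in the post), and treats tk, which is one 128-bit block, as an AES-128 key in the re-keyed variant. A small pure-Python AES is included so the file runs offline; a block-cipher call counter lets you check the six / four / four / three invocation counts the post claims.

```python
# Added example, not from the original thread. Teaching code: the AES here is a
# straightforward FIPS-197 transcription, not constant-time, and exists only so
# the derivations below are self-contained and checkable.

_COUNTER = [0]  # number of AES block-cipher invocations made so far


def _gmul(a, b):
    """Multiply two bytes in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r & 0xFF


def _rotl8(x, s):
    return ((x << s) | (x >> (8 - s))) & 0xFF


# S-box: multiplicative inverse followed by the affine map (FIPS-197 5.1.1).
_SBOX = [0x63] + [0] * 255
for _a in range(1, 256):
    _inv = next(_b for _b in range(1, 256) if _gmul(_a, _b) == 1)
    _SBOX[_a] = _inv ^ _rotl8(_inv, 1) ^ _rotl8(_inv, 2) ^ _rotl8(_inv, 3) ^ _rotl8(_inv, 4) ^ 0x63


def _expand_key(key):
    """Key expansion for AES-128 (16-byte key) or AES-256 (32-byte key); returns Nr+1 round keys."""
    nk = len(key) // 4
    nr = nk + 6
    w = [list(key[i:i + 4]) for i in range(0, len(key), 4)]
    rcon = 1
    for i in range(nk, 4 * (nr + 1)):
        t = list(w[i - 1])
        if i % nk == 0:
            t = [_SBOX[b] for b in t[1:] + t[:1]]  # RotWord, SubWord
            t[0] ^= rcon
            rcon = _gmul(rcon, 2)
        elif nk > 6 and i % nk == 4:
            t = [_SBOX[b] for b in t]
        w.append([w[i - nk][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(nr + 1)]


def aes_encrypt_block(key, block):
    """Encrypt one 16-byte block. State is column-major: byte i is row i%4, column i//4."""
    _COUNTER[0] += 1
    rks = _expand_key(key)
    nr = len(rks) - 1
    s = [b ^ k for b, k in zip(block, rks[0])]
    for rnd in range(1, nr + 1):
        s = [_SBOX[b] for b in s]                           # SubBytes
        s = [s[(i + 4 * (i % 4)) % 16] for i in range(16)]  # ShiftRows
        if rnd != nr:                                       # MixColumns
            s = [_gmul(s[4 * c + r], 2) ^ _gmul(s[4 * c + (r + 1) % 4], 3)
                 ^ s[4 * c + (r + 2) % 4] ^ s[4 * c + (r + 3) % 4]
                 for c in range(4) for r in range(4)]
        s = [b ^ k for b, k in zip(s, rks[rnd])]            # AddRoundKey
    return bytes(s)


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def cbc_mac(rk, blocks, iv=bytes(16)):
    """Raw CBC-MAC, c_i = AES(rk, x_i XOR c_{i-1}); this is f (3 blocks) and g (2 blocks)."""
    c = iv
    for x in blocks:
        c = aes_encrypt_block(rk, _xor(x, c))
    return c


def _pv_blocks(pv):
    # Assumption: PV is always presented as exactly two blocks (zero-padded to 256
    # bits). The PRF argument is for fixed-size input, so all callers of one root
    # key must use the same PV width; zero padding is not injective across widths.
    assert len(pv) <= 32
    pv = pv.ljust(32, b"\x00")
    return [pv[:16], pv[16:]]


def _ctr_block(n):
    return n.to_bytes(16, "big")  # assumption: counters 0 and 1 as big-endian blocks


def derive_six(rk, pv):
    """dk = f(rk, 0||PV) || f(rk, 1||PV): six AES invocations."""
    x1, x2 = _pv_blocks(pv)
    return cbc_mac(rk, [_ctr_block(0), x1, x2]) + cbc_mac(rk, [_ctr_block(1), x1, x2])


def derive_four_cached(rk, pv, cached):
    """Same dk as derive_six, starting each chain from stored AES(rk,0) and AES(rk,1)."""
    x1, x2 = _pv_blocks(pv)
    return cbc_mac(rk, [x1, x2], iv=cached[0]) + cbc_mac(rk, [x1, x2], iv=cached[1])


def derive_rekey(rk, pv):
    """tk = g(rk, PV); dk = AES(tk, 0) || AES(tk, 1). tk is one block, so AES-128 under tk."""
    tk = cbc_mac(rk, _pv_blocks(pv))
    return aes_encrypt_block(tk, _ctr_block(0)) + aes_encrypt_block(tk, _ctr_block(1))


def derive_three(rk, pv):
    """Speculative variant: tk = g(rk, PV); dk = tk || AES(rk, tk)."""
    tk = cbc_mac(rk, _pv_blocks(pv))
    return tk + aes_encrypt_block(rk, tk)


def count_calls(fn, *args):
    """Return (fn's result, number of AES block invocations it made)."""
    before = _COUNTER[0]
    out = fn(*args)
    return out, _COUNTER[0] - before


if __name__ == "__main__":
    RK = bytes(range(32))                 # constructed root key
    PV = b"constructed public value"      # constructed PV, under 256 bits
    for name, fn in [("six", derive_six), ("rekey", derive_rekey), ("three", derive_three)]:
        dk, n = count_calls(fn, RK, PV)
        print(f"{name}: {n} AES calls, dk={dk.hex()}")
```

The cached variant is worth checking against the six-call one: both chains start from AES(rk, counter), so storing those two blocks changes cost but not output. The three constructions give different keys for the same (rk, PV), which is expected; what the post argues about is which of them is a PRF under the stated assumption, not that they agree.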