cfrg / draft-irtf-cfrg-aegis-aead

Specification for the AEGIS family of authenticated encryption algorithms.
https://cfrg.github.io/draft-irtf-cfrg-aegis-aead/draft-irtf-cfrg-aegis-aead.html

Mention another way to achieve full commitment #42

Closed samuel-lucas6 closed 4 months ago

samuel-lucas6 commented 4 months ago

As discussed in #40.

jedisct1 commented 4 months ago

The output of a KDF must be indistinguishable from a random function, so given the key size required by AEGIS, collision resistance is implied.

However, for key commitment, the KDF needs to be preimage-resistant, or else it remains possible to find distinct (k,ad) input pairs that produce the same key.

But I'm not sure that preimage resistance is a required property for a KDF.

This is certainly true for HKDF when instantiated with secure hash functions. But we can't generalize that to any KDF.

jedisct1 commented 4 months ago

It's very common to have a key derivation step using HKDF before using an AEAD.

So, maybe we could suggest including what would be the AD in that derivation step, as the HKDF salt parameter.

samuel-lucas6 commented 4 months ago

> The output of a KDF must be indistinguishable from a random function, so given the key size required by AEGIS, collision resistance is implied.

I see what you mean. However, commitment papers like BH22 and ADGKLS22 call this a collision-resistant PRF, and obviously PRFs are used for KDFs.

You could use HMAC-SHA1, which is obviously a PRF that produces a 160-bit output (large enough for collision resistance), and it isn't collision-resistant due to SHA-1 so isn't committing. As another example, CBC-MAC is a PRF with prefix-free inputs but not collision resistant and thus not committing.

> However, for key commitment, the KDF needs to be preimage-resistant, or else it remains possible to find distinct (k,ad) input pairs that produce the same key.

Is preimage resistance not context discoverability rather than commitment? It's been a while since I've looked at that paper, but prior to that paper everybody only talked about collision resistance. The terminology is quite confusing.

> But I'm not sure that preimage resistance is a required property for a KDF.

CMAC isn't preimage resistant but is used as a NIST KDF, so it doesn't seem to be.

> This is certainly true for HKDF when instantiated with secure hash functions. But we can't generalize that to any KDF.

That's basically what I mean by a collision-resistant KDF; one that's hash-based.

> maybe we could suggest including what would be the AD in that derivation step, as the HKDF salt parameter.

Yeah, I was debating whether to name the parameter, although I was thinking of the info parameter. The salt is a bit dodgy in that a large associated data would get hashed, which could affect the commitment. This variable-length key issue is mentioned in a recent paper (that I haven't read in full).

jedisct1 commented 4 months ago

Hi Samuel,

> Is preimage resistance not context discoverability rather than commitment? It's been a while since I've looked at that paper, but prior to that paper everybody only talked about collision resistance. The terminology is quite confusing.

The terminology is indeed quite confusing. "Context discoverability" was introduced in that paper, and I don't think it's been widely used elsewhere.

> That's basically what I mean by a collision-resistant KDF; one that's hash-based.

Alright, let's keep that, then. We can always clarify this later if we get feedback from the CFRG.

> I was debating whether to name the parameter, although I was thinking of the info parameter. The salt is a bit dodgy in that a large associated data would get hashed, which could affect the commitment. This variable length key issue is mentioned in a recent paper (that I haven't read in full).

info would also be more efficient, but it's already commonly used by applications to describe the purpose of the derived key. So, adding the AD to it requires proper separation between the key context and the AD. Maybe we should provide a little bit more guidance. People may be confused about where exactly the AD should be added to their regular key derivation step.

samuel-lucas6 commented 2 months ago

I'm still wondering if this should say a minimum of 128-bit collision resistance and maybe must should be changed to MUST:

> Protocols mandating a fully committing scheme without that restriction can provide the associated data as input to a cryptographic hash function and use the output as the ad parameter of the Encrypt and Decrypt functions. The selected hash function must ensure a minimum of 128-bit preimage resistance. An instance of such a function is SHA-256 [RFC6234].
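A worked illustration of the two approaches discussed in this thread (hashing the AD with SHA-256 before passing it as the ad parameter, and binding the AD into HKDF's info with proper separation from the key context), added here as example code that is neither the draft's nor either commenter's: the HKDF-SHA256 implementation, the length-prefixed field encoding and the `context`/`ad` sample values are assumptions.

```python
"""Committing inputs for an AEAD such as AEGIS: HKDF-derived key plus hashed AD."""
import hashlib
import hmac


def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF-SHA256 (RFC 5869): extract, then expand to `length` bytes."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def naive_info(context: bytes, ad: bytes) -> bytes:
    # Plain concatenation: the boundary between context and AD is lost, so two
    # different (context, ad) pairs can encode to the same info string.
    return context + ad


def separated_info(context: bytes, ad: bytes) -> bytes:
    # Length-prefix each field so every (context, ad) pair has a unique encoding.
    return (len(context).to_bytes(4, "big") + context
            + len(ad).to_bytes(4, "big") + ad)


def committing_inputs(key: bytes, context: bytes, ad: bytes, salt: bytes = b""):
    """Return (derived_key, hashed_ad) to use as the AEAD key and ad parameters.

    The derived key binds the AD through HKDF's info; the hashed AD keeps the
    ad parameter at a fixed 256-bit length as the draft text suggests.
    """
    derived_key = hkdf(key, salt, separated_info(context, ad))
    hashed_ad = hashlib.sha256(ad).digest()
    return derived_key, hashed_ad


if __name__ == "__main__":
    # Constructed sample values (assumptions, not from the draft).
    k = bytes(range(32))
    print(naive_info(b"app-v1:", b"hdr") == naive_info(b"app-v1", b":hdr"))  # True: ambiguous
    print(separated_info(b"app-v1:", b"hdr") == separated_info(b"app-v1", b":hdr"))  # False
    print(committing_inputs(k, b"app-v1", b"hdr")[0].hex())
```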